The professionalization of risk management: What role can the ISO 31000 risk management principles play?

https://doi.org/10.1016/j.ijproman.2016.08.002

Highlights

  • Empirical study of the eleven principles of the ISO 31000 Risk Management Standard

  • Reveals two clusters of principles: process capability and process integration

  • Adherence to the principles is associated with better cost, schedule, technical and customer outcomes

  • Reveals promising evidence for legitimacy of the ISO 31000 principles

  • Proposes principles as basis for professionalization of risk management field

Abstract

Risk management is increasingly seen as a means of improving the likelihood of success in complex engineering projects. Yet the presence of a legitimacy gap, driven by the lack of empirical validation of published best practices, might explain low adoption of risk management on projects. We present an empirical investigation and discussion of the eleven principles of the ISO 31000:2009 Risk Management Standard via a large-scale survey of engineering and product development practitioners. Adhering to the risk management principles at a high level was found to be a significant factor in better reaching cost, schedule, technical and customer targets, in addition to achieving a more stable project execution. This finding suggests that, rather than a single rigid standard or an ever-changing set of detailed methods, the ISO principles have potential to be the basis for our shared understanding of best practice, and to catalyze the professionalization of project risk management.

Introduction

Risk management is increasingly seen as a means of improving the likelihood of success in the complex, multi-functional and challenging task of managing engineering and product development projects. Studies show that project risks affect outcomes in a number of industries (Wallace and Keil, 2004, Mishra et al., 2016). Yet studies have shown that risk management practices are poorly adopted by project managers (Kutsch and Hall, 2009, Raz et al., 2002, Grant and Pennypacker, 2006, Ibbs and Kwak, 2000, Papke-Shields et al., 2010). How do project managers decide which risk management practices to engage in, and how can they have confidence in the value of investing in such processes?

Given the increasingly ad hoc implementation of risk management practices by project managers, the under-use of existing methods because they lack legitimacy, and the resulting proliferation of prescriptive guidelines, we recognize the need for studies that validate methods for project risk management and lead to professionalization of the field. But we must balance this search for validation of prescriptive methods against the warnings of the contingency point of view, and avoid a one-size-fits-all solution.

In this paper we propose the use of risk management principles as an alternative to specific practices or tools. We argue that these principles give project managers guidance in establishing a risk management process while recognizing that each project is different. We explore the potential of one such set of principles: this study reports the results of an empirical investigation, in the engineering and product development context, of the effectiveness of the eleven principles included in one promising standard, the ISO 31000:2009 Risk Management guideline.

Literature review

We begin with a discussion of the state of professionalization of project risk management. The establishment of a formal body of knowledge is seen as a critical step towards professionalization of a field (Wirth and Tryloff, 1995). This body of knowledge provides a common understanding of industry best practices in the field, allowing for teaching, certification, and common competence improvement. The complex and diverse nature of project management has led to various communities of practice

The ISO 31000:2009 Risk Management Standard

The ISO 31000:2009 Risk Management Standard was created to be widely applicable across contexts and projects (International Organization for Standardization, 2009). The International Organization for Standardization (ISO) has developed and released a number of highly popular standards, most notably ISO 9000 for quality management, and ISO 14000 for environmental management (Heras-Saizarbitoria and Boiral, 2013, Anttila, 1992, Su et al., 2015). Given the high reputation and wide acceptance of

Survey of engineering practitioners

The goal of this work is to empirically investigate the effectiveness of the ISO 31000 risk management principles in the engineering industry. As a means of collecting empirical evidence, we conducted a large-scale survey of engineering practitioners (Oehmen et al., 2014). The survey was distributed to six major aerospace and defense organizations and one government risk management function. To gain responses from a wider variety of practitioners and organizations, the survey was also

Results

Table 2 presents the responses to the survey questions regarding the ISO 31000 Risk Management principles. The respondents were asked to “Please indicate your assessment of the way risk management was executed [on this project].” The principles were phrased in the active style, for example “Our risk management creates and protects value.” The respondents were asked to respond on a 5-point scale, from “Strongly disagree” to “Strongly agree.”

A review of the distributions presented in Table 2

Discussion

We discuss the results of the survey analysis in two parts: first, the implications of the associations among the eleven ISO risk management principles, and second, the relationship revealed between the principles and project outcomes.

Conclusions

Risk management is increasingly seen in industry as a tool for improving engineering project success, but practices remain ad hoc and non-standardized. Yet there is evidence to suggest that a one-size-fits-all approach to risk management best practice is not the right choice, given the complexity and diversity of modern projects. The new ISO 31000 risk management standard was introduced with the promise of universal applicability and included eleven principles for effective risk management. The

Conflict of interest

The authors declare that they have no conflict of interest with regard to this paper.

Acknowledgments

The authors would like to thank the King Fahd University of Petroleum and Minerals in Dhahran, Saudi Arabia, for funding the research reported in this paper through the Center for Clean Water and Clean Energy at MIT and KFUPM under R11-DMN-09. We are also very grateful to the members of our industry focus group, benchmarking partners, professional organizations and academic partners that helped us develop, test and disseminate the survey, most notably AFIT, Futron, INCOSE and NDIA.

References (42)

  • J. Mu et al. Effect of risk management strategy on NPD performance. Technovation (2009)
  • J. Oehmen et al. Analysis of the effect of risk management practices on the performance of new product development programs. Technovation (2014)
  • K.E. Papke-Shields et al. Do project managers practice what they preach, and does it matter to project success? Int. J. Proj. Manag. (2010)
  • O. Perminova et al. Defining uncertainty in projects: a new perspective. Int. J. Proj. Manag. (2008)
  • T. Raz et al. Use and benefits of tools for project risk management. Int. J. Proj. Manag. (2001)
  • H.-C. Su et al. A competitive advantage from the implementation timing of ISO management standards. J. Oper. Manag. (2015)
  • I. Wirth et al. Preliminary comparison of six efforts to document the project-management body of knowledge. Int. J. Proj. Manag. (1995)
  • N. Brunsson et al. The dynamics of standardization: three perspectives on standards in organization studies. Organ. Stud. (2012)
  • DoD. Risk Management Guide for DoD Acquisition (2006)
  • K.P. Grant et al. Project management maturity: an assessment of project management capabilities among and between selected industries. IEEE Trans. Eng. Manag. (2006)
  • I. Heras-Saizarbitoria et al. ISO 9001 and ISO 14001: towards a research agenda on management system standards. Int. J. Manag. Rev. (2013)