The professionalization of risk management: What role can the ISO 31000 risk management principles play?
Introduction
Risk management is increasingly seen as a means of improving the likelihood of success in the complex, multi-functional and challenging task of managing engineering and product development projects. Studies show that project risks affect outcomes in a number of industries (Wallace and Keil, 2004; Mishra et al., 2016). Yet studies have shown that risk management practices are poorly adopted by project managers (Kutsch and Hall, 2009; Raz et al., 2002; Grant and Pennypacker, 2006; Ibbs and Kwak, 2000; Papke-Shields et al., 2010). How do project managers decide which risk management practices to engage in, and how can they have confidence in the value of investing in such processes?
Given the increasing ad hoc implementation of risk management practices by project managers, the under-usage of existing methods due to lack of legitimacy, and thus the search for and generation of numerous prescriptive guidelines, we recognize the need for studies that validate methods for project risk management, and lead to professionalization of the field. But we must balance this search for validation of prescriptive methods with the warnings of the contingency point of view, and avoid a one-size-fits-all solution.
In this paper we propose the use of risk management principles as an alternative to specific practices or tools. We argue that these principles provide guidance to project managers in establishing a risk management process, while recognizing that each project is different. We seek to explore the potential of one set of such risk management principles in this work. This study reports the results of an empirical investigation, in the engineering and product development context, of the effectiveness of the principles included in one promising standard: the ISO 31000:2009 Risk Management guideline.
Literature review
We begin with a discussion of the state of professionalization of project risk management. The establishment of a formal body of knowledge is seen as a critical step towards professionalization of a field (Wirth and Tryloff, 1995). This body of knowledge provides a common understanding of industry best practices in the field, allowing for teaching, certification, and common competence improvement. The complex and diverse nature of project management has led to various communities of practice
The ISO 31000:2009 Risk Management Standard
The ISO 31000:2009 Risk Management Standard was created to be widely applicable across contexts and projects (International Organization for Standardization, 2009). The International Organization for Standardization (ISO) has developed and released a number of highly popular standards, most notably ISO 9000 for quality management, and ISO 14000 for environmental management (Heras-Saizarbitoria and Boiral, 2013; Anttila, 1992; Su et al., 2015). Given the high reputation and wide acceptance of
Survey of engineering practitioners
The goal of this work is to empirically investigate the effectiveness of the ISO 31000 risk management principles in the engineering industry. As a means of collecting empirical evidence, we conducted a large-scale survey of engineering practitioners (Oehmen et al., 2014). The survey was distributed to six major aerospace and defense organizations and one government risk management function. To gain responses from a wider variety of practitioners and organizations, the survey was also
Results
Table 2 presents the responses to the survey questions regarding the ISO 31000 Risk Management principles. The respondents were asked to “Please indicate your assessment of the way risk management was executed [on this project].” The principles were phrased in the active style, for example “Our risk management creates and protects value.” The respondents were asked to respond on a 5-point scale, from “Strongly disagree” to “Strongly agree.”
A review of the distributions presented in Table 2
Discussion
We discuss the results of the survey analysis in two parts: first, the implications of the associations between the 11 ISO risk management principles, and next, the revealed relationship between the principles and project outcomes.
Conclusions
Risk management is increasingly seen in industry as a tool for improving engineering project success, but practices remain ad hoc and non-standardized. Yet there is evidence to suggest that a one-size-fits-all approach to risk management best practice is not the right choice, given the complexity and diversity of modern projects. The new ISO 31000 risk management standard was introduced with the promise of universal applicability and included eleven principles for effective risk management. The
Conflict of interest
The authors declare that we have no conflict of interest with regard to this paper.
Acknowledgments
The authors would like to thank the King Fahd University of Petroleum and Minerals in Dhahran, Saudi Arabia, for funding the research reported in this paper through the Center for Clean Water and Clean Energy at MIT and KFUPM under R11-DMN-09. We are also very grateful to the members of our industry focus group, benchmarking partners, professional organizations and academic partners that helped us develop, test and disseminate the survey, most notably AFIT, Futron, INCOSE and NDIA.
References (42)
Standardization of quality management and quality assurance: a project viewpoint. Int. J. Proj. Manag. (1992)
On the new ISO guide on risk management terminology. Reliab. Eng. Syst. Saf. (2011)
Institutional development, divergence and change in the discipline of project management. Int. J. Proj. Manag. (2016)
Does risk management contribute to IT project success? A meta-analysis of empirical evidence. Int. J. Proj. Manag. (2010)
Developing a project-management body-of-knowledge document: the US Project Management Institute's approach, 1983–94. Int. J. Proj. Manag. (1995)
Framing of project critical success factors by a systems model. Int. J. Proj. Manag. (2006)
The effects of project uncertainty and risk management on IS development project performance: a vendor perspective. Int. J. Proj. Manag. (2011)
Standardized project management may increase development projects success. Int. J. Proj. Manag. (2005)
Exploring program management competences for various program types. Int. J. Proj. Manag. (2016)
Exploring the role of formal bodies of knowledge in defining a profession — the case of project management. Int. J. Proj. Manag. (2006)
Effect of risk management strategy on NPD performance. Technovation
Analysis of the effect of risk management practices on the performance of new product development programs. Technovation
Do project managers practice what they preach, and does it matter to project success? Int. J. Proj. Manag.
Defining uncertainty in projects — a new perspective. Int. J. Proj. Manag.
Use and benefits of tools for project risk management. Int. J. Proj. Manag.
A competitive advantage from the implementation timing of ISO management standards. J. Oper. Manag.
Preliminary comparison of six efforts to document the project-management body of knowledge. Int. J. Proj. Manag.
The dynamics of standardization: three perspectives on standards in organization studies. Organ. Stud.
Risk Management Guide for DoD Acquisition
Project management maturity: an assessment of project management capabilities among and between selected industries. IEEE Trans. Eng. Manag.
ISO 9001 and ISO 14001: towards a research agenda on management system standards*. Int. J. Manag. Rev.