risk management strategy for research project

• Contact sales

Start free trial

The Risk Management Process in Project Management

When you start the planning process for a project, one of the first things you need to think about is: what can go wrong? It sounds negative, but pragmatic project managers know this type of thinking is preventative. Issues will inevitably come up, and you need a mitigation strategy in place to know how to manage risks when project planning .

But how do you work towards resolving the unknown? It sounds like a philosophical paradox, but don’t worry—there are practical steps you can take. In this article, we’ll discuss strategies that let you get a glimpse at potential risks, so you can identify and track risks on your project.

What Is Risk Management on Projects?

Project risk management is the process of identifying, analyzing and responding to any risk that arises over the life cycle of a project to help the project remain on track and meet its goal. Risk management isn’t reactive only; it should be part of the planning process to figure out the risk that might happen in the project and how to control that risk if it in fact occurs.

A risk is anything that could potentially impact your project’s timeline, performance or budget. Risks are potentialities, and in a project management context, if they become realities, they then become classified as “issues” that must be addressed with a risk response plan . So risk management, then, is the process of identifying, categorizing, prioritizing and planning for risks before they become issues.

Risk management can mean different things on different types of projects. On large-scale projects, risk management strategies might include extensive detailed planning for each risk to ensure mitigation strategies are in place if project issues arise. For smaller projects, risk management might mean a simple, prioritized list of high, medium and low-priority risks.

Get your free

Risk Matrix Template

Use this free Risk Matrix Template for Excel to manage your projects better.

How to Manage Project Risk

To begin managing risk, it’s crucial to start with a clear and precise definition of what your project has been tasked to deliver. In other words, write a very detailed project charter , with your project vision, objectives, scope and deliverables. This way risks can be identified at every stage of the project. Then you’ll want to engage your team early in identifying any and all risks.

Don’t be afraid to get more than just your team involved to identify and prioritize risks, too. Many project managers simply email their project team and ask to send them things they think might go wrong on the project. But to better plot project risk, you should get the entire project team, your client’s representatives, and vendors into a room together and do a risk identification session.

With every risk you define, you’ll want to log it somewhere—using a risk tracking template helps you prioritize the level of risk. Then, create a risk management plan to capture the negative and positive impacts of the project and what actions you will take to deal with them. You’ll want to set up regular meetings to monitor risk while your project is ongoing. Transparency is critical.

Project management software can help you keep track of risk. ProjectManager is online software that helps you identify risks, track them and calculate their impact. With our Risk view, you can make a risk list with your team and stay on top of all the risks within your project. Write a description, add tags, identify a resolution, mark impact and likelihood, even see a risk matrix—all in one place. Get started today with a free trial.

What Is Positive Risk In Project Management?

Not all risk is created equally. Risk can be either positive or negative, though most people assume risks are inherently the latter. Where negative risk implies something unwanted that has the potential to irreparably damage a project, positive risks are opportunities that can affect the project in beneficial ways.

Negative risks are part of your risk management plan, just as positive risks should be, but the difference is in approach. You manage and account for known negative risks to neuter their impact, but positive risks can also be managed to take full advantage of them.

There are many examples of positive risks in projects: you could complete the project early; you could acquire more customers than you accounted for; you could imagine how a delay in shipping might open up a potential window for better marketing opportunities, etc. It’s important to note, though, that these definitions are not etched in stone. Positive risk can quickly turn to negative risk and vice versa, so you must be sure to plan for all eventualities with your team.

Managing Risk Throughout the Organization

Can your organization also improve by adopting risk management into its daily routine? Yes! Building a risk management protocol into your organization’s culture by creating a consistent set of risk management tools and templates, with training, can reduce overhead over time. That way, each time you start a new project, it won’t be like having to reinvent the wheel.

Things such as your organization’s records and history are an archive of knowledge that can help you learn from that experience when approaching risk in a new project. Also, by adopting the attitudes and values of your organization to become more aware of risk, your organization can develop a risk culture . With improved governance comes better planning, strategy, policy and decisions.

Free Risk Matrix Template

To manage project risks throughout your organization, it’s important to create a risk matrix. A risk matrix is going to help you organize your risks by severity and likelihood, so you can stay on top of potential issues that threaten the greatest impact. Try this free risk matrix template for Excel so you and your team can organize project risks.

6 Steps in the Risk Management Process

So, how do you handle something as seemingly elusive as project risk management? You make a risk management plan. It’s all about the process. Turn disadvantages into an advantage by following these six steps.

Identify the Risk

You can’t resolve a risk if you don’t know what it is. There are many ways to identify risk. As you do go through this step, you’ll want to collect the data in a risk register .

One way is brainstorming with your team, colleagues or stakeholders. Find the individuals with relevant experience and set up interviews so you can gather the information you’ll need to both identify and resolve the risks. Think of the many things that can go wrong. Note them. Do the same with historical data on past projects. Now your list of potential risks has grown.

Make sure the risks are rooted in the cause of a problem. Basically, drill down to the root cause to see if the risk is one that will have the kind of impact on your project that needs identifying. When trying to minimize risk, it’s good to trust your intuition. This can point you to unlikely scenarios that you just assume couldn’t happen. Use a risk breakdown structure process to weed out risks from non-risks.

Analyze the Risk

Analyzing risk is hard. There is never enough information you can gather. Of course, a lot of that data is complex, but most industries have best practices, which can help you with your risk analysis . You might be surprised to discover that your company already has a framework for this process.

When you assess project risk you can ultimately and proactively address many impacts, such as avoiding potential litigation, addressing regulatory issues, complying with new legislation, reducing your exposure and minimizing impact.

So, how do you analyze risk in your project? Through qualitative and quantitative risk analysis, you can determine how the risk is going to impact your schedule and budget.

Project management software helps you analyze risk by monitoring your project. ProjectManager takes that one step further with real-time dashboards that display live data. Unlike other software tools, you don’t have to set up our dashboard. It’s ready to give you a high-level view of your project from the get-go. We calculate the live date and then display it for you in easy-to-read graphs and charts. Catch issues faster as you monitor time, costs and more.

Prioritize Risks & Issues

Not all risks are created equally. You need to evaluate the risk to know what resources you’re going to assemble towards resolving it when and if it occurs.

Having a large list of risks can be daunting. But you can manage this by simply categorizing risks as high, medium or low. Now there’s a horizon line and you can see the risk in context. With this perspective, you can begin to plan for how and when you’ll address these risks. Then, if risks become issues, it’s advisable to keep an issue log so you can keep track of each of them and implement corrective actions.

Some risks are going to require immediate attention. These are the risks that can derail your project. Failure isn’t an option. Other risks are important, but perhaps do not threaten the success of your project. You can act accordingly. Then there are those risks that have little to no impact on the overall project’s schedule and budget . Some of these low-priority risks might be important, but not enough to waste time on.

Assign an Owner to the Risk

All your hard work identifying and evaluating risk is for naught if you don’t assign someone to oversee the risk. In fact, this is something that you should do when listing the risks. Who is the person who is responsible for that risk, identifying it when and if it should occur and then leading the work toward resolving it?

That determination is up to you. There might be a team member who is more skilled or experienced in the risk. Then that person should lead the charge to resolve it. Or it might just be an arbitrary choice. Of course, it’s better to assign the task to the right person, but equally important in making sure that every risk has a person responsible for it.

Think about it. If you don’t give each risk a person tasked with watching out for it, and then dealing with resolving it when and if it should arise, you’re opening yourself up to more risk. It’s one thing to identify risk, but if you don’t manage it then you’re not protecting the project.

Respond to the Risk

Now the rubber hits the road. You’ve found a risk. All that planning you’ve done is going to be put to use. First, you need to know if this is a positive or negative risk. Is it something you could exploit for the betterment of the project? If not you need to deploy a risk mitigation strategy .

A risk mitigation strategy is simply a contingency plan to minimize the impact of a project risk. You then act on the risk by how you prioritize it. You have communications with the risk owner and, together, decide on which of the plans you created to implement to resolve the risk.

Monitor the Risk

You can’t just set forces against risk without tracking the progress of that initiative. That’s where the monitoring comes in. Whoever owns the risk will be responsible for tracking its progress towards resolution. However, you’ll need to stay updated to have an accurate picture of the project’s overall progress to identify and monitor new risks.

You’ll want to set up a series of project meetings to manage the risks. Make sure you’ve already decided on the means of communication to do this. It’s best to have various channels dedicated to communication.

Whatever you choose to do, remember to always be transparent. It’s best if everyone in the project knows what is going on, so they know what to be on the lookout for and help manage the process.

In the video below, Jennifer Bridges, professional project manager (PMP) dives deeper into the steps in the risk management process.

Risk Management Templates

We’ve created dozens of free project management templates for Excel and Word to help you manage projects. Here are some of our risk management templates to help you as you go through the process of identifying, analyzing, prioritizing and responding to risks.

Risk Register Template

A risk register is a risk management document that allows project managers to identify and keep track of potential project risks. Using a risk register to list down project risks is one of the first steps in the risk management process and one of the most important because it sets the stage for future risk management activities.

A risk matrix is a project management tool that allows project managers to analyze the likelihood and potential impact of project risks. This helps them prioritize project risks and build a risk mitigation plan to respond to those risks if they were to occur.

Managing Risk With ProjectManager

Using a risk-tracking template is a start, but to gain even more control over your project risks you’ll want to use project management software. ProjectManager has a number of tools including risk management that let you address risks at every phase of a project.

Make an Online Risk Register

Identify and track all the risks for your project in one place. Unlike other project management software, you can manage risks alongside your project rather than in a separate tool. Set due dates, mark priority, identify resolutions and more.

Gantt Charts for Risk Management Plans

Use our award-winning Gantt charts to create detailed risk management plans to prevent risks from becoming issues. Schedule, assign and monitor project tasks with full visibility. Gantt charts allow team members add comments and files to their assigned tasks, so all the communication happens on the project level—in real time.

Risk management is complicated. A risk register or template is a good start, but you’re going to want robust project management software to facilitate the process of risk management. ProjectManager is an online tool that fosters the collaborative environment you need to get risks resolved, as well as provides real-time information, so you’re always acting on accurate data. Try it yourself and see, take this free 30-day trial.

Deliver your projects on time and on budget

Start planning your projects.

Thank you for visiting nature.com. You are using a browser version with limited support for CSS. To obtain the best experience, we recommend you use a more up to date browser (or turn off compatibility mode in Internet Explorer). In the meantime, to ensure continued support, we are displaying the site without styles and JavaScript.

• View all journals
• My Account Login
• Explore content
• About the journal
• Publish with us
• Sign up for alerts
• Open access
• Published: 22 April 2024

A method for managing scientific research project resource conflicts and predicting risks using BP neural networks

• Xuying Dong 1 &
• Wanlin Qiu 1  

Scientific Reports volume  14 , Article number:  9238 ( 2024 ) Cite this article

227 Accesses

Metrics details

• Computer science
• Engineering

This study begins by considering the resource-sharing characteristics of scientific research projects to address the issues of resource misalignment and conflict in scientific research project management. It comprehensively evaluates the tangible and intangible resources required during project execution and establishes a resource conflict risk index system. Subsequently, a resource conflict risk management model for scientific research projects is developed using Back Propagation (BP) neural networks. This model incorporates the Dropout regularization technique to enhance the generalization capacity of the BP neural network. Leveraging the BP neural network’s non-linear fitting capabilities, it captures the intricate relationship between project resource demand and supply. Additionally, the model employs self-learning to continuously adapt to new scenarios based on historical data, enabling more precise resource conflict risk assessments. Finally, the model’s performance is analyzed. The results reveal that risks in scientific research project management primarily fall into six categories: material, equipment, personnel, financial, time, and organizational factors. This study’s model algorithm exhibits the highest accuracy in predicting time-related risks, achieving 97.21%, surpassing convolutional neural network algorithms. Furthermore, the Root Mean Squared Error of the model algorithm remains stable at approximately 0.03, regardless of the number of hidden layer neurons, demonstrating excellent fitting capabilities. The developed BP neural network risk prediction framework in this study, while not directly influencing resource utilization efficiency or mitigating resource conflicts, aims to offer robust data support for research project managers when making decisions on resource allocation. The framework provides valuable insights through sensitivity analysis of organizational risks and other factors, with their relative importance reaching up to 20%. Further research should focus on defining specific strategies for various risk factors to effectively enhance resource utilization efficiency and manage resource conflicts.

Similar content being viewed by others

Highly accurate protein structure prediction with AlphaFold

Artificial intelligence in surgery

The role of artificial intelligence in achieving the Sustainable Development Goals

Introduction.

In the twenty-first century, driven by rapid technological innovation and a substantial increase in research funding, the number of scientific research projects has experienced exponential growth. These projects, serving as pivotal drivers of scientific and technological advancement, encompass a wide array of domains, including natural sciences, engineering, medicine, and social sciences, among others. This extensive spectrum attracts participation from diverse researchers and institutions 1 , 2 . However, this burgeoning landscape of scientific research projects brings forth a set of accompanying challenges and predicaments. Foremost among these challenges is the persistent issue of resource scarcity and the diversity of project requirements. This quandary poses a formidable obstacle to the management and execution of scientific research initiatives. It not only impacts the project’s quality and efficiency but can also cast a shadow on an organization’s reputation and the output of its research endeavors 3 , 4 , 5 . For instance, when two university research projects concurrently require the use of a specific instrument with limited availability or in need of maintenance, it may result in both projects being unable to proceed as planned, leading to resource conflicts. Similarly, competition for research funding from the same source can introduce conflicts in resource allocation decisions by the approval authority. These issues are widespread in research projects, and surveys indicate that project delays or budget overruns due to improper resource allocation are common in scientific research. For example, a study on research projects funded by the National Institutes of Health in the United States revealed that approximately 30% of projects faced delays due to improper resource allocation. In Europe, statistics from the European Union’s Framework Programme for Science and Innovation indicate that resource conflicts have impeded about 20% of transnational collaborative research projects from achieving their established research objectives on time. Furthermore, scientific research projects encompass a spectrum of resource requirements essential for their seamless progression, including but not limited to materials, equipment, skilled personnel, adequate funding, and time 6 . The predicament arises when multiple research initiatives necessitate identical or analogous resources simultaneously, creating a challenge for organizations to provide equitable support during peak demand periods. To mitigate the risks associated with resource conflicts, organizations must continually administer their resource allocation and strike a harmonious equilibrium between resource requisites and their availability 7 .

The Back Propagation (BP) neural network, as a prominent deep learning algorithm, boasts exceptional data processing capabilities. Notably, neural networks possess the capacity to swiftly process extensive datasets and extract intricate mapping relationships within data, rendering them versatile tools employed across various domains, including project evaluation, risk assessment, and cost prediction 8 , 9 . Scientific research project management constitutes a dynamic process. As projects advance and environmental factors evolve, the risk landscape may undergo continuous transformation 10 . The BP neural network’s inherent self-learning ability empowers it to iteratively update its model based on fresh data, enabling seamless adaptation to new circumstances and changes, thereby preserving the model’s real-time relevance 11 . In conclusion, this approach is poised to enhance project management efficiency and quality, mitigate risks, and foster the potential for the successful realization of scientific research projects.

The primary objective of this study is to formulate an evaluation and risk prediction framework for scientific research project management utilizing the BP neural network. This framework aims to address the issues associated with resource discrepancies and conflicts within the realm of scientific research project management. This study addresses the primary inquiry: What types of resource conflict risks exist in scientific research project management? An extensive literature review and empirical data analysis are conducted to answer this question, identifying six main risk categories: materials, equipment, personnel, finance, time, and organizational factors. A comprehensive resource conflict risk index system is constructed based on these categories. To quantitatively assess the importance of different resource conflict risk factors, the Analytic Hierarchy Process (AHP) is employed. This method allowed for the quantification of the influence of each risk factor objectively and accurately by constructing judgment matrices and calculating the weights of each factor. Subsequently, exploration is conducted into the utilization of BP neural networks to construct a resource conflict risk management model for scientific research projects. A BP neural network model is developed incorporating Dropout technology to capture complex correlations between project resource demand and supply. This model self-learns to adapt to new scenarios in historical data, thereby improving prediction accuracy. Research project data is collected from several universities in Xi’an from September 2021 to March 2023 to validate the effectiveness and accuracy of the proposed model. This data is utilized to train and test the model, and its performance is compared with other advanced algorithms such as CNN and BiLSTM. The evaluation is based on two key metrics: accuracy and root mean square error (RMSE), demonstrating excellent fitting ability and prediction accuracy.

The innovation introduced in this study is rooted in the recognition that the proliferation of scientific research initiatives can precipitate resource conflicts and competition, potentially leading to adverse outcomes such as project failure or resource inefficiency. This study harnesses a multi-layer BP neural network as its central computational tool, concomitantly incorporating the establishment of a resource conflict risk index system. This comprehensive model for evaluating and predicting the risks in scientific research project management takes into account both the resource conflict risk index system and the intrinsic characteristics of the BP neural network. This combined approach serves to enhance the efficiency of managing scientific research projects, curtail resource wastage, mitigate the risk of resource conflicts, and ultimately furnish robust support for the enduring success of scientific research endeavors.

Related work

Current research landscape in scientific research project management.

Scientific research projects hold a pivotal role in advancing scientific and technological frontiers, fostering knowledge generation, and driving innovation. Effective project management in this context ensures the timely delivery, adherence to budgetary constraints, and attainment of predefined quality standards. Numerous scholars have contributed to the body of knowledge concerning scientific research project management. Significant risks in scientific research project management include improper resource allocation, time delays, budget overruns, and collaboration challenges. For instance, concerning time management, Khiat 12 illustrated that insufficient project planning or external factors often hinder project deadlines. Regarding financial management, Gao 13 highlighted the lack of transparency in fund allocation and unreasonable budgeting, leading to unnecessary research cost overruns. Previous studies have predominantly concentrated on developing diverse methodologies and tools to identify and assess potential risks in scientific research projects. For instance, quantitative models have been employed by researchers like Jeong et al. 14 to evaluate project failure probabilities and devise corresponding risk mitigation strategies. Concurrently, Matel et al. 15 utilized artificial intelligence (AI), including neural networks and machine learning, to conduct comprehensive analyses of project data and predict potential issues throughout project progression.

The preceding studies offer essential groundwork and insights for the scientific research project management discussed in this study. They illuminate key risks encountered in scientific research project management, including inadequate resource allocation, time constraints, budgetary overruns, and collaboration hurdles. These risks are pervasive in scientific research project management, directly impacting project execution efficiency and outcomes. Moreover, these studies furnish empirical data and case studies, elucidating the underlying causes and mechanisms of these risks. For example, the research conducted by Khiat and Gao offers a nuanced understanding of risk factors, enriching the comprehension of the challenges in scientific research project management. Additionally, these studies introduce diverse methods and tools for identifying and evaluating potential risks in scientific research projects. For instance, the works of Jeong et al. and Matel et al. utilize quantitative models and artificial intelligence techniques to comprehensively analyze project data and forecast potential issues in project advancement. These methodologies and tools serve as valuable resources for constructing the research framework and methodologies in this study. Despite the commendable strides made in employing multidisciplinary approaches to address the challenges posed by scientific research project management, the issues related to resource allocation conflicts and quality assurance during project implementation remain fertile ground for future exploration and active investigation.

Application of BP neural network in project risk and resource management

BP neural networks are renowned for their non-linear fitting and self-learning capabilities, rendering them invaluable for discerning intricate relationships and patterns in project management. Their applications span diverse areas, including resource allocation, risk assessment, schedule forecasting, cost estimation, and more, culminating in heightened efficiency and precision within project management practices. Numerous scholars have ventured into the realm of BP neural network applications within project management. Zhang et al. 16 introduced a real-time network attack detection method underpinned by deep belief networks and support vector machines. Their findings underscore the method’s potential for bolstering network security risk management, extending novel data security safeguards to scientific research project management. Gong et al. 17 devised an AI-driven human resources management system. This system autonomously evaluates employee performance and needs, proffering intelligent managerial recommendations. Bai et al. 18 harnessed BP neural networks to tackle the intricate challenge of selecting service providers for project management portfolios. Leveraging neural networks, they prognosticate the performance of diverse service providers, lending support to project management decision-making. Sivakumar et al. 19 harnessed BP neural networks to prognosticate the prioritization of production facilities in the bus body manufacturing sector. Their work serves as an illustrative testament to the potential of neural networks in the production and resource allocation facets of scientific project management. Liu et al. 20 undertook an analysis of the influential factors and early warning signs pertaining to construction workers’ safety conditions. This investigation underscores the profound implications of neural networks in safety management within the context of engineering and construction project management. Li et al. 21 harnessed optimized BP neural networks to anticipate risks in the financial management arena of listed companies. Their outcomes underscore the utility of neural networks in financial management, providing an exemplar of a risk assessment tool for scientific research project management.

The comprehensive analysis of the aforementioned studies reveals that BP neural networks exhibit substantial capabilities in scrutinizing historical project data, discerning intricate resource demand–supply dynamics, and offering valuable insights for project management decisions and optimizations. These applications underscore the potential of BP neural networks as indispensable tools within the project management domain. Nonetheless, several challenges persist, particularly concerning the real-time adaptability of BP neural networks and their capacity to cater to dynamic project management requisites.

Research in the field of scientific research project resource management and risk prediction

Within the realm of scientific research project resource management and risk prediction, various studies by notable scholars warrant attention. Jehi et al. 22 employed statistical models for risk prediction but overlooked the intricate resource conflict relationships within scientific research projects. Efficient project resource management and accurate risk prediction are pivotal for ensuring smooth project execution and attaining desired outcomes. Asamoah et al. elucidated that scientific research projects necessitate both tangible and intangible resources 23 , encompassing materials, equipment, personnel, funding, and time. The judicious allocation and optimal utilization of these resources significantly influence project progress and outcomes. Misallocation of resources can lead to setbacks such as project delays and budget overruns. Meanwhile, Zwikael et al. identified organizational culture, awareness, support, rewards, and incentive programs as key drivers impacting the effective management of scientific research project benefits 24 . These risks can profoundly affect project advancement and outcomes, underscoring the importance of accurate prediction and adept management. Farooq et al. advocated for scientific project management, emphasizing the need for enhanced risk management strategies and management efficacy to foster sustainable enterprise development 25 .

In conclusion, studies on project resource management and risk prediction encompass diverse facets, including resource allocation, risk assessment, and model development. These efforts offer essential theoretical and methodological underpinnings for the effective execution of scientific research endeavors. Given the ongoing expansion and growing complexity of scientific projects, further research on resource management and risk prediction is imperative to navigate increasingly intricate circumstances.

A comprehensive review of methods employed in scientific research project management and risk assessment reveals a predominant focus on quantitative analysis, qualitative research, and the integration of AI techniques. In particular, the utilization of BP neural networks, as demonstrated in studies such as Sivakumar et al., Liu et al., and Li et al., underscores their capacity to furnish real-time data analysis and decision-making support for project managers. However, it remains evident that challenges persist in harnessing the full potential of BP neural networks in terms of real-time adaptability and resource allocation within the multifaceted landscape of dynamic project management. Hence, this study accentuates the existing methodological challenges associated with resource conflict resolution, risk management, and overall scientific research project management. Through the optimization and refinement of BP neural network applications in risk assessment, this study strives to furnish organizations with effective decision-making tools. Ultimately, the insights gleaned from this study aim to serve as a valuable reference for scientific research project managers as they navigate the complexities of project risk management.

Prediction method for scientific research project management risks based on the BP neural network

Analysis of the construction of a scientific research project management risk system.

Scientific research project management constitutes a specialized discipline encompassing the planning, organization, execution, and oversight of scientific research endeavors. Its primary objective is to facilitate the effective attainment of research objectives and anticipated outcomes. The overarching aim of scientific research project management is to optimize resource allocation, schedule planning, and risk mitigation, thereby ensuring the successful culmination of research projects 26 , 27 . A visual representation of the fundamental task processes integral to scientific research project management is depicted in Fig.  1 .

Schematic representation of key scientific research project management tasks.

Scientific research project management, as illustrated in Fig.  1 , constitutes an essential framework to ensure the efficient and organized execution of scientific research endeavors. It encompasses four core phases: project planning and initiation, project execution and monitoring, project closure and summarization, and project communication and feedback 28 . The meticulous determination of project requisites is of particular significance, encompassing financial resources, personnel, equipment, materials, and more. Failure to ensure the effective utilization and judicious allocation of these resources during project management may introduce the risk of hindrances in the smooth progress and achievement of the research project’s envisioned objectives.

Ongoing scientific research projects necessitate an array of resources, encompassing both tangible assets such as materials, equipment, and funds, and intangible elements like time, personnel expertise, and organizational support 29 , 30 . These resources are intricately interwoven within scientific research projects and collectively influence project success. However, when confronted with limited total resources, resource conflicts can arise when multiple projects vie for the utilization of the same resources. Consequently, this study has devised a resource conflict risk index system tailored for the management of scientific research projects. This system stratifies risks according to the categories of resources implicated in the project implementation process, as depicted in Fig.  2 . In this study, ensuring the representativeness and comprehensiveness of risk assessment for resource conflicts in scientific research project management is pivotal. A multifaceted and systematic approach is adopted to define risk categories. A comprehensive literature review initially identifies common resource conflicts in scientific research project management. Subsequently, through interviews and surveys with industry research project managers, firsthand information on specific challenges and risk factors encountered during project execution is collected. Additionally, referencing international standards and best practices ensures the authority and applicability of risk classification. The outcome of these efforts is illustrated in Fig.  2 , showcasing a meticulously designed resource conflict risk index system. It encompasses six major categories: equipment risk, material risk, personnel risk, financial risk, time risk, and organizational risk, further subdivided into 17 specific sub-items. Acknowledging the complexity and diversity of research projects, it is recognized that, despite efforts made, other potential risks may not be included in the current model. A dynamic iterative approach is proposed to address this challenge, integrate additional risk factors, and continuously optimize the model. Specific steps are outlined to enhance the model’s capabilities. Firstly, establishing a monitoring system to regularly collect user feedback and industry updates allows the prompt discovery and incorporation of new risk factors. Simultaneously, closely monitoring the latest research findings in the domestic and international scientific research project management field ensures the continuous integration of new discoveries from academia. Additionally, a dedicated team conducts regular in-depth reviews of the existing risk index system, adding, deleting, or adjusting the weights of risk factors as needed based on actual requirements. This process enables the model to better adapt to the current project management environment and future trends. Secondly, utilizing the newly integrated dataset to cross-validate the model ensures that the newly added risk factors are appropriately assessed and predicted. By comparing the performance of different versions of the model, a more accurate measurement of the effects of optimization is achieved. Finally, research project managers are encouraged to provide real-time feedback, including the model’s performance in actual applications, overlooked risk points, and improvement suggestions, enhancing the model’s usability and reliability. These methods aim to construct a more refined, flexible, and adaptable scientific research project risk assessment model that continuously evolves to meet changing needs. Through continuous optimization and improvement, this model is believed to more effectively assist project managers in making risk-based decisions and promote the success rate of scientific research projects.

Resource conflict risk indicator system for scientific research project management.

As depicted in Fig.  2 , this risk system underscores the significance of material quality and timely supply in project execution. The establishment of this resource conflict risk indicator system forms a fundamental basis for subsequent model development and risk forecasting, empowering project managers to gain comprehensive insights into and effectively manage resource conflict risks.

Weight analysis process using APH for the risk indicator system

The AHP is primarily employed for the comprehensive analysis of multifaceted problem systems, involving the segmentation of interrelated factors into hierarchical levels. It subsequently facilitates objective assessments at each tier. This method typically deconstructs problems into a tripartite structure comprising the following levels: the objective layer (highest), the criteria layer (intermediate), and the indicator layer (fundamental) 31 , 32 . In this context, the objective layer pertains to the project’s resource conflict risk, which represents the core challenge addressed by this structural model. The criteria layer provides an initial decomposition of the objective layer and establishes the foundational logical framework for third-level indicators. The indicator layer encompasses risk factors, specifically, the potential triggers for resource conflict risks. The weight analysis process, employing the AHP for the risk indicator system, is delineated in Fig.  3 .

Weight analysis process of applying the hierarchical analysis method to the risk indicator system.

In Fig.  3 , the application of the AHP to the weight analysis of the scientific research project management risk indicator system follows a general procedure: sequentially defining individual problems, creating a hierarchical structural model, constructing pairwise comparison matrices, performing hierarchical ranking calculations and consistency tests, and finally, selecting evaluation criteria systematically for assessment.

The initial step involves breaking down the intricate problem into distinct components, creating a hierarchical structure model comprising the target layer, criterion layer, and indicator layer.

In this phase, the assessment of relative importance between elements leads to the formation of a pairwise comparison judgment matrix, denoted as matrix A , as depicted in Eq. ( 1 ).

In Eq. ( 1 ), \(a_{ij} > 0\) , \(a_{ji} = 1/a_{ij}\) , and \(a_{ii} = 1\) .

The AHP calculations are performed following the classic methodology proposed by Rehman 33 . The process begins by computing the product M i of the elements within each row, as illustrated in Eq. ( 2 ).

The next step involves calculating the n -th root of M i , as described in Eq. ( 3 ).

Next, the process involves normalizing \(W = \left[ {W_{1} ,W_{2} , \cdots ,W_{n} } \right]^{T}\) , as shown in Eq. ( 4 ).

Finally, the maximum eigenvalue \(\lambda_{\max }\) is calculated via Eq. ( 5 ).

The calculation of weights and the consistency test of the judgment matrix involve the use of the eigenvalue method to calculate the weight vector of the judgment matrix. This is demonstrated in Eq. ( 6 ).

In Eq. ( 6 ), \(\lambda_{\max }\) denotes the maximum characteristic root of A , Q signifies the eigenvector, and the weight vector is obtained by normalizing Q.

Continuing with the consistency testing, the weight vector must undergo evaluation for consistency. To initiate this evaluation, calculate the Consistency Index ( C.I. ) using Eq. ( 7 ).

Next, it is imperative to determine the corresponding average Random Consistency Index ( R.I. ). Subsequently, the Consistency Ratio ( C.R. ) is computed using the formula presented in Eq. ( 8 ).

If the calculated C.R. is less than 0.1, it indicates that the judgment matrix meets the prescribed consistency criteria, and the assigned weight values for each indicator are considered valid. However, if the calculated C.R. equals or exceeds 0.1, this signals the need for adjustments to the judgment matrix. To address this, the matrix is re-evaluated, and consistency checks are repeatedly performed until the matrix achieves the required level of consistency.

Analyzing the resource conflict risk management model for scientific research projects based on the BP neural network

This section focuses on predicting and evaluating the potential occurrence of various risk factors within scientific research projects. The objective is to facilitate the selection of appropriate response strategies aimed at minimizing losses stemming from risks associated with scientific research endeavors. Resource management within scientific research projects is a complex undertaking, with resource conflict risks influenced by a multitude of factors. Furthermore, as projects evolve, the risk landscape undergoes dynamic changes. In contrast to conventional statistical models, BP neural networks offer distinctive advantages. They employ a combination of forward signal propagation and reverse error-adjustment learning techniques, showcasing exceptional self-learning capabilities, distributed knowledge storage, and associative memory functions 34 . The BP neural network model, rooted in the backpropagation algorithm, evolved from the necessity to simulate biological neural systems and meet the demands of machine learning. Originating in the 1980s, it became a prominent deep learning model, continually iterating and adjusting connection weights to minimize the error between output and target. This learning mechanism allows the BP neural network to adapt to complex non-linear relationships, showcasing robust approximation and generalization capabilities. Over time, enhanced computer hardware and algorithm optimization led to widespread application and development of the BP neural network model. Algorithmically, various improvements, including the momentum method, adaptive learning rate, and regularization, were introduced to boost training speed and generalization ability, addressing challenges such as susceptibility to local minima in traditional BP algorithms. The advent of deep learning saw the integration of the BP neural network into deeper structures like ResNet and CNN, enabling it to handle more intricate tasks and data. The model’s applicability expanded across diverse domains, including image and speech recognition, natural language processing, financial forecasting, and medical diagnosis, yielding breakthrough results. Moreover, technological advancements like big data and cloud computing have enhanced the training and application efficiency of the BP neural network model, presenting new avenues for development. In conclusion, the evolution of the BP neural network model stems from algorithmic refinements, structural enhancements, and broadened applications, providing potent tools for addressing diverse practical challenges. The data transmission process of the BP neural network is illustrated in Fig.  4 .

Data transmission flow chart of the BP neural network.

Figure  4 illustrates the data transmission process in the BP neural network, highlighting forward propagation, which entails processing and transmitting received data information. This unidirectional propagation begins at the input layer, traverses through the hidden layers, and culminates in the output layer to yield the network’s overall output. Let the received input data be denoted as X  = ( x 1 , x 2 …, x n ), with ‘ n ’ signifying the number of neurons in the input layer. The connections between the input layer and the hidden layer initially possess randomized weight values. This citation is derived from Liu et al.’s recommendation 35 to prevent premature convergence to local minima during the training process. Representing the weight of the connection between the i -th neuron in the input layer and the j -th neuron in the hidden layer as W ij . The notation follows Narkhede et al.’s study 36 , which offers a comprehensive explanation of neural network fundamentals and operational principles. The information received by the hidden layer is expressed in Eq. ( 9 ).

In Eq. ( 9 ), i represents the number assigned to neurons in the input layer, ‘ j ’ pertains to the number of neurons in the hidden layer, and A  = ( a 1 , a 2 …, a m ) symbolizes the input variables received by the hidden layer. Upon receiving these variables, the hidden layer neuron transforms them into the output value of the hidden layer using the activation function. The methodology in this section draws from the research by Narengbam et al. 37 on activation functions in deep learning models. Specifically, the treatment of the output layer mirrors that of the hidden layers, and the computation of output layer neurons adheres to the methodology outlined in the cited literature.

In Eq. ( 10 ), Y  = ( y 1 , y 2 …, y m ) represents the output variables of the hidden layer. The computation method for the input and output values of the output layer parallels that of the hidden layer. The weight denoted as v jk signifies the connection between the j -th neuron in the hidden layer and the k -th neuron in the output layer. The information received by the output layer is described in Eq. ( 11 ).

The output value of the output layer neurons, once activated by the activation function, is expressed in Eq. ( 12 ).

At this juncture, the output value O denoted as \(O = \left( {o_{1} ,o_{2} , \cdots ,o_{z} } \right)\) is obtained, signifying the conclusion of the forward propagation process.

In the backpropagation process, the loss function J quantifies the error between the neural network’s output value and the true value (referring to the definition and application of the loss function in neural network optimization as articulated by Özden et al. 38 ), as illustrated in Eq. ( 13 ).

During the neural network’s training process, the weight, denoted as W , and the bias vector, denoted as b , play essential roles. The gradient descent method is employed to optimize the neural network (derived from Kumar et al.’s 39 analysis of the effectiveness of optimization algorithms in deep learning training). Each iteration within the gradient descent method updates the parameters W and b as per Eqs. ( 14 ) and ( 15 ).

where α represents the learning rate. The crucial step involves computing derivatives using backpropagation, employing the BP algorithm to calculate \(\frac{\partial }{{\partial W_{ij}^{\left( l \right)} }}J\left( {W,b;x,y} \right)\) and \(\frac{\partial }{{\partial b_{i}^{\left( l \right)} }}J\left( {W,b;x,y} \right)\) . These two components represent the derivatives of the cost function J ( W , b ; x , y ) for a single sample ( x , y ). Once this derivative is computed, deriving the derivatives of the overall cost function J ( W , b ; x , y ) becomes relatively straightforward. The calculated results are presented in Eqs. ( 16 ) and ( 17 ).

This study aims to develop a resource conflict risk management model tailored to predict and assess the resource conflict risks inherent in scientific research projects during execution. Resource conflicts arise from competition for limited resources like equipment, funding, and personnel among multiple projects. If unaddressed, these conflicts can significantly impede project progress and outcomes. The model’s specific objectives are to analyze project-related information (e.g., project scale, duration, funding, personnel allocation) to predict potential conflict points in resource allocation, enabling project managers to proactively mitigate or avoid conflicts and optimize resource utilization effectively. To achieve these objectives, we employ a BP neural network approach for model construction, chosen for its superior non-linear mapping capability and self-learning characteristics, enabling it to learn from extensive historical project data and identify complex resource conflict risk patterns. The model construction entails key steps: Data preprocessing involves cleaning and normalizing collected project data to meet model input requirements. Feature selection entails choosing highly correlated feature variables associated with resource conflict risks as model inputs based on expert knowledge and data analysis results. Model training and validation involve training the BP neural network with labeled historical project data and evaluating and optimizing model performance through techniques like cross-validation. Through these methods, the developed model accurately predicts resource conflict risks in scientific research project management, providing decision support for project managers to enhance resource utilization efficiency and foster successful project completion.

While the BP neural network possesses robust learning and non-linear fitting capabilities, inadequate training data can lead to suboptimal fitting. In some cases, the network may only excel at learning from a limited dataset, generating a mapping function (typically represented as a weight vector) that closely matches the training dataset. Consequently, it may struggle to generalize well to new data, exhibiting insufficient generalization abilities. This scenario is known as overfitting. To mitigate overfitting, this study introduces the Dropout regularization method 40 when applying the BP neural network to scientific research project risk management. The Dropout method involves freezing nodes within the input and hidden layers. It is particularly useful when specific neuron correlations in the input layer hinder continuous error convergence during training. The node freezing rate should strike a balance—not too low, as it would have an insignificant impact on the neural network, and not too high, which could lead to underfitting. Therefore, this study sets the node freezing rate for the Dropout regularization method at 50%. By incorporating the Dropout method into the BP neural network, the network topology used for managing resource conflict risks in scientific research projects, based on the BP neural network, is depicted in Fig.  5 .

Network topology based on the BP neural network applied to the resource conflict risk management model for scientific research projects.

As depicted in Fig.  5 , this model incorporates a novel approach. During each training iteration, a randomly selected set of neurons, encompassing those associated with equipment, materials, and organizational risk factors, is temporarily frozen. These frozen neurons do not participate in either the forward propagation calculations or the subsequent backpropagation error adjustments within the current training cycle. The weights connecting these neurons to others retain their previous states or revert to their initial values from the last training update. As the next training iteration commences, the neurons previously frozen are unfrozen, and a new batch of neurons is randomly chosen for freezing. This iterative process effectively bolsters the BP neural network’s ability to generalize from limited data, particularly when addressing resource conflict risk management in research projects.

The integration of the Dropout method into the BP neural network introduces further opportunities for optimization. Adjustments to the network’s depth, the number of neurons, and the choice of activation functions within the risk prediction model can be made. The specific optimization procedure for the BP neural network is outlined in Fig.  6 .

Flowchart presenting the pseudocode algorithm for optimizing the BP neural network.

Experimental evaluation

To assess the performance of the resource conflict risk management model developed in this study, a BP neural network was constructed utilizing the ‘newff’ function within MATLAB. Python was employed for data preprocessing and algorithm implementation. The training of the BP neural network involved configuring parameters for net.trainFcn and net. trainParam following network initialization. Training iterations continued until the error met the predefined performance criterion. The dataset utilized in this study consisted of research project information spanning all universities in Xi’an, China, from September 2021 to March 2023. In comprehensively evaluating the performance of the resource conflict risk management model developed in this study, the scope and objectives of data collection are first determined, focusing primarily on scientific research projects at major universities in the Xi’an area. Data sources included publicly available project records, official website information, and pertinent research project databases. The utilization of web scraping techniques facilitates automated data collection, encompassing details such as project names, principal investigators, start and completion dates, funding particulars, research areas, and participating personnel. Rigorous anonymization and encryption measures are implemented to uphold information security. Subsequently, to enhance understanding of the data characteristics, exploratory data analysis is conducted on the cleaned dataset. This involves calculating descriptive statistics, conducting distribution tests, and performing correlation analysis. Such steps aid in identifying the most influential feature variables for the predictive model. Given that raw data often contain missing values, outliers, or inconsistencies, comprehensive data cleaning is executed, which includes imputation of missing values, removal of outlier data, and standardization of data formats. To safeguard individual privacy, sensitive information such as project leader names undergoes anonymization and encryption. Concerning the application of the AHP in this study, this method is employed to ascertain the relative weights of various risk factors (including materials, equipment, funding, time, personnel skills, and organizational support). The operational process involves establishing a pairwise comparison judgment matrix based on expert assessments and historical data analysis. Each element in the matrix reflects the importance of one risk factor relative to another. The weights of each risk factor are determined by calculating the maximum eigenvalue of the judgment matrix and its corresponding eigenvector. Consistency indices and random consistency ratios are used to verify the consistency of the judgment matrix, deeming the derived weights acceptable only when the random consistency ratio is below 0.1. Using these meticulously assigned weighted risk factors throughout the model evaluation process, resource conflict risk prediction is conducted via the BP neural network using data collected from actual scientific research projects.

Subsequently, rigorous data anonymization procedures were applied, including de-identification, data anonymization, and encryption of sensitive information. The data preprocessing workflow encompassed comprehensive data cleaning to rectify missing or outlier data points. Ultimately, data from 8,175 research projects were amassed and segregated into training and testing subsets, with an 80% to 20% partition ratio.

To assess the performance of the model developed in this study, an initial step involved employing the AHP to evaluate the weights assigned to each factor, including materials, equipment, funds, time, personnel skills, and organization. Subsequently, the algorithm presented in this study was combined with the Convolutional Neural Network (CNN) 41 , Bidirectional Long Short-Term Memory (BiLSTM) 42 , and comparative experiments were conducted in alignment with recent studies conducted by Liu et al. and Li et al. The evaluation primarily relied on accuracy and RMSE as key metrics, precisely measuring model prediction accuracy. Additionally, the Garson sensitivity analysis method was employed to assess the sensitivity of risk factors across various algorithms.

Results and discussions

Analysis of weights and sensitivity results of different factors.

The analysis of weights and sensitivities for various factors is depicted in Figs.  7 and 8 .

Weight results of different factors.

Sensitivity results of different factors.

Figure  7 highlights the various risk factors present in scientific research project management, including materials, equipment, funds, time, personnel skills, and organization. A more in-depth examination of the weight of sub-indicators within each factor reveals that A 21 holds the highest weight value, at 0.705, while A 63 carries the smallest weight value. Consequently, the application of the AHP in this study enables a clear representation of the significance of each influencing factor. This, in turn, facilitates a more targeted and informed decision-making process, allowing for decisions that align better with the actual circumstances and desired outcomes.

Figure  8 reveals notable variations in the sensitivity of each risk factor to the model’s output variables. Organizational risk emerges as the most influential factor on the comprehensive risk value, accounting for a relative importance of 20.31%. Following closely are financial risk at 18.84%, personnel risk at 18.30%, material risk at 17.04%, equipment risk at 16.29%, and time risk at 9.24%. A more detailed scrutiny of the sensitivity of individual sub-indicators within each factor uncovers that A52 exhibits the lowest sensitivity, standing at 4.28%, while A63 records the highest sensitivity, reaching 7.84%.

Model performance comparison results under different algorithms

In-depth analysis encompassed evaluating the accuracy and RMSE outcomes of distinct algorithms across diverse indicators, as depicted in Figs.  9 and 10 .

Visual representation of accuracy results achieved by different algorithms across various factors.

RMSE comparison results of each algorithm under different numbers of neurons.

Figure  9 illustrates that the accuracy of various algorithms remains relatively stable across different index factors. Notably, the risk prediction accuracy achieved by the algorithm proposed in this study outperforms other model algorithms across various factors. The highest risk prediction accuracy is observed in the time factor, reaching an impressive 97.21%, while the equipment factor yields the lowest prediction accuracy, hovering around 80%. Upon further comparison of risk prediction accuracy across algorithms, it becomes evident that the model algorithms proposed in this study outperform Li et al.’s model algorithm and Liu et al.’s model algorithm. Additionally, the proposed model algorithm surpasses BiLSTM and CNN. Consequently, this study’s model algorithm effectively identifies risk factors in the management of scientific research projects.

Figure  10 presents the RMSE results of each algorithm, and it is evident that increasing the number of hidden layer neurons does not significantly alter the RMSE values. Specifically, the RMSE of the model algorithm introduced in this study consistently remains around 0.03. In contrast, other model algorithms yield RMSE values exceeding 0.031, indicating higher errors compared to the model proposed in this study. When arranging the RMSE results in ascending order, it becomes apparent that the order is as follows: the model algorithm introduced in this study has the lowest RMSE, followed by Li et al.’s proposed model algorithm, Liu et al.’s proposed model algorithm, BiLSTM, and CNN. Therefore, the research model demonstrates effective risk prediction in scientific research project management, characterized by lower identification errors and superior fitting capabilities.

This study established a resource conflict risk index system for scientific research project management and introduced a BP neural network as a risk prediction model. Leveraging its non-linear fitting and self-learning capabilities, the model effectively captured intricate resource demand and supply dynamics, enabling a more precise assessment of resource conflict risks. The performance evaluation revealed the model’s strength in predicting time-related risks, achieving an accuracy rate of 97.21% with an RMSE consistently around 0.03, indicating strong fitting capabilities. The developed BP neural network model in this study effectively predicts resource conflict risks in scientific research project management, serving as a valuable decision support tool for risk assessment. However, certain limitations are acknowledged in this research. Firstly, the dataset is derived from universities in a specific region (Xi’an), and although sizable, it may not comprehensively represent all types of scientific research projects. Future endeavors could involve incorporating more diverse and extensive data sources to enhance the model’s universality and robustness. Secondly, despite the notable advantages of BP neural networks in addressing non-linear problems, the selection of appropriate network structures and parameter settings remains a challenge. Subsequent work could focus on further enhancing the network’s performance through the exploration of additional optimization algorithms. In terms of future research directions, the following points are proposed: Firstly, considering the integration of various machine learning and deep learning technologies to obtain more comprehensive risk prediction results. Secondly, exploring the application of the model in scientific research projects of different scales and types to validate and broaden its applicability. Lastly, investigating the integration of the model into a real-time project management system can provide project managers with dynamic risk monitoring and warning services.

Data availability

All data generated or analysed during this study are included in this published article [and its supplementary information files].

Ren, S. et al. The emerging driving force of inclusive green growth: Does digital economy agglomeration work?. Bus. Strateg. Environ. 31 (4), 1656–1678 (2022).

Article   Google Scholar  

Wang, W., Hu, Y. & Lu, Y. Driving forces of China’s provincial bilateral carbon emissions and the redefinition of corresponding responsibilities. Sci. Total Environ. 857 , 159404 (2023).

Article   ADS   CAS   PubMed   Google Scholar  

Do, S. T., Nguyen, V. T. & Likhitruangsilp, V. RSIAM risk profile for managing risk factors of international construction joint ventures. Int. J. Constr. Manag. 23 (7), 1148–1162 (2023).

Google Scholar  

Nguyen, H. D., Do, Q. N. H. & Macchion, L. Influence of practitioners’ characteristics on risk assessment in Green Building projects in emerging economies: A case of Vietnam. Eng. Constr. Archit. Manag. 30 (2), 833–852 (2023).

Shayan, S., Pyung Kim, K. & Tam, V. W. Y. Critical success factor analysis for effective risk management at the execution stage of a construction project. Int. J. Constr. Manag. 22 (3), 379–386 (2022).

Alam, I., Sarwar, N. & Noreen, I. Statistical analysis of software development models by six-pointed star framework. PLoS ONE 17 (4), e0264420 (2022).

Article   CAS   PubMed   PubMed Central   Google Scholar  

Pham, H. T. et al. Supply chain risk management research in construction: A systematic review. Int. J. Constr. Manag. 23 (11), 1945–1955 (2023).

Zhao, Y. et al. Predicting delays in prefabricated projects: SD-BP neural network to define effects of risk disruption. Eng. Constr. Archit. Manag. 29 (4), 1753–1776 (2022).

Zhang, X. et al. Application of grey feed forward back propagation-neural network model based on wavelet denoising to predict the residual settlement of goafs. PLoS ONE 18 (5), e0281471 (2023).

Article   PubMed   PubMed Central   Google Scholar  

El Khatib, M., Al Mulla, A. & Al, K. W. The role of blockchain in E-governance and decision-making in project and program management. Adv. Internet Things 12 (3), 88–109 (2022).

Ujong, J. A., Mbadike, E. M. & Alaneme, G. U. Prediction of cost and duration of building construction using artificial neural network. Asian J. Civil Eng. 23 (7), 1117–1139 (2022).

Khiat, H. Using automated time management enablers to improve self-regulated learning. Act. Learn. High. Educ. 23 (1), 3–15 (2022).

Gao, J. Analysis of enterprise financial accounting information management from the perspective of big data. Int. J. Sci. Res. 11 (5), 1272–1276 (2022).

Jeong, J. & Jeong, J. Quantitative risk evaluation of fatal incidents in construction based on frequency and probability analysis. J. Manag. Eng. 38 (2), 04021089 (2022).

Matel, E. et al. An artificial neural network approach for cost estimation of engineering services. Int. J. Constr. Manag. 22 (7), 1274–1287 (2022).

Zhang, H. et al. A real-time and ubiquitous network attack detection based on deep belief network and support vector machine. IEEE/CAA J. Autom. Sin. 7 (3), 790–799 (2020).

Gong, Y. et al. Design and interactive performance of human resource management system based on artificial intelligence. PLoS ONE 17 (1), e0262398 (2022).

Bai, L. et al. Service provider portfolio selection for project management using a BP neural network. Ann. Oper. Res. 308 , 41–62 (2022).

Article   MathSciNet   Google Scholar  

Sivakumar, A. et al. Prediction of production facility priorities using Back Propagation Neural Network for bus body building industries: A post pandemic research article. Qual. Quant. 57 (1), 561–585 (2023).

Article   CAS   PubMed   Google Scholar  

Liu, N. et al. Influencing factors and prewarning of unsafe status of construction workers based on BP neural network. Appl. Sci. 13 (6), 4026 (2023).

Article   CAS   Google Scholar  

Li, X., Wang, J. & Yang, C. Risk prediction in financial management of listed companies based on optimized BP neural network under digital economy. Neural Comput. Appl. 35 (3), 2045–2058 (2023).

Jehi, L. et al. Individualizing risk prediction for positive coronavirus disease 2019 testing: Results from 11,672 patients. Chest 158 (4), 1364–1375 (2020).

Asamoah, R. O. et al. Identifying intangible resources to enhance profitability strategies of Small-Medium Scale Construction Firms (SMSCFs) in developing countries. Int. J. Construct. Manag. 22 (11), 2207–2214 (2022).

Zwikael, O. & Huemann, M. Project benefits management: Making an impact on organizations and society through projects and programs. Int. J. Project Manag. 41 (8), 102538 (2023).

Farooq, R. A review of knowledge management research in the past three decades: A bibliometric analysis. VINE J. Inf. Knowl. Manag. Syst. 54 (2), 339–378 (2024).

Bergevin, M. D. et al. Cache a Killer: Cache Valley virus seropositivity and associated farm management risk factors in sheep in Ontario, Canada. PLoS ONE 18 (8), e0290443 (2023).

Huang, G., Lee, S. M. & Clinciu, D. L. Competitive advantages of organizational project management maturity: A quantitative descriptive study in Australia. PLoS ONE 18 (6), e0287225 (2023).

Yesica, R. et al. Project management office manager’s competences: Systematic literature review. Int. J. Project Organ. Manag. 15 (2), 253–278 (2023).

Yu, C. & Hsiao, Y. C. IT project management resource: Identifying your project’s common goals. Int. J. Inf. Technol. Project Manag. 13 (1), 1–15 (2022).

Qu, S. et al. The performance evaluation of management mode of small water resources projects. PLoS ONE 18 (4), e0282357 (2023).

Wu, Z. et al. Urban flood risk assessment in Zhengzhou, China, based on a D-number-improved analytic hierarchy process and a self-organizing map algorithm. Remote Sens. 14 (19), 4777 (2022).

Article   ADS   Google Scholar  

Lin, C. L., Fan, C. L. & Chen, B. K. Hybrid analytic hierarchy process-artificial neural network model for predicting the major risks and quality of Taiwanese construction projects. Appl. Sci. 12 (15), 7790 (2022).

Rehman, A. et al. Multi-hazard susceptibility assessment using the analytical hierarchy process and frequency ratio techniques in the Northwest Himalayas, Pakistan. Remote Sens. 14 (3), 554 (2022).

Liu, J. et al. Developing a hybrid algorithm based on an equilibrium optimizer and an improved backpropagation neural network for fault warning. Processes 11 (6), 1813 (2023).

Narkhede, M. V., Bartakke, P. P. & Sutaone, M. S. A review on weight initialization strategies for neural networks. Artif. Intell. Rev. 55 (1), 291–322 (2022).

Narengbam, L. & Dey, S. Harris hawk optimization trained artificial neural network for anomaly based intrusion detection system. Concurr. Comput. Pract. Exp. 35 (23), e7771 (2023).

Özden, A. & İşeri, İ. COOT optimization algorithm on training artificial neural networks. Knowl. Inf. Syst. 65 (8), 3353–3383 (2023).

Kumar, G., Singh, U. P. & Jain, S. Swarm intelligence based hybrid neural network approach for stock price forecasting. Comput. Econ. 60 (3), 991–1039 (2022).

Zhao, Y. Application of BP neural network algorithm in visualization system of sports training management. Soft Comput. 27 (10), 6845–6854 (2023).

Nketiah, E. A. et al. Recurrent neural network modeling of multivariate time series and its application in temperature forecasting. PLoS ONE 18 (5), e0285713 (2023).

Kumar, T. A. et al. A novel CNN gap layer for growth prediction of palm tree plantlings. PLoS ONE 18 (8), e0289963 (2023).

Liu, J. et al. Research on reservoir porosity prediction method based on bidirectional longshort-term memory neural network. Prog. Geophys. 37 (5), 1993–2000 (2022).

Download references

Author information

Authors and affiliations.

Institute of Policy Studies, Lingnan University, Tuen Mun, 999077, Hong Kong

Xuying Dong & Wanlin Qiu

You can also search for this author in PubMed   Google Scholar

Contributions

Dong Xuying and Qiu Wanlin studied the specific situation of BP neural network, and combined with the experience of scientific research project management, Dong Xuying designed a scientific research project management evaluation and risk prediction method based on BP neural network. At the same time, Qiu Wanlin collected and analyzed the experimental data in this paper according to the actual situation. Dong Xuying and Qiu Wanlin wrote the first draft together.

Corresponding author

Correspondence to Wanlin Qiu .

Ethics declarations

Competing interests.

The authors declare no competing interests.

Additional information

Publisher's note.

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Supplementary Information

Supplementary information., rights and permissions.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/ .

Reprints and permissions

About this article

Cite this article.

Dong, X., Qiu, W. A method for managing scientific research project resource conflicts and predicting risks using BP neural networks. Sci Rep 14 , 9238 (2024). https://doi.org/10.1038/s41598-024-59911-w

Download citation

Received : 26 September 2023

Accepted : 16 April 2024

Published : 22 April 2024

DOI : https://doi.org/10.1038/s41598-024-59911-w

Share this article

Anyone you share the following link with will be able to read this content:

Sorry, a shareable link is not currently available for this article.

Provided by the Springer Nature SharedIt content-sharing initiative

• BP neural network
• Scientific research project management
• Regularization
• Resource conflict risk
• Deep learning

By submitting a comment you agree to abide by our Terms and Community Guidelines . If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.

Quick links

• Explore articles by subject
• Guide to authors
• Editorial policies

Sign up for the Nature Briefing: AI and Robotics newsletter — what matters in AI and robotics research, free to your inbox weekly.

How to Create a Project Risk Management Plan

By Kate Eby | February 27, 2023

• Share on Facebook
• Share on LinkedIn

Link copied

Teams can use a project risk management plan to identify and assess the potential risks to a project. We’ve gathered expert tips on creating an effective risk management plan, as well as step-by-step instructions for creating an example plan.

On this page, you’ll find information on what to include in a project risk management plan and how to create a plan , as well as step-by-step instructions for completing an example project risk management plan .

What Is a Project Risk Management Plan?

Project teams create a project risk management plan , a document that helps identify and assess potential risks to a project. The plan outlines how your team will analyze and mitigate the potential risks to ensure project success.

The project risk management plan is one of the most important documents in project risk management . You can learn more about project risks in general — as well as specific types of project risks — in our comprehensive guides

What Does a Risk Management Plan Cover?

A risk management plan should cover a number of areas detailing potential project risks and how your team will deal with them. It will include a description of the project, along with how your team will identify and assess risk.

At a minimum, your project risk management plan should include the following details:

• Project description, including its purpose
• The team plan for identifying, logging, and assessing potential risks
• How the team will identify broad categories of risk
• How the team will evaluate the severity of each potential risk
• How your team will continue to monitor risks throughout the project
• How team members will be assigned as owners of various risks
• Your organization’s tolerance for certain risks, along with criteria for a risk being too large to accept

“A risk management plan defines how the risks for a project will be handled to ensure that the project can be completed within the set timeframe,” says Veniamin Simonov, Director of Product Management at NAKIVO , a backup and ransomware recovery software vendor. “The plan should cover methodology, risk categorization and prioritization, a response plan, staff roles, and responsibility areas and budgets.”

“The risk management plan will address ‘What are we going to do? How are we going to do it? What are the processes we're going to follow?’” says Alan Zucker, Founding Principal of Project Management Essentials . “It may include things such as what are the major categories you're going to use to define your risks. It might also include some guidelines for assessing risks.”

Components in a Project Risk Management Plan 

A project risk management plan will include certain components and describe how your project team will use certain tools to understand and manage potential risks. Some components include a risk register, a risk breakdown structure, and a risk response plan.

Here are components or tools that a project risk management plan often includes or describes:

• Risk Register: A risk register is the document your project team will use to identify, log, and monitor potential project risks.
• Risk Breakdown Structure: A risk breakdown structure is a chart that allows your team to identify broad risk categories and specific risks that fit within each category. Your team can decide on the broad categories, depending on your project.
• Risk Assessment Matrix: A risk assessment matrix is a chart matrix that allows teams to score the severity of potential risks based on both the likelihood of each risk happening and the impact to the project if a risk happens.
• Risk Response Plan: A risk response plan is a document that details how your team plans to respond to each potential risk to try to either prevent it from happening or lessen the impact if it does happen. You can learn more about project risk mitigation . 
• Roles and Responsibilities: The risk management plan can provide details on the project risk management team, including the lead member for risk management. It also likely details the roles and responsibilities each team member will have in addressing and dealing with specific risks.
• Risk Reporting Formats: The risk management plan describes how the project team will document and report its work on monitoring and dealing with risks. It describes the risk register format that the team will use. It might also describe how risks will be added to or deleted from the register and how the project team will provide periodic summarized risk reports to top project and organization leaders.
• Project Funding and Timing: The plan will likely have a section describing the overall funding and timing for the project. That section also likely details funding for all project risk management work.

To determine what you need to include in your risk management plan, see the following requirements based on project size:

An Organization’s Risk Management Plan Often Doesn’t Change with Projects  

Many risk management experts emphasize that an organization’s project risk management plans might not change much from project to project. That’s because the plan sets out particulars that will be followed for all projects.

“Remember, it's just an approach document that answers the question: How?” says Kris Reynolds, Founder and CEO of Arrowhead Consulting in Tulsa, Oklahoma. “The company or the department as a whole should have a single risk management plan that gets built as you're building your project management methodology. And it’s your Bible. It’s your guidebook. 

“But it isn't going to change across projects,” Reynolds continues. “What changes are the artifacts, including the risk register. But your approach of how you're going to address risk or analyze risk or plan for risk is in the project risk management plan document. As a company or organization, you create that document, and it exists for a year or two years without changing.”

To create a project risk management plan, your team should gather important documents and decide on an approach for assessing and responding to risks. This process involves gathering support documents, listing potential risk management tools, and more. 

Consider some of these basic steps and factors as you begin creating the project risk management plan:

• Gather Supporting Documents: Gather and read through supporting documents related to the overall project, including the project and project management plan. It’s important for your project risk team to have a full view of project goals and objectives.
• Frame the Context: Make sure your team understands both the business value of the project and the impact on the organization if the project fails.
• Decide on Risk Assessment Criteria: Decide how your team will identify and assess important risks. That will require your team to have an understanding of which types of risks your organization can tolerate and which risks could be ruinous to the project.
• Inventory Possible Risk Management Tools: Make a list of risk management tools and documents that your team might use to help identify and manage project risk.
• Known Risks: At the start of a project, team members will be able to identify a number of known risks , such as budget issues, shortages of material, and human and other resource constraints, which are measurable and based on specific events. 
• Unknown Risks: At the start of a project, team members will not be able to identify a range of unknown risks that could impact your project. Those risks are not as easily or objectively measurable as known risks and can crop up at any point during a project. A main goal of project risk management is to help your team discover and address unknown risks before they happen.
• Unknowable Risks: Your team will not be able to anticipate unknowable risks that could affect the project, such as catastrophic weather events, accidents, and major system failures.
• Understand Human Bias: Studies have shown that people overestimate their ability to predict and influence the future. We often think we have more control than we do. Those biases can affect how we assess and manage risks in a project. We tend to give too much credence to what happened with past processes, fall into agreement with others in our group, and be more optimistic than we should be about how long a project will take or how much it will cost.  It’s important to account for all of those biases as your team identifies and assesses project risk.

Steps in Developing a Project Risk Management Plan

After your project team has gathered documents and done other preparation work, you will want to follow nine basic steps in creating a project risk management plan. Those start with identifying and assessing risks.

Here are details on the nine steps of project risk management to keep in mind while drafting your project risk management plan:

• Identify Risks: Your team should gather information and request input from team and organization members to determine potential risks to the project. Some specific risks can threaten many projects. Other risks will vary, based on the type of project and the industry. “If you're talking about a software project, you could have risks associated with the technology, resources, and interdependencies with other systems,” says Zucker. “If you have vendors you're working with, there may be risks associated with the vendors. There may be risks that are software- or hardware-specific. If you're working on a construction project, those risks obviously would be very different. ”You can learn more about project risk analysis and how to identify potential risks to a project .
• Assess Potential Impact of Each Risk: After your team identifies potential risks, it can assess the likelihood of each risk, along with the expected impact on the project if the risk happens. Your team can use a risk matrix to identify both the likelihood and impact of each risk. You can learn more about how to create a risk matrix and assess risks .
• Determine Your Organization's Risk Threshold and Tolerance: Your team will want to understand your organization’s risk threshold , or tolerance for risk. Organization leaders might decide that some risks should be avoided at all costs, while others are acceptable. Take the time to understand those views as you prioritize project risks.
• Prioritize Risks Based on Impact and Risk Tolerance: Once your team assesses the potential impact of a risk and your organization's risk tolerance for risks, it will prioritize risks accordingly. “Prioritize risks based on their disruptive potential for an organization,” says Simonov.
• Create a Risk Response Plan: Your team should then create a response plan for each risk that the team considers a priority. That response plan will include measures that could prevent the risk from happening or lessen the risk’s impact if it does happen.
• Select Project Risk Management Tools: Your team will need to decide on the best risk management tools to use for your project. That will likely include a risk register and a risk assessment matrix. It might include other tools, such as Monte Carlo simulations. Learn more about various tools and documents to use in risk management . 
• Select an Owner for Each Risk: Each identified risk should have an assigned owner. In some cases, a department might be an owner of a risk, but most often, the team will assign individuals to monitor risks. In some cases, the owner will be responsible for dealing with the risk if it happens. Teams can list the owners of each risk on their project risk register. 
• Determine Possible Triggers for Each Risk: As your team conducts a closer assessment of all risks, it should identify risk triggers where possible. Triggers are events that can cause a risk to happen. Your team won’t be able to identify triggers for all risks, but it will for some. For example, if you have a plant without sufficient backup power, a trigger could be warnings of a violent storm that could cause a power outage.
• Determine How Your Team Will Monitor Risks: An important part of your plan includes recording concrete details about how your team will ensure that it can continually monitor risks throughout the life of a project.

Risk Management Plan Examples, Templates, and Components

Examples of project risk management plans can help your team understand what information to include in a plan. The risk management plan can also detail various components that will be part of your team’s risk management.

Project Risk Management Plan Template

Download the Sample Project Risk Management Plan Template for Microsoft Word  

Download this sample project risk management plan, which includes primary components that might be described in a project risk management plan, such as details on risk identification, risk mitigation, and risk tracking and reporting.

Download the Blank Project Risk Management Plan for Microsoft Word

Use this blank template to create your own project risk management plan. The template includes sections to ensure that your team covers all areas of risk management, such as risk identification, risk assessment, and risk mitigation. Customize the template based on your needs.

Project Risk Register Template

Download the Sample Project Risk Register for Excel

This sample project risk register gives your team a better understanding of the information that a risk register should include to help the team understand and deal with risks. This sample includes potential risks that a project manager might track for a construction project.

Download the Blank Project Risk Register Template for Excel  

Use this project risk register template to help your team identify, track, and plan for project risks. The template includes columns for categorizing risks, providing risk descriptions, determining a risk severity score, and more.  

Quantitative Risk Register Template

Download the Sample Quantitative Project Risk Impact Matrix for Excel

This sample quantitative project risk impact matrix template can help your team assess a project risk based on quantitative measures, such as potential monetary cost to the project. The template includes columns where your team can assess and track the probability and potential cost of each project risk. The template calculates a total monetary risk impact based on your estimates of probability and cost.

Risk Breakdown Structure Template

Download the Risk Breakdown Structure Template for Excel

Your team can use this template to create a risk breakdown structure diagram that shows different types of risks that could affect a project. The template helps your team organize risks into broad categories.

Step-By-Step Guide to Creating a Project Risk Management Plan

Below are step-by-step instructions on how to fill out a project risk management plan template. Follow these steps to help you and your team understand the information needed in an effective risk management plan.

This template is based on a project risk management plan template created by Arrowhead Consulting of Tulsa, Oklahoma, and was shared with us by Kris Reynolds.

• Cover Section: Provide information for the cover section , also known as the summary section . This will include the name of the project, the project overview, the project goals, the expected length of the project, and the project manager.
• Risk Management Approach: Write a short summary of your organization's overall approach to project risk management for all projects, not only the project at hand. The summary might describe overall goals, along with your organization’s view of the benefits of good project risk management.
• Plan Purpose: Write a short summary explaining how the plan will help your team perform proper risk management for the project.
• Risk Identification: Provide details on how your team plans to identify and define risks to the project. Those details should include who is assigned to specific responsibilities for risk identification and tracking, as well as what information and categories will be included in your team’s project risk register.
• Risk Assessment: Provide details on how your team will assess the probability and potential impact of each risk it has identified. Your team should also include details on any risk matrices it plans to use and how the team will prioritize risks based on those matrices.
• Risk Response: Provide details on the ways your team can choose to respond to various risks. In the case of high-priority risks, that will include prevention or mitigation plans for each risk. In the case of low-priority risks, or risks that might be prohibitively expensive to mitigate, it might include accepting the risk with limited mitigation measures.
• Risk Mitigation: Provide more details on how your team plans to lessen the likelihood  or impact of each risk. Your team should also provide details on how it will monitor the effectiveness of prevention and mitigation strategies, and change them if needed.
• Risk Tracking and Reporting: Provide details on how your team plans to track and report on risks and risk mitigation activities. These details will likely include information on the project risk register your team plans to use and information on how your team plans to periodically report risk and risk responses to organizational leadership.

Do Complex Projects Require More Complex Project Risk Management Plans? 

Experts say that complex projects shouldn’t require more complex project risk management plans. A project might have more complex tools, such as a more detailed risk register, but the risk management plan should cover the same basics for all projects.

“The problem is, most people get these management plans confused. They then start lumping in the artifacts [such as risk registers] — which can be more complex and have more detail — to the risk management plan itself,” says Reynolds. “You want it to be easily understood and easily followed.

“I don't think the complexity of the project changes the risk management plan,” Reynolds says. “You may have to circulate the plan to more people. You may have to meet more frequently. You may have to use quantitative risk analysis. That would be more complex with more complex projects. But the management plan itself —  no.”

Effectively Manage Project Risks with Real-Time Work Management in Smartsheet

From simple task management and project planning to complex resource and portfolio management, Smartsheet helps you improve collaboration and increase work velocity -- empowering you to get more done. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed.

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.

Discover a better way to streamline workflows and eliminate silos for good.

• Business Essentials
• Leadership & Management
• Credential of Leadership, Impact, and Management in Business (CLIMB)
• Entrepreneurship & Innovation
• Digital Transformation
• Finance & Accounting
• Business in Society
• For Organizations
• Support Portal
• Media Coverage
• Founding Donors
• Leadership Team

• Harvard Business School →
• HBS Online →
• Business Insights →

Business Insights

Harvard Business School Online's Business Insights Blog provides the career insights you need to achieve your goals and gain confidence in your business skills.

• Career Development
• Communication
• Decision-Making
• Earning Your MBA
• Negotiation
• News & Events
• Productivity
• Staff Spotlight
• Student Profiles
• Work-Life Balance
• AI Essentials for Business
• Alternative Investments
• Business Analytics
• Business Strategy
• Business and Climate Change
• Design Thinking and Innovation
• Digital Marketing Strategy
• Disruptive Strategy
• Economics for Managers
• Entrepreneurship Essentials
• Financial Accounting
• Global Business
• Launching Tech Ventures
• Leadership Principles
• Leadership, Ethics, and Corporate Accountability
• Leading Change and Organizational Renewal
• Leading with Finance
• Management Essentials
• Negotiation Mastery
• Organizational Leadership
• Power and Influence for Positive Impact
• Strategy Execution
• Sustainable Business Strategy
• Sustainable Investing
• Winning with Digital Platforms

What Is Risk Management & Why Is It Important?

• 24 Oct 2023

Businesses can’t operate without risk. Economic, technological, environmental, and competitive factors introduce obstacles that companies must not only manage but overcome.

According to PwC’s Global Risk Survey , organizations that embrace strategic risk management are five times more likely to deliver stakeholder confidence and better business outcomes and two times more likely to expect faster revenue growth.

If you want to enhance your job performance and identify and mitigate risk more effectively, here’s a breakdown of what risk management is and why it’s important.

Access your free e-book today.

What Is Risk Management?

Risk management is the systematic process of identifying, assessing, and mitigating threats or uncertainties that can affect your organization. It involves analyzing risks’ likelihood and impact, developing strategies to minimize harm, and monitoring measures’ effectiveness.

“Competing successfully in any industry involves some level of risk,” says Harvard Business School Professor Robert Simons, who teaches the online course Strategy Execution . “But high-performing businesses with high-pressure cultures are especially vulnerable. As a manager, you need to know how and why these risks arise and how to avoid them.”

According to Strategy Execution , strategic risk has three main causes:

• Pressures due to growth: This is often caused by an accelerated rate of expansion that makes staffing or industry knowledge gaps more harmful to your business.
• Pressures due to culture: While entrepreneurial risk-taking can come with rewards, executive resistance and internal competition can cause problems.
• Pressures due to information management: Since information is key to effective leadership , gaps in performance measures can result in decentralized decision-making.

These pressures can lead to several types of risk that you must manage or mitigate to avoid reputational, financial, or strategic failures. However, risks aren’t always obvious.

“I think one of the challenges firms face is the ability to properly identify their risks,” says HBS Professor Eugene Soltes in Strategy Execution .

Therefore, it’s crucial to pinpoint unexpected events or conditions that could significantly impede your organization’s business strategy .

Related: Business Strategy vs. Strategy Execution: Which Course Is Right for Me?

According to Strategy Execution , strategic risk comprises:

• Operations risk: This occurs when internal operational errors interrupt your products or services’ flow. For example, shipping tainted products can negatively affect food distribution companies.
• Asset impairment risk: When your company’s assets lose a significant portion of their current value because of a decreased likelihood of receiving future cash flows . For instance, losing property assets, like a manufacturing plant, due to a natural disaster.
• Competitive risk: Changes in the competitive environment can interrupt your organization’s ability to create value and differentiate its offerings—eventually leading to a significant loss in revenue.
• Franchise risk: When your organization’s value erodes because stakeholders lose confidence in its objectives. This primarily results from failing to control any of the strategic risk sources listed above.

Understanding these risks is essential to ensuring your organization’s long-term success. Here’s a deeper dive into why risk management is important.

4 Reasons Why Risk Management Is Important

1. protects organization’s reputation.

In many cases, effective risk management proactively protects your organization from incidents that can affect its reputation.

“Franchise risk is a concern for all businesses,“ Simons says in Strategy Execution . “However, it's especially pressing for businesses whose reputations depend on the trust of key constituents.”

For example, airlines are particularly susceptible to franchise risk because of unforeseen events, such as flight delays and cancellations caused by weather or mechanical failure. While such incidents are considered operational risks, they can be incredibly damaging.

In 2016, Delta Airlines experienced a national computer outage, resulting in over 2,000 flight cancellations. Delta not only lost an estimated $150 million but took a hit to its reputation as a reliable airline that prided itself on “canceling cancellations.”

While Delta bounced back, the incident illustrates how mitigating operational errors can make or break your organization.

2. Minimizes Losses

Most businesses create risk management teams to avoid major financial losses. Yet, various risks can still impact their bottom lines.

A Vault Platform study found that dealing with workplace misconduct cost U.S. businesses over $20 billion in 2021. In addition, Soltes says in Strategy Execution that corporate fines for misconduct have risen 40-fold in the U.S. over the last 20 years.

One way to mitigate financial losses related to employee misconduct is by implementing internal controls. According to Strategy Execution , internal controls are the policies and procedures designed to ensure reliable accounting information and safeguard company assets.

“Managers use internal controls to limit the opportunities employees have to expose the business to risk,” Simons says in the course.

One company that could have benefited from implementing internal controls is Volkswagen (VW). In 2015, VW whistle-blowers revealed that the company’s engineers deliberately manipulated diesel vehicles’ emissions data to make them appear more environmentally friendly.

This led to severe consequences, including regulatory penalties, expensive vehicle recalls, and legal settlements—all of which resulted in significant financial losses. By 2018, U.S. authorities had extracted $25 billion in fines, penalties, civil damages, and restitution from the company.

Had VW maintained more rigorous internal controls to ensure transparency, compliance, and proper oversight of its engineering practices, perhaps it could have detected—or even averted—the situation.

Related: What Are Business Ethics & Why Are They Important?

3. Encourages Innovation and Growth

Risk management isn’t just about avoiding negative outcomes. It can also be the catalyst that drives your organization’s innovation and growth.

“Risks may not be pleasant to think about, but they’re inevitable if you want to push your business to innovate and remain competitive,” Simons says in Strategy Execution .

According to PwC , 83 percent of companies’ business strategies focus on growth, despite risks and mixed economic signals. In Strategy Execution , Simons notes that competitive risk is a challenge you must constantly monitor and address.

“Any firm operating in a competitive market must focus its attention on changes in the external environment that could impair its ability to create value for its customers,” Simons says.

This requires incorporating boundary systems —explicit statements that define and communicate risks to avoid—to ensure internal controls don’t extinguish innovation.

“Boundary systems are essential levers in businesses to give people freedom,” Simons says. “In such circumstances, you don’t want to stifle innovation or entrepreneurial behavior by telling people how to do their jobs. And if you want to remain competitive, you’ll need to innovate and adapt.”

Netflix is an example of how risk management can inspire innovation. In the early 2000s, the company was primarily known for its DVD-by-mail rental service. With growing competition from video rental stores, Netflix went against the grain and introduced its streaming service. This changed the market, resulting in a booming industry nearly a decade later.

Netflix’s innovation didn’t stop there. Once the steaming services market became highly competitive, the company shifted once again to gain a competitive edge. It ventured into producing original content, which ultimately helped differentiate its platform and attract additional subscribers.

By offering more freedom within internal controls, you can encourage innovation and constant growth.

4. Enhances Decision-Making

Risk management also provides a structured framework for decision-making. This can be beneficial if your business is inclined toward risks that are difficult to manage.

By pulling data from existing control systems to develop hypothetical scenarios, you can discuss and debate strategies’ efficacy before executing them.

“Interactive control systems are the formal information systems managers use to personally involve themselves in the decision activities of subordinates,” Simons says in Strategy Execution . “Decision activities that relate to and impact strategic uncertainties.”

JPMorgan Chase, one of the most prominent financial institutions in the world, is particularly susceptible to cyber risks because it compiles vast amounts of sensitive customer data . According to PwC , cybersecurity is the number one business risk on managers’ minds, with 78 percent worried about more frequent or broader cyber attacks.

Using data science techniques like machine learning algorithms enables JPMorgan Chase’s leadership not only to detect and prevent cyber attacks but address and mitigate risk.

Start Managing Your Organization's Risk

Risk management is essential to business. While some risk is inevitable, your ability to identify and mitigate it can benefit your organization.

But you can’t plan for everything. According to the Harvard Business Review , some risks are so remote that no one could have imagined them. Some result from a perfect storm of incidents, while others materialize rapidly and on enormous scales.

By taking an online strategy course , you can build the knowledge and skills to identify strategic risks and ensure they don’t undermine your business. For example, through an interactive learning experience, Strategy Execution enables you to draw insights from real-world business examples and better understand how to approach risk management.

Do you want to mitigate your organization’s risks? Explore Strategy Execution —one of our online strategy courses —and download our free strategy e-book to gain the insights to build a successful strategy.

About the Author

Risk Management 101: Process, Examples, Strategies

Emily Villanueva

August 16, 2023

Effective risk management takes a proactive and preventative stance to risk, aiming to identify and then determine the appropriate response to the business and facilitate better decision-making. Many approaches to risk management focus on risk reduction, but it’s important to remember that risk management practices can also be applied to opportunities, assisting the organization with determining if that possibility is right for it.

Risk management as a discipline has evolved to the point that there are now common subsets and branches of risk management programs, from enterprise risk management (ERM) , to cybersecurity risk management, to operational risk management (ORM) , to  supply chain risk management (SCRM) . With this evolution, standards organizations around the world, like the US’s National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO) have developed and released their own best practice frameworks and guidance for businesses to apply to their risk management plan.

Companies that adopt and continuously improve their risk management programs can reap the benefits of improved decision-making, a higher probability of reaching goals and business objectives, and an augmented security posture. But, with risks proliferating and the many types of risks that face businesses today, how can an organization establish and optimize its risk management processes? This article will walk you through the fundamentals of risk management and offer some thoughts on how you can apply it to your organization.

What Are Risks?

We’ve been talking about risk management and how it has evolved, but it’s important to clearly define the concept of risk. Simply put, risks are the things that could go wrong with a given initiative, function, process, project, and so on. There are potential risks everywhere — when you get out of bed, there’s a risk that you’ll stub your toe and fall over, potentially injuring yourself (and your pride). Traveling often involves taking on some risks, like the chance that your plane will be delayed or your car runs out of gas and leave you stranded. Nevertheless, we choose to take on those risks, and may benefit from doing so. 

Companies should think about risk in a similar way, not seeking simply to avoid risks, but to integrate risk considerations into day-to-day decision-making.

• What are the opportunities available to us?
• What could be gained from those opportunities?
• What is the business’s risk tolerance or risk appetite – that is, how much risk is the company willing to take on?
• How will this relate to or affect the organization’s goals and objectives?
• Are these opportunities aligned with business goals and objectives?

With that in mind, conversations about risks can progress by asking, “What could go wrong?” or “What if?” Within the business environment, identifying risks starts with key stakeholders and management, who first define the organization’s objectives. Then, with a risk management program in place, those objectives can be scrutinized for the risks associated with achieving them. Although many organizations focus their risk analysis around financial risks and risks that can affect a business’s bottom line, there are many types of risks that can affect an organization’s operations, reputation, or other areas.

Remember that risks are hypotheticals — they haven’t occurred or been “realized” yet. When we talk about the impact of risks, we’re always discussing the potential impact. Once a risk has been realized, it usually turns into an incident, problem, or issue that the company must address through their contingency plans and policies. Therefore, many risk management activities focus on risk avoidance, risk mitigation, or risk prevention.

What Different Types of Risks Are There?

There’s a vast landscape of potential risks that face modern organizations. Targeted risk management practices like ORM and SCRM have risen to address emerging areas of risk, with those disciplines focused on mitigating risks associated with operations and the supply chain. Specific risk management strategies designed to address new risks and existing risks have emerged from these facets of risk management, providing organizations and risk professionals with action plans and contingency plans tailored to unique problems and issues.

Common types of risks include: strategic, compliance, financial, operational, reputational, security, and quality risks.

Strategic Risk

Strategic risks are those risks that could have a potential impact on a company’s strategic objectives, business plan, and/or strategy. Adjustments to business objectives and strategy have a trickle-down effect to almost every function in the organization. Some events that could cause strategic risks to be realized are: major technological changes in the company, like switching to a new tech stack; large layoffs or reductions-in-force (RIFs); changes in leadership; competitive pressure; and legal changes.

Compliance Risk

Compliance risks materialize from regulatory and compliance requirements that businesses are subject to, like Sarbanes-Oxley for publicly-traded US companies, or GDPR for companies that handle personal information from the EU. The consequence or impact of noncompliance is generally a fine from the governing body of that regulation. These types of risks are realized when the organization does not maintain compliance with regulatory requirements, whether those requirements are environmental, financial, security-specific, or related to labor and civil laws.

Financial Risk

Financial risks are fairly self-explanatory — they have the possibility of affecting an organization’s profits. These types of risks often receive significant attention due to the potential impact on a company’s bottom line. Financial risks can be realized in many circumstances, like performing a financial transaction, compiling financial statements, developing new partnerships, or making new deals.

Operational Risk

Risks to operations, or operational risks, have the potential to disrupt daily operations involved with running a business. Needless to say, this can be a problematic scenario for organizations with employees unable to do their jobs, and with product delivery possibly delayed. Operational risks can materialize from internal or external sources — employee conduct, retention, technology failures, natural disasters, supply chain breakdowns — and many more.

Reputational Risk

Reputational risks are an interesting category. These risks look at a company’s standing in the public and in the media and identify what could impact its reputation. The advent of social media changed the reputation game quite a bit, giving consumers direct access to brands and businesses. Consumers and investors too are becoming more conscious about the companies they do business with and their impact on the environment, society, and civil rights. Reputational risks are realized when a company receives bad press or experiences a successful cyber attack or security breach; or any situation that causes the public to lose trust in an organization.

Security Risk

Security risks have to do with possible threats to your organization’s physical premises, as well as information systems security. Security breaches, data leaks, and other successful types of cyber attacks threaten the majority of businesses operating today. Security risks have become an area of risk that companies can’t ignore, and must safeguard against.

Quality Risk

Quality risks are specifically associated with the products or services that a company provides. Producing low-quality goods or services can cause an organization to lose customers, ultimately affecting revenue. These risks are realized when product quality drops for any reason — whether that’s technology changes, outages, employee errors, or supply chain disruptions.

Steps in the Risk Management Process

The six risk management process steps that we’ve outlined below will give you and your organization a starting point to implement or improve your risk management practices. In order, the risk management steps are: 

• Risk identification
• Risk analysis or assessment
• Controls implementation
• Resource and budget allocation
• Risk mitigation
• Risk monitoring, reviewing, and reporting

If this is your organization’s first time setting up a risk management program, consider having a formal risk assessment completed by an experienced third party, with the goal of producing a risk register and prioritized recommendations on what activities to focus on first. Annual (or more frequent) risk assessments are usually required when pursuing compliance and security certifications, making them a valuable investment.

Step 1: Risk Identification

The first step in the risk management process is risk identification. This step takes into account the organization’s overarching goals and objectives, ideally through conversations with management and leadership. Identifying risks to company goals involves asking, “What could go wrong?” with the plans and activities aimed at meeting those goals. As an organization moves from macro-level risks to more specific function and process-related risks, risk teams should collaborate with critical stakeholders and process owners, gaining their insight into the risks that they foresee.

As risks are identified, they should be captured in formal documentation — most organizations do this through a risk register, which is a database of risks, risk owners, mitigation plans, and risk scores.

Step 2: Risk Analysis or Assessment

Analyzing risks, or assessing risks, involves looking at the likelihood that a risk will be realized, and the potential impact that risk would have on the organization if that risk were realized. By quantifying these on a three- or five-point scale, risk prioritization becomes simpler. Multiplying the risk’s likelihood score with the risk’s impact score generates the risk’s overall risk score. This value can then be compared to other risks for prioritization purposes.

The likelihood that a risk will be realized asks the risk assessor to consider how probable it would be for a risk to actually occur. Lower scores indicate less chances that the risk will materialize. Higher scores indicate more chances that the risk will occur.

Likelihood, on a 5×5 risk matrix, is broken out into:

• Highly Unlikely
• Highly Likely

The potential impact of a risk, should it be realized, asks the risk assessor to consider how the business would be affected if that risk occurred. Lower scores signal less impact to the organization, while higher scores indicate more significant impacts to the company.

Impact, on a 5×5 risk matrix, is broken out into:

• Negligible Impact
• Moderate Impact
• High Impact
• Catastrophic Impact

Risk assessment matrices help visualize the relationship between likelihood and impact, serving as a valuable tool in risk professionals’ arsenals.

Organizations can choose whether to employ a 5×5 risk matrix, as shown above, or a 3×3 risk matrix, which breaks likelihood, impact, and aggregate risk scores into low, moderate, and high categories.

Step 3: Controls Assessment and Implementation

Once risks have been identified and analyzed, controls that address or partially address those risks should be mapped. Any risks that don’t have associated controls, or that have controls that are inadequate to mitigate the risk, should have controls designed and implemented to do so.

Step 4: Resource and Budget Allocation

This step, the resource and budget allocation step, doesn’t get included in a lot of content about risk management. However, many businesses find themselves in a position where they have limited resources and funds to dedicate to risk management and remediation. Developing and implementing new controls and control processes is timely and costly; there’s usually a learning curve for employees to get used to changes in their workflow.

Using the risk register and corresponding risk scores, management can more easily allocate resources and budget to priority areas, with cost-effectiveness in mind. Each year, leadership should re-evaluate their resource allocation as part of annual risk lifecycle practices.

Step 5: Risk Mitigation

The risk mitigation step of risk management involves both coming up with the action plan for handling open risks, and then executing on that action plan. Mitigating risks successfully takes buy-in from various stakeholders. Due to the various types of risks that exist, each action plan may look vastly different between risks. 

For example, vulnerabilities present in information systems pose a risk to data security and could result in a data breach. The action plan for mitigating this risk might involve automatically installing security patches for IT systems as soon as they are released and approved by the IT infrastructure manager. Another identified risk could be the possibility of cyber attacks resulting in data exfiltration or a security breach. The organization might decide that establishing security controls is not enough to mitigate that threat, and thus contract with an insurance company to cover off on cyber incidents. Two related security risks; two very different mitigation strategies. 

One more note on risk mitigation — there are four generally accepted “treatment” strategies for risks. These four treatments are:

• Risk Acceptance: Risk thresholds are within acceptable tolerance, and the organization chooses to accept this risk.
• Risk Transfer : The organization chooses to transfer the risk or part of the risk to a third party provider or insurance company.
• Risk Avoidance : The organization chooses not to move forward with that risk and avoids incurring it.
• Risk Mitigation : The organization establishes an action plan for reducing or limiting risk to acceptable levels.

If an organization is not opting to mitigate a risk, and instead chooses to accept, transfer, or avoid the risk, these details should still be captured in the risk register, as they may need to be revisited in future risk management cycles.

Step 6: Risk Monitoring, Reviewing, and Reporting

The last step in the risk management lifecycle is monitoring risks, reviewing the organization’s risk posture, and reporting on risk management activities. Risks should be monitored on a regular basis to detect any changes to risk scoring, mitigation plans, or owners. Regular risk assessments can help organizations continue to monitor their risk posture. Having a risk committee or similar committee meet on a regular basis, such as quarterly, integrates risk management activities into scheduled operations, and ensures that risks undergo continuous monitoring. These committee meetings also provide a mechanism for reporting risk management matters to senior management and the board, as well as affected stakeholders.

As an organization reviews and monitors its risks and mitigation efforts, it should apply any lessons learned and use past experiences to improve future risk management plans.

Examples of Risk Management Strategies

Depending on your company’s industry, the types of risks it faces, and its objectives, you may need to employ many different risk management strategies to adequately handle the possibilities that your organization encounters. 

Some examples of risk management strategies include leveraging existing frameworks and best practices, minimum viable product (MVP) development, contingency planning, root cause analysis and lessons learned, built-in buffers, risk-reward analysis, and third-party risk assessments.

Leverage Existing Frameworks and Best Practices

Risk management professionals need not go it alone. There are several standards organizations and committees that have developed risk management frameworks, guidance, and approaches that business teams can leverage and adapt for their own company. 

Some of the more popular risk management frameworks out there include:

• ISO 31000 Family : The International Standards Organization’s guidance on risk management.
• NIST Risk Management Framework (RMF) : The National Institute of Standards and Technology has released risk management guidance compatible with their Cybersecurity Framework (CSF).
• COSO Enterprise Risk Management (ERM) : The Committee of Sponsoring Organizations’ enterprise risk management guidance.

Minimum Viable Product (MVP) Development

This approach to product development involves developing core features and delivering those to the customer, then assessing response and adjusting development accordingly. Taking an MVP path reduces the likelihood of financial and project risks, like excessive spend or project delays by simplifying the product and decreasing development time.

Contingency Planning

Developing contingency plans for significant incidents and disaster events are a great way for businesses to prepare for worst-case scenarios. These plans should account for response and recovery. Contingency plans specific to physical sites or systems help mitigate the risk of employee injury and outages.

Root Cause Analysis and Lessons Learned

Sometimes, experience is the best teacher. When an incident occurs or a risk is realized, risk management processes should include some kind of root cause analysis that provides insights into what can be done better next time. These lessons learned, integrated with risk management practices, can streamline and optimize response to similar risks or incidents.

Built-In Buffers

Applicable to discrete projects, building in buffers in the form of time, resources, and funds can be another viable strategy to mitigate risks. As you may know, projects can get derailed very easily, going out of scope, over budget, or past the timeline. Whether a project team can successfully navigate project risks spells the success or failure of the project. By building in some buffers, project teams can set expectations appropriately and account for the possibility that project risks may come to fruition.

Risk-Reward Analysis

In a risk-reward analysis, companies and project teams weigh the possibility of something going wrong with the potential benefits of an opportunity or initiative. This analysis can be done by looking at historical data, doing research about the opportunity, and drawing on lessons learned. Sometimes the risk of an initiative outweighs the reward; sometimes the potential reward outweighs the risk. At other times, it’s unclear whether the risk is worth the potential reward or not. Still, a simple risk-reward analysis can keep organizations from bad investments and bad deals.

Third-Party Risk Assessments

Another strategy teams can employ as part of their risk management plan is to conduct periodic third-party risk assessments. In this method, a company would contract with a third party experienced in conducting risk assessments, and have them perform one (or more) for the organization. Third-party risk assessments can be immensely helpful for the new risk management team or for a mature risk management team that wants a new perspective on their program. 

Generally, third-party risk assessments result in a report of risks, findings, and recommendations. In some cases, a third-party provider may also be able to help draft or provide input into your risk register. As external resources, third-party risk assessors can bring their experience and opinions to your organization, leading to insights and discoveries that may not have been found without an independent set of eyes.

Components of an Effective Risk Management Plan

An effective risk management plan has buy-in from leadership and key stakeholders; applies the risk management steps; has good documentation; and is actionable. Buy-in from management often determines whether a risk management function is successful or not, since risk management requires resources to conduct risk assessments, risk identification, risk mitigation, and so on. Without leadership buy-in, risk management teams may end up just going through the motions without the ability to make an impact. Risk management plans should be integrated into organizational strategy, and without stakeholder buy-in, that typically does not happen. 

Applying the risk management methodology is another key component of an effective plan. That means following the six steps outlined above should be incorporated into a company’s risk management lifecycle. Identifying and analyzing risks, establishing controls, allocating resources, conducting mitigation, and monitoring and reporting on findings form the foundations of good risk management. 

Good documentation is another cornerstone of effective risk management. Without a risk register recording all of a company’s identified risks and accompanying scores and mitigation strategies, there would be little for a risk team to act on. Maintaining and updating the risk register should be a priority for the risk team — risk management software can help here, providing users with a dashboard and collaboration mechanism.

Last but not least, an effective risk management plan needs to be actionable. Any activities that need to be completed for mitigating risks or establishing controls, should be feasible for the organization and allocated resources. An organization can come up with the best possible, best practice risk management plan, but find it completely unactionable because they don’t have the capabilities, technology, funds, and/or personnel to do so. It’s all well and good to recommend that cybersecurity risks be mitigated by setting up a 24/7 continuous monitoring Security Operations Center (SOC), but if your company only has one IT person on staff, that may not be a feasible action plan.

Executing on an effective risk management plan necessitates having the right people, processes, and technology in place. Sometimes the challenges involved with running a good risk management program are mundane — such as disconnects in communication, poor version control, and multiple risk registers floating around. Risk management software can provide your organization with a unified view of the company’s risks, a repository for storing and updating key documentation like a risk register, and a space to collaborate virtually with colleagues to check on risk mitigation efforts or coordinate on risk assessments. Get started building your ideal risk management plan today!

Emily Villanueva, MBA, is a Senior Manager of Product Solutions at AuditBoard. Emily joined AuditBoard from Grant Thornton, where she provided consulting services specializing in SOX compliance, internal audit, and risk management. She also spent 5 years in the insurance industry specializing in SOX/ICFR, internal audits, and operational compliance. Connect with Emily on LinkedIn .

Related Articles

Strategic Risk Management: Complete Overview (With Examples)

As businesses continue to operate in an increasingly competitive and uncertain environment exacerbated by threats to their operations, such as cyberattacks, supply chain disruptions, and climate catastrophes, strategic risk management has become a key factor in ensuring an organization's success.

According to Racounteur , 85% of business leaders feel they are operating in a moderate to high-risk environment, and 79% of boards believe that improved risk management will be critical in enabling their organization to protect and build value in the next five years.

It's clear that organizations need to be prepared for the different types of strategic risk coming their way and have strong strategic risk management in place to not only reduce the impact on their operations but even take advantage of the context and transform it into an opportunity.

In this article, we'll dive into the world of strategic risk, the different types of strategic risks, and how to manage them to reduce the chances of disruption. We'll also give you real-life examples and a ready-to-use, free Risk Management Template to help your business be in strategic control and start your journey toward effective strategic risk management.

What Is Strategic Risk?

Strategic risk is the probability of the organization’s strategy failing. It is an estimation of the future success of the chosen strategy. Since strategy is a set of clear decisions, strategic risk reflects the aggregate of the risks of those decisions.

At its core, strategic risks affect an organization's overall strategy . It can sometimes be difficult to spot and manage.

This means that particularly at an executive level, leaders and teams need to be able to look for strategic risks and, instead of categorizing them as things to hedge or mitigate, develop the acumen to ask the appropriate questions:

• Are we going to resist this, avoid it, or maybe push it away?
• Or do we embrace it, use it as an indicator for the market and take it as an opportunity for a strategic change?

🤓Want to learn more? Download our FREE Strategic Risk Guide (PDF) with examples, definitions, and a clear framework to help you and your organization better manage strategic risk.

What Is Strategic Risk Management?

Strategic risk management is the process of recognizing risks, identifying their causes and effects, and taking the relevant actions to mitigate them. Risks arise from inside and outside factors such as manufacturing failures, economic changes, shifts in consumer tastes, etc. 

Strategic risk can disrupt a business’s ability to accomplish its goals , break out in the market or even survive. Effective, efficient management puts the power in leaders’ hands to avoid potential obstacles to success and maximize their performance.

Why Is Strategic Risk Management Important?

Organizations that fail to do proper risk management face significant threats. At times, they face existential threats. Kodak was a pioneer in the photography space (they actually filed a patent for one of the first digital cameras), but they lost the digital camera race . Blockbuster made $6 billion in revenue at its peak, but there is only one store left in the world ! MySpace was once one of the dominant social networks until Facebook came along . 

You could argue that these companies failed to innovate. Maybe, but they also failed to evaluate the threat properly and the risk involved in not dealing with it.

Every great company takes risks.

Smartphones, eReaders, car-sharing services, even natural cleaning products — so much of what we as consumers now take for granted was a brave step, once upon a time. But Apple , Amazon , Zipcar, and Method didn’t launch their category-defining products overnight.

These organizations safeguarded their success with a strong risk management strategy. They knew what success would look like, which factors could cause them to fail, what failure could cost them, and how they would respond to obstacles in their path.

Managing strategic risk is an essential activity for all businesses, whether you’re launching an innovative solution to market or just trying to stay ahead of the competition.

Understanding the dangers (however small) and their potential impact (however minor) empowers leaders at different levels to make smart, well-informed decisions. 

But that’s easier said than done. Risk management is a dynamic process - it shifts focus as internal and external influences change. It also requires joined-up thinking and communication across an organization. 

If you’re tasked with strategic planning and execution within your business, it can seem like an insurmountable task. Yet, armed with the right information, you can help ensure that your organization achieves its goals.

The Two Kinds Of Strategic Risk Factors

One of the first things you need to do to better manage risks is learn to identify them. There are mainly 2 kinds of strategic risk factors that you should look out for.

1. Internal strategic risk factors

Every business has strategic objectives and established routines.

Strategic risk relates to the dangers companies face in trying to accomplish their strategic objectives. Even though your plan might seem viable and on track for success, analyzing the strategic risks involved can help organizations identify obstacles (or opportunities)—and address them before it’s too late.

Strategic risks relate to a business’s internal choices, such as product development routines, advertising, communication tools, sales processes, investments in cutting-edge technologies, and more. These examples all directly impact function, performance, and overall results.

2. External strategic risk factors

Some strategic risks originate outside the company.

These could apply to the current or projected environment into which products will be released. 

It’s often easier to understand strategic risk through real-world examples. For instance, a new type of smartphone might be in high demand today, but economic changes could lead to a drop in commercial interest, leaving the business in a totally different position than it might have expected. 

Or a competitor may release a groundbreaking product or innovative service that fills the gap first, creating significant risk to the success of a strategy.

And let’s not forget that technology’s swift evolution could cause a new product to become obsolete within a few months—I’m sure that the manufacturers of wired headphones felt their stomachs drop when they saw Apple had cut the headphone jack.

These types of risks pose a real danger to companies. Investing in a business model with little chance of achieving the envisioned success can lead to severe financial strain, loss of revenue, and damage to reputation.

And none of these are easy to recover from.

Strategic Risk Assessment: How To Identify Strategic Risks?

Recognizing and taking action on strategic risks is vital to mitigate costly problems.

In your strategic risk management toolkit, you’ll need two essentials:

• An in-depth understanding of where your organization stands . This includes your target audience, market sector, competitors, and the environment in which your business operates.
• A clear awareness of your organization’s core strategic goals , from conception to proposed execution .

Gathering data on both areas can take time and investment, but it’s worthwhile to achieve accurate insights into strategic risks.

The more information you have to draw upon, the more likely it is that you’ll be able to implement processes and safeguards that facilitate organizational success.

Teams have a choice of different approaches when identifying strategic risks. 

Initiate “What if” discussions

Gather employees from across the business to explore ‘what-if’ scenarios .

By mind mapping risk factors collaboratively —with a mix of perspectives and experiences from different departments—Heads of Strategy, Change Managers, and Business Analysts may discover risks they wouldn’t have thought of on their own.

All potential risks are worth considering, no matter how unlikely they may seem at first. That’s why participants should be encouraged to let their minds wander and suggest virtually any viable risk that occurs to them.

It’s best to have a long list that can be reduced through elimination: underestimating risks can lead to businesses being unprepared down the line.

📚 Recommended reading: Risk Matrix: How To Use It In Strategic Planning

Gather input from all stakeholders

Speak with the whole range of stakeholders and consider their views on strategic risks.

If you consult a wide enough group, you’ll gather expanded perspectives about your organization or issues and not just the ones from your core employees.

Collecting a wide range of perspectives creates a holistic view of risk factors which can prove hugely beneficial when trying to understand the dangers the organization faces.

Their broad awareness of how the company operates can raise unexpected possibilities that need to be factored in.

Strategic Risk Examples

The specific strategic risks relevant to your business will largely depend on your industry, sector, product range, consumer base, and many other factors. That being said, there are some broad types of strategic risk, each of which should be on your radar.

Regulatory risks

Let’s demonstrate the importance of regulatory risks with an example.

Imagine an organization working on a new product or planning a fresh service set to transform the market. Perhaps it spots a gap in the industry and finds a way to fill it, yet needs years to bring it to fruition.

However, in this time, regulations change and the product or service suddenly becomes unacceptable. The company can’t deliver the result of its hard work to the target audience, risking a substantial loss of revenue.

Fortunately, the organization had prepared for unexpected regulatory change. Now, elements of the completed project can be incorporated into another or adapted to offer a slightly different solution.

The lesson here? 

It’s vital for companies to stay updated on all regulations relevant to their market and be aware of upcoming changes as early as possible. 

Competitor risks

Most industries are fiercely competitive. Companies can lose ground if their market rivals release a similar product at a similar or lower cost. Pricing may even be irrelevant if the product is suitably superior. 

Competitor analysis can help mitigate this strategic risk: businesses should never operate in a vacuum.

📚 Recommended read: 6 Competitive Analysis Frameworks: How to Leave Your Competition In the Dust

Economic risks

Economic risks are harder to predict, but they pose a real danger to even the most well-realized strategy. For example, economic changes can lead a business’s target audience to lose much of its disposable income or scale back on perceived luxuries.

Customer research is imperative to stay aware of what target audiences desire, their spending habits, lifestyles, financial situations, and more. 

Change risks

Change risks refer to the challenges that arise from changes in technology, market trends, consumer preferences, or industry standards. 

For instance, a company heavily invested in a particular technology may face significant risks if a disruptive innovation renders their current technology obsolete. Having a strong change management strategy to adapt to change and embracing innovation are key strategies to mitigate this risk.

Reputational risks

Reputational risks arise when a company's actions or associations damage its brand image and public perception. Negative publicity, customer dissatisfaction, product recalls, or ethical controversies can all contribute to reputational risks. 

Safeguarding the company's reputation through transparent communication, ethical practices, and proactive crisis management is crucial.

Governance risks

Governance risks refer to the effectiveness and integrity of a company's management and decision-making processes. Weak corporate governance, lack of oversight, non-compliance with regulations, or unethical behavior by key executives can lead to significant strategic risks. 

Establishing robust governance frameworks, maintaining transparency, and fostering a culture of accountability are essential to mitigate these risks.

Political risks

Political risks stem from changes in government policies, regulations, or geopolitical events. These risks can impact businesses operating domestically or internationally. Political instability, trade restrictions, sanctions, or changes in tax policies can disrupt operations and affect profitability. 

Companies must closely monitor political developments and have contingency plans to navigate such risks effectively.

Financial risks

Financial risks involve challenges related to capital management, funding, cash flow, and financial stability. Factors such as market volatility, credit risks, liquidity constraints, or inadequate financial planning can expose a company to strategic risks. 

Implementing sound financial strategies, conducting risk assessments, and maintaining a healthy balance sheet are crucial in managing these risks effectively.

Operational risks

Operational risks are inherent in day-to-day business activities and processes. These risks encompass issues such as supply chain disruptions, equipment failures, cybersecurity breaches, human errors, or natural disasters. 

Ensuring robust operational processes, implementing contingency plans, and investing in risk mitigation measures can help minimize the impact of operational risks.

Managing Strategic Risk Vs. Operational Risk

Strategic risks and operational risks are two distinct kinds. While strategic risks originate from both internal and external forces, operational risks stem solely from the internal processes within a business and they stand to disrupt workflow. 

However, the biggest difference between them is the level of the decisions they reflect.

Strategic risks reflect the risk of the decisions at a higher level, where the overall strategic plan is considered. The operational risks reflect the risk of the decisions at a lower level, the operational level, where the execution of the strategic plan is outlined.

Simply put, strategic risk is about what you do, and operational risk is how you do it.

Operational risks examples

Operational risks are critical to consider and must be dealt with as soon as possible. They directly impact a business’s work and can tie in with strategic risks, as the resources, processes, or staff available may be unable to achieve the established goals. 

One example of operational risk is outdated machinery. They can cause a slowdown in production, delay completion, and ultimately damage employee morale. In this case, the operational risk might stem from what appears to be a non-critical problem but has the potential to drag productivity down to rock bottom. So the decision of whether to upgrade the machinery should be considered.

Another example of operational risk is a company’s current payroll system. Let’s say they outsource to a small team with a weak reputation purely because it’s a cheaper alternative to working with a more reliable payroll solution . But this option could create a higher risk of late payments, processing errors, or other issues with the potential to frustrate the company’s most valuable asset: its employees.

Risk Mitigation Strategies

Implementing effective risk mitigation strategies is essential for businesses to navigate uncertainties and protect their long-term success. By identifying potential risks and proactively addressing them, companies can minimize the impact of adverse events and capitalize on opportunities for growth.

Discuss opportunities and risks separately

This is something that needs to happen before the risk identification process. Mixing in the same conversation potential opportunities and their risks handicaps the opportunity conversation.

You want your people to free their minds, brainstorm ideas, and locate all possible growth and incremental opportunities. Don’t allow that process to shrink and miss out on great opportunities. Discuss risks in a different meeting on a different day.

Distribute resources at the operational level

Once you have decided on your company’s strategy, you’ll have to align every department and person with it.

Allocate your resources in a way that serves your overall strategy to succeed. That means starving certain departments or regions to feed the ones that contribute the most to your strategic objectives.

Mitigating strategic risks is often nothing more than focusing on a great execution of your strategic plan.

Align your incentive structure

Focus on execution takes another form besides resource redistribution.

You have to visit and align with your strategic objectives the incentive structure of your top and middle management. This is a crucial step in executing your strategy because it eradicates internal conflicts.

If your leadership team is rewarded according to an older strategic plan, don’t expect them to take care of your new plan’s risks. They simply won’t have the incentive to do so.

Strategy Risk Management Examples

Let’s examine two specific real-life examples of strategic risk. One that happened a little while ago, and one that is still happening now.

Complacency vs Disruption

Before Netflix, HBO Go, Amazon Prime, Disney + , and all the other streaming platforms, people used to go to Blockbuster.

In its prime, Blockbuster had over 9,000 locations around the world and became synonymous with movie rental. It had a huge slice of the market share and looked pretty peachy until the late nineties. Until 1997, when a little company called Netflix came knocking.

At the time, Netflix didn't stream. It simply delivered rentals in the mail for a set fee each month. There were no late fees (which was one of the biggest gripes from Blockbuster customers), and movie delivery was very convenient.

Netflix was a pretty obvious strategic risk to Blockbuster, which needed to manage it somehow. This could also be seen as a clear opportunity for Blockbuster since they were in a position to buy Netflix but refused to do so.

Yes, Blockbuster passed on the $50 Million deal with Netflix and sealed its fate in the process.

Regulatory complexity

This story is still in development, so who knows how it will end.

Uber is known as the company that shook the cab industry around the world, but things are still changing. Uber is a tech company and understands that change happens, and risk evolves faster than ever before.

This is why they began investing in self-driving technology early on. At first glance, this seems counter-intuitive since moving in this direction could really upset the thousands of Uber drivers out there, but Uber gets it.

They know that if they do nothing, someone else will sweep in and, soon enough, turn Uber into another Blockbuster story.

Uber is a great example of strategic risk management since they not only have to manage things like implementing self-driving cars, but they have also had to navigate through complex regulatory risks in multiple countries.

They have also faced issues around customer safety, assaults, and constant battles with all kinds of protests and regulatory issues.

How To Measure Strategic Risk

So now you know the strategic risks your organization faces, you need a quantifiable figure to measure them. We suggest the following metrics and tools:

Economic Capital

This relates to the amount of equity a business needs to cover any unplanned losses, according to a standard of solvency (based on the organization’s ideal debt rating). 

This metric allows businesses to quantify all types of risks related to launching new products, acquiring enterprises, expanding into different territories, or internal transformation . Then, it can take the necessary actions to mitigate against it.

RAROC: Risk-Adjusted Return On Capital

This applies to the expected after-tax return on a scheme once divided by the economic capital. 

Companies can leverage this metric to determine if a strategy is viable and offers value, helping to guide leaders’ decision-making process. Any initiative with a RAROC below the capital amount offers no value and should be scrapped (sorry!).

Decision trees

Businesses on all scales can utilize both metrics to measure strategic risk, but the stakes will be different for a small enterprise than for a global corporation. The former may never recover from a bad investment, while the latter has a higher chance of weathering the storm. 

As a result, companies may use a decision tree to map the possible outcomes of a decision. This enables teams to determine which choices yield which results and prepare for all eventualities. Specific turning points can be identified and handled appropriately. 

The 7-Step Strategic Risk Management Framework

Now you have all the information, you need to capture it in one place: the strategic risk management framework . This is where you bring together all the resources (employees, technologies, capital, etc.) required to mitigate losses caused by internal or external forces.

Exactly how your framework is structured is your choice, but the following is a great strategic risk management step-by-step approach:

• Understand where you are right now . You could use a SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis, for example. Here you need to know where your organization is, your vulnerabilities, and what threats you face in the market. 
• Define your strategy and goals . This is where you clearly outline the strategy for your organization. Check out our free, ready-to-use strategic planning templates to build or revisit your strategy.
• Choose your key performance indicators (KPIs) . These can be used to measure success, monitor changes, and explore improvement opportunities over time. 
• Identify risks that can affect productivity and performance in the future. These factors may not be as apparent as others. For example, consumers’ changing tastes can be hard to predict but still have the potential to knock plans off the rails. 
• Assess your risks and define priorities . You can use a Risk Assessment Matrix that will help you score potential risks based on the probability and the impact on the business. 
• Identify KRIs (key risk indicators) to gauge your business's tolerance to obstacles . Be sure to look ahead at issues that may lurk around the corner, and determine the right time to put mitigating actions into effect.  ‍
• Continually monitor KPIs, KRIs, and their internal processes to chart progress . Are problems being resolved fast enough? Are target customers’ needs being addressed? Are all essential programs and processes in place? The aim is to stay on track and adapt to ensure you achieve your objectives. 

Implement A Long-term Strategic Risk Management Strategy

Managing strategic risk is an ongoing process.

It enables organizations to minimize their danger of experiencing severe losses and, ultimately, failure. It doesn’t guarantee every project will be a success (far from it!), but it will provide all the necessary tools to make better decisions in the long run. 

Remember to take your time, even if there’s market pressure to act fast. Trying to rush this process could lead to missed threats or opportunities in your risk analysis. Stay on top of your strategic risk management well into the future, that’s the key to organizational success.

Execute An Effective Risk Management Strategy With Cascade 🚀

Cascade is the world’s #1 strategy execution platform, remediating the chaos of running a business to help you move forward. Cascade serves as your organization's brain, offering a unified platform that spans your entire ecosystem. With Cascade, you can gain a clear picture of potential threats and create a strong risk management strategy to proactively address them.

Signal risks before they happen

Once you've identified your risks, Cascade enables you to seamlessly incorporate them into your strategic plan, ensuring alignment throughout your organization.

Adding risks is very simple:

• Give the risk a meaningful title, and a description. 
• Define the likelihood (probability of the event to happen on a scale of 1 to 10)
• Define the impact (impact of the risk on the outcome on a scale of 1 to 10)

Based on these factors, Cascade automatically calculates and displays a Risk Score (Likelihood * Impact) to assess the severity of each risk, guiding your decision-making process.

Add mitigations

Cascade empowers you to take proactive measures by adding mitigations to each identified risk. Mitigations are steps that can be implemented to avoid or minimize the occurrence and impact of risks. With a few clicks, you can expand the risk and add relevant mitigations.

As you progress with each mitigation, you can mark its completion using the checkboxes. Cascade keeps track of the number of completed mitigations, providing visibility into your progress.

Report your risks’ progress

Cascade offers a comprehensive risk reporting functionality to ensure that you stay informed about the progress of your risk management strategy. You can easily create detailed risk reports containing essential information such as risk title, owners and collaborators, risk type, status, mitigation status, and risk score. These reports can be saved and shared with stakeholders, enabling effective communication and collaboration.

Create a risk dashboard

Leverage Cascade's Risk Distribution Scatter Plot widget , available in Dashboards or Reports, to visually represent the count of risks within specific entities (e.g., objectives, measures, projects, or actions). The widget provides valuable insights into likelihood, impact, and risk scores, enabling you to monitor and analyze risks effectively.

👉🏼For more detailed information on our Risk Management features, visit our Knowledge Base .

8 Free Strategic Risk Management Templates To Get You Started!

Don’t know where to start? Check out these free strategy templates built by our experts to kickstart your risk management journey:

• Risk Management Strategy Template
• Regulatory Risk Management Plan Template
• Financial Risk Management Plan Template
• Compliance Risk Management Plan Template
• Enterprise Risk Management Plan Template
• Risk Mitigation Plan Template
• Risk Assessment Plan Template
• Risk Response Plan Template

Ready to up your Risk Management Strategy? Get started with a free plan in Cascade or book a demo with one of our strategist experts to help you develop your strategy. 

Popular articles

Viva Goals Vs. Cascade: Goal Management Vs. Strategy Execution

What Is A Maturity Model? Overview, Examples + Free Assessment

How To Implement The Balanced Scorecard Framework (With Examples)

The Best Management Reporting Software For Strategy Officers (2024 Guide)

Your toolkit for strategy success.

Successful implementation of project risk management in small and medium enterprises: a cross-case analysis

International Journal of Managing Projects in Business

ISSN : 1753-8378

Article publication date: 16 February 2021

Issue publication date: 20 May 2021

Despite the emergence and strategic importance of project risk management (PRM), its diffusion is limited mainly to large companies, leaving a lack of empirical evidence addressing SMEs. Given the socio-economic importance of SMEs and their need to manage risks to ensure the success of their strategic and innovative projects, this research aims to investigate how to adopt PRM in SMEs with a positive cost–benefit ratio.

Design/methodology/approach

This study presents an exploratory and explanatory research conducted through multiple-case studies involving 10 projects performed in Spanish and Italian small and medium-sized enterprises (SMEs).

The results obtained highlight how project features (commitment type, innovativeness, strategic relevance and managerial complexity) and firms' characteristics (sector of activity, production system and access to public incentives) influence PRM adoption, leading to different levels and types of benefits.

Originality/value

The paper offers practical indications about PRM phases, activities, tools and organizational aspects to be considered in different contexts to ensure the project's success and, ultimately, the company's growth and sustainability. Such indications could not be found in the literature.

• Project risk management
• Project management
• Successful implementation

Ferreira de Araújo Lima, P. , Marcelino-Sadaba, S. and Verbano, C. (2021), "Successful implementation of project risk management in small and medium enterprises: a cross-case analysis", International Journal of Managing Projects in Business , Vol. 14 No. 4, pp. 1023-1045. https://doi.org/10.1108/IJMPB-06-2020-0203

Emerald Publishing Limited

Copyright © 2020, Priscila Ferreira de Araújo Lima, Sara Marcelino-Sadaba and Chiara Verbano

Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode

1. Introduction

Risk Management (RM) is a very relevant process that can be related to many companies' survival. The strategic plan of the enterprises is frequently implemented by tackling projects, so project risk management (PRM) has arisen as a very important approach. Taking into account that SMEs make a very relevant contribution to the economy ( Turner et al ., 2010 ); the analysis and the understanding of the key processes of PRM in SMEs is a relevant and pressing question, and the guidelines and tools used by large firms are usually too expensive or too complex to be suitable for SMEs ( Pereira et al. , 2015 ).

Although the relationship between the utilization of a project management (PM) methodology and project success has been well established ( Joslin and Müller, 2015 ), a review of the literature shows that there is not enough deep case analysis about how SMEs have implemented an RM methodology and how the project and the company benefit from it. Therefore, this study aims to understand how PRM can be adopted by SMEs with a positive cost–benefits ratio, considering the managerial and organizational aspects.

Experiences of empirical investigations about RM in other areas, such as portfolio management, project control, multicultural environments, stakeholders management or value creation, have been analysed, but they have not taken into account the RM and the specific characteristics of SMEs ( Teller and Kock, 2013 ; Lin et al. , 2019 ; Liu et al ., 2015 ; Xia et al. , 2018 ; Willumsen et al. , 2019 ). Rodney et al. (2015) have developed an integrated model that simultaneously represents RM and all the PM processes, including the environmental factors, but requires the project manager's effort in establishing different scenarios and identifying and analysing different risks. Nevertheless, the resources that are needed to support the application of this model, in terms of time, costs and knowledge, are usually beyond the capability and affordability of SMEs. These resource-related constraints increase the SMEs’ vulnerability and lead them to an additional need of PRM adoption ( Blanc Alquier and Lagasse Tignol, 2006 ; Dallago and Guglielmetti, 2012 ).

However, the literature on RM has focused mainly on large companies, leaving a gap of empirical evidence addressing small companies ( Kim and Vonortas, 2014 ). A recent literature review conducted on the development paths of RM in SMEs identified the PRM stream as an emerging and relevant field of application only slightly studied ( de Araújo Lima et al ., 2020 ).

Given this gap of knowledge, the current study aims at contributing meaningfully to understand how PRM processes have been implemented in SMEs. Based on the analysis of 10 cases, the benefits of efficiently conducting PRM along the project lifecycle have been identified. Moreover, this paper depicts the enabling and hindering factors for SMEs to successfully adopt PRM with a positive cost–benefit ratio, to projects with different features and in different types of industries.

Additionally, these findings have allowed the researchers to obtain different clusters with specific procedures to follow in order to obtain different levels of benefits in the project. They also provide SME's project managers indications about RM-specific tools that are appropriate for particular innovation levels or specific economic sectors.

In the following section, the result of an in-depth search for previous publications related to PRM and, more specifically, related to PRM in SMEs, has been conducted. As it is described in Section 3 , the main aim of this paper is to identify how to implement a PRM in SMEs reaching high benefits without many resources. This research has been performed through a deep multiple-case study involving 10 projects conducted in Spanish and Italian SMEs. The objectives and methodology applied in the investigation are also detailed in the referred Section. The results obtained are included in Section 4 , organized in within-case analysis and cross-cases analysis. The implications of these results are discussed in the following section, where the different clusters that have been identified – according to the level of benefits obtained through the implementation of PRM – are explained.

2. Literature review

2.1 project risk management.

The specific characteristics of the projects, such as novelty, uniqueness, high number of stakeholders and temporality, indicate that RM is useful to successfully achieve the project's objectives ( PMI, 2017 ). PRM is an integral part of PM, a process in which methods, knowledge, tools and techniques are applied to a project, integrating the various phases of a project's lifecycle in order to achieve its goal ( ISO 21500, 2012 ; PMI, 2017 ).

According to the Project Management Book of Knowledge (PMBoK), all projects involve associated risks, the positive side of which facilitates achieving certain benefits ( PMI, 2017 ). Some of the overall qualitative definitions of risk are the possibility of an unfortunate occurrence, the consequences of the activity and associated uncertainties and the deviation from a reference value ( Aven, 2016 ). A common definition of risk related to PM is an uncertain event or condition that, if takes place, has both negative and positive effects on the project's objectives ( PMI, 2017 ; ISO 31000, 2018 ; Pritchard and PMP, 2014 ; A Project risk management in SMEs PM, 2004 ; TSO, 2009 ). Therefore, organizations must achieve, through PRM, a balance between the risk assumed and the expected benefit.

RM is considered one of the most relevant areas in the training of project managers ( Nguyen et al ., 2017 ); even the project stakeholders expect them to analyse the different risks that can affect projects.

The way risk is understood and described strongly influences the way risk is analysed, and hence it may have serious implications for RM and decision-making ( Aven, 2016 ). It is also important to consider risk as systemic as it allows the investigation of the interactions between risks and encourages the management of the causality of relationships between them, thus forcing a more holistic appreciation of the project risks ( Ackermann et al. , 2007 ).

Technical-operative risks: technology selection, risks related to materials and equipment, risks related to change requests and its implementation, design risks

Organizational risks related to human factors (organizational, individual, project team): risks derived from regulations, policies, behaviour (lack of coordination/integration, human mistakes related to lack of knowledge)

Contract risks: risks of the contract related to the project

Financial/economic risks: inflation, interest rates fluctuation, exchange rate fluctuation

Political risk: environmental authorizations, governmental authorizations

The RM process defined in ISO 31000:2018 is composed of the following phases: initiate (context analysis); identify (risk identification); analyse (qualification and quantification); treatment (plan and implement) and risk monitor and control (monitoring and re-evaluation). The process must be continuous throughout the project lifecycle to increase the chances of the project's success ( Raz and Michael, 2001 ).

Within these processes, communication acquires great importance within RM and is a key element in its success, but only Portman (2009) specifically analyses it. Communication is the basis that allows the entire project team (including the main stakeholders) to understand the context of the project to develop the PRM approach. It is also necessary to define the support structure to address the risks that materialize and to monitor them by periodically communicating the status of defined indicators.

RM helps to achieve project objectives in a much more efficient way as it facilitates the proactive management of problems and the maximization of benefits if opportunities materialize ( Elkington and Smallman, 2002 ; Borge, 2002 ). Teams work with greater confidence and a lower level of stress, which increases their effectiveness ( APM, 2004 ). However, it is clear that a large number of project managers still believe that RM involves a great deal of work, for which they do not have time, and this is particularly common in projects addressed by SMEs ( Marcelino-Sádaba et al. , 2014 ).

One of the biggest issues in performing RM is the lack of systematic risk identification methods that provide characteristic taxonomies for specific project types based on lessons learned from similar projects ( Pellerin and Perrier, 2019 ).

2.2 Project risk management in SMES

The importance of PRM carried out in SMEs has been analysed and highlighted in the literature ( Blanc Alquier and Lagasse Tignol, 2006 ; Naude and Chiweshe, 2017 ). For SMEs, PRM should be carried out at an early stage in the strategic selection of projects to be implemented because their success has a great influence on its survival. However, as Vacik et al. (2018) indicate in their study, only 4% of the companies studied in their research have used risk measurement methodologies in their decision-making, carrying out the process in a qualitative way.

Some studies are available to assist SMEs in identifying and managing risks in specific business sectors; for example in ICT, where software projects are characterized by a high level of uncertainty in the definition of requirements, RM acquires great importance for SMEs project management ( Neves et al. , 2014 ). There are other studies about risk identification and their management in this area, including the one of Sharif et al. (2013) , Lam et al. (2017) , and Taherdoost et al. (2016) .

Despite the fact that different web tools have been developed for SMEs to solve their biggest difficulties in RM ( Sharif and Rozan, 2010 ; Pereira et al. , 2015 ), RM is generally carried out in person by the project manager due to the high cost of a tool and the need for qualified staff to use it.

Many sectors, such as IT, construction and design, usually work by projects and therefore have information on the specific risks associated to them. In the construction sector, for instance, different analyses, methodologies and tools for RM could be identified ( Tang et al ., 2009 ; Rostami et al. , 2015 ; Oduoza et al ., 2017 ; Hwang et al ., 2014 ). The main problems – lack of time and budget – arise when implementing RM among SMEs in this sector.

Tupa et al. (2017) and Moeuf et al . (2020) have analysed the risks and opportunities inherent to SMEs in the new paradigm brought by the Industry 4.0, in which relationships between people and systems are characterized by high connectivity and a significant quantity of data and information to manage. As a result, a new information security risk has emerged. In addition, due to the new connection systems, it will be possible to establish new information flows that update the indicators established for RM. Due to the great importance of decision-making in project success, the training of project managers in these disciplines is one of the key factors that will affect the PRM in the future.

Sanchez-Cazorla et al. (2016) concluded in their study of PRM, “Risk Identification in Megaprojects”, that further empirical studies are required to provide process information over the project lifecycle. The literature review also shows that there are not enough studies on how PRM could be adapted to SMEs.

Although Marcelino et al. (2014) established a methodology related to the project lifecycle and Lima and Verbano (2019) analysed how to implement a PRM methodology with a positive cost–benefit ratio, more studies are needed about the real practice RM in SMEs, best practices in this area and how to adapt them to different economic sectors, company sizes or types of projects addressed.

From the literature review, it could be concluded that specific methodologies are needed for SMEs in order to tackle PRM in an effective way. Nevertheless, not many methodologies in the literature are suitable for SMEs and their specific characteristics since these methodologies require a great amount of resources or the availability of specific tools and software that SMEs usually do not have.

This paper presents a more detailed analysis of the process developed to obtain good practice patterns according to the different economic sectors and types of projects.

3. Objective and methodology

What are the main RM phases, activities, tools and organizational aspects adopted by SMEs in the PRM process?

What are the evidences and outcomes of PRM adoption in SMEs?

What are the enabling and hindering factors to perform PRM in SMEs?

In particular, RQ1 and RQ3 are formulated to understand how to adopt PRM in SMEs, and RQ2 is defined to identify the evidences and outcomes deriving from a successful PRM adoption.

To achieve the research objective and answer the research questions, an exploratory and explanatory research through multiple case studies was conducted as it is the most suitable methodology for this type of research ( Voss et al ., 2002 ; Eisenhardt and Graebner, 2007 ; Yin, 2009 ).

To this extent, a specific empirical framework proposed by Lima and Verbano (2019) for analysing multiple cases of PRM adoption in SMEs was used since it is the only one available in literature in order to analyse cases with objectives similar to the ones in this study. In Figure 1 the process followed to build the framework and the main constructs and variables investigated with the questionnaire can be observed.

The final questionnaire is structured in nine sections reflecting the framework:

Company and respondents profile;

Project overview (i.e. objectives, type of commitment, innovativeness, strategic relevance and managerial complexity of the project);

PRM organization (people involved, training, procedures)

PRM plan, risks and opportunities considered;

(5-8)regarding each PRM phases (risk identification, analysis, treatment, monitoring and control), activities, tools and difficulties faced; finally, PRM hindering and enabling factors were analysed for the whole process;

Evidences and outcomes of the PRM adoption (i.e. the benefits, time and costs of PRM implementation).

The questionnaire included close-ended questions (i.e. number of employees, total cost of the project, etc.), perception questions on a 5-point Likert scale (regarding for example the level of technology innovativeness of the project and the benefits obtained from PRM) and open-ended questions (concerning, for example, the activities and tools adopted and the difficulties faced in each PRM phase, the enabling and hindering factors for PRM adoption). The choice of the type of questions depends on:

the qualitative or quantitative nature of the specific object investigated,

its degree of novelty (i.e. there is a gap in the literature regarding the measurement of PRM benefits; therefore they have been investigated mostly with perception questions),

the interrelation among the specific object with other variables, leading to more significant comprehension with an open-ended question.

The semi-structured interviews, using this questionnaire, were the primary source of data collection, supplemented with documents related to the project.

A pilot case belonging to service industry in the ICT has been selected in order to test the questionnaire. In particular, this project has been chosen considering the large experience of the project manager and his willingness to collaborate to the study; therefore, this pilot case was very useful to verify comprehensibility and validity of the questionnaire and to improve it. Notwithstanding, this study was then excluded from the cases analysed because the company was expanding beyond the limits set for SMEs. Once verified the questionnaire, the sampling of the cases has started.

The project was the unit of analysis of the research, and three characteristics were necessary to fit the selection criteria: a project with PRM implementation; a cost–benefit ratio of PRM adoption higher than 1 and a project developed in an SME.

In order to obtain a broad sample and gain a deeper understanding of the topic of interest in different scenarios, heterogeneity among the cases was necessary. Therefore, in addition to the requested project's features, the researchers selected projects from different industrial sectors and with different end users (external or internal), in order to guarantee the external validity of the research ( Yin, 2009 ). An overview of the 10 selected cases with the main characteristics of the project is displayed in Table 1 .

All interviews were conducted on-site and, to avoid bias and ensure the construct's validity ( Voss et al ., 2002 ), at least two people who were highly involved in the project (project manager, technical leader, project management consultant) responded to the questions individually. The interviews were about 90 min in length and were conducted in the respondents' native languages, which incentivized them to give more information about the project since they felt more comfortable during the process; for this reason, the questionnaire was translated in Italian and in Spanish. After a preliminary analysis of the collected data, integrative information was often requested by phone or email, and a final verification with the respondents of the resulting project report was conducted. The last column of Table 1 displays the number of interviews and the number of interviewees respectively. The researchers have also analysed documents related to the project in order to increase data reliability and to ensure the project's internal validity through triangulation ( Voss et al ., 2002 ).

The interviews were recorded and transcribed for the data analysis. To analyse the collected data, the directed approach to content analysis, the goal of which is to validate or extend conceptually a theoretical framework or theory ( Hsieh and Shannon, 2005 ), was initially used. This approach consists of coding data before and during its analysis. After the initial coding through the semi-structured questionnaires, in order to refine the results, especially those that emerged from the open-ended questions, it was necessary to complete the coding process through a careful analysis of the interviews. As was indicated by Hsieh and Shannon (2005) , since the goal of the research was to identify and categorize all instances of a particular phenomenon, the recorded interviews were transcribed and inductively coded with descriptive coding (using a word or a specific phrase to aggregate the basic topics of the interview transcript) and in vivo coding methods (i.e. assigning a label corresponding to word or short phrase taken from the interview transcript). For example, one interviewee said that they “did not know well the risks”, while another one, in another case, said they needed “to understand well the risk”. Both these expressions were labelled as “lack of knowledge” regarding the possible impact of the risk. The resulting categories were important variables in the inter-cases comparisons.

The entirety of the coding process was done manually. Segments of data were initially summarized, and then pattern coding was applied independently by two research team members; any coding disagreements were discussed until agreement was reached on all coded portions of the interview, in order to overcome the reliability tests ( Tong et al ., 2007 ). Once this process was done, the within-case analysis was conducted. The aforementioned directed approach analysis and the coding process are part of the within-case data analysis. The main goal of a within-case analysis is to describe, understand and explain what has happened in the single case ( Miles et al. , 1994 ). After understanding each case individually, the cross-case analysis was performed, and, as supported by Myers (2000) , partial generalizations to similar populations were made.

The following cross-case analysis allows the researcher to strengthen a theory, built through examination of similarities and differences across cases. Eisenhardt (1989) states that analysing similarities and differences between pairs of cases is a powerful method to better understand the cases and obtain meaningful findings ( Eisenhardt, 1989 ; Voss et al ., 2002 ).

Replication strategy has been used during the cross-case analysis. In this strategy, a theoretical framework is applied to study one case in depth, and the successive cases are examined to see whether the identified pattern matches the pattern in previous cases (creating a cluster) ( Yin, 2009 ). Therefore, both within-case and cross-case analysis of the data were conducted as they are suitable for multiple-case studies ( Eisenhardt, 1989 ; Voss et al ., 2002 ; Yin, 2009 ).

4. Findings

4.1 results from within-case analysis.

The within-case analyses allowed the researchers to answer the research questions proposed in Section 3 . For each case, the results obtained from the questionnaire were carefully analysed. All information collected was organized into tables for the next phase of the data analysis. In addition, a figure with the PRM phases, the activities conducted, the tools used, the difficulties faced in each phase, the gaps in the process and the PRM results was created. Through these analyses, the enabling and hindering factors were identified and the PRM benefits were evaluated and graphically displayed. As an example of the information collected and the analyses conducted, Figure 2 displays the results of the within-case analysis for the first case study.

Phase 1 (risk identification): the main activities are context analysis, risk identification (both activities were conducted in 9 of the 10 cases), stakeholder analysis and opportunity identification; and the main tools are brainstorming (80%), checklist (70%), risk register (50%). It has been emerged that in only 40% of cases interviews with experts were conducted and in 20% of the projects SWOT analysis, FMEA, 5 Whys and root-cause analysis tools were used.

Phase 2 (risk analysis): the main activities are meetings (both formal and informal). Design-related activities and tests have been found in 40% of cases. The main tools are risk matrix, risk register, risk ranking. Nevertheless, 5 Why and expected money value (EMV).

Phase 3 (risk treatment): all the activities identified have the same relevance (between 20 and 40%) being communication/meetings, design/specification changes the most important ones. Other activities are outsourcing decisions, prototype testing, team monitoring and analysis on the job. In all the cases, the main tools were risk mitigation. risk transfer, risk avoidance and risk retention.

Phase 4 (monitor and control): the main activities are risk revaluation and periodic monitoring meeting. Action monitoring plan, meetings and problem replication have been executed in a less relevant way. A main tool does not arise in this phase, being change request monitoring, risk trigger monitoring and risk audit are the ones used.

These results are summarized in Figure 3 .

Responsible for PRM implementation (who)

People involved in the PRM process (which roles)

Roles in PRM clearly assigned (yes/no)

Internal PRM procedures adopted in the project (yes/no)

PRM training plan for the people involved in the project (yes/no)

In all cases, the project manager was responsible for the PRM implementation process. In some of the cases, members of the team or a PM consultant or function manager was involved. In eight cases, the roles in the PRM process were clearly assigned, and in seven cases, the internal PRM procedures were followed, while PRM training was conducted in only two cases.

The innovation, complexity and relevance of the projects were also assessed. Using a 5-point Likert scale, the interviewees were questioned about the project's technologic innovativeness, innovativeness for the market, project management complexity and strategic relevance. On average, the innovativeness for the market and the PM complexity were medium-high, while the project technologic innovativeness was high and the strategic relevance of the projects was even higher.

In the final section of the interview, the main outcomes and evidence of the PRM process were discussed. A list of benefits than can be obtained through the implementation of PRM was created by the researchers. Using a 5-point Likert scale once again, the interviewees were asked about their perception regarding the achievement of these seven benefits (eight in the cases with an external end-user) through PRM adoption, which was very satisfactory.

In addition to the benefits obtained through PRM, other important evidence emerged from the results. In all cases, PRM was considered useful, and the time/cost spent on its implementation was justified by the benefits, as required by the selection criteria. The interviewees of six projects believe that PRM should be adopted in all of the company's projects. In another two interviews, the respondents stated that PRM should be implemented in all innovative projects, while in the other two cases, the interviewees affirmed that the PRM process should be carried on in the strategic projects.

The last research question concerned the enabling and hindering factors for companies to adopt PRM. The respondents have pointed out the following as the enabling factors: previous PRM experience; support of a PM consultant with PRM experience; having a strategic/innovative project (which stimulates PRM adoption); a PRM report requested by the government/project financer and stakeholder support. In terms of the hindering factors, it has emerged that difficulties in the communication with the external client, lack of support from CEO/stakeholders (i.e. no recognition of PRM importance for the project's success) and PRM being seen as a “waste of time” by some of the people involved in the project are the most significant issues. The proof of the benefits obtained through PRM can be used by project managers to convince the CEO, the external clients and all the stakeholders to adopt PRM in the future projects; moreover, they could explain that those benefits could be achieved only with the cooperation of all actors involved in the projects.

Table 2 summarizes the findings obtained: the PRM organizational aspects in the projects, the level of innovativeness and complexity of the projects, the main evidences and the main benefits obtained through PRM implementation.

4.2 Results from cross-case analysis: pattern identification

Group 1: very high level of benefits (cases 4, 7 and 10)

Group 2a: high level of benefits – manufacturing (cases 1, 2 and 9)

Group 2b: high level of benefits – services (cases 5, 6 and 8)

Case 3 had a medium-high innovativeness level and lacked of PRM organization ( Table 2 ). Moreover, some of the PRM phases were poorly implemented, indicating that in this case the lack of structure in the PRM process had a negative impact on the benefits, which were all rated as medium. Given its specific characteristics and the poor results obtained, case 3 was excluded from the clusters.

In group 1 (very high benefits achieved), similarities in the project context (all Spanish manufacturing companies implementing projects with very high strategic relevance) and in the PRM organization (PRM roles assigned, internal procedures adopted and identification of the risk owner) were acknowledged. All companies have identified the same project risk types (i.e. technical-operative risks) and have used two specific tools and performed the same activities to manage these risks. The risks were constantly measured during the projects, and the project manager was responsible for PRM. A consultant with PRM experience in the micro and small company and a project manager with significant PRM experience were crucial for achieving very high benefits.

Six other cases have reached a high level of benefits and, based on the project context characteristics, were split into two groups: manufacturing (group 2a) and services (group 2b).

In the first group, composed of the manufacturing cases, projects have a very high level of innovation and complexity, and the contexts in which they exist are extremely similar. The roles involved in the projects were the same (project manager and project manager consultant), and the same project risks were identified. Several common activities were conducted, and common tools were used in the first three PRM phases.

The project manager's knowledge and experience in implementing PRM enabled the team to adopt process, notwithstanding the fact that in all cases difficulties were faced due to the lack of knowledge and competences about some technical project details (such as material's specific characteristics, client's ERP system that could generate problems in the project). Interesting evidence has emerged in these cases, with opportunities considered and pursued and the risk register being constantly updated as the most significant pieces of evidence.

The third group is formed by three services companies with a very high standard of PRM organization. In contrast to the previous groups, more project risk types were considered in these cases (three in total), which led to the individuation of specific risks in all projects. Similarities are identified in the PRM process, which was slightly adapted in each of the cases. Their strategic relevance has triggered the project managers to adopt PRM, regardless of their lack of knowledge about the difficulties to be faced. While identifying the risks, the opportunities were also considered in all cases.

The project studied in case 3 reached a mid-range level of benefits. Regardless of the project's high level of innovativeness and medium-high level of project management complexity, no PRM roles were assigned, no internal procedures were followed and no PRM training was conducted, indicating a poor level of organization in both cases. The risk analysis was performed sketchily, and there were issues during the “go-live” phase of the project. According to the project manager, “PRM has to be well implemented, otherwise the time dedicated to it will be a waste”. Therefore, in this case, PRM was adopted, and the results were positive, but it is likely that with a better PRM approach, the project would have obtained higher benefits. Given the specific characteristics of the case and the impossibility of replicating the results, this project was not clustered.

Figure 4 summarizes the characteristics of the clusters obtained.

Comparing the benefits graphs in Figure 4 , it could be concluded that the main difference between group 1 (very high level of benefits) and groups 2a and 2b (high level of benefits) is a better decision-making process in the first group. This feature, together with the PRM knowledge of the people involved in the project, led to a better project control (budget, project performance and lower risk impact). On the other hand, the evaluation of budget reserve does not seem to be significantly impacted by PRM, being the lowest perceived benefit in all the groups. A deeper analysis of these differences is discussed in the next section.

5. Discussion

From the analysis of the cases, it can be noted that some common features of PRM adoption are aligned with the results of previous literature. Firstly, in the study of Vacík et al. (2018) , 96% of the analysed companies carried out the RM process in a qualitative way, which indicates that usually no quantitative methods are used. This tendency was confirmed in this research since in all the studied cases the risk analysis was only qualitative. Secondly, many studies about PRM in SMEs, as the ones of Sharif and Rozan (2010) and of Pereira et al. (2015) , state that RM is generally carried out in person by the project manager due to the high cost of the tool and the need for qualified staff to operate it. Also, this statement was confirmed, as in all 10 cases, the project manager was responsible for the PRM implementation and simple tools were used. Moreover, according to Pellerin and Perrier (2019) , one of the biggest issues in performing PRM is the lack of systematic risk identification methods for specific project types based on lessons learned from similar projects. In most of the cases considered in this study, no meetings to discuss the lessons learned were held, and therefore no methods for systematic risk analysis were created. Nevertheless, it is expected that the indications that emerged from this study – about tools and activities to be performed during the risk identification phase and the following PRM phases – can be relevant to developing structured and efficient PRM adoption in SMEs.

only technical-operative risks were considered and identified in all projects;

all PRM phases were followed, but in two cases the risk analysis phase was not fully implemented;

the risk matrix and risk mitigation tools were used in the risk analysis and in the risk treatment phases, respectively, and the risk revaluation activity was performed during the risk monitor and control phase and

when analysing the context in which the projects were developed, it has emerged that all of them had either a very high strategic relevance or a high level of innovation.

As for the PRM organization , the combination of assigning roles in the PRM process, adopting internal procedures and identifying the risk owner is a distinctive feature of the first cluster, in which all projects have achieved very high benefits. In cluster 2a, the roles were not assigned, and no internal procedures were adopted, but there was a consultant with PRM experience, which led these projects to obtain a high level of benefits. Therefore, the identification of the risk owner and the identification of internal PRM procedures, or the involvement of a PM consultant with PRM experience, seem to be necessary aspects to ensuring PRM adoption. In the cases in which there was not a minimum level of knowledge about PRM, the project managers have asked for external support. However, the best option is still to have the knowledge inside the company: in cluster 1, the PRM knowledge was internal; in cluster 2a, it was external and in cluster 2b, it was internal but less consolidated that in the cases of the first cluster.

Regarding the project risks, in cluster 2b, the collaboration of other functional areas with the PRM team led to the consideration of more project risk types. In particular, three types of risk were considered in these projects, indicating a more comprehensive approach of the project context since more functional areas were involved in the PRM team in these cases. It can also be assumed that the service industry, in which all projects of this cluster exist, is more aware of the context of the project than the manufacturing industries, due to the higher involvement of the project stakeholders.

In manufacturing projects in which the strategic relevance was not very high (cluster 2a), only technical-operative risks were considered, while in cluster 1 (manufacturing cases with very high strategic relevance), the organizational risk types, which include lack of competence of the people involved in the process, were also taken into consideration. Therefore, in manufacturing projects, technical operative risks are the primary risks, but if they are strategically relevant, organizational risks must also be considered.

Another positive result from the PRM process is that in clusters 2a and 2b, the opportunities are also being considered, indicating a more comprehensive approach towards risks.

Several differences were identified among the clusters also when analysing the PRM process phases . The studied literature indicates that PRM must be continuous throughout the project's lifecycle in order to be successful, which is confirmed in the cases.

During the risk identification phase of the Spanish projects' implementation (clusters 1 and 2a), many meetings were held, and the risks were constantly measured. In most of these cases, PRM was stimulated by the government, which has facilitated its adoption since the project managers had to deliver to the government a report about the project evolution every six months. During this phase, cluster 2a was the one in which the projects had more activities in common among them (context analysis, risk identification and stakeholder analysis).

Meetings and measurement of risk probability of occurrence, as well as effects based on feelings, were adopted by the manufacturing clusters (1 and 2a) during the risk analysis phase. Risk prioritization and the constant measurement of risks were important to achieving the highest level of benefits (cluster 1). The risk matrix was used in this phase in all cases and served as a basis for risk prioritization in cluster 1.

During the risk treatment phase, two tools were used in the manufacturing clusters: risk mitigation and risk avoidance. In some cases, instead of risk avoidance, the risk retention tool was used. In cluster 2b, only the risk mitigation tool was adopted. Except for the risk revaluation activity in the risk monitor and control phase, in the projects of clusters 2a and 2b, additional activities common to all projects inside the cluster were followed.

The interviewees reported they intend to adopt PRM in the future projects of the company; in cluster 2a in particular, project innovativeness will be the trigger for PRM adoption in future projects.

Regarding the hindering and enabling factors for PRM adoption, the support inside the company to conduct the PRM process and the client cooperation – when needed – are considered crucial factors for successful PRM implementation. In the projects of cluster 1, the company's higher-level management did not interfere in the project managers' decisions about PRM, so the interviewees have not felt any hindering factors during the PRM adoption. Significant hindering factors include the lack of information about the service to be provided or about the technical specifications of the process that are needed to develop a product.

The indications about activities, tools and organizational aspects that enable the effective implementation of PRM in SMEs in different industries represent a significant contribution to the literature of PRM in SMEs since none of the previously published papers have provided this result.

This paper also contributes to informing SMEs that by adopting PRM, they can achieve a positive balance between the risks assumed and the expected benefits, as demonstrated by the 10 cases analysed. As is stated in the PMI (2017) , all projects involve associated risks, the positive side of which allows them to achieve specific benefits. The adoption of PRM has always contributed to the project success of the cases considered, confirming that PRM is positively related to PM performance, as is indicated by Fernando et al. (2018) .

Figure 5 displays a comparison among the clusters according to the variables related to PRM and the benefits obtained.

6. Conclusions

Given the socio-economic importance of SMEs and their need to manage risks to assure project success, this research aims to investigate how to adopt PRM in SMEs with a positive cost–benefit ratio, considering RM phases, activities, tools and organizational aspects that enable the effective implementation of PRM in SMEs.

In order to pursue this objective, a multiple-case study was conducted, analysing 10 cases in Italy and Spain. Three clusters were eventually identified, revealing information about how to implement PRM in SMEs to achieve a high or very high level of benefits, considering different project characteristics and contexts.

The average complexity and innovation of the cases adopting PRM were high since higher project complexity implies higher risks, regardless of the type of industry.

The results obtained through the case studies confirm the literature indicating that SMEs need PM models that are less bureaucratic, with different versions of PRM depending on the characteristics of the project to facilitate its implementation.

From a managerial point of view, the findings offer practical information about PRM phases, activities, tools and organizational aspects to be considered in different types of industries and project complexities for its successful implementation.

Additionally, national and local governments can benefit from this research, taking advantage of the experience of the Spanish government that holds a prominent role in the adoption of PRM in SME projects, requiring periodical reports to financially support the projects.

Thanks to these results, it is possible to increase the diffusion of PRM in SMEs since they can be useful in other projects, thereby promoting the knowledge about and adoption of PRM.

From an academic point of view, this research confirmed the validity of an empirical framework specifically developed by Lima and Verbano (2019) to analyse PRM in SMEs and offers ten new cases to the scant literature devoted to SMEs. In addition, the findings obtained from the cases studied allow to outline the framework displayed in Figure 6 , highlighting the relations among the main constructs. In particular, project features (technology and market innovativeness, strategic relevance, managerial complexity and commitment type) and firm characteristics (sector, production system and public incentives available) have an influence on the adoption of PRM, referring to the following main components (organization, risks and opportunities considered, planning, activities, tools, enabling and hindering factors).

Furthermore, PRM adopted led to different type and level of outcomes and benefits, as emerged in the three clusters analysed. Project dimension and firm dimension, on the contrary, seem not to influence PRM adoption and its benefits.

Finally, as reported in Figure 7 , experience, PM and RM knowledge emerged as enabling factors for a successful PRM implementation; on the other side short time for PRM, lack of technical knowledge and information are the hindering factors.

These findings could support further research in PRM in SMEs, confirming and exploiting the knowledge of this emerging topic and its diffusion. Particularly, this study was not focussed specifically on the relations among the main constructs of the framework that could be examined considering the impact of every single dimension on the others, giving a deeper and specific knowledge on how to implement successfully PRM in SMEs.

Other future studies could be conducted from the starting point of the other limitations of this research: the data collection could be conducted with more than two respondents for each project (if feasible), the sample could be increased to also consider other industrial contexts, other countries and specific project characteristics, so as to expand the validity of this research and the information obtained so far. In addition, a large sample could allow statistical analysis to be performed with a greater possibility of generalization of the obtained results.

Moreover, further research is required to measure the benefits achieved from PRM in a more objective way. It is assumed in the PMBoK that PRM creates value for project outcomes, thereby increasing the probability of project success and strategic benefits ( Willumsen et al. , 2019 ). However, at the moment, there is a very scant literature considering the value of PRM, and no objective measures are available, except the ones regarding the costs, time and quality of the projects. This study offers the identification of the dimensions of PRM benefits, but future studies are needed to refine their measurement.

In conclusion, this research offers an academic and managerial contribution to the emerging topic of PRM in SMEs, which influences the development and sustainability of SME projects and, consequently, the economic growth of many countries' economies.

Construction of the framework

Within-case analysis results from the first case study

PRM phases, activities and tools

Profile of the clusters obtained

Comparison of PRM implementation among the clusters

Framework resulting from the analysis of the cases

Enabling and hindering factors for PRM implementation

Overview of the selected projects

Ackermann , F. , Eden , C. , Williams , T. and Howick , S. ( 2007 ), “ Systemic risk assessment: a case study ”, Journal of the Operational Research Society , Vol. 58 No. 1 , pp. 39 - 51 .

APM ( 2004 ), Directing Change – A Guide to the Governance of Project Management (GoPM) , APM Publishing, London .

Aven , T. ( 2016 ), “ Risk assessment and risk management: review of recent advances on their foundation ”, European Journal of Operational Research , Vol. 253 No. 1 , pp. 1 - 13 .

Blanc Alquier , A.M. and Lagasse Tignol , M.H. ( 2006 ), “ Risk management in small-and medium-sized enterprises ”, Production Planning and Control , Vol. 17 No. 3 , pp. 273 - 282 .

Borge , D. ( 2002 ), The Book of Risk , John Wiley and Sons , New York .

Dallago , B. and Guglielmetti , C. (Eds) ( 2012 ), The Consequences of the International Crisis for. European SMEs: Vulnerability and Resilience , Routledge , Abingdon .

de Araújo Lima , P.F. , Crema , M. and Verbano , C. ( 2020 ), “ Risk management in SMEs: a systematic literature review and future directions ”, European Management Journal , Vol. 38 No. 1 , pp. 78 - 94 .

de Camprieu , R. , Desbiens , J. and Feixue , Y. ( 2007 ), “ ‘Cultural’ differences in project risk perception: an empirical comparison of China and Canada ”, International Journal of Project Management , Vol. 25 No. 7 , pp. 683 - 693 .

Dey , P.K. ( 2012 ), “ Project risk management using multiple criteria decision-making technique and decision tree analysis: a case study of Indian oil refinery ”, Production Planning and Control , Vol. 23 No. 12 , pp. 903 - 921 .

Eisenhardt , K.M. ( 1989 ), “ Building theories from case study research ”, Academy of Management Review , Vol. 14 No. 4 , pp. 532 - 550 .

Eisenhardt , K.M. and Graebner , M.E. ( 2007 ), “ Theory building from cases: opportunities and challenges ”, Academy of Management Journal , Vol. 50 No. 1 , pp. 25 - 32 .

Elkington , P. and Smallman , C. ( 2002 ), “ Managing project risks: a case study from the utilities sector ”, International Journal of Project Management , Vol. 20 No. 1 , pp. 49 - 57 .

Fernando , Y. , Walters , T. , Ismail , M.N. , Seo , Y.W. and Kaimasu , M. ( 2018 ), “ Managing project success using project risk and green supply chain management: a survey of automotive industry ”, International Journal of Managing Projects in Business , Vol. 11 No. 2 , pp. 332 - 365 .

Hsieh , H.F. and Shannon , S.E. ( 2005 ), “ Three approaches to qualitative content analysis ”, Qualitative Health Research , Vol. 15 No. 9 , pp. 1277 - 1288 .

Hwang , B.G. , Zhao , X. and Toh , L.P. ( 2014 ), “ Risk management in small construction projects in Singapore: status, barriers and impact ”, International Journal of Project Management , Vol. 32 No. 1 , pp. 116 - 124 .

ISO 21500 ( 2012 ), Guidance on Project Management , International Organization for Standardization , available at: https://www.iso.org/standard/50003.html .

ISO 31000 ( 2018 ), Principles and Generic Guidelines on Risk Management International , International Organisation for Standardisation , available at: https://www.iso.org/standard/65694.html .

Joslin , R. and Müller , R. ( 2015 ), “ Relationships between a project management methodology and project success in different project governance contexts ”, International Journal of Project Management , Vol. 33 No. 6 , pp. 1377 - 1392 .

Kim , Y. and Vonortas , N.S. ( 2014 ), “ Managing risk in the formative years: evidence from young enterprises in Europe ”, Technovation , Vol. 34 No. 8 , pp. 454 - 465 .

Lam , T.T. , Mahdjoubi , L. and Mason , J. ( 2017 ), “ A framework to assist in the analysis of risks and rewards of adopting BIM for SMEs in the UK ”, Journal of Civil Engineering and Management , Vol. 23 No. 6 , pp. 740 - 752 .

Lima , P.F.D.A. and Verbano , C. ( 2019 ), “ Project risk management implementation in SMEs: a case study from Italy ”, Journal of Technology Management and Innovation , Vol. 14 No. 1 , pp. 3 - 10 .

Lin , L. , Müller , R. , Zhu , F. and Liu , H. ( 2019 ), “ Choosing suitable project control modes to improve the knowledge integration under different uncertainties ”, International Journal of Project Management , Vol. 37 No. 7 , pp. 896 - 911 .

Liu , J. , Meng , F. and Fellows , R. ( 2015 ), “ An exploratory study of understanding project risk management from the perspective of national culture ”, International Journal of Project Management , Vol. 33 No. 3 , pp. 564 - 575 .

Marcelino-Sádaba , Pérez-Ezcurdia , A. , Lazcano , A.M.E. and Villanueva , P. ( 2014 ), “ Project risk management methodology for small firms ”, International Journal of Project Management , Vol. 32 No. 2 , pp. 327 - 340 .

Miles , M.B. , Huberman , A.M. , Huberman , M.A. and Huberman , M. ( 1994 ), Qualitative Data Analysis: An Expanded Sourcebook , Sage , Thousand Oaks .

Myers , M. ( 2000 ), “ Qualitative research and the generalizability question: standing firm with Proteus ”, The Qualitative Report , Vol. 4 No. 3 , p. 9 .

Moeuf , A. , Lamouri , S. , Pellerin , R. , Tamayo-Giraldo , S. , Tobon-Valencia , E. and Eburdy , R. ( 2020 ), “ Identification of critical success factors, risks and opportunities of industry 4.0 in SMEs ”, International Journal of Production Research , Vol. 58 No. 5 , pp. 1384 - 1400 .

Naude , M.J. and Chiweshe , N. ( 2017 ), “ A proposed operational risk management framework for small and medium enterprises ”, South African Journal of Economic and Management Sciences , Vol. 20 No. 1 , pp. 1 - 10 .

Neves , S.M. , da Silva , C.E.S. , Salomon , V.A.P. , da Silva , A.F. and Sotomonte , B.E.P. ( 2014 ), “ Risk management in software projects through knowledge management techniques: cases in Brazilian incubated technology-based firms ”, International Journal of Project Management , Vol. 32 No. 1 , pp. 125 - 138 .

Nguyen , L.D. , Chih , Y.Y. and García de Soto , B. ( 2017 ), “ Knowledge areas delivered in project management programs: exploratory study ”, Journal of Management in Engineering , Vol. 33 No. 1 , 04016025 .

Oduoza , C.F. , Odimabo , O. and Tamparapoulos , A. ( 2017 ), “ Framework for risk management software system for SMEs in the engineering construction sector ”, Procedia manufacturing , Vol. 11 , pp. 1231 - 1238 .

OECD ( 2012 ), Financing SMEs and Entrepreneurs 2012 , AnOECD Scoreboard , Paris .

Pellerin , R. and Perrier , N. ( 2019 ), “ A review of methods, techniques and tools for project planning and control ”, International Journal of Production Research , Vol. 57 No. 7 , pp. 2160 - 2178 .

Pereira , L. , Tenera , A. , Bispo , J. and Wemans , J. ( 2015 ), “ A risk diagnosing methodology web-based platform for micro, small and medium businesses: remarks and enhancements ”, Communications in Computer and Information Science , Vol. 454 , pp. 340 - 356 .

PMI ( 2017 ), A Guide to Project Management Body of Knowledge: PMBoK Guide , 6th ed. , Project Management Institute , Newtown Square, PA .

Portman , H. ( 2009 ), PRINCE2™ in Practice , Van Haren Publishing , s-Hertogenbosch, NL .

Pritchard , C.L. and PMP , P.R. ( 2014 ), Risk Management: Concepts and Guidance , Auerbach Publications , Boca Raton, FL .

Qazi , A. , Quigley , J. , Dickson , A. and Kirytopoulos , K. ( 2016 ), “ Project complexity and risk management (ProCRiM): towards modelling project complexity driven risk paths in construction projects ”, International Journal of Project Management , Vol. 34 No. 7 , pp. 1183 - 1198 .

Raz , T. and Michael , E. ( 2001 ), “ Use and benefits of tools for project risk management ”, International Journal of Project mMnagement , Vol. 19 No. 1 , pp. 9 - 17 .

Rodney , E. , Ducq , Y. , Breysse , D. and Ledoux , Y. ( 2015 ), “ An integrated management approach of the project and project risks ”, IFAC-PapersOnLine , Vol. 48 No. 3 , pp. 535 - 540 .

Rostami , A. , Sommerville , J. , Wong , I.L. and Lee , C. ( 2015 ), “ Risk management implementation in small and medium enterprises in the UK construction industry ”, Engineering, Construction and Architectural Management , Vol. 22 No. 1 , pp. 91 - 107 .

Sanchez-Cazorla , A. , Alfalla-Luque , R. and Irimia-Dieguez , A.I. ( 2016 ), “ Risk identification in megaprojects as a crucial phase of risk management: a literature review ”, Project Management Journal , Vol. 47 No. 6 , pp. 75 - 93 .

Sharif , A.M. , Basri , S. and Ali , H.O. ( 2013 ), “ A study on SME software development background and risk assessment implementation in Malaysia ”, World Applied Sciences Journal , Vol. 26 No. 12 , pp. 1637 - 1642 .

Sharif , A.M. and Rozan , M.Z.A. ( 2010 ), “ Design and implementation of project time management risk assessment tool for SME projects using oracle application express ”, World Academy of Science, Engineering, and Technology (WASET) , Vol. 65 , pp. 1221 - 1226 .

Taherdoost , H. , Keshavarzsaleh , A. and Wang , C. ( 2016 ), “ A retrospective critic re-debate on stakeholders' resistance checklist in software project management within multi-cultural, multi-ethnical and cosmopolitan society context: the Malaysian experience ”, Cogent Business and Management , Vol. 3 No. 1 , 1151116 .

Tang , L.C.M. , Leung , A.Y.T. and Wong , C.W.Y. ( 2009 ), “ Entropic risk analysis by a high level decision support system for construction SMEs ”, Journal of Computing in Civil Engineering , Vol. 24 No. 1 , pp. 81 - 94 .

Teller , J. and Kock , A. ( 2013 ), “ An empirical investigation on how portfolio risk management influences project portfolio success ”, International Journal of Project Management , Vol. 31 No. 6 , pp. 817 - 829 .

Tong , A. , Sainsbury , P. and Craig , J. ( 2007 ), “ Consolidated criteria for reporting qualitative research (COREQ): a 32-item checklist for interviews and focus groups ”, International Journal for Quality in Health Care , Vol. 19 No. 6 , pp. 349 - 357 .

TSO ( 2009 ), Directing Successful Projects with Prince 2 , The Stationery Office , Norwick .

Tupa , J. , Simota , J. and Steiner , F. ( 2017 ), “ Aspects of risk management implementation for industry 4.0 ”, Procedia Manufacturing , Vol. 11 , pp. 1223 - 1230 .

Turner , R. , Ledwith , A. and Kelly , J. ( 2010 ), “ Project management in small to medium-sized enterprises: matching processes to the nature of the firm ”, International Journal of Project Management , Vol. 28 No. 8 , pp. 744 - 755 .

Vacík , E. , Špaček , M. , Fotr , J. and Kracík , L. ( 2018 ), “ Project portfolio optimization as a part of strategy implementation process in small and medium-sized enterprises ”, Economics and Management , Vol. 21 No. 3 , pp. 107 - 123 .

Voss , C. , Tsikriktsis , N. and Frohlich , M. ( 2002 ), “ Case research in operations management ”, International Journal of Operations and Production Management , Vol. 22 No. 2 , pp. 195 - 219 .

Willumsen , P. , Oehmen , J. , Stingl , V. and Geraldi , J. ( 2019 ), “ Value creation through project risk management ”, International Journal of Project Management , Vol. 37 No. 5 , pp. 731 - 749 .

Xia , N. , Zou , P. , Griffin , M.A. , Wang , X. and Zhong , R. ( 2018 ), “ Towards integrating construction risk management and stakeholder management: a systematic literature review and future research agendas ”, International Journal of Project Management , Vol. 36 No. 5 , pp. 701 - 715 .

Yin ( 2009 ), Case Study Research: Design and Methods , 4th ed. , Sage , Thousand Oaks, California .

Acknowledgements

This work was supported by the University of Padova under Grant VERB_SID19_01.

Corresponding author

Related articles, we’re listening — tell us what you think, something didn’t work….

Report bugs here

All feedback is valuable

Please share your general feedback

Join us on our journey

Platform update page.

Visit emeraldpublishing.com/platformupdate to discover the latest news and updates

Questions & More Information

Answers to the most commonly asked questions here

The CEO’s risk agenda: An insurance perspective

Adapting to a fast-changing risk landscape has become a priority for most organizations, a necessity made more evident by the global pandemic and recent geopolitical events. At the same time, chief executives are under more pressure than ever to reconcile agendas from multiple stakeholders affecting their organization. The convergence of these two trends means that CEOs need to take an increasingly active, innovative role in shaping their organizations’ approach to risk, playing both offense and defense.

About the authors

This article is a collaborative effort by Erwann Michel-Kerjan , Fritz Nauck , Lorenzo Serino, Kurt Strovink , and Cameron Talischi, representing views from McKinsey’s Insurance and Risk & Resilience Practices.

Experience shows that organizations that create strategic distance from their competitors have elevated their risk agenda and share some common traits in that regard. They anticipate and manage risks effectively as a core element of their customer value proposition while maintaining their entrepreneurial spirit and making bold moves. These types of organizations have greater alignment on strategic trade-offs and transparency on how much risk capacity they have and where to best deploy it. They have a strong risk culture and, when shocks occur, pivot quickly and reinvent themselves decisively. And because of the significance of the many underlying decisions, chief executives need to take charge. CEOs who elevate their role as the ultimate risk decision makers and partner with the executive team (especially business leaders, chief risk officers, chief compliance officers, and chief financial officers) are better able to leverage modern risk management.

While the elevation of the risk agenda has been ongoing, it has recently picked up speed, as major international events demonstrate. In 2000, for example, just a dozen sessions (of nearly 250) of the annual meeting of the World Economic Forum in Davos focused explicitly on risk. Today, nearly half typically focus on how to manage a wide spectrum of risks and build resilience. Or consider the boardroom dynamic, which affects the CEO agenda. According to the latest McKinsey Board Survey, which includes more than 1,000 directors globally, risk management ranks as one of the five top priorities for boards in 2022. As more directors become acutely aware of their fiduciary responsibility in a changing risk environment, they need to better understand the new risk agenda themselves and demand more from the management team on this front.

For many organizations, the pressure is compounded by the rising expectations of the media, regulators, investors, customers, employees, and society at large. Firms are more frequently expected to take a stance on a range of public issues that may be politically charged—such as social and racial justice, economic inequality, and climate change. There is also increased scrutiny and amplification of incidents that could subsequently create significant reputational risks and represent career turning points for chief executives.

We believe that a CEO’s risk agenda should include four key dimensions (exhibit):

• Ensure that the organization has robust risk management capabilities appropriate to its size, complexity, and aspiration.
• Orchestrate alignment on strategic trade-offs to capture the upside while protecting the downside for the top risks, supported by a clear risk appetite.
• Promote and role model a risk-aware culture that supports entrepreneurship and a growth mindset while protecting the organization.
• Lean in personally in high-stakes risk-related decisions for which the company has not yet developed fully mature capabilities.

In this article, we focus on each of the dimensions that can help CEOs rise to the challenge. To make it specific, we focus on insurance as a concrete case, an industry that is at the heart of both taking risk and helping others protect against risks. Our perspectives are informed by discussions with insurance CEOs, chief risk officers (CROs), and other executives and stakeholders around the world.

Ensure that the organization has robust risk management capabilities

Since the global financial crisis of 2008, many sophisticated insurance companies have built stronger risk capabilities across three lines of defense: business and corporate functions in the first line, risk and compliance in the second line, and internal audit in the third. But there is a wide spectrum of maturity across insurers and financial services more broadly. It is the CEO’s role to continuously elevate that risk maturity to the appropriate level for the size and complexity of the institution.

What does risk management maturity look like? Processes and governance structures ensure that key risk decisions are appropriately evaluated and, when needed, escalated and challenged. Risks are owned by the business, but the right checks and balances provide the necessary guardrails and challenges without preventing agile decision making. The risk functions understand sources of value creation and translate technical risk concepts into novel insights that are useful to the business. There is a clear sense of priorities and direction, given the multiplicity of sometimes conflicting capital constraints (GAAP, STAT, economic capital regulatory requirement, etcetera). Systems and advanced analytics provide support and insights to monitor financial and nonfinancial or operational risk positions across business units, functions, and geographies and at the enterprise level. Risk capacity is measured transparently and allocated strategically. Talent is hired and trained to provide expertise on well-known and emerging risks; internal as well as external sources of insights are leveraged for business decisions.

Once an organization reaches risk management maturity, its CEO can rely on solid day-to-day practices. As one chief executive put it, “My job is to ensure that we collectively reach such a maturity by allocating adequate budget, hiring the required talent internally and externally, structuring the right operating model across lines of defense, and supporting adequate board-level governance. I also set the tone on our overall enterprise-level risk appetite.”

Managing high-stake risks: A checklist for CEOs

Five concrete actions will help CEOs define and execute their own risk agenda. In our experience, these actions can show value within a year.

• Perform a comprehensive review of the foundational risk capabilities and risk governance across the firm every two years. This is as useful for newly appointed CEOs as it is for those who are tenured in the role. Invite independent insights to get a fresh perspective, and start by focusing on the five business processes that create most of the value for the organization and on forward-looking risks.
• Optimize resources. Reallocate resources from risks that have become less important but still consume a high level of resources or create decision paralysis, as well as from activities that could be automated. Fill gaps in risk talent and seniority, streamline controls where possible, and challenge bureaucracies that impair sound risk-taking (such as through risk-based prioritization or use of advanced analytics).
• Engage your board, chief risk officer (CRO), CFO, and business leaders in substantive discussions about risk appetite. What bold moves do we want to make? Are we equipped to make those moves? How do we manage the associated risks to give us confidence to move forward? Get transparency into your current risk capacity and reallocate it across the enterprise as needed.
• Role model the risk culture. Articulate why a strong risk culture matters to successful growth, and measure it over time. The culture that served the organization in its initial success could create the conditions for large risk events to go undetected. If company leadership believes the next disruptive event will somehow be similar to the last one, they are likely to be continuously ill prepared, as has been proven again and again. 1 Erwann Michel-Kerjan and Paul Slovic (eds), The Irrational Economist: Making Decisions in a Dangerous World , first edition, New York, NY: Public Affairs, 2009. Perform systematic root cause analysis for all critical events or near misses, then share it widely to give all employees the chance to learn and improve.
• Maintain a focus on balanced risk-taking as a source of sustainable profitable growth. Align with the board and with the executive team on high-stakes strategic trade-offs. The chief executive has an orchestration role to play here. This alignment helps promote transparency, shared responsibility, and trust—the ultimate currency when a crisis occurs.

For a CEO, knowing where the organization stands across these dimensions, how it compares with best-in-class institutions, and how to improve along this journey is critical (see sidebar, “Managing high-stake risks: A checklist for CEOs”).

Orchestrate alignment on strategic trade-offs

In today’s rapidly changing environment, organizations need to be able to play offense and defense at the same time. This is the core of a modern strategy that incorporates a thoughtful amount of controlled risk-taking to enable sustainable returns. Typically, the role of the CEO is particularly important in this space. For risks where the upside and downside are sizable and interconnected, no single executive other than the CEO is in a position to balance all aspects and trade-offs. CROs and chief compliance officers (CCOs) would naturally be in the best position to manage the downside, while business leaders would more naturally take actions to capture the upside opportunities.

Consider a few examples. Being bold can mean deciding to enter or expand in foreign markets. Some markets present significant opportunities for life and nonlife insurers given the significant insurance gap there. But there is an inherent trade-off, given geopolitical and business risks that have emerged recently. Where to play (home or abroad) and how intense the resource (re-)deployment should be are fundamental and complex questions. Aligning the organization’s stakeholders on choosing one path over another typically requires the CEO’s capacity and final determination.

Or consider climate change and sustainable and inclusive growth. Insurance companies, either through their asset management strategy or their underwriting portfolio choices, are inherently involved with those that are contributing to anthropogenic climate risk as well as with those who suffer from it. We believe this is a true moment for insurers globally. They can either accelerate or hinder progress toward the green transition. We also foresee more frequent extreme events leading to massive risk redistribution, demand for innovative products, and questions about who should ultimately pay for climate catastrophes in both mature and emerging markets.

Our most recent research suggests that the climate change transition will create massive capital redeployment. Capital spending on physical assets for energy and land-use systems in the net-zero transition between 2021 and 2050 will amount to about $275 trillion, or $9.2 trillion per year on average—an annual increase of $3.5 trillion from today. Insurance companies and their CEOs must judiciously consider the higher-level trade-offs and meaningfully engage internal and external stakeholders to clearly articulate the near- and long-term position. This becomes an even more important dimension as more regulators around the world ask for detailed climate risk disclosure for public companies that is reliable, auditable, and comprehensive (including the 2022 proposed SEC rule in the United States). At the same time, a holistic impact strategy that correctly incorporates climate transition trends is likely to be a key source of material advantage for a long time to come. Such a strategy could focus on new products for property and casualty (P&C) insurance, for example, or investment portfolios for all insurance carriers. It should factor in both physical trends, such as changing hazards, and the likely influence of customers, regulators, and investors on future states.

Climate transition brings meaningful upside opportunities, because investment in greener technology is expected to lead to the emergence of new and growing sectors (including those focused on energy generation, storage, green transportation, and construction) that require insurance protection to succeed. Many of these nascent sectors are unable to secure favorable funding (for example, through debt) due to limited insurance capacity today. How much risk capacity to allocate and who to partner with are CEO-level decisions.

Finally, insurance carriers face societal pressure to keep rates affordable for small businesses and individual consumers, especially in economically challenged communities, even if that means that the insurance premiums would no longer reflect the true risk exposure. This pressure challenges market viability without government intervention, as experience shows in several US coastal states and several European countries. Insurance affordability issues are likely to be elevated further as risk continues to increase. These issues often thrust the CEO into the public arena, so CEO-level alignment is needed here as well.

Promote a risk-aware culture that supports entrepreneurship

A strong risk culture is becoming table stakes in the value proposition of many companies. Customers and employees expect it. An important challenge for risk-mature organizations is how to ensure a strong entrepreneurial drive while promoting robust risk awareness and accountability. Especially among large financial institutions, the noble objective of building strong risk capabilities sometimes drifts into the creation of an oversize and inefficient bureaucracy of redundant controls. “We really need to take a step back and cleansheet,” a senior insurance executive recently told us. “Where do we truly need to allocate our risk management capacity moving forward? How do we link this to where the value is created, versus adding layers after layers of controls?”

By elevating the importance of risk culture in the business and by adopting a risk lens for all key business processes, organizations can create a more efficient and cost-effective operating model in the second and third lines. In these instances, CEOs should set the right tone from the top across several dimensions. Concrete actions include encouraging regular, open, fact-based discussions about risk at the senior-management level. CEOs should also involve the risk function as a thought partner from the very beginning on topics such as strategy, new products, market expansion, distribution channels, technology, and even customer experience and advanced-analytics transformation.

For example, most insurance companies are currently pursuing investments in advanced data and analytics capabilities to improve pricing and claim management. Machine learning models and third-party data can unlock significant value for insurers and their customers as they provide new and deeper insights and enable automation of tasks previously done manually and prone to error.

In some cases, however, the use of such advanced models and external data can lead to financial, regulatory, and reputational risks. Take underwriting models in life insurance. They can enable seamless customer experience (for example, through real-time decisions on applications), but they can contain and mask biases against minorities and underrepresented groups even if racial and demographic data are excluded from the models. Appropriate response and guidance from risk practitioners (from risk, model validation, compliance, and legal functions) can help mitigate these risks upfront without stifling further exploration and innovation. However, the organization’s risk culture often needs to evolve to be able to understand, assess, and appropriately manage these types of risks from inception.

CEOs must also make it clear that risk management is the responsibility of the entire organization, not just those individuals with the word “risk” in their title. Good practices include simulation exercises, stress testing with a wider spectrum of scenarios, and even inclusion of risk management consideration in employee compensation and annual review. As our colleagues Carolyn Dewar, Scott Keller, and Vikram Malhotra demonstrate in their recent book, which analyzes the best-performing CEOs, “regular stress-testing can reveal opportunities to make a business more resilient. It can lead to divesting underperforming businesses, cutting excess costs, doubling down in high-growth geographies, enhancing the M&A plan, and improving the effectiveness of the top team.” 1 Carolyn Dewar, Scott Keller, and Vikram Malhotra, The CEO Excellence: The Six Mindsets That Distinguish the Best Leaders from the Rest , first edition, New York City, NY: Scribner, 2022. What many of these high-performing executives have in common is that they always analyze the potential downside risks of bold moves and how to prevent them, so they avoid surprises down the road.

CEOs must make it clear that risk management is the responsibility of the entire organization, not just those individuals with the word “risk” in their title.

CEOs should regularly measure their organization’s risk culture too. Many tools are available to conduct risk culture diagnostics. Such an exercise can help CEOs develop an understanding of how each part of the organization integrates risk considerations into the way it works, allowing CEOs to prioritize risk efforts organizationally.

Lean in personally in high-stakes risk-related decisions

Not all risks should reach the CEO’s office. When the core is working well and a culture of risk management supports entrepreneurship across the organization, CEOs can focus on a select number of high-stakes decisions related to risk. A simple but effective way to identify these decisions is to consider two dimensions: low-to-high risk materiality and low-to-high maturity of the organization to manage that risk.

A given risk’s position along these two dimensions will differ across organizations, even among businesses in the same company and over time. In general, financial risks are certainly material for insurance companies, but in most cases, they are handled well by existing processes. In contrast, the immediate management of some nonfinancial risks (including conduct, model errors, third-party risk, and operational resilience) and emerging risks—such as cyberrisk, climate risk, crypto, pandemics, and geopolitics—is likely beyond the existing core risk management capabilities of many insurance carriers. CEOs need to focus their attention on material risks in areas where their organizations lack sufficient maturity. This is especially true of high-velocity, high-ambiguity situations and situations with the potential to significantly affect the reputation of the firm.

High velocity, high ambiguity

A prime example of this is the deadly COVID-19 pandemic, which also caused a rapid pace of change (weeks versus years) to customer and employee behaviors, possibly on a permanent basis . To be clear, the test is not whether organizations were able to move all their employees to remote work in just a few weeks back in 2020; virtually all organizations globally did it. We believe a longer-term test is yet to come. CEOs will need to address important questions about how to adjust to new modes of customer interactions that have resulted from accelerated digitalization at scale and how to confront the risks of not doing it right and in a timely way. They have to consider the implications of changing the mix of products and distribution channels versus favoring the status quo. We also see an innovative redesign of the employee working model to retain talent.

CEOs will need to address important questions about how to adjust to new modes of customer interactions that have resulted from accelerated digitalization at scale and how to confront the risks of not doing it right and in a timely way.

Cyberthreat is another risk that has escalated to the agenda of the CEO, because cyber missteps can have a significant business impact beyond operational losses. Today, trusted digital experience is an integral part of any winning customer value proposition: customers (whether B2B or B2C) expect a flawless experience and heightened security. To achieve this, businesses often impose security standards on all third-party vendors, as the US Department of Defense recently established through the Cybersecurity Maturity Model Certification (CMMC) program. CMMC mandates new cybersecurity requirements for all companies that are part of the vast defense industrial base.

What’s more, cyberrisk is rapidly changing by nature. For example, many hacker groups have expanded their ransomware targets to include personal customer data, IP, payroll information, system codes, and other elements that are important to businesses. As a result, hacked organizations are more willing to pay to restore private access to their own data and normal operations. In fact, media mentions of ransomware attacks on financial services firms have gone up 900 percent in the past six to eight years.

Organizations should also consider the impact of nontechnical attacks on systems. What would happen if hackers used misinformation to create a false story that went viral about a publicly traded organization, which in turn quickly drove down the stock, allowing the hackers to make money on selling short? On all of these topics, it often takes the CEO’s influence to move from a purely technical discussion on cyber to an understanding of the vulnerabilities along the value creation chain and how it can be disrupted.

Firm reputation

Navigating an organization’s diverse stakeholders is also ambiguous in nature. Customers and employees require companies to have a clear purpose beyond shareholder value maximization and increasingly demand absolute integrity from their executives. What’s more, CEOs are expected to take public positions on a growing number of issues. Some relate closely to the business, while others are more societal and often beyond the scope of the company or the industry. Not all of these issues are controversial, but every case requires the direct involvement of the CEO, who represents the company and faces public scrutiny. This is where clearly defined purpose and values matter most; those provide a solid guidepost to the chief executive regarding which topics to take a public stand on and when it is better not to.

As the world continues to transform at a rapid pace, the CEO’s new risk agenda will be complex and ambiguous but also exciting. By elevating their role as the ultimate risk decision maker, CEOs will expect more from their management team (including the CRO) in shaping and executing the strategy, and they will make better investments in modern risk management solutions. Ultimately, this shift creates a more resilient foundation for the business to thrive. It increases transparency into the risks the organization is taking to remain ahead—and into those it should take. When it is done well, customers are better served too.

Erwann Michel-Kerjan is a partner in McKinsey’s Philadelphia office; Fritz Nauck is a senior partner in the Charlotte office; Lorenzo Serino is a partner in the New York office, where Kurt Strovink is a senior partner; and Cameron Talischi is a partner in the Chicago office.

The authors wish to thank Tucker Bailey, Stephan Binder, Kevin Buehler, Tanguy Catlin, Kweilin Ellingrud, Celia Huber, Scott Keller, Bernhard Kotanko, Chris Leech, Vikram Malhotra, Brad Mendelson, Pradip Patiath, and Nina Spielmann for their contributions to this article.

Explore a career with us

Related articles.

Creating value, finding focus: Global Insurance Report 2022

Five steps to improve innovation in the insurance industry

Insurance: Transforming risk and compliance

Health & Environmental Research Online (HERO)

• Learn about HERO
• Search HERO
• Projects in HERO
• Risk Assessment
• Transparency & Integrity

• Strategic Project Management

The program is supported by a distinguished faculty composed of highly qualified and passionate experts in their respective fields of knowledge. Our professors bring extensive experience from both the academic and practical domains, enabling them to deliver dynamic and relevant classes to our students.

Each of our professors is committed not only to academic excellence but also to the personal and professional development of the students. Moreover, the faculty keeps abreast of the latest trends and advancements in their field, ensuring that students acquire the most relevant and up-to-date knowledge and skills to tackle the challenges of the modern world.

Academic Directors of IE's Strategic Project Management

Antonio is known as the world’s leading champion of project management and strategy implementation. Alongside his full-time role at GSK, where he is currently Director of the Sustainability Transformation Program—and previously Director of their global Project Management Office—he is also the former Chair of the Project Management Institute. Born in Spain and having lived around the world, he was previously a Senior Executive for Fortis Bank, responsible for their integration with BNP Paribas and ABN AMRO. He received a Global Award from Thinkers50 for Ideas into Practice, and his books include The Focused Organisation and Harvard’s Project Management Handbook .

ANTONIO NIETO-RODRÍGUEZ

“We are seeing a revolution in organizations and a shift from functions to projects. Today, in a world of relentless change, everyone is a project manager.”

Juan Manuel Domínguez Ortega, Managing Partner at SD Group, specializes in guiding business managers through strategy, planning and execution. With over two decades of experience, Juan Manuel has participated in the development and implementation of business strategies across diverse sectors since 2002.

He serves as President of APGP (Association of Professional Project Managers), advocating for the recognition of project management's value. Additionally, he contributes to national and international Project Management committees, including UNE and ISO, playing a pivotal role in shaping industry standards. He was accredited as a national expert for ISO International 21500 WG10, the overarching standard for project management, and other duties in ISO as national expert. He has been linked to PM2, the project management methodology of the European Commission, from its public release and participated in the official translation of the guide into Spanish. He frequently participates in the translation of other standards and methodologies into Spanish.

Beyond his professional commitments, Juan Manuel serves as a Board Member of the CIP Institute, facilitating knowledge exchange in risk and crisis management. He earned his MBA from IE Business School and holds accreditations including Project Management Professional (PMP®), PM2 Advanced Certificate, Lead Auditor in Business Continuity Management (ISO 22301), and EFQM Evaluator.

JUAN MANUEL DOMÍNGUEZ

President APGP (Association of Professional Project Managers)

Academic Director, Strategic Project Management for Business Leaders

This is a potential security issue, you are being redirected to https://csrc.nist.gov .

You have JavaScript disabled. This site requires JavaScript to be enabled for complete site functionality.

An official website of the United States government

Here’s how you know

Official websites use .gov A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS A lock ( Lock Locked padlock icon ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-229

Fiscal year 2023 cybersecurity and privacy annual report.

    Documentation     Topics

Date Published: May 2024

Send inquiries about this publication to [email protected] .

Patrick O'Reilly (NIST) , Kristina Rigopoulos (NIST)

During Fiscal Year 2023 (FY 2023) – from October 1, 2022, through September 30, 2023 –the NIST Information Technology Laboratory (ITL) Cybersecurity and Privacy Program successfully responded to numerous challenges and opportunities in security and privacy. This Annual Report highlights the FY 2023 research activities for the ITL Cybersecurity and Privacy Program, including the ongoing participation and development of international standards; research and practical applications in several key priority areas (e.g., Post Quantum Cryptography, updating the NIST Cybersecurity Framework (CSF 2.0) and some new CSF profiles); accomplishments in the area of improving software and supply chain cybersecurity; IoT cybersecurity guidelines work; National Cybersecurity Center of Excellence (NCCoE) projects, and setting up a new comment site for NIST’s Risk Management Framework work; release of a Phish scale; progress in the Identity and Access Management program; Strategic and Emerging Research Initiatives (SERI) for autonomous vehicles.

Control Families

None selected

Documentation

Publication: https://doi.org/10.6028/NIST.SP.800-229 Download URL

Supplemental Material: None available

Related NIST Publications: SP 800-225

Document History: 05/20/24: SP 800-229 (Final)

general security & privacy

annual reports

A .gov website belongs to an official government organization in the United States.

A lock ( ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

• Physical Activity in Daily Life
• About Physical Activity
• Increasing Physical Activity
• Built Environment Assessment Tool Manual
• Data & Statistics for Physical Activity
• Reports and Featured Research
• Community Design Examples
• Physical Activity Fact Sheets and Infographics
• Guidelines and Recommended Strategies

Community Design Resources

• Community Design Definitions

Military Readiness

• Stairwell Ideas
• Community Design Visual Guide
• Physical activity is one of the best things people can do to improve their health.
• Physical activity is vital for healthy aging. It can help reduce the chances of getting some chronic diseases and prevent early deaths.
• CDC works with state and local organizations to increase physical activity.

Why it matters

Active people generally live longer and are at less risk for serious health problems such as heart disease, type 2 diabetes, obesity, and some cancers. For people with chronic diseases, physical activity can help manage these conditions and complications.

About one in two adults lives with a chronic disease. Of adults with chronic diseases, about half have two or more.

Only one in four U.S. adults fully meet the physical activity guidelines for aerobic and muscle-strengthening activity. Getting enough physical activity could prevent:

• 1 in 10 premature deaths
• 1 in 8 cases of breast cancer
• 1 in 12 cases of diabetes
• 1 in 15 cases of heart disease

See health benefits for:

• Older Adults

Community benefits

Building active and walkable communities can help economically. It can also improve safety, result in the workforce taking fewer sick days, and promote social interactions.

Health care costs

$117 billion in annual health care costs are associated with inadequate physical activity.

Military readiness

Only 2 in 5 young adults are weight-eligible and physically prepared for basic training. "Long-term military readiness is at risk unless a large-scale change in physical activity and nutrition takes place in America," said Allen Peck, Lieutenant General, U.S. Air Force (Retired).

What CDC is doing

CDC's Division of Nutrition, Physical Activity, and Obesity partners with national groups, states, and communities to advance the following priorities:

Active People, Healthy Nation S M is a CDC initiative to help 27 million Americans become more physically active by 2027. To reach this goal, CDC works with states and communities to carry out evidence-based strategies to increase physical activity.

CDC's Division of Nutrition, Physical Activity, and Obesity (DNPAO) works with three state and local programs to increase access to places for physical activity for all people:

• State Physical Activity and Nutrition (SPAN)
• High Obesity Program (HOP)
• Racial and Ethnic Approaches to Community Health (REACH)

We also fund the Physical Activity Policy Research and Evaluation Network (PAPREN). The network works across sectors to advance the evidence base for physical activity policies. It also puts research into practice with a shared vision: active people in active communities, supported by equitable, sustainable policies and practices.

We encourage state and local organizations to use community design to connect pedestrian, bicycle, or transit transportation networks (called activity-friendly routes) to everyday destinations.

We also partner with states to implement policies and practices that improve physical activity in early care and education settings.

CDC is assessing progress toward the Active People, Healthy Nation goal by measuring:

• Physical activity levels
• Community design
• Champions' support

Physical Activity Basics

What You Can Do to Meet Physical Activity Recommendations

Physical Activity and Your Weight

Benefits of Physical Activity

Active People, Healthy Nation℠

Moving Matters for My Health

Public Health Strategies for Increasing Physical Activity

National Physical Activity Plan

Physical Activity Guidelines for Americans , 2 nd Edition

Step it Up! The Surgeon General's Call to Action to Promote Walking and Walkable Communities

Physical Activity

Physical activity is vital throughout life. See strategies, data, and resources to increase physical activity in states and communities.

For Everyone

Public health.