Project Risk Governance in Context


Project risk governance does not operate in isolation but is impacted by the context in which it is applied. Contextual factors can either facilitate or impede the implementation of PRG and organisations therefore desire to maximise the former and minimise the latter. Factors are wide-ranging and can be found both externally and internally to the organisation. In this chapter they are recognised as professional associations that mentor project management practice, the principles of risk management standards, factors that determine project success, human resources management for projects, and change management. Each of them has relevance to PRG. Finally, the impact on PRG of the emerging influence of the soft paradigm in project management is recognised.

Professional Associations

Professional associations have become attractive to project managers because they reflect a degree of 'professionalism' and offer certification programmes to indicate a certain level of competence of the holder. Memberships have increased dramatically over the past two decades, with the US Project Management Institute (PMI) recording 210,000 members as at March 2006 (Morris et al. 2006).


A current debate is whether or not project management can be regarded as a profession, on a par, for example, with law and medicine. To form an opinion, project management's origin and traits should be examined. The practice of project management first attracted wider attention in the late 1960s when project managers met informally at conferences and seminars to exchange information on topics of mutual interest (Morris et al. 2006). This was followed in the mid-1970s by the formation of the US PMI and subsequently by the UK Academy for Project Management (APM). It can be concluded that project management lacks history in its origin, unlike law and medicine, which have been practised for centuries.

A further criterion of professionalism is 'legitimacy by reference to its contribution to the public good, to an ideal of social service, or by adherence to an overarching ethical code' (Morris et al. 2006: 711). A profession should be clearly recognised as playing an important role in society, and its services should be in demand. This is the case with law for those seeking to settle a dispute and medicine for those seeking a remedy for a malaise. Project management is not conducted in the public forum. It delivers projects with technical and managerial competence in a wide range of activities. Unlike the legal and medical professions, the product or service to be delivered (i.e. the project) is defined by negotiation between two parties (developer and client).

Then there is the notion of autonomy and authority. This applies only to a handful of occupations (Morris et al. 2006). An example is achieving Royal Charter status in the UK, which law and medicine have but the APM has not. The latter have stringent requirements for meeting entry standards, such as requiring a university qualification and serving a period of time under a supervising practitioner. The conditions of practice imposed on their members, contained in a code of conduct and enforced by a licensing body, are far more stringent than those of current project management associations.

Because of its business approach, project management has at times been termed a 'commercialised profession' (Morris et al. 2006). However, the development of project management Bodies of Knowledge (BOKs) is lending credibility to project management associations as emerging professional bodies. BOKs are developed by leading experts in the field, are open for comment and are regularly reviewed and updated. Project management can therefore be seen as evolving into a 'semi-profession' (Morris et al. 2006).


There are three formal project management Bodies of Knowledge (Morris et al. 2006). The first was established by the American PMI in the 1980s and followed by the UK APM BOK and the Japanese ENAA (Engineering Advanced Association of Japan) and JPMF (Japanese Project Management Forum). Coverage of project management in their BOKs has similarities, but 'the conceptual depth - the scope - of each of these three ... increases as one goes from PMI's PMBOK® Guide to APM BOK and then to the Japanese BOK, P2M. The latter two, the APM BOK and P2M, are much broader in conceptual breadth and scope than the PMBOK® Guide' (Morris et al. 2006: 712).

BOKs play a significant role in the certification process since they lay out the knowledge that is required to gain recognition within the profession. Certification is keenly sought because it signifies that the holder has reached a certain status which is recognised by others in the field. It compensates for the shortage of alternative qualifications, in particular those awarded by universities, as is the case with recognised professions. It is also seen to act as a barrier to entry and to promote the value of practising project managers to industry and commerce. While certification demonstrates that the holder has mastered the required knowledge, it does not guarantee performance in successfully completing a project.

BOKs have attracted criticism as being too mechanistic in their recommended approaches for a world where projects have a wide range of characteristics. Their apparent emphasis on control is 'more suited to achieving security of execution rather than the shaping of effective solutions' (Morris et al. 2006: 718). They provide management with possibly a false sense of confidence that following guidelines will automatically lead to project success. There are other aspects of knowledge related to professional 'doing' to be considered: know-what, know-how, know-why and care-why. 'Know-what' is knowledge acquired in classrooms about content. This is supplemented by procedural knowledge gained in practice to acquire 'know-how'. With experience, a broader understanding is gained as to the 'know-why'. Finally, the commitment to the profession brings about 'care-why' knowledge.

Morris et al. (2006: 718) summarised the current situation well:

The challenge for the professional associations in establishing their Bodies of Knowledge is to set out the jurisdiction for project management without implying that there is 'one best way' to manage regardless of context and contingency; and to promote and disseminate this knowledge in a manner which allows intelligent and reflexive practitioners to use their professional discretion to choose how to relate to and engage the principles, concepts, models, and techniques it contains.

Relevance of Professional Associations to Project Risk Governance

Publications such as PMBOK® (Project Management Institute 2008) are attempts to codify professional knowledge about project management practice in what appears to be a logical and pragmatic manner. At the project level the logical approach, defined as 'the study of ideal method in thought and research' (Childress 1962: 321), is relevant to risk management because it lends itself to planning and control (see Chapter 8). At the governance level, the approach may be less suitable because of the diversity in which projects are integrated into business activities. This may explain why professional guidelines are lacking in their coverage of governance, including PRG.

Certificates in project risk management do not appear to require knowledge of PRG. In the APM's Project Risk Management Single Subject Certificate Syllabus Levels 1&2 - 4th Edition, knowledge in project management is extended to risk management. Level 2 is the advanced stage and is designed 'to allow an individual to undertake formal project risk management'. Its syllabus recognises the 'hard' and 'soft' benefits of project risk management and risk as a threat and opportunity. It also acknowledges the human factor in risk management. However, it does not address governance activities that manage project risk in a strategic manner by aligning it with corporate strategy.

Risk Management Standards

Risk management guides and standards have been developed at national (for example in Australia/New Zealand, Canada, Japan, UK) and international levels - for example through the International Organization for Standardization (ISO). The former were criticised for being too narrow, representing the views of a specific group, and lacked universal acceptance. Among the latter are ISO 31000 and COSO Enterprise Risk Management, both aiming to provide a generic approach to risk management that is recognised globally.

ISO 31000:2009

ISO 31000, Risk Management - Principles and Guidelines, was published in November 2009 by the International Organization for Standardization and was 'designed for a wide range of risk management practitioners, experienced or novice, and those responsible for risk management oversight interested in benchmarking their risk management organization and practices against a recognised international reference' (Dali and Lajtha 2012: 1).

As such, it supplements or replaces independent national risk management standards, such as the Australian/New Zealand AS/NZS 4360:2004, and represents a form of international consensus on risk management.

ISO 31000 is a family of standards (see Moody 2010) consisting of:

• ISO 31000 Risk Management - Principles and Guidelines. This is the primary document and provides a three-pillar architecture of principles for managing risk, framework for managing risk and process for managing risk.

° Principles. These emphasise managing risk in business processes and in the context of creating value and making risk part of decision-making.

° Framework. To ensure that risk management is embedded in all levels of business activity, there must be a commitment from the board and senior management to its implementation, review and continuous improvement.

° Process. Risk is managed through communication and consultation, establishing context, risk assessment, risk treatment, and monitoring and review. The processes should be tailored and interwoven into the organisation's practices and culture.

• ISO 31010 Risk Management - Risk Assessment Techniques. This provides assistance on the selection and application of systematic techniques for risk assessment.

• ISO Guide 73 Risk Management Vocabulary. This defines generic terms to encourage mutual and consistent understanding of topics related to risk management.

Dali and Lajtha (2012) highlighted a number of positive features of ISO 31000. It should not be regarded as a standard but as a guideline. The former is often associated with certification, while the latter is not. The most appropriate description of ISO 31000 is that of a 'Guidance Standard'. As a generic reference, it is not intended to be prescriptive and compliance oriented, but to encourage voluntary application. ISO 31000 'does not pretend to impose best practices but rather to harmonize principles, framework, and processes' (Dali and Lajtha 2012: 5). Within an organisation it can be a single reference point for judging existing practices and developing best practices on risk assessment and treatment. The framework provides an opportunity to integrate risk management into corporate activities, provided the approach is part of the organisational management system and not a standalone activity. Organisations should guard against 'creeping certification', where standard-setting bodies or vendors exploit ISO 31000 for commercial reasons.

Leitch (2010) offered a more critical assessment of ISO 31000 along the following lines. The terminology used is imprecise and confusing, and at times contradictory. An example is how inadequately 'risk management framework' is defined: as a set of components. This is meaningless to the risk manager. Rigour appears to be lacking in that mathematical terms are avoided. Leitch (2010) referred to the absence of a definition of 'probability', a key concept that needs to be quantified when establishing the existence of risk. No advice is provided on aggregating risks. During the identification of risks and their recording in the risk register, choices exist on how they are split up. The standard gives the impression that risks are naturally occurring phenomena that define themselves. Although explicit recognition is given to managing risks from an enterprise-wide perspective, no specific guidance is provided on how this is done.

Being industry- and business-neutral, ISO 31000 is intended to have a commercial rather than a technical tone. The tension between using business language or technical jargon is demonstrated by the attitude towards compiling the risk register. Business people prefer to keep the content of the register as broad as possible, highlighting a small number of the most important risks and their potential impact on business. They prefer to gain an understanding of the overall risk environment from the identified critical risk items. Technical staff, by contrast, are tempted to go into great detail with a high level of complexity. It would be difficult to form an overall opinion on risk significance with this approach.

COSO Enterprise Risk Management

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its Enterprise Risk Management Framework in 2004. It builds on an earlier COSO framework, released in 1994, titled Internal Control - Integrated Framework, by expanding on its risk assessment components (Scott 2004).

COSO identifies four categories of entity objectives and events that could be impacted by enterprise risks: strategic objectives to achieve high-level goals, the effectiveness and efficiency of the entity's operations, reporting, and compliance with applicable laws and regulations (see Scott 2004). To achieve these four objectives, COSO identifies eight components of Enterprise Risk Management (ERM). Only when all eight components are present and functioning well do they become interrelated and realise the benefits of ERM (see Hermanson 2003).

1. Internal environment. This is regarded as the foundation of ERM since it covers risk management philosophy, risk culture, the board of directors, integrity and ethical values.

2. Objective setting. Establishes the targets for the four entity objectives: strategic, operations, reporting and compliance.

3. Event identification. A list of possible events that could affect the achievement of the four objectives.

4. Risk assessment. This is achieved by considering the likelihood (probability) and impact of possible events.

5. Risk response. Deciding on the strategy of responding to identified risks, viz. risk avoidance, reduction, sharing and acceptance.

6. Control activities. These are policies and procedures that ensure that risk responses are properly executed.

7. Information and communication. Strong communications and information flows to support ERM.

8. Monitoring. Ongoing activities and evaluations instead of periodic assessments.

The overall direction of COSO is reflected in its definition of ERM (Hermanson 2003: 41):

Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of the entity objectives.

From the definition of ERM, Moody (2004) concluded that ERM

• is not one single action or activity, but rather a series of actions;

• consists of processes that are affected by and affect people's actions;

• allows management to consider risks in various alternative strategy settings;

• applies across the enterprise and requires a portfolio view of risks;

• considers risk appetite in pursuit of values;

• provides reasonable assurance towards achieving objectives.

Relevance of Risk Management Standards to Project Risk Governance

There are two ways of perceiving risk management standards: as a monolithic process with a set of techniques, or as a multitude of processes with a range of techniques from which organisations select those that suit them best (Leitch 2010). For early adopters, a standard such as ISO 31000 provides a good starting point for senior management taking on risk management responsibilities. They are encouraged 'to read ISO 31000, which is written in business language, in order to gain an understanding of key risk management concepts and terminology' (Everett 2011: 6). A common culture towards risk management develops within the organisation and greater certainty is obtained that risk is measured and managed consistently.

With increasing maturity, organisations realise that risk is a complex phenomenon and standards can only provide broad frameworks in which to manage risks. Standards give strong recognition to managing risks through enterprise-wide approaches and confirm that project risk processes are part of business processes at all levels. ERM is therefore a governance responsibility of boards and senior management. The standards refer to the responsibilities to provide oversight, give support from the top, assess risks relative to strategy and objectives, and establish and articulate the risk appetite. Agreement on, and compliance with, ERM is the first step to implementing PRG.

Since the release of the original ERM framework, further COSO guidelines have emerged. To assist companies, especially smaller ones, to embark on risk management initiatives with the aim of implementing ERM, COSO issued a report titled Embracing Enterprise Risk Management: Practice Approaches for Getting Started in 2011 (Steinberg 2011). In 2012, COSO published a new guide titled Enterprise Risk Management for Cloud Computing (Jaeger 2012). It leverages the principles of the ERM integrated framework to provide understanding to boards and management about the risks and opportunities of cloud computing.
