
Enterprise Risk Management Case Studies: Heroes and Zeros

By Andy Marker | April 7, 2021

We’ve compiled more than 20 case studies of enterprise risk management programs that illustrate how companies can prevent significant losses yet take risks with more confidence.   

Included on this page, you’ll find case studies and examples by industry, case studies of major risk scenarios (and company responses), and examples of ERM successes and failures.

Enterprise Risk Management Examples and Case Studies

With enterprise risk management (ERM), companies assess potential risks that could derail strategic objectives and implement measures to minimize or avoid those risks. You can analyze examples (or case studies) of enterprise risk management to better understand the concept and how to properly execute it.

The collection of examples and case studies on this page illustrates common risk management scenarios by industry, principle, and degree of success. For a basic overview of enterprise risk management, including major types of risks, how to develop policies, and how to identify key risk indicators (KRIs), read “Enterprise Risk Management 101: Programs, Frameworks, and Advice from Experts.”

Enterprise Risk Management Framework Examples

An enterprise risk management framework is a system by which you assess and mitigate potential risks. The framework varies by industry, but most include roles and responsibilities, a methodology for risk identification, a risk appetite statement, risk prioritization, mitigation strategies, and monitoring and reporting.

To learn more about enterprise risk management and find examples of different frameworks, read our “Ultimate Guide to Enterprise Risk Management.”

Enterprise Risk Management Examples and Case Studies by Industry

Though every firm faces unique risks, those in the same industry often share similar risks. By understanding industry-wide common risks, you can create and implement response plans that offer your firm a competitive advantage.

Enterprise Risk Management Example in Banking

Toronto-headquartered TD Bank organizes its risk management around two pillars: a risk management framework and risk appetite statement. The enterprise risk framework defines the risks the bank faces and lays out risk management practices to identify, assess, and control risk. The risk appetite statement outlines the bank’s willingness to take on risk to achieve its growth objectives. Both pillars are overseen by the risk committee of the company’s board of directors.  

Risk management frameworks were an important part of the International Organization for Standardization’s 31000 standard when it was first written in 2009 and have been updated since then. The standards provide universal guidelines for risk management programs.  

Risk management frameworks also resulted from the efforts of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The group was formed to fight corporate fraud and included risk management as a dimension. 

Once TD completes the ERM framework, the bank moves on to the risk appetite statement.

The bank, which built a large U.S. presence through major acquisitions, determined that it will only take on risks that meet the following three criteria:

  • The risk fits the company’s strategy, and TD can understand and manage those risks. 
  • The risk does not render the bank vulnerable to significant loss from a single risk.
  • The risk does not expose the company to potential harm to its brand and reputation. 

Some of the major risks the bank faces include strategic risk, credit risk, market risk, liquidity risk, operational risk, insurance risk, capital adequacy risk, regulator risk, and reputation risk. Managers detail these categories in a risk inventory. 

The risk framework and appetite statement, which are tracked on a dashboard against metrics such as capital adequacy and credit risk, are reviewed annually. 

TD uses a three lines of defense (3LOD) strategy, an approach widely favored by ERM experts, to guard against risk. The three lines are as follows:

  • A business unit and corporate policies that create controls, as well as manage and monitor risk
  • Standards and governance that provide oversight and review of risks and compliance with the risk appetite and framework 
  • Internal audits that provide independent checks and verification that risk-management procedures are effective

Enterprise Risk Management Example in Pharmaceuticals

Drug companies’ risks include threats around product quality and safety, regulatory action, and consumer trust. To avoid these risks, ERM experts emphasize the importance of making sure that strategic goals do not conflict. 

For Britain’s GlaxoSmithKline, such a conflict led to a breakdown in risk management, among other issues. In the early 2000s, the company was striving to increase sales and profitability while also ensuring safe and effective medicines. One risk the company faced was a failure to meet current good manufacturing practices (CGMP) at its plant in Cidra, Puerto Rico. 

CGMP includes implementing oversight and controls of manufacturing, as well as managing the risk and confirming the safety of raw materials and finished drug products. Noncompliance with CGMP can result in escalating consequences, ranging from warnings to recalls to criminal prosecution. 

GSK’s unit pleaded guilty and paid $750 million in 2010 to resolve U.S. charges related to drugs made at the Cidra plant, which the company later closed. A fired GSK quality manager alerted regulators and filed a whistleblower lawsuit in 2004. In announcing the consent decree, the U.S. Department of Justice said the plant had a history of bacterial contamination and multiple drugs created there in the early 2000s violated safety standards.

According to the whistleblower, GSK’s ERM process failed in several respects to act on signs of non-compliance with CGMP. The company received warning letters from the U.S. Food and Drug Administration in 2001 about the plant’s practices, but did not resolve the issues. 

Additionally, the company didn’t act on the quality manager’s compliance report, which advised GSK to close the plant for two weeks to fix the problems and notify the FDA. According to court filings, plant staff merely skimmed rejected products and sold them on the black market. They also scraped by hand the inside of an antibiotic tank to get more product and, in so doing, introduced bacteria into the product.

Enterprise Risk Management Example in Consumer Packaged Goods

Mars Inc., an international candy and food company, developed an ERM process. The company piloted and deployed the initiative through workshops with geographic, product, and functional teams from 2003 to 2012. 

Driven by a desire to frame risk as an opportunity and to work within the company’s decentralized structure, Mars created a process that asked participants to identify potential risks and vote on which had the highest probability. The teams listed risk mitigation steps, then ranked and color-coded them according to probability of success. 

Larry Warner, a Mars risk officer at the time, illustrated this process in a case study. An initiative to increase direct-to-consumer shipments by 12 percent was colored green, indicating a 75 percent or greater probability of achievement. The initiative to bring a new plant online by the end of Q3 was coded red, meaning less than a 50 percent probability of success.

The company’s results were hurt by a surprise at an operating unit, which resulted from a risk that had been coded red in a unit workshop. Executives had agreed that some red risk profile was to be expected, but they decided that when a unit encountered a red issue, it must be communicated upward when first identified. This became a rule.

This process led to the creation of an ERM dashboard that listed initiatives in priority order, with the profile of each risk faced in the quarter, the risk profile trend, and a comment column for a year-end view. 

According to Warner, the key factors of success for ERM at Mars are as follows:

  • The initiative focused on achieving operational and strategic objectives rather than compliance, which refers to adhering to established rules and regulations.
  • The program evolved, often based on requests from business units, and incorporated continuous improvement. 
  • The ERM team did not overpromise. It set realistic objectives.
  • The ERM team periodically surveyed business units, management teams, and board advisers.

Enterprise Risk Management Example in Retail

Walmart is the world’s biggest retailer. As such, the company understands that its risk makeup is complex, given the geographic spread of its operations and its large number of stores, vast supply chain, and high profile as an employer and buyer of goods. 

In the 1990s, the company sought a simplified strategy for assessing risk and created an enterprise risk management plan with five steps founded on these four questions:

  • What are the risks?
  • What are we going to do about them?
  • How will we know if we are raising or decreasing risk?
  • How will we show shareholder value?

The process follows these five steps:

  • Risk Identification: Senior Walmart leaders meet in workshops to identify risks, which are then plotted on a graph of probability vs. impact. Doing so helps to prioritize the biggest risks. The executives then look at seven risk categories (both internal and external): legal/regulatory, political, business environment, strategic, operational, financial, and integrity. Many ERM pros use risk registers to evaluate and determine the priority of risks. You can download templates that help correlate risk probability and potential impact in “Free Risk Register Templates.”
  • Risk Mitigation: Teams that include operational staff in the relevant area meet. They use existing inventory procedures to address the risks and determine if the procedures are effective.
  • Action Planning: A project team identifies and implements next steps over the several months to follow.
  • Performance Metrics: The group develops metrics to measure the impact of the changes. They also look at trends of actual performance compared to goal over time.
  • Return on Investment and Shareholder Value: In this step, the group assesses the changes’ impact on sales and expenses to determine if the moves improved shareholder value and ROI.

To develop your own risk management planning, you can download a customizable template in “Risk Management Plan Templates.”

Enterprise Risk Management Example in Agriculture

United Grain Growers (UGG), a Canadian grain distributor that now is part of Glencore Ltd., was hailed as an ERM innovator and became the subject of business school case studies for its enterprise risk management program. This initiative addressed the risks associated with weather for its business. Crop volume drove UGG’s revenue and profits. 

In the late 1990s, UGG identified its major unaddressed risks. Using almost a century of data, risk analysts found that extreme weather events occurred 10 times as frequently as previously believed. The company worked with its insurance broker and the Swiss Re Group on a solution that added grain-volume risk (resulting from weather fluctuations) to its other insured risks, such as property and liability, in an integrated program. 

The result was insurance that protected grain-handling earnings, which comprised half of UGG’s gross profits. The greater financial stability significantly enhanced the firm’s ability to achieve its strategic objectives. 

Since then, the number and types of instruments to manage weather-related risks have multiplied rapidly. For example, over-the-counter derivatives, such as futures and options, began trading in 1997. The Chicago Mercantile Exchange now offers weather futures contracts on 12 U.S. and international cities.

Weather derivatives are linked to climate factors such as rainfall or temperature, and they hedge different kinds of risks than insurance does. These risks are much more common (e.g., a cooler-than-normal summer) than the earthquakes and floods that insurance typically covers. And the holders of derivatives do not have to incur any damage to collect on them.

These weather-linked instruments have found a wider audience than anticipated, including retailers that worry about freak storms decimating Christmas sales, amusement park operators fearing rainy summers will keep crowds away, and energy companies needing to hedge demand for heating and cooling.

This area of ERM continues to evolve because weather and crop insurance are not enough to address all the risks that agriculture faces. Arbol, Inc. estimates that more than $1 trillion of agricultural risk is uninsured. As such, it is launching a blockchain-based platform that offers contracts (customized by location and risk parameters) with payouts based on weather data. These contracts can cover risks associated with niche crops and small growing areas.

Enterprise Risk Management Example in Insurance

Switzerland’s Zurich Insurance Group understands that risk is inherent for insurers and seeks to practice disciplined risk-taking, within a predetermined risk tolerance. 

The global insurer’s enterprise risk management framework aims to protect capital, liquidity, earnings, and reputation. Governance serves as the basis for risk management, and the framework lays out responsibilities for taking, managing, monitoring, and reporting risks. 

The company uses a proprietary process called Total Risk Profiling (TRP) to monitor internal and external risks to its strategy and financial plan. TRP assesses risk on the basis of severity and probability, and helps define and implement mitigating moves. 

Zurich’s risk appetite sets parameters for its tolerance within the goal of maintaining enough capital to achieve an AA rating from rating agencies. For this, the company uses its own Zurich economic capital model, referred to as Z-ECM. The model quantifies risk tolerance with a metric that assesses risk profile vs. risk tolerance. 

To maintain the AA rating, the company aims to hold capital between 100 and 120 percent of capital at risk. Above 140 percent is considered overcapitalized (therefore at risk of throttling growth), and under 90 percent is below risk tolerance (meaning the risk is too high). On either side of 100 to 120 percent (90 to 100 percent and 120 to 140 percent), the insurer considers taking mitigating action. 

Zurich’s assessment of risk and the nature of those risks play a major role in determining how much capital regulators require the business to hold. A popular tool to assess risk is the risk matrix, and you can find a variety of templates in “Free, Customizable Risk Matrix Templates.”

In 2020, Zurich found that its biggest exposures were market risk, such as falling asset valuations and interest-rate risk; insurance risk, such as big payouts for covered customer losses, which it hedges through diversification and reinsurance; credit risk in assets it holds and receivables; and operational risks, such as internal process failures and external fraud.

Enterprise Risk Management Example in Technology

Financial software maker Intuit has strengthened its enterprise risk management through evolution, according to a case study by former Chief Risk Officer Janet Nasburg. 

The program is founded on the following five core principles:

  • Use a common risk framework across the enterprise.
  • Assess risks on an ongoing basis.
  • Focus on the most important risks.
  • Clearly define accountability for risk management.
  • Commit to continuous improvement of performance measurement and monitoring. 

ERM programs grow according to a maturity model, and as capability rises, the shareholder value from risk management becomes more visible and important. 

The maturity phases include the following:

  • Ad hoc risk management addresses a specific problem when it arises.
  • Targeted or initial risk management approaches risks with multiple understandings of what constitutes risk, and management occurs in silos.
  • Integrated or repeatable risk management puts in place an organization-wide framework for risk assessment and response. 
  • Intelligent or managed risk management coordinates risk management across the business, using common tools. 
  • Risk leadership incorporates risk management into strategic decision-making. 

Intuit emphasizes using key risk indicators (KRIs) to understand risks, along with key performance indicators (KPIs) to gauge the effectiveness of risk management. 

Early in its ERM journey, Intuit measured performance on risk management process participation and risk assessment impact. For participation, the targeted rate was 80 percent of executive management and business-line leaders. This helped benchmark risk awareness and current risk management, at a time when ERM at the company was not mature.

Conduct an annual risk assessment at corporate and business-line levels to plot risks, so the most likely and most impactful risks are graphed in the upper-right quadrant. Doing so focuses attention on these risks and helps business leaders understand the risk’s impact on performance toward strategic objectives. 

In the company’s second phase of ERM, Intuit turned its attention to building risk management capacity and sought to ensure that risk management activities addressed the most important risks. The company evaluated performance using color-coded status symbols (red, yellow, green) to indicate risk trend and progress on risk mitigation measures.

In its third phase, Intuit moved to actively monitoring the most important risks and ensuring that leaders modified their strategies to manage risks and take advantage of opportunities. An executive dashboard uses KRIs, KPIs, an overall risk rating, and red-yellow-green coding. The board of directors regularly reviews this dashboard.

Over this evolution, the company has moved from narrow, tactical risk management to holistic, strategic, and long-term ERM.

Enterprise Risk Management Case Studies by Principle

ERM veterans agree that in addition to KPIs and KRIs, other principles are equally important to follow. Below, you’ll find examples of enterprise risk management programs by principles.

ERM Principle #1: Make Sure Your Program Aligns with Your Values

Raytheon Case Study

U.S. defense contractor Raytheon states that its highest priority is delivering on its commitment to provide ethical business practices and abide by anti-corruption laws.

Raytheon backs up this statement through its ERM program. Among other measures, the company performs an annual risk assessment for each function, including the anti-corruption group under the Chief Ethics and Compliance Officer. In addition, Raytheon asks 70 of its sites to perform an anti-corruption self-assessment each year to identify gaps and risks. From there, a compliance team tracks improvement actions. 

Every quarter, the company surveys 600 staff members who may face higher anti-corruption risks, such as the potential for bribes. The survey asks them to report any potential issues in the past quarter.

Also on a quarterly basis, the finance and internal controls teams review higher-risk profile payments, such as donations and gratuities, to confirm accuracy and compliance. Oversight and compliance teams add other checks, and they update a risk-based audit plan continuously.

ERM Principle #2: Embrace Diversity to Reduce Risk

State Street Global Advisors Case Study

In 2016, the asset management firm State Street Global Advisors introduced measures to increase gender diversity in its leadership as a way of reducing portfolio risk, among other goals.

The company relied on research that showed that companies with more women senior managers had a better return on equity, reduced volatility, and fewer governance problems such as corruption and fraud. 

Among the initiatives was a campaign to influence companies where State Street had invested, in order to increase female membership on their boards. State Street also developed an investment product that tracks the performance of companies with the highest level of senior female leadership relative to peers in their sector. 

In 2020, the company announced some of the results of its effort. Among the 1,384 companies targeted by the firm, 681 added at least one female director.

ERM Principle #3: Do Not Overlook Resource Risks

Infosys Case Study

India-based technology consulting company Infosys, which employs more than 240,000 people, has long recognized the risk of water shortages to its operations.

India’s rapidly growing population and development have increased the risk of water scarcity. A 2020 report by the World Wide Fund for Nature said 30 cities in India faced the risk of severe water scarcity over the next three decades.

Infosys has dozens of facilities in India and considers water to be a significant short-term risk. At its campuses, the company uses the water for cooking, drinking, cleaning, restrooms, landscaping, and cooling. Water shortages could halt Infosys operations and prevent it from completing customer projects and reaching its performance objectives. 

In an enterprise risk assessment example, Infosys’ ERM team conducts corporate water-risk assessments while sustainability teams produce detailed water-risk assessments for individual locations, according to a report by the World Business Council for Sustainable Development.

The company uses the COSO ERM framework to respond to the risks and decide whether to accept, avoid, reduce, or share these risks. The company uses root-cause analysis (which focuses on identifying underlying causes rather than symptoms) and the site assessments to plan steps to reduce risks. 

Infosys has implemented various water conservation measures, such as water-efficient fixtures and water recycling, rainwater collection and use, recharging aquifers, underground reservoirs to hold five days of water supply at locations, and smart-meter usage monitoring. Infosys’ ERM team tracks metrics for per-capita water consumption, along with rainfall data, availability and cost of water by tanker trucks, and water usage from external suppliers. 

In the 2020 fiscal year, the company reported a nearly 64 percent drop in per-capita water consumption by its workforce from the 2008 fiscal year. 

The business advantages of this risk management include an ability to open locations where water shortages may preclude competitors, and being able to maintain operations during water scarcity, protecting profitability.

ERM Principle #4: Fight Silos for Stronger Enterprise Risk Management

U.S. Government Case Study

The terrorist attacks of September 11, 2001, revealed that the U.S. government’s then-current approach to managing intelligence was not adequate to address the threats — and, by extension, neither was the government’s risk management procedure. Since the Cold War, sensitive information had been managed on a “need to know” basis that resulted in data silos.

In the case of 9/11, this meant that different parts of the government knew some relevant intelligence that could have helped prevent the attacks. But no one had the opportunity to put the information together and see the whole picture. A congressional commission determined there were 10 lost operational opportunities to derail the plot. Silos existed between law enforcement and intelligence, as well as between and within agencies. 

After the attacks, the government moved toward greater information sharing and collaboration. Based on a task force’s recommendations, data moved from a centralized network to a distributed model, and social networking tools now allow colleagues throughout the government to connect. Staff began working across agency lines more often.

Enterprise Risk Management Examples by Scenario

While some scenarios are too unlikely to receive high-priority status, low-probability risks are still worth running through the ERM process. Robust risk management creates a culture and response capacity that better positions a company to deal with a crisis.

In the following enterprise risk examples, you will find scenarios and details of how organizations manage the risks they face.

Scenario: ERM and the Global Pandemic

While most businesses do not have the resources to do in-depth ERM planning for the rare occurrence of a global pandemic, companies with a risk-aware culture will be at an advantage if a pandemic does hit.

These businesses already have processes in place to escalate trouble signs for immediate attention and an ERM team or leader monitoring the threat environment. A strong ERM function gives clear and effective guidance that helps the company respond.

A report by Vodafone found that companies identified as “future ready” fared better in the COVID-19 pandemic. The attributes of future-ready businesses have a lot in common with those of companies that excel at ERM. These include viewing change as an opportunity; having detailed business strategies that are documented, funded, and measured; working to understand the forces that shape their environments; having roadmaps in place for technological transformation; and being able to react more quickly than competitors. 

Only about 20 percent of companies in the Vodafone study met the definition of “future ready.” But 54 percent of these firms had a fully developed and tested business continuity plan, compared to 30 percent of all businesses. And 82 percent felt their continuity plans worked well during the COVID-19 crisis. Nearly 50 percent of all businesses reported decreased profits, while 30 percent of future-ready organizations saw profits rise. 

Scenario: ERM and the Economic Crisis

The 2008 economic crisis in the United States resulted from the domino effect of rising interest rates, a collapse in housing prices, and a dramatic increase in foreclosures among mortgage borrowers with poor creditworthiness. This led to bank failures, a credit crunch, and layoffs, and the U.S. government had to rescue banks and other financial institutions to stabilize the financial system.

Some commentators said these events revealed the shortcomings of ERM because it did not prevent the banks’ mistakes or collapse. But Sim Segal, an ERM consultant and director of Columbia University’s ERM master’s degree program, analyzed how banks performed on 10 key ERM criteria. 

Segal says a risk-management program that incorporates all 10 criteria has these characteristics: 

  • Risk management has an enterprise-wide scope.
  • The program includes all risk categories: financial, operational, and strategic. 
  • The focus is on the most important risks, not all possible risks. 
  • Risk management is integrated across risk types.
  • Aggregated metrics show risk exposure and appetite across the enterprise.
  • Risk management incorporates decision-making, not just reporting.
  • The effort balances risk and return management.
  • There is a process for disclosure of risk.
  • The program measures risk in terms of potential impact on company value.
  • The focus of risk management is on the primary stakeholder, such as shareholders, rather than regulators or rating agencies.

In his book Corporate Value of Enterprise Risk Management, Segal concluded that most banks did not actually use ERM practices, which contributed to the financial crisis. He scored banks as failing on nine of the 10 criteria, only giving them a passing grade for focusing on the most important risks.

Scenario: ERM and Technology Risk

The story of retailer Target’s failed expansion to Canada, where it shut down 133 loss-making stores in 2015, has been well documented. But one dimension that analysts have sometimes overlooked was Target’s handling of technology risk.

A case study by Canadian Business magazine traced some of the biggest issues to software and data-quality problems that dramatically undermined the Canadian launch. 

As with other forms of ERM, technology risk management requires companies to ask what could go wrong, what the consequences would be, how they might prevent the risks, and how they should deal with the consequences. 

But with its technology plan for Canada, Target did not heed risk warning signs. 

In the United States, Target had custom systems for ordering products from vendors, processing items at warehouses, and distributing merchandise to stores quickly. But that software would need customization to work with the Canadian dollar, metric system, and French-language characters. 

Target decided to go with new ERP software on an aggressive two-year timeline. As Target began ordering products for the Canadian stores in 2012, problems arose. Some items did not fit into shipping containers or on store shelves, and information needed for customs agents to clear imported items was not correct in Target's system. 

Target found that its supply chain software data was full of errors. Product dimensions were in inches, not centimeters; height and width measurements were mixed up. An internal investigation showed that only about 30 percent of the data was accurate. 

In an attempt to fix these errors, Target merchandisers spent a week double-checking with vendors up to 80 data points for each of the retailer’s 75,000 products. They discovered that the dummy data entered into the software during setup had not been altered. To make any corrections, employees had to send the new information to an office in India where staff would enter it into the system. 

As the launch approached, the technology errors left the company vulnerable to stockouts, few people understood how the system worked, and the point-of-sale checkout system did not function correctly. Soon after stores opened in 2013, consumers began complaining about empty shelves. Meanwhile, Target Canada distribution centers overflowed due to excess ordering based on poor data fed into forecasting software. 

The rushed launch compounded problems because it did not allow the company enough time to find solutions or alternative technology. While the retailer fixed some issues by the end of 2014, it was too late. Target Canada filed for bankruptcy protection in early 2015. 

Scenario: ERM and Cybersecurity

System hacks and data theft are major worries for companies. But as a relatively new field, cyber-risk management faces unique hurdles.

For example, risk managers and information security officers have difficulty quantifying the likelihood and business impact of a cybersecurity attack. The rise of cloud-based software exposes companies to third-party risks that make these projections even more difficult to calculate. 

As the field evolves, risk managers say it’s important for IT security officers to look beyond technical issues, such as the need to patch a vulnerability, and instead look more broadly at business impacts to make a cost-benefit analysis of risk mitigation. Frameworks such as the Risk Management Framework for Information Systems and Organizations by the National Institute of Standards and Technology can help.

Health insurer Aetna considers cybersecurity threats as a part of operational risk within its ERM framework and calculates a daily risk score, adjusted with changes in the cyberthreat landscape. 

Aetna studies threats from external actors by working through information sharing and analysis centers for the financial services and health industries. Aetna staff reverse-engineers malware to determine controls. The company says this type of activity helps ensure the resiliency of its business processes and greatly improves its ability to help protect member information.

For internal threats, Aetna uses models that compare current user behavior to past behavior and identify anomalies. (The company says it was the first organization to do this at scale across the enterprise.) Aetna gives staff permissions to networks and data based on what they need to perform their job. This segmentation restricts access to raw data and strengthens governance. 

Another risk initiative scans outgoing employee emails for code patterns, such as credit card or Social Security numbers. The system flags the email, and a security officer assesses it before the email is released.
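The outbound email check described above, sketched as an added example (not Aetna's system and not code from the original article). It assumes US-format Social Security numbers and payment card numbers of 13 to 19 digits; the function names, decision strings and sample messages are constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# SSNs in the common NNN-NN-NNNN layout.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


@dataclass(frozen=True)
class Finding:
    kind: str      # "card" or "ssn"
    redacted: str  # masked value, safe to show in a review queue
    offset: int    # position of the match in the message body


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs (order refs, tracking ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject number ranges that are never issued as SSNs."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def scan_body(body: str) -> list[Finding]:
    """Return masked findings, ordered by position in the message."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding("card", masked, m.start()))
    for m in SSN_RE.finditer(body):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def review_decision(body: str) -> tuple[str, list[Finding]]:
    """Hold the message for a security officer if anything matched, else release it."""
    findings = scan_body(body)
    return ("HOLD_FOR_REVIEW" if findings else "RELEASE", findings)


# Constructed sample messages. The card number is a widely published test value.
SAMPLE_LEAK = "Hi, the customer card is 4111 1111 1111 1111 and SSN 123-45-6789. Thanks"
SAMPLE_CLEAN = "Order ref 1234 5678 9012 3456 shipped; ticket 000-12-3456 closed."

if __name__ == "__main__":
    for msg in (SAMPLE_LEAK, SAMPLE_CLEAN):
        decision, found = review_decision(msg)
        print(decision, [(f.kind, f.redacted) for f in found])
```

The checksum and range checks cut false positives but do not remove them, which is why the flagged message goes to a human reviewer rather than being blocked outright; the review queue stores only the masked values.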

Examples of Poor Enterprise Risk Management

Case studies of failed enterprise risk management often highlight mistakes that managers could and should have spotted — and corrected — before a full-blown crisis erupted. The focus of these examples is often on determining why that did not happen. 

ERM Case Study: General Motors

In 2014, General Motors recalled the first of what would become 29 million cars due to faulty ignition switches and paid compensation for 124 related deaths. GM knew of the problem for at least 10 years but did not act, the automaker later acknowledged. The company entered a deferred prosecution agreement and paid a $900 million penalty. 

Pointing to the length of time the company failed to disclose the safety problem, ERM specialists say it shows the problem did not reside with a single department. “Rather, it reflects a failure to properly manage risk,” wrote Steve Minsky, a writer on ERM and CEO of an ERM software company, in Risk Management magazine. 

“ERM is designed to keep all parties across the organization, from the front lines to the board to regulators, apprised of these kinds of problems as they become evident. Unfortunately, GM failed to implement such a program, ultimately leading to a tragic and costly scandal,” Minsky said.

Also in the auto sector, an enterprise risk management case study of Toyota looked at its problems with unintended acceleration of vehicles from 2002 to 2009. Several studies, including a case study by Carnegie Mellon University Professor Phil Koopman, blamed poor software design and company culture. A whistleblower later revealed a coverup by Toyota. The company paid more than $2.5 billion in fines and settlements.

ERM Case Study: Lululemon

In 2013, following customer complaints that its black yoga pants were too sheer, the athletic apparel maker recalled 17 percent of its inventory at a cost of $67 million. The company had previously identified risks related to fabric supply and quality. The CEO said the issue was inadequate testing. 

Analysts raised concerns about the company’s controls, including oversight of factories and product quality. A case study by Stanford University professors noted that Lululemon’s episode illustrated a common disconnect between identifying risks and being prepared to manage them when they materialize. Lululemon’s reporting and analysis of risks was also inadequate, especially as related to social media. In addition, the case study highlighted the need for a system to escalate risk-related issues to the board. 

ERM Case Study: Kodak 

Once an iconic brand, the photo film company failed for decades to act on the threat that digital photography posed to its business and eventually filed for bankruptcy in 2012. The company’s own research in 1981 found that digital photos could ultimately replace Kodak’s film technology and estimated it had 10 years to prepare. 

Unfortunately, Kodak did not prepare and stayed locked into the film paradigm. The board reinforced this course when in 1989 it chose as CEO a candidate who came from the film business over an executive interested in digital technology. 

Had the company acknowledged the risks and employed ERM strategies, it might have pursued a variety of strategies to remain successful. The company’s rival, Fuji Film, took the money it made from film and invested in new initiatives, some of which paid off. Kodak, on the other hand, kept investing in the old core business.

Case Studies of Successful Enterprise Risk Management

Successful enterprise risk management usually requires strong performance in multiple dimensions, and is therefore more likely to occur in organizations where ERM has matured. The following examples of enterprise risk management can be considered success stories. 

ERM Case Study: Statoil 

A major global oil producer, Statoil of Norway stands out for the way it practices ERM by looking at both downside risk and upside potential. Taking risks is vital in a business that depends on finding new oil reserves. 

According to a case study, the company developed its own framework founded on two basic goals: creating value and avoiding accidents.

The company aims to understand risks thoroughly, and unlike many ERM programs, Statoil maps risks on both the downside and upside. It graphs risk on probability vs. impact on pre-tax earnings, and it examines each risk from both positive and negative perspectives. 

For example, the case study cites a risk that the company assessed as having a 5 percent probability of a somewhat better-than-expected outcome but a 10 percent probability of a significant loss relative to forecast. In this case, the downside risk was greater than the upside potential.

ERM Case Study: Lego 

The Danish toy maker’s ERM evolved over the following four phases, according to a case study by one of the chief architects of its program:

  • Traditional management of financial, operational, and other risks. Strategic risk management joined the ERM program in 2006. 
  • The company added Monte Carlo simulations in 2008 to model financial performance volatility so that budgeting and financial processes could incorporate risk management. The technique is used in budget simulations, to assess risk in its credit portfolio, and to consolidate risk exposure. 
  • Active risk and opportunity planning is part of making a business case for new projects before final decisions.
  • The company prepares for uncertainty so that long-term strategies remain relevant and resilient under different scenarios. 

As part of its scenario modeling, Lego developed its PAPA (park, adapt, prepare, act) model. 

  • Park: The company parks risks that occur slowly and have a low probability of happening, meaning it does not forget nor actively deal with them.
  • Adapt: This response is for risks that evolve slowly and are certain or highly probable to occur. For example, a risk in this category is the changing nature of play and the evolution of buying power in different parts of the world. In this phase, the company adjusts, monitors the trend, and follows developments.
  • Prepare: This category includes risks that have a low probability of occurring — but when they do, they emerge rapidly. These risks go into the ERM risk database with contingency plans, early warning indicators, and mitigation measures in place.
  • Act: These are high-probability, fast-moving risks that must be acted upon to maintain strategy. For example, developments around connectivity, mobile devices, and online activity are in this category because of the rapid pace of change and the influence on the way children play. 

Lego views risk management as a way to better equip itself to take risks than its competitors. In the case study, the writer likens this approach to the need for the fastest race cars to have the best brakes and steering to achieve top speeds.

ERM Case Study: University of California 

The University of California, one of the biggest U.S. public university systems, introduced a new view of risk to its workforce when it implemented enterprise risk management in 2005. Previously, the function was merely seen as a compliance requirement.

ERM became a way to support the university’s mission of education and research, drawing on collaboration of the system’s employees across departments. “Our philosophy is, ‘Everyone is a risk manager,’” Erike Young, deputy director of ERM told Treasury and Risk magazine. “Anyone who’s in a management position technically manages some type of risk.”

The university faces a diverse set of risks, including cybersecurity, hospital liability, reduced government financial support, and earthquakes.  

The ERM department had to overhaul systems to create a unified view of risk because its information and processes were not linked. Software enabled both an organizational picture of risk and highly detailed drilldowns on individual risks. Risk managers also developed tools for risk assessment, risk ranking, and risk modeling. 

Better risk management has provided more than $100 million in annual cost savings and nearly $500 million in cost avoidance, according to UC officials. 

UC drives ERM with risk management departments at each of its 10 locations and leverages university subject matter experts to form multidisciplinary workgroups that develop process improvements.

APQC, a standards quality organization, recognized UC as a top global ERM practice organization, and the university system has won other awards. The university says in 2010 it was the first nonfinancial organization to win credit-rating agency recognition of its ERM program.

Examples of How Technology Is Transforming Enterprise Risk Management

Business intelligence software has propelled major progress in enterprise risk management because the technology enables risk managers to bring their information together, analyze it, and forecast how risk scenarios would impact their business.

ERM organizations are using computing and data-handling advancements such as blockchain for new innovations in strengthening risk management. Following are case studies of a few examples.

ERM Case Study: Bank of New York Mellon 

In 2021, the bank joined with Google Cloud to use machine learning and artificial intelligence to predict and reduce the risk that transactions in the $22 trillion U.S. Treasury market will fail to settle. Settlement failure means a buyer and seller do not exchange cash and securities by the close of business on the scheduled date. 

The party that fails to settle is assessed a daily financial penalty, and a high level of settlement failures can indicate market liquidity problems and rising risk. BNY says that, on average, about 2 percent of transactions fail to settle.

The bank trained models with millions of trades to consider every factor that could result in settlement failure. The service uses market-wide intraday trading metrics, trading velocity, scarcity indicators, volume, the number of trades settled per hour, seasonality, issuance patterns, and other signals. 

The bank said it predicts about 40 percent of settlement failures with 90 percent accuracy. But it also cautioned against overconfidence in the technology as the model continues to improve. 

AI-driven forecasting reduces risk for BNY clients in the Treasury market and saves costs. For example, a predictive view of settlement risks helps bond dealers more accurately manage their liquidity buffers, avoid penalties, optimize their funding sources, and offset the risks of failed settlements. In the long run, such forecasting tools could improve the health of the financial market. 

ERM Case Study: PwC

Consulting company PwC has leveraged a vast information storehouse known as a data lake to help its customers manage risk from suppliers.

A data lake stores both structured and unstructured information, meaning data in highly organized, standardized formats as well as unstandardized data. This means that everything from raw audio to credit card numbers can live in a data lake.

Using techniques pioneered in national security, PwC built a risk data lake that integrates information from client companies, public databases, user devices, and industry sources. Algorithms find patterns that can signify unidentified risks.

One of PwC’s first uses of this data lake was a program to help companies uncover risks from their vendors and suppliers. Companies can violate laws, harm their reputations, suffer fraud, and risk their proprietary information by doing business with the wrong vendor. 

Today’s complex global supply chains mean companies may be several degrees removed from the source of this risk, which makes it hard to spot and mitigate. For example, a product made with outlawed child labor could be traded through several intermediaries before it reaches a retailer. 

PwC’s service helps companies recognize risk beyond their primary vendors and continue to monitor that risk over time as more information enters the data lake.

ERM Case Study: Financial Services

As analytics have become a pillar of forecasting and risk management for banks and other financial institutions, a new risk has emerged: model risk. This refers to the risk that machine-learning models will lead users to an unreliable understanding of risk or have unintended consequences.

For example, a 6 percent drop in the value of the British pound over the course of a few minutes in 2016 stemmed from currency trading algorithms that spiralled into a negative loop. A Twitter-reading program began an automated selling of the pound after comments by a French official, and other selling algorithms kicked in once the currency dropped below a certain level.

U.S. banking regulators are so concerned about model risk that the Federal Reserve set up a model validation council in 2012 to assess the models that banks use in running risk simulations for capital adequacy requirements. Regulators in Europe and elsewhere also require model validation.

A form of managing risk from a risk-management tool, model validation is an effort to reduce risk from machine learning. The technology-driven rise in modeling capacity has caused such models to proliferate, and banks can use hundreds of models to assess different risks. 

Model risk management can reduce rising costs for modeling by an estimated 20 to 30 percent by building a validation workflow, prioritizing models that are most important to business decisions, and implementing automation for testing and other tasks, according to McKinsey.


Project Risk Management: 5 Case Studies You Should Not Miss

May 21, 2024


Exploring project risk management, one can see how vital it is in today’s business world. This article from Designveloper, “Project Risk Management: 5 Case Studies You Should Not Miss”, exists in order to shed light on this important component of project management.

We’ll reference some new numbers and facts that highlight the significance of risk management in projects. These data points are based on legit reports and will help create a good basis of understanding on the subject matter.

In addition, we will discuss specific case studies in which risk management was successfully applied in project management and in which it was not. These real-world examples are very important for project managers and teams.

It is also important to keep in mind that each project has associated risks. However, through project risk management these risks can be identified, analyzed, prioritized and managed so that the project achieves its objectives. Well then, let’s take this journey of understanding together. Watch out for an analysis of the five case studies you must not miss.

Understanding Project Risk Management

Risk management is a very critical component of any project. Risk management is a set of tools that allow determining the potential threats to the success of a project and how to address them. Let’s look at some more recent stats and examples to understand this better.

Statistics show that as many as 70% of all projects are unsuccessful. This high failure rate highlights the need for efficient project risk management. Surprisingly, organizations that do not attach much importance to project risk management face a 50% chance of project failure. This results in huge losses of money and untapped business potential.

Additionally, poor performance leads to an approximate 10% loss of every dollar spent on projects. This translates to a loss of $99 for every $1 billion invested. These statistics demonstrate the importance of project risk management in improving project success rates and minimizing waste.

Let us consider a project management example to demonstrate the relevance of the issue discussed above. Consider a new refinery being constructed in the Middle East. The project is entering a key phase: purchasing. Poor risk management could see important decisions surrounding procurement strategy, or the timing of the tendering process result in project failure.

Project risk management in itself is a process that entails the identification of potential threats and their mitigation. It is not reactionary but proactive.

This process begins with the identification of potential risks. These could be anything from budget overruns to delayed deliveries. After the risks are identified, they are analyzed. This involves estimating the probability of each risk event and the potential consequences to the project.

The next stage is risk response planning. This could be in the form of risk reduction, risk shifting or risk acceptance. The goal here is to reduce the impact of risks on the project.

Finally, the process entails identifying and tracking these risks throughout the life of a project. This helps in keeping the project on course and any new risks that might arise are identified and managed.

4 Key Components of Project Risk Management

Let’s dive into the heart of project risk management: its four key components. These pillars form the foundation of any successful risk management strategy. They are risk identification, risk analysis, risk response planning, and risk monitoring and control. Each plays a crucial role in ensuring project success. This section will provide a detailed explanation of each component, backed by data and real-world examples. So, let’s embark on this journey to understand the four key components of project risk management.

Risk identification is the first process in a project risk management process. It’s about proactively identifying risks that might cause a project to fail. This is very important because a recent study has shown that 77% of companies had operational surprises due to unidentified risks.

There are different approaches to risk identification such as brainstorming, Delphi technique, SWOT analysis, checklist analysis, flowchart. These techniques assist project teams in identifying all potential risks.

Risk assessment is the second stage of the project risk management process. It is a systematic approach that tries to determine the probability of occurrence and severity of identified risks. This step is very important; it helps to rank the identified risks and assists in the formation of risk response strategies.

Risk assessment involves two key elements: frequency and severity of occurrence. As for risk probability, it estimates the chances of a risk event taking place, and risk impact measures the impact associated with the risk event.

This is the third component of project risk management. It deals with planning the best ways to deal with the risks that have been identified. This step is important since it ensures that the risk does not have a substantial effect on the project.

One of the statistics stated that nearly three-quarters of organizations have an incident response plan and 63 percent of these organizations conduct the plan regularly. This explains why focusing only on risks’ identification and analysis without a plan of action is inadequate.

Risk response planning involves four key strategies: risk acceptance, risk sharing, risk reduction, and risk elimination. Each strategy is selected depending on the nature and potential of the risk.

Risk monitoring and control is the last step of project risk management. It’s about monitoring and controlling the identified risks and making sure that they are being addressed according to the plan.

Furthermore, risk control and management involve managing identified risks, monitoring the remaining risk, identifying new risks, implementing risk strategies, and evaluating their implementation during the project life cycle.

It is now high time to approach the practical side of project risk management. This section provides five selected case studies that explain the need for and application of project risk management. Each case study takes an individual approach, revealing how risk management can facilitate the success of a project. Additionally, these case studies cover construction projects and technology groups, among other industries. They show how effective project risk management can be in allowing organizations to respond to uncertainties and successfully accomplish their project objectives. Let us now examine these case studies and understand the concept of risk in project management.

Gordie Howe International Bridge Project

The Gordie Howe International Bridge is one of the projects that demonstrate the principles of project risk management. This is one of the biggest infrastructure projects in North America which includes the construction of a 6 lane bridge at the busiest commercial border crossing point between the U.S. and Canada.

The project scope can be summarized as: New Port of Entry and Inspection facilities for the Canadian and US governments; Tolls Collection Facilities; Projects and modifications to multiple local bridges and roadways. The project is administered via Windsor-Detroit Bridge Authority, a nonprofit Canadian Crown entity.

Specifically, one of the project challenges was associated with the fact that the project was a big one in terms of land size and the community of interests involved in the undertaking. Governance and the CI were fundamental aspects that helped the project team to overcome these challenges.

The PMBOK® Guide is the contractual basis for project management of the project agreement. This dedication to following the best practices for project management does not end with bridge construction: It spreads to all other requirements.

However, the project is making steady progress to the objective of finishing the project in 2024. This case study clearly demonstrates the role of project risk management in achieving success with large and complicated infrastructure projects.

Fujitsu’s Early-Career Project Managers

Fujitsu is an international company that deals with the provision of a total information and communication technology system as well as its products and services. The typical way was to employ a few college and school leavers and engage them in a two-year manual management training and development course. Nevertheless, this approach failed in terms of the following.

Firstly, the training was not comprehensive in its coverage of project management and was solely concerned with generic messaging, for example promoting leadership skills and time management. Secondly, it was not effectively addressing the needs of apprentices. Thirdly, the two-year time frame was not sufficient to allow for a deep approach to the development of the required project management skills for this job. Finally, the retention problems of employees in the training program presented a number of issues.

To tackle these issues, Fujitsu UK adopted a framework based on three dimensions: structured learning, learning from others, and rotation. This framework is designed to operate for the first five years of a participant’s career and is underpinned by the 70-20-10 model for learning and development. Rogers’ model acknowledges that most learning occurs on the job.

The initial training process starts with a three-week formal learning and induction program that includes the initial orientation to the organization and its operations, the fundamentals of project management, and business in general. Lastly, the participants are put on a rotational assignment in the PMO of the program for the first six to eight months.

Vodafone’s Complex Technology Project

Vodafone is a multinational mobile telecommunications group that manages telecommunications services in 28 countries across five continents. It decided to undertake a highly complex technology project to replace an existing network with a fully managed GLAN in 42 locations. This project was highly complex, and thus a well-grounded approach to risk management was needed.

The project team faced a long period of delay in signing the contract and frequent changes after the contract was signed until the project was baselined. These challenges stretched the time frame of the project and increased the project complexity.

In order to mitigate the risks, Vodafone employed PMI standards for its project management structure. This approach included conducting workshops, developing resource and risk management plans, tailoring project documentation, and conducting regular lessons-learned sessions.

Like any other project, the Vodafone GLAN project was not an easy one, but it was completed on time and in some cases ahead of the schedule that the team had anticipated. 90% of sites were successfully migrated at the first attempt and 100% at the second.

Fehmarnbelt Project

The Fehmarnbelt project is a real-life example of the strategic role of project risk management. It provides information about a mega-project to construct the world’s longest immersed tunnel between Germany and Denmark. It will be a four-lane highway and two-rail electrified tunnel extending for 18 kilometers and it will be buried 40 meters under the Baltic Sea.

This project is managed by Femern A/S, a Danish government-owned company, with a construction value of more than €7 billion (£8.2 billion). It is estimated to provide jobs for 3,000 workers directly in addition to 10,000 in the suppliers. Upon its completion, travel time between Denmark and Germany will be cut to 10 minutes by automobile and 7 minutes by rail.

The Femern risk management function, and in particular Risk Manager Bo Nygaard Sørensen, initiated the process and developed some clear key strategic objectives for the project. They formulated a simple, dynamic, and comprehensive risk register to give a more complete risk view of the mega-project. They also created a risk index in order to assess all risks in a consistent and predictable manner, classify them according to their importance, and manage and overcome the risks in an appropriate and timely manner.

Predict! is a risk assessment and analysis tool that the team used to determine the effect of various risks on the cost of constructing the link and to calculate the risk contingency needed for the project. This way they were able to make decisions on whether an immersed tunnel could be constructed instead of a bridge.

Lend Lease Project

Lend Lease is an international property and infrastructure group that operates in over 20 countries in the world; the company offers a better example of managing project risks. The company has established a complex framework called the Global Minimum Requirements (GMRs) to identify risks to which it is exposed.

The GMRs have scope for the phase of the project before a decision to bid for a job is taken. This framework includes factors related to flooding, heat, biodiversity, land or soil subsidence, water, weathering, infrastructure and insurance.

The GMRs are organized into five main phases in line with the five main development stages of a project. These stages guarantee that vital decisions are made at the ideal time. The stages include governance, investment, design and procurement, establishment, and delivery.

For instance, during the design and procurement stage, the GMRs identify requisite design controls that will prevent environment degradation during design as well as fatal risk elimination during planning and procurement. This approach aids in effective management of risks and delivery of successful projects in Lend Lease.

Let’s take a closer look at what risk management strategies are used here at Designveloper – a top web & software development firm in Vietnam. We also provide a range of other services, so it is essential that we manage risks on all our projects in similar and effective ways. The following part of the paper will try to give a glimpse of how we manage project risk in an exemplary manner using research from recent years and include specific cases.

The following steps explain the risk management process that we use, from identifying potential risks to managing them. We will also mention here how our experience and expertise have helped us in this area.

Risk management as a function in project delivery is well comprehended at Designveloper. Our method of managing the project risk is proactive and systematic, which enables us to predict possible problems and create successful solutions to overcome them.

One of the problems we frequently encounter is the comprehension of our clients’ needs. In most cases, clients come to us with a basic idea or concept. To convert these ideas into particular requirements and feature lists, the business analysts of our company have to collaborate with the client. The whole process is often time-consuming, and opportunities can be missed.

To solve this problem, we’ve created a library of features with their own time and cost estimates. This library is based on data from previous projects that we have documented, arranged, and consolidated. Now, when a client approaches us with a request, we can search for similar features in our library and give an initial quote. This method has considerably cut the time needed to provide first estimates to our clients and saves time for all participants.

This is only one of the techniques we use to mitigate project risks at Designveloper. The focus on effective project risk management has contributed significantly to our successful operation as a leading company in web and software development in Vietnam. It is a mindset that enables us to convert challenges into opportunities and provide outstanding results for our clients.

At Designveloper, we always aim to enhance our project risk management practices. Below are a couple of examples of the advancements we’ve made.

To reduce the waiting time, we have adopted continuous deployment. This enables us to provide value quickly and effectively. We release a minimum feature rather than a big feature, which helps us collect input from our customers and keep improving. For our customers, this means they start to derive value from the product quickly and get near-continuous improvement rather than having to wait for a “perfect” feature.

We also hold regular “sync-up” meetings between teams to keep information synchronized and transparent from input (requirements) to output (product). Changes are known to all teams, so teams can prepare to respond flexibly and in the best way.

These developments in project risk management have enabled us to complete projects successfully and provide excellent service to our clients. They show our commitment to continuous improvement and our capability to turn threats into opportunities. The strength of Designveloper is largely attributed to the fact that we do not just control project risks – we master them.

To conclude, project risk management is an important element of nearly all successful projects. It is all about identifying possible problems and organizing the measures necessary for the project to succeed. The case studies addressed in this article illustrate the significance and implementation of project risk management in different settings and fields. They show what efficient risk management can achieve.

We have witnessed the advantages of solid project risk management at Designveloper. Our approach, powered by our track record and professionalism, has enabled us to complete projects that met all of our clients’ requirements. We are not only managing project risks but mastering them.

We trust you have found this article helpful in understanding project risk management and its significance in today’s fast-changing, complicated project environment. Keep in mind that proper project management is not only about task and resource management but also about risk management. At Designveloper, our team is there to guide you through those risks and to help you realize your project’s objectives.


13 case studies on how risk managers are assessing their risk culture

William Sanders

Continuing on from last week's post, There’s no such thing as risk culture, or is there? , this is the third in a series of blogs in which we are summarising key insights gained from about 50 risk managers and CROs interviewed between December 2019 and May 2020.

There are various techniques and different mindsets on how to assess and measure risk culture. We round-up the very best case studies, tools and templates used by risk managers around the world.

To survey or not to survey?

If you start from a base of assuming you need a survey (or perhaps you have an executive or board who want one), then you are faced with two main choices:

  • Include a number of questions in a larger employee engagement/culture survey, probably being run by HR (as one of our Member organisations did, only to discover the results didn’t align with their anecdotal feedback and experiences)
  • Conduct a dedicated risk culture survey, which might later be re-run as a benchmark (as one former CRO at an international airline did upon joining the organisation).

However, not everyone believes a survey is the way to go. Or at least, not a survey in isolation.

It’s a self-assessment tool, for one thing, as former Bank of Queensland CRO Peter Deans pointed out in a recent Intelligence contribution (Members: access this here ). You may not get the true risk picture you need, if you are only asking people if they believe they are making risk-aware decisions and are satisfied with the culture.

UK risk consultant Roger Noon shared with us a variety of tools risk managers can use in-house to help understand behaviours and diagnose culture (Members: access these tools here) . Of quantitative risk culture surveys, he says: “Survey instruments can also be used so long as you and your sponsors recognise that they are typically very blunt tools, often with poor validity. They're very ‘point in time and context’ driven, and they don't really provide you with objective observable output. 

“However, they can be used to generate interesting data that creates helpful dialogue at the senior management table. They’re also useful to build engagement with the people that are part of the culture, and as part of a wider, triangulated set of data.”

In other instances, risk managers found it was not employees they initially needed to survey, but their board. Across different industries, different understandings of risk culture exist. If your board is asking about risk culture, it can be a good idea to check in that you (and they, among themselves) are all on the same page before beginning any broader projects. (Members: take a look at some sample questions about risk culture for the board here .)

So overt it’s covert

When it comes to an organisation’s overall approach to assessing and changing risk culture, there are also a few fundamentally different mindsets.

For some companies, the ‘culture overhaul’ needs to be a large project with lots of publicity and a big push from the top. In such cases, when it comes to driving change, extensive engagement and communications programs are planned, potentially including video.

We collected one case study, however, that stood out for its far more subtle and positive approach. In it, the head of risk at a large organisation with a few thousand staff spread across nine departments said there were a lot of preconceptions and quite a bit of nervousness around the idea of ‘working on risk culture’. This risk manager had therefore developed a different kind of self-assessment tool, which helped participants map their own risk culture using evidence-based attributes. 

At the end of the initial meeting (which took no more than an hour and a half), participants had identified their own areas for improvement and incorporated culture elements into their future risk planning. (Members: access this case study here .)


In another example from the Middle East, an expat risk manager found it was a case of trying to move his company’s risk culture at different ‘clock speeds’ across the organisation’s verticals, catering to different levels of appetite, awareness and need for change between delivery teams and the C-Suite. (Members: access this case study here .)

And, finally, sometimes risk managers reach a point where they simply have to be realistic about their resources and prospects for implementing large scale change. If there’s no appetite from the top for a risk culture shift, the risk manager will have an uphill battle. We’ve collected ideas from the former risk leader at a government utility, who devised tactics for embedding changes into existing systems and processes to deliver better risk outcomes for the business. (Members: access these ideas here .)

Measuring, reporting and dashboards

We found that this was the facet of culture where everybody most wanted to know what everybody else was measuring and what they were doing in terms of reporting and dashboards.

Again, there were a number of different methods shared by our Members and contributors, as well as contrasting views on what actually should be measured.

For example, is it redundant to actually measure ‘risk culture’? After all, isn’t the entire point of improving risk culture to improve risk outcomes? Why not just focus on measuring the risk outcomes, with culture change happening in the background to facilitate? 

Certainly, this was the view of the former risk manager at a prominent United States government organisation, who spoke to us about building up their organisation’s risk capability over several years. (Members: read more on this here .)


However, others saw value in tracking specific culture metrics, even if these goals were a means to an end. A scorecard or dashboard became a talking point to launch difficult conversations with different managers or executives, and the ability to show progress over time helped maintain momentum and commitment.

Over time, Peter Deans at BOQ developed and refined a ‘basket of risk culture measures’ along the same lines as the consumer price index, which he regularly updated and used to give leadership a ‘big picture view’ of how risk culture was doing.

Other contributing risk managers shared their scorecards and dashboards with us as templates, such as a scorecard example using a traffic light system across nine key risk indicators. We also collected ideas for dashboard metrics and a spreadsheet-based sunburst tool, alongside risk culture pillars.

On a final note, UK risk advisor Danny Wong shared a detailed case study on how to use data to drive an impactful risk narrative. For any risk managers who are striving to bring risk into line with many other functions in contemporary business – such as product development, sales, operations, and others that regularly use data strategically to inform decision making and best practice – this piece is essential reading. (Members: access this piece here .)

Risk Leadership Network’s Intelligence platform – our searchable database of peer-contributed case-studies, tools and templates – delves deeper into risk culture with more on diagnosing culture , addressing culture and ethics , and building a risk culture survey of boards . (Members only)

Are you an in-house risk manager who could benefit from collaborating with a global network of senior risk professionals? Talk to us about becoming a member today.


Increasing Value and Resilience Through Project Risk Management: A Case Study in the IT Consulting Sector

  • First Online: 19 March 2024


Raffaele Testorelli, Anna Tiso & Chiara Verbano

Part of the book series: Management for Professionals ((MANAGPROF))


In the current dynamic and uncertain business environment, small- and medium-sized enterprises (SMEs) are struggling to enhance their ability to adapt to and resist change while pursuing their strategic objectives. In particular, projects are gaining a crucial role in companies’ success, as the main vehicles for managing change and creating innovation. Consequently, Project Risk Management (PRM) is a widely used approach to foster the effect of positive events (opportunities) while mitigating those related to negative ones, with the final aim of creating value and resilience. For these reasons, there is growing interest in PRM as a value generation process for multiple project stakeholders. This research presents a case study conducted in an SME based in Italy and operating in the information technology (IT) consulting sector, addressing the literature gaps about the creation of value through PRM. From an academic perspective, it provides an overview of the topic, proposing a framework for the analysis of the relationships between the characteristics of the context, the PRM system implemented, and the value generated. Moreover, it supports practitioners with a new measurement system for the value generated through PRM and with guidelines to enhance value generation and resilience.



Acknowledgments

The authors gratefully acknowledge the Grant VERB_SID19_01 funded by the University of Padova.

Author information

Authors and affiliations.

University of Padova, Padua, Italy

Raffaele Testorelli, Anna Tiso & Chiara Verbano


Corresponding author

Correspondence to Raffaele Testorelli .

Editor information

Editors and affiliations.

Business and Economics, Reykjavík University, Reykjavik, Iceland

Susanne Durst

Faculty of Business and Law, HTW Berlin – University of Applied Science, Berlin, Berlin, Germany

Thomas Henschel


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Testorelli, R., Tiso, A., Verbano, C. (2024). Increasing Value and Resilience Through Project Risk Management: A Case Study in the IT Consulting Sector. In: Durst, S., Henschel, T. (eds) Small and Medium-Sized Enterprise (SME) Resilience. Management for Professionals. Springer, Cham. https://doi.org/10.1007/978-3-031-50836-3_13


DOI : https://doi.org/10.1007/978-3-031-50836-3_13

Published : 19 March 2024

Publisher Name : Springer, Cham

Print ISBN : 978-3-031-50835-6

Online ISBN : 978-3-031-50836-3

eBook Packages : Business and Management Business and Management (R0)


Risk.net

Behavioural Risk Management

By René Doff

First published:

ISBN:  9781782724230


Case Studies on Risk Management Failure

An Introduction to Behavioural Risk Management

Risk Management Context

Value-at-Risk as the Dominant Risk Management Tool in the Financial Industry

The Role of Regulation in Risk Management

Advances in Behavioural Economics and Finance

Behavioural Issues with Probability

Systems Theory

Using Scenarios

Making Robust Decisions

Advances in the Risk Management Process

Behavioural Risk Management in the Financial Markets

Countervailing Power

Behavioural Risk Management: Closing Thoughts

Appendix: Selective list of Behavioural Biases

Bibliography

Having understood the advantages and disadvantages of traditional risk management in the previous chapter, this chapter will analyse five case studies. In each of them, traditional risk management activities fell short because unwanted risks materialised with significant financial effect. The chapter will also provide some generic guidance that will help prepare us for the analysis in the remainder of this book. Despite the knowledge of hindsight, it is worth emphasising that none of the stakeholders involved in these examples would have stated at the time that risk management was unimportant for them. They all practiced some form of risk management to keep abreast of developments, and what really matters is the underlying belief of how risk management would be practised.

CASE STUDY 1: LEHMAN BROTHERS

Amid the global financial crisis, Lehman Brothers filed for bankruptcy on September 15, 2008. It is said to be the largest and most complex bankruptcy in US history. At the time, Lehman Brothers was the fourth largest investment bank in the world and was over 150 years old, being founded as a trading company in 1850. It evolved well and played an important role in the creation

Copyright Infopro Digital Limited. All rights reserved.


Triangulating risk profile and risk assessment: a case study of implementing enterprise risk management system.


1. Introduction

2. Background on the Firm

3. ERM Literature Review

4. Sample and Questionnaire Data

5. Risk Profile and Risk Assessment

6. Mitigation Strategies

7. Conclusions

8. Case Requirements

  • Using the average coded responses to selected questions in each of the five risk areas in Table 7, provide a 500-word summary of the firm’s risk profile.
  • Complete the risk matrix in Table A1, below, by using the input measures from Table 8: average of likelihood, impact on annual revenue growth, and level of control, along with variance of the expected impact and average control.
  • Rank the ten risk categories by (i) their expected impact, (ii) by an equally weighted index of expected impact and average control, and (iii) by an equally weighted index of three indices: expected impact, opinion convergence on expected impact, and opinion convergence on control.
  • Create an equally weighted consolidated ranking of the above three rankings and re-rank the ten risk categories.
  • Develop a risk map of all ten risks identified for the firm.
  • Using the input in Table 1, the questionnaire results, and quantitative risk metrics in Table 7 and Table 8, along with the discussion on key sources and drivers of risk in Section 6, propose mitigation strategies for the top six risks selected by the board.

Author Contributions

Data Availability Statement

Conflicts of Interest

Appendix A. Instructor’s Notes

Appendix A.1. Background and Introduction

Appendix A.2. Case Requirements: Implementation

| Risk Category | Average Expected Impact | Opinion Convergence (Expected Impact) | Opinion Convergence (Control) |
| --- | --- | --- | --- |
| Strategic Risk | | | |
| Innovation Risk | | | |
| Information and Security Risk | | | |
| Geopolitical Risk | | | |
| Financial Risk | | | |
| Regulatory and Legal Risk | | | |
| Operational Risk | | | |
| Credit and Product Risk | | | |
| Human Resources Risk | | | |
| Reputation Risk | | | |

| Risk Category | Average Probability | Average Expected Impact | Average Control | Opinion Convergence (Expected Impact) | Opinion Convergence (Control) |
| --- | --- | --- | --- | --- | --- |
| Strategic Risk | 46.46% | −0.16 | 4.23 | 0.71 | 0.1313 |
| Innovation Risk | 54.26% | −0.15 | 4.30 | 0.4 | 0.1271 |
| Information and Security Risk | 61.67% | −0.14 | 4.00 | 0.74 | 0.1428 |
| Geopolitical Risk | 51.30% | −0.15 | 3.95 | 0.63 | 0.1427 |
| Financial Risk | 48.10% | −0.17 | 4.05 | 0.28 | 0.1042 |
| Regulatory and Legal Risk | 45.56% | −0.14 | 3.95 | 0.22 | 0.1227 |
| Operational Risk | 44.81% | −0.16 | 3.76 | 0.36 | 0.0949 |
| Credit and Product Risk | 57.14% | −0.19 | 3.76 | 0.51 | 0.1282 |
| Human Resources Risk | 53.33% | −0.15 | 3.65 | 0.3 | 0.1185 |
| Reputation Risk | 42.08% | −0.16 | 3.35 | 0.6 | 0.1282 |
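
| Risk Category | Rank (1) | Rank (2) | Rank (3) | Consolidated Ranking |
| --- | --- | --- | --- | --- |
| Strategic Risk | 3 | 5 | 7 | 6 |
| Innovation Risk | 4 | 6 | 5 | 6 |
| Information and Security Risk | 5 | 5 | 9 | 7 |
| Geopolitical Risk | 4 | 3 | 8 | 6 |
| Financial Risk | 2 | 3 | 1 | 1 |
| Regulatory and Legal Risk | 5 | 4 | 3 | 5 |
| Operational Risk | 3 | 2 | 2 | 2 |
| Credit and Product Risk | 1 | 1 | 4 | 1 |
| Human Resources Risk | 4 | 2 | 3 | 3 |
| Reputation Risk | 3 | 1 | 6 | 4 |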

| Risk Categories | Key Drivers of Risks | Mitigation Strategies |
| --- | --- | --- |
| Strategic | | Developed a new 5-year, 2017–2022, strategic plan establishing more clearly the firm’s mission and vision, creating strategies and tactics aligning the firm’s operational, financial, risk management, and marketing/communication goals. Created a stand-alone risk committee as a sub-committee of the board. Provided regular progress reports to the board on realizing the goals of the plan. Used risk-adjusted criteria to assess the valuation implications of new projects. Produced quarterly global economic and environmental scans to review the plan’s goals and strategies, recommending possible changes. |
| Innovation | | Established a portfolio approach whereby the financial and human resources are allocated strategically and optimally to enhance innovation in core offerings, adjacent opportunities, and, particularly, transformational territories achieved through geographic diversification. Promoted a more effective dialog between staff, senior executives, and the board on new initiatives. Incentivized staff to experiment with new ideas. Aligned the R&D budget with best practices by comparable entities. Used risk-adjusted approaches to measure the value proposal of R&D projects. |
| Informational and Security | | Hired a Chief Informational Officer (CIO) who was responsible for developing and executing policies to manage the global network of information. Key steps included the synchronization and consolidation of email platforms, launching software and hardware for document management, establishing effective patches to detect and defuse cyber-attacks, and aligning information technology policies with strategic planning. |
| Geopolitical | | Incorporated country risk analysis information regularly published by the International Monetary Fund (IMF) and the World Bank (WB) to better assess geographic risks and their implications for ongoing and new initiatives. Established quarterly country-based reports from foreign field offices. Secured a global insurance contract against losses occurring from travel bans, visa restrictions, kidnappings, and nationalizations. |
| Financial | | Systematically shifted revenue sources, such that the contribution of non-governmental projects would increase to 30% from its existing level of 5% of annual revenues in 5 years. Planned to increase liquidity ratios by 30% over 5 years. Established quarterly revenue scenario exercises to stress test the financial health of the firm. Implemented an optimal currency model to manage the FX risk of foreign revenues. Developed and implemented risk-adjusted valuation approaches related to R&D investments. |
| Regulatory | | Reported and regularly updated U.S. Federal/State- and country-specific compliance measures. Established quarterly country-based regulatory reports from foreign field offices. Secured a global insurance contract to cover the losses due to third-party liability. |
4 ( ) for an approach to estimating the cost of capital for privately held firms.

| Revenues | 2017 | 2016 | 2015 | 2015–2017 Change |
| --- | --- | --- | --- | --- |
| Government Grant | 275.0614 | 295.4502 | 313.2000 | −12.18% |
| Non-Government Grant | 22.0650 | 23.6250 | 25.0000 | −11.74% |
| Tuitions | 92.1876 | 98.7053 | 104.4500 | −11.74% |
| Administrative Fees | 41.9235 | 44.8875 | 47.5000 | −11.74% |
| Fund Raising | 1.8700 | 2.2500 | 2.7500 | −32.00% |
| Investment Income | 3.2500 | 2.2900 | 1.5000 | 116.67% |
| Other Income | 4.9426 | 5.2920 | 5.6000 | −11.74% |
| Total Revenues | 441.3000 | 472.5000 | 500.0000 | −11.74% |
| Student Exchanges | 143.0067 | 147.2570 | 156.8825 | −8.84% |
| Program Expenses | 153.1890 | 169.8350 | 170.8000 | −10.31% |
| Salary and Pension | 88.6176 | 92.2720 | 98.2000 | −9.76% |
| Depreciation and Amortization | 2.2654 | 2.2700 | 2.3846 | −5.00% |
| Repair and Maintenance | 1.2180 | 1.3100 | 1.4329 | −15.00% |
| Transportation | 33.1757 | 37.2810 | 43.3500 | −23.47% |
| Taxes | 1.1900 | 1.3000 | 1.2000 | −0.83% |
| Miscellaneous Expenses | 5.9378 | 6.5250 | 8.7500 | −32.14% |
| Total Expenses | 428.600 | 458.050 | 483.000 | −11.26% |
| Net Surplus (Deficit) | 12.7000 | 14.4500 | 17.0000 | −25.29% |

  • Sample of Risk Owners: Identify a representative and diverse group of functional risk owners (managers/executives in field offices with major P/L responsibilities), senior executives, and board members.
  • Education: Develop and deliver a short educational module for the sample group to create a uniform level of understanding on the dynamics and application of ERM.
  • Questionnaire: Administer and analyze a focused questionnaire covering multiple risk management areas including risk culture, risk recognition, risk organization, risk governance, risk control, and risk measurement.
  • Synthesis and Risk Assessment: Synthesize and compile the results obtained from the questionnaire. Develop a detailed multidimensional risk table identifying and prioritizing the existing and potential risks.
  • Mitigation: Develop mitigation strategies for the top risks.
  • Review: Review and assess, on an ongoing basis, the effectiveness of the proposed risk management system.

| Risk Areas | Definition |
| --- | --- |
| Risk Culture | The questions in this segment are designed to elucidate the interplay between the organization’s strategy, goals, decision-making processes, risk appetite, and risk management philosophy. |
| Risk Governance | The questions in this segment focus on the board structure, processes, and levels, and the effectiveness of the board’s involvement, knowledge, and transparency in devising strategies to carry out risk management decisions. |
| Risk Organization | This section focuses on the administrative and operational nature of capturing, communicating, reporting, monitoring, and compliance related to risk management actions. |
| Risk Recognition | This segment is designed to elucidate the organization’s ability to identify risks, distinguish risks from opportunities, recognize risk metrics, and increase awareness of fraudulent activities. |
| Risk Control | The questions in this segment have been designed to gauge the firm’s level of existing control regarding overall risk exposure. |
| Risk Assessment | Devise and implement consistent multi-dimensional risk indices, which are used to assess and prioritize potential categories of risks. |

| Maturity (Level) | Maturity-Level Characteristics |
| --- | --- |
| Ad hoc (1) | This implies an extremely primitive level of ERM maturity, where risk management typically depends on the actions of specific individuals, with improvised procedures and poorly understood processes. |
| Initial (2) | Risk is managed in silos, with little integration or risk aggregation. Processes typically lack discipline and rigor. Risk definitions often vary across the silos. |
| Repeatable (3) | A risk assessment framework is generally in place, with the Board of Directors being provided with risk overviews. Approaches to risk management are established and repeatable. |
| Managed (4) | Enterprise-wide risk management activities, such as monitoring, measurement, and reporting, are integrated and harmonized, with measures and controls established. |
| Leadership (5) | Risk-based discussions are embedded at a strategic level, such as long-term planning, capital allocation, and decision-making. Risk appetite and tolerances are clearly understood, with alerts in place to ensure that the board of directors and the executive management are made aware when risk thresholds are exceeded. |

  • Operational Risk: Risks resulting from inadequate or failed procedures, systems, processes, or policies. It includes employee errors, business interruptions, fraud or other criminal activity, equipment failure, logistical bottlenecks, third-party liability, employee safety, timeliness, and accuracy.
  • Financial and Market Risk: Risks resulting from a shortfall in revenues and/or cost escalation, accumulated losses, diminished liquidity, problems in meeting financial obligations, diminished credit rating, forecasting and valuation errors, audit problems, portfolio losses, and poor hedging against market volatility (interest rates, exchange rates, and stock prices).
  • Regulatory and Legal Risk: Risks resulting from lawsuits and unpredictable changes in the local and global regulatory environment and from noncompliance with statutory and accreditation rules.
  • Strategic Risk: Risks resulting from poor articulation and communication of goals and strategies, misalignment of the strategic plan and corporate governance, an uninformed board, and a lack of established and effective review processes.
  • Human Resources Risk: Risks resulting from problems in employee recruitment and retention, low labor productivity, and a sub-optimal compensation system.
  • Innovation Risk: Risks resulting from inertia in identifying and implementing new products and services in local and foreign markets in response to political, macroeconomic, and market changes.
  • Geopolitical Risk: Risks resulting from political changes, sanctions, travel bans, economic and political retaliation, and the nationalization of foreign assets and establishments.
  • Credit Risk: Risks resulting from competition, economic slowdown/slow recovery, supply chain disruption, embargoes, customer attrition, changes in customers’ expectations and demand, and changes in customers’ financial capacity.
  • Informational/Security Risk: Risks resulting from cyber security attacks and hacking, using outdated and inefficient information systems (technology obsolescence), and communication system failure.
  • Reputation Risk: Risks resulting from a decline in or lack of brand and image, the loss of customers’ trust, negative publicity, recruitment challenges, and fundraising problems.

  • Very Low: p < 0.15
  • Low: 0.15 < p < 0.3
  • Medium: 0.3 < p < 0.5
  • High: 0.5 < p < 0.75
  • Very high: p > 0.75

Ad hoc, Initial, Repeatable, Managed, Leadership

  • Very Negative: −25% < G < −50%
  • Negative: 0% > G < −25%
  • Neutral: 0%
  • Positive: 0% < G < 40%
  • Very Positive: G > 40%

| Risk Areas | Average Score | Sectional Average |
| --- | --- | --- |
| Risk Culture | | |
| Overall, is the firm willing to take any magnitude of risk in order to achieve strategic objectives? | 2.37 | 2.70 |
| How are the critical competencies of the firm structured, in a range from “Operational” to “Entrepreneurial”? | 2.61 | |
| How do you describe the reward structure of the company, in a range from “Margins and Productivity” to “Milestones and Growth”? | 2.63 | |
| Is the organizational culture “Efficiency, Low Risk, Quality, Customers”, “Risk Taking, Speed, Flexibility, and Experimentation”, or somewhere in between? | 2.98 | |
| Rate the leadership role from being “Authoritative and Top Down” to “Visionary and Involved”. | 2.77 | |
| How would you rank the strategic and related objectives defined by the organization, in a range from “Unclear and Unfocused” to “Planned and Transparent”? | 2.82 | |
| Based on the reflection above, rate the firm’s overall risk management culture. | 2.75 | |
| Risk Recognition | | |
| What type of forces, internal and external, impact the risk management culture described above, in a range from “Entirely Internal” to “Entirely External”? | 2.85 | 2.85 |
| Rate the organization’s ability to distinguish risk vs. opportunity. | 2.19 | |
| What are the most relevant assessment metrics for quantifying significant measurable risks and incorporating them into the decision-making process, in a range from “Entirely Qualitative” to “Entirely Quantitative”? | 3.05 | |
| How susceptible is the firm to fraud? Which areas are most susceptible to the same? | 3.45 | |
| Based on the reflection above, rate your department’s overall risk recognition capabilities. | 2.69 | |
| Risk Organization | | |
| How effective is the organization in capturing risk information and communicating it to various constituencies (government, donors, clients, staff, and the board)? | 1.82 | 2.70 |
| Do communication barriers exist within the organization when addressing risk? | 3.42 | |
| How often do you think the senior management involves the board and staff during the strategy-setting process, including when making decisions to accept or reject risk factors? | 2.93 | |
| Rate the activities of writing down, prioritizing, and disseminating risk. | 3.56 | |
| Rate the risk monitoring and reporting system within the organization. | 2.36 | |
| Based on the reflection above, rate the firm’s risk management organizational capacity. | 2.12 | |
| Risk Governance | | |
| Rate the board’s understanding of the organization’s priority risks and how those risks should be addressed. | 2.37 | 2.47 |
| How much do the senior executives involve the board in the assessment of strategic risks? | 3.07 | |
| Rate the frequency with which the company revisits its risk assessment to determine whether the circumstances and conditions have changed or whether there are new emerging risks. | 2.56 | |
| How confident are you about the organization not taking significant risks without the board’s knowledge? | 1.79 | |
| How effective do you consider the organization’s risk management culture and governance functioning to be? | 2.73 | |
| Based on the reflection above, rate the alignment between risk management and governance at the firm. | 2.32 | |
| Risk Control | | |
| How well-defined are the risk management goals in terms of ongoing strategic activities: in a range from “Unclear and Unfocused” to “Planned and Transparent”? | 3.12 | 3.10 |
| How do you rate the quality, reliability, and relevance of the risk reporting? | 2.76 | |
| How effective are the ongoing monitoring activities (e.g., compliance monitoring, risk management group, board monitoring, etc.)? | 2.93 | |
| Rate the risk measuring methodology adopted by the firm when each risk is measured, on an individual level. | 3.20 | |
| Rate the risk measuring methodology adopted by the firm when each risk is measured, on an enterprise level. | 2.09 | |
| Does the company have a rising learning curve with regard to its risk assessment and management process? | 4.47 | |

| Risk Category | Average Probability | Average Impact | Average Control | Variance (Expected Impact) | Variance (Control) |
| --- | --- | --- | --- | --- | --- |
| Strategic Risk | 46.46% | −0.3444 | 4.23 | 0.0129 | 0.3085 |
| Innovation Risk | 54.26% | −0.2764 | 4.30 | 0.0036 | 0.2987 |
| Information and Security Risk | 61.67% | −0.2270 | 4.00 | 0.0107 | 0.3263 |
| Geopolitical Risk | 51.30% | −0.2924 | 3.95 | 0.0089 | 0.3177 |
| Financial Risk | 48.10% | −0.3534 | 4.05 | 0.0023 | 0.1781 |
| Credit and Product Risk | 57.14% | −0.3325 | 3.76 | 0.0094 | 0.2324 |
| Operational Risk | 44.81% | −0.3571 | 3.76 | 0.0057 | 0.1273 |
| Regulatory and Legal Risk | 45.56% | −0.3073 | 3.95 | 0.0009 | 0.2349 |
| Human Resources Risk | 53.33% | −0.2813 | 3.65 | 0.0020 | 0.1871 |
| Reputation Risk | 42.08% | −0.3802 | 3.35 | 0.0092 | 0.1844 |

Share and Cite

Jalilvand, A.; Moorthy, S. Triangulating Risk Profile and Risk Assessment: A Case Study of Implementing Enterprise Risk Management System. J. Risk Financial Manag. 2023 , 16 , 473. https://doi.org/10.3390/jrfm16110473

Business Insights

Harvard Business School Online's Business Insights Blog provides the career insights you need to achieve your goals and gain confidence in your business skills.


What Is Risk Management & Why Is It Important?


  • 24 Oct 2023

Businesses can’t operate without risk. Economic, technological, environmental, and competitive factors introduce obstacles that companies must not only manage but overcome.

According to PwC’s Global Risk Survey, organizations that embrace strategic risk management are five times more likely to deliver stakeholder confidence and better business outcomes and two times more likely to expect faster revenue growth.

If you want to enhance your job performance and identify and mitigate risk more effectively, here’s a breakdown of what risk management is and why it’s important.


What Is Risk Management?

Risk management is the systematic process of identifying, assessing, and mitigating threats or uncertainties that can affect your organization. It involves analyzing risks’ likelihood and impact, developing strategies to minimize harm, and monitoring measures’ effectiveness.

“Competing successfully in any industry involves some level of risk,” says Harvard Business School Professor Robert Simons, who teaches the online course Strategy Execution. “But high-performing businesses with high-pressure cultures are especially vulnerable. As a manager, you need to know how and why these risks arise and how to avoid them.”

According to Strategy Execution, strategic risk has three main causes:

  • Pressures due to growth: This is often caused by an accelerated rate of expansion that makes staffing or industry knowledge gaps more harmful to your business.
  • Pressures due to culture: While entrepreneurial risk-taking can come with rewards, executive resistance and internal competition can cause problems.
  • Pressures due to information management: Since information is key to effective leadership, gaps in performance measures can result in decentralized decision-making.

These pressures can lead to several types of risk that you must manage or mitigate to avoid reputational, financial, or strategic failures. However, risks aren’t always obvious.

“I think one of the challenges firms face is the ability to properly identify their risks,” says HBS Professor Eugene Soltes in Strategy Execution.

Therefore, it’s crucial to pinpoint unexpected events or conditions that could significantly impede your organization’s business strategy.


According to Strategy Execution, strategic risk comprises:

  • Operations risk: This occurs when internal operational errors interrupt your products or services’ flow. For example, shipping tainted products can negatively affect food distribution companies.
  • Asset impairment risk: This occurs when your company’s assets lose a significant portion of their current value because of a decreased likelihood of receiving future cash flows. For instance, a company can lose property assets, like a manufacturing plant, to a natural disaster.
  • Competitive risk: Changes in the competitive environment can interrupt your organization’s ability to create value and differentiate its offerings—eventually leading to a significant loss in revenue.
  • Franchise risk: This occurs when your organization’s value erodes because stakeholders lose confidence in its objectives. This primarily results from failing to control any of the strategic risk sources listed above.

Understanding these risks is essential to ensuring your organization’s long-term success. Here’s a deeper dive into why risk management is important.

4 Reasons Why Risk Management Is Important

1. Protects Organization’s Reputation

In many cases, effective risk management proactively protects your organization from incidents that can affect its reputation.

“Franchise risk is a concern for all businesses,” Simons says in Strategy Execution. “However, it's especially pressing for businesses whose reputations depend on the trust of key constituents.”

For example, airlines are particularly susceptible to franchise risk because of unforeseen events, such as flight delays and cancellations caused by weather or mechanical failure. While such incidents are considered operational risks, they can be incredibly damaging.

In 2016, Delta Airlines experienced a national computer outage, resulting in over 2,000 flight cancellations. Delta not only lost an estimated $150 million but took a hit to its reputation as a reliable airline that prided itself on “canceling cancellations.”

While Delta bounced back, the incident illustrates how mitigating operational errors can make or break your organization.

2. Minimizes Losses

Most businesses create risk management teams to avoid major financial losses. Yet, various risks can still impact their bottom lines.

A Vault Platform study found that dealing with workplace misconduct cost U.S. businesses over $20 billion in 2021. In addition, Soltes says in Strategy Execution that corporate fines for misconduct have risen 40-fold in the U.S. over the last 20 years.

One way to mitigate financial losses related to employee misconduct is by implementing internal controls. According to Strategy Execution, internal controls are the policies and procedures designed to ensure reliable accounting information and safeguard company assets.

“Managers use internal controls to limit the opportunities employees have to expose the business to risk,” Simons says in the course.

One company that could have benefited from implementing internal controls is Volkswagen (VW). In 2015, VW whistle-blowers revealed that the company’s engineers deliberately manipulated diesel vehicles’ emissions data to make them appear more environmentally friendly.

This led to severe consequences, including regulatory penalties, expensive vehicle recalls, and legal settlements—all of which resulted in significant financial losses. By 2018, U.S. authorities had extracted $25 billion in fines, penalties, civil damages, and restitution from the company.

Had VW maintained more rigorous internal controls to ensure transparency, compliance, and proper oversight of its engineering practices, perhaps it could have detected—or even averted—the situation.

3. Encourages Innovation and Growth

Risk management isn’t just about avoiding negative outcomes. It can also be the catalyst that drives your organization’s innovation and growth.

“Risks may not be pleasant to think about, but they’re inevitable if you want to push your business to innovate and remain competitive,” Simons says in Strategy Execution.

According to PwC, 83 percent of companies’ business strategies focus on growth, despite risks and mixed economic signals. In Strategy Execution, Simons notes that competitive risk is a challenge you must constantly monitor and address.

“Any firm operating in a competitive market must focus its attention on changes in the external environment that could impair its ability to create value for its customers,” Simons says.

This requires incorporating boundary systems—explicit statements that define and communicate risks to avoid—to ensure internal controls don’t extinguish innovation.

“Boundary systems are essential levers in businesses to give people freedom,” Simons says. “In such circumstances, you don’t want to stifle innovation or entrepreneurial behavior by telling people how to do their jobs. And if you want to remain competitive, you’ll need to innovate and adapt.”

Netflix is an example of how risk management can inspire innovation. In the early 2000s, the company was primarily known for its DVD-by-mail rental service. With growing competition from video rental stores, Netflix went against the grain and introduced its streaming service. This changed the market, resulting in a booming industry nearly a decade later.

Netflix’s innovation didn’t stop there. Once the streaming services market became highly competitive, the company shifted once again to gain a competitive edge. It ventured into producing original content, which ultimately helped differentiate its platform and attract additional subscribers.

By offering more freedom within internal controls, you can encourage innovation and constant growth.

4. Enhances Decision-Making

Risk management also provides a structured framework for decision-making. This can be beneficial if your business is inclined toward risks that are difficult to manage.

By pulling data from existing control systems to develop hypothetical scenarios, you can discuss and debate strategies’ efficacy before executing them.

“Interactive control systems are the formal information systems managers use to personally involve themselves in the decision activities of subordinates,” Simons says in Strategy Execution. “Decision activities that relate to and impact strategic uncertainties.”

JPMorgan Chase, one of the most prominent financial institutions in the world, is particularly susceptible to cyber risks because it compiles vast amounts of sensitive customer data. According to PwC, cybersecurity is the number one business risk on managers’ minds, with 78 percent worried about more frequent or broader cyber attacks.

Using data science techniques like machine learning algorithms enables JPMorgan Chase’s leadership not only to detect and prevent cyber attacks but also to address and mitigate risk.

Start Managing Your Organization's Risk

Risk management is essential to business. While some risk is inevitable, your ability to identify and mitigate it can benefit your organization.

But you can’t plan for everything. According to the Harvard Business Review, some risks are so remote that no one could have imagined them. Some result from a perfect storm of incidents, while others materialize rapidly and on enormous scales.

By taking an online strategy course, you can build the knowledge and skills to identify strategic risks and ensure they don’t undermine your business. For example, through an interactive learning experience, Strategy Execution enables you to draw insights from real-world business examples and better understand how to approach risk management.

Do you want to mitigate your organization’s risks? Explore Strategy Execution—one of our online strategy courses—and download our free strategy e-book to gain the insights to build a successful strategy.

Risk management

Bringing the Environment Down to Earth

  • Forest L. Reinhardt
  • From the July–August 1999 Issue

On Bear Stearns, the Democratic Primary, and Other Avoidable Disasters

  • Bill Taylor
  • March 17, 2008

Evidence-Based Management

  • Jeffrey Pfeffer
  • Robert I. Sutton
  • From the January 2006 Issue

Living in a Radical State of Uncertainty

  • Bruce Nussbaum
  • March 23, 2011

The Most Common Ways You Could Get Tricked into Compromising Company Data

  • December 08, 2017

How to Hedge Your Strategic Bets

  • George Stalk, Jr.
  • Ashish Iyer
  • From the May 2016 Issue

Four Simple Low Resolution Innovation Tests

  • Scott Anthony
  • Scott D. Anthony
  • June 13, 2011

How the War in Ukraine Is Further Disrupting Global Supply Chains

  • David Simchi-Levi
  • Pierre Haren
  • March 17, 2022

Three Questions You Should Ask About Your Cyber-Security

  • James Kaplan and Allen Weinberg
  • March 05, 2012

A More Rational Approach to New-Product Development

  • Eric Bonabeau
  • Neil Bodick
  • Robert W. Armstrong
  • From the March 2008 Issue

Cutting the Cost of HIV

  • Mergen Reddy
  • Boetie Swanepoel
  • From the September 2006 Issue

Why Companies Are Betting Against Big Ideas

  • David Aaker
  • February 29, 2012

The Bash Bug Is a Wake-Up Call

  • Karim R. Lakhani
  • September 29, 2014

You Have More Capital than You Think

  • Robert C. Merton
  • From the November 2005 Issue

What Every Executive Needs to Know About Global Warming

  • Kimberly O’Neill Packard
  • From the July–August 2000 Issue

The High Price of Social Media Risk Management

  • Alexandra Samuel
  • October 19, 2012

Why the TSA Screening Revolt is Like Poison Ivy

  • November 23, 2010

Strategic Analysis for More Profitable Acquisitions

  • Alfred Rappaport
  • From the July 1979 Issue

Subprime Analytic Blues

  • Thomas H. Davenport
  • August 28, 2007

New Project? Don't Analyze--Act

  • Leonard A. Schlesinger
  • Charles F. Kiefer
  • Paul B. Brown
  • From the March 2012 Issue

The Ombudsman: Examining Portfolio Risk in Troubled Times (B)

  • Chuck Grace
  • April 08, 2015

The Walt Disney Studios

  • Anita Elberse
  • April 28, 2016

General Motors Corp. (C): 1990-92

  • Peter Tufano
  • Markus F. Mullarkey
  • William J. Wildern
  • August 11, 1998

Crisis Management: North American Sporting League Visits Mexico City (A)

  • George Foster
  • March 03, 2009

General Motors Corp. (D): 1993-96

Crisis Management: North American Sporting League Visits Mexico City (B)

  • Joshua D. Margolis
  • Fernanda Miguel
  • January 20, 2021

Foreign Direct Investment in the Middle East: Riyadh and Dubai

  • F. John Mathis
  • Raja A. Albqami
  • Tim Rogmans
  • August 18, 2011

Groupe Eurotunnel S.A. (A)

  • Stuart C. Gilson
  • Vincent Dessain
  • Sarah L. Abbott

Note: Credit Rating Agencies

  • William E. Fruhan
  • September 04, 2008

Leadership on the Line, With a New Preface: Staying Alive Through the Dangers of Change

  • Ronald Heifetz
  • Marty Linsky
  • July 11, 2017

Long-Term Capital Management, L.P. (C)

  • Andre F. Perold
  • November 05, 1999

McDonald's Corp. (Abridged)

  • David M. Upton
  • October 03, 2002

Porsche: The Cayenne Launch

  • John Deighton
  • Jeffrey Fear
  • February 15, 2011

Stripe: Helping Money Move on the Internet

  • Sarit Markovich
  • Nilima Achwal
  • Eric Queathem
  • October 10, 2017

Czech Mate: CME and Vladimir Zelezny (E)--CME Returns

  • Mihir A. Desai
  • Kathleen Luchs
  • January 25, 2005

Crisis Management: North American Sporting League Visits Mexico City (C)

The Tale of Two Peregrines

  • Agnes K.Y. Tai
  • June 26, 2013

Business Process Reengineering of Accounts Payable at ABC, Inc. (3): Role of Purchasing Manager

  • August 25, 2017

Khosla Ventures: Biofuels Gain Liquidity

  • Joseph B. Lassiter
  • William A. Sahlman
  • Alison Berkley Wagonfeld
  • Evan Richardson
  • September 23, 2011

Risk Management Case Studies

Mitigating Risk

As John Curnow inherited $7 million of debt when he became CEO of three advertising agencies during the global financial crisis, he has given a lot of thought to risk mitigation. Now, as Founder and Managing Director of Virtual Ad Agency (VAA), his entire business model is based on risk mitigation.

Creative Recovery

Imagine landing a multi-million dollar contract to conduct business in Dubai - then not getting paid for the work you've done. Discover how one entrepreneur is using the lessons learnt from this experience to rebuild his company bigger, better and stronger after a complete collapse.

Under Pressure

What would you do if your bank cancelled your short-term finance facility just as you had landed three new contracts? Now imagine that happening between Christmas and New Year. Welcome to Paul Newbound’s nightmare.

Medals Of Honour

Two Defence Force Academy graduates have been successfully applying their military training to a corporate assault on the project management sector.

Startup Decompression

An innovative R&D start-up is fighting a classic battle that faces most brilliant youngsters: turning intellectual property into a cash-flowing business.

Sweet Harvest

Setting out to challenge a dominant market player became a whole lot harder when a new fruit-processing business ran into cashflow problems.

Armor-Plated Business

A Sydney inventor uses technology to strengthen his glass and mentors to reinforce his management weaknesses.

The Case For Safety

The cost of not maintaining a safe workplace can be injured workers and criminal action against directors.

How To Make Good Ideas Pay

A New Zealand research commercialiser says the new-idea business is all about experience, contacts and patent defence.

Keeping The Thief From Your Door

Police can no longer cope with theft from workplaces. Two experts tell how to avoid the problem in the first place.

Work Safety Begins Before The Work Starts

When Des Walters won a contract to provide dive services for a major construction project, he knew his company's reputation would depend on keeping workers safe.

Copyright © 2024 International Institute of Directors and Managers ABN 26 112 140 299. All rights reserved.

  • Volume 14, Issue 6
  • Development and validation of a model to predict the need for artificial airways for acute trauma patients in the emergency department: a retrospective case–control study
  • http://orcid.org/0000-0003-3920-3641 Ping Li 1 ,
  • http://orcid.org/0009-0007-3965-0456 Zhuo Zhang 2 ,
  • Hai Fang Yu 2 ,
  • Rong Yao 2 ,
  • Wei Wei 2 ,
  • http://orcid.org/0000-0002-4799-3500 Hu Nie 2 , 3
  • 1 Department of Critical Care Medicine , West China Hospital, Sichuan University , Chengdu , China
  • 2 Emergency Department , West China Hospital, Sichuan University , Chengdu , China
  • 3 West China Xiamen Hospital of Sichuan University , Xiamen , China
  • Correspondence to Dr Hu Nie; 456nh{at}163.com

Objective To develop scores for predicting the need for artificial airway procedures for acute trauma patients in the emergency department (ED).

Design Retrospective case–control.

Setting A tertiary comprehensive hospital in China.

Participants 8288 trauma patients admitted to the ED within 24 hours of injury and who were admitted from 1 August 2012 to 31 July 2020.

Primary and secondary outcome measures The study outcome was the establishment of an artificial airway within 24 hours of admission to the ED. Based on the different feature compositions, two scores were developed in the development cohort by multivariable logistic regression. The predictive performance was assessed in the validation cohort.

Results The O-SPACER (Oxygen saturation, Systolic blood pressure, Pulse rate, Age, Coma Scale, Eye response, Respiratory rate) score was developed based on the patient’s basic information with an area under the curve (AUC) of 0.85 (95% CI 0.80 to 0.89) in the validation group. Based on the basic information and trauma scores, the IO-SPACER (Injury Severity Score, Oxygen saturation, Systolic blood pressure, Pulse rate, Age, Coma Scale, Eye response, Respiratory rate) score was developed, with an AUC of 0.88 (95% CI 0.84 to 0.92). According to the O-SPACER and IO-SPACER scores, the patients were stratified into low, medium and high-risk groups. According to these two scores, the high-risk patients were associated with an increased demand for artificial airways, with an OR of 40.16–40.67 compared with the low-risk patients.

Conclusions The O-SPACER score provides risk stratification for injured patients requiring urgent airway intervention in the ED and may be useful in guiding initial management. The IO-SPACER score may assist in further determining whether the patient needs planned intubation or tracheotomy early after trauma.

  • Trauma management
  • Clinical Decision-Making
  • Risk management

Data availability statement

Data are available upon reasonable request.

This is an open access article distributed in accordance with the Creative Commons Attribution Non Commercial (CC BY-NC 4.0) license, which permits others to distribute, remix, adapt, build upon this work non-commercially, and license their derivative works on different terms, provided the original work is properly cited, appropriate credit is given, any changes made indicated, and the use is non-commercial. See:  http://creativecommons.org/licenses/by-nc/4.0/ .

https://doi.org/10.1136/bmjopen-2023-081638

Strengths and limitations of this study

Risk stratification of the need for artificial airway procedures was determined by X-tile software.

Two scores were developed based on different feature compositions to better fit the clinical scenarios.

The large study population ensured sufficient statistical power.

Whether patients establish artificial airways was mainly decided by the emergency doctor, and some of these decisions are jointly decided by the emergency doctor and the surgeon.

The performance of this model is limited by a single piece of data on admission.

Introduction

Trauma is one of the major causes of death and disability worldwide. Trauma accounts for 16% of the global disease burden; 16 000 people die from trauma, and millions of people temporarily or permanently become disabled owing to trauma. 1 In low and middle-income countries, injury-related mortality and disability account for approximately 90% of the global burden. 2

As the classic trauma management procedure, the initial assessment of Advanced Trauma Life Support 3 starts with airway management, which aims to identify obstructed or potentially obstructed airways and relieve the obstruction. Adequate airway management has been identified as one of the means to reduce preventable trauma-related death. 4

The Eastern Association for the Surgery of Trauma proposed the indications of endotracheal intubation for trauma patients in 2012. The level 1 recommendations included airway obstruction, hypoventilation, persistent hypoxaemia (SaO2<90%) despite supplemental oxygen, severe cognitive impairment (Glasgow Coma Scale (GCS) ≤8), severe haemorrhagic shock and cardiac arrest. The level 3 recommendations included facial or neck injury with the potential for airway obstruction, moderate cognitive impairment (GCS>9), persistent combativeness refractory to pharmacological agents, respiratory distress, preoperative management and cervical spinal cord injury with any evidence of respiratory insufficiency. 5 The indications in level 1 recommendations are easy to identify, while the indications in level 3 cannot be quantified and lack a uniform definition, which creates a challenge for medical staff to recognise injured patients in need of artificial airways (including endotracheal intubation and tracheotomy).

Therefore, the objective of this study was to develop and validate a model for predicting the need for artificial airway procedures for acute trauma patients in the emergency department (ED).

Study design and sample selection

This study was conducted from September 2020 to August 2022. The requirement for written informed consent was waived by the Biomedical Ethics Committee of West China Hospital, Sichuan University, because this study was retrospective and there was no intervention implemented. This work has been reported in compliance with the Transparent Reporting of a Multivariable Prediction Model for Individual Prognosis or Diagnosis reporting guideline. 6

This was a retrospective case–control study. All trauma patients admitted to the ED of West China Hospital, Sichuan University, within 24 hours of injury and who were admitted from 1 August 2012 to 31 July 2020 were included. The exclusion criteria were as follows: (1) pregnant patients; (2) patients aged <16; (3) patients lacking any one of the following information: current medical history, physical examination or imaging examination results; (4) patients who had established artificial airways, such as endotracheal intubation, tracheotomy and cricothyroid membrane puncture, when transferred to the ED; (5) patients with a Japan Coma Scale (JCS) score of 3 (indicating inability for being aroused by any forceful stimuli); and (6) patients with out-of-hospital cardiac arrest.

The study outcome was the establishment of an artificial airway within 24 hours of admission to the ED. The included patients were divided into an artificial airway group and a control group according to the study outcome. Logistic regression was applied to develop the prediction model, for which a minimum of 10 events per variable is recommended. 7 Eight variables were evaluated in the logistic regression model, so the sample size in the derivation stage was at least 80 events. Considering that the proportion of patients in the artificial airway group was 3.03% in this cohort, we planned to collect at least 2641 cases for the prediction cohorts.

Patient and public involvement

Patients or the public were not involved in the design, conduct or reporting of our research.

The variables, including age, gender, vital signs when admitted to the ED, medical history, physical examination and imaging results, were collected retrospectively and integrated into two feature categories based on clinical meanings and acquisition time. One feature category included basic variables, including age, gender, trauma mechanism, the time interval between admission to the ED and establishment of an artificial airway, JCS, vital signs on arrival at the ED (pulse rate (PR), respiratory rate (RR), systolic blood pressure (SBP), diastolic blood pressure, pulse oxygen saturation) and eye response. The other category is the trauma score consisting of the Abbreviated Injury Scale (AIS) and Injury Severity Score (ISS). Based on the patients’ variables on admission to the ED, the basic variables can be evaluated rapidly, while the trauma score may require more time to accumulate, which requires the information of the patient’s physical examination and imaging results.

The trauma mechanisms consisted of penetrating injury and blunt injury (traffic accident injury, high falling injury, flat ground falling injury, heavy pound injury (namely injury caused by heavy objects), scald burn and combined injury), which were determined by the patient’s medical history. The JCS is an extensively adopted scale for assessing the patients’ consciousness levels and was described in 1974. The scale is composed of three main categories: JCS-1 indicates awake without stimuli, JCS-2 means arousable with some stimuli (but reverts to the previous status if the stimulus stops) and JCS-3 indicates not able to be aroused by any forceful stimuli. 8 The JCS has a good correlation with the GCS 9 and is more concise than the GCS.

Whether the pupils were of equal diameter was recorded according to the physical examination, and the pupils were classified as equal, unequal and unable to be checked. Any limited examination caused by eye trauma was recorded as unable to be checked. The eye response was also recorded in accordance with the physical examination, which was classified as sensitive, slow, absent and unable to be checked. The JCS and pupillary-related examinations were recorded according to the physical examination.

The vital signs on arrival at the ED included PR (<60 beats per minute (bpm) or unmeasurable or ≥110 bpm, 60–109 bpm) and RR (<12 bpm or unmeasurable or ≥22 bpm, 12–21 bpm), SBP (<90 mmHg or unmeasurable, ≥90 mmHg), diastolic blood pressure (<60 mmHg or unmeasurable, ≥60 mmHg) and pulse oxygen saturation (<90% or unmeasurable, ≥90%).

AIS is an internationally recognised trauma severity scoring system based on anatomy. The AIS score was determined retrospectively according to the physical examination record and imaging results. The AIS scores were categorised into two categories: <3 and ≥3. 10 According to the different body regions, AIS is divided into six parts: head and neck, face, chest, abdomen, limbs as well as skin. ISS is scored on the basis of AIS, which equals the sum of squares of AIS of the three most severely injured body parts. The score ranges from 0 to 75; the higher the score is, the greater the severity of trauma. The ISS scores were grouped into three categories: <16, 16–24 and ≥25. 11 12

Statistical analysis

SPSS (V.23.0; IBM SPSS) was applied to analyse the data and construct a predictive model. MedCalc (V.18.2.1) was used to compare the area under the curve (AUC) value between the two scores. X-tile software (V.3.6.1) was applied to perform risk stratification. The measurement data obeying a normal distribution are represented as the mean and SD and were compared using an independent samples t-test. The measurement data obeying a skewed distribution are represented as the median and IQR and were compared using the Mann-Whitney U test. Numeration data are represented as counts and percentages and were compared using the χ² test. To preserve the study sample and reduce bias, the median value was used to handle the missing measurement data, while the missing values of numeration data were replaced with the mode values.

The included patients were randomly divided into a development group and a validation group. The former accounted for 70% of the total patients, and the latter accounted for 30% of the total patients. To increase the clinical application, the continuous variables were converted into classified variables based on the Youden index or clinical meanings. In the development cohort, univariable logistic regression analysis was applied to select predictors, and multivariable logistic analysis was used to identify the coefficient β and OR. The selected predictors were weighted on the basis of the respective coefficient β. The Hosmer-Lemeshow test was applied to assess the goodness of fit for the developed system, and an adequate fit was assumed if p>0.05. The data in the validation group were used to verify the model. The performance of this model was evaluated with AUC. There was a significant difference if the two-sided p value <0.05.

To better fit the clinical scenarios, two scores were developed: one was based on the basic information to achieve a quick evaluation, and the other was based on both the basic information and trauma score to identify the function of the trauma score to artificial airway demand.

A total of 13 685 patients were included, and 5397 patients were excluded based on the exclusion criteria. Finally, 8288 patients were analysed in this study, including 251 in the artificial airway group and 8037 in the control group. There were 5801 patients in the development group and 2487 in the validation group (figure 1). Artificial airways were established in 170 (2.93%) patients in the development group and 81 (3.26%) patients in the validation group.

Figure 1. Patient selection. JCS, Japan Coma Scale.

Among the 251 patients requiring artificial airways, 227 underwent endotracheal intubation and 24 underwent a tracheotomy. The median time interval between admission to the ED and establishment of an artificial airway was 1.67 hours, with an IQR of 0.58–3.47.

Baseline feature comparison

The study population is characterised in online supplemental table 1. Compared with the control group, patients in the artificial airway group were significantly older (49.39±18.72 vs 46.69±16.51, p=0.03). There was no difference in gender composition between the two groups. Additionally, the SBP, diastolic blood pressure and oxygen saturation in the artificial airway group were significantly lower than those in the control group, while the PR and RR were significantly higher. The head AIS, face AIS, chest AIS, abdomen AIS and ISS in the artificial airway group were significantly higher than those in the control group. There was no significant difference in the AIS of limbs and AIS of skin between the two groups.

Predictive score based on basic information

Continuous variables were converted into classified variables according to the largest Youden index or clinical meaning for convenient clinical application. The variables with p<0.05 in the univariate logistic regression (online supplemental table 2) were further evaluated with multivariate logistic regression.

For the variables in the basic information category, a total of seven variates, including age >60 years, SBP<90 mmHg, PR, RR, pulse oxygen saturation <90%, eye response and JCS, were found to be related to artificial airway demand for injured patients. JCS-2 achieved the largest OR of 5.94. According to coefficient β, these variates were weighted, and the respective score is displayed in table 1. The scoring system was summarised by the mnemonic ‘O-SPACER’ (Oxygen saturation, Systolic blood pressure, Pulse rate, Age, Coma Scale, Eye response, Respiratory rate) (table 2). The Hosmer-Lemeshow test was applied to examine the goodness of fit for the ‘O-SPACER’ system with a p value of 0.31.

Table 1. Multivariate logistic regression for identifying the injured patients needing artificial airway in development group based on two feature compositions

Table 2. Two scores developed based on the different feature compositions

The patients were then divided into three risk groups according to their O-SPACER score: low risk, score 0; medium risk, score 1–2; and high risk, score 3–9. In both development and validation groups, the OR values of medium-risk and high-risk groups were significantly higher than the low-risk group (table 3).

Table 3. Performance of the O-SPACER score and IO-SPACER score

Predictive score based on both the basic information and trauma score

There were eight variables independently associated with artificial airway demand in multivariate logistic regression ( table 1 ). Among the eight variables, ISS was the newly added on the basis of the variables in the O-SPACER score. Likewise, the mnemonic ‘IO-SPACER’ (Injury Severity Score, Oxygen saturation, Systolic blood pressure, Pulse rate, Age, Coma Scale, Eye response, Respiratory rate) was developed, which is presented in table 2 .

According to the IO-SPACER score, the patients were stratified into low-risk (0–1), medium-risk (2–3) and high-risk (4–11) groups ( table 3 ). Using the low-risk group as a reference, IO-SPACER scores of 2–3 and >4 were associated with ORs of 6.32 (95% CI 3.14 to 12.72, p<0.001) and 60.06 (95% CI 31.34 to 115.08, p<0.001), respectively, for artificial airway demand. In the validation cohort, a medium-risk and high-risk O-SPACER score was associated with increased demand for artificial airways (OR=4.40, 95% CI 1.82 to 10.65, p=0.001; and OR=40.16, 95% CI 18.13 to 88.97, p<0.001, respectively).

Receiver operating characteristic curves were drawn, and AUCs were calculated to evaluate the performance of the two scores developed in this study (figure 2, online supplemental table 3). In the validation group, the AUC of the IO-SPACER was significantly larger than the AUC of the O-SPACER (0.88 with 95% CI 0.84 to 0.92 vs 0.85 with 95% CI 0.80 to 0.89, p=0.002, in the DeLong test).

Receiver operating characteristic curves of the IO-SPACER (Injury Severity Score, Oxygen saturation, Systolic blood pressure, Pulse rate, Age, Coma Scale, Eye response, Respiratory rate) and O-SPACER (Oxygen saturation, Systolic blood pressure, Pulse rate, Age, Coma Scale, Eye response, Respiratory rate) scores.

The present study developed the O-SPACER score and IO-SPACER score for predicting the need for artificial airway procedures in acute trauma patients based on a large sample, and these scores provide new tools for risk assessment and airway management in acute trauma.

Several studies 13–20 have explored the predictive system of artificial airways or surgical airways for injured patients, and the risk factors found in those studies included age, 13 gender, 13 18 American Spinal Injury Association (ASIA), 13 16 ASIA Motor Score, 13 16 ISS, 13 state of consciousness, 17 haemodynamic instability, 14 history of smoking, 15 history of lung diseases, 15 trauma mechanism, 17 trauma site, 15–18 pulmonary complications 14 and so on. The sample sizes of these studies ranged from 146 to 788 patients. 13–16 19 20 Limited sample sizes make it difficult to identify the risk factors for artificial airway demand for patients with acute trauma. Furthermore, the time of the establishment of the artificial airway was not clearly defined. The major reasons for establishing an artificial airway within 1 day after trauma are different from the reasons for establishing an artificial airway within 5 days after trauma. The former is closely related to trauma, while the latter may be more correlated with trauma-related complications.

The two scoring systems derived in this study are consistent with the standard trauma assessment procedures, and they start with a primary assessment based on the patient’s basic physical examination, which is followed by a secondary assessment based on anatomical information provided by imaging examinations. In addition, considering the time dependence of calculating AIS and ISS, it may not be practical to guide clinical practice according to the IO-SPACER score for patients requiring urgent airway intervention during initial care in the ED, although the performance of the IO-SPACER was greater than that of the O-SPACER score in terms of AUC. Therefore, the IO-SPACER score was a better fit for patients needing planned intubation or tracheotomy early after trauma.

This risk stratification, if validated in prospective studies, is a potentially important tool for the initial clinician, with the potential to identify those patients at high risk on admission. As an adjunct to the existing risk assessment of airway management, this scoring system may aid in the preparation and prediction. In consideration of the serious adverse effect of unplanned intubation, we can pay more attention to high-risk patients, and this can optimise the utilisation of medical resources, especially in the context of busy emergency medical work, which includes a seriously unbalanced proportion of medical staff and patients.

There are several unavoidable limitations. First, the proportion of patients in the artificial airway group was only 3.03%, which was similar to the research by Okada et al 17 and Hayashida et al 18, so this model may increase the risk of overfitting. Second, in this study, whether patients establish artificial airways and what kind of artificial airway to establish are mainly decided by the emergency doctor, and some of these decisions are jointly decided by the emergency doctor and the surgeon. Therefore, there may be some limitations on the generalisation of the model. Multicentre research should be carried out in the future to fix this deficiency. Third, a single piece of data certainly cannot cover as much information as dynamic data, so further studies based on dynamic data can be carried out to dynamically assess the risk. Fourth, to rule out endotracheal intubation due to late complications such as lung infection, the study outcome was set as the establishment of an artificial airway within 24 hours of admission to the ED. However, the cut-off time for establishing an artificial airway needs to be further explored in future research.

To conclude, the O-SPACER score may permit risk stratification of injured patients requiring urgent airway intervention in the ED and may be useful in guiding initial management. The IO-SPACER score may assist in further determining whether the patient needs planned intubation or tracheotomy early after trauma.

Ethics statements

Patient consent for publication.

Not applicable.

Ethics approval

This study was approved by the Biomedical Ethics Committee of West China Hospital, Sichuan University (approval ID: 2020(1030)).

  • Wang T , et al
  • LaGrone L ,
  • Joshipura M , et al
  • Galvagno SM ,
  • Nahmias JT ,
  • Schoeneberg C ,
  • Schilling M ,
  • Hussmann B , et al
  • Mayglothling J ,
  • Gibbs M , et al
  • Collins GS ,
  • Reitsma JB ,
  • Altman DG , et al
  • Wynants L ,
  • Bouwmeester W ,
  • Moons KGM , et al
  • Yorifuji T , et al
  • Kiguchi T ,
  • Iiduka R , et al
  • Newgard CD ,
  • Goldhaber-Fiebert JD , et al
  • Schröter C ,
  • Urbanek F ,
  • Frömke C , et al
  • Becnel C , et al
  • Montoto-Marqués A ,
  • Trillo-Dono N ,
  • Ferreiro-Velasco ME , et al
  • Mantha S , et al
  • Daozhi X , et al
  • Fang Z , et al
  • Hashimoto K ,
  • Ishii W , et al
  • Hayashida K ,
  • Matsumoto S ,
  • Kitano M , et al
  • Deng JX , et al
  • Bachoumas K ,
  • Le Thuaut A , et al

Supplementary materials

Supplementary data.

This web only file has been produced by the BMJ Publishing Group from an electronic file supplied by the author(s) and has not been edited for content.

  • Data supplement 1

Contributors PL: contributes to literature search, study design, data collection, data analysis and writing. ZZ: contributes to literature search, study design and data analysis. HFY: contributes to study design and data interpretation. RY, WW: contribute to study design, data analysis and data interpretation. HN: contributes to study design, data interpretation, critical revision and funding acquisition as well as serves as guarantor and accepts full responsibility for the work and/or the conduct of the study, has access to the data, and controls the decision to publish.

Funding Financial support for this study was provided in part by a grant from the project of Medical Personnel Training and Discipline Development Fund in Western China (2019xb008) and Clinical Research Incubation Project of West China Hospital of Sichuan University (2021HXFH004).

Competing interests None declared.

Patient and public involvement Patients and/or the public were not involved in the design, or conduct, or reporting, or dissemination plans of this research.

Provenance and peer review Not commissioned; externally peer reviewed.

Supplemental material This content has been supplied by the author(s). It has not been vetted by BMJ Publishing Group Limited (BMJ) and may not have been peer-reviewed. Any opinions or recommendations discussed are solely those of the author(s) and are not endorsed by BMJ. BMJ disclaims all liability and responsibility arising from any reliance placed on the content. Where the content includes any translated material, BMJ does not warrant the accuracy and reliability of the translations (including but not limited to local regulations, clinical guidelines, terminology, drug names and drug dosages), and is not responsible for any error and/or omissions arising from translation and adaptation or otherwise.


COMMENTS

  1. Risk Management Articles, Research, & Case Studies

    by Samuel G. Hanson, David S. Scharfstein, and Adi Sunderam. In modern economies, a large fraction of economy-wide risk is borne indirectly by taxpayers via the government. Governments have liabilities associated with retirement benefits, social insurance programs, and financial system backstops. Given the magnitude of these exposures, the set ...

  2. Risk Management Case Studies

    How do different organisations use Predict! to manage their risks and opportunities? Read our risk management case studies to learn from their experiences and insights. Find out how Predict! helps them to achieve their strategic objectives, deliver projects on time and budget, and improve their risk culture.

  3. Enterprise Risk Management Examples l Smartsheet

    The following examples of enterprise risk management can be considered success stories. ERM Case Study: Statoil. A major global oil producer, Statoil of Norway stands out for the way it practices ERM by looking at both downside risk and upside potential.

  4. Project Risk Management: 5 Case Studies You Should Not Miss

    5 Project Risk Management Case Studies. It is now high time to approach the practical side of project risk management. This section provides selected five case studies that explain the need and application of project risk management. Each case study gives an individual approach revealing how risk management can facilitate success of the project.

  5. PDF Risk Management—the Revealing Hand

    global financial crisis. The concern is that top-down risk management will inhibit innovation and entrepreneurial activities. We disagree and argue that risk management should function as a Revealing Hand to identify, assess, and mitigate risks in a cost-efficient manner. Done well, the Revealing Hand of risk management adds value to firms

  6. PDF Case Study: Evaluating and Enhancing Risk Management

    Evaluating and enhancing risk management in an international business. At the request of the board, Broadleaf carried out an independent review of the current framework, strategy and process for managing risk in a major international commercial organisation. We were asked to provide our professional opinion on the current situation and to give ...

  7. Model Risk Management Case Studies: Common Pitfalls and Key Lessons

    In this article, industry experts who have gone through the journey of establishing and executing a mature actuarial model risk management function share their tips and tricks through three case studies that convey commonly faced issues.

  8. Risk on Complex Projects : a Case Study

    Fosters decision-making thinking (NASA, 2008). This paper has presented a case study about a very complex project: the engineering design, procurement, and construction of a 400,000 barrel oil refinery. We hope that you have learned about risk on complex projects and mitigation of risk in the design and procurement phases.

  9. 13 case studies on how risk managers are assessing their risk culture

    UK risk consultant Roger Noon shared with us a variety of tools risk managers can use in-house to help understand behaviours and diagnose culture (Members: access these tools here). Of quantitative risk culture surveys, he says: "Survey instruments can also be used so long as you and your sponsors recognise that they are typically very blunt ...

  10. Increasing Value and Resilience Through Project Risk Management: A Case

    Risk is an effect, in terms of a positive or negative deviation from expected outcomes, resulting from uncertainty (ISO 31000, 2018), that can affect economic performance, business continuity, reputation, and environmental and social outcomes of an organization. Risk management (RM) supports companies in achieving their goals, exploring new opportunities, and reducing potential losses in an ...

  11. Case Studies on Risk Management Failure

    Case Studies on Risk Management Failure. Having understood the advantages and disadvantages of traditional risk management in the previous chapter, this chapter will analyse five case studies. In each of them, traditional risk management activities fell short because unwanted risks materialised with significant financial effect.

  12. PDF Fall 2020 Enterprise Risk Management Case Study


  13. Risk Management in Organizations: An Integrated Case Study Approach

    As noted in Section 2.8.1, risk should incorporate both opportunities (upside risks) and threats (downside risks). Therefore the management should be concerned with providing the necessary tools ...

  14. Triangulating Risk Profile and Risk Assessment: A Case Study of ...

    Establishing an enterprise risk management (ERM) system is widely viewed as providing firms with the tools and processes needed to build resilience and expertise, enabling them to manage the consequences of crises that have led to the collapse of major firms across different industries globally. Intended for use in advanced accounting, auditing, and finance courses, this case study (of a true ...

  15. Risk Management A Case Study

    Risk Management: A Case Study Introduction. You created your risk management plan and identified the risks to the project, determined the ones to which you need to respond, and crafted your action plans. ... As your next step, you develop a short case for conducting the risk assessment and obtain approval for the activity. As you are preparing ...

  16. PDF Case Study: A Practical Approach to Managing Risks for Small Businesses

    • Leverage existing risk management processes in various organizational departments (e.g., Internal Audit, Compliance / Legal). • Clearly communicate the benefits of a successful risk management program. • Build relationships along the way. Also, at this time it was decided that the term "enterprise risk management" would be referred ...

  17. What Is Risk Management & Why Is It Important?

    4 Reasons Why Risk Management Is Important. 1. Protects Organization's Reputation. In many cases, effective risk management proactively protects your organization from incidents that can affect its reputation. "Franchise risk is a concern for all businesses," Simons says in Strategy Execution. "However, it's especially pressing for ...

  18. Risk management

    Risk management Digital Article. Bruce Nussbaum. Natural disasters, nuclear meltdowns, financial chaos, terrorist attacks, Gen Y liberal uprisings, counter-revolutionary clampdowns, sudden ...

  19. Risk Management Case Studies

    Business case studies for success that look at threats to the business - intellectual property (IP) protection, individual and organisation stress, workplace fraud and securing business knowledge. | Business Case Studies | Business Case Study | Management Case Studies | Case Studies in Business | Case Studies in Management | The International Institute Of Directors And Managers | IIDM

  20. Case Study in Risk Management: Private Wealth

    Risk management solutions recommended by advisers should consider the family's overall health, wealth, and long-term goals. This case study explores some of the risk management issues for a married couple living in a hypothetical country in the Eurozone. The case spans several decades and follows the couple through different stages of life ...

  21. Case study on risk management practice in large offshore‐outsourced

    1 Introduction 1.1 Background of the study. Software development risk can be defined as an uncertain event or condition that has a negative effect on project outcome [1, 2]. As a result of globalisation, managing simple in-house projects have given way to new business models such as offshoring and outsourcing, where multiple IT teams and organisations work across geographies and cultures.

  22. Analytical Credit Risk Case Studies

    Read the results from our recent research where we assessed the credit risk of 22 industry sectors (Corporates and Banks) in the United States and compare historical trends based on the probability of default score generated by the RiskGauge™ Model, with forecasted trends based on this score conditioned with macroeconomic scenarios.

  23. Development and validation of a model to predict the need for

    The present study developed the O-SPACER score and IO-SPACER score for predicting the need for artificial airway procedures in acute trauma patients based on a large sample, and these scores provide new tools for risk assessment and airway management in acute trauma. Several studies13-20 have explored the predictive system of artificial ...