Enterprise Risk Management Case Studies: Heroes and Zeros

By Andy Marker | April 7, 2021

We’ve compiled more than 20 case studies of enterprise risk management programs that illustrate how companies can prevent significant losses yet take risks with more confidence.   

Included on this page, you’ll find case studies and examples by industry, case studies of major risk scenarios (and company responses), and examples of ERM successes and failures.

Enterprise Risk Management Examples and Case Studies

With enterprise risk management (ERM), companies assess potential risks that could derail strategic objectives and implement measures to minimize or avoid those risks. You can analyze examples (or case studies) of enterprise risk management to better understand the concept and how to properly execute it.

The collection of examples and case studies on this page illustrates common risk management scenarios by industry, principle, and degree of success. For a basic overview of enterprise risk management, including major types of risks, how to develop policies, and how to identify key risk indicators (KRIs), read “Enterprise Risk Management 101: Programs, Frameworks, and Advice from Experts.”

Enterprise Risk Management Framework Examples

An enterprise risk management framework is a system by which you assess and mitigate potential risks. The framework varies by industry, but most include roles and responsibilities, a methodology for risk identification, a risk appetite statement, risk prioritization, mitigation strategies, and monitoring and reporting.

To learn more about enterprise risk management and find examples of different frameworks, read our “Ultimate Guide to Enterprise Risk Management.”

Enterprise Risk Management Examples and Case Studies by Industry

Though every firm faces unique risks, those in the same industry often share similar risks. By understanding industry-wide common risks, you can create and implement response plans that offer your firm a competitive advantage.

Enterprise Risk Management Example in Banking

Toronto-headquartered TD Bank organizes its risk management around two pillars: a risk management framework and risk appetite statement. The enterprise risk framework defines the risks the bank faces and lays out risk management practices to identify, assess, and control risk. The risk appetite statement outlines the bank’s willingness to take on risk to achieve its growth objectives. Both pillars are overseen by the risk committee of the company’s board of directors.  

Risk management frameworks were an important part of the International Organization for Standardization’s 31000 standard when it was first written in 2009 and have been updated since then. The standards provide universal guidelines for risk management programs.  

Risk management frameworks also resulted from the efforts of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The group was formed to fight corporate fraud and included risk management as a dimension. 

Once TD completes the ERM framework, the bank moves onto the risk appetite statement. 

The bank, which built a large U.S. presence through major acquisitions, determined that it will only take on risks that meet the following three criteria:

  • The risk fits the company’s strategy, and TD can understand and manage those risks. 
  • The risk does not render the bank vulnerable to significant loss from a single risk.
  • The risk does not expose the company to potential harm to its brand and reputation. 

Some of the major risks the bank faces include strategic risk, credit risk, market risk, liquidity risk, operational risk, insurance risk, capital adequacy risk, regulator risk, and reputation risk. Managers detail these categories in a risk inventory. 

The risk framework and appetite statement, which are tracked on a dashboard against metrics such as capital adequacy and credit risk, are reviewed annually. 

TD uses a three lines of defense (3LOD) strategy, an approach widely favored by ERM experts, to guard against risk. The three lines are as follows:

  • A business unit and corporate policies that create controls, as well as manage and monitor risk
  • Standards and governance that provide oversight and review of risks and compliance with the risk appetite and framework 
  • Internal audits that provide independent checks and verification that risk-management procedures are effective

Enterprise Risk Management Example in Pharmaceuticals

Drug companies’ risks include threats around product quality and safety, regulatory action, and consumer trust. To avoid these risks, ERM experts emphasize the importance of making sure that strategic goals do not conflict. 

For Britain’s GlaxoSmithKline, such a conflict led to a breakdown in risk management, among other issues. In the early 2000s, the company was striving to increase sales and profitability while also ensuring safe and effective medicines. One risk the company faced was a failure to meet current good manufacturing practices (CGMP) at its plant in Cidra, Puerto Rico. 

CGMP includes implementing oversight and controls of manufacturing, as well as managing the risk and confirming the safety of raw materials and finished drug products. Noncompliance with CGMP can result in escalating consequences, ranging from warnings to recalls to criminal prosecution. 

GSK’s unit pleaded guilty and paid $750 million in 2010 to resolve U.S. charges related to drugs made at the Cidra plant, which the company later closed. A fired GSK quality manager alerted regulators and filed a whistleblower lawsuit in 2004. In announcing the consent decree, the U.S. Department of Justice said the plant had a history of bacterial contamination and multiple drugs created there in the early 2000s violated safety standards.

According to the whistleblower, GSK’s ERM process failed in several respects to act on signs of non-compliance with CGMP. The company received warning letters from the U.S. Food and Drug Administration in 2001 about the plant’s practices, but did not resolve the issues. 

Additionally, the company didn’t act on the quality manager’s compliance report, which advised GSK to close the plant for two weeks to fix the problems and notify the FDA. According to court filings, plant staff merely skimmed rejected products and sold them on the black market. They also scraped by hand the inside of an antibiotic tank to get more product and, in so doing, introduced bacteria into the product.

Enterprise Risk Management Example in Consumer Packaged Goods

Mars Inc., an international candy and food company, developed an ERM process. The company piloted and deployed the initiative through workshops with geographic, product, and functional teams from 2003 to 2012. 

Driven by a desire to frame risk as an opportunity and to work within the company’s decentralized structure, Mars created a process that asked participants to identify potential risks and vote on which had the highest probability. The teams listed risk mitigation steps, then ranked and color-coded them according to probability of success. 

Larry Warner, a Mars risk officer at the time, illustrated this process in a case study. An initiative to increase direct-to-consumer shipments by 12 percent was colored green, indicating a 75 percent or greater probability of achievement. The initiative to bring a new plant online by the end of Q3 was coded red, meaning less than a 50 percent probability of success.

The company’s results were hurt by a surprise at an operating unit that resulted from a risk coded red in a unit workshop. Executives had agreed that some red risk profile was to be expected, but they decided that when a unit encountered a red issue, it must be communicated upward when first identified. This became a rule.

This process led to the creation of an ERM dashboard that listed initiatives in priority order, with the profile of each risk faced in the quarter, the risk profile trend, and a comment column for a year-end view. 

According to Warner, the key factors of success for ERM at Mars are as follows:

  • The initiative focused on achieving operational and strategic objectives rather than compliance, which refers to adhering to established rules and regulations.
  • The program evolved, often based on requests from business units, and incorporated continuous improvement. 
  • The ERM team did not overpromise. It set realistic objectives.
  • The ERM team periodically surveyed business units, management teams, and board advisers.

Enterprise Risk Management Example in Retail

Walmart is the world’s biggest retailer. As such, the company understands that its risk makeup is complex, given the geographic spread of its operations and its large number of stores, vast supply chain, and high profile as an employer and buyer of goods. 

In the 1990s, the company sought a simplified strategy for assessing risk and created an enterprise risk management plan with five steps founded on these four questions:

  • What are the risks?
  • What are we going to do about them?
  • How will we know if we are raising or decreasing risk?
  • How will we show shareholder value?

The process follows these five steps:

  • Risk Identification: Senior Walmart leaders meet in workshops to identify risks, which are then plotted on a graph of probability vs. impact. Doing so helps to prioritize the biggest risks. The executives then look at seven risk categories (both internal and external): legal/regulatory, political, business environment, strategic, operational, financial, and integrity. Many ERM pros use risk registers to evaluate and determine the priority of risks. You can download templates that help correlate risk probability and potential impact in “Free Risk Register Templates.”
  • Risk Mitigation: Teams that include operational staff in the relevant area meet. They use existing inventory procedures to address the risks and determine if the procedures are effective.
  • Action Planning: A project team identifies and implements next steps over the several months to follow.
  • Performance Metrics: The group develops metrics to measure the impact of the changes. They also look at trends of actual performance compared to goal over time.
  • Return on Investment and Shareholder Value: In this step, the group assesses the changes’ impact on sales and expenses to determine if the moves improved shareholder value and ROI.

To develop your own risk management planning, you can download a customizable template in “Risk Management Plan Templates.”

Enterprise Risk Management Example in Agriculture

United Grain Growers (UGG), a Canadian grain distributor that now is part of Glencore Ltd., was hailed as an ERM innovator and became the subject of business school case studies for its enterprise risk management program. This initiative addressed the risks associated with weather for its business. Crop volume drove UGG’s revenue and profits. 

In the late 1990s, UGG identified its major unaddressed risks. Using almost a century of data, risk analysts found that extreme weather events occurred 10 times as frequently as previously believed. The company worked with its insurance broker and the Swiss Re Group on a solution that added grain-volume risk (resulting from weather fluctuations) to its other insured risks, such as property and liability, in an integrated program. 

The result was insurance that protected grain-handling earnings, which comprised half of UGG’s gross profits. The greater financial stability significantly enhanced the firm’s ability to achieve its strategic objectives. 

Since then, the number and types of instruments to manage weather-related risks have multiplied rapidly. For example, over-the-counter derivatives, such as futures and options, began trading in 1997. The Chicago Mercantile Exchange now offers weather futures contracts on 12 U.S. and international cities.

Weather derivatives are linked to climate factors such as rainfall or temperature, and they hedge different kinds of risks than insurance does. These risks are much more common (e.g., a cooler-than-normal summer) than the earthquakes and floods that insurance typically covers. And the holders of derivatives do not have to incur any damage to collect on them.

These weather-linked instruments have found a wider audience than anticipated, including retailers that worry about freak storms decimating Christmas sales, amusement park operators fearing rainy summers will keep crowds away, and energy companies needing to hedge demand for heating and cooling.

This area of ERM continues to evolve because weather and crop insurance are not enough to address all the risks that agriculture faces. Arbol, Inc. estimates that more than $1 trillion of agricultural risk is uninsured. As such, it is launching a blockchain-based platform that offers contracts (customized by location and risk parameters) with payouts based on weather data. These contracts can cover risks associated with niche crops and small growing areas.

Enterprise Risk Management Example in Insurance

Switzerland’s Zurich Insurance Group understands that risk is inherent for insurers and seeks to practice disciplined risk-taking, within a predetermined risk tolerance. 

The global insurer’s enterprise risk management framework aims to protect capital, liquidity, earnings, and reputation. Governance serves as the basis for risk management, and the framework lays out responsibilities for taking, managing, monitoring, and reporting risks. 

The company uses a proprietary process called Total Risk Profiling (TRP) to monitor internal and external risks to its strategy and financial plan. TRP assesses risk on the basis of severity and probability, and helps define and implement mitigating moves. 

Zurich’s risk appetite sets parameters for its tolerance within the goal of maintaining enough capital to achieve an AA rating from rating agencies. For this, the company uses its own Zurich economic capital model, referred to as Z-ECM. The model quantifies risk tolerance with a metric that assesses risk profile vs. risk tolerance. 

To maintain the AA rating, the company aims to hold capital between 100 and 120 percent of capital at risk. Above 140 percent is considered overcapitalized (therefore at risk of throttling growth), and under 90 percent is below risk tolerance (meaning the risk is too high). On either side of 100 to 120 percent (90 to 100 percent and 120 to 140 percent), the insurer considers taking mitigating action. 

Zurich’s assessment of risk and the nature of those risks play a major role in determining how much capital regulators require the business to hold. A popular tool to assess risk is the risk matrix, and you can find a variety of templates in “Free, Customizable Risk Matrix Templates.”

In 2020, Zurich found that its biggest exposures were market risk, such as falling asset valuations and interest-rate risk; insurance risk, such as big payouts for covered customer losses, which it hedges through diversification and reinsurance; credit risk in assets it holds and receivables; and operational risks, such as internal process failures and external fraud.

Enterprise Risk Management Example in Technology

Financial software maker Intuit has strengthened its enterprise risk management through evolution, according to a case study by former Chief Risk Officer Janet Nasburg. 

The program is founded on the following five core principles:

  • Use a common risk framework across the enterprise.
  • Assess risks on an ongoing basis.
  • Focus on the most important risks.
  • Clearly define accountability for risk management.
  • Commit to continuous improvement of performance measurement and monitoring. 

ERM programs grow according to a maturity model, and as capability rises, the shareholder value from risk management becomes more visible and important. 

The maturity phases include the following:

  • Ad hoc risk management addresses a specific problem when it arises.
  • Targeted or initial risk management approaches risks with multiple understandings of what constitutes risk, and management occurs in silos.
  • Integrated or repeatable risk management puts in place an organization-wide framework for risk assessment and response. 
  • Intelligent or managed risk management coordinates risk management across the business, using common tools. 
  • Risk leadership incorporates risk management into strategic decision-making. 

Intuit emphasizes using key risk indicators (KRIs) to understand risks, along with key performance indicators (KPIs) to gauge the effectiveness of risk management. 

Early in its ERM journey, Intuit measured performance on risk management process participation and risk assessment impact. For participation, the targeted rate was 80 percent of executive management and business-line leaders. This helped benchmark risk awareness and current risk management, at a time when ERM at the company was not mature.

Conduct an annual risk assessment at corporate and business-line levels to plot risks, so the most likely and most impactful risks are graphed in the upper-right quadrant. Doing so focuses attention on these risks and helps business leaders understand the risk’s impact on performance toward strategic objectives. 

In the company’s second phase of ERM, Intuit turned its attention to building risk management capacity and sought to ensure that risk management activities addressed the most important risks. The company evaluated performance using color-coded status symbols (red, yellow, green) to indicate risk trend and progress on risk mitigation measures.

In its third phase, Intuit moved to actively monitoring the most important risks and ensuring that leaders modified their strategies to manage risks and take advantage of opportunities. An executive dashboard uses KRIs, KPIs, an overall risk rating, and red-yellow-green coding. The board of directors regularly reviews this dashboard.

Over this evolution, the company has moved from narrow, tactical risk management to holistic, strategic, and long-term ERM.

Enterprise Risk Management Case Studies by Principle

ERM veterans agree that in addition to KPIs and KRIs, other principles are equally important to follow. Below, you’ll find examples of enterprise risk management programs by principles.

ERM Principle #1: Make Sure Your Program Aligns with Your Values

Raytheon Case Study: U.S. defense contractor Raytheon states that its highest priority is delivering on its commitment to provide ethical business practices and abide by anti-corruption laws.

Raytheon backs up this statement through its ERM program. Among other measures, the company performs an annual risk assessment for each function, including the anti-corruption group under the Chief Ethics and Compliance Officer. In addition, Raytheon asks 70 of its sites to perform an anti-corruption self-assessment each year to identify gaps and risks. From there, a compliance team tracks improvement actions. 

Every quarter, the company surveys 600 staff members who may face higher anti-corruption risks, such as the potential for bribes. The survey asks them to report any potential issues in the past quarter.

Also on a quarterly basis, the finance and internal controls teams review higher-risk profile payments, such as donations and gratuities, to confirm accuracy and compliance. Oversight and compliance teams add other checks, and they update a risk-based audit plan continuously.

ERM Principle #2: Embrace Diversity to Reduce Risk

State Street Global Advisors Case Study: In 2016, the asset management firm State Street Global Advisors introduced measures to increase gender diversity in its leadership as a way of reducing portfolio risk, among other goals.

The company relied on research that showed that companies with more women senior managers had a better return on equity, reduced volatility, and fewer governance problems such as corruption and fraud. 

Among the initiatives was a campaign to influence companies where State Street had invested, in order to increase female membership on their boards. State Street also developed an investment product that tracks the performance of companies with the highest level of senior female leadership relative to peers in their sector. 

In 2020, the company announced some of the results of its effort. Among the 1,384 companies targeted by the firm, 681 added at least one female director.

ERM Principle #3: Do Not Overlook Resource Risks

Infosys Case Study: India-based technology consulting company Infosys, which employs more than 240,000 people, has long recognized the risk of water shortages to its operations.

India’s rapidly growing population and development have increased the risk of water scarcity. A 2020 report by the World Wide Fund for Nature said 30 cities in India faced the risk of severe water scarcity over the next three decades.

Infosys has dozens of facilities in India and considers water to be a significant short-term risk. At its campuses, the company uses the water for cooking, drinking, cleaning, restrooms, landscaping, and cooling. Water shortages could halt Infosys operations and prevent it from completing customer projects and reaching its performance objectives. 

In an enterprise risk assessment example, Infosys’ ERM team conducts corporate water-risk assessments while sustainability teams produce detailed water-risk assessments for individual locations, according to a report by the World Business Council for Sustainable Development.

The company uses the COSO ERM framework to respond to the risks and decide whether to accept, avoid, reduce, or share these risks. The company uses root-cause analysis (which focuses on identifying underlying causes rather than symptoms) and the site assessments to plan steps to reduce risks. 

Infosys has implemented various water conservation measures, such as water-efficient fixtures and water recycling, rainwater collection and use, recharging aquifers, underground reservoirs to hold five days of water supply at locations, and smart-meter usage monitoring. Infosys’ ERM team tracks metrics for per-capita water consumption, along with rainfall data, availability and cost of water by tanker trucks, and water usage from external suppliers. 

In the 2020 fiscal year, the company reported a nearly 64 percent drop in per-capita water consumption by its workforce from the 2008 fiscal year. 

The business advantages of this risk management include an ability to open locations where water shortages may preclude competitors, and being able to maintain operations during water scarcity, protecting profitability.

ERM Principle #4: Fight Silos for Stronger Enterprise Risk Management

U.S. Government Case Study: The terrorist attacks of September 11, 2001, revealed that the U.S. government’s then-current approach to managing intelligence was not adequate to address the threats and, by extension, neither was the government’s risk management procedure. Since the Cold War, sensitive information had been managed on a “need to know” basis that resulted in data silos.

In the case of 9/11, this meant that different parts of the government knew some relevant intelligence that could have helped prevent the attacks. But no one had the opportunity to put the information together and see the whole picture. A congressional commission determined there were 10 lost operational opportunities to derail the plot. Silos existed between law enforcement and intelligence, as well as between and within agencies. 

After the attacks, the government moved toward greater information sharing and collaboration. Based on a task force’s recommendations, data moved from a centralized network to a distributed model, and social networking tools now allow colleagues throughout the government to connect. Staff began working across agency lines more often.

Enterprise Risk Management Examples by Scenario

While some scenarios are too unlikely to receive high-priority status, low-probability risks are still worth running through the ERM process. Robust risk management creates a culture and response capacity that better positions a company to deal with a crisis.

In the following enterprise risk examples, you will find scenarios and details of how organizations manage the risks they face.

Scenario: ERM and the Global Pandemic

While most businesses do not have the resources to do in-depth ERM planning for the rare occurrence of a global pandemic, companies with a risk-aware culture will be at an advantage if a pandemic does hit.

These businesses already have processes in place to escalate trouble signs for immediate attention and an ERM team or leader monitoring the threat environment. A strong ERM function gives clear and effective guidance that helps the company respond.

A report by Vodafone found that companies identified as “future ready” fared better in the COVID-19 pandemic. The attributes of future-ready businesses have a lot in common with those of companies that excel at ERM. These include viewing change as an opportunity; having detailed business strategies that are documented, funded, and measured; working to understand the forces that shape their environments; having roadmaps in place for technological transformation; and being able to react more quickly than competitors. 

Only about 20 percent of companies in the Vodafone study met the definition of “future ready.” But 54 percent of these firms had a fully developed and tested business continuity plan, compared to 30 percent of all businesses. And 82 percent felt their continuity plans worked well during the COVID-19 crisis. Nearly 50 percent of all businesses reported decreased profits, while 30 percent of future-ready organizations saw profits rise. 

Scenario: ERM and the Economic Crisis

The 2008 economic crisis in the United States resulted from the domino effect of rising interest rates, a collapse in housing prices, and a dramatic increase in foreclosures among mortgage borrowers with poor creditworthiness. This led to bank failures, a credit crunch, and layoffs, and the U.S. government had to rescue banks and other financial institutions to stabilize the financial system.

Some commentators said these events revealed the shortcomings of ERM because it did not prevent the banks’ mistakes or collapse. But Sim Segal, an ERM consultant and director of Columbia University’s ERM master’s degree program, analyzed how banks performed on 10 key ERM criteria. 

Segal says a risk-management program that incorporates all 10 criteria has these characteristics: 

  • Risk management has an enterprise-wide scope.
  • The program includes all risk categories: financial, operational, and strategic. 
  • The focus is on the most important risks, not all possible risks. 
  • Risk management is integrated across risk types.
  • Aggregated metrics show risk exposure and appetite across the enterprise.
  • Risk management incorporates decision-making, not just reporting.
  • The effort balances risk and return management.
  • There is a process for disclosure of risk.
  • The program measures risk in terms of potential impact on company value.
  • The focus of risk management is on the primary stakeholder, such as shareholders, rather than regulators or rating agencies.

In his book Corporate Value of Enterprise Risk Management, Segal concluded that most banks did not actually use ERM practices, which contributed to the financial crisis. He scored banks as failing on nine of the 10 criteria, only giving them a passing grade for focusing on the most important risks.

Scenario: ERM and Technology Risk

The story of retailer Target’s failed expansion to Canada, where it shut down 133 loss-making stores in 2015, has been well documented. But one dimension that analysts have sometimes overlooked was Target’s handling of technology risk.

A case study by Canadian Business magazine traced some of the biggest issues to software and data-quality problems that dramatically undermined the Canadian launch. 

As with other forms of ERM, technology risk management requires companies to ask what could go wrong, what the consequences would be, how they might prevent the risks, and how they should deal with the consequences. 

But with its technology plan for Canada, Target did not heed risk warning signs. 

In the United States, Target had custom systems for ordering products from vendors, processing items at warehouses, and distributing merchandise to stores quickly. But that software would need customization to work with the Canadian dollar, metric system, and French-language characters. 

Target decided to go with new ERP software on an aggressive two-year timeline. As Target began ordering products for the Canadian stores in 2012, problems arose. Some items did not fit into shipping containers or on store shelves, and information needed for customs agents to clear imported items was not correct in Target's system. 

Target found that its supply chain software data was full of errors. Product dimensions were in inches, not centimeters; height and width measurements were mixed up. An internal investigation showed that only about 30 percent of the data was accurate. 

In an attempt to fix these errors, Target merchandisers spent a week double-checking with vendors up to 80 data points for each of the retailer’s 75,000 products. They discovered that the dummy data entered into the software during setup had not been altered. To make any corrections, employees had to send the new information to an office in India where staff would enter it into the system. 

As the launch approached, the technology errors left the company vulnerable to stockouts, few people understood how the system worked, and the point-of-sale checkout system did not function correctly. Soon after stores opened in 2013, consumers began complaining about empty shelves. Meanwhile, Target Canada distribution centers overflowed due to excess ordering based on poor data fed into forecasting software. 

The rushed launch compounded problems because it did not allow the company enough time to find solutions or alternative technology. While the retailer fixed some issues by the end of 2014, it was too late. Target Canada filed for bankruptcy protection in early 2015. 

Scenario: ERM and Cybersecurity

System hacks and data theft are major worries for companies. But as a relatively new field, cyber-risk management faces unique hurdles.

For example, risk managers and information security officers have difficulty quantifying the likelihood and business impact of a cybersecurity attack. The rise of cloud-based software exposes companies to third-party risks that make these projections even more difficult to calculate. 

As the field evolves, risk managers say it’s important for IT security officers to look beyond technical issues, such as the need to patch a vulnerability, and instead look more broadly at business impacts to make a cost-benefit analysis of risk mitigation. Frameworks such as the Risk Management Framework for Information Systems and Organizations by the National Institute of Standards and Technology can help.

Health insurer Aetna considers cybersecurity threats as a part of operational risk within its ERM framework and calculates a daily risk score, adjusted with changes in the cyberthreat landscape. 

Aetna studies threats from external actors by working through information sharing and analysis centers for the financial services and health industries. Aetna staff reverse-engineers malware to determine controls. The company says this type of activity helps ensure the resiliency of its business processes and greatly improves its ability to help protect member information.

For internal threats, Aetna uses models that compare current user behavior to past behavior and identify anomalies. (The company says it was the first organization to do this at scale across the enterprise.) Aetna gives staff permissions to networks and data based on what they need to perform their job. This segmentation restricts access to raw data and strengthens governance. 

Another risk initiative scans outgoing employee emails for code patterns, such as credit card or Social Security numbers. The system flags the email, and a security officer assesses it before the email is released.

Examples of Poor Enterprise Risk Management

Case studies of failed enterprise risk management often highlight mistakes that managers could and should have spotted — and corrected — before a full-blown crisis erupted. The focus of these examples is often on determining why that did not happen. 

ERM Case Study: General Motors

In 2014, General Motors recalled the first of what would become 29 million cars due to faulty ignition switches and paid compensation for 124 related deaths. GM knew of the problem for at least 10 years but did not act, the automaker later acknowledged. The company entered a deferred prosecution agreement and paid a $900 million penalty. 

Pointing to the length of time the company failed to disclose the safety problem, ERM specialists say it shows the problem did not reside with a single department. “Rather, it reflects a failure to properly manage risk,” wrote Steve Minsky, a writer on ERM and CEO of an ERM software company, in Risk Management magazine. 

“ERM is designed to keep all parties across the organization, from the front lines to the board to regulators, apprised of these kinds of problems as they become evident. Unfortunately, GM failed to implement such a program, ultimately leading to a tragic and costly scandal,” Minsky said.

Also in the auto sector, an enterprise risk management case study of Toyota looked at its problems with unintended acceleration of vehicles from 2002 to 2009. Several studies, including a case study by Carnegie Mellon University Professor Phil Koopman, blamed poor software design and company culture. A whistleblower later revealed a coverup by Toyota. The company paid more than $2.5 billion in fines and settlements.

ERM Case Study: Lululemon

In 2013, following customer complaints that its black yoga pants were too sheer, the athletic apparel maker recalled 17 percent of its inventory at a cost of $67 million. The company had previously identified risks related to fabric supply and quality. The CEO said the issue was inadequate testing. 

Analysts raised concerns about the company’s controls, including oversight of factories and product quality. A case study by Stanford University professors noted that Lululemon’s episode illustrated a common disconnect between identifying risks and being prepared to manage them when they materialize. Lululemon’s reporting and analysis of risks was also inadequate, especially as related to social media. In addition, the case study highlighted the need for a system to escalate risk-related issues to the board. 

ERM Case Study: Kodak 

Once an iconic brand, the photo film company failed for decades to act on the threat that digital photography posed to its business and eventually filed for bankruptcy in 2012. The company’s own research in 1981 found that digital photos could ultimately replace Kodak’s film technology and estimated it had 10 years to prepare. 

Unfortunately, Kodak did not prepare and stayed locked into the film paradigm. The board reinforced this course when in 1989 it chose as CEO a candidate who came from the film business over an executive interested in digital technology. 

Had the company acknowledged the risks and employed ERM strategies, it might have pursued a variety of strategies to remain successful. The company’s rival, Fuji Film, took the money it made from film and invested in new initiatives, some of which paid off. Kodak, on the other hand, kept investing in the old core business.

Case Studies of Successful Enterprise Risk Management

Successful enterprise risk management usually requires strong performance in multiple dimensions, and is therefore more likely to occur in organizations where ERM has matured. The following examples of enterprise risk management can be considered success stories. 

ERM Case Study: Statoil 

A major global oil producer, Statoil of Norway stands out for the way it practices ERM by looking at both downside risk and upside potential. Taking risks is vital in a business that depends on finding new oil reserves. 

According to a case study, the company developed its own framework founded on two basic goals: creating value and avoiding accidents.

The company aims to understand risks thoroughly, and unlike many ERM programs, Statoil maps risks on both the downside and upside. It graphs risk on probability vs. impact on pre-tax earnings, and it examines each risk from both positive and negative perspectives. 

For example, the case study cites a risk that the company assessed as having a 5 percent probability of a somewhat better-than-expected outcome but a 10 percent probability of a significant loss relative to forecast. In this case, the downside risk was greater than the upside potential.

ERM Case Study: Lego 

The Danish toy maker’s ERM evolved over the following four phases, according to a case study by one of the chief architects of its program:

  • Traditional management of financial, operational, and other risks. Strategic risk management joined the ERM program in 2006. 
  • The company added Monte Carlo simulations in 2008 to model financial performance volatility so that budgeting and financial processes could incorporate risk management. The technique is used in budget simulations, to assess risk in its credit portfolio, and to consolidate risk exposure. 
  • Active risk and opportunity planning is part of making a business case for new projects before final decisions.
  • The company prepares for uncertainty so that long-term strategies remain relevant and resilient under different scenarios. 

As part of its scenario modeling, Lego developed its PAPA (park, adapt, prepare, act) model. 

  • Park: The company parks risks that occur slowly and have a low probability of happening, meaning it neither forgets them nor actively deals with them.
  • Adapt: This response is for risks that evolve slowly and are certain or highly probable to occur. For example, a risk in this category is the changing nature of play and the evolution of buying power in different parts of the world. In this phase, the company adjusts, monitors the trend, and follows developments.
  • Prepare: This category includes risks that have a low probability of occurring — but when they do, they emerge rapidly. These risks go into the ERM risk database with contingency plans, early warning indicators, and mitigation measures in place.
  • Act: These are high-probability, fast-moving risks that must be acted upon to maintain strategy. For example, developments around connectivity, mobile devices, and online activity are in this category because of the rapid pace of change and the influence on the way children play. 

Lego views risk management as a way to better equip itself to take risks than its competitors. In the case study, the writer likens this approach to the need for the fastest race cars to have the best brakes and steering to achieve top speeds.

ERM Case Study: University of California 

The University of California, one of the biggest U.S. public university systems, introduced a new view of risk to its workforce when it implemented enterprise risk management in 2005. Previously, the function was merely seen as a compliance requirement.

ERM became a way to support the university’s mission of education and research, drawing on collaboration of the system’s employees across departments. “Our philosophy is, ‘Everyone is a risk manager,’” Erike Young, deputy director of ERM told Treasury and Risk magazine. “Anyone who’s in a management position technically manages some type of risk.”

The university faces a diverse set of risks, including cybersecurity, hospital liability, reduced government financial support, and earthquakes.  

The ERM department had to overhaul systems to create a unified view of risk because its information and processes were not linked. Software enabled both an organizational picture of risk and highly detailed drilldowns on individual risks. Risk managers also developed tools for risk assessment, risk ranking, and risk modeling. 

Better risk management has provided more than $100 million in annual cost savings and nearly $500 million in cost avoidance, according to UC officials. 

UC drives ERM with risk management departments at each of its 10 locations and leverages university subject matter experts to form multidisciplinary workgroups that develop process improvements.

APQC, a standards quality organization, recognized UC as a top global ERM practice organization, and the university system has won other awards. The university says in 2010 it was the first nonfinancial organization to win credit-rating agency recognition of its ERM program.

Examples of How Technology Is Transforming Enterprise Risk Management

Business intelligence software has propelled major progress in enterprise risk management because the technology enables risk managers to bring their information together, analyze it, and forecast how risk scenarios would impact their business.

ERM organizations are using computing and data-handling advancements such as blockchain for new innovations in strengthening risk management. Following are case studies of a few examples.

ERM Case Study: Bank of New York Mellon 

In 2021, the bank joined with Google Cloud to use machine learning and artificial intelligence to predict and reduce the risk that transactions in the $22 trillion U.S. Treasury market will fail to settle. Settlement failure means a buyer and seller do not exchange cash and securities by the close of business on the scheduled date. 

The party that fails to settle is assessed a daily financial penalty, and a high level of settlement failures can indicate market liquidity problems and rising risk. BNY says that, on average, about 2 percent of transactions fail to settle.

The bank trained models with millions of trades to consider every factor that could result in settlement failure. The service uses market-wide intraday trading metrics, trading velocity, scarcity indicators, volume, the number of trades settled per hour, seasonality, issuance patterns, and other signals. 

The bank said it predicts about 40 percent of settlement failures with 90 percent accuracy. But it also cautioned against overconfidence in the technology as the model continues to improve. 

AI-driven forecasting reduces risk for BNY clients in the Treasury market and saves costs. For example, a predictive view of settlement risks helps bond dealers more accurately manage their liquidity buffers, avoid penalties, optimize their funding sources, and offset the risks of failed settlements. In the long run, such forecasting tools could improve the health of the financial market. 

ERM Case Study: PwC

Consulting company PwC has leveraged a vast information storehouse known as a data lake to help its customers manage risk from suppliers.

A data lake stores both structured and unstructured information, meaning data in highly organized, standardized formats as well as unstandardized data. This means that everything from raw audio to credit card numbers can live in a data lake.

Using techniques pioneered in national security, PwC built a risk data lake that integrates information from client companies, public databases, user devices, and industry sources. Algorithms find patterns that can signify unidentified risks.

One of PwC’s first uses of this data lake was a program to help companies uncover risks from their vendors and suppliers. Companies can violate laws, harm their reputations, suffer fraud, and risk their proprietary information by doing business with the wrong vendor. 

Today’s complex global supply chains mean companies may be several degrees removed from the source of this risk, which makes it hard to spot and mitigate. For example, a product made with outlawed child labor could be traded through several intermediaries before it reaches a retailer. 

PwC’s service helps companies recognize risk beyond their primary vendors and continue to monitor that risk over time as more information enters the data lake.

ERM Case Study: Financial Services

As analytics have become a pillar of forecasting and risk management for banks and other financial institutions, a new risk has emerged: model risk. This refers to the risk that machine-learning models will lead users to an unreliable understanding of risk or have unintended consequences.

For example, a 6 percent drop in the value of the British pound over the course of a few minutes in 2016 stemmed from currency trading algorithms that spiralled into a negative loop. A Twitter-reading program began an automated selling of the pound after comments by a French official, and other selling algorithms kicked in once the currency dropped below a certain level.

U.S. banking regulators are so concerned about model risk that the Federal Reserve set up a model validation council in 2012 to assess the models that banks use in running risk simulations for capital adequacy requirements. Regulators in Europe and elsewhere also require model validation.

A form of managing risk from a risk-management tool, model validation is an effort to reduce risk from machine learning. The technology-driven rise in modeling capacity has caused such models to proliferate, and banks can use hundreds of models to assess different risks. 

Model risk management can reduce rising costs for modeling by an estimated 20 to 30 percent by building a validation workflow, prioritizing models that are most important to business decisions, and implementing automation for testing and other tasks, according to McKinsey.

What Is Risk Management & Why Is It Important?

  • 24 Oct 2023

Businesses can’t operate without risk. Economic, technological, environmental, and competitive factors introduce obstacles that companies must not only manage but overcome.

According to PwC’s Global Risk Survey, organizations that embrace strategic risk management are five times more likely to deliver stakeholder confidence and better business outcomes and two times more likely to expect faster revenue growth.

If you want to enhance your job performance and identify and mitigate risk more effectively, here’s a breakdown of what risk management is and why it’s important.

What Is Risk Management?

Risk management is the systematic process of identifying, assessing, and mitigating threats or uncertainties that can affect your organization. It involves analyzing risks’ likelihood and impact, developing strategies to minimize harm, and monitoring measures’ effectiveness.

“Competing successfully in any industry involves some level of risk,” says Harvard Business School Professor Robert Simons, who teaches the online course Strategy Execution. “But high-performing businesses with high-pressure cultures are especially vulnerable. As a manager, you need to know how and why these risks arise and how to avoid them.”

According to Strategy Execution, strategic risk has three main causes:

  • Pressures due to growth: This is often caused by an accelerated rate of expansion that makes staffing or industry knowledge gaps more harmful to your business.
  • Pressures due to culture: While entrepreneurial risk-taking can come with rewards, executive resistance and internal competition can cause problems.
  • Pressures due to information management: Since information is key to effective leadership, gaps in performance measures can result in decentralized decision-making.

These pressures can lead to several types of risk that you must manage or mitigate to avoid reputational, financial, or strategic failures. However, risks aren’t always obvious.

“I think one of the challenges firms face is the ability to properly identify their risks,” says HBS Professor Eugene Soltes in Strategy Execution.

Therefore, it’s crucial to pinpoint unexpected events or conditions that could significantly impede your organization’s business strategy.

According to Strategy Execution, strategic risk comprises:

  • Operations risk: This occurs when internal operational errors interrupt your products or services’ flow. For example, shipping tainted products can negatively affect food distribution companies.
  • Asset impairment risk: When your company’s assets lose a significant portion of their current value because of a decreased likelihood of receiving future cash flows. For instance, losing property assets, like a manufacturing plant, due to a natural disaster.
  • Competitive risk: Changes in the competitive environment can interrupt your organization’s ability to create value and differentiate its offerings—eventually leading to a significant loss in revenue.
  • Franchise risk: When your organization’s value erodes because stakeholders lose confidence in its objectives. This primarily results from failing to control any of the strategic risk sources listed above.

Understanding these risks is essential to ensuring your organization’s long-term success. Here’s a deeper dive into why risk management is important.

4 Reasons Why Risk Management Is Important

1. Protects Organization’s Reputation

In many cases, effective risk management proactively protects your organization from incidents that can affect its reputation.

“Franchise risk is a concern for all businesses,” Simons says in Strategy Execution. “However, it's especially pressing for businesses whose reputations depend on the trust of key constituents.”

For example, airlines are particularly susceptible to franchise risk because of unforeseen events, such as flight delays and cancellations caused by weather or mechanical failure. While such incidents are considered operational risks, they can be incredibly damaging.

In 2016, Delta Airlines experienced a national computer outage, resulting in over 2,000 flight cancellations. Delta not only lost an estimated $150 million but took a hit to its reputation as a reliable airline that prided itself on “canceling cancellations.”

While Delta bounced back, the incident illustrates how mitigating operational errors can make or break your organization.

2. Minimizes Losses

Most businesses create risk management teams to avoid major financial losses. Yet, various risks can still impact their bottom lines.

A Vault Platform study found that dealing with workplace misconduct cost U.S. businesses over $20 billion in 2021. In addition, Soltes says in Strategy Execution that corporate fines for misconduct have risen 40-fold in the U.S. over the last 20 years.

One way to mitigate financial losses related to employee misconduct is by implementing internal controls. According to Strategy Execution, internal controls are the policies and procedures designed to ensure reliable accounting information and safeguard company assets.

“Managers use internal controls to limit the opportunities employees have to expose the business to risk,” Simons says in the course.

One company that could have benefited from implementing internal controls is Volkswagen (VW). In 2015, VW whistle-blowers revealed that the company’s engineers deliberately manipulated diesel vehicles’ emissions data to make them appear more environmentally friendly.

This led to severe consequences, including regulatory penalties, expensive vehicle recalls, and legal settlements—all of which resulted in significant financial losses. By 2018, U.S. authorities had extracted $25 billion in fines, penalties, civil damages, and restitution from the company.

Had VW maintained more rigorous internal controls to ensure transparency, compliance, and proper oversight of its engineering practices, perhaps it could have detected—or even averted—the situation.

3. Encourages Innovation and Growth

Risk management isn’t just about avoiding negative outcomes. It can also be the catalyst that drives your organization’s innovation and growth.

“Risks may not be pleasant to think about, but they’re inevitable if you want to push your business to innovate and remain competitive,” Simons says in Strategy Execution.

According to PwC, 83 percent of companies’ business strategies focus on growth, despite risks and mixed economic signals. In Strategy Execution, Simons notes that competitive risk is a challenge you must constantly monitor and address.

“Any firm operating in a competitive market must focus its attention on changes in the external environment that could impair its ability to create value for its customers,” Simons says.

This requires incorporating boundary systems—explicit statements that define and communicate risks to avoid—to ensure internal controls don’t extinguish innovation.

“Boundary systems are essential levers in businesses to give people freedom,” Simons says. “In such circumstances, you don’t want to stifle innovation or entrepreneurial behavior by telling people how to do their jobs. And if you want to remain competitive, you’ll need to innovate and adapt.”

Netflix is an example of how risk management can inspire innovation. In the early 2000s, the company was primarily known for its DVD-by-mail rental service. With growing competition from video rental stores, Netflix went against the grain and introduced its streaming service. This changed the market, resulting in a booming industry nearly a decade later.

Netflix’s innovation didn’t stop there. Once the streaming services market became highly competitive, the company shifted once again to gain a competitive edge. It ventured into producing original content, which ultimately helped differentiate its platform and attract additional subscribers.

By offering more freedom within internal controls, you can encourage innovation and constant growth.

4. Enhances Decision-Making

Risk management also provides a structured framework for decision-making. This can be beneficial if your business is inclined toward risks that are difficult to manage.

By pulling data from existing control systems to develop hypothetical scenarios, you can discuss and debate strategies’ efficacy before executing them.

“Interactive control systems are the formal information systems managers use to personally involve themselves in the decision activities of subordinates,” Simons says in Strategy Execution. “Decision activities that relate to and impact strategic uncertainties.”

JPMorgan Chase, one of the most prominent financial institutions in the world, is particularly susceptible to cyber risks because it compiles vast amounts of sensitive customer data. According to PwC, cybersecurity is the number one business risk on managers’ minds, with 78 percent worried about more frequent or broader cyber attacks.

Using data science techniques like machine learning algorithms enables JPMorgan Chase’s leadership not only to detect and prevent cyber attacks but address and mitigate risk.

Start Managing Your Organization's Risk

Risk management is essential to business. While some risk is inevitable, your ability to identify and mitigate it can benefit your organization.

But you can’t plan for everything. According to the Harvard Business Review, some risks are so remote that no one could have imagined them. Some result from a perfect storm of incidents, while others materialize rapidly and on enormous scales.

By taking an online strategy course, you can build the knowledge and skills to identify strategic risks and ensure they don’t undermine your business. For example, through an interactive learning experience, Strategy Execution enables you to draw insights from real-world business examples and better understand how to approach risk management.

Risk Management 101: Process, Examples, Strategies

Emily Villanueva

August 16, 2023

Effective risk management takes a proactive and preventative stance to risk, aiming to identify and then determine the appropriate response to the business and facilitate better decision-making. Many approaches to risk management focus on risk reduction, but it’s important to remember that risk management practices can also be applied to opportunities, assisting the organization with determining if that possibility is right for it.

Risk management as a discipline has evolved to the point that there are now common subsets and branches of risk management programs, from enterprise risk management (ERM), to cybersecurity risk management, to operational risk management (ORM), to supply chain risk management (SCRM). With this evolution, standards organizations around the world, like the US’s National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO), have developed and released their own best practice frameworks and guidance for businesses to apply to their risk management plan.

Companies that adopt and continuously improve their risk management programs can reap the benefits of improved decision-making, a higher probability of reaching goals and business objectives, and an augmented security posture. But, with risks proliferating and the many types of risks that face businesses today, how can an organization establish and optimize its risk management processes? This article will walk you through the fundamentals of risk management and offer some thoughts on how you can apply it to your organization.

What Are Risks?

We’ve been talking about risk management and how it has evolved, but it’s important to clearly define the concept of risk. Simply put, risks are the things that could go wrong with a given initiative, function, process, project, and so on. There are potential risks everywhere — when you get out of bed, there’s a risk that you’ll stub your toe and fall over, potentially injuring yourself (and your pride). Traveling often involves taking on some risks, like the chance that your plane will be delayed or your car runs out of gas and leaves you stranded. Nevertheless, we choose to take on those risks, and may benefit from doing so.

Companies should think about risk in a similar way, not seeking simply to avoid risks, but to integrate risk considerations into day-to-day decision-making.

  • What are the opportunities available to us?
  • What could be gained from those opportunities?
  • What is the business’s risk tolerance or risk appetite – that is, how much risk is the company willing to take on?
  • How will this relate to or affect the organization’s goals and objectives?
  • Are these opportunities aligned with business goals and objectives?

With that in mind, conversations about risks can progress by asking, “What could go wrong?” or “What if?” Within the business environment, identifying risks starts with key stakeholders and management, who first define the organization’s objectives. Then, with a risk management program in place, those objectives can be scrutinized for the risks associated with achieving them. Although many organizations focus their risk analysis around financial risks and risks that can affect a business’s bottom line, there are many types of risks that can affect an organization’s operations, reputation, or other areas.

Remember that risks are hypotheticals — they haven’t occurred or been “realized” yet. When we talk about the impact of risks, we’re always discussing the potential impact. Once a risk has been realized, it usually turns into an incident, problem, or issue that the company must address through their contingency plans and policies. Therefore, many risk management activities focus on risk avoidance, risk mitigation, or risk prevention.

What Different Types of Risks Are There?

There’s a vast landscape of potential risks that face modern organizations. Targeted risk management practices like ORM and SCRM have risen to address emerging areas of risk, with those disciplines focused on mitigating risks associated with operations and the supply chain. Specific risk management strategies designed to address new risks and existing risks have emerged from these facets of risk management, providing organizations and risk professionals with action plans and contingency plans tailored to unique problems and issues.

Common types of risks include: strategic, compliance, financial, operational, reputational, security, and quality risks.

Strategic Risk

Strategic risks are those risks that could have a potential impact on a company’s strategic objectives, business plan, and/or strategy. Adjustments to business objectives and strategy have a trickle-down effect to almost every function in the organization. Some events that could cause strategic risks to be realized are: major technological changes in the company, like switching to a new tech stack; large layoffs or reductions-in-force (RIFs); changes in leadership; competitive pressure; and legal changes.

Compliance Risk

Compliance risks materialize from regulatory and compliance requirements that businesses are subject to, like Sarbanes-Oxley for publicly-traded US companies, or GDPR for companies that handle personal information from the EU. The consequence or impact of noncompliance is generally a fine from the governing body of that regulation. These types of risks are realized when the organization does not maintain compliance with regulatory requirements, whether those requirements are environmental, financial, security-specific, or related to labor and civil laws.

Financial Risk

Financial risks are fairly self-explanatory — they have the possibility of affecting an organization’s profits. These types of risks often receive significant attention due to the potential impact on a company’s bottom line. Financial risks can be realized in many circumstances, like performing a financial transaction, compiling financial statements, developing new partnerships, or making new deals.

Operational Risk

Risks to operations, or operational risks, have the potential to disrupt daily operations involved with running a business. Needless to say, this can be a problematic scenario for organizations with employees unable to do their jobs, and with product delivery possibly delayed. Operational risks can materialize from internal or external sources, such as employee conduct, retention, technology failures, natural disasters, supply chain breakdowns, and many more.

Reputational Risk

Reputational risks are an interesting category. These risks look at a company’s standing in the public and in the media and identify what could impact its reputation. The advent of social media changed the reputation game quite a bit, giving consumers direct access to brands and businesses. Consumers and investors too are becoming more conscious about the companies they do business with and their impact on the environment, society, and civil rights. Reputational risks are realized when a company receives bad press, experiences a successful cyber attack or security breach, or ends up in any situation that causes the public to lose trust in the organization.

Security Risk

Security risks have to do with possible threats to your organization’s physical premises, as well as information systems security. Security breaches, data leaks, and other successful types of cyber attacks threaten the majority of businesses operating today. Security risks have become an area of risk that companies can’t ignore, and must safeguard against.

Quality Risk

Quality risks are specifically associated with the products or services that a company provides. Producing low-quality goods or services can cause an organization to lose customers, ultimately affecting revenue. These risks are realized when product quality drops for any reason — whether that’s technology changes, outages, employee errors, or supply chain disruptions.

Steps in the Risk Management Process

The six risk management process steps that we’ve outlined below will give you and your organization a starting point to implement or improve your risk management practices. In order, the risk management steps are: 

  • Risk identification
  • Risk analysis or assessment
  • Controls implementation
  • Resource and budget allocation
  • Risk mitigation
  • Risk monitoring, reviewing, and reporting

If this is your organization’s first time setting up a risk management program, consider having a formal risk assessment completed by an experienced third party, with the goal of producing a risk register and prioritized recommendations on what activities to focus on first. Annual (or more frequent) risk assessments are usually required when pursuing compliance and security certifications, making them a valuable investment.

Step 1: Risk Identification

The first step in the risk management process is risk identification. This step takes into account the organization’s overarching goals and objectives, ideally through conversations with management and leadership. Identifying risks to company goals involves asking, “What could go wrong?” with the plans and activities aimed at meeting those goals. As an organization moves from macro-level risks to more specific function and process-related risks, risk teams should collaborate with critical stakeholders and process owners, gaining their insight into the risks that they foresee.

As risks are identified, they should be captured in formal documentation — most organizations do this through a risk register, which is a database of risks, risk owners, mitigation plans, and risk scores.

Step 2: Risk Analysis or Assessment

Analyzing risks, or assessing risks, involves looking at the likelihood that a risk will be realized, and the potential impact that risk would have on the organization if that risk were realized. By quantifying these on a three- or five-point scale, risk prioritization becomes simpler. Multiplying the risk’s likelihood score with the risk’s impact score generates the risk’s overall risk score. This value can then be compared to other risks for prioritization purposes.

The likelihood that a risk will be realized asks the risk assessor to consider how probable it would be for a risk to actually occur. Lower scores indicate a lower chance that the risk will materialize. Higher scores indicate a higher chance that the risk will occur.

Likelihood, on a 5×5 risk matrix, is broken out into:

  • Highly Unlikely
  • Highly Likely

The potential impact of a risk, should it be realized, asks the risk assessor to consider how the business would be affected if that risk occurred. Lower scores signal less impact to the organization, while higher scores indicate more significant impacts to the company.

Impact, on a 5×5 risk matrix, is broken out into:

  • Negligible Impact
  • Moderate Impact
  • High Impact
  • Catastrophic Impact

Risk assessment matrices help visualize the relationship between likelihood and impact, serving as a valuable tool in risk professionals’ arsenals.

Organizations can choose whether to employ a 5×5 risk matrix, as shown above, or a 3×3 risk matrix, which breaks likelihood, impact, and aggregate risk scores into low, moderate, and high categories.

Step 3: Controls Assessment and Implementation

Once risks have been identified and analyzed, controls that address or partially address those risks should be mapped. Any risks that don’t have associated controls, or that have controls that are inadequate to mitigate the risk, should have controls designed and implemented to do so.

Step 4: Resource and Budget Allocation

This step, the resource and budget allocation step, doesn’t get included in a lot of content about risk management. However, many businesses find themselves in a position where they have limited resources and funds to dedicate to risk management and remediation. Developing and implementing new controls and control processes is time-consuming and costly; there’s usually a learning curve for employees to get used to changes in their workflow.

Using the risk register and corresponding risk scores, management can more easily allocate resources and budget to priority areas, with cost-effectiveness in mind. Each year, leadership should re-evaluate their resource allocation as part of annual risk lifecycle practices.

Step 5: Risk Mitigation

The risk mitigation step of risk management involves both coming up with the action plan for handling open risks, and then executing on that action plan. Mitigating risks successfully takes buy-in from various stakeholders. Due to the various types of risks that exist, each action plan may look vastly different between risks. 

For example, vulnerabilities present in information systems pose a risk to data security and could result in a data breach. The action plan for mitigating this risk might involve automatically installing security patches for IT systems as soon as they are released and approved by the IT infrastructure manager. Another identified risk could be the possibility of cyber attacks resulting in data exfiltration or a security breach. The organization might decide that establishing security controls is not enough to mitigate that threat, and thus contract with an insurance company to cover cyber incidents. Two related security risks; two very different mitigation strategies.

One more note on risk mitigation — there are four generally accepted “treatment” strategies for risks. These four treatments are:

  • Risk Acceptance: Risk thresholds are within acceptable tolerance, and the organization chooses to accept this risk.
  • Risk Transfer: The organization chooses to transfer the risk or part of the risk to a third party provider or insurance company.
  • Risk Avoidance: The organization chooses not to move forward with that risk and avoids incurring it.
  • Risk Mitigation: The organization establishes an action plan for reducing or limiting risk to acceptable levels.

If an organization is not opting to mitigate a risk, and instead chooses to accept, transfer, or avoid the risk, these details should still be captured in the risk register, as they may need to be revisited in future risk management cycles.

Step 6: Risk Monitoring, Reviewing, and Reporting

The last step in the risk management lifecycle is monitoring risks, reviewing the organization’s risk posture, and reporting on risk management activities. Risks should be monitored on a regular basis to detect any changes to risk scoring, mitigation plans, or owners. Regular risk assessments can help organizations continue to monitor their risk posture. Having a risk committee or similar committee meet on a regular basis, such as quarterly, integrates risk management activities into scheduled operations, and ensures that risks undergo continuous monitoring. These committee meetings also provide a mechanism for reporting risk management matters to senior management and the board, as well as affected stakeholders.

As an organization reviews and monitors its risks and mitigation efforts, it should apply any lessons learned and use past experiences to improve future risk management plans.
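The scoring, control-mapping, treatment, and monitoring steps above can be kept together in one small risk register. The following Python sketch is an added example, not part of the original article; the risk IDs, owners, scores, and the rule that only risks marked for mitigation must have a mapped control are constructed assumptions.

```python
"""Risk register sketch: 5x5 scoring, prioritization, control gaps, review diffs."""
from dataclasses import dataclass, replace
from enum import Enum


class Treatment(Enum):
    ACCEPT = "accept"
    TRANSFER = "transfer"
    AVOID = "avoid"
    MITIGATE = "mitigate"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    owner: str
    likelihood: int        # 1 (lowest) .. 5 (highest) on a 5x5 matrix
    impact: int            # 1 (lowest) .. 5 (highest)
    treatment: Treatment
    controls: tuple = ()   # names of controls mapped to this risk

    def __post_init__(self):
        # Reject scores that fall outside the five-point scale.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{self.risk_id}: {name} must be 1..5, got {value!r}")

    @property
    def score(self) -> int:
        # Overall risk score = likelihood score x impact score.
        return self.likelihood * self.impact


def prioritize(register):
    """Highest score first; ties broken by impact, then by ID (assumed tie-break)."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.risk_id))


def control_gaps(register):
    """IDs of risks marked for mitigation that have no control mapped yet."""
    return [r.risk_id for r in prioritize(register)
            if r.treatment is Treatment.MITIGATE and not r.controls]


def review_changes(previous, current):
    """Compare two review cycles: new/removed risks, score, owner, treatment, controls."""
    before = {r.risk_id: r for r in previous}
    after = {r.risk_id: r for r in current}
    changes = {}
    for rid in sorted(before.keys() | after.keys()):
        old, new = before.get(rid), after.get(rid)
        if old is None:
            changes[rid] = [f"new risk, score {new.score}"]
            continue
        if new is None:
            changes[rid] = ["removed from register"]
            continue
        notes = []
        if old.score != new.score:
            notes.append(f"score {old.score} -> {new.score}")
        if old.owner != new.owner:
            notes.append(f"owner {old.owner} -> {new.owner}")
        if old.treatment is not new.treatment:
            notes.append(f"treatment {old.treatment.value} -> {new.treatment.value}")
        if set(old.controls) != set(new.controls):
            notes.append("controls changed")
        if notes:
            changes[rid] = notes
    return changes


# Constructed sample register for one review cycle (all values are illustrative).
Q1 = [
    Risk("R-001", "Unpatched vulnerabilities in IT systems lead to a data breach",
         "IT infrastructure manager", 4, 5, Treatment.MITIGATE,
         ("Automatic installation of approved security patches",)),
    Risk("R-002", "Cyber attack results in data exfiltration",
         "Security lead", 3, 5, Treatment.TRANSFER, ("Cyber insurance policy",)),
    Risk("R-003", "Supply chain breakdown delays product delivery",
         "Operations lead", 3, 4, Treatment.MITIGATE),
    Risk("R-004", "Employee retention problems slow daily operations",
         "HR lead", 2, 3, Treatment.ACCEPT),
]

# The next cycle: patching lowered R-001's likelihood, R-003 gained a control and
# a new owner, and a new strategic risk was identified.
Q2 = [
    replace(Q1[0], likelihood=2),
    Q1[1],
    replace(Q1[2], owner="Procurement lead", controls=("Second-source supplier",)),
    Q1[3],
    Risk("R-005", "Change in leadership disrupts strategic objectives",
         "Chief of staff", 2, 4, Treatment.MITIGATE),
]

if __name__ == "__main__":
    for r in prioritize(Q2):
        print(f"{r.risk_id}  score={r.score:2d}  {r.treatment.value:8s}  {r.owner}")
    print("Control gaps:", control_gaps(Q2))
    for rid, notes in review_changes(Q1, Q2).items():
        print(rid, "; ".join(notes))
```

Risks that are accepted, transferred, or avoided stay in the register with their treatment recorded, so they show up again in the next cycle's comparison.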

Examples of Risk Management Strategies

Depending on your company’s industry, the types of risks it faces, and its objectives, you may need to employ many different risk management strategies to adequately handle the possibilities that your organization encounters. 

Some examples of risk management strategies include leveraging existing frameworks and best practices, minimum viable product (MVP) development, contingency planning, root cause analysis and lessons learned, built-in buffers, risk-reward analysis, and third-party risk assessments.

Leverage Existing Frameworks and Best Practices

Risk management professionals need not go it alone. There are several standards organizations and committees that have developed risk management frameworks, guidance, and approaches that business teams can leverage and adapt for their own company. 

Some of the more popular risk management frameworks out there include:

  • ISO 31000 Family: The International Standards Organization’s guidance on risk management.
  • NIST Risk Management Framework (RMF): The National Institute of Standards and Technology has released risk management guidance compatible with their Cybersecurity Framework (CSF).
  • COSO Enterprise Risk Management (ERM): The Committee of Sponsoring Organizations’ enterprise risk management guidance.

Minimum Viable Product (MVP) Development

This approach to product development involves developing core features and delivering those to the customer, then assessing response and adjusting development accordingly. Taking an MVP path reduces the likelihood of financial and project risks, like excessive spend or project delays, by simplifying the product and decreasing development time.

Contingency Planning

Developing contingency plans for significant incidents and disaster events is a great way for businesses to prepare for worst-case scenarios. These plans should account for response and recovery. Contingency plans specific to physical sites or systems help mitigate the risk of employee injury and outages.

Root Cause Analysis and Lessons Learned

Sometimes, experience is the best teacher. When an incident occurs or a risk is realized, risk management processes should include some kind of root cause analysis that provides insights into what can be done better next time. These lessons learned, integrated with risk management practices, can streamline and optimize response to similar risks or incidents.

Built-In Buffers

Applicable to discrete projects, building in buffers in the form of time, resources, and funds can be another viable strategy to mitigate risks. As you may know, projects can get derailed very easily, going out of scope, over budget, or past the timeline. Whether a project team can successfully navigate project risks spells the success or failure of the project. By building in some buffers, project teams can set expectations appropriately and account for the possibility that project risks may come to fruition.

Risk-Reward Analysis

In a risk-reward analysis, companies and project teams weigh the possibility of something going wrong with the potential benefits of an opportunity or initiative. This analysis can be done by looking at historical data, doing research about the opportunity, and drawing on lessons learned. Sometimes the risk of an initiative outweighs the reward; sometimes the potential reward outweighs the risk. At other times, it’s unclear whether the risk is worth the potential reward or not. Still, a simple risk-reward analysis can keep organizations from bad investments and bad deals.

Third-Party Risk Assessments

Another strategy teams can employ as part of their risk management plan is to conduct periodic third-party risk assessments. In this method, a company would contract with a third party experienced in conducting risk assessments, and have them perform one (or more) for the organization. Third-party risk assessments can be immensely helpful for the new risk management team or for a mature risk management team that wants a new perspective on their program. 

Generally, third-party risk assessments result in a report of risks, findings, and recommendations. In some cases, a third-party provider may also be able to help draft or provide input into your risk register. As external resources, third-party risk assessors can bring their experience and opinions to your organization, leading to insights and discoveries that may not have been found without an independent set of eyes.

Components of an Effective Risk Management Plan

An effective risk management plan has buy-in from leadership and key stakeholders; applies the risk management steps; has good documentation; and is actionable. Buy-in from management often determines whether a risk management function is successful or not, since risk management requires resources to conduct risk assessments, risk identification, risk mitigation, and so on. Without leadership buy-in, risk management teams may end up just going through the motions without the ability to make an impact. Risk management plans should be integrated into organizational strategy, and without stakeholder buy-in, that typically does not happen. 

Applying the risk management methodology is another key component of an effective plan. That means the six steps outlined above should be incorporated into a company’s risk management lifecycle. Identifying and analyzing risks, establishing controls, allocating resources, conducting mitigation, and monitoring and reporting on findings form the foundations of good risk management.

Good documentation is another cornerstone of effective risk management. Without a risk register recording all of a company’s identified risks and accompanying scores and mitigation strategies, there would be little for a risk team to act on. Maintaining and updating the risk register should be a priority for the risk team — risk management software can help here, providing users with a dashboard and collaboration mechanism.

Last but not least, an effective risk management plan needs to be actionable. Any activities that need to be completed for mitigating risks or establishing controls should be feasible for the organization and have resources allocated to them. An organization can come up with the best possible, best practice risk management plan, but find it completely unactionable because they don’t have the capabilities, technology, funds, and/or personnel to do so. It’s all well and good to recommend that cybersecurity risks be mitigated by setting up a 24/7 continuous monitoring Security Operations Center (SOC), but if your company only has one IT person on staff, that may not be a feasible action plan.

Executing on an effective risk management plan necessitates having the right people, processes, and technology in place. Sometimes the challenges involved with running a good risk management program are mundane — such as disconnects in communication, poor version control, and multiple risk registers floating around. Risk management software can provide your organization with a unified view of the company’s risks, a repository for storing and updating key documentation like a risk register, and a space to collaborate virtually with colleagues to check on risk mitigation efforts or coordinate on risk assessments. Get started building your ideal risk management plan today!

Emily Villanueva, MBA, is a Senior Manager of Product Solutions at AuditBoard. Emily joined AuditBoard from Grant Thornton, where she provided consulting services specializing in SOX compliance, internal audit, and risk management. She also spent 5 years in the insurance industry specializing in SOX/ICFR, internal audits, and operational compliance. Connect with Emily on LinkedIn.

Case Study: Companies Excelling in Risk Management

In the modern business landscape, navigating uncertainties and pitfalls is essential for sustainable growth and longevity. Effective risk management emerges as a shield against potential threats – and it also unlocks opportunities for innovation and advancement. In this article, we will explore risk management and its significance and criteria for excellence. We will also examine case studies of two companies that have excelled in this domain. Through these insights, we aim to glean valuable lessons and best practices. As such, businesses across diverse industries can fortify their risk management frameworks.

The Significance of Risk Management

Risk management is vital for the sustenance and prosperity of companies, regardless of their size or industry. At its core, it is the identification, assessment and mitigation of potential risks that may impede organisational objectives or lead to adverse outcomes. Having a robust risk management approach means businesses can safeguard their assets, reputation and bottom line. 

The statistics are somewhat alarming. According to research, 69% of executives are not confident with their current risk management policies and practices. What’s more, only 36% of organisations have a formal enterprise risk management (ERM) programme.

Proactive risk management isn’t just a defensive measure; rather, it is necessary for sustainability and growth. With 62% of organisations experiencing a critical risk event in the last three years, it is important to be proactive. By identifying and addressing potential risks, organisations can become more resilient to external shocks and internal disruptions. This means they’re better able to survive through difficult times and maintain operational continuity. Moreover, a proactive stance enables companies to seize strategic advantages. It allows them to innovate, expand into new markets and capitalise on emerging trends with confidence.

Criteria for Excellence in Risk Management

Achieving excellence in risk management means adhering to several key criteria:  

  • Ability to Identify Risks: Exceptional risk management begins with identifying potential risks comprehensively. This involves a thorough understanding of both internal and external factors that could impact the organisation. It includes market volatility, regulatory changes, cybersecurity threats and operational vulnerabilities.
  • Assessment of Risks: Once identified, risks must be assessed to gauge their potential impact and likelihood of occurrence. This involves using risk assessment methodologies like quantitative analysis, scenario planning and risk heat mapping, to prioritise risks based on their severity and urgency.
  • Mitigation Strategies and Control Measures: Effective risk management relies on proactive mitigation strategies to minimise the likelihood of risk occurrence and mitigate its potential impact. This may involve implementing control measures, diversifying risk exposure, investing in risk transfer mechanisms such as insurance and enhancing resilience through business continuity planning.
  • Adaptability to Change: Organisations need to be ready to adapt to emerging risks and changing circumstances. This requires a culture of continuous learning and improvement. This means lessons are learned from past experiences to enhance risk management practices and anticipate future challenges.
  • Leadership Commitment: Effective leaders demonstrate a clear understanding of the importance of risk management. They know how to allocate adequate resources, support and incentives to prioritise risk management initiatives.
  • Strong Risk Culture: A strong risk culture permeates every level of the organisation. This involves a mindset where risk management is viewed as everyone’s responsibility.
  • Robust Risk Management Frameworks: Finally, excellence in risk management requires robust frameworks and processes to guide risk identification, assessment and mitigation efforts. This includes defining clear roles and responsibilities, implementing effective governance structures and leveraging technology and data analytics to enhance risk visibility and decision-making.

Company A: Case Study in Risk Management Excellence

Now, let’s take a look at a case study that highlights risk management excellence in practice.

ApexTech Solutions is a company known for its exemplary risk management practices. Founded in 2005 by visionary entrepreneur Sarah Lawson, ApexTech began as a small start-up in the tech industry. It specialises in software development and IT consulting services. 

Over the years, under Lawson’s leadership, the company expanded its offerings and diversified into various sectors, including cybersecurity solutions, cloud computing and artificial intelligence. Today, ApexTech is a prominent player in the global technology market, serving clients ranging from small businesses to Fortune 500 companies.

Risk management strategies and successes

ApexTech’s journey to risk management excellence can be attributed to several key strategies and initiatives:

  • Comprehensive Risk Assessment: ApexTech conducts regular and thorough risk assessments to identify potential threats and vulnerabilities across its operations.
  • Investment in Technology and Innovation: ApexTech prioritises investments in cutting-edge technologies such as AI-driven analytics, predictive modelling and threat intelligence solutions.
  • Customer-Centric Approach: ApexTech tailors its risk management solutions to meet specific needs and preferences. This fosters trust and long-term partnerships.
  • Cybersecurity Measures: ApexTech has made cybersecurity a top priority. The company employs a multi-layered approach to cybersecurity to mitigate the risk of cyberattacks.
  • Continual Improvement and Adaptation: ApexTech fosters a culture of continual improvement and adaptation. The company encourages feedback and collaboration among employees at all levels so they can identify areas for improvement and implement solutions to mitigate risks effectively.

By proactively identifying and addressing operational risks, such as supply chain disruptions and regulatory compliance challenges, ApexTech has maintained operational continuity and minimised potential disruptions to its business operations.

ApexTech Solutions serves as a compelling example of a company that has excelled in risk management by embracing proactive strategies, leveraging advanced technologies and fostering a culture of innovation and adaptation.

Company B: Case Study in Risk Management Excellence

TerraSafe Pharmaceuticals is a renowned company in the pharmaceutical industry, dedicated to developing and manufacturing innovative medications to improve global health outcomes. Established in 1998 by Dr Elena Chen, TerraSafe initially focused on the production of generic drugs to address critical healthcare needs. 

Over the years, the company has expanded its portfolio to include novel biopharmaceuticals and speciality medications.

TerraSafe Pharmaceuticals has a holistic approach to identifying, assessing and mitigating risks across its operations:

  • Rigorous Quality Assurance Standards: TerraSafe prioritises stringent quality assurance measures throughout the drug development and manufacturing process. This ensures product safety, efficacy and compliance with regulatory requirements.
  • Investment in Research and Development (R&D): TerraSafe allocates significant resources to research and development initiatives. These are aimed at advancing scientific knowledge and discovering breakthrough therapies. With its culture of innovation and collaboration, the company mitigates the risk of product obsolescence.
  • Regulatory Compliance and Risk Monitoring: TerraSafe maintains a dedicated regulatory affairs department. This team stays abreast of evolving regulatory requirements and industry standards. They monitor regulatory changes proactively and engage with regulatory authorities to ensure timely compliance with applicable laws and standards. This reduces the risk of non-compliance penalties and legal disputes.
  • Supply Chain Resilience: TerraSafe works closely with its suppliers and logistics partners to assess and mitigate supply chain risks like raw material shortages, transportation disruptions and geopolitical instability. It implements contingency planning and diversification of sourcing strategies.
  • Focus on Patient Safety and Ethical Practices: The company adheres to stringent ethical guidelines and clinical trial protocols to protect patient welfare and maintain public trust in its products and services.

By investing in R&D and adhering to rigorous quality assurance standards, TerraSafe has successfully developed and commercialised several breakthrough medications that address unmet medical needs and improve patient outcomes. What’s more, the company’s proactive approach to regulatory compliance has facilitated the timely approval and market authorisation of its products in key global markets. This has enabled the company to expand its geographic footprint and reach new patient populations.

Key Takeaways and Best Practices

Despite being in different industries, both companies share similarities. Both ApexTech and TerraSafe Pharmaceuticals know the importance of proactive risk management. They have procedures in place that work to identify, assess and mitigate risks before they escalate. What’s more, both companies are led by visionary leaders who set the tone for decision-making. They prioritise building a strong risk culture with all employees knowing their role in risk management.

Best practices and strategies employed

  • Conducting Regular Risk Assessments: Both companies conduct regular and comprehensive risk assessments to identify potential threats and vulnerabilities across their operations.
  • Investing in Training and Education: Both invest in training and education programmes so that employees are equipped with the knowledge and skills necessary to identify and manage risks effectively. Employees at all levels contribute to risk management efforts.
  • Collaboration and Communication: Both companies know the importance of collaboration and communication in risk management. They create channels for open dialogue and information sharing. Stakeholders collaborate on risk identification, assessment and mitigation efforts.
  • Continual Improvement: Both companies have a culture of continual improvement. They encourage feedback and innovation to adapt to changing circumstances and emerging risks.
  • Tailored Risk Management Approaches: Both companies develop customised risk management frameworks and strategies that align with their objectives and priorities.

Emerging Trends in Risk Management

One of the most prominent trends in risk management is the increasing integration of technology into risk management processes. Advanced technologies such as artificial intelligence (AI), machine learning and automation are revolutionising risk assessment, prediction and mitigation. These technologies mean companies can analyse vast amounts of data in real time. This allows them to identify patterns and trends and predict potential risks more accurately.

Data analytics is another key trend reshaping risk management practices. Companies are leveraging big data analytics tools and techniques to gain deeper insights. By analysing historical data and real-time information, they can identify emerging risks, detect anomalies and make more informed risk management decisions.

Cybersecurity risks have become a major concern. Threats such as data breaches, ransomware attacks and phishing scams pose significant risks to companies’ data, operations and reputation. Companies are investing heavily in cybersecurity measures and adopting proactive approaches to protect their digital assets and mitigate cyber risks.

Companies are integrating global risk management into their overall risk management strategy too. They are monitoring global developments, assessing the impact of global risks on their business operations and developing contingency plans.

The Role of Leadership

Leadership plays a pivotal role in shaping organisational culture and driving initiatives that promote risk management excellence. Effective leaders not only recognise the importance of risk management but also actively champion its integration into the fabric of the organisation. Effective leaders:

  • Set the Tone: Leaders set the tone by articulating a clear vision and commitment to risk management from the top down.
  • Lead by Example: Leaders demonstrate their own commitment to risk management through their actions and decisions.
  • Empower Employees: Leaders empower employees at all levels to actively participate in risk management efforts. They encourage employees to voice their concerns and contribute.
  • Provide Resources and Support: Effective leaders invest in training and development programmes to enhance employees’ risk management skills and knowledge.
  • Encourage Innovation: Leaders encourage employees to think creatively and experiment with new approaches to risk management.
  • Promote Continuous Improvement: Leaders create opportunities for reflection and evaluation to identify areas for improvement and drive learning.

Encouraging a Risk-Aware Culture

For organisations to identify, assess and mitigate risks at all levels effectively, they need to encourage a risk-aware culture. Here are some tips for encouraging a risk-aware culture:

Communication and transparency:

  • Encourage open communication channels where employees feel comfortable discussing risks and raising concerns.
  • Provide regular updates on the organisation’s risk landscape, including emerging risks and mitigation strategies.
  • Foster transparency in decision-making processes, particularly regarding risk-related decisions.

Education and training:

  • Provide comprehensive training programmes on risk management principles, processes and tools for employees at all levels.
  • Offer specialised training sessions on specific risk areas relevant to employees’ roles and responsibilities.
  • Incorporate real-life case studies and examples to illustrate the importance of risk awareness and effective risk management.

Empowerment and ownership:

  • Empower employees to take ownership of risk management within their respective areas of expertise.
  • Encourage employees to identify and assess risks in their day-to-day activities and propose mitigation strategies.
  • Recognise and reward employees who demonstrate proactive risk awareness and contribute to effective risk management practices.

Integration into performance management:

  • Include risk management objectives and key performance indicators (KPIs) in employee performance evaluations.
  • Link performance bonuses or incentives to successful risk management outcomes and adherence to risk management protocols.
  • Provide feedback and coaching to employees on their risk management performance, highlighting areas for improvement and best practices.

Challenges in Risk Management

Challenges in risk management are inevitable, even for companies excelling in this domain. Despite their proactive efforts, all organisations encounter obstacles that can impede their risk management practices. Here are some common challenges and strategies for addressing them:

Complexity and interconnectedness:

  • Challenge: The modern business environment is increasingly complex and interconnected, making it challenging for organisations to anticipate and mitigate all potential risks comprehensively.
  • Strategy: Implement a holistic risk management approach that considers both internal and external factors impacting the organisation. Create cross-functional collaboration and information sharing to gain a comprehensive understanding of risks across departments and business units.

Rapidly evolving risks:

  • Challenge: Risks are constantly evolving due to technological advancements, regulatory changes and global events such as pandemics or geopolitical shifts. Organisations may struggle to keep pace with emerging risks and adapt their risk management strategies accordingly.
  • Strategy: Stay informed about emerging trends and developments that may impact the organisation’s risk landscape. Maintain flexibility and agility in risk management processes to respond promptly to new challenges.

Resource constraints:

  • Challenge: Limited resources, including budgetary constraints and staffing limitations, can hinder organisations’ ability to invest adequately in risk management initiatives and tools.
  • Strategy: Prioritise risk management activities based on their potential impact on organisational objectives and allocate resources accordingly. Leverage technology and automation to streamline risk management processes and maximise efficiency.

Compliance and regulatory burden:

  • Challenge: Meeting regulatory requirements and compliance standards can be burdensome and complex.
  • Strategy: Stay abreast of regulatory developments and ensure compliance with applicable laws and regulations. Implement robust governance frameworks and internal controls to demonstrate regulatory compliance and mitigate legal and reputational risks. Invest in compliance training and education for employees.

Human factors and behavioural biases:

  • Challenge: Human factors such as cognitive biases, organisational politics and resistance to change can undermine effective risk management practices, leading to decision-making errors and oversight of critical risks.
  • Strategy: Raise awareness about common cognitive biases and behavioural tendencies that may influence risk perception and decision-making. Create a culture of psychological safety where employees feel comfortable challenging assumptions and raising concerns about potential risks.

Conclusion: Striving for Excellence

In this article, we have explored the importance of effective risk management for businesses. We have delved into the criteria for excellence in risk management, showcasing companies such as ApexTech Solutions and TerraSafe Pharmaceuticals that exemplify these principles through their proactive strategies and robust frameworks.

From embracing technology and fostering a culture of innovation to prioritising regulatory compliance and empowering employees, these companies have demonstrated remarkable achievements in navigating complex risk landscapes and achieving sustainable success.

However, it’s essential to recognise that even companies excelling in risk management face challenges. By acknowledging these and implementing strategies to address them, organisations can enhance their resilience and effectiveness in managing risks over the long term.

About the author

Louise Woffindin

Louise is a writer and translator from Sheffield. Before turning to writing, she worked as a secondary school language teacher. Outside of work, she is a keen runner and also enjoys reading and walking her dog Chaos.

  • Open access
  • Published: 24 May 2024

Beyond probability-impact matrices in project risk management: A quantitative methodology for risk prioritisation

  • F. Acebes¹ (ORCID: orcid.org/0000-0002-4525-2610),
  • J. M. González-Varona²,
  • A. López-Paredes² &
  • J. Pajares¹

Humanities and Social Sciences Communications, volume 11, Article number: 670 (2024)

  • Business and management

The project managers who deal with risk management are often faced with the difficult task of determining the relative importance of the various sources of risk that affect the project. This prioritisation is crucial to direct management efforts to ensure higher project profitability. Risk matrices are widely recognised tools by academics and practitioners in various sectors to assess and rank risks according to their likelihood of occurrence and impact on project objectives. However, the existing literature highlights several limitations of using the risk matrix. In response to the weaknesses of its use, this paper proposes a novel approach for prioritising project risks. Monte Carlo Simulation (MCS) is used to perform a quantitative prioritisation of risks with the simulation software MCSimulRisk. Together with the definition of project activities, the simulation includes the identified risks by modelling their probability and impact on cost and duration. With this novel methodology, a quantitative assessment of the impact of each risk is provided, as measured by the effect that it would have on project duration and its total cost. This allows the differentiation of critical risks according to their impact on project duration, which may differ if cost is taken as a priority objective. This proposal is interesting for project managers because they will, on the one hand, know the absolute impact of each risk on their project duration and cost objectives and, on the other hand, be able to discriminate the impacts of each risk independently on the duration objective and the cost objective.

Introduction

The European Commission (2023) defines a project as a temporary organizational structure designed to produce a unique product or service according to specified constraints, such as time, cost, and quality. As projects are inherently complex, they involve risks that must be effectively managed (Naderpour et al. 2019). However, achieving project objectives can be challenging due to unexpected developments, which often disrupt plans and budgets during project execution and lead to significant additional costs. The Standish Group (2022) notes that managing project uncertainty is of paramount importance, which renders risk management an indispensable discipline. Its primary goal is to identify a project’s risk profile and communicate it by enabling informed decision making to mitigate the impact of risks on project objectives, including budget and schedule adherence (Creemers et al. 2014).

Several methodologies and standards include a specific project risk management process (Axelos, 2023; European Commission, 2023; Project Management Institute, 2017; International Project Management Association, 2015; Simon et al. 1997), and there are even specific standards and guidelines for it (Project Management Institute, 2019, 2009; International Organization for Standardization, 2018). Despite the differences in naming each phase or process that forms part of the risk management process, they all integrate risk identification, risk assessment, planning a response to the risk, and implementing this response. Apart from all this, a risk monitoring and control process is included. The “Risk Assessment” process comprises, in turn, risk assessments by qualitative methods and quantitative risk assessments.

A prevalent issue in managing project risks is identifying the significance of different sources of risks to direct future risk management actions and to sustain the project’s cost-effectiveness. For many managers busy with problems all over the place, one of the most challenging tasks is to decide which issues to work on first (Ward, 1999) or, in other words, which risks need to be paid more attention to avoid deviations from project objectives.

Given the many sources of risk and the impossibility of comprehensively addressing them, it is natural to prioritise identified risks. This process can be challenging because determining in advance which ones are the most significant factors, and how many risks merit detailed monitoring on an individual basis, can be complicated. Any approach that facilitates this prioritisation task, especially if it is simple, will be welcomed by those willing to use it (Ward, 1999).

Risk matrices emerge as established familiar tools for assessing and ranking risks in many fields and industry sectors (Krisper, 2021; Qazi et al. 2021; Qazi and Simsekler, 2021; Monat and Doremus, 2020; Li et al. 2018). They are now so commonplace that everyone accepts and uses them without questioning them, along with their advantages and disadvantages. Risk matrices use the likelihood and potential impact of risks to inform decision making about prioritising identified risks (Proto et al. 2023). The methods that use the risk matrix confer higher priority to those risks in which the product of their likelihood and impact is the highest.

However, the probability-impact matrix has severe limitations (Goerlandt and Reniers, 2016; Duijm, 2015; Vatanpour et al. 2015; Ball and Watt, 2013; Levine, 2012; Cox, 2008; Cox et al. 2005). The main criticism levelled at this methodology is its failure to consider the complex interrelations between various risks and use precise estimates for probability and impact levels. Since then, increasingly more academics and practitioners are reluctant to resort to risk matrices (Qazi et al. 2021).

Motivated by the drawbacks of using risk matrices or probability-impact matrices, the following research question arises: Is it possible to find a methodology for project risk prioritisation that overcomes the limitations of the current probability-impact matrix?

To answer this question, this paper proposes a methodology based on Monte Carlo Simulation that avoids using the probability-impact matrix and allows us to prioritise project risks by evaluating them quantitatively, and by assessing the impact of risks on project duration and the cost objectives. With the help of the ‘MCSimulRisk’ simulation software (Acebes et al. 2024; Acebes et al. 2023), this paper determines the impact of each risk on project duration objectives (quantified in time units) and cost objectives (quantified in monetary units). In this way, with the impact of all the risks, it is possible to establish their prioritisation based on their absolute (and not relative) importance for project objectives. The methodology allows quantified results to be obtained for each risk by differentiating between the project duration objective and its cost objective.

This methodology also gives the ‘Risk Assessment’ process cohesion and meaning. This process forms part of the general Risk Management process and is divided into two subprocesses: qualitative and quantitative risk analyses (Project Management Institute, 2017). Although Monte Carlo simulation is widely used in project risk assessments (Tong et al. 2018; Taroun, 2014), as far as we know, the literature still does not contain references that use the data obtained in a qualitative analysis (data related to the probability and impact of each identified risk) to perform a quantitative risk analysis integrated into the project model. Only one research line by A. Qazi (Qazi et al. 2021; Qazi and Dikmen, 2021; Qazi and Simsekler, 2021) appears, where the authors propose a risk indicator with which they determine the level of each identified risk that concerns the established threshold. Similarly, Krisper (2021) applies the qualitative data of risk factors to construct probability functions, but once again falls into the error of calculating the expected value of the risk for risk prioritisation. In contrast, the novelty proposed in this study incorporates into the project simulation model all the identified risks characterised by their probability and impact values, as well as the set of activities making up the project.

In summary, instead of the traditional risk prioritisation method to qualitatively estimate risk probabilities and impacts, we model probabilities and impacts (duration and cost) at the activity level as distribution functions. When comparing both methods (traditional vs. our proposal), the risk prioritisation results are entirely different and lead to a distinct ranking.

From this point, and to achieve our purpose, the article is organised as follows. The “Literature review” section summarises the relevant literature related to the research. The “Methodology” section describes the suggested methodology. The “Case study” section presents the case study used to show how to apply the presented method before discussing the obtained results. Finally, the “Conclusions” section draws conclusions about the proposed methodology and identifies the future research lines that can be developed from it.

Literature review

This section presents the literature review on risk management processes and probability-impact matrices to explain where this study fits into existing research. This review allows us to establish the context where our proposal lies in integrated risk management processes. Furthermore, it is necessary to understand the reasons for seeking alternatives to the usual well-known risk matrices.

Risk management methodologies and standards

It is interesting to start with the definition of ‘Risk’ because it is a term that is not universally agreed on, even by different standards and norms. Thus, for example, the International Organization for Standardization (2018) defines it as “the effect of uncertainty on objectives”, while the Project Management Institute (2021) defines it as “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives”. This paper adopts the definition of risk proposed by Hillson (2014), who uses a particular concept: “risk is uncertainty that matters”. It matters because it affects project objectives and only the uncertainties that impact the project are considered a ‘risk’.

Other authors (Elms, 2004; Frank, 1999) identify two uncertainty categories: aleatoric, characterised by variability and the presence of a wide range of possible values; epistemic, which arises due to ambiguity or lack of complete knowledge. Hillson (2014) classifies uncertainties into four distinct types: aleatoric, due to the reliability of activities; stochastic, recognised as a risk event or a possible future event; epistemic, also due to ambiguity; ontological, that which we do not know (black swan). Except for ontological uncertainty, which cannot be modelled due to absolute ignorance of risk, the other identified uncertainties are incorporated into our project model. For this purpose, the probability and impact of each uncertainty are modelled as distribution functions to be incorporated into Monte Carlo simulation.

A risk management process involves analysing the opportunities and threats that can impact project objectives, followed by planning appropriate actions for each one. This process aims to maximise the likelihood of opportunities occurring and to minimise the likelihood of identified threats materialising.

Although it is true that different authors have proposed their particular way of understanding project risk management (Kerzner, 2022; Hillson and Simon, 2020; Chapman and Ward, 2003; Chapman, 1997), we wish to look at the principal methodologies, norms and standards in project management used by academics and practitioners to observe how they deal with risk (Axelos, 2023; European Commission, 2023; International Organization for Standardization, 2018; Project Management Institute, 2017; International Project Management Association, 2015) (Table 1).

Table 1 shows the main subprocesses making up the overall risk management process from the point of view of each different approach. All the aforementioned approaches contain a subprocess related to risk assessment. Some of these approaches develop the subprocess by dividing it into two parts: qualitative assessment and quantitative assessment. Individual project risks are ranked for further analyses or action with a qualitative assessment by evaluating the probability of their occurrence and potential impact. A quantitative assessment involves performing a numerical analysis of the joint effect of the identified individual risks and additional sources of uncertainty on the overall project objectives (Project Management Institute, 2017). In turn, all these approaches propose the probability-impact or risk matrix as a technique or tool for prioritising project risks.

Within this framework, a ranking of risks by a quantitative approach applies as opposed to the qualitative assessment provided by the risk matrix. To do so, we use estimates of the probability and impact associated with each identified risk. The project model includes these estimates to determine the absolute value of the impact of each risk on time and cost objectives.

Probability-impact matrix

The risk matrix, or probability-impact matrix, is a tool included in the qualitative analysis for risk management and used to analyse, visualise and prioritise risks to make decisions on the resources to be employed to combat them (Goerlandt and Reniers, 2016; Duijm, 2015). Its well-established use appears in different sectors, ranging from the construction industry (Qazi et al. 2021), oil and gas industries (Thomas et al. 2014), to the healthcare sector (Lemmens et al. 2022), engineering projects (Koulinas et al. 2021) and, of course, project management (International Organization for Standardization, 2019; Li et al. 2018).

In a table, the risk matrix represents the probability (usually on the vertical axis of the table) and impact (usually on the horizontal axis) categories (Ale et al. 2015). These axes are further divided into different levels so that risk matrices of 3 × 3 levels are found with three levels set for probability and three others to define impact, 5 × 5, or even more levels (Duijm, 2015; Levine, 2012; Cox, 2008). The matrix classifies risks into different risk categories, normally labelled with qualitative indicators of severity (often colours like “Red”, “Yellow” and “Green”). This classification combines each likelihood level with every impact level in the matrix (see an example of a probability-impact matrix in Fig. 1).

Figure 1: Probability-impact matrix. An example of use.

There are three different risk matrix typologies based on the categorisation of likelihood and impact: qualitative, semiquantitative, and quantitative. Qualitative risk matrices provide descriptive assessments of probability and consequence by establishing categories as “low,” “medium” or “high” (based on the matrix’s specific number of levels). In contrast, semiquantitative risk matrices represent the input categories by ascending scores, such as 1, 2, or 3 (in a 3 × 3 risk matrix), where higher scores indicate a stronger impact or more likelihood. Finally, in quantitative risk matrices, each category receives an assignment of numerical intervals corresponding to probability or impact estimates. For example, the “Low” probability level is associated with a probability interval [0.1 0.3] (Li et al. 2018).

Qualitative matrices classify risks according to their potential hazard, depending on where they fit into the matrix. The risk level is defined by the “colour” of the corresponding cell (in turn, this depends on the probability and impact level), with risks classified with “red” being the most important and the priority ones to pay attention to, but without distinguishing any risks in the different cells of the same colour. In contrast, quantitative risk matrices make it possible to classify risks according to their risk level (red, yellow, or green) and to prioritise each risk in the same colour by indicating which is the most important. Each cell is assigned a colour and a numerical value, usually the product of the value assigned to the probability level and the value assigned to the impact level (Risk = probability × impact).

Risk matrix use is frequent, partly due to its simple application and easy construction compared to alternative risk assessment methods (Levine, 2012). Risk matrices offer a well-defined structure for carrying out a methodical risk assessment, provide a practical justification for ranking and prioritising risks, visually and attractively inform stakeholders, among other reasons (Talbot, 2014; Ball and Watt, 2013).

However, many authors identify problems in using risk matrices (Monat and Doremus, 2020; Peace, 2017; Levine, 2012; Ni et al. 2010; Cox, 2008; Cox et al. 2005), and even the International Organization for Standardization (2019) indicates some drawbacks. The most critical problems identified in using risk matrices for strategic decision-making are that risk matrices can be inaccurate when comparing risks and they sometimes assign similar ratings to risks with significant quantitative differences. In addition, there is the risk of giving excessively high qualitative ratings to risks that are less serious from a quantitative perspective. This can lead to suboptimal decisions, especially when threats have negative correlations in frequency and severity terms. Such lack of precision can result in inefficient resource allocation because such decisions cannot be based solely on the categories provided by risk matrices. Furthermore, the categorisation of the severity of consequences is subjective in uncertainty situations, and the assessment of probability, impact and risk ratings very much depends on subjective interpretations, which can lead to discrepancies between different users when assessing the same quantitative risks.

Given this background, several authors propose solutions to the posed problems. Goerlandt and Reniers (2016) review previous works that have attempted to respond to the problems identified with risk matrices. For example, Markowski and Mannan (2008) suggest using fuzzy sets to consider imprecision in describing ordinal linguistic scales. Subsequently, Ni et al. (2010) propose a methodology that employs probability and consequence ranks as independent score measures. Levine (2012) puts forward the use of logarithmic scales on probability and impact axes. Menge et al. (2018) recommend utilising untransformed values as scale labels due to experts’ misunderstanding of logarithmic scales. Ruan et al. (2015) suggest an approach that considers decision makers’ risk aversion by applying the utility theory.

Other authors, such as Duijm (2015), propose a continuous probability consequence diagram as an alternative to the risk matrix, and employing continuous scales instead of categories. They also propose utilising more comprehensive colour ranges in risk matrices whenever necessary to prioritise risks and to not simply accept them. In contrast, Monat and Doremus (2020) put forward a new risk prioritisation tool. Alternatively, Sutherland et al. (2022) suggest changing matrix size by accommodating cells’ size to the risk’s importance. Even Proto et al. (2023) recommend avoiding colour in risk matrices so that the provided information is unbiased due to the bias that arises when using coloured matrices.

By bearing in mind the difficulties presented by the results offered by risk matrices, we propose a quantitative method for risk prioritisation. We use qualitative risk analysis data by maintaining the estimate of the probability of each risk occurring and its potential impact. Nevertheless, instead of entering these data into the risk matrix, our project model contains them for Monte Carlo simulation. As a result, we obtain a quantified prioritisation of each risk that differentiates the importance of each risk according to the impact on cost and duration objectives.

Methodology

Figure 2 depicts the proposed method for prioritising project risks using quantitative techniques. At the end of the process, and with the prioritised risks indicating the absolute value of the impact of each risk on the project, the organisation can efficiently allocate resources to the risks identified as the most critical ones.

Figure 2: Quantitative Risk Assessment Flow Chart.

The top of the diagram indicates the risk phases that belong to the overall risk management process. Below them it reflects the steps of the proposed model that would apply in each phase.

The first step corresponds to the project’s “risk identification”. Using the techniques or tools established by the organisation (brainstorming, Delphi techniques, interviews, or others), we obtain a list of the risks (R) that could impact the project objectives (Eq. 1), where m is the number of risks identified in the project.

Next we move on to the “risk estimation” phase, in which a distribution function must be assigned to the probability that each identified risk will appear. We also assign the distribution function associated with the risk’s impact. Traditionally, the qualitative risk analysis defines semantic values (low, medium, high) to assign a level of probability and risk impact. These semantic values are used to evaluate the risk in the probability-impact matrix. Numerical scales apply in some cases, which help to assign a semantic level to a given risk (Fig. 3).

Figure 3. Source: Project Management Institute (2017).

Our proposed model includes the three uncertainty types put forward by Hillson (2014), namely aleatoric, stochastic and epistemic, to identify and assess different risks. Ontological uncertainty is not considered because it goes beyond the limits of human knowledge and cannot, therefore, be modelled (Alleman et al. 2018a).

A risk can have aleatoric uncertainty as regards the probability of its occurrence, and mainly for its impact if its value can fluctuate over a set range due to its variability. This aleatoric risk uncertainty can be modelled using a probability distribution function (PDF), exactly as we do when modelling activity uncertainty (Acebes et al. 2015, 2014). As the risk management team’s (or project management team’s) knowledge of the project increases, and as more information about the risk becomes available, the choice of the PDF (normal, triangular, beta, among others) and its parameters become more accurate.

A standard definition of risk is “an uncertain event that, if it occurs, may impact project objectives” (Project Management Institute, 2017). A risk, if defined according to the above statement, perfectly matches the stochastic uncertainty definition proposed by Hillson (2014). Moreover, one PDF that adequately models this type of uncertainty is a Bernoulli distribution function (Vose, 2008). Thus for deterministic risk probability estimates (the same as for risk impact), we model this risk (probability and impact) with a Bernoulli-type PDF that allows us to introduce this type of uncertainty into our simulation model.

Finally, epistemic uncertainties remain to be modelled, such as those about which we do not have absolute information and that arise from a lack of knowledge (Damnjanovic and Reinschmidt, 2020; Alleman et al. 2018b). In this case, risks (in likelihood and impact terms) are classified into different levels, and all these levels are assigned a numerical scale (as opposed to the methodology used in a qualitative risk analysis, where levels are classified with semantic values: “high”, “medium” and “low”).

Epistemic uncertainty is characterised by not precisely knowing the probability of occurrence or the magnitude of a potential impact. Traditionally, this type of risk has been identified with a qualitative term: “Very Low”, “Low”, “Medium”, “High” and “Very High” before using the probability-impact matrix. Each semantic category has been previously defined numerically by identifying every numerical range with a specific semantic value (Bae et al. 2004). For each established range, project managers usually know the limits (upper and lower) between which the risk (probability or impact) can occur. However, they do not know with certainty the value it will take, not even the most probable value within that range. Therefore, we employ a uniform probability function to model epistemic uncertainty (i.e., by assuming that the probability of risk occurrence lies within an equiprobable range of values). Probabilistic representations of uncertainty have been successfully employed with uniform distributions to characterise uncertainty when knowledge is sparse or absent (Curto et al. 2022; Vanhoucke, 2018; Helton et al. 2006).

The choice of the number and range of each level should be subject to a thorough analysis and consideration by the risk management team. As each project is unique, there are ranges within which this type of uncertainty can be categorised. Different ranges apply to assess likelihood and impact. Furthermore for impact, further subdivision helps to distinguish between impact on project duration and impact on project costs. For example, when modelling probability, we can set five probability levels corresponding to intervals: [0 0.05], [0.05 0.2], [0.2 0.5], and so on. With the time impact, for example, on project duration, five levels as follows may apply: [0 1], [1 4], [4 12], …. (measured in weeks, for example).

Modelling this type of uncertainty requires the risk management team’s experience, the data stored on previous projects, and constant consultation with project stakeholders. The more project knowledge available, the more accurate the proposed model is for each uncertainty, regardless of it lying in the number of intervals, their magnitude or the type of probability function (PDF) chosen to model that risk.

Some authors propose using uniform distribution functions to model this type of epistemic uncertainty because it perfectly reflects lack of knowledge about the expected outcome (Eldosouky et al. 2014 ; Vose, 2008 ). On the contrary, others apply triangular functions, which require more risk knowledge (Hulett, 2012 ). Following the work by Curto et al. ( 2022 ), we employ uniform distribution functions.

As a result of this phase, we obtain the model and the parameters that model the distribution functions of the probability ( P ) and impact ( I ) of each identified risk in the previous phase (Eq. 2 ).

Once the risks identified in the project have been defined and their probabilities and impacts modelled, we move on to “quantitative risk prioritisation”. We start by performing MCS on the planned project model by considering only the aleatoric uncertainty of activities. In this way, we learn the project’s total duration and cost, which is commonly done in a Monte Carlo analysis. In Monte Carlo Methods (MCS), expert judgement and numerical methods are combined to generate a probabilistic result through a simulation routine (Ammar et al. 2023). This mathematical approach is noted for its ability to analyse uncertain scenarios from a probabilistic perspective. MCS have been recognised as outperforming other methods due to their accessibility, ease of use and simplicity. MCS also allow the analysis of opportunities, uncertainties, and threats (Al-Duais and Al-Sharpi, 2023). This technique can be invaluable to risk managers and helpful for estimating project durations and costs (Ali Elfarra and Kaya, 2021).

As inputs to the simulation process, we include defining project activities (duration, cost, precedence relationship). We also consider the risks identified in the project, which are those we wish to prioritise and to obtain a list ordered by importance (according to their impact on not only duration, but also on project cost). The ‘MCSimulRisk’ software application (Acebes, Curto, et al. 2023 ; Acebes, De Antón, et al. 2023 ) allows us to perform MCS and to obtain the main statistics that result from simulation (including percentiles) that correspond to the total project duration ( Tot_Dur ) and to its total cost ( Tot_Cost ) (Eq. 3 ).

Next, we perform a new simulation by including the first of the identified risks (R_1) in the project model, for which we know its probability (P_1) and its impact (I_1). After MCS, we obtain the statistics corresponding to this simulation ([Tot_Dur_1, Tot_Cost_1]). We repeat the same operation with each identified risk (R_i, i = 1, …, m) and obtain the main statistics corresponding to each simulation (Eq. 4).

Once all simulations (the same number as risks) have been performed, we must choose a confidence percentile to calculate risk prioritisation (Rezaei et al. 2020 ; Sarykalin et al. 2008 ). Given that the total duration and cost results available to us, obtained by MCS, are stochastic and have variability (they are no longer constant or deterministic), we must choose a percentile (α) that conveys the risk appetite that we are willing to assume when calculating. Risk appetite is “ the amount and type of risk that an organisation is prepared to pursue, retain or take ” (International Organization for Standardization, 2018 ).

A frequently employed metric for assessing risk in finance is the Value at Risk (VaR) (Caron, 2013 ; Caron et al. 2007 ). In financial terms, it is traditional to choose a P95 percentile as risk appetite (Chen and Peng, 2018 ; Joukar and Nahmens, 2016 ; Gatti et al. 2007 ; Kuester et al. 2006 ; Giot and Laurent, 2003 ). However in project management, the P80 percentile is sometimes chosen as the most appropriate percentile to measure risk appetite (Kwon and Kang, 2019 ; Traynor and Mahmoodian, 2019 ; Lorance and Wendling, 2001 ).

Then, after choosing the risk level we are willing to assume, we need to calculate how each risk impacts project duration (Imp_D_Ri) and costs (Imp_C_Ri). To do so, we subtract the original value of the total project expected duration and costs (excluding all risks) from the total duration and costs of the simulation in which we include the risk we wish to quantify (Eq. 5).

Finally, we present these results on two separate lists, one for the cost impact and one for the duration impact, by ranking them according to their magnitude.
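The procedure described in this section (baseline simulation, one simulation per risk, percentile choice, subtraction and ranking) can be sketched as follows. This is an added example, not the MCSimulRisk application or the authors' code; the four-activity network, the three risks and all their numerical ranges are constructed for illustration, and the function names are hypothetical.

```python
import math
import random

# Constructed network, listed in topological order (not the paper's project).
# name: (predecessors, (Min, Mp, Max) duration in days, fixed cost, variable cost per day)
ACTIVITIES = {
    "A": ((), (8, 10, 14), 100.0, 5.0),
    "B": (("A",), (18, 20, 26), 200.0, 8.0),
    "C": (("A",), (5, 6, 8), 150.0, 4.0),
    "D": (("B", "C"), (9, 10, 13), 120.0, 6.0),
}
# Constructed risks. Probability and impact are ranges (epistemic uncertainty),
# so both are drawn from uniform distributions. R1 and R2 share the same
# ranges and would land in the same cell of a probability-impact matrix.
RISKS = {
    "R1": {"activity": "B", "kind": "duration", "p": (0.10, 0.30), "impact": (5, 15)},
    "R2": {"activity": "C", "kind": "duration", "p": (0.10, 0.30), "impact": (5, 15)},
    "R3": {"activity": "D", "kind": "cost", "p": (0.30, 0.50), "impact": (20, 60)},
}


def simulate(risk=None, n=20000, seed=1):
    """Return per-iteration (total durations, total costs), optionally with one risk."""
    act_rng = random.Random(seed)       # identical activity draws in every run
    risk_rng = random.Random(seed + 1)  # separate stream for the risk variables
    durations, costs = [], []
    for _ in range(n):
        # Aleatoric uncertainty: triangular activity durations.
        dur = {name: act_rng.triangular(lo, hi, mp)
               for name, (_, (lo, mp, hi), _, _) in ACTIVITIES.items()}
        extra_cost = 0.0
        if risk is not None:
            prob = risk_rng.uniform(*risk["p"])
            impact = risk_rng.uniform(*risk["impact"])
            if risk_rng.random() < prob:  # Bernoulli occurrence of the risk
                if risk["kind"] == "duration":
                    dur[risk["activity"]] += impact
                else:
                    extra_cost = impact
        # Forward pass: an activity starts when all its predecessors finish.
        finish = {}
        for name, (preds, _, _, _) in ACTIVITIES.items():
            start = max((finish[q] for q in preds), default=0.0)
            finish[name] = start + dur[name]
        durations.append(max(finish.values()))
        costs.append(extra_cost + sum(fc + vc * dur[name]
                                      for name, (_, _, fc, vc) in ACTIVITIES.items()))
    return durations, costs


def percentile(values, alpha):
    """Empirical alpha-percentile (the value not exceeded in a share alpha of runs)."""
    ordered = sorted(values)
    k = min(len(ordered) - 1, max(0, math.ceil(alpha * len(ordered)) - 1))
    return ordered[k]


def prioritise(alpha=0.95, n=20000, seed=1):
    """Impact of each risk at the chosen percentile, and the two rankings."""
    base_d, base_c = simulate(None, n, seed)
    tot_dur, tot_cost = percentile(base_d, alpha), percentile(base_c, alpha)
    imp_d, imp_c = {}, {}
    for name, risk in RISKS.items():
        d, c = simulate(risk, n, seed)
        imp_d[name] = percentile(d, alpha) - tot_dur   # duration impact of this risk
        imp_c[name] = percentile(c, alpha) - tot_cost  # cost impact of this risk
    rank_d = sorted(imp_d, key=imp_d.get, reverse=True)
    rank_c = sorted(imp_c, key=imp_c.get, reverse=True)
    return imp_d, imp_c, rank_d, rank_c


if __name__ == "__main__":
    imp_d, imp_c, rank_d, rank_c = prioritise()
    for r in RISKS:
        print(f"{r}: +{imp_d[r]:.2f} days, +{imp_c[r]:.2f} cost units")
    print("duration ranking:", rank_d, "cost ranking:", rank_c)
```

In this constructed network R2 sits on an activity with ample slack, so it ranks far below R1 on duration despite identical probability and impact ranges, while the duration risk R1 also outranks the pure cost risk R3 on cost.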

In this section, we use a real-life project to illustrate how to apply the proposed method for quantitative risk prioritisation purposes. For this purpose, we choose an engineering, procurement and construction project undertaken in South America and used in the literature by Votto et al. ( 2020a , 2020b ).

Project description

The project used as an application example consists of the expansion of an industrial facility. It covers a wide spectrum of tasks, such as design and engineering work, procurement of machinery and its components, civil construction, installation of all machinery, as well as commissioning and starting up machines (Votto et al. 2020a , 2020b ).

Table 2 details the parameters that we use to define activities. The project comprises 32 activities, divided into three groups: engineering, procurement and construction (EPC). A fictitious initial activity ( Ai ) and a fictitious final activity ( Af ) are included. We employ triangular distribution functions, whose parameters are the minimum value ( Min ), the most probable value ( Mp ) and the maximum value ( Max ), to model the random duration of activities, expressed as days. We divide the cost of each activity in monetary units into a fixed cost ( FC ), independently of activity duration, and the variable cost ( VC ), which is directly proportional to project duration. As activity duration can vary, and the activity cost increases directly with its duration, the total project cost also exhibits random variations.

Under these conditions, the planned project duration is 300 days and has a planned cost of 30,000 (x1000) monetary units. Figure 4 shows the Planned Value Curve of the project.

Figure 4. Planned value curve of the real-life project.

The next step in the methodology (Fig. 2) is to identify the project risks. To do this, the experts’ panel meets and analyses all the project documentation. Based on their personal experience with other similar projects and after consulting all the involved stakeholders, it provides a list of risks (see Table 3).

It identifies 11 risks, of which nine have the potential to directly impact the project duration objective (R1 to R9), while six may impact the cost objective (R10 to R15). The risks that might impact project duration and cost have two assigned codes. We identify the project phase and activity on which all the identified risks may have an impact (Table 3 ).

The next step is to estimate the likelihood and impact of the identified risks (qualitative analysis). Having analysed the project and consulted the involved stakeholders, the team determines the project’s different probability and impact levels (duration and cost). The estimation of these ranges depends on the project budget, the estimated project duration, and the team’s experience in assigning the different numerical values to each range. As a result, the project team is able to construct the probability-impact matrix shown in Fig. 5 .

Figure 5. Estimation of the probability and impact ranges.

Each probability range for risk occurrence in this project is defined. Thus for a very low probability (VL), the assigned probability range is between 0 and 3% probability, for a low level (L), the assigned range lies between 3% and 10% probability of risk occurrence, and so on with the other established probability ranges (medium, high, very high).

The different impact ranges are also defined by differentiating between impacts in duration and cost terms. Thus a VL duration impact is between 0 and 5 days, while the same range (VL) in cost is between 0 and 100 (x1000) monetary units. Figure 5 shows the other ranges and their quantification in duration and cost terms.

The combination of each probability level and every impact level coincides in a cell of the risk matrix (Fig. 5 ) to indicate the risk level (“high”, “medium”, and “low”) according to the qualitative analysis. Each cell is assigned a numerical value by prioritising the risks at the same risk level. This work uses the matrix to compare the risk prioritisation results provided by this matrix to those provided by the proposed quantitative method.

A probability and impact value are assigned to each previously identified risk (Table 3 ). Thus, for example, for the risk called “Interruptions in the supply chain”, coded as R3 for impacting activity 13 duration, we estimate an L probability and a strong impact on duration (H). As this same risk might impact the activity 13 cost, it is also coded as R12, and its impact on cost is estimated as L (the probability is the same as in R3; Table 3 ).

Finally, to conclude the proposed methodology and to prioritise the identified risks, we use the “MCSimulRisk” software application by incorporating MCS (in this work, we employ 20,000 iterations in each simulation). Activities are modelled using triangular distribution functions to incorporate project information into the simulation application. Costs are modelled with fixed and variable costs depending on the duration of the corresponding activity. Furthermore, risks (probability and impact) are modelled by uniform distribution functions. Figure 6 depicts the project network and includes the identified risks that impact the corresponding activities.

Figure 6. Network diagram of the project together with the identified risks.

Results and discussion

In order to obtain the results of prioritising the identified risks, we must specify a percentile that determines our risk aversion. This is the measure by which we quantify the risk. Figure 7 graphically justifies the choice of P95 as a risk measure, as opposed to a lower percentile, which corroborates the view in the literature and appears in Methodology . In Fig. 7 , we plot the probability distribution and cumulative distribution functions corresponding to the total project planned cost, together with the cost impact of one of the risks. The impact caused by the risk on the total cost corresponds to the set of iterations whose total cost is higher than that planned (bottom right of the histogram).

Figure 7. Source: MCSimulRisk.

By choosing P95 as VaR, we can consider the impact of a risk on the project in the measure. In this example, for P95 we obtain a total cost value of 3.12 × 10^7 monetary units. Choosing a lower percentile, e.g. P80, means that the value we can obtain with this choice can be considerably lower (3.03 × 10^7 monetary units), and might completely ignore the impact of the risk on the total project cost. However, project managers can choose the percentile that represents their risk aversion.

Once the percentile on which to quantify the risk is chosen, the “MCSimulRisk” application provides us with the desired results for prioritising project risks (Fig. 8 ). For the chosen percentile (P95), which represents our risk appetite for this project, the planned project duration is 323.43 days. In other words, with a 95% probability the planned project will be completed before 323.43 days. Similarly, the P95 corresponding to cost is 30,339 ×1000 monetary units. The application also provides us with the project duration in the first column of Fig. 8 after incorporating all the identified risks (corresponding to a P95 risk appetite) into the planned project. Column 2 of the same figure shows the project cost after incorporating the corresponding risk into the model.

Figure 8. The first column corresponds to the risks identified. Columns Duration_with_Ri and Cost_with_Ri represent the simulation values, including the corresponding risk. Columns Difference_Duration_with_Ri and Difference_Cost_with_Ri represent the difference in duration and cost of each simulation concerning the value obtained for the chosen percentile. Finally, Ranking_Dur and Ranking_Cost represent the prioritisation of risks in duration and cost, respectively.

With the results in the first two columns (total project duration and cost after incorporating the corresponding risks), and by knowing the planned total project duration and cost (without considering risks) for a given percentile (P95), we calculate the values of the following columns in Fig. 8 . Thus column 3 represents the difference between the planned total project duration value (risk-free) and project duration by incorporating the corresponding risk that we wish to quantify. Column 4 prioritises the duration risks by ranking according to the duration that each risk contributes to the project. Column 5 represents the difference between the planned total project cost (risk-free) and the total project cost by incorporating the corresponding risk. Finally, Column 6 represents the ranking or prioritisation of the project risks according to their impact on cost.

To compare the results provided by the quantitative risk prioritisation method based on MCS that we propose in this paper, we draw up Table 4 with the results provided by the probability-impact matrix (Fig. 5).

The first set of columns in Table 4 corresponds to the implementation of the risk matrix (probability-impact matrix) for the identified risks. The second group of columns represents the prioritisation of risks according to their impact on duration (data obtained from Fig. 8 ). The third group corresponds to the risk prioritisation according to their impact on cost (data obtained from Fig. 8 ).

For the project proposed as an example, we find that risk R3 is the most important one if we wish to control the total duration because it corresponds to the risk that contributes the most duration to the project if it exists. We note that risks R10 to R15 do not impact project duration. If these risks materialise, their contribution to increase (or decrease, as the case may be) project duration is nil.

On the impact on project costs, we note that risk R15 is the most important. It is noteworthy that risk R5 is the fourth most important risk in terms of impact on the total project costs, even though it is initially identified as a risk that impacts project duration. Unlike cost risks (which do not impact the total project duration), the risks that can impact project duration also impact total costs.

We can see that the order of importance of the identified risks differs depending on our chosen method (risk matrix versus quantitative prioritisation). We independently quantify each risk’s impact on the cost and duration objectives. We know not only the order of importance of risks (R3, R5, etc.) but also the magnitude of their impact on the project (which is the absolute delay caused by a risk in duration terms or what is the absolute cost overrun generated by a risk in cost terms). It seems clear that one risk is more important than another, not only because of the estimation of its probability and impact but also because the activity on which it impacts may have a high criticality index or not (probability of belonging to the project’s critical path).

As expected, the contribution to the total duration of the identified risks that impact only cost is zero. The same is not valid for the risks identified to have an impact on duration because the latter also impacts the cost objective. We also see how the risks that initially impact a duration objective are more critical for their impact on cost than others that directly impact the project’s cost (e.g. R5).

Conclusions

The probability-impact matrix is used in project management to identify the risk to which the most attention should be paid during project execution. This paper studies how the risk matrix is adopted by a large majority of standards, norms and methodologies in project management and, at the same time, practitioners and academics recognise it as a fundamental tool in the qualitative risks analysis.

However, we also study how this risk matrix presents particular problems and offers erroneous and contradictory results. Some studies suggest alternatives to its use. Notwithstanding, it continues to be a widely employed tool in the literature by practitioners and academics. Along these lines, with this work we propose an alternative to the probability-impact matrix as a tool to know the most critical risk for a project that can prevent objectives from being fulfilled.

For this purpose, we propose a quantitative method based on MCS, which provides us with numerical results of the importance of risks and their impact on total duration and cost objectives. This proposed methodology offers significant advantages over other risk prioritisation methods and tools, especially the traditional risk matrix. The proposed case study reveals that risk prioritisation yields remarkably different results depending on the selected method, as our findings confirm.

In our case, we obtain numerical values for the impact of risks on total duration and cost objectives, and independently of one another. This result is interesting for project managers because they can focus decision-making on the priority order of risks and the dominant project objective (total duration or total cost) if they do not coincide.

From the obtained results, we find that the risks with an impact on the cost of activities do not influence the total duration result. The risks that impact project duration also impact the total cost target. This impact is more significant than that of a risk that impacts only the activity’s cost. This analysis leads us to believe that this quantitative prioritisation method has incredible potential for academics to extend their research on project risks and for practitioners to use it in the day-to-day implementation of their projects.

The proposed methodology will allow project managers to discover the most relevant project risks so they can focus their control efforts on managing those risks. Usually, implementing risk response strategies might be expensive (control efforts, insurance contracts, preventive actions, or others). Therefore, it is relevant to concentrate only on the most relevant risks. The proposed methodology allows project managers to select the most critical risks by overcoming the problems exhibited by previous methodologies like the probability-impact matrix.

In addition to the above, the risk prioritisation achieved by applying the proposed methodology is based on quantifying the impacts that risks may have on the duration and cost objectives of the project. Finally, we achieve an independent risk prioritisation in duration impact and project cost impact terms. This is important because the project manager can attach more importance to one risk or other risks depending on the priority objective that predominates in the project, the schedule or the total cost.

Undoubtedly, the reliability of the proposed method depends mainly on the accuracy of estimates, which starts by identifying risks and ends with modelling the probability and impact of each risk. The methodology we propose in this paper overcomes many of the problems of previous methodologies, but still has some limitations for future research to deal with. First of all, the results of simulations depend on the estimations of variables (probability distributions and their parameters, risk aversion parameters, etc.). Methodologies for improving estimations are beyond the scope of this research; we assume project teams are sufficiently expert to make rational estimations based on experience and previous knowledge. Secondly, as risks are assumed to be independent, the contribution or effect of a particular risk can be estimated by including it in simulation and by computing its impact on project cost and duration. This is a reasonable assumption for most projects. In some very complex projects, however, risks can be related to one another. Further research should be done to face this situation.

As an additional research line, we plan to conduct a sensitivity study by simulating many different projects to analyse the robustness of the proposed method.

Finally, it is desirable to implement this methodology in real projects and see how it responds to the reality of a project in, for example, construction, industry, or any other sector that requires a precise and differentiated risk prioritisation.

Data availability

Data will be made available on request.

Acebes F, Curto D, De Antón J, Villafáñez, F (2024) Análisis cuantitativo de riesgos utilizando “MCSimulRisk” como herramienta didáctica. Dirección y Organización , 82(Abril 2024), 87–99. https://doi.org/10.37610/dyo.v0i82.662

Acebes F, De Antón J, Villafáñez F, Poza, D (2023) A Matlab-Based Educational Tool for Quantitative Risk Analysis. In IoT and Data Science in Engineering Management (Vol. 160). Springer International Publishing. https://doi.org/10.1007/978-3-031-27915-7_8

Acebes F, Pajares J, Galán JM, López-Paredes A (2014) A new approach for project control under uncertainty. Going back to the basics. Int J Proj Manag 32(3):423–434. https://doi.org/10.1016/j.ijproman.2013.08.003

Acebes F, Pereda M, Poza D, Pajares J, Galán JM (2015) Stochastic earned value analysis using Monte Carlo simulation and statistical learning techniques. Int J Proj Manag 33(7):1597–1609. https://doi.org/10.1016/j.ijproman.2015.06.012

Al-Duais FS, Al-Sharpi RS (2023) A unique Markov chain Monte Carlo method for forecasting wind power utilizing time series model. Alex Eng J 74:51–63. https://doi.org/10.1016/j.aej.2023.05.019

Ale B, Burnap P, Slater D (2015) On the origin of PCDS - (Probability consequence diagrams). Saf Sci 72:229–239. https://doi.org/10.1016/j.ssci.2014.09.003

Ali Elfarra M, Kaya M (2021) Estimation of electricity cost of wind energy using Monte Carlo simulations based on nonparametric and parametric probability density functions. Alex Eng J 60(4):3631–3640. https://doi.org/10.1016/j.aej.2021.02.027

Alleman GB, Coonce TJ, Price RA (2018a) Increasing the probability of program success with continuous risk management. Coll Perform Manag, Meas N. 4:27–46

Alleman GB, Coonce TJ, Price RA (2018b) What is Risk? Meas N. 01(1):25–34

Ammar T, Abdel-Monem M, El-Dash K (2023) Appropriate budget contingency determination for construction projects: State-of-the-art. Alex Eng J 78:88–103. https://doi.org/10.1016/j.aej.2023.07.035

Axelos (2023) Managing Successful Projects with PRINCE2® 7th ed . (AXELOS Limited, Ed.; 7th Ed). TSO (The Stationery Office)

Bae HR, Grandhi RV, Canfield RA (2004) Epistemic uncertainty quantification techniques including evidence theory for large-scale structures. Comput Struct 82(13–14):1101–1112. https://doi.org/10.1016/j.compstruc.2004.03.014

Ball DJ, Watt J (2013) Further thoughts on the utility of risk matrices. Risk Anal 33(11):2068–2078. https://doi.org/10.1111/risa.12057

Caron F (2013) Quantitative analysis of project risks. In Managing the Continuum: Certainty, Uncertainty, Unpredictability in Large Engineering Projects (Issue 9788847052437, pp. 75–80). Springer, Milano. https://doi.org/10.1007/978-88-470-5244-4_14

Caron F, Fumagalli M, Rigamonti A (2007) Engineering and contracting projects: A value at risk based approach to portfolio balancing. Int J Proj Manag 25(6):569–578. https://doi.org/10.1016/j.ijproman.2007.01.016

Chapman CB (1997) Project risk analysis and management– PRAM the generic process. Int J Proj Manag 15(5):273–281. https://doi.org/10.1016/S0263-7863(96)00079-8

Chapman CB, Ward S (2003) Project Risk Management: Processes, Techniques and Insights (John Wiley and Sons, Ed.; 2nd ed.). Chichester

Chen P-H, Peng T-T (2018) Value-at-risk model analysis of Taiwanese high-tech facility construction. J Manag Eng, 34 (2). https://doi.org/10.1061/(asce)me.1943-5479.0000585

Cox LA (2008) What’s wrong with risk matrices? Risk Anal 28(2):497–512. https://doi.org/10.1111/j.1539-6924.2008.01030.x

Cox LA, Babayev D, Huber W (2005) Some limitations of qualitative risk rating systems. Risk Anal 25(3):651–662. https://doi.org/10.1111/j.1539-6924.2005.00615.x

Creemers S, Demeulemeester E, Van de Vonder S (2014) A new approach for quantitative risk analysis. Ann Oper Res 213(1):27–65. https://doi.org/10.1007/s10479-013-1355-y

Curto D, Acebes F, González-Varona JM, Poza D (2022) Impact of aleatoric, stochastic and epistemic uncertainties on project cost contingency reserves. Int J Prod Econ 253(Nov):108626. https://doi.org/10.1016/j.ijpe.2022.108626

Damnjanovic I, Reinschmidt KF (2020) Data Analytics for Engineering and Construction Project Risk Management . Springer International Publishing

Duijm NJ (2015) Recommendations on the use and design of risk matrices. Saf Sci 76:21–31. https://doi.org/10.1016/j.ssci.2015.02.014

Eldosouky IA, Ibrahim AH, Mohammed HED (2014) Management of construction cost contingency covering upside and downside risks. Alex Eng J 53(4):863–881. https://doi.org/10.1016/j.aej.2014.09.008

Elms DG (2004) Structural safety: Issues and progress. Prog Struct Eng Mater 6:116–126. https://doi.org/10.1002/pse.176

European Commission. (2023) Project Management Methodology. Guide 3.1 (European Union, Ed.). Publications Office of the European Union

Frank M (1999) Treatment of uncertainties in space nuclear risk assessment with examples from Cassini mission implications. Reliab Eng Syst Safe 66:203–221. https://doi.org/10.1016/S0951-8320(99)00002-2

Gatti S, Rigamonti A, Saita F, Senati M (2007) Measuring value-at-risk in project finance transactions. Eur Financ Manag 13(1):135–158. https://doi.org/10.1111/j.1468-036X.2006.00288.x

Giot P, Laurent S (2003) Market risk in commodity markets: a VaR approach. Energy Econ 25:435–457. https://doi.org/10.1016/S0140-9883(03)00052-5

Goerlandt F, Reniers G (2016) On the assessment of uncertainty in risk diagrams. Saf Sci 84:67–77. https://doi.org/10.1016/j.ssci.2015.12.001

Helton JC, Johnson JD, Oberkampf WL, Sallaberry CJ (2006) Sensitivity analysis in conjunction with evidence theory representations of epistemic uncertainty. Reliab Eng Syst Saf 91(10–11):1414–1434. https://doi.org/10.1016/j.ress.2005.11.055

Hillson D (2014) How to manage the risks you didn’t know you were taking. Paper presented at PMI® Global Congress 2014—North America, Phoenix, AZ. Newtown Square, PA: Project Management Institute

Hillson D, Simon P (2020) Practical Project Risk Management. THE ATOM METHODOLOGY (Third Edit, Issue 1). Berrett-Koehler Publishers, Inc

Hulett DT (2012) Acumen Risk For Schedule Risk Analysis - A User’s Perspective . White Paper. https://info.deltek.com/acumen-risk-for-schedule-risk-analysis

International Organization for Standardization. (2018). ISO 31000:2018 Risk management – Guidelines (Vol. 2)

International Organization for Standardization. (2019). ISO/IEC 31010:2019 Risk management - Risk assessment techniques

International Project Management Association. (2015). Individual Competence Baseline for Project, Programme & Portfolio Management. Version 4.0. In International Project Management Association (Vol. 4). https://doi.org/10.1002/ejoc.201200111

Joukar A, Nahmens I (2016) Estimation of the Escalation Factor in Construction Projects Using Value at Risk. Construction Research Congress , 2351–2359. https://doi.org/10.1061/9780784479827.234

Kerzner H (2022) Project Management. A Systems Approach to Planning, Scheduling, and Controlling (Inc. John Wiley & Sons, Ed.; 13th Editi)

Koulinas GK, Demesouka OE, Sidas KA, Koulouriotis DE (2021) A topsis—risk matrix and Monte Carlo expert system for risk assessment in engineering projects. Sustainability 13(20):1–14. https://doi.org/10.3390/su132011277

Krisper M (2021) Problems with Risk Matrices Using Ordinal Scales . https://doi.org/10.48550/arXiv.2103.05440

Kuester K, Mittnik S, Paolella MS (2006) Value-at-risk prediction: A comparison of alternative strategies. J Financ Econ 4(1):53–89. https://doi.org/10.1093/jjfinec/nbj002

Kwon H, Kang CW (2019) Improving project budget estimation accuracy and precision by analyzing reserves for both identified and unidentified risks. Proj Manag J 50(1):86–100. https://doi.org/10.1177/8756972818810963

Lemmens SMP, Lopes van Balen VA, Röselaers YCM, Scheepers HCJ, Spaanderman MEA (2022) The risk matrix approach: a helpful tool weighing probability and impact when deciding on preventive and diagnostic interventions. BMC Health Serv Res 22(1):1–11. https://doi.org/10.1186/s12913-022-07484-7

Levine ES (2012) Improving risk matrices: The advantages of logarithmically scaled axes. J Risk Res 15(2):209–222. https://doi.org/10.1080/13669877.2011.634514

Li J, Bao C, Wu D (2018) How to design rating schemes of risk matrices: a sequential updating approach. Risk Anal 38(1):99–117. https://doi.org/10.1111/risa.12810

Lorance RB, Wendling RV (2001) Basic techniques for analyzing and presentation of cost risk analysis. Cost Eng 43(6):25–31

Markowski AS, Mannan MS (2008) Fuzzy risk matrix. J Hazard Mater 159(1):152–157. https://doi.org/10.1016/j.jhazmat.2008.03.055

Menge DNL, MacPherson AC, Bytnerowicz TA et al. (2018) Logarithmic scales in ecological data presentation may cause misinterpretation. Nat Ecol Evol 2:1393–1402. https://doi.org/10.1038/s41559-018-0610-7

Monat JP, Doremus S (2020) An improved alternative to heat map risk matrices for project risk prioritization. J Mod Proj Manag 7(4):214–228. https://doi.org/10.19255/JMPM02210

Naderpour H, Kheyroddin A, Mortazavi S (2019) Risk assessment in bridge construction projects in Iran using Monte Carlo simulation technique. Pract Period Struct Des Constr 24(4):1–11. https://doi.org/10.1061/(asce)sc.1943-5576.0000450

Ni H, Chen A, Chen N (2010) Some extensions on risk matrix approach. Saf Sci 48(10):1269–1278. https://doi.org/10.1016/j.ssci.2010.04.005

Peace C (2017) The risk matrix: Uncertain results? Policy Pract Health Saf 15(2):131–144. https://doi.org/10.1080/14773996.2017.1348571

Project Management Institute. (2009) Practice Standard for Project Risk Management . Project Management Institute, Inc

Project Management Institute. (2017) A Guide to the Project Management Body of Knowledge: PMBoK(R) Guide. Sixth Edition (6th ed.). Project Management Institute Inc

Project Management Institute. (2019) The standard for Risk Management in Portfolios, Programs and Projects . Project Management Institute, Inc

Project Management Institute. (2021) A Guide to the Project Management Body of Knowledge: PMBoK(R) Guide. Seventh Edition (7th ed.). Project Management Institute, Inc

Proto R, Recchia G, Dryhurst S, Freeman ALJ (2023) Do colored cells in risk matrices affect decision-making and risk perception? Insights from randomized controlled studies. Risk Analysis, 1–15. https://doi.org/10.1111/risa.14091

Qazi A, Dikmen I (2021) From risk matrices to risk networks in construction projects. IEEE Trans Eng Manag 68(5):1449–1460. https://doi.org/10.1109/TEM.2019.2907787

Qazi A, Shamayleh A, El-Sayegh S, Formaneck S (2021) Prioritizing risks in sustainable construction projects using a risk matrix-based Monte Carlo Simulation approach. Sustain Cities Soc 65(Aug):102576. https://doi.org/10.1016/j.scs.2020.102576

Qazi A, Simsekler MCE (2021) Risk assessment of construction projects using Monte Carlo simulation. Int J Manag Proj Bus 14(5):1202–1218. https://doi.org/10.1108/IJMPB-03-2020-0097

Rehacek P (2017) Risk management standards for project management. Int J Adv Appl Sci 4(6):1–13. https://doi.org/10.21833/ijaas.2017.06.001

Rezaei F, Najafi AA, Ramezanian R (2020) Mean-conditional value at risk model for the stochastic project scheduling problem. Comput Ind Eng 142(Jul):106356. https://doi.org/10.1016/j.cie.2020.106356

Ruan X, Yin Z, Frangopol DM (2015) Risk Matrix integrating risk attitudes based on utility theory. Risk Anal 35(8):1437–1447. https://doi.org/10.1111/risa.12400

Sarykalin S, Serraino G, Uryasev S (2008) Value-at-risk vs. conditional value-at-risk in risk management and optimization. State-of-the-Art Decision-Making Tools in the Information-Intensive Age, October 2023, 270–294. https://doi.org/10.1287/educ.1080.0052

Simon P, Hillson D, Newland K (1997) PRAM Project Risk Analysis and Management Guide (P. Simon, D. Hillson, & K. Newland, Eds.). Association for Project Management

Sutherland H, Recchia G, Dryhurst S, Freeman ALJ (2022) How people understand risk matrices, and how matrix design can improve their use: findings from randomized controlled studies. Risk Anal 42(5):1023–1041. https://doi.org/10.1111/risa.13822

Talbot, J (2014). What’s right with risk matrices? An great tool for risk managers… 31000risk. https://31000risk.wordpress.com/article/what-s-right-with-risk-matrices-3dksezemjiq54-4/

Taroun A (2014) Towards a better modelling and assessment of construction risk: Insights from a literature review. Int J Proj Manag 32(1):101–115. https://doi.org/10.1016/j.ijproman.2013.03.004

The Standish Group. (2022). Chaos report. https://standishgroup.myshopify.com/collections/all

Thomas P, Bratvold RB, Bickel JE (2014) The risk of using risk matrices. SPE Econ Manag 6(2):56–66. https://doi.org/10.2118/166269-pa

Tong R, Cheng M, Zhang L, Liu M, Yang X, Li X, Yin W (2018) The construction dust-induced occupational health risk using Monte-Carlo simulation. J Clean Prod 184:598–608. https://doi.org/10.1016/j.jclepro.2018.02.286

Traynor BA, Mahmoodian M (2019) Time and cost contingency management using Monte Carlo simulation. Aust J Civ Eng 17(1):11–18. https://doi.org/10.1080/14488353.2019.1606499

Vanhoucke, M (2018). The data-driven project manager: A statistical battle against project obstacles. In The Data-Driven Project Manager: A Statistical Battle Against Project Obstacles. https://doi.org/10.1007/978-1-4842-3498-3

Vatanpour S, Hrudey SE, Dinu I (2015) Can public health risk assessment using risk matrices be misleading? Int J Environ Res Public Health 12(8):9575–9588. https://doi.org/10.3390/ijerph120809575

Vose, D (2008). Risk Analysis: a Quantitative Guide (3rd ed.). Wiley

Votto R, Lee Ho L, Berssaneti F (2020a) Applying and assessing performance of earned duration management control charts for EPC project duration monitoring. J Constr Eng Manag 146(3):1–13. https://doi.org/10.1061/(ASCE)CO.1943-7862.0001765

Votto R, Lee Ho L, Berssaneti F (2020b) Multivariate control charts using earned value and earned duration management observations to monitor project performance. Comput Ind Eng 148(Sept):106691. https://doi.org/10.1016/j.cie.2020.106691

Ward S (1999) Assessing and managing important risks. Int J Proj Manag 17(6):331–336. https://doi.org/10.1016/S0263-7863(98)00051-9

Acknowledgements

This research has been partially funded by the Regional Government of Castile and Leon (Spain) and the European Regional Development Fund (ERDF, FEDER) with grant VA180P20.

Author information

Authors and affiliations

GIR INSISOC. Dpto. de Organización de Empresas y CIM. Escuela de Ingenierías Industriales, Universidad de Valladolid, Pº Prado de la Magdalena s/n, 47011, Valladolid, Spain

F. Acebes & J. Pajares

GIR INSISOC. Dpto. Economía y Administración de Empresas, Universidad de Málaga, Avda. Cervantes, 2, 29071, Málaga, Spain

J. M. González-Varona & A. López-Paredes

Contributions

FA developed the conceptualisation and the methodology. JMG contributed to the literature review and interpretations of the results for the manuscript. FA and JP collected the experimental data and developed all the analyses and simulations. AL supervised the project. FA and JP wrote the original draft, while AL and JMG conducted the review and editing. All authors have read and agreed to the published version of the manuscript.

Corresponding author

Correspondence to F. Acebes.

Ethics declarations

Competing interests

The authors declare no competing interests.

Ethical approval

Ethical approval was not required as the study did not involve human participants.

Informed consent

No human subjects are involved in this study.

Additional information

Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

About this article

Cite this article

Acebes, F., González-Varona, J.M., López-Paredes, A. et al. Beyond probability-impact matrices in project risk management: A quantitative methodology for risk prioritisation. Humanit Soc Sci Commun 11, 670 (2024). https://doi.org/10.1057/s41599-024-03180-5

Received: 30 January 2024

Accepted: 13 May 2024

Published: 24 May 2024

DOI: https://doi.org/10.1057/s41599-024-03180-5

NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.

National Research Council (US) Committee on Improving Risk Analysis Approaches Used by the U.S. EPA. Science and Decisions: Advancing Risk Assessment. Washington (DC): National Academies Press (US); 2009.

Science and Decisions: Advancing Risk Assessment.

Appendix F Case Studies of the Framework for Risk-Based Decision-Making

In Chapter 8, we proposed a framework for risk-based decision-making in which an initial problem formulation and scoping phase is used to develop the analytic scope necessary to compare intervention options, risks and costs under existing conditions and with proposed interventions are assessed, and risk-management options are analyzed to inform decisions. We provide here three brief examples to demonstrate how the approach in Figure 8-1 might lead to a process and an outcome different from those of a conventional application of risk assessment. The examples are not meant to capture specific and current regulatory decisions in all their technical detail (and are perhaps caricatures of current decision-making paradigms) but are meant simply to illustrate some types of problems and how the framework would, in principle, address them. Similarly, while these examples would in principle involve multiple state and federal agencies under a variety of regulatory structures, they are meant to be more abstract examples of how the approach in Figure 8-1 would address risk management decisions.

A CASE STUDY OF ELECTRICITY GENERATION

Suppose that a new peaking power plant has been proposed to be sited in a low-income neighborhood that already contains other power-generating capacity or sources of similar pollutants. A conventional application of risk-assessment methods in this context might lead the proponent of the power plant to conduct analyses to determine whether the facility would contribute to exceedances of predefined risk thresholds—for example, greater than a 10⁻⁶ risk from air toxics for the maximally exposed person, a violation of ambient air quality standards for criteria pollutants. Issues related to alternative sites would typically be addressed in a separate part of the analysis, with argument of why the selected site is preferable, and no formal evaluations of alternative technologies and their implications for costs or benefits would be considered. Environmental-justice issues would typically be discussed but with no functional connection to the risk assessment or decision.

The questions addressed by risk assessment applied in that fashion attempt to determine whether there will be a “significant” problem if the plant is built with the proposed orientation. That sets up an adversarial relationship between the plant proponent and the local community in which the community is attempting to understand the intricacies of the risk assessment (which may have shown no “significant” increases in health risks) and is often operating under the assumption that the analysis has been manipulated in ways that the community does not understand or has not appropriately taken account of exposure and susceptibility conditions in the community. Whether the power plant is ultimately sited or not and whether the risk assessment represents best practice or not, this approach does not make optimal use of the insights that risk assessment can provide in that it focuses on only one alternative other than the status quo and provides limited information to stakeholders.

An alternative orientation following Figure 8-1 would still use risk-assessment methods but as part of Phase I would instead ask about the best approach to fulfill a given societal need that would minimize net impacts (including health impacts, costs, and other dimensions). With this orientation, the regulatory body that would be permitting the proposed facility would first determine the societal objective of the facility, which could be to decrease the projected gap between electricity supply and demand in the region during periods of high electricity use. That objective could be met in numerous ways, including energy-efficiency efforts by the utility’s suppliers or customers, increased use of existing power plants, different storage technologies to meet peak power needs, or new power plants using different technologies (that is, alternative fuels and control technologies) in different locations. A do-nothing strategy and its implications would also be evaluated. Risk assessment can play a key role in distinguishing among the various options considered in combination with other methods and information.

In phase I, the set of possible interventions would be determined collectively by all stakeholders with the end points that could inform decision-making (for example, effects on electricity cost per kilowatt-hour, population risk, distribution of risk among defined subpopulations, life-cycle impacts, and probability of blackouts and brownouts). Stakeholders may mutually decide that some end points are unimportant or that some should get greater weight than others, and this will inform the choice of methods.

A comprehensive consideration of options at the outset would ensure that all relevant stakeholders were present, avoiding NIMBY outcomes in which an alternative site is chosen in a community that has not been involved in the process. The risk assessments and economic, technical, and other analyses would be oriented around the proposed interventions and would allow for explicit consideration of the tradeoffs among different desirable attributes of the decision and upfront transparency about the solution set, methods, and criteria for decision-making. For example, a clear presentation of the probability of blackouts under the do-nothing strategy and with alternative new facilities would help to demonstrate the importance of new capacity.

One possible criticism of this approach is that stakeholder participation and evaluation of multiple competing options require substantial effort and could lead to delays in decision-making. However, the current paradigm often leads to intractable debates about minute details of the risk assessment (Did the proponent use the right dispersion model? Were emissions estimated appropriately? Where would the maximally exposed person live?) without consideration of whether a choice among options would be influenced by these details. An upfront investment of time and effort in developing options and scoping the problem should reduce debate and antagonism considerably in the long term, should reduce analytic effort by focusing it on the end points that would help to discriminate among options, and should allow more coordinated planning of multiple projects with the same general aims. It could also be argued that explicit presentation of the tradeoffs among cost, risk, blackout probability, and equity would make decisions impossible because stakeholders would weigh these components differently, and there are no obvious bright-line distinctions. However, the current decision paradigm considers some of the factors implicitly while ignoring others without any explicit attempt to set priorities, so it is hard to argue that better understanding of the implications of decisions would not be beneficial. A final critique could be that stakeholders are ultimately concerned with the decision rather than the method. If this approach resulted in a conclusion that building the power plant in the low-income community were the optimal solution, residents of the community would be unhappy; if this approach resulted in a decision not to build a new facility, the proponents of the power plant would be unhappy (even if the process and analysis were transparent and agreed on). That may be impossible to avoid, but upfront consideration of scoping and decision criteria will at least reassure stakeholders that the criteria were not determined post hoc, and the rationale for the decision will be clearly presented.

A CASE STUDY OF DECISION SUPPORT FOR DRINKING-WATER SYSTEMS

Decision-makers and stakeholders seeking safe drinking water carry out their work in the face of a daunting array of microbial, chemical, climatic, operational, security and financial hazards. The capacity of risk assessment to support the societal goal of the provision of safe drinking water is an example of the critical need to reorient current risk-assessment practices away from the support of a series of disconnected single-hazard standard-setting processes and toward the provision of analytic support to facilitate the integration of complex health, ecologic, engineering, and economic elements of decision-making involved in providing safe drinking water.

Risk-assessment activities that are directed toward the safety of drinking water primarily support standard-setting exercises. The setting of such standards does not represent the types of more concrete system-design risk-management decisions that have direct physical, biologic, and chemical impacts on the safety of drinking water, representing distal decisions with ambiguous connections to risk reduction rather than proximal decisions with clear causal connections to risk reduction.

It is now generally understood that drinking water is best protected by an integrated risk-management approach in which multiple barriers are applied to protect against exposure to the hazards. The intervention options for drinking-water risk management include a complex set of decisions that affect system components that include sewage treatment, source-water selection and protection, multiple stages of water treatment, investments in operator training and information-management systems, changes in laboratory and monitoring practices, protection of the water in the distribution system, household water-use practices, and the capacity for effective emergency response that needs to be engaged when other barriers fail. It is inevitably a complex design problem to reduce risk from multiple sources that are subject to numerous competing constraints. The constraints include the fact that reducing some risks can increase others (the now classic problem of toxicity from disinfection byproducts that are produced in some processes aimed at reducing microbial risks or in choosing among sources of raw water that have varied microbial and chemical risk profiles). Other constraints include financial resources available in the short term and long term, the political and economic implications of issuing boil-water advisories, and the need to provide adequate protection to highly susceptible sub-populations (for example, in the case of persons with HIV/AIDS and the risk of cryptosporidiosis).

The societal goal is ultimately not to set standards themselves but rather to minimize the net risk associated with the provision of drinking water given the aforementioned risks and constraints. To that end, a series of decisions are made by the owners and operators of drinking-water systems. Some are discrete events, such as major investments in watershed protection, water-treatment technology, or construction of pipelines from distant water sources; some are continuous processes, such as treatment adjustments based on monitoring or customer complaints related to aesthetic properties of water.

It is obvious that those decisions would ideally be made in the presence of the most complete understanding of their implications that can reasonably be provided. The decisions are complex, and the selected actions will inevitably balance competing public goals. In this context, the present committee’s goal for the conduct of risk assessment is the assembly and provision of information that describes (quantitatively and qualitatively) the implications of a set of intervention options, the characterization of the implications in the form of risk measures, and the characterization of the net risk that would be predicted in connection with the decision-maker’s choice of a particular change in the water-management system. In the recommended framework in Figure 8-1, the Environmental Protection Agency (EPA), subject to the continuing reality of standard-setting processes required by statute, would orient risk-assessment activities toward providing risk-informed decision-support tools to the more proximal risk managers and stakeholders. With the help of this reoriented form of risk assessment, locally accountable decision-makers and stakeholders would be empowered by EPA’s decision-support tools to make risk-informed decisions in designing and operating drinking-water systems.

A CASE STUDY OF METHYLENE CHLORIDE IN TWO SECTORS

The third example is based loosely on the regulatory response during the 1990s to the problems posed by methylene chloride (MeCl₂), a ubiquitous solvent that is a neurotoxin and a rodent carcinogen and that exacerbates carboxyhemoglobin formation. The example considers some of the likely costs and benefits of various interventions to reduce MeCl₂ risks in the workplace and in the general environment; its main point is to show that the outcome would depend heavily on how the regulatory agency chose to formulate the problem and potential intervention options. It also emphasizes that a too-narrow formulation of the problem, without consideration of intervention options at the outset, could exacerbate or fail to identify risk-risk tradeoffs.

A conventional application of risk-assessment methods might attempt to determine the allowable MeCl₂ concentration in ambient air to meet a defined risk threshold. In this case, the risk assessment supports a distal decision to set a risk-specific concentration. However, nothing would prevent facilities from complying with the standard by transferring the MeCl₂ risk to other chemicals or populations. They could substitute an unregulated (but potentially more toxic) solvent or simply change the production conditions so that less MeCl₂ is emitted from stack and fugitive emission points but more is released into the workplace. Other tradeoffs are also possible; for example, the allegation has been made in the aircraft sector that one compliance strategy (reduction in the frequency of stripping and repainting) can lead to an increased safety risk if it compromises the airworthiness of the craft.

An alternative strategy could involve finding the best available technology to control MeCl₂ emissions. In this case, the exercise is reduced to arranging the existing control techniques in order of efficiency and choosing either the “best available technology” (the single most efficient) or some “good enough available technology,” as is done in the Maximum Achievable Control Technology (MACT) program under the Clean Air Act, which seeks to mandate the technology that corresponds to the average of the best-performing 12% of all current sources. As with any purely technology-based decision, the absolute risk reduction achieved may be insufficient to be acceptable, or it might be too stringent in that its costs outweigh its benefits. In spite of the simplicity of the approach, it is unlikely to yield the optimal solution, and firms could still respond to the technology mandate by adverse substitution, risk-shifting, plant closure, or some other action.

If the committee’s framework for risk-based decision-making (Figure 8-1) were used instead, the initial problem-formulation step could determine that the goal is to minimize the total impacts of the production and use of the products that currently consume MeCl₂ (such as assembled foam and repainted aircraft). Risk assessments (and economic and other analyses) would be used to compare the residual risks and economic costs of control of each of a set of possible interventions. If the analytic question is asked about the process or function rather than about the substance, the set of interventions can be more expansive, and risk-risk tradeoffs can be minimized (or at least confronted explicitly).

Hypothetically, both EPA and the Occupational Safety and Health Administration might agree that for foam assembly, local ventilation plus carbon adsorption is the optimal solution for controlling MeCl₂ or any similar solvent that might be substituted for it. Similarly, for aircraft repainting, the optimal solution might involve requiring (or encouraging) the use of nontoxic abrasive material rather than a volatile solvent to remove the old paint layer.

The framework in Figure 8-1 could also allow the agencies to think more expansively and to seek global rather than local optima. Setting aside questions of agency scope, if the societal function were redefined as providing air travel rather than providing frequently repainted aircraft, intervention options might emerge for discussion that included changing the incentives to repaint so often, and this might broaden the analysis to include the impacts of jet-fuel use (fuel savings resulting from the coating, rather than painting, of planes). Even broader discussions of incentives for reducing the need for air travel might ensue; it is only the makeup of the involved participants and their preferences, subject to time and other logistical constraints, that dictates the scope of the interventions contemplated in this paradigm.

Project Risk Management: 5 Case Studies You Should Not Miss

May 21, 2024

Project risk management is vital in today’s business world. This article from Designveloper, “Project Risk Management: 5 Case Studies You Should Not Miss,” sheds light on this important component of project management.

We’ll reference some recent numbers and facts that highlight the significance of risk management in projects. These data points come from credible reports and provide a good basis for understanding the subject.

In addition, we will discuss specific case studies in which risk management was successfully applied in project management and in which it was not. These real-world examples are valuable for project managers and teams.

It is also important to keep in mind that every project has associated risks. However, through project risk management, these risks can be identified, analyzed, prioritized, and managed so that the project achieves its objectives. Let’s take this journey of understanding together. Watch out for an analysis of the five case studies you must not miss.

Risk management is a critical component of any project. It is a set of tools for determining the potential threats to a project’s success and how to address them. Let’s look at some recent stats and examples to understand this better.

Understanding Project Risk Management

Statistics show that as many as 70% of all projects are unsuccessful. This high failure rate highlights the need for efficient project risk management. Surprisingly, organizations that do not attach much importance to project risk management face a 50% chance of project failure. This results in huge losses of money and untapped business potential.

Additionally, poor performance leads to an approximate 10% loss of every dollar spent on projects. This translates to a loss of $99 for every $1 billion invested. These statistics demonstrate the importance of project risk management in improving project success rates and minimizing waste.

Let us consider a project management example to demonstrate the relevance of the issue discussed above. Consider a new refinery being constructed in the Middle East. The project is entering a key phase: purchasing. With poor risk management, important decisions surrounding procurement strategy or the timing of the tendering process could result in project failure.

Project risk management is a process that entails identifying potential threats and mitigating them. It is proactive, not reactive.

This process begins with the identification of potential risks. These could be anything from budget overruns to delayed deliveries. After the risks are identified, they are analyzed. This involves estimating the probability of each risk event and its potential consequences for the project.

The next stage is risk response planning. This could take the form of risk reduction, risk shifting, or risk acceptance. The goal here is to reduce the impact of risks on the project.

Finally, the process entails identifying and tracking these risks throughout the life of the project. This helps keep the project on course and ensures that any new risks that arise are identified and managed.

Let’s dive into the heart of project risk management: its four key components. These pillars form the foundation of any successful risk management strategy. They are risk identification, risk analysis, risk response planning, and risk monitoring and control. Each plays a crucial role in ensuring project success. This section will provide a detailed explanation of each component, backed by data and real-world examples. So, let’s embark on this journey to understand the four key components of project risk management.

Risk identification is the first step in the project risk management process. It’s about proactively identifying risks that might cause a project to fail. This is very important because a recent study has shown that 77% of companies had operational surprises due to unidentified risks.

4 Key Components of Project Risk Management

There are different approaches to risk identification such as brainstorming, Delphi technique, SWOT analysis, checklist analysis, flowchart. These techniques assist project teams in identifying all potential risks.

Risk identification is the second stage of the project risk management process. It is a systematic approach that tries to determine the probability of occurrence and severity of identified risks. This step is very important; it helps to rank the identified risks and assists in the formation of risk response strategies.

Risk assessment involves two key elements: frequency and severity of occurrence. As for risk probability, it estimates the chances of a risk event taking place, and risk impact measures the impact associated with the risk event.

This is the third component of project risk management. It deals with planning the best ways to deal with the risks that have been identified. This step is important since it ensures that the risk does not have a substantial effect on the project.

One statistic indicates that nearly three-quarters of organizations have an incident response plan and that 63 percent of these organizations conduct the plan regularly. This shows why focusing only on risk identification and analysis, without a plan of action, is inadequate.

Risk response planning involves four key strategies: risk acceptance, risk sharing, risk reduction, and risk elimination. Each strategy is selected depending on the nature and potential of the risk.

Risk monitoring and control is the last step of project risk management. It’s about monitoring and controlling the identified risks and making sure that they are being addressed according to the plan.

Furthermore, risk control and management involve managing identified risks, monitoring the remaining risk, identifying new risks, implementing risk strategies, and evaluating their implementation during the project life cycle.

It is now time to turn to the practical side of project risk management. This section presents five selected case studies that illustrate the need for and application of project risk management. Each case study takes an individual approach, revealing how risk management can contribute to project success. The case studies cover construction projects and technology groups, among other industries. They show how effective project risk management can be in allowing organizations to respond to uncertainties and accomplish their project objectives. Let us now examine these case studies and what they show about risk in project management.

The Gordie Howe International Bridge is one of the projects that demonstrate the principles of project risk management. It is one of the biggest infrastructure projects in North America and includes the construction of a six-lane bridge at the busiest commercial border crossing point between the U.S. and Canada.

Gordie Howe International Bridge Project

The project scope can be summarized as: new port of entry and inspection facilities for the Canadian and US governments; toll collection facilities; and projects and modifications to multiple local bridges and roadways. The project is administered by the Windsor-Detroit Bridge Authority, a nonprofit Canadian Crown entity.

Specifically, one of the project's challenges stemmed from its size, in terms of both land area and the community of interests involved in the undertaking. Governance and the CI were fundamental aspects that helped the project team overcome these challenges.

The PMBOK® Guide is the contractual basis for project management in the project agreement. This dedication to following best practices for project management does not end with bridge construction: it extends to all other requirements.

The project is making steady progress toward the objective of finishing in 2024. This case study clearly demonstrates the role of project risk management in achieving success with large and complicated infrastructure projects.

Fujitsu is an international company that provides complete information and communication technology systems as well as products and services. Its typical approach was to employ a few college and school leavers and enroll them in a two-year manual management training and development course. However, this approach fell short in the following ways.

Fujitsu’s Early-Career Project Managers

First, the training was not comprehensive in its coverage of project management and was solely concerned with generic messaging, for example promoting leadership skills and time management. Second, it was not effectively meeting the needs of apprentices. Third, the two-year time frame was not sufficient to allow for deep development of the project management skills required for this job. Finally, retention problems among employees in the training program presented a number of issues.

To tackle these issues, Fujitsu UK adopted a framework based on three dimensions: structured learning, learning from others, and rotation. This framework is designed to operate for the first five years of a participant’s career and is underpinned by the 70-20-10 model for learning and development. Rogers’ model acknowledges that most learning occurs on the job.

The initial training process starts with a three-week formal learning and induction program that includes the initial orientation to the organization and its operations, the fundamentals of project management, and business in general. Participants are then placed on a rotational assignment in the PMO of the program for the first six to eight months.

Vodafone is a multinational mobile telecommunications group that manages telecommunications services in 28 countries across five continents. It decided to undertake a highly complex technology project to replace an existing network with a fully managed GLAN in 42 locations. Because the project was so complex, a well-grounded approach to risk management was needed.

Vodafone’s Complex Technology Project

The project team faced a long delay in signing the contract and frequent changes after the contract was signed, until the project was baselined. These challenges stretched the time frame of the project and increased its complexity.

To mitigate the risks, Vodafone adopted PMI standards for its project management structure. This approach included conducting workshops, developing resource and risk management plans, tailoring project documentation, and holding regular lessons-learned sessions.

The Vodafone GLAN project was not an easy one, but it was completed on time and, in some cases, ahead of the schedule the team had anticipated. In the first stage, 90% of sites were migrated successfully at the first attempt and 100% at the second.

The Fehmarnbelt project is a real-life example of the strategic role of project risk management. It provides information about a mega-project to construct the world’s longest immersed tunnel between Germany and Denmark. It will be a four-lane highway and two-rail electrified tunnel extending for 18 kilometers and it will be buried 40 meters under the Baltic Sea.

Fehmarnbelt Project

This project is managed by Femern A/S, a Danish government-owned company, with a construction value of more than €7 billion (£8.2 billion). It is estimated to provide jobs for 3,000 workers directly, in addition to 10,000 at suppliers. Upon its completion, travel time between Denmark and Germany will be cut to 10 minutes by automobile and 7 minutes by rail.

The Femern risk management function, and in particular Risk Manager Bo Nygaard Sørensen, initiated the process and developed clear key strategic objectives for the project. They formulated a simple, dynamic, and comprehensive risk register to give a more complete risk view of the mega-project. They also created a risk index in order to assess all risks in a consistent and predictable manner, classify them according to their importance, and manage and overcome the risks in an appropriate and timely manner.

The team used Predict!, a risk assessment and analysis tool, to determine the effect of various risks on the cost of constructing the link and to calculate the risk contingency needed for the project. This way, they were able to make decisions on whether an immersed tunnel could be constructed instead of a bridge.

Lend Lease is an international property and infrastructure group that operates in over 20 countries, and it offers a good example of managing project risks. The company has established a complex framework called the Global Minimum Requirements (GMRs) to identify risks to which it is exposed.

Lend Lease Project

The GMRs cover the phase of the project before a decision to bid for a job is taken. This framework includes factors related to flooding, heat, biodiversity, land or soil subsidence, water, weathering, infrastructure, and insurance.

The GMRs are organized into five main phases in line with the five main development stages of a project. These stages guarantee that vital decisions are made at the ideal time. The stages include governance, investment, design and procurement, establishment, and delivery.

For instance, during the design and procurement stage, the GMRs identify requisite design controls that will prevent environmental degradation during design, as well as fatal risk elimination during planning and procurement. This approach aids in effective management of risks and delivery of successful projects at Lend Lease.

Let’s take a closer look at the risk management strategies used here at Designveloper, a top web & software development firm in Vietnam. We also provide a range of other services, so it is essential that we manage risks on all our projects in similar and effective ways. The following part of the article gives a glimpse of how we manage project risk in an exemplary manner, drawing on research from recent years and including specific cases.

The following steps explain the risk management process that we use, from discovering potential risks to managing them. We will also mention here how our experience and expertise have helped us in this area.

Risk management as a function in project delivery is well understood at Designveloper. Our method of managing project risk is proactive and systematic, which enables us to predict possible problems and create successful solutions to overcome them.

One of the problems we frequently encounter is understanding our clients’ needs. In most cases, clients come to us with a basic idea or concept. To convert these ideas into specific requirements and feature lists, our business analysts have to collaborate with the client. The whole process is often time-consuming, and opportunities are missed.


To solve this problem, we’ve created a library of features, each with its own time and cost estimate. This library is based on data from previous projects that we have documented, arranged, and consolidated. Now, when a client approaches us with a request, we can search for similar features in our library and give an initial quote. This method has considerably cut the time needed to provide first estimates to our clients, saving time for all participants.

This is only one of the techniques we use to mitigate project risks at Designveloper. The focus on effective project risk management has been contributing significantly to our successful operation as a leading company in web and software development in Vietnam. It is a mindset that enables us to convert challenges into opportunities and provide outstanding results for our clients.

At Designveloper, we always aim to enhance our project risk management practices. Below are a couple of examples of the advancements we’ve made.

To reduce the waiting time, we have adopted continuous deployment. This enables us to provide value fast and effectively. We release a minimum feature rather than a big feature. It helps us to collect the input from our customers and keep on improving. What this translates into for our customers is that they start to derive value from the product quickly and that they have near-continuous improvement rather than have to wait for a “perfect” feature.

We also hold regular “sync-up” meetings between teams to keep information synchronized and transparent from input (requirements) to output (product). Changes are known to all teams, so teams can prepare to respond flexibly and in the best manner.

Some of these developments in project risk management have enabled us to complete projects successfully and provide excellent service to our clients. They show our commitment to continuous improvement and our capability to turn threats into opportunities. The strength of Designveloper is largely attributed to the fact that we do not just control project risks – we master them.

To conclude, project risk management is an important element of nearly all successful projects. It is all about identifying possible problems and organizing the measures necessary for the project to succeed. The case studies addressed in this article illustrate the significance and implementation of project risk management in different settings and fields. They show what efficient risk management can achieve.

We have witnessed the advantages of solid project risk management at Designveloper. The combination of our approach, powered by our track record and professionalism, has enabled us to complete projects that met all of our clients’ requirements. We are not only managing project risks but mastering them.

We trust you have found this article helpful in understanding project risk management and its significance in the fast-changing, complicated project environment of today. However, one needs to keep in mind that proper project management is not only about task and resource management but also about risk management. And at Designveloper, our team is there to guide you through those risks and to help you realize your project’s objectives.


Operational Risk Management: A Case Study Approach to Effective Planning and Response


Mark David Abkowitz


  • ISBN-10 9780470256985
  • ISBN-13 978-0470256985
  • Edition 1st
  • Publisher Wiley
  • Publication date April 4, 2008
  • Language English
  • Dimensions 6.3 x 1.14 x 9.43 inches
  • Print length 288 pages

Editorial Reviews

From the Inside Flap

In the world we live in today, disasters occur on a daily basis. Could they have been prevented from occurring? If emergency response had been more effective, how much less destruction might they have caused? Will similar disasters happen again? Operational Risk Management: A Case Study Approach to Effective Planning and Response examines the safety and security of an organization's people, facilities, and assets, as well as the communities in which they are located, from exposure to natural disasters, man-made accidents, and terrorist acts that have occurred worldwide, revealing the underlying causes of these catastrophic events.

Through the use of carefully selected case studies in a variety of scenarios across many different industries and environments, both in the United States and abroad, author and industry expert Mark Abkowitz uses historical events to demonstrate how operational risk management practices―or the lack of them―influence event likelihood and outcomes across all hazard domains. Each case contains a narrative, followed by a discussion that draws conclusions as to why things went wrong, as well as what, if anything, has been done to prevent such an occurrence from happening again. These include:

Hyatt Regency Walkway Collapse

Nightmare in Bhopal

Meltdown at Chernobyl

Attack on the USS Cole

September 11 – The World Trade Center

London Transit Bombings

Eruption of Mount St. Helens

Hurricane Katrina

In reviewing painful experiences of the past, it is clear that protecting our future cannot be left to chance. Operational Risk Management: A Case Study Approach to Effective Planning and Response not only looks at the risk factors present in previous disasters but also at the valuable lessons learned. These factors and lessons are used to forge a path forward that risk managers can use to ensure that their organizations have strong safety and security plans in place–and are ready to respond when necessary.

From the Back Cover

Operational Risk Management offers peace of mind to business and government leaders who want their organizations to be ready for any contingency, no matter how extreme. This invaluable book is designed to be used as both a preparatory resource for when times are good and an emergency reference when times are bad. Author Mark Abkowitz gets managers up to speed on what they should be prepared to deal with and offers real solutions for putting those business continuity plans in place. From natural and man-made disasters to terrorist attacks, Operational Risk Management is destined to become every risk manager's ultimate weapon to help their organization survive ― no matter what.

Praise for Operational Risk Management

"Mark Abkowitz has produced an excellent and wide-ranging collection of case studies that illustrate the role that risk factors play in determining the success or failure of anything designed. In Operational Risk Management, he not only analyzes the causes of failure but also indicates how proactive risk management can lead to success. This is a very well-written and instructive book." ―Henry Petroski, Aleksandar S. Vesic Professor of Civil Engineering and Professor of History, Duke University

"As one of the nation's largest domestic marine transport companies, moving hazardous cargo daily on our nation's waterways, we relentlessly pursue risk reduction through the lessons provided by real-world experiences. Mark Abkowitz's insightful analysis of recent disasters and his identification of risk factors common to them will help anyone concerned with incident prevention and consequence mitigation." ―Dr. Craig E. Philip, President and Chief Executive Officer, Ingram Barge Company

"A wise man once said, 'The mistakes we make are a result of the history we haven't read.' History is the treasure of evidence, whether it is about the risks we face as human beings or the mysteries of the universe. This book adds to the treasure of evidence and succinctly articulates, with distinction and clarity, the factors and actions most important to managing the risks we humans face." ―B. John Garrick, PhD, PE

"Dr. Abkowitz's masterful blend of great storytelling with astute professional risk assessment provides a fabulous tool for Joe Q. Public, public policy experts, and industrial risk managers to use together to make real headway on more intelligent risk management for all of us." ―Jim Vines, Environmental, Health & Safety Specialist, King & Spalding

"Through his case studies and analysis, Mark Abkowitz identifies key factors critical to understanding how we move towards more resilient communities. His focus on a more inclusive, all-hazards approach begins to point the way. A very useful collection indeed." ―Michael T. Lesnick, PhD, cofounder and Senior Partner, Meridian Institute

Project Risk Management: A Practical Implementation Approach by Michael M. Bissonette


Example Project Case Studies

Four project case studies are included in this chapter to demonstrate different aspects of project management that impact project risk and performance. The focus is on the differences between “best practices” used on different types of projects and the degree of risk that is imposed when project management tools, techniques, and competencies are not aligned with the prescribed “best practices” associated with those projects. These case studies highlight some organizational influences that can alter the course of project performance, as well.

Each of the case study projects has a particular project profile and suite of project management tools and techniques that were selected to be used. General ...


Importance of Parameter Uncertainty in the Modeling of Geological Variables

  • Original Paper
  • Published: 28 May 2024


  • Oktay Erten (ORCID: orcid.org/0000-0002-1718-3400) &
  • Clayton V. Deutsch

Quantitative modeling of geological heterogeneity is critical for resource management and decision-making. However, in the early stages of a mining project, the only data available for modeling the spatial variability of the variables are from a limited number of exploration drill holes. This means that the empirical cumulative distribution function of the data, which is one of the key inputs for the geostatistical simulation, is uncertain, and ignoring this uncertainty may lead to biased resource risk assessments. The parameter uncertainty can be quantified by the multivariate spatial bootstrap procedure and propagated through geostatistical simulation workflows. This methodology is demonstrated in a case study using the data from the former lead and zinc mine at Lisheen, Ireland. The joint modeling of the lead and zinc grades is carried out by using (1) all of the available data, (2) a representative subset (approximately 10% of the available data) without parameter uncertainty, and (3) the same subset with parameter uncertainty. In all cases, the turning bands simulation approach generates realizations of lead and zinc grades. In the third case, the uncertainty in the lead and zinc grade distributions is first quantified (i.e., prior uncertainty) by the correlated bootstrap realizations. This joint prior uncertainty is then updated in simulation by the conditioning data and domain limits, which results in posterior uncertainty. The results indicate that a more realistic resource risk assessment can be achieved when parameter uncertainty is considered.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price includes VAT (Russian Federation)

Instant access to the full article PDF.

Rent this article via DeepDyve

Institutional subscriptions

risk management case study approach

Almeida, A. S., & Journel, A. G. (1994). Joint simulation of multiple variables with a Markov-type coregionalization model. Mathematical Geology, 26 (5), 565–588.

Article   Google Scholar  

Arik, A. (1999). An alternative approach to resource classification. International Symposium on Computer Applications in the Mineral Industries (APCOM’99), 28 , 45–53.

Google Scholar  

Babak, O., & Deutsch, C. V. (2009a). An intrinsic model of coregionalization that solves variance inflation in collocated cokriging. Computers & Geosciences, 35 (3), 603–614.

Babak, O., & Deutsch, C. V. (2009b). Collocated cokriging based on merged secondary attributes. Mathematical Geosciences, 41 , 921–926.

Chilès, J. P., & Delfiner, P. (2012). Geostatistics: Modeling Spatial Uncertainty (2nd ed.). John Wiley & Sons.

Book   Google Scholar  

De Fouquet, C. (1994). Reminder on the conditioning kriging. In M. Armstrong & P. A. Dowd (Eds.), Geostatistical Simulation (pp. 131–145). Kluwer Academic.

Chapter   Google Scholar  

De Souza, L. E., Costa, J. F. C. L., & Koppe, J. C. (2004). Uncertainty estimate in resources assessment: A geostatistical contribution. Natural Resources Research, 13 , 1–15.

Deutsch, C. V., & Journel, A. G. (1997). GSLIB Geostatistical Software Library and User’s Guide (Second edi) . Oxford University Press.

Dillon, M., White, R., & Power, D. (2004). Tailings storage at lisheen mine. Ireland. Minerals Engineering, 17 (2), 123–130.

Article   CAS   Google Scholar  

Dominy, S. C., Noppé, M. A., & Annels, A. E. (2002). Errors and uncertainty in mineral resource and ore reserve estimation: The importance of getting it right. Exploration and Mining Geology, 11 (1–4), 77–98.

Efron, B., & Tibshirani, R. J. (1994). An introduction to the bootstrap . CRC Press.

Erten, O., & Deutsch, C. V. (2020). Bootstrap. In B. Daya Sagar, Q. Cheng, J. McKinley, & F. Agterberg (Eds.), Encyclopedia of Mathematical Geosciences (pp. 1–5). Springer.

Erten, O., Pardo-Igúzquiza, E., & Olea, R. A. (2020). Assessment of Experimental Semivariogram Uncertainty in the Presence of a Polynomial Drift. Natural Resources Research, 29 (2), 1087–1099.

Feyen, L., & Caers, J. (2006). Quantifying geological uncertainty for flow and transport modeling in multi-modal heterogeneous formations. Advances in Water Resources, 29 (6), 912–929.

Frenzel, M., Rohner, M., Gutzmer, J., Burisch, M., Cook, N. J., Gilbert, S., Ciobanu, C.L., Guven, J. (2019). Explaining metal zonation at the Lisheen Zn-Pb deposit. Life with Ore Deposits on Earth, Proceedings of the 15 th SGA Biennial Meeting, 2019, Vols 1-4, pp. 214–217

Fusciardi, L. P., Guven, J. F., Stewart, D. R. A., Carboni, V., Walsh, J. J., Kelly, J. G., Earls, G. (2003). The geology and genesis of the Lisheen Zn-Pb deposit, Co. Tipperary, Ireland. Europe’s Major Base Metal Deposits: Dublin, Irish Association for Economic Geology , pp 455–481

Hitzman, M. W. (1992). Discovery of the lisheen Zn-Pb-Au deposit Ireland. SEG Discovery, 09 , 1–15.

Hitzman, M. W., Redmond, P. B., & Beaty, D. W. (2002). The carbonate-hosted Lisheen Zn-Pb-Ag deposit, County Tipperary Ireland. Economic Geology, 97 (8), 1627–1655.

Journel, A. G. (1974). Geostatistics for conditional simulation of ore bodies. Economic Geology, 69 (5), 673–687.

Journel, A. G. (1983). Nonparametric estimation of spatial distributions. Mathematical Geology, 15 (3), 445–468.

Journel, A. G., Kyriakidis, P. C., & Mao, S. (2000). Correcting the smoothing effect of estimators: A spectral postprocessor. Mathematical Geology, 32 (7), 787–813.

Journel, A. G., & Bitanov, A. (2004). Uncertainty in N/G ratio in early reservoir development. Journal of Petroleum Science and Engineering, 44 (1), 115–130.

Khan, K. D., & Deutsch, C. V. (2016). Practical incorporation of multivariate parameter uncertainty in geostatistical resource modeling. Natural Resources Research, 25 (1), 51–70.

Kyne, R., Torremans, K., Güven, J., Doyle, R., & Walsh, J. (2019). 3-D modeling of the Lisheen and Silvermines deposits, County Tipperary, Ireland: insights into structural controls on the formation of Irish Zn-Pb deposits. Economic Geology, 114 (1), 93–116.

Leuangthong, O., McLennan, J. A., & Deutsch, C. V. (2004). Minimum acceptance criteria for geostatistical realizations. Natural Resources Research, 13 (3), 131–141.

Leuangthong, O., & Nowak, M. (2015). Dealing with high-grade data in resource estimation. Journal of the Southern African Institute of Mining and Metallurgy, 115 (1), 27–36.

Mantoglou, A., & Wilson, J. L. (1982). The turning bands method for simulation of random fields using line generation by a spectral method. Water Resources Research, 18 (5), 1379–1394.

Matheron, G. (1963). Principles of geostatistics. Economic Geology, 58 , 1246–1266.

O’Sullivan, D., & Newman, A. (2014). Extraction and backfill scheduling in a complex underground mine. Interfaces, 44 (2), 204–221.

Olea, R. A. (2007). Declustering of clustered preferential sampling for histogram and semivariogram inference. Mathematical Geology, 39 (5), 453–467.

Olea, R. A., & Pardo-Igúzquiza, E. (2011). Generalized bootstrap method for assessment of uncertainty in semivariogram inference. Mathematical Geosciences, 43 (2), 203–228.

Pardo-Igúzquiza, E., & Olea, R. A. (2012). VARBOOT: A spatial bootstrap program for semivariogram uncertainty assessment. Computers and Geosciences, 41 , 188–198.

Philcox, M. E. (1984). Lower Carboniferous lithostratigraphy of the Irish Midlands . Irish Association for Economic Geology

Pyrcz, M. J., Deutsch, C. V, & Deutsch, J. L. (2018). Transforming data to a Gaussian distribution. Geostatistics Lessons

Revuelta, M. B. (2017). Mineral resources: from exploration to sustainability assessment . Springer.

Rezvandehy, M., & Deutsch, C. V. (2017). Geostatistical modeling with histogram uncertainty: Confirmation of a correct approach. Natural Resources Research, 26 (3), 285–302.

Rossi, M. E., & Deutsch, C. V. (2013). Mineral resource estimation. New York: Springer Science & Business Media.

Sevastopulo, G. D., & Redmond, P. (1999). Age of mineralization of carbonate-hosted, base metal deposits in the Rathdowney Trend, Ireland. Geological Society, London, Special Publications, 155 (1), 303–311.

Shearley, E., Redmond, P., King, M., & Goodman, R. (1996). Geological controls on mineralization and dolomitization of the Lisheen Zn-Pb-Ag deposit, Co. Tipperary, Ireland. Geological Society, London, Special Publications, 107 (1), 23–33.

Shephard-Thorn, E. R. (1961). The Carboniferous limestone succession in north-west County Limerick

Snowden, D. V, Glacken, I., & Noppe, M. (2002). Dealing with demands of technical variability and uncertainty along the mine value chain. Value Tracking Symposium, Brisbane, Australia , 69

Somerville, I. D., & Jones, G. L. I. (1985). The Courceyan stratigraphy of the Pallaskenry borehole, County Limerick, Ireland. Geological Journal, 20 (4), 377–400.

Torremans, K., Kyne, R., Doyle, R., Güven, J. F., & Walsh, J. J. (2018). Controls on metal distributions at the Lisheen and Silvermines deposits: insights into fluid flow pathways in Irish-type Zn-Pb deposits. Economic Geology, 113 (7), 1455–1477.

Tukey, J. W. (1977). Exploratory data analysis (Vol. 2). Reading, MA.

Vargas-Guzmán, J. A. (2008). Unbiased resource evaluations with kriging and stochastic models of heterogeneous rock properties. Natural Resources Research, 17 (4), 245–254.

Verly, G. (1984). Estimation of spatial point and block distributions: the multigaussian model . Stanford University.

Wang, F., & Wall, M. M. (2003). Incorporating parameter uncertainty into prediction intervals for spatial data modeled via a parametric variogram. Journal of Agricultural, Biological, and Environmental Statistics, 8 , 296–309.

Wellmer, F.-W., Dalheimer, M., & Wagner, M. (2007). Economic evaluations in exploration . Springer.


Acknowledgments

We want to thank the industrial sponsors of the Center for Computational Geostatistics (CCG) for providing the resources to prepare this paper. We would also like to thank the Irish Center for Research in Applied Geosciences (iCRAG) for granting access to the Lisheen data. Finally, we thank Resource Modeling Solutions for providing a license to use the Resource Modeling Solutions Platform (RMSP) Python package.

Author information

Authors and affiliations.

Centre for Computational Geostatistics, University of Alberta, Edmonton, AB, Canada

Oktay Erten & Clayton V. Deutsch


Corresponding author

Correspondence to Oktay Erten .

Ethics declarations

Conflict of interest.

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article

Erten, O., Deutsch, C.V. Importance of Parameter Uncertainty in the Modeling of Geological Variables. Nat Resour Res (2024). https://doi.org/10.1007/s11053-024-10363-z


Received : 17 March 2024

Accepted : 15 May 2024

Published : 28 May 2024

DOI : https://doi.org/10.1007/s11053-024-10363-z


  • Turning bands
  • Multivariate spatial bootstrap
  • Geostatistical modeling
  • Histogram uncertainty
  • Lisheen deposit
  • Systematic Review
  • Open access
  • Published: 29 May 2024

Risk factors of chronic postoperative pain after total knee arthroplasty: a systematic review

  • Junfei Li 1 ,
  • Tingyu Guan 1 ,
  • Yue Zhai 1 &
  • Yuxia Zhang 2  

Journal of Orthopaedic Surgery and Research, volume 19, Article number: 320 (2024)


There is a lack of relevant studies to grade the evidence on the risk factors of chronic pain after total knee arthroplasty (TKA), and only quantitative methods are used for systematic evaluation. The review aimed to systematically identify risk factors of chronic postoperative pain following TKA and to evaluate the strength of the evidence underlying these correlations.

PubMed, Web of Science, Cochrane Library, Embase, and CINAHL databases were searched from inception to September 2023. Cohort studies, case-control studies, and cross-sectional studies involving patients undergoing total knee replacement were included. A semi-quantitative approach was used to grade the strength of the evidence based on the number of investigations, the quality of the studies, and the consistency of the associations reported by the studies.

Thirty-two articles involving 18,792 patients were included in the final systematic review. Ten variables were found to be strongly associated with postoperative pain, including age, body mass index (BMI), comorbidities condition, preoperative pain, chronic widespread pain, preoperative adverse health beliefs, preoperative sleep disorders, central sensitization, preoperative anxiety, and preoperative function. Sixteen factors were identified as having inconclusive evidence.

Conclusions

This systematic review clarifies which risk factors could be involved in future research on TKA pain management for surgeons and patients. It highlights those factors that have been controversial or weakly correlated, emphasizing the need for further high-quality studies to validate them. Most crucially, it can furnish clinicians with vital information regarding high-risk patients and their clinical attributes, thereby aiding in the development of preventive strategies to mitigate postoperative pain following TKA.

Trial registration

This systematic review has been registered on the PROSPERO platform (CRD42023444097).

Introduction

Total knee arthroplasty (TKA) is the most common surgical intervention for patients with end-stage osteoarthritis [ 1 ]. Despite a positive outcome for most patients, a sizeable portion of individuals experience significant pain following TKA [ 2 ]. Previous studies showed that the percentage of patients with unfavorable long-term pain outcomes ranged from 10% to 34% following knee replacement [ 3 ]. The International Association for the Study of Pain (IASP) defines chronic postoperative pain (CPSP) as pain that persists for more than 3 months after surgery, excluding other causes (e.g., infection, surgical failure, recurrence of malignancy, etc.) [ 4 ]. In addition to disruption of daily activities brought on by the pain itself, adverse or chronic pain outcomes following joint replacement are of great concern to orthopedic surgeons and their patients. Chronic postoperative pain is also associated with deterioration in physical, functional, and mental domains, which implies significant personal, social, and healthcare costs with the rising prevalence of knee replacement surgeries [ 5 ].

Understanding the risk factors affecting chronic postsurgical pain can help increase the clinical staff’s understanding of the field, which can help clinicians make better decisions and help patients reduce the risk of developing chronic pain. Previous pain guidelines have only recommended perioperative interventions without integrating risk factors [ 6 ]. Earlier systematic reviews applied quantitative measures to identify predictors of persistent pain after TKA without considering the grading of evidence, which may result in limited-quality outcomes [ 7 ].

Therefore, this study will conduct a systematic review and critical appraisal of the risk factors affecting chronic pain after TKA, and use the Newcastle-Ottawa Scale (NOS) and the Agency for Healthcare Research and Quality (AHRQ) checklist to rate the quality of the evidence in the included literature.

This article used the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-analyses) statement to guide implementation and reporting [ 8 ].

Data sources and search strategy

Five databases were searched (PubMed, Web of Science, Cochrane Library, Embase, CINAHL) from database inception to July 2023. All pertinent keyword variations were used, including both the Medical Subject Headings (MeSH) of various databases as well as the free-text versions of these terms. Reference lists of selected studies and reviews were searched to find additional publications on the subject. Detailed information about the search strategy is shown in Appendix 1.

Study selection and eligibility criteria

Studies meeting the following criteria were included: (1) cohort studies or case-control or cross-sectional studies; (2) patients undergoing total knee arthroplasty who are aged above 18 years old; (3) the outcome was defined as postoperative pain following total knee arthroplasty and follow-up had to be at least three months; (4) outcomes were predicted using preoperative, intraoperative or postoperative conditions. If total hip arthroplasty (THA) and total knee arthroplasty (TKA) patients were both included in the study, only TKA data were extracted. The exclusion criteria were as follows: (1) publications written in languages other than English and Chinese, (2) studies with incomplete methodology and full text not available. In addition, given the large number of possible confounding variables, cohort studies that failed to use a multivariate approach to assess risk factors were excluded.

Screening and data extraction

The titles and abstracts of all preliminarily identified studies were screened by two investigators (JL and TG) independently following the selection criteria. Any differences of opinion were settled by consensus or discussion with a third independent reviewer. To gather pertinent data, a predesigned electronic data extraction form was used. If there were multiple publications available, the most recent data were taken. The following information was extracted: participant characteristics, risk factors, pain outcome measures, follow-up period, and study design.

Assessing the risk of bias

The risk of bias in each included study was assessed independently by two authors (JL and TG) using the Newcastle-Ottawa Quality Assessment Scale (NOS) and the checklist recommended by the Agency for Healthcare Research and Quality (AHRQ) [ 9 ].

The Newcastle-Ottawa Scale (NOS) is an important tool that evaluates case-control and cohort studies. It is composed of three main sections, which include a total of eight items. These sections cover various aspects of the study, including the selection of the study population, comparability, and exposure/outcome evaluation. The NOS uses a semi-quantitative star system to rate the study’s quality, with a maximum score of nine stars. Studies were categorized as high quality (7–9 points), moderate quality (4–6 points), and low quality (0–3 points) [ 10 ]. To evaluate the quality of the cross-sectional studies, we utilized the checklist recommended by the Agency for Healthcare Research and Quality (AHRQ). The AHRQ Risk of Bias Evaluation Tool assesses the risk of bias in five domains, including selection bias, implementation bias, follow-up bias, detection bias, and reporting bias. If the answer was “no” or “unclear”, the score was 0. If the answer was “yes”, the score was 1. Articles were rated as low (0–3), moderate (4–7), or high quality (8–11) [ 11 ].

Data synthesis and analysis

Semi-quantitative methods were used to summarize the strength of evidence supporting the association between risk factors and chronic postoperative pain. The best evidence synthesis included variables that were examined using a multivariate approach in at least two studies and demonstrated a statistically significant association. Three criteria were used to quantitatively evaluate the evidence of risk factors for chronic pain following total knee replacement: (1) the number of studies evaluating the variables; (2) the standard of the scores for each variable under assessment; (3) the consistency of the relationship between the factors and chronic postoperative pain. When 75% of the studies evaluating the variable reported the same direction of association, associations were deemed consistent [ 12 ]. Variables analyzed using multivariate methods that yielded no association were also taken into account. The level of evidence on risk factors for postoperative chronic pain was categorized into the following four categories: (1) strong: consistent findings were found in ≥ 2 high-quality articles; (2) moderate: consistent results between 1 high-quality article and ≥ 1 moderate-quality article or ≥ 3 moderate or low-quality articles; (3) inconclusive: observed associations are inconsistent or assessed in 1 high-quality, < 3 moderate-quality studies or only in low-quality studies; (4) no association: no significant association was found in the high-quality multivariate analysis, or at least 3 high-quality studies found no association in the univariate analysis.

Study identification

The database search returned 18,792 articles, and 7 relevant articles were obtained through supplements from other resources. A total of 17,526 articles were obtained after eliminating duplicates. In the initial screening, 17,239 references were excluded by reading titles and abstracts, leaving 287 references for full-text review. Among the remaining articles, 105 did not cover the outcome of concern, 66 did not match the target population, the full text was not available for one study, and 61 were excluded for other reasons. Therefore, a total of 32 studies were included in the systematic evaluation, including five cross-sectional studies, one case-control study, and 26 cohort studies. The flowchart and reasons for exclusion are delineated in Fig. 1.

Figure 1. Flowchart of study selection

Study characteristics

A total of 32,645 patients who underwent primary total knee arthroplasty were enrolled in this study (see Table  1 ). The sample size ranged from 71 to 11,373. The commonly used outcome measurement instruments in the studies were the visual analog scale (VAS) (10 studies), Western Ontario and McMaster Osteoarthritis Index (WOMAC) pain scale (8 studies), and the Numerical Rating Scale (NRS) (7 studies). Five studies included total knee arthroplasty and total hip arthroplasty from which we extracted data for TKA. Study follow-up lasted a minimum of 3 months and a maximum of 10 years. Furthermore, 29 predictive factors associated with the development of postoperative chronic pain after TKA were identified.

Methodologic quality of included reviews

The research primarily focused on high or medium-quality literature, with no low-quality literature included in the analysis. The quality of cohort studies was evaluated using the NOS scale, with ratings ranging from moderate (four) to high (nine). The case-control study received a score of six out of nine on the NOS scale, indicating a moderate level of evidence. Five cross-sectional studies were assessed for quality using AHRQ, with three receiving a high-quality rating and two receiving a moderate rating. The scores for these studies ranged from 6 to 11. In studies rated as moderate quality, the most frequent reasons were the presence of confounding and measurement bias. Nine cohort studies did not report or control for confounders, which may have led to an elevated risk of confounding bias. Furthermore, four cross-sectional studies exhibited indications of measurement bias, and the handling of missing data was not disclosed in the publication. The quality evaluation of the included studies according to the NOS and AHRQ checklist is shown in Appendix 2.

The level of evidence for risk factors

Twenty-nine risk factors associated with the incidence of postoperative chronic pain were identified. The results of the best evidence analysis are presented in Table 2. Ten variables exhibited a significant association with the onset of chronic pain following total knee arthroplasty (TKA). Among demographic variables, age, body mass index (BMI), and comorbidities condition were found to have strong evidence. As for preoperative factors, strong evidence was observed for preoperative pain, chronic widespread pain, preoperative adverse health beliefs, preoperative sleep disorders, central sensitization, preoperative anxiety, and preoperative function. No risk factors were strongly associated with the development of chronic pain among intraoperative and postoperative factors. Additionally, three factors were found to have a moderate association with outcome variables, namely gender, preoperative depression, and pain trajectory. Finally, sixteen risk factors were identified as inconclusive, with the majority of them being statistically linked to chronic pain after TKA in just one study.

A total of 32 studies were included in our review, with a focus on case-control, cohort, and cross-sectional studies, and the grade of evidence in the literature was evaluated using the NOS scale, a quality assessment tool for cohort/case-control studies, and the AHRQ, a quality assessment tool for cross-sectional studies. Overall, the quality level of literature included in this study was high, and the reason for articles with a moderate level of evidence rating was the presence of potential confounding bias or measurement bias in the study. Twenty-nine risk factors connected with the development of chronic postoperative pain were identified, among which ten exhibited a strong correlation, three showed a moderate correlation, and sixteen factors yielded inconclusive results.

We employed a semi-quantitative approach to evaluate the level of evidence for risk factors and, in contrast to previous studies, identified two novel factors that exhibit a strong association with chronic pain following knee replacement surgery: preoperative sleep disturbances and preoperative poor health beliefs.

According to recent research that utilized machine learning and a large sample size, it has been determined that sleep problems can have a significant impact on chronic pain [ 13 ]. When we sleep, our body’s natural pain relief system is activated, and any disruptions to this system due to sleep deprivation or disturbances can negatively affect it [ 14 ]. A study was conducted to delve deeper into the relationship between sleep quality before total knee arthroplasty surgery and postoperative chronic pain syndrome (CPSP) [ 15 ]. The findings revealed that individuals who experienced sleep problems before the surgery were more likely to report higher pain scores three months after the procedure. This highlights the importance of addressing any pre-existing sleep issues before undergoing surgery to minimize the risk of postoperative chronic pain.

Health beliefs are thoughts, attitudes, or expectations that influence the experience of health and illness and related behaviors. Predictors such as illness perception, pain catastrophizing, preoperative expectations, and coping attitudes were grouped into the category of preoperative health beliefs in our article. Seven high-quality articles and one moderate-quality article have demonstrated a statistically significant correlation between preoperative negative health beliefs and chronic postoperative pain [ 16 , 17 , 18 , 19 , 20 , 21 , 22 , 23 ]. Research has shown that patients who experience greater levels of preoperative pain catastrophizing are more likely to suffer from moderate to severe pain after surgery. A study conducted by Giusti et al. has revealed that behavioral outcomes can forecast pain and functional outcomes up to 12 months after surgery [ 24 ]. Additionally, the study suggests that these outcomes partially mediate the relationship between catastrophizing and subsequent pain and function. Furthermore, a cohort study has identified the existence of psychological risk factors that may hinder the implementation of proper pain coping strategies and lead to the development of chronic postoperative pain.

Our review identified sixteen factors with insufficient evidence, as they were only statistically associated with CPSP in one study upon critical appraisal and lacked support from other literature. This highlights the necessity for further validation of these under-evidenced factors in future studies, specifically investigating their association with chronic pain. Moreover, it is crucial to prioritize factors backed by robust evidence and develop interventional clinical protocols based on these high-risk factors to provide comprehensive guidance to clinicians and nurses.

Limitations

This study has several limitations. In this systematic review, we only included patients with primary TKA and excluded those undergoing revision surgery and uni-compartmental arthroplasty; therefore, our findings may not extrapolate to other types of patients.

One of the major challenges in our study was the heterogeneity in the design of the included studies. We also found variations in the outcome indicators and measurement techniques used, which might account for the discrepancies in the results and hinder the integration of these findings.

Furthermore, we observed that some of the studies analyzed in this review did not adjust for potential confounders in their analyses. Confounding could have contributed to bias in our findings to some extent. Therefore, we recommend that future studies take these factors into consideration when analyzing their results.

Clinical implications

This systematic review can inspire future personalized pain prevention and management measures. Enhanced monitoring of patient-reported pain before and early after surgery may lead to early detection and potential early intervention of patients at risk for CPSP. Early identification and targeted treatment of pain may reduce pain and prevent long-term disability. Improving awareness of the importance of biological, sociocultural, psychological, physical, and clinical factors will help to implement the role of interventions better.

This systematic review aims to assess the risk factors that contribute to the emergence of chronic pain after total knee arthroplasty. It further endeavors to appraise the evidence supporting these factors quantitatively. This analysis strives to enlighten surgeons and patients alike on potential risk factors that deserve exploration in future TKA pain management research, particularly those that have generated controversy or displayed weak correlations. Importantly, it underscores the necessity for additional high-quality studies to confirm these factors, thereby equipping clinicians with crucial knowledge regarding high-risk patients and their clinical characteristics. In turn, this knowledge contributes to the formulation of effective preventive measures aimed at reducing postoperative pain following TKA.

Data availability

No datasets were generated or analysed during the current study.

Hamilton D, Henderson GR, Gaston P, MacDonald D, Howie C, Simpson AH. Comparative outcomes of total hip and knee arthroplasty: a prospective cohort study. Postgrad Med J. 2012;88(1045):627–31.


Fuzier R, Rousset J, Bataille B, Salces-y-Nédéo A, Maguès JP. One half of patients reports persistent pain three months after orthopaedic surgery. Anaesth Crit Care Pain Med. 2015;34(3):159–64.

Beswick AD, Wylde V, Gooberman-Hill R, Blom A, Dieppe P. What proportion of patients report long-term pain after total hip or knee replacement for osteoarthritis? A systematic review of prospective studies in unselected patients. BMJ Open. 2012;2(1):e000435.


Schug SA, Lavand’homme P, Barke A, Korwisi B, Rief W, Treede RD. The IASP classification of chronic pain for ICD-11: chronic postsurgical or posttraumatic pain. Pain. 2019;160(1):45–52.

Kim DH, Pearson-Chauhan KM, McCarthy RJ, Buvanendran A. Predictive factors for developing chronic Pain after total knee arthroplasty. J Arthroplasty. 2018;33(11):3372–8.

Wainwright TW, Gill M, McDonald DA, Middleton RG, Reed M, Sahota O, et al. Consensus statement for perioperative care in total hip replacement and total knee replacement surgery: enhanced recovery after surgery (ERAS(®)) Society recommendations. Acta Orthop. 2020;91(1):3–19.

Lewis GN, Rice DA, McNair PJ, Kluger M. Predictors of persistent pain after total knee arthroplasty: a systematic review and meta-analysis. Br J Anaesth. 2015;114(4):551–61.


Moher D, Liberati A, Tetzlaff J, Altman DG. Preferred reporting items for systematic reviews and meta-analyses: the PRISMA statement. BMJ. 2009;339:b2535.

Stang A. Critical evaluation of the Newcastle-Ottawa scale for the assessment of the quality of nonrandomized studies in meta-analyses. Eur J Epidemiol. 2010;25(9):603–5.

Martínez-González L, Fernández-Villa T, Molina AJ, Delgado-Rodríguez M, Martín V. Incidence of Anorexia Nervosa in women: a systematic review and Meta-analysis. Int J Environ Res Public Health. 2020;17(11).

Liu L, Cai XC, Sun XY, Zhou YQ, Jin MZ, Wang J, et al. Global prevalence of metabolic syndrome in patients with psoriasis in the past two decades: current evidence. J Eur Acad Dermatol Venereol. 2022;36(11):1969–79.

Gosselt AN, Slooter AJ, Boere PR, Zaal IJ. Risk factors for delirium after on-pump cardiac surgery: a systematic review. Crit Care. 2015;19(1):346.

Miettinen T, Mäntyselkä P, Hagelberg N, Mustola S, Kalso E, Lötsch J. Machine learning suggests sleep as a core factor in chronic pain. Pain. 2021;162(1):109–23.

Haack M, Simpson N, Sethna N, Kaur S, Mullington J. Sleep deficiency and chronic pain: potential underlying mechanisms and clinical implications. Neuropsychopharmacology. 2020;45(1):205–16.

Luo ZY, Li LL, Wang D, Wang HY, Pei FX, Zhou ZK. Preoperative sleep quality affects postoperative pain and function after total joint arthroplasty: a prospective cohort study. J Orthop Surg Res. 2019;14(1):378.

Yan Z, Liu M, Wang X, Wang J, Wang Z, Liu J, et al. Construction and Validation of Machine Learning Algorithms to Predict Chronic Post-surgical Pain among patients undergoing total knee arthroplasty. Pain Manag Nurs; 2023.

Lindberg MF, Miaskowski C, Rustøen T, Cooper BA, Aamodt A, Lerdal A. Preoperative risk factors associated with chronic pain profiles following total knee arthroplasty. Eur J Pain. 2021;25(3):680–92.

Shim J, McLernon DJ, Hamilton D, Simpson HA, Beasley M, Macfarlane GJ. Development of a clinical risk score for pain and function following total knee arthroplasty: results from the TRIO study. Rheumatol Adv Pract. 2018;2(2):rky021.

Rice DA, Kluger MT, McNair PJ, Lewis GN, Somogyi AA, Borotkanics R, et al. Persistent postoperative pain after total knee arthroplasty: a prospective cohort study of potential risk factors. Br J Anaesth. 2018;121(4):804–12.

Yakobov E, Scott W, Stanish W, Dunbar M, Richardson G, Sullivan M. The role of perceived injustice in the prediction of pain and function after total knee arthroplasty. Pain. 2014;155(10):2040–6.

Sullivan M, Tanzer M, Reardon G, Amirault D, Dunbar M, Stanish W. The role of presurgical expectancies in predicting pain and function one year following total knee arthroplasty. Pain. 2011;152(10):2287–93.

Riddle DL, Wade JB, Jiranek WA, Kong X. Preoperative pain catastrophizing predicts pain outcome after knee arthroplasty. Clin Orthop Relat Res. 2010;468(3):798–806.

Larsen DB, Laursen M, Edwards RR, Simonsen O, Arendt-Nielsen L, Petersen KK. The combination of Preoperative Pain, conditioned Pain Modulation, and Pain Catastrophizing predicts Postoperative Pain 12 months after total knee arthroplasty. Pain Med. 2021;22(7):1583–90.

Giusti EM, Manna C, Varallo G, Cattivelli R, Manzoni GM, Gabrielli S et al. The predictive role of executive functions and psychological factors on Chronic Pain after Orthopaedic surgery: a longitudinal cohort study. Brain Sci. 2020;10(10).

This study was supported by the National Key R&D Programmes (NKPs) subproject of China, Grant No. 2020YFC2008404-3.

Author information

Authors and affiliations.

Fudan University, Shanghai, China

Junfei Li, Tingyu Guan & Yue Zhai

Zhongshan Hospital, Shanghai, China

Yuxia Zhang


Contributions

Study concept and design: Junfei Li, Yuxia Zhang. Data acquisition, analysis, or interpretation: Junfei Li, Tingyu Guan. Quality assessment: Junfei Li, Tingyu Guan. Manuscript preparation: Junfei Li. Critical revision of the manuscript: Yue Zhai, Yuxia Zhang. Study supervision and obtained funding: Yuxia Zhang. All authors have read and approved the final manuscript.

Corresponding author

Correspondence to Yuxia Zhang .

Ethics declarations

Competing interests.

The authors declare no competing interests.

Additional information

Publisher’s note.

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access: This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/. The Creative Commons Public Domain Dedication waiver (http://creativecommons.org/publicdomain/zero/1.0/) applies to the data made available in this article, unless otherwise stated in a credit line to the data.


About this article

Cite this article

Li, J., Guan, T., Zhai, Y. et al. Risk factors of chronic postoperative pain after total knee arthroplasty: a systematic review. J Orthop Surg Res 19, 320 (2024). https://doi.org/10.1186/s13018-024-04778-w


Received: 03 April 2024

Accepted: 02 May 2024

Published: 29 May 2024

DOI: https://doi.org/10.1186/s13018-024-04778-w


  • Chronic pain
  • Pain, postoperative
  • Arthroplasty, replacement, knee
  • Risk factor

Journal of Orthopaedic Surgery and Research

ISSN: 1749-799X


Handling concentration data below the analytical limit in environmental mixture risk assessment: A case-study on pesticide river monitoring

  • Noventa, Seta
  • Pace, Emanuela
  • Esposito, Dania
  • Libralato, Giovanni
  • Manfra, Loredana

Aquatic organisms are exposed to ever-changing complex mixtures of chemicals throughout their lifetime. Component-Based Mixture Risk Assessment (CBMRA) is a well-established methodology for water contaminant-mixture management, the use of which is growing due to improved access to reference ecotoxicity data and extensive monitoring datasets. It enables the translation of measured exposure concentrations of chemicals into biological effect values, and thus a quantitative estimate of the risk of the whole water sample (i.e., as a mixture). However, many factors can bias the final risk decision by impacting the risk metric components; thus, a careful design of the CBMRA is needed, taking into primary consideration the specific features of the dataset and mixture risk assessment assignments. This study systematically addressed the effects of the most common approaches used for handling the concentrations of chemicals below the limit of detection/quantification (LOD/LOQ) in CBMRA. The main results included: i) an informed CBMRA procedure that enables the tracking of the risk decisions triggered by substances below LOD/LOQ; ii) a conceptual map and guidance criteria to support the selection of the most suitable approach for specific scenarios and related interpretation; iii) a guided implementation of the informed CBMRA on a dataset of pesticide concentrations in Italian rivers in 2020 (702,097 records).

  • Cumulative toxicity
  • Combined exposure
  • Chemical water quality
  • Detection/quantification limits
  • Risk metrics
  • Wide-scope pollution target screening

