Risk management in the public sector: a structured literature review

Enrico Bracci (Department of Economics and Management, University of Ferrara, Ferrara, Italy)
Mouhcine Tallaki (Department of Economics and Management, University of Ferrara, Ferrara, Italy)
Giorgia Gobbo (Department of Economics and Management, University of Ferrara, Ferrara, Italy)
Luca Papi (Department of Economics and Management, University of Ferrara, Ferrara, Italy)

International Journal of Public Sector Management

ISSN: 0951-3558

Article publication date: 15 January 2021

Issue publication date: 15 February 2021




Risk management (RM) is receiving increasing academic and practitioner attention in the public sector. Despite this, there is a lack of systematization of this body of knowledge. The purpose of this paper is to analyze the state of art by examining the knowledge gaps and defining the emerging themes of RM in the public sector to guide future research agendas.


The authors conducted a structured literature review (SLR). They analyzed 63 papers, by using Scopus database, published from 1990 to 2018. All papers were categorized and analyzed according to 11 criteria defined by the literature.


Results show that there is an increasing attention to RM with a need for more effort to consolidate research knowledge. Findings also established a lack of theorization, with a limited explanatory capacity of most studies. The paper defined four main areas for future developments to increase the body of knowledge. Namely, RM and managerial systems (i.e. MCSs and performance management), integrating RM systems and the building blocks of RM that the authors identify will also play a role in helping the authors to understand the diffusion of RM within public sector organizations.


Despite the increasing attention to RM in the public sector, more research is required. Considering RM in public sector risks to be a “black box”, this paper revealed some new insights that could help to analyze better RM in the public sector, to open the black box and to avoid a symbolic use of the RM. In fact, integration with the managerial systems and the strengthening of the building block could help to exploit the potential of RM in the public sector.



Bracci, E., Tallaki, M., Gobbo, G. and Papi, L. (2021), "Risk management in the public sector: a structured literature review", International Journal of Public Sector Management, Vol. 34 No. 2, pp. 205-223. https://doi.org/10.1108/IJPSM-02-2020-0049



Emerald Publishing Limited

Copyright © 2021, Emerald Publishing Limited

1. Introduction

Risk management (RM) has become central to social and economic debate in both the public and private sectors. In the public sector, the diffusion of RM frameworks and practices, started in the 80s, can be seen as part of the modernization drive under New Public Management (NPM) (Lapsley, 2009). RM is considered to be a governance tool (Mikes, 2011; Power, 2007) used for supporting policy choices and decision-making (Hutter and Power, 2005; Hutter, 2005). This trend is linked to a shift in the conceptualization of risk (Power, 2007) from an objective and quantifiable process driven by laws of probability to a process that considers unquantifiable uncertainties and risks that cannot be known (Spira and Page, 2003). Recent events, like financial crisis and the COVID-19 pandemic, intensified the interest and the centrality of RM in the public sector. This centrality is stressed not only by the public management debate but also by regulators and policymakers (Black, 2005). In this regard, various public regulators or other public sector bodies (Black, 2005), like organisation for economic cooperation and development (OECD) (Boin and Lodge, 2016) and the World Bank (Osgood et al., 2007), mobilized and advocated the interest in RM. Moreover, various countries tried to introduce reforms on RM. This created and favoured the adoption of RM approaches in the public sector (Black, 2005). The diffusion of RM frameworks and practices is prominent in countries like Australia, New Zealand, the United Kingdom and Canada (Barrett, 2014; Bui et al., 2019; Rana et al., 2019b; Woods, 2009). However, except for the regulatory initiatives and often superficial efforts to implement the RM framework, little has been done to practically establish an overall internal public sector control system on RM basis (Kolisovas and Andrius, 2011). Accordingly, RM may be distorted from its rationale by focussing in a standardized model (Huber, 2009) seeking to convey legitimacy (Bhimani, 2009) and to manage reputation (Power et al., 2009).

The growing research interest in public sector RM focuses on various aspects of RM, like the impact and diffusion of formal RM practices and systems (Palermo, 2014; Rocher, 2011; Vinnari and Skærbæk, 2014; Woods, 2009) as well as informal ones (Carlsson-Wall et al., 2019); integration of RM within an organizational process (Rana et al., 2019b) and contingency factors that impact on RM (Subramaniam et al., 2011). Moreover, empirical evidence regarding the RM remains limited. RM has been addressed only to a minimal extent in the academic literature; little has been investigated, also, on the perception and implementation of RM at various organizational levels (Bhimani, 2009). To date, while there are some literature reviews that examine RM in the private sector, and in particular enterprise risk management (ERM) systems (like Bromiley et al., 2015; Olson and Dash Wu, 2010), it is surprising to observe there are no overviews of published material relating to the public sector. Bromiley et al. (2015) highlighted that RM is conceived as an accounting and finance tool but rarely as a management tool. The authors in identifying some of the limitations and challenges in ERM research and practice called to move to a holistic RM approach. The authors called to address managerial issues, like strategic management and ERM and managerial models about risks, which represent opportunities contributing to the RM debate. Olson and Dash Wu (2010) analyzed the literature about supply chain RM and identified a general framework to deal with RM in the supply chain. Nevertheless, for the private sector RM provides a neoliberal logic where entrepreneurial subjects are oriented towards new economic citizenships (O'Malley, 2012) and where everything (or nothing) can become calculable (Power, 2004, 2009). RM in the private sector displaces the risk to profitability unlike the public sector where risk is understood in terms of failing to deliver public services (Black, 2005). RM in the public sector is an essential element in the pursuit of the public interest. Considering that, an overview of the literature about RM in the public sector is helpful to better define the research agenda. It could also be a guide for policymakers to shift through the various opportunities for RM improvement.

This paper aims to fill this gap by providing a review of the available literature in the public administration/management and accounting fields. In so doing, our contribution highlights the pattern and diffusion of the main topics addressed as well as avenues for future research directions. We use a structured literature review (SLR) approach, which combines quantitative analysis of diffusion and the dynamics of the extant literature with a qualitative understanding of the main topics addressed by scholars. In so doing, it applies a structured process to limit the use of discretionary choices, which thus allows a high level of replicability (Massaro et al., 2016). The SLR method complements traditional literature reviews because the approach helps to yield different outcomes that are more defensible. Therefore, in this SLR, we develop findings from the corpus of literature relating to RM in the public sector, and we offer likely explanations of the data.

The paper is structured as follows: the next section describes the methodology. We then present the quantitative analysis of the results to highlight the pattern and diffusion of the RM literature. This is followed by discussion of the qualitative content analysis structured according to the emerging themes. Thus, we conclude with some final reflections.

2. Methodology

In order to give an answer to the overall aim of this SLR, we attempt to uncover the state of RM research through the following research questions:


What is the current state of research on RM in the public sector?


What are the emerging themes of RM literature in the public sector?

In particular, to answer the RQ1, drawing on a SLR research protocol based on previous academic contributions, we attempt to depict the current state of research. To answer the RQ2, we performed a qualitative analysis on the content of the selected papers in order to identify the main issues they debated.

An SLR approach is able to make the review replicable, scientific and transparent (Tranfield et al., 2003). SLRs are considered suitable for contexts with well-established topics (Cuozzo et al., 2017; Dumay et al., 2016; Massaro et al., 2016). To develop the SLR, we followed four methodological steps, summarized in Table 1.

To search for the published articles (Step 1), we chose Scopus as the research source. We applied the search terms “risk management” AND NOT “health” AND NOT “care”. We excluded the terms “health” and “care” to avoid the risk to include papers regarding clinical risk theme in the sample. The terms were searched in the title, abstract, keywords and in three specific types of documents written in English: “articles”, “review” and “in press”. In addition, specific scientific journals were selected using the academic journal guide (AJG) 2018[1]. In the definition of the time span of the research, we chose all papers on Scopus until 31th December 2018. In particular, all the journals belonging to “public sector and health care” were considered, excluding those relating to the health sector. All the generalist “accounting” journals (with scores 3, 4 and 4*) and “accounting” journals were with a score 2, but the journals related to the research topic were taken. This provided us with 114 papers.

The second step aimed to exclude articles not related to the research topics. The abstract of every article selected in step 1 was read, and contributions were eliminated if they were considered not relevant to the specific research object but related to the following sectors: banking, insurance, environmental disasters, climate change and healthcare. As shown in Table 2 a final sample of 63 papers was found.

After selecting the relevant and final sample of the papers, each was read by the researchers separately and coded using a research protocol (Phase 3). Table 3 shows the 11 codes used in the protocol and their content.

Criteria 1, 2 and 7 are adopted from the study of Torchia et al. (2015), criteria 3, 4, 5, 6 and 8 are adopted from the study of Cuozzo et al. (2017) and criteria 9, 10 and 11 are adapted from the study of Brancia (2011).

To verify the reliability and validity of the coding (Step 4), the reliability statistic, known as Cohen's kappa (Cohen, 1960), was computed on a sample of 30 papers coded independently by three researchers. According to this empirical approach [2], researchers can rely mostly on variables with reliabilities above 0.81 and consider variables with reliabilities between 0.61 and 0.80 only for drawing possible conclusions. Table 4 shows all of the Cohen's kappa are statistically different from zero, applying the usual normal approximation (z test), except for the “theory applied” item, where Cohen's kappa is equal to one (perfect agreement with no variability). The greater reliability and agreement of the criteria “research position” and “type of risk” is confirmed by their lower variability expressed by standard errors.

3. Results

In this section, we present and discuss the results emerging from the analysis of the protocol codes, providing a quantitative representation of the findings.

3.1 Diffusion and distribution of the research

All the articles analyzed were published in peer-reviewed academic journals (in English) and are available through an electronic database (Scopus). Our final sample consists of 65 articles published in 22 journals. Table 5 shows the journals together with an indication of their impact factor and the specific AJG 2018 category such as “public sector” and “accounting”. The majority of the articles appeared in public administration/management journals (48 papers, 73.8%) and only partially in accounting journals (17 papers, 26.2%). The most prolific journals on the subject are Public Money and Management (11 papers, 16.9%) and International Journal of Public Sector Management (10 papers, 15.3%) (see Table 5). In addition, relevant journals in terms of the impact factor include Management Accounting Research (five papers) with an impact factor of 4.53, Public Management Review (four papers) with an impact factor of 3.31 and Accounting, Auditing and Accountability Journal (three papers) with an impact factor of 4.33.

In order to understand the evolution of the subject and the academic interest in it, an analysis of the number of publications per single year up to 2018 was conducted. As depicted in Figure 1, the first contribution was published in 1990. Up to 2004, academic interest in the subject was very low. From 2004, academic production was increased, in particular within generalist accounting journals. This evolution over time was determined by the diffusion of the NPM (Hood, 1991), in which the increasing importance of RM is represented one of the key elements of NPM (Lapsley, 2009).

Table 6 shows that the majority of the most-cited [3] articles were published after 2008 (Table 6), year in which there was a peak in the publication of contributions (see Figure 1). The paper with the most citations is Lapsley (2009) with 178 citations, followed by Woods (2009) with 80 citations. Lapsley (2009) and Stanton (2013) deal with the origin and widespread of RM, thanks to the diffusion of NPM; Woods (2009), Bhimani (2009) and Soin and Collier (2013) identify a theoretical setting of RM topic. Other authors proposed a critical perspective towards RM. Stanton (2011) deals with the poor effectiveness of RM laws, regulations and policy in case of financial crisis, and Kane and Patapan (2006) deal with the treat of the misapprehended problem of prudence in RM. Finally, other actors discuss the role of RM systems in public private partnership (PPP) and public finance initiative (PFI), and in particular risks associated with services provided by multiple actors (Nisar, 2007) or projects involving private and public actors (Asenova and Beck, 2003).

Identifying the most-cited papers allows us to correct the potential distortion deriving from the consideration of the journal's impact factor. At the same time, it does not highlight recent important publications. In fact, none of the relevant works published in 2018 is in the above-mentioned ranking.

All the selected articles were coded using the classification proposed by Cuozzo et al. (2017). The analysis of the localization of research (Figure 2) shows that 37% are from Europe, 17% Australia and 12% from America. This evidence correlates with the introduction of public reforms that were also related to RM systems. A total of 25% of publications are not related to a geographical location, which is in line with the percentage of “theoretical analysis/normative analysis/policy analysis” and “viewpoint/commentary” publications, which present general conceptualizations and do not refer to specific contexts.

In terms of the research context, 63% of the publications focus on a national scale, followed by 18% that are not related to any context, 14% that have a local focus and only 5% that make international comparisons (Figure 3). This result is not surprising, as the research interest was in national cases, presenting central government reforms to introduce RM. There are examples for Australia (Barrett, 2014) and England (Woods, 2009), with only one paper adopting an international comparative approach (Collier and Woods, 2011). In future, more comparative studies will be necessary in order to compare trends, technologies and outcomes in different contexts.

This topic is strongly linked to the specificities of the national context, in terms of political and normative structure. In line with Cuozzo et al. (2017), the organizational focus of each paper was classified as follows:

  1. Public administration,

  2. Public–private partnerships (either users or other organizations),

  3. Not for profit and

  4. Private.

Figure 4 shows that public administration (64%) is the prevailing organizational context, followed by public–private partnerships or PPPs (31%) and the private sector (5%). No contribution was examined the not-for-profit sector. In relation to public administrations, 29% are of local government (both municipalities and local authorities), and 18% are of central government. In total, 29% deal with public administrations, in general, 21% government agencies and 4% universities.

3.2 Methodology and theory

In line with Cuozzo et al. (2017), the papers were coded according to their method in the following manner:

  1. Case study/interview/field research,

  2. Textual analysis/content analysis/historical analysis,

  3. Empirical analysis/survey/questionnaire,

  4. Theoretical analysis/regulatory analysis/policy analysis,

  5. Literature analysis and

  6. Viewpoint/commentary.

The analysis showed a strong predominance of qualitative methods (86%) (Figure 5), in particular: 42% “case study/interview/field research”, followed by the 23% “theoretical analysis/normative analysis/policy analysis”, 15% “viewpoint/commentary”, 5% “textual analysis/content analysis/historical analysis” and 1% “literature analysis”. Only 14% of publications used “empirical analysis/survey/questionnaire”. These results are not surprising because qualitative methods that have an exploratory purpose tend to be the norm in a new field, as cases are few. At a later stage of greater maturity, quantitative research, often with an explanatory aim, tends to become more relevant.

In terms of theory used (Figure 6), the majority of the articles (69%) are not based on a specific theory, and most have a descriptive aim and not an interpretative one. Only a low percentage of the papers used the most well-known theories (3% institutional theory and 2% critical theory), while the 26% are based on other theories including the actor–network theory and contingency theory. The actor–network theory is used by Vinnari and Skærbæk (2014) to analyze the implementation of RM as a tool for internal audit activities; They also analyzed public and confidential documents as well as semi-structured interviews through the lens of actor–network theory to identify the effects of RM devices in a Finnish municipality. (Woods, 2009) uses a case study on the RM control system at Birmingham City Council to extend the existing theory by developing a contingency theory for the public sector; he demonstrates that controls are contingent upon three core variables: central government policies, information and communication technology (ICT) and organizational size. Collier and Woods (2011) adopt institutional, contingency and resource dependence theories but conclude “each theory was necessary but not sufficient” (Collier and Woods, 2011, p. 1) to explain practice variations across the country. It is evident that future RM research on the public sector needs to be more theorized in order to provide findings that are more solidly grounded. It is also important to develop a theoretical framework to explain the diffusion (or lack of diffusion) of RM, the variations in practice and the outcomes.

3.3 Risk stream and process

We investigated the papers' approach to RM by using the classification proposed by Brancia (2011). As shown in Figure 7, most of contributions (55%) do not refer to a specific approach but deal with RM in general, followed by 14% of papers that adopt a financial RM approach, 10% that adopt a project RM approach and 8% that use a strategic approach to RM. The other approaches represent a residual part of the selected contributions.

The above result is connected to the type of risks that were addressed in the research. Figure 8 shows 42% of papers deal with strategic risk, followed by 34% that deal with operational risk, 18% that deal with financial risk and 6% that deal with hazard risk. The prevalent interest in strategic and operational risk is coherent with the focus on RM in general terms, as this represents the base of any RM system.

Moreover, there is a correlation between the types of risk studied and the type of organization examined: operational and strategic risks are related local administrations; strategic risk, on the other hand, is the greatest risk studied in relation to central administrations and universities. There is no correlation between the types of risk studied and the type of organization examined in relation to government agencies and public administrations in general.

With reference to the phases of the RM process (Brancia, 2011), the majority (52%) of the publications do not deal with specific phases of the risk process. In keeping with the general focus outlined above, it seems that most of the papers address RM in general terms, and as a system, without focussing on a specific phase. Figure 9 shows that only 5% of the contributions explicitly deal with risk assessment, 5% are related to the risk treatment phase and 4% deal with the risk identification phases. Enterprise RM systems are present in only 8% of the papers. Not surprisingly, 26% of contributions are not linked to the management process, probably because they refer to “theoretical analysis/normative analysis/policy analysis” and “viewpoint/commentary” publications, aimed at presenting general conceptualizations.

4. Qualitative analysis of the results: a discussion

In our literature analysis, we identify four macro areas of emerging themes regarding the implementation of RM systems in the public sector. These four areas emerged as the most debated issues amongst the selected papers:

  1. Management control systems (MCSs) and RM, considering all aspects related to MCS involved in RM (Rana et al., 2019a);

  2. Performance, accountability and RM, focussing on the interrelation between performance measurement, internal/external accountability and RM (Barrett, 2014; Hood and Smith, 2013; Palermo, 2014);

  3. Integrated approach of RM, in relation to the RM frameworks (ERM) (Crawford and Stein, 2004; Christopher and Sarens, 2018) and

  4. Building blocks in the implementation of RM systems (Hinna et al., 2018; Capaldo et al., 2018).

The following sections will deal with these issues in detail. Through these categories, we aim to provide a systematic and critical analysis of the main findings of the previous studies to outline under-investigated areas.

4.1 MCSs and RM

MCS aims to direct individual behaviour or decisions towards organizational goals and strategies (Merchant and Otley, 2006). Effective MCSs help organizations to identify and mitigate material threats (risks) (Rana et al., 2019a) and identify and enhance opportunities. Risks and opportunities are the subject of RM systems that can therefore positively or negatively influence an organization's ability to achieve its objectives (Huber, 2009; COSO, 2009). RM and MCSs therefore play a fundamental role both in explaining and implementing political choices (Froud, 2003) and in reducing and overcoming uncertainties (Gray et al., 1995; Simons, 1991). Risk and uncertainty are in fact closely related and their distinction is based on the possibility of quantifying uncertainty through probability calculations.

MCSs could have a central role in the implementation of RM, in which RM helps in shifting the focus from compliance to greater managerial approach (Rana et al., 2019a). MCSs strengthen this shift by directing behaviour towards efficiencies. Despite the importance of RM for MCSs, in practice, this opportunity is not fully exploited, which means a radical cultural shift is still required if reforms are to be fully realized (ANAO, 2017; Rana et al., 2019a). However, the dominant risk in MCSs is linked to financial risk, with a focus on compliance (Rana et al., 2019a). Accordingly, Asenova and Beck (2003) highlighted that that current RM approach adopted by PFI financiers could be inadequate as it focus in financial risk and cost overruns. This is probably due to austerity policies in the various contexts, which result in tight financial controls aiming at “balancing the books” (Bracci et al., 2015). The continuous focus on compliance and regulatory requirements may result in a formal process of implementation of RM without the benefits that MCSs could have within an integrated system. However, in the public sector, rules and regulations have an enormous influence in terms of individual behaviour, resulting in rationally based systems of management control that reduce individual decision-making processes to formal predetermined solutions and procedures set by rules and regulations. On the other hand, RM requires more individual involvement in decision- making, with more a flexible approach for managing uncertainty at the process level (Hinna et al., 2018). This is because managers' awareness of risk allows them to better define goals by anticipating and prioritizing threats and opportunities according to the characteristics of the expected scenario. Managers would thus be more optimistic and would adopt challenging goals rather the cautious ones (Capaldo et al., 2018). However, in line with Rana et al. (2019a), RM seems to fulfil the requirement of control activities by expanding and not changing the internal MCSs. In this sense, as highlighted by Hinna et al. (2018), greater social interaction could be crucial to benefit from the potential of RM, and therefore improves MCSs. Social interaction, defined as a collaboration among RM experts and those who are not experts, helps organizations transfer cultural values, problematize RM and instil urgency in managers to more clearly visualize the impacts of their actions and responsibilities. The control systems of risk that emerge, as highlighted by Woods (2009), are contingent upon three core variables: central government policies, ICT and organizational size. The central government policy is important for two main reasons. First, a government policy drives many of the strategic objectives of public organizations, and performance against objectives is the focus of the RM system. Second, central government determines the resources available at the local level, and therefore implicitly influences the scope to invest in control systems. ICT directly influences RM because specialist software is integral to the risk control process. It provides the mechanism for the collection and collation of both performance and risk-related information. In relation to organizational size, the author affirms that larger organizations have a greater tendency for formalized control systems (Woods, 2009, p. 79).

4.2 Performance, accountability and RM

RM helps organizations to improve performance (ANAO, 2017; Barrett, 2014; Hood and Smith, 2013) and accountability systems (Palermo, 2014). To do this, organizations in the public sector, like in PPP, consider risk a determinant factor in performance measurement and accountability systems, adopt risk-based strategic decision-making and go beyond financial performance (Rana et al., 2019a). In fact, adopting a strategic decision-making approach could enhance goal setting within the performance measurement process and provide interesting insights into policymakers to improve the effectiveness of current performance measurement. Hood and Smith (2013) show that good RM contributes to the achievement of business objectives as well as strategic ones, with better project success, more effective use of resources and less fraud. This is because the predominant rationality of the RM implementation is represented by organizational performance (Hinna et al., 2018). Consequently, RM ensures that the management system is oriented towards efficiency and stakeholders' satisfaction, and that it creates value in order to engage a virtuous cycle. Accordingly, RM in PPP/PFI could help to increase value for money and performance in public organizations by allocating risks to those who can best able to manage them provides incentives for sustained and effective performance over time. The allocation of risks allows controlling and managing the real possible benefits of PFI (Nisar, 2007). Moreover, rigorous RM strategies could help to attract public sources of finance (i.e. the European Investment Bank) that are relatively lower cost. This enhances value for money and performance (Reeves and Palcic, 2017). In fact, as highlighted by Graham and Scarborough (1997) in the PPP context, managing risk could be determinant to enhance performance. Asenova and Beck (2003) shown that PFI financial companies in managing risk may transfer many operational and financial risks, but reputation and political risk are often difficult to avoid. In this sense, managing risk (i.e. reputational risk) and accountability play a central role in expanding awareness of risks to stakeholders (Hood and Smith, 2013). Furthermore, public organizations have to find an appropriate balance between process-oriented RM controls and performance principles management (Barrett, 2014). In practice, this is not always verified. As highlighted by Burke and Demirag (2019), RM provides, in the PPP/PFI context, opportunities for mitigating and managing risk, but the problem is how to measure and obtain value for money for taxpayers. Chung and Hensher (2015) suggested that to enhance RM performance in the PPP/PFI, it is recommendable to perform a good contractual framework, allied with good relationship skills between partners. Rana et al. (2019a) affirmed that the RM reform in the Australian public sector failed to enhance performance measurement due to the dominance of compliance accountability and financial performance. This is also confirmed by the type of performance and RM diffused. Financial performance combined with logic of compliance continues to be dominant, considering that the public context strengthens Hood's (2002) “blame game”, leaving little space for taking risks or learning from mistakes. However, the typology of risks monitored and reported in the public sector mainly concern reputational and political risk (Power, 2004; Power et al., 2009). To enhance performance risk culture, policymakers and organizations have to adopt an ongoing and continuous approach rather than just reflecting a short-term or fixed-term focus (Flemig et al., 2016; Rana et al., 2019a) by balancing process and performance principles (Barrett, 2014), building up the level of accountability and promoting efficiency. Without an effective risk culture in the organization, individual perceptions of risk are not sufficient for developing a real propensity to take risks (Capaldo et al., 2018).

4.3 Integrating approach of RM

Research shows that RM is perceived and implemented in multiple forms in the public sector. Crawford and Stein (2004) highlight various areas of weakness guidance and policies adopted by local authorities, which could give rise to subjectivity in the implementation of RM. Christopher and Sarens (2018) argue this is to satisfy stakeholders at different managerial levels across organizations. They define three different levels of governance, namely a strategic level of governance, which includes policy and procedures to support a RM culture, an operational level of governance, which concerns the formalization of the RM structure and practices, and risk and control awareness at strategic and operational levels. They also suggest that different logic of implementation and integration with managerial systems could relate to the fact that key players are influenced differently across the governance levels. In this sense, Coetzee (2016) highlights the different views of RM at various organizational levels. Hood (2003) in analyzing RM in PPP /PFI highlights that local authorities do not maximize the involvement of their own RM staff in managing risk. According to the author, local authorities focused on the formal aspects of allocation of responsibilities or seek to manage risk by outsourcing this to consultants. The formal process of implementation due the continuous focuses on compliance and regulatory requirements could hinder the benefits and potentials of RM and may result in lack of integration of RM with MCSs. Furthermore, Vinnari and Skærbæk (2014) report that the formal structure of RM can destabilize existing practices. The authors argue that at the operational level, standardized RM solutions clash with professional conceptions of managers. However, integrating RM with other process requires developing a culture of second-order change to encourage culture of ongoing learning (Crawford and Stein, 2005). Consequently, public organizations could adopt informal rather than formal approaches for managing risk. In this case, risks are largely managed outside the apparatus of formal RM systems (Carlsson-Wall et al., 2019). The tension between informal and formal approaches to managing risk is not static. Over time, this tension turns RM into a hybridized mode of interaction (Carlsson-Wall et al., 2019). In fact, organizations could also adopt a silos approach and an informal or vernacular system that only later integrates with a global approach and a formal system. This could be due to the lack of immediate benefits from the implementation of RM (Oulasvirta and Anttiroiko, 2017), which determines a greater utility deriving from an hybrid approach, first informal and then formal (Carlsson-Wall et al., 2019). Flemig et al. (2016) emphasize the importance of adopting soft rather than hard RM, as it enhances learning and innovation within organizations. Hard RM encompasses technocratic and rule/regulation-driven RM.

RM is not a stand-alone activity, since it is influenced by and influences the organization's functioning (Hinna et al., 2018). RM processes should relate to organizational and sub-organizational objectives and to accounting and auditing norms and control systems (Power, 2009). However, the implementation of RM systems could affect and change organizational and management control practices (Power et al., 2009), and RM needs to be included in business processes (Financial Reporting Council, 2005). Rana et al. (2019a) reported RM that due to the dominance of compliance approach RM is not well integrated at the process level.

4.4 RM building blocks

The “building blocks” are organizational or structural factors that modify the internal context in order to implement a RM system. Our literature review finds three building blocks that help to implement an efficient and integrated RM system (UK Cabinet Office and Civil Service, 2017; Hinna et al., 2018; Capaldo et al., 2018): the development of risk culture, the definition of roles and responsibilities and the role of technologies.

Carrel (2010, p. 6) argues that “the risk is managed as a corporate culture and brought a core value to the forefront of corporate strategies”. RM is a fundamental aspect of the corporate culture; thus, risk must be managed at all organizational levels. Recent NPM reforms drive the cultural changes needed within entities to, among other things, promote effective RM and performance cultures (Barrett, 2014). In light of this evidence, it is necessary to develop a corporate risk culture that creates greater awareness of risk issues in all operators and a shared specific language (Dittmeier, 2015). Krause (2014) shown in the PPP that RM strategies depend on the risk perceptions of managers, the political environment and the interrelatedness of formal and informal governance characteristics.

RM implementation takes place in the context of pre-existing systems of control, working practices, rules, norms and well-established organizational culture. This means social interactions are relevant (Miller, 2009), and greater social interaction is crucial for transferring cultural values and increasing managers' ability to evaluate the possible impacts of their activities and behaviours.

Hinna et al. (2018) underlines how the analysis of RM's assimilation into organizational practices are presented using the theoretical building blocks previously developed (risk rationalities, uncertainty experts and technologies) (Arena et al., 2010), enriched by individual perspectives that emerged during the interviews with top and middle managers. The authors also highlight the importance of key elements, such as the involvement of several actors in risk analysis, identification and assessments, training programs for managers and staff, actions and activities for the processes (survey, interviews, meetings, etc.) that lead to the implementation of new practice (Hinna et al., 2018, p. 126). In addition, Palermo (2014) argues that the use of RM is dependent on relational skills, knowledge of business activities and professional experience. Risk managers can be a source of innovation in the public sector when they adopt a “soft” relational approach to RM rather than a technocratic one.

RM should become an organizational practice that allows organizational learning (Hinna et al., 2018). However, public context reinforces, as discussed before, the tenets of Hood's (2002) “blame game”: structural incentives (for example reward/promotion schemes and statutory regulation) are set to avoid blame, leaving little space for learning from either mistakes or failed innovation. This block learning is a fundamental problem for public sector innovation. Because risk and failure are both seen as normatively “bad” in public services (for good reasons, in most cases), this breaks down the “innovation cycle”: learning and evolving from risk cannot occur because, by definition, failure is normatively negative (Flemig et al., 2016).

Another important building block is the identification of the roles and responsibilities of the subjects involved in the system. The literature review highlights the involvement of subjects belonging, in a top-down and bottom-up approach, to all levels of the organization. In particular, political leaders must play a strong role in the development of a risk culture and strategy both by providing specific long-term policies and by assigning the required resources (human, technical and financial) for system development and monitoring. Political leaders can identify a more restricted RM managerial committee to share the principles and the overall methodological and practical approach of the system (Dittmeier, 2015).

The operation of the system must be performed by the risk manager, who is responsible for the following activities: proper functioning of the RM process on the basis of the strategic lines established by the top management and the inputs collected by all the operators; training and support activities of the subjects involved in the system and monitoring and updating the system (Dittmeier, 2015).

Finally, in support of the risk manager, there are managers and referents, belonging to different operating units and involved in RM and decision- making. Often these subjects work in operational committees, coordinated by the risk manager (Dittmeier, 2015). The literature identifies, within this category of subjects, the “risk champions” or “change champions”. These subject experts are strongly oriented towards RM logics and seek to spread the culture of risk (Palermo, 2014).

The last building block is the development of an information system to support the integrated RM system. This perspective is particularly relevant to integrate IT governance models with integrated management systems (Rubino and Vitolla, 2014). As mentioned above, the literature review reveals how RM is not a stand-alone activity but must be integrated with all the other corporate processes and systems (Hinna et al., 2018). ICT directly influences RM because the specialist software is integral to the risk control process. It provides the mechanism for the collection and collation of both performance and risk-related information (Woods, 2009). The information system must support all phases of the risk process, in particular the risk assessment phase, providing all the useful information for estimating risks and to reduce the uncertainty of the risk estimates (Dittmeier, 2015).

5. Conclusion

Current RM research in the public sector appears to have a mixed picture. On the one hand, the field has developed with an increasing number of publications from different geographical contexts. On the other hand, there is still a need for more effort to consolidate a strong corpus of knowledge. The evidence has shown a lack of theorization, with a limited explanatory capacity of most studies, which remains descriptive. Future research should pay more attention for developing a strong theoretical basis and by combining different theory streams (Collier and Woods, 2011). In addition, cross-case, cross-country comparison would also help to move beyond contextual specificity. We propose four main areas for future developments to increase the body of knowledge of the field. In particular, future research should focus on the ways in which RM and its effects influence and are influenced by other managerial systems (i.e. MCSs and performance management), and how these evolve into integrated RM systems. These areas should not neglect the behavioural and cultural implications of RM. The building blocks of RM that we identified will also play a role in helping us to understand the diffusion of RM within public sector organizations.

Through this SLR, we expose early research in the field, showing its scope and evolution as well as issues and prospects. In so doing, this paper contributes to the literature by showing the limitations of the existing research and by proposing ideas for further research to improve our understanding of RM in public management and accounting and its practical relevance.

As other literature reviews, this paper also has some limitations. The first one is related to the use of Scopus as a source of analysis, which does not consider conference papers or working papers. However, Scopus offers more reliability in terms of replicability. Finally, the qualitative analysis of the paper is intrinsically interpretative although the inter-author discussion helped to reduce the discretion of single authors.


Evolution over time

Figure 1

Evolution over time

Location of the research

Figure 2

Location of the research

Research context

Figure 3

Research context

Organizational focus

Figure 4

Organizational focus

Research method

Figure 5

Research method

Applied theories

Figure 6

Applied theories

Risk stream

Figure 7

Risk stream

Risk type

Figure 8

Risk type

RM process

Figure 9

RM process

Our approach to the structured literature review process

Step 1Search published articles
Step 2Delete articles which are not related to the research topic
Step 3Read and code full papers
Step 4Conduct reliability and validity coding test

Selection of final sample of the papers

Selection criteriaNumber of papers
All selected papers114
Papers not related to the research topic51
Final sample of papers63

Research protocol

1Scientific source
2Year of publication
3Number of citations
4Research methods
4.1Case/field study/interviews/action research
4.2Content analysis/historical analysis/other textual analysis
4.3Survey/questionnaire/other empirical
4.5Literature review
5Location of the research
6Theory applied
6.1Theory not applied
6.2Agency theory
6.3Critical theory
6.4Institutional theory
6.5Legitimacy theory
6.6Other theories
8Organizational focus
8.1Public administrations
8.2Public–private partnerships (either users or other organizations)
8.3Not for profit
9Risk stream
9.1Strategic risk management (SRM)
9.2Financial risk management (FRM)
9.3Enterprise risk management (ERM)
9.4Insurance risk management (IRM)
9.5Project risk management (PRM)
9.6Engineering risk management (EnRM)
9.7Supply chain risk management (ScRM)
9.8Disaster risk management (DRM)
9.9Risk management (RM)
10Risk type
10.1Hazard risks
10.2Financial risks
10.3Operational risks
10.4Strategic risks
11Risk management process
11.1Context analysis
11.2Risk identification
11.3Risk evaluation
11.4Risk treatment or handling
11.5Risk monitoring and control
11.6Risk management system
11.7Integrated risk management

Cohen's kappa and standard error

CriteriaCohen's kappaStd errorStrength of agreement
Research method0.870.070Very good
Location of the research0.960.044Very good
Theory applied1.00///
Jurisdiction0.900.067Very good
Organizational focus0.840.105Very good
Risk stream0.910.064Very good
Risk type0.950.049Very good
Risk management process0.850.084Very good

Journals, impact factor and number of papers

JournalImpact factorNumber of papers
Public sector
1Public Money and Management0.8811
2International Journal of Public Sector Management1.3810
3Public Management Review3.314
4International Journal of Public Administration0.824
5Public Policy and Administration2.343
6Public Administration Review2.033
7Australian Journal of Public Administration1.073
8Public Organization Review0.793
9Local Government Studies1.602
10Journal of Public Administration Research and Theory4.411
11International Review of Administrative Sciences1.941
12Administration and Society1.321
13Policy Studies1.011
14Asia and the Pacific Policy Studies0.881
15Management Accounting Research4.535
16Accounting, Auditing and Accountability Journal4.333
17Financial Accountability and Management1.762
18Australian Accounting Review0.872
20Critical Perspectives on Accounting3.181
21Accounting Horizons2.111
22European Accounting Review1.851
Total 65

The 10 most-cited articles

AuthorTitleJournalNumber of citations
1Lapsley (2009)New public management: The cruellest invention of the human spirit?Abacus178
2Woods (2009)A contingency theory perspective on the risk management control system within Birmingham City CouncilManagement Accounting Research80
3Stanton (2011)Governance implications of the Global Financial Crisis: United States experiencePublic Organization Review72
4Bhimani (2009)Risk management, corporate governance and management accounting: Emerging interdependenciesManagement Accounting Research66
5Nisar (2007)Risk management in public–private partnership contractsPublic Organization Review49
6Kane and Patapan (2006)In search of prudence: The hidden problem of managerial reformPublic Administration Review45
7Stanton (2013)Risk management is essential at a time of downsizingPublic Administration Review36
8Soin and Collier (2013)Risk and risk management in management accounting and controlManagement Accounting Research30
9Asenova and Beck (2003)The UK financial sector and risk management in PFI projects: A surveyPublic Money and Management28
10Barrett (2014)New development: Financial reform and good governancePublic Money and Management27



The AJG is a guide to the range, subject matter and relative quality of journals in which business and management academics publish their searches. It is based on peer review, editorial and expert judgements, following from the evaluation of many hundreds of publications, and is informed by statistical information relating to citation. The journals are classified in 22 research fields (accounting; business history and economic history; economics, econometrics and statistics; entrepreneurship and small business management; finance; general management, ethics, gender and social responsibility; human resource management and employment studies; information management; innovation; international business and area studies; management development and education; marketing; operations research and management science; operations and technology management; organizations studies; psychology [general]; psychology [organizational]; public sector and healthcare; regional studies, planning and environment; sector studies; social sciences and strategy), and each journal is assigned with an increasing score: 1, 2, 3, 4 to 4 * (Source: AJG 2018 –Methodology).


Rules of thumb for Cohen's kappa: 0.81–1 “very good”; 0.61–0.80 “good”; 0.41–0.6 “moderate”; 0.21–0.4 “fair” and 0–0.2 “poor”.


Extracted from database Scopus on 5 December 2018.


Australian National Audit Office (ANAO) (2017), “The management of risk by public sector entities”, available at: https://www.anao.gov.au/sites/default/files/ANAO_Report_2017-2018_6b.pdf.

Arena, M., Arnaboldi, M. and Azzone, G. (2010), “The organizational dynamics of enterprise risk management”, Accounting, Organizations and Society, Vol. 35, pp. 659-675.

Asenova, D. and Beck, M. (2003), “The UK financial sector and risk management in PFI projects: a survey”, Public Money and Management, Vol. 23, pp. 195-202.

Barrett AO, P. (2014), “New development: risk management – how to regain trust and confidence in government”, Public Money and Management, Vol. 34, pp. 459-464.

Bhimani, A. (2009), “Risk management, corporate governance and management accounting: emerging interdependencies”, Management Accounting Research, Vol. 20, pp. 2-5.

Black, J. (2005), “The emergence of risk-based regulation and the new public risk management in the United Kingdom”, Public Law, Vol. 3, pp. 512-548.

Boin, A. and Lodge, M. (2016), “Designing resilient institutions for transboundary crisis management: a time for public administration”, Public Administration, Vol. 94, pp. 289-298.

Bracci, E., Humphrey, C., Moll, J. and Steccolini, I. (2015), “Public sector accounting, accountability and austerity: more than balancing the books?”, Accounting, Auditing and Accountability Journal, Vol. 28, pp. 878-908.

Brancia, A. (2011), “SMES risk management: an analysis of the existing literature considering the different risk streams”, The 8th AGSE International Entrepreneurship Research Exchange, pp. 225-239.

Bromiley, P., McShane, M., Nair, A. and Rustambekov, E. (2015), “Enterprise risk management: review, critique, and research directions”, Long Range Planning, Vol. 48, pp. 265-276.

Bui, B., Cordery, C. and Wang, Z. (2019), “Risk management in local authorities: an application of Schatzki's social site ontology”, The British Accounting Review, Vol. 51, pp. 299-315, doi: 10.1016/j.bar.2019.01.001.

Burke, R. and Demirag, I. (2019), “Risk management by SPV partners in toll road public private partnerships”, Public Management Review, Vol. 21, pp. 711-731.

Capaldo, G., Costantino, N., Pellegrino, R. and Rippa, P. (2018), “The role of risk in improving goal setting in performance management practices within public sector: an explorative research in courts offices in Italy”, International Journal of Public Administration, Vol. 41, pp. 986-997.

Carlsson-Wall, M., Kraus, K., Meidell, A. and Tran, P. (2019), “Managing risk in the public sector – the interaction between vernacular and formal risk management systems”, Financial Accountability and Management, Vol. 35, pp. 3-19, doi: 10.1111/faam.12179.

Carrel, P. (2010), The Handbook of Risk Management, John Wiley Sons, Chichester.

Christopher, J. and Sarens, G. (2018), “Diffusion of corporate risk-management characteristics: perspectives of chief audit executives through a survey approach”, Australian Journal of Public Administration, Vol. 77, pp. 427-441.

Chung, D. and Hensher, D. (2015), “Risk management in public-private partnerships”, Australian Accounting Review, Vol. 25, pp. 13-27.

Coetzee, P. (2016), “Contribution of internal auditing to risk management”, International Journal of Public Sector Management, Vol. 29, pp. 348-364.

Cohen, J. (1960), “A coefficient of agreement for nominal scales”, Educational and Psychological Measurement, ST-A coefficient of agreement for nominal, Vol. 20, pp. 37-46.

Collier, P.M. and Woods, M. (2011), “A comparison of the local authority adoption of risk management in England and Australia”, Australian Accounting Review, Vol. 21, pp. 111-123.

Commitee of Sponsoring Organizations of the Treadway Commision (2009), “COSO Internal control-integrated framework: guidance on monitoring internal control systems, volume III: examples Committee of Sponsoring Organizations of the Treadway Commission”.

Crawford, M. and Stein, W. (2004), “Risk management in UK local authorities. The effectiveness of current guidance and practice”, International Journal of Public Sector Management, Vol. 17 No. 6, pp. 498-512, doi: 10.1108/09513550410554788.

Crawford, M. and Stein, W. (2005), “‘Second order’ change in UK local government: the case of risk management”, International Journal of Public Sector Management, Vol. 18, pp. 414-423.

Cuozzo, B., Dumay, J., Palmaccio, M. and Lombardi, R. (2017), “Intellectual capital disclosure: a structured literature review”, Journal of Intellectual Capital, Vol. 18, pp. 9-28.

Dittmeier, C. (2015), La governance dei rischi. Un riferimento per gli organi e le funzioni di governo e controllo, EGEA spa, Milano.

Dumay, J., Bernardi, C., Guthrie, J. and Demartini, P. (2016), “Integrated reporting: a structured literature review”, Accounting Forum, Vol. 40, pp. 166-185.

Financial Reporting Council (2005), Internal Control – Revised Guidance for Directors on the Combined Code, London.

Flemig, S., Osborne, S. and Kinder, T. (2016), “Risky business – reconceptualizing risk and innovation in public services”, Public Money and Management, Vol. 36, pp. 425-432.

Froud, J. (2003), “The private finance initiative”, Accounting, Organizations and Society, Vol. 28, pp. 567-589.

Graham, M. and Scarborough, H. (1997), “Information technology outsourcing by state governments in Australia”, Australian Journal of Public Administration, Vol. 56, pp. 30-39.

Gray, R., Kouhy, R. and Lavers, S. (1995), “Corporate social and environmental reporting”, Accounting, Auditing and Accountability Journal, Vol. 8, pp. 47-77.

Hinna, A., Scarozza, D. and Rotundi, F. (2018), “Implementing risk management in the Italian public sector: hybridization between old and new practices”, International Journal of Public Administration, Vol. 41, pp. 110-128.

Hood, C. (1991), “A public management for all seasons?”, Public Administration, John Wiley & Sons, Vol. 69, pp. 3-19, doi: 10.1111/j.1467-9299.1991.tb00779.x.

Hood, C. (2002), “The risk game and the blame game”, Government and Opposition, Vol. 37, pp. 15-37.

Hood, J. (2003), “Minimising risk: the role of the local authority risk manager in PFT/PPP contracts”, Public Policy and Administration, Vol. 18, pp. 57-70.

Hood, J. and Smith, T. (2013), “Perceptions of quantifiable benefits of local authority risk management”, International Journal of Public Sector Management, Vol. 26, pp. 309-319.

Huber, C. (2009), “Risks and risk-based regulation in higher education institutions”, Tertiary Education and Management, Vol. 15, pp. 83-95.

Hutter, B.M. (2005), The Attractions of Risk-Based Regulation: Accounting for the Emergence of Risk Ideas in Regulation, CARR, London, Vol. 33.

Hutter, B. and Power, M. (Eds) (2005), Organizational Encounters with Risk, Cambridge University Press, Cambridge.

Kane, J. and Patapan, H. (2006), “In search of prudence: the hidden problem of managerial reform”, Public Administration Review, Vol. 66, pp. 711-724, doi: 10.1111/j.1540-6210.2006.00636.x.

Kolisovas, D. and Andrius, Š. (2011), “Risk management in Lithuania's public sector: starting point, current situation and future perspectives”, Intellectual Economics, Vol. 5, pp. 547-559.

Krause, T. (2014), “A contingency framework on partnership risk”, International Journal of Public Sector Management, Vol. 27, pp. 317-333.

Lapsley, I. (2009), “New public management: the cruellest invention of the human spirit?”, Abacus, Vol. 45, pp. 1-21.

Massaro, M., Dumay, J. and Guthrie, J. (2016), “On the shoulders of giants: undertaking a structured literature review in accounting”, Accounting, Auditing and Accountability Journal, Vol. 29, pp. 767-801.

Merchant, K.A. and Otley, D.T. (2006), “A review of the literature on control and accountability”, Handbooks of Management Accounting Research, Vol. 2, pp. 785-802.

Mikes, A. (2011), “From counting risk to making risk count: boundary-work in risk management”, Accounting, Organizations and Society, Vol. 36, pp. 226-245.

Miller, K.D. (2009), “Organizational risk after modernism”, Organization Studies, Vol. 30, pp. 157-180.

Nisar, T.M. (2007), “Value for money drivers in public private partnership schemes”, International Journal of Public Sector Management, Vol. 20, pp. 147-156.

Olson, D.L. and Dash Wu, D. (2010), “A review of enterprise risk management in supply chain”, Emerald.com, Vol. 39, pp. 694-706.

O'Malley, P. (2012), Risk, Uncertainty and Government, Risk, Uncertainty and Government, Taylor and Francis, London.

Osgood, D.E., McLaurin, M., Carriquiry, M., Mishra, A., Fiondella, F., Hansen, J., Peterson, N., Ward, N. and Malawi, I. (2007), Designing Weather Insurance Contracts for Farmers in Malawi, Tanzania and Kenya: Final Report to the Commodity Risk Management Group, ARD, World Bank.

Oulasvirta, L. and Anttiroiko, A.-V. (2017), “Adoption of comprehensive risk management in local government”, Local Government Studies, Vol. 43, pp. 451-474.

Palermo, T. (2014), “Accountability and expertise in public sector risk management: a case study”, Financial Accountability and Management, Vol. 30, pp. 322-341.

Power, M. (2004), “The risk management of everything”, The Journal of Risk Finance, Vol. 5, pp. 58-65.

Power, M. (2007), Organized Uncertainty: Designing a World of Risk Management, Oxford University Press, New York, NY.

Power, M. (2009), “The risk management of nothing”, Accounting, Organizations and Society, Vol. 34, pp. 849-855.

Power, M., Scheytt, T., Soin, K. and Sahlin, K. (2009), “Reputational risk as a logic of organizing in late modernity”, Organization Studies, Vol. 30, pp. 301-324.

Rana, T., Hoque, Z. and Jacobs, K. (2019a), “Public sector reform implications for performance measurement and risk management practice: insights from Australia”, Public Money and Management, Vol. 39, pp. 37-45.

Rana, T., Wickramasinghe, D. and Bracci, E. (2019b), “New development: integrating risk management in management control systems – lessons for public sector managers”, Public Money and Management, Vol. 39, pp. 148-151.

Reeves, E. and Palcic, D. (2017), “Getting back on track: the expanded use of PPPs in Ireland since the global financial crisis”, Policy Studies, Vol. 38, pp. 339-355.

Rocher, S. (2011), “‘Re-opening the black box’: the story of implementing a risk analysis method in a French local government”, Financial Accountability and Management, Vol. 27, pp. 63-82.

Rubino, M. and Vitolla, F. (2014), “Corporate governance and the information system: how a framework for IT governance supports ERM”, Corporate Governance, Vol. 14, pp. 320-338.

Soin, K. and Collier, P. (2013), “Risk and risk management in management accounting and control”, Management Accounting Research, Academic Press, Vol. 24, pp. 82-87, doi: 10.1016/J.MAR.2013.04.003.

Simons, R. (1991), “Strategic orientation and top management attention to control systems”, Strategic Management Journal, Vol. 12, pp. 49-62.

Spira, L.F. and Page, M. (2003), “The reinvention of internal control and the changing role of internal audit”, Accounting, Auditing and Accountability Journal, Vol. 16, pp. 640-661.

Subramaniam, N., Collier, P., Phang, M. and Burke, G. (2011), “The effects of perceived business uncertainty, external consultants and risk management on organisational outcomes”, Journal of Accounting and Organizational Change, Vol. 7, pp. 132-157.

Stanton, T.H. (2011), “Governance implications of the global financial crisis: United States experience”, Public Organization Review, Vol. 11, pp. 45-59, doi: 10.1007/s11115-010-0146-z.

Stanton, T.H. (2013), “Risk management is essential at a time of downsizing”, Public Administration Review, John Wiley & Sons, Vol. 73, pp. 219-220, doi: 10.1111/puar.12039.

Torchia, M., Calabrò, A. and Morner, M. (2015), “Public–private partnerships in the health care sector: a systematic review of the literature”, Public Management Review, Vol. 17, pp. 236-261.

Tranfield, D., Denyer, D. and Smart, P. (2003), “Towards a methodology for developing evidence-informed management knowledge by means of systematic review”, British Journal of Management, Vol. 14, pp. 207-222.

UK Cabinet Office and Civil Service (2017), “Management of risk in government: a framework for boards and examples of what has worked in practice – a non-executives' review”, UK Government Publication, available at: https://www.gov.uk/government/publications/management-of-risk-in-government-framework.

Vinnari, E. and Skærbæk, P. (2014), “The uncertainties of risk management”, Accounting, Auditing and Accountability Journal, Vol. 27, pp. 489-526.

Woods, M. (2009), “A contingency theory perspective on the risk management control system within Birmingham City Council”, Management Accounting Research, Vol. 20, pp. 69-81.


The authors' contribution to the development of the paper is a follow: Sections 1, 2, 4.1, 4.2, 5 to Enrico Bracci; Sections 2, 4.1, 4.2, 4.3 to Mouhcine Tallaki; Sections 3.1, 3.2, 3.3, 4.4 to Giorgia Gobbo; Sections 3.1, 3.2, 3.3 to Luca Papi. The authors wish to thanks the editors and the two anonymous referees for their contributions in the development of the paper. The research benefited from research funds awarded by the Department of Public Function under the title “Performance organizzativa – integrazione tra risk management e misurazione della performance organizzativa: analisi dello stato attuale” (DFP-0074306-P-21/12/2017).

Corresponding author

Enrico Bracci can be contacted at: enrico.bracci@unife.it

Related articles