Search results

1 – 10 of over 179000
Article
Publication date: 12 September 2008

Elmar Kutsch


Abstract

Purpose

The purpose of this paper is to highlight the main findings of a successfully defended doctoral thesis that studied factors or interventions causing the discrepancy between how adequate project risks should be managed and how project risks are actually managed.

Design/methodology/approach

The approach involved interviews and a survey using questionnaires, which gathered data from project managers about their experiences with project risk management during two phases of fieldwork. The first phase included in‐depth interviews with information technology (IT) project managers in order to explore patterns involving risk mediators and their influence on project risk management. A web‐based survey was used in the second phase for the purpose of testing these patterns on a wider range of project managers.

Findings

Specific risk‐related interventions strongly influence the effective use of project risk management: project managers tended to deny, avoid, ignore risks and to delay the management of risk. Risks were perceived as discomforting, not agreed upon. IT project managers were unaware of risks and considered them to be outside their scope of influence and preferred to let risks resolve themselves rather than proactively engaging with them. As a consequence, factors such as the lack of awareness of risks by IT project managers appeared to constrain the application of project risk management with the result that risk had an adverse influence on the outcome of IT projects.

Practical implications

The underlying rational assumptions of project risk management and the usefulness of best practice project risk management standards as a whole need to be questioned because of the occurrence of interventions such as the lack of information. IT project managers should first prevent risk‐related interventions from influencing the use of project risk management. However, if this is not possible, they should be prepared to adapt to risks influencing the project outcome.

Originality/value

The paper contradicts the myth of a “self‐evidently” correct project risk management approach. It defines interventions that constrain project managers' ability to manage project risk.

Details

International Journal of Managing Projects in Business, vol. 1 no. 4
Type: Research Article
ISSN: 1753-8378

Book part
Publication date: 4 April 2022

Peter C. Young

Abstract

Understanding the context of any subject is crucial and this is certainly true of risk management in the public sector. Undoubtedly, what we face today is the highly path-dependent result of what has happened in the past. And, what happens today in a local government, for example, is very much influenced by the wider current situation that surrounds it. Further, it must be said that even the future can be part of the present context (climate change would be a stark example of this).

Described in this way, it seems a daunting challenge to understand past, present, and future – and, indeed, it verges on the impossible. The remaining chapters of this book revisit the context through the lens of the various components of risk management (assessment, analysis, forecasting, and more) and by looking at the present and future through the concepts and principles used by risk managers. Here, in Chapter Three, the issue of context is first considered by examining the relationship between past and present with specific reference to risk management as a management practice. Thus, the chapter does not specifically address how uncertainty is assessed, or how insurance is used, or even how a risk management programme operates – these are topics for later chapters. Rather, the history of risk management is presented as a narrative that seeks to explain how risk management has evolved into what it is today.

Finally, the chapter leads into the present by providing an overview of the current public environment in Europe. This allows the book to develop both a history of how risk management became what it is today, and to understand the key risks and uncertainties that define the current context. Chapter Four presents the administrative nature of today’s practices and offers some speculation about alternative ways of thinking about risk management practices now and in the future.

Article
Publication date: 18 April 2023

Abdul Rashid, Muhammad Akmal and Syed Muhammad Abdul Rehman Shah

Abstract

Purpose

This study aimed at exploring the differential effects of different corporate governance (CG) indicators on risk management practices in Islamic financial institutions (IFIs) and conventional financial institutions (CFIs) of Pakistan. It also investigated the moderating role of institutional quality (IQ) in shaping the effects of CG practices on financial institutions of Pakistan.

Design/methodology/approach

A sample of 57 financial institutions including commercial banks, insurance companies and Modarba companies over the period 2006–2017 is used to carry out the empirical analysis. The authors applied the robust two-step system-generalized method of moments estimator, which is also called the dynamic panel data estimator. They also built the PCA-based composite index of CG and IQ by using different indicators to investigate the moderating role of IQ. They used three proxies for risk taking, five for CG and one for Shari’ah governance. To test the validity of the instruments, they applied the Arellano and Bond’s (1991) AR (1) and AR (2) tests and the J-statistic of Hansen (1982).

Findings

The results provided strong evidence that several individual characteristics of CG and the composite index are significantly related to the operational risk, the liquidity risk and the Z-score (a proxy for solvency risk). The results also revealed that IQ significantly and substantially contributes in reducing the level of risks. Finally, the estimation results indicated that the effects of CG on risk management are significantly different at IFIs and CFIs. This differential impact is mainly attributed to the fundamental differences in business models, operational strategies and contractual obligations of both types of institutions.

Practical implications

The findings of this study are important for enhancing our understanding of how CG relates to risk taking in Islamic and conventional financial services industries and how good quality institutions are important for formulating the governance effects on the risk-taking behavior of financial institutions. The findings suggest that a suitable size of board should be chosen to manage the risk effectively. As the findings show that the risk-taking behavior of IFIs differs from that of CFIs, the regulators and international standard setting bodies should tailor the regulatory frameworks accordingly.

Originality/value

This paper is different from the existing studies in four aspects. First, to the best of the authors’ knowledge, this is the first empirical investigation in Pakistan, which does the comparison of IFIs and CFIs while examining the impacts of CG on risk management. Second, the paper constructs the composite index of CG by considering several different indicators of governance and examines the combined effect of governance indicators on risk management process. Third, this paper adds to the growing literature on the role of IQ by investigating whether it acts as a moderator between CG structures and risk management and if yes, then whether this moderating role is different for IFIs and CFIs. Finally, the paper builds upon the existing research work on the CG effects for different types of financial institutions by proposing a single regression based analytical framework for comparing the effects across two different types of institutions, harvesting the benefits of higher degrees of freedom and avoiding/minimizing the measurement error.

Details

Journal of Islamic Accounting and Business Research, vol. 15 no. 3
Type: Research Article
ISSN: 1759-0817

Article
Publication date: 27 May 2014

Michele Rubino and Filippo Vitolla


Abstract

Purpose

The purpose of this paper is to illustrate how information technology (IT) governance supports the process of enterprise risk management (ERM). In particular, the paper illustrates how the Control Objectives for Information and related Technology (COBIT) framework helps a company reach its objectives by integrating and supporting the Enterprise Risk Management by the Committee of Sponsoring Organizations (COSO ERM) framework.

Design/methodology/approach

This paper explains how the integration between the two frameworks (COSO ERM and COBIT 5) can represent, for any organization, a good way to achieve the objectives of internal control and risk management and, more generally, corporate governance.

Findings

The paper identifies some gaps in the COSO ERM and illustrates how the COBIT framework facilitates the implementation of an adequate system of internal control.

Originality/value

The originality of the work presented here is in analyzing the COBIT 5 together with the COSO ERM framework. This paper highlights that it is not enough to apply only an internal control framework for achieving the risk management and internal control system objectives. An IT governance framework, such as COBIT 5, is proposed as a tool that supports risk management in order to develop an adequate system of internal control.

Details

Corporate Governance, vol. 14 no. 3
Type: Research Article
ISSN: 1472-0701

Article
Publication date: 11 December 2018

Claudia Colicchia, Alessandro Creazza and David A. Menachof


Abstract

Purpose

The purpose of this paper is to explore how companies approach the management of cyber and information risks in their supply chain, what initiatives they adopt to this aim, and to what extent along the supply chain. In fact, the increasing level of connectivity is transforming supply chains, and it creates new opportunities but also new risks in the cyber space. Hence, cyber supply chain risk management (CSCRM) is emerging as a new management construct. The ultimate aim is to help organizations in understanding and improving the CSCRM process and cyber resilience in their supply chains.

Design/methodology/approach

This research relied on a qualitative approach based on a comparative case study analysis involving five large multinational companies with headquarters, or branches, in the UK.

Findings

Results highlight the importance for CSCRM to shift the viewpoint from the traditional focus on companies’ internal information technology (IT) infrastructure, able to “firewall themselves” only, to the whole supply chain with a cross-functional approach; initiatives for CSCRM are mainly adopted to “respond” and “recover” without a well-rounded approach to supply chain resilience for a long-term capacity to adapt to changes according to an evolutionary approach. Initiatives are adopted at a firm/dyadic level, and a network perspective is missing.

Research limitations/implications

This paper extends the current theory on cyber and information risks in supply chains, as a combination of supply chain risk management and resilience, and information risk management. It provides an analysis and classification of cyber and information risks, sources of risks and initiatives to managing them according to a supply chain perspective, along with an investigation of their adoption across the supply chain. It also studies how the concept of resilience has been deployed in the CSCRM process by companies. By laying the first empirical foundations of the subject, this study stimulates further research on the challenges and drivers of initiatives and coordination mechanisms for CSCRM at a supply chain network level.

Practical implications

Results invite companies to break the “silos” of their activities in CSCRM, embracing the whole supply chain network for better resilience. The adoption of IT security initiatives should be combined with organisational ones and extended beyond the dyad. Where applicable, initiatives should be bi-directional to involve supply chain partners, remove the typical isolation in the CSCRM process and leverage the value of information. Decisions on investments in CSCRM should involve also supply chain managers according to a holistic approach.

Originality/value

A supply chain perspective in the existing scientific contributions is missing in the management of cyber and information risk. This is one of the first empirical studies dealing with this interdisciplinary subject, focusing on risks that are now very high in the companies’ agenda, but still overlooked. It contributes to theory on information risk because it addresses cyber and information risks in massively connected supply chains through a holistic approach that includes technology, people and processes at an extended level that goes beyond the dyad.

Details

Supply Chain Management: An International Journal, vol. 24 no. 2
Type: Research Article
ISSN: 1359-8546

Article
Publication date: 1 May 2004

David Baccarini, Geoff Salm and Peter E.D. Love


Abstract

Information technology (IT) projects are renowned for their high failure rate. Risk management is an essential process for the successful delivery of IT projects. In‐depth interviews with IT professionals from leading firms in Western Australia were undertaken to determine how IT risks were managed in their projects. The respondents ranked 27 IT risks in terms of likelihood and consequences to identify the most important risks. The top five risks, in order, were: personnel shortfalls; unreasonable project schedule and budget; unrealistic expectations; incomplete requirements; and diminished window of opportunity due to late delivery of software. The respondents overwhelmingly applied the treatment strategy of risk reduction to manage these risks. Furthermore, these strategies were primarily project management processes, rather than technical processes. This demonstrates that project management is a risk management strategy. Scope, quality management, and human resource management were solutions applied to several risks. In particular, managing stakeholders’ expectations is a specific risk treatment that helps to manage several key IT risks.

Details

Industrial Management & Data Systems, vol. 104 no. 4
Type: Research Article
ISSN: 0263-5577

Article
Publication date: 4 April 2016

Blessing Javani and Pantaleo Mutajwaa Daniel Rwelamila


Abstract

Purpose

The purpose of this paper is to study the recognition, application and understanding (status) of risk management in information technology (IT) projects in the South African public sector and thus contribute to the research gap.

Design/methodology/approach

A quantitative approach in the form of a survey design was adopted, with data being collected through a questionnaire. The results from the study are compared to the theory and practice of risk management before drawing conclusions on the status of risk management in IT projects.

Findings

The findings provide significant statistical support for the conclusion that risk management is being applied in current IT projects and that it is understood by the respective project clients.

Research limitations/implications

Though risk management has been studied by several authors, very little is known about its status in the South African public sector. This study sheds light on its application in IT projects and its understanding by IT project clients.

Practical implications

The study findings encourage project executives to develop knowledge bases for risk management in IT projects, as well as the corresponding tools. This will ultimately assist in knowledge sharing, which increases chances of IT project success. Importantly, the study also highlights that the relationship between project clients and project teams can be accelerated through knowledge sharing and continuous project communication.

Originality/value

The research addresses one of the questions held by many scholars on the status of risk management in IT projects. It advances the recognition of risk management as a knowledge base and the practical implications thereof.

Details

International Journal of Managing Projects in Business, vol. 9 no. 2
Type: Research Article
ISSN: 1753-8378

Article
Publication date: 10 October 2016

Mirna Jabbour and Magdy Abdel-Kader


Abstract

Purpose

This paper aims to investigate various institutional pressures driving the adoption and implementation of a new risk management system; enterprise risk management (ERM).

Design/methodology/approach

The implementation of ERM-related practices is analysed based on an institutional framework and drawing on empirical evidence from multiple sources in ten large/medium-sized insurance companies. This paper focuses on extra-organisational pressures exerted by political, social and economic institutions on insurance companies which drove the adoption decision.

Findings

It was found that different change agents have taken part in the decision to introduce a new risk management system as a part of the ERM implementation process. Further, the institutional pressures, coercive, mimetic and normative, were found to differ in character and strength over different intervals of time in relation to the adoption of ERM. Companies that adopted ERM early were mostly driven by internal strategic drivers, whereas the recent adoption decision was more driven by coercive and mimetic pressures. Thus, evidence of divergence between insurance companies was found.

Research limitations/implications

The findings have implications for policy makers, regulatory agencies and innovation developers. ERM was considered not only as a necessity but also as a value added to the insurance companies under study. Thus, regulators and innovation developers should survey main players in any specific organisational field to understand their views before issuing new compulsory regulations or developing innovations. They also need to consider exploring companies’ experiences with ERM, which can provide a basis for the development of strengthened and more informative regulatory ERM frameworks. This will support a faster and easier understanding and implementation of ERM framework hindered by the confusions companies may face when considering the complicated/changing regulatory and risk requirements.

Originality/value

This study extends the scope of institutional analysis to the risk management field, particularly ERM and to the explanation of how different institutions affect the decision to move towards ERM and modify the risk management rules applied within the organisational environment. It looks not only at convergences but also divergences associated with the period of time when ERM adoption decision was made. Thus, it develops a processual view of change.

Details

Qualitative Research in Accounting & Management, vol. 13 no. 4
Type: Research Article
ISSN: 1176-6093

Article
Publication date: 26 February 2014

Eija Vinnari and Peter Skærbæk


Abstract

Purpose

The purpose of this paper is to analyse the implementation of risk management as a tool for internal audit activities, focusing on unexpected effects or uncertainties generated during its application.

Design/methodology/approach

Public and confidential documents as well as semi-structured interviews are analysed through the lens of actor-network theory to identify the effects of risk management devices in a Finnish municipality.

Findings

The authors found that risk management, rather than reducing uncertainty, itself created unexpected uncertainties that would otherwise not have emerged. These include uncertainties relating to legal aspects of risk management solutions, in particular the issue concerning which types of document are considered legally valid; uncertainties relating to the definition and operationalisation of risk management; and uncertainties relating to the resources available for expanding risk management. More generally, such uncertainties relate to the professional identities and responsibilities of operational managers as defined by the framing devices.

Originality/value

The paper offers three contributions to the extant literature: first, it shows how risk management itself produces uncertainties. Secondly, it shows how internal auditors can assume a central role in the risk management system. Thirdly, it develops Callon's framing/overflowing framework with the notion that multiple frames are linked and create unexpected dynamics, and applies it to the study on the effects of risk management tools in an internal audit context. It shows how, despite recurring attempts to refine risk management, further uncertainties are continuously produced, thus providing an empirical illustration of how reframing and overflowing intertwine in a continual process.

Details

Accounting, Auditing & Accountability Journal, vol. 27 no. 3
Type: Research Article
ISSN: 0951-3574

Article
Publication date: 13 February 2024

Noor Fadhzana Mohd Noor

Abstract

Purpose

This study aims to investigate the extent of Shariah compliance in wakalah sukuk and Shariah non-compliant risk disclosure in the sukuk documents and to analyse the risk management techniques associated with the disclosed risks.

Design/methodology/approach

This study uses qualitative document analysis as both data collection and analysis methods. The document analysis acts as a data collection method for 23 wakalah sukuk documents selected from 32 issuances of wakalah sukuk from 2017 to 2021. These sukuk documents were selected based on their availability from relevant websites. Document analysis, both content analysis and thematic analysis, were used to analyse the data. Codes were grounded from that data through keywords search of Shariah noncompliant risk and its risk management. Besides these, interviews were also conducted with four active industry players, i.e. two legal advisors of wakalah sukuk, a wakalah sukuk trustee and a sukuk institutional issuer. These interview data were analysed based on categorical themes, on the aspects of the extent of Shariah compliance in sukuk, and the participant’s views on the risk management techniques associated with the risks or used in the sukuk documents.

Findings

Overall, the findings reveal three types of Shariah non-compliant risks disclosed in the sukuk documents and seven risk management techniques associated with them. However, the disclosure and the risk management techniques can be considered minimal in contrast to the extent of Shariah compliance in a sukuk, i.e. Shariah compliance at the pre-issuance stage, ongoing stage and post-issuance stage. On top of these, it was also found from the interviews that not all risk management techniques are workable to manage Shariah non-compliant risk in sukuk. As a result, these findings suggest rigorous reviews of the existing Shariah non-compliance risk (SNCR) disclosures and risk management techniques by the relevant parties.

Research limitations/implications

Sukuk documents used in the study are limited to corporate wakalah sukuk issued in Malaysia. Out of 32 issuances from 2015 to 2021, only 23 documents are available on relevant websites. Thus, Shariah non-compliant risk disclosure and its risk management techniques analysed in this study are limited to those documents.

Practical implications

The findings of this study suggest rigorous reviews on the existing Shariah non-compliance disclosures and risk management techniques. Other than these, future research in relation to uncommon risk management clauses, i.e. assurance, Shariah waiver and transfer of risk, are needed.

Originality/value

The insights presented in the analysis are of importance to sukuk issuers and the sukuk due diligence working group in enhancing the sukuk Shariah compliance and Shariah non-compliant risks disclosure and towards sukuk investors, in capturing and assessing Shariah non-compliant risks in a sukuk and to assist them to make informed investment decisions. More importantly, this study has found few areas of future study in relation to SNCR disclosures and SNCR risk management techniques.

Details

Qualitative Research in Financial Markets, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 1755-4179
