Integrating Project Risk Management into Enterprise Risk Management

Abstract

Project Risk Management (PRM) with its long-standing presence in both the literature and the project profession is a formal methodology for managing risks at the project level and focuses primarily on project objectives. In contrast, Enterprise Risk Management (ERM) deals with risks at the organisational level, encompassing strategic, operational, reporting, and compliance objectives (Coso, 2004). The disparities in objectives and scope pose difficulties in integrating these two systems. PRM empowers project managers to make decisions within their project's the scope of an individual project, while ERM's requirement for interdisciplinary expertise enables a holistic view of risks across the total projects, departments, and functions, fostering a comprehensive understanding that is unattainable when risks are managed in isolation. The evolution of risk perception, from an objective quantitative hazard to a subjective qualitative assessment influenced by cultural and human values, is evident in the risk management literature. While a positivist perspective dominates PRM, rooted in mathematical predictability, ERM acknowledges the need for subjectivity in managing uncertainties arising from a broader internal and external environment. Nevertheless, integrating PRM into ERM can yield benefits by enhancing risk awareness and fostering strong collaboration among projects throughout the organisation. This integration facilitates the incorporation of risk considerations into broader business decision-making processes, aligning them with organisational objectives (Agarwal & Virine, 2019). Additionally, ERM contributes to improving PRM by enhancing the communication of project risk information, aiding management in making better-informed decisions and handling project risks more effectively (Zhao et al., 2015). Consequently, this research advocates for the incorporation of Complex Adaptive System (CAS) theory into these organisational risk management systems to accommodate the two distinct perspectives on risk, facilitating their integration to support decision making processes. Stemming from a critical realism mindset, a qualitative methodological approach is adopted, employing three case studies in Saudi and British companies within the oil, petrochemical, and hospitality industries. Semi-structured interviews, supported by documentary analysis form the basis of data collection. A deductive analysis, guided by the Institute for Risk Management's (IRM) successful risk culture criteria, was used to examine the risk cultures of the three organisations. Additionally, an inductive exploration of their risk governance structures was conducted to understand and explain their roles in integrating (PRM) and (ERM). The findings reveal that Key cultural attributes such as openness, compliance, continuous learning, and adaptability were crucial for fostering a unified approach to risk management aiding the integration of PRM and ERM. Similarly, adaptable risk governance structures that consider their environment’s needs played an important role in shaping the risk governance structures that facilitate the integration. In contrast, siloed and closed risk cultures coupled with rigid governance structures hindered the integration of the two systems. Organisations with adaptive risk governance structures and open risk cultures showed alignment with their values, which acknowledged and responded to the complexities of their internal and external environments.