Final Project Management Plan

Exploring the Value of Risk Management for Projects: Improving Capability Through the Deployment of a Maturity Model —ROBERT JAMES CHAPMAN

Chapman and Associates Limited, Sandhurst, GU47 0FL U.K.

IEEE DOI 10.1109/EMR.2019.2891494

Abstract—This paper presents a maturity model structure to support effective project risk management. The structure is based on five maturity levels and nine categories. The premise of the paper is that the goals of risk management, the practices required to implement the discipline, and the common obstacles to implementation must be reflected within a model, otherwise fully developed mature practices will not be realized. Through a literature search, the paper examines the common goals and practices of project risk management together with the challenges experienced in its implementation. A maturity model structure to support embedding effective project risk management is proposed. The model is applied to four live projects and a direct correlation is drawn between the introduction of the model and improvements in the effectiveness of risk management.

Key words: Risk management, maturity model, category, competency, maturity level

1. INTRODUCTION

RISK management has attracted adversemedia coverage as a result of the repeated andwell-publicized failures associated with its implementation [Kimball, 2000]. Despite the increased professional and academic attention that risk management has received following these failures, further instances of failure are still prevalent [Chapman, 2011]. Against a backdrop of constant change, organisations appear unable to understand and respond to the risks that impact strategic decision-making and operational performance, (EYGM [2014]). Long-established organizations which have been implementing project risk management (PRM) for a number of years (such as the BBC, British Airways and BAESystems) are still struggling to establishmature risk management practices ([Kimball, 2000]; [White House, 2008]; [Hubbard, 2009]; [NAO, 2000], [2004] & [2014];

[Dietz &Gillespie, 2012]; [Minsky, 2016]; [Airmic, 2017]; and The Irish Times, [2017]). It has been argued that organizational performance has been undermined by poor lines of sight from the boardroom to project performance, (EYGM, [2014]). This is significant given the growing recognition that risk management is critical to the success of projects and as a consequence the performance of the organizations that implement them (EYGM, [2013]). The basic questions of what is it wewant to accomplish, what activities must be undertake to realize the goals defined andwhat barriers to riskmanagement implementation will wemost likely encounter are rarely explored in sufficient depth or together. The development of mature effective risk management practices is reliant on a combination of: establishing the goals of riskmanagement, determining the core riskmanagement activities to secure the goals, recognition of the common barriers to completing the activities and the creation of a road

126 IEEE ENGINEERING MANAGEMENT REVIEW, VOL. 47, NO. 1, FIRST QUARTER, MARCH 2019

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

map to increasematurity. While recent interest inmaturity models is demonstrated by the proliferation of models, their contribution to the development of effective risk management practice has been limited due to their structure and content.

2. THE IMPORTANCE OF

PROJECTS TO BUSINESSES

AND GOVERNMENTS

Projects are important for the financial success and longevity of individual businesses. These projects often represent major investments by individual businesses and are vital to business development, market share and organizational longevity. Project failure can be detrimental to an organization’s reputation, share price, stakeholder confidence, bottom line performance and significantly, realization of its strategic objectives. Ernst and Young’s analysis (EYGM [2015]) suggests that approximately US$682b is wasted on underperforming projects across the globe annually. As advised by the UK’s National Audit Office (NAO) “Ninety-five per cent of the UK government’s policies are delivered through major projects. Successful project delivery is therefore essential to the government in terms of delivering its promises and objectives. However historically the majority of major projects in government have not delivered the anticipated benefits within the original time and cost expectations” [NAO, 2013]. More recently, in a subsequent report, the NAO stated “the public sector has had a poor track record in delivering projects successfully” [NAO, 2016]. This track record is injurious given that within its 2016 report it stated there were 149 projects in the Government Major Projects Portfolio which had a combined whole-life cost of £511 billion with an expected spend of £25 billion in 2015-16 [NAO, 2016]. Project failure in this context is critical for the UK government. The 2013

NAO report emphasised the risk of over-optimism in government projects1. Project success has traditionally been measured by delivery of the scope on time, within budget to stakeholder satisfaction followed by satisfactory bringing- into-use.

2.1. Effective PRM Supports Project Delivery PRM is

internationally recognised as a vehicle to predict, examine and take proactive action to remove or reduce the threats to a project’s objectives [Woods et al 2007]. Research has shown that effective risk management is positively correlated with improved project performance, (Irimia-Di�eguez et. al., [2014], [Junior and Monteiro de Carvalho, 2013]; [Raz et al., 2002]; [Zwikael & Ahn, 2011]; [Ropponen & Lyytinen, 1997]; [McGrew & Bilotta, 2000]; [NASA 2011], and [Banjanin, 2010]). ISO 31000 [ISO, 2018] promotes risk management and suggests the discipline will enhance the likelihood of organisations achieving their objectives and protecting their assets. Conversely inadequate risk management has led to specific disasters such as the Deepwater Horizon oil rig which exploded in the Gulf of Mexico, causing one of the worst man-made disasters in history. A United States National Commission [NC, 2011] investigation attributed the disaster to management failures that crippled “the ability of individuals involved to

identify the risks they faced and to properly evaluate, communicate, and address them.” Given growing project complexity [Chapman, 2016], the importance of effective decision making is taking greater prominence. However effective analysis of alternative courses of action will only occur when there is an understanding of the threats and opportunities associated with each. As a consequence, risk management must be at the heart of decision making (Flyvbjerg, [2003]). The scale of projects and the ramification of delays and cost overruns has pushed risk management into the consciousness of senior management and boards. In addition, consultancies that are the most effective in managing risk on behalf of their clients and to their own existing operations will in the long run outperform those that are less so.

3. EFFECTIVENESS DRIVEN

BY RISK MANAGEMENT

MATURITY

For any organisation, risk management effectiveness is driven by the assessment, recognition and management of the maturity of its risk management practices (Antonucci, D. [2016]). This view is supported by research conducted by the following Ren and Yeo (2004), [Zou, Chen and Chan (2010)], [Hopkinson (2011)] and Mu, Cheng Chohr and Peng (2013) who have demonstrated the importance of employing a formalised risk management maturity assessment process to measure risk management processes, culture, practice and resources. Risk maturity is a measure of the capability of an organisation to take andmanage risks in a balanced and well-informed manner and is fundamental in ensuring risk is considered in decision making processes, [Airmic, 2017].

3.1. The Meaning of ‘Mature’ and ‘Risk Maturity’ There is

no universally accepted definition

1. The report refers to writers on optimism bias. Of interest is the extract from Dan Lovallo and Daniel Kahneman, Harvard Business Review (2003) Delusions of Success: How Optimism Undermines Executives’ Decisions: “When forecasting the outcomes of risky proj- ects, executives all too easily fall victim to what psychologists call the planning fallacy. In its grip, managers make decisions based on delusional optimism rather than on a rational weighting of gains, losses, and probabilities. They overestimate benefits and underestimate costs. They spin scenarios of success while overlooking the potential for mistakes and mis- calculations. As a result, managers pursue ini- tiatives that are unlikely to come in on budget or on time—or to ever deliver the expected returns”.

EXPLORING THE VALUE OF RISK MANAGEMENT FOR PROJECTS: IMPROVING CAPABILITY THROUGH THE DEPLOYMENT OFA MATURITY MODEL 127

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

of risk maturity. The term ‘mature’ adopted for this research is taken to mean a state of being fully developed or having reached its most advanced stage in a process, in the same way a mature technology is a technology that has been in use for such a length of time that most of its initial faults and inherent defects have been removed or reduced. The English Oxford Living Dictionaries [EOLD, 2018] provides the example of a mature market which is one which has developed to the point where substantial expansion and investment no longer takes place. By way of clarification antonyms of mature are under- developed, unprepared, inexperienced and incomplete.

3.2. Maturity Evaluation

A method of evaluating maturity and how well risk management is working across an organisation is through the use of a maturity model, [Airmic, 2017]. To be of value, project maturity models must reflect both the goals of risk management against the stages in an organisation’s project life cycle and the primary risk management practices required to deliver the process. In addition, they must address known hurdles or obstacles so the progression from one maturity level to another represents a clearly recognizable ‘gear change’ or process improvement, having overcome one or multiple challenges. The absence of a model within an organization implies a lack of understanding of the essential building blocks of effective risk management and the competencies required to incrementally develop mature practices.

3.3. Why Maturity Models are Important For the majority of

organisations, risk management practices exist in some form. However, to satisfy internal stakeholders that its risk management practices are effective there needs to be a clear

understanding of the ‘As-Is’ - in particular any shortcomings of the current approach, the desired future ‘To-Be’ state and a ‘road map’ of how to accomplish the required maturity level. Risk maturity models succinctly describe, by visual means, a structured approach to the description and communication of both the ‘As-Is’ and ‘To-Be’ states. The commonly recognised benefits of maturity models for organisations are as follows: � Improved risk management

culture. � Improved visibility of the threats

to a project’s objectives. � Improved management of

threats. � Improved overall project

performance and realisation of project objectives.

� Increased customer satisfaction. � Increased productivity through

smaller project teams retained for shorter durations.

� Increased profit due to fewer unpleasant surprises and resultant rework.

� Increased likelihood of securing new and repeat business.

� Improved compliance with ISO standards.

� Incorporation of lessons learned from areas of best practice

� Implementation of more robust, mature practices

� Improved visibility of the link between management and engineering activities

3.4. Understanding the ‘As-Is’ State Determining the ‘As-Is’

position is required to prepare an improvement plan from ‘where-we- are-now’ to ‘where-we-want-to-get- to’. To inform the ‘As-Is’ state of risk management maturity, a project would gather information directly from outputs of activities contained within the individual stages of the adopted project life cycle (PLC). The PLC would typically be based on a project management methodology, such as PRINCE2, the Project Management Body of Knowledge (PMBOK) or one developed in-house together with associated project governance processes. These outputs (as guided by the project management methodology) would include but not be restricted to: benchmarking, training reviews, internal audit findings, lessons learned, business case preparation requirements, project reviews, gate review findings, project closure reports and quality audit findings, as illustrated in Figure 1. These outputs are common to most projects and hence it is

Figure 1. Challenges to the implementation of project risk management.

128 IEEE ENGINEERING MANAGEMENT REVIEW, VOL. 47, NO. 1, FIRST QUARTER, MARCH 2019

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

considered do not warrant individual explanation here or reference to the PLC stage they would be derived from.

3.4.1. Application of Maturity Models:

Maturity models are similar to change management processes in terms of assessing the performance of all or aspects of an organization; planning improvements; designing interventions; communicating the interventions; implementing improvement actions and assessing their effectiveness. However, models are designed to offer all of these elements of change management in a single parcel. The timing of the use of maturity models is critical to ensure that a PMO for instance is not in ‘change overload’ resulting in lack- lustre participation in the initiative. For ease of implementation, the adopted model should be aligned to the structured project management method adopted by the organisation.

3.5. Risk Management Guidance The ICPM [ICPM,

2014] considers that there is an overdependence on ISO 31000 which is often used as a benchmark for risk management practice. The Centre contends that almost all infrastructure projects (let alone “major” projects) are too complex for ISO 31000 and similar approaches to be effective. In addition, it claims it is a guide (rather than a standard) and at best it is a guide to “accepted practice” in risk management, not best practice, especially for complex projects. Given the demands of complex projects combined with the difficulties of delivering effective risk management, a fresh approach may be warranted.

3.6. Development of Risk Management To achieve

effective risk management there must be a clear understanding of (1) the goals of risk management, (2) the challenges facing the implementation

of risk management (3) the building blocks of risk management and (4) how to develop change management tools such as maturity models to bring about change.

4. RESEARCH METHODOLOGY

4.1. Research Questions In order to develop a model based on both theory and professional project actor perceptions, the main research questions to be answered by this paper are:

“What are the relevant levels of project maturity?”

“What are appropriate categories of effective risk management?”

“What are the competencies of PRM maturity?”

4.2. Methodology The research methodology has involved 8 steps: (1) examination of the importance of

risk management to project performance,

(2) examination of the significance of maturity models,

(3) development of research questions,

(4) literature review of the goals of PRM,

(5) literature review of the primary PRM activities to support the goals,

(6) examination of the barriers to the implementation of PRM,

(7) synthesis of the literature to develop the structure for a maturity model composed of levels, categories and competencies.

(8) validation of the instrument for assessing the maturity of risk management by its application during four live programmes (composed of a number of interrelated projects)

4.3. Terminology The language or terminology adopted within maturity models is not consistent and hence

the terms adopted for this research are set out below for clarity.

4.3.1. Mature: The term ‘mature’ adopted for this research is taken to mean a state of being fully developed or having reached its most advanced stage in a process. ‘Mature’ can be expressed as a mnemonic acronym [Chapman, 2018] which describes practices which support the implementation of effective risk management, as follows:

M Meritorious capabilities which directly contribute to effective risk management.

A Advanced technical capabilities which are developed, forward- thinking and to some degree inno- vative.

T Transformational capabilities which when applied bring about significant improvements in capa- bility.

U Utilitarian capabilities which are practical, unambiguous and can be readily implemented.

R Reliable capabilities which have supported the realisation of project objectives.

E Evolved established capabilities which have been refined and revised over such a length of time that most of the initial challenges and inherent problems have been removed or reduced.

4.3.2. Definition of a Maturity Model: The definition of a model adopted here is drawn from the publication ‘Management of Risk: Guidance for Practitioners’ [M_o_R, 2010], which states a [risk management] maturity model is: “a commonly accepted reference model or framework of mature practices for appraising an organisation’s risk management competency”. A model can be described as a structured hierarchy of distinct levels of incremental improvement in capability that progressively deliver greater quality and benefits. Each individual maturity level is a well-defined evolutionary

EXPLORING THE VALUE OF RISK MANAGEMENT FOR PROJECTS: IMPROVING CAPABILITY THROUGH THE DEPLOYMENT OFA MATURITY MODEL 129

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

step of improvement in the implementation of the discipline of risk management. A popular format for a risk maturity model is the matrix (or grid) with levels of maturity recorded along one axis, categories of risk management practice along the other axis and competencies at the intersection of levels and categories [Antonucci, 2016].

4.3.3. Levels of Maturity: Levels represent incremental steps or interim ‘stations’ on the route to full maturity. An example of maturity levels are those included within the UK P3M3 model (AXELOS [Ltd 2015]): Level 1—Awareness of process, Level 2—Repeatable process, Level 3—Defined process, Level 4—Managed process, and Level 5—Optimized process. The roots of P3M3 model can be traced to the Software Engineering Institute’s (SEI) Capability Maturity Model (CMM), now called CMMI (Capability Maturity Model Integration) and managed by the CMMI Institute.

4.3.4. Descriptions of the Different Levels of Maturity:

The descriptions offered for the different levels vary across the different maturity models developed to-date. They may focus on for instance the processes, as described in Table 1, or the central risk

management team, the risk culture, the implementation of risk management as a discipline or lastly compliance. Given that all of these categories are important, to single out one category is very questionable.

4.3.5. Categories of Effective Risk Management:

Categories (sometimes referred to as attributes, elements, criteria, perspectives, capabilities, domains, details, dimensions and process areas) are groupings of capabilities or practices which drive effective risk management. They are referred to for instance as: � ‘attributes’ within the ERM Risk

and Insurance Management Society (RIMS) model [RIMS, 2006],

� ‘elements’ within the RM3 model produced by the collaboration of the ORR and HSL [ORR/HSL 2017],

� ‘criteria’ within the Chapman ERM model [Chapman, 2011],

� ‘perspectives’ within the Hopkinson maturity model [Hopkinson, 2011],

� ‘capabilities’ within UK Treasury publication “Risk Management assessment framework: a tool for departments” [HMT, 2009],

� ‘domains’ within the cybersecurity capability maturity model [US DoE, 2014],

� ‘details’ within the Deloitte’s Risk Intelligence maturity model [Deloitte, 2015],

� ‘dimensions’ within the Forrester’s digital maturity model [Forrester, 2016] and

� ‘process areas’ within the Software Engineering Institute Capability Model Integration [CMMI, 2010]

4.3.6. Competencies of the Risk Management Function:

The competencies included in the cells of the matrix describe how well developed these capabilities or practices should be for each of the different levels. For instance, the competencies will describe the incremental improvements in risk management culture across the five levels of maturity. See Section 6.3.1.

4.3.7. Maturity Model Matrix: The model structure within Figure 2 describes the relationship between the levels, categories and the competencies (for each category at each level).

5. LITERATURE REVIEW

The following paragraphs provide an overview of the approach adopted to the literature review.

Table 1. Development of Processes Over Time

Level Heading Description of Level

Level 5 Leading Typically characterised by a focus on continually improving processes through both incremental and innova- tive improvements derived from internal developments and the adoption of approaches from different industries.

Level 4 Advanced Typically characterised by evidence of achievement of process objectives across a range of projects. The suitability of the processes in multiple environments has been tested and the processes refined and adapted. Process users have experienced the processes on multiple projects, and are able to demonstrate competence. The process maturity enables adaptions to a process for particular projects without erosion of benefits. Process capability is established from this level.

Level 3 Evolving Typically characterised by a set of completed standard processes which are subject to some degree of improvement over time. The processes are not systematically or repeatedly used as a consequence of the culture and hence insufficient for the users to become competent or the process to be validated in a range of situations. This could be considered an evolving stage where post use in a wider range of conditions the processes can develop to next level of maturity

Level 2 Developing Typically characterised by some processes being repeatable, sometimes with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of change.

Level 1 Basic Typically characterised by undocumented processes that are driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable environment for the processes.

130 IEEE ENGINEERING MANAGEMENT REVIEW, VOL. 47, NO. 1, FIRST QUARTER, MARCH 2019

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

5.1. Approach to Literature Review The literature review

entailed a search for relevant literature by the examination of academic science, engineering, and business databases (e.g., LexisNexis, Engineering Village; ScienceDirect, Science Citation Index, ABI/INFORM, ProQuest; PMI Online Library) and general internet search engines. The review focussed predominantly on papers published during or after 2000 other than key works. The literature reviewed was predominantly peer-reviewed academic papers, although some grey literature was also examined. In addition, papers which did not focus specifically on construction were included in the review for the benefit of a broad perspective. The literature was examined to answer the research questions included above.

5.2. The Goals of PRM For effective PRM, the natural starting point is to understand what an organization (or a specific project) wishes to accomplish through the execution of risk management. This entails determining the goals for project risk management which are distinctly different from potential benefits. While authors have described enterprise risk management goals within the literature, surprisingly there is extremely limited reference to the specific goals of project risk management. The PMI Practice Standard for project risk management [PMI, 2009] refers to critical success factors which may be interpreted as risk management goals. In addition, researchers have identified barriers to be surmounted for PRM which again may be

interpreted as the goals to be pursued ([Tah & Carr, 2001]; [Aven, 2011]; [Goh et al, 2013]; [Xanbo et al, 2012]). The goals must address the whole project life cycle for any stage not addressed will be the ‘weak link in the chain’. Hence where projects commence with inception and terminate with handover, depending on the project management method adopted-risk management should commence with the business case and finish with handover and the commencement of operations. Table 2 lists the primary publications reviewed to discern the common core PRM goals for project implementation. The goals ‘distilled’ from the publications are Included in Table 3. The goals have been gleaned (or distilled) from the publications as they describe benefits or desired behaviors rather

Figure 2. Maturity model structure.

Table 2. Reference Documents to Discern the Common PRM Goals

Authors / Publication Title of paper or publication

[Rae, Alexander & McDermid 2014] “Fixing the cracks in the crystal ball: A maturity model for quantitative risk assessment” [Serpella et al, 2015] “Evaluating risk management practices in construction organizations” [Tah & Carr 2001]. “Knowledge-based approach to construction project risk management. Journal of Computing in Civil Engineer-

ing” [MORiG 2017] “Management of Risk in Government, A framework for boards and examples of what has worked in practice – A

Non-Executives’ Review” [Chapman 2014] “The rules of project risk management, implementation guidelines for major projects”, Gower Publishing Lim-

ited, UK and USA [NAO 2011] “Managing risk in government”, National Audit Office [M_o_R 2010] “Management of Risk: Guidance for Practitioners”, Axelos Limited (see ‘Management of risk principles’) ISO 31000: 2009 International Standard ISO 31000: 2009 [HMT 2009] “Risk Management framework: a tool for departments, published by HM Treasury [PMI 2009] “PMI practice standard for project risk management” published by the Project Management Institute, Inc.USA [Westcott 2005] “The risks of risk management” Paper presented at PMI� Global Congress 2005. [Chapman & Ward 1997] “Project risk management, processes, techniques and insights”, published by John Wiley and Sons Limited.

EXPLORING THE VALUE OF RISK MANAGEMENT FOR PROJECTS: IMPROVING CAPABILITY THROUGH THE DEPLOYMENT OFA MATURITY MODEL 131

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

than explicit objectives for risk management. Hence the goals listed in Table 3 have been interpreted from the source documents listed in the column headed ‘source’. Only

when an organization has determined what it wishes to accomplish in terms of risk management can desired measures of maturity be determined.

5.3. The Core Activities of PRM The core PRM

activities to satisfy the goals are included in Table 4 below. Only the core activities are examined given the

Table 3. PRM Goals

Ref Common core PRM goals Source

G1 Leadership Secure a mandate (and commitment) for risk management and the direct involvement of direc- tors/senior management.

ISO 31000 2009 [Chapman 2014] [NAO 2011] [PMI 2009]

G1 Leadership Preserve the organisation’s reputation in the market place. [Chapman 2014] G1 Leadership Increase the likelihood of projects realizing their objectives and support organisational efficiency ISO 31000 2009

[M_o_R 2010] G1 Leadership Provide a budget for risk management (people, hardware, software, office space, mini library,

travel, training and staff development) [Chapman 2014]

G1 Governance Make accountability and responsibility for risk management explicit ISO 31000 2009 [MORiG 2017] [NAO 2011]

G1 Governance Establish a reliable basis for decision making (at inception, business case development and stage gates) including assuring the quality of the risk information and addressing optimism bias.

ISO 31000 2009 [HMT 2009] [M_o_R 2010] [Chapman 2014] [NAO 2011]

G2 Culture Develop a culture where risk management is: seen as a value-add discipline; used as a manage- ment tool not a reporting tool; ‘second nature’ and a reflex action; automatically undertaken at key stages in the project life cycle; a vital element of go/no go decisions and gate reviews.

ISO 31000 2009 [HMT 2009] [MORiG 2017] [M_o_R 2010] [PMI 2009] [Westcott 2005]

G3 Compliance Understand the threats arising from a breach of compliance/legislation ISO 31000 2009 G4 Continuous

Improvement Improve organizational knowledge, learning (lessons learned) and resilience and support contin- uous improvement

ISO 31000 2009 [MORiG 2017] [M_o_R 2010] [Chapman 2014] [NAO 2011] [Serpella et al, 2015]

G4 Continuous Deploy a risk management maturity model to understand the adequacy of current practices and highlight where improvements are required.

[MORiG 2017] Improvement [M_o_R 2010]

[Chapman 2014] [Serpella et al, 2015]

G5 Commun-ication Establish open and honest communication, escalation processes, meeting hierarchy, meeting TOR, reporting and create dashboards for quick assimilation of the risk data.

ISO 31000 2009 [HMT 2009] [MORiG 2017] [PMI 2009]

G6 Composition and context

Improve the identification of threats and opportunities against the objectives, scope, constraints and context of projects

ISO 31000 2009

G7 People Recruit and develop human resources and a risk management capability (‘risk literacy’) to support the implementation of the risk management discipline (risk function and project personnel).

ISO 31000 2009 [HMT 2009] [MORiG 2017] [Chapman 2014] [Tah & Carr, 2001].

G8 Process Improve the understanding of project uncertainty (opportunities & threats: probability, proximity, source, impact, interdependencies, assumptions) including threat combinations and a ‘domino’ event.

ISO 31000 2009

[MORiG 2017]

G8 Process Encourage proactive management involving the direct treatment of threats and the exploitation of opportunities throughout the project life cycle

ISO 31000 2009 [MORiG 2017]

G8 Process Improve knowledge of stakeholders and engender their confidence and trust through articulation of the benefits of risk management

ISO 31000 2009 [M_o_R 2010] [Chapman 2014]

G8 Process Engage and gain support from the supply chain in the implementation of risk management (con- tractors, sub-contractors, suppliers, specialists)

[HMT 2009] [Chapman 2014]

G8 Process Prepare contingency assessments based on the perceived uncertainty [MORiG 2017] to support the creation of budget and schedule contingency [Westcott 2005]

[Rae et al 2014] G8 Process Integrate risk management with the procurement process [Chapman 2014]

[PMI 2009] G9 System Provide an appropriate web-based risk database. Drive Risk Owners and Risk Actionees to

regularly update the details of the threats and issues that they are managing. [Chapman 2014]

132 IEEE ENGINEERING MANAGEMENT REVIEW, VOL. 47, NO. 1, FIRST QUARTER, MARCH 2019

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

extensive number of common risk management activities. The goal reference numbers from Table 3 are cross-referenced to the risk management activities. The activities are drawn from the following documents: “Practice standard for project risk management” [PMI, 2009]; “Project Risk Analysis and Management” [APM, 2014]; “Risk Analysis and Management for Projects”-RAMP [ICE, 2014]; ISO 31000 [ISO, 2018], “Management of Risk, guidance for practitioners” [M_o_R, 2010]; “Risk assessment framework, a tool for departments”, [HMT, 2009]; and “The rules of project risk management, implementation guidelines for major projects” [Chapman, 2014].

5.4. Barriers to Project Risk Management While there is

growing recognition of the value-add of PRM there are numerous barriers to effective implementation ([Chapman 2014], [2016]). While there is extensive literature offering guidance to project managers on how to manage project risk, there is far less guidance on how to assess the relative effectiveness of risk practices, [Kutsch and Hall, 2010]. There are a considerable number of barriers to the implementation of PRM. The literature typically does not describe barriers to implementation directly but rather questions what is in place or has been implemented, inferring the absence or lack of the completion of these actions would be detrimental. The barriers recorded in Table 5 are described as actions not completed or inadequate.

6. PROPOSED STRUCTURE

FOR A PROJECT RISK

MANAGEMENT MATURITY

MODEL

Taking account of the goals of project risk management, the common core activities and the recognised barriers to implementation discussed above

the following model structure is proposed as described in Figure 3.

6.1. Selected Maturity Model Levels Proença and Borbinha

examined twenty-two risk maturity models spanning a number of industries and the number of maturity model levels ranged from four to six [Proença & Borbinha, 2016]. Six maturity levels it is argued provides too much granularity in that it makes it more difficult to describe the difference between one level and another and similarly users of the model find it difficult to judge what level of maturity they have attained for a particular capability. Four maturity model levels do not afford organisations and projects the ability to describe a sufficient number of steps of incremental improvement. It is recommended that five levels are adopted as illustrated in Figure 4 below. It is recognised that level five may only ever be reached for a small number of the categories or a conscious decision is made not to strive for level five on all categories as the return would not warrant the cost, time and effort.

6.2. Selected Maturity Model Categories As a consequence

of the literature search and taking account of the goals of risk management, the common core activities and the recognised barriers to implementation, the following maturity model categories have been selected: leadership and governance, culture, compliance, continuous improvement, communication, composition and context, people, process and system. If a larger number of categories were selected there would be the risk of the duplication of competencies. The categories of risk management process, people and culture were identified by [Wibowo & Taufik (2017)]. [Zou et al (2010)] identify the categories of management, risk identification, risk analysis, and systematic risk management and

culture. It is of note that a large number of the authors and publications single out ‘culture’ as one of the key determinants in the development of mature risk management practices: [Abrahim, Henry, & Keith, 2012]; [ISO, 2009]; [Farrel and Hoon, 2009]; [IRM, 2012]; [Smits and van Hillegersberg, 2015]; and [CIMA, 2010]. Respondents to a survey conducted by the Economist Intelligence Unit seeking to understand the key challenges and opportunities facing risk management identified a strong culture and awareness of risk throughout the organization as the key determinant of success. Respondents considered with the battle for support from the board largely won, the key determinant of success in risk management had become the need to ensure that a strong culture and awareness of risk permeated every layer of the organisation [EIU, 2007].

6.3. Selected Maturity Model Competencies An example of

the competencies reflecting the risk management goals, core activities and barriers to implementation are recorded below for the culture category. These competencies have been drawn from a number of UK government and institute papers including but not limited to HM Treasury’s “Risk Management assessment framework: a tool for departments” [HMT, 2009], the IRM’s “Risk culture under the microscope, Guidance for Boards” [IRM, 2012] and the London School of Economics report: “Risk culture in financial organisations: a research report”, (LSE, 2013).

6.3.1. Culture: Level 5: Leading � Senior management attitude to

risk management: Actively champion risk management and call to task individuals or teams that do not adhere to published practices.

EXPLORING THE VALUE OF RISK MANAGEMENT FOR PROJECTS: IMPROVING CAPABILITY THROUGH THE DEPLOYMENT OFA MATURITY MODEL 133

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

Table 4. Core PRM Activities to Satisfy the Goals

Mandate

G1 � Record the mandate in a risk management policy-which states the commitments of the organisation to realise effective risk man- agement.

Reputation

G1 � Develop a reputation management plan for issue by senior management to explain the aims, activities and required participation.

Accountability and Responsibility

G1 � Record within risk management plans with the aid of PRACI matrices the accountability and responsibility for specific risk manage- ment activities

Project go/no go – business cases

G1 � Support the development of business cases and the calculation of benefit cost ratios; G1 � Produce optimism bias calculations to support the preparation of the project cost estimate; G1 � Review project assumptions, dependencies, issues and exclusions to support the business case preparation; G1 � Drive option analysis by the assessment of the threat exposure of and opportunities presented by each option;

Gate reviews

G1 � Provide a picture of the current risk exposure at gate reviews to support go/no go decisions for the organisation or clients to decide whether they wish to proceed to the next project stage;

Integration

G1 � Integrate risk management activities with the other core disciplines such as estimating, scheduling, change management, quality management, reporting, design, and contracts management/procurement.

Culture

G2 � Senior management mandate and transparently champion and sponsor risk management � Provide clear guidance and documentation, undertake training, produce guidance sheets, provide case study seminars and provide tailored plans

Compliance

G3 � Establish compliance / legislation and approval requirements

Lessons learned

G4 � Conduct lessons learned workshops prior to project commencement, during implementation and on completion

Reporting

G5 � Provide dashboard reports of risk exposure. G5 � Escalate risk exposure to senior management G5 � Report on the most serious threats, planned response actions and risk reduction to-date

Composition and context

G6 � Establish threats and opportunities against the objectives, scope, constraints and context of projects

People

G7 � Build risk management capability to deliver the risk management goals

Stakeholder review

G8 � Conduct an assessment of the project stakeholders and their ability to impact the project objectives Design G8 � Support the evaluation of assumptions around scope definition; G8 � Support design coordination; G8 � Examine threats to approvals (environmental, safety, quality, design, planning, security, building authority etc.);

Scheduling

G8 � Calculate schedule uncertainty and risk exposure;

Estimating

G8 � Calculate contingencies and prepare a contingency drawdown process; G8 � Calculate cost uncertainty (quantities and rates) to support preparation of contingencies; G8 � Review assumptions and exclusions

Tender Action/Procurement

G8 � Analyse the threat proposed by suppliers, contractors and sub-contractors to project delivery; G8 � Analysis of the risk profile of different forms of contract; G8 � Pre-qualification of contractors; G8 � Analysis of contractor’s capabilities; G8 � Describe the risk activities to be undertaken by contractors (submitting tenders); G8 � Contribute to the preparation of tender documents stipulating the risk management functions to be implemented by the successful

tenderer;

Project life cycle

G8 � Predict, examine and take proactive action to remove or reduce the threats to a project’s objectives; G8 � Support assessment of the threats against the business case and its validity;

Database

G9 � Procure and implement a risk management database with an appropriate number of licences

134 IEEE ENGINEERING MANAGEMENT REVIEW, VOL. 47, NO. 1, FIRST QUARTER, MARCH 2019

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

� Project personnel attitude to risk management: The value-add of risk management is understood, the ramifications or poor

implementation accepted and recognised and participation ‘second nature’.

� Policy, plans and processes: Completed, regularly reviewed and being implemented

Table 5. Barriers to Implementation

Leadership and governance

� Risk management has not been mandated by senior management. [M_o_R, 2010]

� Lack of adequate budget [M_o_R, 2010]

� Lack of central risk function [M_o_R, 2010]

� Responsibility for risk management has not been made explicit or accepted [M_o_R, 2010]

� Senior management pay lip service to risk management and the discipline is not seen to add value. [M_o_R, 2010]

� Risk Policy not prepared, reviewed, signed-off or disseminated. [M_o_R, 2010]

� Risk management is not a central focus within gate reviews. [MITRE, 2014]

� Risk management is not used to assess alternative options and support decision making. [M_o_R, 2010]

� Project leadership does not have the authority too quickly (and regularly if required) engage subject matter experts to review risk exposure. [MITRE,

2014]

� Risk management is not formally integrated into project management [MITRE, 2014]

� Risk management is not a priority for leadership and throughout the project’s management levels. [MITRE, 2014]

� Different approaches to the implementation of risk management are adopted across the organization. [HMT, 2009]

� Failure to acknowledge systemic risk [Chapman, 2011]

� Lack of integration of risk management with change management, procurement, value management, scheduling, option analysis, business case

preparation, and optimism bias calculations. [PMI, 2009];

Culture

� Lack of common acceptance that risk management adds value. [M_o_R, 2010]

� Lack of application of lessons learned to support risk identification. [Chapman, 2014]

� Participants not trained in a project’s specific risk management practices and procedures. [MITRE, 2014]

� The project team do not support risk management as they feel the risk information will not be used to support management decisions (they pay lip

service to the process and the information is not informative [MITRE, 2014]

� Technology maturity and its future readiness is not understood by the project team [MITRE, 2014]

� Risk management delegated to staff that lack authority.

� Risk management is outsourced. [MITRE, 2014]

� The management culture does not encourage and reward staff at all levels to identify risk. [MITRE, 2014]

� No benchmarking of approach and processes with similar organizations.

� Lack of common understanding of the risk management terms in use and their meaning (including risk appetite and tolerance). ([M_o_R, 2010],

Aven, 2010; [Xanbo et al, 2012]; [Goh et al, 2013]),

Compliance

� Failure to record legislation to be complied with and penalties for non-compliance

Communication

� Failure to communicate risk exposure to senior management. (Stultz, 2008)

� Lack of clear escalation process (timing, content and recipients) [HMT, 2009]

Composition and context

� The aims/goals/objectives of the project are not made explicit leading to unfocussed identification. [M_o_R, 2010]

� The scope/content of the project is not adequately described and communicated. [M_o_R, 2010]

� A communications plan has not been prepared and stakeholders not provided with timely, specific and clear information. [M_o_R, 2010]

� Project dependencies not described [PMI, 2009]

� Lack of design coordination

� External stakeholders with the ability to impact the aims/goals/objectives of the project have not been fully identified. [MITRE, 2014]

� External stakeholders have not been fully described. Involvement of stakeholders in the project not adequately documented. The risk to or emanat-

ing from stakeholders not captured. [M_o_R, 2010]

People (Risk Personnel)

� Risk personnel do not have adequate experience, skills and capabilities [M_o_R, 2010] ! Specific inability to carry out quantitative analysis, (optimism bias calculations) or prepare decision trees [PMI, 2009] ! Poor oral and written communication skills, lack of facilitation skills, lack of awareness of ISO 31000 ! Inadequate training and development of risk personnel [M_o_R, 2010]

� Lack of induction training [M_o_R, 2010]

� Lack of role descriptions [M_o_R, 2010]

EXPLORING THE VALUE OF RISK MANAGEMENT FOR PROJECTS: IMPROVING CAPABILITY THROUGH THE DEPLOYMENT OFA MATURITY MODEL 135

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

� Terminology: Common understanding of the terms and definitions and are in everyday use. Additional terms added as required.

� Risk appetite: Limitations of appetite and capacity reflected in

the assessment of threats and the approach adopted towards the supply chain.

� Engagement with the supply chain: Clear understanding of the transfer and retention of risk and contract documents prepared on

the basis of the agreed ownership of risk.

� Risk management integrated with the other core project disciplines: Fully integrated with other project disciplines such as estimating, scheduling and change control

Table 5. (Continued )

Leadership and governance

Process

� Lack of agreement on the correlation between risks, issues, assumptions, dependencies and exclusions. [PMI, 2009]

� The nature and needs of the project are not reflected in the design of the risk management process and the supporting risk management tool/data-

base conforms. [MITRE, 2014]

� Personnel have not adopted a tailored approach to risk management. [ISO, 2009]

� Lack of understanding of when risk management activities should be undertaken. [M_o_R, 2010]

� Risks are not identified, assessed, and reviewed continuously—only prior to major reviews. [MITRE, 2014]

� Lack of a formal and repeatable risk management process which is balanced with the complexity and data needs of the project, leading to a dispro-

portionate burden. [MITRE, 2014]

� Absence of full recognition of the nature of risk exposure of different forms of procurement. [UN 2006]

� Risk management plans contain practices and procedures which are not consistent with corporate processes. [MITRE, 2014]

� Lack of recognition of when and how suppliers and contractors should be engaged in the process. [Chapman, 2014]

� Contractor risk management responsibilities not included in contract documents. [Chapman, 2014]

� Contractors not required to provide a risk management representative or hold regular risk meetings. [Chapman, 2014]

� Contractors not required to make explicit the risks they are and are not pricing in their submissions. [Chapman, 2014]

� Project interdependencies are not identified, recorded, disseminated, scheduled are understood in terms of their degree of significance. [M_o_R,

2010]

� Risk management execution is not shared among all stakeholders. [MITRE, 2014]

Process: Identification

� Risks are not clearly written using the Cause-Threat-Impact protocol. [Chapman, 2014]

� Poor description of threats, their causes, impacts and responses (poorly written, not readily understood, open to interpretation) [M_o_R, 2010]

� Threat descriptions are a jumble of project background, cause, threat and impact). Ensure risk descriptions are succinct, readily understood (by the

project not just the project). [Chapman, 2014]

� Threats are not identified against the project objectives including the scope using common risk discipline techniques (such as prompt lists, check-

lists, risk registers, scenario analysis, brainstorming, nominal group method, Delphi technique, SWOTanalysis, PESTLE etc.). [M_o_R, 2010]

� Not all project disciplines are involved in the identification process to ensure it is comprehensive. [M_o_R, 2010]

Process: Analysis

� The sensitivity/importance of the aims/goals/objectives of the project are not reflected in the assessment of the risks (the sensitivity of time or cost

overrun is not reflected in the scoring matrix) [M_o_R, 2010]

�Mismeasurement of known risks (likelihood and impact). (Stultz, 2008, DHSG,2011, [NC, 2011])

Process: Evaluation

� Lack of awareness of risk relationships between risks in the same project, or with other projects and projects. [M_o_R, 2010]

� Lack of understanding of how to apply correlation (positive and negative)

� Lack of identification and management of the critical success factors of quantitative analysis. [PMI, 2009]

Process: Response Planning

� Risk response planning not rigorously or consistently implemented. [M_o_R, 2010]

� Risks are not assigned to staff with the authority to implement mitigation actions and engage internal/external resources as required [MITRE, 2014]

� Risk mitigation plans are not monitored to assess their effectiveness. [MITRE, 2014]

� Responses do not address the threat they were designed to address. [ISO, 2009]

Process: Reporting

� Lack of common understanding of risk reporting requirements. [M_o_R, 2010]

� Failure to monitor and manage identified risks. (Stultz, 2008)

System

� Risk management tool/database is not maintained with the current risk status information [MITRE, 2014]

� Inability to quickly produce “dashboard-like” status reports for management. [MITRE, 2014]

� Inability of project staff to simultaneously enter risk data into the risk management tool/database [Chapman, 2014]

136 IEEE ENGINEERING MANAGEMENT REVIEW, VOL. 47, NO. 1, FIRST QUARTER, MARCH 2019

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

� Meeting attendance: Scheduled meetings regularly attended and absences challenged and not tolerated.

Level 4: Advanced � Senior management attitude to

risk management: Directly engaged in risk management

� Project personnel attitude to risk management: Value-add of risk

management understood but not

yet second nature. � Policy, plans and processes:

Prepared, signed-off, disseminated, briefed-out to the

project and updated as required � Terminology: Terms and

definitions complete and being

augmented as required

� Risk appetite: Appreciation of

appetite, capacity and tolerance

and reflected in approaches to

procurement � Engagement with the supply

chain: Engagement being

refined. � Risk management integrated

with the other core project disciples: Almost completely

integrated � Meeting attendance: Standing

meeting agenda refined as required.

Level 3: Evolving � Senior management attitude to

risk management: Support the concept but not directly engaged.

� Project personnel attitude to risk management: Visible improvement over time.

� Policy, plans and processes: Revised and updated as required.

� Terminology: Common vocabulary starting to evolve

� Risk appetite: The terms appetite, capacity, tolerance and target defined as they relate to the organisation

� Engagement with the supply chain: Being improved over time.

� Risk management integrated with the other core project disciples: Integration commenced but not completed.

� Meeting attendance: Improved attendance but preparation for

Figure 3. Proposed maturity model.

Figure 4. Maturity model levels.

EXPLORING THE VALUE OF RISK MANAGEMENT FOR PROJECTS: IMPROVING CAPABILITY THROUGH THE DEPLOYMENT OFA MATURITY MODEL 137

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

meetings inadequate diminishing effectiveness.

Level 2: Developing � Senior management attitude to

risk management: Passive support.

� Project personnel attitude to risk management: Disciplines pay lip service to risk management and treat it as a chore.

� Policy, plans and processes: Under development and not yet put into practice

� Terminology: Common vocabulary starting to evolve.

� Risk appetite: Evolving comprehension of appetite, capacity, tolerance and target

� Engagement with the supply chain: Emerging awareness of the need for risk management to be integrated with the procurement processes

� Risk management integrated with the other core project disciples: Emergence of the recognition of the need to integrate risk management with the other disciplines.

� Meeting attendance: Poor, inconsistent, late, ill prepared

Level 1: Basic � Senior management attitude to

risk management: Unsupportive, unaccommodating, obstructive, hostile

� Project personnel attitude to risk management: Disciplines address risk matters if all other activities are complete

� Policy, plans and processes: Not prepared, signed-off, disseminated or briefed-out

� Terminology: No common vocabulary leading to different interpretation of the same terms and confusion

� Risk appetite: No common understanding of risk appetite, capacity, tolerance or target

� Engagement with the supply chain: Lack of integration of risk management with the supply

chain and procurement processes

� Risk management integrated with the other core project disciples: Not commenced.

� Meeting attendance: Need for meetings challenged or project personnel decline to attend

7. DISCUSSION

To help develop effective risk management practices, this paper presented a maturity model primarily for infrastructure projects. To guide the research to determine a suitable model structure and competencies, three questions were posed. A specific focus was placed on consideration of appropriate levels, categories and competencies. The model structure was based solely on a literature search. Prior to deciding upon the composition of the model, models described in the literature were examined and compared at a high level for instructive guidance. The sequence of stages within a generic life cycle were used to guide examination of the literature. The weaknesses as well as the strengths of the models examined informed the composition of the model structure described in this paper. To structure the literature search to avoid compiling a confused mixture of categories not relevant to projects or the construction industry, nine categories of risk management practice were selected. The selection was informed by publications by PMI, the UK APM, the OGC/AXELOS [Ltd 2015] suite of project management documents and the UK government’s publications. In summary the maturity model proposed in this paper places greater emphasis on understanding: the goals of PRM; the risk management activities to be completed; and barriers to implementation. In other words what are we trying to accomplish, what do we need to do to realise those goals

and what will prevent us from doing so. Previous models have not made these aspects explicit.

8. VALIDATION

8.1. Internal Validation Internal validation was examined in terms of the reliability of inferences that could be drawn from the application of the model in real-world circumstances. The risk maturity model described was introduced on the following programmes (where each programme was composed of a series of interrelated projects). In all cases the maturity model categories were accepted as pertinent and applicable. � UK rail project � Malaysian rail project � UK Smart metering project

undertaken by a large energy company

� UK road project

A cause-and-effect relationship could be established between the introduction of the maturity model and discernable improvements in risk management maturity and as a consequence, improvements in effective risk management. Improvements were unambiguous. Improvements related to actions drawn from the activities described on the improvement plan. For example, if a mandate for risk management was prepared and issued there was a clear directive for risk management, if roles and responsibilities for risk management were described and applied, participation in risk management became explicit and if risk escalation was performed, decision making was more informed. However, observation of the degree and speed of improvement varied considerably across the programmes as a consequence of a myriad of issues, such as whether for instance: � The model was introduced early

or late in the project life cycle. � The size of the central risk

function and whether risk

138 IEEE ENGINEERING MANAGEMENT REVIEW, VOL. 47, NO. 1, FIRST QUARTER, MARCH 2019

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

personnel where changed, (on one programme the entire risk management team was changed).

� A formal assessment was made of the as-is and to-be risk management maturity states and agreed by senior management.

� A formal improvement plan was prepared (and approved by senior management) to realize the to-be state with a timeframe and allocated resource.

� The project management team remained static or was changed (onmany programmes very significant changesweremade in the composition of the senior management teamwhich required a re-introduction of themodel).

� The scope of the projects within the programmes remained static or changed.

� The mandate for risk management remained static or changed.

� The prioritization of risk management resources remained unchanged (in many cases the level of risk management resource was insufficient to implement prioritized risk management effort at the same time as the implementation of the improvement plan).

� The timing of risk management training to provide an across-the- board understanding of the discipline of risk management.

� The degree of resistance to change.

� The compatibility of approach adopted by the company risk function and the programme risk function.

There was no confusion over causal direction due to the incremental steps in the models.

8.2. External Validation (or Generalizability) It is

considered reasonable to generalize that in the short term the same model would generate improvements in risk management maturity on other projects (and the programmes within which they reside). The rationalization for this supposition is based on the composition of the model where the categories and competencies are drawn from a significant number of sources spanning both institute publications and research. However, over time repetition of the research will not produce identical results in the same way that mixing two static chemical substances together (under controlled laboratory conditions) would do. The reason being that the project environment is dynamic and over time the perception of what is mature changes. In addition, multiple groups of project professionals, (based on individuals’ experiences and their project profession), will have different perceptions of maturity although it would be expected that there would be significant areas of commonality. The intention is to produce a model that will be suitable for all infrastructure projects. It will not be suitable for other industries such as information technology, aerospace or ship building as they do not involve creating permanent physical assets on the ground.

9. CONCLUSIONS

The contribution this paper makes is the presentation of a maturity model which goes beyond existing PRM

maturity models in that it considers three critical areas together: PRM goals, core PRM activities and barriers to the implementation of effective PRM. While there is extensive research on maturity models the attention to risk management goals is very limited. For any project, identification of the risk management goals before embarking on risk management and particularly the preparation of a maturity model is considered vital. This paper considers that a project’s PRM goals dictate the activities to be implemented and the activities and barriers combined inform the competencies to be included in a PRM maturity model. Examination of the goals, activities and barriers has permitted the construction of a model which proposes 5 levels of maturity, 9 categories or ‘building blocks’ of effective risk management and a format for capturing risk competencies. In addition, through the application of the model during four live programmes, the paper draws the conclusion that there is a direct correlation between the use of the model and improvements in the effectiveness of project risk management. It also highlights that models are not deployed in a vacuum and that the circumstances of a project will influence the degree to which a model will aid the delivery of effective risk management. Possible avenues of further research are the application of the model on a large sample of live projects so that the appropriateness of the categories and competencies can be more rigorously assessed with the goal of determining a universally applicable model.

REFERENCES

Abrahim, A., Henry, K., & Keith, J., (April 18—20, 2012). ERM culture alignment to enhance competitive advantage. 2012 ERM Symposium, Washington, DC, USA, 2012.

EXPLORING THE VALUE OF RISK MANAGEMENT FOR PROJECTS: IMPROVING CAPABILITY THROUGH THE DEPLOYMENT OFA MATURITY MODEL 139

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

Airmic, (2017). Organisations struggling to implement effective risk appetite, warn Airmic and Alvarez & Marsal. [Online]. Available: https://www.airmic.com/news/ guest-stories/organisations-struggling-implement-effective-risk-appetite-warn- airmic-and-alvarez-marsal. Accessed on: Aug. 19, 2018.

Antonucci, D. (2016). Risk maturity models: How to assess risk management effectiveness. London, U.K.: Kogan Page Limited.

APM Risk Management Specific Interest Group. (2014). Project Risk Analysis and Management (PRAM) Guide, 2nd ed., Princes Risborough, U.K.: Assoc. Project Manage.

Aven, T. (2011). On the new ISO guide on risk management terminology. Reliability Engineering and System Safety, 96: 719–726.

AXELOS Ltd. (2015). Portfolio, Programme and Project Management Maturity Model (P3M3, V3). [Online]. Available: https://www.apm.org.uk/sites/default/files/ introduction%20to%20p3m3,%2019th%20jan%20bolton.pdf. Accessed on: Aug. 19, 2018.

Banjanin, G., (2010). Resolving troubled agile development by applying mature project management—Composite model of structural and process integration. Paper presented at PMI Global Congress 2010—EMEA, Milan, Italy.

Chapman, R. J., (2011). Simple Tools and Techniques for Enterprise Risk Management, 2nd ed. New York, NY, USA: Wiley.

Chapman, R.J., (2014). The Rules of Project Risk Management, Implementation Guidelines for Major Projects, Aldershot, U.K.: Gower Publ. Limited.

Chapman, R. J., (August 2016). A framework for examining the dimensions and characteristics of complexity inherent within rail megaprojects. International Journal of Project Management, 34(6): 937–956.

Chapman, R. J., (September 2018). A M.A.T.U.R.E. way to describe highly developed project risk management capabilities. PMWorld Journal, VII(IX): 1–6. [Online]. Available: www.pmworldjournal.net

Chapman, C., & Ward, S. (1997). Project Risk Management, Processes, Techniques and Insights. New York, NY, USA: Wiley.

CIMA, (2010). Reporting and managing risk. A look at current practice at Tesco, RBS, local and central government.

CMMI, (2010). CMMI for development, version 1.3, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, USA, Tech. Rep. CMU/SEI-2010-TR-033.

Deloitte, (2015). Enterprise risk management, a risk intelligent approach. Deloitte Risk Advisory.

Dietz, G., & Gillespie, N., (2012). The recovery of trust: Case studies of organisational failures and trust repair. The Institute of Business Ethics.

Economist Intelligence Unit, (2007). Best practice in risk management. A function comes of age. Economist Intelligence Unit, London, U.K., Tech. Rep.

English Oxford Living Dictionaries, (2018). [Online]. Available: https://en. oxforddictionaries.com/definition/mature. Accessed on: August 19, 2018.

EYGM Limited, (2013). Turning risk into results. How leading companies use risk management to fuel better performance.

EYGM Limited, (2014). Expecting more from risk management. Drive business results through harnessing uncertainty.

EYGM Limited, (2015). Predicting project risks improves success. How predictive analytics provides the insight to unlock the value of your program investments.

Farrel, J. M. & Hoon, A. (April 15, 2009). What’s your company Risk Culture? National Association of Corporate Directors Directorship.

Flyvbjerg, B., Bruzelius, N., & Rothengatter, W., (2003).Megaprojects and Risk: An Anatomy of Ambition. Cambridge, U.K.: Cambridge Univ. Press.

140 IEEE ENGINEERING MANAGEMENT REVIEW, VOL. 47, NO. 1, FIRST QUARTER, MARCH 2019

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

Gill, M., & VanBoskirk, S., (January 22, 2016). The digital maturity model 4.0 benchmarks: Digital business transformation playbook. Forrester, Tech. Rep.

Goh, C. S., Abdul-Rahaman, H., & Abdul Samad, Z. (2013). Applying risk management workshop for public construction projects: Case study. Journal of Construction Engineering and Management, 139: 572–580.

HM Treasury, (2009). Risk management assessment framework: A tool for departments

Hopkinson, M., (2011). The project risk maturity model: Measuring and Improving Risk Management Capability. New York, NY, USA: Gower.

Hubbard, D. W. (2009). The Failure of Risk Management: Why It’s Broken and How to Fix It. New York, NY, USA: Wiley.

ICE, (2014). Risk Analysis and Management for Projects (RAMP), 3rd ed. Gurugram, India: Inst. Civil Eng.

ICPM, (February 2014). Submission for the Australian Government’s productivity commission public enquiry into public infrastructure. International Centre for Complex Project Management. [Online]. Available: www.iccpm.com

Irimia-Di�eguez, A. I., Sanchez-Cazorla, A., & Alfalla-Luque, R., (2014). Risk management in megaprojects. 27th IPMA World Congress. Procedia—Social and Behavioral Sciences 119: 407–416.

IRM, (2012). Risk culture under the microscope guidance for boards. The Institute of Risk Management.

Risk Management—Guidelines, International Standards Organisation ISO 31000, 2009.

Risk management—Guidelines, International Standards Organisation ISO 31000, 2018.

Junior, R. R. & Monteiro de Carvalho, M., (2013). Understanding the Impact of project risk management on project performance: An empirical study. Journal of Technology Management and Innivation, 8.

Kimball R. C. (January/February 6, 2000) Failures in risk management. New England Economic Review.

Kutsch, E. & Hall, M. A. (2010), Deliberate ignorance in project risk management. International Journal of Project Management, 28(3): 245–255.

Power, M., Ashby, S., & Palermo, T. (2013) Risk culture in financial organisations: A research report. London School of Economics, London, U.K., Tech. Rep.

McGrew, J., & Bilotta, J. (2000). The effectiveness of risk management: Measuring what didn’t happen.Management Decision, 28(4), 293–300.

Minsky, S. (2016). The Wells Fargo Scandal is a failure in risk management. [Online]. Available: https://www.logicmanager.com/erm-software/2016/09/20/ wells-fargo-scandal-risk-management/. Accessed on: August 19, 2018.

MITRE, (2014). [Online]. Available: https://www.mitre.org/publications/systems- engineering-guide/acquisition-systems-engineering/risk-management/risk- management-approach-and-plan. Accessed on: August 1, 2018.

Murray-Webster, R., & Office of Government Commerce, (December 15, 2010). Management of Risk: Guidance for Practitioners (Office of Government Commerce). London, U.K.: Stationary Office.

MORiG, (2017). Management of risk in government. A framework for boards and examples of what has worked in practice—A non-executives’ review.

NASA, (2011). NASA Risk Management Handbook. Washington, DC, USA: Nat. Aeronaut. Space Admin. [Online]. Available: https://ntrs.nasa.gov/archive/nasa/ casi.ntrs.nasa.gov/20120000033.pdf

NAO, (2000). Supporting Innovation: Managing Risk in Government Departments. London, U.K.: Stationery Office.

NAO, (2004) Reforming NHS dentistry: Ensuring effective management of risks. [Online]. Available: https://www.nao.org.uk/press-release/reforming-nhs-dentistry- ensuring-effective-management-of-risks-2/. Accessed on: August 19, 2018.

EXPLORING THE VALUE OF RISK MANAGEMENT FOR PROJECTS: IMPROVING CAPABILITY THROUGH THE DEPLOYMENT OFA MATURITY MODEL 141

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

NAO, (2011). Managing risk in government. National Audit Office. NAO, (2013), Over-optimism in government projects. National Audit Office. [Online]. Available: https://www.nao.org.uk/wp-content/uploads/2013/12/10320-001-Over- optimism-in-government-projects.pdf

NAO, (2014). Memorandum on the BBC’s digital media initiative. [Online]. Available: https://www.nao.org.uk/press-release/memorandum-bbcs-digital-media-initiative. Accessed on: August 19, 2018.

NAO, (2016). Delivering major projects in government: A briefing for the Committee of Public Accounts. National Audit Office. [Online]. Available: https://www.nao.org. uk/press-release/delivering-major-projects-in-government-a-briefing-for-the- committee-of-public-accounts/. Accessed on: August 19, 2018.

NC, (January 2011). The gulf oil disaster and the future of offshore drilling: Report to the President. National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling.

ORR/HSL, (2017). Risk Management Maturity Model (RM3). Jointly developed by the Office of Road and Rail (ORR) and Health & Safety Laboratory (HSL).

PRINCE2, (2017).Managing Successful Projects With PRINCE2. London, U.K.: AXELOS.

Proença, D., & Borbinha, J., (October 5–7, 2016). Maturity models for information systems—A state of the art. Conference on Enterprise Information Systems/ International Conference on Project Management/Conference on Health and Social Care Information Systems and Technologies (CENTERIS/ProjMAN/HCist 2016).

PMI, (2009). PMI practice standard for project risk management, Project Management Institute, Inc., Newtown Square, PA, USA.

Rae, R., Alexander, R., & McDermid, J., (2014). Fixing the cracks in the crystal ball: A maturity model for quantitative risk assessment. Reliability Engineering and System Safety, 125: 67–81.

Raz, T., Shenhar, A. J., & Dvir, D., (2002). Risk management, project success and technological uncertainty. R & D Management. Oxford, U.K.: Blackwell, 32: 2.

RIMS (2006). The RIMS risk maturity model (RMM)—A best practice framework for enterprise risk management.

Ropponen, J., & Lyytinen, K., (1997). Can software risk management improve system development: An exploratory study? European Journal of Information Systems, 6: 41–50.

Serpella, A., Ferradab, X., Rubioa, L., & Arauzoa, S., (2015). Evaluating risk management practices in construction. 28th IPMA World Congress, IPMA 2014, 29 Sept.–1 Oct. 2014, Rotterdam, The Netherlands. Procedia–Social and Behavioral Sciences. 194: 201–210.

Mossolly, M., (2015) Global projects: A conceptual review on execution attitude in multinational corporations. 28th IPMA World Congress, 194, Rotterdam, The Netherlands, 201–210.

Smits, D., & van Hillegersberg, J., (2015). IT governance maturity: Developing a maturity model using the Delphi method. 48th Hawaii International Conference on System Sciences.

Tah, J., & Carr, V. (2001). Knowledge-based approach to construction project risk management. Journal of Computing in Civil Engineering, 15: 170–177.

The Irish Times.com, (June 1, 2017). Willie Walsh breaks silence on British Airways fiasco. Huge IT failure stranded 75,000 passengers following damage to servers. [Online]. Available: https://uk.search.yahoo.com/search?fr¼mcafee& type¼C211GB105D20151203&p¼poorþriskþmanagementþatþtheþBritishþ Airways. Accessed on: August 19, 2018.

UN, (2006). United Nations procurement practitioner’s handbook, Interagency Procurement Working Group (IAPWG).

142 IEEE ENGINEERING MANAGEMENT REVIEW, VOL. 47, NO. 1, FIRST QUARTER, MARCH 2019

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

U.S. DoE, (February 2014), Cybersecurity capability maturity model (C2M2) Version 1.1. U.S. Department of Energy.

Wibowo, A., & Taufik, J., (2017). Developing a self-assessment model of risk management maturity for client organisations of public construction projects: Indonesian context. Sustainable civil engineering structures and construction materials ESCSCM 2016. Procedia Engineering 171: 274–281.

Westcott, T. (2005). The risks of risk management. Paper presented at PMI� Global Congress 2005, Toronto, ON, Canada.

White House, (November 2008). Declaration of G20. [Online]. Available: http:// georgebush-whitehouse.archives.gov/news/releases/2008/11/2008

Woods, M., Kajuter, P., & Linsley, P., (2007). International Risk Management: Systems, Internal Control and Corporate Governance, 1st ed. CIMA publishing, United Kingdom.

Xanbo, Z., Bon-Gang, H., & Sui Pheng, L. (2012). Implementing enterprise risk management in a Chinese construction firm based in Singapore. Proceedings of the World Construction Conference—Global Challenges in Construction Industry. Colombo, Sri Lanka.

Zou, W. P. X., Chen, Y., & Chan, T. (August 2010). Understanding and improving your risk management capability: Assessment model for construction organisations. Journal of Construction Engineering and Management. 136(8): 854–863.

Zwikael, O., & Ahn, M., (January 2011). The effectiveness of risk management: An analysis of project risk planning across industries and countries. Risk Analysis, 31(1): 25–37.

EXPLORING THE VALUE OF RISK MANAGEMENT FOR PROJECTS: IMPROVING CAPABILITY THROUGH THE DEPLOYMENT OFA MATURITY MODEL 143

Authorized licensed use limited to: Zovio. Downloaded on November 14,2022 at 10:53:10 UTC from IEEE Xplore. Restrictions apply.

<< /ASCII85EncodePages false /AllowTransparency false /AutoPositionEPSFiles true /AutoRotatePages /None /Binding /Left /CalGrayProfile (Gray Gamma 2.2) /CalRGBProfile (sRGB IEC61966-2.1) /CalCMYKProfile (U.S. Web Coated \050SWOP\051 v2) /sRGBProfile (sRGB IEC61966-2.1) /CannotEmbedFontPolicy /Warning /CompatibilityLevel 1.4 /CompressObjects /Off /CompressPages true /ConvertImagesToIndexed true /PassThroughJPEGImages true /CreateJobTicket false /DefaultRenderingIntent /Default /DetectBlends true /DetectCurves 0.0000 /ColorConversionStrategy /sRGB /DoThumbnails true /EmbedAllFonts true /EmbedOpenType false /ParseICCProfilesInComments true /EmbedJobOptions true /DSCReportingLevel 0 /EmitDSCWarnings false /EndPage -1 /ImageMemory 1048576 /LockDistillerParams true /MaxSubsetPct 100 /Optimize true /OPM 0 /ParseDSCComments false /ParseDSCCommentsForDocInfo true /PreserveCopyPage true /PreserveDICMYKValues true /PreserveEPSInfo false /PreserveFlatness true /PreserveHalftoneInfo true /PreserveOPIComments false /PreserveOverprintSettings true /StartPage 1 /SubsetFonts false /TransferFunctionInfo /Remove /UCRandBGInfo /Preserve /UsePrologue false /ColorSettingsFile () /AlwaysEmbed [ true /Algerian /Arial-Black /Arial-BlackItalic /Arial-BoldItalicMT /Arial-BoldMT /Arial-ItalicMT /ArialMT /ArialNarrow /ArialNarrow-Bold /ArialNarrow-BoldItalic /ArialNarrow-Italic /ArialUnicodeMS /BaskOldFace /Batang /Bauhaus93 /BellMT /BellMTBold /BellMTItalic /BerlinSansFB-Bold /BerlinSansFBDemi-Bold /BerlinSansFB-Reg /BernardMT-Condensed /BodoniMTPosterCompressed /BookAntiqua /BookAntiqua-Bold /BookAntiqua-BoldItalic /BookAntiqua-Italic /BookmanOldStyle /BookmanOldStyle-Bold /BookmanOldStyle-BoldItalic /BookmanOldStyle-Italic /BookshelfSymbolSeven /BritannicBold /Broadway /BrushScriptMT /CalifornianFB-Bold /CalifornianFB-Italic /CalifornianFB-Reg /Centaur /Century /CenturyGothic /CenturyGothic-Bold /CenturyGothic-BoldItalic /CenturyGothic-Italic /CenturySchoolbook /CenturySchoolbook-Bold /CenturySchoolbook-BoldItalic /CenturySchoolbook-Italic /Chiller-Regular /ColonnaMT /ComicSansMS /ComicSansMS-Bold /CooperBlack /CourierNewPS-BoldItalicMT /CourierNewPS-BoldMT /CourierNewPS-ItalicMT /CourierNewPSMT /EstrangeloEdessa /FootlightMTLight /FreestyleScript-Regular /Garamond /Garamond-Bold /Garamond-Italic /Georgia /Georgia-Bold /Georgia-BoldItalic /Georgia-Italic /Haettenschweiler /HarlowSolid /Harrington /HighTowerText-Italic /HighTowerText-Reg /Impact /InformalRoman-Regular /Jokerman-Regular /JuiceITC-Regular /KristenITC-Regular /KuenstlerScript-Black /KuenstlerScript-Medium /KuenstlerScript-TwoBold /KunstlerScript /LatinWide /LetterGothicMT /LetterGothicMT-Bold /LetterGothicMT-BoldOblique /LetterGothicMT-Oblique /LucidaBright /LucidaBright-Demi /LucidaBright-DemiItalic /LucidaBright-Italic /LucidaCalligraphy-Italic /LucidaConsole /LucidaFax /LucidaFax-Demi /LucidaFax-DemiItalic /LucidaFax-Italic /LucidaHandwriting-Italic /LucidaSansUnicode /Magneto-Bold /MaturaMTScriptCapitals /MediciScriptLTStd /MicrosoftSansSerif /Mistral /Modern-Regular /MonotypeCorsiva /MS-Mincho /MSReferenceSansSerif /MSReferenceSpecialty /NiagaraEngraved-Reg /NiagaraSolid-Reg /NuptialScript /OldEnglishTextMT /Onyx /PalatinoLinotype-Bold /PalatinoLinotype-BoldItalic /PalatinoLinotype-Italic /PalatinoLinotype-Roman /Parchment-Regular /Playbill /PMingLiU /PoorRichard-Regular /Ravie /ShowcardGothic-Reg /SimSun /SnapITC-Regular /Stencil /SymbolMT /Tahoma /Tahoma-Bold /TempusSansITC /TimesNewRomanMT-ExtraBold /TimesNewRomanMTStd /TimesNewRomanMTStd-Bold /TimesNewRomanMTStd-BoldCond /TimesNewRomanMTStd-BoldIt /TimesNewRomanMTStd-Cond /TimesNewRomanMTStd-CondIt /TimesNewRomanMTStd-Italic /TimesNewRomanPS-BoldItalicMT /TimesNewRomanPS-BoldMT /TimesNewRomanPS-ItalicMT /TimesNewRomanPSMT /Times-Roman /Trebuchet-BoldItalic /TrebuchetMS /TrebuchetMS-Bold /TrebuchetMS-Italic /Verdana /Verdana-Bold /Verdana-BoldItalic /Verdana-Italic /VinerHandITC /Vivaldii /VladimirScript /Webdings /Wingdings2 /Wingdings3 /Wingdings-Regular /ZapfChanceryStd-Demi /ZWAdobeF ] /NeverEmbed [ true ] /AntiAliasColorImages false /CropColorImages true /ColorImageMinResolution 150 /ColorImageMinResolutionPolicy /OK /DownsampleColorImages false /ColorImageDownsampleType /Bicubic /ColorImageResolution 900 /ColorImageDepth -1 /ColorImageMinDownsampleDepth 1 /ColorImageDownsampleThreshold 1.00111 /EncodeColorImages true /ColorImageFilter /DCTEncode /AutoFilterColorImages false /ColorImageAutoFilterStrategy /JPEG /ColorACSImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >> /ColorImageDict << /QFactor 0.40 /HSamples [1 1 1 1] /VSamples [1 1 1 1] >> /JPEG2000ColorACSImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >> /JPEG2000ColorImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >> /AntiAliasGrayImages false /CropGrayImages true /GrayImageMinResolution 150 /GrayImageMinResolutionPolicy /OK /DownsampleGrayImages false /GrayImageDownsampleType /Bicubic /GrayImageResolution 1200 /GrayImageDepth -1 /GrayImageMinDownsampleDepth 2 /GrayImageDownsampleThreshold 1.00083 /EncodeGrayImages true /GrayImageFilter /DCTEncode /AutoFilterGrayImages false /GrayImageAutoFilterStrategy /JPEG /GrayACSImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >> /GrayImageDict << /QFactor 0.40 /HSamples [1 1 1 1] /VSamples [1 1 1 1] >> /JPEG2000GrayACSImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >> /JPEG2000GrayImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >> /AntiAliasMonoImages false /CropMonoImages true /MonoImageMinResolution 1200 /MonoImageMinResolutionPolicy /OK /DownsampleMonoImages false /MonoImageDownsampleType /Bicubic /MonoImageResolution 1600 /MonoImageDepth -1 /MonoImageDownsampleThreshold 1.00063 /EncodeMonoImages true /MonoImageFilter /CCITTFaxEncode /MonoImageDict << /K -1 >> /AllowPSXObjects false /CheckCompliance [ /None ] /PDFX1aCheck false /PDFX3Check false /PDFXCompliantPDFOnly false /PDFXNoTrimBoxError true /PDFXTrimBoxToMediaBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXSetBleedBoxToMediaBox true /PDFXBleedBoxToTrimBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXOutputIntentProfile (None) /PDFXOutputConditionIdentifier () /PDFXOutputCondition () /PDFXRegistryName () /PDFXTrapped /False /CreateJDFFile false /Description << /CHS <FEFF4f7f75288fd94e9b8bbe5b9a521b5efa7684002000410064006f006200650020005000440046002065876863900275284e8e55464e1a65876863768467e5770b548c62535370300260a853ef4ee54f7f75280020004100630072006f0062006100740020548c002000410064006f00620065002000520065006100640065007200200035002e003000204ee553ca66f49ad87248672c676562535f00521b5efa768400200050004400460020658768633002> /CHT <FEFF4f7f752890194e9b8a2d7f6e5efa7acb7684002000410064006f006200650020005000440046002065874ef69069752865bc666e901a554652d965874ef6768467e5770b548c52175370300260a853ef4ee54f7f75280020004100630072006f0062006100740020548c002000410064006f00620065002000520065006100640065007200200035002e003000204ee553ca66f49ad87248672c4f86958b555f5df25efa7acb76840020005000440046002065874ef63002> /DAN <FEFF004200720075006700200069006e0064007300740069006c006c0069006e006700650072006e0065002000740069006c0020006100740020006f007000720065007400740065002000410064006f006200650020005000440046002d0064006f006b0075006d0065006e007400650072002c0020006400650072002000650067006e006500720020007300690067002000740069006c00200064006500740061006c006a006500720065007400200073006b00e60072006d007600690073006e0069006e00670020006f00670020007500640073006b007200690076006e0069006e006700200061006600200066006f0072007200650074006e0069006e006700730064006f006b0075006d0065006e007400650072002e0020004400650020006f007000720065007400740065006400650020005000440046002d0064006f006b0075006d0065006e0074006500720020006b0061006e002000e50062006e00650073002000690020004100630072006f00620061007400200065006c006c006500720020004100630072006f006200610074002000520065006100640065007200200035002e00300020006f00670020006e0079006500720065002e> /DEU <FEFF00560065007200770065006e00640065006e0020005300690065002000640069006500730065002000450069006e007300740065006c006c0075006e00670065006e0020007a0075006d002000450072007300740065006c006c0065006e00200076006f006e002000410064006f006200650020005000440046002d0044006f006b0075006d0065006e00740065006e002c00200075006d002000650069006e00650020007a0075007600650072006c00e40073007300690067006500200041006e007a006500690067006500200075006e00640020004100750073006700610062006500200076006f006e00200047006500730063006800e40066007400730064006f006b0075006d0065006e00740065006e0020007a0075002000650072007a00690065006c0065006e002e00200044006900650020005000440046002d0044006f006b0075006d0065006e007400650020006b00f6006e006e0065006e0020006d006900740020004100630072006f00620061007400200075006e0064002000520065006100640065007200200035002e003000200075006e00640020006800f600680065007200200067006500f600660066006e00650074002000770065007200640065006e002e> /ESP <FEFF005500740069006c0069006300650020006500730074006100200063006f006e0066006900670075007200610063006900f3006e0020007000610072006100200063007200650061007200200064006f00630075006d0065006e0074006f0073002000640065002000410064006f00620065002000500044004600200061006400650063007500610064006f007300200070006100720061002000760069007300750061006c0069007a00610063006900f3006e0020006500200069006d0070007200650073006900f3006e00200064006500200063006f006e006600690061006e007a006100200064006500200064006f00630075006d0065006e0074006f007300200063006f006d00650072006300690061006c00650073002e002000530065002000700075006500640065006e00200061006200720069007200200064006f00630075006d0065006e0074006f00730020005000440046002000630072006500610064006f007300200063006f006e0020004100630072006f006200610074002c002000410064006f00620065002000520065006100640065007200200035002e003000200079002000760065007200730069006f006e0065007300200070006f00730074006500720069006f007200650073002e> /FRA <FEFF005500740069006c006900730065007a00200063006500730020006f007000740069006f006e00730020006100660069006e00200064006500200063007200e900650072002000640065007300200064006f00630075006d0065006e00740073002000410064006f006200650020005000440046002000700072006f00660065007300730069006f006e006e0065006c007300200066006900610062006c0065007300200070006f007500720020006c0061002000760069007300750061006c00690073006100740069006f006e0020006500740020006c00270069006d007000720065007300730069006f006e002e0020004c0065007300200064006f00630075006d0065006e00740073002000500044004600200063007200e900e90073002000700065007500760065006e0074002000ea0074007200650020006f007500760065007200740073002000640061006e00730020004100630072006f006200610074002c002000610069006e00730069002000710075002700410064006f00620065002000520065006100640065007200200035002e0030002000650074002000760065007200730069006f006e007300200075006c007400e90072006900650075007200650073002e> /ITA (Utilizzare queste impostazioni per creare documenti Adobe PDF adatti per visualizzare e stampare documenti aziendali in modo affidabile. I documenti PDF creati possono essere aperti con Acrobat e Adobe Reader 5.0 e versioni successive.) /JPN <FEFF30d330b830cd30b9658766f8306e8868793a304a3088307353705237306b90693057305f002000410064006f0062006500200050004400460020658766f8306e4f5c6210306b4f7f75283057307e305930023053306e8a2d5b9a30674f5c62103055308c305f0020005000440046002030d530a130a430eb306f3001004100630072006f0062006100740020304a30883073002000410064006f00620065002000520065006100640065007200200035002e003000204ee5964d3067958b304f30533068304c3067304d307e305930023053306e8a2d5b9a3067306f30d530a930f330c8306e57cb30818fbc307f3092884c3044307e30593002> /KOR <FEFFc7740020c124c815c7440020c0acc6a9d558c5ec0020be44c988b2c8c2a40020bb38c11cb97c0020c548c815c801c73cb85c0020bcf4ace00020c778c1c4d558b2940020b3700020ac00c7a50020c801d569d55c002000410064006f0062006500200050004400460020bb38c11cb97c0020c791c131d569b2c8b2e4002e0020c774b807ac8c0020c791c131b41c00200050004400460020bb38c11cb2940020004100630072006f0062006100740020bc0f002000410064006f00620065002000520065006100640065007200200035002e00300020c774c0c1c5d0c11c0020c5f40020c2180020c788c2b5b2c8b2e4002e> /NLD (Gebruik deze instellingen om Adobe PDF-documenten te maken waarmee zakelijke documenten betrouwbaar kunnen worden weergegeven en afgedrukt. De gemaakte PDF-documenten kunnen worden geopend met Acrobat en Adobe Reader 5.0 en hoger.) /NOR <FEFF004200720075006b00200064006900730073006500200069006e006e007300740069006c006c0069006e00670065006e0065002000740069006c002000e50020006f0070007000720065007400740065002000410064006f006200650020005000440046002d0064006f006b0075006d0065006e00740065007200200073006f006d002000650072002000650067006e0065007400200066006f00720020007000e5006c006900740065006c006900670020007600690073006e0069006e00670020006f00670020007500740073006b007200690066007400200061007600200066006f0072007200650074006e0069006e006700730064006f006b0075006d0065006e007400650072002e0020005000440046002d0064006f006b0075006d0065006e00740065006e00650020006b0061006e002000e50070006e00650073002000690020004100630072006f00620061007400200065006c006c00650072002000410064006f00620065002000520065006100640065007200200035002e003000200065006c006c00650072002e> /PTB <FEFF005500740069006c0069007a006500200065007300730061007300200063006f006e00660069006700750072006100e700f50065007300200064006500200066006f0072006d00610020006100200063007200690061007200200064006f00630075006d0065006e0074006f0073002000410064006f00620065002000500044004600200061006400650071007500610064006f00730020007000610072006100200061002000760069007300750061006c0069007a006100e700e3006f002000650020006100200069006d0070007200650073007300e3006f00200063006f006e0066006900e1007600650069007300200064006500200064006f00630075006d0065006e0074006f007300200063006f006d0065007200630069006100690073002e0020004f007300200064006f00630075006d0065006e0074006f00730020005000440046002000630072006900610064006f007300200070006f00640065006d0020007300650072002000610062006500720074006f007300200063006f006d0020006f0020004100630072006f006200610074002000650020006f002000410064006f00620065002000520065006100640065007200200035002e0030002000650020007600650072007300f50065007300200070006f00730074006500720069006f007200650073002e> /SUO <FEFF004b00e40079007400e40020006e00e40069007400e4002000610073006500740075006b007300690061002c0020006b0075006e0020006c0075006f0074002000410064006f0062006500200050004400460020002d0064006f006b0075006d0065006e007400740065006a0061002c0020006a006f0074006b006100200073006f0070006900760061007400200079007200690074007900730061007300690061006b00690072006a006f006a0065006e0020006c0075006f00740065007400740061007600610061006e0020006e00e400790074007400e4006d0069007300650065006e0020006a0061002000740075006c006f007300740061006d0069007300650065006e002e0020004c0075006f0064007500740020005000440046002d0064006f006b0075006d0065006e00740069007400200076006f0069006400610061006e0020006100760061007400610020004100630072006f0062006100740069006c006c00610020006a0061002000410064006f00620065002000520065006100640065007200200035002e0030003a006c006c00610020006a006100200075007500640065006d006d0069006c006c0061002e> /SVE <FEFF0041006e007600e4006e00640020006400650020006800e4007200200069006e0073007400e4006c006c006e0069006e006700610072006e00610020006f006d002000640075002000760069006c006c00200073006b006100700061002000410064006f006200650020005000440046002d0064006f006b0075006d0065006e007400200073006f006d00200070006100730073006100720020006600f60072002000740069006c006c006600f60072006c00690074006c006900670020007600690073006e0069006e00670020006f006300680020007500740073006b007200690066007400650072002000610076002000610066006600e4007200730064006f006b0075006d0065006e0074002e002000200053006b006100700061006400650020005000440046002d0064006f006b0075006d0065006e00740020006b0061006e002000f600700070006e00610073002000690020004100630072006f0062006100740020006f00630068002000410064006f00620065002000520065006100640065007200200035002e00300020006f00630068002000730065006e006100720065002e> /ENU (Use these settings to create PDFs that match the "Suggested" settings for PDF Specification 4.0) >> >> setdistillerparams << /HWResolution [600 600] /PageSize [612.000 792.000] >> setpagedevice