Abstract
Purpose
Since the 1980s, New public management has fostered the introduction of managerial approaches similar to those of the private sector in public administrations. Recently, the advantages of performing risk management in the public sector have been recognized; however, to the best of our knowledge, research on risk management in public administrations is underdeveloped, and there is a need to understand how risk management is performed. This paper addresses these issues and investigates whether and how risk management is performed in Italian public administration.
Design/methodology/approach
This study focused on a sample of 503 Italian municipalities and used a mixed research method. Through a qualitative content analysis of documents published on municipalities’ websites, data and information were collected and elaborated using quantitative indicators.
Findings
The main results are that a high percentage of large Italian municipalities perform risk management and comply with theoretical provisions on risk management, sometimes displaying isomorphic behavior in risk management practices.
Originality/value
This study provides a new perspective on risk management in Italian municipalities, contributes to filling a gap in the literature and suggests a theoretical perspective on municipalities’ approaches when introducing new managerial practices.
Keywords
Citation
Castellini, M., Ferrario, C. and Riso, V. (2024), "New public management evolving agenda: risk management in Italian municipalities", International Journal of Public Sector Management, Vol. ahead-of-print No. ahead-of-print. https://doi.org/10.1108/IJPSM-06-2023-0210
Publisher
:Emerald Publishing Limited
Copyright © 2024, Monia Castellini, Caterina Ferrario and Vincenzo Riso
License
Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode
1. Introduction
Since the late 1980s, New Public Management (NPM) has fostered the introduction of managerial behaviors similar to those of the private sector into public sector organizations (Hood, 1991) to improve quality, efficiency and effectiveness in public service delivery (Newmann and Clarke, 1994). Indeed, public administrations in many countries have introduced new procedures and process innovations and have changed their bureaucratic culture, embracing a new managerial attitude (Rana and Parker, 2023) committed to the effective and efficient achievement of organizations’ goals (Parker et al., 2019) and more concerned with delivering to citizens-customers (Osborne et al., 2012).
Private organizations’ approaches and techniques were successfully transferred and applied in public organizations, generally with adjustments due to the different institutional settings (Bouckaert and Van Dooren, 2003). Indeed, public managers have adopted private sector techniques and tools, such as management by objectives, developed management, total quality management and performance management (Boyne, 2002). This transformation implied a shift from the traditional bureaucratic approach, primarily concerned with adherence to rules and regulations, to a new focus on delivering public services (Capalbo et al., 2017; Osborne, 2006), financial sustainability and the efficient allocation of public resources (O’Flynn, 2007).
Risk management practices integrated into the management control system were introduced in the private sector in the early 2000s (McRae and Balthazor, 2000) in response to the need to prevent financial crises and to actively respond to risks (Spira and Page, 2003). Consistently, international organizations created the first frameworks and standards (e.g. CoSO (2004) Framework or ISO 31000). Later, the International Organization of Supreme Audit Institutions (INTOSAI) provided guidelines for risk management in the public sector (Hatvanti, 2015; INTONSAI, 2007).
The importance of risk management in the public sector is recognized from different perspectives (Rana and Parker, 2023; Hatvani, 2015). First, risk management boosts the achievement of public organizations’ objectives (Bullock et al., 2019; Keban, 2017); second, risk management is critical for ensuring effective service delivery, improving performance (Gates et al., 2012), and increasing public organizations’ accountability (Mahama et al., 2020). Finally, it allows public administrations to manage risks rather than trying to avoid them (Eckerd, 2014; Hutter, 2006).
The first examples of risk management in the public sector date back to the early 1980s (Black, 2005). However, it expanded significantly in the 21st century, and it has been described as the most recent strand of NPM (Lapsley, 2009, p. 6). In the public sector, risk management initially focused on terrorism, health, transport, the environment, climate change and corruption (McPhee, 2005).
Similarly to other countries, in Italy NPM has also significantly influenced public administration reform since the late 1990s (Deidda Gagliardo and Saporito, 2021; Hinna and Ceschel, 2021; Reginato et al., 2010). In particular, the legislative obligation to implement a management control system in public organizations with an internal auditor was introduced in 2000 (Legislative decree 267/2000). In 2012, law 190 introduced a framework to prevent the risk of corruption and illegality in public administrations (Castellini and Riso, 2023). However, no specific law obliges public organizations to implement risk management for all risks. In practice, many public administrations in Italy are introducing risk management. This suggests that risk management is useful and effective. Thus, public administration in Italy provides an interesting case study of risk management introduction in the public sector (Hinna et al., 2018). The evidence presented is significant also from an international perspective, in particular as an example of risk management introduction in the public sector when no specific legal requirements or detailed legal frameworks exist (Vinnari and Skærbæk, 2014).
This paper aims to analyze the extent of risk management implementation by Italian public administration, using evidence from Italian municipalities (“comuni”). It also investigates whether the core process of risk management, namely, risk assessment, is effectively deployed in Italian municipalities. The analysis focuses only on the municipal level of government to eliminate biases due to the differing roles, competencies and financial endowments of different levels of government. We restrict our focus to Italian municipalities because of their significant responsibilities in service provision, as opposed to planning or programming competencies, which mostly rest with higher levels of government (regions or state). Total annual expenditures by Italian municipalities amount to approximately 30% of the total public budget and cover a wide span of services, from urban transportation to health care and social activities, from education and research to public support to businesses, and from public housing to cultural services. Therefore, the effective implementation of risk management practices by municipalities may significantly affect public service provision and, therefore, the overall efficiency of the Italian public sector (Lapsley, 2009, p. 15). Indeed, the recent COVID-19 pandemic has shown that municipalities play a central role in emergency management; thus, risk management is crucial (Keban, 2017). Furthermore, Italian municipalities have recently faced many challenges and risks and have increasingly adopted resilient behaviors (Sciulli et al., 2015). In addition, evidence on risk management implementation by municipalities may suggest its diffusion in the wider public sector in Italy. Finally, to investigate the effectiveness of risk management implementation, this paper also investigates whether there is an effective deployment of risk assessment in Italian municipalities.
The analysis used a mixed research method. Through a qualitative content analysis (Creamer and Ghoston, 2012) of documents published on municipalities’ official websites, information is collected and used to construct quantitative indicators that provide evidence to answer two research questions: whether Italian municipalities perform risk management (RQ1) and to what extent risk assessment is effectively implemented and properly performed (RQ2).
The structure of this paper is as follows: Section 2 presents a literature review on NPM and risk management in the Italian public sector. Section 3 describes our research purposes and approach. Section 4 describes the analysis and results, and Section 5 discusses them and proposes some concluding remarks.
2. Literature review: risk management in the public sector
There is consensus that NPM has influenced Italian public sector legislation, particularly the public sector reform implemented since the early 1990s. Management control systems were introduced in local public administrations (Legislative Decree 267/2000, art. 196) to enhance the achievement of institutional objectives and the efficient and effective use of public resources (Sancino and Turrini, 2009). This fostered a radical transformation in public administration management, from ensuring that public action complied with law requirements, to explicitly pursuing the efficiency and effectiveness of public action (Riso et al., 2022).
In these same years, in the private sector, the internal audit role changed. Risk management was integrated into management control systems (Spira and Page, 2003) and soon became widespread in private organizations.
Risk management allows organizations to identify the risks they may be exposed to and prepare themselves to face these issues, either by solving the issues entirely or mitigating them or trying to fully eliminate them or their consequences (OECD, 2014, p. 13). The same concept of risk assumes different meanings depending on the context (Andersen and Young, 2020). Bullock et al. (2019) investigate the concept of “risk”, distinguishing it from other concepts such as uncertainty, hazard, and errors. They define “risk” as “determined by the known (or estimated) probability of an event occurring and the resulting consequences” (Bullock et al., 2019, p. 77) and apply this concept to risk management in the public sphere. In the following, we shall embrace this definition.
Both researchers and practitioners have investigated the most appropriate structure of risk management processes and identified a series of subsequent steps in risk management implementation. One of the most commonly used schemes, reported in ISO 31000 (2009), outlines seven steps: communication and consultation with the organization, context analysis, risk identification, risk analysis, risk evaluation, risk treatment, monitoring and review activities (Purdy, 2010; Lark, 2015). The three stages of risk identification, risk analysis and risk evaluation make up the central and core process, named “risk assessment” (Spira and Page, 2003; Lark, 2015), as depicted in Figure 1. In this paper, we focus on this core process and its three stages (Figure 1).
Some studies investigate how to improve the individual risk management stages and how to improve the overall risk management process (Olsson, 2007). However, there are significant differences between risk management in the public and private sectors. According to Ahmeti and Vladi (2017, p. 323), “risk in the first case is much more complex, and the scope of its impact is societal. (…) The degree and variety of risks government bodies face in their daily activity are enormous, and the key responsibility of these authorities is to assure the public that no current or potential risk will threaten the perceived public value”. For this reason, risk management can be beneficial to public organizations (Cuganesan et al., 2014) to the extent that “‘New’ risk management has come to be seen as an emerging key element of NPM” (Lapsley, 2009, p. 16). Rana et al. (2019) maintain that a management control system, a performance management system and strategy-oriented control practices may help us understand how risk and risk management are implemented in the public sector, but further analyses are needed (Bullock et al., 2019).
The extent of risk management implementation in the public sector is a rather neglected issue (Bullock et al., 2019, p. 79), some scholars advocate for a better understanding of public risk management (Bracci et al., 2020; Hinna et al., 2018; Leung and Isaacs, 2008) and of the process of risk management introduction in public administrations (Rana and Parker, 2023; Bui et al., 2019; Rana et al., 2019; Hinna et al., 2018; Soin and Coiller, 2013). According to Bracci et al. (2021), there is little knowledge about risk management processes in the public sector. The literature on public sector risk management has a rather generic theoretical approach, and only a few studies on risk management are concerned with the core operative process of risk assessment, with none of them providing an in-depth analysis of each single risk management stage.
Risk management in the public sector is described as a “black box” that deserves to be better investigated from a theoretical perspective (Bracci et al., 2021). In addition, the absence of guidelines and provisions for risk management implementation is considered a risk for public organizations (Vinnari and Skærbæk, 2014).
Furthermore, at the municipal level, there are few studies on risk management (Bracci et al., 2021). D’Onza et al. (2017) propose a study on Italian municipalities focused on corruption risk management and on disclosing information on risk management as a tool to increase participation and accountability.
There is also evidence that municipalities are implementing risk management at the international level. For instance, Sippola et al. (2023) provide a critical analysis of risk management in Finnish municipalities and argue for the introduction of a municipal risk manager. Nilsen and Olsen (2005) study public managers’ behavior in two UK municipalities to understand how they implement risk management in the absence of legal provisions on this topic. The authors note that despite organizational differences, municipalities’ choices and results are very similar. This evidence is consistent with the new institutionalist idea that municipalities may exhibit isomorphic behavior (DiMaggio and Powell, 1983).
2.1 Isomorphic behavior in public administration: theoretical framework
According to DiMaggio and Powell (1983), there are three types of isomorphic behavior: coercive isomorphism, when external pressures force an organization to conform; mimetic isomorphism, when an organization spontaneously imitates other organizations to deal with conditions of uncertainty; and normative isomorphism, when conforming to a model results from awareness of the superiority of the model itself.
Consistent with the idea of mimetic isomorphism in public organizations, Power et al. (2009) showed that when introducing risk management, uncertainty about behaviors and practices to adopt induces organizations to follow “first movers”, who often become benchmarks for other organizations that tend to imitate them (Power et al., 2009).
Significantly, Reginato et al. (2010) observed that Italian municipalities exhibited isomorphic behaviors when implementing managerial reforms in the early 2000s. The presence of similar processes and rules suggests isomorphic behavior.
For the purposes of our research, municipalities’ choices concerning how to carry out risk management (whether to outsource some functions or not) and the risk assessment process in particular, as described in the municipalities’ documents of our analysis, allow us to identify isomorphic behaviors and provide evidence on whether the choices undertaken reveal isomorphic features.
2.2 Research context
The Italian legislation regulates internal control systems and corruption risk management, but in general terms, this legislation is not informed by the logic of risk (Peta, 2016, p. 24). In addition, although the definition of a management control system seems to also include risk assessment, public organizations rarely integrate risk management and management control systems (Bracci et al., 2020; Riso and Castellini, 2019; Arena et al., 2017). In addition, Castellini and Riso (2023) showed that in selected Italian municipalities, there is low integration between risk management and management control systems, and Riso et al. (2022) showed that large Italian municipalities disclose information on their risks but not on risk management practices. Furthermore, Italian legislation addresses some specific risks (e.g. corruption, environmental damage), but there is no provision on implementing risk management for all possible public organizations’ risks (Peta, 2016; Riso and Castellini, 2019).
Indeed, Reginato et al. (2012, p. 395) show that the Italian legislative framework accounts for all control activities included in the INTOSAI guidelines and in the Public Internal Financial Control (PIFC) model, but there are no specific rules on how to establish a system to identify, evaluate and respond to organizations’ risks. The only guidelines are provided by the International Standards of INTONSAI (2007).
More recently, law decree 80/2021 obliges Italian municipalities to prepare an Integrated Plan of Activities and Organization (the so-called “PIAO”), which should integrate planning tools and create public value. The importance of coordinating the risk management cycle with the performance management cycle is also recognized (Deidda Gagliardo and Saporito, 2021; Riso et al., 2022). These reforms foster the diffusion of risk management in the public sector in Italy. However, the introduction of risk management is slowed down, particularly in municipalities, by various factors, such as bureaucracy, lack of understanding of its potential, absence of institutionalized modes of task performance (Power et al., 2009; Nilsen and Olsen, 2005, p. 45), and the existing risk culture (Halachmi, 2005).
3. Research purpose and methodology
This paper aims to contribute to the understanding of risk management implementation in the Italian public sector. Given the wide span of such a research agenda, we restricted our focus to two specific and related issues: whether Italian municipalities perform risk management (RQ1) and whether risk assessment is effectively implemented and properly performed (RQ2). We derive our conclusions from the analysis of a sample of Italian municipalities, and we focus on the core process of risk assessment (Lark, 2015). The research method applied is a two-phase mixed method (Creswell and Plano Clark, 2011).
Mixed methods are widely used in empirical studies from a variety of disciplines, such as social, management, behavioral and health sciences (Tashakkori and Creswell, 2007). In mixed-methods research, “the investigator collects and analyses data, integrates the findings, and draws inferences using both qualitative and quantitative approaches or methods in a single study” (Tashakkori and Creswell, 2007, p. 4). Mixed methods are applied for information disclosure (Guthrie et al., 2004) and consist of “codifying qualitative information in anecdotal and literary form into categories in order to derive quantitative scales of varying levels of complexity” (Abbot and Monsen, 1979, p. 504).
In this paper, we use a mixed-method approach based on content analysis, with a first qualitative and a second quantitative phase following the approach proposed by Creamer and Ghoston (2012). As described by Krippendorff (1980, p. 27), qualitative methods involve code selection and text analysis, while quantitative methods involve counting codes and treating them as quantitative data. Then, qualitative data are converted into quantitative data to inform analysis and discussion (Creamer and Ghoston, 2012). These two steps are consistent with one of the typologies of mixed methods classified by Tashakkori and Creswell (2007).
Specifically, our analysis is articulated in three different steps. First, we constructed a significant sample of Italian municipalities. Then, we investigated whether risk assessment is performed by municipal organizations in our sample using qualitative content analysis (QCA) applied to documents published on municipalities’ official websites (Di Fatta et al., 2016). For this purpose, we analyzed various documents from each municipality (Hood and Smith, 2013) and collected data about the three crucial stages of risk assessment: risk identification, risk analysis and risk evaluation (Lark, 2015). This analysis was implemented through focus groups that analyzed all relevant documents (i.e. contracts, tender documents, budgets, government plans, strategic plans, corruption and transparency plans). Finally, in the third step, descriptive statistics and synthetic indicators were calculated using the data collected through the QCA. Thus, the qualitative information published and disclosed by the municipalities is summarized in a quantitative, synthetic, and comparable way, which suggests interesting conclusions on the extent and effectiveness of risk assessment in Italian municipalities. At the end of the analysis, several similar characteristics were identified across municipalities, both in terms of municipalities’ choices of risk management implementation and in terms of features of risk assessment practices.
3.1 Sample construction
The sample comprises 503 municipalities out of the 7.914 existing in Italy (6.3%), distributed across 20 regions. Italian municipalities vary significantly in terms of population, from the largest, Rome, with 2,872,800 inhabitants, to the smallest, Monterone, with only 30 inhabitants.
The sample includes only the most populated municipalities. In fact, risk management is useful, especially in large municipalities, due to the high variety and complexity of services offered to a significantly large population. In addition, large municipalities may also have sufficiently developed administrative capacity, greater financial and technical endowments, more sophisticated information systems, more structured organizations, and more personnel to implement risk management schemes and to fulfill transparency provisions requiring information disclosure on their activities. This approach is consistent with existing studies on risk management and risk communication in the private sector, which focus only on large organizations for the same reasons listed above (Beretta and Bozzolan, 2004; Linsley and Shrives, 2006). For the public sector, in their empirical study of new public financial management, Reginato et al. (2010) use a sample of Italian municipalities above 5,000 inhabitants based on evidence that reforms are hindered by limited financial and human resources in smaller municipalities. In addition, in a study on e-government, Nasi et al. (2011) select only large municipalities (183) based on the argument that sophisticated ICT is found only in larger public organizations. Finally, Brudney and Selden (1995) maintain that larger municipalities have more complex and diverse setups and are characterized by a greater propensity to innovate in search for improvement.
In addition to dimensional concerns, geographical issues were also accounted for in sample construction. Italy is characterized by significant territorial disparities from an institutional perspective, which may also affect managerial attitudes and performance in the public and private sectors (Putnam et al., 1994). For this reason, our sample also pursues territorial representativeness. Given the high variability of municipality numbers across regions (Figure 2), for each region, our sample comprises the same percentage of municipalities and includes only the most populated municipalities. Thus, first, each region’s municipalities were ranked in descending order of population, and then the top municipalities in each region were included in the sample (up to approximately 6.3%).
Figure 2 describes the distribution of the municipalities included in the sample across regions and displays the total number of municipalities in each region. Table 1 details the regional composition of the sample, and for each region, information on the largest and smallest municipalities and their population is provided. The largest municipality in the sample is Rome (2,872,800 inhabitants), and the smallest is Quart (4,066 inhabitants).
3.2 Data collection
Documents published by municipalities were analyzed to detect whether risk management was performed. Risk management (and risk assessment) is new to the Italian public sector, and public organizations are likely to lack adequate competencies and knowledge to perform it. Therefore, to implement risk management, municipalities need to contract out at least some of these activities (Mussari and Sorrentino, 2017). By law (Legislative Decree 33/2013), to ensure transparency, public administration contracts with third parties (professionals, insurance or consultancy firms) must be published online. Therefore, municipalities that perform risk management activities can be identified through the contracts they sign with external professionals or other documents that disclose this information, such as tender documents, budgets, government plans, strategic plans, corruption and transparency plans.
Our research method uses content analysis, which requires codifying qualitative information. Some methodological choices were needed (Krippendorff, 1980). As regards the unit of analysis of the text (words, sentences, paragraphs, themes, etc.), we used the following words as both coding and counting units: risk identification, risk analysis and risk evaluation (Table 2). These words were selected on the basis of the theoretical conceptualizations of risk management stages by Lark (2015, p. 14).
QCA was chosen against the alternative approach of collecting information through questionnaires submitted to municipalities because it provides more objective data and information. The answers to questionnaires may be influenced by the attitudes of the respondents or, worse, by their desire to show that their organizations are (or are not) implementing a specific policy or programme. At this very early stage of risk management process development, these biases could be significant.
3.3 Data analysis
The qualitative information collected through the QCA was then analyzed through specific descriptive statistics and quantitative indicators to measure the extent to which risk management was performed and to assess its main features. Based on these quantitative, synthetic and comparable indicators, conclusions are drawn on risk management implementation by Italian municipalities, thus providing answers to the two initial research questions. Table 3 summarizes the descriptive statistics and indicators depicting the features of risk management processes in the sample of Italian municipalities.
In detail, S is the sample numerosity, and N is the number of municipalities in the sample that published documents on risk management (a percentage α of the total sample). The following three indicators related to risk assessment were measured: X1, the absolute frequency of municipalities whose documents contained at least once the phrase “Risk identification”; X2, the absolute frequency of municipalities whose documents contained at least once the phrase “Risk analysis”; and X3, the absolute frequency of municipalities whose documents contained at least once the phrase “Risk evaluation”. These indicators were used to determine whether, in addition to declaring that risk management was in operation, municipalities were also actually implementing risk management measures. An additional indicator, Xmax, indicates which of the three processes has the highest frequency. Furthermore, the Nsum provides information on how many municipalities in the sample display at least one of the three phrases identifying the fundamental stages of risk assessment. In addition, according to Lark (2015), only the joint presence of all three fundamental stages ensures that risk management is properly and effectively implemented. Therefore, the NX indicator was also measured, which gives the number of municipalities jointly performing all three activities (risk identification, risk analysis, risk evaluation).
Finally, to gain a better understanding of risk management practices in Italian municipalities, an additional indicator was measured: the absolute frequency of municipalities whose documents contained at least two of the three phrases that identify the fundamental stages of risk management (risk identification, risk analysis, risk evaluation), that is, any of the three possible pairwise combinations: X1 X2; X1 X3; and X2 X3.
4. Results
The data reported in Table 4 distinctively for each Italian region, show that 366 municipalities (N), 73.2% of the selected sample (α), publish documents about their risk management activities.
In detail, α shows high variability across the 20 regions, varying from a minimum of 8% to a maximum of 100%. This finding suggests that in some regions, large municipalities are largely involved in risk management and confirms the initial hypothesis that risk management activities could show relevant territorial disparities in Italy. Three regions displaying particularly low percentages of publishing municipalities are in the center-south of the country (Umbria, Campania, and Calabria), and two are in the north (Trentino Alto Adige and Valle d’Aosta); interestingly, the latter two regions are characterized by rather small municipalities.
Only a subset of municipalities publishing documents on risk management also make reference to the three specific stages of risk management (risk identification, risk analysis, risk evaluation). The frequency analysis revealed that 205 of the 366 municipalities used the concept of “risk identification” (X1) in their documents (56% of the total), 234 municipalities used the concept of “risk analysis” (X2) (64% of the total), and 220 municipalities used “risk evaluation” (X3) (60% of the total). Therefore, none of the processes were performed significantly more often than the others. However, risk analysis (X2) is slightly more common throughout the sample. This information is conveyed by the indicator Xmax, which measures, in each region, the most common phrase among the three (i.e. the one with the highest absolute frequency). For many regions, Xmax cannot be defined, as there is no single phrase that has a higher frequency than the other two. However, if one phrase was more common, this was always X2.
Turning to the indicator Nsum, at the country level, 238 out of 366 municipalities display at least one of the three crucial phrases. Therefore, approximately 65% of municipalities that publish documents perform at least one of the three critical stages of risk assessment processes.
Furthermore, NX is equal to 191 at the country level; thus, 191 municipalities perform all three fundamental activities that make up a risk assessment process. The percentage of municipalities performing all three activities is 52% at the country level (indicator NX/N), a rather high value, implying that more than half of the municipalities implementing risk management are performing all three fundamental processes. This indicator’s territorial distribution shows that regions with values above the national average are all in the center-north of the country (Piemonte, Veneto, Lazio, Emilia-Romagna, Abruzzo, Trentino Alto Adige, Toscana, Valle d’Aosta), with two exceptions: Basilicata, a southern region, has an indicator equal to 67% (above the national average). However, this result is not very informative due to the very limited number of municipalities from this region included in our sample. More interestingly, and somewhat unexpectedly, this indicator is only 34% in Lombardia, a northern region. There is not enough information to support a reasoned interpretation of this result. However, a comparison with the relative frequencies of X1, X2 and X3 for the Lombardia region showed that the relative frequency of X1 was significantly lower than 35% (X1/N). Therefore, the rather low involvement in risk identification by the municipalities of Lombardia explains the low results in terms of the indicator NX. Why municipalities in Lombardia are more reluctant to contract out risk identification processes and, specifically, to disclose this information remains to be determined. However, this might also be due to the fact that municipalities in this region have internalized this process and that they externalize only the other two processes. Unfortunately, this is a mere hypothesis that can be tested only through a direct survey. However, this hypothesis is supported by the rather high values of the relative frequency of the other two processes, namely, risk analysis (X2/N = 60%) and risk evaluation (X3/N = 56%).
Finally, with reference to the pairwise frequency (X1X2, X1X3, X2X3), the pair X2X3 was the most frequently observed (215 municipalities out of 366), while the other two pairs were observed in 202 and 195 municipalities. This countrywide result is essentially driven by data from the three northern regions of Lombardia, Piemonte and Veneto, while in the other regions, there is no difference in the frequency of the three pairs. This finding suggests that risk identification is the least externalized process in these three northern regions. It is unclear whether this implies that municipalities in these regions internalized or neglected the risk identification process, but surely, this result suggests that the attitudes of these municipalities about the three fundamental processes of risk management display some degree of mimetic isomorphism (DiMaggio and Powell, 1983; Power et al., 2009). Overall, there is a greater propensity for externalizing (and thus implementing) risk analysis and evaluation rather than risk identification processes.
Overall, evidence suggests that risk management is performed by Italian municipalities and that risk recognition and management are becoming relevant issues.
Finally, Figures 3 and 4 depict the variability of the main indicators across Italian regions, and they account for significant differences. Figure 3 depicts α and NX/N. Figure 4 shows the relative frequencies X1/N, X2/N, and X3/N. These figures graphically describe the above considerations and show the significant interregional differences.
5. Discussion and conclusions
The analysis and the data presented above provide interesting evidence on the two interrelated issues addressed in this paper and show how Italian municipalities embed risk management practices in their organizations.
Specifically, with reference to risk management implementation (RQ1), approximately 73% of the municipalities in the sample published documents about risk management activities. In addition, 63% performed at least one of the three critical risk assessment phases, and slightly more than half (52%) performed all the three of them. Therefore, municipalities are performing risk assessment activities to a good extent. Another notable result is that municipalities rely on external professionals to carry out all three types of fundamental risk assessment processes on their behalf (X1/N = 55%, X2/N = 64%; X3/N = 60%). Indeed, Petak (1985) explains how risk management practices are rather specific and require adequate competencies to be carried out, to the extent that not all public administrations may have skilled personnel and technical tools and competencies to implement a control system to evaluate risk management and operational risks. This also implies a relevant problem of accountability, as Petak (1985, p. 5) clearly recognizes: “it is important to note that current decision-making approaches tend to put a great deal of power in the hand of technical experts and professional administrator who are not directly accountable to the public”. In another work, Young and Hood (2003) explain how local governments carry out risk management outsourcing. On this issue, Qiao (2007) investigates the origins of public risk management and the involvement in the risk management process of external professionals and advisors such as insurers or law firms.
The decision to outsource some of the risk assessment phases is a common practice among the municipalities analyzed, suggesting the existence of an isomorphic behavior of a mimetic type (DiMaggio and Powell, 1983; Power et al., 2009). In fact, no legislation obliges municipalities to outsource this specific activity. This interesting hypothesis deserves further investigation. The results from further research could improve the understanding of municipalities’ approaches to the introduction and implementation of new managerial processes. They could also shed more light on the existence and extent of isomorphic behavior and should focus on the rationale and effectiveness of such an attitude.
A further consideration concerns the website documents “layouts”, which are very similar and often exactly the same for different municipalities. Additionally, this result could be explained using the concept of mimetic isomorphism, where municipalities tend to imitate the behavior of other entities and emulate it. Specifically, in the Italian case, the absence of organic legislation on risk management implementation may have produced uncertainty in municipalities as to which practices to adopt. This uncertainty may have fed imitation and isomorphic behavior by municipalities seeking a less risky strategy.
Moreover, with regard to whether risk assessment is effectively implemented and properly performed (RQ2), the NX index details how risk assessment activities (identification, analysis and evaluation of risks) are developed in municipal organizations. It appears that in almost all regions, the three processes are jointly activated, with only a few large northern regions displaying a more complex configuration, characterized in particular by a lower externalization of risk analysis with respect to the other two processes. In this respect, while the reasons cannot be derived from our data, it is clear that some sort of isomorphic behavior characterizes these municipalities, which follow a similar approach. Evidence on isomorphic behavior is not new with reference to Italian public administration. In fact, since the early 1990s, Italian municipalities have displayed isomorphic behavior in implementing NPM reforms (Reginato et al., 2010). However, whether this approach is desirable remains to be determined. Surely, when a new process is introduced in an organization, isomorphism may help individuals find a way to implement novelty. However, in later stages, blind isomorphism may prevent effective innovations, correction of errors and efficient adaptation to individual organizations’ peculiarities. At this stage, differentiation and benchmarking across different organizations may be a much more useful and effective tool for improving managerial practices.
This paper provides a description of many facets of risk management in the public sector that are considered worth investigating (Hinna et al., 2018; Leung and Isaacs, 2008; Woods, 2009). It does so by focusing on a specific geographical and institutional setting, that of Italian municipalities, and derives conclusions that advance the understanding of this specific context but also shed light on the more general process of risk management introduction in the public sector, in particular with reference to the role of law obligations, external professionals, and mimetic isomorphism. It also contributes to providing evidence to fill some knowledge gaps that are identified by the existing theoretical and empirical literature.
First, this paper shows that risk management is performed by Italian municipalities, thus answering Hinna et al. (2018), who advocated for an investigation of “if” and “how” risk management is implemented in Italian public administrations. Our results show that risk management is embedded in public administration in Italian municipalities. In addition, it partially contributes to answering the second question (how), with a specific focus on the risk assessment process (Lark, 2015). Indeed, QCA shows that large Italian municipalities perform risk management by delegating risk management to external professionals. Moreover, the details on how risk management is implemented in the public sector allow us to draw conclusions on how managerial theories are, in practice, embraced by Italian municipalities. The evidence confirms Nilsen and Olsen’s (2005) conclusions about public managers’ behavior in municipalities when there are no guidelines for implementing risk management. Furthermore, this study provides a first focus on risk management in Italian municipalities and contributes to filling a gap in the literature (Bracci et al., 2021). Finally, we observed that for many risks, there are no provisions on how to implement risk management, and this is considered a risk itself (Vinnari and Skærbæk, 2014). The lack of guidelines could explain municipalities’ isomorphic behavior (DiMaggio and Powell, 1983; Power et al., 2009).
Although the analysis conducted in this paper unveils interesting facets of risk management in Italian municipalities, there is surely a need for further investigation to improve the understanding of risk management processes in the public domain. In particular, this study performed an analysis from an external perspective to understand if and how municipalities perform risk management; therefore, it did not allow us to collect details on the procedures implemented by public managers. It also does not allow us to derive information on whether there is a specific organizational culture or knowledge of risk management techniques; future research could study these aspects from an internal perspective to shed light on the proper implementation of risk management. Finally, the analysis did not investigate which types of risk were addressed. This is an additional area of interest, particularly because Italian public administrations are compelled by law to consider and manage some risks, such as corruption or environmental risks. Future research could investigate which types of risk are addressed and whether there are differences in the approaches to risk management between those for which there is a legal obligation to risk management and those for which such an obligation is not in place. This would shed further light on the role of law provision in risk management.
In addition, there is a need to investigate the extent to which competencies and knowledge about risk management are transferred from external professionals to public organizations and internalized by them. The extent to which public organizations are able to embed these practices in their organizational processes is crucial for the effective and lasting use of these approaches. Evidence on isomorphic behavior also calls for an investigation of the features of this attitude and whether it is mutually enriching or produces only a stubborn imitation (Hinna et al., 2018; Bracci et al., 2021).
The introduction of risk management in public administrations, particularly in Italian municipalities, is a work in progress, and its features are not yet fully understood. This study aims to improve the existing knowledge on this process for the purpose of contributing to theoretical understanding and improving practitioners’ actions.
Figures
Sample composition: smallest and largest municipality by population in each region
| Region | Municipality with the largest population | Municipality with the smallest population | |||
|---|---|---|---|---|---|
| N | Name | Name | Inhabitants | Name | Inhabitants |
| 1 | Lombardia | Milano | 1,366,180 | Porto Mantovano | 16,479 |
| 2 | Piemonte | Torino | 882,523 | Carignano | 9,334 |
| 3 | Veneto | Venezia | 261,321 | Oderzo | 20,466 |
| 4 | Campania | Napoli | 966,144 | Arzano | 34,217 |
| 5 | Calabria | Reggio Calabria | 181,447 | Scalea | 11,022 |
| 6 | Sicilia | Palermo | 668,405 | Augusta | 35,854 |
| 7 | Lazio | Roma | 2,872,800 | Cerveteri | 37,977 |
| 8 | Sardegna | Cagliari | 154,106 | La Maddalena | 11,233 |
| 9 | Emilia-Romagna | Bologna | 389,261 | Lugo | 32,317 |
| 10 | Abruzzo | Pescara | 119,217 | Pineto | 14,889 |
| 11 | Trentino-Alto Adige | Trento | 117,997 | Renon | 7,979 |
| 12 | Puglia | Bari | 323,370 | Monopoli | 48,964 |
| 13 | Toscana | Firenze | 382,258 | Capannori | 45,497 |
| 14 | Liguria | Genova | 580,097 | Lavagna | 12,617 |
| 15 | Friuli-Venezia Giulia | Trieste | 204,338 | Latisana | 13,478 |
| 16 | Marche | Ancona | 100,924 | Falconara Marittima | 26,063 |
| 17 | Molise | Campobasso | 49,262 | Guglionesi | 5,246 |
| 18 | Basilicata | Potenza | 67,211 | Lauria | 12,694 |
| 19 | Umbria | Perugia | 165,683 | Gubbio | 31,736 |
| 20 | Valle d'Aosta | Aosta | 34,082 | Quart | 4,066 |
Source(s): Our elaborations on Istat data, year 2018
Qualitative content analysis coding units
| N | Coding units (words) | N. of municipalities (sample) |
|---|---|---|
| 1 | Risk identification | 205 |
| 2 | Risk analysis | 234 |
| 3 | Risk evaluation | 220 |
Source(s): Our elaborations on Municipalities web published documents, 2021
Risk assessment in Italian municipalities – indicators
| Indicator | Description |
|---|---|
| S | Number of municipalities in the sample |
| N | Number of municipalities in the sample that publish documents on risk management on their websites |
| percentage of municipalities that publish documents on risk management on their website. When | |
| X1 | Absolute frequency of municipalities whose documents contain AT LEAST ONCE the phrase “Risk Identification” |
| X2 | Absolute frequency of municipalities whose documents AT LEAST ONCE contain the phrase “Risk Analysis” |
| X3 | Absolute frequency of municipalities whose documents contain AT LEAST ONCE the phrase “Risk Evaluation” |
| X1/N | Relative frequency of municipalities whose documents contain AT LEAST ONCE the phrase “Risk Identification” |
| X2/N | Relative frequency of municipalities whose documents AT LEAST ONCE contain the phrase “Risk Analysis” |
| X3/N | Relative frequency of municipalities whose documents contain AT LEAST ONCE the phrase “Risk Evaluation” |
| X1X2 | Absolute frequency of municipalities whose documents contain AT LEAST ONCE the phrases “Risk Identification” AND “Risk Analysis |
| X2X3 | Absolute frequency of municipalities whose documents contain AT LEAST ONCE the phrases “Risk Analysis” AND “Risk Evaluation” |
| X1X3 | Absolute frequency of municipalities whose documents contain AT LEAST ONCE the phrases “Risk Identification” AND “Risk Evaluation” |
| NX | Number of municipalities whose documents contain AT LEAST ONCE all the three phrases “Risk Identification”, “Risk Analysis” and “Risk Evaluation” |
| NX/N | Percentage of municipalities whose documents contain AT LEAST ONCE all the three phrases “Risk Identification”, “Risk Analysis” and “Risk Evaluation” |
| Nmax | Number of municipalities whose documents contain AT LEAST ONE of the phrases “Risk Identification”, “Risk Analysis”, “Risk Evaluation” (absolute frequency) |
| Xmax | Most frequently observed characteristic among X1, X2, X3 |
Source(s): Our elaborations
Risk assessment in Italian municipalities – results
| N | Region | S | N | α | X1 | X2 | X3 | X1/N | X2/N | X3/N | X1X2 | X1X3 | X2X3 | Xmax | NX | Nsum |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Lombardia | 97 | 68 | 0.70 | 24 | 41 | 38 | 0.35 | 0.60 | 0.56 | 24 | 23 | 38 | X2 | 23 | 41 |
| 2 | Piemonte | 75 | 53 | 0.71 | 36 | 41 | 37 | 0.68 | 0.77 | 0.70 | 34 | 29 | 36 | X2 | 29 | 44 |
| 3 | Veneto | 36 | 34 | 0.94 | 24 | 27 | 24 | 0.71 | 0.79 | 0.71 | 24 | 24 | 27 | X2 | 24 | 27 |
| 4 | Campania | 35 | 14 | 0.40 | 6 | 8 | 7 | 0.43 | 0.57 | 0.50 | 5 | 5 | 7 | X2 | 5 | 9 |
| 5 | Calabria | 26 | 2 | 0.08 | 1 | 1 | 0 | 0.50 | 0.50 | 0.00 | 1 | 0 | 0 | – | 0 | 1 |
| 6 | Sicilia | 25 | 24 | 0.96 | 8 | 8 | 8 | 0.33 | 0.33 | 0.33 | 8 | 8 | 8 | – | 8 | 8 |
| 7 | Lazio | 24 | 21 | 0.88 | 17 | 17 | 17 | 0.81 | 0.81 | 0.81 | 17 | 17 | 17 | – | 17 | 17 |
| 8 | Sardegna | 24 | 20 | 0.83 | 10 | 11 | 10 | 0.50 | 0.55 | 0.50 | 10 | 10 | 10 | X2 | 10 | 11 |
| 9 | Emilia-Romagna | 21 | 21 | 1.00 | 20 | 20 | 20 | 0.95 | 0.95 | 0.95 | 20 | 20 | 20 | – | 20 | 20 |
| 10 | Abruzzo | 19 | 16 | 0.84 | 9 | 9 | 9 | 0.56 | 0.56 | 0.56 | 9 | 9 | 9 | – | 9 | 9 |
| 11 | Trentino-Alto Adige | 18 | 6 | 0.33 | 4 | 4 | 4 | 0.67 | 0.67 | 0.67 | 4 | 4 | 4 | – | 4 | 4 |
| 12 | Puglia | 16 | 14 | 0.88 | 5 | 6 | 5 | 0.36 | 0.43 | 0.36 | 12 | 12 | 12 | X2 | 5 | 6 |
| 13 | Toscana | 16 | 16 | 1.00 | 12 | 12 | 12 | 0.75 | 0.75 | 0.75 | 5 | 5 | 5 | – | 12 | 12 |
| 14 | Liguria | 15 | 12 | 0.80 | 4 | 4 | 4 | 0.33 | 0.33 | 0.33 | 4 | 4 | 4 | – | 4 | 4 |
| 15 | Friuli-Venezia Giulia | 14 | 13 | 0.93 | 5 | 5 | 5 | 0.38 | 0.38 | 0.38 | 11 | 11 | 11 | – | 5 | 5 |
| 16 | Marche | 14 | 14 | 1.00 | 11 | 11 | 11 | 0.79 | 0.79 | 0.79 | 5 | 5 | 5 | – | 11 | 11 |
| 17 | Molise | 9 | 7 | 0.78 | 2 | 2 | 2 | 0.29 | 0.29 | 0.29 | 2 | 2 | 2 | – | 2 | 2 |
| 18 | Basilicata | 8 | 6 | 0.75 | 4 | 4 | 4 | 0.67 | 0.67 | 0.67 | 4 | 4 | 4 | – | 4 | 4 |
| 19 | Umbria | 6 | 2 | 0.33 | 1 | 1 | 1 | 0.50 | 0.50 | 0.50 | 1 | 1 | 1 | – | 1 | 1 |
| 20 | Valle d'Aosta | 5 | 3 | 0.60 | 2 | 2 | 2 | 0.67 | 0.67 | 0.67 | 2 | 2 | 2 | – | 2 | 2 |
| Italy | 503 | 366 | 0.73 | 205 | 234 | 220 | 0.56 | 0.64 | 0.60 | 202 | 195 | 215 | X2 | 195 | 238 |
Note(s): Regions are listed from the largest to the smallest in terms of number of municipalities
Source(s): Our elaborations based on QCA of documents published on the municipalities’ website
References
Abbot, W.F. and Monsen, R.J. (1979), “On the measurement of corporate social responsibility: self-reported disclosures as a method of measuring corporate social involvement”, The Academy of Management Journal, Vol. 22 No. 3, pp. 501-515, doi: 10.2307/255740.
Ahmeti, R. and Vladi, B. (2017), “Risk management in public sector: a literature review”, European Journal of Multidisciplinary Studies, Vol. 2 No. 5, pp. 323-329, doi: 10.26417/ejms.v5i1.p323-329.
Andersen, T.J. and Young, P.C. (2020), Strategic Risk Leadership: Engaging a World of Risk, Uncertainty, and the Unknown, Routledge, New York.
Arena, M., Arnaboldi, M. and Palermo, T. (2017), “The dynamics of (dis) integrated risk management: a comparative field study”, Accounting, Organizations and Society, Vol. 62, pp. 65-81, doi: 10.1016/j.aos.2017.08.006.
Beretta, S. and Bozzolan, S. (2004), “A framework for the analysis of firm risk communication”, The International Journal of Accounting, Vol. 39 No. 3, pp. 265-288, doi: 10.1016/j.intacc.2004.06.006.
Black, J. (2005), “The emergence of risk-based regulation and the new public risk management in the United Kingdom”, Public Law, pp. 512-548.
Bouckaert, G. and Van Dooren, W. (2003), “Performance measurement and management in public sector organizations”, in Bovaird, T. and Loeffler, E. (Eds), Public Management and Governance, Routledge, pp. 127-136, doi: 10.4324/9781315693279.
Boyne, G.A. (2002), “Public and private management: what's the difference?”, Journal of Management Studies, Vol. 39 No. 1, pp. 97-122, doi: 10.1111/1467-6486.00284.
Bracci, E., Bruno, A. and Gobbo, G. (2020), “L’integrazione tra gestione del rischio e gestione della performance negli Enti Locali: il caso del Comune di Ferrara”, Azienda Pubblica, Vol. 3, pp. 293-310.
Bracci, E., TallakiGobbo, M.G. and Papi, L. (2021), “Risk management in the public sector: a structured literature review”, International Journal of Public Sector Management, Vol. 34 No. 2, pp. 205-223, doi: 10.1108/IJPSM-02-2020-0049.
Brudney, J.L. and Selden, S.C. (1995), “The adoption of innovation by smaller local governments: the case of computer technology”, American Review of Public Administration, Vol. 25 No. 1, pp. 71-86, doi: 10.1177/027507409502500105.
Bui, B., Cordery, C.J. and Wang, Z. (2019), “Risk management in local authorities: an application of Schatzki's social site ontology”, The British Accounting Review, Vol. 51 No. 3, pp. 299-315, doi: 10.1016/j.bar.2019.01.001.
Bullock, J.B., Greer, R.A. and O'Toole Jr, L.J. (2019), “Managing risks in public organizations: a conceptual foundation and research agenda”, Perspectives on Public Management and Governance, Vol. 2 No. 1, pp. 75-87, doi: 10.1093/ppmgov/gvx016.
Capaldo, G., Costatino, N., Pellegrino, R. and Rippa, P. (2017), “The role of risk in improving goal setting in performance management practices within public sector: an explorative research in courts offices in Italy”, International Journal of Public Administration, pp. 1-13, doi: 10.1080/01900692.2017.1317799.
Castellini, M. and Riso, V. (2023), “Risk management in practice: a multiple case study analysis in Italian municipalities”, Journal of Risk and Financial Management, Vol. 16 No. 1, p. 30, doi: 10.3390/jrfm16010030.
COSO (2004), “Enterprise risk management”, available at: https://www.coso.org/Documents/COSO-ERM-Executive-Summary-Italian.pdf (accessed July 2022).
Creamer, E.G. and Ghoston, M. (2012), “Using a mixed methods content analysis to analyze mission statements from colleges of engineering”, Journal of Mixed Methods Research, Vol. 7 No. 2, pp. 110-120, doi: 10.1177/1558689812458976.
Creswell, J.W. and Plano Clark, V.L. (2011), Designing and Conducting Mixed Methods Research, 2nd ed., Sage, Thousand Oaks.
Cuganesan, S., Guthrie, J. and Vranic, V. (2014), “The riskiness of public sector performance measurement: a review and research agenda”, Financial Accountability and Management, Vol. 30 No. 3, pp. 279-302, doi: 10.1111/faam.12037.
Deidda Gagliardo, E. and Saporito, R. (2021), “Il PIAO come strumento di programmazione integrata per la creazione di valore pubblico”, Rivista Italiana di Public Management, Vol. 4 No. 2, pp. 196-235, doi: 10.59724/ripm.2021.2.3.
Di Fatta, D., Musotto, R. and Vesperi, W. (2016), “Analyzing E-commerce websites: a quali-quantitive approach for the user perceived web quality (UPWQ)”, International Journal of Marketing Studies, Vol. 8 No. 6, pp. 33-44, doi: 10.5539/ijms.v8n6p33.
DiMaggio, P.J. and Powell, W.W. (1983), “The iron cage revisited: institutional isomorphism and collective rationality in organizational fields”, American Sociological Review, Vol. 48 No. 2, pp. 147-160, doi: 10.2307/2095101.
D’onza, G., Brotini, F. and Zarone, V. (2017), “Disclosure on measures to prevent corruption risks: a study of Italian local governments”, International Journal of Public Administration, Vol. 40 No. 7, pp. 612-624, doi: 10.1080/01900692.2016.1143000.
Eckerd, A. (2014), “Risk management and risk avoidance in agency decision making”, Public Administration Review, Vol. 74 No. 5, pp. 616-629, doi: 10.1111/puar.12240.
Gates, S., Nicolas, J.L. and Walker, P.L. (2012), “Enterprise risk management: a process for enhanced management and improved performance”, Management Accounting Quarterly, Vol. 13 No. 3, pp. 28-38.
Guthrie, J., Petty, R., Yongvanich, K. and Ricceri, F. (2004), “Using content analysis as a research method to inquire into intellectual capital reporting”, Journal of Intellectual Capital, Vol. 5 No. 2, pp. 282-293, doi: 10.1108/14691930410533704.
Halachmi, A. (2005), “Governance and risk management: challenges and public productivity”, International Journal of Public Sector Management, Vol. 18 No. 4, pp. 300-317, doi: 10.1108/09513550510599238.
Hatvani, E.N.C. (2015), “Risk analysis and risk management in the public sector and in public auditing”, Public Finance Quarterly, Vol. 1 No. 7, pp. 7-28.
Hinna, A. and Ceschel, F. (2021), “Public management reform in Italy”, in Decastri, M., Battini, S., Buonocore, F. and Gagliarducci, F. (Eds), Organizational Development in Public Administration, Palgrave Macmillan, Cheltenam, pp. 105-137. doi: 10.1007/978-3-030-43799-2_4.
Hinna, A., Scarozza, D. and Rotundi, F. (2018), “Implementing risk management in the Italian public sector: hybridization between old and new practices”, International Journal of Public Administration, Vol. 41 No. 2, pp. 110-128, doi: 10.1080/01900692.2016.1255959.
Hood, C. (1991), “A public management for all seasons?”, Public Administration, Vol. 69 No. 1, pp. 3-19, doi: 10.1111/j.1467-9299.1991.tb00779.x.
Hood, J. and Smith, T. (2013), “Perceptions of quantifiable benefits of local authority risk management”, International Journal of Public Sector Management, Vol. 26 No. 4, pp. 309-319, doi: 10.1108/IJPSM-01-2012-0016.
Hutter, B.M. (2006), “Risk, regulation, and management”, Risk in Social Science, pp. 202-227, doi: 10.1093/oso/9780199285952.003.0010.
INTOSAI (2007), “Intosai gov 9130”, Guidelines for Internal Control Standards for the Public Sector – Further Information on Entity Risk Management, available at: https://ms.hmb.gov.tr/uploads/2019/06/6887-0C4367F8CC04548E4960293ABE341FE111CEF21C.pdf (accessed July 2022).
ISO 31000 (2009), Risk Management: Principles and Guidelines, available at: https://www.iso.org/standard/43170.html (accessed September 2023).
Keban, Y.T. (2017), “Risk management: a neglected vital instrument in public administration in Indonesia”, Management Research and Practice, Vol. 9 No. 4, pp. 5-21.
Krippendorff, K. (1980), Content Analysis. An Introduction to its Methodology, Sage, Thousand Oaks, CA.
Lapsley, I. (2009), “New public management: the cruelest invention of the human spirit?”, Abacus, Vol. 45 No. 1, pp. 1-21, doi: 10.1111/j.1467-6281.2009.00275.x.
Lark, J. (2015), “ISO31000: risk management: a practical guide for SMEs”, International Organization for Standardization, ISO, Switzerland.
Leung, F. and Isaacs, F. (2008), “Risk management in public sector research: approach and lessons learned at a national research organization”, RandD Management, Vol. 38 No. 5, pp. 510-519, doi: 10.1111/j.1467-9310.2008.00529.x.
Linsley, P.M. and Shrives, P.J. (2006), “Risk reporting: a study of risk disclosures in the annual reports of UK companies”, The British Accounting Review, Vol. 38 No. 4, pp. 387-404, doi: 10.1016/j.bar.2006.05.002.
Mahama, H., Elbashir, M., Sutton, S. and Arnold, V. (2020), “New development: enabling enterprise risk management maturity in public sector organizations”, Public Money and Management, pp. 1-5, doi: 10.1080/09540962.2020.1769314.
McPhee, I. (2005), Risk and Risk Management in the Public Sector, Australian National Audit Office, Canberra.
McRae, M. and Balthazor, L. (2000), “Integrating risk management into corporate governance: the Turnbull guidance”, Risk Management: An International Journal, Vol. 2 No. 3, pp. 35-45, doi: 10.1057/palgrave.rm.8240057.
Mussari, R. and Sorrentino, D. (2017), “Italian public sector accounting reform: a step towards European public sector accounting harmonisation”, Accounting, Economics, and Law: A Convivium, Vol. 7 No. 2, pp. 137-153, doi: 10.1515/ael-2017-0006.
Nasi, G., Frosini, F. and Cristofoli, D. (2011), “Online service provision: are municipalities really innovative? The case of larger municipalities in Italy”, Public Administration, Vol. 89 No. 3, pp. 821-839, doi: 10.1111/j.1467-9299.2010.01865.x.
Newmann, J. and Clarke, J. (1994), “Going about our business: the managerialization of public services”, in Clarke, J., Cochran, A. and McLaughlin, E. (Eds), Managing Social Policy, Sage, London, pp. 182-209.
Nilsen, A.S. and Olsen, O.E. (2005), “Different strategies - equal practice? Risk assessment and management in municipalities”, Risk Management, Vol. 7 No. 2, pp. 37-47, doi: 10.1057/palgrave.rm.8240211.
O'flynn, J. (2007), “From new public management to public value: paradigmatic change and managerial implications”, Australian Journal of Public Administration, Vol. 66 No. 3, pp. 353-366, doi: 10.1111/j.1467-8500.2007.00545.x.
OECD (2014), Risk Management and Corporate Governance, OECD, Paris.
Olsson, R. (2007), “In search of opportunity management: Is the risk management process enough?”, International Journal of Project Management, Vol. 25 No. 8, pp. 745-752, doi: 10.1016/j.ijproman.2007.03.005.
Osborne, S.P. (2006), “The new public governance?”, Public Management Review, Vol. 8 No. 3, pp. 377-387, doi: 10.1080/14719030600853022.
Osborne, S.P., Radnor, Z. and Nasi, G. (2012), “A new theory for public service management? Toward a (public) service-dominant approach”, The American Review of Public Administration, Vol. 43 No. 2, pp. 135-158, doi: 10.1177/0275074012466935.
Parker, L.D., Kerry, J. and Schmitz, J. (2019), “New public management and the rise of public sector performance audit”, Accounting, Auditing and Accountability Journal, Vol. 32 No. 1, pp. 280-306, doi: 10.1108/AAAJ-06-2017-2964.
Peta, A. (2016), “I controlli Interni Della Pubblica Amministrazione: Criticità E Prospettive Evolutive”, SSRN Electronic Journal Bank of Italy Occasional Paper, Vol. 312, doi: 10.2139/ssrn.2765401.
Petak, W.J. (1985), “Emergency management: a challenge for public administration”, Public Administration Review, Vol. 45, pp. 3-7, doi: 10.2307/3134992.
Power, M., Scheytt, T., Soin, K. and Sahlin, K. (2009), “Reputational risk as a logic of organizing in late modernity”, Organization Studies, Vol. 30 No. 3, pp. 301-324, doi: 10.1177/0170840608101482.
Purdy, G. (2010), “ISO 31000: 2009—setting a new standard for risk management”, Risk Analysis: An International Journal, Vol. 30, pp. 881-886, doi: 10.1111/j.1539-6924.2010.01442.x.
Putnam, R.D., Leonardi, R. and Nanetti, R.Y. (1994), Making Democracy Work, Princeton University Press, Princeton.
Qiao, Y. (2007), “Public risk management: development and financing”, Journal of Public Budgeting, Accounting and Financial Management, Vol. 19 No. 1, pp. 33-55, doi: 10.1108/JPBAFM-19-01-2007-B002.
Rana, T. and Parker, L. (2023), “Management control systems and risk management: mapping public sector accounting and management research directions”, The Routledge Handbook of Public Sector Accounting, Routledge, New York, pp. 279-295.
Rana, T., Wickramasinghe, D. and Bracci, E. (2019), “New development: integrating risk management in management control systems—lessons for public sector managers”, Public Money and Management, Vol. 39 No. 2, pp. 148-151, doi: 10.1080/09540962.2019.1580921.
Reginato, E., Fadda, I. and Pavan, A. (2010), “Italian municipalities' NPFM reforms: an institutional theory perspective”, Pecvnia: Revista de la Facultad de Ciencias Económicas y Empresariales, Universidad de León, Vol. 11, pp. 153-175, doi: 10.18002/pec.v0i11.633.
Reginato, E., Nonnis, C. and Pavan, A. (2012), “Modern public internal control systems and accountability in health care organisations”, Economia Aziendale Online, Vol. 2 No. 4, pp. 381-396, doi: 10.4485/ea2038-5498.381-396.
Riso, V. and Castellini, M. (2019), “Poor integration between operational risk management activities and internal control system in the municipalities: an analysis of the Italian legislative framework”, Economia Aziendale Online, Vol. 10 No. 1, pp. 149-158, doi: 10.13132/2038-5498/10.1.1956.
Riso, V., Tallaki, M. and Enrico, B. (2022), “La risk disclosure nei comuni italiani: uno studio esplorativo”, Azienda Pubblica, Vol. 4, pp. 343-362.
Sancino, A. and Turrini, A. (2009), “The managerial work of Italian city managers: an empirical analysis”, Local Government Studies, Vol. 35 No. 4, pp. 475-491, doi: 10.1080/03003930903003704.
Sciulli, N., D'Onza, G. and Greco, G. (2015), “Building a resilient local council: evidence from flood disasters in Italy”, International Journal of Public Sector Management, Vol. 28 No. 6, pp. 430-448, doi: 10.1108/IJPSM-11-2014-0139.
Sippola, K., Pellinen, J., Rautiainen, A., Mättö, T. and Voutilainen, Voutilainen. (2023), “The formation of municipal risk management: a comparison of seven cities”, Journal of Public Budgeting, Vol. 35 No. 6, pp. 219-239, doi: 10.1108/JPBAFM-01-2023-0011.
Soin, K. and Collier, P. (2013), “Risk and risk management in management accounting and control”, Management Accounting Research, Vol. 24 No. 2, pp. 82-87, doi: 10.1016/j.mar.2013.04.003.
Spira, L.F. and Page, M. (2003), “Risk management: the reinvention of internal control and the changing role of internal audit”, Accounting, Auditing and Accountability Journal, Vol. 16 No. 4, pp. 640-661, doi: 10.1108/09513570310492335.
Tashakkori, A. and Creswell, J.W. (2007), “The new era of mixed methods”, Journal of Mixed Methods Research, Vol. 1 No. 1, pp. 3-7, doi: 10.1177/2345678906293042.
Vinnari, E. and Skærbæk, P. (2014), “The uncertainties of risk management: a field study on risk management internal audit practices in a Finnish municipality”, Accounting, Auditing and Accountability Journal, Vol. 27 No. 3, pp. 489-526, doi: 10.1108/AAAJ-09-2012-1106.
Woods, M. (2009), “A contingency theory perspective on the risk management control system within Birmingham City Council”, Management Accounting Research, Vol. 20 No. 1, pp. 69-81, doi: 10.1016/j.mar.2008.10.003.
Young, P.C. and Hood, J. (2003), “Risk and the outsourcing of risk management services: the case of claims management”, Public Budgeting and Finance, Vol. 23 No. 3, pp. 109-119, doi: 10.1111/1540-5850.2303006.
Acknowledgements
The authors are listed in alphabetical order. Each author participated equally in the work.
Corresponding author
About the authors
Monia Castellini is Associate Professor of business economics at the University of Ferrara, Department of Economics and Management, where she is also vice-coordinator of two Masters degrees (economics and management for value creation, economics management and policies for global challenges). She is also Director of the Master in cultural management (MUSEC) and member of the University of Ferrara PhD Commission. She holds a PhD in business economics from the University of Ferrara. Her main research interests are in accounting history, accounting and management, performance measurement and non-financial reporting of public administrations and no-profit organizations.
Caterina Ferrario is Associate Professor of public economics at the University of Milan, Department of Law “Cesare Beccaria”, and member of the Dondena Research Center on Social Dynamics and Public Policy – Bocconi University. She is member of the Scientific Committee of the research center CRIET (Research Network on Territorial Economics). She holds a MSc in Economics and social sciences from Bocconi University, Milan, a MSc in Public Economic Management and Finance from the University of Birmingham (UK) and a PhD in Economics from the University of Ferrara and the University of Birmingham (joint degree). Her main research interests are in public economics, public sector reform, territorial income redistribution, fiscal decentralization.
Vincenzo Riso is Assistant Professor at the Department of Management of the University of Verona. He was a Research Fellow at the Department of Economics Management of the University of Ferrara. His main research area concerns risk management in public sector, sustainability, corporate social responsibility, business model developments and innovation.