ICTMT 2025 | International Journal of Research and Innovation in Social Science (IJRISS)
ISSN: 2454-6186 | DOI: 10.47772/IJRISS
Special Issue | Volume IX Issue XXVIII November 2025
Page 195
www.rsisinternational.org
A Study on ISO 31000: Managing Risk Management System
Implementation to Improve the Organization Performance: The Case
of Malaysian Airline System Berhad
Syaiful Rizal Hamid¹, Nur Syazwani Binti Mohd Hanapi², Lay Hong Tan³, Boon Cheong Chew⁴
¹,²,³,⁴ Fakulti Pengurusan Teknologi dan Teknousahawanan, Universiti Teknikal Malaysia Melaka, Centre of Technopreneurship Development (CTeD), 75450 Ayer Keroh, Melaka, Malaysia
*Corresponding Author
DOI: https://dx.doi.org/10.47772/IJRISS.2025.92800019
Received: 10 November 2025; Accepted: 16 November 2025; Published: 18 December 2025
ABSTRACT
Risk management plays a vital role in safeguarding organizational operations against uncertainties that may
threaten their performance, safety, and reputation. The Malaysian Airline System Berhad (MAS) provides a
critical case study, as incidents such as the MH370 and MH17 highlight the consequences of inadequate risk
preparedness. This study examines the application of ISO 31000:2009, alongside AS/NZS 4360:2004 and
OHSAS 18000:2007, to evaluate how structured risk management systems can improve organizational
performance in the airline industry. Employing a qualitative research approach, data were collected through 3
interview sessions with MAS management to assess the implementation of the risk management framework. The
findings suggest that integrating international standards fosters systematic risk identification, assessment,
treatment, and monitoring, thereby enhancing decision-making, safety, and resilience. The study concludes that
adopting ISO 31000, in combination with other frameworks, can significantly strengthen organizational
performance by embedding proactive and adaptive risk management practices in complex operational
environments.
Keywords: ISO 31000; risk management system; organizational performance; Malaysian Airline System
INTRODUCTION
The airline industry in Malaysia is experiencing rapid growth and has become a significant sector in
transportation. In this context, any accident in the airline industry can adversely affect the business performance,
financial stability, and reputation of the company. As noted by George and Bob (2009), failure to adhere to
specific protocols can damage an organisation’s reputation. On 8 March 2014 a major incident occurred
involving the Malaysian Airline System Berhad (MAS) with the disappearance of Malaysia Airlines Flight
MH370 en route from Kuala Lumpur to Beijing, China. Additionally, Malaysia Airlines Flight MH17, travelling
from Amsterdam to Kuala Lumpur, was shot down in Ukraine. Both incidents had detrimental effects on the
company's financial performance and its reputation.
According to Borghesi and Barbara (2013), "Risk" cannot be eliminated. Therefore, organisations must manage
factors that increase and mitigate risks to achieve strategic advantages at a minimal cost. Consequently, risk
management is essential for ensuring workplace safety and managing adverse events. Had Malaysia Airlines
implemented effective risk management, it might have had alternative strategies for Flight MH17, such as
altering the flight path to avoid the "potentially hazardous situation" in Ukrainian airspace. It appears that
Malaysia Airlines lacked a contingency plan in its risk-management strategy.
The objectives of this study are as follows: (1) to focus on the study of the ISO 31000:2009 system in managing
risk to enhance organizational performance; (2) to demonstrate how organizational performance can be improved
through the implementation of risk management systems and processes; and (3) to elucidate the improvements
in organizational performance that can be achieved through the ISO 31000 Risk Management System. In addition
to examining the International Organization for Standardization (ISO) 31000:2009, other systems such as
AS/NZS 4360 and OHSAS 18000 are reviewed in this study. Malaysian Airline System Berhad (MAS) was
selected as the case study to obtain the results.
LITERATURE REVIEW
Risk Management
Risk management is a systematic process aimed at assessing risks, determining control measures, and mitigating
threats within companies and industries. It involves the regulation and monitoring of risks to ensure safety and
health, thereby reducing the likelihood and impact of adverse events. Although risks can be minimised to an
acceptable level, they cannot be entirely eliminated. The significance of risk management is increasing as
businesses expand globally and face increased competition (Ahmed et al., 2007). The process encompasses
establishing context, identifying, analysing, assessing, treating, monitoring, and communicating risks, which
facilitates the continuous enhancement of decision-making (Standards Australia, 1999). According to Stoddard,
J. (2004), risk management is a challenging endeavor that has the potential to motivate individuals. It is a
structured approach for identifying, assessing, and prioritising risks, followed by allocating resources to
minimise and control the impact of undesirable events (Smith and Merritt, 2002).
RISK MANAGEMENT FRAMEWORK
Figure 1: Risk Management Frameworks
(NIST Special Publication 800-37 Revision 1, 2010)
The Risk Management Framework (RMF) shown in Figure 1 provides a disciplined and structured process
that integrates information security and risk management activities into the system development life cycle. The
RMF operates primarily at Tier 3 in the risk management hierarchy but can also interact at Tiers 1 and 2, as shown
in Figure 2.
Figure 2: Tiered Risk Management Approach
(NIST Special Publication 800-37 Revision 1, 2010)
Risk Management Process
Figure 3: Research model
(“Do effective risk management affect organizational performance”, European Journal of Business and
Management)
According to Standards Australia (1999), and as shown in Figure 3, the risk management process comprises the
following seven steps.
1. Establish the context: This initial phase involves defining the aims, objectives, and scope of risk
management and determining the criteria, resources, and authorities for risk treatment. It reflects the
project's status in terms of resources, equipment, budget, stakeholder involvement, deliverables, strategic
goals, and schedules (Ahmed et al., 2007).
2. Identify risks: Risk identification uncovers potential risks facing an organization and is considered the most
critical step, as it forms the foundation for risk control programs (Tchankova, 2002). The identification
method is influenced by the organizational culture and practices. A risk list should provide at least one
response to each identified risk (Chapman, 1997). Cerevon (2006) views risk identification as collaborative,
examining project events across risk categories to identify their negative impacts. The identification process
must be continuous because of environmental changes.
3. Risk analysis: Following identification, analysis determines the characteristics and significance of each risk
for further review (Ahmed et al., 2007). Each risk is rated to assess its impact and probability. Risk analysis
provides information for decisions regarding priorities and treatments (Standards Australia, 2004). Two
types of analyses were employed: a) quantitative and b) qualitative (Kinch et al., 2007).
4. Risk evaluation: The complexity of the evaluation depends on the number of risks. With fewer risks,
evaluation is simpler but becomes challenging with numerous complex risks (Standards Australia, 2004).
Risks should be examined individually and for their combined project impact (Elkington et al., 2002). Risk
evaluation determines mitigation options and selects the most suitable option for a mitigation plan (Ahmed
et al., 2007).
5. Treat risks: Risk treatment is the primary outcome of risk management. Risks can be addressed using
proactive or reactive approaches. Reactive approaches involve actions taken after risk events occur, whereas
proactive approaches are based on potential risks (Ahmed et al., 2007). Standards Australia (2004) identifies
treatment options as reducing likelihood, reducing consequences, transferring risk, accepting risk, and
avoiding risk.
6. Monitor and review: This step involves monitoring risks and reviewing the effectiveness of the treatment
plan. Risks must be monitored as changing circumstances may alter priorities. As risks rarely remain static,
the management process requires regular repetition to capture new risks (Standards Australia, 2004).
7. Communicate and consult with relevant authorities: Effective risk management requires contributions from
all organizational participants (Ahmed et al., 2007). Communication is essential and involves stakeholders
to achieve successful outcomes (Standards Australia, 2004). Future risk communication will be twofold:
organisations must expand internal communication as external stakeholder demand increases (Ryan et al.,
2005).
Critical success factors of effectiveness in Risk Management
Table 1: The Critical Success Factors (Ranong P. N.& Phuenngam W., 2009)
Critical Success Factors
1. Commitment and support from top management
2. Communication
3. Culture
4. Organization Structure
5. Trust
6. Information Technology (IT)
7. Training
The factors of effectiveness in Risk Management are:
Commitment and Support from Top Management
Ifinedo (2008) examined contingency factors, including top management support, business vision, and external
expertise. Zwikael (2008) posits that top management support is a critical success factor in project management.
Young and Jordan (2008) assert that "the essence of top management support relates to effective decision-making
to manage risk and to authorize business process change." Top management support is vital to the success of
organizational initiatives (Hasanali, 2002). Top management formulates objectives and strategies for
organizational risk management (Henriksen and Uhlenfeldt, 2006).
Communication
Internal communication should align with the business strategy and enhance performance (Quirke, 1996). This
ensures that team members understand their current status and objectives (Clutterbuck and Hirst, 2002).
Finniston (1975) highlighted the importance of gathering, storing, delivering, and communicating information
in business. Communication is essential for effective risk management in construction projects. Grabowski and
Roberts (1999) emphasised the role of communication in risk mitigation, providing opportunities for
clarification, understanding progress, and discussing improvements.
Culture
Hofstede (2001, p.9) defines culture as "the collective programming of the mind that distinguishes the members
of one group or category of people from another." Culture comprises patterns of values, ideas, and feelings
transmitted through symbols that shape behaviour. Hasanali (2002) describes culture as "the combination of
shared history, expectations, unwritten rules, and social customs that compel behaviours. It is the set of
underlying beliefs influencing perceptions of actions and communications of all employees."
Organizational Structure
Stank, Daugherty, and Gustin (1994) state that organizational structure defines an organisation’s internal pattern
of relationships, authority, and communication. It allocates tasks and resources and provides coordination.
Hunter (2002) supports the view that organizational structure determines how employees work.
Training
Organisations use formal training processes and external consultants for employee training (Hughey and
Mussnug, 1997). Treven (2003) categorises training methods into two types: on-the-job training, including one-
on-one instruction, coaching, job rotation, and apprenticeship/internship, and off-the-job training, which is
conducted away from the worksite.
Trust
Trust, according to Mayer, Davis, and Schoorman (1995, p.711), is "the willingness of a party to be vulnerable
to the actions of another party based on the expectation that the other will perform a particular action important
to the trustor, irrespective of the ability to monitor or control that other party." This definition applies to
relationships with identifiable parties who are perceived to act toward the trustor.
Information Technology
According to Halliday, Badenhorst, and Solms (1996, p.22), Information Technology (IT) comprises two
components: "first is the information systems including related information on which critical business functions
depend. Second are the computer technologies (hardware and software) which support the processing, storage,
and distribution of data." IT connects humans to information and each other (Wong, 2005).
ISO 31000 in Risk Management
ISO 31000:2009, "Risk management: Principles and guidelines", provides principles, a framework, and a
process for managing risk. It can be used by any organisation, regardless of its size, activity, or sector. Using
ISO 31000 can help organisations increase the likelihood of achieving objectives, improve the identification of
opportunities and threats, and effectively allocate and use resources for risk treatment. However, ISO 31000
cannot be used for certification purposes but does provide guidance for internal or external audit programs.
Organisations using it can compare their risk management practices with an internationally recognised
benchmark, providing sound principles for effective management and corporate governance (ISO, n.d.).
The Structure of the Standard
Figure 4: Relationship between principles, framework and process (Vandijck I., 2014)
The structure of the ISO 31000 standard is based on three fundamental components: principles, framework, and
process (Figure 4). This structure is concise, clear, and relatively straightforward. It does not introduce any
radical innovations, as the principles delineate widely accepted best practices. The framework is grounded in
Deming’s 'Plan-Do-Check-Act' cycle, while the process embodies international best practices in risk
management (Vandijck I., 2014).
The Principles
According to Vandijck I. (2014), the principles assert that risk management should primarily focus on value
creation, followed by the protection of assets. Additionally, risk management should be an integral component
of organizational processes, considered in decision-making, and explicitly account for uncertainty. It must be
systematic, structured and timely. Furthermore, risk management should be based on the best available
information, including historical data, experiences, stakeholder feedback, and observations.
The Framework
As illustrated in Diagram 1, the framework is predicated on a mandate and commitment from the top
management. The design of a risk management framework within an organisation is informed by an
understanding of the internal and external contexts, including political, economic, social, technological, legal,
and environmental (PESTLE) factors.
The Process
The process comprises several key steps: risk identification, assessment, and evaluation. Following risk
evaluation, the subsequent step is risk treatment, during which various options or combinations of options are
considered. These include risk avoidance, acceptance or increase based on opportunities, elimination of the risk
source, response to the likelihood or consequences of the risk, and risk sharing with other parties. Throughout
all stages, effective communication between internal and external stakeholders and continuous monitoring and
refinement of the process are required (Vandijck I., 2014).
Managing Risk on ISO 31000
According to Ramiro (n.d.), ISO 31000:2009 gives a list, in order of preference, of ways to deal with risk:
1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
2. Accepting or increasing the risk in order to pursue an opportunity
3. Removing the risk source
4. Changing the likelihood
5. Changing the consequences
6. Sharing the risk with another party or parties (including contracts and risk financing)
7. Retaining the risk by informed decision
AS/NZS 4360 in Risk Management
Dr. Dale F. Cooper, serving as a Director at Broadleaf, is a founding member of the joint Standards Australia
and Standards New Zealand Technical Committee OB-007, which was instrumental in the development of the
Australia and New Zealand Standard for risk management, AS/NZS 4360:2004, along with its associated
Handbook. Grant Purdy, an Associate Director at Broadleaf, currently holds the position of Chair of the
Committee. This standard was formulated in response to the identified need for practical guidance in
implementing risk management within both public and private sector organisations. Since its inception, it has
emerged as one of the most widely adopted standards, with various supplementary handbooks subsequently
produced.
Approach
The risk management process set out in the Standard is shown in Figure 5 and Figure 6 below.
Figure 5: Risk Management Process
(Tutorial: Risk Management Standard, AS/NZS 4360:2004)
Australia was one of the first countries to define a risk management model in a national standard (AS/NZS
4360:1999), shown diagrammatically below.
Figure 6: Risk management process model
(Taken from website, Risk Chase (2013))
OHSAS 18000
OHSAS 18000:2007 Occupational Health and Safety Management Certification is an international standard that
offers a framework for identifying, controlling, and mitigating risks associated with health and safety in an
organization, as shown in Figure 7. Implementing this standard communicates to stakeholders that the health and
safety of employees are prioritised within the organisation (Certification Europe, n.d.). Similar to the ISO
standards, OHSAS 18000 emphasises
continuous improvement, which is crucial for maintaining health and safety in an organisation. It can effectively
reduce the risks within an organisation.
OHSAS 18000 is an international specification for occupational health and safety management. It consists of
two parts, 18001 and 18002, and incorporates BS8800 along with several other publications (OHSAS 18001
Health & Safety Standard, n.d.). OHSAS can assist in minimising risks for the company and its
employees and enhance an existing occupational health and safety management system.
The benefits of obtaining OHSAS 18000 certification include the establishment of optimal working conditions
throughout an organisation, identification of hazards and implementation of controls to manage them, and
reduction of workplace accidents and illnesses, thereby decreasing associated costs and downtime. This
certification enhances organizational performance, ensures safe working conditions, and motivates employees.
It also fosters reassurance among stakeholders and improves the company's image and credibility among
stakeholders, regulators, customers, prospective clients and the public. Furthermore, it involves the adoption of
best practices in risk management and minimises employer liability through proactive approaches and controls.
Finally, it ensures regulatory awareness and compliance (DAS Certification USA, n.d.). According to OHSAS
18001 Health and Safety Zone (n.d.), the OHSAS specification is applicable to any organisation seeking to
establish an Occupational Health and Safety (OHAS) management system to eliminate or minimise risks to
employees and other interested parties exposed to OHSAS risks associated with its activities. It also enables the
organisation to assure itself of its conformance with its stated OHAS policy and to demonstrate such
conformance to others. The OHSAS framework allows for the implementation, maintenance, and continual
improvement of an OHAS management system, as well as the self-determination and declaration of conformance
with the OHSAS specification.
Model
Figure 7: OHAS Management System Model for OHSAS Standard
(OHSAS 18001:2007 Occupational Health and Safety Assessment Series: Requirements)
As shown in Figure 7 and Figure 8, the OHSAS Standard is based on the methodology known as Plan-Do-Check-Act
(PDCA). PDCA can be briefly described as follows:
1. Plan: establish the objectives and processes necessary to deliver results in accordance with the organization’s
OHAS policy.
2. Do: implement the processes.
3. Check: monitor and measure processes against OHAS policy, objectives, legal and other requirements, and
report the results.
4. Act: take actions to continually improve OHAS performance.
Figure 8: OHSAS 18000 Model (Win Management Services: OHSAS 18000)
METHOD
In this study, a qualitative research methodology was employed, as it allowed the researcher to obtain
comprehensive and direct information through interviews with respondents. The interviews were conducted via
email and in person, targeting 3 respondents from the top management. According to Yin (2009), qualitative
research often begins with a deductive approach to test existing theoretical perspectives using qualitative
methods.
The decision to use qualitative research was based on its ability to yield original and detailed data from
respondents, in contrast to quantitative research. Through qualitative methods, the researcher conducts
interviews using tools such as tape recorders, videos, and photographs. It is noted that the ability to replicate data
is lower than that of quantitative research. This approach enables the researcher to gather direct data from
respondents regarding the quality management system (QMS) within the risk management framework, thereby
achieving the research objectives. A series of interviews was conducted to collect respondents' answers, and the
transcripts were analysed qualitatively using thematic analysis, following Braun and Clarke’s (2006) six-step
procedure: familiarization, coding, theme development,
reviewing themes, defining/naming themes, and reporting. To enhance trustworthiness, triangulation was
attempted through cross-checking participants’ responses and comparing findings with existing literature.
Herbert and Irene (1995) assert that qualitative interviewing serves as an exploratory process for understanding
teaching practices across different countries, including their cultural perspectives, challenges, solutions, and the
similarities and differences compared to one's own practices. The approach to interviewing is contingent on the
specific information sought. It involves discerning the feelings and thoughts of others regarding their world, with
the aim of comprehending the key aspects of their message and how these aspects compare to one's own context.
Effective interviewing requires not only proficient conversational skills, but also attentive listening abilities.
Primary Data
The primary data used in this study was obtained through interviews with company respondents. The researcher
engaged in face-to-face interviews with participants to gather data, document information, record all relevant
data, and capture photographs, all of which were instrumental for the research. Additionally, interviews were
conducted via email, facilitating the acquisition of direct information from respondents in relevant positions who
could provide insights into the quality management system (QMS) within the risk management framework. For
this research, the researcher prepared open-ended questions to elicit respondents' opinions on the QMS in the
context of risk management, ensuring that the findings demonstrate improvements in organizational performance
through the integration of a risk management system within the company. The respondents included managers
from each department. To effectively schedule interview sessions, the researcher must identify an appropriate
time and location to collect the comprehensive data.
Research Techniques
In this study, the research techniques employed included observation and interviews. Observation is a
fundamental method for understanding the issues present in our surroundings. Researchers are well-equipped to
gather detailed information about the environment through sensory perception. The data observed in this study
were analysed to gain insights into the research topic. The second technique involved interviews, conducted both
face-to-face with participants and via email. Through these interviews, the researcher obtained original
information and direct responses from the respondents. This technique is deemed the most effective for analyzing
the collected data in this research.
Saleem and Abideen (n.d.) advocated for the implementation of a systematic process for risk management within
organizations. They referenced the steps proposed by Boehm B. W. (1991) as potentially beneficial in this
context. Additionally, their findings indicated a lack of documented risk management policies in organizations,
highlighting a critical gap that needs to be addressed.
THEORETICAL FRAMEWORK
Figure 9: Theoretical Framework
The theoretical framework (shown in Figure 9) for this study is built upon the integration of international
standards and guidelines in risk management systems, which serve as the independent variables. Specifically,
ISO 31000:2009, AS/NZS 4360:2004, and OHSAS 18000 provide structured approaches, principles, and best
practices for identifying, assessing, and managing organizational risks. These frameworks collectively guide the
adoption of systematic processes that enhance organizational resilience, safety, and compliance. The dependent
variable, improvement of organizational performance, is expected to be achieved through the effective
implementation of an integrated risk management system that leverages these standards. By aligning these
international standards, the framework demonstrates how risk management integration can lead to more
consistent decision-making, reduced vulnerabilities, and enhanced organizational outcomes.
CONCLUSION
This study encompasses a literature review centred on the research topic. ISO 31000 is a standard pertaining to
risk management codified by the International Organization for Standardization. Specifically, ISO 31000:2009,
which addresses risk management principles and guidelines, offers a framework and process for risk
management. This standard is applicable to any organisation, regardless of its size, activity, or sector.
Implementing ISO 31000 can enhance an organisation’s likelihood of achieving its objectives, improve the
identification of opportunities and threats, and facilitate the effective allocation and utilisation of resources for
risk treatment. The integration of ISO 31000, AS/NZS 4360, and OHSAS 18000 into a risk management system
is demonstrated in the proposed model, which aims to validate that an integrated risk management system can
enhance the organizational performance of the Malaysian airline industry. Consequently, a robust risk
management system can assist an organization in successfully improving its performance while mitigating risks
or threats to the company.
ACKNOWLEDGEMENT
The authors would like to express their heartfelt gratitude to the Ministry of Higher Education and UTeM for the
financial support provided through the FRGS grant secured under grant number FRGS/1/2024/SS01/UTEM/02/11
(NO UTEM: FRGS-EC/1/2024/FPTT/F00603).
REFERENCES
1. Ahmed, H., & Khan, T. (2007). Risk management in Islamic banking. In M. Kabir Hassan & M. K. Lewis
(Eds.), Handbook of Islamic Banking (pp. 144–158). Edward Elgar.
2. Boehm, B. W. (1991). Software risk management: Principles and practices. IEEE Software, 8(1), 32–41.
https://doi.org/10.1109/52.62930
3. Borghesi, A., & Gaudenzi, B. (2013). Risk management: How to assess, transfer and communicate critical
risks. Springer-Verlag Italia.
4. Certification Europe. (n.d.). OHSAS 18001 occupational health and safety management. Retrieved from
https://www.certificationeurope.com
5. Chapman, C. (1997). Project risk analysis and management – PRAM the generic process. International
Journal of Project Management, 15(5), 273–281. https://doi.org/10.1016/S0263-7863(96)00071-1
6. Clutterbuck, D., & Hirst, S. (2002). Talking business: Making communication work. Butterworth-
Heinemann.
7. DAS Certification USA. (n.d.). OHSAS 18001 occupational health and safety management systems.
Retrieved from https://www.dascertificationusa.com
8. Elkington, P., Smallman, C., et al. (2002). Managing project risks: A case study. International Journal of
Project Management, 20(1), 49–57.
9. Finniston, M. (1975). Information and communication in industry.
10. George, A. Z., & Ritchie, B. (2009). Supply chain risk: A handbook of assessment, management, and
performance. Springer.
11. Grabowski, M., & Roberts, K. (1999). Risk mitigation in virtual organizations. Organization Science,
10(6), 704–721.
12. Halliday, S., Badenhorst, K., & Solms, R. von. (1996). A business approach to effective information
technology risk analysis and management. Information Management & Computer Security, 4(1), 19–31.
13. Hasanali, F. (2002). Critical success factors of knowledge management. Retrieved from
https://www.kmworld.com
14. Henriksen, P., & Uhlenfeldt, A. (2006). Contemporary risk management in project-based environments.
Project Management Journal, 37(3), 36–46.
15. Herbert, R., & Irene, W. (1995). Qualitative interviewing in education research.
16. Hofstede, G. (2001). Culture's consequences: Comparing values, behaviors, institutions, and organizations
across nations (2nd ed.). Sage.
17. Hughey, A. W., & Mussnug, K. J. (1997). Designing effective employee training programmes. Training
for Quality, 5(2), 52–57.
18. Hunter, J. (2002). Improving organizational structure and workflow.
19. Ifinedo, P. (2008). Impacts of business vision, top management support, and external expertise on ERP
success. Business Process Management Journal, 14(4), 551–568.
20. International Organization for Standardization (ISO). (2009). ISO 31000: Risk management – Principles
and guidelines. ISO.
21. International Organization for Standardization (ISO). (n.d.). ISO 31000: Risk management. Retrieved from
https://www.iso.org
22. Mayer, R. C., Davis, J. H., & Schoorman, F. D. (1995). An integrative model of organizational trust.
Academy of Management Review, 20(3), 709–734.
23. National Institute of Standards and Technology (NIST). (2010). Guide for applying the Risk Management
Framework to federal information systems: A security life cycle approach (NIST SP 800-37, Rev. 1). U.S.
Department of Commerce.
24. OHSAS 18001 Health & Safety Standard. (n.d.). Retrieved from https://www.ohsas-18001-occupational-
health-and-safety.com
25. Quirke, B. (1996). Communicating corporate change: A practical guide to communication and corporate
strategy. McGraw-Hill.
26. Ranong, P. N., & Phuenngam, W. (2009). Critical success factors for effective risk management.
Proceedings of the International Conference on Applied Business Research.
27. Ryan, B., Scapens, R. W., & Theobald, M. (2005). Research method and methodology in finance and
accounting. Cengage Learning.
28. Saleem, M., & Abideen, Z. U. (n.d.). Risk management practices in organizations.
29. Smith, P. G., & Merritt, G. M. (2002). Proactive risk management: Controlling uncertainty in product
development. Productivity Press.
30. Stank, T. P., Daugherty, P. J., & Gustin, C. M. (1994). Organizational structure and logistics service
strategy. International Journal of Logistics Management, 5(2), 41–54.
31. Standards Australia. (1999). AS/NZS 4360:1999 Risk management. Standards Australia/Standards New
Zealand.
32. Standards Australia. (2004). AS/NZS 4360:2004 Risk management. Standards Australia/Standards New
Zealand.
33. Tchankova, L. (2002). Risk identification – Basic stage in risk management. Environmental Management
and Health, 13(3), 290–297.
34. Treven, S. (2003). International training: The training of managers for assignment abroad. Journal of
Business Economics and Management, 4(1), 101–110.
35. Vandijck, I. (2014). Risk management according to ISO 31000:2009. Journal of Emergency Management,
12(6), 435–444.
36. Win Management Services. (n.d.). OHSAS 18000 consultancy process. Retrieved from
http://www.winms.com
37. Wong, A. (2005). The impact of information technology on supply chain capabilities and firm performance.
International Journal of Production Economics, 95(3), 273–289.
38. Yin, R. K. (2009). Case study research: Design and methods (4th ed.). Sage.
39. Young, R., & Jordan, E. (2008). Top management support: Mantra or necessity? International Journal of
Project Management, 26(7), 713–725.
40. Zwikael, O. (2008). Top management involvement in project management: Exclusive support practices for
different project scenarios. International Journal of Managing Projects in Business, 1(3), 387–403.