Project Management Institute

Defining professionalism in risk management

Director of Consultancy, PMProfessional Solutions

7 Amersham Hill, High Wycombe, Bucks HP13 6NS, UK



Clearly professionalism is “A Good Thing”, but it is not always clear what it entails or how it can be measured. This is particularly true for risk management, which involves the inherently uncertain future. A risk management practitioner advises clients on things that may or may not become reality. It is therefore very difficult to measure quality or effectiveness. If a risk is identified and the risk management practitioner suggests a response to deal with it, the fact that the risk does not occur might be due to good luck or chance, or it might be due to the effectiveness of the recommended action. Whether or not specific risks occur cannot be used as a determinant of risk management professionalism. Other criteria must be used. This paper introduces the Risk Management Professionalism Manifesto, developed to capture the characteristics of a professional relationship between a risk management practitioner and the client. It provides ten criteria to test the relationship and determine whether it can be described as “professional” or not. This can be used by risk management practitioners to support and promote the service they offer clients, and it can also be used by clients to ensure that they are being treated professionally by those offering risk management services.


Most people in business aspire to being a “professional”, since this implies a desirable level of quality and competence deserving of respect, recognition and reward. However it is not always clear what is meant by this term. Is “professional” merely the opposite of “amateur”, or is something else required in order to qualify as one? Is “professional” synonymous with “trade” or “craft”? On-line dictionaries include the following definitions :


These definitions emphasise the need for knowledge and skills as a prerequisite for being a member of a profession as distinct from a tradesman or craftsman, but clearly there are many occupations which also require knowledge and skills which should perhaps not be called professions. Other defining characteristics are also required for professions (Fugate & Knapp, 1998), including :

  • A defined body of knowledge and/or theory, developed over time;
  • Accepted standards of practice, based on the body of knowledge;
  • Entry qualifications, leading to licensing and/or registration of “professionals”;
  • Ethical code of practice, sometimes evidenced by an oath or promise;
  • Dedication to “the public good”, resulting in public recognition and trust.

Given these five elements to define whether an occupation can be called a “profession”, it is then possible to determine whether someone is a “professional” in their chosen field of endeavour. There are two primary characteristics :

  • Mastery of the body of knowledge, including both learned knowledge and the ability to apply this with skill (possibly with some differentiation into a recognised speciality);
  • Ethical conduct on the behalf of those to whom services are provided.

There are also a number of secondary characteristics which professionals can be expected to demonstrate, including : formal training and licensing, maintenance of level of competence, appropriate behaviour, subordination of personal interests to the needs of clients and the public good, ability to act with autonomy, self-regulation (both personally and by the professional community), and membership of a professional body representing the profession.


Historically only a few occupations have been recognised as formal professions. Until recently there were only three true professions, namely law, religion and medicine. Lawyers, clerics and doctors held a special place in society as a result, being accorded a particularly high level of trust and respect. However modern society has adopted and broadened the term “professional” to apply to any paid occupation with standards that set practitioners apart from amateurs. Today it is possible to find people who refer to themselves as “professional” teachers, nurses, plumbers, footballers, social workers etc. Without denigrating the value of these occupations, they do not all meet the five criteria laid out above. This means either that they are in fact not professions, or that the common usage of the word has changed from its original definition. Of course it is possible for new professions to arise which meet the original criteria. This is likely to involve a process over time, which starts with a group of people within an occupation regarding themselves as “potential professionals”. Such self-perception and self-definition needs to lead to a development phase when the characteristics of a profession are evolved, including definition and documentation of the body of knowledge, standardisation of practices based on this body of knowledge, introduction of entry qualifications to test knowledge and competence, and statement of the ethical code to which professionals should adhere.

Once these have been developed there needs to be a period of consolidation when the body of knowledge is tested and standard practices are implemented, to ensure that they are feasible and practicable. During this time it is likely that public perception of the occupation will develop to match the self-perception of practitioners, leading to the level of recognition and trust accorded to a profession. Finally it is important for the new profession to engage in continual development of their professional standards and practice.


Having set out the characteristics of a profession, risk management can now be tested to see whether it qualifies as one. Clearly it does not have the historical track record of law, religion or medicine, but perhaps it has embarked on the process necessary to develop into a new profession. Since the criteria are clear, it is possible to make an assessment of the current status of risk management against them, as follows :

  • A defined body of knowledge and/or theory developed over time: While there are a wide range of risk management guidelines in existence (British Standards Institute 1996, 2000a, 2000b, 2001, 2002; Canadian Standards Association 1997; Godfrey 1996; Institute of Electrical & Electronics Engineers 2001; Institution of Civil Engineers 1998; Institute of Risk Management 2002; Norges Standardiseringsforbund 1991; Office of Government Commerce 2002; Project Management Institute 2000; Simon et al. 1997; Standards Australia/Standards New Zealand 1999; US DoD DSMC 2000), there is currently no single risk management “body of knowledge”. There is growing consensus over what such a body of knowledge might contain, but the theoretical and knowledge base of risk management appears to be still developing.
  • Accepted standards of practice based on the body of knowledge : Since the risk management body of knowledge is not yet stable, risk management practice is also variable and there is no single accepted standard of practice.
  • Entry qualifications leading to licensing and/or registration of “professionals”: Several organisations have introduced risk management examinations (for example the UK Association for Project Management Risk Management Certificate, UK Institute of Risk Management FIRM examinations; Project Management Institute proposed Certificate of Additional Qualification in Project Risk Management PRM-CAQ), but there is currently no widely-recognised certification in risk management which could be used to distinguish professional practitioners from others.
  • Ethical code of practice, sometimes evidenced by an oath or promise : Risk management practitioners usually act ethically, although there is currently no formal code to which they adhere.
  • Dedication to “the public good”, resulting in public recognition and trust: Risk management is not currently recognised by the general public or many clients as a distinct profession, and may be associated in the public mind with the low level of trust accorded to “management consultants”.

This assessment indicates that risk management cannot yet be described as a full profession since it does not currently meet the five typical criteria, although progress is being made on several fronts towards this. There is a particular problem for risk management practitioners in being regarded as professional. This relates to the test of whether or not their services are effective, which is set firmly in the future. Risk management deals with things which may or may not happen, and there is no certainty that an identified risk would actually occur even if nothing were done. As a result, it is almost impossible to test the quality and effectiveness of risk management advice. If action is taken to address an identified risk and that risk does not occur, it is possible that the action was effective in removing the risk. Alternatively the action may have been ineffective but just by chance the risk did not occur. A third option is that the identification was faulty and the so-called risk never existed and never would have happened. Given the inherently uncertain nature of the future, it is not usually possible to distinguish between these three options.

As a result, clients receiving risk management advice cannot tell whether they are getting a professional service or not, simply by looking at whether identified risks occur or not. Other criteria are therefore required in order to evaluate the performance and behaviour of risk management practitioners.


Five characteristics of a profession have been listed above. Of these, the presence of the first four can be tested objectively (body of knowledge, standards of practice, entry qualifications, ethical code of practice), since they either exist or do not. Risk management is making some limited progress towards achieving these four criteria, but still has some way to go.

The fifth criterion (trust) is however less easily demonstrable, yet it is perhaps the most important (Hosmer 1995; Mayer et al. 1995; Hartman 1999, 2000; Solomon & Flores 2001; Ward & Smith 2003). Even in the classical professions (law, religion, medicine), the trust relationship is fundamental. One would not permit a surgeon to operate unless he was trusted, even if the surgeon possessed all the required qualifications, knowledge and experience. The same is true of the barrister defending one's case in court, or the priest advising on one's eternal destiny or personal spirituality.

It is therefore important for risk management practitioners and their clients to consider together how a relationship of trust can be developed and maintained as part of the delivery of risk services, especially if risk management practitioners aspire to be recognised and accepted as professionals.

The Risk Management Professionalism Manifesto (Ward & Hillson 2002; Hillson 2002a, 2002b) was developed to make a contribution towards the definition of the standards of behaviour and ethics required for a professional approach to provision of risk management services. It does not attempt to define the body of knowledge. Instead it defines the psychological contract between a risk management practitioner and the client, outlining what could be reasonably expected of someone offering a professional level of service within an environment of mutual trust and respect. The Manifesto provides a leadership statement defining demonstrable characteristics and competencies specially associated with a professional approach to risk management, which would be expected to engender and encourage trust between the parties involved in working together. Practitioners, clients and sponsors can use it to distinguish professional from unprofessional practice. The Manifesto is not however intended to define the limits of legal or contractual liability, or to detail remedies in cases where the client is not satisfied with the relationship.

Ten points are offered to define professionalism in terms of developing and demonstrating trust as applied to risk management. These cover the following areas :

  1. Scope
  2. Context
  3. Competence
  4. Processes & tools
  5. Quality of advice
  6. Language
  7. Recommendations
  8. Conflict of interests
  9. Inappropriate application
  10. Objectives

The ten detailed Manifesto points are described below :


Scope

The scope of a risk management intervention is the responsibility of the client. However the risk management professional is responsible for providing advice regarding the likely effectiveness of the proposed scope of work. Risk management professionals must inform the client if they believe that the chosen scope will be ineffective in achieving the intended outcomes, regardless of the client's possible reaction.


Context

Risk management professionals must be able to demonstrate understanding of the context in which they offer advice, and explain the boundaries within which their advice is given.


Competence

Risk management professionals must be aware of and stay within the limits of their competence. If they encounter areas outside their competence, they will notify the client. They will also call for review where there is substantive doubt about their proposed advice.

Processes & tools

Risk management professionals take responsibility for the appropriateness and effectiveness of the processes and tools used by themselves or recommended to the client.

Quality of advice

Risk management professionals take responsibility for the quality of their advice. The client must be informed of any limitations in the processes or tools used, together with possible consequences for the quality or reliability of advice offered.


Language

Risk management advice is likely to be ineffective if expressed in a language or framework foreign to its recipients, such as offering engineering risk advice to business managers. Risk management professionals will frame advice in the language and framework understood by its recipients.


Recommendations

Risk management professionals must ensure that recommendations are feasible, achievable and justifiable within the context of the client's constraints, and that they are communicated in an appropriate and timely manner.

Conflict of interests

All advice and recommendations given by risk management professionals must have the explicit aim of managing risks to client objectives. Advice whose purpose is to defend or promote the interests of the professional, their business or colleagues is inappropriate. Risk management professionals will protect the client's competitive and proprietary information at all times.

Inappropriate application

Where a client indicates that they intend to use risk management advice or risk assessment results for ends other than the management of risk, risk management professionals will point out the consequences of such uses.


Objectives

The client, their organisation and stakeholders have many interlocking sets of objectives : strategic, business, project, safety, operational etc. Risk management professionals ensure that their advice relates to risks affecting those specific objectives for which they have been consulted, while taking into account the effect of risks on other objectives where they are aware of them.


The Risk Management Professionalism Manifesto outlines the characteristics and competencies associated with a professional approach to risk management. It is intended for use by both sides of the professional relationship, namely risk management practitioners, as well as the clients, sponsors or employers who use their services (“clients”). The Manifesto provides a framework or benchmark against which risk management practice can be assessed to determine the extent to which it can be regarded as professional, particularly in terms of developing and sustaining trust. It is intended to provoke discussion between the various parties on the key points of a professional relationship, and to ensure common understanding and expectations. It can be used either for engagements where the risk management practitioner is an external consultant, or for in-house engagements where the service is provided from within the client organisation.

The first step, before an engagement is started, is for the parties to define their expectations using the Manifesto. For the client this might include issuing an Invitation To Tender (ITT) or Request For Proposal (RFP), or the internal informal equivalent. This would inform potential providers of risk management services that the client expects work to be conducted in line with the Manifesto, and request them to confirm understanding and state their commitment to implementation. The risk management professional could also present the Manifesto to a potential client prior to undertaking an engagement, stating that it describes the characteristics and competencies to which the professional intends to adhere.

Before commencement of the job, the client and risk management professional should ensure a common understanding of the purpose, scope and objectives of the project or business area to which the risk management exercise applies. They could work through each point in the Manifesto to ensure that the implications for the engagement are clearly understood. This might be done through a structured discussion, or using a facilitated workshop. The workshop approach can be used to involve a wider group of stakeholders, exploring the boundaries of each Manifesto point, using test cases to demonstrate their applicability, and ensuring shared understanding and commitment to work within the parameters of the Manifesto.

Agreement on the issues covered by the Manifesto should be reached prior to starting an engagement. Although the Manifesto is not intended to be a legal or contractual document, it might be helpful for both risk management professional and client to sign a copy at the start of the engagement as a record of their agreement. Where a particular Manifesto point has been modified during the initial discussions between risk management professional and client, this should be recorded for future reference.

Throughout the engagement the risk management professional should apply the principles embodied in the Manifesto at all times. It may be necessary to draw the client's attention to this from time to time, to ensure that expectations are managed and met on both sides. In cases where the relationship requires clarification during an engagement, the Manifesto could be used to resolve disputes and provide a framework for modifying the relationship to enable it to continue where possible.


This paper has defined five main characteristics associated with a profession, and tested risk management against them. While some progress is being made, it does not appear that risk management currently qualifies to be described as a profession. Further development work is required in terms of producing a body of knowledge and theory with which all risk management practitioners concur, together with accepted standards of practice, recognised qualifications and an ethical code. The biggest gap however is in the area of building trust in the relationship between risk management practitioners and their clients. The Risk Management Professionalism Manifesto is an attempt to bridge that gap.

One might ask whether this matters, since simply being labelled as a “profession” does not guarantee good service. There are however a number of potential adverse effects if risk management professionalism is not defined in a way which is broadly recognised and accepted, and if there is a failure of trust :

  • It will be easier for unscrupulous practitioners to offer an inadequate service to clients, concealing their lack of results under the cloak of uncertainty.
  • This is likely to lead to disillusioned and dissatisfied clients, and less work for all risk management practitioners.
  • Confidence in risk management as a useful management discipline will be damaged, leading to reduced attention to proactive management of risk, and more failures in projects and business as risk goes unmanaged.

Conversely, clear definition of risk management professionalism with concomitant mutual trust between the parties can result in the following benefits :

  • Increased quality of service offered to clients by professional risk management practitioners.
  • The ability for clients to discriminate between service providers before engaging them, rather than hoping for the best and waiting to see whether advice turns out to be beneficial.
  • Increased prestige and recognition for those risk management practitioners offering a professional service.
  • Improved perception of the value of risk management, leading to increased take-up and use of risk management to ensure more successful projects and better business decisions.

It can be argued that professionalism is more than just “A Good Thing” – it is essential for any occupation which claims to offer benefits to its clients and users. Risk management is no exception, and the uncertain context in which risk management practitioners operate places additional importance on the need for a professional approach built on mutual trust and respect.


Dr David Hillson PMP FAPM FIRM is Director of Consultancy with PMProfessional Solutions in High Wycombe UK, with a particular interest in risk management. His speciality is risk technology transfer, assisting organisations to develop in-house risk processes. David is recognised as an international expert in project risk management, and regularly writes and speaks on the subject.

David is an active member of the Project Management Institute (PMI®) and its Risk SIG, and received the 2002 PMI Distinguished Contribution Award for his work in developing risk management and promoting project management in Europe. He is also a Fellow of the UK Association for Project Management, and is co-editor of the APM “Project Risk Analysis & Management (PRAM) Guide”, and Fellow of the UK Institute of Risk Management. David Hillson can be contacted on [email protected].


British Standards Institute. (1996). Risk management : Part 3 – Guide to risk analysis of technological systems. (British Standard BS8444-3:1996; previously issued as IEC 300-3-9:1995) London, UK: British Standards Institute.

British Standards Institute. (2000a). Project Management – Part 3 : Guide to the management of business-related project risk. (British Standard BS6079-3:2000) London, UK. British Standards Institute.

British Standards Institute. (2000b). Managing risk for corporate governance. (BSI PD 6668:2000) London, UK. British Standards Institute.

British Standards Institute. (2001). Project risk management – Application guidelines. (BS IEC 62198:2001) London, UK. British Standards Institute.

British Standards Institute. (2002). Risk management – Vocabulary – Guidelines for use in standards. (BSI PD ISO/IEC Guide 73:2002). London, UK. British Standards Institute.

Canadian Standards Association. (1997). Risk management : Guideline for decision-makers. (National Standard of Canada CAN/CSA-Q850-97) Ontario, Canada: Canadian Standards Association.

Fugate M. & Knapp J. (1998). The development of bodies of knowledge in the professions. (Study for the Project Management Institute). Princeton, New Jersey, US: Project Management Institute.

Godfrey P. (1996). Control of Risk : A Guide to the Systematic Management of Risk from Construction. London, UK: Construction Industry Research & Information Association (CIRIA).

Hartman F. (1999). The role of trust in project management. Proceedings of the 1999 PMI Research Conference. Newtown Square, PA, US: Project Management Institute.

Hartman F. (2000, Jerusalem). Trust-based contracts – a competitive advantage or a high-risk proposition? Proceedings of the 3rd European Project Management Conference.

Hosmer L. T. (1995). Trust : The connecting link between organisational theory and philosophical ethics. Academy of Management Review, 20 (2), 1-25.

Hillson D. A. (2002a). Defining professionalism : Introducing the risk management professionalism manifesto. High Wycombe, UK: PMProfessional Solutions.

Hillson D. A. (2002b, London). Risk Management Professionalism. Proceedings of the 5th UK Risk Conference.

Institute of Electrical and Electronics Engineers (IEEE). (2001). IEEE 1540:2001 Software Life Cycle Processes – Risk Management. New York, US: IEEE.

Institution of Civil Engineers (ICE) and Faculty & Institute of Actuaries. (1998). Risk Analysis & Management for Projects (RAMP). London, UK: Thomas Telford.

Institute of Risk Management (IRM). (2002). A Risk Management Standard. London, UK: AIRMIC/ALARM/IRM.

Mayer R., Davis C. & Schoorman F. (1995). An integrative model of organisational trust. Academy of Management Review, 20 (2), 709-734.

Norges Standardiseringsforbund (NSF). (1991). Krav til risikoanalyser. (Norsk Standard NS5814:1991).

Office of Government Commerce. (2002). Management of Risk – Guidance for Practitioners. London, UK: The Stationery Office.

Project Management Institute. (2000). A Guide to the Project Management Body of Knowledge (PMBoK®), 2000 Edition. Philadelphia, US: Project Management Institute.

Simon P. W., Hillson D. A. & Newland K. E. (eds.) (1997). Project Risk Analysis & Management (PRAM) Guide. High Wycombe, Bucks UK: APM Group.

Solomon R. C. & Flores F. (2001). Building trust : In business, politics, relationships and life. New York: OUP.

Standards Australia/Standards New Zealand. (1999). Risk management. (Australian/New Zealand Standard AS/NZS 4360:1999) Australia, Homebush NSW 2140: Australia Standards & Wellington 6001, New Zealand: Standards New Zealand.

US DoD DSMC (2000). Risk Management Guide for DoD Acquisition, Third edition, January 2000. US Department of Defense, Defense Acquisition University, Defense Systems Management College. Fort Belvoir, Virginia 22060-5565, US: DSMC Press.

Ward A. & Hillson D. A. (2002). Professionalism in risk management. PMReview, February, 18-19.

Ward A. & Smith J. (2003). Trust and Mistrust : Radical risk strategies in business relationships. Chichester, UK: John Wiley.

This material has been reproduced with the permission of the copyright owner. Unauthorized reproduction of this material is strictly prohibited. For permission to reproduce this material, please contact PMI or any listed author.

© Copyright 2003, David Hillson


