Risk Management in Project Governance
Introduction
Nova: Imagine a world where nearly 70% of large-scale projects fail to meet their original goals. That is not a dystopian fiction — it is the reality documented across decades of project management research. And here is the twist: the root cause is rarely bad execution. It is bad governance.
Nova: : So you are telling me that the reason projects crash and burn is not because the project manager messed up the Gantt chart?
Nova: Exactly. Ralf Müller — Professor Emeritus at BI Norwegian Business School and one of the world's most cited scholars in project management — has spent over two decades arguing that risk management cannot live in a silo. It has to be woven into the very fabric of how organizations govern their projects. His books, particularly "Project Governance" and "Governance and Governmentality for Projects," have reshaped how corporations from Sweden to China think about steering their project portfolios.
Nova: : Alright, I am intrigued. Who is Ralf Müller and why should anyone outside of academia care about his ideas?
Nova: Great question. Müller is a German-born scholar who has consulted in 47 countries, co-founded PMI chapters in Frankfurt and Munich, and has over 26,000 citations to his name. He is someone who bridges the gap between rigorous academic research and hard-nosed corporate practice. His core insight is deceptively simple: without a governance structure, organizations run the risk of conflicts and inconsistencies between the various means of achieving organizational goals, the processes and resources — causing costly inefficiencies that impact both smooth running and bottom-line profitability.
Nova: : So governance is the operating system for projects, and risk management is one of its core applications?
Nova: That is a perfect analogy. And today we are going to unpack exactly how Müller thinks about that operating system, why risk management is a governance function — not just a project management one — and what it means for anyone who touches projects, from the C-suite to the project team. Welcome to the podcast. I am Nova.
Nova: : And I am. Let us dive in.
Why Risk Management Sits at the Governance Level
Governance Is the Operating System, Not the App
Nova: Let us start with the most fundamental distinction Müller makes — one that trips up even seasoned professionals. He draws a sharp line between project governance and the governance of projects. They sound almost identical, but they are not.
Nova: : Okay, you have to unpack that. What is the difference?
Nova: Project governance is the governance of a single project — who makes decisions, how risks are escalated, what the steering committee oversees. The governance of projects is the umbrella framework for a group of projects — think portfolios, programs, networks. It is the difference between managing the traffic at one intersection versus designing the entire city's traffic grid.
Nova: : So risk management at the single-project level might be about identifying that a key supplier could go bankrupt. But at the governance-of-projects level, it is about asking whether the organization's entire supplier diversification strategy is adequate?
Nova: Exactly. And Müller's research, especially in his 2016 PMI-funded study "Organizational Enablers for Project Governance" with Jingting Shao and Sofia Pemsel, shows that organizations that treat risk management as a governance function — not just a project-level checklist — consistently outperform those that do not. They studied companies across Sweden and China, from small firms to multinationals, and found that governance practices directly mediate project success.
Nova: : What does "mediate" mean in plain English?
Nova: It means governance is the bridge. You can have the most brilliant risk identification techniques in the world, but if your governance structure does not create clear pathways for those risks to be escalated, discussed, and acted upon, those techniques are worthless. Governance is the delivery mechanism. Müller's quantitative studies show statistically significant relationships between governance quality and project success across all five dimensions of success: process, product, business, strategic, and stakeholder.
Nova: : That is a strong claim. Did he find any exceptions or countries where governance mattered less?
Nova: Fascinatingly, the pattern held across geographies. But the specific governance practices did differ. Swedish companies, for example, tended toward more consensus-driven, stakeholder-oriented governance. Chinese companies leaned more toward hierarchical, compliance-driven models. Yet in both contexts, governance remained the critical enabler for effective risk management. The form differed; the function did not.
A Framework for Understanding Organizational Risk Appetite
The Four Governance Paradigms
Nova: One of Müller's most cited contributions — maybe his signature framework — is the four governance paradigms model. Picture a two-by-two matrix.
Nova: : I love a good matrix. Give me the axes.
Nova: The horizontal axis captures governance orientation: on one end, shareholder orientation, where the primary duty is to maximize return for investors. On the other end, stakeholder orientation, where the organization balances the interests of all parties — employees, communities, suppliers, the environment.
Nova: : And the vertical axis?
Nova: Organizational control. On one end, you have behavior-based control — governing through process compliance, rules, and standardized procedures. Think agile or Scrum methodologies where you govern by ensuring the process is followed correctly. On the other end, outcome-based control — governing by results. You do not micromanage how the team works; you hold them accountable for what they deliver.
Nova: : So that gives us four boxes. What are they?
Nova: Let me walk through them. Paradigm one: the Conformist — shareholder orientation plus behavior control. This is your classic heavily regulated industry. Risk management here is about compliance checklists and audit trails. Think pharmaceutical companies governed by FDA regulations.
Nova: : That feels familiar. What about paradigm two?
Nova: Paradigm two is the Flexible Economist — shareholder orientation plus outcome control. Here, the organization cares about shareholder returns but gives managers latitude on how to get there. Risk management is about protecting the business case. Hedge funds and private equity portfolio companies often fit here.
Nova: : So the next two must flip the orientation to stakeholder?
Nova: Exactly. Paradigm three is the Versatile Artist — stakeholder orientation plus outcome control. These organizations balance multiple stakeholder needs but give teams autonomy. Think of a tech company building open-source platforms. Risk management here is about reputation, community trust, and ecosystem health — not just the bottom line.
Nova: : And the fourth?
Nova: Paradigm four is the Agile Pragmatist — stakeholder orientation plus behavior control. This sounds contradictory, but it is not. These organizations have strong stakeholder mandates — think government agencies or NGOs — but they govern through defined processes and methodologies. Risk management emphasizes transparency, public accountability, and procedural fairness.
Nova: : So if I am a project sponsor, I should figure out which paradigm my organization lives in, and that determines how I should approach risk?
Nova: Precisely. And Müller's research shows that tension arises when a project's risk profile demands one paradigm but the organization defaults to another. Imagine a high-uncertainty innovation project governed with Conformist-style compliance checklists. That is a recipe for disaster. The governance paradigm must match the risk reality.
What Does Good Governance Look Like in Practice?
The Eight Governance Components and the Centrality of Risk
Nova: So far we have talked about high-level paradigms. But Müller's work also gets very practical. In his book "Project Governance," and echoed in PMI's guidance, he identifies eight core components of a functioning governance framework. Risk and issue management is explicitly one of them — but here is the crucial point: risk management cannot function in isolation from the other seven.
Nova: : Walk me through them. Give me the full picture.
Nova: Component one: Governance Models. This is about choosing the right level of rigor. Müller warns that overzealous governance annoys stakeholders, and absent governance leads to chaos. Component two: Accountability and Responsibilities — defining who is responsible, accountable, consulted, and informed for every deliverable.
Nova: : The classic RACI matrix.
Nova: Exactly. Component three: Stakeholder Engagement. Müller emphasizes that if you miss even one stakeholder, it can derail the entire project. Component four: Stakeholder Communication. Component five: Meeting and Reporting — getting concise, efficient, timely information to the right people.
Nova: : And then we get to risk.
Nova: Component six: Risk and Issue Management. Müller's position is emphatic: it is not enough to identify risks. The governance framework must establish consensus on how risks are classified, prioritized, escalated, and acted upon. The PMI research paper based on Müller's work frames it this way — quite frankly, how you handle the risk is more important than the risk itself.
Nova: : That is counterintuitive. Most people obsess over identifying every possible risk.
Nova: And that obsession often becomes performative. Teams fill out exhaustive risk registers that nobody reads. Müller's governance lens says: stop asking "what are the risks" and start asking "who has the authority to accept or mitigate this risk, and what decision-making process will we follow."
Nova: : What about the last two components?
Nova: Component seven: Assurance — defining the metrics that give visibility into project performance and delivery confidence. Component eight: the Project Management Control Process — the ongoing monitoring and measuring against baseline scope, budget, time, and resources. And here is the critical link: those last two components only work if the risk and issue management component is functioning. If risks are not surfaced, assurance metrics become a Potemkin village.
Nova: : So all eight components are interdependent. You cannot just bolt risk management onto a broken governance structure and expect it to work.
Nova: That is Müller's point in a nutshell. The integrated governance model he proposes in the final chapters of "Project Governance" argues that governance of project management, governance of programs and portfolios, and governance of individual projects must all be aligned. Risk flows through all three levels. A risk identified at the project level might have portfolio-level implications, and the governance structure must enable that information to travel upward — and decisions to travel downward — seamlessly.
Why the Soft Side Determines Whether Risk Management Actually Works
Governmentality: The Art and Soul of Governance
Nova: Here is where Müller's thinking gets genuinely distinctive. In his 2017 book "Governance and Governmentality for Projects," he introduces a concept that many project management frameworks overlook entirely.
Nova: : Governmentality? That sounds like a word Michel Foucault would use.
Nova: It is indeed a Foucauldian concept, and Müller borrows it deliberately. He defines governmentality as the way the governing part of an organization presents itself to those who are governed — the attitude governors have toward the people they govern. Think of it as the "tone" or the "culture" of governance.
Nova: : So governance is the hardware — the committees, the RACI charts, the stage-gate processes. Governmentality is the software — the mindset, the trust level, the way leaders actually interact with project teams?
Nova: That is exactly how Müller frames it. He says looking at governance alone is like looking at a computer system solely in terms of its hardware. It only becomes useful when complemented by its soft side. And this is where risk management lives or dies in practice.
Nova: : What do you mean?
Nova: Imagine two organizations with identical governance structures on paper — same steering committees, same escalation paths, same risk registers. In one organization, governmentality is characterized by trust, psychological safety, and a learning orientation. When a project manager surfaces a risk, leaders say "thank you for flagging this early." In the other organization, governmentality is characterized by blame and fear. The same risk gets buried because nobody wants to be the messenger who gets shot.
Nova: : So the governance structure is the same, but the actual risk management outcomes are completely different?
Nova: Radically different. Müller's cross-national research in Sweden and China found that governmentality was a statistically significant predictor of project success, independent of the formal governance structure. His quantitative studies measured governmentality through constructs like "the attitude of governors toward the governed" and found that positive governmentality mediated the relationship between governance enablers and success.
Nova: : That feels like a wake-up call for organizations that think they can governance their way to success by adding more checkpoints and approvals.
Nova: It is the central paradox Müller identifies. You can layer on more governance controls hoping to reduce risk, but if the governmentality is toxic, you actually increase risk because people stop being transparent. The art of governance, as he calls it, is balancing structure with trust, control with empowerment, compliance with adaptability.
Nova: : Does Müller offer any practical advice for improving governmentality?
Nova: His research points to organizational enablers — things like leadership development, clear career paths for project managers, and governance training for steering committee members. But the most powerful enabler, based on his case studies, is modeling from the top. When senior leaders visibly respond constructively to bad news, it cascades through the organization. Governmentality is not something you announce with a memo. It is demonstrated through behavior.
Practical Lessons from Müller's Research
Risk as a Governance Conversation, Not a Technical Exercise
Nova: Let us bring this all together into some actionable takeaways. Müller's body of work — spanning "Project Governance" in 2009, the PMI organizational enablers study in 2016, and "Governance and Governmentality for Projects" in 2017 — offers a coherent philosophy of risk management that differs markedly from the mainstream.
Nova: : How would you characterize the mainstream view?
Nova: The mainstream view treats risk management as a technical discipline within project management — identify, assess, quantify, mitigate, monitor. It is a process, often delegated to a risk manager or treated as a section in the project plan. Müller turns this on its head.
Nova: : By saying risk management is a governance function?
Nova: By saying risk is fundamentally a governance conversation. Every risk — whether it is a supplier going bankrupt, a regulatory change, or a technology not working — raises a governance question: who decides what to do, with what information, under what authority, and with what accountability? If your governance framework cannot answer those questions cleanly, your risk management process is just theater.
Nova: : That reframes everything. So when Müller's research identifies the most successful organizations, what do they do differently?
Nova: Three things consistently emerge from his cross-national studies. First, they define risk appetite at the governance level — not the project level. The steering committee, not the project manager, decides how much risk is acceptable. Second, they integrate risk conversations into every governance meeting, not as a separate agenda item but as a lens applied to every decision. And third, they maintain what Müller calls "assurance" — independent oversight that verifies risks are being managed, not just reported.
Nova: : Let me challenge that third point. Does not independent assurance just add another layer of bureaucracy?
Nova: Müller addresses this head-on. He argues that assurance should be proportional — what some practitioners call "T-shirt sizing" governance. A small, low-risk project gets a lightweight assurance review. A billion-dollar megaproject gets intensive scrutiny. The key is that assurance is independent of the project team, creating what Müller describes as an honest feedback loop that the project manager cannot manipulate.
Nova: : So the project manager cannot be the one grading their own risk management homework?
Nova: Precisely. And Müller's case studies — particularly the longitudinal studies in Swedish and Chinese companies — show that organizations which implemented independent assurance saw measurable improvements in both risk identification and risk response over time. It created a virtuous cycle: better governance led to better risk management, which led to better project outcomes, which reinforced trust in the governance system.
Nova: : It strikes me that Müller's approach demands a lot from senior leaders. They cannot just sign off on project charters and wait for the quarterly update.
Nova: That is the uncomfortable truth at the heart of his work. Effective risk management in project governance requires active, informed, and consistent engagement from the top. Sponsors and steering committee members must understand the projects they govern, not just review dashboards. Müller's research found that in the highest-performing organizations, steering committee members received governance training — they were not just appointed because of their functional role. This is a profound shift from the "any senior executive can sponsor a project" assumption that prevails in many organizations.
Conclusion
Nova: So let us step back and synthesize what Ralf Müller's work on risk management in project governance really teaches us.
Nova: : We have covered a lot of ground. Distill it for me.
Nova: At its core, Müller's message is that risk management is not a project management technique — it is a governance responsibility. Organizations succeed or fail based on whether their governance framework creates the conditions for risks to be identified, escalated, and acted upon effectively. That framework has both a hard side — the structures, roles, and processes — and a soft side, what he calls governmentality — the culture, trust, and leadership behavior that determines whether people actually use those structures honestly.
Nova: : The four governance paradigms — Conformist, Flexible Economist, Versatile Artist, Agile Pragmatist — give organizations a way to diagnose their own governance DNA and align their risk management approach accordingly.
Nova: Exactly. And the eight governance components — from governance models and accountability to risk management, assurance, and control processes — are not a checklist to be completed but an interdependent system to be cultivated. Müller's research across Sweden and China demonstrates that these principles are not culturally bounded; they apply globally, even as their expression adapts to local context.
Nova: : If I were a project manager listening to this, what is my one takeaway?
Nova: Ask yourself: does my governance framework give me a clear, uncluttered pathway to escalate a risk that could kill my project? If the answer is murky, you have a governance problem — not a risk management problem. And share Müller's insight with your sponsor: how you handle risk is more important than the risk itself.
Nova: : And if I am a senior leader or steering committee member?
Nova: Your job is not to review project status reports. Your job is to set the risk appetite, model the governmentality you want to see, and maintain the governance system that makes transparency safe and accountability clear. Müller's research shows that organizations where leaders do this consistently outperform those where governance is treated as a paperwork exercise.
Nova: : So the final word: risk management lives or dies at the governance level. Structure matters, but so does soul.
Nova: Beautifully put. And that is the enduring contribution of Ralf Müller's work — he reminds us that governing projects is not merely an administrative function. It is a leadership discipline. When done well, it creates the conditions for courage, clarity, and successful delivery. When done poorly, no amount of risk-register-filling can save you.
Nova: : This is Aibrary. Congratulations on your growth!