New public management evolving agenda: risk management in Italian municipalities

Since the late 1980s, New Public Management (NPM) has fostered the introduction of managerial behaviors similar to those of the private sector into public sector organizations (Hood, 1991) to improve quality, efficiency and effectiveness in public service delivery (Newmann and Clarke, 1994). Indeed, public administrations in many countries have introduced new procedures and process innovations and have changed their bureaucratic culture, embracing a new managerial attitude (Rana and Parker, 2023) committed to the effective and efficient achievement of organizations’ goals (Parker et al., 2019) and more concerned with delivering to citizens-customers (Osborne et al., 2012).

Private organizations’ approaches and techniques were successfully transferred and applied in public organizations, generally with adjustments due to the different institutional settings (Bouckaert and Van Dooren, 2003). Indeed, public managers have adopted private sector techniques and tools, such as management by objectives, developed management, total quality management and performance management (Boyne, 2002). This transformation implied a shift from the traditional bureaucratic approach, primarily concerned with adherence to rules and regulations, to a new focus on delivering public services (Capalbo et al., 2017; Osborne, 2006), financial sustainability and the efficient allocation of public resources (O’Flynn, 2007).

Risk management practices integrated into the management control system were introduced in the private sector in the early 2000s (McRae and Balthazor, 2000) in response to the need to prevent financial crises and to actively respond to risks (Spira and Page, 2003). Consistently, international organizations created the first frameworks and standards (e.g. CoSO (2004) Framework or ISO 31000). Later, the International Organization of Supreme Audit Institutions (INTOSAI) provided guidelines for risk management in the public sector (Hatvanti, 2015; INTONSAI, 2007).

The importance of risk management in the public sector is recognized from different perspectives (Rana and Parker, 2023; Hatvani, 2015). First, risk management boosts the achievement of public organizations’ objectives (Bullock et al., 2019; Keban, 2017); second, risk management is critical for ensuring effective service delivery, improving performance (Gates et al., 2012), and increasing public organizations’ accountability (Mahama et al., 2020). Finally, it allows public administrations to manage risks rather than trying to avoid them (Eckerd, 2014; Hutter, 2006).

The first examples of risk management in the public sector date back to the early 1980s (Black, 2005). However, it expanded significantly in the 21st century, and it has been described as the most recent strand of NPM (Lapsley, 2009, p. 6). In the public sector, risk management initially focused on terrorism, health, transport, the environment, climate change and corruption (McPhee, 2005).

Similarly to other countries, in Italy NPM has also significantly influenced public administration reform since the late 1990s (Deidda Gagliardo and Saporito, 2021; Hinna and Ceschel, 2021; Reginato et al., 2010). In particular, the legislative obligation to implement a management control system in public organizations with an internal auditor was introduced in 2000 (Legislative decree 267/2000). In 2012, law 190 introduced a framework to prevent the risk of corruption and illegality in public administrations (Castellini and Riso, 2023). However, no specific law obliges public organizations to implement risk management for all risks. In practice, many public administrations in Italy are introducing risk management. This suggests that risk management is useful and effective. Thus, public administration in Italy provides an interesting case study of risk management introduction in the public sector (Hinna et al., 2018). The evidence presented is significant also from an international perspective, in particular as an example of risk management introduction in the public sector when no specific legal requirements or detailed legal frameworks exist (Vinnari and Skærbæk, 2014).

This paper aims to analyze the extent of risk management implementation by Italian public administration, using evidence from Italian municipalities (“comuni”). It also investigates whether the core process of risk management, namely, risk assessment, is effectively deployed in Italian municipalities. The analysis focuses only on the municipal level of government to eliminate biases due to the differing roles, competencies and financial endowments of different levels of government. We restrict our focus to Italian municipalities because of their significant responsibilities in service provision, as opposed to planning or programming competencies, which mostly rest with higher levels of government (regions or state). Total annual expenditures by Italian municipalities amount to approximately 30% of the total public budget and cover a wide span of services, from urban transportation to health care and social activities, from education and research to public support to businesses, and from public housing to cultural services. Therefore, the effective implementation of risk management practices by municipalities may significantly affect public service provision and, therefore, the overall efficiency of the Italian public sector (Lapsley, 2009, p. 15). Indeed, the recent COVID-19 pandemic has shown that municipalities play a central role in emergency management; thus, risk management is crucial (Keban, 2017). Furthermore, Italian municipalities have recently faced many challenges and risks and have increasingly adopted resilient behaviors (Sciulli et al., 2015). In addition, evidence on risk management implementation by municipalities may suggest its diffusion in the wider public sector in Italy. Finally, to investigate the effectiveness of risk management implementation, this paper also investigates whether there is an effective deployment of risk assessment in Italian municipalities.

The analysis used a mixed research method. Through a qualitative content analysis (Creamer and Ghoston, 2012) of documents published on municipalities’ official websites, information is collected and used to construct quantitative indicators that provide evidence to answer two research questions: whether Italian municipalities perform risk management (RQ1) and to what extent risk assessment is effectively implemented and properly performed (RQ2).

The structure of this paper is as follows: Section 2 presents a literature review on NPM and risk management in the Italian public sector. Section 3 describes our research purposes and approach. Section 4 describes the analysis and results, and Section 5 discusses them and proposes some concluding remarks.

There is consensus that NPM has influenced Italian public sector legislation, particularly the public sector reform implemented since the early 1990s. Management control systems were introduced in local public administrations (Legislative Decree 267/2000, art. 196) to enhance the achievement of institutional objectives and the efficient and effective use of public resources (Sancino and Turrini, 2009). This fostered a radical transformation in public administration management, from ensuring that public action complied with law requirements, to explicitly pursuing the efficiency and effectiveness of public action (Riso et al., 2022).

In these same years, in the private sector, the internal audit role changed. Risk management was integrated into management control systems (Spira and Page, 2003) and soon became widespread in private organizations.

Risk management allows organizations to identify the risks they may be exposed to and prepare themselves to face these issues, either by solving the issues entirely or mitigating them or trying to fully eliminate them or their consequences (OECD, 2014, p. 13). The same concept of risk assumes different meanings depending on the context (Andersen and Young, 2020). Bullock et al. (2019) investigate the concept of “risk”, distinguishing it from other concepts such as uncertainty, hazard, and errors. They define “risk” as “determined by the known (or estimated) probability of an event occurring and the resulting consequences” (Bullock et al., 2019, p. 77) and apply this concept to risk management in the public sphere. In the following, we shall embrace this definition.

Both researchers and practitioners have investigated the most appropriate structure of risk management processes and identified a series of subsequent steps in risk management implementation. One of the most commonly used schemes, reported in ISO 31000 (2009), outlines seven steps: communication and consultation with the organization, context analysis, risk identification, risk analysis, risk evaluation, risk treatment, monitoring and review activities (Purdy, 2010; Lark, 2015). The three stages of risk identification, risk analysis and risk evaluation make up the central and core process, named “risk assessment” (Spira and Page, 2003; Lark, 2015), as depicted in Figure 1. In this paper, we focus on this core process and its three stages (Figure 1).

Some studies investigate how to improve the individual risk management stages and how to improve the overall risk management process (Olsson, 2007). However, there are significant differences between risk management in the public and private sectors. According to Ahmeti and Vladi (2017, p. 323), “risk in the first case is much more complex, and the scope of its impact is societal. (…) The degree and variety of risks government bodies face in their daily activity are enormous, and the key responsibility of these authorities is to assure the public that no current or potential risk will threaten the perceived public value”. For this reason, risk management can be beneficial to public organizations (Cuganesan et al., 2014) to the extent that “‘New’ risk management has come to be seen as an emerging key element of NPM” (Lapsley, 2009, p. 16). Rana et al. (2019) maintain that a management control system, a performance management system and strategy-oriented control practices may help us understand how risk and risk management are implemented in the public sector, but further analyses are needed (Bullock et al., 2019).

The extent of risk management implementation in the public sector is a rather neglected issue (Bullock et al., 2019, p. 79), some scholars advocate for a better understanding of public risk management (Bracci et al., 2020; Hinna et al., 2018; Leung and Isaacs, 2008) and of the process of risk management introduction in public administrations (Rana and Parker, 2023; Bui et al., 2019; Rana et al., 2019; Hinna et al., 2018; Soin and Coiller, 2013). According to Bracci et al. (2021), there is little knowledge about risk management processes in the public sector. The literature on public sector risk management has a rather generic theoretical approach, and only a few studies on risk management are concerned with the core operative process of risk assessment, with none of them providing an in-depth analysis of each single risk management stage.

Risk management in the public sector is described as a “black box” that deserves to be better investigated from a theoretical perspective (Bracci et al., 2021). In addition, the absence of guidelines and provisions for risk management implementation is considered a risk for public organizations (Vinnari and Skærbæk, 2014).

Furthermore, at the municipal level, there are few studies on risk management (Bracci et al., 2021). D’Onza et al. (2017) propose a study on Italian municipalities focused on corruption risk management and on disclosing information on risk management as a tool to increase participation and accountability.

There is also evidence that municipalities are implementing risk management at the international level. For instance, Sippola et al. (2023) provide a critical analysis of risk management in Finnish municipalities and argue for the introduction of a municipal risk manager. Nilsen and Olsen (2005) study public managers’ behavior in two UK municipalities to understand how they implement risk management in the absence of legal provisions on this topic. The authors note that despite organizational differences, municipalities’ choices and results are very similar. This evidence is consistent with the new institutionalist idea that municipalities may exhibit isomorphic behavior (DiMaggio and Powell, 1983).

According to DiMaggio and Powell (1983), there are three types of isomorphic behavior: coercive isomorphism, when external pressures force an organization to conform; mimetic isomorphism, when an organization spontaneously imitates other organizations to deal with conditions of uncertainty; and normative isomorphism, when conforming to a model results from awareness of the superiority of the model itself.

Consistent with the idea of mimetic isomorphism in public organizations, Power et al. (2009) showed that when introducing risk management, uncertainty about behaviors and practices to adopt induces organizations to follow “first movers”, who often become benchmarks for other organizations that tend to imitate them (Power et al., 2009).

Significantly, Reginato et al. (2010) observed that Italian municipalities exhibited isomorphic behaviors when implementing managerial reforms in the early 2000s. The presence of similar processes and rules suggests isomorphic behavior.

For the purposes of our research, municipalities’ choices concerning how to carry out risk management (whether to outsource some functions or not) and the risk assessment process in particular, as described in the municipalities’ documents of our analysis, allow us to identify isomorphic behaviors and provide evidence on whether the choices undertaken reveal isomorphic features.

The Italian legislation regulates internal control systems and corruption risk management, but in general terms, this legislation is not informed by the logic of risk (Peta, 2016, p. 24). In addition, although the definition of a management control system seems to also include risk assessment, public organizations rarely integrate risk management and management control systems (Bracci et al., 2020; Riso and Castellini, 2019; Arena et al., 2017). In addition, Castellini and Riso (2023) showed that in selected Italian municipalities, there is low integration between risk management and management control systems, and Riso et al. (2022) showed that large Italian municipalities disclose information on their risks but not on risk management practices. Furthermore, Italian legislation addresses some specific risks (e.g. corruption, environmental damage), but there is no provision on implementing risk management for all possible public organizations’ risks (Peta, 2016; Riso and Castellini, 2019).

Indeed, Reginato et al. (2012, p. 395) show that the Italian legislative framework accounts for all control activities included in the INTOSAI guidelines and in the Public Internal Financial Control (PIFC) model, but there are no specific rules on how to establish a system to identify, evaluate and respond to organizations’ risks. The only guidelines are provided by the International Standards of INTONSAI (2007).

More recently, law decree 80/2021 obliges Italian municipalities to prepare an Integrated Plan of Activities and Organization (the so-called “PIAO”), which should integrate planning tools and create public value. The importance of coordinating the risk management cycle with the performance management cycle is also recognized (Deidda Gagliardo and Saporito, 2021; Riso et al., 2022). These reforms foster the diffusion of risk management in the public sector in Italy. However, the introduction of risk management is slowed down, particularly in municipalities, by various factors, such as bureaucracy, lack of understanding of its potential, absence of institutionalized modes of task performance (Power et al., 2009; Nilsen and Olsen, 2005, p. 45), and the existing risk culture (Halachmi, 2005).

This paper aims to contribute to the understanding of risk management implementation in the Italian public sector. Given the wide span of such a research agenda, we restricted our focus to two specific and related issues: whether Italian municipalities perform risk management (RQ1) and whether risk assessment is effectively implemented and properly performed (RQ2). We derive our conclusions from the analysis of a sample of Italian municipalities, and we focus on the core process of risk assessment (Lark, 2015). The research method applied is a two-phase mixed method (Creswell and Plano Clark, 2011).

Mixed methods are widely used in empirical studies from a variety of disciplines, such as social, management, behavioral and health sciences (Tashakkori and Creswell, 2007). In mixed-methods research, “the investigator collects and analyses data, integrates the findings, and draws inferences using both qualitative and quantitative approaches or methods in a single study” (Tashakkori and Creswell, 2007, p. 4). Mixed methods are applied for information disclosure (Guthrie et al., 2004) and consist of “codifying qualitative information in anecdotal and literary form into categories in order to derive quantitative scales of varying levels of complexity” (Abbot and Monsen, 1979, p. 504).

In this paper, we use a mixed-method approach based on content analysis, with a first qualitative and a second quantitative phase following the approach proposed by Creamer and Ghoston (2012). As described by Krippendorff (1980, p. 27), qualitative methods involve code selection and text analysis, while quantitative methods involve counting codes and treating them as quantitative data. Then, qualitative data are converted into quantitative data to inform analysis and discussion (Creamer and Ghoston, 2012). These two steps are consistent with one of the typologies of mixed methods classified by Tashakkori and Creswell (2007).

Specifically, our analysis is articulated in three different steps. First, we constructed a significant sample of Italian municipalities. Then, we investigated whether risk assessment is performed by municipal organizations in our sample using qualitative content analysis (QCA) applied to documents published on municipalities’ official websites (Di Fatta et al., 2016). For this purpose, we analyzed various documents from each municipality (Hood and Smith, 2013) and collected data about the three crucial stages of risk assessment: risk identification, risk analysis and risk evaluation (Lark, 2015). This analysis was implemented through focus groups that analyzed all relevant documents (i.e. contracts, tender documents, budgets, government plans, strategic plans, corruption and transparency plans). Finally, in the third step, descriptive statistics and synthetic indicators were calculated using the data collected through the QCA. Thus, the qualitative information published and disclosed by the municipalities is summarized in a quantitative, synthetic, and comparable way, which suggests interesting conclusions on the extent and effectiveness of risk assessment in Italian municipalities. At the end of the analysis, several similar characteristics were identified across municipalities, both in terms of municipalities’ choices of risk management implementation and in terms of features of risk assessment practices.

The sample comprises 503 municipalities out of the 7.914 existing in Italy (6.3%), distributed across 20 regions. Italian municipalities vary significantly in terms of population, from the largest, Rome, with 2,872,800 inhabitants, to the smallest, Monterone, with only 30 inhabitants.

The sample includes only the most populated municipalities. In fact, risk management is useful, especially in large municipalities, due to the high variety and complexity of services offered to a significantly large population. In addition, large municipalities may also have sufficiently developed administrative capacity, greater financial and technical endowments, more sophisticated information systems, more structured organizations, and more personnel to implement risk management schemes and to fulfill transparency provisions requiring information disclosure on their activities. This approach is consistent with existing studies on risk management and risk communication in the private sector, which focus only on large organizations for the same reasons listed above (Beretta and Bozzolan, 2004; Linsley and Shrives, 2006). For the public sector, in their empirical study of new public financial management, Reginato et al. (2010) use a sample of Italian municipalities above 5,000 inhabitants based on evidence that reforms are hindered by limited financial and human resources in smaller municipalities. In addition, in a study on e-government, Nasi et al. (2011) select only large municipalities (183) based on the argument that sophisticated ICT is found only in larger public organizations. Finally, Brudney and Selden (1995) maintain that larger municipalities have more complex and diverse setups and are characterized by a greater propensity to innovate in search for improvement.

In addition to dimensional concerns, geographical issues were also accounted for in sample construction. Italy is characterized by significant territorial disparities from an institutional perspective, which may also affect managerial attitudes and performance in the public and private sectors (Putnam et al., 1994). For this reason, our sample also pursues territorial representativeness. Given the high variability of municipality numbers across regions (Figure 2), for each region, our sample comprises the same percentage of municipalities and includes only the most populated municipalities. Thus, first, each region’s municipalities were ranked in descending order of population, and then the top municipalities in each region were included in the sample (up to approximately 6.3%).

Figure 2 describes the distribution of the municipalities included in the sample across regions and displays the total number of municipalities in each region. Table 1 details the regional composition of the sample, and for each region, information on the largest and smallest municipalities and their population is provided. The largest municipality in the sample is Rome (2,872,800 inhabitants), and the smallest is Quart (4,066 inhabitants).

Documents published by municipalities were analyzed to detect whether risk management was performed. Risk management (and risk assessment) is new to the Italian public sector, and public organizations are likely to lack adequate competencies and knowledge to perform it. Therefore, to implement risk management, municipalities need to contract out at least some of these activities (Mussari and Sorrentino, 2017). By law (Legislative Decree 33/2013), to ensure transparency, public administration contracts with third parties (professionals, insurance or consultancy firms) must be published online. Therefore, municipalities that perform risk management activities can be identified through the contracts they sign with external professionals or other documents that disclose this information, such as tender documents, budgets, government plans, strategic plans, corruption and transparency plans.

Our research method uses content analysis, which requires codifying qualitative information. Some methodological choices were needed (Krippendorff, 1980). As regards the unit of analysis of the text (words, sentences, paragraphs, themes, etc.), we used the following words as both coding and counting units: risk identification, risk analysis and risk evaluation (Table 2). These words were selected on the basis of the theoretical conceptualizations of risk management stages by Lark (2015, p. 14).

QCA was chosen against the alternative approach of collecting information through questionnaires submitted to municipalities because it provides more objective data and information. The answers to questionnaires may be influenced by the attitudes of the respondents or, worse, by their desire to show that their organizations are (or are not) implementing a specific policy or programme. At this very early stage of risk management process development, these biases could be significant.

The qualitative information collected through the QCA was then analyzed through specific descriptive statistics and quantitative indicators to measure the extent to which risk management was performed and to assess its main features. Based on these quantitative, synthetic and comparable indicators, conclusions are drawn on risk management implementation by Italian municipalities, thus providing answers to the two initial research questions. Table 3 summarizes the descriptive statistics and indicators depicting the features of risk management processes in the sample of Italian municipalities.

In detail, S is the sample numerosity, and N is the number of municipalities in the sample that published documents on risk management (a percentage α of the total sample). The following three indicators related to risk assessment were measured: X₁, the absolute frequency of municipalities whose documents contained at least once the phrase “Risk identification”; X₂, the absolute frequency of municipalities whose documents contained at least once the phrase “Risk analysis”; and X₃, the absolute frequency of municipalities whose documents contained at least once the phrase “Risk evaluation”. These indicators were used to determine whether, in addition to declaring that risk management was in operation, municipalities were also actually implementing risk management measures. An additional indicator, X_max, indicates which of the three processes has the highest frequency. Furthermore, the N_sum provides information on how many municipalities in the sample display at least one of the three phrases identifying the fundamental stages of risk assessment. In addition, according to Lark (2015), only the joint presence of all three fundamental stages ensures that risk management is properly and effectively implemented. Therefore, the NX indicator was also measured, which gives the number of municipalities jointly performing all three activities (risk identification, risk analysis, risk evaluation).

Finally, to gain a better understanding of risk management practices in Italian municipalities, an additional indicator was measured: the absolute frequency of municipalities whose documents contained at least two of the three phrases that identify the fundamental stages of risk management (risk identification, risk analysis, risk evaluation), that is, any of the three possible pairwise combinations: X₁ X₂; X₁ X₃; and X₂ X₃.

The data reported in Table 4 distinctively for each Italian region, show that 366 municipalities (N), 73.2% of the selected sample (α), publish documents about their risk management activities.

In detail, α shows high variability across the 20 regions, varying from a minimum of 8% to a maximum of 100%. This finding suggests that in some regions, large municipalities are largely involved in risk management and confirms the initial hypothesis that risk management activities could show relevant territorial disparities in Italy. Three regions displaying particularly low percentages of publishing municipalities are in the center-south of the country (Umbria, Campania, and Calabria), and two are in the north (Trentino Alto Adige and Valle d’Aosta); interestingly, the latter two regions are characterized by rather small municipalities.

Only a subset of municipalities publishing documents on risk management also make reference to the three specific stages of risk management (risk identification, risk analysis, risk evaluation). The frequency analysis revealed that 205 of the 366 municipalities used the concept of “risk identification” (X₁) in their documents (56% of the total), 234 municipalities used the concept of “risk analysis” (X₂) (64% of the total), and 220 municipalities used “risk evaluation” (X₃) (60% of the total). Therefore, none of the processes were performed significantly more often than the others. However, risk analysis (X₂) is slightly more common throughout the sample. This information is conveyed by the indicator X_max, which measures, in each region, the most common phrase among the three (i.e. the one with the highest absolute frequency). For many regions, X_max cannot be defined, as there is no single phrase that has a higher frequency than the other two. However, if one phrase was more common, this was always X₂.

Turning to the indicator N_sum, at the country level, 238 out of 366 municipalities display at least one of the three crucial phrases. Therefore, approximately 65% of municipalities that publish documents perform at least one of the three critical stages of risk assessment processes.

Furthermore, NX is equal to 191 at the country level; thus, 191 municipalities perform all three fundamental activities that make up a risk assessment process. The percentage of municipalities performing all three activities is 52% at the country level (indicator NX/N), a rather high value, implying that more than half of the municipalities implementing risk management are performing all three fundamental processes. This indicator’s territorial distribution shows that regions with values above the national average are all in the center-north of the country (Piemonte, Veneto, Lazio, Emilia-Romagna, Abruzzo, Trentino Alto Adige, Toscana, Valle d’Aosta), with two exceptions: Basilicata, a southern region, has an indicator equal to 67% (above the national average). However, this result is not very informative due to the very limited number of municipalities from this region included in our sample. More interestingly, and somewhat unexpectedly, this indicator is only 34% in Lombardia, a northern region. There is not enough information to support a reasoned interpretation of this result. However, a comparison with the relative frequencies of X₁, X₂ and X₃ for the Lombardia region showed that the relative frequency of X₁ was significantly lower than 35% (X₁/N). Therefore, the rather low involvement in risk identification by the municipalities of Lombardia explains the low results in terms of the indicator NX. Why municipalities in Lombardia are more reluctant to contract out risk identification processes and, specifically, to disclose this information remains to be determined. However, this might also be due to the fact that municipalities in this region have internalized this process and that they externalize only the other two processes. Unfortunately, this is a mere hypothesis that can be tested only through a direct survey. However, this hypothesis is supported by the rather high values of the relative frequency of the other two processes, namely, risk analysis (X₂/N = 60%) and risk evaluation (X₃/N = 56%).

Finally, with reference to the pairwise frequency (X₁X₂, X₁X₃, X₂X₃), the pair X₂X₃ was the most frequently observed (215 municipalities out of 366), while the other two pairs were observed in 202 and 195 municipalities. This countrywide result is essentially driven by data from the three northern regions of Lombardia, Piemonte and Veneto, while in the other regions, there is no difference in the frequency of the three pairs. This finding suggests that risk identification is the least externalized process in these three northern regions. It is unclear whether this implies that municipalities in these regions internalized or neglected the risk identification process, but surely, this result suggests that the attitudes of these municipalities about the three fundamental processes of risk management display some degree of mimetic isomorphism (DiMaggio and Powell, 1983; Power et al., 2009). Overall, there is a greater propensity for externalizing (and thus implementing) risk analysis and evaluation rather than risk identification processes.

Overall, evidence suggests that risk management is performed by Italian municipalities and that risk recognition and management are becoming relevant issues.

Finally, Figures 3 and 4 depict the variability of the main indicators across Italian regions, and they account for significant differences. Figure 3 depicts α and NX/N. Figure 4 shows the relative frequencies X₁/N, X₂/N, and X₃/N. These figures graphically describe the above considerations and show the significant interregional differences.

The analysis and the data presented above provide interesting evidence on the two interrelated issues addressed in this paper and show how Italian municipalities embed risk management practices in their organizations.

Specifically, with reference to risk management implementation (RQ1), approximately 73% of the municipalities in the sample published documents about risk management activities. In addition, 63% performed at least one of the three critical risk assessment phases, and slightly more than half (52%) performed all the three of them. Therefore, municipalities are performing risk assessment activities to a good extent. Another notable result is that municipalities rely on external professionals to carry out all three types of fundamental risk assessment processes on their behalf (X₁/N = 55%, X₂/N = 64%; X₃/N = 60%). Indeed, Petak (1985) explains how risk management practices are rather specific and require adequate competencies to be carried out, to the extent that not all public administrations may have skilled personnel and technical tools and competencies to implement a control system to evaluate risk management and operational risks. This also implies a relevant problem of accountability, as Petak (1985, p. 5) clearly recognizes: “it is important to note that current decision-making approaches tend to put a great deal of power in the hand of technical experts and professional administrator who are not directly accountable to the public”. In another work, Young and Hood (2003) explain how local governments carry out risk management outsourcing. On this issue, Qiao (2007) investigates the origins of public risk management and the involvement in the risk management process of external professionals and advisors such as insurers or law firms.

The decision to outsource some of the risk assessment phases is a common practice among the municipalities analyzed, suggesting the existence of an isomorphic behavior of a mimetic type (DiMaggio and Powell, 1983; Power et al., 2009). In fact, no legislation obliges municipalities to outsource this specific activity. This interesting hypothesis deserves further investigation. The results from further research could improve the understanding of municipalities’ approaches to the introduction and implementation of new managerial processes. They could also shed more light on the existence and extent of isomorphic behavior and should focus on the rationale and effectiveness of such an attitude.

A further consideration concerns the website documents “layouts”, which are very similar and often exactly the same for different municipalities. Additionally, this result could be explained using the concept of mimetic isomorphism, where municipalities tend to imitate the behavior of other entities and emulate it. Specifically, in the Italian case, the absence of organic legislation on risk management implementation may have produced uncertainty in municipalities as to which practices to adopt. This uncertainty may have fed imitation and isomorphic behavior by municipalities seeking a less risky strategy.

Moreover, with regard to whether risk assessment is effectively implemented and properly performed (RQ2), the NX index details how risk assessment activities (identification, analysis and evaluation of risks) are developed in municipal organizations. It appears that in almost all regions, the three processes are jointly activated, with only a few large northern regions displaying a more complex configuration, characterized in particular by a lower externalization of risk analysis with respect to the other two processes. In this respect, while the reasons cannot be derived from our data, it is clear that some sort of isomorphic behavior characterizes these municipalities, which follow a similar approach. Evidence on isomorphic behavior is not new with reference to Italian public administration. In fact, since the early 1990s, Italian municipalities have displayed isomorphic behavior in implementing NPM reforms (Reginato et al., 2010). However, whether this approach is desirable remains to be determined. Surely, when a new process is introduced in an organization, isomorphism may help individuals find a way to implement novelty. However, in later stages, blind isomorphism may prevent effective innovations, correction of errors and efficient adaptation to individual organizations’ peculiarities. At this stage, differentiation and benchmarking across different organizations may be a much more useful and effective tool for improving managerial practices.

This paper provides a description of many facets of risk management in the public sector that are considered worth investigating (Hinna et al., 2018; Leung and Isaacs, 2008; Woods, 2009). It does so by focusing on a specific geographical and institutional setting, that of Italian municipalities, and derives conclusions that advance the understanding of this specific context but also shed light on the more general process of risk management introduction in the public sector, in particular with reference to the role of law obligations, external professionals, and mimetic isomorphism. It also contributes to providing evidence to fill some knowledge gaps that are identified by the existing theoretical and empirical literature.

First, this paper shows that risk management is performed by Italian municipalities, thus answering Hinna et al. (2018), who advocated for an investigation of “if” and “how” risk management is implemented in Italian public administrations. Our results show that risk management is embedded in public administration in Italian municipalities. In addition, it partially contributes to answering the second question (how), with a specific focus on the risk assessment process (Lark, 2015). Indeed, QCA shows that large Italian municipalities perform risk management by delegating risk management to external professionals. Moreover, the details on how risk management is implemented in the public sector allow us to draw conclusions on how managerial theories are, in practice, embraced by Italian municipalities. The evidence confirms Nilsen and Olsen’s (2005) conclusions about public managers’ behavior in municipalities when there are no guidelines for implementing risk management. Furthermore, this study provides a first focus on risk management in Italian municipalities and contributes to filling a gap in the literature (Bracci et al., 2021). Finally, we observed that for many risks, there are no provisions on how to implement risk management, and this is considered a risk itself (Vinnari and Skærbæk, 2014). The lack of guidelines could explain municipalities’ isomorphic behavior (DiMaggio and Powell, 1983; Power et al., 2009).

Although the analysis conducted in this paper unveils interesting facets of risk management in Italian municipalities, there is surely a need for further investigation to improve the understanding of risk management processes in the public domain. In particular, this study performed an analysis from an external perspective to understand if and how municipalities perform risk management; therefore, it did not allow us to collect details on the procedures implemented by public managers. It also does not allow us to derive information on whether there is a specific organizational culture or knowledge of risk management techniques; future research could study these aspects from an internal perspective to shed light on the proper implementation of risk management. Finally, the analysis did not investigate which types of risk were addressed. This is an additional area of interest, particularly because Italian public administrations are compelled by law to consider and manage some risks, such as corruption or environmental risks. Future research could investigate which types of risk are addressed and whether there are differences in the approaches to risk management between those for which there is a legal obligation to risk management and those for which such an obligation is not in place. This would shed further light on the role of law provision in risk management.

In addition, there is a need to investigate the extent to which competencies and knowledge about risk management are transferred from external professionals to public organizations and internalized by them. The extent to which public organizations are able to embed these practices in their organizational processes is crucial for the effective and lasting use of these approaches. Evidence on isomorphic behavior also calls for an investigation of the features of this attitude and whether it is mutually enriching or produces only a stubborn imitation (Hinna et al., 2018; Bracci et al., 2021).

The introduction of risk management in public administrations, particularly in Italian municipalities, is a work in progress, and its features are not yet fully understood. This study aims to improve the existing knowledge on this process for the purpose of contributing to theoretical understanding and improving practitioners’ actions.

The authors are listed in alphabetical order. Each author participated equally in the work.