| Key Takeaways |
| 92% of capital projects fail to deliver predicted outcomes on time and on budget (Accenture, 2025). Only 6% of organizations consistently meet targets, saving an average of 14% of project costs through effective risk management. Complex projects magnify these failure rates. |
| Complex projects differ from standard projects in four dimensions: technical uncertainty, stakeholder multiplicity, interdependency density, and environmental volatility (VUCA). Each dimension amplifies risk in ways that standard risk matrices cannot capture. |
| The six-step complex project risk management process (Identify, Analyze, Evaluate, Treat, Monitor, Communicate) must be adapted with probabilistic tools: Monte Carlo simulation replaces single-point estimates, scenario analysis replaces static heatmaps, and integrated cost-schedule models replace separate budget and timeline tracking. |
| Risk ownership is the single biggest predictor of treatment effectiveness. Every identified risk must have a named owner with the authority and resources to act. Unowned risks are unmanaged risks. |
| Stakeholder complexity is a distinct risk category in complex projects. Multi-party governance, competing objectives, and communication chain length all increase the probability that decisions are delayed, misunderstood, or reversed. |
| A risk register alone is insufficient. Complex projects require a risk breakdown structure (RBS), an integrated risk-schedule model, a stakeholder risk map, and a contingency drawdown plan that links reserves to specific trigger events. |
| A 90-day roadmap takes complex project teams from ad hoc risk tracking to a structured, probabilistic risk management capability aligned with ISO 31000 and PMI standards. |
Accenture’s 2025 Blueprint for Success report found that 92% of capital projects fail to deliver predicted outcomes on time and on budget. The majority, 66% of organizations, miss targets by over 10%, suffering average cost overruns of 29%.
Gartner’s research puts the opportunity cost from delayed product launches due to unmanaged risks at $99 million annually for a typical $5 billion revenue company.
These are not abstract statistics. They represent real projects staffed by competent teams that underestimated how complexity amplifies risk.
Standard project risk management works well on straightforward projects with clear scope, stable requirements, and limited stakeholder complexity. Complex projects break those assumptions.
Technical novelty introduces uncertainty that historical data cannot predict. Multiple interdependent workstreams create cascading failure paths where a delay in one package propagates through the entire schedule.
Stakeholder networks with competing objectives generate governance risks that purely technical risk models overlook.
This guide provides the framework, tools, and techniques that distinguish risk management in complex projects from risk management in routine ones.
Each section anchors to ISO 31000, COSO ERM, and PMI’s Practice Standard for Project Risk Management, with practitioner-ready tables, worked examples, and a 90-day implementation roadmap.
What Makes a Project Complex?
Not every large project is complex, and not every complex project is large. Complexity is a function of uncertainty, interdependence, and stakeholder dynamics, not just budget size.
The VUCA framework (Volatility, Uncertainty, Complexity, Ambiguity) describes the operating environment of complex projects.
The table below defines the four complexity dimensions and maps each to the specific risk management implications.
Four Dimensions of Project Complexity and Their Risk Implications
| Complexity Dimension | Definition | Risk Implication | Risk Management Response |
| Technical Uncertainty | The project involves novel technology, unproven methods, or first-of-kind integration that cannot be fully specified at the planning stage. | Requirements may change as understanding evolves. Estimation accuracy is low. Design-build iteration creates rework loops. | Use probabilistic estimation (three-point, Monte Carlo). Plan iterative risk reassessment at each design gate. Build prototyping and testing into the schedule with buffer. |
| Stakeholder Multiplicity | Multiple parties (sponsors, regulators, communities, contractors, end-users) with different objectives, risk tolerances, and decision-making authority. | Governance delays. Conflicting requirements. Scope changes driven by political rather than technical factors. Communication failures across organizational boundaries. | Build a stakeholder risk map. Assign a risk liaison to each stakeholder group. Include governance risk as a formal category in the risk register. |
| Interdependency Density | The project has many work packages with finish-to-start or resource dependencies, where a delay in one package cascades through the schedule. | Schedule risk is non-linear: a single-week delay on a critical path task can add three weeks to project completion. Cost risk amplifies because time-dependent costs accumulate. | Use integrated cost-schedule risk analysis. Run Monte Carlo on the network schedule. Identify convergence points where multiple dependencies meet. |
| Environmental Volatility | The project operates in a VUCA environment: volatile markets, uncertain regulations, complex supply chains, and ambiguous success criteria. | External risks (commodity prices, regulatory changes, geopolitical events) can invalidate assumptions mid-project. Planning horizons are short. | Conduct quarterly horizon scanning. Build scenario-based contingency plans. Use contractual mechanisms (escalation clauses, force majeure) to share external risk. |
A project scoring high on two or more of these dimensions qualifies as complex and requires the enhanced risk management approaches described in this guide.
A standard construction project with proven technology, a single client, and a stable regulatory environment does not.
An AI-driven healthcare platform with a government sponsor, three technology vendors, and pending privacy regulations scores high on all four dimensions and demands the full complex-project toolkit.
The Six-Step Complex Project Risk Management Process
The risk management process defined by ISO 31000 (Identify, Analyze, Evaluate, Treat, Monitor, Communicate) applies to all projects.
Complex projects do not need a different process; they need enhanced techniques within each step. The table below maps each step to the specific tools that address complexity.
| Step | Objective | Standard Project Technique | Complex Project Enhancement | Key Output |
| 1. Identify | Surface all risks that could affect project objectives | Brainstorming, checklists, lessons learned | Risk breakdown structure (RBS) across technical, stakeholder, schedule, cost, environmental categories. Structured interviews with all contractor and vendor leads. Assumption analysis. | Comprehensive risk register with 50-200 risks categorized by RBS. Assumption log with explicit uncertainty ranges. |
| 2. Analyze | Understand likelihood, impact, and interdependencies | 5×5 risk matrix (qualitative) | Monte Carlo simulation on schedule and cost. Sensitivity analysis (tornado charts). Bow-tie analysis for high-consequence risks. Correlation modeling between linked risks. | Probability distributions for total cost and schedule. Top 10 risk drivers identified via tornado chart. Bow-tie diagrams for top 5 risks. |
| 3. Evaluate | Compare risks against appetite to prioritize treatment | Risk ranking by residual score | Overlay Monte Carlo outputs on risk appetite thresholds. Compare P50, P80, P95 confidence levels against approved budget and schedule. Flag risks that push the project beyond appetite. | Prioritized treatment list. P-level budget recommendation. Risks exceeding appetite flagged for executive decision. |
| 4. Treat | Select and implement treatment plans for prioritized risks | Avoid, reduce, transfer, accept | Add contingency reserves tied to specific risk triggers (not a single lump sum). Negotiate risk-sharing mechanisms in contracts (FFP vs. cost-plus). Pre-position fall-back plans for critical path risks. | Treatment action register with owners, budgets, and trigger conditions. Contract risk allocation matrix. Contingency drawdown plan. |
| 5. Monitor | Track risk status and treatment effectiveness over time | Monthly risk register review | Real-time KRI dashboards with automated threshold alerts. Earned value analysis integrated with risk data. Quarterly risk reassessment with updated Monte Carlo runs. | Monthly risk report. KRI dashboard. Quarterly re-baselined Monte Carlo outputs. Trend analysis on risk exposure. |
| 6. Communicate | Keep all stakeholders informed and aligned on risk status | Status report to project sponsor | Tiered communication plan: weekly operational risk updates to project team, monthly risk committee report, quarterly board summary. Stakeholder-specific risk narratives. | Communication plan document. Tiered report templates. Stakeholder feedback loop. |
The most critical enhancement is Step 2 (Analyze). Standard qualitative scoring (5×5 matrix) breaks down on complex projects because the matrix treats each risk as independent and assigns a single point estimate.
Complex projects have correlated risks: if one vendor is late, the integration work is delayed, which delays testing, which delays commissioning. Monte Carlo simulation captures these cascading dependencies by running thousands of iterations through the full project network.
Risk Identification: Building the Risk Breakdown Structure
Complex projects typically generate 50-200 identified risks, far too many to manage without structure.
The Risk Breakdown Structure (RBS) organizes risks into categories and subcategories, just as the Work Breakdown Structure (WBS) organizes scope.
The table below provides an RBS template designed for complex projects.
Risk Breakdown Structure Template
| Level 1 Category | Level 2 Subcategory | Example Risks | Identification Technique |
| Technical | Design and engineering | Unproven technology fails integration testing. Design assumptions invalidated by field conditions. Rework due to late-stage specification changes. | Assumption analysis, expert interviews, prototype testing, lessons learned from analogous projects |
| Technical | Quality and performance | Deliverable does not meet performance specifications. Testing reveals latent defects. Supplier quality below standard. | Quality risk assessment, supplier audits, acceptance criteria review |
| Schedule | Dependencies and critical path | Critical path task delayed by vendor. Convergence point where 4+ work packages merge. Resource conflict between parallel tasks. | Network schedule analysis, Monte Carlo simulation, resource leveling |
| Schedule | Approvals and permits | Regulatory approval delayed beyond planned date. Environmental permit conditions change mid-project. Client sign-off delayed by internal governance. | Regulatory timeline analysis, stakeholder risk mapping, permit dependency register |
| Cost | Estimation accuracy | Base estimate underestimates complexity. Labor rates escalate beyond forecast. Currency fluctuation on international procurement. | Three-point estimation, historical benchmarking, sensitivity analysis |
| Cost | Scope and change management | Scope creep adds unplanned deliverables. Change orders accumulate beyond contingency. Gold-plating by engineering teams. | Change control process, earned value tracking, scope baseline monitoring |
| Stakeholder | Governance and decision-making | Sponsor changes mid-project. Steering committee cannot reach consensus. Conflicting directives from multiple stakeholder groups. | Stakeholder analysis, governance risk register, RACI matrix review |
| Stakeholder | Communication | Information loss across organizational boundaries. Contractor-to-client communication chain too long. Language or cultural barriers on international projects. | Communication plan review, stakeholder interviews, lessons learned |
| External | Market and supply chain | Commodity price spike. Key supplier exits the market. Trade restrictions on imported materials. | Supply chain risk assessment, market monitoring, scenario analysis |
| External | Regulatory and environmental | New regulation enacted mid-project. Environmental incident triggers stop-work order. Community opposition delays permitting. | Regulatory horizon scanning, environmental impact review, community engagement plan |
The RBS should be populated during the project planning phase through a combination of risk identification techniques: structured workshops with all work package leads, one-on-one interviews with the project sponsor and key contractors, and historical data mining from analogous completed projects.
Project risk assessments should be repeated at each major gate review, adding new risks and closing risks that have been fully mitigated or have expired.
Quantitative Risk Analysis: Monte Carlo and Sensitivity Techniques
On complex projects, qualitative heatmaps provide a starting point but not a sufficient basis for budget and schedule decisions.
Monte Carlo simulation and sensitivity analysis via tornado charts convert qualitative risk data into probability distributions that leadership can use to set budgets at defined confidence levels.
Integrated Cost-Schedule Risk Analysis: How to Build the Model
| Step | Description |
| 1 | Map the project schedule in a network model (e.g., Primavera, MS Project). Define all task dependencies, durations, and resource assignments. |
| 2 | Assign three-point duration estimates (optimistic, most likely, pessimistic) to each task. Use historical data, expert judgment, and analogous project benchmarks to calibrate. |
| 3 | Assign three-point cost estimates to each cost element. Separate time-dependent costs (labor burn rates, equipment rental) from time-independent costs (material purchases, licenses). |
| 4 | Identify correlations between tasks. If two tasks share the same supplier, they are positively correlated: if one is late, the other is likely late. Model correlations at 0.3-0.7 depending on strength. |
| 5 | Add discrete risk events from the risk register. Each event has a probability of occurrence and an impact on specific tasks (schedule delay) and/or cost elements (cost increase). |
| 6 | Run 5,000-10,000 Monte Carlo iterations. Each iteration samples from all distributions, applies correlations, activates risk events probabilistically, and calculates total project cost and completion date. |
| 7 | Generate outputs: S-curve (cumulative probability of total cost), schedule distribution (cumulative probability of completion date), and tornado chart (sensitivity of each input variable to total outcome). |
| 8 | Present P50, P80, and P95 confidence levels to the steering committee. Recommend the budget and schedule at the P80 level (80% confidence), with the P50-P80 difference funded as contingency. |
The three-point estimation technique provides the input distributions. The tornado chart shows which tasks and risk events drive the most variance, focusing management attention on the two or three variables that matter most.
Scenario analysis should supplement Monte Carlo by testing named scenarios: “what if the vendor delivers 8 weeks late?” or “what if the regulatory approval requires a design change?” These named scenarios give the steering committee concrete stories to reason about, not just probability curves.
Risk Treatment and Ownership in Complex Projects
Risk treatment in complex projects goes beyond the standard four options (avoid, reduce, transfer, accept).
Complex projects add two critical elements: contractual risk allocation and contingency trigger mechanisms. The table below maps treatment strategies to the complexity dimensions that drive them.
| Treatment Strategy | When to Apply | Example in Complex Projects | Risk Owner | Success Metric |
| Avoid | Risk exceeds appetite and is caused by a discretionary scope element | Remove a non-critical feature that requires unproven technology. Reject a subcontractor with a poor track record. | Project Manager | Avoided risk does not materialize; scope reduction accepted by sponsor. |
| Reduce (Mitigate) | Risk can be lowered through additional controls, resources, or schedule buffer | Add a parallel testing track to compress the critical path. Deploy two suppliers rather than one for critical materials. | Work Package Lead | Residual risk score reduced by 50%+ after mitigation action. |
| Transfer | A third party can manage the risk more effectively | Negotiate a fixed-price contract with the vendor (transfers cost risk). Purchase builder’s risk insurance for the construction phase. | Procurement / Legal | Contractual risk allocation documented. Insurance coverage confirmed. |
| Share | The risk is too large for one party and must be distributed across the project coalition | Joint venture structure where parties share cost overrun above a defined threshold. Public-private partnership with government absorbing regulatory risk. | Project Sponsor / Commercial Lead | Risk-sharing agreement executed and funded. |
| Accept (with contingency) | Risk is within appetite but must be funded if the risk materializes | Accept the 25% probability of a 4-week weather delay on an outdoor construction phase. Fund a $400K contingency reserve tied to a weather-delay trigger. | Risk Owner + PMO | Contingency reserve available and released only when the trigger event occurs. |
| Escalate | Risk exceeds the project team’s authority to manage | Regulatory change that requires a strategic business decision beyond the project scope. Geopolitical risk affecting the entire supply chain. | Project Sponsor / Executive Committee | Risk escalated to the appropriate governance level within 48 hours. Decision and action documented. |
Risk ownership is the single biggest predictor of treatment effectiveness. On complex projects, risk ownership must be specific: a named individual with the authority and budget to act. “The project team” is not a valid owner.
Risk registers must enforce this rule by making the owner field mandatory and flagging any risk without a named owner as an open governance gap.
Monitoring and Reporting: Keeping Complex Risks Visible
Complex projects require monitoring frequency and depth that go beyond monthly risk register reviews. The table below defines a tiered monitoring approach that matches reporting frequency to risk severity and audience.
| Monitoring Activity | Frequency | Audience | Inputs | Output |
| Risk register update (new, changed, closed risks) | Weekly | Project Manager, Risk Coordinator | Work package status reports, incident logs, change requests | Updated risk register; new risk alert notifications |
| KRI dashboard review | Weekly | Project Manager, Work Package Leads | KRI data feeds (schedule performance index, cost performance index, open issues count) | KRI dashboard with RAG status and trend arrows |
| Monthly risk committee report | Monthly | Project Steering Committee | Aggregated risk register, KRI dashboard, contingency drawdown status | One-page risk summary + detailed appendix; decision requests |
| Monte Carlo re-run (schedule and cost) | Quarterly or at each gate review | Project Sponsor, Finance Lead | Updated schedule, revised cost estimates, refreshed risk probabilities | Re-baselined S-curve; updated P50/P80/P95 confidence levels |
| Scenario stress test | Quarterly | Steering Committee, Key Contractors | Named scenarios (vendor failure, regulatory change, weather event) | Stress test report; contingency adequacy assessment |
| Lessons learned capture | At each phase gate and project close | PMO, Future Project Teams | Post-gate reviews, incident reports, treatment effectiveness data | Lessons learned register; recommendations for future projects |
Earned Value Management (EVM) is an essential monitoring tool on complex projects because EVM integrates scope, schedule, and cost performance into a single framework.
The Schedule Performance Index (SPI) and Cost Performance Index (CPI) serve as KRIs that trigger risk escalation when they fall below 0.90.
Key risk indicators should be connected directly to the risk register: when a KRI breaches its threshold, the linked risk is automatically flagged for review. KRI dashboard best practices provide the design patterns for building this automated feedback loop.
Aligning Complex Project Risk to ISO 31000 and COSO ERM
| Complex Project Risk Activity | ISO 31000 Alignment | COSO ERM / PMI Alignment |
| Build the Risk Breakdown Structure | Clause 6.4.2: Identify sources, events, causes, consequences systematically | PMI PMBOK: Risk Identification process. COSO: Strategy & Objective-Setting. |
| Run Monte Carlo cost-schedule analysis | Clause 6.4.3: Analyze risk using quantitative methods where data supports them | PMI Practice Standard: Quantitative Risk Analysis. COSO: Performance (assess severity). |
| Compare P-levels against risk appetite | Clause 6.4.4: Evaluate risks against criteria to determine treatment priority | COSO: Performance (risk appetite comparison). PMI: Plan Risk Responses. |
| Assign named risk owners with authority | Clause 5.4.4: Accountability for risk management at all levels | COSO: Governance & Culture (assigns authority and accountability). |
| Tie contingency reserves to trigger events | Clause 6.5: Select and implement treatment that modifies risk | PMI: Contingency Reserve Analysis. COSO: Review & Revision. |
| Monthly KRI monitoring with automated alerts | Clause 6.6: Monitor effectiveness and detect changes in risk context | PMI: Monitor Risks process. COSO: Information, Communication & Reporting. |
The three lines model adapts to project settings: the project team (first line) owns risk identification and treatment execution; the PMO or risk management function (second line) validates, aggregates, and reports; internal audit (third line) periodically reviews the effectiveness of the project risk management process against the organization’s standards.
Implementation Roadmap
| Phase | Actions | Deliverables | Success Metrics |
| Days 1-30: Foundation | Define project complexity dimensions (score each VUCA dimension). Build the Risk Breakdown Structure. Conduct the initial risk identification workshop (target: 50+ risks). Assign risk owners. Select three-point estimation as the baseline quantitative method. | Complexity assessment scorecard. RBS template customized to the project. Populated risk register (50+ risks with owners). Three-point estimation training for work package leads. | Complexity assessment completed. 50+ risks identified and categorized by RBS. 100% of risks have named owners. All work package leads trained on three-point estimation. |
| Days 31-60: Build | Run the first Monte Carlo simulation on the integrated cost-schedule model. Produce tornado chart sensitivity analysis. Set P80 budget and schedule recommendation. Establish the KRI dashboard with SPI, CPI, and top 5 risk-specific indicators. Design the tiered communication plan. | Monte Carlo S-curves (cost and schedule). Tornado chart identifying top 10 risk drivers. P80 budget recommendation to steering committee. KRI dashboard (prototype). Communication plan document. | Monte Carlo results reviewed by the steering committee. P80 budget approved. KRI dashboard operational. Communication plan signed off by the sponsor. |
| Days 61-90: Operationalize | Launch weekly risk register updates and KRI monitoring. Deliver the first monthly risk committee report. Tie contingency reserves to specific trigger events in a drawdown plan. Conduct the first quarterly scenario stress test. Capture lessons learned from the planning phase. | First monthly risk report. Contingency drawdown plan with triggers. First stress test report. Phase-gate lessons learned document. | Monthly report delivered on schedule. Contingency drawdown plan approved by the sponsor. At least one risk treatment action triggered by KRI monitoring. Lessons learned documented and shared with the PMO. |
Common Pitfalls and How to Avoid Them
| Pitfall | Root Cause | Remedy |
| Treating complex projects with standard risk tools | The PMO applies the same 5×5 matrix and monthly register review to a $500M megaproject as to a $2M internal initiative | Score project complexity using the four-dimension model. Apply enhanced tools (Monte Carlo, RBS, integrated cost-schedule analysis) to any project scoring high on 2+ dimensions. |
| Single-point budget estimates presented as commitments | Leadership interprets the base estimate as the budget, leaving no room for the uncertainty inherent in complex work | Present every budget with a confidence level. “The P50 estimate is $48M; the P80 estimate is $54M. Funding at P80 gives us an 80% chance of staying within budget.” |
| Risk register with 200 risks and no prioritization | The team identifies risks thoroughly but never completes the analysis and evaluation steps, leaving a flat list with no action hierarchy | Run Monte Carlo and tornado analysis. Rank risks by contribution to total cost and schedule variance. Focus treatment resources on the top 10-15 risks that drive 80% of the uncertainty. |
| Risk ownership assigned to committees, not individuals | “The steering committee owns this risk” means nobody owns the risk | Assign one named individual per risk. The individual must have budget authority and decision-making power proportional to the risk severity. |
| Contingency reserves treated as a single lump sum | A $5M contingency exists but is not linked to specific risks, making the reserve a slush fund that gets consumed by scope creep | Create a contingency drawdown plan that links each reserve portion to a specific risk trigger. Release contingency only when the trigger event occurs or the risk expires. |
| Risk management stops after the planning phase | The team builds a thorough risk register during planning, then never updates the register as the project progresses through execution | Embed risk review into the weekly project cadence. Re-run Monte Carlo quarterly. Add new risks from change requests, incidents, and stakeholder feedback continuously. |
Looking Ahead: Complex Project Risk Management 2025-2027
AI-driven risk analytics are entering complex project management. Predictive models trained on historical project data can flag schedule delays before they occur by detecting patterns in EVM data, change order frequency, and resource utilization.
Organizations using AI-enhanced tools identify and contain issues faster, according to research across multiple sectors. Expect AI to augment, not replace, Monte Carlo simulation by improving the calibration of input distributions and detecting risk correlations that human analysts miss.
Integrated project delivery (IPD) and collaborative contracting are changing how risk is allocated on complex projects. Rather than transferring risk through adversarial fixed-price contracts, IPD models share risk and reward across the project coalition, aligning incentives and reducing disputes.
This contractual innovation requires risk management to extend beyond the project boundary into the entire supply chain, linking third-party risk management and supply chain resilience to the project risk register.
Climate risk is becoming a standard risk category on long-duration infrastructure projects. Business impact analysis for construction projects now includes extreme weather scenarios, heat-stress days that reduce labor productivity, and flood risk to site access.
Projects that fail to account for climate variability in their Monte Carlo models will systematically underestimate both cost and schedule risk. Scenario analysis and stress testing should include at least one climate-related scenario on any project with a duration exceeding 18 months.
Complex projects will always carry more risk than simple ones. That is the nature of doing novel, interdependent, multi-stakeholder work. The difference between organizations that deliver complex projects successfully and those that do not comes down to one thing: the quality of their risk management.
The teams that invest in probabilistic analysis, named ownership, trigger-based contingency, and continuous monitoring will outperform those relying on static heatmaps and annual risk reviews. The data is clear: effective risk management saves an average of 14% of project costs. On a $100M complex project, that is $14M in value protected.
Ready to improve risk management on your complex projects? Visit riskpublishing.com to access risk register templates, Monte Carlo guides, and project risk assessment frameworks. Need a tailored risk management workshop? Contact our consulting team to design a program calibrated to your project’s complexity profile.
References
1. ISO 31000:2018 Risk Management Guidelines — International Organization for Standardization
2. ISO/IEC 31010:2019 Risk Assessment Techniques — International Electrotechnical Commission
3. COSO Enterprise Risk Management Framework — Committee of Sponsoring Organizations
4. PMI Practice Standard for Project Risk Management — Project Management Institute
5. Accenture 2025 Blueprint for Success: Capital Project Performance — Accenture
6. Project Risk Management 2025: 5-Step Framework for PMO Success — Cora Systems
7. Integrated Cost and Schedule Project Risk Analysis — PMI (Hulett, 2004)
8. Top 5 Biggest Types of Risks for Mega-Projects — Safran Risk Management
9. The State of Enterprise Risk Management, 2025 — Forrester Research
10. NASA: Assessments of Major Projects, GAO-25-107591 — U.S. Government Accountability Office
11. 2025 Global GRC Benchmarking Survey — McKinsey & Company
12. Cost of a Data Breach Report 2024 — IBM Security
13. NIST Cybersecurity Framework 2.0 — National Institute of Standards and Technology 14. 2025 KPMG Business Resiliency Survey — KPM
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.