Article

Risk Management Practices in the Purchasing System of an Automotive Company

1 Centro ALGORITMI, University of Minho, 4710-057 Guimarães, Portugal
2 Engineering and Industrial Management, University of Minho, 4710-057 Guimarães, Portugal
* Author to whom correspondence should be addressed.
Systems 2025, 13(6), 444; https://doi.org/10.3390/systems13060444
Submission received: 1 May 2025 / Revised: 3 June 2025 / Accepted: 5 June 2025 / Published: 6 June 2025

Abstract

This paper presents the results of a case study conducted in the purchasing department of Bosch Car Multimedia Portugal, aiming to analyze and improve risk management practices within its project environment. Projects in this department are characterized by high complexity and uncertainty, making effective risk management essential. The study adopts a multi-method qualitative approach, integrating document analysis, direct observation, semi-structured interviews, and questionnaires. A comprehensive literature review established the theoretical foundation and guided the identification of best practices in project risk management. The field research revealed significant gaps in the structuring, standardization, and cultural integration of risk management processes. A comparative analysis between theoretical models and current practices led to the development of a tailored risk management framework, including a practical good-practices manual and a workshop format designed to promote internal engagement and capacity-building. This work contributes both theoretically—by validating literature-based models in an industrial setting—and practically, by offering replicable tools for similar departments in the automotive sector. The findings highlight the necessity of fostering a proactive risk culture to ensure the sustained implementation and effectiveness of the proposed measures.

1. Introduction

The current business scenario has become increasingly challenging, forcing organizations to compete intensely to remain in the market [1,2]. The current situation points to a more competitive future, where only those capable of doing more and better with fewer resources will stand out in the industrial scenario [3]. In this context, particularly in the automotive industry, risk management plays a crucial role [4]. The current imposition of constant challenges requires increasingly rapid and innovative responses, sometimes including the implementation of new projects, in order to ensure that market developments remain up to date [5]. Companies in the automotive sector are, therefore, faced with the need to launch increasingly innovative and efficient products, within the requested deadlines, while minimizing the risks associated with these ventures in a sector characterized by rapid technological changes and high demands in the global market [6]. This pressure for change is driving companies to deeply reevaluate their structures, design strategies and operating systems, aiming not only to survive but also to stand out in an increasingly saturated environment [6]. It is critical to understand and effectively manage decisions related to ordering parts and equipment over the long term [7]. Anticipating and proactively responding to market fluctuations and changes in raw material prices, ensuring product quality and optimizing costs, are fundamental aspects for success and competitiveness [8]. Preventive quality is considered one of the tools for success in the automotive industry [9]. Any change involves uncertainty and entails threats to be mitigated and opportunities to be explored [10]. The effect that this uncertainty has on an organization’s objectives is called risk. These are managed through their identification and analysis, treating them in a way that satisfies defined criteria [11].
Risk management can be applied at any time and to any function, activity, or project [4]. Risk management is essential to mitigate the challenges and uncertainties inherent to projects in the automotive industry [12]. This includes proactively identifying and analyzing risks related to suppliers, emerging technologies, government regulations, and market fluctuations, among others [13]. By effectively anticipating and responding to risks, companies can minimize production disruptions, avoid additional costs, and protect their reputation in the market [14]. By adopting strategic approaches and using appropriate project and risk management tools, automotive companies can gain competitive advantage, drive innovation, and ensure their long-term sustainability [15].
The main objective of this research was to develop a risk management strategy to support sales department teams in long-term purchasing planning. The challenge was to develop a plan for the process of ordering mold parts and tools approximately 2 years in advance, minimizing the identified risks and safeguarding the interests of the company, Bosch Car Multimedia Portugal, S.A., contributing to organizational success. The plan drawn up to successfully achieve this objective consisted of the following:
  • Understand the current state of the long-term procurement planning process and characterize the current approach to risk management;
  • Identify the main risks associated with the current risk management approach;
  • Define premises based on Bosch guidelines and risk management principles;
  • Create a risk management strategy to support the department;
  • Develop a strategy/manual of good practices, which incorporates a solution based on the defined premises and allows for better decision making;
  • Draw up a future action plan with potential improvements.
After this research, the company is expected to be able to anticipate and proactively respond to existing risks, in particular, to fluctuations in market demand, maintaining an adequate balance between supply and demand, avoiding excess or deficit of stocks. Furthermore, it is expected to be better equipped to manage production costs efficiently, protecting itself against increases in raw material prices and maintaining sustainable profit margins. It is also expected to improve the quality and effectiveness of the tools ordered, minimizing problems and rework in production. Finally, we expect that the company will be able to adapt quickly to political, regulatory, and market changes, cultivating strong and trusting relationships with suppliers. By achieving expected results, the company can be better prepared to face future challenges and opportunities, promoting long-term growth and success.
Given the objectives outlined, the research questions (RQ) were as follows:
RQ1: What is the impact of risk management on the planning of the direct purchasing department in an automotive industry company?
RQ2: How to improve the risk management system of the direct purchasing department in an automotive industry company?
After this introduction (Section 1), Section 2 will present a literature review that will focus on introducing the main concepts about risk and risk management (Section 2.1), risk management processes (Section 2.2), and the importance of risk management to organizations (Section 2.3). Section 3 discusses the materials and methods used in the research, presenting the research philosophy and design (Section 3.1), the data collection methods (Section 3.2), the participants (Section 3.3), validity, reliability, and rigor (Section 3.4), and scope and limitations (Section 3.5). Section 4 presents the case study. Section 5 presents the results of the data collection, including a thematic analysis of interview data. Section 6 presents the proposal to improve risk management. Section 7 presents a discussion of the results, focusing on the topics organizational culture and risk maturity (Section 7.1), process structuring at the project level (Section 7.2), tool utilization and practical limitations (Section 7.3), and continuous monitoring and lessons learned (Section 7.4). The paper concludes in Section 8 with a summary of contributions (Section 8.1), challenges and considerations (Section 8.2), and study limitations and future research (Section 8.3).

2. Literature Review

2.1. Risk and Risk Management

Organizations of all types and sectors face various risks that can have a negative or positive influence on defined objectives [16]. In order to move towards success, an organization must be committed to approaching risk management proactively and consistently. This increases the probability of success and reduces both the probability of failure and the uncertainty of achieving the organization’s global objectives [17].
According to the International Organization for Standardization (ISO) [18], risk can be defined as an uncertain event or condition that, in the event of occurrence, has a positive or negative impact on the objectives of a project. It involves the combination of the probability of an event occurring and its consequences, and may be influenced by internal and external factors, including environmental, financial, operational, regulatory, and strategic uncertainties. Any change brings with it uncertainties, but it is also closely linked to opportunities [10].
Risk management is a process by which organizations analyze the risks inherent to their activities and which requires the systematic application of risk management procedures aimed at controlling risks in order to ensure that objectives are achieved in the most efficient and effective way possible [19]. This systematic application, called risk management, includes procedures for identifying, analyzing, evaluating, treating, monitoring, and reviewing these uncertain events, aiming to maximize opportunities and minimize threats, contributing to informed decision making and the sustainability of organizational operations and strategies [20]. Raz and Hillson [21] provide a comparative analysis of prevailing risk management standards, highlighting both their commonalities and gaps, and emphasizing the need for adaptable frameworks that can be tailored to the specific contexts of diverse projects. Kerzner [22] highlights that effective risk management is a fundamental component of successful project execution, emphasizing the need for an integrated, systems-oriented approach to planning, scheduling, and controlling project activities.

2.2. Risk Management Processes

Risk management processes can vary slightly depending on the source or author, but they generally follow a similar structure. According to ISO [18], the risk management process is divided into six stages, ordered as follows: risk management planning, risk identification, qualitative and quantitative risk analysis, risk response planning, risk response implementation, and risk monitoring.
The objective of risk management planning is to define how the different activities should be conducted for project risk management, namely, with regard to the development of a global risk management strategy for the project, the decision on how this management should be carried out, and, also, the integration of this strategy with all other project management activities [18].
A risk cannot be mitigated unless it is identified [23]. According to ISO-31000 [18], an organization must identify risk sources, impact areas, events, causes, and possible consequences [24]. The purpose of this step is to create a detailed list of risks based on the events that can create, enhance, prevent, degrade, accelerate, or delay the achievement of objectives [25]. It is also important to identify the risks associated with not pursuing a particular opportunity [26]. Identification must include risks, regardless of whether their origin is under the organization’s control or not, since if they are not included in the initial phase, they will not be considered for analysis in the following stages [27]. Risk identification should include an analysis of the indirect effects of specific consequences, including cascading and cumulative effects [28].
After identifying the risks, it is crucial to carry out their analysis. Qualitative risk analysis provides input for assessing risks and making decisions about whether or not to act on them. It also serves as an aid in building the most appropriate risk treatment strategies and methods [29]. The process of carrying out qualitative risk analysis aims to prioritize the identified risks [30], evaluating the probability of the risk occurring and its effect on the project objectives, if it occurs, for subsequent quantitative analysis and action. The probability and impact matrix (P-I Matrix) is a tool widely used in qualitative risk assessment [31]. This matrix combines estimates of the probability of occurrence and the impact a risk may have on project objectives. Based on this combination, risks are classified into low, moderate, and high levels. This approach allows for a clearer understanding of potential risks and helps in prioritizing appropriate response actions [32].
After the qualitative assessment of risks and identification of the most significant ones, it is crucial to carry out a quantitative analysis [33,34]. This stage involves a more accurate numerical assessment of the effects of previously identified risks, providing a solid basis for prioritizing risks and taking corrective measures that reduce uncertainty in projects [30]. Although more accurate and objective, this analysis is often expensive and time-consuming to implement [35]. Quantitative analysis employs techniques such as decision trees, sensitivity analysis, and simulation to quantify possible project outcomes, along with their associated probabilities [36]. This enables more informed decision making in the face of uncertainty, contributing to effective project management [23].
Risk response planning has the function of developing options and determining appropriate actions to deal with threats, by reducing them, and with opportunities, by exploring them, taking into account the priority of the individual risk and the overall risk for the project [37]. At this point, the person responsible for the risk should activate the risk response plans delegated to him/her, ensuring the effectiveness of the risk response and, if necessary, planning additional risk responses [23].
According to the Project Management Institute (PMI) [23], implementing risk responses involves identifying and selecting appropriate actions for each individual risk as well as for the overall project. These responses are then integrated into a project management plan with the aim of minimizing threats to project objectives. For threats, four primary response strategies are defined: avoid, mitigate, transfer, and accept [38]. Hillson [39] expands on this by emphasizing that effective risk management should address not only threats but also opportunities. By proactively identifying and exploiting opportunities, organizations can enhance project value. Accordingly, the four typical response strategies for opportunities are explore, improve, share, and accept [38].
Risk monitoring and review should be a planned part of the risk management process and involve regular verification. This can occur periodically or for a specific purpose. This frequency should be determined based on the level of risk and the complexity of the project. Effective risk monitoring ensures that staff are aware of changes in the likelihood or impact of risks and can take timely action to address these changes [40].

2.3. The Importance of Risk Management

Recent studies emphasize the importance of embedding risk management into broader management control systems. Monazzam and Crawford [41] illustrate how a Swedish iron ore producer transitioned from a traditional risk management approach to an Enterprise Risk Management (ERM) system, integrating risk considerations into strategic planning and decision-making processes. This integration fosters resilience by aligning risk awareness with organizational objectives. Kutsch and Hall [42] argue that risk management in projects must account for the intervening conditions that influence decision-making under uncertainty, highlighting the limitations of purely rational approaches in complex and dynamic environments. Effective risk management requires a holistic understanding of both technical and human factors, stressing the importance of communication, stakeholder engagement, and organizational culture in shaping risk responses throughout the project lifecycle [43]. Zwikael and Ahn [44] demonstrate that the effectiveness of risk management is significantly influenced by the thoroughness of risk planning, with variations observed across industries and countries, underscoring the importance of contextualizing risk practices to enhance project success.
A robust organizational risk culture is pivotal for effective risk management. A recent literature review [45] synthesizes findings from 83 peer-reviewed articles, identifying key dimensions of risk culture and their impact on firm performance. The study highlights the necessity of regular assessments and targeted improvements in risk culture to enhance organizational resilience, a focus also of our research. Global supply chains are susceptible to various disruptions, including geopolitical tensions and natural disasters. An article in The Wall Street Journal (2024) [46] reports that companies investing in supply chain resilience practices, such as diversifying suppliers and adopting predictive analytics, have experienced higher revenue growth. However, many organizations still lack comprehensive contingency plans, exposing them to significant risks.
According to Hopkinson [47], it is important to increase an organization’s risk management maturity, to allow the improvement of project risk management practices over time. Olsson [48] questions the adequacy of traditional risk management processes in capturing positive uncertainties, advocating for the integration of opportunity management as a distinct yet complementary practice to enhance project outcomes.
Despite advancements, several gaps persist in risk management practices, such as integration challenges, since organizations often struggle to fully integrate risk management into all levels of decision making, leading to fragmented approaches, and technological adaptation, since rapid technological changes outpace the development of corresponding risk management frameworks, leaving organizations vulnerable to unforeseen risks [49]. This research aims to support organizations facing similar challenges by presenting a risk management framework tailored to the purchasing systems of automotive companies. It emphasizes the importance of fostering a strong risk culture, along with continuous assessment and ongoing improvement.

3. Materials and Methods

To address the research objectives, a single embedded case study methodology was adopted [50], focusing on the purchasing department of Bosch Car Multimedia Portugal. This approach was selected to enable an in-depth exploration of risk management practices within their real-world context, where complex and dynamic project conditions prevail. A case study was deemed appropriate due to the practical, organizational nature of the research questions and the need to integrate multiple data sources and perspectives [51].

3.1. Research Philosophy and Design

Guided by Saunders et al.’s “research onion” framework [52], the study adopted an interpretivist philosophy, acknowledging the socially constructed nature of organizational realities and emphasizing the importance of context-specific understanding. A deductive approach was employed to assess how existing risk management theories and frameworks apply to the case setting. The research is exploratory and descriptive, aiming to both map current practices and suggest tailored improvements. The embedded single-case study design allowed analysis of multiple subunits within the department (e.g., roles, processes, and tools), ensuring rich insights without losing contextual depth.

3.2. Data Collection Methods

A multi-method qualitative approach was used, combining data collected from several sources to triangulate findings and strengthen validity. Data were collected from four main sources:
  • Document Analysis: Internal documents, procedural manuals, and project reports were reviewed to understand current risk protocols and trace past risk-related events;
  • Direct Observation: Researchers conducted structured observations of team meetings, risk assessments, and procurement workflows. Observation protocols were used to ensure consistency and reduce bias;
  • Semi-Structured Interviews: All six members of the department were interviewed individually. The interviews, conducted between February and March 2024, followed a guide structured around key risk management themes (e.g., identification, evaluation, communication, and mitigation). Interviews were audio-recorded, transcribed, and analyzed using thematic coding to uncover patterns and discrepancies across perspectives;
  • Questionnaire Survey: A structured questionnaire was administered to all team members in March 2024. The questionnaire covered personal and professional profiles, conceptual understanding of risk management, identification and assessment capabilities, familiarity with tools and techniques, and perception of internal risk culture and communication. It included Likert-scale and open-ended questions. The questionnaire was pilot tested with two external project managers for clarity and relevance, and adjusted accordingly before final deployment.

3.3. Participants

The entire purchasing project management team—comprising six professionals with experience ranging from 3 months to 5 years—participated in the study. This complete departmental participation ensured comprehensive coverage of roles and insights within the purchasing system. Participants were selected based on their involvement in project-related purchasing processes and exposure to risk-related decisions.

3.4. Validity, Reliability, and Rigor

To ensure methodological rigor, multiple strategies were employed:
  • Triangulation of data sources (documents, interviews, observations, and questionnaires) strengthened internal validity;
  • Member checking was conducted by sharing preliminary findings with participants to validate interpretations;
  • Audit trails documented analytical steps and coding decisions;
  • Thematic saturation was observed during qualitative analysis, indicating sufficient depth of data collection.

3.5. Scope and Limitations

This is a cross-sectional study, conducted over a defined period in early 2024. While limited to a single department, the embedded case study design allowed exploration of various risk management dimensions across roles and processes. Although findings may not be statistically generalizable, they offer analytic generalization—providing insights and tools applicable to similar industrial contexts, particularly in the automotive procurement sector.

4. Case Study

The Bosch Group is a leading global supplier of technology and services. It employs roughly 417,900 associates worldwide (as of December 31, 2024). The company generated sales of 90.5 billion euros in 2024. Its operations are divided into four business sectors: Mobility, Industrial Technology, Consumer Goods, and Energy and Building Technology [53]. In 1960, Bosch established its commercial headquarters for the Portuguese market in Lisbon [54]. The Bosch unit in Braga, where this study was developed, belongs to the Automotive Electronics division and is the Group’s largest unit in Portugal. Focused on the development and production of multimedia solutions and automotive sensors, this Bosch location also houses teams from other Mobility divisions such as Cross-Domain Computing Solutions, Chassis Systems, and Automotive Aftermarket [54].
Around 400,000 Bosch employees in the Mobility sector worldwide use an internal tool to manage their tasks and risks, called Super OPL (Open Points List) [55]. Super OPL allows users to record individual project tasks using open item lists, where they can track their status. In addition, the software allows users to organize meetings, create agendas, record minutes, and define tasks for discussion in future meetings. Super OPL includes a list of risks with several useful features for risk management. It also helps in solving problems in projects and recording lessons learned. The use of this tool begins once a risk is identified, meaning it needs to be documented in the project risk list. The platform allows users to make a clear distinction between threats and opportunities in the first mandatory field when creating a risk, and to specify the risk category as technical, management, commercial, or external. In order to encourage the formulation of risks in the “If… Then…” format, the software prompts users to enter the event and its effect (the consequence) separately. It is also possible to perform a qualitative and quantitative analysis if the respective data are provided. Different responses can also be created according to the strategy to be used, with their respective start dates. Task responsibilities can be delegated or shared with other team members, who are notified via email of any relevant information [55]. Although this tool is very useful in theory, it is not always used by all departments within the different business units, nor is it used in a way that maximizes its benefits. It often serves only to record information and not to process it, so the information ends up being lost and receives no further treatment.
This research was conducted in the M/PPV-VDS1 (Purchasing Project Management Vehicle Motion) department, at Bosch Braga [54]. As part of the annual business planning, at the end of May, the sales of the Manufacturing Global (MFG) departments, for each business unit, prepare the Plant Volume Allocation (PVA) for the second half of the current year and also for the following five years—the example considered in this case study was the PVA 2023. This is an estimate of part volumes that cover the short, medium and long term of products that may already be in production, new projects still starting, and all the activities involved. Before the official release of the document, a review of the information is carried out by a team from each business unit to ensure that the official information is as correct and up to date as possible. The official PVA is then distributed back to each business unit, which then works it within the scope of each function: production, control, planning, purchasing, etc.
For this case study, attention was focused only on the subsequent process, in the M/PPV-VDS1 department, of purchasing project management, which is responsible for preparing the Material Requirements Planning (MRP), whether electrical or mechanical. This work involves a detailed analysis of current suppliers’ capabilities and future needs for new products. This analysis is essential to ensure that the company can meet the needs and expectations of customers, with the flexibility and quality they demand, always paying attention to the time, cost, and objectives defined by the business unit.
The problem under analysis that justified the critical look in this case study is related to the discrepancies in the sales estimate and the real demand, in the year 2024, for the Low Pressure Sensor (LPS). The PVA 2023 document, which contains sales forecast information for the years 2023 through 2028, presented forecasts for LPS sensor sales that were significantly higher than actual demand figures. More specifically, as shown in Figure 1, the 2024 sales forecasts exceeded actual sales by approximately 4 million units—a substantial discrepancy for a business unit. This significant forecasting error can have serious financial implications, as it impacts production planning, inventory management, resource allocation, and logistics strategies. The resulting inefficiencies lead to reduced profit margins and, ultimately, a loss of expected revenue.
To determine whether the discrepancy between forecasted volumes and actual demand was an isolated case or a recurring pattern, a comparative study was conducted between the PVAs from 2019 to 2023 and actual sales data recorded in the Systems Applications and Products (SAP) system (Figure 2).
As can be clearly seen in the figure, as the years go by, the actual sales of the LPS5 sensor are consistently below forecasts, with a maximum discrepancy of approximately 10 million units, in just 2 years. After a critical look at this problem and after speaking with the team members, it could be concluded that part of the responsibility for this disparity lies with the lack of critical response to market changes and also the lack of quick decision-making capacity on the part of the purchasing department. In response to this problem, the research aimed to explore risk management practices within the department more deeply and to improve processes at the initial part of Bosch’s sensors production chain.
In order to carry out a qualitative analysis of the maturity, routines, and decision making of the PPV-VDS1 department in relation to risk management concepts and their application, a questionnaire (already described in Section 3) was prepared and distributed to the entire team.

5. Results of the Data Collection

The following section presents the results of the data collection, followed by a thematic analysis of the interview data, and concludes with a summary of the key findings.

5.1. Results

Through observation and interviews, it quickly became clear that the Super OPL was not used in the PPV-VDS1 department.
Concerning the qualitative analysis of the maturity, routines, and decision making in relation to risk management concepts and their application, the questionnaire produced the following results:
Observing the responses to the question “Which of the following sentences do you consider to be the definition of risk?”, visible in Figure 3, it is possible to see that the team does not have a clear or complete understanding of what the real definition of risk is.
According to the literature, the correct answers to this question would be the options “A potential problem that could negatively impact our work” [56] and “An opportunity for project improvement” [57]. This question makes clear the negative view that the department has of risks, with more focus on risk as a threat. Only one member considered it an opportunity. Another issue that emerges is the lack of clarity in the difference between concepts such as risk, problem, and probability. The option “A situation that will certainly happen and will impact the project’s objectives” refers to the definition of a problem, and the results show that one team member considers that a situation with a 100% probability of occurrence is also a risk, when it is a fact.
In Figure 4, it is possible to assess the team’s level of knowledge and familiarity with risk management. The results reflect that a large part of the department does not appear confident on the topic. Three out of six team members, representing 50%, selected level 2, on a scale of one to five. Additionally, one member selected level 1, which represents the most basic level of knowledge.
Following the previous question, the importance attributed by the department to risk management practices in the context of the company’s purchases was also assessed (Figure 5). Five out of six participants attributed maximum importance to this topic, which, together with the analysis of the previous question, suggests that the team would be willing to receive additional training on risk management, in order to build a more solid knowledge base in the area, making it possible to mitigate existing difficulties in the department’s decision-making tasks.
In Figure 6, the effectiveness of the use of resources available for risk management was subjectively assessed, according to the participants’ opinions. Only one person considers that there is effective use of resources, while five members consider that resources are not used so effectively.
Regarding the question “Are you aware of the existence of risk identification tools in the department?”, by observing Figure 7, it is possible to see that only one person in the department is aware of these tools.
In the question “Typically, when you identify a risk, what steps do you take?”, whose answers are shown in the graph in Figure 8, it is possible to recognize the diversity of actions when a risk is identified by a member of the department. The lack of standardization in procedures stands out, which often leads to confusion, loss of information, and increased response time to any emerging risk.
In order to complement the analysis of risk communication within the department, participants then responded to the subjective evaluation of the effectiveness of this process. The results, visible in Figure 9, indicate a very unsatisfactory average for the process. This answer highlights the potential loss of data and misunderstandings that can arise due to poor communication of information.
Regarding the question “Are you aware of the existence of risk mitigation/exploitation plans in the department?”, the responses in Figure 10 reveal that such plans are nonexistent. This indicates that, even after risks are identified, there is no structured approach to addressing them—highlighting a critical gap in the department’s risk management process and a lack of follow-up mechanisms.
Figure 11 presents an assessment of the frequency of participation in training and education on risk management. The results show that only one of the members participates in these trainings once a year while the other five never participate. After asking the department about the reason for the poor attendance, the answers gathered point to a lack of training on the part of the company.

5.2. Thematic Analysis of Interview Data

To strengthen the qualitative dimension of our multi-methods case study, semi-structured interviews and direct observations were re-analyzed using a basic thematic coding approach. Key comments and reflections gathered from six department members were transcribed from field notes and grouped into themes through an inductive process. Three major themes emerged: (1) conceptual confusion and lack of training, (2) procedural inconsistencies, and (3) openness to improvement.
  • Theme 1: Conceptual Confusion and Lack of Training
Several team members expressed uncertainty in distinguishing between key risk management concepts such as risk, problem, issue, and certainty. This confusion mirrors the findings from the questionnaire.
“Sometimes I think of risks as things that are already happening. Like, if we’re already late, that’s a risk, right?”—Team Member A
“I’ve never had training in this area. I just use common sense most of the time.”—Team Member D
The lack of formal education or consistent terminology was a recurring issue. Even experienced employees reported limited exposure to structured risk frameworks.
  • Theme 2: Procedural Inconsistencies
Interviewees described a wide range of practices when asked how they handle risk situations, reflecting a lack of standard procedures. The diversity of individual responses contributes to inefficiencies and miscommunication.
“I usually talk to the team, but I don’t know if that’s the right way. Others might just write it in Excel and move on.”—Team Member B
“There’s no clear process. If something serious comes up, I go to my manager, but otherwise we just deal with it.”—Team Member E
This theme complements the questionnaire result indicating low effectiveness in both risk communication and the use of available tools and resources.
  • Theme 3: Openness to Improvement
Despite the challenges, there was a strong shared interest in improving risk management practices. Employees recognized the strategic importance of risk and expressed willingness to invest in better systems and training.
“If we had clearer guidelines, I think everyone would follow them. It’s not that people don’t care—it’s just not well structured.”—Team Member C
“I’d definitely attend a workshop or training if it helped us make better decisions.”—Team Member F
This positive attitude forms a strong basis for future implementation of the proposed framework and training modules.

5.3. Summary

After analyzing the results, the lack of coherence in the information, confusion between concepts, lack of standardization, and poor communication became evident. In order to detail and collect even more in-depth information, several semi-structured interviews were conducted with the members of the department, taking place in the context of everyday activities. The team’s needs in relation to risk management have been recognized, and the importance of work based on proactive measures was highlighted. The team was receptive to the idea of investing more time and effort in this area, justified by the importance attributed to the topic. This appreciation suggested a strong and positive foundation for implementing effective strategies within the department.

6. Proposal to Improve Risk Management

The company under study carries out projects that involve a wide diversity of people, areas of training, years of experience, and actions from different teams and departments. Largely due to this variety, projects face numerous challenges and uncertainties that, if not managed in a planned and effective manner, can compromise their success. It is, therefore, essential to have a well-defined and mature risk management process that ensures that emerging risks do not jeopardize the achievement of the project’s objectives, which are significant for ensuring the company’s good name, as well as the return on investments.
After experiencing the reality of the LPS5 project, it became clear that there was a lack of debate and consideration in decision making when planning the needs of these sensors. As part of the efforts to ensure that all of the above premises are met, and with a view to improving existing risk management practices, a risk management plan was developed. This plan was based on the structure and guidelines suggested by the PMBOK Guide [32]. After observing the challenges faced, it became clear that strategy planning should diverge into two complementary approaches: department culture and LPS5 project improvement.

6.1. Department Culture

After assessing the department’s level of risk management maturity, a Risk Management Workshop was proposed to clarify concepts and procedures that should be present when building a culture that takes risk into account in its day-to-day activities. The purpose of this session was to ensure that, despite differences in academic background and years of experience among the team, everyone was at approximately the same level of knowledge of the topic under discussion, at least from a theoretical perspective. The Risk Management Workshop begins with the definition and comparison of basic concepts and continues with the division of the different phases of risk management planning. In each of these phases there was space for discussion with the team, functioning as an attempt to clarify each of the processes in a natural way. Finally, the department was divided into two teams, and a practical case was presented, outside the business environment, in which the implementation of all the steps mentioned above was requested. To complete the process, a document was also created that brings together all the theoretical information on the training in a more extensive manner, functioning as a handbook that should be used in case of doubts regarding the topic. This document, a Risk Management Manual, was presented to the team at the workshop. This presentation and document were discussed further with the department team leader in order to serve as an integral part of the onboarding process for any new member.

6.2. LPS5 Project Improvement

Focusing attention on the problem situation presented previously, the need to follow the risk management planning steps explained in the literature review was established. The following sections concern the evaluation and improvement of the LPS5 project.
  • Risk identification: It was quickly realized that there were no measures or tools to identify the Risks (R) inherent to a project. There was also no relevant past documentation relating to risk management. In order to collect which risks need to be considered, a SWOT analysis was carried out. Through this analysis, the project’s Strengths, Weaknesses, Opportunities, and Threats were collected. To be used as a complement to the analysis carried out previously, an Ishikawa diagram was created. A cost–benefit analysis was also carried out to evaluate the following possible actions: development and implementation of new forecasting models, improvement of data collection and analysis, improvement in communication of internal processes, and continuous monitoring and feedback. After risk collection, the team was advised to register the risks in the Super OPL tool.
  • Risk analysis: After identifying the risks inherent to the project, it becomes necessary to define their prioritization with the aim of ordering their treatment in the most appropriate way. There are two types of analysis: quantitative and qualitative. Both analyses use numbers, but their approaches differ in how they assess risks. Only the most important risks from the qualitative analysis should proceed to the quantitative analysis. In order to analyze the collected data, the most relevant risks were divided into categories and listed in Table 1. The probability and impact of each risk were then qualitatively assessed, and the probability–impact matrix represented in Table 2 was prepared. According to the color system, warmer tones represent more urgent risks to be addressed, since, according to its assessment, they have a high probability and a great impact if they occur. In this case, risks R8 and R18 should be prioritized, followed by risks R16, R1, and R10. On the other hand, cooler tones should be last on the list of action priorities, since the combination of their probability and impact is lower than that of the others. In this case, we are talking about risks R17, R5, R12, R3, R14, and R15. Risks with the lowest scores, R7, R2, R11, R13, R9, and R4, must be monitored to ensure the correct assessment of their evolution. In case of change, the matrix must be updated. In addition to this method, the use of the Super OPL tool is also proposed.
  • Quantitative risk analysis: Quantitative risk analysis is a process considered more difficult and, therefore, less practical and left aside, justified by its non-applicability to the vast majority of risks. This analysis requires sensitive information that, due to the size of the company, becomes difficult to obtain, in addition to the fact that, often, the information is not provided due to the lack of appreciation of risk management. However, this analysis is considered important. Therefore, it is recommended that, in the initial phase, the analysis focus exclusively on risks numbered 1, 8, 10, 16, and 18. Once again, Super OPL appears to help in this risk assessment step. When the probabilities and impacts are filled in, the tool calculates the Expected Monetary Value (EMV). It is worth noting that, normally, the values used in this analysis represent mere estimates.
  • Risk response planning: Once there is a clear understanding of which risks are considered threats and which are considered opportunities, it is important to take steps to minimize the former and maximize the latter. It is up to the project team leader to delegate responsibilities for each risk. The person responsible for the risk in question must prioritize organizing meetings and discussion moments so that information can be gathered in order to follow the most appropriate treatment plan. According to the literature review, the risk management plan must include a description of the activities that will be carried out and how they will be structured. The tools to be used, the individuals responsible, and the guidelines for the approaches to be applied in managing the project’s risks must also be clearly defined and documented. It is still necessary (mandatory) to define the project life cycle periods and its contingency limits [32]. To assist in this step of risk management, the use of Super OPL was once again recommended, as it allows for effective support and detailed monitoring of the project. One of the points to be filled in is the strategy to be adopted, which should be aligned with the bibliographic review. Possible threat response strategies are avoidance, mitigation, transfer, and acceptance. Regarding opportunities, we can explore, improve, share, and accept. The topics “type” and “owner” are filled in by the tool automatically. These two topics define the measure and the person responsible for the project. The topic priority is defined by the user based on the graph in Table 3. It is also possible to add more detailed information regarding the strategy chosen to respond to the risk in consideration. The other fields, such as categories, identification labels, costs, responsible parties, and people involved, must also be filled in, in order to ensure transparency and the rapid flow of information through automatic emails from the tool itself.
  • Implementation of risk responses: Once risk responses have been planned, it is time for implementation. Despite being a case study, it is important to consider the practical application of the proposed measures, ensuring that the defined strategies are viable in the real context. The monitoring of implementations must be done using Super OPL. It is important to understand that one of the key points at this time is finding the so-called “right moment” to implement new measures. As experience shows, when a process is not given due importance, the right moment to implement it will never truly emerge. This results from a combination of several factors, including the availability of resources, their suitability for addressing the specific problem, and—most importantly—the ability to anticipate the potential consequences of not mitigating the risk. The mentioned tool should be used to register the risk responses, as an open point list, and as a complement; the project manager must then dynamize and always seek the involvement of those responsible for these actions, through periodic meetings and updating the status of this list.
  • Risk monitoring: As mentioned previously, project risk management is an ongoing process that spans the entire project life cycle, and it is essential to monitor both threats and opportunities. The measures adopted to manage these risks may need to be adjusted over time, as they may be unreliable or not have the expected effects. In the purchasing department, risk monitoring involves actions such as creating a risk map, with regular categorization and updates, as well as developing Key Performance Indicators (KPIs), such as delivery delays or cost variations. The use of automated indicators and alerts facilitates the early detection of changes in risk severity, while systematic incident logging enables timely adjustments to mitigation strategies. Integrating the mitigation plan into the overall project schedule and resource allocation ensures efficient execution. Therefore, it is recommended that the first weekly meeting of the project team, in the case of LPS5, be dedicated to updating the status of the actions taken for each identified risk, monitored by the Super OPL Risk Management Tool. The status of the most critical risks and the review of the risk list should be constant topics in meetings, so as not to be forgotten. If new risks arise, they must be included in the open points list, restarting the risk management cycle presented. These periodic review measures and the guarantee of recording lessons learned are essential to ensure continuous monitoring and the promotion of adjustments whenever necessary. This cycle ensures the evolution of each decision taken in a positive direction and, consequently, the exponential growth of the business unit involved.
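The cycle described in the steps above (qualitative scoring, promotion of only the top tier to quantitative analysis, EMV, response strategy, and re-scoring during monitoring) can be sketched as a small risk register. This is an added example, not code from the paper or from the Super OPL tool; the 1–5 scales, the tier cut-offs, the `RX` identifiers, and all figures are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Response strategies listed in the text, by kind of risk.
STRATEGIES = {
    "threat": {"avoidance", "mitigation", "transfer", "acceptance"},
    "opportunity": {"explore", "improve", "share", "accept"},
}


@dataclass
class Risk:
    rid: str
    kind: str                           # "threat" or "opportunity"
    probability: int                    # qualitative scale 1..5 (assumed)
    impact: int                         # qualitative scale 1..5 (assumed)
    strategy: str
    p_est: Optional[float] = None       # estimated probability, 0..1
    impact_eur: Optional[float] = None  # estimated monetary impact

    def __post_init__(self) -> None:
        if self.kind not in STRATEGIES:
            raise ValueError(f"{self.rid}: unknown kind {self.kind!r}")
        if self.strategy not in STRATEGIES[self.kind]:
            raise ValueError(f"{self.rid}: {self.strategy!r} is not a {self.kind} strategy")
        _check_scale(self.probability, self.impact)
        if self.p_est is not None and not 0.0 <= self.p_est <= 1.0:
            raise ValueError(f"{self.rid}: p_est must lie in [0, 1]")

    @property
    def score(self) -> int:
        return self.probability * self.impact

    @property
    def tier(self) -> str:
        # Assumed cut-offs standing in for the matrix colour bands.
        if self.score >= 15:
            return "high"
        return "medium" if self.score >= 6 else "low"


def _check_scale(*values: int) -> None:
    if any(not 1 <= v <= 5 for v in values):
        raise ValueError("qualitative scores must be between 1 and 5")


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Order the register by probability x impact, highest first."""
    return sorted(risks, key=lambda r: (-r.score, r.rid))


def quantitative_candidates(risks: List[Risk]) -> List[Risk]:
    """Only the top qualitative tier proceeds to quantitative analysis."""
    return [r for r in prioritize(risks) if r.tier == "high"]


def emv(risk: Risk) -> float:
    """Expected Monetary Value: negative for threats, positive for opportunities."""
    if risk.p_est is None or risk.impact_eur is None:
        raise ValueError(f"{risk.rid}: no probability/impact estimate recorded")
    sign = -1.0 if risk.kind == "threat" else 1.0
    return sign * risk.p_est * abs(risk.impact_eur)


def missing_estimates(risks: List[Risk]) -> List[str]:
    """High-tier risks that still lack the data quantitative analysis needs."""
    return [r.rid for r in quantitative_candidates(risks)
            if r.p_est is None or r.impact_eur is None]


def project_emv(risks: List[Risk]) -> float:
    return sum(emv(r) for r in quantitative_candidates(risks))


def rescore(risk: Risk, probability: int, impact: int) -> bool:
    """Monitoring step: returns True when the risk moved to another tier,
    i.e. when the probability-impact matrix has to be updated."""
    _check_scale(probability, impact)
    before = risk.tier
    risk.probability, risk.impact = probability, impact
    return risk.tier != before


def sample_register() -> List[Risk]:
    # Constructed entries; not the risks or values from the paper's tables.
    return [
        Risk("RX1", "threat", 5, 5, "mitigation", p_est=0.5, impact_eur=50_000),
        Risk("RX2", "threat", 4, 4, "transfer", p_est=0.25, impact_eur=20_000),
        Risk("RX3", "opportunity", 3, 5, "explore", p_est=0.25, impact_eur=40_000),
        Risk("RX4", "threat", 2, 3, "acceptance"),
        Risk("RX5", "threat", 1, 2, "acceptance"),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in prioritize(register):
        print(r.rid, r.kind, r.score, r.tier, r.strategy)
    print("Project EMV (EUR):", project_emv(register))
```

A risk that moves into the top tier during monitoring appears in `missing_estimates` until its probability and monetary impact are recorded, which makes the data gap the text mentions visible instead of silently dropping the risk from the EMV total.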

7. Discussion

The findings from this case study at Bosch Car Multimedia Portugal underscore the critical importance of developing robust, culturally embedded risk management practices in highly complex and uncertain project environments, such as those found in the automotive sector. This chapter discusses the implications of the research findings in light of the literature review and theoretical frameworks explored earlier, focusing on the dual-pronged proposal—department culture enhancement and project-level process improvement.

7.1. Organizational Culture and Risk Maturity

One of the most striking findings was the limited cultural integration of risk management principles in the purchasing department. Despite the technical capabilities of team members, there was a clear knowledge gap in structured risk management concepts and practices. The Risk Management Workshop and the accompanying Manual aimed to address this gap, offering a common language and framework to standardize understanding and expectations. This initiative aligns with best practices in change management, suggesting that fostering a shared baseline of risk literacy is essential for cultural maturity in this domain [39,47].
Notably, the interactive and inclusive design of the workshop served not only as a knowledge-sharing mechanism but also as a team-building exercise that promoted ownership and engagement—two key ingredients for long-term behavioral change. This supports the assertion from the literature that risk management is as much a social and communicative practice as it is a technical one [43].

7.2. Process Structuring at the Project Level

The deep-dive into the LPS5 project illuminated multiple process-level deficiencies, particularly the absence of structured risk identification, documentation, and prioritization mechanisms. The integration of tools such as SWOT analysis, Ishikawa diagrams, cost–benefit evaluations, and the Super OPL platform into the risk management plan helped bridge these gaps effectively. The use of a probability–impact matrix and selective quantitative analysis using Expected Monetary Value (EMV) calculations helped to introduce data-driven decision making into what had previously been an informal or reactive process [23].
The prioritization of risks, especially high-impact issues like R8 (market demand uncertainty) and R18 (human error in production decisions), illustrates how aligning risk management with project strategy can mitigate potential disruptions. The categorization of risks into financial, operational, market, regulatory, reputational, and human domains also enabled more targeted response planning, enhancing both visibility and accountability [34].

7.3. Tool Utilization and Practical Limitations

The Super OPL tool proved instrumental in enhancing the visibility, traceability, and responsiveness of risk management efforts. However, the research also highlighted a cultural resistance to adopting quantitative methods—largely due to data unavailability and the undervaluation of formal risk processes. While this aligns with findings in similar industrial studies [44], it also points to the need for stronger leadership advocacy and systematized data collection practices. The fact that only a subset of risks was deemed suitable for quantitative analysis (due to data constraints) suggests that a phased approach may be necessary for widespread adoption [21].

7.4. Continuous Monitoring and Lessons Learned

The recommendation to integrate risk discussions into weekly project meetings reflects a shift toward continuous risk management, rather than a one-off or compliance-driven approach. This aligns with contemporary project management paradigms that emphasize iterative, flexible responses to dynamic project environments [22]. Furthermore, the establishment of KPIs and incident logs within the Super OPL framework introduces a feedback loop critical for adaptive learning and long-term capability building [48].
In sum, the proposed framework effectively marries theoretical rigor with practical adaptability. However, its sustainability will depend on the department’s commitment to cultural change, the maturity of supporting systems, and leadership reinforcement of risk-conscious behavior.

8. Conclusions

This research sought to analyze and improve risk management practices within the purchasing system of Bosch Car Multimedia Portugal, focusing on the LPS5 project as a case study. The findings reveal that while technical competence and execution capabilities are present, there is a significant lack of standardized processes and a consistent, risk-aware organizational culture. These gaps were addressed through a dual approach: promoting cultural alignment via workshops and training, and implementing structured, tool-supported risk management processes at the operational level.

8.1. Summary of Contributions

This study provides the following key contributions:
  • Theoretical Validation: By applying PMBOK-based risk management frameworks to an industrial setting, the study confirms the practical applicability of established models in the automotive sector [32].
  • Practical Outputs: The development of a Risk Management Manual, implementation of the Super OPL tool, and design of a replicable workshop format offer concrete, scalable solutions for similar project-based environments in manufacturing.
  • Cultural Evolution: The study emphasizes the critical role of cultural transformation in risk management—an aspect often underestimated in project literature [58]. By fostering shared understanding and internal engagement, the groundwork for long-term change has been established.

8.2. Challenges and Considerations

While the interventions introduced represent meaningful progress, their sustainability depends on continued leadership commitment, strategic alignment, and routine monitoring. Cultural resistance, coupled with a legacy of informal practices and skepticism toward quantitative tools, remains a barrier to full implementation. Overcoming this will require ongoing investment in capacity-building and the demonstration of tangible value from proactive risk strategies [42].
This study reinforces that successful risk management in complex project settings extends beyond technical tools—it requires a mindset shift at both individual and organizational levels. By bridging theoretical models with real-world practices, the research contributes to academic knowledge while offering actionable pathways for improving risk governance in the automotive supply chain context.

8.3. Study Limitations and Future Research

As with any case study, certain limitations affect the scope and generalizability of the findings. Firstly, access to comprehensive data was limited by both the small size of the participating team and the absence of historical performance records related to risk management. This constrained the depth of statistical analysis and calls for a cautious interpretation of patterns.
Secondly, although cultural attitudes toward risk were discussed qualitatively, the relationship between organizational culture and risk orientation was not systematically measured. This limits the ability to generalize the cultural findings across departments or to other organizations.
Finally, given that the study was conducted within a single department of a multinational company, the results may reflect local dynamics rather than broader organizational realities. Future research could expand this work by incorporating longitudinal data, larger sample sizes, and cross-functional perspectives to enhance both internal validity and external applicability.

Author Contributions

Conceptualization, A.T.; methodology, A.T. and C.S.; validation, A.T. and C.S.; formal analysis, A.T. and C.S.; investigation, C.S.; writing—original draft preparation, C.S. and J.F.; writing—review and editing, A.T. and J.F.; supervision, A.T. All authors have read and agreed to the published version of the manuscript.

Funding

This work has been supported by FCT—Fundação para a Ciência e Tecnologia within the R&D Unit Project Scope UID/00319/Centro ALGORITMI (ALGORITMI/UM).

Data Availability Statement

No new data were created besides the one included in the paper.

Acknowledgments

We would like to thank Bosch Car Multimedia Portugal, S.A., for the opportunity to carry out this work, especially the team from the M/PPV-VDS1 (Purchasing Project Management Vehicle Motion) department at the Braga factory in Portugal.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
| Abbreviation | Meaning |
|---|---|
| EMV | Expected Monetary Value |
| ISO | International Organization for Standardization |
| KPI | Key Performance Indicator |
| LPS | Low Pressure Sensor |
| M/PPV-VDS1 | Purchasing Project Management Vehicle Motion |
| MFG | Manufacturing Global |
| MRP | Material Requirements Planning |
| OPL | Open Points List |
| P-I Matrix | Probability and Impact Matrix |
| PMI | Project Management Institute |
| PVA | Plant Volume Allocation |
| R | Risk |
| RQ | Research Question |
| SWOT | Strengths, Weaknesses, Opportunities, and Threats |

References

  1. Vassolo, R.S.; Weisz, N.; Laker, B. Survival of the Fittest: Decoding Competition and Its Evolution. In Advanced Strategic Management; Springer: Berlin/Heidelberg, Germany, 2024; pp. 35–53.
  2. del Pilar Barrera, A.; Jimenez-Hernandez, P.R.; Medina-Ricaurte, G.F. Dynamic Capabilities to Drive Innovation and Competitiveness in a Changing Business World. In Models, Strategies, and Tools for Competitive SMEs; Perez-Uribe, R., Ocampo-Guzman, D., Lozano-Correa, L., Eds.; IGI Global Scientific Publishing: New York, NY, USA, 2025; pp. 95–116. ISBN 9798369340479.
  3. Dinis-Carvalho, J.; Santos, D.; Menezes, M.; Sá, M.; Almeida, J. Process Mapping in a Prototype Development Case. Lect. Notes Electr. Eng. 2019, 505, 354–360.
  4. Fernandes, G.; Domingues, J.; Tereso, A.; Micán, C.; Araújo, M. Risk Management in University–Industry R&D Collaboration Programs: A Stakeholder Perspective. Sustainability 2023, 15, 319.
  5. Koen, P.A.; Bertels, H.M.J.; Elsum, I.R. The Three Faces of Business Model Innovation: Challenges for Established Firms. Res. Technol. Manag. 2011, 54, 52–59.
  6. Boghani, A.; Brown, A. Meeting the Technology Management Challenges in the Automotive Industry; SAE International: Warrendale, PA, USA, 2000; ISBN 0768005329.
  7. Baluch, N.; Sobry Abdullah, C.; Mohtar, S. Evaluating Effective Spare-Parts Inventory Management for Equipment Reliability in Manufacturing Industries. Eur. J. Bus. Manag. 2013, 5, 69–76.
  8. Chin, K.S.; Yeung, I.K.; Pun, K.F. Development of an Assessment System for Supplier Quality Management. Int. J. Qual. Reliab. Manag. 2006, 23, 743–765.
  9. Smith, A.D. Component Part Quality Assurance Concerns and Standards: Comparison of World-Class Manufacturers. Benchmarking 2011, 18, 128–148.
  10. Ganhão, F.N.; Pereira, A. A Gestão Da Qualidade—Como Implementá-La Na Empresa, 1st ed.; Editorial Presença: Lisboa, Portugal, 1992.
  11. Luko, S.N. Risk Management Principles and Guidelines. Qual. Eng. 2013, 25, 451–454.
  12. Gonçalves, M.H.; Tereso, A.P.; Costa, H.R. Project Risk Management in an Automotive Company. In Proceedings of the International Conference on Quality Engineering and Management, Braga, Portugal, 21–22 September 2020; pp. 275–292.
  13. Klassen, R.D.; Vereecke, A. Social Issues in Supply Chains: Capabilities Link Responsibility, Risk (Opportunity), and Performance. Int. J. Prod. Econ. 2012, 140, 103–115.
  14. Kleindorfer, P.R.; Saad, G.H. Managing Disruption Risks in Supply Chains. Prod. Oper. Manag. 2005, 14, 53–68.
  15. Brook, J.W.; Pagnanelli, F. Integrating Sustainability into Innovation Project Portfolio Management—A Strategic Perspective. J. Eng. Technol. Manag. 2014, 34, 46–62.
  16. Harland, C.; Knight, L.; Lamming, R.; Walker, H. Outsourcing: Assessing the Risks and Benefits for Organisations, Sectors and Nations. Int. J. Oper. Prod. Manag. 2005, 25, 831–850.
  17. FERMA—Federation of European Risk Management Associations. Norma de Gestão de Riscos. Available online: https://www.ferma.eu/wp-content/uploads/2011/11/a-risk-management-standard-portuguese-version.pdf (accessed on 1 May 2025).
  18. ISO 31000; Risk Management–Principles and Guidelines. International Organization for Standardization: Geneva, Switzerland, 2009.
  19. De Wulf, L.; Sokol, J.B. Customs Modernization Initiatives: Case Studies; World Bank Publications: Washington, DC, USA, 2004; ISBN 0821383736.
  20. Mizrak, K.C. Crisis Management and Risk Mitigation: Strategies for Effective Response and Resilience. In Trends, Challenges, and Practices in Contemporary Strategic Management; IGI Global: New York, NY, USA, 2024; pp. 254–278.
  21. Raz, T.; Hillson, D. A Comparative Review of Risk Management Standards. Risk Manag. 2005, 7, 53–66.
  22. Kerzner, H. Project Management: A Systems Approach to Planning, Scheduling, and Controlling; Wiley: Hoboken, NJ, USA, 2017; ISBN 9781119165354.
  23. PMI. A Guide to the Project Management Body of Knowledge (PMBOK® Guide), 7th ed.; Project Management Institute, Inc.: Newton Square, PA, USA, 2021; ISBN 9781628256642.
  24. Zhang, H. A Redefinition of the Project Risk Process: Using Vulnerability to Open up the Event-Consequence Link. Int. J. Proj. Manag. 2007, 25, 694–701.
  25. Leveson, N. A Systems Approach to Risk Management through Leading Safety Indicators. Reliab. Eng. Syst. Saf. 2015, 136, 17–34.
  26. Ardichvili, A.; Cardozo, R.; Ray, S. A Theory of Entrepreneurial Opportunity Identification and Development. J. Bus. Ventur. 2003, 18, 105–123.
  27. Stoneburner, G.; Goguen, A.; Feringa, A. Risk Management Guide for Information Technology Systems. NIST Spec. Publ. 2002, 800, 800–830.
  28. Zuccaro, G.; De Gregorio, D.; Leone, M.F. Theoretical Model for Cascading Effects Analyses. Int. J. Disaster Risk Reduct. 2018, 30, 199–215.
  29. Haimes, Y.Y. Risk Modeling, Assessment, and Management; Wiley Series in Systems Engineering and Management; John Wiley & Sons: Hoboken, NJ, USA, 2015; ISBN 111901798X.
  30. Greiman, V.A. Megaproject Management: Lessons on Risk and Project Management from the Big Dig; PMI Project Management Institute; Wiley: Hoboken, NJ, USA, 2013; ISBN 9781118115473.
  31. Acebes, F.; González-Varona, J.M.; López-Paredes, A.; Pajares, J. Beyond Probability-Impact Matrices in Project Risk Management: A Quantitative Methodology for Risk Prioritisation. Humanit. Soc. Sci. Commun. 2024, 11, 670.
  32. PMI. A Guide to the Project Management Body of Knowledge (PMBOK® Guide), 6th ed.; Project Management Institute, Inc.: Newton Square, PA, USA, 2017.
  33. Hugo, F.D.; Pretorius, L.; Benade, S.J. Some Aspects of the Use and Usefulness of Quantitative Risk Analysis Tools in Project Management. S. Afr. J. Ind. Eng. 2018, 29, 116–128.
  34. Aven, T. Risk Analysis; Wiley: Hoboken, NJ, USA, 2015; ISBN 9781119057796.
  35. Vose, D. Risk Analysis—A Quantitative Guide; John Wiley and Sons: Hoboken, NJ, USA, 2008; p. 729.
  36. Gupta, V.K.; Thakkar, J.J. A Quantitative Risk Assessment Methodology for Construction Project. Sadhana—Acad. Proc. Eng. Sci. 2018, 43, 116.
  37. Allen, G.; Derr, R. Threat Assessment and Risk Analysis: An Applied Approach; Butterworth-Heinemann: Waltham, MA, USA, 2015; ISBN 9780128024935.
  38. Peixoto, J.; Tereso, A.; Fernandes, G.; Almeida, R. Project Risk Management Methodology: A Case Study of an Electric Energy Organization. Procedia Technol. 2014, 16, 1096–1105.
  39. Hillson, D. Extending the Risk Process to Manage Opportunities. Int. J. Proj. Manag. 2002, 20, 235–240.
  40. António Miguel Gestão Moderna de Projetos Melhores Técnicas e Práticas; FCA: London, UK, 2024.
  41. Hiebl, M.R. The Integration of Risk into Management Control Systems: Towards a Deeper Understanding across Multiple Levels of Analysis. J. Manag. Control 2024, 35, 1–16.
  42. Kutsch, E.; Hall, M. Intervening Conditions on the Management of Project Risk: Dealing with Uncertainty in Information Technology Projects. Int. J. Proj. Manag. 2005, 23, 591–599.
  43. Loosemore, M.; Raftery, J.; Reilly, C.; Higgon, D. Risk Management in Projects, 2nd ed.; Taylor and Francis: Abingdon, UK, 2012; ISBN 9780203963708.
  44. Zwikael, O.; Ahn, M. The Effectiveness of Risk Management: An Analysis of Project Risk Planning Across Industries and Countries. Risk Anal. 2011, 31, 25–37.
  45. Bockius, H.; Gatzert, N. Organizational Risk Culture: A Literature Review on Dimensions, Assessment, Value Relevance, and Improvement Levers. Eur. Manag. J. 2024, 42, 539–564.
  46. WSJ. Supply Chain Woes Carry High Risks, Big Rewards for Some Companies. The Wall Street Journal, 30 October 2024.
  47. Hopkinson, M. The Project Risk Maturity Model: Measuring and Improving Risk Management Capability; Taylor & Francis: Abingdon, UK, 2017; ISBN 9781351883467.
  48. Olsson, R. In Search of Opportunity Management: Is the Risk Management Process Enough? Int. J. Proj. Manag. 2007, 25, 745–752.
  49. Kour, R.; Karim, R.; Dersin, P.; Venkatesh, N. Cybersecurity for Industry 5.0: Trends and Gaps. Front. Comput. Sci. 2024, 6, 1434436.
  50. Baxter, P.; Jack, S. Qualitative Case Study Methodology: Study Design and Implementation for Novice Researchers. Qual. Rep. 2008, 13, 544–559.
  51. Yin, R.K. Case Study Research and Applications: Design and Methods, 6th ed.; SAGE Publications: Thousand Oaks, CA, USA, 2018; ISBN 9781506336176.
  52. Saunders, M.; Lewis, P.; Thornhill, A. Research Methods for Business Students, 8th ed.; Pearson: Harlow, UK, 2019; ISBN 978-1292208787.
  53. Bosch. Company|Bosch Global. Available online: https://www.bosch.com/company/ (accessed on 1 May 2025).
  54. Bosch. A Nossa Empresa|Bosch Em Portugal. Available online: https://www.bosch.pt/a-nossa-empresa/bosch-em-portugal/ (accessed on 1 May 2025).
  55. Bosch. Bosch Internal Documentation; Bosch’s Private Portal: Braga, Portugal, 2024.
  56. Becker, K.; Smidt, M. A Risk Perspective on Human Resource Management: A Review and Directions for Future Research. Hum. Resour. Manag. Rev. 2016, 26, 149–165.
  57. Qazi, A.; Dikmen, I.; Birgonul, M.T. Mapping Uncertainty for Risk and Opportunity Assessment in Projects. Eng. Manag. J. 2020, 32, 86–97.
  58. Hillson, D.; Murray-Webster, R. Understanding and Managing Risk Attitude, 2nd ed.; Routledge: London, UK, 2007; ISBN 9781315235448.
Figure 1. Comparison of PVA2023 volumes and SAP demands.
Figure 2. Comparison of PVAs and SAP demands.
Figure 3. Team perception of risk definition.
Figure 4. Team’s level of knowledge and familiarity with risk management.
Figure 5. Importance of risk management practices in the context of company purchases.
Figure 6. Effectiveness of the use of resources available for risk management.
Figure 7. Awareness of the existence of risk identification tools in the department.
Figure 8. Measures taken after a risk is identified.
Figure 9. Evaluation of risk communication within the purchasing department.
Figure 10. Awareness of risk mitigation/exploitation plans in the department.
Figure 11. Frequency of participation in training and education on risk management.
Table 1. Risks relevant to the project.

| Type of Risks | Risk Description | Risk Number |
|---|---|---|
| Financial | Overly optimistic sales forecasts resulting in lower-than-expected revenue. | R1 |
| | Higher-than-anticipated production costs that may lead to reduced profit margins. | R2 |
| | Investing in a large amount of inventory and equipment that ties up capital that could be used for other investment opportunities. | R3 |
| | Possible fluctuations in the exchange rate may impact production costs and revenues if there are imported components or exports. | R4 |
| Operational | The possibility that production capacity is not sufficient to manufacture the sensors efficiently. | R5 |
| | Product quality issues that may result in returns, repairs, or replacements. | R6 |
| | Difficulties in storing and transporting sensors. | R7 |
| Market | The risk that actual demand will differ from forecast demand, resulting in excess or shortfalls in inventory. | R8 |
| | Competitor actions that may affect market share and demand for sensors. | R9 |
| | New technologies or changes in consumer preferences that may make the product obsolete. | R10 |
| Regulatory | Changes in regulations that may impact the production or sale of sensors. | R11 |
| | Risk of non-compliance with standards and regulations, resulting in fines or sanctions. | R12 |
| Reputational | Problems with product quality or customer service that could damage the company’s reputation. | R13 |
| | Negative impact on brand image due to problems with project management. | R14 |
| Human | Difficulties in attracting and retaining qualified talent necessary for the company’s strategy. | R15 |
| | Failures in marketing and sales strategies that may not be able to reach the target audience effectively. | R16 |
| | Possibility of human error when reading forecasts, due to the use of an easily fallible tool. | R17 |
| | Possibility of human errors when making decisions about the volumes of the product to be produced. | R18 |
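Table 2. Project probability-impact matrix.
Rows give probability (1–5) and columns give impact (1–5); the occupied cells of each row are listed in order of increasing impact, separated by "|".
Probability 1: R4
Probability 2: R2, R11, R13 | R9
Probability 3: R7 | R14, R15 | R5, R12
Probability 4: R3 | R17 | R1, R10
Probability 5: R16 | R8, R18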
Table legend: Risks are categorized by color: red means extreme, dark green means high, light green means moderate, yellow means low, and gray means very low risk.
Table 3. Setting priorities for a risk.

| | Low Urgency | High Urgency |
|---|---|---|
| High Impact | Plan: Important but not urgent | Immediate: The best action, take it as soon as possible |
| Low Impact | Postpone: To do, but not to waste time | Consider: Urgent but not important |
Tereso, A.; Santos, C.; Faria, J. Risk Management Practices in the Purchasing System of an Automotive Company. Systems 2025, 13, 444. https://doi.org/10.3390/systems13060444