INTEGRATING PROJECT RISK INTO RISK MANAGEMENT STRATEGIES IN PUBLIC SECTOR ORGANIZATIONS

The article aims to present possibilities for integrating project risk management processes into public sector organizational risk management strategies. The relative isolation of project risk from management systems is a weakness in organizational functioning. Integrating project risk management processes into the overall management system and in risk management strategies in particular, significantly contributes to enhancing organizational culture. Thus, a practice is established for systematic and purposeful impact on risks accompanying each project.


INTRODUCTION
Each public sector organization in Bulgaria has to develop a risk management strategy. This obligation results from the European Union regulations implemented in national legislation. Complying with the Financial Management and Control Act and the Methodological Guidelines of the Bulgarian Ministry of Finance, risk management strategies must reasonably ensure that organizational goals will be achieved.
Risk management faces challenges related to the fact that civil servants lack expertise, experience and understanding of the risks accompanying organizational functioning. As far as project risk management and integration in the overall risk management strategy are concerned, constraints are related to the lack of regulation, methodological assistance and a comprehensive concept of the need and the way different types and groups of risks should be bound in a document, strategic for public sector organizations.

REGULATORY AND METHODOLOGICAL FRAMEWORK OF RISK MANAGEMENT IN THE PUBLIC SECTOR IN BULGARIA
The regulatory and methodological framework in Bulgaria introduces the requirement for mandatory risk management in the public sector. Up until 2007, this was a random process, initiated by enthusiastic innovators in individual public organizations, while evaluations were largely subjective. After the Financial Management and Control in the Public Sector Act entered into force (Financial Management and Control in the Public Sector Act, Prom. SG 21/ 10 March 2006, last amended and suppl. SG 13/ 12 February 2019), this process became a mandatory component of financial management and control. Risk management is part of the managerial responsibility of public sector organizations' managers. In this regard, they are committed to establishing "a strategy updated every three years or when significant changes occur in the risk environment" (Financial management and Control in the Public Sector Act, Prom. SG 21/ 10 March 2006, last amended and suppl. SG 13/ 12 February 2019).
The risk management process involves "identifying, evaluating and controlling potential events or situations that may adversely affect the achievement of organizational objectives and is intended to reasonably assure that objectives will be achieved" (National Assembly, Prom. SG 21/ 10 March 2006, last amended and suppl. SG 13/ 12 February 2019). Practically, this means that goal setting is the basis of risk management.
Administrative structures in the Republic of Bulgaria are obliged to set goals annually for their activities that will ensure the fulfillment of their strategic goals. The obligation results from the provisions of Art. 33a of the Administration Act (Administration Act, Prom. SG 130/ 5 November 1998, last amended SG 80/ 28 September 2018), and was imposed by amending the Act in 2006. The same Act, Art. 63 also regulates the obligation to promulgate the reports on achieving the objectives of respective administrative structures. This is done through preparing an annual activity report for each public organization a budget spending authority (Parashkevova, 2015a).
In order for the risk management process to be adequate, public sector organizations must have clear hierarchy of goals, which means that the definition of strategic goals must invariably be related to detailing them into operational ones.
Operational objectives have their own specifics, which attach them a different importance while implementing business processes in the public sector. Generally, these specifics are as follows:  Correspondenceoperational objectives in the public sector contribute to achieving strategic objectives;  Measurabilityoperational objectives can be measured in terms of the degree to which it is achieved; this measurability is related to the direction of change in indicators;  Manageabilitythe respective administration must be able to make a significant contribution to the achievement of an operational objective, i.e. the objective must be within the scope of interventions that the administration concerned can implement;  Responsibilityeach operational objective is related to specifically responsible administrative structures or officials who play a leading role in achieving the operational objective;  Prospectivityadministration should know what it aims to, i.e. the objectives achieved should not be subject to planning again;  Objectivityoperational objectives are realistic and achievable, they are in accordance with the current situation and take into account trends in the development of external environment;  Time horizonoperational objectives must indicate a specific deadline within which they must be achieved;  Stakeholder and target group orientationwhere possible, operational objectives should aim at specific target groups in the community. In case this is not possible, at least stakeholders interested in their implementation should be identified;  Resource provisionthe last but not the least, specificity is related to the fact that operational objectives are necessarily resource secured by including them in the estimates for the budget period.
Operational goal setting is also related to almost all other processes in administration, such as: budget process, risk management, human resources management, investment process, etc., i.e. it is of great importance and its formal implementation has a direct or indirect impact on the overall functioning of administration in almost all policy areas (Parashkevova, 2015a). At operational level, the daily implementation of risk management procedures (Ministry of Finance, 2019c) is obligatory in order to ensure adequate progress of other processes.
The Consolidated annual report on internal control in the public sector in the Republic of Bulgaria for 2018 states that "risk management in public sector organizations still needs consistency of efforts, stability and compliance with the identified objectives. It is necessary to ensure that employees participate in training related to the implementation and operation of risk management in public sector organizations in order to ensure effective and adequate risk management procedures. Integrating risk management into the work of public sector organizations will help modernize the internal control and increase the efficiency and effectiveness of processes" (Ministry of Finance, 2019b). At the same time, the 2018 Report on the status of administration explains that the main focus in employee training is on topics related to administration management, and particularly on "strategic planning, public policies, performance management, change management, project management, quality management, risk management, etc" (Council of Ministers of the Republic of Bulgaria, 2019).
From methodological point of view, the Guidelines for implementing management responsibility in public sector organizations state that each manager must ensure the following management actions in relation to risk management: "1) To ensure that a sound risk management system exists and functions in accordance with an approved risk management strategy and to regularly review the strategy. 2) To create conditions and prerequisites for integrating risk management into the planning and decision-making process" (Ministry of Finance, 2019c). At the same time, it is found out that "risk assessment, which should be an essential part when making key management decisions, is viewed as an unnecessary increase in bureaucracy and as a result, local risk management is largely ineffective or lacking. This logic exactly leads to a number of managerial decisions in case of negative situations and risks that have already occurred" (Ministry of Finance, 2019c).
The 2016-2020 Strategy for the development of financial management and control and internal audit in the public sector in the Republic of Bulgaria focuses on improving the status of risk management processes. This objective is planned to be achieved through a series of measures, related to improving risk management strategies, more training, institutionalization of internal bodies, and more (Council of Ministers of the Republic of Bulgaria, 2016).
As a result of the content analysis of these strategic analyzes and documents at a national level, it can be concluded that risk management in Bulgarian administrative structures is formal and employees perceive it as useless and unnecessary, i.e. organizational culture and environment are unfavorable for implementing risk management.

RISK MANAGEMENT IN PUBLIC SECTOR ORGANIZATIONS IN BULGARIA
Risk is a concept with complicated and complex content, based on objectively existing ambiguity, uncertainty and relatively probabilistic nature of processes and phenomena, and probabilistic nature of processes (Eremin, 2010b).
Risk is a natural, normal phenomenon underlying ongoing changes in the environment (Andreeva, 1997).
Risk is not the danger of a possible adverse outcome or of not achieving goals. It is a property, feature, characteristic of a particular organizational or project activity or process and is part of systemic uncertainty (Granaturov, 2010).
Risk is associated with a high degree of uncertainty about achieving the goals set. "Risk management is perceived as a choice between achieving a specific goal through alternative means and results, under conditions of probability and uncertainty. The definition is related to the expected change and its positive or negative impact on the entity" (Kostadinova, 2012a). From this point of view, it is extremely important to integrate risk management into administration work processes and to provide information at all levels in decision making. This provides a positive culture towards it, which is defined as "a set of encouraged and acceptable behaviours, discussions, decisions and attitudes to take and manage risk in an institution" (Risk Management Association and Protiviti, 2014).
Risk management is a complex task that must be based on clearly defined organizational parameters, goals and objectives, a detailed description of ongoing processes and analysis of potential weaknesses and environmental threats, anticipated responses to identified risks and residual risk value, the way of communicating regarding the process. Good planning in the public sector would give better results when regularly updating risk levels and diagnosing emerging risks (Parashkevova, 2009).
However, it is worth noting that the public sector is highly deterministic and bureaucratic, which complicates risk management (Leung, 2008a). In addition, there is a large number of stakeholders, especially when defining public policies, where interests are often the opposite (Braig, 2011). At the same time, risks facing public organizations are diverse and often variable, both in the likelihood of occurrence and the impact on the entity. This indicates that risk management must be flexible and proactive with respect to changes in risk environment and тhе risk appetite of organizations (Parashkevova, 2017).
The main challenges to risk management processes in public organizations relate to (Braig, 2011): 1. Mission objectives outweighing other considerations; 2. Frequent changes in managerial positions and resignation of experienced employees; 3. Managers having no knowledge of risk management; 4. Separation of operational budgets from budget programmes, i.e. lack of programme budgeting; 5. Lack of clear and unambiguous indicators for measuring risk; 6. Complex procedures and instructions; 7. Limited risk management culture and risk appetite.
The very risk management process in a public sector organization can be divided into two separate sub- 20-22 January, 2020 -DUBAI (UAE) processes: 1) Risk analysis, where risks are identified, quantified, and classified according to their impact on the organization and the likelihood of their occurrence; 2) Real risk management where activities such as planning, decision making, documentation, monitoring and control and updating are performed. These two sub-processes are interrelated and run cyclically. Their boundaries are difficult to define, and they are repeated over time. The main parameters of these sub-processes are implemented in the risk management strategy. It aims to support risk management by outlining a strategic framework for implementing risk management. In the methodological developments of the Ministry of Finance of Bulgaria a model of strategy is proposed (Ministry of Finance, 2010a). However, it has a number of imperfections. It is an instruction document rather than a strategic one. The fact is, however, that for almost 10 years, strategies under this model have existed in administrations, further complicating risk management and formalizing it.

Proceedings of INTCESS 2020-7th International Conference on Education and Social Sciences
The development of a risk management strategy must answer strategic questions. These are as follows: What is the relationship between the document and the other strategic documents in administration and how is this relationship ensured?; What are the main tasks and objectives of the strategy?; What is the risk appetite of an organization?; What methods of diagnosis, analysis, and risk assessment are applied?; What responses are selected, towards which risks and how will their effectiveness be evaluated?; What monitoring and documentation activities will be implemented?; What will the reporting and corrective action system be?; What outcomes are expected to be achieved and how will they be measured?; What resources are needed to implement the strategy?
Risk management issues facing the public sector in Bulgaria are mainly related to the development and subsequent implementation of the strategies. Practically, this means that the difficulties are related to the overall risk management, since the strategy is the result of the risk management activities.
Without dwelling on methodological issues involved in the development of a strategic document, we present a simple yet meaningful structure of a Public Sector Risk Management Strategy, which includes the following indicative sections (Parashkevova, 2009):  Introduction. The reasons (external and internal regulations) for preparing a Risk Management Strategy are stated here. The approaches used to identify and evaluate the identified risk areas in organizational activities are described. The basis and manner of responses worked out and proposed (control activities) to reach a reasonable level of risk are pointed out. The position of the strategy is defined in relation to the other strategic documents of the public institution;  Organizational framework. The organizational goals, the capacity of the organization to counteract risk factors, the principles applied in practice, and the basic prerequisites for the existence and presence of risk areas, activities and processes are indicated. Existing controls in the institution are described and their level of objectivity, as well as favorable prerequisites for effective risk management in the organization are indicated;  Analysis and evaluation of the situation. The status of the organization, the risk areas and specific activities carrying a high degree of risk for the organization and its units are described. The analysis of the existing and potential risk in the work of the public institution is presented on the basis of preliminary identification of risks and their objective assessment. It is recommended to present risks to each area, which is individually studied, without overlapping data and making general conclusions about the situation as a whole (e.g. by areas included in questionnaires);  Strategic goals. The most important objectives the strategy aims at are described. They are long-term and affect the overall development of organizational activities. The risk appetite of institutions is defined;  Specific objectives. The specific objectives that will be achieved with this strategy are outlined. They are specificat the level of functional area, position, and have a limited scope, although they all contribute to achieving the strategic goals;  Risk management measures. Based on the risk profile described and on recommendations made, expert opinions and practice studied, control measures are outlined to reduce the risk for the organization as a whole, i.e. applicable to the overall business activity, as well as specificto particular functional areas or other selected risk responses;  Conclusion. Determines the way to implement the strategy, to monitor and control it, to document and report on its implementation, as well as the responsible officials;  Terminology. Specific terms used with specific meaning in the Risk Management Strategy (if any) are presented; 20-22 January, 2020 -DUBAI (UAE)  References. External and internal organizational regulations, rules, instructions, guidelines, etc., which correspond to the Risk Management Strategy, are described.

Proceedings of INTCESS 2020-7th International Conference on Education and Social Sciences
Project risk management should also find place in this strategy. The analytical and strategic part must integrate activities aimed at achieving levels of risk (accompanying each project) adequate to the risk appetite of the organization.

A CONCEPT OF INTEGRATED PROJECT RISK MANAGEMENT IN PUBLIC ORGANIZATIONS
Project risk is a manifestation of fluctuations in internal and external environmental factors and their impact on an organization, project or the course of ongoing processes. Project risk is characterized by uncertainty since it always relates to the future. "Uncertainty is related to the lack of sufficient information beyond the influence of random factors. These factors further affect the ability to process information and make decisions" (Nikolova, 2011a).
Successful project management is associated with existing risk management culture (California Department of Transportation, 2012). Culture is determined not only by the risk appetite of an organization, but also by teamwork skills, efficiency, ownership of business processes and risks associated with them. Projectoriented organizations apply an individual risk management approach to each individual project and group of activities . The new management paradigm emphasized by project management is characterized by authorizing and delegating rights and responsibilities, permanent pursuit of organizational change, improving business processes, promoting teamwork and networking, customer orientation, i.e. users of public services. The effectiveness of this type of management is related to the commitment of project teams to the overall process of project implementation, meeting specific deadlines and obtaining results by each team member, provided there is a high motivation for achieving project goals. This also means a high degree of employee involvement in project risk management.
It should be noted that differences in the risk management process also imply an individual approach to each project, depending on its phase. The main project phases depend on the specific case. Generally speaking, they are as follows: conceptualization; design, evaluation and planning; implementation; putting to use and functioning during the start-up phase (Georgiev, 2008). It is therefore advisable to give greater freedom and autonomy to team members in managing project risk. This is also one of the main features and benefits of agile project management. Adapted from: Deloitte. Introduction to risk management. Training materials under the project "Enhancing managerial responsibility and strengthening financial management and control in central and municipal administration", 2010.

Fig. 2. Risk intelligence framework
The proposed conceptual framework (Fig. 1) is based on the idea that risk management in a public project must be part of the public sector risk management strategy. This does not mean that risks for each individual project must be identified, analyzed, evaluated, and responses identified, etc. and be included in an organization's strategy. The strategy is to outline adequate measures, approaches and tools for project risk management in the context of an organization's risk appetite.
In conventional risk management, project risk management involves developing a project risk management plan and risk register that take into account both organizational risk management strategy and the organizational risk register. This is how integration is ensured.
If an organization and its project risk management strategy envisage the application of innovative or agile management approaches, they must be framed in order to find particular application in individual projects. In this context, the strategy is viewed as a starting point when choosing project risk management approaches, without going beyond the organizational framework set out in it (Terziev, Georgiev, 2019d-g;Terziev, Nichev, Georgiev, 2019h-i).
Generally, two approaches to integrating risk into a project and the risk management strategy exist: topdown and bottom-up. Centralism is leading with the first. Framework is predefined in the risk management strategy and project risk management should aim to fit into it. The second enables the project risk management organization practice to find its place in the Risk Management Strategy thus giving scope to the risk management framework in future projects. A combination of the two approaches is the mixed one, which, on the basis of the existing centralized framework, provides the highest degree of approximation to the specifics of each particular project. It gives a higher degree of freedom and autonomy to the decisions made by the persons responsible for the project.
An up-to-date development of the risk management concept is the creation of a risk intelligence framework within organizations. The first step in implementing it is to create and execute a strategy. It, among other activities of identification, analysis, evaluation, measurement, response identification, etc. is an effective measure of an organization's capacity to manage risk which includes three areas: 1) Risk management; 2) Risk management expertise; 3) Technologies (Fig. 2).
Smart risk management is based on the understanding that this process ensures making informed decisions. In managerial terms this implies a focus on management through objectives and conducting sustainable actions to achieve them, as well as on the development of expert capacity to identify, evaluate and analyze, measure and identify adequate risk responses. The constant improvement of responses, including defined controls, documentation, monitoring and reporting, are an integral part of the risk management process, both in terms of an organization and a particular project. However, to what extent the process will be successful depends mainly on the degree of maturity of organizations with regard to risk management (Table 1). Degree of maturity of the project risk management process

Main characteristics
Immature risk management Unregulated, partial and chaotic risk management in an organization based on individual initiative and experience.
Misunderstanding of the risk management process by the majority of employees.
Lack of organizational culture and manager's will to integrate this process into the management system of a public sector organization.
Lack of project risk management.

Fragmented risk management
Implementation of individual risk management activities, which lack process character. Lack of planned response to risks, lack of prevention.

Lack of a clear relationship between organizational goals and risk
Managers are aware of the need to manage risk.
Project risk management is carried out only in the presence of a specific requirement, imposed for example by a funding institution and it is formal.

Centralized risk management
A risk management policy and strategy exist in an organization.
Formal risk identification and assessment, without any relation to organizational objectives.
Implementation of standardized and routine risk responses.
Unclear channels of communication and various forms of risk documentation.
Adequate management will and tone on the top regarding the integration of risk management in organizational processes.
Project risk management according to the requirements of the funding organization and the risk register of an organization.
Systematic risk management Actual implementation of the risk management strategy.
Managers are committed to risk management within the organization.
Transparently designed risk register.
Broad participation to determine risk appetite.
Risk is integrated into the overall management of an organization.
Risk management is a systematic and structured process.
Risk management capacity building through training, etc.
Project risk management is integrated into the risk management organizational strategy and is carried out in accordance with the established procedures and experience in the organization.
Smart risk management Risk management is part of an organization's strategic management.
Different models are used to predict risk and develop response scenarios.
Risk management is an integral part of work processes and is based on established rules, procedures, instructions, expertise and lessons learned.
A bottom-up approach to risk management is promoted, with everyone understanding their own risk management commitments within the scope of the authority conferred on them.
Project risk management is closely integrated into the organization's philosophy, stimulating innovation and implementing agile risk management methods.
Achieving a high level of maturity for an organization with regard to project risk management means that managers and all the staff involved are aware of the importance of the process, seek to integrate it into all public institution activities and workflows, and invest the necessary resources and efforts to have reasonable assurance that project objectives will be achieved in the context of the organizational development strategy (Terziev, Nichev, Stoyanov, Georgiev, 2017a-c;Terziev, Nichev, Stoyanov, Georgiev, Bogdanov, 2017d). 20-22 January, 2020 -DUBAI (UAE)

CONCLUSION
The public sector faces a number of challenges in an evolving social and economic environment, such as the Bulgarian one. The large number of problems that require quick resolution often evade risk management issues on the agenda. The application of traditional management models to public institutions does not emphasize the importance of risk management. Conventional management in administrations does not stimulate innovation and the introduction of new approaches. The public resource used by administrative structures does not imply a risk analysis that is typical of business. This also underlies the lack of understanding of the need and importance of risk management, both with regard to a particular project and for the organization as a whole.
Partial risk management is neither effective nor appropriate. Achieving a high level of maturity with regard to the overall and integrated risk management in line with the goal-management concept implies a complete review of existing practices in each organization, self-assessment, and identification of specific measures and areas for improvement or overall implementation of a real working risk management system.