[Paper] Integrative Analysis of Risk Management Methodologies in Data Science Projects

Published: December 2, 2025 at 08:06 AM EST
3 min read
Source: arXiv

Overview

Data‑science projects are notorious for flopping—often because risk isn’t managed systematically. Sabrina Delmondes da Costa Feitosa’s integrative literature review dissects the most widely‑used risk‑management methods (ISO 31000, PMBOK, NIST RMF) and newer data‑science‑specific frameworks (CRISP‑DM, DS EthiCo RMF). The paper maps where these approaches overlap, where they diverge, and where critical gaps—especially around ethics and sociotechnical risk—still exist.

Key Contributions

  • Comprehensive taxonomy of risk‑management methodologies applied to data‑science initiatives.
  • Side‑by‑side comparison of classic standards (ISO 31000, PMBOK, NIST RMF) with data‑science‑centric models (CRISP‑DM, DS EthiCo RMF).
  • Identification of coverage gaps, notably the limited treatment of ethical, governance, and sociotechnical risks in traditional frameworks.
  • Evidence‑based recommendation for hybrid risk‑management frameworks that blend technical rigor with responsible‑AI oversight.
  • Research agenda outlining under‑explored areas (e.g., continuous ethical monitoring, cross‑functional risk ownership).

Methodology

The author performed an integrative literature review:

  1. Database search – systematic queries across IEEE Xplore, Scopus, Web of Science, and ACM DL using keywords like “risk management”, “data science”, “ethical risk”.
  2. Screening protocol – inclusion/exclusion criteria filtered 112 papers down to 38 high‑relevance sources.
  3. Content analysis – each source was coded for risk‑identification practices, mitigation tactics, governance structures, and ethical considerations.
  4. Synthesis matrix – the coded data were plotted against the five frameworks to expose commonalities, unique features, and missing elements.

The approach is deliberately non‑technical: think of it as a structured “literature audit” that extracts the “what, how, and why” of each methodology.

Results & Findings

| Framework | Core Focus | Ethical/Sociotechnical Coverage | Continuous Monitoring | Governance Integration |
|---|---|---|---|---|
| ISO 31000 | Generic risk management | Minimal (principles only) | No | Optional |
| PMBOK | Project‑level risk | Low (mostly technical) | No | Limited |
| NIST RMF | Security‑centric risk | Low‑moderate (privacy) | Yes (continuous) | Strong (policy) |
| CRISP‑DM | Data‑science workflow | None | No | None |
| DS EthiCo RMF | Data‑science lifecycle + ethics | High (ethical, sociotechnical) | Yes (feedback loops) | Embedded (governance checkpoints) |

  • Traditional standards excel at technical risk identification but fall short on ethical and sociotechnical dimensions.
  • DS EthiCo RMF introduces a multidimensional risk view, embedding ethical review points at each stage of the data‑science pipeline.
  • Across all frameworks, continuous risk monitoring is rare; only NIST RMF and DS EthiCo RMF provide mechanisms for ongoing oversight.
  • The analysis surfaces a gap: no single framework currently offers a seamless blend of technical, organizational, and responsible‑AI risk controls.

Practical Implications

  1. Hybrid Framework Adoption – Teams can start with a solid technical base (e.g., ISO 31000 or NIST RMF) and layer in DS EthiCo‑style ethical checkpoints, creating a “best‑of‑both‑worlds” risk regime.
  2. Tooling Roadmap – Existing risk‑management platforms (Jira, ServiceNow) can be extended with custom fields for ethical risk scores, aligning with the DS EthiCo model.
  3. Cross‑Functional Ownership – The paper’s taxonomy clarifies who should own each risk bucket (data engineers → technical risk, product owners → business risk, ethics officers → sociotechnical risk).
  4. Regulatory Readiness – By incorporating ethical governance early, organizations are better positioned for emerging AI regulations (EU AI Act, US AI Bill of Rights).
  5. Continuous Monitoring Pipelines – Implement automated alerts (e.g., drift detection, bias metrics) that feed back into the risk register, mirroring NIST RMF’s “continuous monitoring” loop.
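One way to wire the monitoring loop from items 3 and 5 into a risk register, as an added Python example that is not from the paper: a PSI drift check and a demographic‑parity check whose breaches become register entries routed to the owner of their risk bucket. The thresholds, the owner mapping and the sample data are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from math import log

# Owners per risk bucket, following the page's cross-functional split (assumed mapping).
OWNERS = {"technical": "data engineer", "sociotechnical": "ethics officer"}
PSI_THRESHOLD = 0.2  # assumed: common rule-of-thumb level for significant drift
DPD_THRESHOLD = 0.1  # assumed: maximum tolerated demographic parity difference

@dataclass
class RiskEntry:  # one row destined for the risk register
    metric: str
    value: float
    bucket: str
    owner: str

def psi(expected, actual, bins=10):
    """Population Stability Index; an epsilon keeps empty bins from giving log(0)."""
    lo, hi = min(expected + actual), max(expected + actual)
    width = (hi - lo) / bins or 1.0
    def hist(xs):
        counts = [0] * bins
        for x in xs:
            counts[min(int((x - lo) / width), bins - 1)] += 1
        return [(c + 1e-6) / len(xs) for c in counts]
    e, a = hist(expected), hist(actual)
    return sum((ai - ei) * log(ai / ei) for ei, ai in zip(e, a))

def demographic_parity_diff(predictions, groups):
    """Largest gap in positive-prediction rate between any two groups."""
    rates = {}
    for g in set(groups):
        idx = [i for i, gg in enumerate(groups) if gg == g]
        rates[g] = sum(predictions[i] for i in idx) / len(idx)
    return max(rates.values()) - min(rates.values())

def monitor(expected, actual, predictions, groups):
    """Each breached threshold becomes a register entry routed to its bucket's owner."""
    entries = []
    drift = psi(expected, actual)
    if drift > PSI_THRESHOLD:
        entries.append(RiskEntry("feature_drift_psi", round(drift, 3),
                                 "technical", OWNERS["technical"]))
    gap = demographic_parity_diff(predictions, groups)
    if gap > DPD_THRESHOLD:
        entries.append(RiskEntry("demographic_parity_diff", round(gap, 3),
                                 "sociotechnical", OWNERS["sociotechnical"]))
    return entries

if __name__ == "__main__":  # constructed sample: a drifted feature and a skewed outcome
    print(monitor(list(range(10)), [9] * 10, [1, 1, 1, 0, 0, 0, 0, 1], ["a"] * 4 + ["b"] * 4))
```

In a real deployment the returned entries would be pushed into the team's tracker rather than printed, which is where the custom ethical‑risk fields from item 2 would live.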

Limitations & Future Work

  • Scope limited to published literature – real‑world case studies or proprietary frameworks were not examined, which may affect external validity.
  • Rapidly evolving field – New ethical‑risk frameworks (e.g., IBM AI Fairness 360 integrations) could emerge after the review period, requiring updates.
  • Future research suggested includes empirical validation of hybrid frameworks in live projects, development of quantitative metrics for sociotechnical risk, and tooling prototypes that automate ethical risk tracking throughout the data‑science lifecycle.

Authors

  • Sabrina Delmondes da Costa Feitosa

Paper Information

  • arXiv ID: 2512.02728v1
  • Categories: cs.SE
  • Published: December 2, 2025