Implementing Enterprise Risk Management Solutions Book
Enterprise risk management: Factors associated with effective implementation
Risk Governance & Control: Financial Markets & Institutions / Volume 6, Issue 4, Fall 2016, Continued - 1
ENTERPRISE RISK MANAGEMENT: FACTORS ASSOCIATED WITH EFFECTIVE IMPLEMENTATION
Godson K. Mensah*, Werner D. Gottwald**
*Alumnus, Capella University, Minnesota, the USA
**Capella University, Minnesota, the USA
Abstract
Risk management is undergoing a great change, as organizations shift from the traditional and
compartmental to an enterprise wide approach. Consequently, enterprise risk management
(ERM) is gaining global attention among risk management professionals and academics. The
demand for the adoption of ERM has led to several companies embracing it, yet its
implementation has become challenging. Research shows that the ERM approach emphasizes a
holistic approach for assessing and evaluating the risks that an organization faces as against the
"silo" approach of the traditional methods. The extant literature shows that through the
reduction of the risk that an organization faces, ERM is capable of improving the performance
and value. The study used a non-experimental correlational approach to explore the relationship
between the presence of a chief risk officer (CRO) and an audit committee (AC), and the support
of top management (TM) in relation to the implementation of ERM. A survey instrument was
provided to self-identified risk-management professionals who are members of the Survey Monkey
Audience Service database. The target sample frame requested for analysis using a power of .95
was (n = 119). However, the final number analyzed was (n = 134). Frequencies and percentages
were conducted on the demographic survey items and regression and correlational analyses
were also performed. The study findings show that there was a significant relationship between
the role of a CRO, the presence of an AC, and the support of TM and the level of ERM
deployment. The study also found significant correlations between management support level
and CRO, and AC. In addition, a much stronger positive correlation was noted between the
presence of a CRO and an AC.
Keywords: Enterprise Risk Management, Chief Risk Officer, Audit Committee, Top Management Support
1. INTRODUCTION
The current global financial crisis has seen the
collapse of numerous international businesses due
to inadequate or inappropriate risk management
(Beasley, Branson, & Hancock, 2010; Brown, Steen, &
Foreman, 2009; Power, 2009). Many organizational
failures and financial disasters can be attributed to
poor risk management (McConnell, 2009) and
inadequate governance practices (Yeoh, 2009).
Research indicates that the percentage of business
initiatives that are unsuccessful is remarkably high
(e.g. Cozijnsen, Vrakking, & van Ijzerloo, 2000;
Rizova, 2006; Wycoff, 2003). As a result,
organizations have focused on remediating
weaknesses in risk management systems to improve
stakeholder protections (Bates, 2010; Paape &
Speklé, 2012). Consistent with this, Berinato (2004,
p. 48) observed that "balancing risk is becoming the
only effective way to manage a corporation in a
complex world."
Robust risk management has continued to be
of great concern to practitioners, academics, and the
business community because it augments
organizational performance and creates value for
shareholders (Dabari & Saidin, 2014). Inadequate
risk management policies create adverse economic
and social consequences for stakeholders as in
Yamato Life Insurance, American International
Group (AIG), Lehman Brothers, Fannie Mae, Freddie
Mac, among others (Kerzner, 2009). Nocco and Stulz
(2006) noted that poor risk management can result
in large "dead weight" costs in organizations, which
negatively affect organizational value. By reducing
risk, a company can reduce the amount of expensive
equity capital needed to support its operating risk
cost.
Organizations are regularly confronted with
issues of risk management as strategic decisions are
made (Bromiley, McShane, Nair, & Rustambekov,
2014). Consequently, developing an institution-wide
approach to proactively dealing with and optimizing
emerging threats and opportunities cannot be
overemphasized (Samanta, 2009). Effective risk
management offers significant benefits to
organizations, their projects, and their stakeholders
(Didraga, 2013). For example, effective risk management
could potentially reduce variability in earnings and
possibly minimize economic distress on an entity
(Smith & Stulz, 1985). It also ensures that potential
risks are identified, understood, and subsequently
prioritized for better decision making, which
promotes the realization of strategic goals, lowers
earnings volatility and subsequently increases
profitability (COSO, 2004; Gates, Nicholas, & Walker,
2012; Lin, Wen, & Yu, 2012).
As organizations expand, one of the keys to
successful growth is steady risk management
(Walker, Shenkir, & Barton, 2002). In order to yield
benefits, risk management must be addressed and
practiced at all levels of an organization (Hillson,
2005). For organizations to survive in this turbulent
environment and gain competitive advantage, a
holistic approach to handling risk needs to be
adopted (Meagher & O'Neil, 2000; Stroh, 2005).
Consistent with this, it is argued that a holistic
approach to risk management needs to be adopted
(Stoke, 2004).
In the wake of increasing expectations that
organizations employ successful risk management, a
framework for managing risk called enterprise risk
management (ERM) has been developed (Buchanan,
2004). This framework is gaining substantial
momentum as a potentially effective response to
managing risk and related challenges (Paape &
Speklé, 2012). Regulators, professional associations,
and rating firms are calling for the adoption of a
consolidated risk management approach (Arena, Arnaboldi, &
Azzone, 2010). This approach emphasizes a holistic
and comprehensive approach for assessing and
evaluating risks in an organization as opposed to the
"silo" approach of traditional methods (Ai, Brockett,
Cooper, & Golden, 2012; Arena et al., 2010; Bromiley
et al., 2014).
While interest in enterprise-wide risk
management is high and several organizations have
begun to utilize the framework, implementation has
been challenging (Mikes, 2008; Power, 2009). In
addition, there are few studies describing its
successful implementations (Aabo, Fraser, &
Simkins, 2005). Research examining the factors
associated with its implementation in North America
has largely focused on insurance and financial
institutions (Beasley, Clune, & Hermanson, 2005;
Bromiley et al., 2014; Desender, 2011; Kraus &
Lehner, 2012), with insufficient research in the
management discipline (Bromiley et al., 2014).
Similarly, in spite of the substantial interest in the
holistic approach to managing risk on the part of
academics and practitioners and the prevalence of
collaborative risk management programs, there is
limited empirical evidence regarding its impact on
firm value (Hoyt & Liebenberg, 2011; Leech, 2002;
Liebenberg & Hoyt, 2003).
In the literature, ERM has been used
synonymously with integrated risk management,
holistic risk management, enterprise-wide risk
management, corporate risk management, and
strategic risk management (Beasley et al., 2005;
Committee of Sponsoring Organizations of the
Treadway Commission [COSO], 2004; Gordon, Loeb,
& Tseng, 2009; Liebenberg & Hoyt, 2003; Nocco &
Stulz, 2006; Pagach & Warr, 2011). Holistic risk
management is often equated with the objectives of
ERM (Borker & Vyatkin, 2012; Fraser & Simkins,
2010).
1.1. Background of the Study
Risk management as a formal part of the decision-
making processes within organizations is traceable
to the late 1940s and early 1950s (Dickinson, 2001).
Managing risk is a fundamental concern in today's
turbulent global environment (Berinato, 2004). In
support of this assertion, Wu and Olson (2010)
indicated that establishing acceptable levels of risk
has become a critical strategy to boost performance
and profitability in today's environment.
There has been a growing interest over the last
decade in risk management, and the expectations of
stakeholders concerning risk management have been
rising at a rapid rate, especially after the recent
(2008) financial crisis (Gephart, Van Maanen, &
Oberlechner, 2009; Paape & Speklé, 2012; Power,
2007). The crisis has exposed weaknesses in
risk management practices, and organizations are
under continuous and significant pressure to
improve their risk management systems and adopt
appropriate actions that will improve stakeholder
value protection (Paape & Speklé, 2012). This
pressure has led to a paradigm shift regarding the
way risk management is perceived (Gordon et al.,
2009).
Instead of looking at risk management from a
silo-based perspective, ERM takes a holistic view of
risk management. For this reason, it has gained
substantial momentum as a potentially effective
response to risk management challenges (Paape &
Speklé, 2012). A holistic approach to managing risk
can enable organizations to deal with risks and
opportunities more effectively, enhancing the
organization's capability to create and preserve
value for stakeholders (Beasley, Pagach, & Warr,
2008; COSO, 2004; Lam, 2003; Liebenberg & Hoyt,
2003; Nocco & Stulz, 2006).
A general theory emerging from the literature
is that the implementation of such a system
improves organizational performance (COSO, 2004;
Hoyt & Liebenberg, 2009; Lam, 2003; Nocco & Stulz,
2006; Paape & Speklé, 2012; Stulz, 1996). Gordon et
al. (2009) argued that one factor driving practical
and scholarly interest in enterprise-wide risk
management is the belief that it offers organizations
a more comprehensive approach to risk
management than the traditional silo-based risk
management perspective. By adopting a systematic
and consistent approach to managing the risk
confronting an organization, this approach is
presumed to lower an organization's overall risk of
failure and thereby increase performance and
subsequently the value of the organization.
Effective risk management systems equip
organizations to withstand adverse effects caused
by various environmental risks, resulting in a steady
stream of business opportunities that could
potentially reduce variability in corporate earnings
(Torben, 2009). In addition to preventing losses,
effective risk management enables identification,
development, and exploitation of opportunities
(Torben, 2009), leading to the successful pursuit of
greater risk and the creation of better competitive
advantage (Galloway & Funston, 2000). However, in
spite of the attention that this approach has
received, little is known about the stages of
deployments or factors that affect its acceptance
within an organization (Beasley et al., 2005; Paape &
Speklé, 2012; Waweru & Kisaka, 2013).
The general perceived problem that supports a
need for the present study is the inability of
organizations to effectively and efficiently manage
risk, resulting in both failures and losses. The
specific problem the study will investigate is the
inadequacy of organizational risk management
practices aimed at improving organizational
performance and potentially reducing or preventing
losses. This problem is particularly important as
improved performance results in the creation of
value for shareholders (Nocco & Stulz, 2006). This
study could also contribute to emerging research on
corporate-wide risk management implementation
and to risk management literature. The purpose of
this research therefore is to study the factors
associated with the effective implementation of
holistic approaches to risk management as applied
to various industries of finance, manufacturing, IT
and telecommunication, insurance, business
services, transport and logistics, government or non-
profit, healthcare, energy or oil and gas industries,
and other industries in North America. Previous
research was mainly focused on the financial and
insurance institutions.
The purpose of this correlational study was to
assess the relationship between the role of a Chief
Risk Officer (CRO), the role of an Audit Committee
(AC), Top Management (TM) support and the
implementation of organization-wide risk
management. Paape and Speklé (2012) noted that
there have been very few studies examining how
different industries implement it. The results of
their findings suggested that firms in the financial
industry have a higher level of its implementation
(Kraus & Lehner, 2012; Paape & Speklé, 2012). Along
with banking and insurance firms, Beasley et al.
(2005) found the educational sector to have an
equally developed risk management program in
place.
Another concern regarding the literature on
holistic risk management is that the majority of the
studies examining multiple industries were
conducted in Europe (Paape & Speklé, 2012). Thus, it
is important to conduct similar research in other
parts of the world and across different
organizations to enhance the generalizability of
earlier findings. Unlike previous research, which
mainly focused on financial and insurance
institutions, the present study intends to investigate
its implementation across several industries and in
organizations of various sizes. In addition, the
sample for the present study will include private,
public, for profit, and non-profit organizations,
unlike earlier research conducted.
1.2. Rationale
Beasley et al. (2010) posited that during the recent
economic crisis some organizations failed because
there was less focus on identifying, assessing, and
managing their most important emerging risk. Other
organizations failed because their aggressive pursuit
of returns overshadowed underlying risk. In some
situations, however, organizational leaders were
blindsided by unknown risks, due to the lack of
sufficient infrastructure to identify, assess, and
monitor emerging risk within their enterprises
(Beasley et al., 2010). The recent economic failures
have therefore brought to light the consequences of
ineffective risk management (Kleffner, Lee, &
McGannon, 2003; Lam, 2001).
Poor risk management results in adverse
economic and social consequences for stakeholders
(Kerzner, 2009). According to McCafferty (2010), in
the U.S. alone, approximately $63 billion is spent
annually on IT projects that fail. However, even
when risk management processes appear to have
been effectively employed, many projects fail to
meet their goals and fall short of stakeholders'
expectations. Nocco and Stulz (2006) noted that
poor risk management could result in large dead
weight costs on organizations resulting in long-term
reduction of value. By properly managing risks, an
organization can reduce the amount of expensive
equity capital needed to support its operating risks
(Nocco & Stulz, 2006).
Corporate risk management can benefit
organizations in a variety of ways. Taking a holistic
approach to risk management allows organizations
to decrease the level of volatility in earnings and
stock price, reduce external capital costs, increase
capital efficiency, and create synergies between
different risk management activities (Beasley et al.,
2008; Lam, 2001; Meulbroek, 2002). Kleffner et al.
(2003) noted that the adoption of a holistic risk
management approach enables a coordinated and
consistent approach to managing risk, resulting in
lower costs and better communication across an
organization. A coordinated approach can also lead
to the avoidance of losses as there will be a better
approach to handle the overall risks.
An enterprise-wide risk management approach
provides organizations with a framework for
discipline as it enables management to deal
effectively with the uncertainty associated with risks
and opportunities (Stroh, 2005). This approach also
allows organizations to assess the variability of
target-performance levels with the view to enhancing
value and providing transparency to shareholders
(Stroh, 2005). Nocco and Stulz (2006) observed that
a holistic risk management approach creates value
for organizations through its effects on both macro
(organization-wide) and micro (business-unit) levels.
At the macro level, it creates value by enabling
senior management to quantify and manage the
organization's risk-return trade-off. Consequently,
the organization is able to maintain access to the
capital market and other resources necessary to
implement its strategy and business plan. At the
micro level, holistic risk management becomes a way
of life for project team members, and managers and
employees throughout the organization (Nocco &
Stulz, 2006).
Through increased communication, the
collaborative perspective leads to a broader
understanding and recognition of risk throughout
the organization. It also ensures that all risks are
owned and risk-return tradeoffs are carefully
evaluated by operating managers and employees
throughout the organization (Bowling & Rieger,
2005; Nocco & Stulz, 2006). An effective and
efficient risk management approach has the
potential to reduce compliance cost, improve
operational performance, enhance corporate
governance and deliver increased shareholder value
(Bowling & Rieger, 2005; Cumming & Hirtle, 2001;
Lam, 2001). In today's economy, effective risk
management is a critical component of any winning
management strategy (Ingley & van der Walt, 2008;
Stroh, 2005).
The need for improvement in organizational
risk management has received substantial attention
from both practitioners and the field of academia
(Ingley & van der Walt, 2008; Kleffner et al., 2003;
Kraus & Lehner, 2012; Nocco & Stulz, 2006; Paape &
Speklé, 2012; Stroh, 2005). This study contributes to
and extends the emerging research on holistic risk
management adoption and implementation by
studying organizational factors associated with its
implementation in organizations. The study could
also potentially contribute to academic risk
management literature and the related body of
knowledge.
1.3. Significance of the Study
The 2008 financial crisis has led to the call for
extensive risk management in organizations (Hoyt &
Liebenberg, 2011). The increased importance of a
robust organizational-wide risk management
practice is also attributed to the dynamic business
environment characterized by threats emanating
from political, economic, natural, and technical
resources (Wu & Olson, 2010). Inefficient risk
management has adverse economic impact on
organizations and their stakeholders (Kerzner, 2009;
Nocco & Stulz, 2006). An organization-wide risk
management system facilitates a coordinated and
consistent approach to managing risk within an
organization, thereby increasing productivity
and value (Kleffner et al., 2003). It advocates a
comprehensive approach to risk management,
aligning with the organization's strategy while
involving employees at all levels (Liebenberg & Hoyt,
2003). It also provides a solid framework for
handling uncertainty and its associated risk, and for
assessing variability around target performance
levels (Stroh, 2005).
Through increased communication, ERM yields
a broader understanding throughout the
organization and ensures that all risks are owned
(Bowling & Rieger, 2005; Nocco & Stulz, 2006). A
holistic risk management approach has the potential
to reduce compliance cost, improve operational
performance, enhance corporate governance, and
deliver greater shareholder value (Bowling & Rieger,
2005; Cumming & Hirtle, 2001; Lam, 2001).
Consistent with this observation, Byrnes Williams,
Kamat, and Gopalakrishnan (2012) observed that
organizations that have adopted a proactive risk
management approach are able to practically deal
with uncertainty and associated risk and
opportunity, subsequently promoting brand value
and profitability.
This study extends emerging research on risk
management by examining organizational factors
such as audit committee (AC), top management (TM)
support, and chief risk officer (CRO) associated with
its implementation. As a result, this study could
potentially contribute to the body of knowledge and
literature in risk management. In addition, this study
could potentially benefit practitioners considering
the implementation of robust risk management
systems. Gates et al. (2012), however, cautioned that
the study of ERM could be challenging as
organizations are not under obligation to disclose
details of their corporate risk management
processes and stages.
1.4. Nature of the Study
A correlational research approach was used to
assess the relationship between the role of a chief
risk officer (CRO), the role of an audit committee
(AC), top management (TM) support and the
implementation of enterprise risk management
(ERM). According to Waweru and Kisaka (2013),
several theories lend themselves to the study of
holistic risk deployment. Examples include
stakeholder theory, decision theory, agency theory,
and contingency theory. This research was
conducted from the organizational contingency
model perspective. "Contingency theory is an
approach to the study of organizational behavior in
which explanations are given as to how contingent
factors such as technology, culture and the external
environment influence the design and function of
organizations" (Islam & Hu, 2012, p. 5159).
This theory suggests that an organization's
effectiveness is dependent on its ability to adjust to
the environment, and the need for congruency
between environment and structure (Pennings,
1992). The main ideology of this theory is that there
is no single best approach to doing things. The best
and most suitable approach is situation-dependent
(Alboali, Hamid, & Moosavi, 2013).
Similarly, a review of the extant literature on
holistic risk management implementation in an
organization revealed the use of various contingent
variables (Daud & Yazid, 2009) such as firm size,
industry type, TM support, presence of CRO,
presence of AC, CG, auditor type, quality of the
internal auditor, risk culture, board independence,
ownership structure, board size, regulatory
compliance, education and training, and cross-
functional staff. Consistent with this observation,
Gordon et al. (2009) noted that the determination of
"key factors in contingency relations between a
firm's ERM system and its performance is far from
an exact science" (p. 303). Although there is no
common theoretical framework that determines the
principal factors between an organization's strategic
risk management system and performance, Gordon
et al. observed that there is a general consensus that
it is dependent on factors as indicated above. The
characteristics of these variables, however, depend on
the peculiarity of each location and their context
(Dabari & Saidin, 2014).
In spite of the popularity of the contingency
theory in research, critics are concerned about the
adequacy of the underlying models employed
(Moores & Chenhall, 1991). The goal was to explain
how differences in contextual and structural
dimensions are related. For effectiveness, Drazin
and van de Ven (1985) and Islam and Hu (2012)
maintained that context and structure must fit
together. This study was based on this theory
because it continues to remain a dominant
paradigm in management studies (Islam & Hu, 2012).
Secondly, as indicated by Gordon et al. (2009), ERM
has been studied from the contingency theory
perspective by various authors (e.g. Chenhall, 2003;
Gerdin & Greve, 2004, 2008; Gordon & Miller, 1976;
Gordon & Narayanan, 1984; Mai & Chenhall, 1994;
Otley, 1980; Waweru & Kisaka, 2013). Taking this
approach, Figure 1 shows the expected relationship
between factors influencing the level of its
implementation.
Figure 1. The expected relationship between factors influencing the level of its implementation
The remainder of the research is organized as
follows: The second section reviews the literature on
enterprise wide risk management with a specific
focus on implementation factors, benefits over
traditional risk management, and relation to
organizational performance. The third section
provides a description of the research study and
explores the variables. The data analysis and
findings follow. Finally, the fifth section discusses
the results in detail and presents the conclusions,
recommendations, and the implications associated
with the study.
2. LITERATURE REVIEW
2.1. Risk Management
Although risk can be viewed as the possibility of
loss or exposure to loss, a hazard, an uncertainty, or
an opportunity (Rosenberg & Schuermann, 2006),
risk is ultimately a multilayered concept indicating
that there is a great deal at stake for organizations
(Smith & Mckeen, 2009). Risk is commonly measured
on two scales: severity and frequency. Severity refers
to the intensity or magnitude of loss or damage,
whereas frequency is the likelihood of loss, damage,
or a missed opportunity (Hampton, 2009). In this
light, risk could be viewed as an opportunity or a
threat. The management of risk and reward is
challenging, as evidenced by the recent (2008–2009)
economic crisis and its related uncertainty
(Gordon et al., 2009).
The concept of organizational uncertainty has
frequently been discussed in organizational theory,
psychology, and economics (Petit & Hobbs, 2010). It
has become more complex with a rise in the number
and intensity; as a result, risk management is
essential to organizational success (Ben-Amar,
Boujenoui, & Zeghal, 2014). Risk management helps
make the presence of risk in a firm's environment
much clearer and more apparent, and management
decides on the course of action based on the
acceptability of each risk (Dia & Zéghal, 2008;
McShane, Nair, & Rustambekov, 2011; Razali & Tahir,
2011). According to Ingley and van der Walt (2008),
risk management is considered to be an integral part
of an organization's strategic process and central to
performance, competitive advantage, and
shareholder and stakeholder value creation.
Risk management has been widely debated as
firms and institutions adopt strategic risk
management (McShane et al., 2011). In recent times,
there have been significant changes in how risk is
managed on an organizational level. Previously, it
was managed in silos, where different organizational
units handled risk independently (Lam, 2003).
However, some practitioners believe that risks are
interconnected and must be managed accordingly.
Consequently, most failures associated with poor
risk management can often be attributed to a
convergence of multiple factors (Maingot, Quon, &
Zeghal, 2013). There is not one correct approach for
managing risk, but there appears to be some
consensus about the need for the
institutionalization of enterprise wide risk
management (Bromiley et al., 2014; Maingot et al.,
2013). Hence, it is emerging as a priority for most
organizations (Altuntas, Berry-Stolze, & Hoyt, 2011).
2.2. The Portfolio Theory and Integrated Risk Management
The rationale behind a consideration of Portfolio
theory before turning to ERM is based on the
argument that Portfolio theory and holistic risk
management are closely related. According to
Alviniussen and Jankensgard (2009), it is believed
that organization-wide risk management is related
to, and originated from, the Portfolio theory
proposed by Markowitz (1952), as they both suggest
that risk should be managed on a portfolio basis.
The goal of this theory is to minimize the overall
impact of a given risk through a holistic
management approach (Alviniussen & Jankensgard,
2009). Another proposition of this theory is that the
expected variance in the returns of a firm is best
minimized by bringing the independent, non-
interactive business units together (Rumelt, 1974, as
noted by Lubatkin & Chatterjee, 1994).
The Portfolio Theory enables the determination
of the highest return for a given level of risk
(Sanchez, Benoit, & Pellerin, 2008). In other words, it
enables the determination and selection of a
portfolio with the lowest risk possible (Vaclavik &
Jablonsky, 2012). The assumption of the modern
Portfolio theory is based on the notion that the
effect of the overall risk in a portfolio is expected to
be less than the impact of the individual risks
(Markowitz, 1952). Consistent with this observation,
Eckles, Hoyt, and Miller (2014) observed that by
implementing an integrated risk management
framework, an organization could combine its
various risks into a risk portfolio, resulting in
increased productivity and profitability through cost
savings. Further developments and improvements
of the Portfolio theory include Postmodern Portfolio
Theory, Stochastic Portfolio Theory, and Fuzzy
Portfolio Theory (Vaclavik & Jablonsky, 2012).
2.3. Enterprise Risk Management
In the late 1980s, collaborative risk management
emerged as an extension of hazard risk
management, which posited that organizations must
manage risk in a comprehensive, coordinated
manner (Hampton, 2009). It is a complex concept
that affects every major aspect of an organization
(Hampton, 2009; Kimbrough & Componation, 2009).
Dickhart (2008) asserted that for a risk management
system to be effective, it must be able to coordinate
the various sectors responsible for risks. According
to Bowling and Rieger (2005), corporate risk
management is the highest level of risk management
in an organization, and it occurs when a holistic
approach is adopted. At this level, related activities
are linked to strategy and incorporated in daily
business processes.
ERM is a new paradigm for dealing with
organizational risk that allows policy makers to
focus on ways to improve CG and general risk
management (Beasley et al., 2005; Gordon et al.,
2009). Global initiatives on CG, internal control, and
risk management have driven the use of corporate
wide risk management systems (Muralidhar, 2010).
Consolidated risk management allows organizations
to overcome limitations associated with traditional
silo-based risk management practices (McShane et
al., 2011). However, McShane et al. (2011) observed
that in spite of its popularity, little is known about
its effectiveness. Although the extant literature
suggests that ERM deployment leads to value
creation, most of the systematic studies
failed to indicate specifically the components that
lead to value creation (Kraus & Lehner, 2012).
Similarly, although the findings in the literature
suggest a correlation between ERM and value
creation, Kraus and Lehner (2012) indicated that it is
unclear which of these benefits are attributable to
ERM or traditional risk management. In addition,
Altuntas et al. (2011) posited that there was no
consensus on a definition for it, involving specific
management tools that make it more effective.
According to Power (2009, p. 853), "risk
management designs like ERM are fundamentally
unable to process and represent internal systematic
risk issues, since this would require an imagination
of externalities well beyond their design". Challenges
associated with implementing holistic risk
management systems include unsuitable
organizational structures (OS), resistance to change,
poor understanding of how to incorporate new risk
management frameworks, and difficulty measuring
risk (Kleffner et al., 2003). Beasley, Branson, and
Hancock (2009) found that competing priorities,
inadequate resources, an absence of TM support,
and misconceptions that consolidated risk
management complicates corporate bureaucracy
result in low desire to implement it within
organizations.
Consolidated risk management enables an
organization to diligently work through a process of
identifying and analyzing risks with the view to
making informed decisions (Brown et al., 2009). It
also facilitates open discussions of risks (Liebenberg
& Hoyt, 2003) as they are effective in identifying,
assessing, and monitoring organizational risk while
ensuring effective communication (Beasley et al.,
2009). Ben-Amar et al. (2014) noted that a
collaborative risk management approach identifies,
manages, and mitigates risk allowing organizations
to capitalize on opportunities. A holistic risk
management approach provides a framework for
identifying circumstances that influence
organizational objectives, evaluating risk prevalence,
noting responses and strategies that attenuate risks,
and establishing a process to monitor risks (Ben-
Amar et al., 2014). Effective monitoring with an ERM
system enables organizations to detect, restrict, and
rectify any discrepancies that would have affected
their strategic decisions and, for that matter, their
long-term goals (Byrnes et al., 2012).
Holistic risk management can be viewed as a
paradigm shift, in which senior executives and
management realign organizational risk
management (Gordon et al., 2009). Rochette (2009)
maintained that due to the changing risk
environment, any strategic risk management
approach must cover a range of projects, processes,
products, and services. Power (2009), however,
argued that instead of focusing beyond the horizon
and serving as a mechanism that challenges the way
complex issues are assessed and managed by an
organization, organization-wide risk management
serves as a boundary-perpetuating system of risk
management.
ERM is usually described as comprehensive,
integrated, complex, and cross-divisional
(Liebenberg & Hoyt, 2003). Meagher and O'Neil
(2000, p.10) described it as an "approach that is
positive and proactive, value-based and broadly
focused, embedded in processes, integrated in
strategy and total operations, and continuous." A
comprehensive risk management approach
considers interdependencies as well as contradictory
components of the risk management process (Borker
& Vyatkin, 2012). It also identifies optimal objectives
when dealing with internal issues (Kimbrough &
Componation, 2009). The lack of a holistic risk
theory has the potential to disrupt the development
of an applied risk management system (Borker &
Vyatkin, 2012).
According to Brown et al. (2009), ERM is the
method and the process organizations use to
manage risk, seize opportunities, and achieve
objectives. Stroh (2005) defined it as a way to
identify risk factors in business, assess severity,
quantify magnitude, and mitigate the downside
exposure associated with risks while capitalizing on
the upside opportunities. De Loach (2000) also
defined it as a disciplined approach to align
strategy, processes, people, technology, and
knowledge, with the purpose of evaluating and
managing uncertainty to create value. COSO (2004)
noted that ERM is an approach for identifying and
managing risk events, to be within an organization's
risk appetite in order to provide reasonable
assurance for achieving objectives. It is usually
affected by board of directors (BOD), management,
and other personnel in a strategic setting. Manab,
Kassim, and Hussin (2010) referred to it as a
rigorous system by which organizations can assess a
number of variables simultaneously. In this study,
COSO's (2004) definition will be adopted.
An integrated approach to managing risk
demands commitment and support from leadership,
requires all employees to be responsible for risk
assessment and response, and utilizes a wide range
of tools and methodologies within a unifying
framework (Manab et al., 2010). In collaborative risk
management, risk is broadly defined to include any
action that could prevent an organization from
achieving its objectives. It reinforces employee
involvement, with a focus on risk practices, and
enables organizations to manage risks in an
integrated, enterprise-wide fashion (Hoyt &
Liebenberg, 2011). Gupta (2004) observed that this
holistic approach of dealing with risk is rapidly
emerging as a powerful approach to facilitate better
decision-making as it provides a uniform approach
to risk identification and measurement.
2.4. ERM versus Traditional Risk Management
Enterprise-wide risk management incorporates a
comprehensive approach to risk management,
aligning with the organization's strategy while
involving employees at all levels (Liebenberg & Hoyt,
2000). Sobel and Reding (2004) argued that risk has
holistic effects, creating the need for similar
management. COSO's (2004) definition of
organizational wide risk management addressed
how risk is managed, providing a basis for
application across organizations, industries, and
different sectors. It also focused on achievement of
objectives and provided a basis for defining its
effectiveness.
According to Pagach and Warr (2011), this
strategic approach of dealing with risk identifies and
assesses risks an organization might encounter and
examines potential control measures. Although
these processes are consistent with a traditional risk
management approach, certain variations exist.
Managing risks separately, as in the traditional
approach, results in inefficiency due to the lack of
coordination between departments. Advocates of
institutional wide risk management find that by
integrating decision-making across all risk types,
organizations can avoid risk expenditure by
exploiting natural hedges (Liebenberg & Hoyt, 2003).
Hedging could be viewed as a traditional risk
management activity that reduces the chances of
financial distress on an organization (Smith & Stulz,
1985). Through the exploitation of natural hedges,
holistic risk management reduces the extreme cost
of capital and subsequently improves the
performance and value of the organization (Nocco &
Stulz, 2006). Separate risk-management activities
can reduce earnings volatility from specific sources,
but the holistic risk management aims to reduce
volatility by preventing aggregation of risk across
different entities (Hoyt & Liebenberg, 2011).
The traditional risk management approach is
compartmentalized in organizations, whereas ERM
usually involves a broader perspective, considering
the various types of risk associated with
organizational objectives (Borker & Vyatkin, 2012). It
purports to gain a systemic perspective of the
interdependence among risks (McShane et al., 2011).
Instead of concentrating on a single risk,
consideration is given to the risks that could impede
a firm's objectives and value; it may not be possible
to control all risks; however, sources of risk can be
identified and managed in relation to the
organization's overall objectives (Ben-Amar et al.,
2014). Corporate risk management, unlike
traditional risk management approaches (silo,
department-by-department, or risk-by-risk
approaches), requires an organizational-wide
approach be taken in identifying, assessing, and
managing risk (Kleffner et al., 2003). While the
traditional approach to risk management mainly
purports to protect an organization from financial
losses, corporate risk management on the other
hand considers risk management as a component of
an organization's strategy, thereby allowing for
better decision making (Liebenberg & Hoyt, 2003).
The traditional approach has also caused excessive
cost to organizations, and does not provide a clear
and comprehensive view of risk to management and
BOD (Lam, 2000).
In addition, traditional approaches to risk
management have not considered shareholder value
and responsibilities to investors when making
decisions (Meier, 2000). Collective risk management
takes a much broader view of risk compared to the
fragmented, silo-structured risk management at
many organizations (Bowling & Rieger, 2005). An
organizational wide approach of risk management
also looks within and across organizational
activities, in contrast to the silo approach to risk
management (Bowling & Rieger, 2005). Whereas
traditional risk management is largely concerned
with protecting organizations against adverse
financial effects, collaborative risk management
allows for more wide-ranging risk-adjusted decisions
that maximize shareholder value (Meulbroek, 2000).
Whereas individual risk management activities
may reduce earnings volatility by reducing the
probability of catastrophic losses, potential
interdependencies between risks exist across
activities that might go unnoticed in the traditional
risk management model. Enterprise wide risk
management, however, provides a structure that
combines all risk management activities into one
integrated framework enabling the identification of
such interdependencies (Hoyt & Liebenberg, 2011).
Thus, whereas individual risk management activities
limit earnings volatility from specific sources, an
institutional wide strategy reduces volatility by
preventing the aggregation of risk from different
sources.
2.5. Antecedents of ERM Implementation
The implementation of strategic risk management is
driven by a combination of external and internal
factors (Kraus & Lehner, 2012; Lam, 2001;
Liebenberg & Hoyt, 2003). The major external
influences driving organizations to take a more
holistic approach to risk management include a
broader scope of risks associated with CG issues,
institutional investor pressure, competitive
advantage, technology advancement, increasing
complexity of risk, and globalization (Miccolis &
Shah, 2000; Rosen & Zenios, 2006), failures
(Dickinson, 2001). Some internal drivers include
maximization of shareholder wealth (Lam, 2001),
market expectations, anticipated losses (Kraus &
Lehner, 2012), BOD, ACs, internal audit, and TM
(Deloitte, 2008).
Other contributing factors are changes in
investor regulations, heightened sensitivity to
earnings volatility, and increased accountability by
organizational boards (Kleffner et al., 2003). In
addition, technological advancement in computer
software and increasingly sophisticated statistical
and economic analytical models have made holistic
risk management systems more viable (Green, 2001).
Manab et al. (2010) maintained that CG and
shareholder value are the motivational factors for
corporate entities adopting and implementing it, and
Miccolis and Shah (2000) identified the desire to
maximize shareholder wealth as a primary external
factor driving its implementation.
According to Kraus and Lehner (2012), the
introduction of regulatory bodies and other
frameworks such as the Sarbanes-Oxley Act (SOA) in
2002, Basel II in 2003, the Casualty Actuarial Society
(CAS, 2003), the joint Australia/New Zealand
Standard (AS/NZS, 2009), the New York Stock
Exchange corporate governance rules (NYSE, 2009),
and the Dodd-Frank Act (2010) has greatly influenced
the adoption and implementation of corporate-wide
risk management by organizations. Bowling
and Rieger (2005) argued that widespread
implementation is increasing for two reasons. First,
increased emphasis on CG and mounting compliance
costs associated with the Sarbanes-Oxley Act of
2002 (SOA) are motivating factors. Second, the
release of COSO's risk management framework has
provided impetus for organizations by making its
implementation easier. Galloway and Funston (2000),
however, opined that the two main drivers for the
deployment of an ERM system are the creation of
low risk management cost and the need to achieve
competitive advantage.
Stroh (2005) noted that ERM is becoming an
emerging standard, and based on these factors, it
may well be the key to survival for many
organizations. Increased global competition has
created a shift in the emphasis of risk management
from a defensive to a more strategic focus
(Meulbroek, 2002). In this sense, effective risk
management has become highly essential for all
types of organizations (Manab et al., 2010). In spite
of these driving factors, its implementation is
usually faced with several challenges (Gates, 2006).
According to Nocco and Stulz (2006), its
implementation is not straightforward even though
conceptually it appears to be. Altuntas et al. (2011)
observed that the success of an integrated risk
management system depends greatly on how
efficiently it is implemented in an organization.
Consistent with this observation, Nocco and Stulz
(2006) observed that a major challenge in strategic
risk management implementation is ensuring that
both TM and business managers take proper account
of the risk-return tradeoff within an organization.
2.6. Adoption and Implementation of ERM
Byrnes et al. (2012) observed that the deployment of
an ERM framework serves as a linkage between
strategy, risk management, and corporate
governance; consequently, it is indispensable in the
achievement of organizational goals. These authors
therefore proposed that a proactive risk
management system should:
- Incorporate risk management into the business
planning and decision-making process.
- Promote the identification of the various
risks an organization faces, thereby establishing
an appropriate risk management process.
- Perceive risk not just as a threat, but also as
an opportunity, and through that seek a balance
between risk-reward tradeoffs.
- Promote the involvement of members of the
entire organization.
- Have an organization-wide approach to
risk monitoring and reporting, and corrections for
the improvement of the risk management process.
It has been argued that a corporate risk
management framework requires a top-down,
holistic view of potentially critical risks that can
undermine an organization's ability to achieve
objectives (Beasley et al., 2009). Based on its holistic
approach, it must be developed with stakeholders in
mind, assessing the suitability of the approach for
individual organizations (Bowling & Rieger, 2005).
ERM has been discussed and debated for more than
a decade, but implementation has been limited to
only a few larger financial institutions (Bowling &
Rieger, 2005; Paape & Speklé, 2012). Research on
factors associated with its execution is limited
(Beasley et al., 2005). Kleffner et al. (2003) noted that
the poor adaptation rate of this new risk
management paradigm could be due to uncertainty
about how value is created, as well as how to
optimize organizational goals and vision. As a
result, Kleffner et al. noted that a strategic risk
management system must be accompanied by a risk
management culture to be successful.
Colquitt, Hoyt, and Lee (1997) found that
enterprise wide risk management implementation
depended on industry size and the individual(s)
responsible for risk management. Liebenberg and
Hoyt (2003) noted the presence of a risk office as
driving the implementation of an integrated risk
management framework in an organization. Kleffner
et al. (2003) found that the risk officer, support of
the BOD, and related regulations were key factors in
the corporate inclusion of holistic risk management
systems.
In 2005, Beasley et al. observed that ERM
incorporation is positively related to the presence of
a risk office, BOD independence, support of the
Chief Executive Officer (CEO) and Chief Financial
Officer (CFO), presence of auditors, entity size, and
type of industry (banking, education, and insurance
industries). Bowling (2005) observed that the
implementation of such a system is usually initiated
as a result of compliance issues (CG). Yazid, Razali,
and Hussin (2012) also suggested that its
implementation was largely dependent on variables
related to an organization's risk champion, leverage,
profitability, turnover, internal diversification, size,
and shareholders.
In extending the work of Liebenberg and Hoyt
(2003), Pagach and Warr (2011) noted that the
implementation of a holistic risk management
framework was supported by larger organizational
size, presence of more volatile cash flow, and riskier
stock returns. Furthermore, Paape and Speklé (2012)
found that the extent of institutional wide risk
management use within an organization was
influenced by the regulatory environment, internal
factors, ownership structure, and organizational and
industry-related characteristics. Eckles et al. (2014)
in their study concluded that the adoption of a
strategic risk management system was related to the
diversified nature of the organization,
organizational size, and the returns on stock
volatility. Based on this observation, Paape and
Speklé concluded that the factors associated with its
implementation are globally similar.
2.7. Benefits of Holistic and Effective Risk
Management
Risk management is a key driver of organizational
performance, competitive advantage, and
shareholder and stakeholder value creation (Ingley &
van de Walt, 2008). In emphasizing the importance
of the structural approach to risk management,
Gates et al. (2012) noted that strategic risk
management enhances management and improves
organizational performance by leading to consensus
among management and strengthening decision
making and accountability. Rochette (2009) observed
that an effective risk management system serves as
a link between compliance and performance in CG.
Through an effective risk management framework,
an organization's TM and BOD address potential
risks during strategic planning (Beasley et al., 2009).
Apart from considering the different categories of
risk, corporate risk management regards each risk as
part of an organization's overall risk portfolio
managed holistically (Liebenberg & Hoyt, 2003).
Enterprise wide risk management also
increases risk awareness and subsequently increases
knowledge that leads to sound decision making
throughout the organization (Kleffner et al., 2003).
With traditional risk management, important risks
can elude the attention of TMs (Drew & Kendrick,
2005). Drew, Kelley, and Kendrick (2006) observed
that without an enterprise-wide approach to risk
management, organizations can have an acceptable
risk level, yet have an unacceptable combination of
risk aversion and risk seeking. Management's ability
to control risk can result in organizational growth
and increased investor confidence (Meier, 2000).
The success of a business entity depends on
effective risk management as risk has the potential
to impact organizational value (Archer, 2002).
Holistic risk management benefits organizations by
decreasing volatility of earnings and stock prices,
reducing external capital costs, increasing capital
efficiency, and creating synergy between different
risk management activities (Beasley, Pagach, & Warr,
2001; Lam, 2001; Meulbroek, 2002). Kleffner et al.
(2003) noted that such an approach enables a
coordinated approach to managing risk, resulting in
lower cost and better communication. This leads to
the avoidance of losses, as overall risk management
improves.
Consolidated risk management also provides a
disciplined framework enabling management to deal
with uncertainty; this framework includes
associating risks and opportunities to assess
variability around target performance levels that
enhance value and provide transparency for
shareholders (Stroh, 2005). Nocco and Stulz (2006)
similarly observed that it creates value for
organizations through its effect on both macro
(company-wide) and micro (business-unit) levels. At
the macro level, it creates value by enabling TM to
quantify and manage risk-return tradeoffs. Thus,
organizations are able to maintain access to capital
markets and other necessary resources to
implement their strategies and business plans. At
the micro level, such a system becomes a technique
for managers and employees to address risks at all
organizational levels.
By increasing communication, collective risk
management leads to an improved understanding of
risk throughout the organization (Bowling & Rieger,
2005). This ensures that individuals take
responsibility for all risks and operating managers
and employees carefully evaluate risk-return
tradeoffs (Nocco & Stulz, 2006). This system can also
reduce compliance costs, improve operational
performance, enhance CG, and deliver greater
shareholder value (Bowling & Rieger, 2005; Cumming
& Hirtle, 2001; Lam, 2001). In addition, a
collaborative risk system increases the chance that
an organization will achieve its goals by ensuring
that the risk managed is within the scope of
stakeholders' risk appetite (Beasley & Frigo, 2007).
However, Bowling and Rieger (2010) noted that while
organizations can use it to focus on improving
corporate compliance and shareholder value, only a
few have fully achieved these objectives.
An effective risk management framework has
numerous benefits. It ensures organizations
encounter fewer surprises, allows for enhanced
planning and performance, promotes information
processing and communication, improves
accountability, and protects organizational and
individual reputations (Brown et al., 2009). This
strategic risk management system even reduces
global risk by addressing opportunities and threats
associated with supply chain relationships (Arnold,
Benford, Hampton, & Sutton, 2012). Paape and
Speklé (2012) argued that even though prominent
frameworks (such as the COSO framework) claim to
represent "best practices", there appears to be no
theoretical or empirical evidence about such claims.
These authors believe that the ability of these
frameworks to advance sound risk management
remains an open question. Abrams et al. (2007),
however, observed that the optimization of
organizational operations and the elimination of
duplicate business functions are critical for making a
robust risk management system rewarding.
Consequently, Pagach and Warr (2011) cautioned
that many of these benefits are still debatable, and
further research is needed.
The growing empirical research on ERM is not
without limitations. For example, according to
Bromiley et al. (2014), the issue of endogeneity and
other related issues, especially of methodology, make
it challenging to draw a general conclusion about
ERM's effectiveness. In addition, the extant literature
has not adequately addressed inter-firm differences
in entity-wide approach to risk management. To
better understand these variations, it is
recommended that further research be conducted on
a contingency theory of ERM implementation (Mikes
& Kaplan, 2013). Although ERM is believed to be a
potential remedy to the myriad challenges faced by
organizations, Power (2009, p. 850) argued that this
approach to risk management could be misleading
in design for three reasons:
1. "That the enterprise-wide view and related
notion of a singular organization risk appetite are
highly problematic".
2. "Sources of these impoverishment lie in the
deep complicity of ERM in the expanded significance
of a logic of auditability".
3. That "the resulting expensive narratives of
risk accountability have proven to be incapable of
articulating and comprehending critical risks,
particularly those associated with
interconnectedness".
2.8. Measuring the Levels or Stages of ERM
Adoption and Implementation
The implementation of an institutional wide risk
system is a multilevel or stage process (Beasley et
al., 2005; Waweru & Kisaka, 2013). There is limited
research on the strategies for measuring the level or
stage of ERM implementation (Waweru & Kisaka,
2013). Most of the approaches were developed by
consulting firms (e.g., Standard & Poor, Deloitte)
and are not suitable for measuring the
level of implementation in an organization (Waweru
& Kisaka, 2013). In 2005, Beasley et al. developed an
approach for measuring the level or stage of its
deployment. Unlike some of the other approaches,
which simply assumed that an ERM system
was either in place or not, this approach measured
implementation level or stage using an ordinal variable
ranging from stage 1 to stage 5, as follows:
- Stage 1 = no plans present regarding
implementation (i.e., risk management is usually
incident-driven);
- Stage 2 = investigating or considering ERM
and making a decision (i.e., there is the active
control of risk in specific areas, e.g., health and
safety, financial and project risk);
- Stage 3 = planning to implement (i.e., there
is the identification, assessment, and control of risk
in specific areas);
- Stage 4 = partial ERM in place (i.e., there is
the identification, assessment, and control of
strategic, financial, operational, and compliance
risks in the process of implementing a complete
system), and
- Stage 5 = complete ERM in place (i.e., there
is identification, assessment, and control of
strategic, financial, operational, compliance risks as
an integral part of the strategic planning and control
cycle).
This approach to measurement introduces
some degree of subjectivity; however, it could be
employed in different organizations (Waweru &
Kisaka, 2013). Consequently, it has been used in
other studies (e.g., Beasley et al., 2009; Daud, Yazid, &
Hussin, 2010; Daud, Haron, & Ibrahim, 2011;
Waweru & Kisaka, 2013). This approach of assessing
the level or stage of deployment will be adopted for
this study.
2.9. Contingency Theory: A Theoretical Background
The origin of the Contingency theory in
organizational study is traceable to the 1950s
(Hanisch & Wald, 2012; Rejc, 2003). This theory is
broad, varies in form and implementation, and is
applicable to various disciplines (Hanisch & Wald,
2012). The Theory "may best be described as a
loosely organized set of propositions which are
committed to some form of multivariate analysis of
the relationship between key organizational
variables as a basis for organizational analysis, and
which endorses the view that there are no
universally valid rules of organizing and
management" (Burrell & Morgan, 1979 as noted by
Rejc, 2003, p. 246).
According to Hanisch and Wald (2012), the
seminal works of Woodward (1958), Burns and
Stalker (1961), and Lawrence and Lorsch (1967) set
forth the argument that there was no single best
approach to managing and organizing. The basic
tenets of the Contingency theory are a) that all
processes must fit the environment, and b) not all
environments are the same. Howell et al. (2010)
observed that, for effectiveness, the various external
challenges that an organization is presented with
require the application of different organizational
characteristics, and "an optimal fit may require
different organizational characteristics to suit
different external conditions" (p. 257).
The classic work of Burns and Stalker (1961)
proposed two basic organizational structures. The
first, a mechanistic structure, is characterized by
centralized features and formal decision making.
Mechanistic structures also have strict rules and top-
down communication. Decisions are made at the
top, and employees have a narrow set of
responsibilities. The second type of organizational
structure identified by Burns and Stalker was an
organic structure, characterized by flatter features,
informal communication lines, and flexible roles. In
an organization with an organic structure, decision
making is decentralized, and responsibility and
authority are not as critical. When the structure of
an organization is in line with elements of its
contextual environment, the organization or its work
units are seen to be effective; this is the perspective
of the contingency theory (Teasley & Robinson,
2005).
van Donk and Molloy (2008) approached the
Contingency theory through an organizational
design perspective. In relating to the work of
Mintzberg (1979), van Donk and Molloy (2008)
observed that the structure of an organization is
greatly influenced by the contingency factors, which
in turn correlate to the design elements. Thompson
(1967) observed that uncertainty was the principal
challenge to organizations, with changes in
technology and environments being the contingency
factors. Thompson proposed appropriate strategies
of interactions and organizational design as
remedies for such challenges. Similarly, Burkhardt
and Brass (1990) noted changes in technology as the
principal source of uncertainty in organizations.
They discussed remedies using social structures and
power.
The goal of contingency theory is to explain
how differences in contextual and structural
dimensions are related. This does not look at
universal principles applicable in all situations, but
instead purports to explain how one attribute or
characteristic is dependent upon another (Vecchio as
cited by Mullins, 2005). Similarly, the level of
strategic risk management implementation in an
organization is affected by several contingent
variables such as: board independence, firm size,
ownership structure, growth rate, support of TM, the
CRO, the AC, CG, effective communication,
organization risk culture, regulation, and industry
type. These variables support the use of contingency
theory for this study. The presence of a risk officer,
CG, and TM support were used for this research, and
are discussed further in the literature review.
2.10. Review of Related Factors for ERM
Implementation
The CRO and ERM Implementation
Collaborative risk management strategy requires an
individual or group of individuals at the senior
management level who coordinate various
framework processes (Lam, 2001; Waweru & Kisaka,
2013). The role of managers is critical in the
implementation of effective risk management within
organizations (Waweru & Kisaka, 2013). For this
reason, risk officers are important influencers when
implementing a corporate wide risk system. The key
benefit of a risk champion is the ability to expand
risk management responsibilities throughout an
organization's leadership structure (De La Rosa,
2007). Such an executive works with other managers
to set up a risk management system and
disseminates risk information throughout the
organization (COSO, 2004; Saeidi, Sofian, Rasid, &
Saeid, 2012). The presence of a CRO can also reduce
risk-related information asymmetry between
shareholders (Beasley et al., 2008). As they are
ultimately responsible for uniting all the risk
management activities across the organization, risk
officers reduce the duplication of efforts across the
various sectors within the organization and increase
an organization's efficiency (De La Rosa, 2007). To
ensure effectiveness, a risk champion must develop
a strategic understanding of an organization's core
activities in both products and services (Rochette,
2009).
Rochette (2009) also demonstrated that strong
written and oral communication skills, the ability to
adapt to various conditions, good interpersonal and
leadership skills, the ability to negotiate, and team-
building skills are essential for CROs to be effective.
This supported the assertion by De La Rosa (2007)
that an effective and efficient risk champion is a
generalist who advocates for team work and
effective communication. As a strategic controller
and advisor, the risk champion advises TM about
risk, performance, and how capital investments can
be made (Mikes, 2008). For an organizational wide
system to be value-based, the role of such a
champion is critical (Rochette, 2009). Demidenko
and McNutt (2010) observed that when the CRO does
not report to the entire BOD, information
discrepancy about risk priorities can result.
Researchers studying the influence of the CRO
on a holistic system of handling risk have noted that
the presence of a risk officer was related to the
adoption and implementation of an institutional
wide approach of managing risk (Beasley et al., 2005;
Hoyt & Liebenberg, 2008; Kleffner et al., 2003;
Liebenberg, 2003; Liebenberg & Hoyt, 2003; Pagach &
Warr, 2011; Waweru & Kisaka, 2013). Similarly, Daud
et al. (2010) contended that the quality of the risk
champion influenced collaborative risk management
implementation and its related practices. Consistent
with this assertion, Saeidi et al. (2012) observed that
the presence and quality of the risk officer strongly
correlated with enterprise risk management strategy.
However, it should be understood that the risk
officer is not the risk owner, but instead the
facilitator of the risk system, so there is a need for
the risk champion to coordinate with other risk
specialists (Rochette, 2009). To do this, the risk
champion establishes a risk management framework
to determine how identified risks will be managed
(Mikes, 2008). The risk officer must have an
understanding of critical strategic uncertainties and
be able to communicate that understanding to
management (Mikes, 2008).
The presence and influence of the risk officer
in an organization promotes the adoption and
implementation of an effective risk management
system (Beasley et al., 2005). The presence of such
an executive also indicates an organization's serious
desire to implement risk management strategies
(Rochette, 2009). The risk champion is ultimately
responsible for uniting all risk management
activities across the organization and reducing the
duplication of efforts across the various sectors
within the organization (De La Rosa, 2007).
Liebenberg and Hoyt (2003) observed that although
the presence of a risk champion suggested
enterprise wide risk management usage, the reverse,
however, did not suggest the absence of such a
system. Liebenberg and Hoyt simply concluded that
creating a risk champion's position signified the
degree of commitment to organizational wide risk
management. Pagach and Warr (2007) opined that
organizations engaging a risk champion in the
implementation of corporate risk management
sometimes did so as a response to poor stock
performance. They added that such organizations
tend to be less opaque (more prone to stock price
crashes). In other words,
organizations "with more opaque assets and more"
chances of expansion were less likely to engage a
CRO (p. 3).
The CRO is an important proxy noted in the
literature as being necessary for the deployment of a
consolidated risk management system. However, the
use of a CRO as a sole indication of the readiness for
the deployment of a robust risk management system
(e.g. Aabo et al., 2005; Beasley & Hoyt, 2003; Beasley,
Pagach, & Warr, 2008; Liebenberg & Hoyt, 2003;
Pagach & Warr, 2010) could be misleading and needs
to be done with caution, as this could potentially
result in the oversight of critical ERM activities such
as idiosyncratic risks (Kraus & Lehner, 2012).
Liebenberg and Hoyt (2003) observed that there was
no agreement about the structure of the entity that
should oversee the implementation of an ERM
framework within an organization. While some
proponents advocate having a risk champion, others
recommend the use of risk management
committees. Taking an alternative approach,
Hanbenstock suggested that risk should be managed
through a single organizational unit (as cited in
Liebenberg & Hoyt, 2003).
Audit Committee (AC) and ERM Implementation
In an uncertain global environment, the AC is critical
for organizational success (Lloyd & Fanning, 2007),
and it plays a significant role in risk management
(Livingston, 2005). Paape and Speklé (2012)
indicated that ACs are essential in the oversight of
risk management practices. Demidenko and McNutt
(2010) clarified that ACs spend time assessing risk
instead of monitoring the risk management process,
and Carcello, Hermanson, and Ye (2011) noted that
ACs and BODs internally monitor the financial
reporting from TM in order to mitigate potential
financial risk.
The AC is responsible for issues related to the
relationship between the organization and its
auditors (Taher & Boubaker, 2013). According to the
National Commission on Fraudulent Financial
Reporting, ACs create a platform where directors,
management, and auditors can coordinate issues
pertaining to risk management and financial
reporting (as cited in Turley & Zaman, 2004). The AC
is able to influence the BOD to ensure that risk
management processes are allotted attention and
resources in order to be successful (Paape & Speklé,
2012). The AC is also instrumental in promoting CG
principles to safeguard public interest
(Szczepankowski, 2012; Vasile & Croitoru, 2013).
Szczepankowski (2012) further observed that the
formulation of effective management practices
requires a congenial relationship between the AC,
CG, shareholders, and management. Ho, Lai, and Lee
(2013) asserted that ACs must be independent and
financially knowledgeable; however, Brown et al.
(2009) argued that ACs did not necessarily need to
be knowledgeable in finance, as risk is not limited to
that realm.
Organizational effectiveness can be enhanced
by good CG and the AC process (Szczepankowski,
2012). The effectiveness of the AC is largely
dependent on the BOD, and it is vital for
organizations to maintain sound controls and
ensure the strong presence of independent auditors
(Cohen, Krishnamoorthy, & Wright, 2007). Hundal
(2013) observed that the AC has an important
responsibility to review financial information on a
continuous basis to promote reliability and ensure
organizations maintain strong control mechanisms.
Beasley et al. (2005) suggested that organizations
with high-quality auditors might be more devoted to
effective risk management. Others have argued that
auditors can be persuasive in encouraging clients to
improve their risk management practices (Paape &
Speklé, 2012).
It is sometimes difficult for the AC to be
independent and unbiased, especially in instances
where committee selection is based on the influence
of management or members of the BOD (Beasley,
Carcello, Hermanson, & Neal, 2009). In view of this,
ACs might not satisfy the interest of shareholders
(Cohen, Gaynor, Krishnamoorthy & Wright, 2011).
García, Barbadillo, and Parez (2012) observed that
ACs composed of independent, external members
were more likely to be accountable and transparent
as autonomy reduces or prevents potential
interference and manipulation from TM.
For effectiveness of the AC, Brown et al. (2009)
suggested the establishment of a risk management
committee separate from the AC as well as an
interface between the AC and the BOD. The risk
management committee is responsible for reporting
to both the BOD and the AC. According to Brown et
al. (2009), members of the risk management
committee could be individuals from various
departments including finance, compliance, human
resources management, logistics, quality control and
assurance, research and development, or
production.
An effective AC can be influential in resolving
disputes, as they tend to be unbiased towards the
shareholder and supportive towards the auditor
(Cohen et al., 2011). The CEO's influence on an
auditor's judgment depends on AC effectiveness,
and the effectiveness of the AC is influenced by the
frequency of meetings (Garcia et al., 2012). These
and many other roles of the AC require their
independence (Szczepankowski, 2012).
Brown et al. (2009) observed that the AC could
be limited in its risk management oversight for
several reasons including but not limited to:
- Being overburdened with several responsibilities,
- Focusing on the oversight of financial reporting and other compliance issues instead of on a wider scope of risk management,
- Having to deal with the presence of discrepancies in the requirements of the AC,
- The risk factors an organization faces being better understood by members of an organization rather than outsiders.
It has been suggested that the AC has
significant influence on external and internal
controls (Turley & Zaman, 2004). Turley and Zaman
(2004) found that ACs were responsible for
overseeing management's assessment of business
risk as well as management's capability of both
identification and assessment of potential risk.
Bostrom (2003) recommended that the BOD
regularly receive reports from the AC and assess
identified risks and recommendations (as cited in
Ingley and van de Walt, 2008). In addition, ACs can
influence an organization's financial reporting
systems, the extent of the organization's
disclosures, and the organization's adherence to
policies and practices (Turley & Zaman, 2004). AC
independence also improves accounting information
and market value of an organization (Hundal, 2013).
The presence of an AC can potentially improve
performance through enhancement of appropriate
management and governance structures (Turley &
Zaman, 2004). Menon and Williams argued that the
existence of an AC does not necessarily indicate
effectiveness, nor does it suggest that the BOD rely
on the AC to enhance effective monitoring (as cited
in Turley & Zaman, 2004). In addressing this point,
Szczepankowski (2012) cited Kajola's observation that
the presence of an AC does not contribute positively
to firm development. Turley and Zaman (2004)
argued that the presence of an AC can reduce
weaknesses in governance but that there is no
relationship between the presence of an AC and
achievement of specific governance effects.
Similarly, Cohen et al. (2004) argued that ACs are
ineffective and lack the power to ensure governance
mechanisms.
Larger ACs may be ineffective in executing their
duties when compared to smaller committees
(Garcia et al., 2012). Szczepankowski (2012) noted
that a small AC can improve the effectiveness of an
organization versus a larger one. It has been
suggested that larger ACs could result in poor
communication and poor decision-making, and
could be difficult to control. When discussing AC
effectiveness, Lipton and Lorsch (1992)
recommended seven to nine individuals as ideal.
However, Buchalter and Yokomoto (2003) contended
that an effective AC must be made up of an average
of three to five members. According to
Szczepankowski (2012), research has indicated a
positive correlation between the size of the AC and
performance; however, Yermack (1996) noted a
negative correlation between AC size and the
profitability of an organization.
TM Support and ERM
Felekoglu and Moultrie (2014) observed that TM
involvement and support are often used
interchangeably. Similarly, TM and senior
management are also used interchangeably, so for
the purpose of consistency in this study, TM support
will be used. Enterprise wide risk management
implementation can encounter setbacks and even
fail. De La Rosa (2007) identified some potential
causes of setbacks as a lack of buy-in from TM and
oversight committees such as the AC, a lack of
theoretical risk knowledge, a poorly customized
approach, a poorly defined language, an
inappropriate oversight structure, insufficient
resources, insufficient supervision, the inability to
maintain the momentum of the implementation, and
a poor tone at the top.
In the wake of the 2008 economic crisis, risk
management has become a major concern of TM
(Schneider, Sheikh, & Simione, 2012). Consistent with
this, Beasley et al. (2009) observed that there has
been a significant increase in the requests for TM to
fortify oversight in risk management. According to
Jarvenpaa and Ives, TM support involves the
participation of executives or TM (as cited in
Komala, 2012). Felekoglu and Moultrie (2014)
argued that TM support is vital as TM hold the
primary decision-making responsibilities within an
organization. TM are influential because of their
authority, and they are more likely to overcome
potential resistance (Keen, 1981). TM support could
result in the availability of appropriate resources for
the execution of new projects (Rodriguez, Perez,
Juan, & Gutierrez, 2008). Scholars agree that
effective risk management initiatives cannot succeed
without TM support (Beasley et al., 2008; Walker et
al., 2002). Davenport observed that with strong TM
commitment, many endeavors could be successful
(as cited in Ifinedo, 2008).
TM can influence knowledge sharing and
learning through the creation of appropriate climate,
culture, and resources (Lin, 2007). Lin (2007)
explained that through knowledge donation and
collection, an organization is able to enhance its
innovation abilities. Effective TM support influences
the setting of organizational values and encourages
the development of appropriate management styles
in order to enhance the performance of an
organization (Chen & Paulraj, 2004). Pringle and
Kroll asserted that TM's implementation of new
programs usually signals the importance of the
programs, which can promote team commitment (as
cited in Salomo, Kleinschmidt, & De Brentani, 2010).
The effectiveness of a management system is
closely related to the integrity and ethical values of
TM (Demidenko & McNutt, 2010). Andrews and
Beynon (2011) observed that the processes and
environment within an organization influence TM's
ability to achieve their goals. Cohen,
Krishnamoorthy, and Wright (2004) asserted that an
effective AC requires a strong organizational
charter, as well as TM cooperation and support. TM
support greatly enhances organizational
performance (Khan, Lederer, & Mirchandani, 2013).
In short, TM support is critical for organizational
success (Ragu-Nathan, Aigian, Ragu-Nathan, & Tu,
2004).
Enterprise-wide risk management is strategic
and thus cannot succeed without TM support
(Bowling & Rieger, 2005). Andriole (2009) argued
that in the absence of TM support, opportunities can
be missed and projects can fail. According to Tiller
(2012), strong leadership and management support
creates success for most strategies, and
organizations that satisfy stakeholders and maintain
profitability must promote it. Consequently, TM
must participate in the early stages of implementing
a collaborative risk management system (Bowling &
Rieger, 2005). Zwikael (2008) cautioned, however,
that the effectiveness of TM support may vary
across industries and organizations.
According to Ingley and van de Walt (2008),
organizational boards and TM must ensure that
mechanisms enhance standards of cost, codes of
conduct, and other required policies. Management
impacts the CG mechanism through influence on
board appointments and information shared with
members (Cohen et al., 2007). The effectiveness of a
CG structure for achieving objectives requires
support of TM and leadership (Vasile & Croitoru,
2013).
Sharma and Yetton (2003) reported that in the
context of low task interdependence, TM support
regarding collective risk management
implementation success was low, while conversely,
TM support had a significant impact on
implementation success with high task
interdependence. TM perception about risk could
influence cooperation, trust, and commitment in
terms of performance (Rodriguez et al., 2008).
Rodriguez et al. explained that a favorable TM
attitude towards risk encourages various
departments to undertake more tasks. Beasley et al.
(2008) observed that TM played a critical role in the
success of any effective risk management system.
TM support facilitates the integration of risk
management philosophy and strategy across the
organization. Finally, the nature, scope, and impact
of corporate risk management must have strong
support from TM in order to be successful (Walker
et al., 2002). Employees of an organization are likely
to accept and adopt an enterprise wide risk
management system when it is noted that TM and
BOD are supportive and actively involved in the risk
management process (Brown et al., 2009). Hence, for
any collaborative risk management framework to
succeed, it is critical that the entire organization
gets involved.
3. METHODOLOGY
3.1. Research Design
A non-experimental (correlational) approach was
used to explore the presence of a chief risk officer
(CRO) and an audit committee (AC), and the support
of top management (TM) in relation to the
implementation of enterprise risk management
(ERM). This was used to assess the relationship
among variables (Creswell, 2012). The use of the
non-experimental approach is consistent with the
works of researchers such as Arnold, Benford,
Hampton, and Sutton (2012); Beasley et al. (2005);
Beasley et al. (2007); Gordon et al. (2009); Hoyt and
Liebenberg (2011); McShane et al. (2011); Paape and
Speklé (2012); Pagach and Warr (2010); Tahir and
Razali (2011), and Waweru and Kisaka (2013).
The correlational research approach placed
emphasis on methodology, procedure, and statistical
measures of validity, as such a method depends on
both measurement and analysis of statistical data to
produce quantifiable deductions and conclusions
(Eldabi, Irani, Paul, & Love, 2002). A survey
instrument was provided to pre-screened self-
identified risk-management and other related
professionals (e.g., CFOs, CROs) who are members of
SurveyMonkey Audience Service database and met
the inclusion criteria. Survey Monkey Audience
Service was chosen because it provides a random
sample which increases generalizability of the
results (Creswell, 2009).
The survey instrument was used to obtain data
on the level of agreement or disagreement about
ERM elements. The data collected was imported into
statistical package for social sciences (SPSS) software
for further analysis to determine any possible
statistical relationship between the independent and
dependent variables.
Descriptive frequencies and chi-square tests
were used in this study. In addition, logistic
regression was used for further analysis of the data
as it was suitable for describing and testing
hypotheses about the relationships between the
categorical outcome variable and the predictor
variables (LaValley, 2008; Peng, Lee, & Ingersoll,
2002). "Logistic regression is a multiple regression
but with an outcome variable that is a categorical
variable and a predictor variable that is continuous
or categorical" (Field, 2009, p. 265). Logistic
regression, unlike other forms of regression, allows
the prediction of categorical outcomes based on
predictor variables (Field, 2009).
This study involved a categorical outcome
variable and three predictors which were also
categorical, making logistic regression an
appropriate model for addressing the research
questions. Also, because the categorical outcome
variable was of ordinal measurement, logistic
regression appeared to be appropriate. In logistic
regression, if the outcome variable has more than
two categories as in this study, it is known as
multinomial logistic regression (MLR). A great
benefit to the use of MLR is that it does not assume
a linear relationship between the variables
(Tabachnick, Fidell, & Osterlind, 2001). MLR is
capable of generating more suitable findings with
respect to model fit and correctness of the analysis
irrespective of any assumption (Das & Gope, 2014).
For each null hypothesis, a regression analysis
was used to determine the relationship, if any,
between the dependent and independent variable. A
correlational analysis was also conducted to
determine the strength and direction of the
relationship between these variables. Using a
probability (p) value of .05, a null hypothesis was
either rejected or accepted. It was accepted if p was
greater than .05 (i.e. p > .05) while it was rejected if p
value was less than .05 (i.e. p < .05). In addition,
correlations were performed to assess the
relationship between the independent variables
using a p value of .01.
3.2. Sample
The population for this study consisted of risk
management and risk related professionals from
various sectors (e.g. finance, manufacturing, IT and
telecommunication, insurance, business services,
transport and logistics, government or non-profit,
healthcare, energy or oil and gas industries, and
other industries) in North America. The sample
frame consisted of self-identified risk management and risk
related professionals within the SurveyMonkey
Audience database. The inclusion criteria were that
respondents be professionals engaged in risk management and risk
related activities. Respondents were also required to
be able to read and comprehend English and to be 18
years of age or above.
The process of recruiting and sampling for this
study was undertaken by SurveyMonkey Audience
who sent out invitations to respondents who met the
inclusion criteria to voluntarily participate. Self-
administered surveys were used for quick and
reliable feedback (Cooper & Schindler, 2006). A
random sampling method was used, giving each
member of the sample frame an equal and
independent chance of being selected (Bartlett,
2005). The use of SurveyMonkey Audience Service
was expected to result in the randomness required
for rigorous data collection. The purpose of seeking
a random sample was to obtain a representative
sample (Trochim, 2001; Orcher, 2005). This made
the responses a statistically valid and representative
subset of the target population (Kitchenham &
Pfleeger, 2002; Leedy & Ormond, 2009). To minimize
sampling errors, the following were done: a good
sample frame was selected; a large sample was
selected; an instrument with clear and
straightforward questions was employed; and a rigorous
survey administration procedure was adopted
(Creswell, 2012). In the determination of the needed
sample size, the present research adopted the
G*Power 3 approach, as it was a stand-alone analysis
program used in numerous research studies (Faul et
al., 2009).
3.3. Data Collection
The Survey Monkey audience service was used to
obtain a sample of the target population. The survey
link included informed consent information and
participants were informed of their right to opt-out
of the study. The survey was administered on the
internet using Survey Monkey, and completion of the
survey was used as confirmation of participant
consent. The duration of the data collection period
was two weeks, after which time the response rate
had declined and the minimum study sample was
reached. The data was subsequently downloaded
from the Survey Monkey web site for analysis onto a
secure computer and processed with Predictive
Analytics Software (PASW) Statistics 18 software that
was purchased from SPSS, Inc.
Through SurveyMonkey Audience Service, a
total of 134 valid responses were received. This was
more than the minimum of 119 needed for the
study. The questionnaire gathered information
about ERM adoption and implementation in
participants' organizations. The response data was
downloaded to an Excel spreadsheet, and coded
appropriately in preparation for analysis using the
SPSS software tool.
3.4. Data Analysis
The statistical package for social sciences (SPSS) was
used to analyze the data collected. Descriptive
statistics were used to display results. This included
percentages, frequencies, z-tests, chi-square tests,
and independent t-tests. In addition, logistic
regression was used for further analysis of the data
as it was suitable for describing and testing
hypotheses about the relationships between the
categorical outcome variable and the predictor
variables (LaValley, 2008; Peng, Lee, & Ingersoll,
2002). This approach was consistent with previous
research (e.g. Beasley et al., 2005; Beasley et al.,
2007; Gordon et al., 2009; Tahir & Razali, 2011;
Waweru & Kisaka, 2013).
Secondly, it does not violate any assumptions
involved in regression for a categorical dependent
variable (Vogt, 2007). In this current study, the
dependent variable (extent of ERM implementation/
STAGE) was measured on an ordinal scale, and the
independent variables were categorical, hence
logistic regression was deemed appropriate for
hypotheses testing and was subsequently used to
answer the research questions.
Prior to analysis, the scores of the outcome
variables were typically transformed using natural
logs of odds (Vogt, 2007). Cronbach's alpha was
used to analyze the survey constructs for internal
consistency and reliability. In addition, extreme
responses (e.g., outliers) from the data analysis were
excluded (Cohen, Manion, & Morrison, 2007).
For Research Question 1, regression analysis
was used to determine the relationship, if any,
between the presence of a Chief Risk Officer (CRO)
and the implementation of ERM. A correlational
analysis was also conducted to determine the
strength and direction of the relationship between
the presence of a CRO and the stage of ERM
implementation.
For Research Question 2, a regression analysis
was conducted to examine the extent to which the
presence of an Audit Committee (AC) influenced the
implementation of ERM. A correlational analysis was
conducted to determine the strength and direction
of the relationship between the presence of an AC
and the stage of ERM implementation.
For Research Question 3, regression analysis
was conducted to determine the extent to which
Top Management (TM) support predicted the stage
of ERM implementation. Similarly, a correlational
analysis was conducted to determine the strength
and direction of the relationship between the
presence of Top Management and the stage of ERM
implementation. Statistical analyses that were used
for the research questions are shown in Table 2
below.
Table 1. Variables and statistics for Research Questions

| Research question | Variables | Statistics |
|---|---|---|
| R1. What is the relationship, if any, between the presence of a Chief Risk Officer (CRO) and the implementation of ERM? | Independent variable: Presence of CRO. Dependent variable: Stage of ERM implementation | Logistic regression, Correlation |
| R2. What is the relationship, if any, between the presence of an Audit Committee (AC) and the implementation of ERM? | Independent variable: Presence of AC. Dependent variable: Stage of ERM implementation | Logistic regression, Correlation |
| R3. What is the relationship, if any, between Top Management (TM) support and the implementation of ERM? | Independent variable: TM support (Level of management support). Dependent variable: Stage of ERM implementation | Logistic regression, Correlation |

3.5. Validity and Reliability
In order to address internal consistency in this
study, Cronbach's Alpha was determined using SPSS
and subsequently used as a measure for assessing
the quality of the data collected. For this study, the
Cronbach's Alpha values were .70 for CRO, .70 for
AC, and .73 for TM. These values suggested that a
reliable measurement was used (Nunnally, 1978;
Vogt, 2007).
4. RESULTS
The purpose of this study was to assess the
relationship between the role of a Chief Risk Officer
(CRO), the role of an Audit Committee (AC), Top
Management (TM) support and the implementation
of organizational wide risk management. The
following primary research questions were
addressed in this study:
RQ1. What is the relationship, if any, between
the presence of a Chief Risk Officer (CRO) and the
implementation of enterprise risk management
(ERM)?
RQ2. What is the relationship, if any, between
the presence of an Audit Committee (AC) and the
implementation of enterprise risk management
(ERM)?
RQ3. What is the relationship, if any, between
Top Management (TM) support and the
implementation of enterprise risk management
(ERM)?
The target sample frame requested for analysis
prior to the survey using a power of .95 was (n =
119). However, the final number analyzed from
random respondents generated from SurveyMonkey
Audience Service was (n = 134). Initially, a total of
159 responses were collected, of which 25 were
removed from the data because they were
incomplete, resulting in a total of 134 responses.
Table 2 displays participants' industry of
employment which varied across the demographic
for the sample.
Table 2. Participants' industry of employment

| Industry | Percent (%) |
|---|---|
| Information technology (IT) | |
| Education | 5.2 |
| Hospitality | 0.8 |
| Defense | 2.2 |
| Banking and finance | 8.9 |
| Legal | 0.8 |
| Construction | 2.9 |
| Engineering | 3.7 |
| Real estate | 0.8 |
| Utilities | 0.8 |

The survey results indicated that the business
services group were the majority (n = 28, 20.0%) and
hospitality, legal, real estate, and utilities were the
minority (n = 1, 0.8%) each. Two respondents (1.5%)
were in the transport and logistics industry. Defense
had three (2.2%) participants, energy/oil & gas and
construction sector each had four participants
(2.9%), engineering five (3.7%) respondents,
education seven (5.2%) participants, government
eight (5.9%), not for profit and healthcare groups
both had the same representation (n = 9, 6.7%) and
the insurance sector ten (7.5%). The rest were the
banking and finance sector represented by 12 (8.9%)
participants, manufacturing 14 (10.5%) and the
information technology sector 15 (11.2%). Table 3
represents the various categories of respondents'
job function or position.
Table 3. Participants' Job Function/Position
[Table body not recovered. Surviving row labels: Chief executive officer (CEO); Chief financial officer (CFO); Executive management team]
The majority of the respondents were regular staff
members (n = 48, 35.8%) and the minority were CFOs
(n = 3, 2.2%). The remaining respondents were CRO
(n = 4, 3.0%), CEO (n = 7, 6.7%), other (n = 24, 17.9%).
This group was diversified comprising job functions
such as: analysts, business development managers,
process engineers, and educators.
Table 4. Presence of a Chief Risk Officer
Seventy-eight (58.2%) participants noted their
organization had a CRO, while 56 (41.8%) indicated
there was no CRO. Table 5 shows the presence of an
AC in participants' organization.
Table 5. Presence of an audit committee
Eighty-nine (66.4%) respondents indicated an
AC was present in their organization, while 45
(33.6%) noted there was none in their organization.
Table 6 displays management support for risk
management.
Table 6. Management communicating about being in control of risk
Yes, in the field of financial reporting
Yes, on all risk areas (such as strategic, operational, financial reporting, and compliance)
Forty-one (30.6%) of the participants indicated
management supported and communicated about
the need of being in control of all categories of risk
in their organization. Forty-seven (35.1%) also
indicated management was supportive, but
communicated mainly about financial reporting.
Forty-six (34.3%) however noted management was
not supportive and there was no communication
about risk management.
Table 7. Stage of ERM implementation
ERM implementation stage/level
Table 8. Organizational Stage of ERM deployment
A greater number of the respondents (n = 40,
29.9%) indicated their ERM systems were in stage 3,
while the minority 14 (10.5%) participants were at
stage 5 of implementation. Thirty-seven (27.6%) were
in stage 2, 28 (20.1%) were in stage 1, 15 (11.2%)
respondents were in stage 4. Table 8 displays
organizational stage of ERM deployment.
Results regarding stage of ERM deployment
indicate the transport and logistics, education,
hospitality and government sectors had no
respondents for Stage 1 of ERM deployment. The
majority (n = 7, 25.0%) belonged to the business
services group. In between were health (n = 1, 3.6%),
IT, insurance, and not for profit making up 7.1% (n =
2) each, manufacturing (n = 3, 10.7%), and business
services (n = 7, 25.0%). For Stage 2, the insurance,
utilities, education, hospitality, defense, legal, real
estate, and transport and logistics sectors had no
respondents. The energy/oil & gas, and not for profit
organizations had one respondent each (2.7%). The
construction and engineering sectors consisted of
two (5.4%) participants each. The manufacturing, IT,
and government sectors had five respondents
(13.5%) each. The banking and finance and health
sectors had four (10.8%) respondents each. The
majority (n = 8, 21.6%) were in the business services
sector.
At stage 3 of deployment, where there was a
plan in place to implement a holistic risk
management system, most of the respondents were
in the business services (n = 9, 22.5%). The minority
were in energy/oil and gas, utilities, legal,
construction, engineering, and real estate industries
(n = 0, 0.0%). Health, hospitality, and defense
consisted of one participant (2.5%) each. Two
participants (5.0%) each were noted to be in
transport and communication, government, and
banking and finance. The insurance and
manufacturing industries comprised three (7.5%)
respondents each. The rest were not for profit and
education, consisting of five (12.5%) participants
each, and the IT industries, represented by six
(15%) participants.
At stage 4, where all the organizational risks
were assessed and managed, the transport and
logistics and government sectors had no
respondents. The majority however were the
insurance, manufacturing, business services, and the
IT industries (n = 2, 13.3%). This was followed by
energy/oil and gas, health, not for profit, education,
defense, banking and finance, and engineering (n =
1, 6.7%) each. The minority in this stage of
implementation were the transport and logistics,
government, utilities, hospitality, legal, construction,
and real estate sectors, with no representation
each. At stage 5, the highest level of deployment, where
ERM forms an integral component of the
organizational planning and control mechanism, the IT,
not for profit, education, utilities, hospitality,
defense, legal, construction, real estate, and
transport and logistics sectors had no fully
developed ERM in place. Most of the respondents (n
= 3, 21.4%) were in the insurance industries. This
was followed by business services, banking and
finance, and health which had the same number of
respondents (n = 2, 14.3%). Manufacturing,
government, education, engineering, and energy/oil
& gas sectors were next (n = 1, 7.1%).
4.1. Details of Analysis and Results
The study utilized multinomial logistic regression to
explore the relationship between the dependent and
independent variables. The dependent variable here
was ERM (enterprise risk management), which had
five stages; from stage 1 to stage 5. Stage 1 is the
lowest level of ERM implementation while stage 5 is
the best stage. In this analysis, Audit committee
(AC), presence of chief risk officer (CRO) and Top
management (TM) support levels were the
independent variables. Based on these variables, for
each stage of ERM there was one regression and this
depicted the relations between the dependent and
independent variables in comparisons with the
reference category in terms of odds ratio as shown
in Table 9. This table presents the multinomial
logistic regression model parameter estimation.
With regard to Exp(B), the odds ratio, for TM
support, the largest value (1.479) was noted at stage
4 of deployment of ERM, followed by Exp(B) = 1.418
at stage 2, Exp(B) = 1.191 at stage 3 and Exp(B) =
1.130 at stage 5. For CRO, the largest value, Exp(B) =
6.592, was at stage 4, followed by Exp(B) = 5.048 at
stage 2, Exp(B) = 4.381 at stage 5 and Exp(B) =
1.172 at stage 3. For AC, the highest value, Exp(B) =
3.756, was realized at stage 5, and the least, Exp(B) =
1.139, at stage 4. Between these were Exp(B) = 2.146
for stage 3 and Exp(B) = 1.728 at stage 2.
In terms of p-values, for TM support, the
highest value (p = .503) was at stage 5 and the least
(p = .023) at stage 2. Between these were stage 3 (p =
.170) and stage 4 (p = .064). For CRO, the highest
value (p = .796) was noted at stage 4 followed by (p =
.090) at stage 5. At stage 4, p = .033 and at stage 2, p
= .016. For AC, the highest (p = .877) was observed
at stage 4, followed by stage 2 (p = .418), stage 3 (p =
.202), and stage 5 (p = .173).
Concerning the logistic coefficient (B), for TM
support, stage 3 was noted with the highest (B =
1.75) followed by stage 4 (B = .391). Stage 2 was next
(B = .349) and stage 5 the least (B = .122). For the
presence of CRO, stage 4 had the largest value (B =
1.886) and stage 3 realized the least (B = 1.477). In
between were stages 2 (B = 1.619) and stage 5 (B =
1.477). For AC, the least was in stage 4 (B = .130) and
the highest in stage 5 (B = 1.323). Stage 2 was B =
.547 and stage 3, B = .763. Table 10 illustrates the
Pseudo Model R-squared.
Table 9. Multinomial logistic regression model parameter estimation
Stage 2: Risks are assessed and preventatively managed for certain areas/parts of the organization like security, finance, etc.
Stage 3: Risks are proactively assessed and managed for certain areas/parts of the organization
Stage 4: We are implementing an ERM
Stage 5: Objectives and risks are aligned and an ERM is implemented and is an integral part of our strategic planning & control cycle
a. The reference category is: Stage 1: No attempts to develop an ERM
b. This parameter is set to zero because it is redundant.
Table 10. Model Pseudo R-Square (strength of association)
Nagelkerke's Pseudo R-Squared
From the table above, Nagelkerke R-squared
was .251 (ranges from 0 to 1) and shows that the
model can explain 25% of the relationship between
dependent and independent variables. Table 11
presents the model fitting information.
Table 11. Model Fitting Information
The -2 Log likelihood value was 137.953 and
the Chi-Square was 36.636 with 12 degrees of freedom. It shows
that the model is statistically significant (Chi-square
= 36.63, p < .05) in establishing the relationship
between the dependent and independent variables.
Research Question 1
Research Question 1 asked, what is the relationship,
if any, between the presence of a Chief Risk Officer
and the implementation of ERM?
To address Research Question 1, a regression
analysis was used to determine the relationship, if
any, between the presence of a CRO and the
implementation of ERM. A correlational analysis was
also conducted to determine the strength and
direction of the relationship. From Table 19, Stage 1
of ERM implementation is the reference category; all
other stages are computed in reference to stage 1.
For Stage 2 of ERM implementation, there was a
significant positive relation between the presence of
CRO and ERM (B = 1.691, p < .05). Compared to
No-CRO, the organizations with Yes-CRO had a better
ERM implemented for this stage. The odds ratio in
this case shows that for one No-CRO organization there
would be five organizations with Yes-CRO for stage
two compared to stage one (which is the lower
stage). All these indicate that with better ERM there
would be more CROs for the organizations; in other
words, the presence of a CRO would better the ERM
(stage 2).
Furthermore, for stage three of ERM
implementation there was a positive relation
between ERM and presence of a CRO, despite the
fact that this relation was not statistically significant
(B = 1.59, p = .796). However, for stage four, there
was a statistically significant relationship between
ERM and CRO (B = 1.886, p < .05); here the odds ratio
shows that for each company with No-CRO there would
be around six companies with Yes-CRO (odds ratio =
6.5).
Research Question 2
Research Question 2 asked, what is the relationship,
if any, between the presence of an Audit Committee
and the implementation of enterprise risk
management?
To address Research Question 2, a regression
analysis was used to determine the relationship, if
any, between the presence of an AC and the
implementation of ERM. A correlational analysis was
also conducted to determine the strength and
direction of the relationship. For stage 2, the study
found a positive relation between the presence of an
AC and ERM deployment. This relation was however
not statistically significant (B = .547, p = .418). For
stage three of ERM implementation, there was a
positive relation between ERM and presence of an
AC, although this relation was not statistically
significant (B = .763, p = .202). Similarly, for stage 4,
there was a positive relation between ERM and
presence of an AC, but this relation was not
statistically significant (B = .130, p = .877). At stage 5
of deployment, a positive relationship was noted
between the presence of an AC and ERM, although
this was not statistically significant (B = 1.323, p =
.173).
Research Question 3
Research Question 3 asked, what is the relationship,
if any, between Top Management support and the
implementation of enterprise risk management?
To address Research Question 3, a regression
analysis was used to determine the relationship, if
any, between TM support and the implementation of
ERM. A correlational analysis was also conducted to
determine the strength and direction of the
relationship. Again from Table 19, for stage 2, there
is a positive and significant relationship between
ERM and Management Support level (B = .349, p
< .05). This indicated that for stage 2 of ERM, a one-unit
increase in management level or better management
level would have a positive impact on ERM by 1.418
times. Thus, higher management support level
would increase the higher level of ERM (Stage 2)
compared to lower ERM (Stage 1).
In addition, for stage 3 of ERM there was a
positive relation between ERM and Management
Support level, despite the fact that this relation was
not statistically significant (B = .175, p = .170). For
stage 4 of ERM implementation, although there was
a positive relation between ERM and TM support,
this relation was not statistically significant (B =
.391, p = .064). Again for stage 5 of ERM, there was a
positive relation which was not statistically
significant (B = .122, p = .503).
Furthermore, to make a judgment about the
relationship between ERM and CRO, and ERM and AC, a
non-parametric (Spearman's rho) correlation was
conducted.
ERM and CRO Correlation Analysis
Table 12 illustrates the correlation between CRO and
ERM for the respondents in the survey.
Table 12. Correlation between ERM and CRO
Correlation between ERM and CRO
*. Correlation is significant at the .05 level (2-tailed).
As per the correlation value in Table 12 above,
there is a positive and weak correlation between
CRO and ERM; the correlation is statistically
significant at .05. This relationship shows that as CRO
increased from No-CRO to Yes-CRO, there would be
higher ERM (from lower stage to higher stage). This
indicates that when a CRO is present in a company, it would
have better ERM.
ERM and Audit Committee Correlation Analysis
Table 13 presents the correlation between ERM and
Audit committee (AC).
Table 13. Correlation between ERM and Audit committee
Correlation between ERM and Audit committee
*. Correlation is significant at the 0.05 level (2-tailed).
As provided in Table 13, there is a positive and
weak correlation between ERM and presence of AC.
This correlation is also statistically significant. This
shows that if there is an increase in AC, from No-AC to
Yes-AC, there would be better ERM (a positive
relationship). Thus, with the presence of ACs,
organizations have better ERM performance level.
Relationship between CRO and Implementation of
an ERM
H1₀: There is no significant relationship, if any,
between the presence of a CRO and the
implementation of an ERM.
H1ₐ: There is a significant relationship between
the presence of a CRO and the implementation of an
ERM.
Based on the regression and correlation
analysis, the null hypothesis has been rejected and
the alternative has been accepted. Thus, it is
indicative that there is a significant relationship
between the presence of a CRO and the
implementation of an ERM. Here, the relationship
between presence of a CRO and the implementation
of an ERM is positive as shown in Table 22.
Relationship between the Presence of an Audit
Committee and the Implementation of an ERM
H2₀: There is no significant relationship, if any,
between the presence of an Audit Committee and
the implementation of an ERM.
H2ₐ: There is a significant relationship between
the presence of an Audit Committee and the
implementation of an ERM.
The regression result and the correlation
analysis suggested that there is a significant
relationship between the presence of an AC and the
implementation of an ERM. Thus the null hypothesis
has been rejected here and the alternative has been
accepted. The correlation also found a positive
relationship between the presence of an Audit
Committee and the implementation of an ERM
displayed in Table 13.
Relationship between the Support of Top
Management and the Implementation of an ERM
H3₀: There is no significant relationship, if any,
between the support of Top Management and the
implementation of an ERM.
H3ₐ: There is a significant relationship between
the support of Top Management and the
implementation of an ERM.
As per the regression analysis, the null
hypothesis has been rejected and the alternative has
been accepted, which ensures that there is a significant
relationship between the support of Top
Management and the implementation of an ERM.
This relationship is also positive; thus, with the
increase of management support, the
implementation of ERM would be more effective.
Relationship among the Independent Variables
(CRO, AC and Management Support Level)
Table 14 shows the correlations between the
independent variables.
Table 14. Correlations between the independent variables
Correlations between the independent variables
**. Correlation is significant at the 0.01 level (2-tailed).
From the table above, there are
positive correlations between management support
level and CRO (r = .263, p < .01) as well as AC (r =
.308, p < .01). These indicate that as management
support increases, so does the presence of CRO and
AC, and vice versa. Moreover, there is a strong
positive correlation between presence of CRO and
AC (r = .519, p < .01); this relation shows the
presence of CRO would be higher with the presence
of an Audit Committee and vice versa.
5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS
This section provides a summary and discussion of
the study's findings related to the three research
questions, implications for researchers and
practitioners, limitations of the research,
recommendations for further research, and
conclusions that can be drawn from the study. The
purpose of this study was to examine the impact of
Chief Risk Officers (CRO), Audit Committees (AC),
and Top Management (TM) as well as the
implementation of enterprise risk management
(ERM). This study investigated the inadequacy of
organizational risk management practices aimed at
improving performance and reducing or preventing
losses. This problem was particularly important as
improved performance creates value for
shareholders (Nocco & Stulz, 2006). This study
contributed to emerging research on organization-wide
risk management implementation and the body
of risk management literature. This study examined
factors associated with the effective implementation
of holistic approaches to risk management as
applied to financial institutions, manufacturing,
insurance companies, business services, healthcare
industries, government, not for profit organizations,
information technology (IT), and the oil and gas
industries in North America.
The study used a non-experimental,
correlational approach to explore the relationship
between the presence of a CRO and an AC and the
support of TM in relation to the implementation of
ERM. A survey instrument was administered to a
group of self-identified risk-management
professionals who were members of Survey Monkey
Audience Service database. The survey instrument
was used to obtain data on the level of agreement or
disagreement about ERM elements. The use of the
non-experimental approach is consistent with
previous research (e.g., Arnold et al., 2012; Beasley
et al., 2005; Beasley et al., 2007; Gordon et al., 2009;
Hoyt & Liebenberg, 2011; McShane et al., 2011; Paape
& Speklé, 2012; Pagach & Warr, 2010; Tahir & Razali,
2011; Waweru & Kisaka, 2013).
5.1. Discussion of the Results
The results of the statistical analysis demonstrated
that there was a statistically significant relationship
between the three independent variables (CRO, AC,
and TM support) and the implementation of ERM.
Consequently, the three null hypotheses tested in
this study were rejected.
Research Question 1
RQ1. What is the relationship, if any, between the
presence of a Chief Risk Officer (CRO) and the
implementation of ERM?
Based on the regression and correlation
analysis for Research Question 1, the null hypothesis
has been rejected. Thus, it was indicative that there
was a significant positive relationship between the
presence of a CRO and the implementation of ERM.
Research Question 2
RQ2. What is the relationship, if any, between the
presence of an Audit Committee and the
implementation of ERM?
The regression result and the correlation
analysis for Research Question 2 suggested there
was a positive and significant relationship between
the presence of an AC and the deployment of an
ERM system. Thus, the null hypothesis was rejected.
Research Question 3
RQ3. What is the relationship, if any, between Top
Management support and the implementation of
ERM?
For Research Question 3, the regression
analysis led to the rejection of the null hypothesis,
as a significant positive relationship was observed
between the support of TM and the implementation
of an ERM. These are further elaborated in this
chapter.
The CRO and ERM Deployment
Researchers studying the influence of the CRO on an
integrated system of handling risk have noted that
the presence of a risk champion was related to the
adoption and implementation of an institution-wide
approach to managing risk (Beasley et al., 2005;
Daud et al., 2010; Hoyt & Liebenberg, 2008; Kleffner
et al., 2003; Liebenberg, 2003; Liebenberg & Hoyt,
2003; Pagach & Warr, 2011; Waweru & Kisaka, 2013).
Although the presence and quality of the risk officer
strongly correlated with enterprise risk management
strategy (Saeidi et al., 2012), Liebenberg and Hoyt
(2003) argued that the reverse, however, did not
suggest the absence of such a system.
Based on the results of the regression and
correlational analyses, a significant positive
correlation was noted between presence of CRO and
ERM at Stage 2 of the implementation process (B =
1.691, p < .05). According to the odds ratio, at Stage 2
of the ERM implementation process, for each
organization without a CRO, there were five
organizations that had a CRO. This demonstrates
that the presence of CRO is linked to ERM
deployment (at Stage 2).
At Stage 3 of ERM implementation, there was
a positive correlation between ERM and CRO, but the
relationship was not statistically significant (B =
1.59, p = .796). However, at Stage 4 of ERM
implementation, there was a positive and
statistically significant relationship between ERM
and CRO (B = 1.886, p < .05). This implies that, at
Stage 4 of ERM implementation, more companies
have a CRO, and thus, their ERM is stronger or well
advanced. At Stage 5 of ERM implementation, there
was also a positive correlation between ERM and
CRO; however, the relationship was not statistically
significant (B = 1.477, p = .090).
Based on the correlational analysis (Table 22),
there was a weak, positive correlation between CRO
and ERM deployment. Correlations were considered
statistically significant at .05. This relationship
shows, as the presence of CROs increased,
organizations demonstrated higher levels of ERM
implementation (based on lower and higher stages).
This indicated that the presence of a CRO in an
organization is linked to an organization having a
better ERM system.
Based on these analyses, this study found a
positive relationship between the level of ERM
deployment and the presence of a CRO. This result
was expected, and was consistent with previous
research (e.g., Baxter, Bedard, Hoitash, & Yezegel,
2013; Beasley et al., 2005; Kleffner et al., 2003;
Liebenberg & Hoyt, 2003; Paape & Speklé, 2012;
Pagach & Warr, 2011; Wan Daud et al., 2010; Waweru
& Kisaka, 2013). These researchers observed a
significant positive relationship between the
presence of a senior management role such as a CRO
or its equivalent and the effective deployment of
organization-wide risk management systems.
The presence, influence, and role of the CRO
are important in the promotion and implementation
of an ERM system (Beasley et al., 2005; Kleffner et
al., 2003; Lam, 1999). The study by Liebenberg and
Hoyt (2003) found that the relationship between
ERM implementation and appointment of a CRO
could be viewed as a strong signal for its use. In
addition, Beasley et al. (2005) in investigating the
relationship between the presence of a CRO and ERM
implementation, found that the presence of a CRO
significantly increased the organization's level of
ERM implementation.
The AC and ERM Deployment
With the exception of Paape and Speklé (2012), most
of the extant literature reviewed during this study
did not employ the AC as a variable during the
deployment of an ERM system. This is consistent
with the contingency theory, which endorses the view
that "there are no universally valid rules of
organizing and management" (Burrell & Morgan,
1979 as noted by Rejc, 2003, p. 246). This does not
look at universal principles applicable in all
situations, but instead purports to explain how one
attribute or characteristic is dependent upon
another (Vecchio as cited by Mullins, 2005).
The analyses further revealed that for stage 2, a
positive correlation existed between the presence of
an AC and ERM deployment. This relation was
however not statistically significant (B = .547, p =
.418). For stage three of ERM implementation, there
was a positive relation between ERM and presence of
an AC, although this relation was not statistically
significant (B = .763, p = .202). Similarly, for stage 4,
there was a positive relation between ERM and
presence of an AC, but this relation was not
statistically significant (B = .130, p = .877). At stage 5
of deployment, a positive relationship was noted
between the presence of an AC and ERM, although
this was not statistically significant (B = 1.323, p =
.173). The data analysis demonstrated a weak
positive correlation between the presence of AC and
ERM implementation. This correlation was
statistically significant. This implied that
organizations with an AC would have better ERM
implementation and performance.
The correlation analysis also found a positive
relationship between the presence of an AC and an
organization's level of ERM implementation. This
outcome was expected and consistent with
the observation made by Paape and Speklé (2012). The
present study also found a strong positive
correlation between presence of an AC and CRO (r =
.519, p < .01). This relationship demonstrated that
the presence of an AC would be higher with the
presence of CRO and vice versa.
TM Support and ERM Deployment
It was observed that for Stage 2, there was a
significant positive relationship between ERM and
TM support level (B = .349, p < .05). At Stage 2 of
ERM deployment, a one-unit increase in TM support
level had a positive impact on ERM by a factor of
1.418. Thus, higher TM support was reflected in an
increase in the level of ERM implemented (for
example Stage 1 vs. Stage 2). At Stage 3 of ERM
implementation, a positive correlation between ERM
and TM support was observed; however, this
relationship was not statistically significant (B =
.175, p = .170). Stage 4 of deployment demonstrated
a positive correlation between ERM and TM support
even though this relation was not statistically
significant (B = .391, p = .064). At Stage 5 of ERM
implementation, there was a positive correlation
between ERM and TM support despite the fact this
relation was not statistically significant (B = .122, p =
.503).
The regression analysis also demonstrated a
significant positive relationship between TM support
and ERM implementation. Therefore, as the support
of senior management increases, the quality and
effectiveness of ERM implementation increases. The
study also found positive correlations between TM
support level and the presence of a CRO (r = .263, p
< .01) as well as AC (r = .308, p < .01). These
outcomes suggest that TM support increased with
the presence of a CRO and AC and vice versa. Based
on the findings of the data analysis, the support of
TM and the presence of a CRO and an AC are related
to successful ERM deployment.
Beasley et al. (2005) observed that the existence
of a CRO, managerial involvement, and auditor type
were associated with more advanced stages of ERM
adoption. Lam (1999) noted that the role of TM was
critical for the success of an ERM endeavor, as TM
defines what acceptable risks are and establishes the
needed organizational structures and frameworks
for effective performance. In addition, TMs provide
vision, goals, and strategy for risk management and
models for the desired behaviors (Drew et al., 2006).
In the present study, a majority of the
respondents (n = 65, 48.5%) affirmed the absence of
an integrated risk management system within their
organizations (suggesting risks were assessed and
managed reactively or assessed and preventatively
managed for certain areas of the organization). A
total of 40 respondents (29.9%) indicated their
organizations had planned the deployment of an
ERM system and that certain risks were proactively
assessed and managed. Twenty-nine respondents
(21.7%) indicated their organization had fully
implemented an organization-wide risk
management system (where all strategic, financial,
operational, project, and compliance risks were
proactively assessed and managed). Nearly half of
these respondents (10.5% of the total population, n =
14) noted their organizations were in Stage 5 (the
highest level) of the implementation process, while
the remainder of the respondents (11.2% of the total
study population, n = 15) indicated their
organizations were in Stage 4 of the deployment
process. At stage 5 of deployment, ERM becomes an
integral part of the organization's strategic planning
and control cycle. The low percentage of
organizations in stage 5 (10.5%, n = 14) suggests that
ERM deployment remains immature. This finding is
consistent with observations made by previous
researchers (e.g., Beasley et al., 2005; Paape & Speklé,
2012; Waweru & Kisaka, 2013).
Studying ERM and organizational oversight
in 2010, Beasley, Branson, and Hancock noted that
28% of respondents indicated their ERM deployment
was effective and efficient, while 60% acknowledged
their systems were underdeveloped and risk
management was unsystematic. Wan Daud, Yazid, and
Hussain (2010), in their study involving publicly
listed Malaysian firms found that 43% of
respondents noted that their organizations had a
complete ERM mechanism in place, 38% indicated
their ERM was partially developed, 5% were planning
to adopt an ERM system, whereas 14% were still
considering adoption options. Paape and Speklé
(2012) found that only 11% of respondents in their
study had a fully functional ERM system in place,
another 12.5% were in the implementing process,
23.5% were planning to implement an ERM
mechanism, 38.9% were also considering the
deployment of such a system, and 14% did not have
a robust risk management system. Waweru and
Kisaka (2013) found that 27% of respondents had
ERM systems in place in their organizations, while
36% had not implemented any ERM. Based on the
findings of other researchers in combination with
the present study's data analysis, it appears as
though organizations have been slow to adopt a
holistic approach to risk assessment and
management. The low adoption rates could indicate
that ERM remains immature as noted earlier (Beasley
et al., 2010; Waweru & Kisaka, 2013). Despite the
fact that ERM is still in the early stages of
development, organizations that have implemented
it are assumed to be managing their risks holistically
and strategically (Kleffner, Lee, & McGannon, 2007).
5.2. Implication of the Study Results
The results of the study revealed that there was a
significant positive relationship between the
presence of a chief risk officer (CRO) and the
implementation of enterprise risk management
(ERM). The null hypothesis was rejected and the
alternative accepted. This implies that organizations
wanting to improve the efficiency of their risk
management systems need to engage a CRO during
implementation. The key benefit of the presence of a
risk champion is the ability to expand risk
management responsibilities throughout an
organization's leadership structure (De La Rosa,
2007). Such an executive works with other managers
to set up a risk management system and
disseminates risk information throughout the
organization (COSO, 2004; Saeidi, Sofian, Rasid, &
Saeid, 2012). The CRO can also reduce risk-related
information asymmetry between shareholders
(Beasley et al., 2008). As they are ultimately
responsible for uniting all the risk management
activities across the organization, risk officers
reduce the duplication of efforts across the various
sectors within the organization and increase an
organization's efficiency (De La Rosa, 2007).
The regression result and the correlation
analysis suggested there was a positive and
significant relationship between the presence of an
audit committee (AC) and the deployment of an ERM
system, leading to the null hypothesis being rejected
and the alternative accepted. This suggests that the
inclusion of ACs during the implementation of an
entity-wide risk management system is critical. ACs
play critical roles in the oversight of risk
management practices (Livingston, 2005; Paape &
Speklé, 2012). The AC is responsible for issues
related to the relationship between the organization
and its auditors (Taher & Boubaker, 2013). According
to the National Commission on Fraudulent Financial
Reporting, ACs create a platform where directors,
management, and auditors can coordinate issues
pertaining to risk management and financial
reporting (as cited in Turley & Zaman, 2004). The AC
is able to influence the board of directors (BODs) to
ensure that risk management processes are allotted
attention and resources in order to be successful
(Paape & Speklé, 2012). The AC is also instrumental
in promoting CG principles to safeguard public
interest (Szczepankowski, 2012; Vasile & Croitoru,
2013). Menon and Williams argued that the existence
of an AC does not necessarily indicate effectiveness
(as cited in Turley & Zaman, 2004).
In addition, it was observed that there are
positive correlations between support levels of top
management (TM) and the implementation of an
ERM. This implies that the inclusion of TM and
leadership support is instrumental to the successful
deployment of an ERM management system. TM can
influence knowledge sharing and learning through
the creation of appropriate climate, culture, and
resources (Lin, 2007). Lin (2007) further explained
that through knowledge donation and collection, an
organization is able to enhance its innovation
abilities. Effective TM support influences the setting
of organizational values and encourages the
development of appropriate management styles in
order to enhance the performance of an
organization (Chen & Paulraj, 2004).
Enterprise-wide risk management is strategic
and thus cannot succeed without TM support
(Bowling & Rieger, 2005). Andriole (2009) argued
that in the absence of TM support, opportunities can
be missed and projects can fail. According to Tiller
(2012), strong leadership and management support
creates success for most strategies, and
organizations that satisfy stakeholders and maintain
profitability must promote it. Consequently, TM
must participate in the early stages of implementing
a collaborative risk management system (Bowling &
Rieger, 2005).
TM plays a critical role in the success of any
effective risk management system (Beasley et al.,
2008). TM support facilitates the integration of risk
management philosophy and strategy across the
organization. The nature, scope, and impact of
corporate risk management must have strong
support from TM in order to be successful (Walker
et al., 2002). Employees of an organization are likely
to accept and adopt an enterprise-wide risk
management system when it is noted that TM and
BODs are supportive and actively involved in the risk
management process (Brown et al., 2009). Hence, for
any collaborative risk management framework to
succeed, it is critical that the entire organization
gets involved.
The research model accounted for 25% of the
relationship between dependent and independent
variables, indicating there could have been other
contingent organizational features or variables of
ERM deployment which were not considered in this
study, an assertion corroborated by Beasley et al.
(2005). However, the model was statistically
significant (Chi-square = 36.63, p < 0.05) to establish
the relationship between the dependent and
independent variables.
Consistent with the contingency theory, this
study found that the presence and role of a CRO, an
AC, and TM support significantly influenced the
deployment of an ERM system. The contingency
theory endorses the view that "there are no
universally valid rules of organizing and
management" (Burrell & Morgan, 1979, as noted by
Rejc, 2003, p. 246). The argument is that there is no
single best approach to managing and organizing
(Hanisch & Wald, 2012; Burns & Stalker, 1961;
Lawrence & Lorsch, 1967). Howell et al. (2010)
observed that, for effectiveness, the various external
challenges that an organization is presented with
require the application of different organizational
characteristics, and "an optimal fit may require
different organizational characteristics to suit
different external conditions" (p. 257).
The outcome of this study is useful when
assessing factors related to an organization's ERM
deployment. Based on the present research findings
and evidence in the scholarly literature, when
implementing an ERM system, it is important for an
organization to engage a CRO, form an AC, and
enlist the support of TM. By so doing, organizations
can enhance effective risk management and thereby
increase shareholder value (Baxter et al., 2013;
Beasley et al., 2005; Bowling & Rieger, 2005;
Cumming & Hirtle, 2001; Lam, 2001). These
measures also allow organizations to deploy
systems that can better facilitate a well-coordinated
and consistent approach to managing risk, thereby
increasing productivity and profitability (Bowling &
Rieger, 2005; Kleffner et al., 2003; Nocco & Stulz,
2006). With a consolidated mechanism in place, a
comprehensive approach to risk management, in
alignment with the organization's strategy, can be
realized (Liebenberg & Hoyt, 2003; Stroh, 2005).
Previous studies have only examined
organizations with ERM or drawn samples
exclusively from publicly traded firms. The present
study, however, expanded the research sample to
include professionals from various sectors of
finance, manufacturing, IT and telecommunication,
insurance, business services, transport and logistics,
government or non-profit, healthcare, and energy/oil
and gas industries in North America. In terms of
industry type, this study found that organizations in
the financial, banking, insurance, and educational
sectors had better developed ERM programs in place.
This observation was consistent with previous
findings of Beasley et al. (2005) and Paape and
Speklé (2012). The study also noted that
organizations in the manufacturing, healthcare,
automotive, government, not for profit, engineering,
utilities, and energy/oil & gas sectors also had ERM
systems in place.
5.3. Limitations
There were several limitations with this study. The
reluctance of firms to disclose information about
their risk management strategies makes it difficult
to locate organizations implementing enterprise risk
management (ERM). As a result, there could be
crucial organizational features of ERM deployment
that might not have been considered in this study
(Beasley et al., 2005). Some of these variables may
have impacted the outcome of this study.
Secondly, although the model was statistically
significant in establishing the relationship between the
variables used in the study (Chi-square = 36.63, p <
.05), the results of the detailed statistical
analysis indicated the model could explain 25% of
the relationship between dependent and
independent variables. The remaining 75% could be
the contributions of other variables not considered
in this study. These could include those mentioned
in the literature such as BOD independence,
presence of auditors, entity size, and type of
industry (Beasley, 2005); compliance issues (Bowling,
2005); organizational leverage, profitability,
turnover, internal diversification, and shareholders
(Yazid, Razali, & Hussin, 2012); presence of more
volatile cash flow, and riskier stock returns (Pagach
& Warr, 2011); regulatory environment, internal
factors, ownership structure, and organizational and
industry-related characteristics (Paape & Speklé,
2012); the diversified nature of the organization, and
the returns on stock volatility (Eckles et al., 2014).
Such a wide range of potential factors suggests the
level of strategic risk management implementation
in an organization is affected by several contingent
variables.
The levels of ERM implementation in
participants' organizations were self-reported, which
may not have accurately reflected the reality of the
ERM maturity level. Similarly, the effectiveness of
organizational risk management systems was
self-reported and based on participants' perceived
judgment, which could potentially have led to the
introduction of bias resulting from inaccurate
observations. Also, some participants were not
directly involved in the ERM deployment, and as a
result, they may have lacked first-hand knowledge of
the entire process (Beasley et al., 2005).
In addition, the research method may not have
been able to account for the complexities related to
an organizational risk management implementation
process. The study assumed that survey data would
be obtained from individuals involved in managing
risk and that there would be a sufficient number of
participants who were involved in and
knowledgeable of enterprise risk management.
Unfortunately, 20.9% of the participants (n = 28)
worked in organizations that had no such systems in
place while 27.6% of participants (n = 37) worked in
organizations considering ERM implementation.
5.4. Recommendations for Further Research
The results of this research have implications for
practice and future research in the field of risk
management. To better understand the factors that
influence the deployment of an integrated risk
management system, it is suggested that the
influence of organizational structure on the
effectiveness of risk management be investigated.
Similarly, the ability of a holistic risk management
system to effectively manage organizational risk
should be investigated. In relating risk to
organizational structure, it is recommended that
further research should assess how organizational
hierarchy impacts ERM implementation.
In addition, through the use of contingency
theory, further research should investigate whether
additional factors such as board independence, firm
size, ownership structure, growth rate, regulation,
industry type, corporate governance, effective
communication, and organization risk culture could
impact the effective implementation of
organization-wide risk management. Although this
study did not directly explore the role of ERM in
value creation, it is suggested that the impact of the
various levels of deployment and their related
contributions towards value creation be explored.
Such a study could potentially elucidate whether, and
how, a collaborative approach to risk management
influences stakeholder value creation (Kraus et al.,
2012). Finally, an experimental research approach
could be used to establish a possible cause and
effect relationship between variables.
5.5. Conclusion
This study extends emerging research on enterprise
risk management by examining organizational
factors (such as the role of a Chief Risk Officer
(CRO), the role of an Audit Committee (AC), and Top
Management (TM) support) associated with its
implementation. The major findings indicated a
positive and significant relationship between the
deployment of an ERM system and the presence of a
CRO, an AC, and TM support. This is an indication that the
presence and role of a CRO, AC, and TM support
influenced the deployment of an enterprise-wide
risk management system. In addition, the study
found that as TM support increased so did the
presence of the CRO and AC, and vice versa.
Moreover, there was a strong positive correlation
between the presence of a CRO and an AC,
suggesting that organizations with a CRO were more
likely to also have an AC and vice versa.
Although the extant literature presents ERM as
an effective risk management mechanism, this study
noted a minority of respondents (n = 14, 10.5%) as
having a fully developed ERM tool in place. These
findings indicate that ERM is still in the
developmental stages, which corroborates earlier
studies. In addition, the findings suggest
organizational risk management requires more
advancement (Paape & Speklé, 2012).
The study findings are important for decision
makers in organizations implementing strategic risk
management, as they suggest that organizations
need to engage a CRO, an AC, and enlist the support
of TM in the deployment of effective risk
management policies and mechanisms. For
organizations to harness the potential benefits of
implementing ERM, a CRO and an AC should be in
place and TM support should be high. This study
adds to the body of knowledge by suggesting that
the implementation of an ERM system is not only
limited to the financial or insurance industries but
also extends to various sectors such as education,
business services, government, manufacturing, legal,
not for profit, engineering, utilities, energy/oil & gas
and healthcare.
REFERENCES:
1. Aabo, T., Fraser, J. R. S., & Simkins, B. J. (2005), The
rise and evolution of the chief risk officer:
Enterprise risk management at Hydro One, Journal
of Applied Corporate Finance, 17(3), 62-75.
doi:10.1111/j.1745-6622.200500045.x
2. Abrams, C., J, V. K., Müller, S., Pfitzmann, B., &
Ruschka-Taylor, S. (2007), Optimized enterprise
risk management, IBM Systems Journal, 46(2),
219-234.
3. Ai, J., Brockett, P. L., Cooper, W. W., & Golden, L. L.
(2012), Enterprise risk management through
strategic allocation of capital, Journal of Risk and
Insurance, 79(1), 29-55.
doi:10.1111/j.1539-6975.2010.01403.x
4. Aiken, M., & Hage, J. (1971), The organic
organization and innovation, Sociology, 5(1), 63-
82. doi:10.1177/003803857100500105
5. Alboali, S., Hamid, E., & Moosavi, S. A. (2013). The
study of contingency components roles in the
design of municipals' accounting systems: A case
study, Journal of Business and Management
Science, 1(5), 96-104. doi: 10.12691/jbms-1-5-3
6. Allayannis, G., & Weston, J. P. (2001), The use of
foreign currency derivatives and firm market
value, Review of Financial Studies, 14(1), 243-276.
doi:10.1093/rfs/14.1.243
7. Altuntas, M., Berry-Stölzle, T. R., & Hoyt, R. E.
(2011), Implementation of enterprise risk
management: Evidence from the German property-
liability insurance industry, Geneva Papers on Risk
& Insurance, 36(3), 414-439.
doi:10.1057/gpp.2011.11
8. Alviniussen, A., & Jankensgård, H. (2009),
Enterprise risk budgeting: Bringing risk
management into the financial planning process,
Journal of Applied Finance, 19(1/2), 178-192.
Retrieved from
http://www.fma.org/Publications/JAFIndex.htm
9. Andrews, R., & Beynon, M. J. (2011), Organizational
form and strategic alignment in a local authority:
A preliminary exploration using fuzzy clustering,
Public Organization Review, 11(3), 201-218.
doi:10.1007/s11115-010-0117-4
10. Andriole, S. J. (2009), Boards of directors and
technology governance: The surprising state of the
practice, Communications of the Association for
Information Systems, 24(22), 373-394. Retrieved
from http://aisel.aisnet.org/cais/
11. Archer, D. (2002), Creating a risk management
framework, CMA Management, 76(1), 16-19.
12. Arena, M., Arnaboldi, M., & Azzone, G. (2010), The
organizational dynamics of enterprise risk
management, Accounting, Organizations and
Society, 35(7), 659-675. doi:
10.1016/j.aos.2010.07.003
13. Aretz, K., Söhnke M. B., & Dufey, G. (2007), Why
hedge? Rationales for corporate hedging and value
implications, The Journal of Risk Finance, 8(5),
434-449. doi:10.1108/15265940710834735
14. Arnold, V., Benford, T. S., & Hampton, C., & Sutton,
S. G. (2012), Enterprise risk management as a
strategic governance mechanism in B2B-enabled
transnational supply chains, Journal of
Information Systems, 26(1), 51-76.
doi:10.2308/isys-10253
15. Bartlett, K. R. (2005), Survey research in
organizations: In R. A. Swanson & E. F. Holton III
(Eds.), Research in organizations: Foundations and
method of inquiry (pp. 97-113). San Francisco, CA:
Berrett-Koehler Publishers.
16. Bates, L. (2010), Avoiding the pitfalls of enterprise
risk management, Journal of Risk Management in
Financial Institutions, 4(1), 23-28. Retrieved from
http://web.ebscohost.com
17. Baxter, R., Bedard, J. C., Hoitash, R., & Yezegel, A.
(2013), Enterprise risk management program
quality: Determinants, value relevance, and the
financial crisis, Contemporary Accounting
Research, 30(4), 1264-1295.
doi:10.1111/j.1911-3846.2012.01194.x
18. Beasley, M. S., Branson, B. C., & Hancock, B. V.
(2009), ERM: Opportunities for improvement,
Journal of Accountancy, 208(3), 28-32. Retrieved
from http://www.journalofaccountancy.com
19. Beasley, M. S., Branson, B. C., & Hancock, B. V.
(2010), Are you identifying your most significant
risks? Strategic Finance, 92(5), 29-35. Retrieved
from http://sfmagazine.com
20. Beasley, M. S., Branson, B. C, & Hancock, B. V.
(2010a), COSO's 2010 report on enterprise risk
management (2nd ed): Current state of enterprise
risk oversight and market perceptions of COSO's
ERM framework. Retrieved from
http://poole.ncsu.edu/d/erm/weblogs/summaries/2008/state-erm-2nd-2010.pdf
21. Beasley, M. J., Carcello, J. V., Hermanson, D. R., &
Neal, T. L. (2009), The audit committee oversight
process, Contemporary Accounting Research, 26,
65-122. doi:10.1506/car.26.1.3
22. Beasley, M. S., Clune, R., & Hermanson, D. R.
(2005), Enterprise risk management: An empirical
analysis of factors associated with the extent of
implementation, Journal of Accounting and Public
Policy 24(6), 521-531. doi:
10.1016/j.jaccpubpol.2005.10.001
23. Beasley, M. S., & Frigo, M. L. (2007), Strategic risk
management: Creating and protecting
value, Strategic Finance, 88(11), 25-53. Retrieved
from http://sfmagazine.com
24. Beasley, M., Pagach, D., & Warr, R. (2008),
Information conveyed in hiring announcements of
senior executives overseeing enterprise-wide risk
management processes, Journal of Accounting,
Auditing & Finance, 23(3), 311-332.
doi:10.1177/0148558X0802300303
25. Ben-Amar, W., Boujenoui, A., & Zeghal, D. (2014),
The relationship between corporate strategy and
enterprise risk management: Evidence from
Canada, Journal of Management and Strategy, 5(1),
1-17. doi:10.5430/jms.v5n1p1
26. Berinato, S. (2004). Risks rewards: Are you on
board with enterprise risk management? You had
better be, It's the future of how businesses will be
run. CIO, 18(3), 1-58. Retrieved from
http://www.cio.com
27. Borker, D. R., & Vyatkin, V. N. (2012), Toward a
general holistic theory of risk, Journal of American
Academy of Business, Cambridge, 18(1), 33-38.
Retrieved from http://www.jaabc.com/journal.htm
28. Bostrom, R. (2003), Corporate governance:
Developments and best practices one year after
Sarbanes–Oxley, International Financial Law
Review 22(10), 189-204. Retrieved from
http://www.iflr.com/
29. Bowling, D. M., & Rieger, L. (2005), Success factors
for implementing enterprise risk
management, Bank Accounting & Finance, 18(3),
21-26.
30. Bromiley, P., McShane, M., Nair, A., &
Rustambekov, E. (2014), Enterprise risk
management: Review, critique, and research
directions, Long Range Planning [In press,
corrected proof online]. doi:
10.1016/j.lrp.2014.07.005
31. Brown, I., Steen, A., & Foreman, J. (2009), Risk
management in corporate governance: A review
and proposal, Corporate Governance: An
International Review, 17(5), 546-558.
doi:10.1111/j.1467-8683.2009.00763.x
32. Buchalter, S. D., & Yokomato, K. L. (2003), Audit
committees' responsibilities and liability, The CPA
Journal, 73(3), 18-23. Retrieved from
http://www.cpajournal.com/
33. Buchanan, L. (2004), Breakthrough ideas for 2004:
Watch your back, Harvard Business Review, 82(2),
13-16. Retrieved from https://hbr.org/
34. Burkhardt, M. E., & Brass, D. J. (1990), Changing
patterns or patterns of change: The effect of a
change in technology on social network structure
and power, Administrative Science Quarterly,
35(1), 104-127. doi:10.2307/2393552
35. Burns, T., & Stalker, G. M. (1961), The management
of innovation. London, UK: Tavistock.
36. Byrnes, S. E., Williams, C., Kamat, S., &
Gopalakrishnan, S. (2012). Making the case for an
enterprise risk management program, The Journal
of Equipment Lease Financing, 30(2), 1-10.
37. Carcello, J. V., Hermanson, D. R., & Ye, Z. (2011),
Corporate governance in accounting and auditing:
Insights, practice implications, and future research
directions, Auditing: A Journal of Practice &
Theory 30(3), 1-31. doi:10.2308/ajpt-10112
38. Chen, I. J., & Paulraj, A. (2004), Towards a theory
of supply chain management: The constructs and
measurements, Journal of Operations
Management, 22(2), 119-150. doi:
10.1016/j.jom.2003.12.007
39. Churchill, G. A., Jr. (1979), A paradigm for
developing better measures of marketing
constructs, Journal of Marketing Research, 16(1),
64-73. doi:10.2307/3150876
40. Cohen J. R., Gaynor, L. M., Krishnamoorthy, G., &
Wright, A. M. (2011), The impact on auditor
judgments of CEO influence on audit committee
independence, Auditing: Journal of Practice &
Theory, 30(4), 129-147. doi:10.2308/ajpt-10146
41. Cohen, J., Krishnamoorthy, G., & Wright, A. (2004),
The corporate governance mosaic and financial
reporting quality, Journal of Accounting
Literature, 23(1), 87-98. Retrieved from
http://www.journals.elsevier.com/journal-of-accounting-literature
42. Cohen, J. R., Krishnamoorthy, G., & Wright, A. M.
(2007), The impact of roles of the board on
auditors' risk assessments and program planning
decisions, Auditing: A Journal of Practice &
Theory, 26(1), 91-112.
doi:10.2308/aud.2007.26.1.91
43. Cohen, L., Manion, L., & Morrison, K. (2007),
Research methods in education (6th ed.), New
York, NY: Routledge.
44. Collins, D. (2003), Pretesting survey instruments:
An overview of cognitive methods, Quality of Life
Research, 12(3), 229-238. Retrieved from
http://www.isoqol.org/research/quality-of-life-research
45. Colquitt, L. L., & Hoyt, R. E. (1997), Determinants
of corporate hedging behavior: Evidence from the
life insurance industry, Journal of Risk and
Insurance, 64(4), 649-671. doi:10.2307/253890
46. Committee of Sponsoring Organizations of the
Treadway Commission [COSO]. (2004), Enterprise
risk management - Integrated framework, New
York, NY: Author.
47. Cooper, D. R., & Schindler, P. S. (2007). Business
research methods, New York, NY: McGraw-Hill.
48. Cozijnsen, A. J., Vrakking, W. J., & van IJzerloo, M.
(2000), Success and failure of 50 innovation
projects in Dutch companies, European Journal of
Innovation Management, 3(3), 150-159.
doi:10.1108/14601060010322301
49. Creswell, J. W. (2012), Educational research:
Planning, conducting, and evaluating quantitative
and qualitative research (4th ed.), Boston, MA:
Pearson.
50. Csaszar, F. A. (2012), Organizational structure as a
determinant of performance: Evidence from
mutual funds, Strategic Management
Journal, 33(6), 611-632. doi:10.1002/smj.1969
51. Cumming, C. M., & Hirtle, B. J. (2001), The
challenges of risk management in diversified
financial companies, Economic Policy Review, 7(1),
1-17. Retrieved from
http://www.ny.frb.org/research/epr/
52. Dabari, I. J., & Saidin, S. Z. (2014), A theoretical
framework on the level of risk management
implementation in the Nigerian banking sector:
The moderating effect of top management
support, Social and Behavioral Sciences 164
(2014), 627 – 634. doi:
10.1016/j.sbspro.2014.11.156
53. Daft, R. L. (2001), Organizational theory and
design, Cincinnati, OH: Southwestern.
54. Damanpour, F. (1991), Organizational innovation:
A meta-analysis of effects of determinants and
moderators, Academy of Management Journal,
34(3), 555-590. doi:10.2307/256406
55. Das, S. C., & Gope, A. K. (2014), Impact of
demographic features of employees on HRD in life
insurance corporation of India: The multinomial
logistic regression modeling, Review of HRM, 3,
236-244.
56. Daud, W. N. W., Haron, H., & Ibrahim, D. N. (2011),
The role of quality board of directors in enterprise
risk management (ERM) practices: Evidence from
binary logistic regression, International Journal of
Business and Management, 6(12), 205-211.
doi:10.5539/ijbm.v6n12p205
57. Daud, W. N. W., Yazid, A. S., & Hussin, H. M. R.
(2010), The effect of chief risk officer (CRO) on
enterprise risk management (ERM) practices:
Evidence from Malaysia, The International
Business & Economics Research Journal, 9(11), 55-
64. Retrieved from http://www.cluteinstitute.com/
58. De La Rosa, S. (2007), Moving forward with ERM,
Internal Auditor, June, 50-54. Retrieved from
https://iaonline.theiia.org/
59. De Loach, J. W. (2000), Enterprise-wide risk
management: Strategies for linking risk &
opportunity, London, UK: Prentice Hall.
60. Deloitte. (2008), Perspectives on ERM and the risk
intelligent enterprise: Enterprise risk management
benchmark survey, Retrieved from
http://www.ipai.pt/fotos/gca/surveyerm_pt_1_1233338524.pdf
61. Demidenko, E., & McNutt, P. (2010), The ethics of
enterprise risk management as a key component
of corporate governance, International Journal of
Social Economics, 37(10), 802-815.
doi:10.1108/03068291011070462
62. Desender, K. (2011), On the determinants of
enterprise risk management implementation, In N.
S. Shi & G. Silvius (Eds.), Enterprise IT governance,
business value, and performance measurement
(pp. 87-100). doi:10.4018/978-1-60566-346-3.ch006
63. Devers, C. E., McNamara, G., Wiseman, R. M., &
Arrfelt, M. (2008), Moving closer to the action:
Examining compensation design effects on firm
risk, Organization Science, 19(4), 548-566.
doi:10.1287/orsc.1070.0317
64. Dia, M., & Zéghal, D. (2008), Fuzzy evaluation of
risk management profiles disclosed in corporate
annual reports, Canadian Journal of
Administrative Sciences, 25(3), 237-254.
doi:10.1002/cjas.66
65. Dickhart, G. (2008), Risk: Key to governance,
Internal Auditor, 65(6), 27-34. Retrieved from
https://iaonline.theiia.org/
66. Dickinson, G. (2001), Enterprise risk management:
Its origins and conceptual foundation, The Geneva
Papers on Risk and Insurance, 26(3), 360-366.
doi:10.1111/1468-0440.00121
67. Didraga, O. (2013), The role and effects of risk
management in IT project success, Informatica
Economica, 17(1), 86-98.
doi:10.12948/issn14531305/17.1.2013.08
68. Daft, R. L. (2001), Organizational theory and
design (7th ed.), Boston, MA: South-Western
College.
69. Drazin, R., & van de Ven, A. H. (1985), Alternative
forms of fit in contingency theory, Alternative
Administrative Science Quarterly, 30(4), 514-539.
doi: 10.2307/2392695
70. Drew, S. A., Kelley, P. C., & Kendrick, T. (2006), Five
elements of corporate governance to manage
strategic risk, Business Horizons, 49(2), 127-138.
doi: 10.1016/j.bushor.2005.07.001
71. Drew, S. A. W., & Kendrick, T. (2005), Risk
management: The five pillars of corporate
governance, Journal of General
Management, 31(2), 19-36. Retrieved from
http://www.braybrooke.co.uk/JournalofGeneralManagement/tabid/56/Default.aspx
72. Eckles, D. L., Hoyt, R. E., & Miller, S. M. (2014), The
impact of enterprise risk management on the
marginal cost of reducing risk: Evidence from the
insurance industry, Journal of Banking & Finance,
43, 247-261. doi: 0.1016/j.jbankfin.2014.10.006
73. Eldabi, T., Irani, Z., Paul, R. J., & Love, P. E. D.
(2002), Quantitative and qualitative decision-
making methods in simulation modelling,
Management Decision, 40(1/2), 64-73.
doi:10.1108/00251740210413370
74. Faul, F., Erdfelder, E., Buchner, A., & Lang, A.
(2009), Statistical power analyses using G*Power
3.1: Tests for correlation and regression
analyses, Behavior Research Methods, 41, 1149-
1160. doi:10.3758/BRM.41.4.1149
75. Felekoglu, B., & Moultrie, J. (2014), Top
management involvement in new product
development: A review and synthesis, Journal of
Product Innovation Management, 31(1), 159-175.
doi:10.1111/jpim.12086
76. Field, A. (2009), Discovering statistics using SPSS
(3rd ed.), Thousand Oaks, CA: Sage.
77. Fraser, J., & Simkins, B. J. (Eds.). (2010), Enterprise
risk management, Today's leading research and
best practices for tomorrow's executives,
Hoboken, NJ: John Wiley.
78. Galloway, D., & Funston, R. (2000), The challenges
of enterprise risk management, Balance Sheet,
8(6), 22-25.
79. García, L.S., Barbadillo, E. R., & Pérez, M. O. (2012),
Audit committee and internal audit and the
quality of earnings: Empirical evidence from
Spanish companies, Journal of Management
Governance, 16(2), 305-331.
doi:10.1007/s10997-010-9152-3
80. Gates, S. (2006), Incorporating strategic risk into
enterprise risk management: A survey of current
corporate practice, Journal of Applied Corporate
Finance, 18(4), 81-90.
doi:10.1111/j.1745-6622.2006.00114.x
81. Gates, S., Nicolas, J., & Walker, P. L. (2012),
Enterprise risk management: A process for
enhanced management and improved
performance, Management Accounting Quarterly,
13(3), 28-38. Retrieved from
http://www.imanet.org/resources-publications/management-accounting-quarterly
82. Gephart, R. P., Jr., Van Maanen, J., & Oberlechner,
T. (2009), Organizations and risk in late
modernity. Organization Studies, 30(2/3), 141-155.
doi:10.1177/0170840608101474
83. Gibbs, G. R. (2007), Analyzing qualitative data. In
U. Flick (Ed.), The Sage qualitative research kit,
London, UK: Sage.
84. Gordon, L. A., Loeb, M. P., & Tseng, C. (2009),
Enterprise risk management and firm
performance: A contingency perspective, Journal
of Accounting and Public Policy, 28, 301-327. doi:
10.1016/j.jaccpubpol.2009.06.006
85. Green, P. (2001), Risk managers cover enterprise
exposure, Global Finance, 15, 72-74. Retrieved
from https://www.gfmag.com/
86. Gupta, P.K. (2004), Enterprise risk management,
sub-optimality to optimality, Journal of Insurance
and Risk Management, 2(4), 73-84. Retrieved from
http://bimtech.ac.in/research/journal-and-publications/journal-of-insurance-and-risk-management-journal/
87. Hampton, J. J. (2009), Fundamentals of enterprise
risk management: How top companies assess risk,
manage exposures, and seize opportunities, New
York, NY: AMACOM.
88. Hanisch, B., & Wald, A. (2012), A bibliometric view
on the use of contingency theory in project
management research, Project Management
Journal, 43 (3), 4-23. doi:10.1002/pmj.21267
89. Hayes, R. H., & Wheelwright, S. C. (1984), Restoring
our competitive edge: Competing through
manufacturing, New York, NY: John Wiley.
90. Hillson, D. (2005), Risk management: Important or
effective (or both)? Retrieved from
http://www.riskdoctor.com/pdf-briefings/risk-doctor126e.pdf.
91. Ho, C. L., Lai, G. C., & Lee, J.-P. (2013),
Organizational structure, board composition, and
risk taking in the U.S. property casualty insurance
industry, The Journal of Risk and Insurance, 80(1),
169-203. doi:10.1111/j.1539-6975.2012.01464.x
92. Howell, D., Windahl, C., & Seidel, R. (2010), A
project contingency framework based on
uncertainty and its consequences, International Journal
of Project Management, 28(3), 256–264. doi:
10.1016/j.ijproman.2009.06.00
93. Hoyt, R. E., & Liebenberg, A. P. (2011), The value of
enterprise risk management, Journal of Risk and
Insurance, 78(4), 795-822.
doi:10.1111/j.1539-6975.2011.01413.x
94. Huang, X., Kristal, M. M., & Schroeder, R. G. (2010),
The impact of organizational structure on mass
customization capability: A contingency
view, Production and Operations
Management, 19(5), 515-530.
doi:10.1111/j.1937-5956.2009.01117.x
95. Hundal, S. (2013), Independence, expertise and
experience of audit committee: Some aspects of
Indian corporate sector, American International
Journal of Social Science, 2(5), 58-75. Retrieved
from www.aijssnet.com
96. Ifinedo, P. (2008), Impacts of business vision, top
management support, and external expertise on
ERP success. Business Process Management
Journal, 14(4), 551-568.
doi:10.1108/14637150810888073
97. Ingley, C., & van der Walt, N. (2008), Risk
management and board effectiveness,
International Studies of Management &
Organization, 38(3), 43-70. doi:10.2753/IMO0020-8825380302
98. Islam, J., & Hu, H. (2012), A review of literature on
contingency theory in managerial accounting,
African Journal of Business Management, 6(15),
5159-5164. doi: 10.5897/AJBM11.2764
99. Jin, Y., & Jorion, P. (2006), Firm value and hedging:
Evidence from U.S oil and gas producers. The
Journal of Finance, 61(2), 893-919.
doi:10.1111/j.1540-6261.2006.00858.x
100. Keen, P. G. W. (1981), Information system and
organizational change, Communications of the
ACM, 24(1), 24-33. doi:10.1145/358527.358543
101. Kerzner, H. (2009), Project management systems
approach planning, scheduling, and controlling
(10th ed.), Hoboken, NJ: John Wiley.
102. Khan, S. A., Lederer, A. L., & Mirchandani, D. A.
(2013), Top management support, collective
mindfulness, and information systems
performance, Journal of International Technology
and Information Management, 22(1), 95-122.
Retrieved from http://scholarworks.lib.csusb.edu/jitim/
103. Kimbrough, R. L., & Componation, P. J. (2009), The
relationship between organizational culture and
enterprise risk management, Engineering
Management Journal, 21(2), 18-26.
doi:10.1080/10429247.2009.11431803
104. Kitchenham, B., & Pfleeger, S. L. (2002), Principles
of survey research: Part 5: Populations and
samples, ACM SIGSOFT Software Engineering
Notes, 27(5), 17-20. doi:10.1145/571681.571686
105. Kleffner, A. E., Lee, R. B., & McGannon, B. (2003),
The effect of corporate governance of the use of
enterprise risk management: Evidence from
Canada, Risk Management and Insurance
Review, 6(1), 53-73. doi:10.1111/1098-1616.00020
106. Komala, A. R. (2012), The influence of the
accounting manager's knowledge and the top
manager's support on the accounting information
system and its impact on the quality of accounting
information: A case of Zakat institutions in
Bandung, Journal of Global Management, 4(1), 33-
73. Retrieved from
https://ideas.repec.org/s/grg/03mngt.html
107. Kunda, G. (1995), Engineering culture: Control and
commitment in a high-tech corporation,
Organization Science, 6(2), 228-230.
doi:10.1287/orsc.6.2.228
108. Kraus, V., & Lehner, O. M. (2012), The nexus of
enterprise risk management and value creation: A
systematic literature review, ACRN Journal of
Finance and Risk Perspective, 1(1), 91-163.
Retrieved from http://www.acrn-journals.eu/
109. Lajili, K., & D. Zéghal. (2005), A content analysis of
risk management disclosures in Canadian annual
reports, Canadian Journal of Administrative
Sciences, 22(2), 125-142. doi:10.1111/j.1936-4490.2005.tb00714.x
110. Lam, J. (2000), Enterprise-wide risk management
and the role of the chief risk officer, E-Risk. March,
1-5. Retrieved from
http://www.erisk.com/Learning/Research/011_lamriskoff.pdf
111. Lam, J. (2001), The CRO is here to stay, Risk
Management, 48(4), 16-20. Retrieved from
http://www.rmmagazine.com/
112. Lam, J., (2003), Enterprise risk management: From
incentives to controls, Hoboken, NJ: John Wiley.
113. Lam, J. (2006), Managing risk across the
enterprise: Challenges and benefits. In M. Ong
(Ed.), Risk management: A modern perspective (pp.
3-19), Burlington, MA: Elsevier.
114. Lai, F., Azizan, N, & Samad, M. (2009), Shareholder
value creation through enterprise risk
management, International Journal of Business
Research, 10(1), 44 – 57.
115. LaValley, M. P. (2008), Logistic regression,
Circulation, 117(18), 2395-2399.
doi:10.1161/CIRCULATIONAHA.106.682658
116. Leech, T. (2002), Regulatory revolution risk civil
war, Algo Research Quarterly, 5(2), 1-11. Retrieved
from
http://www.leechgrc.com/pdf/grc/Algo%20Research%20Quarterly%20Summer%202002.pdf
117. LeCompte, M. D., & Goetz, J. P. (1982), Problems of
reliability and validity in ethnographic research,
Review of Educational Research, 52(1), 31-60.
doi:10.3102/00346543052001031
118. Leedy, P., & Ormond, J. (2009), Practical research:
Planning and design, Upper Saddle River, NJ:
Pearson.
119. Liebenberg, A. P., & Hoyt, R. E. (2003), The
determinants of enterprise risk management:
Evidence from the appointment of chief risk
officers, Risk Management and Insurance
Review, 6(1), 37-52. doi:10.1111/1098-1616.00019
120. Lin, H. (2007), Knowledge sharing and firm
innovation capability: An empirical study,
International Journal of Manpower, 28(3/4), 315-
332. doi:10.1108/01437720710755272
121. Lin, Y., Wen, M., & Yu, J. (2012), Enterprise risk
management: Strategic antecedents, risk
integration, and performance, North American
Actuarial Journal, 16(1), 1-28.
doi: 10.1080/10920277.2012.10590630
122. Lipton, M., & Lorsch, J. W. (1992), A modest
proposal for improved corporate governance, The
Business Lawyer, 48(1), 59-77. Retrieved from
http://www.jstor.org/journal/busilawyer
123. Livingston, P. (2005), The job of the audit
committee: Getting directors on the same page,
Financial Executive, March, 24-25. Retrieved from
http://www.financialexecutives.org
124. Lloyd, K., & Fanning, J. (2007), The audit
committee, Financial Executive, March, 54-56.
Retrieved from http://www.financialexecutives.org
125. Lubatkin, M., & Chatterjee, S. (1994), Extending
modern portfolio theory into the domain of
corporate diversification: Does it apply? Academy
of Management Journal, 37(1), 109-136.
doi:10.2307/256772
126. Maingot, M., Quon, T., & Zeghal, D. (2013), The
disclosure of enterprise risk management (ERM)
information: An over view of Canadian regulations
for risk disclosure, Journal of Governance &
Regulation, 2(4), 13-21. Retrieved from
http://www.virtusinterpress.org/-Journal-of-Governance-and-.html
127. Manab, N. A., Kassim, I., & Hussin, M. R. (2010),
Enterprise wide risk management practices:
Between corporate governance compliance and
value creation, International Journal of Business
Research Papers, 6(2), 239-252. Retrieved from
http://www.irbrp.com/
128. Markowitz, H. M. (1952). Portfolio selection. The
Journal of Finance 7(1), 77-91.
doi:10.2307/2975974
129. McCafferty, D. (2010), Why IT projects fail, CIO
Insight. Retrieved from
http://www.cioinsight.com/c/a/IT-Management/Why-IT-Projects-Fail-762340/
130. McConnell, P. (2009), Prime loss: A case study in
operational risk, Journal of Risk Management in
Financial Institutions, 3(1), 84-104. Retrieved from
http://www.henrystewartpublications.com/jrm
131. McShane, M. K., Nair, A., & Rustambekov, E. (2011),
Does enterprise risk management increase firm
value? Journal of Accounting, Auditing & Finance,
26(4), 641-658. doi:10.1177/0148558X11409160
132. Meier, R. L. (2000), Integrating enterprise-wide risk
management concepts into industrial technology
curricula, Journal of Industrial Technology, 16(4),
1-15. Retrieved from
http://j.cit.kmutnb.ac.th/?lang=en
133. Meagher, D., & O'Neil, G. (2000), Enterprise wide:
Risk management, Accountancy Ireland, 32(6), 10-
12. Retrieved from http://search.proquest.com
134. Meijaard, J., Brand, M. J., & Mosselman, M. (2005),
Organizational structure and performance in
Dutch small firms, Small Business
Economics, 25(1), 83-96. doi:10.1007/s11187-005-4259-7
135. Meulbroek, L. K. (2002), A senior manager's guide
to integrated risk management, Journal of Applied
Corporate Finance, 11(4), 56-70.
doi:10.1111/j.1745-6622.2002.tb00449.x
136. Miccolis, J., & Shah, S. (2000), Enterprise risk
management: An analytical approach. Parsippany,
NJ: Tillinghast-Towers Perrin.
137. Mikes, A. (2008), Chief risk officers at crunch time:
Compliance champions or business partners.
Journal of Risk Management, 2(1), 7-25. Retrieved
from http://www.ingentaconnect.com/content/hsp/jrmfi
138. Mikes, A., & Kaplan, R. S. (2013), Managing Risks:
Towards a Contingency Theory of Enterprise Risk
Management: Working Paper 13-063, Harvard
Business School.
139. Mintzberg, H. (1979), The structuring of
organization, Englewood Cliffs, NJ: Prentice Hall.
140. Moores, K., & Chenhall, R.H. (1991), Organizational
contexts and management accountancy systems:
An evaluation of accountancy frame works.
Retrieved from
http://epublications.bond.edu.au/discussion_papers/22.
141. Mullins, L. J. (2005), Management and
Organizational behaviour (7th ed.). Essex, UK:
Prentice Hall.
142. Muralidhar, K. (2010), Enterprise risk management
in the Middle East oil industry: An empirical
investigation across GCC countries, International
Journal of Energy Sector Management, 4(1), 59-86.
doi:10.1108/17506221011033107
143. Nahm, A. Y., Vonderembse, M. A., & Koufteros, X.
A. (2003), The impact of organizational structure
on time-based manufacturing and plant
performance, Journal of Operations Management,
21(3), 281-306. doi:10.1016/S0272-6963(02)00107-9
144. Nocco, B. W., & Stulz, R. M. (2006), Enterprise risk
management: Theory and practice, Journal of
Applied Corporate Finance, 18(4), 8-20.
doi:10.1111/j.1745-6622.2006.00106.x
145. Nunnally, C. J. (1978), Psychometric theory, New
York, NY: McGraw-Hill.
146. Önder, Ş., & Ergin, H. (2012), Determiners of
enterprise risk management applications in
Turkey: An empirical study with a logistic
regression model of the companies included in ISE
(Istanbul Stock Exchange), Business & Economic
Horizons, 7(1), 19-26. doi:
10.1016/j.sbspro.2014.11.156
147. Orcher, L. T. (2005), Conducting research: Social
and behavioral science methods, Glendale, CA:
Pyrczak.
148. Paape, L., & Speklé, R. F. (2012), The adoption and
design of enterprise risk management practices:
An empirical study, European Accounting
Review, 21(3), 533-564.
doi:10.1080/09638180.2012.661937
149. Pagach, D., & Warr, R. (2007), An empirical
investigation of the characteristics of firms
adopting enterprise risk management. Retrieved
from http://mgt.ncsu.edu/documents/Risk_officer_hazard_JBF.pdf
150. Pagach, D., & Warr, R. (2010), The effects of
enterprise risk management on firm performance.
Social Science Research Network.
doi:10.2139/ssrn.1155218
151. Pagach, D., & Warr, R. (2011), The characteristics
of firms that hire chief risk officers, Journal of
Risk and Insurance, 78(1), 185-211.
doi:10.1111/j.1539-6975.2010.01378.x
152. Peng, C.-Y. J., Lee, K. L., & Ingersoll, G. M. (2002),
An introduction to logistic regression analysis and
reporting, Journal of Educational Research, 96(1),
3-14. doi:10.1080/00220670209598786
153. Pennings, J. M. (1992), Structural contingency
theory: A reappraisal, Research in Organizational
Behavior, 14(1), 267-309. Retrieved from
http://www.journals.elsevier.com/research-in-organizational-behavior/
154. Petit, Y., & Hobbs, B. (2010), Project portfolio in
dynamic environments: Sources of uncertainty and
sensing mechanisms, Project Management Journal,
41(4), 46-58. doi:10.1002/pmj.20201
155. Power, M. (2007), Organized uncertainty:
Designing a world of risk management, New York,
NY: Oxford University Press.
156. Power, M. (2009), The risk management of nothing,
Accounting, Organizations and Society, 34(6), 849-
855. doi: 10.1016/j.aos.2009.06.001
157. Project Management Institute [PMI]. (2008), A
guide to the project management body of
knowledge (4th ed.), Newtown Square, PA: Author.
158. Ragu-Nathan, B. S., Apigian, C. S., Ragu-Nathan, T.
S., & Tu, Q. (2004), A path analytic study of the
effect of top management support for information
system performance, Omega, 32(6), 459-471. doi:
10.1016/j.omega.2004.03.001
159. Razali, A. R., & Tahir, I. M. (2011), Review of the
literature on enterprise risk management,
Business Management Dynamics, 1(5), 8-16.
Retrieved from www.bmdynamics.com
160. Rejc, A. (2004), Toward contingency theory of
performance measurement, Journal for East
European Management Studies, 9(3), 243-364.
Retrieved from http://www.jstor.org/journal/jeasteuromanastu
161. Rizova, P. S. (2006), Are you networked for
successful innovation? MIT Sloan Management
Review, 47(3), 49-55. Retrieved from
http://sloanreview.mit.edu/
162. Roberts, C., Vandenplas, C., & Stähli, M. E. (2014),
Evaluating the impact of response enhancement
methods on the risk of nonresponse bias and
survey cost, Survey Research Methods, 8(2), 67-80.
doi:10.18148/srm/2014.v8i2.5459
163. Rochette, M. (2009), From risk management to
ERM, Journal of Risk Management in Financial
Institutions, 2(4), 394-408. Retrieved from
http://www.henrystewartpublications.com/jrm
164. Rodríguez, N. G., Sanzo Pérez, M. J., & Trespalacios
Gutiérrez, J. A. (2008), Can a good organizational
climate compensate for a lack of top management
commitment to new product development?
Journal of Business Research, 61(2), 118–131. doi:
10.1016/j.jbusres.2007.06.011
165. Rolls, R. (1986), The Hubris hypothesis of
corporate takeover, Journal of Business, 59(2), 197
– 216. Retrieved from
http://pendientedemigracion.ucm.es/info/jmas/doctor/roll.pdf
166. Rosen, D., & Zenios, S. A. (2006), Enterprise-wide
asset and liability management: Issues,
institutions, and models, In S. A. Zenios & W. T
Ziemba (Eds.), Handbook of asset and liability
management: Theory and methodology (Vol. 1, pp.
1-21). Amsterdam, The Netherlands: North-
Holland.
167. Rosenberg, J. V., & Schuermann, T. (2006), A
general approach to integrated risk management
with skewed, fat-tailed risk, Journal of Financial
Economics, 79(3), 569-614. doi:
10.1016/j.jfineco.2005.03.001
168. Sadler, P. (1971), Designing an organizational
structure. Management International Review, 11
(6), 19-33. Retrieved from
http://www.springer.com/business+%26+management/journal/11575
169. Saeidi, P., Sofian, S., Rasid, S. Z. A., & Saeid, S. P.
(2012), The role of chief risk officer in adoption
and implementation of enterprise risk
management: A literature review, International
Research Journal of Finance and Economics, 88,
118-123. Retrieved from
http://www.internationalresearchjournaloffinanceandeconomics.com/
170. Salomo, S., Keinschmidt, E. J., & De Brentani, U.
(2010), Managing new product development teams
in a globally dispersed NPD program, Journal of
Product Innovation Management, 27(7), 955-971.
doi:10.1111/j.1540-5885.2010.00764.x
171. Samanta P. (2009), Enterprise risk management: A
strategic tool for hedging performance
disruptions, Journal of Risk Management in
Financial Institutions, 2(3), 232 – 237.
172. Sanchez, H., Benoit, R., & Pellerin, R. (2008), A
project portfolio risk-opportunity identification
framework, Project Management Journal, 39 (3), 97-
109. doi:10.1002/pmj.20072
173. Schein, E. H. (2004), Organizational culture and
leadership (3rd ed.), San Francisco, CA: John Wiley.
174. Schneider, G. P., Sheikh, A., & Simione, K. A. (2012),
Holistic risk management: An expanded role for
internal auditors, Academy of Accounting and
Financial Studies Journal, 16(1), 25-33. Retrieved
from http://www.alliedacademies.org
175. Sharma, R., & Yetton, P. (2003), The contingent
effect of top management support and task
independence on successful information systems
implementation, MIS Quarterly, 27(4), 533-555.
Retrieved from http://www.misq.org/
176. Smith, H. A., & McKeen, J. D. (2009), Developments
in practice XXXIII: A holistic approach to managing
IT-based risk, Communications of the Association
for Information Systems, 25(41), 519-530.
Retrieved from http://aisel.aisnet.org/cais/
177. Smith, C. W., & Stulz, R. M. (1985), The
determinants of firms' hedging policies, Journal of
Financial and Quantitative Analysis, 20(4), 391-
405. doi:10.2307/2330757
178. Smithson, C., & Simkins, B. J. (2005), Does risk
management add value? A survey of the evidence,
Journal of Applied Corporate Finance, 17(3), 8-17.
doi:10.1111/j.1745-6622.2005.00042.x
179. Sobel, P. J., & Reding, K. F. (2004), Aligning
corporate governance with enterprise risk
management, Management Accounting Quarterly,
5(2), 34-58. Retrieved from
http://www.imanet.org/resources-publications/management-accounting-quarterly
180. Stoke, M. (2004), Taking full advantage of
enterprise-wide risk management, The Treasurer,
association of Corporate Treasurers, London, May
Edition.
181. Stroh, P. J. (2005), Enterprise risk management at
United Health Group, Strategic Finance, 87(1), 26-
35. Retrieved from http://sfmagazine.com
182. Stulz, R. M. (1996), Rethinking risk management,
Journal of Applied Corporate Finance, 9(3), 8-24.
doi:10.1111/j.1745-6622.1996.tb00295.x
183. Smith, C. W., & Stulz, R. M. (1985), The
Determinants of Firms' Hedging Policies, Journal
of Financial & Quantitative Analysis, 20(4), 391-
405. Retrieved from
http://fisher.osu.edu/supplements/10/10402/determinants-firms.pdf
184. Szczepankowski, P. (2012), Audit committee
practice in the Polish stock companies, Present
situation and development perspectives, Business,
Management and Education, 10(1), 50-65.
doi:10.3846/bme.2012.05
185. Tabachnick, B. G., Fidell, L. S., & Osterlind, S. J.
(2001), Using multivariate statistics (4th ed.),
Boston, MA: Allyn and Bacon
186. Taher, M. A., & Boubaker, A. (2013), Interaction
between audit committee and internal auditor:
Evidence from Tunisia, The IUP Journal of
Corporate Governance, 12(2), 59-80.
doi.org/10.2139/ssrn.2213533. Retrieved from
http://www.iupindia.in/default.asp
187. Teasley, R., & Robinson, R. (2005), Understanding
technology transfer effectiveness in Japanese
organizations: A test of contingency theory,
Academy of Strategic Management Journal, 4, 77-
97. Retrieved from
http://www.alliedacademies.org
188. Thompson, J. D. (1967), Organizations in action,
New York, NY: Mcgraw-Hill.
189. Tiller, S. R. (2012), Organizational structure and
management systems, Leadership and
Management in Engineering, 12(1), 20-23.
doi:10.1061/(ASCE)LM.1943-5630.0000160
190. Torben, J. A. (2006), Global derivatives: A strategic
risk management perspective, Harlow: Pearson
Education.
191. Torben, J. A. (2009), Effective risk management
outcomes: Exploring effects of innovation and
capital structure, Journal of Strategy and
Management, 2(4), 352-379.
doi:10.1108/17554250911003845
192. Tourangeaus, R., Rips, L. J., & Rasinski, K. (2000),
The psychology of survey response, Cambridge,
MA: Cambridge University Press.
193. Trochim, W. M. (2001), The research methods
knowledge base, Cincinnati, OH: Atomic Dog.
194. Trochim, W. M. (2006), The research methods
knowledge base (2nd ed.). Retrieved from:
http://www.socialreserachmethods.net/k/b/destypes.php
195. Turley, S, & Zaman, M. (2004), The corporate
governance effects of audit committees, Journal of
Management and Governance, 8(3), 305-332.
doi:10.1007/s10997-004-1110-5
196. Vasile, E., & Croitoru, I. (2013), Corporate
governance in the current crisis, Internal Auditing
& Risk Management, 8(2), 1-11. Retrieved from
http://univath.ro/aimr/en/content/home
197. Vaclavik, M., & Jablonsky, J. (2012), Revisions of
modern portfolio theory optimization model,
Central European Journal of Operations research,
20(3), 473-483. doi:10.1007/s10100-011-0227-2
198. van Donk, D. P., & Molloy, E. (2008), From
organizing as projects to projects as
organizations. International Journal of Project
Management, 26(2), 129-137. doi:
10.1016/j.ijproman.2007.05.006
199. Vogt, W. P. (2007), Quantitative research methods
for professionals, New York, NY: Pearson
Education.
200. Walker, P. L., Shenkir, W. G., & Barton, T. L. (2002),
Enterprise risk management: Pulling it all together,
Altamonte Springs, FL: Institute of Internal
Auditors Research Foundation.
201. Waweru, N., & Kisaka, E. (2013), The effect of
enterprise risk management implementation on
the value of companies listed on the Nairobi stock
exchange, Journal of Applied Finance and
Banking, 3(3), 81-105. doi:10.2139/ssrn.1907248
202. Wester, K. L. (2011), Publishing ethical research: A
step-by-step overview, Journal of Counseling and
Development, 89(3), 301-307. doi:10.1002/j.1556-6678.2011.tb00093.x
203. Wu, D., & Olson, D. L. (2010), Enterprise risk
management: Coping with model risk in a large
bank, The Journal of the Operational Research
Society, 61(2), 179-190.
doi:http://dx.doi.org/10.1057/jors.2008.144
204. Wycoff, J. (2003), The "big 10" innovation killers,
Journal for Quality and Participation, 26(2), 17-22.
Retrieved from http://asq.org/pub/jqp/
205. Yazid, A. S., Razali, A. R., & Hussin, M. R. (2012),
Determinant of enterprise risk management: A
proposed framework for Malaysian public listed
companies, International Business Research, 5(1),
80-86. doi:10.5539/ibr.v5n1p80
206. Yeoh, P. (2009), Causes of the global financial
crisis: Learning from the competing insights,
International Journal of Disclosure and
Governance, 7(1), 42 – 69. doi:
10.1057/jdg.2009.18
207. Yermack, D. (1996), Higher market valuation of
companies with a small board of directors, Journal
of Financial Economics, 40(2), 185-212.
doi:10.1016/0304-405X(95)00844-5
208. Yin, R. K. (2003), Case study research: Designs and
methods (3rd ed.), Thousand Oaks, CA: Sage.
209. Zwikael, O. (2008), Top management involvement
in project management: A cross country study of
software industry, International Journal on
Management in Project Business, 1(4), 498-511.
doi:10.1108/17538370810906228.
... According to Beasley et al. (2005), the existence of a CRO constitutes a highly significant determinant for an existing ERM system. Other studies note that there is a significant relationship between the presence of a CRO and the level of ERM implementation (Godson and Werner, 2016). Hence, this study hypothesizes that: ...
... The positive and significant coefficient for CRO suggests that the presence of a CRO is positively associated with the extent of ERM implementation. This finding supports other works (Beasley et al., 2005; Godson and Werner, 2016), suggesting that the presence of a CRO among the senior management team significantly increases the entity's stage of ERM deployment. Liebenberg and Hoyt (2003, p. 43) argued that if companies fail to hire a CRO, it does not mean the companies do not have an ERM program in place. ...
Purpose Enterprise risk management (ERM) has become an important subject of increasing interest among companies throughout the world. It is gaining global attention among risk management professionals and academics. However, little is known about the extent of ERM implementation in the Tunisian context. More importantly, there are limited studies in literature that examine the determinants of this implementation. The purpose of this study is threefold: 1) to propose an index to measure the level of ERM implementation, 2) to examine the level of ERM implementation in Tunisian companies and 3) to propose a conceptual framework for the determinants of this implementation. From the review of literature, several factors are found to be determinants of ERM implementation. Such factors are the presence of a Chief Risk Officer, the appointment of an internal auditor, the type of industry and the firm size.
Design/methodology/approach To further understand the relation between ERM implementation and its determinants, a questionnaire survey was conducted in 2016 and administrated to 80 companies. Respondents were CRO and more often internal auditors or financial directors. Other data were collected from annual reports and notes to the financial statements. Along with this, the ordinal regression was applied to test the dependence between ERM implementation and its determinants.
Findings Based on the data gathered, Tunisian companies have shown an increasing interest in risk management in the post-revolution context, however, an integrated approach of ERM implementation is still at an early stage. Descriptive statistics suggest that ERM is essentially developed in financial institutions especially in banks and some large companies operating in non-financial industries. With regard to the multivariate regression results, the level of ERM implementation is positively related to the presence of a Chief Risk Officer, internal auditor, the type of industry and the firm size.
Originality/value This study attempts to contribute to the risk management literature in two ways. Conceptually, this study proposes an ERM index to assess the level of ERM implementation. Empirically, it provides some empirical evidence that highlights factors which determine the level of ERM implementation. Therefore, this study will extend the scope of literature by providing novel empirical evidence by exploring the Tunisian context.
... Gordon, Loeb, and Tseng [11] indicated that five factors affect a firm's value: environmental uncertainty, industry competition, firm size, firm complexity, and board of directors' monitoring. Furthermore, Mensah and Gottwald [12] also presented that they found a significant relationship between the role of a CRO and an audit committee and the support of top management in relation to the implementation of ERM. Moreover, Wu and Li [13] explored the influence of changing the proportion of outsider directors on corporate governance in China, finding that the level of board independence is positively associated with firm performance. ...
- Chien-Ming Huang
- Wei Yang
- Ren-Qing Zeng
Since a firm's profitability is associated with a degree of risk taking, risk indicators have been extensively treated as exogenous variables and affected firm performance. The level of risk taking should be determined through internal control quality and firm-specific characteristics to effectively understand the relationship between risk management and firm performance. This study aims to investigate the effects of risk management efficiency on the production efficiency of Chinese listed companies from 2002 to 2016 using the two-step data envelopment analysis (DEA) approach. Empirical results indicate that risk management differs from traditional financial theory, which means that high-level risk would earn high expected returns. Firms with a low efficiency index of enterprises risk management will have low performance. In particular, internal controls were significantly improved after the 2008 financial crisis. Our overall results also suggest that information asymmetry is still a problem in financial markets. To achieve maximum benefits for shareholders and improve the quality of information disclosure, methods for enacting market regulations are still very important issues in China.
... Previous research (Kovaitė & Stankevičienė, 2019) identified six areas of risk, which proposed two particular risk areas, relevant for implementation of Industry 4.0 - acceptance by staff, and competence, which is closely related to the human factor. The former refers to the habits of organising work during times of uncertainty and relates to organisational culture, social skills and the human factor (Maarit Lipiäinen, et al, 2014; Reim, et al, 2016; Mensah & Gottwald, 2016). The latter refers to organisational structure, responsibilities, structure, procedures and the qualifications of personnel, as well as the knowledge base and know-how (Jacobsson, et al, 2016; Karimi & Walter, 2016). ...
Industry 4.0 describes a phenomenon which augments business models and also communication channels in commercial enterprises. This paper analyses scientific publications related to the business model changes driven by Industry 4.0, and also digital internal communication channels used to reduce risks in the process. The paper is based upon a systematic review of scientific publications and evaluation by experts. The research revealed a gap between internal communication through digital channels and the change process in Industry 4.0-driven business models. Each channel has its mission and contributes to reducing risk during the change process. Since there is no universal digital channel for internal communication, different digital communication channels are efficient at different stages of change. The paper makes recommendations for enterprises, related to the effectiveness of digital communication channels during the business model transformation. It further contributes to existing knowledge by expanding the change process model and aligning the change process with features of digital communication channels. The research focused on the manufacturing sector, exploring digital communication channels used to reduce risk during the change process, which is a limitation of this study, along with assumption of a basic level of digital competences in the enterprise.
... Mohamed Metwally, Ali, Diab, and Hussainey (2019) reviewed risk management and its relationship to management accounting and control and argued that an illusion of control led to some unintended consequences. Mensah and Gottwald (2016) surveyed 134 risk management professionals and found a significant relationship between the role of a chief risk officer, the presence of an audit committee, and the support of top management and the level of ERM deployment. Grove and Clouse (2016) developed a risk management approach, using financial fraud prediction models and ratios, for a strategy of international investing with improved corporate governance. ...
Artificial intelligence (AI) has moved from theory into the global marketplace. The United Nations World Intellectual Property Organization released the first report of its Technology Trends series on January 31, 2019. It considered more than 340,000 AI-related patent applications over the last 70 years. 50 percent of all AI patents have been published in just the last five years. The challenges, potential risks, and opportunities for business and corporate governance from emerging technologies, especially artificial intelligence, have been summarized as whereby machines and software can analyze, optimize, prophesize, customize, digitize and automate just about any job in every industry. Boards of directors and executives need to recognize and understand the new risks associated with these emerging technologies and related reputational risks. The major research question of this paper is how boards of directors and executives can deal with both risk challenges and opportunities to strengthen corporate governance. Accordingly, the following sections of this paper discuss key risk management issues: deep shift risks, global risks, digital risks and opportunities, AI initiatives risks, business risks from millennials, business reputational risks, and conclusions.
... influence of top management support on ERM (e.g., Barton et al., 2002; Dabari & Saidin, 2014; Mensah & Gottwald, 2015) and found a positive effect on ERM. Hence, this study introduced a relatively new variable namely; top management stress. ...
The Malaysian listed companies are still struggling to maintain their enterprise risk management (ERM) system efficiently due to improper implementation problems of risk management practices. Therefore, the prime objective of this study is to reveal the audit effectiveness in mitigation of risk management implementation (RMI) problem and to examine the effect on financial performance. To achieve this objective, three hundred (300) questionnaires were distributed among the managerial employees of Malaysia listed firms by using simple random sampling. Data were analyzed by using SmartPLS 3. It is found that external audit effectiveness (EAE) and internal audit effectiveness (IAE) has a significant positive relationship with an ERM system. However, top management stress has a significant negative relationship with RMI. Additionally, ERM system has positive effect on financial performance of companies. It is also found that level of RMI playing a mediating role. Thus, this study is contributed in the body of knowledge by highlighting the vital factors to mitigate the crucial problem of RMI, particularly in Malaysian firms. Hence, the current study is quite beneficial for practitioners to implement ERM system effectively. Keywords: Enterprise risk management, internal audit, external audit, top management stress, implementation.
... The second approach, or Integrated Risk Management (IRM), encompasses all risks in a strategic and coordinated framework (Nocco and Stulz, 2006). Using this approach, management can manage uncertainty and assess how risks and opportunities in a company can create, destroy or preserve the value of the business (Fabozzi and Drake, 2009; Maingot et al., 2012; Mensah and Gottwald, 2016). Despite recent increased risk research on the Canadian and international scene, there are few research studies that specifically address the relation between corporate governance systems and risk management practices. ...
- Raef Gouiaa
Despite recent increased risk research attention being focussed on the Canadian and international scene, there are few research studies that specifically address the relation between corporate governance systems and risk management practices. This paper examines the relation between corporate governance systems and enterprise risk management. More specifically, we analyze how corporate governance attributes and particularly board characteristics can affect risk management practices in the context of Canadian listed companies. Using a content analysis approach, the level of exposure to risk in terms of likelihood, the consequences of such risk and the strategies for managing that risk were identified for each type of risk. The results reveal that corporate governance attributes related to board's structure, directors' characteristics and the board's operating process play a significant and important role in establishing an integrative risk management approach. The results show that directors' characteristics and the board's process significantly determine the quality of risk management through the level of risk-taking in decisions, especially in terms of financial risks.
The present research aimed to identify which critical success factors have the most influence on the implementation of Enterprise Risk Management – ERM, taking into consideration the important mission to ensure the survival, growth, and perpetuity of businesses in an environment with strong technology integration, global competition, and political, cultural, and economic contexts. To achieve this objective, a systematic and structured literature review was conducted, making it possible to identify 10 critical success factors for ERM initiatives that were analyzed and detailed, based on the literature findings and consultation with experts.
- Shab Hundal
The current study is based on review of literature to analyse how independence, expertise and experience of audit committees can influence the quality of financial reporting. After studying a vast and diverse range of literature pertaining to the audit committees and governance issues, it has been possible through this study to demonstrate several aspects of independence of audit committee, for example, informativeness, CEO's power, frequency of meetings, substitutability and complementarity with alternative corporate governance mechanisms, directors' share ownership, earning management etc. Similarly a wide range of literature based on utility of financial and accounting knowhow and experience of audit committee members has been reviewed. An attempt is made to establish association litigation risk that the firm faces and market reaction, to the firm's appointment of audit committee members with accounting and financial expertise and experience. This study also includes the various aspects of audit committee in India*, based on regulations, corporate governance reforms and limited number of empirical research findings. Lack of independence, expertise and experience of audit committees have rendered them less effective in performing their oversight functions. The Companies Bill (2009), a major governance reform, has not become an Act as it is delayed due to political apathy, and at the same time some interim reforms have eroded the independence of audit committees even further. There is ad-hocism and vagueness in reference to corporate governance reforms in general and auditing process in particular. There are very few empirical studies undertaken so far that assess the various aspects of the audit committees in India.
* This paper is a part of my doctoral project based on corporate governance in India.
Research Contributions: This study is an effort to systematically arrange a diverse range of studies covering multiple aspects of independence, expertise and experience of the audit committees of the publicly traded companies. This is one of the very few review of literature based studies of audit committees in the Indian context.
The purpose of this research study is to explore the impact of select demographic variables on Human Resource Development (HRD) in Life Insurance Corporation of India. The study falls into a descriptive framework based on cross sectional design. It is confined to only eight constructs of human resource development (HRD) i.e., performance appraisal, autonomy, polyvalence, technological advancement, opportunity for job training, chance of professional growth, initiative for higher education and human resource politic. The sample included 360 respondents from Varanasi Division of LIC of India using stratified random sampling technique. All the eight variables of HRD are tested with eleven demographic features of employees through multinomial regression analysis technique (MLR). The results revealed that three demographic variables have statistically significant impact on human resource development i.e., education level (.002 < 0.05), work experience (.000 < 0.001) and Branch Location (.033 < 0.05). Further, the remaining eight demographic variables (districts, gender, age, marital status, designation, monthly income, residential background and earner size) have not approved any significant effect on Human Resource Development practices as significance value is more than 5% level of significance (P > 0.05). The Pseudo R² values show that 67.4% of variation on human resource development is explained by eleven identified demographic variables and are statistically significant at 1% level. It can be concluded that the study has important implications for HRD practitioners, trainees and managers of life insurance industry, as it provides insight on how life insurance industry could design the best HRD policy and programmes by linking with individual demographic features.
Enterprise risk management (ERM) is the process of analyzing the portfolio of risks facing the enterprise to ensure that the combined effect of such risks is within an acceptable tolerance. While more firms are adopting ERM, little academic research exists about the costs and benefits of ERM. Proponents of ERM claim that ERM is designed to enhance shareholder value; however, portfolio theory suggests that costly ERM implementation would be unwelcome by shareholders who can use less costly diversification to eliminate idiosyncratic risk. This study examines equity market reactions to announcements of appointments of senior executive officers overseeing the enterprise's risk management processes. Based on a sample of 120 announcements from 1992-2003, we find that the univariate average two-day market response is not significant, suggesting that a general definitive statement about the benefit or cost of implementing ERM is not possible. However, our multiple regression analysis reveals that there are significant relations between the magnitude of equity market returns and certain firm specific characteristics. For nonfinancial firms, announcement period returns are positively associated with firm size and the volatility of prior periods' reported earnings and negatively associated with leverage and the extent of cash on hand relative to liabilities. For financial firms, however, there are fewer statistical associations between announcement returns and firm characteristics. These results suggest that the costs and benefits of ERM are firm-specific.
Source: https://www.researchgate.net/publication/310839554_Enterprise_risk_management_Factors_associated_with_effective_implementation