Introduction
Different periodicals and texts have discussed or introduced concepts such as holistic risk management, integrated risk management, and strategic risk management. The concepts are similar to, and could even be considered synonymous with, enterprise risk management (ERM) because they stress a comprehensive view of risk and its management, which is a step away from the silo approach of dealing with different risks distinctly and separately within an organization. In addition, the concepts share the view that risk management can create value. This paper adopts the Casualty Actuarial Society’s (CAS) definition of ERM. According to CAS, ERM is a discipline through which an institution in any industry can assess, control, exploit, finance, and monitor risks that emanate from all sources with the goal of increasing the institution’s long- and short-term value to the stakeholders (CASERMC, 2003).
Several components of the definition of ERM call for individual attention. First, ERM as a discipline implies that it is a prescribed or orderly pattern of conduct or behavior for an organization, which has the total commitment and support of the company’s management such that it influences corporate decision making and has ultimately emerged as a part of the culture of the institution. Another consideration is that although CAS may have adopted the definition for its own purposes, it is applicable to all industries. For these reasons, different frameworks of ERM such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the International Organization for Standardization (ISO), the BS 31100, the Federation of European Risk Management Associations (FERMA), the King Report South Africa, and the UK Combined Code have been developed for use in ERM.
The purpose of this paper is to examine ERM and how it is implemented within organizations. It reports the factors that influence the decision to implement ERM and the ways to approach implementation, and gives advice to businesses that want to implement ERM frameworks. It is concluded that companies need to adopt the ERM frameworks that they find suitable for their business types and culture. However, the goal of all the frameworks is to ensure that firms deal with risks appropriately.
Factors Influencing Decision to Implement ERM
The literature on the factors that determine the adoption of ERM within companies is not unanimous about what those factors are. The reason could be that most researchers have narrowed down to specific industries, and that the differences in the nature of the industries have resulted in a lack of uniformity in the factors. However, according to Golshan and Rasid (2012), the size of the firm is one of the factors determining the adoption of ERM. Considering this factor, the authors posit that an increase in the size of a company results in a proportional increase in the extent, timing, and nature of the events that threaten it. Larger companies also have the ability to dedicate more of their resources towards the implementation of ERM (Beasley, Clune and Hermanson, 2005). Due to their strong resource capacity, bigger companies are better able to implement integrated ERM concepts than smaller ones. It is worth noting that bigger companies have higher risks of financial distress and more volatile operating cash flows, and these factors make them want to implement ERM practices faster than smaller firms (Colquitt, Hoyt & Lee, 1999; Pagach & Warr, 2011).
Another factor reported to have an influence on the decision by firms to adopt ERM practices is the complexity of the firms. The complexity of a firm relates to the number of business segments found within it: a company that has a larger number of business segments is considered to be more complex than one with fewer segments (Doyle, Ge & McVay, 2007; Gordon, Loeb and Tseng, 2009). Therefore, companies that are more complex are more likely to consider the adoption of ERM practices. The industry in which the firm operates is another factor influencing the adoption of ERM practices. The number and type of regulations differ from one industry to another, and this implies that companies in industries with intensive regulation have a higher probability of adopting ERM and are at the forefront of its implementation (Golshan and Rasid, 2012). The energy and financial industries, for instance, are two of the most regulated industries; hence companies operating in them have higher rates of adoption of ERM. Similarly, firms operating in competition-intensive industries face substantial risks of failing to earn substantial levels of profit, which creates an urge to adopt ERM practices.
The nations of domicile of companies’ headquarters and their subsidiaries play a critical role in the desire to adopt ERM practices. In relation to this factor, different rules and regulations developed in different nations, such as the New Zealand and Australia 4360 standard and the Sarbanes Oxley Act, have exerted external pressure on companies to adopt the practices of ERM. Beasley, Clune and Hermanson (2005) report that frameworks of ERM were invented in the UK, South Africa, New Zealand and Australia before the COSO ERM framework was introduced. In addition, it is observed that more Asian-Pacific managers than US managers consider ERM to be a top priority for their companies (Pricewaterhousecoopers, 2004). According to Liebenberg and Hoyt (2003), companies based in Canada and the UK have a higher likelihood of adopting ERM programs compared to those in the US. Financial leverage, the existence of the big four auditors, and the independence of the members of the board of directors also influence the adoption of ERM by companies (Yatim, 2016; Chase-Jenkins, Farr and Lebbens, 2010). Other factors include the opacity of assets, the volatility of stock prices, and institutional ownership.
How to Approach the Implementation of ERM
There are different approaches to the implementation of ERM within institutions. However, the approaches are related in the manner in which they are supported by the stakeholders of the businesses. The approaches to implementation focus on the response to future changes within the organization while recognizing that these changes are uncertain and could be of a larger magnitude, or in a different direction, than is currently foreseen. For this reason, ERM should not only envisage future scenarios or events as far as is practicable, but should also prepare holistically, proactively and methodically for threats as well as opportunities (Fraser, Simkins & Narvaez, 2014). There is a need for high-level thinking and for flexibility in systems and processes, organization and behavior among the senior management and executives of the companies. Crucially, the executives need to seek to make their businesses as flexible and robust as possible so that they can survive threats that are presently unknown or that could have more impact than anticipated. Implementation of ERM within firms is the task of the board of directors and the senior management (Fraser, Simkins & Narvaez, 2014). The parties concerned are required to undertake a review of the risk practices in existence within their institutions and, if possible, undertake a series of other activities as described subsequently.
The boards should introduce a framework of ERM, and should do so in stages. The framework may retain most of the conventional risk management of foreseeable downside risk events while making amendments where the boards find them necessary. The framework should also take an extra step in studying and further managing the likely future variability of business outcomes, both downside and upside (Chapman, 2011). This move ensures that the rest of the staff do not find problems in adopting the ERM framework because it will fit in their organization’s risk management culture. Next, the boards need to ensure that their businesses take proactive and unbiased approaches to the management of risk, to minimize it as far as is reasonably practicable and to design a suitable, cost-effective response to the risk that remains. It is recommended that the board adopt a holistic, iterative and methodical approach that entails deep reasoning about the different aspects of risk and the effects they may have on the businesses (Fraser, Simkins and Narvaez, 2014). This approach, when adopted, focuses on developing a greater understanding of both the individual uncertainties and the extent to which they might be related to each other.
It is also required that the boards pay specific attention to matters of incompatibility between the changing outside world and their businesses (Moeller, 2011). This consideration is aimed at ensuring that the companies identify pressures that might build up on them without being recognized. There is, therefore, a need to develop early warning systems for emerging uncertainties so that the management teams can develop responses before it becomes too late to mitigate the losses. The boards should also consider introducing qualitative perspectives of modeling their businesses that will enable the uncertainties taken on to be compared with the risk capacity by exploring various possible future scenarios. Arrangements need to be made for ERM to be interwoven with the corporate strategy and the processes of business development, and taken into account fully as a fundamental input to them, with the purpose of raising the flexibility and robustness of the firms as well as attaining suitable risk-reward balances (Aloini, Dulmin and Mininno, 2007). The implementers need to pay attention to attaining enough financial flexibility to ensure that the businesses survive setbacks that could be more severe than expected.
Effective and entirely independent central risk functions should be established by businesses (Fraser, Simkins and Narvaez, 2014). The functions need to have direct access to the firms’ boards, if need be, as a way of attaining and sustaining holistic and focused approaches to uncertainty for the firms at large. However, it ought to be understood that risk management will continue to be the task of the line managers. In addition, if central risk functions already exist within the companies, their remits will likely need to be expanded and revised along the indicated lines. Inspirational leadership should also be given, which is considered to flow from the board to the rest of the management (Fraser, Simkins and Narvaez, 2014). This type of leadership is essential in establishing in the minds of each stakeholder the principle that the management of risk concerns outcome variability and attaining success, as opposed to only guarding the company against the possibility of a downside. To attain this, the boards should allocate enough time to board meetings and, if required, increase board membership (Chapman, 2011).
A need also exists to establish a suitable culture of risk awareness within the firms, which focuses on threats as well as opportunities, together with meticulously developed systems of risk communication (Moeller, 2011). This move should also be accompanied by, and embedded in, strong risk procedures and solid risk governance. This step should be accompanied by a guarantee of adequate systems for the identification, analysis and management of strategic, operational and project risks, both downside and upside, and that the systems are integrated properly. It is also important to review systems of crisis management and, if possible, to overhaul them. The boards also need to ensure that adequate attention is given to the views of outside stakeholders of the institutions concerning the risks that the businesses face, and seek to influence the stakeholders if necessary.
Advice to Firms that Would Like to Adopt ERM
When adopted, an effective ERM practice has many benefits. For example, an ERM system will create a more risk-focused culture for the companies, especially at the senior levels of management. It should be noted that the existence of a culture of risk awareness at the top-level management positions would also incline the rest of the workers to be aware of the same culture. Companies stand to benefit in terms of communication about risk, which helps them to mitigate the losses likely to be suffered. Another benefit of the adoption of ERM is the creation of standardized reporting of risks, because it supports a better structure for the analysis and reporting of risks (Kreiser, 2013). The development of standardized risk reporting by firms can improve the focus of all the management staff as well as directors through the provision of data, which enables an improvement in the risk mitigation decision-making process. The adoption of ERM also improves the company’s focus on, and its perspective on, risk. For example, the companies will start to realize that ERM frameworks give them the perspective that appropriate risk management practices should focus not only on the downside but also on the upside; that is, on both the opportunities and the threats. This perspective is a variation from the conventional practices of risk management, which focus on the avoidance, acceptance and mitigation of risks (Kreiser, 2013). The existence of a risk culture within the firms will also affect the nature of resource allocations because the management will be conscious of the likelihood of uncertainty. The businesses will also benefit from effective coordination between compliance and regulatory issues. The few benefits mentioned are reasons for companies to want to consider adopting an ERM practice.
However, the discussion of the factors that determine the adoption of ERM by companies and of the approach to an effective adoption raises two major considerations for companies wishing to adopt ERM practices. First, the companies need to consider the nature of their industries. It is noted that some industries have more risks than others do; therefore, the companies should ascertain the exact nature of the risks that face them. This step is critical because the company will also consider the regulatory and compliance issues that face it before proceeding to choose the right framework to adopt. The next factor to consider is finding an appropriate framework for adoption, because geographical factors influence which frameworks are used. The frameworks might also be adopted based on the nature of the industries in which the firms operate.
Before proceeding to adopt and implement ERM, the companies need to consider the value that will be generated from the process of risk management and stop focusing on the ERM itself (Khalamayzer, 2017). For this reason, there is a need to consider the organization’s objectives, values and motivations so that the ERM adopted will help the firm attain them. Another effort of critical importance is the determination of the firm’s risk tolerance and appetite. The companies, upon successful execution of the three steps, should proceed to research the best ERM frameworks that will suit the organizational needs defined by the objectives. Before the implementation of the ERM framework chosen, the companies should consider the approach to implementation, which should also be done as a way of sensitizing the stakeholders about the need to give up the conventional approach to risk management for a new one. There is also a need for the management of the companies to work closely with their boards of directors to establish the appropriate policies that will make implementation a smooth process (Khalamayzer, 2017).
Conclusion
The contemporary business world is faced with growing levels of uncertainty, which means that companies have to seek methods that will improve their risk culture. Enterprise risk management practices could be a solution to this problem. This paper has discussed enterprise risk management and has highlighted the frameworks for implementation as well as the considerations for businesses worldwide before adoption. It has been reported that enterprise risk management practices differ from the conventional practices of risk management in that they establish a culture of risk management among the stakeholders of the institutions while generating a new perspective on risk.
It has also been reported that different factors influence the decisions by companies to adopt enterprise risk management practices. The most notable factors are the size of the firm, the nature of the industries in which the firms operate and the decisions by the members of the boards of directors. These three factors are of critical importance because they point to the levels of risk faced by the firms and the levels of commitment the management of the same firms needs to have before the risks are mitigated. Management needs to take the driving seat in directing and ensuring proper implementation of the enterprise risk management practices. The companies are also required to be largely aware of the levels of risk they face through an analysis of the nature of their industry. The reason why firms should adopt enterprise risk management practices is the many benefits associated with them. However, before adopting a given framework, there is a need for a thorough analysis of the status of the companies to determine the most appropriate framework for adoption.
References
Aloini, D., Dulmin, R., & Mininno, V. (2007). Risk management in ERP project introduction: Review of the literature. Information & Management, 44(6), 547-567.
Beasley, M. S., Clune, R., & Hermanson, D. R. (2005). Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy, 24(6), 521-531.
Casualty Actuarial Society Enterprise Risk Management Committee (CASERMC). (2003). Overview of enterprise risk management. Retrieved from https://www.casact.org/area/erm/overview.pdf
Chapman, R. J. (2011). Simple tools and techniques for enterprise risk management. New Jersey: John Wiley & Sons.
Chase-Jenkins, L., Farr, I., & Lebbens, J. (2010). Risk appetite: The foundation of enterprise risk management. Towers Watson.
Colquitt, L. L., Hoyt, R. E., & Lee, R. B. (1999). Integrated risk management and the role of the risk manager. Risk Management and Insurance Review, 2(3), 43-61.
Doyle, J., Ge, W., & McVay, S. (2007). Determinants of weaknesses in internal control over financial reporting. Journal of Accounting and Economics, 44(1), 193-223.
Fraser, J., Simkins, B., & Narvaez, K. (2014). Implementing enterprise risk management: Case studies and best practices. New Jersey: John Wiley & Sons.
Golshan, N. M., & Rasid, S. A. (2012). Determinants of enterprise risk management adoption: An empirical analysis of Malaysian public listed firms. International Journal of Social and Human Sciences, 6, 119-126.
Gordon, L. A., Loeb, M. P., & Tseng, C. Y. (2009). Enterprise risk management and firm performance: A contingency perspective. Journal of Accounting and Public Policy, 28(4), 301-327.
Khalamayzer, A. (2017). Key steps in implementing ERM in your organization. Propertycasualty360.com. Retrieved 17 March 2017, from http://www.propertycasualty360.com/2012/05/14/key-steps-in-implementing-erm-in-your-organization
Kreiser, J. (2013). Five benefits of enterprise risk management ERM. Claconnect.com. Retrieved 17 March 2017, from http://www.claconnect.com/resources/articles/five-benefits-of-enterprise-risk-management
Liebenberg, A. P., & Hoyt, R. E. (2003). The determinants of enterprise risk management: Evidence from the appointment of chief risk officers. Risk Management and Insurance Review, 6(1), 37-52.
Moeller, R. R. (2011). COSO enterprise risk management: Establishing effective governance, risk, and compliance processes (2nd ed.). John Wiley & Sons.
Pagach, D., & Warr, R. (2011). The characteristics of firms that hire chief risk officers. Journal of Risk and Insurance, 78(1), 185-211.
Pricewaterhousecoopers. (2004). Managing risk: An assessment of CEO perspectives. PwC, New York.
Yatim, P. (2016). Audit committee characteristics and risk management of Malaysian listed firms. Malaysian Accounting Review, 8(1).