ABSTRACT

This study analyses the risk performance effects of organisations that combine formalised enterprise risk management (ERM) with a decentralised risk management system (DRM) that allows low-level managers and employees to engage in risk-reducing and opportunity-exploiting activities without prior approval from top management. Based on survey responses from 295 of the 500 largest Danish companies, the study develops measures of ERM and DRM to be applied in empirical analysis, finding that the combination of ERM and DRM enhances risk management effectiveness. The study further reveals that employee and low-level managerial risk management competences strengthen the positive risk management effects of DRM and that without these risk competences, DRM may significantly impede risk effectiveness. Finally, the study shows how a participative leadership style in support of involvement creates a risk effective culture where risk management processes integrate all levels of the organisation as a vital feature of effective risk management.

The interest in enterprise risk management (ERM) has increased rapidly over the last decades (Choi, Ye, Zhao and Luo, 2015) due to more dynamic business environments that enhance the need to measure and hedge risks across the entire organisation and at the same time decentralise decisions to allow different departments rapid reactions to new threats and opportunities (McMullen and Shepherd, 2006). As risk is an inevitable part of the business environment, the capability to effectively hedge downside risks while at the same time quickly exploit opportunities has become an important means to achieve competitive advantages.

The concept of ERM was developed during the 1990s based on a need for a more holistic and strategic approach to risk management. As opposed to traditional risk management, which is scattered around specialist functions in the company, with financial risks hedged in the finance department, operational risks in the production, sales or purchase departments, and strategic risks addressed (if at all) only in the top management team, ERM focuses on identifying, measuring and addressing risks across departments using a holistic approach. ERM takes a systematic approach to risk management across the entire organisation “for identifying, assessing, deciding on responses to, and reporting on opportunities and threats that affect the achievement of its objectives” (Institute of Internal Auditors, 2009). The purpose of ERM is to handle the total risks that firms face in an integrated manner (Barton, Shenkir and Walker, 2002).

While an increasing amount of research in ERM has dealt with methods to identify and measure different kinds of risk or how to implement ERM, some scholars still see the research field as largely unproven and emerging (Mikes and Kaplan, 2014). A number of practitioners have called for more applicable frameworks and empirical evidence on the effectiveness of the proposed frameworks (Beasley, Branson and Hancock, 2010), while other scholars claim that formal ERM is too narrow and only captures traditional and measurable risks, while unforeseeable risks and uncertain business conditions are neglected, despite the potentially significant impact on company performance (Andersen, 2009, 2010). Andersen (2009) finds that effective risk management needs to combine a centrally structured holistic risk management system, which systematically identifies, measures and addresses risks across the company, with a decentralised dynamic organisation of empowered employees that increase responsiveness, adaptability and speed. This emphasises the need for more research into the effects of different types of ERM on risk effectiveness and the combined effect of a central ERM system and different organisational approaches that can support empowerment, decentralisation and, eventually, a responsive and dynamic risk management culture in the entire organisation.

The creation of a dynamic company culture that involves all employees in the identification and assessment of threats and opportunities has been at the core of strategy research for a number of decades. Teece (2007) proposes that the creation of dynamic capabilities, as a construct based on distinct skills, processes, procedures, organisational structures, decision rules and specific disciplines, enables the company to more rapidly sense changes in the business environment, seize opportunities and reconstruct the company. Similarly, the concept of strategic responsiveness highlights the company’s ability to “assess the environment, identify firm resources, and mobilize them in effective response actions” (Andersen, Denrell and Bettis, 2007). While the main interest in the strategy literature has been the effect on company performance, the insights can also be used to understand how dynamic capabilities or strategic responsiveness creates a company that can address threats and exploit opportunities more rapidly and effectively to eventually reduce earnings volatility and thereby achieve lower corporate performance risk.

The scope of the current research on ERM focuses on the development of systems to systematise and measure a number of different risks, like climate risk, tax-related risks, IT risk, and so forth, and create scorecards, computer systems and measurement models that, in a standardised way, can be applied by a central risk management department headed by a chief risk officer, or CRO (Choi et al., 2015). This is contrasted by the research on dynamic capabilities and strategic responsiveness, which is embedded in organisational studies, motivation theory, psychology and strategic management (Helfat and Peteraf, 2014; Teece, 2007). The combination of systematic centralised ERM practices and decentralised, empowering organisational processes might, on the one hand, support each other in a more effective risk management system, but might, on the other, crowd out the individual positive risk effects. While the two approaches have been analysed separately, more research into the combined effects is warranted. The current study aims at unfolding some of the individual and combined effects of ERM in a decentralised organization structure. Decentralisation of identification and decisions of risk-reducing action has been argued to enhance risk performance (Andersen, 2010), but empirical tests of the effects are limited, and a discussion of whether or not the employees have the necessary competences to effectively use this autonomy has, to our knowledge, never been tested. Based on a survey among the top 500 Danish companies, the current study tests the individual and combined effects of ERM, decentralised risk management and a supportive leadership style on risk performance. The findings support earlier findings by Paape and Speklé (2012) indicating that ERM enhances risk performance, thus underpinning the importance of ERM as a path to effective risk management.
Additionally, a leadership style that supports the involvement of employees, thereby creating a more dynamic company, is also found to enhance risk performance. The importance of management and the conducted leadership style in supporting employee involvement, empowering employee initiatives and creating a dynamic company has been highlighted in a number of studies (Mantere and Vaara, 2008; Torp and Linder, 2014), and emphasises that risk management is not something that can be stored in a lower-level department or can be expected to automatically develop in the organisation. A responsive organisation is initiated by the management and imposed by its leadership style. Furthermore, the paper finds that decentralisation by itself is not enough to ensure effective risk performance; on the contrary, decentralisation by itself is negatively associated with risk effectiveness, unless the employees have the necessary competences. Hence, the study extends our knowledge about how a dynamic company might support effective risk management practices by empirically testing the effect of ERM and decentralisation and showing that positive effects also need employee competencies for identifying and addressing new opportunities and threats. The study finds that decentralisation and ERM combined enhance overall risk performance when the ERM system develops risk awareness and engagement across the entire organisation. As Senge (1990) writes: To survive and excel in environments with rapid changes, organisations must “discover how to tap people’s commitment and capacity to learn at all levels” (p. 4). This indicates that formalising ERM and decentralising risk management put the company in a position where it can benefit from the best of two worlds. It can identify, measure and address foreseeable risks in a systematic way using a number of ERM techniques and at the same time develop a dynamic organization with risk-aware employees with autonomy to quickly address these risks and opportunities. Consequently, the chapter expands our knowledge of how to combine ERM with strategic responsiveness and highlights the need for more research to elaborate on how the two fields can be combined effectively and how to ensure that employees acquire the necessary risk management competences. Effective risk management is not only essential to reduce adverse risk outcomes but also to enhance competitive advantage and increase company value (Choi et al., 2015; Gordon, Loeb and Tseng, 2009; Teece, 2007).