ABSTRACT

Using data from 596 organizations located in the Netherlands, we examine contemporary risk management practices and their association with perceived risk management system quality. Working from the COSO ERM framework as our main point of reference, we identify the major design choices organizations encounter when configuring their risk management systems, and then proceed to explore these choices empirically. The results indicate that organizations generally subscribe to the key ERM idea that risk management should be broad and inclusive, and that strategic, operational, reporting and compliance risks should be addressed simultaneously rather than separately. We find no support, however, for the premise that risk management should start from an explicit and objectified assessment of the organization’s risk appetite and tolerance. Furthermore, the analysis underscores the importance of risk reporting and monitoring. These findings may help managers to make evidence-based decisions when designing their risk management processes and systems.

Research in risk management has moved beyond the specialized fields of health and safety, insurance, investment management and treasury, and has started to address more inclusive issues of how risk-based controls help organizations deal with risks and opportunities in the pursuit of organizational objectives (Soin and Collier, 2013). Examples of such research include Arena et al. (2010), Collier et al. (2007), Mikes (2008; 2009), Paape and Speklé (2012), Wahlström (2009), and Woods (2009). This incipient literature, however, has only just begun to scratch the surface of risk management design choices, and we still know very little about these choices and their effects on organizational effectiveness (Kaplan, 2011; Paape and Speklé, 2012; Speklé and Kruis, 2014). In this chapter, we seek to add some empirical insights into this matter. Using survey data from 596 organizations located in the Netherlands, we examine current risk management practices and their association with perceived risk management system quality. Because the field of risk management lacks sound theory (Power, 2009; Schiller and Prpich, 2014), our approach is explicitly exploratory. Instead of testing theory-based hypotheses, we propose a series of research questions and seek empirical answers to these questions. The COSO ERM framework (COSO, 2004) serves as an important point of reference in developing these research questions, which include truly fundamental choices as to the scope and objectives of risk management, but also more technical issues in the area of risk identification and risk reporting. We also look at the organizational position of the risk management function, covering the major design parameters organizations need to address when configuring their risk management systems.

This chapter is closely connected to an earlier study of risk management effectiveness, on which we reported in Paape and Speklé (2012). The empirical model we estimate in the current chapter is very similar to the one we analyse in Paape and Speklé (2012), and the data come from the same source. However, whereas we restricted the earlier examination to organizations that adopted enterprise risk management (ERM), we now also include organizations that rely on more traditional forms of risk management. This inclusion acknowledges that the distinction between ERM and traditional risk management may be a difference in degree rather than in kind, and that the organizational effects of specific design choices may be similar, irrespective of whether they have been made in an ERM context or whether they are part of a more traditional risk management system. Furthermore, it acknowledges that the decision whether or not to adopt ERM is a design choice itself, and that – normative claims by for instance COSO notwithstanding – some firms may be better off with a well-designed traditional system than with a full-fledged ERM system (McShane et al., 2011). The inclusion of non-ERM organizations, thus, allows a broader examination of the relevant issues. Moreover, it increases sample size from 193 responses included in the effectiveness analysis in Paape and Speklé (2012) to 596 observations in the current study, considerably strengthening the empirical basis underlying our findings and inferences.

The analysis broadly confirms the earlier findings. The results indicate that organizations generally prefer ERM over traditional forms of risk management, supporting a key idea underlying regulatory frameworks such as COSO ERM. Also consistent with Paape and Speklé (2012) is that we find no support for the premise commonly found in these normative frameworks that risk management should start from an explicit and objectified assessment of the organization’s risk appetite and tolerance, thus suggesting that a heuristic approach to risk control is also feasible. Furthermore, the analysis underscores the importance of risk reporting and monitoring. These findings have important implications for risk management practice, and may help managers to make evidence-based decisions when designing their risk management processes and systems.

The remainder of this chapter is structured as follows. First, we review the literature and derive the research questions that drive the analysis. Then, we discuss data collection and variable measurement and present the analysis. Finally, we conclude and offer a discussion of the findings.