![Sample our Economics, Finance,Business & Industry journals, sign in here to start your access, latest two full volumes FREE to you for 14 days]({"type":"image" , "src" : "/sda/5931/TOC-Subject-Sample-2021-Economics-Finance-Business-Industry.jpg"})
Abstract
We examine (1) the extent of enterprise risk management (ERM) implementation and the factors that are associated with cross-sectional differences in the level of ERM adoption, and (2) specific risk management design choices and their effect on perceived risk management effectiveness. Broadly consistent with previous work in this area, we find that the extent of ERM implementation is influenced by the regulatory environment, internal factors, ownership structure, and firm and industry-related characteristics. In addition, we find that perceived risk management effectiveness is associated with the frequency of risk assessment and reporting, and with the use of quantitative risk assessment techniques. However, our results raise some concerns as to the COSO (Committee of Sponsoring Organizations) framework. Particularly, we find no evidence that application of the COSO framework improves risk management effectiveness. Neither do we find support for the mechanistic view on risk management that is implied by COSO's recommendations on risk appetite and tolerance.
Acknowledgements
The data on which this paper relies have been collected by a research team involving PwC, Royal NIVRA, the University of Groningen and Nyenrode Business University. We thank the research team for generously sharing its data with us. This paper has benefited from insightful comments and suggestions from two anonymous reviewers and the (past) editor Salvador Carmona. We also acknowledge valuable feedback on earlier versions from Max Brecher, Ivo De Loo, Jacques de Swart, Anne-Marie Kruis, Hans Strikwerda, Frank Verbeeten, Sally Widener, and conference participants at the 2010 Conference of the Management Control Association, the 2011 European Conference on Corporate Governance & Internal Auditing and the Annual Congress 2011 of the European Accounting Association.
Notes
In addition to these US-based and Canadian studies, Collier et al. Citation(2007) surveyed risk management practices in the UK. However, because their examination of the drivers of ERM implementation is limited to an analysis of bivariate correlations, it is difficult to relate their findings to the other studies in this line of research.
In our analysis of the factors associated with the extent of ERM implementation, we adopt a similar metric.
One of the authors of the current paper was involved in this team.
The fact that the respondents come from different functional groups and hierarchical levels does not affect our analyses. We included dummy variables in all regressions to control for possible effects related to the organisational position of the respondents, but found none. The dummies were insignificant in the regressions, and their inclusion did not alter the substantive findings of the analyses. The regression results we report in Sections 3 and 4 exclude the respondent dummies.
The Beasley scale is as follows: (1) no plans exist to implement ERM; (2) investigating ERM, but no decision made yet; (3) planning to implement ERM; (4) partial ERM is in place; and (5) complete ERM is in place (Beasley et al., Citation2005).
We considered using this information as an alternative to STAGE in the analyses. This, however, is not an attractive option for two reasons. First, using the alternative metric would complicate comparison with the results from previous studies (particularly Beasley et al., Citation2005). Second, using the alternative metric would cost us well over 200 observations due to missing values (the survey instrument instructed respondents only to complete the relevant questions in specific circumstances).
To the best of our knowledge, the only study that explores the relationship between ERM design and effectiveness is Collier et al. Citation(2007). This study, however, examines risk management practices at a high level of aggregation, using broad categories of practices as independent variables, rather than specific instruments and techniques.
Remarkably, COSO appears to be well aware of this behavioural literature (see, for instance, COSO, Citation2004a, pp. 51–52). It is unclear why COSO has chosen to ignore the implications of this work.
We mitigate this specific problem by restricting the empirical analysis of ERM effectiveness to organisations that have adopted ERM (see Section 4.3). This restriction ensures that all included respondents subscribe to the notion of ERM, and we can be reasonably assured that their point of reference in scoring their risk management system is sufficiently similar to allow a meaningful comparison. We thank an anonymous reviewer for suggesting this approach.
In the total sample (i.e. including organisations in stages 1–3), the average grade is 6.44, with approximately 20% of respondents indicating that their system is not sufficient.
In the total sample (including firms that have not (yet) adopted ERM), 21.5% of the respondents report to apply (elements of) COSO.
A diagnosis of the variance inflation factors (VIF) confirms this; the highest VIF in the analysis is only 1.382.
We thank an anonymous reviewer for this suggestion.