Enterprise Risk Management Presentation

CHALLENGE #4

Your book states: “…performance outcomes that drive organizations to adopt ERM are 1) enhanced regulatory compliance, 2) increased accountability, 3) improved performance and decision making, 4) pressure from the board members, senior leadership and external stakeholders, 5) enhanced understanding of organizational risk, 6) improved ability to navigate crises.” Research and discuss an example of each.

After reading Chapter 16, write a 1-2 page speech and 2-3 slides.

Only Part 5!!! Enhanced understanding of organizational risk

Adopting Enterprise Risk Management in Today’s World: An Evidence-Based Guide for Implementation

by

Dr. Steven Deck


COPYRIGHT © Steven Deck, 2017

Biography

Dr. Steven Deck has over 25 years of experience developing and implementing risk management, environmental health and safety, international safety and security, emergency response, and continuity of operation programs and processes in higher education and in biomedical and pharmaceutical industries. Dr. Deck has also led efforts to identify and treat risks associated with implementing a strategic plan at a large research university. Hence, he has experience managing risks at both the operational and strategic level. He holds a doctorate in management, an MBA, and a bachelor’s degree in safety and industrial hygiene management. Dr. Deck also holds an associate in risk management and is a certified industrial hygienist, safety professional, and hazardous materials manager.

Dedication

This book is dedicated to the people who tirelessly work to reduce risks organizations face in today’s fast-paced world. Their efforts sometimes go unnoticed since, if successful, risk managers prevent adverse events from occurring or significantly reduce their impact on the organization. A good day for a risk manager is one that is uneventful, with operations continuing without interruption. However, their work is critical to an organization’s ability to achieve its mission. By reducing risks that threaten an organization’s survival, risk managers preserve the organization’s ability to offer people opportunities to earn a living and provide for their families. Indeed, a risk manager’s role is critical to the success of society even if their work sometimes goes unnoticed.

Acknowledgments

First, I would like to thank my advisory committee for my dissertation, Dr. Thomas Mierzwa and Dr. Denise Breckon. The research for my dissertation served as the foundation for the writing of this book. Their hard work and commitment to my growth as a scholar enabled me to grow intellectually and develop the skills needed to write this book. I would also like to acknowledge Dr. Roger Ward, Senior Vice President for Operations and Institutional Effectiveness and Vice Dean for the Graduate School at the University of Maryland Baltimore, for encouraging me to pursue my doctoral degree and continuing to support me throughout my career. Thanks also goes to Dr. Lauren Sweetman for her guidance and editing of this book. Last, and most importantly, I would like to thank my wife, Bonnie, for her patience and support as I fulfilled the demanding requirements of a doctoral program and writing this book.

Table of Contents

Introduction
Part 1: Understanding Organizational Risk and Risk Management
Chapter 1: Organizational Risk
Chapter 2: Traditional Risk Management
Chapter 3: Frameworks for ERM
Part 2: Management Science and ERM: From Theory to Practice
Chapter 4: Organizational Change I – Institutional Theory, Legitimacy Theory, and Organizational Culture
Chapter 5: Organizational Change II – Change Management
Chapter 6: Organizational Change III – Organizational Control and Resilience
Chapter 7: Organizational Change and COSO’s ERM Framework
Chapter 8: Decision Making I – Sensemaking Theory
Chapter 9: Decision-Making II – Bias and Framing
Chapter 10: Decision Making and the COSO ERM Framework
Chapter 11: Organizational Learning I – Learning Organizations
Chapter 12: Organizational Learning II – Sensemaking-Based and Team-Based Learning
Chapter 13: Organizational Learning III – Action and Absorptive Capacity
Chapter 14: Organizational Learning and COSO’s ERM Framework
Part 3: Factors Affecting ERM Adoption and Implementation
Chapter 15: The Program Implementation Process
Chapter 16: Why Organizations Adopt an ERM Strategy
Chapter 17: Factors Influencing the Implementation of an ERM Program
Chapter 18: A Model for ERM Implementation in Complex Organizations
Part 4: Seven Principles for ERM Adoption and Implementation
Chapter 19: The Seven Principles
Chapter 20: Concluding Remarks
References

Introduction

Risk is pervasive to conducting business. Consider any operation an organization performs: each requires identifying and managing the risks that can impede the execution of the operation. For example, production units must manage risks such as employee safety or the loss of a critical supplier or piece of equipment, human resource departments confront potential claims of unfair labor practices, and information technology groups must be alert to cyber threats. Moreover, organizations face external risks that arise due to advances in technology, changing economic and market conditions, and increased globalization. Even organizations that fall outside of the traditional conversation on risk must now consider these challenges. Higher education institutions (HEIs), for example, are under increased pressure from the government, public, and campus community to manage risks (The Advisory Board, 2008; University Risk Management and Insurance Association [URMIA], 2007). Such institutions must manage a wide range of risks in diverse areas such as safety and security, regulatory compliance, academic affairs, research, information technology, finance, human resources, and facilities management (Abraham, 2013). Furthermore, recent events such as hurricanes Katrina, Harvey, and Maria, the economic downturn, and social issues such as sexual assault on campus and protest actions point out the importance of managing risk in higher education. Indeed, although the institution may survive such events, leadership may not. For example, both the Penn State Jerry Sandusky sexual abuse scandal in 2011 and the University of Missouri social protests of 2015 resulted in leadership changes at these institutions.

Many organizations have historically deferred responsibility for managing risks to individual operating units within the organization. However, this approach lacks an overarching strategy for managing risks from an institutional perspective. The lack of a comprehensive risk management strategy leads to inconsistent risk tolerance levels, inefficient resource allocation for risk control activities, and a lack of knowledge on how risk affects achieving the strategic objectives of the organization. Here, an approach known as enterprise risk management (ERM) provides a method to manage risks in organizations holistically. In this book, I unpack this approach both theoretically and practically, providing a hands-on guide to understanding, adopting, and implementing ERM within complex organizations. First, however, in the remainder of this introduction, I describe the concept of ERM along with the evidence on which this book is based—my doctoral research—and the systematic review methodology I employed to analyze it, followed by a brief summary of the structure of the book.

What is ERM?

Enterprise risk management is a senior leadership initiative that aims to integrate an organization’s risk management practices in order to enhance the organization’s ability to achieve its strategic objectives (The Committee of Sponsoring Organizations [COSO], 2004; Hoyt & Liebenberg, 2011). In doing so, ERM moves beyond traditional risk management approaches that focus on managing risks in functional silos. Instead, ERM aspires to manage risks as a portfolio in order to capture the full range of risks and multiple interdependencies between them. It does this by positioning risk management as a senior leadership responsibility, assessing risk from an entity-wide perspective, aligning business strategies with risk tolerance levels, and integrating accountability for managing risks across the entity (COSO, 2004; Kimbrough & Componation, 2009; Kleffner, Lee, & McGannon, 2003; McShane, Nair, & Rustambekov, 2011). Because of this holistic approach, ERM provides a means to manage organizational risk in a comprehensive and strategic manner.

Existing ERM models originate from the business sector and were developed by practitioners in such fields as auditing, accounting, and insurance (Andersen, 2010). Despite their comprehensive approach, these original frameworks tend to emphasize hierarchical management structures, quantifying risk exposure, and control systems for managing risks. And, as ERM is a relatively new management practice, there is limited empirical research on implementing the practice in complex organizational settings. Therefore, today’s organizations face the challenge of introducing useful ERM frameworks that are undeveloped for complex settings into an organizational culture that may already be skeptical of new management approaches due to their previous experiences with restructuring and efforts at organizational change. With the right tools and knowledge, however, as I show in this book, ERM can be utilized in any organizational setting to improve the risk management practices of the organization effectively and efficiently.

The Systematic Review: An Evidence Base for ERM

This book utilizes a broad evidence base on ERM that I gathered through the rigorous systematic review study I conducted for my doctoral research. In this study, I examined the utility of ERM particularly in relation to complex organizations, using the case study of higher education environments as a frame for analysis. These environments present a wide range of risks that cross multiple organizational boundaries. Traditionally, such institutions had deferred risk management to the individual units most affected by the risks. Such an approach did not look at the overall risk profile of the institution and risks’ effects on achieving the institution’s strategic objectives. Consequently, higher education leaders had turned to ERM as a strategy to manage institutional risks. However, ERM is a management practice that originated from the corporate sector. This raised the question as to whether an ERM strategy for managing risks was appropriate for higher education. In addition, if an ERM strategy was deemed appropriate for managing risks in higher education, how should leadership implement such a program? Prior to my study, existing ERM frameworks lacked information on how to implement this practice in complex organization settings. Therefore, in my study I posed the following research question: How do critical success factors influence a decision to adopt and implement ERM in higher education institutions? To answer this question, I reviewed both the literature on this topic as well as its connections to academic theories of change management, decision making, and organizational learning. Overall, I showed how these theories could enhance the implementation of ERM in complex organizations—findings I now bring to you. Although the study used higher educational institutions as a framework for analysis, the findings and recommendations from the study are transferable to any organization that has a diverse range of operations, business units, and core functions.

More specifically, in the systematic review, I used a series of study search terms related to ERM to search the electronic database OneSearch for credible scholarly sources on ERM. Initially, the search yielded 999 citations (after duplications were removed). I reviewed all articles in brief (e.g., titles, abstracts, headings) based on the study’s inclusion and exclusion criteria. I looked specifically for primary research articles (articles describing research undertaken by the authors themselves) and articles directly relevant to the study’s research questions. After this stage, 53 primary studies relevant to the research question remained for review. I then conducted a quality appraisal process to ensure the rigor and validity of the research, which resulted in the further elimination of two studies due to poor quality. I subsequently added four grey literature studies (reports on ERM by organizations), resulting in a final dataset of 55 studies. Figure 1 provides a summary of the results of the search process.

Several observations can be made of the studies included in the systematic review. First, the studies from peer-reviewed journals included in the dataset were published after 2003, with 84% published after 2009. This highlights that ERM research is still in its infancy. Second, the studies published in peer-reviewed journals were found in the following types of publications: accounting and finance (n = 19), risk management and insurance (n = 14), engineering (n = 6), management sciences (n = 5), information technology (n = 4), energy management (n = 2), and higher education (n = 1). These results point to the strong influence the accounting, finance, risk management, and insurance fields have on ERM research. The results also highlight the limited number of studies published in journals dedicated to the management sciences.

As ERM is a global phenomenon, no geographic limitations were placed on the literature reviewed in my study. Consistent with Scott’s (1992) assertion that “we can understand much about a specific organization from knowing about other organizations” (p. 1), studies from sectors outside of higher education were also included in the study. This allowed me to observe which ERM implementation mechanisms worked or failed to work across a range of organizational settings. Due to the study’s focus on ERM as a high-level framework for managing risk and the challenges of implementing ERM in higher education, technical aspects of risk management were outside the scope of this study. Examples of these include mathematical models for risk assessment and developing information technology solutions for ERM programs.

Of the studies included in the review, 23 included findings from U.S.-based organizations, while the remaining were from a diverse set of countries and regions including Australia, Brazil, Canada, China, India, Italy, Germany, Malaysia, the Middle East, New Zealand, the Netherlands, Scandinavia, Sri Lanka, Turkey, and Zimbabwe. The studies looked at a wide range of industry sectors, including banking, construction, education, finance, government agencies, insurance, manufacturing, nonprofit organizations, oil and gas, research institutions, services, suppliers, and utilities. These results indicate ERM is a management strategy that has received global attention from a wide variety of industries.

Thirty-five studies employed quantitative methods to analyze data gathered from surveys, controlled studies, or publicly available financial data sources. Twelve studies were qualitative, using methodologies such as case studies, and four used mixed methods. Two pieces of grey literature were based on survey findings and two were from roundtables. Hence, research on ERM has been conducted using multiple research methodologies. Last, consistent with the research question this study explored, research on ERM focused on two aspects of ERM: (a) why an organization would adopt ERM and (b) the critical factors that influence ERM implementation. Overall, when looking at the evidence base as a whole, this book is based on findings from the 55 studies. This entails evidence from 5,614 survey respondents, publicly available data from 935 companies, and data from 35 case studies.

A How-To Guide for ERM

In this book, I provide a detailed overview of ERM, along with a guide for its adoption and implementation. In Part 1, I explain the concepts of organizational risk and risk management in relation to the complex organization, unpacking traditional risk management approaches as well as ERM frameworks in more detail. Then, in Part 2, I review a series of management theories and concepts that can be utilized to enhance understanding and implementation of ERM, including: institutional theory, legitimacy theory, change management models, sensemaking theory, decision sciences, theories of action, absorptive capacity, and organizational resiliency. This is followed in Part 3 by a discussion of factors that affect ERM adoption and implementation. In Part 4, based on my experience as a practitioner tasked with identifying and mitigating risks in my operational unit, and later from my broader role in the University’s ERM efforts, I introduce seven principles for ERM adoption and implementation, providing a hands-on tool to guide the ERM process in complex organizational settings. Lastly, in the concluding remarks, I comment on the wide applicability of ERM for complex organizational settings, speaking to the implications of adopting ERM and areas for future research.

Overall, this book will provide you with both practical and theoretical knowledge for adopting ERM to improve organizational performance. This book expands the body of knowledge on ERM by identifying factors that influence ERM implementation in complex organizational settings, and linking them to a set of management theories that enhance ERM implementation. To date, existing frameworks on ERM have lacked practical information on implementing and integrating ERM across the organization (Fraser, Schoening-Thiessen, & Simkins, 2008). Indeed, a key difference between ERM and traditional risk management practices is that ERM elevates managing risks to a senior leadership level. This entails managing risk across the institution. Therefore, implementing ERM is a broad organizational change initiative.

As a result, this book is useful for senior leadership and risk management practitioners who are seeking evidence-based guidance on how to implement ERM in their organization. This book addresses the interests of senior leadership by providing answers as to why organizations implement ERM, and the benefits and pitfalls of implementing an ERM program. This book also demonstrates how ERM adoption and implementation—and risk management practices more generally—can be enhanced through the application of theories from management science on change management, decision making, and organizational learning.

Part 1: Understanding Organizational Risk and Risk Management

At its core, adopting and implementing ERM is simply a management process for how an organization identifies and manages risks that threaten achieving its mission and business objectives. As such, it entails utilizing the sound management practices one would use when implementing any management process in an organization. However, ERM does have distinct elements that practitioners should be aware of when implementing an ERM strategy. Hence, in order to understand how and why ERM may be a good choice for the complex organization, we must first unpack in more detail three key concepts or focus areas that underpin this book: organizational risk, traditional risk management, and ERM. These concepts occur in modern organizational environments that can entail a wide range of structures that may change over time. In addition, such environments often include varying cultural and individual elements such as the culture specific to a nation, organization, or department, or may relate to certain professional disciplines (e.g., teacher, police officer, doctor, accountant, and lawyer). In Part 1, I describe these three concepts in detail, in order to establish an essential set of knowledge before discussing management theory and practice further in Part 2.

Chapter 1: Organizational Risk

Prior to examining the ERM implementation process, it is necessary to examine why risk presents challenges for complex organizations that necessitate implementing an ERM strategy. In this chapter, I discuss how the concept of risk has evolved into a critical management function requiring senior leadership attention. I situate risk within the context of the unpredictable, dynamic, and complex business environments in which organizations operate, and how this influences an organization’s decision to implement ERM.

Defining Risk

Definitions of risk associated with organizations operating in the modern business environment utilize several unique concepts. For example, Williams, Zainuba, and Jackson (2008) view risk as complex and multidimensional. The authors added that risk is unavoidable, and defined risk from a decision-maker’s perspective as

    an assessment of whether an unfavorable outcome might occur (possibility of loss), an assessment of the range of possible unfavorable outcomes (probabilities of such loss), and an assessment of the extent to which possible unfavorable outcomes can be managed or controlled (exposure to hazard or danger). (Williams et al., 2008, p. 59–60)

A more precise definition of risk is “the uncertainty about outcomes that can be either negative or positive,” where risk management is defined as “the process of making and implementing decisions that will minimize the adverse effects of accidental losses to an organization” (Baranoff, Harrington, & Niehaus, 2005, p. 1.4–1.5).

Woon, Azizan, and Samad (2011) proposed three categories of risks that affect an organization’s financial performance: (a) tactical risk, which involves the uncertainty of expected earnings; (b) strategic risk, which entails the uncertainty of performance outcomes; and (c) normative risk, which addresses the risk penalty a firm pays for not conducting business within the accepted norms of the industry and society. Similarly, Kaplan and Mikes (2012) proposed a three-category system for classifying organizational risks. First, preventable risks are internal to the organization and arise in the course of business (e.g., safety hazards and improper employee actions). Preventable risks lack strategic benefit but must be actively managed due to the negative impact they can have on the organization. Second, strategic risks are risks a company voluntarily takes in order to generate desired economic returns. Strategic risks are not inherently undesirable but require different strategies to manage than those used to manage preventable risks. Last, external risks surface from outside the organization and are beyond the control of the organization. An organization must develop a process to identify potential external risks and prepare contingency plans to manage them if they occur. These two methodologies for categorizing risks illustrate that not all risks are created equal. Hence, complex organizations need to consider the type of risk when establishing risk assessment strategies and tolerance levels.

Dimensions of Risk

Brinkmann (2013) identified the following six dimensions of risk: measurability, attributability, manageability, insurability, voluntariness, and moral responsibility. Measurability is the quantifiable dimension of risk. Attributability involves whether the risk can be ascribed to organizational decisions. Manageability concerns actions that can prevent or eliminate the risk. Insurability is whether the risk can be insured. Voluntariness deals with whether a risk is chosen using free will and with sufficient knowledge to make an informed decision. Finally, moral responsibility involves whether risk is taken with the informed consent of all parties involved in the decision. Each of Brinkmann’s dimensions suggests a certain level of understanding and control an organization has over the risks it faces. However, it is questionable to what extent the complex types of risks modern organizations face are measurable and are under the control of the organization. Moreover, complex organizations need to consider determining the appropriate decision maker(s) for a risk, whether affected people are informed about the risk, and if the financial liability for the risk can be controlled through insurance or other risk transfer mechanisms (e.g., by hold harmless agreements or contracting out the risk exposure).

Risk management processes tend to focus on analyzing risks from an event perspective to determine cause and effect relationships. However, risk is a complex phenomenon, and as Grabowski and Roberts (1997) showed, implementing a risk mitigation system in large organizational settings is difficult. The authors argued that such challenges are related to four characteristics of large systems: (a) simultaneous autonomy and interdependence, (b) intended and unintended consequences, (c) long incubation periods that allow problems to develop, and (d) risk migration. As large systems, complex organizations are likely to encounter these challenges during ERM implementation.

Boisot and McKelvey (2010) used Ashby’s law of requisite variety to explain complexity in organizational settings. According to Ashby’s law, “only variety can destroy variety” (p. 421). As such, for an organism or social entity to be adaptive, it must be able to match the variety of external stimuli imposed on it. Consequently, the authors proposed that for an organization to be adaptive, it must have a variety of responses available that match the variety of external constraints or threats imposed on the organization. Moreover, when the external variety exceeds the capacity of the organization, adaptive tension develops that seeks to fill the gap between the system’s capability and external demands so the system can survive. Consequently, Boisot and McKelvey’s (2010) separation of complexity into three regions (chaotic, complex, and ordered) helps explain why certain types of risks can be understood and controlled by the organization, whereas other risks are more difficult to recognize and comprehend. The chaotic region is typified by stimuli that have no discernible regularities, while the complex region—where most challenges fall—presents some regularity, though it may be difficult to discern. The ordered region involves stimuli that, in theory, can be planned for and controlled.

For example, Andersen (2010) suggested strategic risks can involve significant exposure to organizations due to their high level of uncertainty. Thus, strategic risks often lack easily discernible regularities yet present significant risk to the organization. Hence, strategic risks share the characteristics of the chaotic or complex regions depicted by Boisot and McKelvey (2010). Despite this high exposure level, Andersen (2010) suggested that most risk management approaches tend to focus only on recognized exposures, and are ill-equipped to handle complex risks associated with high levels of uncertainty. This is a particularly salient challenge for ERM since ERM aspires to look at a broad range of organizational risks, including those at the strategic level. However, methodologies for evaluating risks are often based on assessing risks that are more easily identified, measured, and controlled. Examples include risks such as safety hazards or failing to meet regulatory requirements.

Uncertainty and ambiguity can add to the complexity of identifying and understanding an organization’s risk exposure. Scott (1992) identified five dimensions of uncertainty. First, the degree of homogeneity/heterogeneity involves the level of diversity of customers and stakeholders an organization must manage. Second, the degree of stability/variability is the extent to which an organization experiences change. Third, the degree of threat/security concerns how vulnerable an organization is to its environment. Fourth, the degree of interconnectedness/isolation involves how dependent an organization is on other organizations or agencies. Last, the degree of coordination/noncoordination is the extent to which an organization deals with external groups whose actions are coordinated. Due to the diverse set of customers and stakeholders complex organizations regularly interact with and the increasing complexity of the environment in which they operate, the context within which organizations must identify, evaluate, and act on risks also contains a high level of uncertainty. Indeed, Power (2007) stated that “when uncertainty is organized, it becomes a risk to be managed” (p. 6).

The concept of risk is further complicated since leadership involves taking risks and leading organizations through areas where success is not guaranteed (Brinkmann, 2013). March and Shapira (1987) added that leaders often define risk differently than the theoretical literature, and that even two individuals can see the same risk differently. The authors explained that leaders see risk as something they can control, and risk-taking as part of their job and identity as leaders. The authors also found that leaders place more weight on the potential positive outcomes of an activity over negative results. Furthermore, leaders do not see risk as simply a statistical or probability concept, or see value in reducing risk to a single quantifiable measure.

Risk also has social dimensions when situated within the context of an organizational environment. Indeed, Power (2007) suggested risk has “acquired social, political, and organizational significance as never before” (p. 3). Weick (1995) proposed that organizations are networks of people socially interacting through the use of shared meanings and language, and that internal constructions of knowledge are developed in the presence or perceived presence of others. Schein concluded that a social reality consists of the items that groups form consensus around, such as how humans relate to their environment, distribute power, form group boundaries, develop ideology, and share cultural elements. More specific to risk, Argyris (1980) suggested that the inability of organizations to discuss threatening or risky issues is caused by how people are acculturated and socialized (i.e., their values, skills, and action strategies for dealing with challenging issues). Argyris continues that these social elements can inhibit attempts by the organization to encourage employees to disclose information on actions such as unethical behavior or hazardous working conditions. Consequently, organizations must manage a diverse set of risks that require different means to assess and control. Moreover, individual backgrounds and perceptions on risks and the organizational environment influence how an organization evaluates and responds to risk.

Risk and Opportunity

Enterprise risk management implies that effectively managing risk can result in improving an organization’s ability to recognize and capitalize on opportunity. Arnold, Benford, Canada, and Sutton (2011) conceived of ERM as having either a defensive focus on risk control and avoidance or an offensive focus that looks at the upside of risk in order to identify opportunities the organization can exploit. Arnold, Benford, Hampton, and Sutton (2012) made a similar argument that as ERM programs mature, they increase their ability to manage risks and opportunity. Indeed, Power (2007) argued that organizations that are more effective at aligning their business strategy with organizational governance, regulatory compliance, and enterprise goals will be better positioned to realize opportunities that emerge. Hence, it is logical to conclude that an organization’s leadership would be more likely to implement ERM if the program also enhances the organization’s ability to identify and act on opportunities.

Brunswicker and Hutschek (2010) predicted that firms that use active processes for identifying opportunities from external and distant sources will be more successful at finding potentially exploitable opportunities. Similarly, Baron and Ensley (2006) defined opportunity recognition as “the process through which ideas for potentially profitable new business ventures are identified by specific persons” (p. 1331). Riquelme (2013) identified three factors that influence a person’s ability to recognize opportunities: cognitive frameworks, self-efficacy, and social networks. The decision on whether to exploit an opportunity is dependent on attitudes toward the opportunity (favorable or unfavorable view of the opportunity), subjective norms (peer pressure on whether or not to act on the opportunity), and perceived behavioral control (perceived ease or difficulty of exploiting the opportunity successfully). Opportunities that are favorably perceived in these areas are more likely to be acted on than those that are viewed less favorably in one or more of these dimensions (De Jong, 2013). As such, the ability to identify opportunities is influenced by individual and social dynamics similar to those associated with identifying risks. Moreover, assessing whether the organization should act on the opportunity should also include evaluating the risks associated with the opportunity. Hence, organizations can integrate risk identification and assessment processes with opportunity identification processes so that each complements and strengthens the other.

In sum, risk is a complex phenomenon that has multiple dimensions. As such, a one-size-fits-all strategy for evaluating and managing risks is unlikely to be successful. Consequently, the complexity and multiple dimensions of risks warrant managing risks using a holistic approach as offered by ERM. Moreover, an organization’s capability to identify and control risks effectively is linked with its ability to capitalize on opportunities.

Chapter 2: Traditional Risk Management

Now that we have an understanding of organizational risk more generally, we can look at the different types of risk management that ultimately may lead an organization to adopt an ERM program. In this chapter, I review the concept of traditional risk management, which serves as a basis to then understand the ERM framework presented in the following chapter.

Traditional risk management is defined as “the process of making and implementing decisions that will minimize the adverse effects of accidental losses on an organization” (Baranoff et al., 2005, p. 1.5). This approach to risk management aims to identify potential loss exposures and examine the feasibility of various strategies to limit these exposures (Baranoff et al., 2005). Strategies utilized to manage risks fall into two categories: risk control and risk finance. According to Baranoff et al. (2005), there are six core risk control techniques: “avoidance, loss prevention, loss reduction, separation, duplication, and diversification” (p. 2.19). As the name implies, avoidance simply means the organization does not take on an activity that exposes it to certain risks. Loss prevention and reduction involve actions to reduce the frequency and severity of losses from risks. Separation entails splitting up assets so they are not all exposed to the same risk. Duplication involves the use of redundant systems to prevent the shutdown of an operation or process. Finally, diversification spreads risk exposures over a range of operations, markets, or geographic regions. Examples of risk finance techniques include transfer methods, such as insurance, hold-harmless agreements, and hedging, while an example of retention is the self-funding of losses (Baranoff et al., 2005).

Traditional risk management techniques fail to address the full range of risk exposures a complex organization may face. Arena, Arnaboldi, and Azzone (2011) argued that a limit of traditional risk management is its tendency to manage risk categories separately. Traditional risk management functions have often been located in the accounting, financial, compliance, and internal auditor areas of organizations (Blaskovich & Taylor, 2011). Moreover, March and Shapira (1987) contended that theories on managerial perspectives of risk, such as classical decision theory, oversimplify human behavior and thus do not accurately explain how managers perceive risk. Brinkmann (2013) suggested that the complexity of modern risk combined with increased pressure to hold organizations accountable for their actions can lead to managers focusing on providing a defendable justification for their decisions concerning risk at the expense of using sound professional judgment. Accordingly, Brinkmann (2013) posited the need for “intelligent risk management” based on the following tenets: (a) control systems that are not allowed to overburden managerial attention and innovation, (b) higher tolerance levels for disorganization and ambiguity in the risk management process, and (c) internal control systems that focus on generating usable knowledge and that are always challengeable. Enterprise risk management frameworks such as the one offered by COSO begin to address the three dimensions of intelligent risk management; however, they require more insight on how to manage risks without stifling innovation, how to assess risks with high levels of ambiguity, and how to create actionable knowledge through the risk management process.

In sum, modern organizations face a wide range of complex risks that challenge their ability to meet mission-critical objectives. In addition, managing risk is more complicated in large institutions composed of multiple subunits that operate in a global, changing economy (Grabowski & Roberts, 1997). Within the complex institution, the failure to manage risks properly can lead to events that challenge an organization’s ability to meet critical objectives and jeopardize its survival. As McShane et al. (2011) stated, “Managing risks has become a critical function for CEOs as organizational environments become increasingly turbulent and complex” (p. 653). A survey by North Carolina State University and Protiviti (2015) identified the top risks executives perceive their organizations face as regulatory changes, economic conditions that restrict growth, attracting and retaining talent, inability to identify risks, cyber threats, managing unexpected crises, sustaining customer loyalty, resistance to change that restricts the ability to adjust business models, and not meeting performance expectations. Consequently, in light of these issues, traditional approaches to risk management should be replaced by methods that position risk management as part of an organization’s governance process, allowing for a more holistic view of the organization’s risk exposure. Enterprise risk management is such a strategy.

Chapter 3: Frameworks for ERM

There are several existing frameworks for ERM, including: the Casualty Actuarial Society ERM framework, the COSO ERM integrated framework, the International Organization for Standardization (ISO) 31000 risk management framework and process, the Australian and New Zealand standard for risk management, and the Federation of European Risk Management Associations’ risk management standard (Andersen, 2010; Kimbrough & Componation, 2009). These frameworks share similar risk management steps and highlight how ERM influences a broad range of activities and organizational levels (Kimbrough & Componation, 2009). Moreover, these frameworks portray ERM as a top-down-driven risk management approach (Andersen, 2010). In this chapter, I present the COSO ERM integrated framework, which provides a basis for the discussion throughout this book, since it is the most prevalent model referenced in the literature.

In 1985, COSO was established to address the increased incidence of fraudulent financial reporting. This initially resulted in COSO developing frameworks to improve financial reporting and compliance, followed by the publication of the ERM integrated framework in 2004, which is referenced by several U.S. and international standard-setting bodies (Landsittel & Rittenberg, 2010). The committee is composed of five sponsoring organizations: the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors, and the Institute of Management Accountants. Its mission is “to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control, and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations” (Landsittel & Rittenberg, 2010, p. 457). The committee’s composition and mission are especially important as they reveal the professional background of the framework’s developers and, subsequently, the challenges organizations may have implementing a framework that relies heavily on internal controls and top-down management strategies.

According to COSO (2004), enterprise risk management is a process, affected by an entity’s board of directors, management and other personnel, applied in strategy setting across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (p. 4).

This definition outlines the following six key elements of ERM: (a) led by senior management, (b) integrated throughout the organization, (c) considers risk from a strategic perspective, (d) provides reasonable assurance of meeting an organization’s goals, (e) identifies risks that affect the organization, and (f) manages risk based on the organization’s risk appetite and tolerance level. In addition, COSO proposed four critical areas for establishing risk management objectives: (a) strategic objectives, which involve high-level goals and the mission of the organization; (b) operation objectives, which outline the efficient use of organizational resources; (c) objectives to meet an organization’s reporting requirements; and (d) regulatory compliance objectives. According to COSO (2004), organizations need to set objectives for managing risk at each organizational level to include the entity, divisional, business unit, and subsidiary levels of the organization.

The COSO (2004) ERM framework is composed of eight interrelated components. These include: (a) the internal environment, such as the organization’s risk management philosophy, ethical values, and the operating environment; (b) objectives that align with the organization’s tolerance for risk; (c) the identification of internal and external events that present risks to the organization; (d) the assessment of events to determine the likelihood and impact risks may have on the organization; (e) the selection of responses to control risks, such as avoiding, accepting, reducing, or sharing the risk; (f) the establishment of control activities, such as policies and procedures to help ensure risks are adequately addressed; (g) the adoption of mechanisms to communicate and capture information on risks; and (h) the implementation of processes to assess and monitor the state of the ERM program continually. Figure 2 illustrates the basic logic of the COSO framework. Here, risk objectives are set in their respective domains for each level of the organization, and realized through the application of the eight interrelated components. Although portrayed in the illustration as a linear operation, the process is, in practice, more iterative with activities co-occurring across each area.

In sum, the COSO framework reflects practices found in mechanistic organizational settings typified by management practices that focus on control and top-down decision making. Mikes (2009) described this framework as advocating for ERM as a “strategic management control system” (p. 20). Consequently, the framework provides limited information on managing risks in global, multiorganizational, large-scale systems with diverse management processes led by a wide variety of people (Grabowski & Roberts, 1997). Formal approaches to risk management such as these may lead to a focus on identifiable and quantifiable risks instead of the strategic risks that have more uncertainty (Andersen, 2010). Indeed, Fraser, Schoening-Thiessen, and Simkins (2008) found that executives expressed concern over the lack of information on integrating ERM across their organizations, and viewed the framework as impractical to implement.

In addition, ERM is a relatively new practice. The first evidence of such activity occurred in 1998, with the first academic study on ERM published in 1999 by Colquitt, Hoyt, and Lee. In this initial study, Colquitt et al. investigated the role risk managers have in nonoperational risks and the techniques they use to control these risks. Subsequently, the majority of research on ERM has been published in peer-reviewed insurance and accounting journals (Iyer, Rogers, & Simkins, 2010), and tends to favor quantitative approaches to risk analysis and the use of management control systems. Landsittel and Rittenberg (2010) have argued that ERM research needs to go deeper than simple assessments of current best practices. Iyer et al. (2010) further stated that ERM research lacks a natural “disciplinary home” and, as such, is a topic that can be studied from a variety of management theory perspectives (p. 420). As such, in Part 2, I explore how concepts from the management sciences in areas such as change management, decision making, and organizational learning can advance understanding on ERM from both practical and theoretical perspectives.

Part 2: Management Science and ERM: From Theory to Practice

In Part 1, I discussed the key concepts of organizational risk, traditional risk management, and the COSO ERM framework. One of the key findings from my research is that knowledge on ERM implementation has been disconnected from management concepts, despite its clear connection to senior leadership and management strategy. This is true both of research on ERM as well as in how it is practically implemented in organizations. Therefore, in order to provide a comprehensive understanding of ERM, in Part 2, I review concepts in management science theory that may enhance ERM implementation within complex organizations (see Figure 3). In the chapters that follow, I focus on three main areas: organizational change, decision making, and organizational learning. For each area, I first explain aspects of the theories more generally, followed by how that area connects to the COSO ERM framework.

Chapter 4: Organizational Change I – Institutional Theory, Legitimacy Theory, and Organizational Culture

Concepts relating to institutional theory, legitimacy theory, and organizational culture can be used to analyze how external and internal factors in an organization’s environment influence the decision to adopt ERM and the implementation process. In this chapter, I unpack these models to provide a context to understand change management more generally.

Institutional Theory

Institutional theory speaks to how external pressures from governmental agencies, laws and regulations, stakeholders, professional norms, and the public influence an organization (Wicks, 2001). Scott (2014) explained that “institutions comprise regulative, normative, and cultural cognitive elements that, together with associated activities and resources, provide stability and meaning to social life” (p. 56). Moreover, he proposed that each element operates through distinct mechanisms and forms the “three pillars of institutional theory,” which are: (a) regulative, which focuses on expedience, coercive mechanisms, and regulative rules; (b) normative, which relies on social obligation, normative mechanisms, and binding expectations; and (c) culture-cognitive, which values shared understanding, mimetic mechanisms, and cultural influences. These elements help to provide institutions with the meaning and stability that create organizational structures and guide behavior.

However, each has distinct underlying assumptions and mechanisms that can be used as analytical elements for understanding institutions. More specifically, the regulative element focuses on expedience, coercive mechanisms, and regulative rules; the normative component relies on social obligation, normative mechanisms, and binding expectations; and the culture-cognitive element values shared understanding and mimetic mechanisms. Consequently, institutional theory is used to analyze how an organization’s history, culture, and operating environment shape the decision to adopt ERM and influence the type of program implemented.

Legitimacy Theory

Suchman (1995) defined legitimacy as “a generalized perception or assumption that the actions of an entity are desirable, proper, or appropriate within some socially constructed system of norms, values, beliefs, and definitions” (p. 574). Suchman (1995) also asserted that there are three broad types of organizational legitimacy: pragmatic, moral, and cognitive. Pragmatic legitimacy relates to whether the activity is perceived as beneficial to the organization and its stakeholders. Thomas and Lamm (2012) stated that such perceived benefits may include items such as better use of resources, reduced risk and legal liability, and improved reputation; items similar to those benefits touted by ERM proponents. Secondly, Suchman (1995) argued that legitimacy has a moral dimension that involves whether an organization’s actions and image are consistent with socially accepted norms. This moral legitimacy includes beliefs stakeholders share about an activity’s value in advancing the interests of society. However, Suchman (1995) cautioned that resistance and organizational politics can significantly affect moral legitimacy. Lastly, cognitive legitimacy involves how easily an activity is comprehended and how consistent it is with the existing organizational culture and belief system. Here, people assess whether the activity will make their job easier or more difficult (Thomas & Lamm, 2012).

Protecting and enhancing the organization’s identity can also have positive effects on the overall perceptions members have of the organization. For example, people develop their personal identities in part through their perception of how others view the organization where they work (Weick, 1995). Indeed, Ravasi and Schultz (2006) found that how people perceive identity threats to an organization is influenced by how they believe the organization is perceived externally and their assumptions about the distinctive behavioral patterns of the organization. The authors also found that organizational responses to identity threats can be limited by the need to reconcile responses with external changes. Moreover, the organization’s culture provides the context for the sensemaking process the organization undergoes as it seeks to understand, reevaluate, and redefine the organization in response to the identity threat.

Within the context of complex organizations, the reasons organizations adopt a new business practice such as ERM can vary. For example, Gioia and Thomas (1996) found measures like profit and return are not as relevant to higher education leadership. Instead, items such as prestige and ranking are critical, making an institution’s image a critical strategic issue. According to the authors, leadership issues can be separated into two categories: strategic and political. Strategic issues are items associated with creating the desired future state, while political issues involve the status quo and managing competing interests. The authors found that image and identity powerfully influence how leaders in organizations interpret the critical issues they confront and that strategy and information processing are critical to how leaders interpret these issues. Consequently, the literature suggests that organizational leadership will be moved to adopt ERM when leadership sees linkage between adopting ERM and protecting and enhancing the institution’s reputation. Legitimacy theory thus addresses the issue of why a certain course of action is accepted by an organization and hence helps explain the factors that influence whether members of the organization accept an initiative such as ERM (Suchman, 1995). Therefore, legitimacy theory is used to explain the logic for why leadership at a complex organization may select an ERM strategy and factors that affect employee perceptions on the validity of the program.

Organizational Culture

Mintzberg and Westley (1992) posited that changing an organization’s culture involves shifting the collective mindset of the organization. On the other hand, Schein (2010) proposed that culture is formed as organizations solve problems of external adaptation and internal integration, such as an organization’s mission, strategy, goals, and methods to measure progress. Internal integration problems include creating a common language and defining group boundaries, power distribution, and behavioral norms. Schein (2010) added that an organization’s overall culture is influenced by national and ethnic identities, cultures from other organizations with which the organization interacts, cultures associated with different occupations, and microcultures that develop in cross-functional organizational groups. He found that these cultural forces are powerful and significantly affect the actions of the organization. Schein (2010) also argued that an organization’s culture is, in part, a “learned defense mechanism to avoid uncertainty,” which can cause the organization to fail to address uncertainty proactively (p. 277). Lastly, Schein stated that a concern for an organization’s culture is an issue unique to leadership and one that differentiates leadership from general management and administration. Based on Schein’s broader definition of organizational culture, Cooper, Faseruk, and Kahn (2013) defined risk culture as

a pattern of basic assumptions that the group learned as it identified, evaluated, and managed its internal and external risks that has worked well enough to be considered valid, and therefore to be taught to new members as the correct way to perceive, think, and feel in relation to those risks. (p. 65)

As Cooper’s definition of risk culture illuminates, developing a risk culture at a complex organization entails building the organization’s understanding of how it identifies, understands, and manages risks. Therefore, leadership plays a critical role in ERM programs that aspire to change the culture surrounding how the institution understands and responds to risks.

As further discussed in relation to decision making, Osland and Bird (2000) utilized the concept of sensemaking to help explain how people understand different cultures. In particular, they explored cultural paradoxes where situations cause different and contradictory responses. The authors stressed the need for context to understand actions and responses in a cultural setting. They further determined that cultural values and histories influence the schema people select in a situation. They defined a schema as “a pattern of social interaction that is characteristic of a particular cultural group” (p. 71). Indeed, Schein (1993) warned that complex business and societal problems are often caused by cultural misunderstandings. These issues can be amplified in complex organizational settings with multiple cultural elements. Therefore, understanding how diverse cultural units and associated views on risk affect ERM implementation is critical, worthy of deeper exploration, and directly related to the internal environment COSO speaks to in its ERM framework.

For example, at universities and colleges, Birnbaum (1988) noted the cultural divide between faculty and administrators, where faculty viewed administrators as imposing red tape and constraints on their work, and administrators viewed faculty as unconcerned with costs and reasonable appeals for accountability. To address the different priorities between faculty and administrators, Birnbaum suggested that HEIs have two distinct control structures: one for administrative decisions and another for faculty. Birnbaum (1988) also explained there are four basic models for how HEIs function: collegial, bureaucratic, political, and anarchical. As the name implies, collegial institutions value shared power and consensus with leadership that seeks input on decisions, and where responsibility is collectively shared. However, Birnbaum noted that collegial institutions only work for relatively small organizational settings. In contrast, a bureaucratic institution is common to colleges in which large-scale administrative functions are organized to reduce uncertainty and improve performance. In this setting, people can be more easily replaced and are not as critical to the overall performance of the institution (e.g., in community colleges where faculty only teach part-time). On the other hand, faculty members at political institutions are deeply connected to the organization and are often part of a wide array of specialized subunits. Consequently, such an organization is too complex for a bureaucratic structure and thus relies on decentralized decision making with diffused power. This results in constant competition among subunits for resources and influence on the direction of the organization. Lastly, anarchical institutions are characterized by having several schools or units that appear to operate independently from the overall organization. Anarchical institutions often have vague goals, ambiguous understandings of how inputs are converted to outputs, and unclear decision-making processes. Consequently, from a broad perspective, there are unique cultures at universities and colleges that require adapting the ERM process so it is compatible with the existing culture and management style at the institution.