Enterprise Risk Management Incentives and Practices in three Danish companies

Niels Joseph Lennon (259089)
Aarhus School of Business, University of Aarhus
Master’s Thesis, September 2007
Academic advisor: Pall Rikhardsson
M.Sc. in Accounting and Controlling (Økonomistyring)


Abstract

The purpose of this thesis is to provide an academic contribution to the subject Enterprise Risk Management. This is done by carrying out a study concerning today’s use of ERM in larger Danish companies and identification of structures that influence the choice of developing an ERM process in the company. The underlying assumption of the thesis is that such structures exist, and the objective is to identify them by following a scientific method.

The paper begins with a definition of the study area and the methodological approach to the study. Hereafter existing theory including applicable frameworks is examined to set up the theoretical framework for the study. Following this, the study method is explained and finally, the findings and conclusion are stated.

Enterprise Risk Management is a management tool focusing on risks, operational as well as financial and strategic, related to a company across the entire organization and hierarchical level. The idea is to focus on risks related to the achievement of given objectives and to manage them in a structured way.

Based on the theoretical framework of ERM and a preliminary study, the analysis is carried out as a qualitative case study within three larger Danish companies. The analysis concerns the two dimensions mentioned, the use of ERM today and incentives for developing an ERM process in the company. The part treating incentives is carried out with guidance from seven research propositions prepared on the basis of existing theory and the preliminary study.

The analysis shows that none of the case companies follow ERM frameworks stringently in their risk management process. When implementing ERM, they take the existing frameworks and modify them to fit the organization in which they must apply. Components of the frameworks that are considered as non-value adding are ignored and only the beneficial components are used.

The following structures are identified to constitute the incentives for the companies to implement ERM. Several of them are context specific, meaning that they are only identified in one single case. Others are identified in all cases.


1. The board and management’s attitude towards ERM

2. Compliance requirement concerning risk management

3. The company’s growth rate

4. Stakeholder demands

5. Negative events

6. The business

The study also showed two other mechanisms, even though they have not been directly identifiable. They are the culture of the organization and the ability to fulfil the formulated strategy.

It is the author’s hope that, by preparing this paper, the subject will obtain more attention in Danish academic circles. For that purpose, suggestions for further research are outlined at the end of the thesis.


Contents

Abstract
Preface

1 Introduction
1.1 Thesis Statement
1.2 Delimitation
1.3 Contribution of the Thesis
1.4 Purpose
1.5 Target Audience
1.6 Definitions
1.7 Theory of Science from the Author’s Standpoint
1.8 Structure of the Thesis

2 Theory of Risk Management
2.1 What is Risk?
2.2 History of Risk Management
2.3 Reasons for Developing Risk Management
2.4 Introduction to ERM
2.5 Construction of ERM
2.6 The Process of Implementing ERM
2.7 Risk Frameworks
2.8 COSO Internal Control - Integrated Framework
2.9 COSO Enterprise Risk Management - Integrated Framework
2.10 Risk Management Standard AS/NZS 4360:2004
2.11 Summary

3 The study
3.1 Methodical Procedure
3.2 Research Propositions
3.3 Design of the Study
3.4 Analytical Framework
3.5 Construction of Interview Guide
3.6 Transcription
3.7 Analysis Technique
3.8 Verification
3.9 Reporting

4 Findings
4.1 Use of ERM
4.2 Risk Management Practices in the Case Companies
4.3 Reasons for Implementing ERM
4.4 Reflection of other Potential Structures
4.5 Verification of the Findings

5 Conclusion
5.1 Reflection
5.2 Suggestions for Further Research
5.3 Conclusion

References

Appendices
A
B
C
D
E
F

List of Figures

1.1 Relations in the Theory of Science

2.1 Risk as the Variability of Returns
2.2 Traditional Risk Management Approach
2.3 Doherty’s Risk Management Approach
2.4 Development in Risk Management
2.5 10 ERM Drivers
2.6 Interactions from Strategic Objectives to Outcome from Strategy
2.7 Three elements of Risk Management
2.8 Deloach’s Steps along the EWRM Journey
2.9 Risk Management Capability Maturity Continuum
2.10 Links to Business Performance
2.11 Favourable Risk Appetite
2.12 COSO’s 1992 Internal Control Framework
2.13 COSO’s 2004 Enterprise Risk Management Framework
2.14 COSO’s 7 Concepts of ERM
2.15 External and Internal Events
2.16 AS/NZS 4360:2004

3.1 Design of Case Study
3.2 Seven Stages in an Interview Investigation
3.3 The Analysis Technique

4.1 Structures Influencing the Choice of Developing Risk Management

B.1 Arthur Andersen’s Business Risk Management Process

D.1 Interview Guide for the Preliminary Study page 1-2 of 8
D.2 Interview Guide for the Preliminary Study page 3-4 of 8
D.3 Interview Guide for the Preliminary Study page 5-6 of 8
D.4 Interview Guide for the Preliminary Study page 7-8 of 8
D.5 Interview Guide for the Case Interviews page 1-2 of 8
D.6 Interview Guide for the Case Interviews page 3-4 of 8
D.7 Interview Guide for the Case Interviews page 5-6 of 8
D.8 Interview Guide for the Case Interviews page 7-8 of 8

E.1 Example of Transcription Including the Following Thematization

F.1 Coding of Documents
F.2 Hierarchy of Themes

Preface

The present Master’s Thesis is made as part of the M.Sc. education in Accounting and Controlling at Aarhus School of Business, University of Aarhus. The layout follows the standards for a Master’s Thesis set by the faculty.

References are constructed in accordance with the Harvard Referencing System. In-text references are structured as follows. “Risk can be defined in several ways (Barth, 1996, 491)”. The reference refers to the source Barth, year 1996, page number 491. Detailed information about the source is available in the references part.

A special thanks to Malene Jørgensen, Cand. Ling. Merc., the Aarhus School of Business, Sandra Hyo, BA student in English and Corporate Communication, the Aarhus School of Business and Jonathan Bunde-Pedersen, Ph.D. student, University of Aarhus, for their critical reviews and proof-readings of the thesis.

Niels Joseph Lennon


Chapter 1

Introduction

Whenever I prepare for a journey I prepare as though for death. Should I never return, all is in order.

— Katherine Mansfield

The focus of strategic planning has changed from what was characterized as passive strategy preparation to today’s attempt at making interactive strategic management tools.

The strategy is no longer viewed as a static statement; the modern company makes it active, or interactive, by introducing methods or models to monitor and control the strategy. Enterprise Risk Management (ERM) is an approach of taking risks into account in the strategy implementation process. Not only is it necessary to identify and possess knowledge of the potential risks of the business, it is also necessary to perform the risk management activity on every organizational level and between every business unit. The focus of the ERM approach is to make the risk process value adding and positive in the eyes of employees and managers, rather than a negative and limiting activity. Value creation is the core of the modern company and the relation to ERM is clear.

Tirole, J. writes in his book “The Theory of Corporate Governance” that Risk Management is one of the most important concerns. In his definition, Risk Management is the activity of managing financial risks. Combined with the knowledge of strategic and operational risks as the most important triggers for drops in shareholder value (Walker et al., 2002), this makes the focus on a holistic, enterprise oriented risk management process even more attractive.


1.1 Thesis Statement

The thesis statement forms the basis of the study. It consists of the working hypothesis and in the light of that, the problem statement.

Working Hypothesis

Strategy and strategic objectives are central concepts in relation to companies’ long term development. In many Danish companies, strategic planning is a passive process (Morten Egelund, 2005), which limits the strategic maneuverability. ERM is a control tool with focus on risks related to the achievement of strategic objectives. It thereby helps to make the passive strategy process active, even proactive. ERM as a management accounting tool can thereby benefit the organization by providing higher certainty of achieving a given strategy. However, only limited attention has been paid to ERM by the academic management accounting society in Denmark, which has entailed the development of ERM mainly being carried out by consultancy companies. Higher attention from the academic society will probably spread the use of ERM, at least by expanding knowledge about ERM among newly qualified management accountants.

Problem Statement

Underlying structures of companies are expected to influence the tendency to use ERM. If the structures of companies that influence the predisposition for using ERM are known, it will be possible to identify why companies choose to implement ERM and thereby discover in which contexts ERM will be beneficial.

The research question of the thesis is:

RQ Why are companies using ERM?

The research question is operationalized in the following sub-questions:

Q1 How are companies applying risk management?

Q2 Why do companies implement ERM?

The two sub-questions will constitute the basis of answering the research question. Research question Q2 is studied through a number of research propositions. They will be enumerated after the theoretical chapter, as they are based on the theory elaborated there. The research propositions can be found in section 3.2 on page 45. They will not be commented on further in this section.

In addition to explaining existing theory, the theory chapter will furthermore examine practical ERM frameworks from a scientific basis. The ERM approaches will be considered on the applied level and on their enterprise-wide embeddedness in the organization.

1.2 Delimitation

The present thesis focuses on larger Danish companies, in order not to bias the research by external organizational variables (in relation to the thesis statement), which influence the willingness of starting new internal projects in general.

The subject matter is ERM. The thesis will focus on ERM alone and not consider other theories or approaches such as crisis management, strategic planning or implications of the Sarbanes-Oxley Act. Furthermore, applied ERM techniques, such as risk identification and risk mapping, will not be covered. The thesis will take a broad view of ERM and not detail individual operational techniques. ERM is in the thesis treated as a holistic view of the company’s risk exposure and risk integration between the company’s business units on all organizational levels, in accordance with the definition section.

1.3 Contribution of the Thesis

The present thesis offers insight into ERM in Danish companies in two dimensions. The first is how risk management is conducted in three Danish companies. In doing this, it provides extensive knowledge about risk management practices and describes the environment in which the other dimension of the study is investigated. The other dimension concerns why companies choose to implement ERM.

The contribution of the thesis is considered to be leveled mainly at the academic society. New knowledge will be provided about structures or mechanisms influencing ERM implementation in larger Danish companies - why some companies choose ERM and others leave it out of consideration, consciously or unconsciously.


1.4 Purpose

ERM is a risk management philosophy whose development and improvement in Denmark are mostly driven by the large suppliers of consultancy services. Up until now, it has only earned limited attention in Danish academic circles. The purpose of this thesis is to bring the subject to attention in the Danish management accounting research society and hopefully create greater future attention on the subject. This is sought by providing information about ERM practice in Denmark, comprising why Danish companies choose to use ERM as a management tool. The knowledge will point to structures influencing the development and improvement of ERM in Danish companies.

1.5 Target Audience

The present thesis is written as a Master’s thesis of the M.Sc. education in Accounting and Controlling at the Aarhus School of Business, University of Aarhus. The audience is, consistent with the purpose, mainly academic management accounting personnel. However, others interested in holistic risk management can find the thesis useful as well.

1.6 Definitions

Event: The definition of an event originates in COSO’s ERM Framework. An event is an incident or occurrence from internal or external sources that affects achievement of objectives.

Risk: Risk is elaborated in chapter 2.1 on page 12. In the ERM context, risk is seen as the possibility of an event occurring, influencing the achievement of objectives negatively.

Risk Management: Risk Management is in the present thesis defined as a broad term of managing risks. Every activity of managing risks, i.e. insuring, hedging or assessing risk factors, will be characterized as Risk Management.

Risk Management process: The risk management process is broadly defined in the present thesis. When speaking of the “risk management process”, it does not necessarily imply a formal process. The risk management process can also be viewed as an umbrella for all the sub processes in a company concerning Risk Management. This entails that the risk management process in this thesis is a common term, whether speaking of a formal process or informal, unstructured processes constituting the risk management activity of the company all together.

Enterprise Risk: Enterprise Risk is the extent to which the outcome from the corporate strategy of a company may differ from those specified in its corporate objectives, or the extent to which they fail to meet these objectives (Dickinson, 2001, 361).

Enterprise Risk Management: Enterprise Risk Management is mentioned in the thesis as ERM. It is the activity of managing the enterprise risks. ERM is a holistic, enterprise-wide approach to risk management which focuses on risks in every process of the company, on every organizational level of the company. In accordance with the definition of enterprise risk, ERM considers risks to be potentially occurring events which prevent the organization from achieving its defined objectives. It is not defined through a framework or other practical approach. Thus, it is the pure activity concerning risk management of the overall enterprise, independent of the practical approach.

Interview persons: “Interview persons” is the term used for the people interviewed in the study. They serve as units of analysis when collecting the evidence about the study area.

1.7 Theory of Science from the Author’s Standpoint

All scientific work is influenced by the researcher’s assumptions about reality (Arbnor and Bjerke, 1997, 4), assumptions that affect the way the study is carried out. They can be designated as the theory of science (Arbnor and Bjerke, 1997, 11) and will permeate the entirety of every approach a researcher chooses. It influences the texts researchers write, and the studies researchers carry out. This section of the thesis will provide the author’s standpoint on theory of science. Arbnor and Bjerke state it as follows.


..how a problem appears to a creator of knowledge is intimately related to the approach he or she will use for the research/consulting/investigation..

..every human being as a human being -including creators of knowledge- carries around certain ultimate presumptions about what his or her environment looks like, and about his or her role in this environment..

— Arbnor and Bjerke, 6 and 7

As Arbnor and Bjerke state, a researcher is influenced by his/her ultimate presumptions. Therefore, in the management accounting society as in every other science, there is no unambiguous way to do research. It depends on the study to be carried out and the way the world is perceived. The present thesis is, according to the aim, a thorough study of how ERM is used in Danish companies, and why they use it.

The methodological approach of a study is carried out on the basis of the author’s ultimate presumptions. The methodological approach affects the formulation of the problem and design of the study as well. This is detailed in the section Methodology on page 9.

Arbnor and Bjerke illustrate the relations between the concepts of theory of science in figure 1.1.

Source: (Arbnor and Bjerke, 1997, 17)

Figure 1.1: Relations in the Theory of Science

The figure illustrates that the theory of science relates to the ultimate presumptions, the paradigm and the methodological approach, whereas methodology relates to the methodological approach, the operative paradigm and the study area.


The paradigm is the elaboration of the philosophical concepts of the theory of science, that is, the conception of reality, the conception of science, the conception of the scientific ideals and the ethical/aesthetical considerations (Arbnor and Bjerke, 1997, 15). The paradigm of the author will be clarified later in this section. Not to be confused with the philosophical understanding of the paradigm, the operational paradigm is the methodical procedures and the methodics (Arbnor and Bjerke, 1997, 16). It changes as the study area changes and is, thereby, less static than the theory of science paradigm.

Paradigmatic Standpoint

How the applied classification or the textual manifestation of scientific schools into paradigms is done depends on the theorist of science. Examples of differences can be found in Burrell and Morgan (2000, 29), Arbnor and Bjerke (1997, 44) and Heldbjerg (2003, 30), though the underlying considerations are to a significant extent identical. The overall consideration when speaking of meta-science, as theory of science is also designated, is the core of what science produces: knowledge. Therefore, the overall consideration is on one hand: what is reality, the environment in which knowledge is produced? These considerations are treated in the philosophical field ontology (Ryan and Scapens, 2002, 36-49) (Burrell and Morgan, 2000, 1). On the other hand, it must be clear how the researcher perceives how humans recognize knowledge and what knowledge is. Questions such as what is knowledge and how do we obtain knowledge belong to the philosophical field epistemology, or the philosophical theory of knowledge. Together, ontology and epistemology form the meta-science, the theory of science and, ultimately, the paradigmatic belonging (Heldbjerg, 2003, 26-28) (Burrell and Morgan, 2000, 1).

After the ontological and epistemological distinctions, a third dimension must be considered. This is the methodological question - how should the researcher act to obtain knowledge (Heldbjerg, 2003, 29).

The author’s standpoint to theory of science is established below in terms of ontology and epistemology.

Ontology: Ontology, the perception of reality, is a question about how the world is perceived. Objectivists, or positivists, see reality as a concrete structure of laws, independent of the observer (Arbnor and Bjerke, 1997, 27). They believe that what is true are the things that can be measured and are independent of time (Buch-Hansen and Nielsen, 2005, 13-15). This implies that patterns observed today also exist in the future. Positivists also consider reality as only consisting of what is experienceable by human senses (Buch-Hansen and Nielsen, 2005, 13). Subjectivists, or idealists, believe that reality is a product of social interactions and individual experiences and is constructed in the mind of the one who experiences it (Arbnor and Bjerke, 1997, 27), (Morgan, 1980, 608). Ontology is a question about the researcher’s perception of reality, as described above. The distinction of reality is part of the researcher’s ultimate presumptions.

The author’s conviction is that reality to some extent is objective. A given reality exists independently of whether it is experienced or not. However, the perception of the objective reality is a matter of subjective interpretation in the minds of human beings. Patterns or mechanisms. This means that the objective reality exists, but it is not possible to obtain a full understanding of it, as it is experienced through the minds of human beings. This view is consistent with Bhaskar’s three domains of reality (the empirical, the actual and the real). This ontological conviction is called critical realism (Heldbjerg, 2003, 34) and (Buch-Hansen and Nielsen, 2005, 24).

In this thesis it means that ERM exists, there is an objective perception of what ERM is, but, applied in reality, it has been subject to interpretation and thereby to some extent is rendered subjectively. The meaning of this understanding is that ERM can exist, though the application of it will differ depending on the environments.

Epistemology: The epistemological question of what knowledge is and how it is obtained is closely related to the ontological conviction. As with the ontological view, the author of this thesis is of the belief that the world is constructed of an independent reality, composed of the empirical, actual and real domains. In relation to knowledge, this implies that the objective of knowledge creation is to research the domain of “the real”. This means that it is reasonable to research closed systems to obtain knowledge of the actual domain, but it is only done to constitute the basis for researching the real domain - structures and mechanisms on a higher level of the hierarchy of reality (Buch-Hansen and Nielsen, 2005, 28-29) than knowledge from closed systems in the actual domain. The implication of this epistemological view consists of a necessity to know existing knowledge and extend or change this knowledge according to the structures of focus in the current social context. Also, this focus on mechanisms and structures implies that it is not possible to observe it directly. The visible events are consequences of the actual domain under influence of the structures of interest. This means that knowledge is not objective and is not static. It differs within time and between the structures or mechanisms from which it is affected. The objective of knowledge creation is therefore to identify and explain existing events and phenomena (Buch-Hansen and Nielsen, 2005, 31).

The above description of the author’s ontological and epistemological conviction means that the author’s paradigmatic belonging is called critical realism (Buch-Hansen and Nielsen, 2005).

The last science philosophical element to consider is the methodological consequences of the ontological and epistemological points of view.

Methodology

The above ontological and epistemological considerations have a dominant influence on the methodology used in research. Critical realists break away from the traditional dualism in science and do not join any of the dualistic poles (e.g. individualism/structuralism). Critical realism is pluralistic, which means that it is not embedded in one single methodological practice (Buch-Hansen and Nielsen, 2005, 57). As the objective is to gain knowledge about structures and mechanisms on the real domain, the methodology must support this objective. Not by one single method; rather, the choice of methodical procedure, or operative paradigm in Arbnor and Bjerke’s terms, must be based on individual reasons in each single situation.

On the applied level, this means that critical realists support neither deduction nor induction. Critical realists use retroduction and abstraction. That is, the retroductive reasoning is based on obtaining knowledge concerning structures and mechanisms about the area of interest and thereby explaining the phenomenon (Buch-Hansen and Nielsen, 2005, 62). Abstraction is a way of explaining a phenomenon on the basis of an abstract of the investigated area (in Marx’s way, making an abstract which contains all the things all types of the investigated object have in common (Buch-Hansen and Nielsen, 2005, 62)). The methodical procedure must be in accordance with the area of investigation. Natural sciences research typically benefits mostly from quantitative methods. Social sciences based on interrelations and structures in the real domain typically entail qualitative methods (Buch-Hansen and Nielsen, 2005, 63).

As Arbnor & Bjerke state it: Methods are the guiding principles for the creation of knowledge (Arbnor and Bjerke, 1997, 9). In this thesis, the investigated area is the application of ERM in Danish companies. ERM is of the actual domain, but implemented in companies, it is influenced by the structures of the company, society and employees, and thus differs in the actual domain. The methodical procedure for investigating this area is therefore of qualitative nature, as the aim is to obtain knowledge about structures and mechanisms and thereby explain how the ERM is being used.

Together, as explained above, the paradigmatic standpoint of this thesis is critical realism and the study is carried out in accordance with this scientific conviction.


1.8 Structure of the Thesis

The thesis is divided into five main chapters, elaborated below.

Chapter 1 - Introduction: The introduction is the present chapter, which accounts for the subject matter, the aim of the thesis and reasons for conducting the study the way it is done.

Chapter 2 - Theory: The theory chapter explicates the theory of risk management and the historical development of the approach from the traditional financial risk management until today’s ERM. It comprises the philosophy behind ERM and frameworks for applying ERM in a company. The theory chapter constitutes the existing knowledge behind the author’s approach to the study.

Chapter 3 - The Study: The study chapter encompasses the design of the study and argumentation of the selected method. A detailed elaboration of the analysis approach is also clarified here.

Chapter 4 - Findings: The findings chapter contains the results from the analysis on both dimensions of the study - how ERM is used and reasons for implementing ERM.

Chapter 5 - Conclusion: The last chapter is the conclusion. It contains a reflection over the subject matter, suggestions for further research and ends with the conclusion of the thesis.


Chapter 2

Theory of Risk Management

Do not repeat the tactics which have gained you one victory, but let your methods be regulated by the infinite variety of circumstances.

— Sun Tzu

The following chapter of the thesis will consider the theory of Risk Management. At first, the history of Risk Management will be considered and what initiated the development of it. Subsequently, ERM is introduced and will be the focus of the chapter.

2.1 What is Risk?

Source: Own production

Figure 2.1: Risk as the Variability of Returns

No unique, unambiguous understanding of risk can be defined for all imaginable scenarios on the playing field of risk. Risk can be defined in several ways (Barth, 1996, 491), (Deloach, 2000, 48).

One way to explain risk is the traditional mathematical way. Risk is by BT Financial Group defined as the variability of returns. In budget terminology we can show this definition of risk as the deviation between the budgeted values and the actual values.


Risk comprehended in this way means that risk is the measure of variability. This is similar to the standard deviation in statistics; the way risk is measured in finance.

Others define risk from an action based approach, not necessarily from a mathematical point of view. Walker et al. (2002) define risk from the ERM perspective as any event or action that will adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully (Walker et al., 2002, 2). This broader and more literary definition is more applicable in the sense of ERM. The reason for this is that ERM focuses on the business’ - or enterprise’s - risk from a holistic standpoint, not just from the ordinary financial point of view. ERM considers risks of the whole company; strategy, process, people, technology and knowledge (Thomson, 2007, 30) and the definition of risk, therefore, has to reflect this approach.

2.2 History of Risk Management

ERM as we know it today has evolved over the past 10 years. Business Source Premier dates the first academic article about the subject to 1998 (Schneier and Miccolis, 1998).

Until 1975, the activity of risk management could be characterized merely as pure insurance management - the activity of managing risks by taking out insurance (Doherty, 1985, 4). The employees working with risk management were therefore concerned with administering the company’s insurance portfolio. This approach to treating risks meant that Risk Management was predominantly concerned with insurable risks (Doherty, 1985, 6) and (Teuten, 2005, 2) and the pivotal point of the activity was insuring against risks. Around 1975, the nature of Risk Management faced a change from the insurance focus to an approach based more on treating the risks, and not only managing insurances.

When looking at the literature, no integrated framework is found before the 1990’s. Risk management was performed separately for each activity. Some writers characterize it as a silo based approach, as the risk management activity was carried out individually with no interaction between the activities R. (2004)(GARP Risk Review, 2004). Traditional procedures for how to handle risk management existed (Doherty, 1985, 4), but not as comprehensive procedures and therefore they cannot be designated as regular frameworks. The procedures were considered rather as a decision structure.


Source: (Doherty, 1985, 7)

Figure 2.2: Traditional Risk Management Approach

As seen in the traditional approach, the pivotal point of risk management was still insurance activity. Either insuring through an insurer (3.a) or another party (3.c) (Doherty, 1985, 7). But the ordinary insurance management was changed to a more general risk management approach with identification, measurement and handling activities.

Doherty’s contribution was an approach which should comply with the ordinary financial decision making in a company (Doherty, 1985, 7). The aim was therefore to develop a framework for financial risk management. The framework is presented below. The aim was to measure the impact of loss against the financial objective that is also used to measure the corporate performance.

Source: (Doherty, 1985, 7)

Figure 2.3: Doherty’s Risk Management Approach

The focus of the majority of Risk Management literature from the 1980’s was an approach consistent with Doherty’s financial risk management approach (Thomson, 2007, 31-32) and (Deloach, 2000, 24).

The historical development from this approach to Business Risk Management and later ERM is illustrated in the following continuum.


Source: (Deloach, 2000, 24)

Figure 2.4: Development in Risk Management

As it can be seen, the traditional, financial risk management changed over time in a direction where the goal is a contribution to sustainable, competitive advantage, improving business performance and optimizing costs (the y axis in the figure). The development is a continuum. This means that there is no specific and direct shift from the traditional approach. The change happened over time partly caused by regulation and compliance (Teuten, 2005, 2), (Thomson, 2007, 1) and partially by new demands from stakeholders due to changes in the company’s environment (Teuten, 2005, 5), (Thomson, 2007, 31).

2.3 Reasons for Developing Risk Management

The above section enumerates two main reasons for developing the risk management from the traditional insurance based approach to what is known as ERM today.

The development of Risk Management is initiated by increasing expectations of better management of risk from stakeholders (Schneier and Miccolis, 1998, 1). In addition, new legislation regarding control has evolved due to events in the past. The impacts from the IT bubble/Enron and latest 9/11 illustrated the need for a preventive risk management approach.

From a financial point of view, another driver for improving ERM is the fact that investors are willing to give up a part of their dividend if the company improves their Risk Management activity (Schneier and Miccolis, 1998, 2). For example: if a company pays $100 in dividend per share each year and the discount rate is 5%, the present value calculated as a discounted perpetuity is \(\frac{\$100}{5\%} = \$2000\). If improved risk management in the company decreases the discount rate to 4% (because of a decrease in the share’s risk premium), the dividend will be, to maintain the same value of $2000, \(\$2000 \times 4\% = \$80\). As can be seen, the reduction of the risk premium by 1% implies that the company has to pay $20 less each year in dividend. In other words, the improved risk management leads to a lower cost of capital. The situation is analogous in the calculation of WACC. Schneier and Miccolis (1998) postulate that 20-30% of the premium over book value reflects how well the company manages risk.

If the aim is to obtain lower cost of capital, the traditional way of handling risk by financing it (e.g. hedging strategies or insurance) has a fundamental problem according to Schneier and Miccolis (1998). Schneier and Miccolis (1998) adopt a market based approach to the matter (Schneier and Miccolis, 1998, 2). That is, the market’s reaction to risk events is not based on the company’s risk financing decisions, but, in contrast, how the management handles the events. The core of risk management must therefore be how to handle the events and not how to manage financial risk.

All together, these reasons above trigger the demand for better Risk Management.

Thomson (2007) enumerates ten drivers for the change, which drive the demand for the development of a new risk management paradigm. The drivers are illustrated in figure 2.5.

Source: (Thomson, 2007, 31)

Figure 2.5: 10 ERM Drivers

Several of the drivers are outcomes of the change in the businesses’ environments over the past 20 years. Globalization can be perceived as an empty phrase, used as argument for any unexplainable factors. As driver for ERM, this is not the case, though. Schneier writes in the article “Enterprise Risk Management” the following reasoning:

Although profits and stock prices are generally healthy, delivering results is a lot more risky today than in the past. The reason is simple: most businesses, whether we like it or not, have become global. Parts and sub-assemblies come from places halfway around the world, as do customers, competitors, and financing. This increased scope brings increased opportunity, but it also brings increased complexity. And increased complexity brings an increased potential for things to go wrong.

— Schneier and Miccolis (1998, 1)

As mentioned above, Schneier asserts that the globalization factor plays a significant role in the evolution of ERM. The other drivers enumerated by Thomson show that ERM is not only developed to satisfy the compliance requirements set by external regulatory bodies, through the Sarbanes-Oxley Act and similar regulations. The need for improved risk management has also arisen internally in the company on account of the changing environment, in which the company acts (Thomson, 2007, 31).

Deloach adds a few additional key reasons for the changing needs for Risk Management. He pinpoints the compliance requirement’s role, as mentioned above, and thereby the demands for changes in corporate governance. Furthermore, a key reason is the need for ERM as a strategic management tool. The scandals in the late 1990’s and early 2000’s about the IT bubble/the Enron scandal and increasing terrorist threats after 9/11 also point towards needs for Enterprise-Wide Risk Management.

The key point to learn here is the fact that ERM approaches Risk Management by treating risks interrelatedly (Deloach, 2000, 42) and not through isolated silos as in the old paradigm.

2.4 Introduction to ERM

It is clear that Risk Management faced a change from the insurance based approach to a new perspective. A new approach, where focus should be on the business risk, the enterprise risk. Deloach and Walker claim that it is a paradigm shift to a new strategic perspective (Deloach, 2000, 23), (Walker et al., 2002, 7). Schneier designates it a holistic approach (Schneier and Miccolis, 1998, 2).

In other words, ERM is an approach, where the company is contemplated as a whole, and value creation is stressed (Walker et al., 2002, 14). The ERM process is designed as a value-adding activity on account of its forward looking approach (Walker et al., 2002, 7).

When taking this enterprise risk approach, it is necessary to know how the term enterprise risk is defined. The present thesis has adopted Gerry Dickinson’s definition. The definition is presented in the definitions section on page 4. Dickinson extends the perception of enterprise risk by stating that the strategy chosen entails a risk profile, composed of risk factors influencing the companies’ activities, processes and resources (Dickinson, 2001, 361).

To illustrate the connection between strategic objectives, strategy implementation, risk factors and outcomes from the strategy, figure 2.6 shows the interactions.

The figure shows that the enterprise risks relate to the choice of strategy implementation the company makes in terms of activities, processes and resources. The risk factors are thereby influencing the outcomes from the strategy from an internal and external perspective (the dotted ellipse in the figure).

Source: (Dickinson, 2001, 362)

Figure 2.6: Interactions from Strategic Objectives to Outcome from Strategy

The following sub-sections will detail terminology and construction of ERM.

Terminology of ERM

As known, ERM is, because of its preventive approach, a value-creating process. It is necessary to be aware of the fact that the risk is the output of something occurring, in accordance with the definition.

Risk Factors

To look forward, it is not satisfactory only to be aware of the risks as they occur ex post. To consider risk management from an ex ante point of view, it is crucial for the process of ERM to know what causes the risk. The causes are designated as risk factors in the ERM context and also defined as events.

Risk factors are classified into two overall terms: external factors and internal factors (Dickinson, 2001, 361-362), (Deloach, 2000, 50).


External factors are factors that the company’s management is not able to control. Factors external to the operations of the company. Deloach exemplifies it as future values of interest rates, inflation, regulatory changes, market demand, labour supply etc. Dickinson splits the variables into two terms. Market factors, which cover factors related to the market place; customer needs, product development, new entrants etc., and factors in a wider context such as macro economical variables, technology changes, political changes, demographic changes etc.

Internal factors are factors inside the company’s boundary. Variables, which the management can influence by decision making. Deloach splits them into 9 terms: brands, customers, suppliers, employees, operating processes, technology, channels, knowledge, opportunity costs, potential stop-the-show events. Every term is from an internal perspective, i.e. customers as a matter of meeting the customers’ needs and taste and potential stop-the-show events as a matter of ethical considerations, fraud, illegal acts etc.

Deloach adds another dimension of Risk factors, inspired from Arthur Andersen’s Business Risk Model™.

Decision-driven factors are factors related to decision making in the company. It is divided into five fields of decision making: M&A, New markets, R&D Investment, Products and Services and the yield curve. The Decision-driven factors concern risks about decision making in the fields, i.e. the yield curve covers decisions about where to borrow capital to finance the company’s operations (Deloach, 2000, 51).

In the ERM context, the risk classification is subdivided into other categories, depending on the author. Smiechewicz categorizes them in the following way (Smiechewicz et al., 2001, 3-4).

Strategic Risk is risk related to the strategy. Not to the strategy formulation process, but to the strategy implementation and to obtaining the objectives. E.g. uncertainty about allocating enough capital to R&D, uncertainty about identifying potential future markets, uncertainty about regulatory changes etc.

Operations Risk is risk related to the company’s ongoing operations in accordance with the internal factors mentioned above. E.g. training, financing, continuity of operations etc.


Legal Risk is risk related to legal issues. Uncertainty about whether the company violates other companies’ patents, uncertainty about to which degree the company fulfills its contracts and uncertainty about whether the company meets legislation etc.

Credit Risk is the risk related to giving credits to stakeholders. E.g. how the company monitors the credits and debtors and how they determine the credit period etc.

Market Risk is equal to market factors as described above in the external factors definition.

Walker uses the following four classes analogous to the above classification.

1. Strategic Risk
2. Operations Risk
3. Financial Risk
4. Hazard Risk

The classification of Walker is slightly different, as the hazard risk is the class of insurable risks such as fire and natural disasters (Walker et al., 2002, 3).

To obtain a structured approach to ERM, it is advantageous for a company to consider a risk classification framework such as those mentioned above.

2.5 Construction of ERM

Numerous researchers have prepared guidelines on how to approach ERM (Deloach, 2000; Teuten, 2005; Schneier and Miccolis, 1998; Smiechewicz et al., 2001). The majority of those are to some extent identical, and their components form the construction of ERM.

The core element of risk management in general can be explained by the following activities (Teuten, 2005, 2).

Source: (Teuten, 2005, 31) and own processing

Figure 2.7: Three elements of Risk Management

The practice above is the pivotal point of every Risk Management approach, according to Peter Teuten. Measurement is the identification stage where the purpose is to determine the risks and quantify them on a scale, which makes comparison possible, e.g. costs of the risk. Management is the exercise of dealing with the risk by, as the term itself implies: to manage the risk. The last element of risk management is monitoring. This is the activity of surveilling the risk state of the company.

As mentioned, this is the general overall process of doing risk management. The approach to ERM adopted in the present paper is Deloach’s Enterprise-Wide approach. He takes a meta perspective on applying ERM and not a direct guide on how to implement Risk Management, as others tend to emphasize (e.g. Smiechewicz et al. (2001)).

Source: (Deloach, 2000, 34) and own processing

Figure 2.8: Deloach’s Steps along the EWRM Journey

Deloach’s basis is an eight-step approach, starting by adopting a common language and ending by formulating an Enterprise-wide Risk Strategy.

The 8 steps along the EWRM journey

The present sub-section provides an overview of the steps along the EWRM journey (Deloach, 2000, 34). For a more detailed study, please refer to James W. Deloach, Enterprise-Wide Risk Management - Strategies for linking risk and opportunity.

Step 1 - Adopt common language

The first thing to consider before initiating the ERM activity is communication on risk and risk management. The staff, which will become the ERM team, consists of employees from different areas of the company, with different frames of reference and different views on the company. As for anything else, it is important, for the ERM team to become a success, to erode the communication barriers between team members. This is done by aligning their view of risk and their risk language.

In an ideal world, the organization speaks the same risk language and understands each other fully. Thereby the process will be more effective and the work can be concentrated on the core of the process; managing risk. Step one can thereby be seen as communication enabler (Deloach, 2000, 45-46), (Smiechewicz et al., 2001, 2).

Step 2 - Establish goals, objectives and oversight

This step is carried out analogously to the process of establishing strategic objectives or operating budgets to implement a given strategy. It is done to make the strategy manageable, measurable and to incentivize the organization to work toward fulfillment of the formulated strategy (Anthony and Govindarajan, 2003, 7 & 349-352). Strategy formulation and implementation through establishment of objectives are not subjects of this thesis and will not be covered.

The establishment of goals and objectives enables the ERM process to be effective by being consistent with the overall strategy. Objectives are set to motivate the ERM team to work in the direction which the management finds appropriate in order to fulfill the strategy. Step two can thereby be seen as strategy enabler (Deloach, 2000, 91-92).

Another perspective under consideration in step 2 is where the ERM process is to be placed in the organization and how the responsibility will be distributed. The organization must be set up to support the ERM process (Deloach, 2000, 101), (Dickinson, 2001).

The outcome from this step is to enable the organization to advance to the further steps of ERM.

Step 3 - Assess risk and develop strategies

The step assess risk and develop strategies concerns the practice of making the assessment and management of risk comprehensive, well controlled, consistent and effective (Deloach, 2000, 115). This emphasizes the need for tools to identify, quantify and manage risks across the organization (Deloach, 2000, 115).

Deloach suggests Arthur Andersen’s Business Risk Management Process as framework for this step. The framework is shown in appendix B on page 92. Arthur Andersen’s overall process is composed of five sub processes. As seen in the framework, it is largely identical to several of the steps in figure 2.8 on page 21, though with a higher degree of detail, where Deloach’s contribution is more comprehensive from a holistic/strategic standpoint. Presumably on account of that, Deloach only uses two of the Arthur Andersen Business Risk Management Process steps. The complete model is shown in order to provide the reader with a satisfactory overview of the model.


The two sub processes relating to Assess risk and develop strategies are Assess business risk and Develop business risk management strategies. They are explained below.

• Assess Business Risks. This process concerns the identification, source analysis (or root cause analysis) and measurement tasks. The process is supported by tools of varying complexity. Relatively simple tools such as risk maps can be used (Deloach, 2000, 118-119), as well as complex simulation based approaches (Schneier and Miccolis, 1998, 4).

• Develop Business Risk Management Strategies. After the Risk Assessment process, the company has identified and measured risks and its exposure to them. This leads to the need of strategies to handle Business Risk Management. Deloach states five generic risk management strategies: avoid, retain, reduce, transfer and exploit the risk (Deloach, 2000, 129-135). The risk management strategies are obvious and will not be further detailed.

The work with the assessment and strategy development leads to the next step in Deloach’s model, the design and implementation of capabilities to accomplish the strategies.

Step 4 - Design/Implement Capabilities

Capabilities to do Risk Management depend on two things: design of infrastructure and performance monitoring of the Risk Management process. This step operationalizes the risk management activity in the company. The step is composed of the 3 last sub processes in Arthur Andersen’s Business Risk Management Process framework in appendix B treated as one single step, on account of the fact that the three sub processes are linked closely together.

Infrastructure: This step concerns the dimensioning of capabilities needed to fulfill the strategies chosen in step two. The capabilities are in terms of processes, people, reports, methodologies and technologies (Deloach, 2000, 145). Together with the strategies, they are designated as the six infrastructure components. Each individual component is an important focal point of the infrastructure, but attention on interactions between the components is vital. If the design underestimates one component then, because of the interrelations between the components, the whole process of Risk Management can become useless.

The argument for considering processes as part of the risk management infrastructure is the view of risk management as an integrated activity across the enterprise. To satisfy this view, the existing processes in the company must be the foundation on which the ERM organization is built. Applying the risk management activity in the existing processes will cause the activity to be in the proximity of the identified risk’s origins. The closer to the origin, the better benefits from the activity.

People constitute the processes. Therefore, processes cannot be considered without considering the people behind them. From the Risk Management standpoint, a person must be accountable for a given risk (not necessarily the same person for all risks). The responsible person is the Risk Owner in Deloach’s terminology. This person is in charge of carrying out the risk management activity in the desired way, and makes sure it supports the business objectives. Without a person in charge, no one will have the incentive to prioritize the Risk activities (Deloach, 2000).

Management reports are information to the management about risks, level of exposures against limits, what-if scenarios, trends in the risk drivers, risk diversification and concentration, limit violations etc. All of it linked to the risk management objectives (Deloach, 2000, 151).

The technologies are considered in terms of systems and data. This implies that technology must supply the organization with the information they need for decision analyses and reporting on a reliable basis. Moreover, the systems must be flexible to enable the possibility of future demands to be implemented. If technology does not provide the demanded information, users will lose confidence in the ERM process.

Monitoring risk management performance: As with any other human intervened action, the performance of the risk management process must be measured by an external party to incentivize the work. This can be done by setting up Key Performance Indicators and also by integrating the ERM process with a balanced scorecard (Deloach, 2000, 160).

Continuously improve risk management capabilities: As with other parts of the company’s operations processes, Risk Management capabilities can gain advantages from implementing the continuous improvement philosophy. Continuous improvements are detailed in the next step of Deloach’s EWRM journey.

Step 5 - Continuously Improve

When the ERM process is set up and the infrastructure is dimensioned, the process is in its initial stage of maturity (Ho, 3). The next step is to anchor the continuous improvement philosophy regarding ERM in the organization. The way to achieve excellence in the work with ERM is to acknowledge that the process can be improved.

As guide for improvements, the tool Risk Management Capability Maturity Continuum can be used to structure and enhance the efficiency of the work (Deloach, 2000, 175). Capability Maturity Models are defined as follows:

A capability maturity model (CMM) is a formal archetype of the levels through which an organization evolves as it defines, implements, measures, controls and improves its processes in a particular area of operation.

— Kaner and Karni (2004, 230)

That means that CMMs are frameworks to describe the processes’ evolution, and can be used to guide process improvements with concern for the maturity of the process, from the immature stage to a mature process, thoroughly embedded in the organization.

The Risk Management Capability Maturity Continuum divides the process maturity in the following five stages, starting at the top in figure 2.9.

The organization must initially decide where to be on the continuum for each area of risk management, and strive to get there through the ERM work and improvement efforts. Some risk areas require a higher risk management state on the continuum than others, dependent on the exposure and impact of the risk. If the area is critical to the core business and strategy, it requires a higher maturity state of risk management than areas with lower impact on the core business and strategy.

The use of RMCMC to improve the Risk Management Capability is carried out by plotting the company’s current state and the desired state on the continuum. Then, management ought to make plans on how to achieve the desired state, if different from the current. And for changes in the impact and exposure, the company can advantageously rethink the desired state and use improvement plans to get there.

This approach of considering the maturity continuum gives a good, systematic framework for continuous improvements (Deloach, 2000, 181). The company can advantageously consider the development of the six infrastructure components for each maturity state. The improvement process should thereby ensure that risk management follows this continuum and does not ignore any states.


Source: (Deloach, 2000, 177)

Figure 2.9: Risk Management Capability Maturity Continuum

This perspective will potentially reduce the complications of adopting continuous improvements in the risk management process (Deloach, 2000, 181).

Step 6 - Aggregate Multiple Risk Measures

From an enterprise-wide standpoint, it is beneficial to obtain an overall view of the company’s risk situation. This is carried out in this step on the EWRM journey by aggregating the risk measures. Several aspects outline the effectiveness and efficiency of the aggregation. Aggregation can either be expressed in one single number, or in risk pools with homogeneous risk drivers (Deloach, 2000, 202).

Improved modeling and management of risk: The aggregation of risks and pooling makes it possible to consider interrelations between risk pools. In an ideal world, a fully reliable, dynamic model is produced to show the genuine, objective relations between risk pools. The model is henceforth able to forecast how changes affect the total risk state of the company.

Risk adds up, risk simplification: From the management’s point of view, adding up risk and simplification makes it easier to form a general view of the risk situation. This potentially entails an intensified focus on risk management from the C-level. When viewing the risks pooled, it causes the pools’ interrelationships to be debated and thereby simplifies decision making and resource allocation. If two risk pools (homogeneous inside the groups, heterogeneous between the groups) are negatively interrelated, they constitute a natural hedge and call for less need for risk strategies to lower the risk. This holistic dimension of the risk management is only accomplished by pooling and aggregating the risks (Deloach, 2000, 200).

Aggregation is a thorough job and as the complexity increases for higher aggregation levels, it introduces the question about which aggregation level is satisfactory for a given company. Dependent on the level in the organizational hierarchy, different users need different detail levels. Users low in the hierarchy need a highly detailed view, and top level management need an enterprise-wide overview of the risk scenario. An important argument in relation to the consideration of aggregation level is the linkage between the ERM activity and the company’s goal. If different risk pools have different goals, it makes no sense to aggregate them (Deloach, 2000, 202).

When the company achieves the state of Risk Management where risks are viewed holistically and aggregated, it will be possible to control the risk by setting tolerances under which the company’s level of risk exposure must be. Risk tolerances constitute benchmarks and can therefore be employed as objectives for the risk owners. However, the calculation of risk tolerances can be a comprehensive activity and in some cases result in a more or less arbitrary quantification of qualitative events.

Step 7 - Link to Enterprise Performance

Once the former six steps on the EWRM journey have been carried through, the company begins to see links from the EWRM process to Enterprise Performance. A successful EWRM will result in reduction of unacceptable risks and strategic errors, more timely corrective actions and better management of the risk profile (Deloach, 2000, 208).

The risk management strategies will be in accordance with the overall goals of the company. Thus, the link to the overall enterprise performance will be clarified over time.

The risk profile is the residual of the applied risk management strategies. Hence, the relation between risk management strategies and business performance can be measured by considering how the changes in the risk profile affect the business performance, as illustrated in figure 2.10.


Source: Own production, inspired from (Deloach, 2000, 209)

Figure 2.10: Links to Business Performance

Step 8 - Formulate Enterprise-wide Risk Strategy

The last step on the EWRM journey consists of formulating an enterprise-wide risk strategy. Risk strategies have been prepared in step 3, but the risk strategy tasks there were on an operational level and related to managing the identified risks individually. Strategy formulation in this step is from a holistic, enterprise-wide level and requires the former aggregation and links to enterprise performance steps to be completed. If no aggregation of risk is carried out, it will be hard to formulate an effective enterprise-wide risk strategy (Deloach, 2000, 213).

The strategy formulation also provides the basis for further resource allocation to risk management and naturally leads to considerations about the company’s capacity to bear risk, its risk appetite. It is important to find the right place to be situated between the two extremes of the ability to bear risk and risk aversion.

Source: Own production, inspired from (Deloach, 2000, 214)

Figure 2.11: Favourable Risk Appetite

Used in the correct way, ERM is a management tool to obtain competitive advantages in the business. The objective is to continuously reduce the company’s exposure to loss. The formulation of an enterprise-wide risk management strategy is the last step on the journey toward that goal.


2.6 The Process of Implementing ERM

In contrast to Deloach’s meta approach in chapter 2.5, the present section accounts for the practical implementation and application of ERM. The section focuses on the COSO Internal Control Integrated Framework, COSO’s Enterprise Risk Management Integrated Framework and the Australian risk management standard AS/NZS 4360:2004.

2.7 Risk Frameworks

The majority of the ERM literature claims that basing the implementation on a predefined framework will benefit the organization. Adopting an existing framework will provide a higher level of effectiveness and efficiency in the process.

The choice of focusing on the COSO Internal Control Integrated Framework and Enterprise Risk Management Integrated Framework emphasizes the development of COSO’s contribution to risk management over the past 15 years. The Australian standard is included in the section to show a different approach to ERM. Other ERM standards exist as well, e.g. the UK Risk Management standard published by the UK associations The Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC) and ALARM, The National Forum for Risk Management in the Public Sector.

2.8 COSO Internal Control - Integrated Framework

The framework “Internal Control” created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), published in 1992, is a response to organizations’ needs for a structured approach to manage the uncertainty regarding achievement of the following three objectives (O’Reilly et al., 1992, 1).

• Effectiveness and efficiency of operations

• Reliability of financial reporting

• Compliance with applicable laws and regulations

COSO states a set of conditions which must be met for the framework to be successful. First, Internal Control is a process and must be incorporated into the existing organization. The process is carried out by the staff, which entails human intervention. Furthermore, it must be well-known that internal control does not provide absolute assurance for the risks considered, as it is a process with human intervention and assessments. The process, carried out successfully, leads to well managed risk control, but not the one genuine, objective solution to the problem of managing risks. Therefore, internal control takes no account of bad decision making and other external events which cause the business to fail. The last condition is the fact that the internal control framework is designed to achieve the three objectives above. These are in focus and thereby the core of the internal control framework (O’Reilly et al., 1992, 9-12).

COSO’s internal control is a framework with three dimensions. The first is the three objectives. The second is the 5 components, which together constitute the approach to internal control. The third dimension considers the organizational structure and activities, e.g. subsidiaries, divisions or functional activities (e.g. purchasing and production) (O’Reilly et al., 1992, 12-16).

Source: (O’Reilly et al., 1992, 15)

Figure 2.12: COSO’s 1992 Internal Control Framework

The figure is perceptually misleading regarding one of the components: Information and Communication. This component relates to both underlying components, risk assessment and control activities. Information and communication is of vital importance to the reliability of the framework’s output (O’Reilly et al., 1992, 14).

Below follows an elaboration of the model. The model is viewed from the bottom and up. The right side and the top side of the cube (the 3 objectives and the units and activities) are included to ensure that every element of the Internal Control framework is considered in accordance with the three objectives as well as the companies’ units and activities. These perspectives are elaborated for each component below.

The five components of Internal Control

The five components are Control Environment, Risk Assessment, Control Activities, Information and Communication and Monitoring. They will be elaborated below.

1. Control Environment The control environment deserves a detailed explanation to understand what it covers. The control environment shapes the context in which internal control is carried out. The control environment consists of the organizational construction of the company in terms of management integrity, ethical values, competence of people, management’s philosophy and operating style, authority and responsibility set-up, organization and development of personnel and attention from the board of directors (O’Reilly et al., 1992, 19).

Integrity is defined by O’Reilly et al. (1992) as management’s preferences, value judgments and management styles. These are interpreted into standards of behavior, often translated to the written medium in a code of conduct for the company. The standards of behavior must be consistent with the company’s ethical values relating to the enterprise, employees, suppliers, customers, competitors and the public. The ethical values, again, are translated to an ethical behavior, written in ethical policies.

Competence of people is comprehended as the management question of how well the tasks in the company should be accomplished (O’Reilly et al., 1992, 22). It is a matter of education, training, experience, hiring considerations, employee responsibility and in the end a cost-benefit trade-off of these aspects. Competence of people is the management’s decision concerning this.

Management philosophy and operating style covers several aspects. The most obvious is how the company is managed, i.e. informal or formal management. Additionally, O’Reilly et al. (1992) see the aspect which in Deloach’s EWRM journey terminology is designated Risk appetite as part of the management philosophy (refer to p. 28 for an elaboration). Management philosophy also relates to the authority and responsibility set-up. The central question in this respect is to which extent employees are encouraged to take initiative and where formal decision-making is carried out. O’Reilly et al. (1992) state that responsibility should not be delegated to an extent beyond what is needed to achieve the business’ objectives. Conversely, the level of responsibility and decision-making must not limit the creativity and initiative, as the relation from those factors to Customer Satisfaction is positive (O’Reilly et al., 1992, 25).

Organization and development of personnel concerns employees’ competences from a Human Relations (HR) point of view. It is closely related to the competence of people above, though the focus of organization and development of personnel is the actual plans for carrying out the management’s decisions on competences. Organization and development of personnel concerns hiring policies, orientation, training, evaluating, counseling, promoting and compensation programs.

The meaning of attention from the board of directors in the internal control context is the need for a board which is involved in making the internal control effective. For this to be a success, critical members external to the company must be represented on the board.

The control environment can differ significantly between the company’s units (divisions, subsidiaries etc.). O’Reilly et al. (1992) state that an ineffective control environment will result in financial loss and potentially business failure (O’Reilly et al., 1992, 26).

2. Risk Assessment The component Risk Assessment is to a great extent identical with step two and three in Deloach’s EWRM journey on page 21. The component consists of establishment of objectives, identification of risks and assessment of the identified risks.

Internal control must, in relation to establishment of objectives, give reasonable assurance that the objectives will be fulfilled. This is done by:

Identifying key success factors and timely reporting to management of performance and expectations

— O’Reilly et al. (1992, 35)

The definition of objectives in “operations” is related to the effectiveness and efficiency of the company’s operations (O’Reilly et al., 1992, 30). O’Reilly et al. (1992) state it as performance and profitability goals. Objectives in the Financial reporting dimension concern provision of reliable financial statements and avoidance of fraud (O’Reilly et al., 1992, 30), including the choice of accounting principles. In the compliance dimension, objectives are set to obtain compliance with laws and regulations in every respect of the company’s business.

When the objectives are set, the next activity of risk assessment is the identification of risks related to the defined objectives. In the Internal Control framework, the risk identification is carried out by considering external risks and internal risks analogous to the risk factors on page 18. Obviously, the risk identification is considered for the 3rd dimension of the COSO 1992 cube as well; both on entity level referring to business units and activity level referring to the activities carried out in the company.

The final activity of the risk assessment is the actual assessment. This is done by considering the identified risks’ impacts on the company and their likelihood of occurrence (O’Reilly et al., 1992, 38), analogous to the assessment in the EWRM journey’s step 3 on page 22.

3. Control Activities The next component of the Internal Control framework is the establishment of control activities to ensure the identified risks are handled. As is the case with the identification process, the control activities are considered on the three objectives dimensions Operations, Financial Reporting and Compliance (O’Reilly et al., 1992, 45).

Control activities are in the Internal Control framework classified as preventive controls, detective controls, manual controls, computer controls and management controls. The idea is to implement controls on every function critical to the achievement of the defined objectives at every level of the organization (O’Reilly et al., 1992, 2). The physical design of the controls can be approvals, authorizations, verifications, reconciliations, performance reviews, asset security and segregation of duties (O’Reilly et al., 1992, 2). The controls are to be considered according to the context of the entity as well as according to the different activities carried out in the company (O’Reilly et al., 1992, 53).

4. Information and Communication As mentioned, the Information and Communication component relates to the previous two components; Risk Assessment and Control Activities. The idea behind explicating the role of Information and Communication in the framework is to provide information for the responsible persons about the risk assessment process and the control activities. The information must concern all three objectives: operations, financial reporting and compliance. Information and Communication can be seen as supporting the responsible persons in managing the activities they are responsible for. As O’Reilly et al. (1992) state it:


Every enterprise must capture pertinent information - financial and non-financial, relating to external as well as internal event and practices.

— O’Reilly et al. (1992, 55)

The component of information and communication ensures the capability of the company to gather data, store the data, process the data and make sure it is communicated. The information must be appropriate, timely, current, accurate and accessible. These characteristics must be satisfied for the information and communication to be useful and for the controls to have effect.

5. Monitoring The last component of the Internal Control framework is the monitoring. As is the case in the general construction of ERM shown in figure 2.7, the internal control approach is completed by monitoring the process. O’Reilly et al. (1992) state that internal control systems change over time, causing the need for monitoring. The aim of the monitoring is to ensure that the internal control framework is continuously effective. Therefore, the monitoring process is an activity of assessing the quality of the internal control framework (O’Reilly et al., 1992, 3), either carried out continuously or by separate evaluations.

Summary

The Internal Control framework provides an approach for companies to satisfy the objectives of effective and efficient operations, reliability in the financial reporting and compliance with laws and regulations, by establishing control activities to ensure that the objectives are satisfied and to avoid fraud, asset loss and inefficiency. The central components of the framework are the identification of possible risks related to the objectives and the establishment of control activities. The internal control framework is based on controls in terms of approvals, authorizations, verifications, reconciliations, performance reviews, asset security and segregation of duties.


2.9 COSO Enterprise Risk Management - Integrated Framework

The Enterprise Risk Management Integrated Framework was published in 2004. At first glance, the difference between the 1992 internal control framework and the 2004 enterprise risk management framework is limited. The five components are extended to eight and another objective, the strategic objective, has been added to the objectives of the framework. The cube is presented below in figure 2.13.

Source: Steinberg et al. (2004, 23)

Figure 2.13: COSO’s 2004 Enterprise Risk Management Framework

However, a closer examination shows that the underlying idea behind the framework has changed. In the Internal Control framework, the idea was to address the risks related to the three objectives by establishing controls. In the Enterprise Risk Management framework, the idea is to address the risks by managing them through risk management strategies and viewing them in an integrated way - consistent with the idea behind the EWRM journey.

The Enterprise Risk Management Integrated Framework is conceptualized in the following seven items.

Source: (Steinberg et al., 2004, 17)

Figure 2.14: COSO’s 7 Concepts of ERM

Four of the seven concepts are similar to the Internal Control framework’s concepts. The first new concept is the condition about applying the ERM framework to the strategy setting. This implies the focus to be on achieving the strategic goals. The second new concept is that the framework applies to every level and unit in the enterprise and the enterprise-level portfolio view. This means that the framework is broader than the Internal Control framework, as it relates to every activity on every hierarchic level of the company, from the strategic planning process to marketing, sales and production processes. This also applied to some extent in the Internal Control framework. However, it was implicitly built in to the framework. In the ERM framework, it is explicitly treated as a regular concept. The third new concept concerns the framework’s objective of identifying potential events affecting the entity and management of the risks within the company’s risk appetite. This concept is from the author’s point of view the most significant change from the Internal Control framework, even though it was mentioned within the components of the Internal Control framework. By stating it as a concept of the ERM framework, it triggers comprehensive considerations about the company’s risk appetite and identification efforts across the company, as well as the new approach; management of the risks identified through risk strategies, carried out as an integrated approach, where the risks are considered interrelated.

This new approach triggers comprehensive considerations about the company’s risk appetite and identification efforts across the company, as well as the new approach; management of the risks identified through risk strategies, carried out in an integrated way where risks are considered interdependent.

The ERM cube is built analogously to the Internal Control cube above. The framework consists of eight components, where the Internal Control framework consisted of five. Furthermore, the cube is reversed, implying the components to be read from the top starting with the Internal Environment to the bottom ending with Monitoring. As is the case with Internal Control, the ERM components must be considered both in relation to the four objectives and in relation to the organizational dimension on entity level, division level, business unit level and subsidiary level, enabling the framework to be applied on every level across the company.

The components are briefly explained below.


The 8 components of COSO’s ERM framework

As can be seen in figure 2.13, the eight components consist of the Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication and Monitoring.

1. Internal Environment The internal environment is the context in which the risk management activity is carried out. It consists of the attitudes of employees towards risk management, the culture of the company, ethical values, management style and risk appetite (Steinberg et al., 2004, 27-34). The attitudes of employees towards risk management is comprehended as the organization’s perception of the significance of the risks in relation to the company’s operations.

It is obvious that the Internal Environment is important in relation to the choice of implementation approach. If the potential impacts from the internal environment are ignored in the development of ERM in the company, the negative effects can be significant, causing the ERM implementation to go wrong and thereby creating huge losses (Steinberg et al., 2004, 34).

2. Objective Setting This component is to a great extent identical with the EWRM journey’s step 2 on page 22.

When a company chooses a given strategy, it normally formulates strategic objectives in the strategic planning process (Steinberg et al., 2004, 35). This component, objective setting, addresses the need for strategic objectives to carry out an effective ERM process. The objectives should be decomposed to business unit level and from here to a functional level (Steinberg et al., 2004, 36). This objective setting approach enables the identification process and thereby the whole ERM process to obtain strategic focus. By decomposing the strategic objectives into measurable subsets, the intention behind ERM, achievement of the overall strategy and hence survival of the company, can be obtained by considering the risks according to the decomposed goals on every organizational level of the company (Steinberg et al., 2004, 36). Since the framework suggests the objectives to be strategic, operations, reporting and compliance, the objectives can advantageously be grouped into these four categories. The strategic objective is implicitly treated according to the argumentation above. Additionally, it is necessary on enterprise-level to consider the overall strategy of the company. Operations objectives relate to the efficiency and effectiveness of the company’s operations (Steinberg et al., 2004, 36). Reporting objectives deal with the reporting activities being appropriate for the intended purpose of the reports, including accuracy and completeness of the reports (Steinberg et al., 2004, 37). Compliance objectives are concerned with the company acting in accordance with market, pricing, tax, environmental, employee welfare and international trade requirements.

An important note is that the strategic focus of ERM does not entail the overall strategy as the strategic dimension to consider. The strategic focus is applied by the decomposition of the overall strategy to business unit level and functional level. However, as mentioned earlier the strategic objectives on overall level are also in focus, as the process applies on entity-level as well.

3. Event Identification The third component of the ERM framework is the Event Identification. As written in the definition section, an event is the potential occurrence of an incident, affecting the achievement of objectives. The identification of possible events is the first step of the framework directly concerning management of risks.

COSO decomposes the events into external and internal factors. The factors are enumerated and explained in accordance with Steinberg et al. (2004, 42).

Source: (Steinberg et al., 2004, 42)

Figure 2.15: External and Internal Events

When the identification has been carried out, interdependencies between the events must be considered. Eventually, the events can be placed in categories analogous to the classification in figure 2.15, to maintain a structured approach in the further steps.

4. Risk Assessment When the events are identified, the next step is to assess the risk. Two terms of risk are introduced by the ERM framework; inherent risk and residual risk. The inherent risk is the risk as it is seen before risk management activity has been applied. The residual risk is the risk remaining after the risk responses have been applied. Therefore, the inherent risk is the risk to be assessed and the residual risk is the risk left when the responsible parties have applied a given strategy to manage it.

Risk assessment is carried out both on the likelihood of the event occurring and the impact of the event if occurring. The practical approach to risk assessment will not be covered in this thesis, as it is a question of operational techniques.

An important perspective of the Risk Assessment is to take an integrated view on the risk portfolio, implying a consideration of correlations between the risks. Risks can by nature be mitigated simply because different risks draw in different directions. An example of this could be the effects of natural hedges. When treated in isolation, natural hedges are not identified, since the events are managed separately. When treated in an integrated way, relations between events must be treated, enabling identification of natural hedges.

5. Risk Response The risk response is similar to the develop strategies part of the EWRM journey (step 3). The risk responses in the ERM framework are classified in 4 groups: Avoidance, Reduction, Sharing and Acceptance (Steinberg et al., 2004, 55). Avoidance is obvious; completely remove the possibility of the event occurring. This can be done by the choice of leaving a market, stopping the production of a product etc. Reduction is the strategy of implementing a response to reduce the likelihood of the event occurring, reduce the impact of the event or both. An example of this could be to ensure having at least two suppliers of raw materials (impact reduction if one supplier goes bankrupt) or a more reliable machine (likelihood reduction if the event is breakdown of the machine). Sharing is the strategy of transferring a part of the risk to another party. This is done when buying insurance. Acceptance is the strategy of doing nothing. Accepting the risk can be the response in some cases where the company chooses not to do anything, e.g. if the cost of another risk response exceeds the benefit of doing it.

It is necessary to maintain the integrated view in the risk response process as well, as the risk response can influence other risks in the risk portfolio (Steinberg et al., 2004, 59). After all risk responses have been set up, it will be possible for the management to assess the new risk position by preparing a residual risk report.
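The risk assessment and risk response components described above can be sketched as a small residual risk report. The Python code below is an added example, not taken from the thesis or from COSO; the register entries, the yes/no loss model (expected loss = likelihood × impact), the correlation value and all function names are constructed assumptions.

```python
import math
from dataclasses import dataclass, replace

RESPONSES = ("avoid", "reduce", "share", "accept")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float               # probability of the event in the period, 0..1
    impact: float                   # loss if the event occurs, in currency units
    response: str = "accept"        # one of RESPONSES
    likelihood_factor: float = 1.0  # "reduce": share of the likelihood that remains
    impact_factor: float = 1.0      # "reduce": share of the impact that remains
    shared_fraction: float = 0.0    # "share": part of the impact borne by another party

    def expected_loss(self):
        return self.likelihood * self.impact

    def loss_std(self):
        # Assumed model: the event either happens once in the period or not at all.
        return self.impact * math.sqrt(self.likelihood * (1.0 - self.likelihood))


def residual(risk):
    """Return the risk that remains after the chosen response is applied."""
    if risk.response == "avoid":
        return replace(risk, likelihood=0.0)
    if risk.response == "reduce":
        return replace(risk,
                       likelihood=risk.likelihood * risk.likelihood_factor,
                       impact=risk.impact * risk.impact_factor)
    if risk.response == "share":
        return replace(risk, impact=risk.impact * (1.0 - risk.shared_fraction))
    if risk.response == "accept":
        return risk
    raise ValueError(f"{risk.name}: unknown response {risk.response!r}")


def aggregate_std(risks, correlations):
    """Integrated view: sqrt(sum_i sum_j rho_ij * s_i * s_j); rho defaults to 0."""
    total = 0.0
    for i, a in enumerate(risks):
        for j, b in enumerate(risks):
            rho = 1.0 if i == j else correlations.get(frozenset((a.name, b.name)), 0.0)
            if not -1.0 <= rho <= 1.0:
                raise ValueError(f"correlation out of range for {a.name}/{b.name}")
            total += rho * a.loss_std() * b.loss_std()
    return math.sqrt(max(total, 0.0))  # guard against tiny negative rounding


def residual_risk_report(risks, correlations):
    """Compare inherent and residual risk, isolated and integrated."""
    after = [residual(r) for r in risks]
    isolated = sum(r.loss_std() for r in after)      # each risk managed separately
    integrated = aggregate_std(after, correlations)  # portfolio view
    return {
        "inherent_expected_loss": sum(r.expected_loss() for r in risks),
        "residual_expected_loss": sum(r.expected_loss() for r in after),
        "isolated_std": isolated,
        "integrated_std": integrated,
        "hedge_and_pooling_effect": isolated - integrated,
    }


# Constructed register: one entry per response type named in the text.
REGISTER = [
    Risk("Sole supplier goes bankrupt", 0.10, 2_000_000, "reduce", impact_factor=0.5),
    Risk("Machine breakdown", 0.20, 500_000, "reduce", likelihood_factor=0.5),
    Risk("Warehouse fire", 0.01, 10_000_000, "share", shared_fraction=0.9),
    Risk("Loss-making market", 0.30, 1_000_000, "avoid"),
    Risk("USD weakens (receivables)", 0.30, 400_000),
    Risk("USD strengthens (payables)", 0.30, 400_000),
]
# Constructed correlation: the two currency events draw in opposite directions.
CORRELATIONS = {
    frozenset(("USD weakens (receivables)", "USD strengthens (payables)")): -0.4,
}

if __name__ == "__main__":
    for key, value in residual_risk_report(REGISTER, CORRELATIONS).items():
        print(f"{key:28s} {value:14,.0f}")
```

The gap between `isolated_std` and `integrated_std` is what an isolated treatment of each risk would miss; the negative correlation between the two currency entries plays the role of the natural hedge.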


6. Control Activities According to the ERM framework, it is not enough to carry out risk responses. To ensure that the responses are effectuated, control activities must be set up. The controls are grouped in six categories: top level reviews, direct functional or activity management (management’s review of their areas of responsibility), information processing (accuracy and completeness of information), physical controls, performance indicators and segregation of duties. The framework also considers controls in information systems, and application controls related to completeness, accuracy, authorization and validity of data capturing and processing (Steinberg et al., 2004, 65).

7. and 8. Information & Communication and Monitoring The last two components, information & communication and monitoring, are only briefly described. The two components are to a great extent adopted in the ERM framework for the same reasons as they are in the Internal Control framework. Information and communication must be present for the responsible parties to be able to carry out the ERM process. Information and Communication is thereby an enabler of responsibility. If no persons know what to manage and have no information on which directions the activities are going, it will be unreasonable to demand any responsibility from them. Furthermore, another implication of the communication is to ensure stakeholders get knowledge about the risk management activity. If a company is required by a stock exchange to do risk management, their way of conducting it must be communicated.

Monitoring relates to all components in the ERM framework. Monitoring of the ERM process must be carried out over time, to ensure that the system is effective. As is the case in the Internal Control framework, the monitoring can either be carried out on a continuous basis or as recurrent separate evaluations.

Summary

The ERM Framework cannot be considered as a simple development of the Internal Control framework. The underlying idea of the framework has changed from a control view to a proactive management of risk view. Moreover, the management of risk is considered from an enterprise-wide perspective with an integrated view on the risk portfolio, ensuring interdependencies to be identified. The ERM cube itself looks to a great extent similar to the Internal Control cube, but the objectives and approach are fairly different.


2.10 Risk Management Standard AS/NZS 4360:2004

Another standard for risk management developed in Australia is the AS/NZS 4360:2004. This section will give a brief overview of the standard.

Source: (Dale F. Cooper, 2007, 1)

Figure 2.16: AS/NZS 4360:2004

AS/NZS 4360:2004 can be considered an ERM standard, as it satisfies the definition of ERM; an activity of risk management from a holistic, enterprise-wide viewpoint. The purpose of the standard is to reduce the barriers to achieving the business objectives (Dale F. Cooper, 2006, 2). The standard is illustrated in figure 2.16.

The Australian standard defines risk as The chance of something occurring that will impact objectives (Dale F. Cooper, 2006, 1). The definition implies risks to be related to a set of objectives. Not necessarily the strategic objectives, but in an enterprise context, the strategic objectives would be reasonable to use.

The main components of the model are to some extent identical with the ERM framework. It consists of Establishing the Context, Identifying risks, Analyzing the risks, Evaluating the risks and Treating the risks. Communication and consulting as well as monitoring and reviewing are related to all components.

Below, the 7 steps of the standard are described.

1. Establish the Context The context is described in the AS/NZS 4360:2004 standard as Objectives, Stakeholders, Criteria and Defining Key Elements. As is the case in the ERM framework’s approach, AS/NZS 4360:2004 starts at the objectives of the enterprise. It is necessary to know the objectives and know how they are decomposed into objectives on lower levels of the organization. When the objectives are known, the standard recommends focusing on stakeholders potentially influencing the objectives. Risks are bound closely to the stakeholders and their individual objectives. According to the standard it is easier to identify potential risks when the stakeholder groups and their individual objectives are known, and when it is known how the stakeholders are related to the company’s own objectives (Dale F. Cooper, 2007, 2).

After the stakeholder analysis, the risk management process must considersuccess criteria bound to each objective. The success criteria are the measureused to evaluate whether the objectives are met or not.

The last consideration of Establish the Context is the definition of key ele-ments. Key elements are the elements created by a break-up of the enterprise.These are topics of the enterprise’s overall activities used as basis for the rest ofthe risk management activity.

2. Identify the risks The next step of the standard is to carry out risk iden-tification. It is necessary for the risk management to be effective not to takea generic checklist approach to the risk identification, as such an approachdoes not consider company specific structures. Therefore, the risk identificationmust be a comprehensive, thorough activity. The risk identification is based onthe subdivision of the context, which was the result of the Establish the Contextstep.

3. Analyze the risks The risk analysis is based on an assessment of the like-lihood and impact. The underlying approach behind the assessment can varya lot, though. In simple contexts, the approach chosen can be of qualitativenature. In risk scenarios of greater complexity with interrelated events, the ap-propriate approach can be advanced simulations or scenario analyses (Dale F.Cooper, 2007, 4). No generic approach is appropriate in every given situation.

4. Evaluate the risks This step is carried out to compare the identified risksand their appertaining impact and likelihood with the organization’s priorities(Dale F. Cooper, 2007, 4). If the outcomes from the previous step, risk analysis,are considered wrong, the likelihood and/or impact can be changed. The out-put from this step is a list of the risks and their importance with respect to theorganization.

5. Treat the risks As is the case in the ERM framework, the step after theassessment of the risks deals with treatment of the risk; the preparation of risk

42

Page 51: Enterprise Risk Management Incentives and Practices in three Danish companies

2.11 Summary

responses. The risk treatment in AS/NZS 4360:2004 covers both proactive plan-ning and recovering plans if the events are occurring.

6. and 7. Monitor & Review and Communicate & Consult The monitoring& review and the communication & consultation are supporting activities re-lated to every one of the above steps. The monitoring must lead to a reviewof each step over time, to ensure an effective approach. Communication is theenabler of the risk management process. It is stated as needed to give adequateopportunity to the implicated people to carry out the risk management activity.

2.11 Summary

As stated in the beginning, the thesis is not taking a specific risk management standard, or framework, as focal point. ERM is considered from a general point of view and it is clear from the previous sections that it can be carried out in different ways. The Internal Control framework is not considered as ERM, but is included both to show the development of the risk management approach from the 1990s until today, and also to see how COSO has developed the approach of Risk Management in an integrated, enterprise-wide direction. Both the ERM framework and the AS/NZS 4360:2004 standard are considered as ERM approaches. Even though their approaches are different, the underlying ideas are to a great extent similar.

Chapter 3

The study

If we knew what it was we were doing, it would not be called research, would it?

— Albert Einstein

3.1 Methodical Procedure

The study is carried out in accordance with the methodology stated in section 1.7. It is conducted as a case study, based on interviews with three companies. The case study design and analytical approach are based on Yin (2003) and Kvale (1997). The motive for carrying out a case study based on qualitative data is to conduct a study as consistent with the ontological conviction as possible. As structures and mechanisms are influencing how ERM is implemented in the real domain (refer to section 1.7 for an elaboration), it is of vital importance to design the study so that these structures will be identifiable. As Yin defines the scope of the case study:

A case study is an empirical inquiry that investigates a contemporary phenomenon within its real-life context, especially when the boundaries between phenomenon and context are not clearly evident.

— Robert K. Yin

This is exactly the situation in this study. The boundaries between the ERM programs and the context within the companies are not clearly evident. Why the companies choose to make use of ERM the way they do cannot be clearly isolated from the structures and mechanisms that rule within the context, or within the real domain.

This approach and conviction imply that the objective of the study is not to provide generalizable findings. It does not make sense to search for empirical knowledge that can be generalized to some kind of “population”. As the actual domain where generalizable knowledge can be found is, in the real domain, influenced by structures and mechanisms which are situation-specific, the aim of the study is to identify and describe the structures and thereby create new knowledge from the existing knowledge in the field, enumerated in the theory, chapter 2.

3.2 Research Propositions

The study’s propositions (Yin, 2003, 22) rely on existing theory on ERM. Researchers have to some extent focused on the area of ERM implementation and reasons for implementing ERM. Though nothing is found regarding ERM implementation in Danish companies, the international findings are used as basis for the propositions (the initial propositions based on existing literature alone are shown in appendix C). With respect to the differences that possibly exist between structures in an international context and Danish companies, a preliminary expert interview is carried out with a key figure in the Danish consultancy business (Neergaard, 2001, 30). The resulting propositions, developed by combining the existing literature and the preliminary study, form the expectations about the structures of decisive importance influencing ERM in the actual domain.

The Research propositions are:

P1 The board and management’s attitude towards ERM. If the board and management’s attitude towards ERM is positive, the company is more likely to start implementing ERM.

P2 The business. If the business is regulated with regard to risk management, e.g. demanding controls in the production processes, which is the case in the medical sector, the company is more likely to start implementing ERM. The structures of non-regulated sectors (e.g. technology-driven) are also expected to influence the choice of implementing ERM. Hence, the business influences the companies’ tendency to implement ERM.

P3 Compliance. If a company must carry out risk management to be in compliance with requirements, regardless of whether it is a written or unwritten requirement, the company is more likely to implement ERM.

P4 Structure of ownership. If a company is a public limited company, it is expected to be more likely to implement ERM. The reason is partly that several stock exchanges require, at a minimum, that companies traded on the exchange respond to risk management (the “comply or explain” principle), whether they do it or not, and partly to meet the shareholders’ interests.

P5 Event driven. Companies that have been exposed to cost-intensive events are more likely to use ERM after the events have occurred.

P6 Relative position in relation to competitors. If competitors use ERM, the company is more likely to start implementing ERM.

P7 Size and growth rate. If a company is growing heavily, through increase in turnover or growth from M&A activity, the company is expected to be more likely to implement ERM.

The propositions can be read as generalities, though they are not meant as such. The propositions are meant as an assessment of structures that can be expected to influence ERM in the actual domain, and not propositions of generalities.

Therefore, the approval or denial of the propositions will not be generalizable to a population, as that is not the purpose of the study. The approval or denial will show how the structures influence the case companies and thereby provide new knowledge about ERM in the actual domain.

3.3 Design of the Study

The propositions are stated. The next stage is to prepare an appropriate design of the study. The design of the case study used in the thesis is outlined below.

Case Definition

It is clear from the research question in section 1.1 that the appropriate unit of analysis, i.e. the case, is an entity that gives the best possibility for the study to illuminate how ERM is implemented in Danish companies (Yin, 2003, 24). Yin states the case to be, in the classic case study, an individual (Yin, 2003, 22). It could be the CFO or the risk manager etc. However, in this study the case is not an individual. The reason for this is that Danish companies possess a great deal of variation in the organization of the risk management activity. It is not possible to limit a case to one single individual who can give the best basis for answering the research question in every single company. Therefore, the case is defined more broadly.

Case definition. A case in this study is a company in the top 100 of the biggest Danish companies, measured by net income. The ownership of the company and the number of employees are of no importance. If the company is a holding or parent company, the case is viewed as the whole group.

Applied in the study, it means that the entity, the case, is a company as a whole. The type of informants used to obtain knowledge about the case can vary. It is clear that the informant will be one or several individuals with knowledge about Risk Management in the case company. But as a result of the broad case definition, the position of the informant in the company can vary. In some cases it can be a CFO, in other cases it can be risk managers, etc. In addition, data collection is not limited to interviews alone. The data can also be written material from the company. This implies that every data source is of a qualitative nature. Even though documents quantitatively describe something related to risk management in the case, the objective of the study is to gain thorough knowledge about structures in the actual domain. Quantitative data will therefore be assessed qualitatively to support the objective of researching structures in the actual domain.

Case Selection and Evidence

The study is based on three cases. This section will explain the case selection, reasons for selecting the three cases and how the evidence is collected.

Case Selection

The reason for selecting three cases is not to provide a multiple case study used to make literal or theoretical replications, but to provide different patterns and thereby a broader view of the subject (Yin, 2003, 47). One case would provide knowledge, but the knowledge provided from three different cases will broaden the knowledge of structures influencing the implementation of ERM. This means that the conclusions are more reliable than if the study was carried out as a single case design (Yin, 2003, 46). Verification, reliability and validity criteria are considered after the findings. The holistic case study with multiple case designs (refer to figure 3.1) is carried out to explore the global nature of the organization (Yin, 2003, 43). One can argue that the setup is embedded, as two interview persons are present in two of the three cases. But as only one interview is held for each case, whether it involves one or two interview persons, it tends to follow the holistic design.

Source: (Yin, 2003, 40)

Figure 3.1: Design of Case Study

As can be seen in the figure, each case acts in its own context. The cases selected differ in business and hence core service, production complexity and customer group. The ownership structures also differ. The reason for the diversity found in the cases is to make it possible to identify structures influencing ERM across different patterns in companies.

Evidence

The present case study is based on evidence collected from interviews with key personnel in the case companies. The interview method is described by Yin as one of the most important sources of case study information (Yin, 2003, 89). In this study, interviews are seen as the method with which the best information in relation to the subject is provided.

The design has been set up to satisfy the three principles of data collection (Yin, 2003, 97), where it is possible. The principle of using multiple sources is followed by interviewing two individuals at each case. In Case 1, though, it was not possible to interview two persons. Therefore the data in Case 1 must rely on a single source, whereas Case 2 and Case 3 are a triangulation from two sources of evidence. To provide a more reliable analysis in Case 1, the findings are validated by the interview person after the analysis has been carried out. Principle 2, create a case study database, and principle 3, maintain a chain of evidence, are both satisfied by using the IT software application for qualitative analysis, NVIVO. The software is engineered to provide the methods for doing qualitative research with as many degrees of freedom as possible. It is to a great extent customizable, which enables its use in a lot of different scenarios of analysis. It provides the possibility of keeping the data itself, the analysis documents and reports from the analysis separated, and maintains the chains of evidence by keeping the steps from the research questions to the conclusions traceable. This enables a reliability check (Yin, 2003, 105) by an external observer.

Case Description

The three case companies are described below. To be in accordance with the cases’ anonymity demands, it is not possible to fully describe the companies. An overview of the cases is found below. The cases are designated case 1, case 2 and case 3.

Case 1. The company is a large food supplier. It produces the food itself. The majority of its production is exported to other countries. Case 1 owns its own insurance company, which holds all of Case 1’s insurances. Case 1 is owned by the suppliers, who apply for membership of the association. When the membership is gained, the suppliers have more or less the same rights as shareholders in a public limited company.

Case 2. The company is a large producer of machinery. Its production is located in several places around the globe and it covers the whole world. Most of its activity is outside Denmark. The company is a public limited company, traded on the OMX Nordic Exchange.

Case 3. The company produces a special product. It focuses on a niche market. Case 3 produces the products in Denmark but is opening production departments in other countries at the moment. It is a joint-stock company, though it is not traded on a stock exchange.

3.4 Analytical Framework

The case study design has been explained above. In this section, the analytical framework is detailed. This means that both the theoretical and applied dimensions of the analysis are covered below.

Analytic Strategy

The strategy of the analysis is based on Yin’s methodology. The strategy used in this thesis is one of Yin’s three analysis strategies, designated Relying on theoretical propositions. This strategy is chosen to provide a structured analysis with respect to the theoretical structures explained in the research propositions outlined in section 3.2 (page 45). The approach is to maintain emphasis on the research propositions and find evidence in the interviews to accept or reject the propositions. The trade-off in choosing this approach is that the analysis framework does not support the potential appearance of other structures in the context of the study carried out (Yin, 2003, 112). To respect other possible structures, the strategy is combined with Kvale’s interview approach, explained below. When the two methods are used together, they provide the theoretical focus on research propositions and also enable other structures to appear in the analysis.

The approach of Relying on theoretical propositions is a pattern matching technique. The research propositions are the predicted patterns, or structures, and the objective of the pattern matching technique is to match the predicted ones to the empirical patterns found in the case studies (Yin, 2003, 116). The approach prepared by Steinar Kvale relies on the explanation building technique (Yin, 2003, 120). The aim of this technique is to use the interviews as the starting point and build the structures influencing the study area from them. It creates the opportunity to explore context-specific structures not mentioned in the research propositions.

The practical approach used to support the chosen analytic strategy is outlined in the section Method of Analysis (page 51).

Method of Analysis

The method of analysis follows Kvale’s seven stages in an interview investigation (Kvale, 1997, 95). The stages are as follows.

Source: (Kvale, 1997, 95) customized to the present study

Figure 3.2: Seven Stages in an Interview Investigation

The seven-stage technique ensures that the analysis is carried out in a structured way and enables the researcher with little qualitative research experience to provide a reasonable and, combined with the chain of evidence principle (Yin, 2003, 105), reliable analysis.

3.5 Construction of Interview Guide

For an interview guide to support the case study successfully, several dimensions must be considered. One is the degree of openness in the interviews: does the interview guide set the stage for an exploratory interaction between the interviewer and the interview person(s), where the interview persons can provide their own attitudes to the study area? Or is the interview guide constructed in such a manner that the interview persons are expected only to answer a predefined set of questions and not provide their own insight? In this study, the interview guide is prepared to support an interview context which is kept as open as possible, with respect to the interviewer’s experience with interviews. This means that the interview guide is prepared as semi-structured, with some themes which must be covered and open questions under the themes. The interview guide is prepared with respect to the thematic treatment of the study area and the dynamics between the interviewer and the interview person. Both dimensions are weighted, to support a positive interaction between interviewer and interview persons and to obtain the best information possible with regard to the interview scenarios.

The thematizing is made by keeping the operationalized questions within a theme together to ensure that the theme is fully covered in the interview situation. The dynamism is maintained by considering how the questions are perceived and aligning the interview guide with a briefing at first, the interview starting with easy questions, harder questions in the middle, and easy questions at the end of the interview. The interview is ended with a debriefing, where the themes covered are outlined and a private conversation between the interview persons and the interviewer is possible (Kvale, 1997, 134). As the interview is not of a personal, psychological nature and the interview persons are experts on the study area, it is expected not to be hard to maintain the dynamism during the interview.

The interview guide for the preliminary study and the interview guide used in the case study are illustrated in appendix D.

Objectivism in Interviews

The traditional criticism of qualitative studies and interviews is the lack of objectivity (Kvale, 1997, 72). This is, from the author’s point of view, an effect of paradigmatic affiliation. It is not the aim of the present study to provide objective, generalizable knowledge from the study, as this type of knowledge relates to the actual domain, not the real domain as this study emphasizes, according to the theory of science section in chapter 1.

Some researchers discuss whether objectivism is a subjective term, as objectivism can be defined as intersubjective agreement (Kvale, 1997, 72). By adopting this understanding, the aim is not to provide objectivism; it is a question of the degree of intersubjective agreement. This intersubjectivism can be seen as two different methods of agreement: arithmetic intersubjectivity and dialogic intersubjectivity (Kvale, 1997, 73). To obtain knowledge about structures in the real domain, the dialogic intersubjectivity is a strong method of agreement, in accordance with the critical rationalism. The method is to obtain intersubjective agreement through rational dialogue between researchers or researcher and interview persons (Kvale, 1997, 73-74). This is central to knowledge creation in the interviews.

3.6 Transcription

The transcriptions of the interviews are made as close to the oral expressions as possible. As mentioned, written texts are based on some other linguistic rules than the oral language. This implies that a totally exact transcription will depict the interview persons as less intellectual than is the case, as the rules of the oral language make little sense in written texts.

To exemplify this, a totally exact transcription is shown below, though in Danish.

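Så jo lovgivningsmæssigt er vi øøh er vi øøh er vi meget fokuserede øøh og øøh men men det er ikke anderledes for os end det er for alle mulige andre virksomheder, Niels. Altså indenfor for alle områder er der jo sådan noget når nu snakker case 1, jamen hele føve fødevarersikkerhedsområdet er jo lige så enormt øøh i den henseende. Så øøh øøh så det er det er ikke så meget anderledes.

(English translation: So yes, in terms of legislation we are uhm we are uhm we are very focused uhm and uhm but but it is no different for us than it is for all sorts of other companies, Niels. I mean within within all areas there is this kind of thing when now talking case 1, well the whole foo food safety area is just as enormous uhm in that respect. So uhm uhm so it is it is not that much different.)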

— Case 3, 73 min. and 27 sec.

In the transcriptions, the most significant differences between the spoken and written languages are changed with regard to how the interview persons are depicted. However, this is done only where it does not compromise the meaning, or interpretation, of the context.

The above example is changed to the following in the transcription.

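Så jo, lovgivningsmæssigt er vi [kort pause] meget fokuserede. [kort pause] men det er ikke anderledes for os, end det er for alle mulige andre virksomheder, Niels. Altså indenfor alle områder er der jo altså; når du nu snakker CASE 1; hele fødevaresikkerhedsområdet er jo lige så enormt i den henseende. Så det er [kort pause] det er ikke så meget anderledes.

(English translation: So yes, in terms of legislation we are [short pause] very focused. [short pause] but it is no different for us than it is for all sorts of other companies, Niels. I mean, within all areas there is, you know; when you now talk about CASE 1; the whole food safety area is just as enormous in that respect. So it is [short pause] it is not that much different.)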

— Transcription of Case 3, page 23

Transcription reliability can be tested when two persons transcribe each interview and an IT application is set up to compare the transcriptions and calculate a similarity level. However, the reliability of the transcription is not testable, as only one person transcribes the interviews. Yet, this does not imply that the reliability dimension is ignored. Using the IT application SoundScriber, the sentences are repeated a number of times. The writer can then, by listening to the repeated interview, test the reliability of the written sentences within the transcription process.

With reference to the anonymity demands, some parts of the transcribed interviews are left out or changed. The parts where this is applied are written in square brackets.

An example of a transcription combined with the following coding can be found in appendix E. The entire transcriptions are attached electronically in appendix A.

3.7 Analysis Technique

Analysis of qualitative data can be hard to structure, as the technique to be used often will vary between studies (Yin, 2003, 110). The chosen technique must be in accordance with the analytic strategy. In this study, the analysis technique is as follows (Kvale, 1997, 186-202).

Source: (Kvale, 1997, 186-202) customized to the present study

Figure 3.3: The Analysis Technique

As figure 3.3 shows, the analysis is based on the transcriptions of the interviews.

Structuring the transcriptions is the process of finding a good structure in the data for the analysis to be carried out and to enable the chaining of the information used to extract findings with the raw data in the interviews. Enabling the findings to be split into the cases where they are found is also a matter of structuring the data. In the present study, this is done in the IT application NVIVO, as mentioned.

The themes in step two must be prepared in accordance with the research question and the operationalized questions. This means that the thematization must fulfill the aim of providing data about ERM structures in the case companies. Thematizing is the process of extracting data strings about the themes from the transcriptions and thereby providing arrays of themes, containing the information available in the transcriptions about the actual theme. This way of using the thematization is a narrative form in accordance with the next step: the condensation of the themes.

The condensation is the next step in the technique towards the findings. This implies taking the extracts of data within the themes and writing a condensed text, which concludes on the categories. The end product of the condensation is a set of narratives describing the categories found in the analysis.

The condensations equal the findings of the analysis. The very last step of the analysis is to transform the condensed texts into the findings to make a conclusion on each case and on each theme in the study. This step is carried out with reference to the research propositions. The findings are a summary of the analysis, presented as a narrative. It is found in chapter 4 and provides the knowledge obtained in the study.

Example of Thematization and Condensation

The processes of thematization and condensation are made less complicated by the support of IT. When the transcription documents are read with the purpose of thematizing, the texts are split into themes, where the themes are treated in the text. This process is called coding. The codes consist of the theme and the part of the text covering the theme. The entire process of thematization and condensation is carried out in NVIVO. The coding process in NVIVO is shown in appendix F. When the coding of the texts is done, the text pieces within the themes can be extracted to see the entire text a given theme contains. This provides control of the vast amount of data from the transcriptions. The texts within each theme are attached electronically in appendix A.

Arranging the data and themes this way makes the analysis less complicated. When the data is arranged in the themes, the themes constitute the underlying basis for the condensation. The condensation is the process of writing the parts of the transcriptions underneath each theme into one single narrative about the given theme. The condensations are, as mentioned, the sections that all together constitute the findings chapter.

3.8 Verification

To verify the findings in a qualitative study, several quality criteria must be met. In the present thesis, this is done in chapter 4 after the findings are reported, and will not be covered here.

3.9 Reporting

The last step of the seven stages in an interview investigation, figure 3.2, is the reporting of the findings. It is done according to the standards of reporting research in the sociological sciences and provides the data supporting the findings of the study. That is: thoroughly explaining how the study is conducted, describing the applied analysis framework, providing the evidence supporting the findings and publishing the results in a paper available to other researchers.

As mentioned, the seven stages in an interview investigation are followed to provide a structured way of carrying out the analysis to ensure that the study has academic validity.

Chapter 4

Findings

There is nothing like looking, if you want to find something. You certainly usually find something, if you look, but it is not always quite the something you were after.

— J.R.R. Tolkien

The present chapter will account for the findings in the study. It will consist of two overall foci. One is today’s ERM practice; the other is the structures influencing the choice of ERM as a management tool.

4.1 Use of ERM

The investigation of the three case companies shows several interesting points. The author’s preunderstanding of ERM was that ERM would be a generic management tool containing a set of steps to be carried out for the ERM process to be implemented. This understanding entails that an implemented ERM process looks more or less identical across different companies.

Implementation of ERM

The study shows that when the case companies choose ERM as their risk management approach, they take a broad view on the frameworks of ERM and modify the models to benefit the companies’ present situation. This means that the companies, when starting the implementation of ERM, to a great extent make a custom implementation of the models chosen. They do a critical assessment of components in the models and locate the elements of ERM which will match the companies’ current situation and thereby contribute to the management control systems. If components of an ERM model do not fit in the company, they redesign the component, leave it out, or use a component from another ERM approach.

This is exemplified in Case 2 and Case 3. Case 2 states that their ERM implementation occurs where it is needed in the company.

.. it (the implementation of ERM) is to a great extent driven by the needs occurring. In any case not driven by corporate governance, opposite to the example from Coloplast. It is the worst selling point one can find to an organization as CASE 2. It is driven by the needs occurring, and for this reason, it will take place where the need is greatest. And as Risk Management have all-round skills, such needs occur around in the company..

— Transcription of Case 2, p. 12 (translated)

..Several tools and several standards exist, some of which describe a report form. The sustainability report is not based on a systematic ERM reporting, as we are developing such a reporting at the moment.. We construct it from our needs. Our strategies. Of course with input from the respective standards, but we do not construct it based on a single standard. And I think that is important to make clear, because we don’t believe one single standard can fulfill the needs of a company. Companies are too special.. ..we are very focused on that it must be something that fits our stakeholders and owners and the way we want the company to be operated in the years to come..

— Transcription of Case 3, p. 13 (translated)

This customization of the ERM process implies that companies to some extent follow a framework, but it is customized to fit the situation the company acts in. For this reason, ERM is not a generic tool when applied in companies. Generic approaches exist, but they are customized to fit the companies’ needs, at least in the contexts of the case companies.

Another consequence of the implementation customization is that the line between traditional risk management and ERM is not clear. One cannot classify the risk management process of a company as ERM by looking at the formal description of the risk management process alone. The risk management process in a company cannot be reduced to a consideration of two possibilities; either ERM or not. The question of whether a company uses ERM or not tends to be an assessment of where on a continuum between “traditional risk management” and ERM the company is. To do so, it is necessary to obtain comprehensive knowledge of how the elements constituting a risk management process in the company are carried out and how the structure behind the risk management process looks. By obtaining this comprehensive knowledge about the risk management elements, it will be possible to assess whether the company does ERM or not. The assessment is based on to what extent a company follows the guidelines by using the risk management process to support the strategy and to manage the company on the top-level. If a company is in a position where they actively use risk management to support and achieve the strategic goals, it is considered as using ERM from the author’s point of view. If a risk management process consists of the elements of an ERM approach, but is not used to support and achieve the strategic goals, it is not considered as ERM. In other words, designating the risk management process in a company ERM does not necessarily mean that the process is a concrete ERM approach.

4.2 Risk Management Practices in the Case Companies

In this section, the risk management practices in the case companies are detailed. As mentioned in the prior section, there is a tendency to customize the ERM process and only make use of the parts which fit the companies’ situations. This can be seen in the descriptions of ERM practices below.

Risk Management in Case 1

From an overall point of view, case 1 considers their business as managing risks. They consider the economic results from their operations as residuals of the risks they choose to undertake, e.g. new markets or new customers.

Risk management in case 1 is carried out in three activities: financial risk, insurable risk and the remainder, business risk. The risk management activity is organisationally positioned in a financial department and an insurance department. The finance department deals with interest rate risk, currency risk and other financial risks. The insurance department deals with all insurable risks such as fire, workplace injuries etc. In relation to this, the company owns their own insurance provider, dealing with case 1’s insurances alone. The business risks are dealt with by the board. When a new strategy is formulated or the budget has to be approved, the board considers and assesses risks related to that. When the company decides to enter a new market, the risks related to this decision are assessed. This activity is solely carried out at the board. The overall responsibility for the risk management activity is placed at the CFO of the company.

In relation to reporting the risks, the CFO dedicates one board meeting a year to present the risk management. The company does not have a formal reporting from the departments to the CFO and onward to the board. The CFO collaborates with the departments that are managing risks continuously. The main reason why case 1 follows certain requirements when dealing with risk management is merely to gain access to the markets in which they act. For instance, the reason for them to obtain the Danish food approvals is for them to get permission to sell their products on the Danish market. The interview person states it this way.

..We only comply with the rules to get permission to export our products to the country where they apply. We only comply with the environment regulations because we want to run a company in Denmark..

— Transcription of Case 1, p. 7 (translated)

The company does not follow a certain risk management approach; they have the composition described above, which means they cover the financial, compliance and insurable risks as well as their strategic risks. The danger of not using a specific approach is that the company’s risk management focus can become, at least to some extent, arbitrary as the complexity grows. They manage risks related to the activities they find important themselves. As mentioned, it is unusual for a Danish company to have an implementation of ERM following the approach precisely. Companies take what they find useful in the context of their business and modify the ERM approach to benefit their company. When comparing case 1’s risk management activity with ERM, it is clear that the company does not follow this approach. They have some of the same considerations, as they focus on risks related to the survival of the company; the strategic risks. However, the possible benefits from the integration of the risk management activity, as is the thought behind ERM, are not realized in case 1. They consider some of the same aspects, but in a more desultory way than if they had followed the ERM approach. This is not to say that their approach is less effective. It can easily be the case that the way case 1 carries out their risk management activity is benefiting their company to the same degree, or even a greater degree, than if they used ERM. The risk is for them to ignore ERM and not to explore the possible benefits from this approach. The focus would be to assess ERM and extract the potential beneficial activities from ERM in their context, and thereby use what is reasonable, if any aspect of the ERM approach is considered in the context of case 1. An example of where case 1’s present risk management process could benefit from the ERM approach is given in the following quotation.

..You can analyze the probability of a power breakdown in Denmark. But where is the limit for your considerations? Some elements exist where we say; we choose not to pay attention to this because we live in Denmark. If we ran a factory in Nigeria, we would face power breakdowns daily. Then it would be more appropriate to consider the circumstance. It is obvious; it depends on the probability for it to happen. And there is no reason for every factory to waste resources on the consideration, if we assume from the headquarters, that the electricity supply in Denmark is reliable. Then, there is no reason for me to contact the factories and ask them what the cost of a power breakdown would be.

— Transcription of Case 1, p. 14 (translated)

The above example shows that the assessment of the risk is already carried out before the identification of the risk is done. Maybe the interview person assesses it wrongly. It is correct that the power supply in Denmark is reliable, but that does not imply it to be irrelevant. If for example a power breakdown would be critical to the adherence to a factory’s budget, it would be a relevant consideration. The power breakdown should not be viewed in isolation; the knock-on effect from it should also be considered. If a power breakdown causes a delivery to be late, it could release consequence costs or in worst case the loss of a customer. Then, the assumption made centrally would remove the control from the factory’s manager, which is not the intention. An ERM process would enable the company to identify such knock-on effects and thereby provide a better assessment of the risks.

When discussing the practical procedure, the interview person states case 1’s approach to risk management to be aligned in a control environment approach. Case 1 has a “case 1 control environment”, approved by the board. It states the areas important for case 1 to control and how it is controlled across the organization. Furthermore the board receives a control environment report annually stating the condition of the controls implemented through the case 1 control environment.

The conclusion on the above description of risk management in case 1 is that they do not follow the ERM approach, even though they do have the strategic focus in their risk management activities. Case 1’s risk management approach is to a greater extent similar to the Internal Control approach, even though they do consider risk response strategies more thoroughly than the internal control framework implies.

Risk Management in Case 2

Risk management in case 2 is carried out not only in the financial and insurance risk management dimensions, but also for risks related to the operations, sales, products and product development and achievement of the strategic goals. The main responsibility for risk management is placed in the group finance department located in the corporate functions division. Responsibility for the separate activities within risk management is placed at the unit that carries out the activity.

The risk management activities are carried out as a decentralized process, spread all over the company. Risks related to production are dealt with by the management in the factories, risks related to sales are managed in the sales departments etc. Only the insurable risks related to the company’s activities are managed centrally. Today, there are no required guidelines in case 2 to follow when managing risks; it is up to the people doing it to choose a preferable method. This means that Case 2 up until today is using risk management, also in the areas treated by ERM, but their approach is not uniform. That is why Case 2 is at the moment focusing on the development of the existing risk management process in the direction of ERM. The incentives for Case 2 to develop the risk management are detailed in section 4.3.

Risk management in case 2 today is to some extent carried out in accordance with the ERM idea. As mentioned, they already consider the four areas of ERM (strategic, operations, reporting, and compliance according to COSO). However, it is not carried out in a structured way. This implies that the process is hard to manage at an overall level. The lack of structure makes the aggregation and reporting of the risk a hard, almost impossible exercise and the risk management activity reactive rather than proactive, as should be the aim.

As mentioned, Case 2 has started a risk management improvement project, which has led them to work with the implementation of ERM. The development of the risk management activities is carried out with the purpose of aligning the risk management activity in a structured way and providing data from the persons responsible for the risk management activities, which enables the group finance department to aggregate the company’s risk position and report it to the board and management. Case 2 has carried out a risk identification workshop, with a purpose identical to the identification process in ERM. The identified risks are distributed to the responsible units together with a set of suggestions about how to manage the risks. The quotation below is an example of the division of responsibility and the use of the identification project and how the group finance is supporting the responsible units in practice.

One of the biggest risks we identified in the identification project was that the different subsidiaries manage their risks in different ways. And since we did it, it is our responsibility to communicate the knowledge we collected to the responsible persons. And to support it to the extent it is possible..

.. The responsibility for an operational risk, e.g. power breakdown lies in the concerned production subsidiary. What we do centrally is to insure that type of events, if they are insurable. Then we make sure it is covered by insurance. At the same time, we say to them: do you have a plan to control this risk? You can start by making disaster recovery plans. Where you say; which are the largest risks that are likely to occur on this factory? And then make sure you have a plan for the factory in order to recover as fast as possible if it happens. The responsibility lies in the current production subsidiary, but what we try to do is to say; are they doing it in the same way as the others, and try to get attention towards it.

— Transcription of Case 2, p. 7-8 (translated)

In addition to this, the risk identification project also contained an assessment of the risks and a management report on the company’s risk situation. It is case 2’s idea that this risk report is going to be prepared continuously in the future to satisfy the need of management reporting of the risk position.

Group finance in Case 2 is currently developing a risk assessment and management tool for the people in the organization who carry out the management of risks associated with their area of the business. This tool enables the aggregation and reporting of risk, as it gathers the data in a homogeneous way. Case 2 states its risk management position as follows.


..Status of today is that we have a fragmented approach to the management of risk in Case 2 and we don’t, or let me say, we do have a plan for how to move up and become better, but we are only in the early phase of implementing the plan, which will move us toward ERM. We have initiated a process, one can say.

— Transcription of Case 2, p. 5 (translated)

In relation to implementing a new risk management approach, Case 2 is not using a predefined framework. They take what is applicable in their situation, and modify it to benefit their organization. It is not the purpose of the new approach to centralize the process of risk management. It is still the units exposed to the risks that manage them. The new approach does not restructure the organizational position of risk management; it only differs with respect to the method of managing the risks, in preparation for standardizing the methods used.

Risk management in Case 2 today cannot be seen as a full, extensive implementation of ERM. That said, they are in a process of improving the existing risk management system towards ERM. When the new risk assessment and management approach is implemented in the organization, they will to a great extent be using the ideas of ERM. The new risk management approach also enables them to obtain future advantages from the risk management aggregation and integrative view on risk by avoiding sub-optimization in the organization’s risk management activities. Case 2 is therefore seen as a company which has started their journey towards ERM and to some extent already complies with the ideas behind ERM.

Risk Management in Case 3

Risk management in Case 3 is carried out in accordance with the ERM idea. Case 3 manages risks related to strategic goals, operations, and compliance. The fourth perspective in COSO, the reliability of reporting, is not directly part of their risk management approach, but is treated in another project with the company’s auditors.

Case 3 has been working on the ERM approach for ten months and they have covered a relatively long distance of the ERM journey. The risk management process of case 3 started with an identification workshop, with the objective of discovering the risks associated with case 3’s way of doing business. The result from the identification workshop was a database containing all the risks identified. Afterwards, a group of experts on case 3’s operations was appointed to make a substantiated assessment of the probability of the risks occurring and the impact of the occurrence. Then the responsible persons had to consider strategies for managing the risks together with the persons in charge of the affected areas. The persons responsible for the ERM project in case 3 are at the moment preparing a management report with the purpose of communicating the overall risk situation to the board and management. This is where case 3 is on their risk management journey today. As can be read, case 3 follows the EWRM journey detailed in the theory section closely.

The above description explains the approach case 3 has adopted in their ERM implementation. As with case 2, case 3 is not implementing a predefined framework strictly following the framework’s approach. Case 3’s ERM approach is grounded in existing frameworks such as COSO or AS/NZS 4360:2004, but they are modified to benefit Case 3’s business. They are deliberate in the way they use risk strategies and the risk management process is closely related to the company’s operational processes, i.e. the value creating activities of Case 3. The goal is to enable the ERM process to identify and manage the risks proactively before the events happen. Case 3’s approach is in proximity of its operations. An example follows in the quotation below.

..We look at the competitors’ products and consider the competitive image that faces us. And to do so, we use the big trade fairs to see what is coming. Fortunately, they are held in the beginning of a year.. ..and the mitigation of competitor products. It is a question of us saying this competitor product is coming. It is a direct competitor to our product. OK, then we will turn up the marketing on exactly these things, not to lose momentum against these things..

— Transcription of Case 3, p. 6 (translated)

Another example is the company’s considerations when it comes to outsourcing the production to another country. The example is briefly shown below.

..Today we take care of the whole production ourselves. It is automated processes with almost no human intervention. Red boxes contain 8000 of part A, blue and green boxes contain a given number of other components. When we choose to outsource the production, the factory producing the products is to a great extent manual. This means that when the operator runs out of red boxes, he takes a green or blue box to part A. Vice versa with part B and C - here the operators pick red boxes when running out of green and blue boxes. Then, our logistics master data will fail. The blue and green boxes do not contain part A in our master data and as the blue or green boxes are smaller, they cannot contain the same number of part A as the red boxes; the amount is also wrong. When our automated product mounting process needs part A, B and C, some of the red, green and blue boxes may contain other products than the automated mounting process knows of. The parts will get mixed and nobody knows, because of the high level of automation. Then, the end products will end in the stores containing a wrong number of parts, which makes it impossible for the customer to assemble the product..

— Transcription of Case 3, p. 16 (translated and condensed)

Considerations about operational risks analogous to the above example are contemplated by Case 3. Not only is the ERM process to a great extent implemented, even though it is a customized implementation, but also the quality in terms of proactiveness is in focus.

Concerning Case 3’s organizational position of the ERM process, the risk management activities are centralized in the three areas: operational and hazard risk management, strategic risk management and financial risk management. The three activities are positioned in different subsidiaries within the group, but they work closely together between the subsidiaries. Case 3 defines it as an ERM organization, not an ERM function, which underlines the importance of the whole organization’s support, if the process is to become a success.

As can be read above, the method of carrying out risk management in case 3 is to a great extent identical to the ERM approach, even though the company has not covered the total distance of the ERM journey. The same applies in case 3 as in case 2 regarding the choice of framework. They take what is considered beneficial for their business and leave out the other things. A good example of this is the dimension of reliability of reporting in the COSO framework, which in case 3 is left out of the ERM process and treated elsewhere in the organization.


Summary

The explanations above concerning the choice of risk management approach in the three case companies show that the companies under investigation do not take a framework and implement it independently. Even though the three cases are all in the top 100 of the largest Danish companies, none of them is considered as having a fully implemented ERM process. In case 2 and 3, however, the interview persons clearly indicate that the implementation of the ERM process is taken seriously and is of major importance to the future survival as management tool, and thereby fully backed up by the board and management. The reasons for the companies to choose to develop or improve their risk management process are explained in the following section.

4.3 Reasons for Implementing ERM

The above section provides an overview on how the risk management practices are carried out in the case companies. This part will answer the question of why companies choose to implement ERM. The section is based on the research propositions on page 45 combined with the considerations clarified in the interviews. Each topic starts with the proposition and subsequently a detailed exposition of the result.

P1 - The Board and Management

If the board and management’s attitude towards ERM is positive, the company is more likely to start implementing ERM.

The board and management’s attitude towards ERM is of vital importance in the three cases. The structures influencing the attitude differ, though. The differences between the cases are explained below.

Case 1 and Case 2 state that their boards are aware of the importance of risk management. They take it seriously and leave the impression that risk management is of vital importance in the company. The argumentation in case 1 is even more reliable as the interview person is a board member. Therefore, the opinions of the interview person equal the board’s. He states throughout the interview the opinion that risk management is an important management tool. In case 1, the board is clearly the initiating unit regarding development and improvement of their risk management process. It is the interview person who is responsible and he addresses the importance of a good risk management process. However, the risk management process in case 1 is not considered as true ERM, in accordance with the section about risk management practice in case 1, even though the company is carrying out some of the elements of ERM.

In case 2, the board is not directly the initiating unit when it comes to implementing ERM. Case 2 has a designated risk management director, who is responsible for the risk management process. As stated, the board knows of the importance of risk management, but keeps passive in relation to the development and improvement of the risk management process. The interview persons explain the passive role of the board with the huge growth the organization faces at the moment. The employees’ environment is changing a lot, which results in the fact that top management must limit the top-down initiatives in order not to push the employees too much.

..the situation is, for case 2, that there are enough of other things, which must be pressed down from the top to keep control over the organization, and it will not be appropriate on the risk management side.

— Transcription of Case 2, p. 9 (translated)

Case 3 is in a special position. Case 3 has a chairman of the board who comes from an organization that has been using risk management for many years, and also has applied ERM. Therefore, the chairman has actively pushed the organization towards ERM, as he knows how his former organization was benefiting from the process. The process is done bottom-up, but the chairman of the board is to a great extent one of the main drivers behind case 3’s development and improvement of the risk management towards ERM.

..You can not [short break] It is important with commitment from the top. It (ERM) must have its rise from the top. But it must come from below. It is something you build up from the bottom and up. And if you do not have the commitment and the culture and the attitude, then it will be hard to practice.

— Transcription of Case 2, p. 28 (translated)

As can be read, the importance of the board’s attitude in relation to development and improvement of the risk management process differs between the case companies. In two of the case companies it is initiated from the top, but the board and management in the last case company do not actively take part in the development and improvement of ERM. And, as seen in case 2, that does not necessarily trigger a more ineffective process. In all three cases the interview persons clearly stress that the board’s true attitude influences the company’s tendency to develop an ERM process. The attitudes of the case companies’ boards are all positive, and this causes the focus on developing the risk management process toward ERM to be stronger.

P2 - The Business

If the business is regulated with regard to risk management, e.g. demanding controls in the production processes, which is the case in the medical sector, the company is more likely to start implementing ERM. The structures of non-regulated sectors (e.g. technology-driven) are also expected to influence the choice of implementing ERM. Hence, the business influences the companies’ tendency to implement ERM.

The structure of the business a company acts in influences the choice of developing the ERM process. Structure in this context means the way the environment is composed, i.e. competitive conditions, customers or sales patterns. Case 3 stresses the fact that the structure of their sector influences the development of the ERM process. The sector in which case 3 acts is built on unequal logistic conditions, which, however, apply to all players in the sector. 2/3 of the sector’s annual sales take place within the last ten weeks of the year and 2/3 of the product portfolio is new every year. If the Christmas sales go wrong, case 3 can lose half a billion DKK. Furthermore, case 3’s survival is dependent on their largest customers. The fact that the sale of Case 3’s products accounts for only 0,04 % of their largest customer’s total turnover complicates the conditions of dependence between them. Case 3 is greatly dependent on the customer but case 3 accounts for almost nothing in the customer’s annual accounts. This imbalanced relationship exists between case 3 and the majority of its customers, nationally as well as internationally. Case 3’s interview persons both express these conditions to be very important facts in relation to their choice of developing an ERM process. The conditions are more or less static and are almost impossible for them to change, both concerning the sales patterns and the conditions of dependence between them and their customers.

..not said, that it (the conditions of their business) is a risk, the company does not consider and must consider. It is what we through [interview person’s name] position started to take the holistic approach to. Before, we considered it as a business risk and could not do anything about it. But we also chose not to try to do anything about it. Today after all, we focus on it and try to manage it.

— Transcription of Case 3, p. 5 (translated)

P3 - Compliance

If a company must carry out risk management to be in compliance with requirements, regardless if it is a written or unwritten requirement, the company is more likely to implement ERM.

The situation in Denmark is that no compliance requirements on risk management exist today, though the “Nørby committee” (Nørby udvalget in Danish) in 2005 completed a set of corporate governance guidelines, including risk management activity. This guideline follows the “comply or explain” principle, which means that companies are allowed to disregard the guideline, if they explain why they do so (Lars Nørby Johansen et al., 2005, 15). The comply or explain principle applies to companies traded at the OMX Nordic Exchange.

The focus of the corporate governance guideline’s risk management section is to a great extent similar to the ERM idea (Lars Nørby Johansen et al., 2005, 42). This implies that the guideline’s risk management suggestions advantageously can be satisfied by implementing ERM. Hence, all three cases indicate that compliance is not influencing their choice of implementing risk management. That said, they also expressed clearly that from the day a formal compliance requirement is introduced, this will presumably be a major driver for risk management in Denmark. Case 1 states it this way.

..Requirements to the model can come, implying that we have to adapt to the things coming from the outside. And they can come from IAS as well. It does not necessarily have to be the government. It can be accounting standards saying that risk has to be reported in this way and that way..

— Transcription of Case 1, p. 5 (translated)

Regarding case 3, the same situation influences the compliance dimension as influences the board and management as driving the risk management development. The chairman has taken part in preparing the corporate governance guidelines. This implies, even though the interview persons did not clarify it, that one of the main reasons for him to support the development of an ERM process could be to comply with the Nørby committee’s guidelines. In contrast, in case 2, corporate governance does not influence the decision of doing ERM at all, which is a good example of oppositely directed effects from the same phenomenon in the real domain. Case 2 states it this way.

..It (the choice of implementing ERM) is to a great extent driven by needs occurring. It is definitely not driven by corporate governance (understood as compliance with corporate governance guidelines in the interview interaction). Opposite to the example with Coloplast..

— Transcription of Case 2, p. 12 (translated)

Another aspect of compliance is the companies’ compliance in relation to existing requirements about product quality, product safety, working environment, not violating other companies’ patents etc. All three companies must live up to such rules because of their business, some to a greater degree than others. This aspect of compliance is, in accordance with the theory chapter, part of COSO’s ERM model. However, none of the case companies suggest this as a reason for implementing ERM. It seems like the case companies have been subject to these compliance requirements in many years and do not use ERM as framework for complying with the rules. In Case 2’s risk management process, this compliance dimension of risk management is implemented. Case 1 is treating it as a business risk, also treated in the risk management process (even though not as formalized as case 2’s approach). Case 3 treats this compliance dimension outside the ERM process, though embedded in the same board as the ERM process - the compliance board. Compliance and risk management are linked in this board, but not carried out in the same process.

The result is that compliance is not yet one of the prime forces of the development and improvement of the risk management process, as it is not a compliance requirement in Denmark to do risk management. From the day ERM becomes a compliance requirement, companies not using ERM must start implementing it. Then compliance will presumably become a major prime force behind ERM. Additionally, compliance in relation to legislative conditions concerning the companies’ operations does not seem to directly influence the tendency to do risk management.


P4 - Structure of Ownership

If a company is a public limited company it is expected to be more likely to implement ERM. The reason is partly because several stock exchanges require, at a minimum, that companies traded on the exchange respond to risk management (the “comply or explain” principle), whether they do it or not, and partly to meet the shareholders’ interests.

None of the case companies consider the ownership as a structure influencing their choice of developing ERM. All three case companies face different ownership structures and only one of the case companies is a public limited company, traded at a stock exchange.

..We do risk management in case 2 not to satisfy the investors, but to obtain a higher degree of control and to provide better certainty when you make a forecast telling that the company will grow a given proportion next year and we will earn this on that. We can say that with a higher probability. That is what it is about..

— Transcription of Case 2, p. 20 (translated)

Even though the case companies do not view the type of ownership as an influencing structure, case 2 indicates that the board and management handle the shareholders’ interests. With this in mind, the owners’ interests may be influencing the board and management’s attitude towards ERM and thereby indirectly influence the choice of developing ERM in the company, as the board and management’s attitude is considered to have a great influence on the decision. However, nothing in the study indicates the structure of ownership to have direct influence on the decision about whether to use ERM or not.

P5 - Event Driven

Companies that have been exposed to cost-intensive events are more likely to use ERM after the events have occurred.

One of the cases explains negative historical events which occurred in the past as one of the main reasons for developing an ERM process in the company. Some events happened in a period of years, causing red ink in the profit and loss statement in a period of 10 years. The situation turned out so bad that the company did not expect to survive if any event influencing the financial situation of the company occurred again. The company knew about ERM, but did not use it. While investigating the benefits of an effective ERM process, the organization evolved the understanding that if an ERM process was used to manage the risks related to the business’ long term survival, i.e. obtaining the strategic goals, they would have been able to identify the events before they occurred, control them and thereby, at least to some extent, have avoided the bad situations in the past. This reason for developing ERM is analogous to the basis for the legislative changes on risk management in the international context, detailed in section 2.3 on page 15. Case 3 states the influence from the negative historical events as follows.

..We must admit in shame, if I may say so, that the period from 1994 - 2004 where we lost money, made some huge holes in the ground, we cannot blame the market, the consumers, the retailing or our competitors for the development. It is our own responsibility. It was choices we made ourselves, it was a strategy and some initiatives, with which we did not succeed.. ..And unfortunately, one must say, that the reason (for developing an enterprise risk management process) often is, that something happened to the company, which was absolutely not positive. We have seen that in the big scandals. Nor is it a secret that one of the reasons for us to focus on this (ERM) was that we made some enormous holes in our profit and loss statement a couple of years ago and said; we have to find a whole new way of conducting business. This (ERM) is one of the tools, which must support the top management in predicting and assuring that the most important risks case 2 are facing will be handled in a way in accordance with the overall strategy for the company..

— Transcription of Case 3, p. 6 and 9 (translated)

The consideration about conducting business differently, caused by negative historical financial events, probably applies to other companies as well. If these companies are familiar with ERM, the negative events will probably affect the choice of implementing ERM to align the management of negative events in a preventive way.

P6 - Relative Position in Relation to Competitors

If competitors use ERM, the company is more likely to start implementing ERM.


The proposition insinuates that a company is more likely to implement ERM, if their competitors are using it. The reasoning is derived from the relativity consideration of competitive advantages. The proposition cannot be approved in the study. However, another structure occurred, concerning the risk management position. The structure is not bound to the company’s competitive dimension; it is bound to the stakeholders in the company’s value chain.

A company’s stakeholders can have a significant influence on the company as related to risk management. Two of the three cases point to the fact that their stakeholders could be possible authorities demanding the participants in their value chains to improve their risk management processes. The reason for the stakeholders to be a driver of developing risk management is dual.

The one reason is with reference to compliance. In the interview, the argumentation is not directly focused on risk management. It is considered in a part regarding Sarbanes-Oxley, but the argumentation could have been used on risk management as well. The contemplation is that if a variant of Sarbanes-Oxley is introduced on the European stock exchanges, it may very well imply that companies not traded on a stock exchange have to implement the Sarbanes-Oxley variant as well. The legislation may require that companies subject to the rules must ensure the other participants in their value chain implement the control framework as well. If they fail to do so, they do not meet the requirements themselves. Thereby, the entire value chain is affected by the new rules. This has been the case in case 3 in relation to one of their customers’ ISO certification. For the customer to obtain the certification, they had to demand their suppliers to obtain an ISO certification as well. The same could happen with risk management. If future compliance requirements demand the value chain to use ERM, stakeholders in the terms of customers or suppliers potentially can become a significant force for developing an ERM process in a company.

The second reason is based on a logistic point of view. Companies that have suppliers critical to their own adherence to the contracts with customers must pay attention to the supply security from their suppliers. The supply security relates to re-establishment plans in case of production breakdowns, control of sub-suppliers’ quality and supply security, long-term survival etc. One way of ensuring this is to demand the suppliers to use ERM.

Obviously, both reasons apply only where suppliers or customers are critical to the survival of the company. If small customers demand the company to do risk management, and the cost of doing it exceeds the benefit of having them as customers, the alternative, which could be the best choice, would be to drop the co-operation with them.


The above argumentation explains structures where stakeholders of a company are a major driver of developing a risk management process. The central point is that it presumably only applies where the stakeholders are critical for the company’s long-term survival.

P7 - Size and Growth Rate

If a company is growing heavily, increase in turnover or growth from M&A activity, the company is expected to be more likely to implement ERM.

One of the expectations based on the preliminary study is that a company’s size and growth rate influence the tendency to develop an ERM process. In relation to size, none of the cases indicated that it had an influence on the company’s tendency to do ERM. Conversely, the interview persons in case 2 expressed, that ERM is a management tool they would use in companies, regardless of its size. They asserted that for very small companies, the idea behind ERM could be even more applicable to support the survival of the company, as small companies are more sensitive to negative impacts. They state it as follows.

..It (ERM’s justification in small companies) depends on how you define ERM. Because an ordinary, down-to-earth approach to how to look at risks and who does what and where, the risk tolerance is and where the risk appetite is and how you report risks, and a division of roles, I am of the opinion that all companies, big and small, could benefit from.. ..In small companies it (ERM) does not necessarily have to be as systematic and provable, but in the internal processes, it will be interesting.. ..I think, regardless of turnover, it is extremely important. I even think it is even more important for a newcomer, a brand new company. Because it only takes a little for them to be forced out of business.

— Transcription of Case 2, p. 21 (translated)

Regarding growth, the situation is different. Case 2 is in a position with huge growth rates. They state very clearly that growth is one of the main reasons, maybe the most important reason, for them to do ERM. The rationale behind is that growth, if ignored, entails losing control and makes it harder to maintain and appraise the overall situation of the company. Implementing ERM in case 2 helps them to keep focus on the fields most important for the company to fulfill its goals, hence its survival.

..I think one of the main drivers (of implementing ERM) is both the growth itself, that is; it becomes more and more unpredictable for individuals to recognize which consequences different things have. And for this reason, one must have a systematic way of assessing it..

— Transcription of Case 2, p. 11 (translated)

In summary; the size does not seem to influence the tendency to develop an ERM process in the case companies. Oppositely, growth is one of the major reasons for case 2 to implement ERM. Clearly, it must be considered that high growth rates over a period result in a larger size, but the size alone does not seem to drive implementation of ERM.

Summary

The above explained reasons for developing or improving the case companies’ risk management process are illustrated in figure 4.1, grouping the structures by the cases where they are found. Several structures influence the choice of developing the risk management process in each case and the structures can be mutually correlated, as elaborated in the previous sections. Some structures are found in several cases, e.g. the board and management, which could cause the reader to consider this structure as more valid than the others. This is not the case from the author’s paradigmatic point of view, as the case study is made to give a broad view on the subject matter. The repetition of structures between cases can therefore be coincidence, as the case design is not constructed to follow the replication logic in accordance with section 3.3 on page 46. A given structure can even pull in different directions between cases due to different contexts, as is the case with compliance.

The figure is an overall illustration of the findings. It is not meant for isolated use, but must be considered together with the elaboration of the drivers, detailed in the above sections of the chapter.


Source: own production

Figure 4.1: Structures Influencing the Choice of Developing Risk Management

4.4 Reflection of other Potential Structures

The study not only provides the findings above, but also indicates some other reasons behind developing the risk management process. The following should only be considered as reflective considerations, not structures identified directly in the interviews. They originate in the interviews, but are only treated briefly in the study.

Culture

One of the case companies, case 2, insinuates the culture of the company as influential in relation to the development of ERM in the company. The reason for the company to implement ERM the way they do, is the employees’ perception of the signals the management sends by implementing the ERM process the way they do. The interview persons indicate that the choice of implementing ERM in phases, where it is most important and not as a top down approach at the whole company at once, is substantiated in the way the employees will react to the new management tool. If they chose to implement it in the entire company at once, they expected the employees to back out and not support the new initiative. The norms and behavior patterns imply that the employees would reject and neglect the ERM process, if they were forced to do it. In case 2, for the ERM to be successful, it must gain organizational embeddedness before applying it to the whole organization. One of the case 2 interview persons states it this way.


If we implemented the whole setup at once, it would create problems in the organization. Because it would be something you should do on top of all other things you do, something you suddenly should take care of. Instead of doing it the other way by letting the employees discover, that it is something we need and somebody can help us doing it and then they will be part of a bigger cooperation, dealing with this. It will be less problematic to do it that way.

— Transcription of Case 3, p. 22 (translated)

It is not clearly expressed, but it indicates the culture of the company as an important mechanism to consider, when choosing to implement ERM.

Strategy

Uncertainty related to achievement of strategic goals is a central consideration in relation to developing the risk management system in case 3. One could argue that this perspective is a reason every company doing ERM would point out, as it is the purpose of ERM to support the strategy. However, only one case explicitly expresses this as a driver of their development of ERM, which indicates that it can be a structural driver in some cases.

Higher certainty in the achievement of strategic goals can also be assumed implicitly to be a motive force in every company, as it can be seen as the main objective in every company choosing to implement ERM (or at least ought to be). The other reasons for developing ERM, such as the board and management, compliance, negative historical events etc., can thereby be thought of as products, or the operationalization of this overall strategic objective. Whether this consideration is true or not cannot directly be confirmed or disproved, and whether it is true or not does not reduce the importance of the other findings. It is those, which are considered as directly influencing the decision of developing or improving an ERM process.

The above discussion of the objective of providing a higher degree of certainty about achieving the strategic goals leads to the argument that in some cases it can be seen as a direct driver. In other cases, it can be the underlying objective behind the actual incentives for the company to start developing ERM.


4.5 Verification of the Findings

The quality of the findings is assessed on the basis of the study’s reliability and the validity criteria of qualitative research (Kvale, 1997, 231), (Yin, 2003, 33). The reflections are consistent with the design of the study, though it is explicitly considered from a verification point of view in this section.

Reliability

Reliability concerns the credibility of the results. It is the question of to what extent the findings are evidence of the interview persons’ true meanings or coincidences. The reliability of the study has been considered from the beginning, where the design of the study is constructed to instigate the study to provide the true meanings of the interview persons. This is done by making the semi-structured interview guide, in accordance with the research design in chapter 3. During the interview, the interviewer focused on finding the interview persons’ true meanings and not to affect the interviews in a certain direction. This is done by asking open questions and using leading questions thoughtfully. The reliability consideration is in the analysis supported by establishing a case study database in NVIVO. The purpose of this analysis approach is, besides conducting the analysis in a structured way, to justify the reliability by making a transparent analysis with direct connection from the data to the results provided.

Validity

The validity of the study is considered in three dimensions (Yin, 2003, 34): the construct validity, the internal validity and the external validity.

Construct Validity

The aim of the construct validity is to form an interview context which aims at identifying valid structures. This is endeavoured by using multiple units of analysis, shown in figure 3.1. As is the case with the reliability of the analysis, the intentional usage of leading questions and the open questions is used to obtain a higher degree of construct validity. The interview persons are consulted with the findings, after the analysis has been carried through, to approve the results and thereby obtain a higher degree of construct validity.


Internal Validity

Internal validity relates to situations, where causal relations are identified (Yin, 2003, 36). As explained in the theory of science, the aim of this study is not to explain causal relations, as it is not the belief of the critical realist philosophy, that causal relations can be proved. As it is not possible to get knowledge of all structures influencing a given element in the real domain, the aim is to identify structures related to the subject matter. However, it is not the belief that the findings can be directly seen as causal relations.

Internal validity exactly relates to situations where a causal relation has been identified, but the relation does not reflect the real truth. If a third factor is the real causal explanatory variable, the knowledge obtained is not seen as internally valid. In this study, internal validity is achieved by critically viewing the different structures identified and thereby considering them in relation to the overall context in which they are identified. As an example, proposition four about structure of ownership can be considered. The ownership is not identified in the interview context as a reason for developing ERM, but as the board and management have a significant influence the ownership cannot be ignored as a possible structure influencing it. As the boards represent the owners’ interests, the ownership can be an underlying structure influencing the boards’ position towards development of ERM. This is an example of how the internal validity is considered in this study, following the idea of the explanation building technique (Yin, 2003, 120). The basis for the study is the research propositions stated in section 3.2, with respect for the explorability which is one of the main advantages in the qualitative study and which enables the research design to identify new perspectives on the study area.

External Validity

External validity concerns the generalizability of the findings (Yin, 2003, 37). As has been written in section 3.1 the aim is not to provide generalizable findings, on the contrary, the aim is to provide new knowledge about structures in the real domain; structures, which can be generalized to theory, not to a population, as is the aim in quantitative studies. The important perspective of the external validity is that the aim is not to provide generalizable findings. The findings are context specific in the cases, but can be subject to later generalizable studies, regardless of the choice of a qualitative or quantitative approach.


Chapter 5

Conclusion

Reasoning draws a conclusion, but does not make the conclusion certain, unless the mind discovers it by the path of experience.

— Roger Bacon

This final chapter forms the ending of the thesis. A reflection over the study will be covered and subsequently suggestions for further research within the subject matter. The chapter will be finalized by the conclusion of the thesis.

5.1 Reflection

After the study has been conducted, some of the potential problems and benefits with ERM have been identified. However, these are not directly explicated in the interviews. Contrarily, the perspectives presented here have turned up in the author’s awareness continuously during the study.

The Size of the Company

People talk about which size a company must have, to benefit from the use of ERM. To some extent, the author shares the attitude, that a company must have a given size to benefit from a stringent use of COSO’s ERM Framework. However, it is the author’s conviction that the idea behind ERM will potentially benefit all companies, regardless of their sizes. An example is the AS/NZS 4360:2004 framework. This approach is to some extent more applicable for smaller companies, as it is more operational and less complex. As is the case for Case 2 and Case 3, companies can benefit from taking the frameworks as a basis and modify the approaches to fit their companies in their given situations. The idea behind ERM can be beneficial for every company.


Reliability and Benefits of ERM

People argue about the reliability of the techniques behind ERM. Some could be blamed to result in more or less arbitrary outcomes, as complex quantifications of (maybe even unquantifiable) integrated risks. When setting up too many interdependencies between risks based on assessments, one can question the reliability of the outcome. And in situations where the reliability perspective is not commented in risk reports, the quantification could be blamed to be perceived as truth, even though it might not be the case as the models rely on more or less arbitrary assumptions.

The true benefit of ERM, from the author’s point of view, is the fact that when applying the ERM philosophy in a company, the organization adopts the risk awareness across the entire company. This entails risk scenarios to be assessed and gives rise to considering the company not only by its operations and budgets, but also by risks and root causes related to the risks, potentially preventing the company from achieving the objectives it has set. Quantifications and number crunching, if not carried out with focus on reliability and validity analyses, are not beneficial activities of ERM as these activities might hide the true nature of how risks influence the company. The true benefit from ERM, seen from the author’s point of view, is the organizational change towards risk awareness and thus, attention on increasing the likelihood of achieving the company’s objectives.

Contexts Where ERM is Beneficial

The findings have resulted in identification of structures that influence the choice of implementing ERM. They will in this section be projected to outline contexts, where ERM could be beneficial.

The obvious context where ERM could be beneficial is in companies whose strategy process is passive and which want to implement a management tool to implement the strategy actively. As this is the idea behind ERM, it is self-evident that ERM would benefit there. Additionally, some of the structures describe contexts in which ERM would benefit. They are outlined below.

Unequal competitive conditions. If a company faces unequal competitive conditions or the business is related with a high degree of uncertainty (as applies to case 3), the company could probably benefit from implementing ERM. ERM would be designed to identify risks related to the uncertainty in their environment and thereby create a structural approach to managing it.


Critical stakeholders. Companies who have stakeholders critical to their achievement of the strategic objectives would also benefit from implementing ERM. Furthermore, if they are in a position where they can demand their stakeholders to implement ERM as well, it could also benefit the company, as case 2 and case 3 state.

Companies who experienced negative events. Evidently, companies as case 3 that have experienced negative events in the past, which they were unable to control, would probably be better off by implementing ERM to manage such events in the future.

High growth. As is the case with unequal competitive conditions, also companies facing high growth could use ERM to maintain the appropriate overview of the company. Case 2 has succeeded by doing that.

As outlined, ERM would benefit organizations facing different issues. From the author’s point of view, ERM could benefit in numerous situations, as the underlying idea is to make the strategy implementation active. Carried out in the appropriate way, ERM would be beneficial in various contexts.

5.2 Suggestions for Further Research

During the analysis, other research perspectives concerning ERM arose. Suggestions for further research are shown below.

Quantitative ERM study. The findings of the conducted study are not generalizable to a population. However, it would be straightforward for further research, to carry out a quantitative study with the purpose of generalizing the findings. Though the scientific conviction is arguing that it will not be possible to know all structures relating to the subject, quantitative information concerning the findings could be interesting to investigate. These could provide knowledge which could be used to predict how the future situation of the ERM usage in Denmark will be.

Employee’s perspective on ERM. The present thesis is considering the approaches of ERM and how it is applied in the case companies. Another perspective of ERM could be an organizational point of view; the employees’ attitudes towards ERM. A central question would be: is the tool motivating the employees, or do they consider it as limiting their working conditions?


Exploiting Opportunities. Opportunities are events potentially occurring that influence the achievement of objectives positively. COSO’s ERM Framework calls attention to exploiting opportunities. The perspective of exploiting opportunities is COSO’s argumentation of ERM as adding value to the company. It could be interesting to see if this perspective of ERM is applied in companies using ERM, or if they only concentrate on the risk side. The study could result in an argumentation of which type of responsibility center (Revenue center, Profit center, Cost center etc.) that would be appropriate to control the ERM process.

Investigating attitude towards ERM from a new institutional perspective. The present thesis has shown various structures influencing the tendency to use ERM. The board and management is a structure identified in all three cases. It could be interesting to investigate this structure from a new institutional perspective. Can new institutional theory explain how the board and management hold a certain attitude towards ERM from their previous jobs? The present thesis’ study has insinuated board and management holding a certain institutional perspective, but it is not explicitly identified, as the new institutional approach has not been directly incorporated in the study.

Investigating attitude to ERM from a contingency theory approach. Another perspective on ERM could be to investigate which contingency factors influence the contexts in which ERM will benefit and thereby set up a contingency model explaining in which contexts a fit between contingency factors and usage of ERM is present.


5.3 Conclusion

The present thesis has processed the subject ERM with attention on the application and reasons for companies to use it. The study has been carried out as a qualitative study.

The underlying theory behind the study has been based on existing theory about risk management and theory regarding ERM from a meta perspective showing the overall idea behind ERM as well as from an applied level concerning applicable frameworks. The section dealing with frameworks is based on COSO’s Internal Control Framework, COSO’s ERM Framework and the AS/NZS 4360:2004 standard for risk management.

The analysis is a qualitative case study of three companies. It results in new knowledge concerning risk management practices in the companies; how ERM is applied and reasons for the companies to develop an ERM process.

Regarding the application of risk management, the findings show that the case companies do not apply a risk management framework directly. Their risk management processes originate in existing frameworks, but they modify them to fit their organizations, implying that only the components of the frameworks regarded as benefiting the organization, are implemented. Two of the three cases, case 2 and case 3, are considered following the ERM idea in the risk management processes they perform today. The last case, case 1, is carrying out risk management more arbitrarily, however to a great extent in accordance with the Internal Control Framework.

The study’s dimension concerning reasons for implementing ERM is supportedby seven research propositions, set up from existing literature and a preliminarystudy with an expert on the field. The propositions are elaborated below.

P1 The board and management’s attitude towards ERM

P2 The business

P3 Compliance

P4 Structure of ownership

P5 Event driven

P6 Relative position in relation to competitors

P7 Size and growth rate


Regarding the reasons for the companies to develop an ERM process, the findings show that they are context specific. Structures applying in one case company are not necessarily present in the other cases. However, case 2 and 3 consider Proposition 1, the board and management's attitude towards ERM, to be one of the main reasons for them to carry out risk management the way they do. The same applies to case 1. The board and management's attitude is to a great extent the deciding factor influencing how they carry out risk management. The business has in the context of case 3 been one of the main reasons for them to start developing an ERM process. Compliance is a structure influencing the development of risk management in case 1. A special circumstance relates to compliance. If the regulatory bodies in the future formulate compliance requirements regarding ERM, compliance will suddenly become a main structure for companies to implement ERM. However, this is not the case in Denmark today. Structure of ownership is not considered to directly influence the choice of implementing ERM in any of the cases. Event driven concerns experienced events that have influenced the company negatively in the past. Case 3 states negative events in the past as a reason for their board and management to have supported the ERM implementation in the company. This is not the case in the other companies, however. Relative position in relation to customers is in none of the cases regarded as a reason for the companies to implement ERM. However, risk management demands from their stakeholders are considered by case 1 and case 2 to become an incentive for companies in general in the future. The last proposition, size and growth rate, is dualistic. None of the case companies regard size as a reason for implementing ERM. However, case 2 faces huge growth at the moment. They state ERM to be one of the tools for them to maintain control of the company during the heavy growth. Growth can therefore in some contexts be considered as a reason for companies to implement ERM.

Two other structures influencing case 2 and case 3's choices of implementing ERM have been identified as well. In case 2, the culture of the company is a mechanism that demands the company to implement ERM in a certain way. The culture implies that the company must be aware of only implementing ERM in the areas of the business where it will benefit immediately. Otherwise, if they choose to take a given framework and stringently apply it across the entire company, they believe that, because of the culture in the company, they will meet resistance from the employees. The other structure originates in the company's achievement of their strategy. Although the definite idea behind ERM is to ensure a higher possibility of achieving the strategy, case 2 also explicitly states this dimension as one of the reasons for them to carry out ERM: as an approach to give them higher assurance for achieving the chosen strategy.

The present study focuses on two dimensions: how companies are applying ERM and why companies implement ERM. By carrying out a qualitative study, it is not the intention to provide generalized knowledge. The intention has been to provide new knowledge about structures influencing ERM in Denmark through a thorough case study. The main interesting findings, from the author's point of view, are the fact that ERM as a management tool is customized to fit the organizations and that the identified structures influencing the development of ERM in the companies seem to be context specific - several contexts where ERM would benefit are clarified. Even so, the board and management's attitude towards ERM seems to have great impact on companies' choice of implementing ERM, as the matter has been identified in all cases analyzed.


References

Robert N. Anthony and Vijay Govindarajan. Management Control Systems. McGraw-Hill, 2003.

Ingeman Arbnor and Björn Bjerke. Methodology for Creating Business Knowledge. SAGE Publications, 1997.

Mary E. Barth. Discussion: Banks, Risk, and FAS 105 Disclosures. Journal of Accounting, Auditing & Finance, 11, 1996.

Hubert Buch-Hansen and Peter Nielsen. Kritisk realisme. Roskilde Universitetsforlag, 2005.

Gibson Burrell and Gareth Morgan. Sociological paradigms and organisational analysis. Ashgate, 2000.

Dale F. Cooper. Tutorial Notes: The Australian and New Zealand Standard on Risk Management, AS/NZS 4360:2004. Published by: Broadleaf Capital International Pty Ltd, 2007.

Dale F. Cooper. Enterprise Risk Management. Published by: Broadleaf Capital International Pty Ltd, 2006.

James W. Deloach. Enterprise-Wide Risk Management. FT Prentice Hall, 1 edition, 2000.

Gerry Dickinson. Enterprise Risk Management: Its Origins and Conceptual Foundation. The Geneva Papers on Risk and Insurance, 26, 2001.

Neil A. Doherty. Corporate Risk Management. McGraw-Hill, 1985.

Grethe Heldbjerg. Grøftegravning i metodisk perspektiv. Samfundslitteratur, 2003.

Danny Ho. Business Process Maturity Model - A CMM-based Business Process Reengineering research. Technical report, HOWE School of Technology Management.


Maya Kaner and Reuven Karni. A Capability Maturity Model for Knowledge-Based Decisionmaking. Information Knowledge Systems Management, 4(4), 2004.

Steinar Kvale. InterView. Hans Reitzel, 1997.

Lars Nørby Johansen et al. Københavns Fondsbørs' komite for god selskabsledelse, Rapport om god selskabsledelse i Danmark 2005. Print: TGS-Group Rødovre, 2005.

Gareth Morgan. Paradigms, Metaphors, and Puzzle Solving in Organization Theory. Administrative Science Quarterly, 25(4), 1980.

Morten Egelund. Enterprise Risk Management. Published by: Deloitte Statsautoriseret Revisionsaktieselskab, 2005.

Helle Neergaard. Udvælgelse af cases i kvalitative undersøgelser. Samfundslitteratur, 2001.

Vincent M. O'Reilly, Frank J. Tanki, R Malcolm Schwartz, Robert J. Spear, and Richard M. Steinberg. Internal Control - Integrated Framework. COSO, 1992.

GARP Risk R. ERM, Operational Risk and Risk Management Evolution. GARP Risk Review, 2004.

Bob Ryan and Robert W. Scapens. Research method and methodology in finance and accounting. Thomson, 2002.

Robert Schneier and Jerry Miccolis. Enterprise risk management. Strategy & Leadership, 26, 1998.

Smiechewicz, Walter, and Bank. Case Study: Implementing Enterprise Risk Management. Accounting & Finance, 14, 2001. Published by Euromoney Publications PLC.

Richard M. Steinberg, Frank J. Martens, Miles E.A. Everson, and Lucy E. Nottingham. Enterprise Risk Management - Integrated Framework. COSO, 2004.

Peter Teuten. Enterprise Risk Management: Its Evolution And Where It Stands Today. The John Liner Review, 19, 2005.

Jeffrey C. Thomson. Sox 404 and ERM: Perfect Partners... Or Not? Journal of Corporate Accounting & Finance (Wiley), 18, 2007.


Paul L. Walker, William G. Shenkir, and Thomas L. Barton. Enterprise risk management: pulling it all together. The Institute of Internal Auditors Research Foundation, 2002.

Robert K. Yin. Case Study Research - design and methods. SAGE Publications, 2003.


Appendix A

CD containing the data used in the analysis (coded transcriptions and themes).


Appendix B

Arthur Andersen's Business Risk Management Process framework. The figure shows the complete process including the 3 sub processes not used in Deloach's model in 2.8 on page 21.

Source: (Deloach, 2000, 116) and own processing

Figure B.1: Arthur Andersen’s Business Risk Management Process


Appendix C

Research propositions from existing literature.

P1 The board and management's position to ERM. If the board and management's position on ERM is positive, the company is more likely to start implementing ERM.

P2 Risk Management Maturity Continuum state. The company's actual Risk Management Maturity Continuum state influences the choice of whether to start implementing ERM or not. If the company's state is high, meaning they are close to doing ERM, they are more likely to start implementing ERM than companies placed low on the RM Maturity Continuum.

P3 Expectations of problems related to implementing ERM. If the decision-makers expect ERM implementation to be too problematic, the company is less likely to implement ERM. Note that decision-makers do not necessarily equate to the management or the board. E.g. ERM can be a project founded in the finance department.

P4 Lack of knowledge about ERM. If the company is lacking knowledge about ERM, it will be less likely to start implementing ERM.

P5 Willingness to seek out companies providing consultancy services. If the company is not willing to seek out companies providing consultancy services, they will be less likely to start implementing ERM.


Appendix D

The interview guides used in the preliminary study and the case studies will follow on the next pages.


Enterprise Risk Management

Incentives and Practices in Danish Companies

INTERVIEW GUIDE

Preliminary study

11 June 2007

Niels Joseph Lennon, Aarhus School of Business, University of Aarhus, Master's Thesis 2007

Briefing

Who am I?

Niels Joseph Lennon, 27 years old, studying for the Cand. Merc. in Økonomistyring og Regnskab (accounting and controlling). Currently writing my thesis.

Overall purpose of the interview

In the thesis, the interview is to serve as an expert interview in which I can get information from you about ERM/risk management in Denmark, from your point of view as specialists in the field.

I would also like to discuss with you the proposal I have for the study so far.

Anonymity

In general: do you want anonymity in connection with the study itself?

Everything in the output from the interview will be anonymous.

• Company anonymous

• Person anonymous

Nothing will be produced in a way that can identify the company or the interviewee.

Topics in the interview

What influences companies' willingness to start ERM implementation

- Factors are gone through during the interview

With a view to setting up a model to be tested through a questionnaire survey

Questions

Ask them during the interview if anything comes up

Presentation of the interviewee

Where do you come from?

Prerequisites for working with ERM

Which areas of work?

Experience with ERM from elsewhere?

The company as a consultancy

What is the company's role as a consultant in ERM projects? How much of the project does the company carry out?

Guidance only - Everything incl. project management from project start to implementation

Figure D.1: Interview Guide for the Preliminary Study page 1-2 of 8


Interview

Topic: Companies' inclination to start ERM

Is it your conviction that there are company-specific characteristics that matter for the inclination to start with ERM?

- Industries

- Size

- Turnover

- Number of employees

- Ownership (A/S, international company, ApS)

- Incentives - why start ERM?

Interview

Topic: Factors

Which factors do you think influence companies' willingness to implement ERM?

- Perception of risk management in general

- Stage on the RM Maturity Continuum (where is the company's RM now)

- Future plans in connection with risk management/corp. governance

- Attitude towards risk management (from a financial angle: SHV is improved, cost/benefit etc.)

- Perceived problem level

- Lack of knowledge about ERM

- Willingness to seek out consultancy help

Other factors you can think of?

Figure D.2: Interview Guide for the Preliminary Study page 3-4 of 8


Interview

Topic: Problem areas in connection with implementation and operation of the ERM process

Where do the problems typically arise in companies that are to implement ERM?

Perceptual - expected problems

- Procedure difficult to get an overview of

- Lack of success stories

- ERM too extensive

- Too difficult to identify and measure operational risks

- Lack of support from top management

Interview

Further input regarding companies' willingness to start ERM

Can you imagine other factors that influence companies' current willingness to implement ERM?

Willingness to buy consultancy services

- Cost/benefit

- Conviction regarding external consultancy assistance

- Possibly something about lacking IT tools, or lacking an overview of the IT tools available within ERM (IT-supported process)

Willingness to take risk

- Does the company go with "belt and braces", or is it willing to take large risks?

The company's level of innovation

- Always first movers, or conservative management?

- E.g. with regard to IT

Which frameworks do you use?

- COSO's ERM

- COSO's Internal Control

- Basel II (financial sector; concerning capital allocation having to be risk sensitive, operating risk, credit risk) (not part of the study)

- Others?

Which frameworks are most widespread?

- Among non-financial companies

- Among financial companies

Figure D.3: Interview Guide for the Preliminary Study page 5-6 of 8


Interview

Topic: The future

How do you assess that the spread of ERM will be in the future (the market potential)?

Which companies will choose to implement ERM in the future?

What is the reason that companies will choose to implement ERM in the future?

- Greater competitiveness

- SH

- Corp. governance regulation

Which goals do companies have with the ERM implementation project?

- Financial goals

- Strategic goals (less uncertainty)

- Exploit opportunities

Do expectations about the future matter for companies' willingness to implement ERM?

Debriefing

The interview is over

Thank you for the information.

Something to work on further.

• Further comments

• Questions

• Anything we have not discussed

Talk about the structural model incl. changes in connection with input from the interview.

Figure D.4: Interview Guide for the Preliminary Study page 7-8 of 8


Enterprise Risk Management

Incentives and Practices in Danish companies

INTERVIEW GUIDE

CASE X

July 2007

Niels Joseph Lennon, Aarhus School of Business, University of Aarhus, Master's Thesis 2007

Briefing

Q1: How are companies applying risk management?

Who am I?

Niels Joseph Lennon, 27 years old, studying for the Cand. Merc. in Økonomistyring og Regnskab (accounting and controlling). Currently writing my thesis.

Overall purpose of the interview

In the thesis, the interview is to serve as an expert interview in which I can get information from you about ERM/general risk management in CASE X, as well as CASE X's considerations regarding the development of RM.

Anonymity

In general: if CASE X wishes anonymity, it will of course be presented anonymously.

Preferably not a confidential thesis; anonymization of the cases is better, e.g. "case 1"

Topics in the interview

What influences CASE X's willingness to carry out risk management and develop the process going forward?

- Factors are gone through during the interview.

Questions

Ask them during the interview if anything comes up

Presentation of the interviewee

Where do you come from?

Which areas of work?

Experience with Risk Management?

Figure D.5: Interview Guide for the Case Interviews page 1-2 of 8


Q1: How are companies applying risk management?

Interview

Risk Management in CASE X

Can you tell how CASE X carries out Risk Management today, and which areas Risk Management focuses on at CASE X?

- Internal activity compared with external reporting?

Topic: Companies' inclination to develop ERM

If the company is working on improving the RM process: what are the reasons that the company is working on developing the Risk Management process?

- Incentives - why start ERM?

- In relation to Enterprise Risk Management, or integrated risk management/holistic risk management?

Q2: Why do companies implement ERM?

Interview

Topic: Factors

Which factors do you think influence companies' willingness to implement ERM?

Ideas from the literature:

- Perception of risk management in general (executive management and board)

- Stage on the RM Maturity Continuum (where is the company's RM now)

- Future plans in connection with risk management/corp. governance

- Attitude towards risk management (from a financial angle: SHV is improved, cost/benefit etc.)

- Perceived problem level

- Lack of knowledge about ERM

- Willingness to seek out consultancy help

Refined model:

Figure D.6: Interview Guide for the Case Interviews page 3-4 of 8


Q2: Why do companies implement ERM?

Interview

Topic: Problem areas in connection with implementation and operation of the ERM process

Are there problems that in advance keep you from implementing ERM?

Perceptual - expected problems

- Procedure difficult to get an overview of

- Lack of success stories

- ERM too extensive

- Too difficult to identify and measure operational risks

- Lack of support from top management

Q2: Why do companies implement ERM?

Interview

Further input regarding companies' willingness to start ERM

Can you imagine other factors that influence the company's current willingness to implement ERM, if it is not the full ERM that the company works with today?

Willingness to buy consultancy services

- Cost/benefit

- Conviction regarding external consultancy assistance

- Possibly something about lacking IT tools, or lacking an overview of the IT tools available within ERM (IT-supported process)

Willingness to take risk

- Does the company go with "belt and braces", or is it willing to take large risks?

The company's level of innovation

- Always first movers, or conservative management?

- E.g. with regard to IT

Which approaches does CASE X use?

- COSO's ERM

- COSO's Internal Control

- Others?

Figure D.7: Interview Guide for the Case Interviews page 5-6 of 8


Q1: How are companies applying risk management?

Interview

Topic: The future

How do you assess that the future Risk Management in CASE X will be?

What is the reason that CASE X develops the RM process in the future?

- Greater competitiveness

- SH

- Corp. governance regulation

Which goals does CASE X's Risk Management process have?

- Financial goals

- Strategic goals (less uncertainty)

- Exploit opportunities

Do expectations about the future matter for the willingness to implement ERM?

If it has not been clarified well enough during the briefing, at the start of the interview:

How is risk management carried out in CASE X today?

Debriefing

The interview is over

Thank you for the information.

Something to work on further.

• Further comments

• Questions

• Anything we have not discussed?

Figure D.8: Interview Guide for the Case Interviews page 7-8 of 8


Appendix E

Below follows an example of the transcription including the colored coding. The entire transcriptions are found on the attached CD in appendix A.

[contract assessment committee], which looks through the whole thing, and then they make a recommendation to a [contract assessment] [short pause] committee, which then says: well, it is go or no-go. So there is an extreme amount of risk management in that whole process. Then you can say, with regard to risks such as our products and [short pause] that it is the right products we have in the market, that they are [short pause] some [short pause] products that work well in the market, technology takes care of that. So you can say that some of the biggest risks are placed in various different places in the organization. You take care of this, and you take care of this. And the same goes for something like hedging of our currency risks, treasury takes care of that. And all the risks that can be insured away, we do everything here in the Risk Management department to insure them away. So we make sure to keep as close contact with the whole organization as possible, here in the business itself. And look at where the business is heading, and then we make an assessment of which insurance products we can take down from the shelves at the various insurance companies, or can develop in cooperation with the insurance companies. Which cover as much of our risk as possible. But you can say, that is why I say that it is a bit fragmented. And if you are to have an overview of the total risk exposure that CASE 2 faces, then until just a few months ago we have not been able to deliver an overview of that, precisely because the responsibility was so fragmented all around. And it is not done in a way that lets you readily consolidate it and say: this is how it looks. So that [short pause] well, there we have started making [short pause] a good half year ago we started in Group Finance, primarily Bjarne and I, on a project that was to identify the biggest risks in CASE 2, and the biggest associated actions or plans, which sort of reduced that risk. So that we sort of got a catalogue of what it actually is we do today to control these risks. [short pause] And that project has been completed now, and at the end of it we have come up with a number of recommendations for how to sort of move up the staircase, away from doing something reactively here and now and heroically, now we have to go out and solve a lot of problems and put out a lot of fires all around, plug some holes. And also move towards doing it and carrying out risk management in a somewhat more structured and systematic way. [short pause] But you can say, it has not really been implemented yet. So this thing about, if you really look at how risks are managed [short pause] then it is done within some very specific, of course also very heavy, risk-heavy areas. There it is done in a very structured way. An example is that we have made a, in Group Finance we have made a pre-calculation tool, which means that all the sales subsidiaries calculate the [short pause] margin that they expect to earn on this project in the same way, using this calculation tool. And in that calculation tool there is also a risk assessment part, which means that we get projects risk-assessed. Again in a structured way, so that we can compare projects with each other.

And there is no doubt that that risk is very decisive for CASE 2. It is actually controlled in a very systematic way. But [short pause] through this risk project we have identified many other areas where it is not done, to anywhere near the same extent, in an equally structured way. And therefore those risks seem [short pause] very large compared with many other risks.

So the status today, the way I see it, is that we still have a very fragmented approach to how risks are managed in CASE 2, and we do not at present have a plan for - well, we do, let us put it that way - we have a plan for how we move up and get better, but we are just about to implement it, so that we actually get pushed on our way towards ERM. So we are in the middle of a process, you could say.

[Coding themes shown alongside the transcription, all under case2: bottom-up; business; consultancy services; corp. governance; development of RM; experience from other companies; growth; IP background; mode of RM; need for control or a general view (sub to growth); organizational structure; ownership; problems with ERM; risk quantification (sub to mode); risk tolerance; size; stakeholder demands; top management focus; types of risk]

Figure E.1: Example of Transcription Including the Following Thematization


Appendix F

Example of thematization and condensation in NVIVO.

When opening the documents in NVIVO, the codings are shown to the right with different colors for different themes. The coding is highlighted by a red square in figure F.1.

Source: Own processing

Figure F.1: Coding of Documents

When the thematization has been carried out, a hierarchy of the themes can be constructed. This is done by arranging the themes. The example below is from the preliminary interview.

Source: Own processing

Figure F.2: Hierarchy of Themes

The red square shows the hierarchy of the themes. On the highest level, the theme is called preliminary analysis. It consists of two sub levels: "Factors influencing ERM implementation" and "general topics of ERM". They both consist of a number of themes relating to the higher level topic. As an example, it can be seen that the theme "board and management" consists of 10 references to the transcribed text and only 1 document is referred to (which is obvious, as one interview was carried out in the preliminary investigation). The theme can be opened, and doing that provides an extraction of the parts of the texts within the current theme. This provides control of the vast amount of data from the transcriptions. The application also enables the themes to refer to several transcribed documents, which makes it amenable for the analysis.
