Copyright © 2013 by Anette Mikes and Robert Kaplan

Working papers are in draft form. This working paper is distributed for purposes of comment and discussion only. It may not be reproduced without permission of the copyright holder. Copies of working papers are available from the author.

Managing Risks: Towards a Contingency Theory of Enterprise Risk Management Anette Mikes Robert Kaplan

Working Paper

13-063 May 16, 2013

1  

Managing Risks: Towards a Contingency Theory of Enterprise Risk Management

Anette Mikes1  

Robert Kaplan  

Harvard Business School 

                                                            1 Corresponding author. Email: amikes@hbs.edu We gratefully acknowledge the research support provided by HBS Research Associate Dominique Hamel. 

2  

Managing Risks: Towards a Contingency Theory of Enterprise Risk Management

Abstract Enterprise Risk Management (ERM) has become a crucial component of contemporary corporate governance reforms. Now that principles, guidelines, and standards abound, it is time to take stock. Has the idea of ERM reached maturity with proven, unambiguous concepts and tools? Or is it still emerging and unproven? Or can it be simply taken for granted, its value “proven” by the apparent demand? This paper portrays ERM as an evolving discipline, and presents empirical findings from academic papers and our own field research on its current state of maturity. The academic studies explore factors that influence the adoption and impact of ERM but have produced few significant results because of an inadequate and insufficiently specified concept of ERM. Based on a ten-year field project, over 250 interviews with senior risk officers, and three detailed case studies in high reliability organizations, we propose a contingency framework for ERM, describing the emerging design parameters that help to explain the observable variation in the “ERM mix” adopted by organizations. We also propose a new contingent variable: the type of risk that the ERM practices address. We outline a “minimum necessary contingency framework” (Otley, 1980) that is sufficiently nuanced, yet observable to empirical researchers so that they may, in due course, hypothesize about “fit” between contingent variables, such as risk types and the ERM mix, as well as outcomes (organizational effectiveness).

An expanding list of companies – BP, Tokyo Electric, Boeing, Bear Sterns, Lehman

Brothers, Merrill Lynch. Barings Bank, Daiwa Bank, Sumitomo Corporation, Enron, Worldcom,

Tyco and the Mirror Group – has become identified with deficiencies in anticipating and

managing the risks within their complex organizations. These examples of man-made disasters

along with governance and corporate failures reveal the challenges (and in extremis, to some, the

futility) of enterprise risk management. Yet effective and efficient risk management practices

should be seen as the solution of how to avoid corporate disasters and failures, not as part of the

problem (National Commission, 2011: 90). At present, we have ample regulations and

frameworks for “enlightened” risk management, including the risk disclosure recommendations

in the UK Turnbull report, which were quickly incorporated into stock exchange listing rules, the

COSO Enterprise Risk Management Framework, and ISO 31000: 2009 – Principles and

Guidelines on Implementation by the International Organization for Standardization. More

recently, the U.S. Securities and Exchange Commission has mandated that the annual proxy

statements of publicly traded companies include a description of their board’s role in risk

3  

oversight. The Toronto Stock Exchange requires establishment and disclosure of a company’s

risk management function, and the Dodd–Frank Wall Street Reform and Consumer Protection

Act requires large publicly traded financial firms to have a separate board risk committee

composed of independent directors. Credit rating agencies also now evaluate how firms manage

risks, with Moody’s and Standard & Poor’s (S&P) having an explicit focus on ERM in the

energy, financial services, and insurance industries (Desender and Lafuente, 2012).

With this abundance of principles, guidelines, and standards, one could assume that risk

management has become a mature discipline, with proven, unambiguous concepts and tools that

need only regulations and compliance to be put into widespread practice. We disagree. We

believe that risk management approaches are largely unproven and still emerging. Apparently so

do the many organizations that have expressed dissatisfaction with the proposed normative and

regulatory ERM frameworks (CFO Research Services and Towers Perrin, 2008; Beasley et al.,

2010).

This paper portrays Enterprise Risk Management as an evolving discipline, and presents

empirical findings on its current state of maturity, as evidenced by a survey of academic research

and our own field research over the past ten years. While many empirical studies of the

prevalence and effectiveness of Enterprise Risk Management (ERM) have been conducted, most

use inadequate research designs. Based on a ten-year field project, over 250 interviews with

chief risk officers, and three detailed case studies on ERM in high reliability organizations, we

propose a more comprehensive specification of ERM, and identify the parameters that could

serve as a solid foundation for a contingency theory of ERM design and implementation.

4  

We studied three organizations in considerable depth. Each had recently instituted new

risk management practices that show considerable promise for helping it make better decisions

about mitigating and managing the risks from their strategies. Yet each organization had a

completely different structure for its risk management function. At this stage, we cannot be

certain about which of these will survive to be incorporated into a future common body of

knowledge for the emerging risk management profession. Prematurely adopting standards and

guidelines that aspire to be “applicable to all organizations” and “all types of risk” (as for

example ISO 31000 advocates) introduces a major risk into risk management by inhibiting

companies from searching for and experimenting with innovative risk management processes

that match their particular situation and circumstances.

Past Research on ERM Adoption and Performance

The academic literature on ERM can be classified into three research streams. One

attempts to identify variables that explain variations in the adoption of ERM in firms. The second

studies the performance implications of ERM implementations. Both of these streams use large

sample cross-sectional research methods. A third and recently emerging research stream

conducts small-sample and field studies to understand risk management in situ, as an

organizational and social practice.

Determinants of ERM adoption

Empirical studies have identified leverage (Liebenberg and Hoyt, 2003; Pagach and

Warr, 2011; Ellul and Yerramilli, 2012), size (Colquitt et al., 1999; Liebenberg and Hoyt, 2003;

Beasley et al., 2005; Hoyt and Liebenberg, 2011; Pagach and Warr, 2011) and the presence of

CEO incentives (Pagach and Warr, 2011; Ellul and Yerramilli, 2012) as company-specific

5  

factors associated with ERM adoption. Reflecting the normative literature on the subject (COSO,

2004; ISO, 2009), some have studied the influence of effective corporate governance on ERM

adoption (Baxter et al., 2012; Ellul and Yerramilli, 2012). Drawing on the hypothesis that strong

corporate governance agents are likely to advocate for ERM implementation, Beasley et al.

(2005) found that CEO and CFO support was associated with the extent of ERM

implementation, while others identified having an internal risk specialist to be associated with

ERM adoption (Kleffner et al., 2003; Beasley et al., 2005; Desender, 2011; Desender and

Lafuente, 2010; Paape and Speklé, 2012). Studies of other hypothesized ERM determinants, such

as institutional ownership and auditor influence, have yielded mixed results (Pagach and Warr,

2011; Paape and Speklé , 2012; Desender and Lafuente, 2010). As for regulatory pressure,

Kleffner et al. (2003) reported that Canadian companies cited compliance with Toronto Stock

Exchange (TSE) guidelines as the third most important reason (37%) for their ERM adoption.

Paape and Speklé (2012) also found that stock exchange listing helped to explain ERM

implementation, but failed to find any association with the existence governance codes or risk

management frameworks.

ERM and firm performance

Modern portfolio theory argues that shareholders can use portfolio diversification to

costlessly eliminate firm-specific (idiosyncratic) risks, leading many financial economists to

doubt whether ERM can add value to the firm. Stulz (1996), however, argues that risk

management creates value by reducing or eliminating the costs and losses of financial distress.

Froot, Scharfstein and Stein (1993) advocate that risk management adds value if it helps the firm

avoid unfavorable outcomes, or states of the world, that prevent it – because of insufficient

internal funds – from investing in attractive, positive net present value opportunities. This theory

6  

suggests that risk management is more valuable for highly leveraged companies that also have

volatile earnings, and limited cash reserves. Companies with high growth options associated with

future unrealized cash flows and high levels of current research and development R&D should

also benefit from ERM (Desender and Lafuente, 2010).

Corporate governance advocates, consultants and regulators, unlike financial economists,

assume that it is obvious that ERM systems add value to firms. Some point to the widespread and

voluntary adoption of ERM systems as evidence of their benefits (Desender and Lafuente, 2010;

2012). But can the value of ERM be “proven” by other than the apparent demand for it? The ISO

31000 risk management guidance treats risk as two-sided variability, advocating that ERM

should not only reduce the negative impact of unfavorable events, but also help managers to

identify upside opportunities. Others claim that ERM helps firms improve their resource

allocation, leading to better capital efficiency and greater return on equity (Meulbroek 2002;

Hoyt and Liebenberg, 2011). By improving public risk management disclosures, ERM might

also reduce the firm’s cost of capital and regulatory scrutiny (Meulbroek 2002; Hoyt and

Liebenberg, 2011). Academic researchers, however, have had little success finding empirical

evidence to test and support these various performance improvement theories from ERM

adoption.

Assessment of Findings

The empirical studies, described above, have used different methods to define and

measure ERM, making it problematic to compare results across them (Hoyt and Liebenberg,

2011; Baxter et al., 2012; Pagach and Warr, 2010; Gordon et al., 2009). The studies are

constrained by the limited datasets that are available and limited by their use of “somewhat

7  

naïve” (Paape and Speklé, 2012) construction of explanatory and dependent variables. For

example, a 0-1 dummy variable of ERM adoption fails to capture the complexity of how ERM is

actually implemented in companies. Studies that rely on S&P’s ERM ratings must assume that

the rating agency’s arm’s length assessment of a firm’s ERM processes, based on public

information, is a valid indicator of how ERM is actually used in situ. Further, none of the

empirical studies attempts to explain the actual mechanism through which their ERM variable

affects proposed outcome variables, such as stock price reactions and cumulative abnormal

returns, and in a recent study, managers’ accruals-estimation errors (Johnston and Soileau, 2013).

The studies do not capture the variation and effects of actual ERM processes, and omit

organizational and institutional contingencies that would affect the success of ERM

implementation. Because of these severe measurement problems in the independent and

dependent variables used to study ERM adoption and impact, the empirical studies explain only

a small fraction of the variability in outcome variables, and have low levels of statistical

significance for key explanatory variables.

Further, the large sample cross-sectional studies focus on the adoption or not of a

particular risk management framework, and ignore the impact of people and leadership in

shifting a company’s risk profile. Risk management ultimately depends on the people who set

up, coordinate and contribute to risk management processes; people are the ones that identify,

analyze and act on risk information. Their actions often require approval from the CEO and

board. So organizational and cultural contexts can cause companies that follow the same ERM

framework to implement and use their risk management function very differently.

For example, all Wall St. financial firms had risk management functions and CROs

during the expansionary period of 2002-2006. But some of these firms failed during 2007 and

8  

2008 while others survived quite well despite the turmoil. Some of the firms had a robust set of

high-impact, customized practices that met their risk-management needs very well while others

obviously did not. The existence of a risk management department and an individual with a title

of chief risk officer explains very little about the quality, depth, breadth, and impact of risk

management processes. Knowing that a company had a risk management department and CRO

does not predict that it also had the commitment of the CEO and board to encourage the

production and dissemination of risk information, or the resources and support to mitigate the

principal risks identified.

Statistical studies on large public data bases also cannot capture the fascinating variety of

risk-management practices, deployed at different levels, for different purposes, by different staff

groups even by companies in the same industry. Cross-sectional empirical studies that ignore

such important variation end up explaining little, especially about what works and what does

not.

ERM in situ

Cultural theorists such as Mary Douglas, Aaron Wildavsky and John Adams have shown

that risk means different things in different settings and organizations (Douglas and Wildavsky,

1983; Adams, 1995). Experience has taught risk managers that a given risk model will work in

some contexts and not in others (Nocera, 2009). Descriptive and critical research has uncovered

a fascinating diversity of context-specific practices that could help us understand the role for

each innovative variation. Those interested in the relationship between risk experts – particularly

the chief risk officer – and business decision makers have found that risk experts do not operate

in a vacuum (Hall et al., 2012). Risk managers are but one contending group offering to take the

9  

measure of the organization’s future. “Fit-for-purpose” guidelines could not prepare risk experts

for the cut-throat competition for visibility and voice in the C-suite. This intellectual struggle for

risk attention is also a political and cultural struggle in which survival of the fittest is not

necessarily survival of the most theoretically sound. While many commentators find this state

frustrating (Bonisch, 2012), at this stage of the risk-management endeavor, we can learn and

contribute by studying risk practices in situ, in the trenches, as it were. After a brief overview of

the emerging descriptive research body on risk-management, we describe three case studies, each

illustrating a particular purpose and application of risk management. We then set out to catalogue

these practices to propose a contingency framework to explain how such different approaches for

the same objective can co-exist successfully. At this stage, we are not claiming general truths on

the subject; we are merely exploring and making sense of a fascinating and emerging discipline.

A small number of field-based studies of ERM point to a diversity of practices across

organizations, in the same industry (Mikes, 2009; 2011) and even within the same organization

(Hall et al., 2013; Woods, 2009). These studies seek to explicate and understand the reasons for

this variation and the reasons for the different roles that risk experts, particularly the chief risk

officer, fulfill. Mikes (2008, 2009, and 2011) presents field-based evidence of systematic

variations in risk-management practices in the financial services industry and developed the

concept of calculative cultures to explain these differences. Arena et al. (2010) describe three

comparative case studies and document a continuous and evolving interaction between pre-

established management practices and ERM, which makes the latter unique to each

organizational setting.

But as with the large sample cross-sectional studies, field researchers struggle to produce

persuasive comparisons across their multiple studies. The practices they observe in one firm

10  

differ substantially from those observed elsewhere. Due to the complexity of the different risks

faced by any enterprise, organizations have put in place different risk management processes and

structures.

In some firms risk management processes police the business for compliance with risk

limits and risk policies. In others, the risk management function oversees processes that help the

organization learn about uncertainties so that they can be converted into “manageable risks”

(Mikes, 2009; Hall et al., 2012). We have observed firms operate dynamic risk management

processes causing managers to periodically review and, if necessary, revise risks and controls in

light of new information and evolving objectives. Among the most interesting are firms that have

consciously introduced highly interactive risk management processes to counter the individual

and organizational biases that inhibit constructive thinking about risk exposures. These firms

worried that managers and employees would become so inured to risks that they would override

controls as they accept deviances and near misses as the “new normal.”

With this plethora of risk management processes occurring in practice, we have used a

taxonomy introduced in Kaplan and Mikes (2012) to organize our field observations. The

taxonomy describes three different risk categories – preventable, strategy, and external – each

with a different source for the risk events, different degrees of controllability, and different

approaches for identification, mitigation and management. We do a deeper dive into the

preventable and strategy risk categories since the practices for these two categories were the ones

most commonly observed at our field sites. Our description and analysis will therefore exclude

risk management practices such as scenario analysis, war games, and stress tests that are more

relevant for managing external risks.

11  

Classifying risks and risk-management practices

Kaplan and Mikes (2012) argues that existing risk practices, despite all the rhetoric and

proposed standards and guidelines for enterprise risk management, remain too often rooted in

compliance or else are segregated and fragmented into arbitrarily chosen functional silos such as

market, human resources, credit, and supply chain risks. Neither the rules-based compliance

approach nor the silo-based functional approach helped companies avoid risk management

disasters such as the Global Financial Crisis, the BP Deep Horizons well explosion, and the

developmental and operational problems with the new Boeing 787 Dreamliner aircraft. The

authors (Kaplan and Mikes (2012)) argue that risk-management practices need to be customized

to the different types of risks they are intended to mitigate as shown in Table 1.

-------INSERT TABLE 1 AROUND HERE -----------

Category I preventable risks arise from routine operational breakdowns or employees’

unauthorized, illegal, unethical, incorrect or inappropriate actions. Management should strive to

eliminate the incidence of this category of risk events entirely since the firm gets no benefits

from taking them on, and they can be avoided by deploying known, established procedures. In

contrast, organizations voluntarily take on Category II strategy execution risks in order to

generate superior returns from their strategies. For example, some companies operate in

hazardous industries, such as mining, chemical, and oil and gas exploration. Others, such as

high-technology, pharmaceutical, medical device, and aerospace companies conduct high-risk

research projects to develop the next generation of products. Managers can identify and influence

both the likelihood and impact of their strategy execution risks but they cannot drive all the risks

out of their strategies; some residual risk always remains.

12  

Category III external risks arise from events outside the company’s ability to influence or

control. Managers often are unaware of these risks and even for those they do anticipate, they are

usually unable to plausibly assess their likelihood of occurrence. Identifying external risks

requires a process of risk envisionment, using experience, intuition, and creative imagination to

generate plausible future scenarios and strategic uncertainties. Once envisioned, managers can

then contemplate whether and how to mitigate an external risk’s impact should it occur.

The power of this multi-dimensional risk taxonomy arises from the very different

processes, organizational units, and actions that are most effective for managing the risks in each

category. Internal audit can be an effective tool for managing preventable risks, but may be

inadequate for managing strategy execution and external risks. Conversely, the different risk

practices that are effective for managing strategy execution and external risks are likely

ineffective for preventable risks. This is a why organizations need to tailor their risk management

units and processes to the inherent nature and controllability of the different risks they face.

Corporate governance and internal control frameworks for managing preventable risks

have been studied extensively (Power, 2011 and 2012; Spira and Page, 2003; Simons, 1995). In

addition to boundary and belief systems (Simons, 1995), best practices in corporate governance

mandate strong internal control systems, with board-level oversight, including segregation of

duties and an active whistle-blowing program, to reduce the occurrence of employee

misbehavior and the temptations for fraud and abuse (Power, 2012). Internal audit departments,

by continually checking employees’ compliance with internal controls and standard operating

processes, strive to discourage and deter employees from violating the company's operating

procedures and policies, and to detect violations when they do occur. Survey evidence shows an

active role by the internal audit functions in championing ERM projects in the majority of non-

13  

financial companies (Rizzi et al. 2011; Grant Thornton Advisory Services, 2012). This high level

of activity helps explain why many observers and companies believe that risk management is

primarily about specifying rules and validating compliance (Power, 2009; Kaplan and Mikes,

2012).

But rules and compliance are not effective for managing the risks of strategies, especially

those that reach for high expected returns. Risk management’s role should not be to inhibit or

stop risky projects and strategies. Rather it should be to help line managers identify the principal

risks that accompany their strategy and guide the adoption of cost-effective interventions that

mitigate the most likely and consequential ones, recognizing that some residual risk, inherent to

the strategy, will almost always remain (Merton, 2005). In this view, a risk management function

can provide a company with competitive advantage by enabling it to undertake higher expected-

return projects. The function can potentially reveal that, even after cost-effective mitigation, the

residual risk exposure of a strategy remains too high relative to a strategy’s expected return. In

this case, the risk management process should, ideally, influence the company to modify its

strategy into a lower risk/return profile.

Research design

Site selection

During the past ten years, we have conducted more than 250 interviews with senior risk

officers and general managers in companies where the risk management function had the

following characteristics:

1. had been in existence for at least 5 years

2. was perceived as adding value to the business

14  

3. had introduced several new interactive and intrusive risk management tools and

processes to manage preventable and strategy risks

4. was headed by a visible risk officer, often but not always titled “chief risk

officer,” who had a direct reporting line to the chief executive (or another senior

C-level executive).

We selected three companies in three industries that we considered high reliability

organizations (HROs) (Weick and Sutcliffe, 2001); those where the alternative to consistent,

high-reliable operations could be severe harm, damage, and loss. The three industries were

aerospace engineering, which required capital intensive, time-critical technological innovations;

high-voltage electricity transmission, where lack of reliability could lead to financial and asset

damage, and potential human injury and death; and fund management in volatile capital markets,

where long-term client relationships, trust and clients’ private wealth were at stake, and where

risk exposures change rapidly, possibly hourly or even trade by trade.

In examining processes used to manage both preventable and strategy execution risks, we

wanted to learn how senior risk management officers handled the tensions between a rules and

compliance oriented risk function and one that had to be deeply embedded in line operations to

manage continually evolving risks. A strongly independent rules and compliance function can be

seen as so independent and removed from business operations that line managers find it

irrelevant in helping them cope with strategy execution risks. Conversely, an embedded risk

function, helping line managers address day-to-day risks, can “go native” and lose the

independence required for maintenance of a strong compliance culture. Therefore, an important

aspect of our case studies was to investigate how the risk functions balance their roles in

addressing both preventable and strategy execution risks.

15  

We carried out 38 interviews with the three HROs between 2008-2012, (see Appendix 1

for a list of case-specific interviews and dates), including ongoing communications, via email, to

receive updates from their evolving risk management processes.

Data analysis

We conducted our analysis in two stages. First, we analyzed each of the cases

independently and produced an analytical narrative of the innovations introduced by the risk

function. This within-case analysis captured how a group of experts increased the understanding

of the different types of risk the organization faced. The story is a complex, multi-faceted

historical narrative, the origins and some of the outcomes of which would be outside our data-

collection abilities. Hence, we captured the actors’ accounts of events as they perceived them,

and then triangulated these accounts, using publicly available documents, such as annual reports

and third-party publications, to produce a more comprehensive picture of the organizational

changes (Abbott, 1992). In this way, we identified actor-presented themes in the data (Glaser and

Strauss, 1967), highlighted distinct categories such as contextual factors, important

organizational processes, risk activities, decision-making forums, strategic planning and the

resource allocation process. We also documented how the relationships between these processes

changed over time.

After obtaining these detailed within-company narratives, we compared and contrasted

the three detailed analytical accounts, using the cross-organizational insights to enrich our

understanding of within-company processes we had previously analyzed. We used these insights

to draft a contingency framework for risk management that we present and discuss in the paper’s

final section.

16  

Findings

Aerotech (a pseudonym)

Aerotech was a research and development center, managed and operated by a major

technology university under a contract from the U.S. National Aeronautics and Space

Administration (NASA). Aerotech employed approximately 5,000 full-time employees and

managed several thousand contractors. The company developed technological innovations for

NASA’s unmanned space missions, including sending Mariner spacecrafts to Venus, Mars, and

Mercury, the Galileo mission to Jupiter and its moons, and Voyager missions to Jupiter, Saturn,

Uranus and Neptune. Aerotech also developed the camera for NASA’s Hubble Space Telescope

and operated the Deep Space Network for communication with all its various inter-planetary

robotic missions.

Despite some spectacular successes, Aerotech had a mixed track record of managing

risks. Its most visible failure occurred when the Mars Observer, launched in 1992, lost contact

with ground controllers in 1993. Some described this $1 billion project as “a huge amount of

taxpayers’ money spent for nothing.” In the early 1990s, the political and public mood demanded

reforms to NASA, leading to the appointment, in 1992, of Daniel Goldin, as the new NASA

administrator. Goldin, formerly an executive at a major aerospace contractor, believed that new

management techniques and technologies, along with accepting more risk, would dramatically

reduce the cost of NASA’s missions. In a 1992 speech, he challenged Aerotech to adopt "faster,

better, cheaper" techniques so that it could do more without spending more money. But the new

strategy did not reverse the incidence of major failures. The Mars Climate Orbiter disappeared,

during orbit insertion on Sept. 23, 1999, due to a navigation error; and in the same year the Mars

17  

Polar Lander crashed as it neared the surface of Mars. To save money, the Lander did not have

telemetry during its descent to Mars and subsequent analysis suggested that the failure was

probably due to a software fault that shut off the descent rocket too early, causing the spacecraft

to fall the last 40 meters onto the surface. These two failures ended the “faster, better, cheaper”

management philosophy at Aerotech.

In 2000, Aerotech hired a new chief system engineer (CSE), a former Aerotech

employee, who agreed to return to help architecture a new innovation stream complete with a

risk management program that would significantly increase Aerotech’s mission success rate. As

the de facto chief risk officer, the CSE defined his role as “minister without portfolio, the person

who makes sure everything works the way it is supposed to on a global scale.” Recognizing that

Aerotech’s previous risk management practices were too narrowly focused on quality assurance

and checklists for (preventable) risks that were already known and well understood, the CSE

advocated a new approach to risk management. He described how he thought about Aerotech’s

risks:

At the start of a project, try to write down everything you can that is risky. Then put

together a plan for each of those risks, and watch how the plan evolves. Some risks are “business

as usual risks.” We are familiar with these risks and know how to quantify and mitigate them.

Others are “development risks,” in which the project’s engineering enters territory we have never

experienced before.

His challenge was to create a process that could help Aerotech employees and decision

makers identify and mitigate the risks in highly innovative ventures. This, according to the CSE,

was not only a matter of risk anticipation, but required a new risk culture as well:

18  

[Aerotech] engineers graduate from top schools at the top of their class. They are used

to being right in their design and engineering decisions. I have to get them comfortable thinking

about all the things that can go wrong. … Innovation, looking forward, is absolutely essential, but

innovation needs to be balanced with reflecting backwards, learning from experience about what

can go wrong.

Having defined risks as threats to the achievement of Aerotech’s objectives, the CSE

effectively applied the same risk definition advocated by COSO when it issued its ERM

framework (corresponding author’s interview with Rittenberg, March 2006):

1. It is a strategic activity, addressing risks that threaten the achievement of strategic

objectives);

2. It is a governance activity;

3. It is a monitoring activity.

Aerotech’s CSE introduced three risk management processes into every project, which

corresponded to the three ERM requirements:

1. For each major innovation stream, the CSE established an independent and expert risk

review board, with him serving as chairman. The risk review board had an explicit role to

actively challenge project engineers' risk assessments and risk mitigation decisions

(governance/board-level activity).

2. For its monitoring activity, the risk review board required project engineers to carry

out early risk identification and assessment - likelihood and impact - summarized on two-

dimensional risk maps and to continue to update these in subsequent quarterly reviews (presented

19  

to the CSE in face-to-face meetings) and in annual (or bi-annual) highly confrontational and

interactive three-day risk review board meetings (strategic activity).

3. The risk review board allocated risk-based cost and time reserves to allow problems to

be solved during the course of the multi-year project without exceeding the project’s budget or

jeopardizing its scheduled launch date (a monitoring activity linked to the company’s resource

allocation process).

At the start of the project, the board conducted its initial risk review board meeting. By

the end of that meeting, the board had established cost and time reserves based on the degree of

innovation embedded in the project. This link, from the risk monitoring activity to a resource

allocation activity, gave real power to the risk review board – it could reject proposals, cancel

projects, withdraw funding entirely or reallocate funds between project components. As the

project proceeded, the risk review board authorized disbursement from the cost reserves to

employ teams of outside experts (tiger teams) to help the project team solve difficult and

seemingly intractable design and engineering problems. As the launch date approached, the risk

review board either recommended that the launch proceed as planned or, alternatively, be

deferred if it determined that the residual risks remained too high. The built-in time reserves and

the ultimate but costly deferral option reduced deadline pressures, an oft-cited cause of man-

made disasters such as the Challenger decision launch and Deepwater Horizon. The rigorous

monitoring and governance processes motivated engineers to build robustness and reliability into

their everyday design decisions rather than ignoring potential problems or implementing

shortcuts to bypass known problems. The project that eventually led to the highly-successful

Mars landing of the Curiosity Rover, in August 2012, was actually delayed by 2½ years because

20  

the project’s risk review board decided, in 2009, that several technological risks remained too

high 45 days prior to the targeted launch date.

Electroworks (pseudonym)

Electroworks was a major Canadian power transmission and power distribution utility.

The government of its home province actively promoted energy conservation initiatives, and was

rigorously phasing out coal-fired power stations throughout the province. It had capped the price

that Electroworks could charge while also requiring it to lead conservation initiatives that would

adversely affect the company’s revenues and earnings. Electroworks had to manage a complex

web of conflicting interests—the multiple agendas of government ministers, regulators,

consumers, environmental groups, aboriginal (Third Nation) landowners, and the capital market

debt holders that had subscribed to the company’s C$1billion bond issue.

Electroworks’ chief risk officer (CRO) implemented a quite different risk management

approach from that deployed by CSE at Aerotech. The CRO had much less domain expertise

than the CSE. He had been originally hired from the banking industry to be Electroworks’ head

of internal audit. He also was a less intrusive and hands-on risk manager. With no formal

qualifications to challenge Electroworks’ engineers at risk-assessment workshops and at resource

allocation meetings, the CRO saw his role as a facilitator, not a devil’s advocate. His risk

management department collected and moved information about Electroworks’ critical and

material risks up, across, and down the organization. The CRO established a “Chinese wall”

separation between internal audit and risk-assessment activities. No one, besides himself, could

be involved in both activities, and records of the risk workshops were kept confidential and

separate from internal audit assessments. He also benefited from the strong endorsement of

21  

Electroworks’ CEO, who advocated a no-blame culture and encouraged people to speak up and

report deviances, issues, and potential threats that they were worried about.

The CRO, like Aerotech’s CSE, customized the COSO framework’s board-level, strategy

and monitoring activities to the needs and capabilities of the organization. Assisted by a small

team of risk managers, the CRO introduced a three-phase enterprise risk management program.

In Phase 1, he organized a series of workshops for employees to collectively identify and

quantify the principal risks they saw to the company’s strategic objectives. The risk workshops

used an anonymous voting technology that allowed employees to quantify their judgments, on a

scale of 1 to 5, about the impact of each risk discussed, the strength of existing controls, and the

likelihood of occurrence. These judgments were summarized into a visual 5×5 risk map.

Multiplying the likelihood and impact scores of each risk discussed gave a high-level ranking of

the highest priority risks to be mitigated. The risk map, albeit a simple and subjective tool,

facilitated communication and discussion about the focus and direction for Electroworks’ risk-

mitigating actions.2 Each meeting concluded with a consensus on the principal risks identified,

recommended actions to cost-efficiently mitigate each principal risk, and the selection of a

manager to be accountable for each risk and the implementation of recommended actions.

In Phase 2, CRO conducted a series of one-on-one interviews twice a year with senior

managers to review the corporate risk profile, which he then presented to the CEO and the board

of directors. In Phase 3, conducted during the annual planning process, the senior executive

team allocated hundreds of millions of capital investment dollars among investment projects that

had been proposed to mitigate the principal risks faced by the company. By tying the investment

                                                            2 Interestingly, the risk review workshops at Aerotech also used 5×5 risk maps to summarize the principal risks to the mission. While seemingly simplistic, especially for the Ph. D. rocket scientists at Aerotech, the risk

22  

management process to risk assessments, business managers had an incentive to disclose, not

hide, risks, so that they could obtain resources for risk mitigation. The mantra was “If you have

no risk, you get no money.” The investment management department rigorously pre-screened

project proposals, prior to their presentation at the two-day annual resource allocation meeting.

The meetings, like Aerotech’s risk review board meetings, were intensively interactive as risk

managers challenged the engineers’ “bang for the buck” investment proposals.

All three phases channeled risk information vertically and horizontally throughout the

company, enabling executives and employees to develop a shared understanding of the

company's risk profile and its high priority to continually reduce the residual risks from high-

impact events. Indeed, the CRO attributed the success of ERM to the multiple points of “contact”

it made with people in the organization:

Enterprise risk management is a contact sport. Success comes from making contact with

people. Magic occurs in risk workshops. People enjoy them. Some say, “I have always worried

about this topic, and now I am less worried, because I see that someone else is dealing with it, or I

have learned it is a low probability event.” Other people said, “I could put forward my point and

get people to agree that it is something we should be spending more time on, because it is a high

risk.”

Wealthfunds (a pseudonym)

Wealthfunds was a private asset management bank within a very large money center

financial institution. Wealthfunds offered clients investment opportunities in internally-managed

and external funds, and had an award-winning reputation for service and innovation in the global

private banking business. The company’s regulators, wary of the bank's ample opportunities for

                                                                                                                                                                                                maps’ simple summary of highly complex phenomena was adequate to generate active discussion and debates

23  

self-dealing and conflicts of interest, required the company to perform substantial due diligence

not only on the external funds it offered its clients, but especially on the internally managed

funds it used. Regulators did not want investment managers directing client assets internally

when better options existed with externally-managed funds. Wealthfunds’ risk management

function had to operate with independence and authority to approve the population of funds that

asset managers could use, and to ensure that all investment managers complied with external and

internal requirements.

At the onset of the global financial crisis in 2007, Wealthfunds introduced another set of

risk managers whose mandate was to work closely with managers in the business line. These

“embedded” risk managers had dual reporting lines: one to the line manager and a second to their

superiors in the independent risk management function. Wealthfunds’ CRO, who also served as

one of the embedded risk managers, explained the novelty of his dual responsibilities for

improving the risk-adjusted returns for his manager’s funds while protecting the portfolios from

major downside shocks:

My colleagues in independent [compliance] risk management who sit outside the [fund

management] team don’t necessarily have the proximity and real time visibility of what trades and

risks are being taken. So we want somebody on the inside looking out for everybody’s interest,

and that person is me. I serve as a close business partner to portfolio managers … responsible for

keeping portfolios in alignment with both broad Private Bank-level policies … as well as [fund]-

specific, market-risk related items such as trade approvals, portfolio risk analysis, positional

concentrations, etc.. … [M]y role is to keep portfolio managers honest … I listen to their views so

I can help them fine tune what they should sell and buy in order to reflect their views in their

portfolios.

                                                                                                                                                                                                during the meetings.

24  

The CRO and Wealthfunds’ other embedded risk managers continually asked “what-if”

questions that forced portfolio managers to think about the implications on the private bank's

performance from different scenarios. The risk managers challenged portfolio managers’

assumptions and actions and helped them design trades prior to approval at investment

committee meetings. For this, they had to help portfolio managers assess how proposed trades

contributed to the risk of the entire investment portfolio—not just under normal circumstances,

but under extreme stresses, as well. For example, under conditions of market distress, the

correlation of returns across different asset classes such as stocks and bonds increases

dramatically. Stress-testing helped investment managers estimate potential extreme losses from

low probability events. The CRO explained that stress-testing made managers consider system

effects and the unintended consequences of their planned actions:

Portfolio managers come to me with three trades, and the model may say all three trades are

adding to the same type of risk. Nine times out of ten a manager will say, ’No, that’s not what I

was trying to do.’ Then, we can sit down and redesign the trades.

Discussion

The structures for risk management used by the three HROs were completely different

from each other; yet, in our assessment, each served its company well. For example, Aerotech’s

CSE and Wealthfunds’ CRO addressed high-risk technical problems. These two risk managers

needed domain expertise if they were to be credible when actively questioning the assumptions

of project engineers and investment managers, and have confidence in their judgments on asset

allocations and whether to accept or veto line managers’ decisions. The two risk officers,

however, differed along a time dimension. Aerotech’s CSE conducted in-depth risk analysis

every one or two years while Wealthfunds’ risk managers analyzed risk exposures minute by

25  

minute.

Electroworks’ CRO, unlike his counterparts at Aerotech or Wealthfunds, dealt with wide-

ranging enterprise risks that included human resources, aboriginal access rights across vast

territories, governmental regulation of prices and service, ice storms, asset maintenance and

reliability, and financing. No individual could have expertise in all these domains. For this

reason, Electroworks’ CRO facilitated information production and dissemination for decision

making but he and his group did not make or veto risk-based resource allocation decisions. For

major investment decisions, the CRO collaborated with the company’s former field- and project

engineers in the investment planning department to provide the expertise and rigor to engage

with project engineers.

One aspect, however, common to all three was that each used highly-interactive

processes – risk review meetings at Aerotech, employee risk assessment meetings at

Electroworks, and face-to-face interactions at Wealthfunds – that encouraged debate, discussion,

and solicitation of contrary opinions. This feature seems essential to generate the required

dialogue and confrontation for identifying key strategy risks and selecting cost-efficient risk

initiatives. Interactive risk meetings cannot be replaced by filling out and auditing checklists or

using GRC [governance, risk and compliance] software solutions.

Table 1 summarizes the case comparisons and outlines the design parameters that

differentiate among the three ERM processes we observed.

--------INSERT TABLE 1 AROUND HERE-------

Unpacking the “ERM mix”

26  

The three field studies confirm an important feature of ERM, first suggested by Mikes

(2009) for financial services: companies should implement ERM by adapting a variety of

practices to their specific needs and context. A major weakness of past and current academic

research is their treatment of risk management as uni-dimensional; either you have adopted ERM

or not; either you have a CRO, or don’t. In only slightly more advanced forms, the research

parameterizes ERM along a single-dimensional “maturity” scale. If academic research on ERM

is to be grounded in reality and have some potential for explanatory power and impact, it must

unpack the “ERM mix” (Mikes, 2009) into its fundamental components.

ERM design dimensions include:

Processes for identifying, assessing, and rolling up risks: Risk identification can take

place face-to-face (as in our three HROs) or remotely, via self-assessments prompted by a

centralized database or risk register (Mikes, Tufano, Werker and De Neve, 2009). Face-to-face

meetings can take the form of intensive, interactive meetings between the risk expert and line

managers, or in open discussions among diverse employees from different organizational

functions, specialist groups, and hierarchical levels. Risk discussions can be confined to senior

line managers and staff only, or decentralized with front line, support and administrative

employees participating in risk identification and assessments.

Frequency of risk roll-ups: Aerotech’s project engineers faced trade-offs between

quantity and quality of scientific instruments in missions and coping with the immutable laws of

physics. Project risk exposures changed slowly during product development so formal project

risk reviews occurred only annually or bi-annually. Electroworks’ risks, from changes in

demand, regulations, interest rates, and equipment evolved continually during the year, so it

27  

conducted multiple risk workshops throughout the year, semi-annual senior executive risk

assessments, and an annual resource allocation process. Wealthfunds’ risk changed hourly and

even trade-to-trade requiring continuous monitoring and assessment by embedded risk managers.

We conclude that the frequency of risk identification and assessment processes must match the

velocity of risk evolution within the firm, an obvious conclusion but not one that emerges from a

simplistic rules-based and compliance framework.

Risk tools: Most companies use multidimensional visualizations, such as risk maps, to

quantify risks along likelihood and impact dimensions. Some, like Electroworks, also develop

high-level subjective rankings – top-10 lists – of their most significant risks. Some go beyond

these simple summaries to employ data-and analysis-intensive statistical tail assessments, such as

value-at-risk calculations in financial institutions. Field research in financial services suggests

that the selection of particular risk tools tends to be associated with (and at the same time, is

constitutive of) the calculative culture of the organization: the measurable attitudes that senior

decision makers display towards the output of sophisticated risk models (Mikes, 2008, 2009,

2011).

Linkages from risk management to other important control processes: for risk

management to be influential, it must link to already institutionalized, important and influential

processes, such as strategic planning and resource allocation. In all three HROs, the risk

assessment process linked to major resource allocation processes in the firm; cost and time

reserve allocation at Aerotech; capital investments at Electorworks; and asset allocations at

Wealthfunds. Other firms use their existing strategy execution tools, strategy maps and Balanced

Scorecards, as the starting point for their strategy risk identification and monitoring processes

(see discussion of Infosys and Volkswagen do Brasil in Kaplan & Mikes, 2012). Finally, some

28  

risk functions aspire to link risk assessments with performance measurement, such as embedding

it within the enterprise’s balanced scorecard (Woods, 2009) or by single risk-adjusted measures

(Mikes, 2009) – thereby realizing the ideal of risk-based performance management.

The roles played by the CRO / risk function: Empirically, one can observe risk officers

playing different roles in the enterprise. Some risk managers act as independent compliance

champions, focusing on preventable risks, particularly in highly-regulated industries where

compliance with stringent rules and regulations is a necessary success factor. In lightly-regulated

industries, risk managers who lean too much on “the regulatory crutch” of governance standards

and external guidelines (such as from ISO or COSO) to establish their legitimacy, may actually

undermine their credibility. Line managers tend to characterize them as disengaged and even

ignorant of actual business operations and strategies. Risk officers whose mandate covers

strategy execution risks, can earn their legitimacy within the C-suite by facilitating risk

awareness and risk monitoring efforts throughout the organization (as they did at Electroworks).

In a more intrusive role, risk managers may take on the devil’s advocate role to challenge

assumptions made by line and project managers and force elevation and discussion of previously

hidden risks. Such a role, especially when combined with veto rights for projects or strategies

whose risks cannot be mitigated in a cost-efficient manner, helps risk managers (as in Aerotech)

protect the firm from taking on excessive risks or escalating the commitment of additional

resources to them, while still allowing those complex and innovative projects to proceed when

they have adequate risk mitigation plans and resources. Finally, as we have observed in

Wealthfunds, risk functions can balance compliance with business orientation by deploying

separate groups of independent and embedded risk managers. The former act as compliance

champions, while the latter, with a strong business orientation and subject matter expertise, play

29  

an active advisory role vis a vis line management.

From the above discussions, a contingency framework emerges that departs from existing

approaches in three substantive ways (Figure 2). First, it advocates unpacking the “ERM mix”

into its fundamental building blocks (Mikes, 2009). Second, among the determinants of ERM,

we highlight the importance of the type of risk that ERM processes in question are designed to

address. It is only then that we can establish a “minimum necessary contingency framework”

(Otley, 1980) that is sufficiently nuanced, yet observable so that empirical researchers can

hypothesize and collect data about “fit” and “outcomes” (organizational effectiveness). Finally,

the organizational effectiveness of ERM in a firm cannot be assessed by its compliance with

externally-imposed standards. Researchers must uncover and understand the multiplicity of other

variables that can condition the performance of the firm, even with the most sophisticated and

well-matched ERM capabilities in place. Although the measurement of organizational

effectiveness is vital in developing a true contingency theory of ERM, it may be sensible as an

interim measure to be content with the measurement of intervening variables, that is, variables

that are thought to predispose an organization towards effective rather than ineffective operations

(Otley, 1980). In sum, what constitutes the organizational performance of ERM may have to be

determined, in part, by the objectives of the ERM implementation, user satisfaction surveys and

managerial perceptions of its functioning.

------–INSERT FIGURE 2 AROUND HERE----------

Conclusion: Towards a contingency framework for ERM

Establishing propositions about the fit between contingent variables, such as risk types

30  

(and other organizational or industry variables) and the ERM mix is relatively straightforward,

and this paper has suggested several plausible propositions that can be tested further.

In line with Kaplan and Mikes (2012), we propose that organizations need to tailor their

risk control processes to the type of risks they face, because the treatment of preventable,

strategy and external risks involves very different processes, expertise and technology. Our

research confirms there are indeed tools and practices that can help organizations make better

decisions and overcome inherent biases that prevent open and productive discussions about the

downsides from the current strategy (ref. to organizational biases literature here).

One aspect that is not contingent is that all organizations should use existing and proven

tools to manage the preventable risks that are conceptually unrelated to strategy and the type of

organization. These tools have been under development for decades and can be standardized.

Our contingency model applies to the risks that vary with strategy and firm-specific variables.

While some extant risk management frameworks suggest that risk managers should

predominantly be preoccupied with preventable risks (as an enhancement of the internal audit

process), others suggest that the ERM mix should predominantly address strategy execution risks

- threats that are linked to the organization’s strategic objectives (COSO, 2004; ISO 31000). Our

cases suggest that chief risk officers currently have flexibility and many opportunities to expand

their remit to address more than one risk type – particularly, if no one else in the organization

does. Wealthfunds used independent risk managers to address preventable risks related to the

fiduciary duties of its specific business model and the security and accessibility of collateral.

And it also used embedded risk managers to address strategy risks. So the risk management

function can have multiple mandates – but the different mandates likely require multiple

31  

skillsets. The embedded risk managers earned the respect of the chief investment officer and

portfolio managers because of their capital market experience and expertise, and their “passion

for the markets and savvyness”.

Towards the end of our research horizon, at Electroworks, the CRO and his team decided

to initiate so called “black swan workshops” – a separate process to allow managers to address

uncontrollable (external) risk issues. This suggests that well-established risk functions can claim

additional ground, particularly in new areas such as the control of external risks; but they could

be competing with other control agents for acquiring such new mandates.

At present ERM is not sufficiently institutionalized to close the boundaries of risk

functions around a standardized set of concerns. Recent industry surveys indicate that risk

functions have been strengthened since the financial crisis, and they have been endowed with

more resources and visibility (Ernst & Young, 2011). As risk functions exploit a favorable

institutional context that can feed their ambition for expanding their reach in the organization,

tensions and fault lines are inevitable. Much depends on the ambitions and skillset (technical,

social and political savvyness) of risk officers as they stamp out their territories (Mikes, 2008).

The case against codifying risk management (prematurely)

Given the evolving nature of the risk control landscape, it is unclear which of the tools

and practices that have been deployed by various control agents will ultimately underpin and

legitimize a profession of risk management, and the professional “common body of knowledge”

for enterprise risk management. Currently, the repertoire that organizations deploy to address

preventable, strategy and external risks stretches across multiple disciplines and functional

boundaries: not only risk specialists, but internal auditors, strategic planners, finance staff and

32  

management accountants have also been reported to be involved in enterprise-wide efforts to

identify risks and help the business lines manage them more effectively (Rizzi et al. 2011; Grant

Thornton Advisory Services, 2012). Those interested in the relationship between risk experts –

particularly the chief risk officer – and business decision makers will have to recognize that risk

experts do not operate in a vacuum. Even “fit-for-purpose” guidelines would not prepare the

experts for the cut-throat competition for visibility and voice in the C-suite. Risk managers are

but one contending group offering to take the measure of the organization’s future. Therefore,

this laudably audacious intellectual struggle is also a political and cultural struggle in which

survival of the fittest is not necessarily survival of the most theoretically sound.

So we must keep studying the various risk management practices emerging in the

trenches, as it were, before we jump to conclusions about a universal form of ERM. A more

nuanced, descriptive, field-based contingency theory research (as advocated in this paper) may

uncover a fascinating diversity of context-specific practices and, in due course, help us

understand the need for this variation. Many risk managers, consultants, standard setters, and

academics have invested themselves heavily in different and competing concepts, definitions,

and technologies to codify ERM. We can lament the lack of closure, but this diversity is our key

to moving ahead in the great endeavour to “tame uncertainty”.

33  

APPENDIX 1 – LIST OF INTERVIEWS

Firm Date Interviewee

Aerotech 2008-10-08 Chief Systems Engineer

Aerotech 2009-02-26 Chief Systems Engineer

Aerotech 2009-06-05 Chief Systems Engineer

Aerotech 2009-08-07 Project engineer

Aerotech 2009-08-10 Chief Systems Engineer

Aerotech 2009-08-10 Project Engineer

Aerotech 2012-03-01 Risk Review Board Member

Aerotech 2012-05-16 Risk Review Board Member

Aerotech 2012-05-29 Risk Review Board Member

Electroworks 2008-05-07 CFO

Electroworks 2008-05-07 CRO

Electroworks 2008-05-07 Risk Manager

Electroworks 2008-05-08 Manager

Electroworks 2008-05-08 Head of Investment Management

Electroworks 2008-05-08 Operations manager

Electroworks 2008-05-08 CEO

Electroworks 2008-05-08 Director of Public Relations

Electroworks 2008-05-09 CRO

Electroworks 2008-05-09 Director of Regulatory relations

Electroworks 2011-11-01 CRO, Senior Risk Manager #1

Electroworks 2011-11-01 CRO, Senior Risk Manager #2

Electroworks 2011-11-01 CRO, Senior Risk Manager #3

Electroworks 2011-11-01 Operations Managers

Electroworks 2011-11-01 Project Manager

Electroworks 2011-11-02 CRO, Senior Risk Manager #1

34  

Firm Date Interviewee

Electroworks 2011-11-02 CRO, Senior Risk Manager #2

Electroworks 2011-11-02 Project Managers

Wealthfunds 2008-06-20 Group CRO

Wealthfunds 2008-06-08 Senior Manager

Wealthfunds 2008-09-10 Group CRO

Wealthfunds 2009-02-18 Group CRO

Wealthfunds 2010-04-09 CRO (Embedded)

Wealthfunds 2010-04-09 CRO (Business Unit)

Wealthfunds 2010-04-09 Risk Manager (Independent)

Wealthfunds 2010-04-09 Chief Investment Officer

Wealthfunds 2010-05-12 Manager

Wealthfunds 2010-05-12 CRO (Embedded)

Wealthfunds 2010-05-12 Chief Investment Officer

35  

APPENDIX 2 – FIGURES AND TABLES TABLE 1 Three Categories of Risk Risk categories Controllability and relationship to

strategy Control approaches

I. Preventable risks Organizations may (in theory) prevent, or cost-efficiently minimize, occurrence of risk; There is no strategic benefit from taking these risks.

Internal control; Boundary systems; Mission and value statements; Internal audit

II. Strategy execution risks

Organizations may reduce the likelihood and impact of such risks in cost-efficient ways; Taking these risks is essential for achieving strategic returns

Risk identification with risk maps and registers; Risk mitigation initiatives; Risk monitoring linked to strategy review meetings and resource allocation

III. External risks Organizations cannot control the occurrence of such risks; But may be able to prepare and reduce impact should external risk events occur.

Risk “envisionment” via scenarios, war games and expertise-based mental models; Contingency planning; insurance and hedging programs (limited use)

Contingent variables

Firm variablesIndustry variables

Risk types(preventable, strategy execution, external)

ERM mix

ERM design parameters: roll‐up processes; frequency of roll‐ups; tools; linkages to other MCSs; the roles of the risk function

Intervening variables

Organizational effectiveness(measured partly in relation to ERM implementation objectives)

Other factors

Figure 1. The minimum necessary contingency framework for ERM

36  

TABLE 1

Design parameters: Case:

Rolling-up risks – and frequency of risk identification

Risk communication tools

Linking ERM to…

The role of the CRO - skillset

Aerotech Risk review boards: independent and/or executive directors – regular (annual or bi-annual)

Risk maps (impact and probability)

Project planning and monitoring;

Resource allocation (and contingency funds allocation)

Devil’s advocate and decision maker - technical expert

Electroworks Risk workshops: cross-functional groups at all staff levels – both regular and on demand

Face-to-face meetings (CRO and line management) – regular (twice a year)

Risk maps (impact, control strength and probability)

Risk registr

Annual planning and resource allocation

Facilitator – generalist and networker

Wealthfunds Face-to-face meetings (CRO and line management) – regular (weekly)

Statistical “tail risk” and sensitivity analyses (what if?)

Investment planning (asset allocation)

Advisor – technical expert

Table 1. Comparing ERM across the three cases – design parameters

37  

REFERENCES

Abbott, A. 1992. From Causes to Events: Notes on narrative positivism. Sociological Methods and

Research 20(4): 428-455.

Arena, M., Arnaboldi, M., and G. Azzone. 2010. The organizational dynamics of Enterprise Risk

Management. Accounting, Organizations and Society 35(7): 659–675.

Baxter, R., Bedard, J.C., Hoitash, R., and A. Yezegel. 2012. Enterprise Risk Management Program

Quality: Determinants, Value Relevance, and the Financial Crisis. Contemporary Accounting

Research, forthcoming.

Beasley, M.S., Clune, R., and D.R. Hermanson. 2005. Enterprise risk management: an empirical analysis

of factors associated with the extent of implementation. Journal of Accounting and Public Policy

24(6): 521-531.

Beasley, M., Pagach, D., and R. Warr. 2008. Information Conveyed in Hiring Announcements of Senior

Executives Overseeing Enterprise-Wide Risk Management Processes. Journal of Accounting,

Auditing and Finance 28(3): 311-332.

Beasley, M.S, Branson, B.C., and B.V. Hancock. 2010. Are You Identifying Your Most Significant

Risks? Strategic Finance 92(5): 29-35.

Bonisch, P. 2012. ERM and the Kaplan-Mikes (Harvard) heresy: ISO 31000 is “not relevant,” The risk

debate (blog), May 3, 2012, http://paradigmrisk.wordpress.com/2012/05/03/erm-and-the-kaplan-

mikes-harvard-heresy-iso-31000-is-not-relevant/, accessed January 2013.

CFO Research Services, and Towers Perrin. 2008. Senior Finance Executives on the Current Financial

Turmoil. Boston, MA: CFO Publishing Corp.

Colquitt, L.L., Hoyt, R.E., and R.B. Lee. 1999. Integrated risk management and the role of the risk

manager. Risk Management and Insurance Review 2(3): 43-61.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. Enterprise risk

management framework. New York, NY: American Institute of Certified Public Accountants.

Desender, K. 2011. On the Determinants of Enterprise Risk Management Implementation. In N. Si Shi,

and G. Sivlius (Eds.), Enterprise IT Governance, Business Value and Performance Measurement.

Hershey, PA: IGI Global.

38  

Desender, K., and E. Lafuente. 2010. The influence of board composition, audit fees and ownership

concentration on enterprise risk management. SSRN Working Paper.

Desender, K., and E. Lafuente. 2012. The Role of Enterprise Risk Management in Determining Audit

Fees: Complement or Substitute. In J. Abolhassan, J., and A.G. Malliaris (Eds.), Risk

Management and Corporate Governance. New York, NY: Routledge (Taylor & Francis Group).

Ellul, A., and V. Yerramilli. 2012. Stronger Risk Controls, Lower Risk: Evidence from U.S. Bank

Holding Companies. Journal of Finance, forthcoming.

Ernst&Young. (2011). Making strides in financial services risk management

Fowler, T. 2012. BP Slapped With Record Fine; Oil Giant to Pay $4.5 Billion, Plead Guilty to Criminal

Charges in 2010 Gulf Spill, The Wall Street Journal November 15, 2012.

Froot, K. A., Scharfstein, D.S. and Stein, J. 1993. Risk Management: Coordinating Corporate Investment

and Financing Policies. Journal of Finance 48(5): 1629–1658.

Glaser, B., and A. Strauss. 1967. The discovery of grounded theory: Strategies in qualitative research.

London: Wiedenfeld and Nicholson.

Gordon, L.A., Loeb, M.P., and C.Y. Tseng. 2009. Enterprise risk management and firm performance: A

contingency perspective. Journal of Accounting and Public Policy 28(4): 301–327.

Grant Thornton Advisory Services. 2012. Rising to new challenges: The view from the office of the CAE.

(PDF file), downloaded from

http://www.gt.com/staticfiles/GTCom/Advisory/Advisory%20publications/CAE%20survey/CAE

-Survey- 2012_Executive_Summary.pdf, accessed January 2013.

Hall, M., Mikes, A., and Y. Millo. 2013. How Do Risk Managers Become Influential? A Field Study in

Two Financial Institutions. Harvard Business School Working Paper No. 11–068.

Hoyt, R.E., and A.P. Liebenberg. 2011. The Value of Enterprise Risk Management. The Journal of Risk

and Insurance 78(4): 795–822.

International Standards Organisation (ISO). 2009. ISO 31000:2009, Risk Management—Principles and

Guidelines. Geneva: International Standards Organisation.

Johnston, J. and Soileau, J. 2013. Enterprise Risk Management and Accruals Estimation Error. Paper

presented at the EAA Annual Congress, Paris, 7 May 2013.

39  

Kaplan, R.S. 2011. Accounting scholarship that advances professional knowledge and practice. The

Accounting Review 86(2): 367-383.

Kaplan, R. S., and A. Mikes. 2012. Managing Risks: A New Framework. Harvard Business Review

90(6): 48-6.

Kleffner, A.E., Lee, R.B., and B. McGannon. 2003. The Effect of Corporate Governance on the Use of

Enterprise Risk Management: Evidence From Canada. Risk Management and Insurance Review

6(1): 53-73.

Latour, B. 1987.Science in action: How to follow scientists and engineers through society. Cambridge,

MA: Harvard University Press.

Liebenberg, A.P., and R.E. Hoyt. 2003. The Determinants of Enterprise Risk Management: Evidence

from the Appointment of Chief Risk Officers. Risk Management and Insurance Review 6(1): 37-

52.

McShane, M.K., Nair, A., and E. Rustambeko. 2011, Does Enterprise Risk Management Increase Firm

Value? Journal of Accounting, Auditing & Finance 26(4): 641-658.

Merton, R.C. 2005. You Have More Capital Than You Think. Harvard Business Review, November

2005. ReprintR0511E:1-10.

Meulbroek, L. 2002. The Promise and Challenge of Integrated Risk Management. Risk Management and

Insurance Review 5(1): 55-66.

Mikes, A. 2008. Chief Risk Officers at Crunch Time: Compliance Champions or Business Partners?

Journal of Risk Management in Financial Institutions 2(1): 7-25.

Mikes, A. 2009. Risk Management and Calculative Cultures. Management Accounting Research 20(1):

18-40.

Mikes, A. 2011. From Counting Risk to Making Risk Count: Boundary-Work in Risk Management.

Accounting, Organizations and Society 36(4-5): 226-245.

Mikes, A, Tufano, P., Werker, E.D. & De Neve, J-E. 2009. The World Food Programme during the

Global Food Crisis (A). Harvard Business School Case 709-024. (Revised from original

December 2008 version.)

40  

National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling (National

Commission). 2011. Deep Water: The Gulf Oil Disaster and the Future of Offshore Drilling,

Report to the President. (PDF file), downloaded from http://www.oilspillcommission.gov/final-

report, accessed January 2013.

Nocera, J. 2009. Risk Mismanagement. The New York Times Magazine January 2, 2009.

Otley, D.T. 1980. The contingency theory of management accounting: Achievement and prognosis.

Accounting, Organizations and Society 5(4): 413-428.

Paape, L., and R.F. Speklé. 2012. The Adoption and Design of Enterprise Risk Management Practices:

An Empirical Study. European Accounting Review 21(3): 533-564.

Pagach, D., and R. Warr. 2010. The Effects of Enterprise Risk Management on Firm Performance. SSRN

Working Paper.

Pagach, D., and R. Warr. 2011. The Characteristics of Firms that Hire Chief Risk Officers. The Journal of

Risk and Insurance 78(1): 185-211.

Power, M. 2009. The risk management of nothing. Accounting, Organizations and Society 34(6–7): 849-

855.

Power, M. 2010. Fair value, financial economics and the transformation of accounting reliability.

Accounting and Business Research 40(3): 97-210.

Power, M. 2011. Smart and Dumb Questions to Ask About Risk Management. Risk Watch: Thought

Leadership in Risk and Governance (May 2011): 2-5.

Power, M. 2012. The apparatus of fraud risk. Accounting, Organizations and Society, forthcoming.

Reed, S., and J. Werdiger. 2012. Despite Accord, Spill Aftermath Shadows BP. The New York Times

November 16, 2012.

Rizzi, J., Simkins, B.J. and K. Schoening-Thiessen. 2011. Enterprise Risk Management : A Review of

Prevalent Practices. Ottawa: Conference Board of Canada.

Simons, R. 1995. Levers of Control: How Managers Use Innovative Control Systems to Drive Strategic

Renewal. Boston, MA: Harvard Business School Press.

41  

Spira, L. F., and M. Page. 2003. Risk management: the reinvention of internal control and the changing

role of internal audit, Accounting, Auditing and Accountability Journal 16(4): 640-661.

Stulz, R. 1996. Rethinking risk management. Journal of Applied Corporate Finance 9(3): 8-24.

Weick, K.E., and K.M. Sutcliffe. 2001. Managing the Unexpected: Assuring High Performance in an Age

of Complexity. San Francisco, CA: John Wiley & Sons, Inc.

Woods, M. 2007. Linking risk management to strategic controls: a case study of Tesco plc. International

Journal of Risk Assessment and Management 7(8): 1074–1088.

Woods, M. 2009. A contingency theory perspective on the risk management control system within

Birmingham City Council. Management Accounting Research 20(1): 68-91.