Enterprise Risk Management Presentation

Adopting Enterprise Risk Management in

Today’s World:

An Evidence-Based Guide for Implementation




Dr. Steven Deck














COPYRIGHT © Steven Deck, 2017




Dr. Steven Deck has over 25 years of experience developing and

implementing risk management, environmental health and safety,

international safety and security, emergency response, and continuity of

operation programs and processes in higher education and in biomedical and

pharmaceutical industries. Dr. Deck has also led efforts to identify and treat

risks associated with implementing a strategic plan at a large research

university. Hence, he has experience managing risks at both the operational

and strategic level. He holds a doctorate in management, an MBA, and a

bachelor’s degree in safety and industrial hygiene management. Dr. Deck

also holds an associate in risk management and is a certified industrial

hygienist, safety professional, and hazardous materials manager.





This book is dedicated to the people who tirelessly work to reduce

risks organizations face in today’s fast-paced world. Their efforts sometimes

go unnoticed since, if successful, risk managers prevent adverse events from

occurring or significantly reduce their impact on the organization. A good

day for a risk manager is one that is uneventful with operations continuing

without interruption. However, their work is critical to an organization’s

ability to achieve its mission. By reducing risks that threaten an

organization’s survival, risk managers preserve the organization’s ability to

offer people opportunities to earn a living and provide for their families.

Indeed, a risk manager’s role is critical to the success of society even if their

work sometimes goes unnoticed.




First, I would like to thank my advisory committee for my dissertation,

Dr. Thomas Mierzwa and Dr. Denise Breckon. The research for my

dissertation served as the foundation for the writing of this book. Their hard

work and commitment to my growth as a scholar enabled me to grow

intellectually and develop the skills needed to write this book. I would also

like to acknowledge Dr. Roger Ward, Senior Vice President for Operations

and Institutional Effectiveness and Vice Dean for the Graduate School at the

University of Maryland Baltimore for encouraging me to pursue my doctoral

degree and continuing to support me throughout my career. Thanks also go

to Dr. Lauren Sweetman for her guidance and editing of this book. Last, and

most importantly, I would like to thank my wife, Bonnie, for her patience and

support as I fulfilled the demanding requirements of a doctoral program and

writing this book.



Table of Contents

Introduction

Part 1: Understanding Organizational Risk and Risk Management
Chapter 1: Organizational Risk
Chapter 2: Traditional Risk Management
Chapter 3: Frameworks for ERM

Part 2: Management Science and ERM: From Theory to Practice
Chapter 4: Organizational Change I – Institutional Theory, Legitimacy Theory, and Organizational Culture
Chapter 5: Organizational Change II – Change Management
Chapter 6: Organizational Change III – Organizational Control and Resilience
Chapter 7: Organizational Change and COSO’s ERM Framework
Chapter 8: Decision Making I – Sensemaking Theory
Chapter 9: Decision-Making II – Bias and Framing
Chapter 10: Decision Making and the COSO ERM Framework
Chapter 11: Organizational Learning I – Learning Organizations
Chapter 12: Organizational Learning II – Sensemaking-Based and Team-Based Learning
Chapter 13: Organizational Learning III – Action and Absorptive Capacity
Chapter 14: Organizational Learning and COSO’s ERM Framework

Part 3: Factors Affecting ERM Adoption and Implementation
Chapter 15: The Program Implementation Process
Chapter 16: Why Organizations Adopt an ERM Strategy
Chapter 17: Factors Influencing the Implementation of an ERM Program
Chapter 18: A Model for ERM Implementation in Complex Organizations

Part 4: Seven Principles for ERM Adoption and Implementation
Chapter 19: The Seven Principles
Chapter 20: Concluding Remarks

References




Risk is pervasive in conducting business. Consider any operation an

organization performs: each requires identifying and managing the risks that

can impede the execution of the operation. For example, production units

must manage risks such as employee safety or the loss of a critical supplier or

piece of equipment, human resource departments confront potential claims of

unfair labor practices, and information technology groups must be alert to

cyber threats. Moreover, organizations face external risks that arise due to

advances in technology, changing economic and market conditions, and

increased globalization. Even organizations that fall outside of the traditional

conversation on risk must now consider these challenges. Higher education

institutions (HEIs), for example, are under increased pressure from the

government, public, and campus community to manage risks (The Advisory

Board, 2008; University Risk Management and Insurance Association

[URMIA], 2007). Such institutions must manage a wide range of risks in

diverse areas such as safety and security, regulatory compliance, academic

affairs, research, information technology, finance, human resources, and

facilities management (Abraham, 2013). Furthermore, recent events such as

hurricanes Katrina, Harvey, and Maria, the economic downturn, and social

issues such as sexual assault on campus and protest actions point out the

importance of managing risk in higher education. Indeed, although the



institution may survive such events, leadership may not. For example, both

the Penn State Jerry Sandusky sexual abuse scandal in 2011 and the

University of Missouri social protests of 2015 resulted in leadership changes

at these institutions.

Many organizations have historically deferred responsibility for

managing risks to individual operating units within the organization.

However, this approach lacks an overarching strategy for managing risks

from an institutional perspective. The lack of a comprehensive risk

management strategy leads to inconsistent risk tolerance levels, inefficient

resource allocation for risk control activities, and a lack of knowledge on how

risk affects achieving the strategic objectives of the organization. Here, an

approach known as enterprise risk management (ERM) provides a method to

manage risks in organizations holistically. In this book, I unpack this

approach both theoretically and practically, providing a hands-on guide to

understanding, adopting, and implementing ERM within complex

organizations. First, however, in the remainder of this introduction, I describe

the concept of ERM along with the evidence on which this book is based—

my doctoral research—and the systematic review methodology I employed to

analyze it, followed by a brief summary of the structure of the book.




What is ERM?

Enterprise risk management is a senior leadership initiative that aims

to integrate an organization’s risk management practices in order to enhance

the organization’s ability to achieve its strategic objectives (The Committee

of Sponsoring Organizations [COSO], 2004; Hoyt & Liebenberg, 2011). In

doing so, ERM moves beyond traditional risk management approaches that

focus on managing risks in functional silos. Instead, ERM aspires to manage

risks as a portfolio in order to capture the full range of risks and multiple

interdependencies between them. It does this by positioning risk management

as a senior leadership responsibility, assessing risk from an entity-wide

perspective, aligning business strategies with risk tolerance levels, and

integrating accountability for managing risks across the entity (COSO, 2004;

Kimbrough & Componation, 2009; Kleffner, Lee, & McGannon, 2003;

McShane, Nair, & Rustambekov, 2011). Because of this holistic approach,

ERM provides a means to manage organizational risk in a comprehensive and

strategic manner.

Existing ERM models originate from the business sector and were

developed by practitioners in such fields as auditing, accounting, and

insurance (Andersen, 2010). Despite their comprehensive approach, these

original frameworks tend to emphasize hierarchal management structures,

quantifying risk exposure, and control systems for managing risks. And, as



ERM is a relatively new management practice, there is limited empirical

research on implementing the practice in complex organizational settings.

Therefore, today’s organizations face the challenge of introducing useful

ERM frameworks that are undeveloped for complex settings into an

organizational culture that may already be skeptical of new management

approaches due to their previous experiences with restructuring and efforts at

organizational change. With the right tools and knowledge, however, as I

show in this book, ERM can be utilized in any organizational setting to

improve the risk management practices of the organization effectively and




The Systematic Review: An Evidence Base for ERM

This book utilizes a broad evidence base on ERM that I gathered

through the rigorous systematic review study I conducted for my doctoral

research. In this study, I examined the utility of ERM particularly in relation

to complex organizations, using the case study of higher education

environments as a frame for analysis. These environments present a wide

range of risks that cross multiple organizational boundaries. Traditionally,

such institutions had deferred risk management to the individual units most

affected by the risks. Such an approach did not look at the overall risk profile

of the institution and risks’ effects on achieving the institution’s strategic

objectives. Consequently, higher education leaders had turned to ERM as a

strategy to manage institutional risks. However, ERM is a management

practice that originated from the corporate sector. This raised the question as

to whether an ERM strategy for managing risks was appropriate for higher

education. In addition, if an ERM strategy was deemed appropriate for

managing risks in higher education, how should leadership implement such a

program? Prior to my study, existing ERM frameworks lacked information

on how to implement this practice in complex organization settings.

Therefore, in my study I posed the following research question: How do

critical success factors influence a decision to adopt and implement ERM in

higher education institutions? To answer this question, I reviewed both the



literature on this topic as well as its connections to academic theories of

change management, decision making, and organizational learning. Overall, I

showed how these theories could enhance the implementation of ERM in

complex organizations—findings I now bring to you. Although the study

used higher educational institutions as a framework for analysis, the findings

and recommendations from the study are transferable to any organization that

has a diverse range of operations, business units, and core functions.

More specifically, in the systematic review, I used a series of study

search terms related to ERM to search the electronic database OneSearch for

credible scholarly sources on ERM. Initially, the search yielded 999 citations

(after duplicates were removed). I reviewed all articles in brief (e.g., titles,

abstracts, headings) based on the study’s inclusion and exclusion criteria. I

looked specifically for primary research articles (articles describing research

undertaken by the authors themselves) and articles directly relevant to the

study’s research questions. After this stage, 53 primary studies relevant to the

research question remained for review. I then conducted a quality appraisal

process to ensure the rigor and validity of the research, which resulted in the

further elimination of two studies due to poor quality. I subsequently added

four grey literature studies (reports on ERM by organizations), resulting in a

final dataset of 55 studies. Figure 1 provides a summary of the results of the

search process.




Several observations can be made of the studies included in the

systematic review. First, the studies from peer-reviewed journals included in

the dataset were published after 2003, with 84% published after 2009. This

highlights that ERM research is still in its infancy. Second, the studies

published in peer-reviewed journals were found in the following types of

publications: accounting and finance (n = 19), risk management and

insurance (n = 14), engineering (n = 6), management sciences (n = 5),

information technology (n = 4), energy management (n = 2), and higher

education (n = 1). These results point to the strong influence the accounting,

finance, risk management, and insurance fields have on ERM research. The

results also highlight the limited number of studies published in journals



dedicated to the management sciences.

As ERM is a global phenomenon, no geographic limitations were

placed on the literature reviewed in my study. Consistent with Scott’s (1992)

assertion that “we can understand much about a specific organization from

knowing about other organizations” (p. 1), studies from sectors outside of

higher education were also included in the study. This allowed me to observe

which ERM implementation mechanisms worked or failed to work across a

range of organizational settings. Due to the study’s focus on ERM as a high-

level framework for managing risk and the challenges of implementing ERM

in higher education, technical aspects of risk management were outside the

scope of this study. Examples of these include mathematical models for risk

assessment and developing information technology solutions for ERM.


Of the studies included in the review, 23 included findings from

U.S.-based organizations, while the remaining were from a diverse set of

countries and regions including Australia, Brazil, Canada, China, India, Italy,

Germany, Malaysia, the Middle East, New Zealand, the Netherlands,

Scandinavia, Sri Lanka, Turkey, and Zimbabwe. The studies looked at a wide

range of industry sectors, including banking, construction, education, finance,

government agencies, insurance, manufacturing, nonprofit organizations, oil

and gas, research institutions, services, suppliers, and utilities. These results



indicate ERM is a management strategy that has received global attention

from a wide variety of industries.

Thirty-five studies employed quantitative methods to analyze data

gathered from surveys, controlled studies, or publicly available financial data

sources. Twelve studies were qualitative, using methodologies such as case

studies, and four used mixed methods. Two pieces of grey literature were

based on survey findings and two were from roundtables. Hence, research on

ERM has been conducted using multiple research methodologies. Last,

consistent with the research question this study explored, research on ERM

focused on two aspects of ERM: (a) why an organization would adopt ERM

and (b) the critical factors that influence ERM implementation. Overall, when

looking at the evidence-base as a whole, this book is based on findings from

the 55 studies. This entails evidence from 5,614 survey respondents, publicly

available data from 935 companies, and data from 35 case studies.




A How-To Guide for ERM

In this book, I provide a detailed overview of ERM, along with a guide

for its adoption and implementation. In Part 1, I explain the concepts of

organizational risk and risk management in relation to the complex

organization, unpacking traditional risk management approaches as well as

ERM frameworks in more detail. Then, in Part 2, I review a series of

management theories and concepts that can be utilized to enhance

understanding and implementation of ERM, including: institutional theory,

legitimacy theory, change management models, sensemaking theory, decision

sciences, theories of action, absorptive capacity, and organizational

resiliency. This is followed in Part 3 by a discussion of factors that affect

ERM adoption and implementation. In Part 4, based on my experience as a

practitioner tasked with identifying and mitigating risks in my operational

unit, and later from my broader role in the University’s ERM efforts, I

introduce seven principles for ERM adoption and implementation, providing

a hands-on tool to guide the ERM process in complex organizational settings.

Lastly, in the concluding remarks, I comment on the wide applicability of

ERM for complex organizational settings, speaking to the implications of

adopting ERM and areas for future research.

Overall, this book will provide you with both practical and

theoretical knowledge for adopting ERM to improve organizational



performance. This book expands the body of knowledge on ERM by

identifying factors that influence ERM implementation in complex

organizational settings, and linking them to a set of management theories that

enhance ERM implementation. To date, existing frameworks on ERM have

lacked practical information on implementing and integrating ERM across

the organization (Fraser, Schoening-Thiessen, & Simkins, 2008). Indeed, a

key difference between ERM and traditional risk management practices is

that ERM elevates managing risks to a senior leadership level. This entails

managing risk across the institution. Therefore, implementing ERM is a

broad organizational change initiative.

As a result, this book is useful for senior leadership and risk

management practitioners who are seeking evidence-based guidance on how

to implement ERM in their organization. This book addresses the interests of

senior leadership by providing answers as to why organizations implement

ERM, and the benefits and pitfalls of implementing an ERM program. This

book also demonstrates how ERM adoption and implementation—and risk

management practices more generally—can be enhanced through the

application of theories from management science on change management,

decision making, and organizational learning.



Part 1: Understanding Organizational Risk and Risk Management


At its core, adopting and implementing ERM is simply a management

process for how an organization identifies and manages risks that threaten

achieving its mission and business objectives. As such, it entails utilizing sound

management practices one would use when implementing a management

process in an organization. However, ERM does have distinct elements that

practitioners should be aware of when implementing an ERM strategy.

Hence, in order to understand how and why ERM may be a good choice for

the complex organization, we must first unpack in more detail three key

concepts or focus areas that underpin this book: organizational risk,

traditional risk management, and ERM. These concepts occur in modern

organizational environments that can entail a wide range of structures that

may change over time. In addition, such environments often include varying

cultural and individual elements such as the culture specific to a nation,

organization, or department, or may relate to certain professional disciplines

(e.g., teacher, police officer, doctor, accountant, and lawyer). In Part 1, I

describe these three concepts in detail, in order to establish an essential

set of knowledge before discussing management theory and practice further

in Part 2.



Chapter 1: Organizational Risk

Prior to examining the ERM implementation process, it is necessary to

examine why risk presents challenges for complex organizations that

necessitate implementing an ERM strategy.

In this chapter, I discuss how the concept of risk has evolved into a critical

management function requiring senior leadership attention. I situate risk

within the context of the unpredictable, dynamic, and complex business

environments in which organizations operate, and how this influences an

organization’s decision to implement ERM.



Defining Risk

Definitions of risk associated with organizations operating in the

modern business environment utilize several unique concepts. For example,

Williams, Zainuba, and Jackson (2008) view risk as complex and

multidimensional. The authors added that risk is unavoidable, and defined

risk from a decision-maker’s perspective as

an assessment of whether an unfavorable outcome might occur

(possibility of loss), an assessment of the range of possible unfavorable

outcomes (probabilities of such loss), and an assessment of the extent to

which possible unfavorable outcomes can be managed or controlled

(exposure to hazard or danger). (Williams et al., 2008, pp. 59–60)

A more precise definition of risk is “the uncertainty about outcomes that can

be either negative or positive,” where risk management is defined as “the

process of making and implementing decisions that will minimize the adverse

effects of accidental losses to an organization” (Baranoff, Harrington, &

Niehaus, 2005, pp. 1.4–1.5).

Woon, Azizan, and Samad (2011) proposed three categories of risks

that affect an organization’s financial performance: (a) tactical risk, which

involves the uncertainty of expected earnings; (b) strategic risk, which entails

the uncertainty of performance outcomes; and (c) normative risk, which

addresses the risk penalty a firm pays for not conducting business within the



accepted norms of the industry and society. Similarly, Kaplan and Mikes

(2012) proposed a three-category system for classifying organizational risks.

First, preventable risks are internal to the organization and arise in the course

of business (e.g., safety hazards and improper employee actions). Preventable

risks lack strategic benefit but must be actively managed due to the negative

impact they can have on the organization. Second, strategic risks are risks a

company voluntarily takes in order to generate desired economic returns.

Strategic risks are not inherently undesirable but require different strategies to

manage than those used to manage preventable risks. Last, external risks

surface from outside the organization and are beyond the control of the

organization. An organization must develop a process to identify potential

external risks and prepare contingency plans to manage them if they occur.

These two methodologies for categorizing risks illustrate that not all risks are

created equal. Hence, complex organizations need to consider the type of risk

when establishing risk assessment strategies and tolerance levels.



Dimensions of Risk

Brinkmann (2013) identified the following six dimensions of risk:

measurability, attributability, manageability, insurability, voluntariness, and

moral responsibility. Measurability is the quantifiable dimension of risk.

Attributability involves whether the risk can be ascribed to organizational

decisions. Manageability concerns actions that can prevent or eliminate the

risk. Insurability is whether the risk can be insured. Voluntariness deals with

whether a risk is chosen using free will and with sufficient knowledge to

make an informed decision. Finally, moral responsibility involves whether

risk is taken with the informed consent of all parties involved in the decision.

Each of Brinkmann’s dimensions suggests a certain level of understanding

and control an organization has over the risks it faces. However, it is

questionable to what extent the complex types of risks modern organizations

face are measurable and are under the control of the organization. Moreover,

complex organizations need to determine the appropriate decision

maker(s) for a risk, whether affected people are informed about the risk, and

if the financial liability for the risk can be controlled through insurance or

other risk transfer mechanisms (e.g., through hold-harmless agreements or

contracting out the risk exposure).

Risk management processes tend to focus on analyzing risks from an

event perspective to determine cause and effect relationships. However, risk



is a complex phenomenon, and as Grabowski and Roberts (1997) showed,

implementing a risk mitigation system in large organizational settings is

difficult. The authors argued that such challenges are related to four

characteristics of large systems: (a) simultaneous autonomy and

interdependence, (b) intended and unintended consequences, (c) long

incubation periods that allow problems to develop, and (d) risk migration. As

large systems, complex organizations are likely to encounter these challenges

during ERM implementation.

Boisot and McKelvey (2010) used Ashby’s law of requisite variety

to explain complexity in organizational settings. According to Ashby’s law,

“only variety can destroy variety” (p. 421). As such, for an organism or social

entity to be adaptive, it must be able to match the variety of external stimuli

imposed on it. Consequently, the authors proposed that for an organization to

be adaptive, it must have a variety of responses available that match the

variety of external constraints or threats imposed on the organization.

Moreover, when the external variety exceeds the capacity of the organization,

adaptive tension develops that seeks to fill the gap between the system’s

capability and external demands so the system can survive. Consequently,

Boisot and McKelvey’s (2010) separation of complexity into three regions

(chaotic, complex, and ordered) helps explain why certain types of risks can

be understood and controlled by the organization, where other risks are more



difficult to recognize and comprehend. The chaotic region is typified by

stimuli that have no discernible regularities, while the complex region—

where most challenges fall—presents some regularity, though it may be

difficult to discern. The ordered region involves stimuli that, in theory, can be

planned for and controlled.

For example, Andersen (2010) suggested strategic risks can involve

significant exposure to organizations due to their high level of uncertainty.

Thus, strategic risks often lack easily discernible regularities yet present

significant risk to the organization. Hence, strategic risks share the

characteristics of the chaotic or complex regions depicted by Boisot and

McKelvey (2010). Despite this high exposure level, Andersen (2010)

suggested that most risk management approaches tend to focus only on

recognized exposures, and are ill-equipped to handle complex risks

associated with high levels of uncertainty. This is a particularly salient

challenge for ERM since ERM aspires to look at a broad range of

organizational risks, including those at the strategic level. However,

methodologies for evaluating risks are often based on assessing risks that are

more easily identified, measured, and controlled. Examples include risks such

as safety hazards or failing to meet regulatory requirements.

Uncertainty and ambiguity can add to the complexity of identifying and

understanding an organization’s risk exposure. Scott (1992) identified five



dimensions of uncertainty. First, the degree of homogeneity/heterogeneity

involves the level of diversity of customers and stakeholders an organization

must manage. Second, the degree of stability/variability is the extent to which an

organization experiences change. Third, the degree of threat/security

concerns how vulnerable an organization is to its environment. Fourth, the

degree of interconnectedness/isolation involves how dependent an

organization is on other organizations or agencies. Last, the degree of

coordination/noncoordination is the extent to which an organization deals

with external groups whose actions are coordinated. Due to the diverse set of

customers and stakeholders complex organizations regularly interact with and

the increasing complexity of the environment in which they operate, the

context within which organizations must identify, evaluate, and act on risks

also contains a high level of uncertainty. Indeed, Power (2007) stated that

“when uncertainty is organized, it becomes a risk to be managed” (p. 6).

The concept of risk is further complicated since leadership involves

taking risks and leading organizations through areas where success is not

guaranteed (Brinkmann, 2013). March and Shapira (1987) added that leaders

often define risk differently than the theoretical literature, and that even two

individuals can see the same risk differently. The authors explained that

leaders see risk as something they can control, and risk-taking as part of their

job and identity as leaders. The authors also found that leaders place more



weight on the potential positive outcomes of an activity over negative results.

Furthermore, leaders do not see risk as simply a statistical or probability

concept, or see value in reducing risk to a single quantifiable measure.

Risk also has social dimensions when situated within the context of

an organizational environment. Indeed, Power (2007) suggested risk has

“acquired social, political, and organizational significance as never before”

(p. 3). Weick (1995) proposed that organizations are networks of people

socially interacting through the use of shared meanings and language, and

that internal constructions of knowledge are developed in the presence or

perceived presence of others. Schein concluded that a social reality consists

of the items that groups form consensus around, such as how humans relate

to their environment, distribute power, form group boundaries, develop

ideology, and share cultural elements. More specific to risk, Argyris (1980)

suggested that the inability of organizations to discuss threatening or risky

issues is caused by how people are acculturated and socialized (i.e., their

values, skills, and action strategies for dealing with challenging issues).

Argyris continued that these social elements can inhibit attempts by the

organization to encourage employees to disclose information on actions such

as unethical behavior or hazardous working conditions. Consequently,

organizations must manage a diverse set of risks that require different means

to assess and control. Moreover, individual backgrounds and perceptions on



risks and the organizational environment influence how an organization

evaluates and responds to risk.



Risk and Opportunity

Enterprise risk management implies that effectively managing risk can

result in improving an organization’s ability to recognize and capitalize on

opportunity. Arnold, Benford, Canada, and Sutton (2011) conceived of ERM

as having either a defensive focus on risk control and avoidance or an

offensive focus that looks at the upside of risk in order to identify

opportunities the organization can exploit. Arnold, Benford, Hampton, and

Sutton (2012) made a similar argument that as ERM programs mature, they

increase their ability to manage risks and opportunity. Indeed, Power (2007)

argued that organizations that are more effective at aligning their business

strategy with organizational governance, regulatory compliance, and

enterprise goals will be better positioned to realize opportunities that emerge.

Hence, it is logical to conclude that an organization’s leadership would be

more likely to implement ERM if the program also enhances the

organization’s ability to identify and act on opportunities.

Brunswicker and Hutschek (2010) predicted that firms that use

active processes for identifying opportunities from external and distant

sources will be more successful at finding potentially exploitable

opportunities. Similarly, Baron and Ensley (2006) defined opportunity

recognition as “the process through which ideas for potentially profitable new

business ventures are identified by specific persons” (p. 1331). Riquelme



(2013) identified three factors that influence a person’s ability to recognize

opportunities: cognitive frameworks, self-efficacy, and social networks. The

decision on whether to exploit an opportunity is dependent on attitudes

toward the opportunity (favorable or unfavorable view of the opportunity),

subjective norms (peer pressure on whether or not to act on the opportunity),

and perceived behavioral control (perceived ease or difficulty of exploiting the

opportunity successfully). Opportunities that are favorably perceived in these

areas are more likely to be acted on than those that are viewed less favorably

in one or more of these dimensions (De Jong, 2013). As such, the ability to

identify opportunities is influenced by individual and social dynamics similar

to those associated with identifying risks. Moreover, assessing whether the

organization should act on the opportunity should also include evaluating the

risks associated with the opportunity. Hence, organizations can integrate risk

identification and assessment processes with opportunity identification

processes so that each complements and strengthens the other.

In sum, risk is a complex phenomenon that has multiple dimensions. As

such, a one-size-fits-all strategy for evaluating and managing risks is unlikely

to be successful. Consequently, the complexity and multiple dimensions of

risks warrant managing risks using a holistic approach as offered by ERM.

Moreover, an organization’s capability to identify and control risks

effectively is linked with its ability to capitalize on opportunities.



Chapter 2: Traditional Risk Management

Now that we have an understanding of organizational risk more

generally, we can look at the different types of risk management that

ultimately may lead an organization to adopt an ERM program. In this

chapter, I review the concept of traditional risk management, which serves as

a basis to then understand the ERM framework presented in the following


Traditional risk management is defined as “the process of making

and implementing decisions that will minimize the adverse effects of

accidental losses on an organization” (Baranoff et al., 2005, p. 1.5). This

approach to risk management aims to identify potential loss exposures and

examine the feasibility of various strategies to limit these exposures

(Baranoff et al., 2005). Strategies utilized to manage risks fall into two

categories: risk control and risk finance. According to Baranoff et al. (2005),

there are six core risk control techniques: “avoidance, loss prevention, loss

reduction, separation, duplication, and diversification” (p. 2.19). As the name

implies, avoidance simply means the organization does not take on an

activity that exposes it to certain risks. Loss prevention and reduction involve

actions to reduce the frequency and severity of losses from risks. Separation

entails splitting up assets so they are not all exposed to the same risk.

Duplication involves the use of redundant systems to prevent the shutdown of



an operation or process. Finally, diversification spreads risk exposures over a

range of operations, markets, or geographic regions. Risk finance techniques,

in turn, are either transfer methods, such as insurance, hold-harmless

agreements, and hedging, or retention, such as the self-funding of

losses (Baranoff et al., 2005).

Traditional risk management techniques fail to address the full range

of risk exposures a complex organization may face. Arena, Arnaboldi, and

Azzone (2011) argued that a limit of traditional risk management is its

tendency to manage risk categories separately. Traditional risk management

functions have often been located in the accounting, financial, compliance,

and internal auditor areas of organizations (Blaskovich & Taylor, 2011).

Moreover, March and Shapira (1987) contended that theories on managerial

perspectives of risk, such as classical decision theory, oversimplify human

behavior and thus do not accurately explain how managers perceive risk.

Brinkmann (2013) suggested that the complexity of modern risk combined

with increased pressure to hold organizations accountable for their actions

can lead to managers focusing on providing a defendable justification for

their decisions concerning risk at the expense of using sound professional

judgment. Accordingly, Brinkmann (2013) posited the need for “intelligent

risk management” based on the following tenets: (a) control systems that are

not allowed to overburden managerial attention and innovation, (b) higher



tolerance levels for disorganization and ambiguity in the risk management

process, and (c) internal control systems that focus on generating usable

knowledge and that are always challengeable. Enterprise risk management

frameworks such as the one offered by COSO begin to address the three

dimensions of intelligent risk management; however, they require more

insight on how to manage risks without stifling innovation, how to assess

risks with high levels of ambiguity, and how to create actionable knowledge

through the risk management process.

In sum, modern organizations face a wide range of complex risks that

challenge their ability to meet mission-critical objectives. In addition,

managing risk is more complicated in large institutions composed of multiple

subunits that operate in a global, changing economy (Grabowski & Roberts,

1997). Within the complex institution, the failure to manage risks properly

can lead to events that challenge an organization’s ability to meet critical

objectives and jeopardize its survival. As McShane et al. (2011) stated,

“Managing risks has become a critical function for CEOs as organizational

environments become increasingly turbulent and complex” (p. 653). A survey

by North Carolina State University and Protiviti (2015) identified the top

risks executives perceive their organizations face as regulatory changes,

economic conditions that restrict growth, attracting and retaining talent, inability

to identify risks, cyber threats, managing unexpected crises, sustaining

customer loyalty, resistance to change that restricts the ability to adjust business

models, and not meeting performance expectations. Consequently, in light of

these issues, traditional approaches to risk management should be replaced by

methods that position risk management as part of an organization’s

governance process, allowing for a more holistic view of the organization’s

risk exposure. Enterprise risk management is such a strategy.



Chapter 3: Frameworks for ERM

There are several existing frameworks for ERM, including the

Casualty Actuarial Society ERM framework, the COSO ERM integrated

framework, the International Organization for Standardization (ISO) 31000

risk management framework and process, the Australian and New Zealand

standard for risk management, and the Federation of European Risk

Management Associations’ risk management standard (Andersen, 2010;

Kimbrough & Componation, 2009). These frameworks share similar risk

management steps and highlight how ERM influences a broad range of

activities and organizational levels (Kimbrough & Componation, 2009).

Moreover, these frameworks portray ERM as a top-down driven risk

management approach (Andersen, 2010). In this chapter, I present the COSO

ERM integrated framework, which provides a basis for the discussion

throughout this book, since it is the most prevalent model referenced in the


In 1985, COSO was established to address the increased incidence of

fraudulent financial reporting. This initially resulted in COSO developing

frameworks to improve financial reporting and compliance, followed by the

publication of the ERM integrated framework in 2004, which is referenced

by several U.S. and international standard-setting bodies (Landsittel &

Rittenberg, 2010). The committee is composed of five sponsoring



organizations: the American Accounting Association, the American Institute

of Certified Public Accountants, Financial Executives International, the

Institute of Internal Auditors, and the Institute of Management Accountants.

Its mission is “to provide thought leadership through the development of

comprehensive frameworks and guidance on enterprise risk management,

internal control, and fraud deterrence designed to improve organizational

performance and governance and to reduce the extent of fraud in

organizations” (Landsittel & Rittenberg, 2010, p. 457). The committee’s

composition and mission are especially important as they reveal the

professional background of the framework’s developers and, subsequently,

the challenges organizations may have implementing a framework that relies

heavily on internal controls and top-down management strategies.

According to COSO (2004), enterprise risk management is a process,

affected by an entity’s board of directors, management and other personnel,

applied in strategy setting across the enterprise, designed to identify potential

events that may affect the entity, and manage risk to be within its risk

appetite, to provide reasonable assurance regarding the achievement of entity

objectives (p. 4).

This definition outlines the following six key elements of ERM: (a)

led by senior management, (b) integrated throughout the organization, (c)

considers risk from a strategic perspective, (d) provides reasonable assurance



of meeting an organization’s goals, (e) identifies risks that affect the

organization, and (f) manages risk based on the organization’s risk appetite

and tolerance level. In addition, COSO proposed four critical areas for

establishing risk management objectives: (a) strategic objectives, which

involve high-level goals and the mission of the organization; (b) operations

objectives, which outline the efficient use of organizational resources; (c)

objectives to meet an organization’s reporting requirements; and (d)

regulatory compliance objectives. According to COSO (2004), organizations

need to set objectives for managing risk at each organizational level to

include the entity, divisional, business unit, and subsidiary levels of the


The COSO (2004) ERM framework is composed of eight

interrelated components. These include: (a) the internal environment, such as

the organization’s risk management philosophy, ethical values, and the

operating environment; (b) objectives that align with the organization’s

tolerance for risk; (c) the identification of internal and external events that

present risks to the organization; (d) the assessment of events to determine

the likelihood and impact risks may have on the organization; (e) the

selection of responses to control risks, such as avoiding, accepting, reducing,

or sharing the risk; (f) the establishment of control activities, such as policies

and procedures to help ensure risks are adequately addressed; (g) the



adoption of mechanisms to communicate and capture information on risks;

and (h) the implementation of processes to assess and monitor the state of the

ERM program continually. Figure 2 illustrates the basic logic of the COSO

framework. Here, risk objectives are set in their respective domains for each

level of the organization, and realized through the application of the eight

interrelated components. Although portrayed in the illustration as a linear

operation, the process is, in practice, more iterative with activities co-

occurring across each area.



In sum, the COSO framework reflects practices found in mechanistic

organizational settings typified by management practices that focus on

control and top-down decision making. Mikes (2009) described this

framework as advocating for ERM as a “strategic management control

system” (p. 20). Consequently, the framework provides limited information

on managing risks in global, multiorganizational, large-scale systems with



diverse management processes led by a wide variety of people (Grabowski &

Roberts, 1997). Formal approaches to risk management such as these may

lead to a focus on identifiable and quantifiable risks instead of the strategic

risks that have more uncertainty (Andersen, 2010). Indeed, Fraser,

Schoening-Thiessen, and Simkins (2008) found that executives expressed

concern over the lack of information on integrating ERM across their

organizations, and viewed the framework as impractical to implement.

In addition, ERM is a relatively new practice. The first evidence of

such activity occurred in 1998, with the first academic study on ERM

published in 1999 by Colquitt, Hoyt, and Lee. In this initial study, Colquitt et

al. investigated the role risk managers have in nonoperational risks and the

techniques they use to control these risks. Subsequently, the majority of

research on ERM has been published in peer-reviewed insurance and

accounting journals (Iyer, Rogers, & Simkins, 2010), and tends to favor

quantitative approaches to risk analysis and the use of management control

systems. Landsittel and Rittenberg (2010) have argued that ERM research

needs to go deeper than simple assessments of current best practices. Iyer et

al. (2010) further stated that ERM research lacks a natural “disciplinary

home” and, as such, is a topic that can be studied from a variety of

management theory perspectives (p. 420). As such, in Part 2, I explore how

concepts from the management sciences in areas such as change



management, decision making, and organizational learning can advance

understanding on ERM from both practical and theoretical perspectives.



Part 2: Management Science and ERM: From Theory

to Practice

In Part 1, I discussed the key concepts of organizational risk, traditional

risk management, and the COSO ERM framework. One of the key findings

from my research is that knowledge on ERM implementation has been

disconnected from management concepts, despite its clear connection to

senior leadership and management strategy. This is true both of research on

ERM as well as in how it is practically implemented in organizations.

Therefore, in order to provide a comprehensive understanding of ERM, in

Part 2, I review concepts in management science theory that may enhance

ERM implementation within complex organizations (see Figure 3). In the

chapters that follow, I focus on three main areas: organizational change,

decision making, and organizational learning. For each area, I first explain

aspects of the theories more generally, followed by how that area connects to

the COSO ERM framework.







Chapter 4: Organizational Change I – Institutional

Theory, Legitimacy Theory, and Organizational


Concepts relating to institutional theory, legitimacy theory, and

organizational culture can be used to analyze how external and internal

factors in an organization’s environment influence the decision to adopt ERM

and the implementation process. In this chapter, I unpack these models to

provide a context to understand change management more generally.



Institutional Theory

Institutional theory speaks to how external pressures from

governmental agencies, laws and regulations, stakeholders, professional

norms, and the public influence an organization (Wicks, 2001). Scott (2014)

explained that “institutions comprise regulative, normative, and cultural

cognitive elements that, together with associated activities and resources,

provide stability and meaning to social life” (p. 56). Moreover, he proposed

that each element operates through distinct mechanisms and forms the “three

pillars of institutional theory,” which are: (a) regulative, which focuses on

expedience, coercive mechanisms, and regulative rules; (b) normative, which

relies on social obligation, normative mechanisms, and binding expectations;

and (c) culture-cognitive, which values shared understanding, mimetic

mechanisms, and cultural influences. These elements help to provide

institutions with the meaning and stability that create organizational

structures and guide behavior.

However, each pillar rests on distinct underlying assumptions and mechanisms

that can be used as analytical elements for understanding institutions.



Consequently, institutional theory is used to analyze how an organization’s

history, culture, and operating environment shape the decision to adopt ERM

and influence the type of program implemented.



Legitimacy Theory

Suchman (1995) defined legitimacy as “a generalized perception or

assumption that the actions of an entity are desirable, proper, or appropriate

within some socially constructed system of norms, values, beliefs, and

definitions” (p. 574). Suchman (1995) also asserted that there are three broad

types of organizational legitimacy: pragmatic, moral, and cognitive.

Pragmatic legitimacy relates to whether the activity is perceived as beneficial

to the organization and its stakeholders. Thomas and Lamm (2012) stated that

such perceived benefits may include items such as better use of resources,

reduced risk and legal liability, and improved reputation; items similar to

those benefits touted by ERM proponents. Secondly, Suchman (1995) argued

that legitimacy has a moral dimension that involves whether an

organization’s actions and image are consistent with socially accepted norms.

This moral legitimacy includes beliefs stakeholders share about an activity’s

value in advancing the interests of society. However, Suchman (1995)

cautioned that resistance and organizational politics can significantly affect

moral legitimacy. Lastly, cognitive legitimacy involves how easily an activity

is comprehended and how consistent it is with existing organizational culture

and belief systems. Here, people assess whether the activity will make their

job easier or more difficult (Thomas & Lamm, 2012).

Protecting and enhancing the organization’s identity can also have



positive effects on the overall perceptions members have of the organization.

For example, people develop their personal identities in part through their

perception of how others view the organization where they work (Weick,

1995). Indeed, Ravasi and Schultz (2006) found that how people perceive

identity threats to an organization is influenced by how they believe the

organization is perceived externally and their assumptions about the

distinctive behavioral patterns of the organization. The authors also found

that organizational responses to identity threats can be limited by the need to

reconcile responses with external changes. Moreover, the organization’s

culture provides the context for the sensemaking process the organization

undergoes as it seeks to understand, reevaluate, and redefine the organization

in response to the identity threat.

Within the context of complex organizations, the reasons

organizations adopt a new business practice such as ERM can vary. For

example, Gioia and Thomas (1996) found measures like profit and return are

not as relevant to higher education leadership. Instead, items such as prestige

and ranking are critical, making an institution’s image a critical strategic

issue. According to the authors, leadership issues can be separated into two

categories: strategic and political. Strategic issues are items associated with

creating the desired future state, while political issues involve the status quo

and managing competing interests. The authors found that image and identity



powerfully influence how leaders in organizations interpret the critical issues

they confront and that strategy and information processing are critical to how

leaders interpret these issues. Consequently, the literature suggests that

organizational leadership will be moved to adopt ERM when leadership sees

linkage between adopting ERM and protecting and enhancing the

institution’s reputation. Legitimacy theory thus addresses the issue of why a

certain course of action is accepted by an organization and hence helps

explain the factors that influence whether members of the organization accept

an initiative such as ERM (Suchman, 1995). Therefore, legitimacy theory is

used to explain the logic for why leadership at a complex organization may

select an ERM strategy and factors that affect employee perceptions on the

validity of the program.




Organizational Culture

Mintzberg and Westley (1992) posited that changing an organization’s

culture involves shifting the collective mindset of the organization. On the

other hand, Schein (2010) proposed that culture is formed as organizations

solve problems of external adaptation and internal integration, such as an

organization’s mission, strategy, goals, and methods to measure progress.

Internal integration problems include creating a common language and

defining group boundaries, power distribution, and behavioral norms. Schein

(2010) added that an organization’s overall culture is influenced by national

and ethnic identities, cultures from other organizations with which the

organization interacts, cultures associated with different occupations, and

microcultures that develop in cross-functional organizational groups. He

found that these cultural forces are powerful and significantly affect the

actions of the organization. Schein (2010) also argued that an organization’s

culture is, in part, a “learned defense mechanism to avoid uncertainty,” which

can cause the organization to fail to address uncertainty proactively (p. 277).

Lastly, Schein stated that a concern for an organization’s culture is an issue

unique to leadership and one that differentiates leadership from general

management and administration. Based on Schein’s broader definition of

organizational culture, Cooper, Faseruk, and Kahn (2013) defined risk culture




a pattern of basic assumptions that the group learned as it identified,

evaluated, and managed its internal and external risks that has worked

well enough to be considered valid, and therefore to be taught to new

members as the correct way to perceive, think, and feel in relation to

those risks. (p. 65)

As Cooper et al.’s definition of risk culture shows, developing a risk culture at

a complex organization entails building the organization’s understanding of

how it identifies, understands, and manages risks. Therefore, leadership plays

a critical role in ERM programs that aspire to change the culture surrounding

how the institution understands and responds to risks.

As further discussed in relation to decision making, Osland and Bird

(2000) utilized the concept of sensemaking to help explain how people

understand different cultures. In particular, they explored cultural paradoxes

where situations cause different and contradictory responses. The authors

stressed the need for context to understand actions and responses in a cultural

setting. They further determined that cultural values and histories influence

the schema people select in a situation. They defined a schema as “a pattern

of social interaction that is characteristic of a particular cultural group” (p.

71). Indeed, Schein (1993) warned that complex business and societal

problems are often caused by cultural misunderstandings. These issues can be

amplified in complex organizational settings with multiple cultural elements.



Therefore, understanding how diverse cultural units and associated views on

risk affect ERM implementation is critical, worthy of deeper exploration, and

directly related to the internal environment COSO speaks to in its ERM


For example, at universities and colleges, Birnbaum (1988) noted

the cultural divide between faculty and administrators, where faculty viewed

administrators as imposing red tape and constraints on their work, and

administrators viewed faculty as unconcerned with costs and reasonable

appeals for accountability. To address the different priorities between faculty

and administrators, Birnbaum suggested that higher education institutions (HEIs) have two distinct control

structures: one for administrative decisions and another for faculty. Birnbaum

(1988) also explained there are four basic models for how HEIs function:

collegial, bureaucratic, political, and anarchical. As the name implies,

collegial institutions value shared power and consensus with leadership that

seeks input on decisions, and where responsibility is collectively shared.

However, Birnbaum noted that collegial institutions only work for relatively

small organizational settings. In contrast, a bureaucratic institution is

common to colleges in which large-scale administrative functions are

organized to reduce uncertainty and improve performance. In this setting,

people can be more easily replaced and are not as critical to the overall

performance of the institution (e.g., in community colleges where faculty



only teach part-time). On the other hand, faculty members at political

institutions are deeply connected to the organization and are often part of a

wide array of specialized subunits. Consequently, such an organization is too

complex for a bureaucratic structure and thus relies on decentralized decision

making with diffused power. This results in constant competition among

subunits for resources and influence on the direction of the organization.

Lastly, anarchical institutions are characterized by having several schools or

units that appear to operate independently from the overall organization.

Anarchical institutions often have vague goals, ambiguous understandings of

how inputs are converted to outputs, and unclear decision-making processes.

Consequently, from a broad perspective, there are unique cultures at

universities and colleges that require adapting the ERM process so it is

compatible with the existing culture and management style at the institution.



Chapter 5: Organizational Change II – Change


Theories on change management can be used to analyze how to

implement a broad organizational initiative such as ERM. Therefore, in this

chapter, I explain change management and models for change management

within the context of the complex organization. Change requires leaders to

manage the interests of diverse and vast groups of stakeholders (Jongbloed,

Enders, & Salerno, 2008). According to Kezar and Eckel (2002), strategies

for transformational change at complex organizations include leadership

support, collaboration, well-designed programs, staff development, and

observable action. The authors found that these strategies are effective

because they provide opportunities for key stakeholders to help create

direction and priorities for change, clarify roles, and understand what change

means for them. The authors pointed out that the real value of such strategies

is their ability to generate organizational sensemaking.

Gioia and Chittipeddi (1991) studied a major change initiative at a large

public university. The authors defined change as an effort to alter how an

organization thinks and acts, and strategic change as organizational change

that seeks to capitalize on critical opportunities and respond to potential

threats. The authors concluded that change requires organizational members

to make sense of the organization’s internal and external environment, and to



understand change in relation to their existing cognitive interpretation of what

the change initiative means for them. Gioia, Thomas, Clark, and Chittipeddi

(1994) also conducted research on strategic change. They found that task

forces that are charged with implementing change go through four stages.

First, people interpret who they are, their responsibilities for the change

initiative, and what external forces influence their ability to act. Next,

members of the task force define their role in the change initiative and

determine the methods for implementing the initiative. The group then moves

to the legitimation stage, which focuses on how to enhance the organization’s

perception of the group as legitimate agents for the change initiative. Last, the

task force works to increase its influence in an effort to institutionalize

change so it has a lasting impact on the organization. Hence, complex

organizations that choose to use a team for ERM implementation should

select members who can be effective at guiding the program through the

strategic change process.

Woon et al. (2011) posited that ERM is a change management initiative

that requires a significant shift in an organization’s mindset about managing

risk. However, Schein (2010) cautioned that leaders must first understand the

general process for organizational change before attempting to change the

culture of an organization. In keeping with these findings, the literature on

change management has identified key elements of the organizational change



process. For example, Cinite, Duxbury, and Higgins (2009) identified factors that indicate

whether an organization is ready for change (e.g., senior management’s

commitment, competent change agents, and immediate managers’ support).

According to the authors, employees desire competent change champions that

consider options prior to implementing change, a senior management team

that is decisive about an organization’s strategies and goals for change, and

leadership that is committed to the success of the change initiative. In

addition, employees desire managers that encourage participation in change,

share information, and acknowledge the impact of change on people. Cinite et al.

(2009) also found that factors indicative of a lack of

readiness for change include poor communication of the reasons for and

benefits of the change initiative, increased workloads, and workloads that do

not allow employees to participate in the change initiative.



Change Management Models

Organizational change is defined by Van de Ven and Poole (1995)

as “a difference in form, quality, or state over time in an organizational

entity” (p. 512). Kurt Lewin, a social scientist who studied how to resolve

social conflict, shaped understanding of organizational change through his

development of a three-step model for change based on unfreezing existing

behaviors, moving (learning) new behaviors, and refreezing new behaviors

by making them congruent with the environment (Burnes, 2004). Schein

(2010) further elaborated on Lewin’s work by proposing a conceptual model

for managed cultural change. Consistent with Lewin’s theory on change,

Schein (2010) proposed that change consists of three stages: unfreezing,

changing, and refreezing. The unfreezing stage entails creating the motivation

to change by using information to challenge existing beliefs. This is paired

with the creation of survival anxiety to motivate change, and psychological

safety to overcome learning anxiety. The changing stage takes place by

learning new concepts, meanings, and standards for judgment. This stage is

aided by providing role models with whom people can identify and fostering

opportunities to pursue new solutions and for trial-and-error learning. The

refreezing stage involves internalizing these new concepts, meanings, and

standards, and incorporating them into self-conception and identity, and

ongoing relationships. Such organizational change models were used to



examine how the type and stage of the change management process

influences ERM implementation. Orlikowski and Hofman (1997) added that

organizational change is a dynamic ongoing process involving multiple

stages of change interacting in an iterative manner. The authors referred to

this as the improvisational model for managed change that “recognizes that

change is typically an ongoing process made up of opportunities and

challenges that are not necessarily predictable at the start” (p. 13). Theoretical

work on change management provides a means to clarify the process of

implementing an organizational-wide initiative such as ERM and the

challenges likely to be encountered in such an endeavor.

Mintzberg and Westley (1992) explained how organizational change occurs at different levels in an organization. In this model, the highest level of change occurs in an organization’s culture and vision, followed by changes in structure and positions, systems and programs, and people and facilities. Mintzberg and Westley (1992) argued that changing an organization’s culture and vision must include change at the lower levels. Similarly, Schein (2010) stated that embedding mechanisms for cultural change fall into two categories. The first category entails primary embedding mechanisms such as what leadership pays attention to, measures and controls, how leaders react to critical events or crises, how resources and rewards are allocated, intentional role modeling and coaching, and how people are recruited, selected, and promoted. Schein referred to the other category as secondary articulation and reinforcement mechanisms that include items such as organizational structure and procedures, rituals, building design and layout, stories regarding important organizational events, and formal statements and creeds.

Orlikowski and Hofman (1997) proposed that change is an ongoing process that involves three different types of change that build on each other in an iterative manner: anticipated, emergent, and opportunity-based. Anticipated change is planned for and happens as designed, while emergent change occurs suddenly, was not intended, and is generated by local innovation. Opportunity-based change is not planned but implemented in response to opportunities that arise while the change initiative is being implemented. The authors noted that this type of change requires flexibility and that management’s role should be focused on guiding change, not controlling it. Furthermore, employees responsible for change must be provided the responsibility, resources, and ability to influence the change




Chapter 6: Organizational Change III – Organizational Control and Resilience

Various ERM frameworks propose implementing organizational control mechanisms to manage risks. Therefore, understanding organizational control and resilience—the concepts featured in this chapter—is important to understanding organizational change more broadly. Simon (1994) defined organizational control systems as the recognized information-driven routines and practices used to sustain or change organizational activities. He specified four types of organizational control systems: (a) belief systems, which top management uses to communicate direction and purpose; (b) boundary systems, which set limits for the organization and its members; (c) diagnostic control systems, which generate feedback for monitoring outcomes; and (d) interactive control systems, which top managers use to inject themselves into the decision-making process of subordinates. Simon (1994) found that new managers use control systems to overcome organizational complacency, communicate new agendas, establish implementation objectives and timelines, focus attention through incentives, and concentrate organizational learning on addressing the uncertainty of the new direction. Consequently, control systems—when used effectively—can be powerful tools for communicating organizational goals and boundaries, and can assist in creating commitment and shared beliefs for organizational activities.



Weick (1995) outlined three levels of control in an organization: (a) first-order control, which entails direct supervision; (b) second-order control, which involves programs and routine activities; and (c) third-order control, which is based on assumptions that are taken for granted by organization members. Weick (1995) explained that first- and second-order controls require that the work is understood by the organization and affected employees and is subdividable in order for controls, rules, and standardized procedures to work effectively. Weick (1995) also specified that third-order controls are more important at the top of organizations where nonroutine work is common. However, third-order controls are highly influenced by personal and cultural biases that can result in defensive and self-justifying behavior. Therefore, challenges may arise with using control systems in organizations. For example, faculty members with significant freedom to conduct non-routine research activities may oppose imposing controls on them. Hence, complex organizations may encounter resistance implementing first- or second-order control systems for non-routine research while the application of third-order controls may be hindered due to the personal preferences of faculty.



Organizational Resilience

Despite efforts to address risk, organizations need to have the capacity to respond to crises that develop from the residual and inherent risks of conducting business. For example, Williams et al. (2008) noted that risk is unavoidable and exists only when uncertainty exists about a positive outcome. Similarly, Roberts and Bea (2001) pointed out that any complex and interdependent system will eventually fail, and thus organizations must plan for such occasions. However, this does not mean organizations should not take proactive steps to prevent these breakdowns. Therefore, organizational resilience is used to explain how complex organizations can prepare for the adverse events that affect the institution. Resilient organizations actively try to understand what they do not know, and communicate the larger picture of the organization’s mission and employees’ roles in fulfilling that mission (Roberts & Bea, 2001). In addition, resilient organizations utilize multiple and diverse decision-making methods and focus on developing shared mental models to mitigate risk (Grabowski & Roberts, 1997).

Weick (2011) proposed that resilient organizations expect interruptions to operations, take steps to identify the impacts of failure, and create early warning signs that indicate potential failure points. Roberts and Bea (2001) found that critical characteristics of high-reliability organizations include aggressively trying to know what they do not know, utilizing a balanced reward and incentive plan that looks at costs from a long-term perspective, and ensuring everyone understands the big picture and their role in realizing this vision. Therefore, organizations need to plan for organizational crises that may occur due to residual risk; that is, the risk that remains after risk response actions have been implemented as part of the ERM program.

In another study, Bigley and Roberts (2001) examined the Incident Command System used at a large California fire department to determine what attributes of the system could be applied to organizations facing complex and ambiguous situations. The Incident Command System is a management system agencies use to respond to emergencies. It is both highly structured and flexible. Based on their findings, the authors proposed that organizations that face potential situations that require a reliable and error-free response develop a temporary system to manage these situations. This system should be based on the following: preplanned design structures and response guidelines, methods to develop and maintain mental models during the response, discouragement of uncoordinated or ad lib responses, training and development programs, and after-action reviews. Such a program should be developed in a manner that integrates resources across the entity. Consequently, ERM can help an organization’s planning process for emergencies by capturing and sharing critical information on the risks the institution faces. Incorporation of such information into the organization’s emergency training and exercise initiatives can aid in facilitating organizational learning on both the risks the organization faces and its emergency response process and capabilities.

Moreover, resilient organizations provide a roadmap of a culture that captures the essence of organizations that effectively manage risk. For example, Weick and Sutcliffe (2007) propose that resilient organizations have five characteristics. First, they have a preoccupation with failure. Resilient organizations encourage reporting errors and use failures as an opportunity to learn how to improve processes. Second, they are reluctant to accept simplification. Instead, they take active steps to thoroughly understand the risks the organization faces and value diverse expertise and opinions. Third, resilient organizations are sensitive to operations. This allows them to develop situational awareness through a dedication to understanding the challenges front-line personnel confront. Fourth, they are committed to resilience. This entails a willingness to acknowledge that no system is perfect and thus they constantly seek to identify and learn from errors and/or failures. Last, they have deference to expertise. Resilient organizations push decision-making authority out to the people who are the most knowledgeable of the process, regardless of their position in the organization. Consequently, complex organizations should look to develop these cultural dimensions as part of the ERM program, especially in operations that present significant, complex risks such as developing new industrial technologies.

In sum, critical findings from the literature related to change management are: (a) designing the program to reflect the organization’s culture, (b) ERM implementation as a significant organizational change initiative, (c) implementation as a dynamic and ongoing process, (d) long-term commitment to implementing ERM, and (e) ERM as a means to build organizational resiliency. Hence, changing the culture at an organization is a long, ongoing, complex process. To improve the acceptability of ERM at the early stages of implementation, the organization should design the program to be compatible with the existing culture and practices at the organization. Achieving the long-term goal of improving the risk management culture at the institution requires understanding ERM as a long-term process that is ongoing and dynamic in nature. Hence, the ERM program will need to be continually adapted to the new realities and challenges encountered throughout implementation. Last, the attributes of resilient organizations can form the basis for the attributes of an effective risk management culture. Thus, organizations should seek to build organizational resiliency by implementing ERM.



Chapter 7: Organizational Change and COSO’s ERM


With our new understanding of the broader concepts of organizational change, in this chapter I show how these concepts relate to the implementation of ERM in the complex organization. The literature suggests implementing a significant organizational initiative such as ERM at a complex organization is a complex process requiring leadership commitment. To effect change requires that leadership understand the process of change and whether the organization is ready for change. Therefore, the complexity and diverse cultures found at complex organizations necessitate that a change initiative such as ERM be designed and implemented in a manner that is consistent with management theories on organizational change. The findings further highlight the difficulty organizations may encounter when implementing an ERM program that aspires to change existing practices at the institution. Hence, an organization should first consider designing the ERM program to fit the culture and management practices at the institution. Starting with an ERM program that recognizes the existing institutional culture and practices should reduce the initial level of organizational change needed to launch the program. However, organizations should not neglect that the long-term objective of ERM is to integrate risk management into the institution’s management practices. Therefore, consistent with the change models, organizations need to determine the ERM program goals for each organizational level and establish mechanisms for embedding risk management into the institution’s management practices.

In sum, organizational change entails the environmental conditions at the organization that influence ERM implementation. Hence, the organizational change area involves the internal environment, objective setting, and internal control components of the COSO ERM framework. An organization’s internal environment includes items such as the history and culture of the organization, its risk management philosophy, the level of risk it is comfortable accepting, its ethical values, its organizational structure, and how it distributes authority (COSO, 2004). The objective setting component requires objectives to be aligned with an organization’s risk appetite and tolerance levels (COSO, 2004).

Risk appetite is the balance the organization chooses between growth, risk, and return; and risk tolerance is the level of variation it accepts to achieve its objectives (COSO, 2004, p. 20). To accomplish this, an organization must evaluate the risks associated with the strategic objectives the organization sets to achieve its mission and vision. Moreover, strategic objectives are used as the basis for establishing risk management objectives in areas such as operations, reporting, and compliance. The COSO (2004) framework also includes control activities to ensure the organization’s exposure to risk is kept within the tolerance limits set by the organization. Control activities involve establishing and implementing policies and procedures that outline risk management activities at all levels of the organization. Examples include requiring preapproval, authorizations, verifications, assessing operations, and the segregation of duties.

Several authors have found evidence to support COSO’s (2004) assertion that ERM needs to speak to an organization’s internal environment and objective-setting process. For example, Gates, Nicolas, and Walker’s (2012) survey of risk management executives from companies with ERM programs suggested that improvements in an organization’s internal environment build management consensus, lead to better decision making, and create higher levels of accountability for the ERM program. In addition, Cooper et al.’s (2013) meta-analysis of existing ERM literature found organizational culture can be either a major benefit or a major barrier to ERM implementation. However, the authors found only limited support for the “tone at the top” impact on understanding and controlling risk. Furthermore, they found that defining an organization’s risk appetite improves the ability to manage risk.

A key element of COSO’s (2004) objective-setting process involves integrating risk management into the process an organization uses to establish its strategic objectives. In addition, the risks associated with strategic objectives are evaluated and used as a basis for gauging risk in other areas, such as operations, reporting, and compliance. Throughout this process, risks are identified in each area and assessed based on the organization’s risk appetite and tolerance (COSO, 2004). In this regard, Louisot and Ketcham (2009) stated that ERM improves an organization’s strategic decision making by integrating discussions on threats and opportunities into the strategic planning process. Similarly, COSO (2004) stresses the importance of understanding and developing risk management objectives for each organizational level.

Kimbrough and Componation (2009) noted that the major frameworks for ERM implementation (i.e., Casualty Actuarial Society ERM framework, COSO ERM integrated framework, and ISO 31000 risk management framework and process) all suggest culture change as a primary concern with ERM implementation. However, these frameworks provide limited guidance on the impact culture has on ERM implementation, or how to change an organization’s culture to improve the ERM implementation processes. Moreover, the authors posited that existing frameworks portray ERM implementation in a manner that reflects only mechanistic organizational cultures. Mechanistic cultures are characterized by controlling management who believe employees need detailed direction and coercion to act for the organization. This raises a concern that ERM is viewed as needing to change the organization’s culture versus the organization adopting ERM to fit with the existing culture. For example, implementing an ERM strategy that relies heavily on quantifying risks and control mechanisms may fit the culture at a financial firm while not holding relevance for the culture at a complex

In regard to theory, although the COSO (2004) ERM framework refers to normative and culture-cognitive elements, the framework relies heavily on the regulative element outlined in institutional theory. Thus, the framework lacks insight on key mechanisms that enable organizations to build shared understandings on how they manage risk. Institutions with diverse organizational cultures require an ERM framework that reflects the existing institutional forces that drive action in each subculture of the organization. Moreover, the ERM framework should recognize how the organization’s existing assumptions and behaviors influence ERM effectiveness.

Lastly, Beasley, Clune, and Hermanson’s (2005) research on ERM implementation in the banking, education, and insurance industries found that senior management and board of directors’ leadership were the most critical factors for ERM implementation. Kleffner et al. (2003) found that key deterrents to ERM implementation are organizational structure, culture, resistance to change, and lack of qualified personnel to implement ERM. In addition, Yaraghi and Langhe (2011) concluded that having a well-defined and clear long-term strategy for risk management is the most critical element in ERM implementation. Consequently, ERM touches on key strategic issues at a complex organization such as its risk management philosophy and culture, and the institution’s strategic objectives. Moreover, as an organizational initiative that aspires to affect how the organization thinks about and manages its risks, ERM requires the attention and commitment of senior leadership.



Chapter 8: Decision Making I – Sensemaking Theory

Moving to the second of the three main concepts reviewed in Part 2, in this chapter I examine the concept of decision making, first in relation to sensemaking theory. Decision making concerning risk can be adversely affected by failure to recognize and use available relevant data. Bazerman and Moore (2009) described this phenomenon as bounded awareness, and posited that it is caused by people’s assumptions about where to focus their attention. Bounded awareness causes people to miss information due to focusing on another item, not recognizing that a situation has changed, or over-focusing on a specific event. Furthermore, research suggests people in group settings often discuss information that is already known by the group and do not consider unique or unshared information. In contrast, Weick, Sutcliffe, and Obstfeld (2005) said that managers often focus on obtaining scarce data instead of using data that is readily available to create action that fosters developing a better understanding of the situation. Consequently, prior to creating new processes for gathering data on risks, organizations can benefit from determining the existing data the institution already has available that may aid in the risk assessment process.

COSO’s (2004) ERM framework is based on a rational decision-making model (further discussed below) that offers limited theoretical insight on how decisions actually occur in an organization. Sensemaking theory can offer more robust explanations of the factors associated with organizational decision-making than rational decision-making models. According to Smerek (2013), sensemaking focuses on action, shifting the analysis from individual events to a more comprehensive examination of the continuous stream of events and situations in organizational life. Weick (2007) further specifies that sensemaking is an ongoing and continuous process of change, enactment, selecting, and retention that people utilize to provide plausible meanings and to develop actions in response to a perceived abnormality or unexplained event. Weick et al. (2005) stated that once awareness of an abnormal event occurs, people start to assign new meaning to the previously unrecognized or undefined event. This leads to labeling and categorizing the event in order to provide stable interpretations that allow for the development of viable alternatives to manage and coordinate a response to the event.

Weick et al. (2005) state that sensemaking also entails building retrospective interpretations through a process of reciprocal exchanges between people and their environments. In this scenario, the actions of people iteratively interact with changes to the environment. The interactions between people and their environments continuously cycle to provide an ongoing retrospective update of the event. Consequently, certain interpretations of the event are selected and those determined plausible are retained by the individual and/or group as valid and meaningful.



Weick et al. (2005) pointed out that sensemaking is influenced by social factors and the sharing and coordination of information across the organization. The authors added that actions and discussions cycle back and forth during the sensemaking process as individuals use existing frameworks to help interpret events and, in some cases, develop new frameworks for interpretation. In essence, sensemaking is thus an ongoing dialogue people use to make sense of a situation in order to take action. Sensemaking is also driven by plausibility since people need accounts that are socially acceptable and credible in order to act, even if the account lacks accuracy (Weick, 1995). Social dimensions of sensemaking are consistent with Wall’s (2011) finding that a person’s perception of risk is related to the social context surrounding their assessment of the risk. Specific social dimensions Wall (2005) found central to how people understand risk include their experience, personal and group orientation, attachment to a place, and social class.

Beach and Connolly (2005) stated that image theory, similar to sensemaking theory, regards decision making as a social act in which groups and organizations influence and constrain individual decisions. More specifically, three types of images influence decision making: value images, trajectory images, and strategic images. Value images consist of the decision maker’s values, morals, and ethics; and define standards for how things should be and how people ought to act in a given situation. Trajectory images address the decision maker’s agenda, goals, and overall vision for the future. Strategic images speak to the individual’s predictions of the future and plans for attaining their goals. Indeed, many complex organizations are comprised of people with diverse national and cultural backgrounds. Hence, the ERM risk assessment process needs to account for the diverse backgrounds, values, and beliefs of its members and the social dimensions of the decision-making processes that sensemaking and image theory illustrate.

Sensemaking theory also suggests that people do not rely solely on accurate information to act but instead base decisions on whether an action is plausible (Weick, 1995). Weick (1995) stated that executives’ perceptions are often not accurate with regards to their organization and environment. Furthermore, most organizational action is time sensitive, and consequently a tradeoff exists between speed and accuracy. Therefore, sensemaking theory maintains that decisions on a course of action for an organization are often made based on plausibility, coherence, reasonableness, and explanations that are credible and socially acceptable. Consequently, ERM programs that overemphasize accuracy over plausibility may fail to address the practical and real ways people make decisions in today’s complex organizational



Chapter 9: Decision Making II – Bias and Framing

Many things may influence decision making in a complex organization. In this chapter, I review two of these factors: bias and framing. Weick (1995) stated that sensemaking is “grounded in identity,” as people make sense of events by questioning the effect they will have on who they are (p. 19). In other words, “Depending on who I am, my definition of what is ‘out there’ will also change” (Weick et al., 2005, p. 20). As such, human biases affect the quality of the risk decision-making process. Bazerman and Moore (2009) pointed out several common biases inherent to decision making, such as availability heuristics, representativeness heuristics, and confirmation heuristics. Availability heuristics biases are tendencies to judge events that are easily remembered or recalled as more common and likely to happen. Representativeness heuristics are biases caused by ignoring base rates and sample size, holding inaccurate beliefs that small samples of chance events will occur as a random data set, overestimating an abnormal event’s effect on future outcomes, and overrating the probability of coincidental events. Confirmation heuristics biases include seeking information to confirm a person’s beliefs, overvaluing initial assessments of an event, underestimating the probability of separate events, overconfidence in a person’s judgment, and overestimating how accurately a person would have predicted an event that already occurred.