Adopting Enterprise Risk Management in
Today’s World:
An Evidence-Based Guide for Implementation
by
Dr. Steven Deck
COPYRIGHT © Steven Deck, 2017
Biography
Dr. Steven Deck has over 25 years of experience developing and
implementing risk management, environmental health and safety,
international safety and security, emergency response, and continuity of
operation programs and processes in higher education and in biomedical and
pharmaceutical industries. Dr. Deck has also led efforts to identify and treat
risks associated with implementing a strategic plan at a large research
university. Hence, he has experience managing risks at both the operational
and strategic level. He holds a doctorate in management, an MBA, and a
bachelor’s degree in safety and industrial hygiene management. Dr. Deck
also holds an associate in risk management and is a certified industrial
hygienist, safety professional, and hazardous materials manager.
Dedication
This book is dedicated to the people who tirelessly work to reduce
risks organizations face in today’s fast-paced world. Their efforts sometimes
go unnoticed since, if successful, risk managers prevent adverse events from
occurring or significantly reduce their impact on the organization. A good
day for a risk manager is one that is uneventful with operations continuing
without interruption. However, their work is critical to an organization’s
ability to achieve its mission. By reducing risks that threaten an
organization’s survival, risk managers preserve the organization’s ability to
offer people opportunities to earn a living and provide for their families.
Indeed, a risk manager’s role is critical to the success of society even if their
work sometimes goes unnoticed.
Acknowledgments
First, I would like to thank my advisory committee for my dissertation,
Dr. Thomas Mierzwa and Dr. Denise Breckon. The research for my
dissertation served as the foundation for the writing of this book. Their hard
work and commitment to my growth as a scholar enabled me to grow
intellectually and develop the skills needed to write this book. I would also
like to acknowledge Dr. Roger Ward, Senior Vice President for Operations
and Institutional Effectiveness and Vice Dean for the Graduate School at the
University of Maryland Baltimore for encouraging me to pursue my doctoral
degree and continuing to support me throughout my career. Thanks also go
to Dr. Lauren Sweetman for her guidance and editing of this book. Last, and
most importantly, I would like to thank my wife, Bonnie, for her patience and
support as I fulfilled the demanding requirements of a doctoral program and
writing this book.
Table of Contents
Introduction
Part 1: Understanding Organizational Risk and Risk Management
Chapter 1: Organizational Risk
Chapter 2: Traditional Risk Management
Chapter 3: Frameworks for ERM
Part 2: Management Science and ERM: From Theory to Practice
Chapter 4: Organizational Change I – Institutional Theory, Legitimacy Theory, and Organizational Culture
Chapter 5: Organizational Change II – Change Management
Chapter 6: Organizational Change III – Organizational Control and Resilience
Chapter 7: Organizational Change and COSO’s ERM Framework
Chapter 8: Decision Making I – Sensemaking Theory
Chapter 9: Decision Making II – Bias and Framing
Chapter 10: Decision Making and the COSO ERM Framework
Chapter 11: Organizational Learning I – Learning Organizations
Chapter 12: Organizational Learning II – Sensemaking-Based and Team-Based Learning
Chapter 13: Organizational Learning III – Action and Absorptive Capacity
Chapter 14: Organizational Learning and COSO’s ERM Framework
Part 3: Factors Affecting ERM Adoption and Implementation
Chapter 15: The Program Implementation Process
Chapter 16: Why Organizations Adopt an ERM Strategy
Chapter 17: Factors Influencing the Implementation of an ERM Program
Chapter 18: A Model for ERM Implementation in Complex Organizations
Part 4: Seven Principles for ERM Adoption and Implementation
Chapter 19: The Seven Principles
Chapter 20: Concluding Remarks
References
Introduction
Risk is pervasive in conducting business. Consider any operation an
organization performs: each requires identifying and managing the risks that
can impede the execution of the operation. For example, production units
must manage risks such as employee safety or the loss of a critical supplier or
piece of equipment, human resource departments confront potential claims of
unfair labor practices, and information technology groups must be alert to
cyber threats. Moreover, organizations face external risks that arise due to
advances in technology, changing economic and market conditions, and
increased globalization. Even organizations that fall outside of the traditional
conversation on risk must now consider these challenges. Higher education
institutions (HEIs), for example, are under increased pressure from the
government, public, and campus community to manage risks (The Advisory
Board, 2008; University Risk Management and Insurance Association
[URMIA], 2007). Such institutions must manage a wide range of risks in
diverse areas such as safety and security, regulatory compliance, academic
affairs, research, information technology, finance, human resources, and
facilities management (Abraham, 2013). Furthermore, recent events such as
hurricanes Katrina, Harvey, and Maria, the economic downturn, and social
issues such as sexual assault on campus and protest actions point out the
importance of managing risk in higher education. Indeed, although the
institution may survive such events, leadership may not. For example, both
the Penn State Jerry Sandusky sexual abuse scandal in 2011 and the
University of Missouri social protests of 2015 resulted in leadership changes
at these institutions.
Many organizations have historically deferred responsibility for
managing risks to individual operating units within the organization.
However, this approach lacks an overarching strategy for managing risks
from an institutional perspective. The lack of a comprehensive risk
management strategy leads to inconsistent risk tolerance levels, inefficient
resource allocation for risk control activities, and a lack of knowledge on how
risk affects achieving the strategic objectives of the organization. Here, an
approach known as enterprise risk management (ERM) provides a method to
manage risks in organizations holistically. In this book, I unpack this
approach both theoretically and practically, providing a hands-on guide to
understanding, adopting, and implementing ERM within complex
organizations. First, however, in the remainder of this introduction, I describe
the concept of ERM along with the evidence on which this book is based—
my doctoral research—and the systematic review methodology I employed to
analyze it, followed by a brief summary of the structure of the book.
What is ERM?
Enterprise risk management is a senior leadership initiative that aims
to integrate an organization’s risk management practices in order to enhance
the organization’s ability to achieve its strategic objectives (The Committee
of Sponsoring Organizations [COSO], 2004; Hoyt & Liebenberg, 2011). In
doing so, ERM moves beyond traditional risk management approaches that
focus on managing risks in functional silos. Instead, ERM aspires to manage
risks as a portfolio in order to capture the full range of risks and multiple
interdependencies between them. It does this by positioning risk management
as a senior leadership responsibility, assessing risk from an entity-wide
perspective, aligning business strategies with risk tolerance levels, and
integrating accountability for managing risks across the entity (COSO, 2004;
Kimbrough & Componation, 2009; Kleffner, Lee, & McGannon, 2003;
McShane, Nair, & Rustambekov, 2011). Because of this holistic approach,
ERM provides a means to manage organizational risk in a comprehensive and
strategic manner.
Existing ERM models originate from the business sector and were
developed by practitioners in such fields as auditing, accounting, and
insurance (Andersen, 2010). Despite their comprehensive approach, these
original frameworks tend to emphasize hierarchical management structures,
quantifying risk exposure, and control systems for managing risks. And, as
ERM is a relatively new management practice, there is limited empirical
research on implementing the practice in complex organizational settings.
Therefore, today’s organizations face the challenge of introducing ERM
frameworks that were not developed for complex settings into an
organizational culture that may already be skeptical of new management
approaches because of previous experiences with restructuring and
organizational change efforts. With the right tools and knowledge, however,
as I show in this book, ERM can be used in any organizational setting to
improve the organization’s risk management practices effectively and
efficiently.
The Systematic Review: An Evidence Base for ERM
This book utilizes a broad evidence base on ERM that I gathered
through the rigorous systematic review study I conducted for my doctoral
research. In this study, I examined the utility of ERM particularly in relation
to complex organizations, using the case study of higher education
environments as a frame for analysis. These environments present a wide
range of risks that cross multiple organizational boundaries. Traditionally,
such institutions had deferred risk management to the individual units most
affected by the risks. Such an approach did not look at the overall risk profile
of the institution and risks’ effects on achieving the institution’s strategic
objectives. Consequently, higher education leaders had turned to ERM as a
strategy to manage institutional risks. However, ERM is a management
practice that originated from the corporate sector. This raised the question as
to whether an ERM strategy for managing risks was appropriate for higher
education. In addition, if an ERM strategy was deemed appropriate for
managing risks in higher education, how should leadership implement such a
program? Prior to my study, existing ERM frameworks lacked information
on how to implement this practice in complex organization settings.
Therefore, in my study I posed the following research question: How do
critical success factors influence a decision to adopt and implement ERM in
higher education institutions? To answer this question, I reviewed both the
literature on this topic as well as its connections to academic theories of
change management, decision making, and organizational learning. Overall, I
showed how these theories could enhance the implementation of ERM in
complex organizations—findings I now bring to you. Although the study
used higher educational institutions as a framework for analysis, the findings
and recommendations from the study are transferable to any organization that
has a diverse range of operations, business units, and core functions.
More specifically, in the systematic review, I used a series of study
search terms related to ERM to search the electronic database OneSearch for
credible scholarly sources on ERM. Initially, the search yielded 999 citations
(after duplicates were removed). I reviewed all articles in brief (e.g., titles,
abstracts, headings) based on the study’s inclusion and exclusion criteria. I
looked specifically for primary research articles (articles describing research
undertaken by the authors themselves) and articles directly relevant to the
study’s research questions. After this stage, 53 primary studies relevant to the
research question remained for review. I then conducted a quality appraisal
process to ensure the rigor and validity of the research, which resulted in the
further elimination of two studies due to poor quality. I subsequently added
four grey literature studies (reports on ERM by organizations), resulting in a
final dataset of 55 studies. Figure 1 provides a summary of the results of the
search process.
Several observations can be made of the studies included in the
systematic review. First, the studies from peer-reviewed journals included in
the dataset were published after 2003, with 84% published after 2009. This
highlights that ERM research is still in its infancy. Second, the studies
published in peer-reviewed journals were found in the following types of
publications: accounting and finance (n = 19), risk management and
insurance (n = 14), engineering (n = 6), management sciences (n = 5),
information technology (n = 4), energy management (n = 2), and higher
education (n = 1). These results point to the strong influence the accounting,
finance, risk management, and insurance fields have on ERM research. The
results also highlight the limited number of studies published in journals
dedicated to the management sciences.
As ERM is a global phenomenon, no geographic limitations were
placed on the literature reviewed in my study. Consistent with Scott’s (1992)
assertion that “we can understand much about a specific organization from
knowing about other organizations” (p. 1), studies from sectors outside of
higher education were also included in the study. This allowed me to observe
which ERM implementation mechanisms worked or failed to work across a
range of organizational settings. Due to the study’s focus on ERM as a high-
level framework for managing risk and the challenges of implementing ERM
in higher education, technical aspects of risk management were outside the
scope of this study. Examples of these include mathematical models for risk
assessment and developing information technology solutions for ERM
programs.
Of the studies included in the review, 23 included findings from
U.S.-based organizations, while the remaining were from a diverse set of
countries and regions including Australia, Brazil, Canada, China, India, Italy,
Germany, Malaysia, the Middle East, New Zealand, the Netherlands,
Scandinavia, Sri Lanka, Turkey, and Zimbabwe. The studies looked at a wide
range of industry sectors, including banking, construction, education, finance,
government agencies, insurance, manufacturing, nonprofit organizations, oil
and gas, research institutions, services, suppliers, and utilities. These results
indicate ERM is a management strategy that has received global attention
from a wide variety of industries.
Thirty-five studies employed quantitative methods to analyze data
gathered from surveys, controlled studies, or publicly available financial data
sources. Twelve studies were qualitative, using methodologies such as case
studies and four used mixed methods. Two pieces of grey literature were
based on survey findings and two were from roundtables. Hence, research on
ERM has been conducted using multiple research methodologies. Last,
consistent with the research question this study explored, research on ERM
focused on two aspects of ERM: (a) why an organization would adopt ERM
and (b) the critical factors that influence ERM implementation. Taken as a
whole, the evidence base for this book consists of these 55 studies, which
draw on 5,614 survey respondents, publicly available data from 935
companies, and 35 case studies.
A How-To Guide for ERM
In this book, I provide a detailed overview of ERM, along with a guide
for its adoption and implementation. In Part 1, I explain the concepts of
organizational risk and risk management in relation to the complex
organization, unpacking traditional risk management approaches as well as
ERM frameworks in more detail. Then, in Part 2, I review a series of
management theories and concepts that can be utilized to enhance
understanding and implementation of ERM, including: institutional theory,
legitimacy theory, change management models, sensemaking theory, decision
sciences, theories of action, absorptive capacity, and organizational
resiliency. This is followed in Part 3 by a discussion of factors that affect
ERM adoption and implementation. In Part 4, based on my experience as a
practitioner tasked with identifying and mitigating risks in my operational
unit, and later in my broader role in the University’s ERM efforts, I
introduce seven principles for ERM adoption and implementation, providing
a hands-on tool to guide the ERM process in complex organizational settings.
Lastly, in the concluding remarks, I comment on the wide applicability of
ERM to complex organizational settings, speaking to the implications of
adopting ERM and areas for future research.
Overall, this book will provide you with both practical and
theoretical knowledge for adopting ERM to improve organizational
performance. This book expands the body of knowledge on ERM by
identifying factors that influence ERM implementation in complex
organizational settings, and linking them to a set of management theories that
enhance ERM implementation. To date, existing frameworks on ERM have
lacked practical information on implementing and integrating ERM across
the organization (Fraser, Schoening-Thiessen, & Simkins, 2008). Indeed, a
key difference between ERM and traditional risk management practices is
that ERM elevates managing risks to a senior leadership level. This entails
managing risk across the institution. Therefore, implementing ERM is a
broad organizational change initiative.
As a result, this book is useful for senior leadership and risk
management practitioners who are seeking evidence-based guidance on how
to implement ERM in their organization. This book addresses the interests of
senior leadership by providing answers as to why organizations implement
ERM, and the benefits and pitfalls of implementing an ERM program. This
book also demonstrates how ERM adoption and implementation—and risk
management practices more generally—can be enhanced through the
application of theories from management science on change management,
decision making, and organizational learning.
Part 1: Understanding Organizational Risk and Risk
Management
At its core, adopting and implementing ERM is simply a management
process for how an organization identifies and manages risks that threaten
achieving its mission and business objectives. As such, it entails utilizing sound
management practices one would use when implementing a management
process in an organization. However, ERM does have distinct elements that
practitioners should be aware of when implementing an ERM strategy.
Hence, in order to understand how and why ERM may be a good choice for
the complex organization, we must first unpack in more detail three key
concepts or focus areas that underpin this book: organizational risk,
traditional risk management, and ERM. These concepts occur in modern
organizational environments that can entail a wide range of structures that
may change over time. In addition, such environments often include varying
cultural and individual elements such as the culture specific to a nation,
organization, or department, or may relate to certain professional disciplines
(e.g., teacher, police officer, doctor, accountant, and lawyer). In Part 1, I
describe these three concepts in detail, in order to establish an essential
set of knowledge before discussing management theory and practice further
in Part 2.
Chapter 1: Organizational Risk
Prior to examining the ERM implementation process, it is necessary to
examine why risk presents challenges for complex organizations that
necessitate implementing an ERM strategy.
In this chapter, I discuss how the concept of risk has evolved into a critical
management function requiring senior leadership attention. I situate risk
within the context of the unpredictable, dynamic, and complex business
environments in which organizations operate, and how this influences an
organization’s decision to implement ERM.
Defining Risk
Definitions of risk associated with organizations operating in the
modern business environment utilize several unique concepts. For example,
Williams, Zainuba, and Jackson (2008) view risk as complex and
multidimensional. The authors added that risk is unavoidable, and defined
risk from a decision-maker’s perspective as
an assessment of whether an unfavorable outcome might occur
(possibility of loss), an assessment of the range of possible unfavorable
outcomes (probabilities of such loss), and an assessment of the extent to
which possible unfavorable outcomes can be managed or controlled
(exposure to hazard or danger). (Williams et al., 2008, p. 59–60)
A more precise definition of risk is “the uncertainty about outcomes that can
be either negative or positive,” where risk management is defined as “the
process of making and implementing decisions that will minimize the adverse
effects of accidental losses to an organization” (Baranoff, Harrington, &
Niehaus, 2005, pp. 1.4–1.5).
Woon, Azizan, and Samad (2011) proposed three categories of risks
that affect an organization’s financial performance: (a) tactical risk, which
involves the uncertainty of expected earnings; (b) strategic risk, which entails
the uncertainty of performance outcomes; and (c) normative risk, which
addresses the risk penalty a firm pays for not conducting business within the
accepted norms of the industry and society. Similarly, Kaplan and Mikes
(2012) proposed a three-category system for classifying organizational risks.
First, preventable risks are internal to the organization and arise in the course
of business (e.g., safety hazards and improper employee actions). Preventable
risks lack strategic benefit but must be actively managed due to the negative
impact they can have on the organization. Second, strategic risks are risks a
company voluntarily takes in order to generate desired economic returns.
Strategic risks are not inherently undesirable but require different strategies to
manage than those used to manage preventable risks. Last, external risks
surface from outside the organization and are beyond the control of the
organization. An organization must develop a process to identify potential
external risks and prepare contingency plans to manage them if they occur.
These two methodologies for categorizing risks illustrate that not all risks are
created equal. Hence, complex organizations need to consider the type of risk
when establishing risk assessment strategies and tolerance levels.
Dimensions of Risk
Brinkmann (2013) identified the following six dimensions of risk:
measurability, attributability, manageability, insurability, voluntariness, and
moral responsibility. Measurability is the quantifiable dimension of risk.
Attributability involves whether the risk can be ascribed to organizational
decisions. Manageability concerns actions that can prevent or eliminate the
risk. Insurability is whether the risk can be insured. Voluntariness deals with
whether a risk is chosen using free will and with sufficient knowledge to
make an informed decision. Finally, moral responsibility involves whether
risk is taken with the informed consent of all parties involved in the decision.
Each of Brinkmann’s dimensions suggests a certain level of understanding
and control an organization has over the risks it faces. However, it is
questionable to what extent the complex types of risks modern organizations
face are measurable and are under the control of the organization. Moreover,
complex organizations need to consider determining the appropriate decision
maker(s) for a risk, whether affected people are informed about the risk, and
if the financial liability for the risk can be controlled through insurance or
other risk transfer mechanisms (e.g., hold-harmless agreements or
contracting out the risk exposure).
Risk management processes tend to focus on analyzing risks from an
event perspective to determine cause and effect relationships. However, risk
is a complex phenomenon, and as Grabowski and Roberts (1997) showed,
implementing a risk mitigation system in large organizational settings is
difficult. The authors argued that such challenges are related to four
characteristics of large systems: (a) simultaneous autonomy and
interdependence, (b) intended and unintended consequences, (c) long
incubation periods that allow problems to develop, and (d) risk migration. As
large systems, complex organizations are likely to encounter these challenges
during ERM implementation.
Boisot and McKelvey (2010) used Ashby’s law of requisite variety
to explain complexity in organizational settings. According to Ashby’s law,
“only variety can destroy variety” (p. 421). As such, for an organism or social
entity to be adaptive, it must be able to match the variety of external stimuli
imposed on it. Consequently, the authors proposed that for an organization to
be adaptive, it must have a variety of responses available that match the
variety of external constraints or threats imposed on the organization.
Moreover, when the external variety exceeds the capacity of the organization,
adaptive tension develops that seeks to fill the gap between the system’s
capability and external demands so the system can survive. Consequently,
Boisot and McKelvey’s (2010) separation of complexity into three regions
(chaotic, complex, and ordered) helps explain why certain types of risks can
be understood and controlled by the organization, whereas other risks are more
difficult to recognize and comprehend. The chaotic region is typified by
stimuli that have no discernible regularities, while the complex region—
where most challenges fall—presents some regularity, though it may be
difficult to discern. The ordered region involves stimuli that, in theory, can be
planned for and controlled.
For example, Andersen (2010) suggested strategic risks can involve
significant exposure to organizations due to their high level of uncertainty.
Thus, strategic risks often lack easily discernible regularities yet present
significant risk to the organization. Hence, strategic risks share the
characteristics of the chaotic or complex regions depicted by Boisot and
McKelvey (2010). Despite this high exposure level, Andersen (2010)
suggested that most risk management approaches tend to focus only on
recognized exposures, and are ill-equipped to handle complex risks
associated with high levels of uncertainty. This is a particularly salient
challenge for ERM since ERM aspires to look at a broad range of
organizational risks, including those at the strategic level. However,
methodologies for evaluating risks are often based on assessing risks that are
more easily identified, measured, and controlled. Examples include risks such
as safety hazards or failing to meet regulatory requirements.
Uncertainty and ambiguity can add to the complexity of identifying and
understanding an organization’s risk exposure. Scott (1992) identified five
dimensions of uncertainty. First, the degree of homogeneity/heterogeneity
involves the level of diversity of customers and stakeholders an organization
must manage. Second, the degree of stability/variability is the extent to which an
organization experiences change. Third, the degree of threat/security
concerns how vulnerable an organization is to its environment. Fourth, the
degree of interconnectedness/isolation involves how dependent an
organization is on other organizations or agencies. Last, the degree of
coordination/noncoordination is the extent to which an organization deals
with external groups whose actions are coordinated. Due to the diverse set of
customers and stakeholders complex organizations regularly interact with and
the increasing complexity of the environment in which they operate, the
context within which organizations must identify, evaluate, and act on risks
also contains a high level of uncertainty. Indeed, Power (2007) stated that
“when uncertainty is organized, it becomes a risk to be managed” (p. 6).
The concept of risk is further complicated since leadership involves
taking risks and leading organizations through areas where success is not
guaranteed (Brinkmann, 2013). March and Shapira (1987) added that leaders
often define risk differently than the theoretical literature, and that even two
individuals can see the same risk differently. The authors explained that
leaders see risk as something they can control, and risk-taking as part of their
job and identity as leaders. The authors also found that leaders place more
weight on the potential positive outcomes of an activity over negative results.
Furthermore, leaders do not see risk as simply a statistical or probability
concept, or see value in reducing risk to a single quantifiable measure.
Risk also has social dimensions when situated within the context of
an organizational environment. Indeed, Power (2007) suggested risk has
“acquired social, political, and organizational significance as never before”
(p. 3). Weick (1995) proposed that organizations are networks of people
socially interacting through the use of shared meanings and language, and
that internal constructions of knowledge are developed in the presence or
perceived presence of others. Schein concluded that a social reality consists
of the items that groups form consensus around, such as how humans relate
to their environment, distribute power, form group boundaries, develop
ideology, and share cultural elements. More specific to risk, Argyris (1980)
suggested that the inability of organizations to discuss threatening or risky
issues is caused by how people are acculturated and socialized (i.e., their
values, skills, and action strategies for dealing with challenging issues).
Argyris continued that these social elements can inhibit attempts by the
organization to encourage employees to disclose information on actions such
as unethical behavior or hazardous working conditions. Consequently,
organizations must manage a diverse set of risks that require different means
to assess and control. Moreover, individual backgrounds and perceptions of
risk and of the organizational environment influence how an organization
evaluates and responds to risk.
Risk and Opportunity
Enterprise risk management implies that effectively managing risk can
result in improving an organization’s ability to recognize and capitalize on
opportunity. Arnold, Benford, Canada, and Sutton (2011) conceived of ERM
as having either a defensive focus on risk control and avoidance or an
offensive focus that looks at the upside of risk in order to identify
opportunities the organization can exploit. Arnold, Benford, Hampton, and
Sutton (2012) made a similar argument that as ERM programs mature, they
increase their ability to manage risks and opportunity. Indeed, Power (2007)
argued that organizations that are more effective at aligning their business
strategy with organizational governance, regulatory compliance, and
enterprise goals will be better positioned to realize opportunities that emerge.
Hence, it is logical to conclude that an organization’s leadership would be
more likely to implement ERM if the program also enhances the
organization’s ability to identify and act on opportunities.
Brunswicker and Hutschek (2010) predicted that firms that use
active processes for identifying opportunities from external and distant
sources will be more successful at finding potentially exploitable
opportunities. Similarly, Baron and Ensley (2006) defined opportunity
recognition as “the process through which ideas for potentially profitable new
business ventures are identified by specific persons” (p. 1331). Riquelme
(2013) identified three factors that influence a person’s ability to recognize
opportunities: cognitive frameworks, self-efficacy, and social networks. The
decision on whether to exploit an opportunity is dependent on attitudes
toward the opportunity (favorable or unfavorable view of the opportunity),
subjective norms (peer pressure on whether or not to act on the opportunity),
and perceived behavioral control (perceived ease or difficulty of exploiting the
opportunity successfully). Opportunities that are favorably perceived in these
areas are more likely to be acted on than those that are viewed less favorably
in one or more of these dimensions (De Jong, 2013). As such, the ability to
identify opportunities is influenced by individual and social dynamics similar
to those associated with identifying risks. Moreover, assessing whether the
organization should act on the opportunity should also include evaluating the
risks associated with the opportunity. Hence, organizations can integrate risk
identification and assessment processes with opportunity identification
processes so that each complements and strengthens the other.
In sum, risk is a complex phenomenon that has multiple dimensions. As
such, a one-size-fits-all strategy for evaluating and managing risks is unlikely
to be successful. Consequently, the complexity and multiple dimensions of
risks warrant managing risks using a holistic approach as offered by ERM.
Moreover, an organization’s capability to identify and control risks
effectively is linked with its ability to capitalize on opportunities.
Chapter 2: Traditional Risk Management
Now that we have an understanding of organizational risk more
generally, we can look at the different types of risk management that
ultimately may lead an organization to adopt an ERM program. In this
chapter, I review the concept of traditional risk management, which serves as
a basis to then understand the ERM framework presented in the following
chapter.
Traditional risk management is defined as “the process of making
and implementing decisions that will minimize the adverse effects of
accidental losses on an organization” (Baranoff et al., 2005, p. 1.5). This
approach to risk management aims to identify potential loss exposures and
examine the feasibility of various strategies to limit these exposures
(Baranoff et al., 2005). Strategies utilized to manage risks fall into two
categories: risk control and risk finance. According to Baranoff et al. (2005),
there are six core risk control techniques: “avoidance, loss prevention, loss
reduction, separation, duplication, and diversification” (p. 2.19). As the name
implies, avoidance simply means the organization does not take on an
activity that exposes it to certain risks. Loss prevention and reduction involve
actions to reduce the frequency and severity of losses from risks. Separation
entails splitting up assets so they are not all exposed to the same risk.
Duplication involves the use of redundant systems to prevent the shutdown of
an operation or process. Finally, diversification spreads risk exposures over a
range of operations, markets, or geographic regions. Examples of risk finance
techniques include transfer methods, such as insurance, hold-harmless
agreements, and hedging; while an example of retention is the self-funding of
losses (Baranoff et al., 2005).
Traditional risk management techniques fail to address the full range
of risk exposures a complex organization may face. Arena, Arnaboldi, and
Azzone (2011) argued that a limit of traditional risk management is its
tendency to manage risk categories separately. Traditional risk management
functions have often been located in the accounting, financial, compliance,
and internal auditor areas of organizations (Blaskovich & Taylor, 2011).
Moreover, March and Shapira (1987) contended that theories on managerial
perspectives of risk, such as classical decision theory, oversimplify human
behavior and thus do not accurately explain how managers perceive risk.
Brinkmann (2013) suggested that the complexity of modern risk combined
with increased pressure to hold organizations accountable for their actions
can lead to managers focusing on providing a defendable justification for
their decisions concerning risk at the expense of using sound professional
judgment. Accordingly, Brinkmann (2013) posited the need for “intelligent
risk management” based on the following tenets: (a) control systems that are
not allowed to overburden managerial attention and innovation, (b) higher
tolerance levels for disorganization and ambiguity in the risk management
process, and (c) internal control systems that focus on generating usable
knowledge and that are always challengeable. Enterprise risk management
frameworks such as the one offered by COSO begin to address the three
dimensions of intelligent risk management; however, they require more
insight on how to manage risks without stifling innovation, how to assess
risks with high levels of ambiguity, and how to create actionable knowledge
through the risk management process.
In sum, modern organizations face a wide range of complex risks that
challenge their ability to meet mission-critical objectives. In addition,
managing risk is more complicated in large institutions composed of multiple
subunits that operate in a global, changing economy (Grabowski & Roberts,
1997). Within the complex institution, the failure to manage risks properly
can lead to events that challenge an organization’s ability to meet critical
objectives and jeopardize its survival. As McShane et al. (2011) stated,
“Managing risks has become a critical function for CEOs as organizational
environments become increasingly turbulent and complex” (p. 653). A survey
by North Carolina State University and Protiviti (2015) identified the top
risks executives perceive their organizations face as regulatory changes,
economic conditions that restrict growth, attracting and retaining talent, inability
to identify risks, cyber threats, managing unexpected crises, sustaining
customer loyalty, resistance to change that restricts the ability to adjust business
models, and not meeting performance expectations. Consequently, in light of
these issues, traditional approaches to risk management should be replaced by
methods that position risk management as part of an organization’s
governance process, allowing for a more holistic view of the organization’s
risk exposure. Enterprise risk management is such a strategy.
Chapter 3: Frameworks for ERM
There are several existing frameworks for ERM, including: the
Casualty Actuarial Society ERM framework, the COSO ERM integrated
framework, the International Organization for Standardization (ISO) 31000
risk management framework and process, the Australian and New Zealand
standard for risk management, and the Federation of European Risk
Management Associations’ risk management standard (Andersen, 2010;
Kimbrough & Componation, 2009). These frameworks share similar risk
management steps and highlight how ERM influences a broad range of
activities and organizational levels (Kimbrough & Componation, 2009).
Moreover, these frameworks portray ERM as a top-down-driven risk
management approach (Andersen, 2010). In this chapter, I present the COSO
ERM integrated framework, which provides a basis for the discussion
throughout this book, since it is the most prevalent model referenced in the
literature.
In 1985, COSO was established to address the increased incidence of
fraudulent financial reporting. This initially resulted in COSO developing
frameworks to improve financial reporting and compliance, followed by the
publication of the ERM integrated framework in 2004, which is referenced
by several U.S. and international standard-setting bodies (Landsittel &
Rittenberg, 2010). The committee is composed of five sponsoring
organizations: the American Accounting Association, the American Institute
of Certified Public Accountants, Financial Executives International, the
Institute of Internal Auditors, and the Institute of Management Accountants.
Its mission is “to provide thought leadership through the development of
comprehensive frameworks and guidance on enterprise risk management,
internal control, and fraud deterrence designed to improve organizational
performance and governance and to reduce the extent of fraud in
organizations” (Landsittel & Rittenberg, 2010, p. 457). The committee’s
composition and mission are especially important as they reveal the
professional background of the framework’s developers and, subsequently,
the challenges organizations may have implementing a framework that relies
heavily on internal controls and top-down management strategies.
According to COSO (2004), enterprise risk management is a process,
affected by an entity’s board of directors, management and other personnel,
applied in strategy setting across the enterprise, designed to identify potential
events that may affect the entity, and manage risk to be within its risk
appetite, to provide reasonable assurance regarding the achievement of entity
objectives (p. 4).
This definition outlines the following six key elements of ERM: (a)
led by senior management, (b) integrated throughout the organization, (c)
considers risk from a strategic perspective, (d) provides reasonable assurance
of meeting an organization’s goals, (e) identifies risks that affect the
organization, and (f) manages risk based on the organization’s risk appetite
and tolerance level. In addition, COSO proposed four critical areas for
establishing risk management objectives: (a) strategic objectives, which
involve high-level goals and the mission of the organization; (b) operations
objectives, which outline the efficient use of organizational resources; (c)
objectives to meet an organization’s reporting requirements; and (d)
regulatory compliance objectives. According to COSO (2004), organizations
need to set objectives for managing risk at each organizational level to
include the entity, divisional, business unit, and subsidiary levels of the
organization.
The COSO (2004) ERM framework is composed of eight
interrelated components. These include: (a) the internal environment, such as
the organization’s risk management philosophy, ethical values, and the
operating environment; (b) objectives that align with the organization’s
tolerance for risk; (c) the identification of internal and external events that
present risks to the organization; (d) the assessment of events to determine
the likelihood and impact risks may have on the organization; (e) the
selection of responses to control risks, such as avoiding, accepting, reducing,
or sharing the risk; (f) the establishment of control activities, such as policies
and procedures to help ensure risks are adequately addressed; (g) the
adoption of mechanisms to communicate and capture information on risks;
and (h) the implementation of processes to assess and monitor the state of the
ERM program continually. Figure 2 illustrates the basic logic of the COSO
framework. Here, risk objectives are set in their respective domains for each
level of the organization, and realized through the application of the eight
interrelated components. Although portrayed in the illustration as a linear
operation, the process is, in practice, more iterative with activities co-
occurring across each area.
In sum, the COSO framework reflects practices found in mechanistic
organizational settings typified by management practices that focus on
control and top-down decision making. Mikes (2009) described this
framework as advocating for ERM as a “strategic management control
system” (p. 20). Consequently, the framework provides limited information
on managing risks in global, multiorganizational, large-scale systems with
diverse management processes led by a wide variety of people (Grabowski &
Roberts, 1997). Formal approaches to risk management such as these may
lead to a focus on identifiable and quantifiable risks instead of the strategic
risks that have more uncertainty (Andersen, 2010). Indeed, Fraser,
Schoening-Thiessen, and Simkins (2008) found that executives expressed
concern over the lack of information on integrating ERM across their
organizations, and viewed the framework as impractical to implement.
In addition, ERM is a relatively new practice. The first evidence of
such activity occurred in 1998, with the first academic study on ERM
published in 1999 by Colquitt, Hoyt, and Lee. In this initial study, Colquitt et
al. investigated the role risk managers have in nonoperational risks and the
techniques they use to control these risks. Subsequently, the majority of
research on ERM has been published in peer-reviewed insurance and
accounting journals (Iyer, Rogers, & Simkins, 2010), and tends to favor
quantitative approaches to risk analysis and the use of management control
systems. Landsittel and Rittenberg (2010) have argued that ERM research
needs to go deeper than simple assessments of current best practices. Iyer et
al. (2010) further stated that ERM research lacks a natural “disciplinary
home” and, as such, is a topic that can be studied from a variety of
management theory perspectives (p. 420). As such, in Part 2, I explore how
concepts from the management sciences in areas such as change
management, decision making, and organizational learning can advance
understanding on ERM from both practical and theoretical perspectives.
Part 2: Management Science and ERM: From Theory to Practice
In Part 1, I discussed the key concepts of organizational risk, traditional
risk management, and the COSO ERM framework. One of the key findings
from my research is that knowledge on ERM implementation has been
disconnected from management concepts, despite its clear connection to
senior leadership and management strategy. This is true both of research on
ERM as well as in how it is practically implemented in organizations.
Therefore, in order to provide a comprehensive understanding of ERM, in
Part 2, I review concepts in management science theory that may enhance
ERM implementation within complex organizations (see Figure 3). In the
chapters that follow, I focus on three main areas: organizational change,
decision making, and organizational learning. For each area, I first explain
aspects of the theories more generally, followed by how that area connects to
the COSO ERM framework.
Chapter 4: Organizational Change I – Institutional Theory, Legitimacy Theory, and Organizational Culture
Concepts relating to institutional theory, legitimacy theory, and
organizational culture can be used to analyze how external and internal
factors in an organization’s environment influence the decision to adopt ERM
and the implementation process. In this chapter, I unpack these models to
provide a context to understand change management more generally.
Institutional Theory
Institutional theory speaks to how external pressures from
governmental agencies, laws and regulations, stakeholders, professional
norms, and the public influence an organization (Wicks, 2001). Scott (2014)
explained that “institutions comprise regulative, normative, and cultural
cognitive elements that, together with associated activities and resources,
provide stability and meaning to social life” (p. 56). Moreover, he proposed
that each element operates through distinct mechanisms and forms the “three
pillars of institutional theory,” which are: (a) regulative, which focuses on
expedience, coercive mechanisms, and regulative rules; (b) normative, which
relies on social obligation, normative mechanisms, and binding expectations;
and (c) culture-cognitive, which values shared understanding, mimetic
mechanisms, and cultural influences. These elements help to provide
institutions with the meaning and stability that create organizational
structures and guide behavior.
However, each has distinct underlying assumptions and mechanisms
that can be used as analytical elements for understanding institutions. More
specifically, the regulative element focuses on expedience, coercive
mechanisms, and regulative rules; the normative component relies on social
obligation, normative mechanisms, and binding expectations; and the culture-
cognitive element values shared understanding and mimetic mechanisms.
Consequently, institutional theory is used to analyze how an organization’s
history, culture, and operating environment shape the decision to adopt ERM
and influence the type of program implemented.
Legitimacy Theory
Suchman (1995) defined legitimacy as “a generalized perception or
assumption that the actions of an entity are desirable, proper, or appropriate
within some socially constructed system of norms, values, beliefs, and
definitions” (p. 574). Suchman (1995) also asserted that there are three broad
types of organizational legitimacy: pragmatic, moral, and cognitive.
Pragmatic legitimacy relates to whether the activity is perceived as beneficial
to the organization and its stakeholders. Thomas and Lamm (2012) stated that
such perceived benefits may include items such as better use of resources,
reduced risk and legal liability, and improved reputation; items similar to
those benefits touted by ERM proponents. Secondly, Suchman (1995) argued
that legitimacy has a moral dimension that involves whether an
organization’s actions and image are consistent with socially accepted norms.
This moral legitimacy includes beliefs stakeholders share about an activity’s
value in advancing the interests of society. However, Suchman (1995)
cautioned that resistance and organizational politics can significantly affect
moral legitimacy. Lastly, cognitive legitimacy involves how easily an activity
is comprehended and how consistent it is with the existing organizational culture
and belief systems. Here, people assess whether the activity will make their
job easier or more difficult (Thomas & Lamm, 2012).
Protecting and enhancing the organization’s identity can also have
positive effects on the overall perceptions members have of the organization.
For example, people develop their personal identities in part through their
perception of how others view the organization where they work (Weick,
1995). Indeed, Ravasi and Schultz (2006) found that how people perceive
identity threats to an organization is influenced by how they believe the
organization is perceived externally and their assumptions about the
distinctive behavioral patterns of the organization. The authors also found
that organizational responses to identity threats can be limited by the need to
reconcile responses with external changes. Moreover, the organization’s
culture provides the context for the sensemaking process the organization
undergoes as it seeks to understand, reevaluate, and redefine the organization
in response to the identity threat.
Within the context of complex organizations, the reasons
organizations adopt a new business practice such as ERM can vary. For
example, Gioia and Thomas (1996) found measures like profit and return are
not as relevant to higher education leadership. Instead, items such as prestige
and ranking are critical, making an institution’s image a critical strategic
issue. According to the authors, leadership issues can be separated into two
categories: strategic and political. Strategic issues are items associated with
creating the desired future state, while political issues involve the status quo
and managing competing interests. The authors found that image and identity
powerfully influence how leaders in organizations interpret the critical issues
they confront and that strategy and information processing are critical to how
leaders interpret these issues. Consequently, the literature suggests that
organizational leadership will be moved to adopt ERM when leadership sees
linkage between adopting ERM and protecting and enhancing the
institution’s reputation. Legitimacy theory thus addresses the issue of why a
certain course of action is accepted by an organization and hence helps
explain the factors that influence whether members of the organization accept
an initiative such as ERM (Suchman, 1995). Therefore, legitimacy theory is
used to explain the logic for why leadership at a complex organization may
select an ERM strategy and factors that affect employee perceptions on the
validity of the program.
Organizational Culture
Mintzberg and Westley (1992) posited that changing an organization’s
culture involves shifting the collective mindset of the organization. On the
other hand, Schein (2010) proposed that culture is formed as organizations
solve problems of external adaptation and internal integration, such as an
organization’s mission, strategy, goals, and methods to measure progress.
Internal integration problems include creating a common language and
defining group boundaries, power distribution, and behavioral norms. Schein
(2010) added that an organization’s overall culture is influenced by national
and ethnic identities, cultures from other organizations with which the
organization interacts, cultures associated with different occupations, and
microcultures that develop in cross-functional organizational groups. He
found that these cultural forces are powerful and significantly affect the
actions of the organization. Schein (2010) also argued that an organization’s
culture is, in part, a “learned defense mechanism to avoid uncertainty,” which
can cause the organization to fail to address uncertainty proactively (p. 277).
Lastly, Schein stated that a concern for an organization’s culture is an issue
unique to leadership and one that differentiates leadership from general
management and administration. Based on Schein’s broader definition of
organizational culture, Cooper, Faseruk, and Kahn (2013) defined risk culture
as
a pattern of basic assumptions that the group learned as it identified,
evaluated, and managed its internal and external risks that has worked
well enough to be considered valid, and therefore to be taught to new
members as the correct way to perceive, think, and feel in relation to
those risks. (p. 65)
As Cooper et al.’s definition of risk culture illuminates, developing a risk culture at
a complex organization entails building the organization’s understanding of
how it identifies, understands, and manages risks. Therefore, leadership plays
a critical role in ERM programs that aspire to change the culture surrounding
how the institution understands and responds to risks.
As further discussed in relation to decision making, Osland and Bird
(2000) utilized the concept of sensemaking to help explain how people
understand different cultures. In particular, they explored cultural paradoxes
where situations cause different and contradictory responses. The authors
stressed the need for context to understand actions and responses in a cultural
setting. They further determined that cultural values and histories influence
the schema people select in a situation. They defined a schema as “a pattern
of social interaction that is characteristic of a particular cultural group” (p.
71). Indeed, Schein (1993) warned that complex business and societal
problems are often caused by cultural misunderstandings. These issues can be
amplified in complex organizational settings with multiple cultural elements.
Therefore, understanding how diverse cultural units and associated views on
risk affect ERM implementation is critical, worthy of deeper exploration, and
directly related to the internal environment COSO speaks to in its ERM
framework.
For example, at universities and colleges, Birnbaum (1988) noted
the cultural divide between faculty and administrators, where faculty viewed
administrators as imposing red tape and constraints on their work, and
administrators viewed faculty as unconcerned with costs and reasonable
appeals for accountability. To address the different priorities between faculty
and administrators, Birnbaum suggested that HEIs have two distinct control
structures: one for administrative decisions and another for faculty. Birnbaum
(1988) also explained there are four basic models for how HEIs function:
collegial, bureaucratic, political, and anarchical. As the name implies,
collegial institutions value shared power and consensus with leadership that
seeks input on decisions, and where responsibility is collectively shared.
However, Birnbaum noted that collegial institutions only work for relatively
small organizational settings. In contrast, a bureaucratic institution is
common to colleges in which large-scale administrative functions are
organized to reduce uncertainty and improve performance. In this setting,
people can be more easily replaced and are not as critical to the overall
performance of the institution (e.g., in community colleges where faculty
only teach part-time). On the other hand, faculty members at political
institutions are deeply connected to the organization and are often part of a
wide array of specialized subunits. Consequently, such an organization is too
complex for a bureaucratic structure and thus relies on decentralized decision
making with diffused power. This results in constant competition among
subunits for resources and influence on the direction of the organization.
Lastly, anarchical institutions are characterized by having several schools or
units that appear to operate independently from the overall organization.
Anarchical institutions often have vague goals, ambiguous understandings of
how inputs are converted to outputs, and unclear decision-making processes.
Consequently, from a broad perspective, there are unique cultures at
universities and colleges that require adapting the ERM process so it is
compatible with the existing culture and management style at the institution.
Chapter 5: Organizational Change II – Change Management
Theories on change management can be used to analyze how to
implement a broad organizational initiative such as ERM. Therefore, in this
chapter, I explain change management and models for change management
within the context of the complex organization. Change requires leaders to
manage the interests of diverse and vast groups of stakeholders (Jongbloed,
Enders, & Salerno, 2008). According to Kezar and Eckel (2002), strategies
for transformational change at complex organizations include leadership
support, collaboration, well-designed programs, staff development, and
observable action. The authors found that these strategies are effective
because they provide opportunities for key stakeholders to help create
direction and priorities for change, clarify roles, and understand what change
means for them. The authors pointed out that the real value of such strategies
is their ability to generate organizational sensemaking.
Gioia and Chittipeddi (1991) studied a major change initiative at a large
public university. The authors defined change as an effort to alter how an
organization thinks and acts, and strategic change as organizational change
that seeks to capitalize on critical opportunities and respond to potential
threats. The authors concluded that change requires organizational members
to make sense of the organization’s internal and external environment, and to
understand change in relation to their existing cognitive interpretation of what
the change initiative means for them. Gioia, Thomas, Clark, and Chittipeddi
(1994) also conducted research on strategic change. They found that task
forces that are charged with implementing change go through four stages.
First, people interpret who they are, their responsibilities for the change
initiative, and what external forces influence their ability to act. Next,
members of the task force define their role in the change initiative and
determine the methods for implementing the initiative. The group then moves
to the legitimation stage, which focuses on how to enhance the organization’s
perception of the group as legitimate agents for the change initiative. Last, the
task force works to increase its influence in an effort to institutionalize
change so it has a lasting impact on the organization. Hence, complex
organizations that choose to use a team for ERM implementation should
select members who can be effective at guiding the program through the
strategic change process.
Woon et al. (2011) posited that ERM is a change management initiative
that requires a significant shift in an organization’s mindset about managing
risk. However, Schein (2010) cautioned that leaders must first understand the
general process for organizational change before attempting to change the
culture of an organization. In keeping with these findings, the literature on
change management has identified key elements of the organizational change
process. For example, Cinite, Duxbury, and Higgins (2009) identified factors that indicate
whether an organization is ready for change (e.g., senior management’s
commitment, competent change agents, and immediate managers’ support).
According to the authors, employees desire competent change champions that
consider options prior to implementing change, a senior management team
that is decisive about an organization’s strategies and goals for change, and
leadership that is committed to the success of the change initiative. In
addition, employees desire managers that encourage participation in change,
share information, and acknowledge the impact of change on people. Cinite et
al. (2009) also found that factors indicative of a lack of
readiness for change include poor communication of the reasons for and
benefits of the change initiative, increased workloads, and workloads that do
not allow employees to participate in the change initiative.
Change Management Models
Organizational change is defined by Van de Ven and Poole (1995)
as “a difference in form, quality, or state over time in an organizational
entity” (p. 512). Kurt Lewin, a social scientist who studied how to resolve
social conflict, forged understanding of organizational change through his
development of a three-step model for change based on unfreezing existing
behaviors, moving (learning) new behaviors, and refreezing new behaviors
by making them congruent with the environment (Burnes, 2004). Schein
(2010) further elaborated on Lewin’s work by proposing a conceptual model
for managed cultural change. Consistent with Lewin’s theory on change,
Schein (2010) proposed that change consists of three stages: unfreezing,
changing, and refreezing. The unfreezing stage entails creating the motivation
to change by using information to challenge existing beliefs. This is paired
with the creation of survival anxiety to motivate change, and psychological
safety to overcome learning anxiety. The changing stage takes place by
learning new concepts, meanings, and standards for judgment. This stage is
aided by providing role models with whom people can identify and fostering
opportunities to pursue new solutions and for trial-and-error learning. The
refreezing stage involves internalizing these new concepts, meanings, and
standards, and incorporating them into self-conception and identity, and
ongoing relationships. Such organizational change models were used to
examine how the type and stage of the change management process
influences ERM implementation. Orlikowski and Hofman (1997) added that
organizational change is a dynamic ongoing process involving multiple
stages of change interacting in an iterative manner. The authors referred to
this as the improvisational model for managed change that “recognizes that
change is typically an ongoing process made up of opportunities and
challenges that are not necessarily predictable at the start” (p. 13). Theoretical
work on change management provides a means to clarify the process of
implementing an organization-wide initiative such as ERM and the
challenges likely to be encountered in such an endeavor.
Mintzberg and Westley (1992) explained how organizational change
occurs at different levels in an organization. In this model, the highest level
of change occurs in an organization’s culture and vision, followed by changes
in structure and positions, systems and programs, and people and facilities.
Mintzberg and Westley (1992) argued that changing an organization’s culture
and vision must include change at the lower levels. Similarly, Schein (2010)
stated that embedding mechanisms for cultural change fall into two
categories. The first category entails primary embedding mechanisms such as
what leadership pays attention to, measures and controls, how leaders react to
critical events or crises, how resources and rewards are allocated, intentional
role modeling and coaching, and how people are recruited, selected, and
promoted. Schein referred to the other category as secondary articulation and
reinforcement mechanisms that include items such as organizational structure
and procedures, rituals, building design and layout, stories regarding
important organizational events, and formal statements and creeds.
Orlikowski and Hofman (1997) proposed that change is an ongoing
process that involves three different types of change that build on each other
in an iterative manner: anticipated, emergent, and opportunity-based.
Anticipated change is planned for and happens as designed, while emergent
change occurs suddenly, was not intended, and is generated by local
innovation. Opportunity-based change is not planned but implemented in
response to opportunities that arise while the change initiative is being
implemented. The authors noted that this type of change requires flexibility
and that management’s role should be focused on guiding change, not
controlling it. Furthermore, employees responsible for change must be
provided the responsibility, resources, and ability to influence the change
process.
Chapter 6: Organizational Change III – Organizational Control and Resilience
Various ERM frameworks propose implementing organizational
control mechanisms to manage risks. Therefore, understanding organizational
control and resilience—the concepts featured in this chapter—is important to
understanding organizational change more broadly. Simon (1994) defined
organizational control systems as the recognized information-driven routines
and practices used to sustain or change organizational activities. He specified
four types of organizational control systems: (a) belief systems, which top
management uses to communicate direction and purpose; (b) boundary
systems, which set limits for the organization and its members; (c) diagnostic
control systems, which generate feedback for monitoring outcomes; and (d)
interactive control systems, which top managers use to inject themselves into
the decision-making process of subordinates. Simon (1994) found that new
managers use control systems to overcome organizational complacency,
communicate new agendas, establish implementation objectives and
timelines, focus attention through incentives, and concentrate organizational
learning on addressing the uncertainty of the new direction. Consequently,
control systems—when used effectively—can be powerful tools for
communicating organizational goals and boundaries, and can assist in
creating commitment and shared beliefs for organizational activities.
Weick (1995) outlined three levels of control in an organization: (a)
first-order control, which entails direct supervision; (b) second-order control,
which involves programs and routine activities; and (c) third-order control,
which is based on assumptions that are taken for granted by organization
members. Weick (1995) explained that first- and second-order controls
require that the work is understood by the organization and affected
employees and is subdividable in order for controls, rules, and standardized
procedures to work effectively. Weick (1995) also specified that third-order
controls are more important at the top of organizations where nonroutine
work is common. However, third-order controls are highly influenced by
personal and cultural biases that can result in defensive and self-justifying
behavior. Therefore, challenges may arise with using control systems in
organizations. For example, faculty members with significant freedom to
conduct non-routine research activities may oppose imposing controls on
them. Hence, complex organizations may encounter resistance implementing
first- or second-order control systems for non-routine research while the
application of third-order controls may be hindered due to the personal
preferences of faculty.
Organizational Resilience
Despite efforts to address risk, organizations need to have the capacity
to respond to crises that develop from the residual and inherent risks of
conducting business. For example, Williams et al. (2008) noted that risk is
unavoidable and exists only when uncertainty exists about a positive
outcome. Similarly, Roberts and Bea (2001) pointed out that any complex
and interdependent system will eventually fail, and thus organizations must
plan for such occasions. However, this does not mean organizations should
not take proactive steps to prevent these breakdowns. Therefore,
organizational resilience is used to explain how complex organizations can
prepare for the adverse events that affect the institution. Resilient
organizations actively try to understand what they do not know, and
communicate the larger picture of the organization’s mission and employees’
roles in fulfilling that mission (Roberts & Bea, 2001). In addition, resilient
organizations utilize multiple and diverse decision-making methods and
focus on developing shared mental models to mitigate risk (Grabowski &
Roberts, 1997).
Weick (2011) proposed that resilient organizations expect interruptions
to operations, take steps to identify the impacts of failure, and create early
warning signs that indicate potential failure points. Roberts and Bea (2001)
found that critical characteristics of high-reliability organizations include
aggressively trying to know what they do not know, utilizing a balanced
reward and incentive plan that looks at costs from a long-term perspective,
and ensuring everyone understands the big picture and their role in realizing
this vision. Therefore, organizations need to plan for organizational crises
that may occur due to residual risk; that is, the risk that remains after risk
response actions have been implemented as part of the ERM program.
In another study, Bigley and Roberts (2001) examined the Incident
Command System used at a large California fire department to determine
what attributes of the system could be applied to organizations facing
complex and ambiguous situations. The Incident Command System is a
management system agencies use to respond to emergencies. It is both highly
structured and flexible. Based on their findings, the authors proposed that
organizations that face potential situations that require a reliable and error-
free response develop a temporary system to manage these situations. This
system should be based on the following: preplanned design structures and
response guidelines; methods to develop and maintain mental models during
the response; discouragement of uncoordinated or ad lib responses; training
and development programs; and after-action reviews. Such a program should
be developed in a manner that integrates resources across the entity.
Consequently, ERM can help an organization’s planning process for
emergencies by capturing and sharing critical information on the risks the
institution faces. Incorporation of such information into the organization’s
emergency training and exercise initiatives can aid in facilitating
organizational learning on both the risks the organization faces and its
emergency response process and capabilities.
Moreover, resilient organizations provide a roadmap of a culture that
captures the essence of organizations that effectively manage risk. For
example, Weick and Sutcliffe (2007) propose that resilient organizations have
five characteristics. First, they have a preoccupation with failure. Resilient
organizations encourage reporting errors and use failures as an opportunity to
learn how to improve processes. Second, they are reluctant to accept
simplification. Instead, they take active steps to thoroughly understand the
risks the organization faces and value diverse expertise and opinions. Third,
resilient organizations are sensitive to operations. This allows them to
develop situational awareness through a dedication to understanding the
challenges front line personnel confront. Fourth, they are committed to
resilience. This entails a willingness to acknowledge that no system is perfect
and thus they constantly seek to identify and learn from errors and/or failures.
Last, they have deference to expertise. Resilient organizations push decision-
making authority out to the people who are the most knowledgeable of the
process, regardless of their position in the organization. Consequently,
complex organizations should look to develop these cultural dimensions as
part of the ERM program, especially in operations that present significant,
complex risks such as developing new industrial technologies.
In sum, critical findings from the literature related to change
management are: (a) designing the program to reflect the organization’s
culture, (b) ERM implementation as a significant organizational change
initiative, (c) implementation as a dynamic and ongoing process, (d) long-
term commitment to implementing ERM, and (e) ERM as means to build
organizational resiliency. Hence, changing the culture at an organization is a
long, ongoing, complex process. To improve the acceptability of ERM at the
early stages of implementation, the organization should design the program to
be compatible with the existing culture and practices at the organization.
Achieving the long-term goal of improving the risk management culture at
the institution requires understanding ERM as a long-term process that is
ongoing and dynamic in nature. Hence, the ERM program will need to be
continually adapted to the new realities and challenges encountered
throughout implementation. Last, the attributes of resilient organizations can
form the basis for the attributes of an effective risk management culture.
Thus, organizations should seek to build organizational resiliency by
implementing ERM.
Chapter 7: Organizational Change and COSO’s ERM Framework
With our new understanding of the broader concepts of organizational
change, in this chapter I show how these concepts relate to the
implementation of ERM in the complex organization. The literature suggests
implementing a significant organizational initiative such as ERM at a
complex organization is a complex process requiring leadership commitment.
To effect change requires that leadership understand the process of change
and whether the organization is ready for change. Therefore, the complexity
and diverse cultures found at complex organizations necessitate that a change
initiative such as ERM be designed and implemented in a manner that is
consistent with management theories on organizational change. The findings
further highlight the difficulty organizations may encounter when
implementing an ERM program that aspires to change existing practices at
the institution. Hence, an organization should first consider designing the
ERM program to fit the culture and management practices at the institution.
Starting with an ERM program that recognizes the existing institutional
culture and practices should reduce the initial level of organizational change
needed to launch the program. However, organizations should not neglect
that the long-term objective of ERM is to integrate risk management into the
institution’s management practices. Therefore, consistent with the change
models, organizations need to determine the ERM program goals for each
organizational level and establish mechanisms for embedding risk
management into the institution’s management practices.
In sum, organizational change entails the environmental conditions at the
organization that influence ERM implementation. Hence, the organizational
change area involves the internal environment, objective setting, and internal
control components of the COSO ERM framework. An organization’s
internal environment includes items such as the history and culture of the
organization, its risk management philosophy, the level of risk it is
comfortable accepting, its ethical values, its organizational structure, and how
it distributes authority (COSO, 2004). The objective setting component
requires objectives to be aligned with an organization’s risk appetite and
tolerance levels (COSO, 2004).
Risk appetite is the balance the organization chooses between growth,
risk, and return; and risk tolerance is the level of variation it accepts to
achieve its objectives (COSO, 2004, p. 20). To accomplish this, an
organization must evaluate the risks associated with the strategic objectives
the organization sets to achieve its mission and vision. Moreover, strategic
objectives are used as the basis for establishing risk management objectives
in areas such as operations, reporting, and compliance. The COSO (2004)
framework also includes control activities to ensure the organization’s
exposure to risk is kept within the tolerance limits set by the organization.
Control activities involve establishing and implementing policies and
procedures that outline risk management activities at all levels of the
organization. Examples include requiring preapproval, authorizations,
verifications, assessing operations, and the segregation of duties.
Several authors have found evidence to support COSO’s (2004)
assertion that ERM needs to speak to an organization’s internal environment
and objective-setting process. For example, Gates, Nicolas, and Walker’s
(2012) survey of risk management executives from companies with ERM
programs suggested that improvements in an organization’s internal
environment build management consensus, lead to better decision making,
and create higher levels of accountability for the ERM program. In addition,
Cooper et al.’s (2013) meta-analysis of existing ERM literature found
organizational culture can be either a major benefit or a major barrier to ERM
implementation. However, the authors found only limited support for the
“tone at the top” impact on understanding and controlling risk. Furthermore,
they found that defining an organization’s risk appetite improves the ability
to manage risk.
A key element of COSO’s (2004) objective-setting process involves
integrating risk management into the process an organization uses to establish
its strategic objectives. In addition, the risks associated with strategic
objectives are evaluated and used as a basis for gauging risk in other areas,
such as operations, reporting, and compliance. Throughout this process, risks
are identified in each area and assessed based on the organization’s risk
appetite and tolerance (COSO, 2004). In this regard, Louisot and Ketcham
(2009) stated that ERM improves an organization’s strategic decision making
by integrating discussions on threats and opportunities into the strategic
planning process. Similarly, COSO (2004) stresses the importance of
understanding and developing risk management objectives for each
organizational level.
Kimbrough and Componation (2009) noted that the major
frameworks for ERM implementation (i.e., Casualty Actuarial Society ERM
framework, COSO ERM integrated framework, and ISO 31000 risk
management framework and process) all suggest culture change as a primary
concern with ERM implementation. However, these frameworks provide
limited guidance on the impact culture has on ERM implementation, or how
to change an organization’s culture to improve the ERM implementation
processes. Moreover, the authors posited that existing frameworks portray
ERM implementation in a manner that reflects only mechanistic
organizational cultures. Mechanistic cultures are characterized by controlling
management who believe employees need detailed direction and coercion to
act for the organization. This raises a concern that ERM is viewed as needing
to change the organization’s culture versus the organization adopting ERM to
fit with the existing culture. For example, implementing an ERM strategy that
relies heavily on quantifying risks and control mechanisms may fit the culture
at a financial firm while not holding relevance for the culture at a complex
institution.
In regard to theory, although the COSO (2004) ERM framework refers
to normative and culture-cognitive elements, the framework relies heavily on
the regulative element outlined in institutional theory. Thus, the framework
lacks insight on key mechanisms that enable organizations to build shared
understandings on how they manage risk. Institutions with diverse
organizational cultures require an ERM framework that reflects the existing
institutional forces that drive action in each subculture of the organization.
Moreover, the ERM framework should recognize how the organization’s
existing assumptions and behaviors influence ERM effectiveness.
Lastly, Beasley, Clune, and Hermanson’s (2005) research on ERM
implementation in the banking, education, and insurance industries found that
senior management and board of directors’ leadership were the most critical
factors for ERM implementation. Kleffner et al. (2003) found that key
deterrents to ERM implementation are organizational structure, culture,
resistance to change, and lack of qualified personnel to implement ERM. In
addition, Yaraghi and Langhe (2011) concluded that having a well-defined
and clear long-term strategy for risk management is the most critical element
in ERM implementation. Consequently, ERM touches on key strategic issues
at a complex organization such as its risk management philosophy and
culture, and the institution’s strategic objectives. Moreover, as an
organizational initiative that aspires to affect how the organization thinks
about and manages its risks, ERM requires the attention and commitment of
senior leadership.
Chapter 8: Decision Making I – Sensemaking Theory
Moving to the second of the three main concepts reviewed in Part 2, in
this chapter I examine the concept of decision making, first in relation to
sensemaking theory. Decision making concerning risk can be adversely
affected by failure to recognize and use available relevant data. Bazerman
and Moore (2009) described this phenomenon as bounded awareness, and
posited that it is caused by people’s assumptions about where to focus their
attention. Bounded awareness causes people to miss information due to
focusing on another item, not recognizing that a situation has changed, or
over-focusing on a specific event. Furthermore, research suggests people in
group settings often discuss information that is already known by the group
and do not consider unique or unshared information. In contrast, Weick,
Sutcliffe, and Obstfeld (2005) said that managers often focus on obtaining
scarce data instead of using data that is readily available to create action that
fosters developing a better understanding of the situation. Consequently, prior
to creating new processes for gathering data on risks, organizations can
benefit from determining the existing data the institution already has
available that may aid in the risk assessment process.
COSO’s (2004) ERM framework is based on a rational decision-
making model (further discussed below) that offers limited theoretical insight
on how decisions actually occur in an organization. Sensemaking theory can
offer more robust explanations of the factors associated with organizational
decision-making than rational decision-making models. According to Smerek
(2013), sensemaking focuses on action, shifting the analysis from individual
events to a more comprehensive examination of the continuous stream of
events and situations in organizational life. Weick (2007) further specifies
that sensemaking is an ongoing and continuous process of change, enactment,
selection, and retention that people utilize to provide plausible meanings and
to develop actions in response to a perceived abnormality or unexplained
event. Weick et al. (2005) stated that once awareness of an abnormal event
occurs, people start to assign new meaning to the previously unrecognized or
undefined event. This leads to labeling and categorizing the event in order to
provide stable interpretations that allow for the development of viable
alternatives to manage and coordinate a response to the event.
Weick et al. (2005) state that sensemaking also entails building
retrospective interpretations through a process of reciprocal exchanges
between people and their environments. In this scenario, the actions of people
iteratively interact with changes to the environment. The interactions between
people and their environments continuously cycle to provide an ongoing
retrospective update of the event. Consequently, certain interpretations of the
event are selected and those determined plausible are retained by the
individual and/or group as valid and meaningful.
Weick et al. (2005) pointed out that sensemaking is influenced by
social factors and the sharing and coordination of information across the
organization. The authors added that actions and discussions cycle back and
forth during the sensemaking process as individuals use existing frameworks
to help interpret events and, in some cases, develop new frameworks for
interpretation. In essence, sensemaking is thus an ongoing dialogue people
use to make sense of a situation in order to take action. Sensemaking is also
driven by plausibility since people need accounts that are socially acceptable
and credible in order to act, even if the account lacks
accuracy (Weick, 1995). Social dimensions of sensemaking are consistent
with Wall’s (2011) finding that a person’s perception of risk is related to the
social context surrounding their assessment of the risk. Specific social
dimensions Wall (2005) found central to how people understand risk include
their experience, personal and group orientation, attachment to a place, and
social class.
Beach and Connolly (2005) stated that image theory, similar to
sensemaking theory, regards decision making as a social act in which groups
and organizations influence and constrain individual decisions. More
specifically, three types of images influence decision making: value images,
trajectory images, and strategic images. Value images consist of the decision
maker’s values, morals, and ethics; and define standards for how things
should be and how people ought to act in a given situation. Trajectory images
address the decision maker’s agenda, goals, and overall vision for the future.
Strategic images speak to the individual’s predictions of the future and plans
for attaining their goals. Indeed, many complex organizations are composed
of people with diverse national and cultural backgrounds. Hence, the ERM
risk assessment process needs to account for the diverse backgrounds, values,
and beliefs of its members and the social dimensions of the decision-making
processes that sensemaking and image theory illustrate.
Sensemaking theory also suggests that people do not rely solely on
accurate information to act but instead base decisions on whether an action is
plausible (Weick, 1995). Weick (1995) stated that executives’ perceptions are
often not accurate with regards to their organization and environment.
Furthermore, most organizational action is time sensitive, and consequently a
tradeoff exists between speed and accuracy. Therefore, sensemaking theory
maintains that decisions on a course of action for an organization are often
made based on plausibility, coherence, reasonableness, and explanations that
are credible and socially acceptable. Consequently, ERM programs that
overemphasize accuracy over plausibility may fail to address the practical
and real ways people make decisions in today’s complex organizational
settings.
Chapter 9: Decision Making II – Bias and Framing
Many things may influence decision making in a complex organization.
In this chapter, I review two of these factors: bias and framing. Weick (1995)
stated that sensemaking is “grounded in identity,” as people make sense of
events by questioning the effect they will have on who they are (p. 19). In other
words, “Depending on who I am, my definition of what is ‘out there’ will
also change” (Weick et al., 2005, p. 20). As such, human biases affect the
quality of the risk decision-making process. Bazerman and Moore (2009)
pointed out several common biases inherent to decision making, such as
availability heuristics, representativeness heuristics, and confirmation
heuristics. Availability heuristics biases are tendencies to judge events that
are easily remembered or recalled as more common and likely to happen.
Representativeness heuristics are biases caused by ignoring base rates and sample
size, holding inaccurate beliefs that small samples of chance events will occur
as a random data set, overestimating an abnormal event’s effect on future
outcomes, and overrating the probability of coincidental events. Confirmation
heuristics biases include seeking information to confirm a person’s beliefs,
overvaluing initial assessments of an event, underestimating the probability
of separate events, overconfidence in a person’s judgment, and
overestimating how accurately a person would have predicted an event that
already occurred.