Introduction

Theoretical positioning

Toward a formal definitions of risk

A framework for risk identification

Validating the framework

Implications for research and practice

References

Abstract

Purpose – This study aims to examine the factors influencing enterprise risk management and propose a framework for identifying and explaining the components of enterprise risk management. To enable broader analytical thinking about risk factors, the framework utilizes the resource-based theory to link various classes of risks to an extended set of organizational resources.
Design/methodology/approach – The paper opted for an exploratory study using a sample from an online survey. The survey subjects were recruited from the membership database of the American Institute of Certified Public Accountants, focusing primarily on CFOs. The survey consisted of six sections: demographics, a section on each of the four risk types included in ERM: strategic risk, operational risk, financial risk and hazard risk, and exit questions (where very general questions about ERM were asked). The survey yielded a data set of 227 valid responses.
Findings – Using the associated sample survey data, the paper provides empirical validation of the proposed framework that managers in any organizations could use to identify and manage risks.
Research limitations/implications – The proposed model does have limitations that predominantly exist from the fact that human judgment in decision-making is not always data-driven, and hence, a proper risk exposure could be ignored based on pure arguments of cost and benefits from domain experts. Therefore, researchers and practitioners are encouraged to test the proposed framework further.
Practical implications – Risk exposure is not a snapshot event in an organization’s time horizon. Rather, risk identification is an ongoing process and the proposed framework allows organizations to handle increasing complex risks and/or identifying them based on how the organizational resources may be exposed over time. Managers could use a form of risk control analytics (monitoring dashboard of all identified risks under each interaction sets on a regular basis) to become more proactive in managing risk or exploiting opportunities across enterprise.
Originality/value – This paper fulfills an identified need to study how enterprise risks exposure can be proactively assessed and managed.

Introduction

Risk management is an important activity for organizations that are striving to provide value for their stakeholders in the face of real-world uncertainties. Efficient risk management could potentially present value-creating opportunities that may not have been identified otherwise. For a number of years, organizations have been attempting to identify and manage the risks inherent in their operations. The perceptions were that risks could result in negative events. Certain risks, such as hazard risks, are often addressed though insurance. Financial risks are dealt with by modifying business exposure such that the risk was minimized or avoided or through a transfer of the risk, or with hedges against risk exposure. The heightened awareness of the operational and strategic risks in recent years has demonstrated the increasing complexity of managing risks. These risks have the potential to add tremendous value to the organization when appropriately managed, while failure to manage them properly can vastly damage or even the cause demise of the organization. Organizations are constantly examining their enterprise risk management (ERM) systems and are often particularly motivated by publicized failures of organizational risk management such as in Volkswagen, Enron, AIG and BP. In addition, risk exposure identified in the aftermath of natural catastrophes such as Katrina also drives new ERM effort. Regulators, corporate governance oversight bodies, rating agencies, investors and stock exchanges have increased the pressure for swift action to cure many of the perceived weaknesses in ERM. ERM has been elevated to much higher levels of management so that risks are managed across the enterprise, but actual practice varies greatly across organizations and industries. In addition, ERM practice has also been expanded to exploiting risks as opportunities.