The Effect of Enterprise Risk Management on
Firms’ Competitive Advantage
Ivo Franssen (10990011)
Supervisor: Jeroen Kraaijenbrink
University of Amsterdam / Amsterdam Business School
Executive Program in Management Studies – Strategy Track
Saturday the 24th of June 2017
1
Statement of Originality
This document is written by Student Ivo Franssen who declares to take full responsibility for the contents of this document.
I declare that the text and the work presented in this document is original and that no sources other than those mentioned in the text and its references have been used in creating it.
The Faculty of Economics and Business is responsible solely for the supervision of completion of the work, not for the contents.
2
Abstract
Since the 1990s Enterprise Risk Management (ERM) has won heavily on popularity within organizational research, firms, rating agencies and public authorities. Despite its growing popularity there is still confusion about the benefits of ERM, and some benefits are subject to contradiction in empirical findings. Furthermore, less attention is being paid to the positive effects of ERM on managerial practices. This gap in past research resulted in the research question: To what extent and through which mechanisms does ERM provide firms a sustained
competitive advantage? Answering the research question is done via a qualitative research
approach in the form of a multiple case study. Within five insurance companies in The Netherlands both a representative from the risk function and the business are interviewed. In addition, five consultants have been interviewed. The results show ERM can be beneficial to insurance companies by creating lower costs, improving decision making at strategic level, and by creating a controlled operational learning environment. ERM can provide a sustained competitive advantage in combination with resource configuration and if an insurance company is able to create an intrinsic motivated risk culture in the business. Getting the employees to endorse risk management is the most difficult part of implementing ERM. Managers can use the results of this research for highlighting the importance of creating the right culture, motivating their employees to perform risk management activities with the right attitude and to decrease the bureaucracy that can come along when implementing an ERM system.
3
Table of Contents
1. Introduction ... 5
2. Literature Review ... 8
2.1 (Sustained) Competitive Advantage ... 8
2.2 Enterprise Risk Management ... 11
2.3 Types of Risk ... 14
2.4 Financial Performance ... 15
2.5 ERM at Strategic Level ... 17
2.6 ERM at Operational Level... 20
2.7 Resource Configuration ... 23
3. Data and Method ... 24
3.1 Research Design ... 24
3.2 Sampling ... 25
3.3 Data Collection ... 28
3.4 Data Analysis ... 29
4. Results ... 31
4.1 Lower Costs vs Extra Overhead ... 32
4.2 Threat and Opportunity Identification vs Risk Aversion ... 34
4.3 Controlled Operational Learning Environment vs Inertia ... 37
4.4 Types of Risk ... 39
4.5 Short Term vs Long Term Effects ... 40
4.6 Factors Related to ERM ... 41
4.7 Regulatory Environment ... 43
5. Discussion ... 44
5.1 Types of Risk in Relation to CA ... 44
5.2 Low Costs in Relation to CA... 45
5.3 Better Decision Making in Relation to CA ... 47
5.4 Controlled Learning Environment in Relation to CA ... 48
5.5 Resource Configuration & Culture in Relation to SCA ... 51
5.6 ERM Implementation Assessment Model ... 55
6. Conclusion ... 57
References ... 61
Appendix A Interview Questions ... 68
4
Appendix C Data Analysis Phase 2: Initial List of Codes ... 72
Appendix D Data Analysis Phase 3: Initial List of Themes ... 73
Appendix E Data Analysis Phase 4: Reviewed List of Themes ... 75
Appendix F Data Analysis Phase 5: Final List of Themes ... 77
List of figures Figure 1 Theoretical Framework ... 8
Figure 2 Level of Control Cycle ... 50
Figure 3 ERM Implementation Assessment Model ... 55
List of Tables Table 1 List of Participants Insurance Companies ... 27
5
1. Introduction
Risk management is the process which firms use to get control over their strategy process and processes in their operational environment. Firms appreciate risk management because it gives a level of certainty objectives are met according plan. Traditionally, risk management dealt with insurance contracts and hedging via derivatives. The main goal was to protect a firm’s assets and limiting the chance on bankruptcy (Nocco & Stulz 2006). The attention on the financial aspects of risk management has later been expanded to strategic, operational, and compliance risks. These different types of risk all were managed in separate groups, also called silos. ERM introduced managing all these different types of risk through an integrated system at the enterprise level. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) describes ERM as the culture, competencies, and activities to manage risk, taken into account strategy and execution, which results in value creation for the organization (COSO 2016).
Since the 1990s ERM won heavily on popularity within organizational research, firms, rating agencies and public authorities (Power 2004). The implementation of the ERM – integrated framework by COSO in 2004 can be seen as a formalization of this evaluation. The COSO framework can be seen as a best-practice document for implementing ERM. COSO opened a public exposure on their update of the framework in 2016. Within the updated framework there is a more intense focus on aligning risk with strategy. COSO claims ERM is helping to create predictable outcomes in a world that is changing continuously.
Public authorities highlighted their attention for ERM by implementing laws in which risk management has a strong presence. The most well-known examples are the Basel III and Solvency II regulations for respectively banks and insurance companies. But also outside the financial services industries are several initiatives for (mandatory) risk management
6
standards like the corporate governance code or the ISO 31000 code. Another example of ERM’s growing popularity is the incorporation of ERM by Standard & Poor’s (S&P) as a criterion into its rating methodology since 2007.
However, despite its growing popularity there remains to be confusion about the benefits of ERM, and some benefits are subject to contradiction in empirical findings. Organizational research mainly focused on the effects of ERM on a firm’s financial outcomes. Several researchers found evidence ERM creates a competitive advantage by resulting in less volatile earnings and stock prices, increased firm value, increased performance, and reduced external capital costs. There are contradictory findings on increased firm value and ERM’s effect on firm performance (Broeke 2014, Pagach & Warr 2010, Hoyt & Liebenberg 2011). Criticism on these studies is that they focus on the presence of an ERM system via either appointing a Chief Risk Officer (CRO) or having an S&P rating. Appointing a CRO or simply having an ERM program gives not an indication about the quality of the ERM system and an S&P rating is often a snapshot of the organization which is not always accurate. Among organizations there are different thoughts about how to implement ERM, resulting in a large variation in implementation techniques (Arena et al. 2010, Mikes 2009). This might be due to the absence of a uniform statement about the benefits of ERM among organizational researchers.
Most of the research about ERM is published in financial and accounting journals, and hardly in management journals. As a result, less attention is being paid to managerial
practices like strategy, organizational change and the positive effects of ERM on competitive advantage (Bromiley et al. 2015). This gap in past research resulted in the research question:
To what extent and through which mechanisms does ERM provide firms a sustained
7
Answering this question is done via a multiple case study among five insurance companies in The Netherlands in which the positive and negative effects of ERM are identified and to study if these effects result in increased competitive advantage or disadvantage.
Competitive advantage is about the differences between firms in the way they create value; a firm has an advantage if it’s able to create more value than its competitors. This advantage is sustained if a firm can maintain this advantage for a longer period without a competitor being able to imitate or copy the foundations that created these benefits. Two streams in the field of organizational research about differences in value creation between firms are taken into account in conducting this study; dynamic capabilities and routines. Dynamic capabilities can result in a competitive advantage because it creates value for a firm in changing the organization in a volatile environment (Eisenhardt & Martin 2000). Dynamic capabilities and ERM both relate to identifying opportunities which a firm must take in order to survive. Routines can result in a competitive advantage because they help improving the organization via learned patterned behaviors which are performed using tacit knowledge of employees (Lubit 2001). ERM relates to routines because both concepts are about improving
organizational processes via learning mechanisms.
The aim of this research is to enrich the literature with a research on how ERM is related to competitive advantage by explaining how to create or change dynamic capabilities and/or routines via an effective ERM system. This thesis is structured in the following way. In the second section the theoretical framework is presented and, based on reviewing the literature, propositions are presented. In the third section the research design is given including
sampling, data collection, and analysis methods. Next the results of the research are given, followed by a discussion section in which the results are related to the theoretical framework. Lastly, conclusions are given including implications for real-world practice and
8
2. Literature Review
Figure 1 presents the theoretical framework for answering the research question. Within the theoretical framework ERM is classified as the independent variable and competitive advantage and sustained competitive advantage as the dependent variables. ERM’s advantages and disadvantages are mediating the effect between ERM and competitive advantage. The relationship between ERM and competitive advantage is being moderated by types of risk. Resource configuration functions as a moderator between ERM and sustained competitive advantage.
As can be concluded from the theoretical framework this research identifies three main advantages of ERM. Because both in practice and in organizational researches there is criticism on ERM, its disadvantages are also taken into account. Furthermore, three types of risk have been identified. Both the (dis)advantages and the types of risk are being used as a grouping for several underlying subcategories which will be further elucidated in the remainder of this section.
Figure 1 Theoretical Framework
2.1 (Sustained) Competitive Advantage
Within organizational research there is a broad range of definitions about competitive advantage. When taken all these definitions into account the common team is value creation in comparison to competitors. How this value is created differs between school of thought
(Dis)advantages ERM Types of risk Competitive (dis)advantage Resource configuration Enterprise Risk Management Strategic risks External risks Preventable risks Sustained competitive (dis)advantage
Less volatile financial performance vs overhead costs
Threat and opportunity identification vs risk aversion Controlled operational learning
9
(Rumelt 2003). Some relate value creation to the characteristics of the external environment, and some to the characteristics of the internal environment. These two positions are further elucidated in the remainder of this paragraph. The definition of competitive advantage must always be separated from performance, because increased performance or superior results are the outcome of a firm’s advantage over competitors. In other words; competitive advantage drives superior performance.
When looking at competitive advantage from a more distant point of view one could distinguish between the industrial organization and the Resource Based View (RBV). Within the industrial organization Michael Porter has been heavily influential. His main idea is that firms should look at the structure of an industry and take the position that assures the highest profits (Porter 1979b). When choosing the most appropriate strategy the five-forces must be taken into account (Porter 1979a); threat of new entrants, threat of substitutes, bargaining power suppliers, bargaining power customers, and competition in the industry. To realize sustained competitive advantage a firm must create barriers to competition (Porter 1979b). An example of a barrier to competition is an entry barrier. In this case an existing firm makes sure a new entrant is not capable of producing as cheap as the existing firm. The existing firm can create this, for example, by realizing economies of scale.
Within the RBV Jay Barney has been heavily influential. His mains idea is that firms create a competitive advantage because they own unique resources. These unique resources are acquired in a so called strategic factor market. Firms buy these resources based on better insights about the future than competitors or just because they are lucky (Barney 1986a). In his 2011 article Barney describes the evolution of the RBV using three stages; introduction, growth and maturity (Barney et al. 2011). The article of Barney (1986a) relates to the introduction stage of the RBV in which the importance of resources is highlighted. Dierickx & Cool (1989) contributed to the introduction stage by describing that strategic resources are
10
not acquired in a strategic factor market but accumulated within the organization. This accumulation is done by acquiring capabilities. Resources are strategic when they give
potential access to a wide variety of markets, add value to the end product, and are difficult to imitate (Prahalad & Hamel 1990). The introduction stage later developed into the growth stage in which there is a focus on developing capabilities. Capabilities can be developed by integrating the right knowledge into the firm (Grant 1996, Kogut & Zander 1992). In the last phase of the introduction stage dynamic capabilities became influential (Teece et al. 1997). Dynamic capabilities relate to honing internal technological, organizational and managerial processes to changing environments. In the maturity stage criticism to the RBV has been reviewed (e.g. Kraaijenbrink et al. 2010) and empirical evidence is given for the core principles of the theory (e.g. Crook et al. 2008).
For resources to create a sustained competitive advantage they must meet the VRIN criteria (Barney 1991); they need to be valuable in exploiting opportunities or neutralizing threats; they need to be rare in the market; they need to be difficult to imitate by competitors; and they need to be non-substitutable by other resources. In a later stage Barney argues that firms, in addition to the VRIN criteria, need to be well organized to exploit opportunities (Barney 1995). Another point of view regarding sustained competitive advantage is given by Peteraf (1993). She gives two conditions for creating competitive advantage (heterogeneity and ex-ante limits to competition) and two criteria’s for sustaining competitive advantage (ex-post limits to competition and imperfect mobility).
Within this study the definition of the RBV regarding competitive advantage is followed (in the broadest sense of the definition); a firm has a competitive advantage if it acquires external tangible resources or integrates intangible resources into the organization which give benefits over competitors in creating value. These benefits lead to sustained competitive
11
advantage if these resources meet the valuable, rare, imitate, non-substitutable, and organized criteria (referred to as VRIN(O) in the remainder of this report).
In the next paragraph, there will be given an understanding of the independent variable within this research; Enterprise Risk Management.
2.2 Enterprise Risk Management
The most common feature of an ERM system is identifying threats and opportunities that come along when a firm executes its strategy. The main goals are to realize or preserve value for the firm and to create more predictable performance. It can be distinguished from single risk management because it takes into account all the risks of a firm through an integrated system, where single risk management is only interested in a single silo of risks (e.g. IT, compliance or operational). ERM claims to be more effective than single risk management because of its integrated approach (Bromiley et al. 2015). An aspect of ERM is controlling threats a firm is facing. Examples of internal and external threats facing a firm are competitor strategies, regulatory actions, economic cycle, technological developments, or operational losses (human error, fraud, system failures). Controlling threats can either be done by taken opportunities but also via classical risk management instruments like insurance or derivatives. Another way of controlling risks is not executing certain parts of a strategy because these parts are too risky or transferring risks to another firm via outsourcing. Within the firm the Executive Board is responsible for ERM, which includes identifying threats and
implementing opportunities and other control mechanisms. The Executive Board usually appoints a CRO which has his focus on managing the total integrated risks profile of the firm.
ERM started its evolution in the 1990s and is also been referred to as holistic risk
management (Cardona 2004) or strategic risk management (Clarke & Varma 1999). ERM its rise in the 1990s can be contributed to two main developments. First, some big corporate
12
firms were facing failures and preventable large losses. Second, strategic planning models started to take into account shareholder value which is inspired by finance theory which in turns has a focus on risk management (Dickinson 2001).
Within this paper the definition of ERM as given by COSO (2016) is being used. COSO defines ERM as ‘the culture, capabilities, and practices, integrated with strategy and
execution, that organizations rely on to manage risk in creating, preserving, and realizing
value’. Comparing COSO’s updated framework in 2016 to its framework in 2004 results in an
overview of how ERM developed in this period. Through the years ERM have put more emphasis on the relationship between risk and value, the role of culture within ERM, the importance of strategy, the alignment between performance and ERM, and decision-making processes (COSO FAQ, 2016).
In addition to the COSO framework the three lines of defense model can be taken into account when implementing an ERM system (Lyons 2011). A three lines of defense model protects the organization from being confronted with failure and gives assurance to the management and supervisory body that the organization functions in a controlled environment. In this model the first line (of defense) consists out of the employees and managers who are performing daily business activities. These include the front office, middle office and back office. The first line is responsible for managing the risks of the firm. The second line (of defense) consists out of tactical oversight functions like risk management and compliance. The second line supports the business in managing risks by implementing
procedures and tooling. Functions like risk management do not own risks, only the first line of defense can own risks. The third line of defense gives independent assurance to the Executive Board and supervisory body of a firm about the effectiveness of the system for managing risks as performed by the first two lines of defense.
13
The three lines of defense model helps to create a risk aware culture in the organization. Bozeman & Kingsley (1998) define risk culture as ‘the organization’s propensity to take risks
as perceived by the managers in the organization’. They claim that if you have insight in how
top managers perceive risks you have insight in acceptable behavior about risk for that specific organization. Within the COSO (2016) framework culture is an important element. Within the framework there is emphasizes on tone at the top, defining desired behaviors related to the firm’s core values and attitudes toward risk, commitment to integrity and
accountability at all levels in the organization. Despite the fact that COSO (2016) gives a very comprehensive description about risk culture there is still not consensus in literature and practice about the definition of risk culture and what it means in practice, but organizations are currently trying to find out. (Power et al. 2013).
Criticasters on ERM are claiming the system does not add value to the end product, seeing the organization as an integrated whole is not realistic, it slows down decision making, and it has the tendency to be bureaucratic and therefore too expensive (Power 2009). Another point of criticism regarding ERM is it did not prove its value during the financial crisis in the period 2007 to 2010 for firms in the financial services industry (Bromiley et al. 2015). This can either be due to incorrect implementation of the system or to incompleteness of the system itself.
Despite this criticism, every insurance company in The Netherlands, the unit of analysis within this research, has an ERM system and also uses a three lines of defense model in their organization. This is because legislation obligates an insurance company to implement an ERM system, regardless of whether the company agrees with the advantages or
disadvantages. The name of this legislation is Solvency II which came in force as per the 1st of January 2016. The aim of this legislation is to better align risk management and capital requirements; effective risk management is rewarded with lower capital requirement and vice
14
versa. Solvency II requires every insurance company within Europe to, amongst others, appoint a risk function and to implement a risk management system which at least covers the following areas; a risk management strategy, procedures on decision making, definition and categorization of material risks and reporting processes (European Commission 2015). 2.3 Types of Risk
ERM literature distinguishes between various levels of risk management by grouping risks in categories. Nocco & Stulz (2006) distinguishes between macro- and micro level risk management. Macro risk management relates to managing the risk-return trade-off and micro risk management is concerned with process in all levels of the organization. Dickinson (2001) distinguishes between external enterprise risk and internal enterprise risk. External risks are related to changes in the environment in the field of the marketplace, economy, financial markets, politics, technology or demographics. Internal risks tend to be more operational and relate to human errors, system failures or fraud. The COSO 2016 framework does not indicate different types of risk, but it stresses the importance of developing a portfolio view by
grouping risks into categories. Via a portfolio view a firm can assess the impact per category at the enterprise level and identify linkages between categories.
Within this research the categorizing of Kaplan and Mikes (2012) is used because their categorization distinguishes between both internal and external risks and risks at two levels within the organization. These authors divide risks into three categories: preventable, strategic, and external. Preventable risks are about internal risks which can be managed or avoided. Examples are operational or compliance risks. Taking these risks will not end up in a strategic advantage, therefore they should be eliminated. Strategic risks are those taken in order to get superior returns. For example, risks taken through Resource & Development or risky events related to the core-business of a firm (e.g. drilling for oil in the sea). These risks should not be eliminated but managed via a system which lowers the probability and impact
15
of these events. External risks are outside the firm, examples are risks in relation to political, regulatory, and competitive environments. Because firms cannot lower the probability of these events, they should focus on identification and minimizing impact.
As part of their contingency theory for implementing ERM Mikes & Kaplan (2013) claim that managing preventable risks is not dependent on a firm's structure and strategy, and should therefore not be included in a contingency model. Preventable risks do not relate to the
structure and strategy of a firm so the tools and processes for managing these risks can be standardized. As a result, these tools and processes can be copied by competitors which inhibit competitive advantage. Because preventable risks do not relate to a firm’s structure and strategy in this research the proposition is taken that they do not lead to competitive advantage. On the contrary, strategic and external risks relate to the structure and strategy of a firm. Because the strategy and structure of a firm is unique, in this research the proposition (P) is taken that managing these types of risk can create a competitive advantage.
P1: Only managing strategic and external risks lead to competitive advantage where
managing preventable risks does not lead to competitive advantage.
2.4 Financial Performance
The first characteristic of ERM relates to financial performance of a firm. ERM can be beneficial for a firm’s performance by creating less volatile performance which is appreciated by external stakeholders. On the other hand, an ERM system is costly which can impact a firm’s financial performance because the commercial benefits of ERM are neglectable. Both points of view are further elucidated in this paragraph.
ERM identifies risks and opportunities which threaten the achievement of strategic objectives. By managing these threats firms have more certainty they will execute strategy according plan. As a result, they will have more certainty their financial performance is in line
16
with expectations from shareholders, banks, and other stakeholders (Pagach & Warr 2011, Power 2004). Past research identifies several financial parameters which remain more constant or increase due the implementation of ERM. Ten Broeke (2014) found that the implementation of ERM increases firm value but does not increases firm performance. Hoyt & Liebenberg (2011) also found empirical evidence that ERM increases firm value, in
addition they claim that ERM leads to less volatile stock prices. Pagach & Warr (2010) found evidence that firms have less volatile earnings after appointing a CRO. They found no support for ERM creating value for a firm or improving its performance. Nocco & Stulz (2006) claim that ERM limits the probability on financial distress and that outcomes of an effective ERM system are a better estimate of expected value and better understanding of unexpected losses.
An instrument ERM uses to align performance with expectations is risk appetite (Nocco & Stulz 2006, Liebenberg & Hoyt 2003). COSO (2016) defines risk appetite as ‘the types and
amount of risk, on a broad level, an organization is willing to accept in pursuit of value’. In
the process of risk appetite setting strategic objectives are translated into so called Key Risk Indicators (KRI). For every KRI a tolerance is set including tolerances in which the value of the measure may fluctuate. By measuring periodically the performance against these preset measures a firm can create less volatile performance. The risk appetite process is often part of the strategy setting process.
Within this study less volatile performance is, in line with past research, related to the financial parameters of a firm. These parameters include: firm value, financial performance, earnings, stock prices, and unexpected losses. Reporting these parameters at a constant level will benefit the firm in managing the relationship with shareholders, banks, credit agencies and other stakeholders by meeting their expectations. Managing this relationship successfully will result in increased capital efficiency, and lower capital costs for acquiring new capital. This new capital can be acquired by either issuing shares or bonds, or by getting a loan. The
17
issuers of this capital will appreciate less volatile predictable performance because this will give more certainty they will receive interest according plan. In turn they will accept a lower yield than for firms with more volatile performance. When a firm can acquire capital at a lower cost than its competitors this firm has a competitive advantage (Baldwin 1986, Barney 1986a).
P2a: ERM creates a competitive advantage for a firm by creating less volatile results which
are in line with strategic objectives.
A critique about risk management often heard in practice is; risk management did not ever make me sell an extra product to my customers, it only costs me a lot of money to satisfy regulators. A clarification for this critique might be that it is difficult to measure the returns of the investment made for implementing ERM (Kleffner at al. 2003). In this study the first advantage of ERM is creating less volatile financial performance which result in increased capital efficiency and lower capital costs. A counterargument for this advantage is the costs that come along with the implementation of ERM. These costs can be classified as overhead costs which reduce the profit of a firm.
P2b: ERM creates a competitive disadvantage for a firm because it increases overhead costs
which lower the effect of less volatile performance.
2.5 ERM at Strategic Level
At a strategic level ERM can be beneficial for a firm by identifying threats and
opportunities which must be managed in order to survive in a competitive environment. This can be contradicted by the risk aversion element of an ERM system. If there is too much focus on controlling risks than management can be become reluctant in taking opportunities which can become disadvantageous for a firm. In this paragraph both characteristics of ERM are further explained.
18
ERM can be seen as a dynamic capability or a creator of dynamic capabilities because it identifies threats within the firm and in its environment. Because of recent technological developments those threats are related to a changing environment including changing consumer needs. ERM identifies these threats but also assess and prioritize these threats in relation to a firm’s strategy. Based on this assessment there is put a certain urgency on these threats which must be controlled by changing the organization. These control activities are the functional dynamic capabilities because they are actually changing the organization. In recent years ERM has broaden its scope to opportunities besides identifying threats. These
opportunities are partly responses to the identified threats.
Eisenhardt & Martin (2000) define dynamic capabilities as ‘specific strategic and
organizational processes like product development, alliancing and strategic decision making
that create value for firms within dynamic markets by manipulating resources into new
value-creating strategies’. Dynamic capabilities in high-velocity markets are simple, not
complicated as they are in moderately dynamic markets. In moderately dynamic markets dynamic capabilities take the form of routines. Learning mechanisms guide the evolution of dynamic capabilities. The description of dynamic capabilities in this article is in line with ERM, both are related to manipulating resources into new value-creating strategies. Via the ERM processes can be identified if a firm needs to change in a moderately or high velocity market because ERM is about analyzing the threats and opportunities in the environment. This argumentation can also be applied to the article of Teece et al. (1997) in which a similar definition is used for describing dynamic capabilities. Both articles put an emphasis on adapting resources or competences to a changing environment.
Teece (2012) groups dynamic capabilities in three types of expertly activities and
adjustments; (1) identification and assessment of an opportunity (sensing); (2) mobilization of resources to address an opportunity and to capture value from doing so (seizing); and (3)
19
continued renewal (transforming). ERM is also about sensing, seizing, and transforming. ERM is not only sensing opportunities, it uses as a starting point the identification of threats which can be controlled by taking an opportunity for which resources must be mobilized. These identified threats and opportunities are assessed and prioritized. By taking opportunities to control risks ERM helps to transform a firm into a more controlled business.
Sensing, seizing and transforming is related to risk taking. Past research has found evidence that managers are more likely to take risks in changing the organization when they face poor performance or organizational slack even though these decisions result in even more poor performance (Bromiley 1992, Fiegenbaum & Thomas 1985). These findings are in line with Bowman’s (1982) conclusion that troubled firms take bigger risks.
Firms which implemented ERM effectively have a competitive advantage over firms who manage risks independently (Nocco & Stulz 2006). If a firm manages continuously its risk profile and transfers this information to business managers, it will have managers who are better capable of managing risk and return in relation to the strategic plan of the firm (sensing opportunities). Via a comparative advantage in risk bearing (Nocco & Stulz 2006), which means that a firm has special ability to forecast market variables, a firm has a benefit over its competitors because the firm is better informed about its risk profile. A firm that is better informed about its risk profile will be better capable to addressing resources to an opportunity to capture value (seizing). Also, it will be better able to take risks because the firm is more aware of which projects it should invest its capital in. As a result the firm will be better capable to transform the organization by acquiring resources (transforming).
‘A firm’s ability to weather storms depends on how seriously executives take risk management when the sun is shining and no clouds are on the horizon (Mikes & Kaplan
2012)’. Within this paper the assumption is taken that identifying threats and opportunities
20
that threaten successfully executing its strategy in the future. Due to this timely identification the firm is capable of dynamically changing the organization to be ready for stormy periods.
P3a: ERM creates a competitive advantage for a firm by identifying threats and opportunities
which must be managed to change the organization.
The second advantage of ERM, identifying threats and opportunities, can be countered by the risk aversion element of ERM which inhibits seizing and transforming as described by Teece (2012). Because firms become averse to take risks they fail to mobilize resources to address an opportunity (seizing), as a result the desired change does not happen at all (transforming). A second critique regarding this advantage is actually a critique on dynamic capabilities which also applies to ERM. In this study the argument is given that ERM helps to identify opportunities which in turn creates change within a firm. A critique on dynamic capabilities is that it provides a general and vague method for change effectiveness (winter, 2003). As a result, by describing ERM as a dynamic capability, it can become a general and vague method for initiating change.
P3b: ERM creates a competitive disadvantage for a firm because it creates a risk averse
organization which inhibits taking opportunities and changing the organization.
2.6 ERM at Operational Level
At an operational level ERM can be beneficial for a firm by seeking for possibilities to improve the control environment of the organization. By controlling the organization there is a risk of organizational inertia if the firm implements too much controls. Both sides are explained in the remainder of this paragraph.
Where dynamic capabilities are related to changing an organization, routines relate to operational processes in the firm’s day-to-day activities which are modified by dynamic capabilities (Zollo & Winter 2002). ERM can both be related to dynamic capabilities as to
21
operational routines. Operational routines are created through experience and learning processes. ERM is like a learning cycle for improving the organization both at the strategic and the operational level (Gangadin 2016). An important element in improving the
organization from an ERM perspective is creating a controlled environment. One could argue therefore that an ERM system contains elements of routines which result in a controlled operational learning environment.
Routines structure organizational behavior which lead to collective action (Cohen & Bacdayan 1994). When they are transferred into the right situations they benefit the organization. In wrong situations they do not benefit the organization. Cohen & Bacdayan (1994) describe organizational routines as ‘patterned sequences of learned behavior involving
multiple actors who are linked by relations of communication and/or authority’. Routines
differ from standard operating procedures. Routines have three basis characteristics; actor which make them harder to understand; they are an emergent quality (through multi-actor learning); and routines are partly in multi-actors’ unconscious which makes them tacit and hard to replicate.
Routines can be seen as an indicator for flexibility and change (Pentland & Feldman 2005). Routines can be divided into an ostensive and a performative element which both are
necessary for flexibility and change. Ostensive elements refer to abstract patterns that guide actors through a routine. Performative elements refer to specific actions from people and between people. Performative and ostensive elements are complementary to each other because they are mutually constitutive. ERM also consists of abstract patterns that guide actors through risk analysis on a periodical basis. These risk analyses are performed by people and based on discussions between actors.
Mikes & Kaplan (2013) introduce a contingency approach for implementing ERM which they developed via three case studies and interviewing 250 CRO’s. They claim there is no
22
uniform way for implementing ERM because environments, strategies and structures differ between firms. This lack of uniformity is partly due to social interactions between actors inside a firm. In all three case studies social interaction plays an important role when applying ERM tools. This relates to the performative part of routines as described by Pentland & Feldman (2005).
Based on literature review Becker (2004) identifies that routines have the next effects on organizations; coordination and control, truce (avoiding conflict), economizing on cognitive resources (when using routines there is more space for using cognitive modes), reducing uncertainty, increases stability in predictability of behavior of others, and storing tacit knowledge which is applied in the firm. When comparing these effects with the effects of ERM on the organization there are similarities regarding coordination and control, reducing uncertainty, and increasing stability. When ERM can been seen as a routine itself, one could argue that if ERM is applied unconsciously there is more space for cognitive modes.
Within this paper the assumption is taken that ERM creates a controlled operational environment and serves as a learning system for creating this controlled operational
environment. This creates a competitive advantage because resources and routines are created via this learning system which give the firm a benefit over its competitors.
P4a: ERM creates a competitive advantage for a firm by managing risks in all parts of the
organization resulting in a controlled operational learning environment.
This third advantage of ERM, realizing a controlled operational environment, can be countered by the inertia aspect of overcontrolling the environment. As a result of this inertia the organization becomes less flexible because the organization gets lost in its ERM routines of controlling the organization. This effect expresses itself when the organization should be more open to risk taking because the outside world is changing, but the ERM routines prevent
23
this. As a result the ERM system becomes bureaucratic (Power 2009). This counterargument is in line with disadvantages regarding organization routines (Pentland & Feldman 2005, Hannan & Freeman 1984).
P4b: ERM creates a competitive disadvantage for a firm because it leads to overcontrolling
the organization which lead to inertia and makes the organization’s processes less adaptable
to change.
2.7 Resource Configuration
Dynamic capabilities have greater homogeneity and substitutability compared to owning unique tangible resources, therefore they can be a source of competitive, but not sustained competitive advantage. This is because they have commonalities in key features and are idiosyncrasy in details (Eisenhardt & Martin 2000). In more general words this means that the abilities and processes which compromise dynamic capabilities are generic between firms and can therefore be easily transferred to another firm. On the other hand, dynamic capabilities are very detailed for every individual firm because they are related to the culture, interactions between people, and the specific strategy of a firm. These details make dynamic capabilities idiosyncrasy and less easy to transfer to another firm. Eisenhardt & Martin claim that dynamic capabilities must always be looked at taken into account resources to create a sustained
competitive advantage. Dynamic capabilities must change or create resources which meet the VRIN(O) criteria as given by Barney (1991). In this paragraph we argue, similar to dynamic capabilities, that for ERM to create a sustained competitive advantage the system always must be looked at taken into account resources.
One part of Mikes & Kaplan’s (2013) definition of ERM consists of the system being capable of challenging existing assumptions about the internal and external environment of the firm. If ERM is capable of challenging these assumptions it is also capable of addressing
24
new resources that need to be acquired in the so-called factor market or that need to be
configurated or created within the organization. This is in line with the comparative advantage described by Nocco & Stulz (2006). Being better informed about your risk profile in relation to the future environment, a comparative advantage, gives opportunities for more successfully adjusting resources and competences which will end up in a sustained competitive advantage. This sustained competitive advantage will only be realized if the resources, which are
addressed for change via the ERM system and accordingly configurated, meet the VRIN(O) criteria. Without additional resources ERM cannot create a sustained competitive advantage. This is mainly because an ERM system can be transferred to another firm.
P5: Resource configuration moderates the positive effect of ERM on sustained competitive
advantage.
3. Data and Method
The translation of the propositions into a sound research method will be given in this section. In sequential order the research design, sampling method, data collection, and
analysis method will be given. Key features in explaining the research method are confidence and relevance. Confidence is about giving certainty the research results are the outcome of a sound process. Relevance is about the relevance of the research to theory but also to
managerial implications (Gaskell and Bauer 2000). 3.1 Research Design
Answering the research question is done via a qualitative research approach in the form of a multiple case study. The aim of the study is to find new insights about the relation between ERM and sustained competitive advantage. Finding new insights about a topic can be
classified as exploratory research (Saunders & Lewis 2012). A research design which is suitable for finding new knowledge is a case study (Eisenhardt 1989).
25
3.2 Sampling
Selecting cases is done by non-probability purposive sampling based on the reasons given in this section. The most important condition for a firm to participate in the research is
experience with risk management. Access is preferably only granted if the firm has five-years or more experience with risk management. From this requirement is only departed if it proves impossible in practice or if a participant has other experiences which are relevant for
answering the research question. To be able to investigate if ERM has a competitive advantage it is important the organization is well known with the principles of ERM and is not learning about how to use the system. The number of cases included in this case-research is five. Each case is a single firm in the insurance industry in The Netherlands. I deliberately focused only on the insurance industry to be able to include or exclude certain trends in analyzing the data (e.g. Solvency II) that specifically relate to this industry.
As a starting point I interviewed from each case both a senior risk officer and a senior line manager. In addition to these 10 interviews data is collected from five senior consultants in the area of ERM, resulting in a total amount of 15 interviewees. The decision if the number of interviews conducted is sufficient is taken based on the principle of saturation. As part of this principle only new interviewees are added to the research if this would result in new insights (Marshal et al. 2013). While conducting these 15 interviews I have checked during the latest interviews if they created new insights. Because this was not the case I concluded data saturation was reached.
The five-year experience condition applies to all participants (senior risk officers, senior line managers, and consultants). Interviewing both risk managers, line managers, and
consultants is done because of the triangulation perspective. By interviewing these three types of actors I wanted to make sure the propositions are evaluated taken into account different
26
perspectives. This approach increases the confidence of the research (Gaskell and Bauer 2000).
It is notable that many studies in the field of ERM only interviewed CRO’s or senior risk officers (e.g. Mikes & Kaplan 2013). Interviewing only senior risk officers might result in biased outcomes because risk managers tend to speak in favor of their profession. Based on my own experience, being an ERM management consultant for several years, I know senior line managers can be more realistic about the benefits of ERM. I have experienced that senior line managers have a more reserved attitude towards ERM in the beginning of implementing an ERM system. When the system is implemented and is functioning for a couple of years they start to speak more favorable about risk management. Within this study this reserved attitude is overcome by selecting only participants with five-years or more experience with risk management.
Finding five insurance companies and within each company a senior risk officer and line manager was done via my personal network or via (former) colleagues’ networks. Several old colleagues are working at partner level within consultancy firms in The Netherlands. These former colleagues have been approached and asked to introduce me to their clients for participating in the research. This resulted in below overview of participants from insurance companies. The insurance companies are ranked from large to small based on annual Gross Written Premium (GWP) in the year 2015. This data is extracted from the website of DNB, the Dutch supervisory authority (https://www.dnb.nl/statistiek/statistieken-dnb/). The ranking is deliberately presented in ranges to assure anonymity of the insurance companies. The participants are presented using job titles to assure anonymity of the interviewees. For every representative (in parentheses) the years of experience with risk management are indicated.
27
Reference GWP range Representative risk
management (years’ experience)
Representative business (years’ experience)
Large 1 > € 1 billion Enterprise Risk Manager (6 years) Product Manager (5 years)
Large 2 > € 1 billion Managing Director Risk (15 years) Manager Product Pricing (5 years) Medium 1 € 500 million
- € 1 billion
Chief Risk Officer (20 years) Country Manager (17 years) Small 1 € 100 - € 500
million
Chief Risk & Compliance (16 years)
Financial Director (10 years) Small 2 € 100 - € 500
million
Manager Risk & Compliance (9 years)
Manager Internal Advice (3 years) Table 1 List of Participants Insurance Companies
Business representative of insurance company Small 2 did not meet the five-years of risk management experience requirement. This person is included in the research because this person has a great level of experience with both internal and external commercial processes in relation to risk management. Furthermore, this person added to the research understanding of how the business is experiencing ERM.
Finding five consultants was done via my personal network of former colleagues. These former colleagues have either worked at the same consultancy firm as I did or we have worked together at a project within the financial services industry. The sampling process resulted in below lists of consultants which participated in the interviews. The participants are presented using job titles to assure anonymity of the interviewees. For every consultant (in parentheses) the years of experience with risk management are indicated.
Reference Job title consultant (years’
experience)
Consultant 1 Partner Risk Management (20 years)
Consultant 2 Director Risk Management (20 years)
Consultant 3 Insurance Lead (4 years) Consultant 4 Consultant Risk Management (6
years)
Consultant 5 Risk & Compliance Expert (8 years)
28
Consultant three did not meet the five-years of risk management experience requirement. I concluded that the comprehensive experience of this person within the insurance industry was more valuable to the research than the shortcoming of one year of risk management
experience. Within this consideration is taken into account that this person is very well known with the regulatory environment of insurance companies.
3.3 Data Collection
Data collection has been done using cross-sectional (single point in time interviews). The interviews were conducted in the form of semi-structured interviews (see appendix A for the interview questions). This gave me the possibility of getting to the core of certain topics or put emphasis on topics that arise during the interview. The interviews were held using open-ended questions. The interviews were audio recorded, provided the participants gave their written consent for this beforehand (a template of the consent form used is included in
appendix B). From every interview a report was made including all the literally spoken words and the time and the location to increase transparency and thick description. These reports were shared with every interviewee including a summary of my interpretations. Every
interviewee was asked to confirm or correct the interpretations where necessary. This process is a form of communicative validation. Transparency increases the confidence of the research, where communication validation and thick description increases the relevance of the research (Gaskell and Bauer 2000).
Because I am experienced in the field of ERM there is a risk of me being biased. This risk can manifest itself in the way I conduct the interviews with the effect of the outcomes being too positive in the favor of ERM. This risk of being biased is controlled by using Popper’s objective knowledge techniques. Within objective knowledge theory Popper (2012) takes the stand that humans can reason rationally despite their predictions and expectations. He makes a
29
distinction between subjective and objective knowledge. Subjective knowledge is about beliefs and sensing. Objective knowledge is about knowing the truth and is the main source for science. In order to remain objective I have taken a critical stand regarding ERM while conducting the interviews. More specific, I made sure I was not talking too positive about the propositions and I have taken a critical stand regarding the propositions where necessary. Taken a critical stand regarding ERM is a form of reflexivity which in turn increased confidence of the research (Gaskell and Bauer 2000).
3.4 Data Analysis
Searching for themes within the interviews is done by first looking for techniques to identify themes. This resulted in a strategy in which I aimed to look for repetitions,
similarities and differences, theory-related material, and cutting and sorting (Ryan & Bernard, 2003). Searching for repetitions resulted in an overview of themes that occurred regularly within an interview or re-occurred in multiple interviews. These themes have been analyzed to search for similarities and differences and to look for relations with theory. In this strategy looking for theory-related material is deliberately done as one of the last steps to prevent missing themes that are outside the theoretical framework. The data is grouped to the themes via cutting and sorting. This involves searching for quotes within the interviews and link them to one of the specific themes.
The analysis strategy is operationalized using the first five phases as described by Braun & Clarke (2006). The sixth and last phase described by Braun & Clarke relates to producing the report. In the first phase I familiarized myself with the data by transcribing the recordings of the interviews. This is done purposefully by myself and not by others or a software program to get thorough understanding of the data.
30
A list of initial codes is generated based on the list of interview questions as part of the second phase. This initial list of codes is discussed with both my thesis supervisor as the teacher of the course Thesis Research Methods to incorporate their experiences. The initial list of codes is based on the topics used in the list of interview questions. After generating the list of initial codes the transcripts of the interviews are analyzed to search for quotations. These quotations are grouped to one of the initial codes. The quotations from the interviews have been codified using NVivo. Appendix C presents the outcome of this phase including number of sources and references.
In the third phase the codes have been analyzed to identify underlying themes within the codes but also themes that occurred in multiple codes. Where the coding outcomes from phase two resulted in a rather high-over list of categories, this phase resulted in a far more detailed overview of the data. As last step in this phase the data is matched with the proposition to find any similarities. In addition, new themes have been identified which cannot be linked to the propositions but appeared to be relevant to the research question (e.g. regulatory environment and intrinsic motivation). Appendix D presents the outcome of the third phase including number of sources and references.
Reviewing the themes has been done as part of the fourth phase. This included merging themes because they relate to the same phenomena or lead to the same conclusion. This is done to make sure there is no overlap between the themes. Furthermore, themes are deleted if there was not enough data to support them. In reviewing the themes the transcripts of the interviews have been analyzed one more time to make sure the context of the selected quotations can be linked to a specific theme. Appendix E presents the outcome of the fourth phase including number of sources and references.
Out of the list of reviewed themes the final list of themes is named and defined. A list of final themes including number of sources and references is presented in appendix F. The final
31
list of themes consists mainly out of subthemes. This is done because the highest level of a theme relates to a specific proposition. The subthemes give an explanation whether or not a subtheme supports a specific proposition.
The next section explains the results of the analysis and includes a detailed description of the final themes including anonymized quotations from the actual data.
4. Results
This section presents the outcomes of the analyzed semi-structured interviews. Quotations from the interviews are used for every different element of the results to give insight in the data. Quotations are presented in italics. The quotations are representative for the whole dataset. Each interview began with an introduction, followed by questions related to the following topics: 1. Lower costs vs extra overhead, 2. Threat and opportunity identification vs risk aversion, 3. Controlled operational learning environments vs inertia, 4. Types of risk and 5. Other factors that have a positive or negative effect on ERM. The first three subjects were defined to include the characteristics of ERM. The characteristics were to be interpreted as meaning both positive and negative. The interviewee was asked whether he / she could best identify with the positive or negative attributes by indicating which statement he / she found most applicable. Additionally, it was for the interviewee to determine whether additional advantages or disadvantages were to be appointed. Finally, different types of risk, and also the subject sustained competitive advantage were discussed.
The results do not show notable differences between line managers, risk managers and consultants. All these actors talk relatively positive about ERM. This might be due to the five-year experience requirement. Line managers tend to speak more favorable about ERM when they are getting more experienced with the system. Nevertheless, the triangulation perspective definitely did enrich the analyses and outcomes especially for the negative attributes of ERM.
32
Representatives from the business did recognize the positive elements of ERM but could also highlight how the negative attributes hindered them in doing their daily business activities. ERM’s impact on daily business activities is discussed in the third paragraph (Controlled operational learning environment vs inertia) of this section.
4.1 Lower Costs vs Extra Overhead
To distinguish if ERM could lead to lower costs for acquiring new capital or if it functions as extra overhead costs below statements were presented to the interviewees.
a) ERM creates lower costs for acquiring new capital because it results in less volatile performance.
b) ERM creates extra overhead costs, which offset the advantage of less volatile performance and lower costs for acquiring new capital.
All 15 interviewees indicated they could best identify themselves with statement a. A sound ERM system helps a firm to be able to acquire new capital at lower costs. External investors like banks and shareholders appreciate less volatile performance. In return for this stable performance they are willing to lend out money at a lower rate. The interviewees indicated that in practice a higher credit rating leads to lower capital costs and that ERM is an important subject within the rating methodology as the Managing Director Risk of insurance company Large 2 indicated: ‘Lower costs for attracting new capital, that should be the case.
Rating agencies use ERM as an important element in their assessment framework.’
Not only costs for acquiring new capital are lower as a result of ERM. Also costs for supervisory related activities and failure costs tend to be lower as a result of implementing ERM. The costs for supervisory related activities relate both to costs for managing the relationship with DNB and the external auditor. By having processes implemented which create a controlled environment at all levels a firm get trusted by a supervisor or external
33
auditor. This increased trust leads to less supervisory pressure and in turn to lower costs for supervisory related activities (as described by the Partner Risk Management within a consultancy firm, Consultant 1): ‘You are not delayed or inhibited because you have the
supervisor sitting on your neck, we want you to do this, you did not do it well. And that also
creates lower costs.’
ERM also has an indirect effect on the business expenses of a firm by preventing the firm from failure costs. A firm has lower failure costs because ERM helps to implement controls in the organization that prevent failure. This is an indirect effect because the costs are not getting lower on a regular basis, but costs would have been higher if there was not a sound ERM system. The effect from lower failure costs in practice is explained by the Chief Risk Officer of insurance company Medium 1: ‘This is another area where you have less expenses, make
more progression, better and more effective in what you do, less losses, less operational
downtime, or operational interruption.’
Extra overhead costs apply when ERM is implemented in a bad way because this leads to bureaucracy. A bad implementation leads to an overcontrolled environment which is costly because processes are not conducted as effective as they could have been performed if there were less controls. This is well worded by the Partner Risk Management within a consultancy firm (Consultant 1): ‘If you do not implement it properly, you have a six-eyes principle and a
ten-eyes principle, you create a bureaucracy and a high degree of overhead costs.’
Furthermore, a bad implementation is extrinsic motivated. If an employee does something because another person tells him to do there is less opportunity to benefit from the positive elements of ERM.
A second theme regarding extra overhead costs relate to start-up time and costs as Country Manager of insurance company 1 explained: ‘ERM must be implemented, and that costs extra
34
the ERM system. The interviewees indicated that once the ERM system is implemented the extra overhead arguments does not hold anymore.
The positive effects can be empowered while lowering the negative effects by performing the risk management activities with an intrinsic motivation. If the first line of business is performing their risk management activities with an intrinsic motivation than their will be lower failure costs, lower costs for supervisory related activities and less volatile
performance. But this works also the other way around, if employees perform their activities with an extrinsic motivation there will be higher failure costs, more costs for supervisory related activities and more volatile performance. This intrinsic motivated culture in the first line is created by making the employees understand why they need to do risk management. If they understand why they have to think about implementing certain controls they will do this with much more effort and as a result failure costs will go down. Also, when a firm manage its relationship with a regulator with an extrinsic motivation they will be responsive to all the requirements from the regulators instead of managing the relationship. If they manage the relationship with the regulator with an intrinsic motivation than the firm will try to understand why they have to comply with specific requirements. As a result the relationship with the regulator will be more beneficial because the regulator creates trust in the firm. This in turn leads to less regulatory pressure and lower supervisory related costs. Lastly, if costs are better controlled there will be less volatile costs which in turn creates more predictable performance and lower costs for acquiring new capital.
4.2 Threat and Opportunity Identification vs Risk Aversion
To distinguish if ERM could help a firm in identifying and managing threats and
opportunities or it creates a risk averse organization below statements were presented to the interviewees.
35
a) ERM helps changing the organization at a strategic level via identifying threats and opportunities.
b) ERM inhibits changing the organization at a strategic level because it creates a risk averse organization.
All 15 interviewees indicated they could best identify themselves with statement a. ERM supports the management of a firm in identifying threats and opportunities by facilitating discussion at a strategic level about topics that are otherwise less likely to be discussed. These discussions increase the insight of the involved actors about the internal and external
environment of the firm. Even more important, it helps to create a shared vision on the threats and opportunities that are relevant for the business because actors involved learn about the insights that are valuable to their colleagues. This increased insight, individually and as a team, helps a firm in making better decisions about the future, as elucidated by the Consultant Risk Management (Consultant 4): ‘So, in other words, making good decisions, making
strategic decisions. If you know what risks you face, you can make better decisions.’
Although ERM has an important supportive function in creating change via threat and opportunity identification it is not leading in the process. The results of this research indicate that it is the strategizing process which is leading for identifying opportunities for further growth or expanding the business. ERM should be part of the strategizing process by making sure also the risks of a strategy are taken into account when making decisions. This result is amongst others derived from the Director Risk Management within a consultancy firm (Consultant 2) which explained that: ‘Making choices and decisions has always been part of
what a Board or management is doing. So as risk management, you support the process of
structuring and doing analytics.’
Because ERM is not leading in the strategizing process, it is also not leading in resource configuration. The decision to configurated resources is being made by the Executive Board
36
or higher management of the Firm. The same principle as with the strategizing process applies; ERM makes decisions to configure resources better by making sure different perspectives and scenarios are taken into account. Furthermore, ERM helps in prioritizing which resources need to be configurated first, this is because the urgency to configurated specific resources might be higher if it could eliminate risks with a higher impact. The coherence between threats and opportunities is nicely expressed by the Enterprise Risk Manager of insurance company Large 1: ‘We do not only take risks into account at the
strategic risk level, we are also performing scenario analysis to see the linkage with
opportunities. So actually we make some sort of SWOT analysis’.
For threat and opportunity identification applies the same finding as for the lower costs vs overhead section; if a firm does their threat and opportunity identification process, as part of the strategizing process, with an intrinsic motivation than the results are far more beneficial compared to performing the process with an extrinsic motivation. The interviewees explained that creating this culture in the Board room is very challenging because risk management is not always perceived as the most interesting element of a manager’s job. As a result there is a certain risk threat and opportunity identification is done with an extrinsic motivation. If a firm does their threat and opportunity identification with a spirit of doing the right thing than they are far more likely to create better insights and make better decisions as elucidated by
Manager Risk & Compliance from insurance company small 2: ‘For example, at certain
times, choices were made about specific topics that would otherwise not have been discussed.’
The data shows that it is not ERM that creates a risk averse organization at strategic level. It is the type of organization or management which is leading in risk aversion as explained by the Partner Risk Management within a consultancy firm (Consultant 1): ‘Risk averse does not
necessarily have to be a limiting factor, it can match the type of organization.’ Some firms,
37
funds). This risk aversion does not have to be a problem if it fits with the nature of the firm. When you are working with public money risk aversion can also be indicated as a positive attribute of a firm.
4.3 Controlled Operational Learning Environment vs Inertia
To distinguish if ERM could create an operational learning environment or it creates inertia in processes below statements were presented to the interviewees.
a) ERM helps to change organizational processes because it creates a controlled operational learning environment.
b) ERM inhibits changing organizational processes because it creates inertia due to an overcontrolled operational environment.
12 interviewees indicated they could best identify themselves with statement a. Three interviewees indicated they could best identify themselves with statement b. Out of these three, two interviewees were a business representative and one person is working as a consultant. These results show that ERM helps to change operational processes because managers are obligated to take a critical look at the processes under their control. Also, via ERM a risk event or incident register is implemented in a firm. These registers aim to motivate employees to report risks that did materialize or events which almost lead to a material impact (so called near misses) and come up with solutions to improve the
organization to prevent the risk from happening again. Via these improvements organizational processes are changed as indicated by the Financial Director of insurance company Small 1: ‘I
also have led a number of projects in which risk management was an important element and
that only led to better controlled processes, because it requires you to implement them in an
