Strategic Risk Management and the Role of the Management Accountant in Hospitals
A case study to the involvement of management accountants in a hospital in strategic risk management and the ways in which a management accountant in a hospital can contribute to strategic risk
management
Author: D.W. Postma Student ID: s2355493
Program: MSc BA – Organizational & Management Control Supervisor: Prof. dr. ir. P.M.G. van Veen-Dirks
Word count: 12.980
Groningen, January 21st 2019
ABSTRACT
In recent years, risk management has increasingly gained attention. Hospitals are increasingly adopting risk management practices in order to improve performance and to comply with external pressures.
Hospital’s business environments are changing more rapidly than before, and therefore the importance of strategic risk management should not be underestimated. One of the functions expected to be involved in strategic risk management is that of the management accountant. The role of the management accountant is changing from a bean counter to a business partner, being more and more involved in (strategic) decision-making. Current literature suggests that decentralization of the management accountant leads to increased involvement in strategy processes and strategic risk management. Yet, research on strategic risk management within the profession of management accounting is still scarce.
This research investigates the involvement of management accountants in strategic risk management in a case study at a large academic hospital in the Netherlands. Primary data is gathered through nine in- depth interviews with management accountants and medical managers. The findings show that the involvement of management accountants in strategic risk management depends upon the interaction with the manager, and that power issues and personality traits play an important role in this interaction.
Additionally, the positioning of the management accounting function within the organization is related to their involvement in strategic risk management, but decentralization does not always lead to increased involvement in strategic risk management. Moreover, a theoretical framework is proposed for strategic risk management in the public sector. These new insights and the proposed theoretical framework contribute to current literature regarding strategic risk management and the role of the management accountant in the public sector, and they provide new research opportunities.
KEY WORDS
Strategic Risk Management, Enterprise Risk Management, Management Accountant, Controller, Role Management Accountant.
INTRODUCTION
The financial crisis from 2007-2009 drew attention to the importance of embeddedness of risk management into organizations (Arena, Arnaboldi & Azzone, 2010; Hall, Mikes & Millo, 2015). Since this financial crisis, more and more organizations have embraced risk management as an important aspect of their way of conducting business. International initiatives such as Enterprise Risk Management by COSO (2004, 2017) and ISO:31000 (ISO, 2009) offer organizations guidelines and frameworks in adopting risk management practices. Organizations from many different areas have applied these practices with the aim to improve organizational performance. The health sector has been an underexplored area of research on risk management (Da Silva Etges, De Souza, Kliemann Neto & Felix, 2018). Hospitals increasingly need to give more financial transparency, economize, face more limitations in funding by banks and face higher pressures from health insurers, while working in a high complexity environment and being subject to many regulatory and governmental pressures (Da Silva Etges et al., 2018; Van Dijk, 2015). Healthcare organizations, hospitals included, are now more and more adopting risk management practices (Da Silva Etges et al., 2018) in order to improve organizational performance and to comply to external pressures.
An analysis of annual reports by Deloitte (2013) showed that in the risk section, organizations do not sufficiently make the connection between risk management and strategy. Organizations appear to mostly report on the negative aspects of strategic risks, but pay significantly less attention to risks that have been taken to seize or lose opportunities (Deloitte 2013, p.3). The literature also recognized the absence of a link between strategy formulation and risk management. Traditionally, risk management focuses on the downside of risks and the mitigation of those downsides, while little attention is paid to strategic opportunities (Slagmulder & Devoldere, 2018). Risk management is still limited in its way of dealing with external risks and uncertainties (Frigo & Anderson, 2011b). The Dutch Corporate Governance Code, made by the Monitoring Commissie Corporate Governance Code (2016), states that the board of an organization is responsible for the identification and managing of risks associated with the strategy and activities. Hospitals in the Netherlands are subject to a specific governance code for the health sector, called the Governancecode Zorg (2017), which also states that the board of the organization is responsible for managing risks associated with the strategy and activities of the health organization, employees’ actions and the social positioning of the health organization (Governancecode Zorg, 2017).
These risks may be external as well as internal. Bood & Postma (2018) state that, because the Corporate Governance Code does not define criteria for these risks, organizations themselves are responsible for identifying and reporting the most important risks. This is also true for the governance code for healthcare, hence, also for hospitals.
Not only the reporting of strategic risks in the annual report, but also the management of strategic risks is considered more and more important. As said, risk management practices are increasingly adopted to comply to external pressures and to improve organizational performance. These increasing pressures require trade-offs and choices, bringing challenges and also uncertainties for hospitals (Kroneman, Boerma, Van den Berg, Groenewegen, De Jong & Van Ginneken, 2016). Hospitals need to rethink their financial structures, need to think of new ways to deliver the same quality of care against lower costs, and need to change their policies (Kroneman et al., 2016). It is therefore important for hospitals to be able to identify and manage risks that are related to strategy and strategic objectives, i.e., strategic risk management.
One of the functions which is expected to be more involved within strategic risk management is that of the management accountant. Over the past years, there has been much debate on the changing role of controllers, or management accountants. It is argued that a shift takes place from the traditional bean counter towards a more advising role, being more involved in strategic decision-making (Janin, 2017).
This role is also called the business partner role (e.g., Järvenpää, 2007; Lambert & Sponem, 2012).
Accounting often forms the basis for many decisions made in organizations, and accounting practices are woven deep into organizations. Therefore, management accountants are often involved in many different aspects of an organization, and confronted with a wide variety of issues. The accounting and control systems are often used to identify problems, monitor the functioning of the organization, awareness of potential risks, and to mitigate these risks. As management accountants often use these systems, it seems therefore logical that management accountants often have to deal with risks, and that risk management is closely related to the profession of the management accountant. However, research that explores the position of risk management in the profession of management accounting is still scarce.
The question therefore arises what role management accountants are playing, can play, or should play in strategic risk management, in order to enhance the connection between strategy and risk management, and how this can best be achieved. In line with the previous reasoning, the following research question has been constructed: In what ways can management accountants in hospitals contribute to further development of strategic risk management?
The answering of this research question will contribute to the existing management accounting literature in several ways. Firstly, it will contribute to the academic discussion regarding the integration of risk management within organizations. There is a lot of debate upon the possibility of adopting integrated risk management within organizations (e.g., Arena, Arnaboldi & Palermo, 2017; Arena et al., 2010;
Jordan, Jørgensen & Mitterhofer, 2013; Kaplan & Mikes, 2016; Soin & Collier, 2013; Power, 2009).
Secondly, it will shed further light upon strategic risk management in the public sector (Ahmeti & Vladi, 2017). Thirdly, it will provide insights in the role of strategic risk management within the profession of
management accounting, an underexplored area within management accounting literature. Moreover, this research is of practical relevance as it may provide insights in how strategic risk management may be enhanced, and how management accountants can add more value to this, enhancing the connection between risk management and strategy (Bood & Postma, 2018; Deloitte, 2013; Slagmulder &
Devoldere, 2018).
LITERATURE REVIEW
This literature review will firstly cover strategy and will link this to hospitals. Next, the COSO ERM framework (2004), one of the most used frameworks in risk management, will be discussed. After that, its 2017 update will be covered, followed by a different approach to strategic risk management by Slagmulder & Devoldere (2018). Next, a review on the role of the management accountant will be given, and the literature review will be concluded with a section that combines these topics.
Strategy
Strategy is about being different, and requires the deliberate choice for a different set of activities from competitors in order to deliver a unique mix of value (McGee, Thomas & Wilson, 2010, p.5). Porter (1996, p.68) defines strategy as “the creation of a unique and valuable position, involving a different set of activities”. The chosen position needs to be unique and valuable. This requires a definition of value within healthcare. Porter & Lee (2013, p.4) state that “in health care, the overarching goal for providers, as well as for every other stakeholder, must be improving value for patients, where value is defined as the health outcomes achieved that matter to patients relative to the costs of achieving those outcomes”.
Strategies can exist at several layers of the organization. Johnson, Scholes & Whittington (2008) distinguish three levels of strategy, which are corporate strategy, business-level strategy and operational strategy. Firstly, corporate strategy is here concerned with the overall scope of an organization and how value will be added to the different parts or business units of the organization. Relevant issues on this level can be geographical decisions, product or service diversity and resource allocation. Specifically, for healthcare, Karuppan, Dunlap & Waldrum (2016) state that corporate strategy deals with “the various types of business units in which the health system wishes to operate, the allocation of resources among those business units and the coordination of business strategies to achieve cohesiveness”
(Karuppan et al., 2016, p.37). Secondly, business-level strategy deals with how businesses that are included in the corporate strategy should compete in their markets, and is therefore also sometimes referred to as competitive strategy. In the public sector, as Johnson et al. (2008) explain, business-level strategy decisions can be seen as decisions about how the best value services can be provided by units, often concerning pricing strategy issues, innovation issues or differentiation issues. Corporate-level strategy deals with decisions about the organization as a whole, and business-level strategy entails
strategic decisions that relate to strategic business units (SBU’s) within the organization. Johnson et al.
(2008) define an SBU as “a part of an organization for which there is a distinct external market for goods or services that is different from another SBU”. Hospitals are often arranged in departments based upon specialization, and these departments fit in the description of a SBU. Thirdly, the operational strategy is concerned with how the component parts of the organization can deliver the corporate- and business- level strategies in terms of resources, processes and people (Johnson et al., 2008). This operationalization determines for a large part whether business-level strategies succeed, making integration of operational decisions and business-level strategy crucial. The operations function represents the core essence of the business, and in healthcare this is related to the treatment of patients.
Successfully managed operations transform inputs into valuable outputs for patients.
Strategy is related to a company’s mission and vision as it provides an overarching direction (McGee et al., 2010). A mission is related to a company’s reason to exist. It should provide answers to what a company’s business is, and what it should be (Campbell & Yeung, 1991). The mission is a rather timeless concept. Vision deals with where an organization wants to go. It provides a possible and desirable goal towards which an organization can work, which should be achievable within 5 to 10 years (Campbell & Yeung, 1991). Strategy rather deals with the nature of the business, positioning and competition. Often, strategy is seen as a description of how to achieve the vision, and typically has a three to five-year timespan in Western companies (McGee et al., 2010). Now that strategy and value in healthcare have been explicated, strategic risk management can be further examined.
Strategic risk management
Strategic risk management can be defined as “a process for identifying, assessing and managing risks and uncertainties, affected by internal and external events or scenario’s, that could inhibit an organization’s ability to achieve its strategy and strategic objectives with the ultimate goal of creating and protecting shareholder and stakeholder value” (Frigo & Anderson, 2011b, p.22). This definition indicates that strategic risk management is a process that consists of three parts, the identification, assessment and management of risks related to the organizational strategy. Risk management is often defined by referring to the 2004 Guidance Document from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). They define Enterprise Risk Management (ERM) as follows:
“Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of the entity’s objectives” (COSO, 2004, p.2). Risk appetite is the amount of risk an entity is willing to bear (Power, 2009) and is, in ERM, closely linked to strategy in that management should consider “the entity’s risk appetite in evaluating strategic alternatives, setting related objectives and developing mechanisms to manage related risks” (COSO, 2004, p.1).
Organizations find it difficult to define their risk appetite, and there has been much discussion about the possibility of a single risk appetite for an organization (Power, 2009). Within health care, it is common that a low-risk appetite for compliance, health and safety are communicated, and a higher-risk appetite for strategic objectives, as it seems to have greater negative consequences for risks related to compliance, health and safety to manifest themselves than missing strategic opportunities (Celona, Driver & Hall, 2011).
The definitions of strategic risk management and ERM seem to be very similar. Yet, ERM covers more areas than just
strategic risk management, and recognizes four categories in which organizations are believed to want to achieve objectives, namely strategic objectives, operational objectives, reporting objectives and compliance objectives. The ERM framework consists of eight interrelated components that influence all the objectives (see figure 1). Next to that, a third dimension depicts an entity’s units, enabling different levels of focus of ERM. These are the entity-level, division, business unit, and subsidiary level. A link can be made here with the layers of an organization at which strategies exist, as explained earlier. The COSO (2004) ERM framework takes a holistic approach to risk management, as risk management is believed to be an enterprise-wide phenomenon, and thought to be integrated with all of the aspects of the business. Specifically, in healthcare, Da Silva Etges et al. (2018) argue that the value that is created, is the result of the collaboration of teams of different processes that are interrelated. Risks may be caused by disruptions between the different processes and areas, as well as within the areas themselves.
Hospitals therefore should consider risk as a whole and not in isolation in specific sectors (Bromiley, McShane, Nair & Rustambekov, 2015; Da Silva Etges et al., 2018; Eckles, Hoyt & Miller, 2014).
In 2017, COSO came with an update to the 2004 framework in their work Enterprise Risk Management – Integrating with Strategy and Performance, highlighting the importance of considering risks in the strategy-setting process and in driving performance (COSO, 2017), as a response to the increasing complexity and fast emergence of new risks in doing business. It is claimed that the possibility of the strategy not aligning with the organizational mission and vision, and the implications from the strategy chosen, can have a great effect upon an entity’s value, possibly even more than risks to the chosen strategy (COSO, 2017). As long as an organization has a mission, a strategy and objectives, ERM can be applied, and every entity is said to have a mission, vision and core values that define what it is trying to achieve and how it wants to conduct business (COSO, 2017).
Strategic risk management can thus be considered as a part of Enterprise Risk Management. The COSO (2004) ERM framework shows that the eight ERM components influence, among others, the strategic objectives. This means that the internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring all influence the organization’s ability to achieve its strategic objectives. The updated COSO (2017) framework relates all of its concepts and underlying principles to the risks of (mis)alignment of the strategy with mission and vision, and to the risks related to the implications from the chosen strategy.
The COSO ERM (2004, 2017) frameworks have been criticized for being more focused on strategy execution than on strategy formulation. Despite the fact that the updated COSO (2017) framework highlights the importance of risk in the strategy setting process and in driving performance, it is still being criticized for its emphasis on risks related to strategy execution rather than on strategy formulation (Slagmulder & Devoldere, 2018). In order to achieve integration between risk management and strategy formulation, Slagmulder & Devoldere (2018) propose a different framework for strategic risk management. Based upon Frigo & Anderson (2011a), they argue that strategic risk management
“involves the development of processes, people, and practices toward identifying, assessing and responding to strategic risks with the ultimate goal of creating shareholder value” (Slagmulder &
Devoldere, 2018, p.736). Their proposed framework consists of three mechanisms to integrate risk management and strategy formulation, which are processes, people and practices (see figure 2). The following three paragraphs provide an explanation of the framework of Slagmulder & Devoldere (2018).
Risk management processes refer to the content integration of risk management and strategy formulation, which can be integrated or separate, and to the timing-wise relation between risk management and strategy, which can be sequential and simultaneous (see figure 2; Slagmulder &
Devoldere, 2018).
Risk management people can be further categorized into three categories: protecting the core business;
being a strategic challenger; or as a business partner. A difference can be seen in the responsibility for triggering discussions on strategic risk management, where sometimes this is the responsibility of the strategy function, and sometimes this is seen as a shared responsibility of the strategy function and the risk function. Protectors of the core business predominantly focus on operational excellence and optimal use of assets, and are usually not involved in strategy formulation but rather in its execution. Strategic challengers are incorporated at several points in time in strategy formulation, mostly for expert advice, and are usually not further incorporated in strategy formulation for efficiency and strategic responsiveness reasons. Business partners are fully incorporated in strategy formulation, and although this might impede efficiency, it is generally seen as an enhancement of quality (see figure 2; Slagmulder
& Devoldere, 2018).
There are many risk management practices that can be adopted to achieve integration between risk management and strategy formulation. Examples stretch from formal process interactions to incentive systems and risk dialogues. The degree to which practices are executed may differ, but companies that strive for more integration often have more advanced practices (Slagmulder & Devoldere, 2018).
Andersen & Schrøder (2010) mention that “strategic risk factors may include major competitor moves, product innovations, process improvements, new business designs, technology leaps and the like, all of which constitute exposures that can be difficult to identify in advance and hence also hard to quantify”
(Andersen & Schrøder, 2010, p.77). Moreover, they argue that strategic risks may cover the most significant effects on earnings development, and that this also constitutes the ability to exploit upside potential uncovered by strategic events. This is in line with the findings of Deloitte (2013) as mentioned before. Other examples of practices to deal with risks in strategy, or in making strategic decisions, are scenario planning (McGee et al., 2010; Slagmulder & Devoldere, 2018), PEST analysis (a macro- environmental analysis of political/legal, economic, socio-cultural and technological developments), net present value (NPV) and internal rate of return (IRR) techniques (McGee et al., 2010). In their Harvard Business Review published article, Slywotzky & Drzik (2005) categorize strategic risk into seven major classes: industry, technology, brand, competitor, customer, project, and stagnation. They argue that each class encompasses different types of risks and propose countermeasures to mitigate the risks from each class. Next to that, guidelines are offered, consisting of six steps, to help managers in dealing with strategic risk. Firstly, risks need to be identified and assessed. Secondly, risks need to be mapped.
Thirdly, risks have to be quantified. Fourthly, the potential upside for each risk needs to be identified.
Fifth, mitigation plans are to be developed. Sixth, capital decisions need to be adjusted accordingly. It is worth mentioning, however, that these risks and guidelines are focused on the profit sector, which leads to uncertainty about their applicability on hospitals.
As stated before, hospitals are usually organized in different departments according to medical specialism. The COSO ERM (2004) framework seems more applicable to this structure, as this framework, too, is organized in a rather structured way, where the entity’s units on the right side of the framework closely resemble the organizational structure of the hospital. Since hospitals are such large and complex organizations, this framework is expected to be more feasible for the execution of this study. The COSO ERM (2017) framework does not make a distinction between organizational layers.
It sees strategic risk management as an integrated whole with the organization. However, as explicated before, strategies can exist at different layers of the organization. The distinction between organizational layers is a useful way to study strategy in the context of risk management. Moreover, as will be elaborated upon hereafter, the role of the controller is changing, and it is expected that decentralization of the controller enhances its business orientation, which also entails strategy processes. To investigate this in the context of risk management, it is useful to use a framework that makes a distinction between this centralization and decentralization; i.e., between organizational layers. For this reason, too, the COSO ERM (2004) framework is more suitable than the COSO ERM (2017) framework in this study.
This research shall therefore focus on the COSO ERM (2004) framework.
The management accountant is, due to its changing role, expected to be increasingly involved within strategic risk management. Now that a review of the relevant literature on strategic risk management has been given, the literature on the role of the management accountant shall be covered.
Role of the management accountant
As mentioned earlier, there has been much debate upon the changing role of the management accountant from traditional bean counter to business partner (e.g., Järvenpää, 2007; Lambert & Sponem, 2012). The bean counter role refers to an independent role in which a management accountant operates within an organization, and is found to be limited and unsatisfactory in describing contemporary management accountants (Granlund & Lukka, 1998; Janin, 2017). The business partner role is characterized by more involvement in daily business activities and providing business-unit managers with relevant information for decision-making (Lambert & Sponem, 2012). Lambert & Sponem (2012) argue that the role of a management accountant is largely determined by the positioning of their function within the organization. The decentralization of the management accounting function appears to be linked to the increased business orientation of management accountants (Granlund & Lukka, 1998). The business orientation of management accounting may be defined using the definition of Järvenpää (2007):
“The business orientation of management accounting is defined […] as the willingness and ability of management accounting to provide more added value to the management (decision-making and control) of the company[,] […] where the ability refers to the more relevant accounting systems, personal competences and overall business knowledge of the management accounting function,
[…] [and] where willingness deals with the personal and organizational desire to accomplish this goal and to take part actively in the management of the business” (Järvenpää, 2007, p.100).
The business orientation of management accountants can be aided by new management accounting techniques such as strategic management accounting, strategic cost management, life-cycle costing, competitor accounting, customer profitability analysis, added economic value, non-financial measures, balanced scorecard (BSC) and target costing (Järvenpää, 2007). Moreover, new financial and operational control systems, such as ERP systems, have the ability to increase the business orientation of management accountants, as well as changes in corporate-wide planning and control practices (Järvenpää, 2007). Furthermore, the business-partner role of management accountants “encompasses assisting and advising operational managers, participating in strategic decision-making, contributing to the development of systems and actively partaking in everyday operational decisions” (Janin, 2017, p.16).
Similarly, Burns & Baldvinsdottir (2005) describe the upcoming role of the “hybrid accountant”, whose role was primarily located within the product stream, and who were encouraged to undertake their duties out of their primary function and rather within process streams (Burns & Baldvinsdottir, 2005). This is also in line with Granlund & Lukka (1998), who describe how the decentralization of the management accounting function aids their business orientation, and with Lambert & Sponem (2012), who argue that the role of the management accountant is “partly determined by both management accountants’ activity and the positioning of their function” within the organization (Lambert & Sponem, 2012, p.569). In their research, Lambert & Sponem (2012) also describe how this hybridization not only concerns the management accountants, but also the operational managers. As management accountants are increasingly involved in management activities, operational managers feel that in interacting with management accountants they are either wasting their time or they feel jeopardized in their freedom.
Miller, Kurunmäki & O’Leary (2008) describe several ways in which accounting is being hybridized that can have significant implications for the management of risk:
“Coordination across sub-units of a firm, cooperation and the sharing of expertise among firms, inter-professional knowledge transfer and even the emergence of new bodies of expertise, formal and informal cooperation across organizations and groups of experts, and the creation of novel metrics that draw upon different bodies of expertise are among the multiple dimensions of hybrids.
These are only some of the examples of accounting and hybridization, and how this can have significant implications for the management of risk” (Miller et al., 2008, p.962).
Miller et al. (2008) argue that much of the management of uncertainty happens beyond the formalized practices of risk management, meaning that many ways in which risk management is being practiced
happens informally, and implicitly, rather than formally and explicitly. Moreover, accounting practices are argued to be central to this. However, the exact way in which management accounting and risk management are intertwined is not clear. Risk management has shifted from a narrow financially focused concept towards a broader managerial concept (Power, 2007). As explicated earlier, management accountants are often involved in many different processes and decisions that relate to many aspects of the organization. This leads to the expectation that management accountants often deal with risks, and that risk management is closely related to the profession of the management accountant.
This has been a rather underexplored area in the literature (Soin & Collier, 2013). The business-partner role of the management accountant is known to be more involved in strategic decision-making (Janin, 2017), and the question arises how a management accountant with a business-partner role can contribute to further development of strategic risk management. On the other hand, the bean-counter role is known to be less involved in strategic decision-making, in which case the question arises if a management accountant with a bean-counter role could contribute to further development of strategic risk management, and how. More insight in the interrelation between the different roles of the management accountant and strategic risk management may provide better understanding of how to enhance strategic risk management. Next to that, it is expected to provide a better understanding of the position of strategic risk management in the profession of management accounting, as research on this area is still scarce.
Strategic risk management and the role of the management accountant
So far, this literature review has explicated the developments on the field of strategic risk management and elaborated on the changing role of the management accountant. Within strategic risk management, the COSO ERM framework (2004), its 2017 update and an alternative approach to strategic risk management by Slagmulder & Devoldere (2018) have been discussed. As may have become clear, there is not one approach that fits every company. An interesting difference can be observed in the risk management frameworks with regard to strategy; Slagmulder & Devoldere (2018) focus predominantly on risk management within strategy formulation, while the COSO ERM (2004) framework focuses predominantly on risk management in strategy execution. Risk appetite seems to be important in risk management in both strategy formulation and strategy execution.
The changing role of the management accountant incorporates an increased business focus. Coming from a rather isolated function, contemporary management accountants are increasingly business oriented, which leads to the expectation that they would also be increasingly involved in strategic risk management. Much of the risk management literature so far, especially with regard to strategy, has focused upon the profit sector. The different approaches give insight in how strategic risk management may be executed within hospitals and what aspects to strategic risk management need to be taken into account when trying to understand the underlying mechanisms. All of the mentioned developments in the field of strategic risk management are related to fields in which one may expect management
accountants to be active in, or come into contact with. Research on this involvement of the management accountant in strategic risk management, however, remains scarce. This research aims to shed light on this underexplored area by doing a case study within a large hospital in the Netherlands to enhance understanding of the role of the management accountant within strategic risk management.
Figure 3 shows a schematic depiction of the literature, which will be used as a basis for this research. It depicts how a distinction can be made in strategy between strategy formulation and strategy execution in the context of strategic risk management. Moreover, the two distinguishable roles of the management accountant have been included, and the arrow will be researched as to understand the role of the management accountant within strategic risk management.
METHODOLOGY
Research approach and design
There is little theory on the process of strategic risk management within the profession of management accounting. The literature review shows relevant literature on strategy, strategic risk management, and the role of the management accountant. In order to understand how management accountants can contribute to further development of the process of strategic risk management, a deeper understanding is needed. Qualitative research is therefore suitable, as this may result in a deeper insight in the emerging theory and may also provide better insights in the conflicting literature (Eisenhardt, 1989). A more detailed understanding could be gained from a case study. Case study research is “research that describes a single event or unit of analysis determined by the researcher” (Gephart, 2004, p.485). It is an empirical enquiry that studies the phenomenon in-depth and in a certain context. The research site could be fruitful in collecting relevant data, able of providing the context and insights that this research is trying to explore. As a side note, it is noted that qualitative research is an iterative process, and that alterations may be needed during the conduction of the research (Gephart, 2004). As described in the literature, the decentralization of the management accounting function seems to be linked to the increased business
orientation of the management accountants, hence it makes sense to investigate this involvement on a lower level than at the top of the organization. The unit of analysis will therefore be those functions within the case study on business unit level that are responsible for risk management in strategy formulation and execution.
Research site
The research question will be addressed through a case study at a large hospital in the north of the Netherlands, the UMCG. The UMCG is divided into departments based upon medical specialization. A reorganization has taken place 10 years ago, resulting in the current decentralized structure where many important decisions are also taken at a lower level. The departments are managed by a medical head and a business manager, who have shared responsibility over their department. At the UMCG, this is referred to as dual leadership. The departments are brought together in sectors, of which there are six in the UMCG, where characteristic similarities determine which departments are brought together in the same sector. Each sector has its own sector director. The departmental business managers report to this sector director, and the sector director in turn reports to the board of directors. The medical heads do not report to this sector director, but report to the board of directors immediately. During the reorganization, sector directors got the freedom to determine their own structure. This resulted in different ways in which the management accountant function was organized. Some sectors have overarching sector management accountants, whereas at other sectors, each department has their own management accountant.
Data collection
It is important for case studies that they draw upon multiple sources of evidence, making use of triangulation (Yin, 2014). Triangulation of multiple sources of data makes it possible to provide stronger evidence to support constructs and conclusions (Eisenhardt, 1989), eventually leading to better and stronger theorizing. Primary data will be gathered through the conduction of semi-structured interviews with business managers and medical heads of departments in the UMCG, as well as with the responsible management accountant for that same department. The choice for this unit of analysis is based upon the previously explained decision for the business unit level, and since departments are led through dual management structures by business managers and medical heads, the decision has been made to interview both as this is expected to provide a broader understanding from multiple views. Next to that, interviewing both the manager and medical head reduces the influence of respondent bias on the results.
Semi-structured interviews will provide a basis on which multiple interviews can be compared, but still give the researcher enough flexibility to ask follow-up questions on emerging topics. Table 1 gives an overview of the interviews, where formal interviews were recorded and informal interviews were not.
Next to that, secondary data will be gathered in the form of observations. The researcher shall be present at the case company for at least two days per week during the course of this research, and participant observations involve social interaction in the field with subjects, direct observation of relevant events, informal interviewing and collection of documents (Gephart, 2004). These internal documents will also give a deeper understanding of the underlying concepts and mechanisms which can be used as data within the research. Internal MEMO’s and informal interviews have proven to be useful for the understanding of strategy formulation and execution within the UMCG, as well as for an understanding of current risk management practices within the UMCG. This combination of data collection methods should provide a better and deeper understanding of the involvement of the management accountant in strategic risk management (Eisenhardt, 1989; Yin, 2014).
Interview questions for strategy formulation will be based upon Slagmulder & Devoldere (2018).
Interview questions for strategy execution will be based upon the COSO ERM (2004) framework. The components of the COSO (2004) ERM framework are interrelated, and not strictly consecutive (COSO, 2004). Interview questions (Appendix I) have therefore been based upon the description of all eight
components of the framework as given by COSO (2004, p.3). Schematically, this can be depicted as in figure 4, where MA resembles the role of the management accountant.
Data analysis
Various methods will be used to gather and analyze data. The interviews shall be recorded and transcribed. After that, the transcripts will be analyzed making use of deductive and inductive coding, where a balance between these two will be sought in order to both build on prior theory and to make an attempt at theory building. Deductive codes will be based upon the literature in the literature review.
Within-case analysis will be performed to allow the unique patterns of each case to emerge, before generalizing towards overarching concepts (Eisenhardt, 1989). After this, second-order coding will be performed to group the codes into groups and find overarching concepts. Both sources will be compared to find contradictory or complementary data, and the interrelations between categories and their subcategories are identified (i.e. cross-case analysis, Eisenhardt, 1989). Next, these second-order codes will be used to make an attempt at theory building, identifying and developing relations between the main categories (Wolfswinkel, Furtmueller & Wilderom, 2013).
FINDINGS
The findings are presented in the following order: first, relevant findings related to strategy shall be presented. Second, relevant findings that have to do with risk management will be presented. Third, an explanation will be given of the structuring of the management accounting function within the UMCG, together with relevant findings related to strategy and risk management. Lastly, the involvement of the controller within strategic risk management shall be discussed, where a separation will be made between strategy formulation and strategy execution.
Strategy
Strategy is difficult to define within the UMCG. Even higher in the organization, people give different answers to the question what the strategy is. In observations and informal interviews, the director policy claims there is no strategy, and that there are only ambitions, while other directors claim that there definitely is a strategy which is formulated in the “Route 2020” document, yet, a member of the board of directors clearly stated that the way the strategy is translated within the hospital is through the annual plans for the different departments. Strategy is claimed to be quite new in the hospital, and employees seem to be confused about how strategy is implemented within the organization. Members of the board of directors claim to take a “bottom-up approach”, since medical specialists are way better in determining the right course of action. Lower in the organization, within the medical departments, strategy is implemented from a “top-down approach”, as there it is claimed that the board of directors want something to happen. All in all, ownership of strategy and strategic goals for the organization is not clearly formulated.
Risk management
Informal interviews with, among others, the risk manager indicated that integral risk management is not (yet) implemented at the hospital, nor is strategic risk management. Both are still relatively undeveloped.
In 2017, an internal committee did recommendations on how to implement integral risk management within the UMCG. An internal document (a MEMO titled “RvB-Memo besluitvorming IRM”) shows that based upon their recommendations, the board of directors decided to appoint a risk manager and to adopt the COSO 2017 framework for reporting standards. A risk manager has recently been appointed (during the course of this study) and although there has been decided to adopt the COSO 2017 framework for reporting standards, an implementation of the model for management purposes has not taken place yet, nor has the COSO 2017 framework actually been used for reporting standards. Many operational risk management procedures are in place for patient security reasons, in the form of Safety Management Systems (“Veiligheidsmanagement Systemen”, VMS), but there is no process or system for strategic risk management in the UMCG.
Role of the management accountant
The positioning of management accountants in the UMCG differs per department. At some departments, the management accountant is literally next door, where the manager and the management accountant work together intensively. At other departments, the management accountant is positioned further away.
All of the managers see the management accountant mainly as a financial person. Interestingly enough, all of the management accountants claimed to see themselves as a business partner. One manager also stated this contradiction:
“I see that controllers who work here, that they have a tendency to… Maybe they feel undervalued, I don’t exactly know where it comes from. But they see themselves in a function that does not exist. […]
because as a controller, it is not your job to formulate the vision of the hospital. And some want to do that. I think that they are completely unsuitable for that.” – Manager Z
The reason that was given by one manager for this difference in positioning was the size of the department (see the quote below). The larger the department (in terms of turnover, employees or purchases), the closer a controller is to a department. When departments are smaller, a controller usually has multiple departments under his or her responsibility, which leads to a more distant positioning.
Closer positioning allows a controller to better support management of a department. Yet, the control function should remain an independent function according to this manager, as in that way the controller can better serve the broader organizational goals of the hospital instead of departmental goals. These departmental goals are more in the interests of the doctors and the manager of the department. The controller thus forms a connection between broader organizational goals and departmental goals.
“… it has to do with the fact that there are two controllers in sector B. I think that here in sector A, we have four controllers and one sector controller. We have large blocks, all departments are large, therefore each department also has a controller. […] However, I don’t think that control should fall under the manager in an organization as this one. That should be independent.” – Manager Z
“When you have a more distant controller, which is the case in other places within the UMCG, then the managers are completely serving the doctors, and not serving the organizational goals of the UMCG.
Because the goals of the doctors are only partially the same as the goals of the UMCG. A controller who is closer to the department has more inside information of this department, and can therefore make better estimations.” – Manager Z
“There is the strategic goal of the department and there is the strategic goal of the UMCG. We are more involved with the strategic goal of the UMCG than that of the department. […] One could say that we mediate between the departmental perspective and the concern perspective, that we try to find the connection.” – Controller W
Involvement of the controller within the department also seems to be linked to organizational politics and culture. It is therefore for a controller much harder to keep control over the finances, because the controller is sometimes kept in the dark deliberately. This also impedes them from being involved in the strategy process. A controller also confirmed this:
“… it may also be that a controller is deliberately kept less involved. When a controller watches what is happening, and says that you exceed your boundaries on certain things, you need to make adjustments.
[…] When you are not that much involved, you also get fewer difficult questions of course”. – Controller Z
Several of the interviewees stated that they saw it as a basic task of the controller to manage risks, that risk management is part of the work of a controller because he/she is constantly trying to make sure that departments stay within their budgets. Deviation from the budget is seen as a risk, and managing this risk is seen as the basic task of the controller. This is also due to the fact that the controller within the UMCG primarily has a financial focus.
Strategic risk management and the role of the management accountant General
The role of the controller within strategic risk management seems highly dependent upon the way the controlling function is organized within the organization. The way the controlling function is organized encompasses the positioning of the controller (i.e., decentralization), the main task of the controller (to support or to control), the organizational structure and reporting structure, responsibilities, and the interaction with the manager of the department. These factors have been indicated by both managers and controllers as influencing the way a controller is involved in strategic risk management. Dependent upon the way the controlling function is organized, a controller has the authority to make decisions. In the case organization, the controlling function was organized in a supporting financial role, while not carrying the responsibility over the financial status of the medical department. This responsibility lies with the manager. Hence, in his/her involvement within strategic risk management, the controller did not have the authority to make decisions for the department regarding strategic risks, but rather had a supporting role for the manager to make the right decisions.
One controller remarked that the extent to which he is involved with a department depended upon the capabilities of a manager, where the controller said he/she would be more involved if that was necessary to complement the manager in these capabilities (see quote below). Lack of financial knowledge would thus lead to higher involvement of the controller in this department. Moreover, this involvement of the controller within the department should lead to more involvement with strategy, and strategic risks.
However, at this same department, the manager said that because he/she understands finance so well, and because the controller is very interested in the business, it allows them to cooperate on a higher, strategic level. Here, knowledge of each other’s area of expertise actually enables them to discuss strategic risks.
“[Involvement of a controller with a department] is also dependent upon the size and complexity of the department. […] It also depends upon what support there is within the department itself, size of the department, complexity of the department, and knowledge and skills of the manager. It is also a bit customized to the department, where are the shortcomings and how can we fill those? […] Higher involvement is then sometimes necessary because otherwise there is no timely anticipation upon risks.”
– Controller Y
“I think the cooperation between [the controller] and me has a certain level. I think that level is higher than the average cooperation. […] That is actually very much on the strategic level. Very much on strategy, actually. […] That is also because I have done the executive MBA, and I have also been raised with finance, I have a financial background.” – Manager Y
The positioning of the controller has been pointed out by multiple interviewees as having influence on the involvement of the controller with strategic risk management. There is, however, an interesting contradiction. One controller (department W) pointed out that the closer a controller is positioned to a department, the more he is able to understand the complex interrelation between strategic risks and the departmental processes. Thus, the closer the positioning, the higher the involvement with strategic risk management. This is in line with expectations from literature section; decentralization of the controlling function leads to more of a business partner role of the controller, which also constitutes higher strategic involvement. However, another controller (department X) pointed out that because he is positioned further away from the department, he is better able to take a broad perspective upon strategic goals and is better able to estimate consequences (i.e., risks) of strategy. He claims that being positioned further away from the department helps in enhancing strategic risk management as a controller.
“I am positioned a bit further away as a controller. We have the boundaries. […] It are very contradictory interests; a department wants to grow, while the UMCG says okay, that is possible but then we need to downsize somewhere else. As a controller, you can play a role in this by making visible and concrete where this growth space is.” – Controller X
And later, when talking about the identification of strategic risks:
“You don’t want the business continuity to be affected [by strategic risks]. But, because I have a financial function, I have a certain role, and I can take a broader perspective and make things possible.
[…] By being positioned a bit further away form a department, you can keep a better overview and better estimate things.” – Controller X
That a controller needs to be able to take a broader perspective in order to be involved in strategy was also affirmed by manager Z. In contrast with what was stated above, this manager claimed the controller to be less suitable to be involved in strategic risk management:
“A controller and strategy in general do not go well together. […] Because controllers are certain type of people, with a certain type of education, which is not really vision and strategy oriented. That is namely about thinking broadly. And controllers can’t do that, that is not their field. They can think very small, that is what they are good at.” – Manager Z
The controller of department Z is positioned closer to the department than the controller of department X, which seems to be of influence on this different view of the involvement of the controller in strategy
and strategic risk management. Next to that, managerial characteristics also play an important role here.
The manager and the medical head are responsible for their department, also for the financial status of it. It is therefore up to the manager how much he or she wishes to involve the controller in their departmental activities, and thus also into strategic risk management. Controller Z mentioned that with the previous manager at the same department, he/she was less involved in strategic risk management than with the current manager. Next to personality traits of the manager, organizational politics were also an important reason.
“… could well be that a controller is deliberately kept away. Because if a controller is being difficult, then one may not get as much done as one would like. I think the current manager [of this department]
sees the added value of involving the controller, because he says that he’s not a financial and needs someone to watch along, advise and think along in that way. That is different for each manager, of course.” – Controller Z
“We have a very political organization. Maybe that is the way it used to be, I don’t know that. But money here is really a political issue, and not a hard cash topic. And I find that very annoying, because if you want the departments to be completely transparent, then you as an organization must also be completely transparent in the choices that you make.” – Manager Z
As said, it is up to the manager to involve the controller in strategic risk management, since strategic risk management for the department is mainly his responsibility. Another way through which the controller is involved in strategic risk management is through the planning and control cycle (P&C cycle). The yearly budgets for the departments are made around the summer. First, the sales budget is put together, where the controller is involved in the translation of the strategy of the department to financial numbers. After that, the cost budget is composed, where the controller is involved in how the strategic plans of the department can be achieved with the resources available. Next to that, this year there has been started with making multiple-year budgets. Since controllers predominantly have a financial function in the UMCG, it is through the P&C cycle that they are highly involved in estimating risks of strategic plans.
Related to the P&C cycle are the T-reports, which are the trimester reports. Some interviewees indicated that these T-reports also form a reason to think about strategic risks, as these T-reports include a risk section. In drawing up this section, managers and controllers interact to think about, among others, strategic risks and their impact on the department and the UMCG. These reports thus form a means for managers and controllers to interact, discuss, and think about strategic risks.
“The T-reports, those are for me also an important risk measure. […] the risk section is important, because it forces you to think. That is the nice part about it. By asking yourself that question, it forces you to think about where your risks are. And that is something that we do too little. So, we are busy
managing risks all day, but standing still and looking a bit further, and saying where do I detect a problem, that is something we should do more often.” – Manager X
The involvement of the controller in strategic risk management is also related to external pressures.
Politics, financing, laws and regulations, and the demands of patients all shape the way strategy is chosen and executed, and have influence on how a controller is involved within strategic risk management.
Since the scope of the role of the controller within the UMCG is mainly finance, the controller is involved when it comes to financial risks to strategy. The controller is in this way mostly involved in strategy formulation and strategy execution in relation to the resources the UMCG has at its disposal, and in what way strategy may form risks for these resources. One manager stated:
“A health insurer is really powerful. And they also have less money to spend. Because if it were up to the UMCG, we would do every treatment with every patient with the most beautiful techniques. But then, within three years we would be three times as expensive. We could very well do that, but we also know that within three years no euro has actually been added. So, that is not possible, and then you have to make choices with that new world, and there you have risks. And you also have risks if you are no longer going to do things. And there you need control.” – Manager Z
“Well, strategy. Change your course, because that is what we do and what we actually get imposed by the authorities. You don’t think of it all by yourself. The IGJ [Inspectie Gezondheidszorg en Jeugd] has an opinion on the UMCG, and on our role and function within healthcare. And the insurers also have an opinion on our role. Thus, strategy is also imposed on you, you don’t think of it all by yourself.” – Manager Z
And, related, a controller stated:
“… from the UMCG, we get the message; please note, high-complex care is our long-term objective. At the same time, we have a healthcare agreement that has a turnover ceiling. This also means we have a cost ceiling, which means that we have limited resources. Normally speaking, it is actually the case that because the healthcare agreement has received an indexing at best in the recent years, none of the departments could grow. So that is the message in general sense that we get; we don’t have more resources, so growth is not possible.” – Controller W
Strategy formulation
In the formulation of the strategy, all interviewees pointed out that a controller cannot be involved in the formulation of the strategy from the beginning. The main reason for this is that the strategy of a hospital can only be determined by the medical specialists, and that a controller lacks knowledge of these primary processes. When asked what role a controller played in the formulation of a department’s strategy, a controller replied:
