Risk management: the management accountant as a risk
or as a controller of risk
Elske Hof
S2737841
j.e.hof.1@student.rug.nl
Lecturer: prof. dr. ir. P.M.G. van Veen Dirks
01/21/2019
Word count: 11.989
MSc Business Administration – Organizational & Management Control
Faculty of Economics and Business
Abstract
Risk management has been an important focal point for any business, and while it received increased interest in the last decades, the world experienced the financial crisis of 2007-2009. Ever since, risk management itself has been analyzed from several perspectives. However, the involvement of the management accountant within risk management has received relatively little attention. In this case-study of IPG Mediabrands NL, a subsidiary of Inter Public Group, the role of the management accountant in risk management and the consequences of this involvement in the service sector are discussed. By means of interviews, internal documents and observations the role of the management accountant and the culture towards risk management are studied. I discovered that their role focusses on compliance and control and the culture is quantitative enthusiastic, which is strongly influenced by the parent organization. However, when circumstances allow, the management accountants, include quantitative skepticism in their approach. I found a possible link between the role of the management accountant and culture towards risk management. I argue however that transparency distinguishes the service sector from other sectors. My research also highlights that the management accountant does not experience a tension, or dilemma, in performing on the one hand their role as compliance and control expert, and on the other their activities regarding risk management.
Introduction
Risk management has been increasingly embraced by organizations across the globe (Hayne & Free, 2014). Risk has received attention in academic circles, in business, the accounting profession and in the media (Bhimani, 2009; Huber & Scheytt, 2013; Soin & Collier, 2013). As a result, organizations have increasingly organized their practices around controlling risks (Soin & Collier, 2013). Moreover, the role of the traditional risk manager has shifted from a mainly financial and legal perspective towards a company-wide perspective (Gates, 2006). Risk management has been used by organizations in their search for legitimacy instead of being embedded into the strategic decision-making process (Power, 2009; Viscelli, Hermanson, & Beasley, 2017; Mikes, 2009). According to Soin and Collier (2013) three factors have influenced the interest in risks and managing risks: the increased interest in corporate governance, the regulations that focus on internal control mechanisms and increases of media scandals. Despite the increasing role of risk management over the years, the world experienced the financial crisis of 2007-2009. This crisis has demonstrated shortcomings of risk management on a large scale (Huber & Scheytt, 2013). There were several big risk management failures, such as the Citigroup which had ineffective risk oversight over their organization (Hall, Mikes, & Millo, 2015; Mikes, 2011).
According to Mikes (2011), the role of risk managers in corporate governance is growing. Corporate governance is associated with the concept of risk and has been linked to internal control (Spira & Page, 2003). Internal control is about identifying, assessing, treating and monitoring risks as well as the effectiveness in managing risk. According to the literature, the roles of management accountants include developing and implementing risk management and internal control (Collier, Berry, & Burke, 2007; Giovannoni, Quarchioni, & Riccaboni, 2016; Lambert & Sponem, 2012). On the one hand, the management accountant is expected to focus on compliance and control, while on the other hand, the management accountant is expected to provide operational managers with relevant information for decisions (Lambert & Sponem, 2012; Friedman & Lyne, 2001; Mikes, 2008). These two different roles could create a conflict of interest for the management accountant, the so-called independence dilemma (Mikes, 2008; Giovannoni, et al., 2016). As such, we can make a distinction between the two roles and the focus of these roles.
accountant. As the management accountants role within the organization is growing, it is currently unclear what the consequences are of the tension between independence and involvement (Mouritsen, 1996). Moreover, Lambert & Sponem (2012) suggests that combining independence and involvement of the management accountant within the organization is hard to achieve. This situation arises when the management accountant is both compliance and control expert and business partner. So far, few studies investigate the consequences of this management accountant’s dilemma. Within risk management a similar distinction can be made, as the literature describes a calculative approach and a management control approach. The current literature argues that the calculative approach is shifting towards a management control approach, resulting in a focus shift from only the numerical towards a company-wide perspective. These two perspectives are described by Mikes (2009, 2011) as quantitative enthusiasm and quantitative skepticism, where the first centers on numbers and the second on a company-wide perspective.
Focused research on the effects of risk management and the consequences of the management accountants actions within an organization has gotten little attention (Soin & Collier, 2013). There are some reports on risk management in the financial sector (Mikes, 2009, 2011; Giovannoni, et al., 2016). Additionally, there is a little bit of focus on the organizational dynamics of enterprise risk management (ERM) (Arena, Arnaboldi, & Azzone, 2010), the interdependence between risk management, corporate governance and management accounting (Bhimani, 2009), reputational risk (Power, Scheytt, Soin, & Sahlin, 2009), the interrelation between risk and budgeting (Collier & Berry, 2002), the interrelation with other aspects of a business (Scheytt, Soin, Sahlin-Andersson, & Power, 2006) and two applied studies by Wahlström (2009) and Woods (2009). Soin and Collier (2013) also argue that the interrelation between management accounting and risk management is not understood. Little is known about the effect of the actual management of risk within organizations or the effects for risk management (Soin & Collier, 2013). Moreover, Bhimani (2009, pp. 3, 4) argues “the relationships between management accounting, corporate governance and risk management have been addressed only to a minimal extent in the academic literature” and “the particularity of risk management characteristics in specific organizational settings has not to date been the subject of vast research”. Additionally, Byrne and Pierce (2007) argue that previous research has focused on the manufacturing sector and it would be helpful to look into an organization within the service sector. For the future it will be beneficial to study risk management characteristics within the institutional context of an organization (Soin & Collier, 2013; Goretzki, Strauss, & Weber, 2013).
specifically, I will look at the role the management accountant has as compliance and control expert or business partner and the culture towards risk management within the manager’s organization. Thus, I pose the following research question:
“What are the consequences of the involvement of the management accountant for risk management as well as the role of the management accountant in the organization, and is this role interconnected to the organization’s calculative culture towards risk management?”
First, by answering the research question, I will contribute to the independence-involvement discussion regarding the role of the management accountant (Lambert & Sponem, 2012; Mikes, 2008; Giovannoni, et al., 2016). Secondly, I try to connect the two different roles of the management accountant to the calculative cultures of Mikes (2009, 2011), to extend our knowledge about risk management and the role of the management accountant herein. The possible link between the role of the management accountant and the calculative culture enables organizations and researchers to understand why risks are managed in a certain manner and how the management accountant influences this. Thirdly, I try to broaden our knowledge in the field of risk management by researching another setting than the manufacturing and banking sector about the role of the management accountant. This is important because there is the notion that different sectors might exhibit different practices of managing organizational risks (Giovannoni, et al., 2016; Bhimani, 2009; Byrne & Pierce, 2007; Lambert & Sponem, 2012). Finally, as I will do a case study within an organization, it will extend the knowledge about the role of the management accountant in their environment within the organization.
Literature Review
In this section an overview of the existing literature, related to the role of the management accountant and risk management is given. It starts with a short overview of the literature on the role of the management accountant. This is followed by an overview on risk management. Finally, the management accountant will be further discussed and the calculative cultures towards risk management. In the last part of this section I will connect the different parts and discuss my expectations based on the literature.
Overview of the role of the management accountant
& Lyne, 2001; Lambert & Sponem, 2012; Chang, Ittner, & Paz, 2014). In the article: “Role conflicts of management accountants and their position within organization structures” Hopper (1980) already discussed the two roles and concluded that the management accountant will take the role which corresponds with the expectations of the environment. Mourtisen (1996) has extended the research and argues that the management accountant will adapt to the expectation of the environment. Consequently, it is about the interplay between the management accountant, the qualifications of the management accountant and the organization itself.
Risk management
Over 50 years ago risk management was mainly regarded as a mechanism for cost control (Gallagher, 1956). The predominant view in the early research on risk management was that risks were manageable (Spira & Page, 2003). Therefore, the assumption arose that risks could be measured, and it was possible to develop strategies and models to avoid or protect an organization from these risks. However, due to several failures in risk management and the financial crisis of 2007-2009, changes within the risk management practices arose and the models developed for managing risks were blamed for triggering the financial crisis (Huber & Scheytt, 2013; Millo & MacKenzie, 2009). Subsequently a new definition of risk management emerged in the literature. Giovannoni et al. (2016, p. 109) define risk management as processes and techniques both explicitly aligned with mechanisms of internal control (Spira & Page, 2003) and fully integrated with operational activities and corporate strategies. Thus, in the post-crisis environment, the embeddedness of risk management in all organizational aspects becomes more important (Collier & Berry, 2002).
Corporate governance and the management accountant
are considered, for example by granting a bonus based on preset earnings goals to management. Thus, the expertise of the management accountant in relation to compliance and control is valued by the shareholders as they monitor their investments. However, the management accountant as business partner is valued by the management, since they provide them with information to meet earnings goals. As a result, both the shareholders and the organizational management depend on the management accountant for transparency and fair and truthful presentation of the financial data (Lambert & Pezet, 2011). These additional aspects of the management accountant role change the profession as a whole.
Transparency regarding the effective utilization of the control mechanisms within the organization is becoming essential for organizations (Bhimani, 2009; Lambert & Pezet, 2011). Since this is the responsibility of the management accountant, their role as compliance and control expert becomes more important; showing transparency to the external environment is ever more relevant (Bhimani, 2009). Because of this, management accounting, corporate governance and risk management are becoming increasingly intertwined and interdependent (Bhimani, 2009; Spira & Page, 2003). That being the case, there still is no clarification in the literature what this means for the management accountant. Previous studies looked at different participants within risk management, such as directors, risk experts, top managers and management accountants in banking (Giovannoni, et al., 2016; Mikes, 2011). The developments on the macro-level but not the micro-level have been discussed but no studies have investigated the influence of individuals’ perception towards risk management as well as risk management within different organizational settings (Giovannoni, et al., 2016; Goretzki, et al., 2013). Overall, knowledge about individual actors and their changing roles is scarce (Goretzki, et al., 2013).
Calculative cultures of risk management
The second approach has a culture of quantitative skepticism, where risk managers provide top management with relevant information regarding strategic decision-making. Within this approach risk managers take numbers as indicators towards a certain trend and emphasize the underlying risks of a trend (Mikes, 2009, 2011). This approach assembles what we know as ERM and has increased rapidly (Mikes, 2009, 2011). “ERM is a board-supervised process that aims to identify, evaluate, and manage all major corporate risks in an integrated framework” (Gates, 2006, p. 81). In this situation the management accountant combines initial risk measurement with experience and intuition. Management accountants who approach risk management in this way, lack analytical mystique, however they blur the boundaries between themselves and other parts of the organization (Mikes, 2009, 2011). Consequently, the management accountant can influence others in their decision-making and grant themselves more power (Mikes, 2009, 2011). Their experience and intuition provide expertise and secure their position. This allows the situation as described by Arena et al. (2010, p. 672) where management accountants find and create their own space within the organization.
Power (2004) noted in his book “the risk management of everything” that the rise of ERM could be seen as an explosion of different risk management practices for every social phenomenon. He argued that if organizations hold on to expanding performance measurement, even in areas where human judgement is needed, then risk management is likely to be dysfunctional (Power, 2004). This is in line with Berry, Collier and Helliar (2005) who argued that as the degree of prescriptiveness and dependency on controls increases, the risks may increase instead of decrease and control is lost as seen during the 2007-2009 financial crisis. They further argue that this may result from the turbulent environment with numerous control mechanisms, making it difficult for management accountants to react in a flexible way.
Soin and Collier (2013) argue there is a shift within risk management from quantitative enthusiasm towards quantitative skepticism. Consequently, risk management is moving more towards enterprise-wide strategies, which complicates the role of management accountants. Power (2004) argues that risk management is becoming integrated in management accounting, leading to a more proactive role in risk management (Burns & Baldvinsdottir, 2005). Baldvinsdottir, Burns, Nørreklit and Scapens (2010) argue that management accountants might be entering a new phase combining all these roles. Management accountants today spend far more time as a business partner and less on data analysis or organizational policy (Burns & Baldvinsdottir, 2005). As compliance and control expert management accountants are expected to ensure fair financial data and compliance with the procedures and policies (Sathe, 1983). As business partners, they should deliver high-quality information for strategic decision-making. Organizations depend nowadays more on strategic decision-making for their financial performance, resulting in increased power of management accountants as found by Lambert & Sponem (2012).
Based on current literature, it could be argued that the roles of management accountants as compliance and control expert or business partner influences their approach towards risk management. I expect that when the management accountant’s role is mainly focused on the compliance and control practices, they would approach risk management in a more quantitative enthusiastic fashion. Both strategies are focused on numbers and models; the management accountant needs to ensure fair data, and that controls are in place. Based on models, data and controls decisions are made for the organization as well as for risk management. Hence, when a management accountant sees her or his role as a business partner, they approach risk management in a more quantitative sceptic way, blurring the boundaries between themselves and the rest of the organization. They are able to provide decision makers with important information and can influence the decision-making process through their position as important informational sources. In addition, the consequences of the involvement of the management accountant for risk management as well as their role will be researched. Furthermore, I expect the management accountants’ function within the organization to also depend upon their specific interest, their expertise and power. This is summarized in figure 1.
To explore this expectation, it is important to observe the management accountant at their workplace because it enables me to observe the calculative culture as described by Mikes (2011). Therefore, I will study the management accountants within their own organization, at the micro level, to document the consequences of involvement in risk management as well as their role within an organization.
Research Method
This section describes the method used for this research. I explain why I selected my case, what kind of organization I have selected, and I describe how I have analyzed the data collected from my case study. The next section will present the findings I derived from my data.
Research site
For this study I selected the organization IPG Mediabrands NL, hereafter Mediabrands. The organization was chosen for two reasons. First, I had the opportunity to work within the organization one day a week, giving me the possibility of observing while working. Additionally, I was able to collect information within the organization more easily since I was known and had close contact with the management accountants and the finance director. The management accountants within the organization are called group controllers and controllers. The second reason is that Mediabrands is a fairly large organization with over 400 staff members. Mediabrands works in a very dynamic sector where transparency is becoming more important and a comprehensive control system is in place. Furthermore, the organization can not completely control their business activities because they are in the service sector and their core business dependents on people. That makes it very interesting to research how they set up their compliance and control and risk management. Next, I will describe what kind of organization Mediabrands is and how it is designed.
framework describes the controls, how they should be performed and by whom. It also states for what label, when and who has to review the functioning of the controls.
The structure of the organization is divided into a front-office and a back-office. Each label has its own office, which performs core business tasks of the organization. The responsibility of the front-office is client contact. They provide clients with all their marketing needs. This could be for example the marketing strategy to execute, the production of an advertising commercial or methods for increasing data traffic on their websites. Labels have their own discipline within the endless possibilities of marketing. The back-office is a shared service center and works for all the labels. It consists of the finance department, the controlling department, IT, credit management and legal support, all headed by the Finance Director (FD) and the Chief Financial Officer (CFO). In figure 2, a graphical representation of the structure of the back-office, I have specified the department of controlling because the management accountants within the organization are part of that department.
Figure 2 – Organogram back-office Mediabrands
specific label, while the group controllers are expected to oversee the whole organization. Moreover, the group controllers are ultimately responsible for the financial data reported. The FD is responsible for the functioning of the department controlling, business analyst and finance. Furthermore, the CFO is responsible for everything which is financially related within the organization. This includes the responsibility for financial data, clients contracts, contact with the headquarters in New York and related responsibilities.
Data collection
The use of qualitative research is justified because it enables me to study the management accountant within their own environment in which they perform their activities (Denzin & Lincoln, 1994). As previously stated, the management accountant adapts to the expectations of the environment. Studying the role of the management accountant within their own environment will contribute to finding an answer to the research question as stated in the introduction. In this research I will use primary and secondary data. I will collect primary data through interviews. The aim of the research is to link the roles of the management accountant with the cultures of risk management identified in the literature. Furthermore, I want to research the consequences of the different roles and cultures for the management accountant and risk management. For the interviews I used a questionnaire but also listened to issues the management accountant experiences and asked in-depth questions about those issues to get a comprehensive understanding (Tillmann & Goddard, 2008; Ritchie & Lewis, 2003). Additionally, internal documents, such as the SP&P’s and Open Pages, were analyzed as a source of secondary data. Furthermore, I was present at the company one day a week and made observations. Different sources of data were used to strengthen the grounding of the theory, i.e. triangulation (Eisenhardt, 1989; Baxter & Jack, 2008). That is, the triangulation made possible by multiple data collection methods provides stronger substantiation of the constructs (Eisenhardt, 1989, p. 538).
al., 2012). To control for internal validity, rival explanations are considered, negative evidence will be accounted for and areas of uncertainty are going to be reported (Miles, Huberman, & Saldana, 2013). Finally, to control for external validity, Miles et al. (2013) argue it would be preferable to check the outcomes in a comparable setting but because of time constraints this will not be an option for this research. However, I describe the process for obtaining data such that the outcomes and conclusions could be replicated in comparable settings.
Data analysis
I have recorded the interviews and transcribed them afterwards for analysis. Baxter and Jack (2008) argue that to enhance the overall study quality or trustworthiness data should be collected and managed systematically. I used Atlas.ti to manage data and code transcripts. Atlas.ti supports structuring of huge amounts of raw data gathered during interviews. Muhr (1991) states that Atlas.ti supports researchers in the process of interpretation of interviews. Codes are important parts of studies to classify and order data (Miles & Huberman, 1994). The coding process will be both deductive and inductive. The deductive codes arose from the literature. Examples include the two calculative cultures of Mikes (2009, 2011): quantitative enthusiasm and quantitative skepticism. The indicative codes will emerge from the data (Corbin, Strauss, & Strauss, 2014), an example is role assistant controller. Because of staff changes, one of the respondents was still performing activities of her former role. At first, I did not take this into account, but it became clear during the interview. The analysis of the SP&P’s, and Open Pages will be done in a way to check the information provided by the interviewees. In the finding section I will report the outcome of the analysis of the primary and secondary data.
Findings
The findings will be presented in the following order, first I describe the role of the management accountant within Mediabrands. This will be described (i) from the perspective of the controllers, (ii) the group controllers, (iii) the FD and (iiii) the CFO. Similarly, in the second paragraph I describe the observed calculative culture towards risk management and the involvement of the management accountant herein. In the last paragraph I describe my findings on the consequences of the involvement of the management accountant in compliance and control as well as in risk management. Finally, I will present my findings in relation to the existing literature on this subject in the discussion.
Role of the management accountant
and complete. No big difference was observed between the description the group controller or the controllers gave about their role. This similarity is illustrated by the following quotes:
“… as a group controller I am responsible for the fact that the financial data is fair and complete” – GC2 and “In principle the basis is to report fair and complete financial data towards IPG” – C3
One controller mentioned that her role was more operational since she has been promoted but still needed to transfer her former role as assistant controller onto the trainees. The trainees are recent hires, so this process is still ongoing. Not only the (group)controllers argue that their role as management accountants is to ensure the financial data is fair and complete; this is also in accordance with the answers of the FD and the CFO.
“Very theoretically, I expect them to report the financial data in an accurate and complete way. That we have the right reports and have them timely” - CFO and “That they report in a correct and complete way” - FD
However, if we look further into the role the (group)controllers have within the organization there is a distinction between the two different functions described above. Whereas controllers are expected to know details about the label or labels they focus on, the group controllers are expected to oversee their part of the organization, consisting of multiple labels. The FD describes it as follows:
“Controllers should be more informed about the details. And the group controllers more about selecting the important things which need an extra look. Or which are subjected to strict regulation.” - FD
front-office to ensure the financial data is correct. When the financial data is incorrect, they have to go back to the source: the front-office staff responsible for filling clients’ procuration data. A procuration is a proposition for a client about the marketing budget and it has to be signed by the client before a campaign can start. Procurations are the basis for the financial data and the responsibility of the controller. In other words, this is a continuously process within the organization:
“…you are constantly discussing with the people from the front-office but if I really need to choose, I would be more on the compliance and control site” – C1
Although the controllers contact the front-office more frequently, still controllers and group controllers see themselves as the compliance and control expert. So, both provide the front-office with information. However, they all agree the focus should be on the fairness and completeness of the financial data. One described the process of providing information if necessary, in a very clear way:
“Well first of all it is about controlling and if something is not right you will have to go back. Because if the numbers are right, I do not need to provide them with information” – GC2
The information provision towards the front-office is important to make sure the financial data is complete. When something is incorrect, it has to be fixed and communicated towards the front-office avoiding future issues. The influence of the front-office on the financial data is extensive. They need to make a procuration for every project they execute; these are the basis for clients’ invoices. Billing clients is automated thus the front-office is actually responsible for the amount’s clients are billed. This makes sense looking at the quote mentioned above, since if the front-office functions accurately, the billing process will go as supposed and the financial data will be correct. But if the front-office does provide the systems with inaccurate amounts, clients receive incorrect invoices.
“I will give the actual financial data and costs that have been made but you have to take the decision by yourself” – GC1 and “… they will use the report as input to look if they can make more profit, and where that profit will come from. […] so yes, I have a supporting role” – C3
However, the department of controlling is involved in decision-making when it concerns compliance and reporting. Because of the following:
“… if it is about how we report in a financially correct way within the rules of IPG, or if there is a constrain within the policies then they definitely will be involved” – CFO
These decisions are related to the responsibility of the (group)controllers in contrast to the decisions operational managers often make. An example is one of the controllers who is responsible for updating EYE, a tool controllers use to report clients’ revenue. To present revenue accurately, it is important that billable hours per client are coded correctly based on type of work, thus clarifying where revenue comes from. The controller who is responsible for reporting data in EYE is also involved in the decision-making process regarding codes:
“Yes, I am involved in the decision-making process regarding the work codes. Because of EYE, since that is something which is my responsibility” – C2
Besides the tools available, the front-office gathers information through contacting the FD. She has a central position within the organization and knows the organization intimately and seems easy to approach by the operational managers. Consequently, when people need information from the department of controlling, they often turn to her:
“Apparently because I respond alertly or because I am kind or because I know more about what is happening in the rest of the organization” - FD
The CFO is responsible for all the financial issues and ensure political issues are handled so the controllers and group controllers can focus on their work. An example is updating headquarters in New York about financial data in relation to targets which have been set. Because IPG is very centralized, they want updates on how the subsidiary is performing in an extremely detailed way and any budget deviation has to be reported and justified. In this way they want to keep control over the subsidiary. In Open Pages all the controls are described in detail, including the control activity, the test steps and the accounts which effect the control. Furthermore, there is a notation to which SP&P the control belongs, whom must perform the control, when it’s done and who reviews it. Additionally, the applicable label is noted. The (group)controllers need to certify they perform the control, and this is audited by internal auditors for execution and accurately. All these controls together ensure correct and fair financial data and the controlling department works according to the SP&P’s.
“Well it is part of my daily work routine with the financial data. Because the controls are actually based upon the SP&P’s, so I think I am busy with checking the controls and checking the financial data in accordance with the SP&P’s about 75% of my time” – GC1
To sum up, IPG as well as the controlling department are very focused on the compliance and control practices. This is seen within the very comprehensive SP&P’s, Open Pages as well as the answers from the (group)controllers, the FD and the CFO in the interviews. Because of this the role of the management accountant within the organization could be described as compliance and control expert.
Calculative culture towards risk management
The observed culture towards risk management within the organization, wherein the management accountant is involved, is focused on financial risk. The risk management policies are centralized and determined in New York where the Chief Risk Officer (CRO) is responsible for the policies of the whole group. IPG provides a very comprehensive description of all policies and its execution.
“Actually, we always let ourselves be guided by what IPG wants” – GC2
The culture of risk management of IPG is very comprehensive and strict. IPG wishes to exclude almost every risk. They are very risk averse and wish complete control to ensure risks are managed. However, if we look into how the respondents describe the risk management within my case organization, they approach risk management in a slightly different way. The goal is to comply with the parent organization, within reason.
“I think that if you would be compliant in every way IPG wishes then almost every risk is being excluded” – FD
The case organization has gotten some exceptions from IPG after they argued that certain controls were not applicable. For example, IPG does not allow their subsidiaries to have cash. However, Mediabrands is allowed cash as a distinct exception because one of the labels, which was acquired about 2 years ago, was used to working with cash.
“… we are not supposed to have cash. […] we do have exemption for it however we need to make a request every year and then it is allowed by God’s grace. However, in principle cash is not allowed by IPG, risk excluded” - FD
Furthermore, according to the SP&P’s, no undocumented transactions are allowed, meaning that for every transaction a receipt has to be present. Some staff hand in receipts late, leading to an undocumented transaction, which the rules prohibit. However, in reality, these kinds of situations are almost unavoidable and are accepted through the department of controlling.
As indicated before the responsibility of the (group)controllers is to make sure the financial data is complete and correct. Every post on the balance sheet is checked for deviations. If they even have the smallest premonition something on the balance sheet is not right, they will look into it to make sure the financial data will be complete and correct. So, the numbers are a very important indicator for the (group)controllers.
Consequently, (group)controllers act on intuition when looking at the balance sheet, or a certain post of the balance sheet, giving this a role in the identification of incorrect financial data. So, the financial risks within the organization are covered based on the financial data and the feeling a (group)controller has about this data.
“…you have a certain expectation based on your experience so that is why I think that I follow my intuition in risk management. What can go wrong? I will think in scenarios, if this goes wrong what kind of influence will it have” – GC1
However, the (group)controllers do not want to be involved in strategic decision-making. There is a clear line for the (group)controllers to what extend they should be involved within a decision-making process. Therefore, they only provide top management with information. They describe their role within those processes in a very clear way:
“Not the operational or the strategic decisions, for example about clients I do not have that knowledge. Because I don’t have the knowledge and the stakeholders involved are very specific and sometimes even complex. [..] I don’t have the experience, I do know what is in our books and how I should organize that part” – GC1
They are very aware of the knowledge they have and the role they want to have within the organization. IPG has designed a culture wherein the (group)controller fulfills her or his role. Within the culture there is a clear segregation of duties and the people around the (group)controllers make sure that they can perform their role as good as possible.
“Part of my job is to manage the political network and to keep that away from the controllers and other people within the organization, so they can focus on their responsibilities” - CFO
understand the importance of complying. At this point characteristics from both cultures described by Mikes (2009, 2011) arise.
Consequences of involvement for risk management and the role of the management accountant
In this section I will describe how the management accountant experiences their role combined with risk management. None of the respondents experiences a tension in performing these different roles. Most of them even argue you cannot see them separately.
“… your compliance and control are IPG driven. Your risk management is also IPG driven, since IPG has policies for everything” – CFO and “… as I said before, the controls are based on the risks, so they are based on the financial data” – GC1
The role they have is focused on compliance and control and because they are involved in compliance and control, they are also involved in risk management, since this is the way IPG designed it. Moreover, the policies, which are translated into controls for risk management, are determined from above. The respondents cannot influence the policies themselves, they are executing the policies and making sure the organization is in compliance with IPG.
“We are part of IPG and IPG has a lot of compliancy elements” - CFO
Due to the strictness of the policies for both activities the (group)controllers do not have a lot of leeway to fill in the way of reporting or the way risks are managed. They are trying to be quantitative skeptic where possible but are forced to work in a quantitative enthusiastic culture. As IPG established the role of the management accountants, the (group)controllers are performing both activities. The (group)controllers argue there are more gains than losses doing both activities. One respondent argued for example:
“You cannot execute risk management if you do not understand the processes and the financial data. Because the financial data is the end point and your risk management is more the starting point, so you need the two of them to understand the process” – GC1 and another respondent said the following: “I think it is pretty logical to make the controller responsible since they are one of the few who recognize the risks within the organization” - FD
tasks supports them in managing risks. Although, as mentioned before risk management is mainly financial within the organization. Due to this financial oriented way of managing risks the (group)controllers are very valuable within the process. Furthermore, it is not seen as a risk to involve the (group)controller in control practices and risk management. This is illustrated by the following quote:
“I do not think it is a risk that the controlling department is very involved because it is the way IPG has designed it” – CFO
In other words, the (group)controllers do not experience a dilemma between performing both roles. They see more gains than losses being involved in both and argue the roles are complementary. Consequently, it is also not seen as a risk because the (group)controllers are audited by IPG and PWC it seems very unlikely they are able to grant themselves more power.
Discussion
Within Mediabrands it is clear the role of the management accountant is focused on compliance and control. All the respondents argue their main responsibility is reporting fair and complete financial data. The group controllers and controllers provide operational managers with information relevant for decision-making but are not involved in the decision-making process itself. There is a very clear line for them of what knowledge they have and what knowledge they lack, thus they are very clear where they want to be involved. This illustrates that they are not seen as business partner, by themselves or by the organization. The controllers are more closely related to the front-office compared to the group controllers. They have more contact with the front-office to collect data for the representation of the financial data, such as what the status is on a project to determine when to recognize revenue. However, they collect information and only occasionally provide information, but don’t take decisions. Therefore, neither controllers and group controllers are seen as business partners.
The strictness of IPG comes through in the way risk management is organized. The culture towards risk management is influenced both by the strictness and the way the management accountants’ function is formalized. Currently, the focus of their risk management deals with financial risks. Whereas Soin and Collier (2013) argued the interrelation between risk management and management accounting is not understood, I argue based on my findings that the management accountants are some of the few within an organization who actually know the risks.
I expected that management accountants with a compliance and control expert role would approach risk management in a quantitative enthusiastic way. I observed some characteristics from this culture as IPG sets out the framework to be executed and followed in the different subsidiaries. This framework is very comprehensive and could be seen as a model to be followed, so called box-ticking. With the framework IPG wants to control for every possible risk the organization could have. This fits in what Mikes (2009, 2011) describes about the quantitative enthusiastic culture where first-order measures are being expanded to create a degree of organizational control. This ‘box-ticking’ process does not affect the daily operations (Soin & Collier, 2013). However, I argue that within Mediabrands daily operations are affected by risk management. In the first place because the management accountants take the financial data as a starting point but also take their intuition into consideration. Intuition is part of the quantitative skeptic culture, where the emphasis is on the underlying trend of data. Furthermore, the management accountants try to manage risks in a quantitative skeptic way as much as possible. However, the influence of IPG is extensive and does not give a lot of leeway to the management accountants. As a result, the culture towards risk management is mainly quantitative enthusiastic. The models for managing risks have to be followed. Thus, the degree of control within the organization is high.
For an organization with a high degree of control, Berry et al. (2005) argued that risks may increase instead of decrease. However, I argue based on the interviews and my observations the organization has a lot of controls but still can react to unexpected situations. The department of controlling is really working as a team to make sure the organization is not lost in the many controls present. Furthermore, Berry et al. (2005) argued that a lot of controls are hard to manage when an organization is acting in a turbulent environment. The environment of Mediabrands is very turbulent, as marketing is really a people business and you have to trust your own employees but also the clients. Transparency is becoming more important within this business as argued by the CFO, which is in accordance with the statement by Bhimani (2009). He argued that showing transparency to the external environment is more relevant than it has ever been. I argue that one of the differences between a service industry organization and a manufacturing organization is the growing importance of transparency, as illustrated by the following quote:
“… we are in the middle of the whole transparency discussion, with all the different services we offer to clients we have a lot of places where something can go wrong. In comparison to a company I have worked before, which is also a big multinational, we produced all different kinds of products. [..] which is from a finance and compliancy and control perspective very simple” – CFO
As such, the (group)controllers are very important within the process of being and becoming transparent. They are able to make the accounting of the organization transparent, which is difficult since they are working with hours instead of products. In accordance with Spira & Page (2003) I found that showing transparency to the external environment makes the role of the management accountant and risk management increasingly intertwined. Thus, the management accountants are important because they are the ones within the organization who recognize risks as argued by the FD. This is in accordance with the work of Burns and Baldvinsdottir (2005) as they found that a management accountant today is spending more time on risk management. Because they are one of the few who see the risks of the organization, they are spending time on managing risks as risk management is becoming more and more important.
from the rest of the organization by chasing the goal of fair and complete financial data. I think the background of these people really influences their way of working. This is in accordance with the study of Goretzki et al. (2013, p. 59): “… a role is not merely ‘God-given’ but arises as a product of purposive actions of actors that have particular interest”. Besides this, they make sure risks are being managed, and they do this without having a feeling that these two responsibilities are in contrast with each other.
In addition, I also argued that the management accountant could gain more power. Firstly, based on Mikes (2011) when displaying the quantitative skeptic culture as they “appear to have deliberately left the boundaries between themselves and the rest of the organization blurred and porous in order to influence decision makers in the business lines” (p. 227). Secondly, by using their expertise to secure their position within the organization (Spira & Page, 2003). Even though they do display some characteristics of this culture and are seen as the experts they cannot grant themselves more power. The segregation of duties which has been determined by IPG makes it impossible for the management accountant to gain more power. The management accountants at Mediabrands are audited every year by IPG besides the audit done by PWC. If they fail the internal audits, two or even four additional audits will be done. Whilst I expected the management accountant could grand her/himself more power the strong influence of IPG prohibited this. This is also confirmed by the following quote:
“In theory I agree with you if you are talking about a stand-alone organization. […] Because theoretically you are right that as a controller within risk management you can update and tweak your own policies” – CFO
It clearly indicates that my expectations regarding the management accountant granting her/himself more power when displaying the quantitative skeptic culture could be visible. Only IPG restricts the management accountant in doing so.
Conclusion
management is seen as part of the responsibility of the management accountant and as such their role and risk management are seen as complementary. Involvement in both activities gives the management accountant the ability to control the organization and be compliant with the policies. This is important as the involvement of the management accountants can help the organization to be transparent.
This research has some theoretical implications. The interrelation between risk management and management accounting was not understood (Soin & Collier, 2014). This research has revealed that the management accountant is one of the few who recognizes risks. As such, this could clarify the relation between the concepts. Furthermore, there is the notion that the way risks are managed dependents on the business sector (Giovannoni, et al., 2016; Byrne & Pierce, 2007). I found that within the service-sector transparency is important and influences how business is practiced. The management accountants’ actions are important factors in the process of being transparent. Next, there are some practical implications of this research. Organizations where risk is managed in a quantitative skeptic manner should make sure there are controls in place to restrict the management accountant gaining more power. Furthermore, organizations where the management accountant is expected to be involved as well as independent should ensure the balance between involvement and independence is kept through the segregation of duties.
A limitation of this research is that this study only takes the perspective of the management accountant within Mediabrands and does not take the perspective of the parent organization into account. Therefore, the issue is not illuminated from all sides as I only looked into the subsidiary and argue IPG strongly influences how Mediabrands functions. A second limitation is the number of controllers I interviewed: interviewing more controllers from the organization would have given a more comprehensive understanding. Unfortunately, due to staff changes I could not interview additional controllers.
References
Aken, J. E., Berend, J. J., & Bij, J. D. (2012). Problem solving in organizations – A methodological handbook for business and management students. Cambridge: Cambridge University Press. Arena, M., Arnaboldi, M., & Azzone, G. (2010). The organizational dynamics of enterprise risk
management. Accounting, Organizations and Society, 35(7), 659-675.
Baldvinsdottir, G., Burns, J., Nørreklit, H., & Scapens, R. (2010). Professional accounting media: accountant handling over control to the system. Qualitative Research in Accounting & Management, 7(3), 395-414.
Baxter, P., & Jack, S. (2008). Qualitative case study methodology: Study design and implementation for novice researchers. The qualitative report, 13(4), 544-559.
Berry, A. J., Collier, P., & Helliar, C. (2005). Risk and control: the control of risk and the risk of control. In A. J. Berry, J. Broadbent, & D. Otley, Management Control: Theories, Issues and
Performance (2nd ed., pp. 279-299). New York: Palgrave Macmillan.
Bhimani, A. (2009). Risk management, corporate governance and management accounting: Emerging interdependencies. Management Accounting Research, 20(1), 2-5.
Burns, J., & Baldvinsdottir, G. (2005). An institutional perspective of accountants' new roles - the interplay of contradictions and praxis. European Accounting Review, 14(4), 725-757.
Byrne, S., & Pierce, B. (2007). Towards a More Comprehensive Understanding of the Roles of Management Accountants. European Accounting Review, 16(3), 469-498.
Chang, H., Ittner, C., & Paz, M. (2014). The multiple roles of the finance organization: Determinants, effectiveness, and the moderating influence of information system integration. Journal of Management Accounting Research, 26(2), 1-32.
Collier, P. M., & Berry, A. J. (2002). Risk in the process of budgeting. Management Accounting Research, 13(3), 273-297.
Collier, P. M., Berry, A. J., & Burke, G. T. (2007). Risk and management accounting: Best practice guidelines for enterprise-wide internal control procedures. Oxford: Elsevier.
Corbin, J., Strauss, A., & Strauss, A. L. (2014). Basics of qualitative research. Thousand Oaks: Sage.
COSO. (2004). Enterprise Risk Management - Integrated Framework.
Denzin, N., & Lincoln, Y. S. (1994). Introduction: Entering the field of qualitative research. In N. K. Denzin, & Y. W. Lincoln, Handbook of qualitative research (pp. 1-17). Thousand Oaks: CA: Sage.
Eisenhardt, K. M. (1989). Building theories from case study research. Academy of management review, 14(4), 532-550.
Gallagher, R. B. (1956). Risk management: a new phase of cost control. Harvard Business Review, 34(5), 75-86.
Gates, S. (2006). Incorporating strategic risk into enterprise risk management: A survey of current corporate practice. Journal of Applied Corporate Finance, 18(4), 81-90.
Giovannoni, E., Quarchioni, S., & Riccaboni, A. (2016). The Role of Roles in Risk Management Change: The Case of an Italian Bank. European Accounting Review, 25(1), 109-129.
Goretzki, L., Strauss, E., & Weber, J. (2013). An institutional perspective on the changes in
management accountants' professional role. Management Accounting Research, 24(1), 41-63.
Hall, M., Mikes, A., & Millo, Y. (2015). How do risk managers become influential? A field study of toolmaking in two financial institutions. Management Accounting Research, 26, 3-22.
Hayne, C., & Free, C. (2014). Hybridized professional groups and institutional work: COSO and the rise of enterprise risk management. Accounting, Organizations and Society, 39(5), 309-330.
Hopper, T. M. (1980). Role conflicts of management accountants and their position within organisation structures. Accounting, Organizations and Society, 5(4), 401-411.
Huber, C., & Scheytt, T. (2013). The dispositif of risk management: Reconstructing risk management after the financial crisis. Management Accounting Research, 24(2), 88-99.
Lambert, C., & Pezet, E. (2011). The making of the management accountant - Becoming the producer of truthful knowledge. Accounting, Organizations and Society, 36(1), 10-30.
Lambert, C., & Sponem, S. (2012). Roles, Authority and Involvement of the Management Accounting Function: A Multiple Case-study Perspective. European Accounting Review, 21(3), 565-589.
Mikes, A. (2008). Chief risk officers at crunch time: Compliance champions or business partners? Journal of Risk Management in Financial Institutions, 2(1), 7-25.
Mikes, A. (2009). Risk management and calculative cultures. Management Accounting Research, 20(1), 18-40.
Mikes, A. (2011). From counting risk to making risk count: Boundary-work in risk management. Accounting, Organizations and Society, 36(4-5), 226-245.
Miles, M. B., & Huberman, A. M. (1994). Qualitative data analysis: An expanded sourcebook. London: Sage.
Miles, M. B., Huberman, A. M., & Saldana, J. (2013). Qualitative Data Analysis: A Methods Sourcebook. Thousands Oaks: Sage.
Millo, Y., & MacKenzie, D. (2009). The usefulness of inaccurate models: towards an understanding of the emergence of financial risk management. Accounting, Organizations and Society, 34(5), 638-653.
Muhr, T. (1991). ATLAS/ti—A prototype for the support of text interpretation. Qualitative sociology, 14(4), 349-371.
Power, M. (2004). The Risk Management of Everything. London: Demos.
Power, M. (2009). The risk management of nothing. Accounting, Organizations and Society, 34(6), 849-855.
Power, M., Scheytt, T., Soin, K., & Sahlin, K. (2009). Reputational risk as a logic of organizing in late modernity. Organization Studies, 30(2-3), 30-324.
Ritchie, J., & Lewis, J. (2003). Qualitative Research Practice. London: Sage.
Sathe, V. (1983). The controller's role in management. Organizational Dynamics, 3(11), 31-48.
Scheytt, T., Soin, K., Sahlin-Andersson, K., & Power, M. (2006). Introduction: organizations, risk and regulation. Journal of Management Studies, 43(6), 1331-1337.
Soin, K., & Collier, P. (2013). Risk and risk management in management accounting and control. Management Accounting Research, 24(2), 82-87.
Spira, L. F., & Page, M. (2003). Risk management: The reinvention of internal control and the changing role of internal audit. Accounting, Auditing & Accountability Journal, 16(4), 640-661.
Tillmann, K., & Goddard, A. (2008). Strategic management accounting and sense-making in a multinational company. Management Accounting Research, 19(1), 80-102.
Viscelli, T. R., Hermanson, D. R., & Beasley, M. S. (2017). The Integration of ERM and Strategy: Implications for Corporate Governance. Accounting Horizons, 31(2), 69-82.
Wahlström, G. (2009). Risk management versus operational action: Basel II in a Swedish context. Management Accounting Research, 20(1), 53-68.
Appendix 1
Interview introduction
First, thank you for making time for me to do an interview with you. I expect that the interview will take about one hour of your time. The purpose of my research is to find out what the consequences are for the management accountant to be involved in compliance and control as well as in risk management. Besides I want to research if there is a connection between the role the management accountant has within the organization and the culture towards risk management. I would like to point out that the data from the interviews will only be used for writing my thesis and quotes that will be used will be anonymous. Do you agree that I will record the interview?
General questions:
→ How long do you work for IPG Mediabrands Nederland? → Would you describe your function within the organization?
→ Would you describe the responsibilities that come with your function? → Could you indicate what the most important tasks are within your function? Questions (group)controller: role within the organization
→ Could you describe your role as (group)controller within the organization? → How do you make sure controls are functioning well?
→ How do you review if controls are functioning? Could you give an example?
→ Could you describe what part of your time you are reviewing the compliance with the standard practices and policies and reporting about this? Are there any other policies of importance?
→ Could you describe what part of your time you are analyzing and reporting financial data? → Could you describe what part of your time you are providing operational managers with
information? What kind of information do you provide and with what purpose? Ask deepening question; ask for examples
→ In your role as controller are you involved in preparing strategic decision-making? In what way are you involved?
Questions (group)controller: role within risk management
→ Could you describe how risks are identified and what your role and tasks are in this process? → How important is financial data within this process?
→ In what way are risks being reported?
→ To whom do you report about risk management?
→ Are you present when reports about risk management are discussed? What is your role in this process?
→ What kind of decision-making is based on the report(s)?
→ Does risk management directly influence the core tasks of the organization? Ask deepening questions; ask for examples
→ Does risk management directly influence the core tasks of your function? Ask deepening questions; ask for examples
→ Could you describe what you like about the current way risk management is performed within the organization and what could be done better or differently?
→ Do you as a controller look to the financial in the same way as you do in role in risk management? Ask deepening questions; ask for examples
→ Do you as a controller review your own advice which you have given in your role in risk management? Ask deepening question; ask for examples
→ Do you experience advantages performing controlling as well as risk management activities? → Do you experience disadvantages performing controlling as well as risk management
activities?
→ Are there any conflicts in performing both activities? Ask deepening questions; ask for examples
I have some theses I would like to discuss to check for myself if I understood your answers right: → Looking at your role as a (group)controller would you be someone who will look at the
numbers/models or intuition/sense?
→ Looking at your role in risk management would you be someone who will look at the numbers/models or intuition/sense?
→ Looking at your role as a (group)controller would you be someone who is evaluating the financial data or providing information towards colleagues
→ Looking at your role in risk management would you be someone who is evaluating the financial data or providing information towards colleagues
→ How do you collect information for decision-making? → What kind of decision are we talking about?
→ Does the (group)controller have a role in this? If yes, what kind of role? → What do you expect from a (group)controller within the organization?
→ What is the most important task from a (group)controller? → Are they an important source for information? → Are they involved in the decision-making process?
→ Do you see them as compliance and control expert or as a business partner? → Are you involved in reviewing the functioning of the controls?
→ How do you review the functioning of a control? Could you give an example? → Are you involved in reviewing the compliance with the standard practices and policies (open
pages) and the reporting about this? Are there any other checks which are important? → Are you involved in analyzing and reporting financial data? Ask deepening questions; ask for
examples
→ Are you involved in providing information towards operational managers (MD)? What kind of information do you provide and with what purpose? Ask deepening questions; ask for
examples
Questions CFO/FD: role of the (group)controller in risk management:
→ How are risks identified and what is your role and tasks in this process? → How important is the financial data within this process?
→ What other information is important for the identification of risks? → In what way are risks reported?
→ How do you see the role of the (group)controller within risk management?
→ Does risk management directly influence the core tasks of your function? Ask deepening questions; ask for examples
→ Does risk management directly influence the core tasks of the organization? Ask deepening questions; ask for examples
→ Are there advantages that the (group)controller is involved in compliance and control as well as in risk management?
→ Are there disadvantages that the (group)controller is involved in compliance and control as well as in risk management?
Is there anything I did not mentioned in this interview but may be of importance for my research?
