The role of management accountants in the
institutionalization process of risk management
MSc. BA Organizational and Management Control Faculty of Economics and Business
University of Groningen June 2017
Abstract
The aim of this study is to explore the role of management accountants in the institutionalization process of risk management. The framework of Burns and Scapens (2000) that is rooted in old institutional economics is used as the theoretical lens. A multiple case study consisting of seven interviews with managers, management accountants and lower level employees in two different organizations was
conducted to collect data. Within-case and cross-case analysis resulted in multiple findings. First, management accountants contribute in translating general risk management policies to the specific business situation. Second, they embedded risk management principles within their thinking and through their involvement in strategic planning and decision-making they reproduced risk management routines at
the top of the organizations. Third, they assist other managers in the design and implementation of risk controls. Fourth, by providing ex-ante and ex-post information, they fostered the reproduction of risk management routines throughout the organization. This study contributes to the literature by offering new
insights in the linkage between management accounting and risk management.
Key words: Risk management, Enterprise Risk Management, Management Accountant, Institutional theory, Institutionalization.
Roy Nusmeijer (S3256979)
Supervisor: Prof. Dr. Ir. P.M.G. Van Veen-Dirks Second assessor: A. Rehman Abbasi
TABLE OF CONTENTS
1 INTRODUCTION ... 1
2 LITERATURE REVIEW ... 4
2.1 Risk Management ... 4
2.2 Role of the management accountant in risk management ... 6
2.3 Institutional theory ... 7
2.4 Institutionalization process of Enterprise Risk Management ... 9
2.4.1 Encoding ... 10
2.4.2 Enactment ... 10
2.4.3 Reproduction... 10
2.4.4 Institutionalization ... 11
2.4.5 Role of the management accountant ... 11
3 RESEARCH METHODOLOGY ... 11 3.1 Research design... 12 3.2 Data collection ... 12 3.3 Data analysis ... 13 3.4 Quality criteria ... 13 4 RESULTS ... 13 4.1 Company A ... 14 4.1.1 Encoding ... 14 4.1.2 Enactment ... 15 4.1.3 Reproduction... 16 4.1.4 Institutionalization ... 16
4.1.5 Role of the management accountant ... 17
4.2 Company B ... 18
4.2.1 Encoding ... 18
4.2.2 Enactment ... 19
4.2.3 Reproduction... 20
4.2.4 Institutionalization ... 21
4.2.5 Role of the management accountant ... 22
4.3 Cross-case analysis on the role of the management accountant ... 23
5 DISCUSSION ... 24
6 CONCLUSION ... 26
6.1 Theoretical contributions and managerial implications ... 26
6.2 Limitations ... 27
6.3 Future research ... 27
REFERENCES ... 29
1
1 INTRODUCTION
Recent world events, in particular the global financial crisis have reoriented and increased the interest on risk. Risk management is increasingly seen as an important part in all aspects of the business and the interest in risk management has been increased (Bhimani, 2009; Power, 2009; Woods, 2009). Many financial disasters and organizational failures can be assigned to poor risk management practices (McConnell, 2009). Recently, there has been a shift in the perception and implementation of risk
management practices. Traditional risk management viewed risk separately, independent to other types of risk and only risks that fitted in the responsibility of departments were managed (Hoyt and Liebenberg, 2011). In the last decades, the focus has shifted from this silo approach to a more holistic approach of risk management. The need and demand for risk management as a holistic framework is a result of multiple changing external and internal factors in the corporate environment. These range from a broader risk scope and higher risk complexity to globalization and regulatory pressures (Gatzert and Martin, 2015).
Increasingly, organizations are considering the adoption of Enterprise Risk Management (ERM) programs or have already implemented them. ERM enables organizations to manage risks in an integrated, firm-wide fashion. This indicates that appropriate risk controls need to be implemented to help ensure that organizational objectives are achieved. ERM increases the awareness of risk within the entire
organization, which can lead to better operational and strategic decision-making (Hoyt and Liebenberg, 2011). In addition, an enterprise-wide approach to proactively dealing with risk and optimizing threats and opportunities can improve management control (Samanta, 2009), since risk management can be seen as “an attempt to intervene, to act upon individuals, entities and processes to transform them and achieve specific ends” (Miller, 1994, p.1). Risk management practices and frameworks such as ERM (COSO, 2004) can thus be seen as a strategic management control system. “ERM echoes the ambitions of such management control practices as value-based management, activity-based management and the balanced scorecard” (Mikes, 2009, p.20). In addition, Mikes (2009) argues that an integrated approach to risk management matches recent innovations in management control systems to bring various processes and techniques under a single umbrella.
Risk management can differ from organization to organization and can even differ in the same
organization over time (Arena et al., 2010). The implementation of a new risk management framework is a continuous process “where the difficult issue to tackle is how risk management is embraced throughout the organization” (Van der Stede, 2011, p. 615). According to a study of Deloitte (2011), many
2
at the same time meeting regulatory requirements was found to be another difficulty. Previous research on the implementation of ERM is mainly based on findings from surveys (Hoyt and Liebenberg, 2011), ignoring contextual factors and the actions of organizational members. In order to understand ERM as an organizational practice, attention has to be paid to wider cultural and social contexts. According to Miller (1994), management control systems (and also risk management systems) “could not, and should not, be studied as an organizational practice in isolation from the wider social and institutional context in which it operates” (p.9). If organizations are planning to implement ERM and to change risk management
practices, an accurate understanding of the organizational context is required (Hoyt and Liebenberg, 2011). For successful risk management, it is important that members of an organization at every level have a risk-management mindset (Krell, 2011). Therefore, risk management must be embedded into the routines and processes of managers and employees if organizations want to get serious about risk management (Moody, 2009; Kaplan, 2009).
This study will use institutional theory in order to understand the process of ERM implementation and embedding of risk management principles. Institutional theory tries to understand the institutionalization of rules and routines, designed by management accounting and control systems. Scapens (1993, 1994) argues that old institutional economics (OIE) provides an appropriate framework for the understanding of intra-organizational change. The old institutional economics approach studies organizational change as an ongoing process and emphasizes the importance of institutions, rules, routines, habits and norms (Burns & Baldvinsdottir, 2005). The change in risk management in organizations can be considered as an
institutional change, since it is influenced by the wider social and cultural environment (Jabbour and Abdel-Kader, 2015) and it is a continuous process (Van der Stede, 2011). The framework of Burns and Scapens (2000), rooted in old institutional economics, is used in this study to understand the interplay of actions and institutions and the influence of actors, routines and institutions on the institutionalization process of ERM.
In order to understand how risk management becomes institutionalized in organizations, more knowledge is required about the people that are involved in this process. According to prior research, multiple actors are involved in the process of embedding risk management within organizations (Arena et al., 2010; Mikes 2009, 2011). However, the role of management accountants in this process has been overlooked by the literature (Giovannoni et al., 2016; Soin and Collier, 2013). Since risk management has moved away from silo approaches to more holistic approaches, this change might also have implications for
3
management accountants in integrated business situations and decision-making processes. They are also increasingly involved in the design and implementation of accounting and control systems in
organizations. According to Soin and Collier (2013), there might also be a more proactive role for the implementation and communication of risk control systems. Similar to Williamson (2004) and Soin (2005), Collier et al. (2007) stated that “management accountants, whose professional training included the analysis of information and systems, performance and strategic management, can have a significant role to play in developing and implementing risk management and internal control systems within their organizations” (p.22). This expertise could bring certain advantages to organizations for communicating and embedding risk management practices across the whole organization (Rasid et al., 2011).
In order to explore the role of the management accountants in the institutionalization process of risk management, the research question of this paper is:
What is the role of the management accountant in the institutionalization process of risk management in the organization?
This study contributes to the academic literature in multiple ways. Previous literature suggested that management accounting and risk management are becoming increasingly interdependent (Bhimani, 2009; Soin and Collier, 2013; Culasso et al., 2016). This study expands this linkage by investigating the role of management accountants in risk management. Additionally, previous literature found that many
organizations are facing difficulties in embedding risk management throughout the whole organization (Deloitte, 2011). Bhimani (2009) explains this by stating that risk management is a social construct that is shaped by the wider social, institutional and organizational context. Soin and Collier (2013) emphasized the lack of knowledge regarding the influence of specific organizational settings. Therefore this study tries to close this gap by investigating how risk management becomes institutionalized in organizations. There is evidence that multiple actors are involved in implementing and adopting ERM (Arena et al., 2010; Mikes, 2011), but no research is done to date that looks at the involvement of organizational actors
throughout the whole process of implementing and embedding risk management (Haji Togok et al., 2014). Therefore, this study is the first to address this issue. The study contributes to practice by providing managers a better understanding of the social and cultural factors that influence the institutionalization process of risk management in organizations. The results may be valuable for organizations that are planning to implement ERM or having issues with institutionalizing risk management in the organization, since the results illustrate how the management accountant can influence this process.
4
Second, the research methods are explained and motivated. Third, the results of the case studies are analyzed and compared. Fourth, the results are discussed in relation to the research question and academic literature. Finally, the theoretical contributions, managerial implications, limitations of the study and opportunities for future research are described.
2 LITERATURE REVIEW 2.1 Risk Management
This section first explains the principles of risk and risk management. Second, it describes the
development of risk management towards ERM. Finally, this section will address the shortcomings of ERM and the difficulties regarding implementation and adoption.
All organizations face a great multitude of risks in their operational activities. Risk refers here to “all events, occurrences and actions that may prevent you or your organization from realizing its ambitions, plans and goals” (Alhawari et al., 2012, p.51).
There are numerous types of risk, both financial and non-financial, which vary from organization to organization and can broadly be classified into the following categories (Melnick and Everit, 2008):
Financial risk: risk from capital and financial market forces on financial assets and liabilities. Hazard risk: risk arising from property, liability, or personnel loss exposures.
Operational risk: risk resulting from inadequate internal processes, controls, people and systems or from external events.
Strategic risk: risk that affect or are created by the overall business strategies (reputation, competition, regulation).
5
Today, managers can analyze and control various risks within a coordinated and strategic framework. This approach is often called enterprise risk management (ERM). ERM is a “process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO, 2004). In other words, it is an integrated, organization-wide process and control framework for the identification of all critical risks; the assessment of the impact of these risks on financial and strategic objectives; and the implementation of organizational solutions to address these risks (COSO, 2004; ISO, 2009). The fundamental difference between ERM and its predecessors is that all risks are viewed together in a coordinated and strategic framework (Hoyt and Liebenberg, 2011; Nocco and Stulz, 2006). ERM can create value at the macro or firm-wide level and micro or business-unit level. At the macro level, ERM can create value by enabling top management to maintain the firm’s strategy and resources. At the micro level, ERM can create value if it becomes a way of life for all managers and employees in the organization (Nocco and Stulz, 2006). This study will focus on both levels, since institutionalization means that all managers and employees throughout the organization take proper account of risk management practices, both in daily work and in strategic decision-making and planning.
Developments as the COSO framework (COSO, 2004) and ISO 31000 (ISO, 2009) have been globally diffused and risk management is high on the agenda of managers and political elites (Huber and Scheytt, 2013). These frameworks provide guidance for the implementation of a holistic way of risk management. The framework of COSO (2004) is widely used and one of the most cited, but it is also criticized. Power (2009) describes multiple flaws: 1) the idea of a single, firm-wide risk appetite is simplistic; 2) the rule-based approach discourages debate and dialogue about risks; 3) it ignores the wider environment and contextual factors. Regardless of which framework is used, the point is to involve all stakeholders and to create an organization-wide risk culture (Nocco and Stulz, 2006).
6
2.2 Role of the management accountant in risk management
This section will first address the evolving role of management accountants in the last decades, followed by a discussion of their involvement in risk management.
The role of management accountants has been studied since the early work of Simon et al. (1954), who found a change from a passive role of producing financial information to a more proactive role involved in decision-making processes and in the production of non-financial information. According to Granlund and Lukka (1998) the role of the management accountant is expanded beyond the role of watchdog to a more business-oriented controller being part of the overall management and involved in decision-making. There are several terms used in the literature for the new role of management accountants: business-partner (Siegel and Sorenson, 1999), business-oriented controller (Granlund and Lukka, 1998) and hybrid accountant (Burns and Baldvinsdottir, 2005). These terms have some common characteristics. In the new role – while still important – there is less emphasis placed on traditional skills and technical knowledge and more on non-financial information (Burns and Baldvinsdottir, 2007). Moreover, the MA is closely involved in decision-making and advising activities on operational and strategic issues and its orientation is more forward-looking (Burns and Baldvinsdottir, 2005; Byrne and Pierce, 2007; Granlund and Lukka, 1998). Finally, leadership and management skills are becoming more important activities (Burns and Baldvinsdottir, 2007; Granlund and Lukka, 1998). The possible drivers for this development are
globalization, fierce competition, new management accounting philosophies, organizational restructuring and decentralization of the accounting function (Burns and Baldvinsdottir, 2005; Granlund and Lukka, 1998; Järvenpää, 2007).
7
with the risks. In addition, they can analyze if risk management is beneficial or that the costs of managing are higher than the possible losses.
The role of management accountants can be seen as intra-organizational. Without the involvement of management accountants in risk management, it is often a costly compliance exercise, which means that the implementation of risk management frameworks is aimed at increasing legitimacy and forced by legislation, rather than at improving long-term performance (Culasso et al., 2016). In addition, Culasso et al. (2016) note that the changing role of management accountants is an important factor in “permitting a pivotal role in analyzing and assessing risks, but also in reporting and monitoring them” (p.10). Since management accountants are increasingly involved in the design and implementation of accounting and control systems in organizations they could also play a role in the implementation of ERM (Culasso et al., 2016). According to Shenkir and Walker (2006), management accountants can contribute in the transition from silo based risk management to ERM by educating others about the principles of ERM and by resolving conflicts between proponents and opponents of ERM. According to Lees (2017), organizations have to tailor general risk management principles to their specific organizational context. Lees (2017) argues that management accountants, through education and training, have the skills to apply general techniques and tools to the specific circumstances of the organization and can therefore assist in the implementation of ERM.
However, there is also evidence that the role of management accountants in risk management is limited. Collier et al., (2004, 2007) found little integration between management accounting and risk management and a marginalization of management accountants in risk management in UK organizations, because they had a more supportive and calculative role instead of a managerial role. This is in line with the research of CIMA (2002) and Soin (2005) who also found a marginalized role. In the Netherlands, the traditional role of the management accountant as bookkeeper is still dominant (De Loo et al., 2011). These contradictory findings of previous studies may be the result of differences in culture, organizational context, industry (Granlund and Lukka, 1998) and methodological differences across studies.
2.3 Institutional theory
This section will explain the main concepts of institutional theory and the framework of Burns and Scapens (2000), which is taken as the theoretical lens for this study.
8
of wider social and cultural factors. There are three strands of institutional theory: old institutional economics, new institutional economics, and new institutional sociology (Moll et al., 2006). This study will follow old institutional economics (OIE), which looks at the intra‐organizational processes of organizational change. Unlike new institutional economics and new institutional sociology, which look at external pressures from a macro perspective, OIE takes a micro perspective. OIE is helpful to explain how management accounting and control practices in organizations evolve over time and which factors shape these practices (Moll et al., 2006). Since risk management in organizations is far more than a simple technical device and is influenced by the organization’s social and cultural context, institutional theory provides a useful theoretical lens to study how risk management becomes institutionalized and how actors can influence this process. The framework of Burns and Scapens (2000), which is rooted in OIE, will be used as the institutional lens, because it depicts the interplay between actions and institutions and stresses the importance of organizational routines and institutions in shaping organizational change. The basic principle of this framework is that changes in management controls are conceptualized in organizational rules and routines that can both shape and be shaped by institutions, which “comprise the shared
taken‐for‐granted assumptions” (Burns and Scapens, 2000, p.8). Institutions are thus the shared ways of thinking and behaving, which bring form and structure to behavior.
According to Burns and Scapens (2000), management accounting and control systems constitute an interrelated set of rules on how to do things and a set of routines which are the actual ways of working. Rules refer here to formal practices to give meaning to and coordinate the actions of people. They describe how ‘things should be done’. Routines refer here to informal practices which are actually in use. They provide stability in daily activities. The interaction between rules and routines lead to institutional change (Burns and Scapens, 2000). Through specific actions people enact the system consisting of rules and routines and by the collected behavior of people they reproduce or strengthen the system. Over time, these rules become routines and routines become institutionalized. Routines can also provide resistance when organizational members feel that the new practices or rules are in conflict with the current ways of
working. Therefore, managers require in-depth knowledge about the prevailing routines and institutions in order to break this pattern of interrelated rules and routines and institutions so that people are becoming aware of the fact that they cannot proceed in the way that they are used to. Despite this resistance, institutional change can still occur, since people are often curious, leading to innovation and experimentation, and thus in new routines and institutions. Change and stability are therefore not independent (Burns and Scapens, 2000).
The framework of Burns and Scapens (2000) is shown in figure 1. At the top of the figure is the
9
rules and routines, the encoding process (arrow a). As organizations change their management control systems, these changes are effected by the institutions. The ‘new’ set of rules and routines trickles down in specific actions or individual behavior, the enacting process (arrow b). Arrow c is the process of
reproduction, where repeated actions lead to routine ways of behaving. This process can occur both consciously and unconsciously. When actors have control and can modify the existing rules and routines, the reproduction is conscious. When rules and routines are not understood fully or when actors do not have the means to change them, they can be handled differently than was intended, leading to unconscious reproduction. Finally, arrow d is the process of institutionalization, where the new routines become ‘taken for granted’ (Burns and Scapens, 2000). The institutions influence action at a specific moment in time, therefore arrows a and b are vertical. The daily actions of agents produce and reproduce institutions over time, through the creation of routines and rules, therefore arrows c and d are diagonal. The change process at the institutional level requires more time than the change process at the action level. Therefore, the slope of arrow c is steeper than arrow d.
Figure 1 Institutionalization process (Burns and Scapens, 2000)
2.4 Institutionalization process of Enterprise Risk Management
10
Scapens (2000) will be used to investigate how this process works and how the management accountant contributes to this process. The institutionalization process of risk management is divided in the four phases of Burns and Scapens’ (2000) framework: encoding, enactment, reproduction and
institutionalization. These four phases will be discussed first, followed by a discussion of the role of the management accountant in these phases.
2.4.1 Encoding
Risk management in organizations is in this study conceptualized as a set of rules and routines. The introduction of risk management practices is similar to the introduction of rules in the encoding phase of Burns and Scapens’ (2000) framework. These formal rules are the formal risk management practices, such as procedure manuals, risk registers, risk maps and risk responsibilities. Organizations planning to
implement ERM have to encode the general risk management principles into specific rules for their organizational setting, since there is no universal risk management system (Arena et al., 2010; Power, 2009).
2.4.2 Enactment
Enactment is the next phase in the institutionalization process (Burns and Scapens, 2000). In this phase, the encoded risk management principles are enacted by organizational members in their daily routines. In order to enact these new risk management rules, organizational members should have incentives to change their current routines. New ways of working can contradict old ways of working and can result in
resistance if organizational members see the new rules as annoying, time-consuming, restricting, etc. (Burns and Scapens, 2000). Since this resistance hinders the enactment of new rules, this study will investigate whether organizational members are being prepared or motivated to enact the new rules in their routines.
2.4.3 Reproduction
11
2.4.4 Institutionalization
The final phase is where the new risk management routines become the ‘taken-for-granted’ way of behaving (Burns and Scapens, 2000). This study will investigate whether ERM is institutionalized. The level of institutionalization can differ from department to department and from top management to lower levels of the organization. Since risk management is performed at different organizational levels, this study will investigate the structure and formalization of risk management frameworks, the roles and responsibilities of organizational members involved in risk management, and the methodologies and tools that are used for risk management to understand the diversity in risk management rules and routines along organizational members and to explore whether this diversity hinders the institutionalization process.
2.4.5 Role of the management accountant
If management accountants are acting more like business partners and are involved in strategic planning and decision-making, it is likely that they also play a role in the implementation and embedment of risk management in the organization. According to the above discussion in the literature review about the role of management accountants in risk management, there are three roles that management accountants can play in the institutionalization process of risk management. First, in the encoding phase, they can support (risk) managers in the translation of ERM practices to the organizational level, because of their
understanding of the business processes and management control systems (Lees, 2017). Second, in the enactment phase, they can promote a risk culture and enhance risk awareness through training and education and thereby reduce resistance among employees (Shenkir and Walker, 2006). Third, with their expertise in the analysis and communication of data and information (for performance measurement and control), they can assist (risk) managers in the reproduction phase by providing them with relevant information and data and in the communication of risk management information throughout the entire organization (Williamson, 2004; Rasid et al., 2011). This supports the embeddedness of risk management throughout the entire organization since risk information flows from department to department and could help the organization to truly institutionalize risk management.
The next section discusses the research design, the data collection and analysis methods, and the quality criteria.
3 RESEARCH METHODOLOGY
multiple-12
case study will be conducted to answer the research question: What is the role of the management accountant in the institutionalization process of risk management in the organization? Next, the research design, data collection and data analysis methods will be described.
3.1 Research design
Research in management control, risk management and research drawing on institutional theory is often conducted under the paradigm of interpretive research (e.g. Arena et al., 2010; Mikes, 2009; Woods, 2009). It allows for studying phenomena in wider cultural and social contexts (Strati, 2000), explaining not only what happens in organizations, but also how and why it happens (Ferreira and Merchant, 1992). This research is aimed at exploring risk management in organizations with the emphasis on social aspects, since the institutionalization process of risk management and role of management accountants are studied.
Case study methodology is used in this study since this form of research is useful for the study of ERM and is consistent with institutional theories (Arena et al., 2010; Woods 2007, 2009). Additionally, case studies attempt to understand phenomena in depth within its real-life context (Yin, 2014). This study aims at understanding how management accountants can influence the process of institutionalization and case studies are the preferred qualitative research method when ‘how’ and ‘why’ questions are to be answered (Yin, 1994). This study uses multiple case studies, because this allows comparison of management accountant roles in different organizational contexts and for studying the process of institutional change in multiple settings. In multiple case studies, the same questions are asked in different situations and
compared with each other to compare the phenomena and to check variation in the institutionalization process. The cases in this study are selected through theoretical sampling (Eisenhardt, 1989). They meet the following requirements: 1) the organizations consist of multiple departments to study
institutionalization process at multiple levels; 2) the organizations have implemented an ERM framework; 3) management accountants are not completely isolated from risk management. Four organizations were contacted and introductory conversations took place in order to find suitable cases. Two organizations did not fulfill these requirements. One of them had not implemented ERM and the other organization was in the middle of a takeover and did not want to cooperate with this research.
3.2 Data collection
13
international operating parent companies. In case company A, three interviews were conducted. In case company B, four interviews were conducted. All interviews were semi-structured, consisting of open-ended questions. Before an interview question was asked, the concepts and context were explained to the interviewee. An overview of interview question is given in the Appendix. The interviews were held in Dutch, because they were conducted with Dutch representatives of the organizations. The interviews lasted between 30 and 60 minutes. The interviews were digitally recorded and transcribed. The interview structure consisted of three parts: questions about the persons role in the organization and about the organization in general, questions about the implementation and adoption of risk management practices and questions about the role of management accountants in risk management. The results of the cases studies will be compared to the research question and existing academic literature.
3.3 Data analysis
The interviews were recorded and fully transcribed in Microsoft Word. These were then analyzed using the method of Eisenhardt (1989). First, within-case analyses were performed for each organization with the use of Burns and Scapens’ (2000) framework. Each interview was analyzed by reading and
interpreting them separately. This helped to gain a rich understanding of each case and to find unique patterns. After that, cross-case analysis was performed to compare the cases. Finally, after conclusions were being made, the interviews were reviewed to see if the interpretations were correct.
3.4 Quality criteria
This section discusses the main quality criteria, since they provide the basis for inter-subjective agreement on research results (Van Aken et al., 2012). Controllability of research results is the first quality criterion for research. To make the research replicable for other researchers, precise and detailed descriptions about the research methods are presented in the methodology section. In addition, the results of the study are presented as precisely as possible (Swanborn, 1996). Reliability is another criterion for research
(Swanborn, 1996) and is enhanced in two ways. First, researcher bias is controlled through the use semi-structured interview questions to reduce the personal influence of the researcher. Second, circumstance bias is controlled by interviewing people in the same setting: at their offices and in a closed room (Van Aken et al., 2012).
4 RESULTS
14
of Burns and Scapens (2000) will be described. After that, the role and responsibility of the management accountant in this process will be described. In the end of this section, a cross-case analysis will be performed to compare the cases.
4.1 Company A 4.1.1 Encoding
The first phase in the institutionalization process is the encoding phase, where new rules and principles are introduced to organizational members. Those new rules and principles are being shaped by existing rules and routines (Burns and Scapens, 2000). In 2003, when Company A was established, the Operational Risk Management and Compliance (ORMC) department was created to overview the risks. Risk management was at that time performed in ‘silo’s’, where each department was responsible for the management of risks in their ‘silo’. Operational risks were seen as the most important and gained most attention. The ORMC department focused on compliance risks and evaluated the risk management of all departments. In 2011, Company A became fully owned by a new subsidiary of its parent company. A new risk management framework was designed and came as a compulsory order from the parent company. This framework was loosely based on Enterprise Risk Management (COSO, 2004). However, the new risk management remained strongly focused on operational risk management, as explained by Interviewee A-1.
“The largest part of risk management concentrates on operational risks. Currently, we are broadening our risk management to include more risks, such as financial and strategic. However, those risks are less concrete. For operational risks you can invent more clear actions, strategic and financial risks are less tangible” (Interviewee A-1).
15
“The set of demands from the parent company are the same for all subsidiaries, but many of them do not relate to our organization. We see it as a challenge to translate those demands, rather than resisting them” (Interviewee A-2).
4.1.2 Enactment
The decision of the board of directors of the parent company to implement ERM in the organization was in accordance with the norms and values of employees in Company A.
“Employees feel that they have the responsibility to control and manage risks. They want to do their jobs in the best possible ways and want to help each other. These norms and values are embedded in the organizational culture. Therefore, the organization is suitable for proper risk management” (Interviewee A-1).
According to the framework of Burns and Scapens (2000), the new ways of working were thus in accordance with the existing rules and routines. There was no tension in the encoding process of existing institutions into new rules and routines. The process of encoding is followed by the process of enactment, where the new rules and routines are enacted in the daily work of employees. There was little resistance from employees in the enactment of the new rules and routines due to their relatively low power positions, educational background and conformity to regulations. To foster the process of enactment, the ORMC department designed education and awareness programs to embed the desired risk management practices throughout the organization. Workshops with representatives from all departments were organized to create a single risk language across the organization and to make everyone aware of the risk appetite. In addition, the risk managers provided technical instructions for the assessments of risks.
“The group dynamics are very important for risk management. Therefore, we put a lot of effort in this” (Interviewee A-1).
“With the use of e-learnings and workshops, we are making employees aware of the risk rules, how they should deal with risks and the importance of transparency. . . . That is also a
16
4.1.3 Reproduction
Creating acceptance for the new rules and routines is key in the institutionalization process of risk management, since this creates conformity with the rules and routines designed in the encoding process. These rules and routines become in the end the appropriate rules and routines in the organization when they are continuously repeated by employees. However, during this process, employees can unconsciously or consciously create new rules and routines through resistance or lack of technical knowhow (Burns and Scapens, 2000). At Company A, this process of reproduction was steered by risk managers through regular meetings and workshops.
“Transparency and fairness are very important for risk management. Therefore, on a regular basis, we organize meetings and workshops with employees from multiple departments to find out where things go wrong, what obstacles there are and how we can improve our risk management process” (Interviewee A-1).
This led to a long process of reproduction where rules and routines changed evolutionary. The regular meetings about risk management shed light on the problems and resistance facing employees. The risk managers made incremental changes to the rules and routines to prevent unconscious institutionalization. An example of these changes is in the amount of data that employees had to report in risk maps to managers. This gave rise to resistance from employees and let to negligent risk maps. Therefore, the risk managers decided to make some minor changes to the reporting rules.
4.1.4 Institutionalization
Ideally, organizations desire that the implemented rules and routines become the ‘taken-for-granted’ ways of behaving and that they contribute to organizational performance (Burns and Scapens, 2000). There is evidence for the institutionalization of risk management.
“Everyone in the organization has fully accepted risk management. . . . We are a given, risk management is here to stay forever” (Interviewee A-1).
17
risks. The employees of F&C are used to manage and control the risks in the perspective of individual departments rather than from a holistic perspective. The holistic way of managing risks is therefore not the taken-for-granted way of behaving in all departments, resulting in a less integrated view of risks than intended. Another barrier for further institutionalization is the control over IT risks, because they are in essence hard to control and automation causes rapid development of risks. The risk managers are continuously faced with new techniques and practices (rules and routines) and a lack of resources.
4.1.5 Role of the management accountant
The MA of Company A plays a contributing role in the encoding process by building new (risk) controls in the processes, since process management is one of the tasks of the MA. In the processes, it is clearly defined what the roles and responsibilities of employees are, which steps they have to undertake and what the controls are. As the introduction of ERM brought new roles, responsibilities and procedures, the MA had to build new controls in the processes. This was done in cooperation with the risk managers.
“I helped building controls in the processes. . . . For example second man checks, four eyes principle and checklists for tasks . . . and reducing power of individuals so that they cannot transfer money to themselves” (Interviewee A-3).
The MA did not play a role in the training and education of employees to make them more aware of the importance of risk management. This was not considered to be a task for the risk managers, as explained by the MA.
“We take part in e-learnings and workshops, but it is not our task to train people in risk management. That is the task of the ORMC department. I do consider it my task to train the colleagues in my department. Or more to make them risk aware” (Interviewee A-3).
However, the MA enacted risk management principles in work activities and considered risks in planning and performance evaluations. Therefore, the MA embedded risk management in the F&C department. Since the role of the MA is moving more towards that of business partner, this could also bring risk management into the decision-making process of the higher management. Both the risk managers and the MA acknowledged that the management of strategic risks is lagging behind and that here lies an
opportunity to institutionalize risk management further.
“We look strongly at the operational risks and risk management of clients, but the risk
18
the strategic risks are. Those are issues that demand more and we are currently working to incorporate that as well” (Interviewee A-2).
“Risk management is well included in the processes. The strategic risks are less covered” (Interviewee A-3).
In addition, the ORMC department and F&C department could work more closely together to connect the risks with the objectives of the organization.
“Management accountants often think in KPI’s to find out how the organization is
performing. . . . We look more at risk indicators. So, how can you see that a risk is changing? Ideally, those worlds could be combined as they are both indicators. It would be nice if you could integrate those two worlds into one framework” (Interviewee A-2).
“I would like to be more involved with the strategic risks. The ORMC department is mostly focused on operational risks and compliance risks. I could look more at risks on the strategic level and respond to those” (Interviewee A-3).
One of the risk managers pointed to the reporting issues that employees encountered. Employees considered that to be time-consuming and non-productive. It was asked whether the MA could play a supporting role here since their expertise is the reporting of information (both financial and non-financial). According to the MA:
“The reporting of risk is mostly done by the ORMC department, as they have to report to supervisors and auditors. While I do see it as our expertise, I do not think that we can support the employees because we are not closely involved in the operations and risk policies that they follow” (Interviewee A-3).
4.2 Company B 4.2.1 Encoding
19
a project team to lead the implementation process. The project team consisted of six people: four regional managers, the management accountant and one operational manager. Together with the board of directors, the project team developed a risk framework wherein 32 risks were identified. For each risk an evaluation was made in which possible causes, effects and mitigation strategies were established. All risks were included, except health & safety risks as they were found to be too complex and out of scope of the project team. In addition, health & safety issues are in large extent regulated by policies from the government and from the parent company. Therefore, a new department was established to manage health & safety risks. New safety rules were introduced to prevent unwanted behavior. These ranged from safety knives and seatbelt obligation in forklift trucks to speed limits and reflective clothing.
Risk management principles were not encoded in rules and routines throughout the entire organization. Responsibilities for risk management were given to managers. Lower level employees were isolated from risk management.
“I believe that we [the department heads] are able to identify and manage the most important risks. . . . I don’t believe that the lower level employees should take part in this, because they are not trained and educated for that” (Interviewee B-1).
There were no formal guidelines or manuals introduced to support risk management at lower levels of the organization (with the exception of health & safety risks). Branch managers had to make an assessment of the risks and had to report semiannually to the operational manager. They were also responsible for the creation of a risk aware environment to foster proactive risk management.
4.2.2 Enactment
In the enactment phase, the encoded risk management principles are enacted by organizational members in their daily routines (Burns and Scapens, 2000). ERM was implemented and used mainly at the managerial level. However, some lower level employees also enacted the principles of ERM, meaning that they now considered the risk appetite and addressed the influence of one risk to other risks facing the department.
“I always had a ‘gut feeling’ that some risks can influence other parts of the organization, but now I have to report on them” (Interviewee B-2).
20
accountant, the risks that lower level employees could face were mostly health & safety risks and those were managed by a different department. As health & safety risks were considered very important to the organization, branch managers had the responsibility to make everyone aware of all the safety risks in daily practice. Every employee had to participate in semiannual safety lessons where all the risks in daily practices were examined and the importance and value of safety rules were explained. However, there was a lot of resistance among lower level employees to enact those rules.
“Many employees were never involved in accidents. . . . The safety rules were seen as annoying and caused dissatisfaction” (Interviewee B-3).
The reactions of employees to the new safety regulations were not taken into account and there was little effort to reduce the resistance among lower level employees.
“I think that they should communicate with the employees to see where the safety is really at stake and how it can be improved to reduce the negative influence on the work” (Interviewee B-4).
However, when employees find that the new rules actually improve the safety situation, they show little resistance.
“There are also enough rules that improve the safety and those are being closely followed” (Interviewee B-4).
4.2.3 Reproduction
In the reproduction phase, organizational members have enacted the new risk management principles in their actions and start reproducing them in their routine behavior (Burns and Scapens, 2000). At top management, new risk management routines emerged as the new rules, such as risk maps and risk assessments were enacted in daily practice. There was little resistance, because higher managers viewed them as value-adding. However, lower level employees perceived the new rules as restrictions in their daily work, leading to actions contrary to what was expressed in rules. Consequently, the employees did not reproduce the new rules in their routines.
21
Quarterly meetings were organized, where the head of Finance, Internal Control, Human Resources, Operations and the board of directors evaluated the risk management process. In those meetings, several issues were discussed that prevented the reproduction of risk management routines. It came to light that the many safety regulations were not effective. Instead of improving the safety of employees, they led to more dangerous behavior as people tried to bypass the rules. This opened the discussion with the parent company for an integration of the health & safety risks with the current risk management process. Company A is planning to integrate those risks in the coming years.
4.2.4 Institutionalization
In the final phase, new risk management routines become the ‘taken-for-granted’ way of behaving (Burns and Scapens, 2000). The reproduced actions of higher managers led to institutionalized routines that embraced the principles of ERM. There is evidence that ERM contributes to performance management and decision-making.
“The risk information provided by higher managers in the quarterly meetings is helpful in the decisions about which locations need expansion, which locations need more resources. . . .” (Interviewee B-1).
In addition, there has been a shift in risk management routines from being mainly based on gut feelings to a more process-based approach. Risk management routines have become more extensive and stronger.
“I think it broadened my view on risk management. I view risks more in detail and look more at risks from multiple perspectives” (Interviewee B-2).
22
4.2.5 Role of the management accountant
The MA of Company B had an important role in the encoding process of ERM. Together with other members of the project team, the MA identified 32 key risk indicators (KRIs) and developed mitigation strategies. The MA’s knowledge of the organization and technical skills were valuable in this.
“I think that my experience and knowledge of the goals, strengths and weaknesses of the business were of great importance . . . my knowledge of Excel and financial
calculations help in determining the likelihood and impact of risks” (Interviewee B-1).
To determine which risks would have the greatest impact on the business and where risk management’s focus should be, the MA had to make risk assessments.
“It’s all about money, probability times magnitude. . . . I calculate which risks are acceptable, thus whether the possible loss exceeds the costs of managing” (Interviewee B-1).
In addition, the MA designed and built (risk) controls in the processes.
“Take for example unusual transactions. If there has to be paid an amount in cash higher than €15.000, then people should contact me . . . I also monitor that people do not perform tasks for which they are not authorized” (Interviewee B-1).
The MA communicates with other departments to collect the data and information about risks and to encourage them to look from a holistic perspective. This supports the institutionalization of ERM principles. However, the MA does not support the embedding of risk management practices into lower levels of the organization, while new or emerging risks might be identified by lower level employees. According to the MA, many risks have a low impact and don’t have to be reported to him.
“We expect and believe that those risks [with low impact] are managed by lower level managers on the work floor. I think that integrating those risks in our risk framework will not enhance risk management” (Interviewee B-1).
Despite the low level of embeddedness, risk management is integrated in strategic decision-making and planning processes.
23
In this company, the MA has to provide a risk report of the risk management processes to the internal audit of the parent company. This report consists of an overview of the KRIs, risk controls and mitigation strategies.
4.3 Cross-case analysis on the role of the management accountant
In the cross-case analysis, the two organizations will be compared to find some interesting differences and similarities in the roles that management accountants have in the institutionalization process of risk management. The overall risk management role of the MA in Company A is less extensive than the role of the MA in Company B. This can be explained by the presence of the ORMC department in company A that is responsible for the implementation, embedding, monitoring and evaluation of the risk management practices. In Company B, the MA was part of a project group that was responsible for the implementation and evaluation of risk management. However, the management accountants also play similar roles in the institutionalization process of risk management. These will be explained next.
First, in the encoding process, the management accountants were involved in translating risk management practices to the specific business situation. With their knowledge of the business (strategy, performance, opportunities and painful area’s) and involvement in management control they assisted the (risk) managers and directors in the design and implementation of risk controls. The MA of Company B also had the task to translate risk policies from regulators and the parent company to the organizational context. In company A, this was done by the risk managers.
Second, the management accountants embedded the ERM principles within their thinking. They considered these principles in strategic planning and budgeting and decision-making. Through the close collaboration with managers and the board of directors, the management accountants supported the reproduction of risk management routines at the higher level of the organization. However, risk
management at the strategic level is less advanced in Company A, because the collaboration between the risk managers and MA is marginal. All interviewees of Company A acknowledge this and see
opportunities to integrate these two functions since they are both complementary to organizational control. In company B, risk management and internal control are fully integrated. This promoted
institutionalization of the concepts of risk management at the higher level of the organization.
24
company B focuses on communication with higher levels. This could explain why risk management is less integrated at the lower level in Company B.
Fourth, as ERM becomes more embedded in the organization, more critical information becomes visible and enhances the management accountants’ knowledge of the business. This in turn enhances performance measurement and allows the management accountants to improve risk management processes. So even if management accountants do not have a clear role or responsibility in risk management, they can still contribute to the institutionalization process if they use the information provided by risk management in performance evaluations and advisements to managers.
Fifth, both management accountants did not play a role in training and educating employees to make them more risk aware and to foster the enactment process, but for different reasons. Company A acknowledged the importance of a risk culture and proper norms and values, but the ORMC department was responsible for promoting risk awareness. Company B did not put effort in the establishment of a risk aware culture, it was not seen as necessary prerequisite for risk management.
5 DISCUSSION
This section will sum up the main results of the study and discuss it in relation to the research question and relevant literature.
First, current management accounting literature suggests that the role of management accountants is evolving from watchdog to business partner. They are involved in the overall management instead of purely analyzing financial data and information (Granlund and Lukka, 1998; Burns and Baldvinsdottir, 2005). The results of this study confirm these suggestions as both the management accountants are involved in the decision-making process, strategic planning and in advising managers and the board of directors. While traditional skills such as financial reporting are still part of their job (Burns and Baldvinsdottir, 2007), they are increasingly automated or performed by other financial employees. The management accountants spend more time on supporting and enhancing the business by ‘standing above the numbers’, communicating information and data to other parts of the business and they are involved in risk management. This is in line with the argument of Collier et al. (2007) that management accountants’ role need this shift towards a more strategic role if they are being involved in risk management. Current literature also provided contradicting evidence about the role of management accountants in risk
25
information was used in risk management. In that sense the two fields can be seen as complementary (Bhimani, 2009; Mikes, 2006; Rasid et al., 2011).
Second, both management accountants assisted the ‘risk’ managers and board of directors in the design of specific risk controls. In Company A, the MA is responsible for process management and helped risk managers to build general risk controls in the specific organizational processes. In Company B, the MA is responsible for both the risk controls as the translation of general risk policies to the firm-level. These findings are in line with the study of Lees (2017), who suggested that management accountants’ education and training in applying a broad range of tools and techniques to the specific circumstances can help organizations to tailor risk management to the specific needs of organizations.
Third, according to Williamson (2004), management accountants can perform risk-based management accounting in which risks are compared to standards, budgets and forecasts to measure performance. Incorporating risk into performance measurement processes can improve the understanding of the overall risk exposure of the organization and also improve the results of the business (Palermo, 2011). The results of this study confirm this and provide evidence that the management accountants embedded the ERM principles within their thinking and considered these principles in strategic planning and decision-making processes with managers and the board of directors. Through regular meetings with managers and
directors, they supported the reproduction of risk management routines at the higher level of the organization. Performance measurement in Company A is less integrated with risk management, since KPIs and KRIs are determined in isolation and the cooperation between the Finance and Control department and Operational Risk Management and Compliance department is marginal. In Company B, risk management and performance measurement are fully integrated since the MA considers the risks in management control and performance evaluations.
Fourth, the management accountants in this study were like a hub in the communication of (risk)
26
critical information about the business becomes available. With this information and data, management accountants are better able to perform their planning, budgeting and performance measurement exercises. This in turn can help managers and directors to better evaluate risk management.
Fifth, the management accountants in this study did not actively promote a risk culture to make everyone aware of the importance of risk management. Additionally, they did not organize training sessions and workshops to strengthen risk management practices and to assist other employees in the assessment of risks. These results contradict the argument of Shenkir and Walker (2006) that management accountants contribute to ERM by educating other organizational members about the principles of ERM and by promoting a risk culture through training sessions. While Company A acknowledged the importance of a risk culture, Company B did not saw this as important. This might explain why risk management is not institutionalized at the lower levels of Company B (Nocco and Stulz, 2006; Woods, 2007; Kinuthia, 2013).
6 CONCLUSION
The aim of this study was to gather a deeper understanding of the institutionalization process of risk management in organizations and the role of management accountants in this process. Therefore, two qualitative case studies were conducted. It can be concluded that management accountants are able to influence this process in several ways if they move towards the business partner role. Even if they perform their traditional role of watchdog, they can still play a marginal role in the institutionalization process if they embed the principles of ERM within their thinking and consider these in their routines.
6.1 Theoretical contributions and managerial implications
27
institutional theory literature in the management accounting and risk management field. Exploring risk management through the institutional lens of Burns and Scapens (2000) has been the subject of research before (Jabbour and Abdel-Kader, 2015; Culasso et al., 2016), but this study is the first to address the involvement of management accountants in the institutionalization process of risk management. Fourth, the framework of Burns and Scapens (2000) allowed risk management to be conceptualized as rules and routines influenced by intra-organizational institutions. Through this theoretical lens, the study showed that risk management differs from organization to organization and even in the same organization over time and that multiple actors are involved in the institutionalization process (Arena et al., 2010; Mikes 2007, 2009).
There are three managerial implications. First, the study contributes to practice by illustrating that
management accountants can have different roles in the institutionalization of risk management if they act like business partners. This can motivate top managers to involve management accountants in the
transition towards ERM. Second, the study shows that Enterprise Risk Management differs in organizations. This enables managers to better grasp the importance of adapting ERM to the specific organizational circumstances. Third, the principles of ERM are to a large extent in accordance with the way of thinking of management accountants. This allows organizations to make the transition towards ERM more effectively, because it enhances the integration between management control and risk management.
6.2 Limitations
This research study has some limitations. First, Burns and Scapens (2000) advice that their framework is best suited for longitudinal case studies of organizational change. Due to time constraints, the interviews were held in a short period of time. This could result in a static view of the constructs. To overcome this problem to some extent people were interviewed about earlier periods. But it might cause interviewees to interpret their actions and beliefs in the past differently than at the time of action. Second, while the interviews gave good insights in the case studies, the generalizability of the outcomes is low due to the limited amount of interviews. Third, the research is conducted only in the Netherlands, while the role of management accountants can differ in other national and cultural settings (Granlund and Lukka, 1998).
6.3 Future research
28
subject of research before. This research study gives initial insights and provide a direction for future research. It would be interesting to develop a longitudinal analysis of this study to gain a deeper understanding of the institutionalizations process of ERM in organizations. This can be done in organizations that are planning to implement ERM to gain valuable insights in the institutionalization process and the role of the management accountant. In addition, future research is more valuable if more respondents are included and if organizations in different sectors and cultures (national and
29
REFERENCES
Alhawari, S., Karadsheh, L., Talet, A. N., & Mansour, E. (2012). Knowledge-based risk management framework for information technology project. International Journal of Information Management, 32(1), 50-65.
Armenakis, A. A., & Harris, S. G. (2002). Crafting a change message to create transformational readiness. Journal of organizational change management, 15(2), 169-183.
Arena, M., Arnaboldi, M., & Azzone, G. (2010). The organizational dynamics of enterprise risk management. Accounting, Organizations and Society, 35(7), 659-675.
Benbasat, I., Goldstein, D. K., & Mead, M. (1987). The case research strategy in studies of information systems. MIS quarterly, 369-386.
Bessis, J. (2002). Risk Management in Banking, John Willey & Sons. Inc., New York.
Bhimani, A. (2009). Risk management, corporate governance and management accounting: Emerging interdependencies.
Burns, J., & Baldvinsdottir, G. (2005). An institutional perspective of accountants' new roles– the interplay of contradictions and praxis. European Accounting Review, 14(4), 725-
757.
Burns, J., & Baldvinsdottir, G. (2007). The changing role of management accountants. Issues in management accounting, 3, 117-132.
Burns, J., & Scapens, R. W. (2000). Conceptualizing management accounting change: an institutional framework. Management accounting research, 11(1), 3-25.
Burns, J., & Vaivio, J. (2001). Management accounting change. Management accounting research, 12(4), 389-402.
Byrne, S., & Pierce, B. (2007). Towards a more comprehensive understanding of the roles of management accountants. European Accounting Review, 16(3), 469-498.
30
Collier, P. M., Berry, A. J., & Burke, G. (2004). Risk and control: drivers, practices and consequences. Chartered Institute of Management Accountant.
Collier, P. M., Berry, A. J., & Burke, G. T. (2007). Risk and management accounting: best practice guidelines for enterprise-wide internal control procedures (Vol. 2, No. 11). Elsevier.
Committee of Sponsoring Organizations of the Treadway Commission. (2004). Enterprise risk management—integrated framework.
Crouhy, M., Galai, D., & Mark, R. (2000). A comparative analysis of current credit risk models. Journal of Banking & Finance, 24(1), 59-117.
Culasso, F., Broccardo, L., Manzi, L. M., & Truant, E. (2016). Management accounting and enterprise risk management. A potential integration as a new change in managerial systems. Global Business and Economics Review, 18(3-4), 344-370.
Deloitte. (2011). Global risk management survey. Seventh Edition: Navigating in a Changed World. Deloitte Global Services Limited, UK
De Loo, I., Verstegen, B., & Swagerman, D. (2011). Understanding the roles of management accountants. European Business Review, 23(3), 287-313.
Drennan, L. T., McConnell, A., & Stark, A. (2014). Risk and crisis management in the public sector. Routledge.
Eisenhardt, K. M. (1989). Building theories from case study research. Academy of management review, 14(4), 532-550.
Ferreira, L. D., & Merchant, K. A. (1992). Field research in management accounting and control: a review and evaluation. Accounting, Auditing & Accountability Journal, 5(4).
Gatzert, N., & Martin, M. (2015). Determinants and value of enterprise risk management: empirical evidence from the literature. Risk Management and Insurance Review, 18(1), 29-53.
31
Granlund, M., & Lukka, K. (1998). It's a small world of management accounting practices. Journal of management accounting research, 10, 153.
Haji Togok, S., Isa, C. R., & Zainuddin, S. (2014). Review of enterprise risk management (ERM) Literature.
Hoyt, R. E., & Liebenberg, A. P. (2011). The value of enterprise risk management. Journal of risk and insurance, 78(4), 795-822.
Huber, C., & Scheytt, T. (2013). The dispositif of risk management: Reconstructing risk management after the financial crisis. Management Accounting Research, 24(2), 88-
99.
Institute of Risk Management (2002). A Risk Management Standard. London, IRM.
ISO, I. (2009). 31000: 2009 Risk management–Principles and guidelines. International Organization for Standardization, Geneva, Switzerland.
Jabbour, M., & Abdel-Kader, M. (2015). Changes in capital allocation practices–ERM and organisational change. In Accounting Forum (Vol. 39, No. 4, pp. 295-311). Elsevier.
Järvenpää, M. (2007). Making business partners: a case study on how management accounting culture was changed. European Accounting Review, 16(1), 99-142.
Kaplan, R. S. (2009). Risk management and the strategy execution system. Balanced Scorecard Report, 11(6), 1-6.
Kinuthia, W. N. (2013). Relationship between financial risk management systems and financial performance of micro finance institutions in Kenya (Doctoral dissertation, University of Nairobi).
Krell, E. (2011). Forecasting the future role of the management accountant. The Society of Management Accountants of Canada, Mississauga, Ontario. Lam, J. (2003). Enterprise risk management. John Wiley&Sons, New Jersey.
