Implementing Enterprise Risk Management (ERM) Under Contingency and Institutional Theory: Preliminary study of Listed Companies in Thailand
Abstract
Globalization creates an integrated world through advanced information and technology, constant connection, shorter transportation times, and so on, while its pitfall is that it increases the number of uncertainties (risks). Hence, public management currently needs to be aware of how to manage risk within the organizational appetite. However, the maturity level of Enterprise Risk Management (ERM) in Thailand is low; therefore, ERM knowledge will be indispensable for raising that maturity level. The first aim of this study was to examine ERM performance in Thai listed companies as a preliminary study. Based on empirical data, the analysis of ERM maturity found distinct levels of ERM maturity across industries: the financial, industrial, resources and service sectors performed better than the technology, consumer product and agro sectors. The next, significant aim of this study is to study the determinants of ERM in listed companies. Even though there is a distinction between public and private management (Hatch and Cunliffe, 2006), under an open system the best way to manage both public and private organizations lies in their ability to adapt to the turbulence of the internal and external environment (Scott, 2003). According to contingency and institutional theory, embedding ERM rests upon many factors, yet these divide significantly into internal and external factors (Galbraith, 1973). Based on empirical analysis using structural equation modelling (SEM) combined with qualitative in-depth interviews with senior management, the findings concluded that even though listed companies initially embed ERM as a compulsory function because of uncertainty and volatility (external factors), successful ERM implementation depended significantly on internal factors: the leader’s role, organizational context and ERM resources. The strongest determinant of ERM was leadership style, followed by organizational characteristics.
Ultimately, as a research implication, this paper also proposes ERM prototypes for public organizations.
Keywords: Enterprise Risk Management; Determinant; Public and Private Management; Structural Equation Modelling
*Ph.D. candidate from Doctor of Philosophy Program in Development Administration at National Institute of Development Administration (NIDA).
Introduction
Globalization is not a panacea (Nye and Donahue, 2000). While it has many benefits, some pitfalls of globalization still exist. Localization tries to use these benefits to create an integrated world rather than an isolated one, to reduce operation and transportation costs through the adoption of technology, to shorten communication time by generating advanced information and communication technology, to engage in global sourcing, and so on. These benefits of globalization lead localization to operate business without national boundaries. Proprietorships today will then vanish and transform themselves into corporations. However, globalization itself produces interdependency for all. Negative events in one country or one organization spread to others. For example, the tragedy of World War II showed that the effect in one nation spread to other nations. This means that one hazard of globalization is that it increases uncertain events (risks).
Risk has multidimensional meanings and varying interpretations (Davidson, 2003). Risk is normally defined as a negative event that causes an organization to deviate from its goals. Even though modern theories try to define risk as positive, given the limited maturity level of risk management systems in Asia, risk is defined as unexpected events.
At the organizational level, the concept of risk became a buzzword after the scandals at well-known organizations, namely Worldcom and Enron. As corporations or listed companies, they need to disclose their financial statements in order to show their ability to generate income and to attract new shareholders. At that time, demand for Worldcom stock rose sharply because of its attractive financial statement, but management had built it up by underreporting line costs and by means of corporate unallocated revenue accounts. A very few days after this was disclosed to the shareholders, they steadily sold stock until the company lacked liquidity and later went bankrupt. To prevent such a tragedy, the U.S. Congress enacted the Sarbanes-Oxley Act of 2002 (SOX) to force listed companies to have their accounting and financial statements verified by external auditors (third parties), in order to protect investors' rights from the possibility of fraudulent accounting activities by corporations. Furthermore, apart from financial statements, capital, organization and committee structure, as well as risk factors, must all be disclosed.
In the context of Thai listed companies, the Thai Securities and Exchange Commission (SEC) aligns with the global standard by forcing listed companies to disclose both financial statements and risk factors to shareholders. The SEC intends to protect shareholders’ rights by enabling them to consider risk factors before taking up the company’s equity. However, on the issue of risk, it is inadequate to disclose only risk factors; companies should in fact also disclose how they manage such risks effectively.
From the above rationale of the scandals at global listed companies and the regulatory alignment, it can be concluded that Thai listed companies are at least aware of the risk issue; however, how to manage risk appropriately remains questionable. Based on document analysis of reliable disclosure documents, listed companies most often disclose key risks but do not cover how to manage them. Given this importance, the first objective of this research is to empirically study the performance of ERM across 8 industries, comprising agro & food, consumer products, financials, industrials, property & construction, resources, services and technology, in order to understand the maturity level of ERM. Indeed, the performance of ERM can be identified from how risks are identified, assessed, mitigated and monitored (Deloach, 2000).
While Thai listed companies nowadays employ well-known international standards, such as COSO (Committee of Sponsoring Organizations of the Treadway Commission), ISO and so on, such standards put forward plenty on the process of embedding ERM but leave out how to implement an ERM system successfully (Yaraghi and Roland, 2011: 552). Significantly, even though studying ERM determinants is not new, there are two problems. Firstly, previous articles on ERM determinants were limited in industry type and were most often located in the financial and construction sectors (Xiabbo, 2013); they lack generalizability across industries. Secondly, there is a concern about how such ERM determinants were arrived at, as the studies did not reveal the particular theories related to them. Given this limitation, the second aim of this paper is to empirically analyze ERM determinants through the convergence of ERM theory and management theories (contingency and institutional theory).
Ultimately, the Thai Institute of Directors (IOD) disclosed that only a marginal portion of ERM implementations are successful; this paper could therefore to some extent raise ERM maturity in Thai listed companies when organizations need to embed ERM as a compulsory system. Moreover, an important contribution of this preliminary research is to propose an empirical way to embed ERM successfully in public organizations, as they also need to learn ERM but lack knowledge of it. Finally, there is a theoretical contribution in converging ERM standards and theory with management theories.
Literature Review, Theory Construction and Conceptual Framework
Studies of ERM determinants have lacked backing theories; therefore, in this part the author intentionally integrated the concepts of risk management with organizational and management theories: contingency and institutional theory. Next, the author explained how the paradigms of risk management have shifted from Traditional Risk Management (TRM) to Enterprise Risk Management (ERM). Lastly, an analysis of ERM in Thai listed companies was proposed.
Convergence between Management and Risk Theory
The concept of risk management has become a buzzword in the open system (Scott, 2003). In an open system, organizations cannot interact solely with the internal environment; the external environment is also indispensable. Therefore, a closed system cannot support the successful implementation of ERM. However, regarding the linkage between risk management and management theories, integration between them is lacking.
As mentioned, studying ERM determinants (critical success factors, CSF) is not new; nevertheless, the problems concern the lack of supporting theories as well as an unsystematic manner. Based on previous research, Gordon, Loeb and Tseng (2009) concluded that there were some commonly mentioned determinants of ERM, including leadership, risk management resources, risk culture, risk standard, organizational size, sectors, readiness of corporate strategies, and so on; nonetheless, where such factors came from and which theories supported them remain doubtful.
To rectify this, the author intentionally concluded that if risk management is perceived as one of the important systems for organizations, it should converge with some management theories in the open system, namely contingency and institutional theories.
First and foremost, in contingency theory, the concept of contingency is that there is “no one best way” to embed a particular system in an organization (Galbraith, 1973). The best way to embed any system will then depend on the internal and external context of the organization. Based on previous studies of ERM determinants, the internal environment factors related to embedding ERM included leader role, scale of organization, strategic plan, risk awareness culture, selection of a renowned ERM standard, robustness of the ERM process, and investment in ERM resources (Garvey, 2008). On the other side, for the external environment, the obvious critical success factor was industrial competition. In prior studies, researchers hypothesized that more intense competition led to a more robust ERM system.
Indeed, for the external environment, institutional theory is to some extent incorporated to explain the phenomenon of ERM (DiMaggio and Powell, 1983). The institutional environment is perceived as one of the vital external factors that lead to very different levels of ERM maturity across business industries. The institutional environment is composed of isomorphism, the institutionalization process, volatility across business types, and the intensity of regulators. To be precise, the institutional environment shows why the intensity of ERM implementation differs across sectors. For instance, the financial and industry sectors have higher ERM maturity than other sectors. Consequently, the author hypothesized that the number or level of regulators will be correlated with the maturity level of embedded ERM.
From these two theories, contingency and institutional theory, the author incorporated two latent variables, internal and external environment, into the proposed conceptual framework. For the former, there are leader role, organizational context and ERM resources. For the latter, there are competitiveness, sensitivity and institutional environment.
Enterprise Risk Management (ERM) Theory
The concept of risk management became a buzzword after World War II (Crockford, 1982), even though risk concepts had been studied for several decades, initially in the insurance industry. Over the long journey of risk management (RM), many definitions of risk have been given. While there are many definitions of risk, some common characteristics can be mentioned (Spikin, 2013):
- Risk has an equal meaning to expected loss.
- Risk has an equal meaning to expected disutility.
- Risk is the probability of an adverse outcome.
- Risk accounts for the combination of probability of an event and its consequence.
- Risk can refer to the fact that a decision is made under conditions of known probabilities.
- Risk refers to uncertainty of outcome of actions and events.
Indeed, there are several paradigms of RM: the birth of RM (1738), the early beginning (1995-1960), the predominance of quantitative analysis in risk management (1980s), Traditional Risk Management (TRM) (1990s) and, currently, Enterprise Risk Management (ERM) (Merna and Al-Thani, 2008). The objective of the current paradigm is to rectify the pitfalls of the former one.
Although the risk management system developed over a long period, the two most important paradigms are TRM and ERM, as researchers mention them most often. TRM’s approach concerns disaggregated methods, in which the different units of a firm each identify, assess, mitigate and monitor risks (Liebenberg & Hoyt, 2003). The problem with TRM arises when mitigating risks needs to cut across business functions. Given this limitation of TRM, ERM tries to rectify that pitfall. To be precise, ERM emphasizes comprehensive risk management throughout the risk process across entities and functions (an integrated methodology). COSO (2014) defined ERM as a “process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”.
From the above definition, ERM involves every level of staff in an organization and is positioned as an integrated methodology. Moreover, importantly, ERM considers the preconditions of ERM before the sophisticated ERM process of identifying, assessing, mitigating and monitoring risk is adopted. The preconditions of ERM can be defined as the infrastructure of ERM, relating to, for example, risk appetite, policy and procedure, and the Risk Management Committee (RMC).
Ultimately, in order to quantify the concepts of ERM, the variables related to ERM implementation are shown in Table 1.
19 June 2561 B.E.