A new CIMA paper explores how enterprise risk management (ERM) may be considered the culmination of the risk management ‘explosion’ which started during the 1990s. Report authors Michela Arnaboldi and Irvine Lapsley consider the challenge it poses for management.
ERM is intended to be a holistic approach for assessing and evaluating the risks that an organisation faces (COSO, 2004). In this reconfiguration of risk management, ERM has been claimed as a tool for improving the capability of companies to predict and manage risks, enhancing planning and the achievement of their goals.
Despite these claims, recent failures have proved that risk management is far from being embedded effectively in planning processes. Furthermore there is still little empirical evidence of companies’ risk practice, rendering ERM a black box within which significant different organisational ‘solutions’ can be implemented.
To enhance knowledge on these issues, we carried out a comparative international study to analyse how ERM is implemented and how it relates to budgeting processes. A multiple case study approach was adopted, investigating six companies that implemented ERM – three Italian companies and three UK companies. The data was collected between 2002 and 2010.
This research implies that the managerial role of ERM and its link with budgeting is both a strategic and a management challenge for companies. Three main issues emerged from the international comparison of the six cases.
- The first issue is related specifically to ERM implementations and its possible identification as a compliance and corporate governance device, adopted mainly for external purposes. This situation may pose a risk to the managerial significance of ERM, as evidenced in particular by two Italian examples.
- ERM champions emerged as central in shaping the managerial usefulness of ERM. Particularly useful cases pointed out the benefit of establishing alliances with other corporate functions, while always trying to find (and highlight) gaps in current systems of control. This was shown by two cases (one in Italy and one in the UK), where ERM champions have set alliances with key figures in planning.
- The cases showed diversity of practice in terms of integration with budgeting which ranged from full integration to complete separation. What is key in the diversity is the awareness of choice.
In four cases the diversity is the result of a deliberate process of defining a general framework of control, where ERM and budgets may or may not be integrated. Yet in two other examples the wider framework of managerial control was neglected, without considering existing processes. This led to ERM becoming a tool that was distant from managers and their actions.
Read the full report to find out more.