Professional Documents
Culture Documents
Risk and Crisis 3.7
Risk and Crisis 3.7
www.elsevier.com/locate/jaccpubpol
Abstract
Enterprise risk management (ERM) has emerged as a new paradigm for managing
the portfolio of risks that face organizations, and policy makers continue to focus on
mechanisms to improve corporate governance and risk management. Despite these
developments, there is little research on factors associated with the implementation of
ERM. Research is needed to provide insights as to why some organizations are respond-
ing to changing risk profiles by embracing ERM and others are not.
This exploratory study examines factors associated with the stage of ERM imple-
mentation at a variety of US and international organizations. Based on data gathered
from 123 organizations, we find the stage of ERM implementation to be positively
related to the presence of a chief risk officer, board independence, CEO and CFO appar-
ent support for ERM, the presence of a Big Four auditor, entity size, and entities in the
*
Corresponding author. Tel.: +1 770 423 6077; fax: +1 770 499 3420.
E-mail addresses: Mark_Beasley@ncsu.edu (M.S. Beasley), Richard_Clune@kennesaw.edu
(R. Clune), Dana_Hermanson@kennesaw.edu (D.R. Hermanson).
1
Tel.: +1 919 515 6064; fax: +1 919 515 4446.
2
Tel.: +1 770 423 6514; fax: +1 770 499 3420.
0278-4254/$ - see front matter Ó 2005 Elsevier Inc. All rights reserved.
doi:10.1016/j.jaccpubpol.2005.10.001
522 M.S. Beasley et al. / Journal of Accounting and Public Policy 24 (2005) 521–531
Keywords: Enterprise risk management; Corporate governance; Board of directors; Chief risk officer
1. Introduction
Little is known about the stages of ERM deployments or factors that affect the
embrace of ERM within organizations. Two academic studies address ERM adop-
tion. Kleffner et al. (2003) examined characteristics of Canadian companies and
their ERM adoption status. Companies adopting ERM cited ‘‘the influence of
the risk manager (61%), encouragement from the board of directors (51%), and
compliance with Toronto Stock Exchange (TSE) guidelines (37%)’’ as the key fac-
tors causing their adoption of ERM. Liebenberg and Hoyt (2003) used Chief Risk
Officer appointments to examine the determinants of ERM adoption. The authors
found that companies appointing a Chief Risk Officer had higher leverage.
To further examine this area, we explore seven research questions regarding
an entityÕs stage of ERM deployment. We consider a range of ERM adoption
levels, rather than viewing ERM adoption as yes or no, as in previous research.
Kleffner et al. (2003) found that many Canadian companies adopting ERM
cited encouragement from the board of directors as a main factor underlying
524 M.S. Beasley et al. / Journal of Accounting and Public Policy 24 (2005) 521–531
their adoption of ERM. The extant corporate governance academic literature and
recent calls for board of director reform emphasize the importance of the boardÕs
independence from management as a key factor affecting the boardÕs oversight
effectiveness. In general, these sources argue that a more independent board is
more objective in the assessment of management actions than is one with a
lower percentage of independent directors. We explore the following research
question:
RQ2: Is a higher percentage of board of director members who are indepen-
dent positively associated with an enterprise’s stage of ERM deployment?
Walker et al. (2002) note than an ERM initiative cannot succeed without
strong support in the organization from senior management, and many studies
(e.g., Ivancevich et al., 1998) have found that top management support is cru-
cial to the success of a variety of initiatives. Because internal auditors have pri-
mary responsibilities related to risk identification and assessment, they are
likely to be interacting with senior management on ERM implementation
issues. As a result, we explore the following research question:
RQ3: Are explicit calls from the CEO or CFO for internal audit involve-
ment in ERM positively associated with an enterprise’s stage of ERM
deployment?
et al. (1999) found that large firms are more likely to adopt integrated risk
management processes than smaller firms. We examine the following research
question:
RQ5: Are larger firms more likely to have further-developed ERM
deployments?
2.7. Industry
Anecdotal evidence suggests that certain industries are more likely to have
embraced ERM than others. Banks have been leaders in ERM adoption due
to the emphasis on risk management in upcoming global regulation (Basel
II, 2004) as a way to reduce minimum capital requirements. In fact, the US
Federal Reserve Board has recently announced expectations for expanded
ERM processes in US financial institutions (Bies, 2004). Educational institu-
tions also face significant regulation and have been strongly encouraged to
adopt ERM (Whitfield, 2004). Finally, ‘‘Insurers have come to recognize
enterprise risk management as fundamental in creating and improving share-
holder value through better risk-based decision making and capital alloca-
tion’’ (Tillinghast-Towers Perrin, 2004). We examine the following research
question:
RQ6: Are entities in the banking, education, or insurance industries more
likely to have further-developed ERM deployments?
3. Method
instrument with five academics and four practitioners and made revisions
based on feedback received. The survey also was revised based on suggestions
from an Institute of Internal Auditors (IIA) official who converted the survey
to an online format.
3.1. Sample
Members of the IIAÕs Global Audit Information Network (GAIN), who are
primarily chief audit executives, have access to and agree to participate in a
variety of surveys on emerging issues in internal auditing. The IIA sent an elec-
tronic invitation to participate in our password-protected survey to approxi-
mately 1770 GAIN members in March 2004. A few weeks later the IIA sent
a second request in order to improve the response rate.3 The survey process
was controlled by the IIA to protect the anonymity of the respondents. Survey
responses were automatically tabulated by the IIA and electronically transmit-
ted to us in an electronic spreadsheet. All data used in the study were obtained
from the surveys.4
We received 175 survey responses, a rate of 10.3%.5 This rate is lower than
in some other surveys of internal auditors, which have response rates near
30% (e.g., Scarbrough et al., 1998; Raghunandan et al., 2001). However,
our survey response rate appears consistent with other recent surveys
electronically administered to the GAIN group, and the IIA informed us that
there are some inactive GAIN members still included in the email list (which
would decrease the response rate). Fifty-two observations had to be deleted
due to incomplete/not applicable data for one or more variables in the
regression model (e.g., some organizations did not have a CFO; therefore,
the question related to the CFO was left blank). The final sample is 123
organizations.6
3
The addition of an ‘‘early/late’’ variable to the model has no effect on the results. The coefficient
on the early/late variable is not significant.
4
The survey is available upon request. Please contact the third author.
5
Approximately 90% of the respondents were chief audit executives. Adding a variable for CAE
versus non-CAE respondent has no effect on the results.
6
It is difficult to calculate an accurate response rate based on the 123 observations in the final
sample, for it is unclear how many organizations in the group of 1770 would have not applicable
responses for certain questions, such as those relating to the CFO.
M.S. Beasley et al. / Journal of Accounting and Public Policy 24 (2005) 521–531 527
4. Results
7
We also tested for industry differences using dummy variables for utilities, government, and
healthcare. None of these variables was significant, and the other results were unaffected.
528 M.S. Beasley et al. / Journal of Accounting and Public Policy 24 (2005) 521–531
Table 1
Descriptive statistics for variables in model (n = 123)
Variable Mean Std. Dev. Min. Max.
CRO 0.31 0.46 0 1
BOD INDEP 76.46 23.60 7 100
CEO REQUEST 2.51 1.42 1 5
CFO REQUEST 2.87 1.51 1 5
BIG4 0.88 0.33 0 1
REVENUES $4663.59 $8712.04 $1 $47,962
BANKING 0.13 0.34 0 1
EDUCATION 0.11 0.31 0 1
INSURANCE 0.10 0.30 0 1
USBASED 0.68 0.47 0 1
n %
ERM STAGE
5 = Complete ERM in Place 11 9
4 = Partial ERM in Place 51 41
3 = Planning to Implement ERM 18 15
2 = Investigating ERM; No Decision Yet 20 16
1 = No Plans to Implement ERM 23 19
Total 123 100
Variable definitions: CRO = 1 if have a CRO, else 0. BODINDEP = percentage of board members
who are independent. CEO REQUEST = extent to which CEO has called for greater internal audit
activity in ERM-related processes (interval scale from 1 = not at all to 5 = a great deal). CFO
REQUEST = extent to which CFO has called for greater internal audit activity in ERM-related
processes (interval scale from 1 = not at all to 5 = a great deal). BIG4 = 1 if a Big 4 auditor, else 0.
REVENUES = annual revenues in millions of US $s. BANKING = 1 if organization is a bank,
else 0. EDUCATION = 1 if organization is an educational institution, else 0. INSURANCE = 1 if
organization is an insurance company, else 0. USBASED = 1 if US based organization, else 0.
ERM STAGE = organizationÕs stage of ERM development (ordinal scale above).
8
We examined a correlation matrix of the variables presented in Table 1 and found generally low
correlations, except for CEO REQUEST and CFO REQUEST (r = 0.68; all others < 0.37). Either
of these two variables can be deleted from the model with similar results.
M.S. Beasley et al. / Journal of Accounting and Public Policy 24 (2005) 521–531 529
Table 2
Ordinal logistic regression results
ERM STAGE ¼ f ½CRO; BOD INDEP; CEO REQUEST; CFO REQUEST; BIG4; LNREV;
BANKING; EDUCATION; INSURANCE; USBASED
Variable Research question Exp. sign Coefficient Z Stat p-Value*
CRO RQ1 + 1.712 3.65 0.00
BOD INDEP RQ2 + 0.021 2.59 0.01
CEO REQUEST RQ3 + 0.413 2.36 0.01
CFO REQUEST RQ3 + 0.295 1.76 0.04
BIG4 RQ4 + 1.806 2.73 0.00
LNREV RQ5 + 0.131 1.37 0.09
BANKING RQ6 + 1.764 2.92 0.00
EDUCATION RQ6 + 1.064 1.56 0.06
INSURANCE RQ6 + 1.476 2.05 0.02
USBASED RQ7 2.509 5.08 0.00
Pseudo R-Square = 28%. Model Chi-Square (10 df) = 100.66, p < 0.0001. Variable definitions: see
Table 1.
*
p-Values are one-tailed.
The positive and significant coefficient for CRO suggests that the presence of
a Chief Risk Officer is positively associated with the extent of ERM deploy-
ment. This finding suggests that the presence of a ‘‘risk champion’’ among
the senior management team significantly increases the entityÕs stage of ERM
deployment. Similarly, a more independent board of directors and explicit calls
from the CEO and CFO for internal audit involvement in ERM also are pos-
itively associated with an enterpriseÕs extent of ERM deployment. Collectively,
these results suggest that the tone at the top towards ERM coming from the
board and senior management leadership is critical to ERM implementation.
Other firm characteristics also are associated with the extent of ERM
deployments. Enterprises that are larger and those audited by Big Four audit
firms are more likely to be further into ERM implementation than smaller
firms or those audited by non-Big Four auditors. Similarly, firms in the bank-
ing, education, and insurance industries are further into their ERM implemen-
tations, which is likely due to explicit calls for more effective risk management
emerging from industry regulators or leaders.9 Finally, US firms are not as
advanced in their ERM implementations.
4.3. Sensitivity tests
While our main model included a measure reflecting the board of directorsÕ
level of independence, we separately considered additional board-related mea-
sures: the number of directors, the percentage of independent audit committee
9
We note that the results for LNREV and EDUCATION are marginally significant.
530 M.S. Beasley et al. / Journal of Accounting and Public Policy 24 (2005) 521–531
members, board and audit committee requests for internal audit involvement
in ERM, and the number of meetings per year between the audit committee
and internal audit. None of these variables is significant.10
Also, to assess the organizationsÕ investment in internal auditing, we added
LNIABUDGET, the natural log of the internal audit budget, to the model.
LNIABUDGET is positive and significant (p = 0.02), indicating that organiza-
tions with larger internal audit investments are farther down the path to full
ERM adoption. When LNIABUDGET is added, LNREV is no longer signif-
icant, and the p-values on CFO REQUEST and BIG4 are both 0.07.
5. Conclusion
Little is known about why some organizations embrace ERM while others
do not. This study provides some initial exploratory empirical evidence that
highlights organizational characteristics associated with the entityÕs extent of
ERM deployment. The results suggest that board and senior management
leadership on ERM is critical to extensive ERM deployment, and other orga-
nizational characteristics, such as size, auditor type, industry, and country of
domicile also help to explain the extent of ERM implementation.
We acknowledge limitations in our research approach. First, we use survey
data obtained from chief audit executives. To the extent those executives do
not have accurate first-hand knowledge about ERM deployments within their
organizations, our results are limited. Second, the response rate to our survey
instrument is not as high as some other survey-based research, although it
appears consistent with other recent surveys sponsored by the IIAÕs GAIN
organization. Third, due to the limited data, we have not considered interac-
tions among the independent variables in our model. Finally, there may be
important organizational characteristics or dimensions of ERM deployments
that were not reflected in our study.
We believe this study provides an initial foundation that can spawn addi-
tional research on ERM. We encourage researchers to examine such issues
as ERM effectiveness, particularly specific ways that ERM protects or
enhances shareholder value; ways to measure risks that may not be quantita-
tive in nature; effective methods for measuring correlations and interactions
of various risk events in order to have a portfolio view of risks; and incentives
and barriers to ERM deployments. We believe the academic community is
positioned to greatly contribute to this growing public policy need for more
effective enterprise risk management and corporate governance.
10
In four cases, LNREV is no longer significant at p 6 0.10, and in two cases EDUCATION is no
longer significant at p 6 0.10. In one case, CEO REQUEST has p = 0.07.
M.S. Beasley et al. / Journal of Accounting and Public Policy 24 (2005) 521–531 531
Acknowledgements
References
Basel II, 2004. International convergence of capital measurement and capital standards: a revised
framework. Bank for International Settlements, Basel, Switzerland. Available from: <http://
www.bis.org/press/p040626.htm>.
Bies, S., 2004. Using enterprise-wide risk management to effectively execute business strategies.
Speech made July 16 by Governor Bies. Available from: <http://www.federalreserve.gov/
boarddocs/speeches/2004/20040716/default.htm>.
Colquitt, L.L., Hoyt, R.E., Lee, R.B., 1999. Integrated risk management and the role of the risk
manager. Risk Management and Insurance Review 2, 43–61.
Committee of Sponsoring Organizations (COSO), 2004. Enterprise Risk Management—Integrated
Framework. COSO, New York.
Ivancevich, D.M., Hermanson, D.R., Smith, L.M., 1998. The association of perceived disaster
recovery plan strength with organizational characteristics. Journal of Information Systems 12
(Spring), 31–40.
Kleffner, A., Lee, R., McGannon, B., 2003. The effect of corporate governance on the use of
enterprise risk management: evidence from Canada. Risk Management and Insurance Review 6
(1), 53–73.
Liebenberg, A., Hoyt, R., 2003. The determinants of enterprise risk management: evidence from
the appointment of chief risk officers. Risk Management and Insurance Review 6 (1), 37–52.
New York Stock Exchange (NYSE), 2003. Final NYSE Corporate Governance Rules. NYSE,
New York. Available from: <http://www.nyse.com/pdfs/finalcorpgovrules.pdf>.
PricewaterhouseCoopers LLP(PwC), 2004. Managing risk: An assessment of CEO perspectives.
PwC, New York.
Raghunandan, K., Read, W.J., Rama, D.V., 2001. Audit committee characteristics, ÔgrayÕ
directors, and interaction with internal auditing. Accounting Horizons 15 (June), 105–118.
Sarbanes-Oxley Act, of 2002. (SOX), 2002. Public Law No. 107–204. Government Printing Office,
Washington, DC.
Scarbrough, P., Rama, D.V., Raghunandan, K., 1998. Audit committeesÕ interaction with internal
auditing: Canadian evidence. Accounting Horizons 12 (March), 51–62.
Stoh, P.J., 2005. Enterprise risk management at United Health Group. Strategic Finance 87 (July),
26–35.
Tillinghast-Towers Perrin, 2004. Adding Value Through Risk and Capital Management.
Tillinghast-Towers Perrin, New York.
Walker, P.L., Shenkir, W.G., Barton, T.L., 2002. Enterprise Risk Management: Putting it all
together. Institute of Internal Auditors Research Foundation, Altamonte Springs, FL.
Whitfield, R., 2004. Creating a risk-conscious climate. NACUBO Business Officers (March), 27–32.