
Journal of Accounting and Public Policy 24 (2005) 521–531

www.elsevier.com/locate/jaccpubpol

Enterprise risk management: An empirical analysis of factors associated with the extent of implementation
Mark S. Beasley a,1, Richard Clune b,2, Dana R. Hermanson b,*
a North Carolina State University, Box 8113, Raleigh, NC 27695-8113, United States
b Department of Accounting, Kennesaw State University, 1000 Chastain Road, Kennesaw, GA 30144-5591, United States

* Corresponding author. Tel.: +1 770 423 6077; fax: +1 770 499 3420.
E-mail addresses: Mark_Beasley@ncsu.edu (M.S. Beasley), Richard_Clune@kennesaw.edu (R. Clune), Dana_Hermanson@kennesaw.edu (D.R. Hermanson).
1 Tel.: +1 919 515 6064; fax: +1 919 515 4446.
2 Tel.: +1 770 423 6514; fax: +1 770 499 3420.

0278-4254/$ - see front matter © 2005 Elsevier Inc. All rights reserved.
doi:10.1016/j.jaccpubpol.2005.10.001

Abstract

Enterprise risk management (ERM) has emerged as a new paradigm for managing the portfolio of risks that face organizations, and policy makers continue to focus on mechanisms to improve corporate governance and risk management. Despite these developments, there is little research on factors associated with the implementation of ERM. Research is needed to provide insights as to why some organizations are responding to changing risk profiles by embracing ERM and others are not.

This exploratory study examines factors associated with the stage of ERM implementation at a variety of US and international organizations. Based on data gathered from 123 organizations, we find the stage of ERM implementation to be positively related to the presence of a chief risk officer, board independence, CEO and CFO apparent support for ERM, the presence of a Big Four auditor, entity size, and entities in the banking, education, and insurance industries. We also find US organizations to have less-developed ERM processes than international organizations. We believe this paper will provide an initial foundation for more advanced research about ERM.

Keywords: Enterprise risk management; Corporate governance; Board of directors; Chief risk officer

1. Introduction

In the aftermath of recent corporate financial reporting scandals, entity stakeholders are demanding greater oversight of key risks facing the enterprise to ensure that stakeholder value is preserved and enhanced (Walker et al., 2002). Numerous regulatory reforms, particularly the Sarbanes-Oxley Act of 2002 (SOX 2002), are significantly expanding public policies related to effective corporate governance and risk management. Recent changes in New York Stock Exchange (NYSE) Corporate Governance Rules now include explicit requirements for NYSE registrant audit committees to assume specific responsibilities with respect to “risk assessment and risk management”, including risks beyond financial reporting (NYSE, 2003). If corporate governance mechanisms are not in place to effectively manage the ever-changing portfolio of risks facing the enterprise, stakeholder value is at risk, leading to significant public policy concerns if left unaddressed.

One response to these growing expectations is the emergence of a new paradigm known as “enterprise risk management” (or “ERM”), designed to increase the board's and senior management's ability to oversee the portfolio of risks facing an enterprise. ERM provides a significant source of competitive advantage for those who can demonstrate a strong ERM capability and discipline (Stoh, 2005). While ERM is on the rise, not all organizations are adopting it. Little is known about why some organizations embrace ERM while others do not.

This study contributes to the emerging stream of research on ERM adoption by exploring organizational factors associated with an entity's stage of ERM adoption. Based on data gathered from 123 organizations, we find the stage of ERM implementation to be positively related to the presence of a chief risk officer, board independence, CEO and CFO apparent support for ERM, the presence of a Big Four auditor, entity size, and entities in the banking, education, and insurance industries. We also find US organizations to have less-developed ERM processes than international organizations.

2. Background and research questions

In September 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Enterprise Risk Management—Integrated Framework, to provide a model framework for ERM. That framework defines ERM as

[A] process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (COSO, 2004).

Many organizations are implementing ERM processes to increase the effectiveness of their risk management activities, with the ultimate goal of increasing stakeholder value. In fact, a recent survey of insurance executives worldwide finds that enterprise risk management has “come of age”, with insurers giving “enterprise-level risk management increasing attention, high-level accountability, and clear responsibilities” (Tillinghast-Towers Perrin, 2004). However, despite the progress, ERM approaches are in various stages of implementation across organizations.

2.1. Research motivation

Little is known about the stages of ERM deployments or factors that affect the embrace of ERM within organizations. Two academic studies address ERM adoption. Kleffner et al. (2003) examined characteristics of Canadian companies and their ERM adoption status. Companies adopting ERM cited “the influence of the risk manager (61%), encouragement from the board of directors (51%), and compliance with Toronto Stock Exchange (TSE) guidelines (37%)” as the key factors causing their adoption of ERM. Liebenberg and Hoyt (2003) used Chief Risk Officer appointments to examine the determinants of ERM adoption. The authors found that companies appointing a Chief Risk Officer had higher leverage.

To further examine this area, we explore seven research questions regarding an entity's stage of ERM deployment. We consider a range of ERM adoption levels, rather than viewing ERM adoption as yes or no, as in previous research.

2.2. Presence of a Chief Risk Officer

Given the important role of risk managers in promoting ERM (Kleffner et al., 2003), we explore the following research question:

RQ1: Is the presence of a Chief Risk Officer positively associated with an enterprise's stage of ERM deployment?

2.3. Independence of the Board of Directors

Kleffner et al. (2003) found that many Canadian companies adopting ERM cited encouragement from the board of directors as a main factor underlying their adoption of ERM. The extant corporate governance academic literature and recent calls for board of director reform emphasize the importance of the board's independence from management as a key factor affecting the board's oversight effectiveness. In general, these sources argue that a more independent board is more objective in the assessment of management actions than is one with a lower percentage of independent directors. We explore the following research question:

RQ2: Is a higher percentage of board of director members who are independent positively associated with an enterprise’s stage of ERM deployment?

2.4. Management expectations for ERM

Walker et al. (2002) note that an ERM initiative cannot succeed without strong support in the organization from senior management, and many studies (e.g., Ivancevich et al., 1998) have found that top management support is crucial to the success of a variety of initiatives. Because internal auditors have primary responsibilities related to risk identification and assessment, they are likely to be interacting with senior management on ERM implementation issues. As a result, we explore the following research question:

RQ3: Are explicit calls from the CEO or CFO for internal audit involvement in ERM positively associated with an enterprise’s stage of ERM deployment?

2.5. Auditor type

There is an extensive academic literature that examines audit quality. Despite presenting some limitations, most of those studies classify the largest international accounting firms, now known as the Big Four firms, as high quality auditors. It is possible that organizations committed to engaging such high quality auditors also are more committed to risk management. We examine the following research question:

RQ4: Is the presence of a Big Four auditor positively associated with an enterprise’s stage of ERM deployment?

2.6. Organization size

As an organization's size increases, the scope of events threatening it is likely to differ in nature, timing, and extent. In addition to having a greater need for more effective enterprise-wide risk management techniques, larger entities may have greater ability to implement ERM due to greater resources. In fact, Colquitt et al. (1999) found that large firms are more likely to adopt integrated risk management processes than smaller firms. We examine the following research question:

RQ5: Are larger firms more likely to have further-developed ERM deployments?

2.7. Industry

Anecdotal evidence suggests that certain industries are more likely to have embraced ERM than others. Banks have been leaders in ERM adoption due to the emphasis on risk management in upcoming global regulation (Basel II, 2004) as a way to reduce minimum capital requirements. In fact, the US Federal Reserve Board has recently announced expectations for expanded ERM processes in US financial institutions (Bies, 2004). Educational institutions also face significant regulation and have been strongly encouraged to adopt ERM (Whitfield, 2004). Finally, “Insurers have come to recognize enterprise risk management as fundamental in creating and improving shareholder value through better risk-based decision making and capital allocation” (Tillinghast-Towers Perrin, 2004). We examine the following research question:

RQ6: Are entities in the banking, education, or insurance industries more likely to have further-developed ERM deployments?

2.8. Country of domicile

Despite growing expectations in the US for stronger corporate governance, ERM-related frameworks were issued in Australia, New Zealand, South Africa, and the United Kingdom before the issuance of the COSO ERM framework in the US. In addition, survey data indicate that 46% of Asia-Pacific CEOs strongly agree that ERM is a top priority as compared to only 28% of US CEOs who strongly agree with that statement (PWC, 2004). We explore the following research question:

RQ7: Are non-US enterprises more likely to have further-developed ERM deployments?

3. Method

We surveyed chief audit executives to obtain data related to ERM deployments and other organizational characteristics. The survey instrument provided the COSO definition and elements of ERM. We pre-tested the survey instrument with five academics and four practitioners and made revisions based on feedback received. The survey also was revised based on suggestions from an Institute of Internal Auditors (IIA) official who converted the survey to an online format.

3.1. Sample

Members of the IIA's Global Audit Information Network (GAIN), who are primarily chief audit executives, have access to and agree to participate in a variety of surveys on emerging issues in internal auditing. The IIA sent an electronic invitation to participate in our password-protected survey to approximately 1770 GAIN members in March 2004. A few weeks later the IIA sent a second request in order to improve the response rate.³ The survey process was controlled by the IIA to protect the anonymity of the respondents. Survey responses were automatically tabulated by the IIA and electronically transmitted to us in an electronic spreadsheet. All data used in the study were obtained from the surveys.⁴

We received 175 survey responses, a rate of 10.3%.⁵ This rate is lower than in some other surveys of internal auditors, which have response rates near 30% (e.g., Scarbrough et al., 1998; Raghunandan et al., 2001). However, our survey response rate appears consistent with other recent surveys electronically administered to the GAIN group, and the IIA informed us that there are some inactive GAIN members still included in the email list (which would decrease the response rate). Fifty-two observations had to be deleted due to incomplete/not applicable data for one or more variables in the regression model (e.g., some organizations did not have a CFO; therefore, the question related to the CFO was left blank). The final sample is 123 organizations.⁶

³ The addition of an “early/late” variable to the model has no effect on the results. The coefficient on the early/late variable is not significant.
⁴ The survey is available upon request. Please contact the third author.
⁵ Approximately 90% of the respondents were chief audit executives. Adding a variable for CAE versus non-CAE respondent has no effect on the results.
⁶ It is difficult to calculate an accurate response rate based on the 123 observations in the final sample, for it is unclear how many organizations in the group of 1770 would have not applicable responses for certain questions, such as those relating to the CFO.

3.2. Multivariate model

To address our seven research questions, we used the following ordinal logistic regression model:

ERM STAGE = f[CRO, BOD INDEP, CEO REQUEST, CFO REQUEST, BIG4, LNREV, BANKING, EDUCATION, INSURANCE, USBASED].

The ordinal dependent variable, ERM STAGE, reflects a value ranging from 1 to 5 as follows:

ERM STAGE = 5, if complete ERM is in place;
ERM STAGE = 4, if partial ERM is in place;
ERM STAGE = 3, if planning to implement ERM;
ERM STAGE = 2, if investigating ERM, but no decision made yet;
ERM STAGE = 1, if no plans exist to implement ERM.

CRO is a dummy variable which represents whether or not the organization has a Chief Risk Officer. The percentage of board members who are independent is represented by the BOD INDEP variable. We use an interval scale for CEO REQUEST and CFO REQUEST that has a value ranging from 1 = not at all to 5 = a great deal, reflecting the extent of CEO and CFO calls for internal audit involvement in ERM. We include a dummy variable, BIG4, reflecting whether the company has a Big Four auditor. LNREV measures the natural log of the organization's most recent annual revenues, first expressed in millions of US dollars. BANKING, EDUCATION, and INSURANCE are dummy variables for these three industry groups.⁷ The variable USBASED has a value equal to 1 if the company is a US based organization and a value of 0 otherwise.

⁷ We also tested for industry differences using dummy variables for utilities, government, and healthcare. None of these variables was significant, and the other results were unaffected.

4. Results

4.1. Descriptive statistics

Table 1 presents descriptive statistics on the variables used in the regression model. There is variation in the stage of ERM deployments across entities included in our sample. Fifty percent of the entities (n = 62) in the sample have either partially or completely implemented ERM, while 35% (n = 43) have not made a decision to implement ERM or have no plans to implement ERM. Thirty-one percent of the entities have appointed a Chief Risk Officer. Boards of directors, on average, have 76% of their members representing independent directors. The extent of CEO or CFO calls for internal audit involvement in ERM processes is near the midpoint of the scale. Most of the entities (88%) are audited by a Big Four firm, while 68% of the entities are based in the US. Approximately one-third of the sample entities are in the banking, education, or insurance industries. Average revenues for the sample entities are $4.7 billion, reflecting a range from $1 million to $48 billion.⁸

Table 1
Descriptive statistics for variables in model (n = 123)

| Variable | Mean | Std. Dev. | Min. | Max. |
|---|---|---|---|---|
| CRO | 0.31 | 0.46 | 0 | 1 |
| BOD INDEP | 76.46 | 23.60 | 7 | 100 |
| CEO REQUEST | 2.51 | 1.42 | 1 | 5 |
| CFO REQUEST | 2.87 | 1.51 | 1 | 5 |
| BIG4 | 0.88 | 0.33 | 0 | 1 |
| REVENUES | $4663.59 | $8712.04 | $1 | $47,962 |
| BANKING | 0.13 | 0.34 | 0 | 1 |
| EDUCATION | 0.11 | 0.31 | 0 | 1 |
| INSURANCE | 0.10 | 0.30 | 0 | 1 |
| USBASED | 0.68 | 0.47 | 0 | 1 |

| ERM STAGE | n | % |
|---|---|---|
| 5 = Complete ERM in Place | 11 | 9 |
| 4 = Partial ERM in Place | 51 | 41 |
| 3 = Planning to Implement ERM | 18 | 15 |
| 2 = Investigating ERM; No Decision Yet | 20 | 16 |
| 1 = No Plans to Implement ERM | 23 | 19 |
| Total | 123 | 100 |

Variable definitions: CRO = 1 if have a CRO, else 0. BOD INDEP = percentage of board members who are independent. CEO REQUEST = extent to which CEO has called for greater internal audit activity in ERM-related processes (interval scale from 1 = not at all to 5 = a great deal). CFO REQUEST = extent to which CFO has called for greater internal audit activity in ERM-related processes (interval scale from 1 = not at all to 5 = a great deal). BIG4 = 1 if a Big 4 auditor, else 0. REVENUES = annual revenues in millions of US $s. BANKING = 1 if organization is a bank, else 0. EDUCATION = 1 if organization is an educational institution, else 0. INSURANCE = 1 if organization is an insurance company, else 0. USBASED = 1 if US based organization, else 0. ERM STAGE = organization's stage of ERM development (ordinal scale above).

⁸ We examined a correlation matrix of the variables presented in Table 1 and found generally low correlations, except for CEO REQUEST and CFO REQUEST (r = 0.68; all others < 0.37). Either of these two variables can be deleted from the model with similar results.

4.2. Regression results

The multivariate regression results are presented in Table 2. The explanatory power of the model is significant (Model Chi-Square = 100.66, p < 0.0001) with a Pseudo R-Square of 28%. The independent variable results suggest that several factors are associated with an enterprise's stage of ERM deployment.

Table 2
Ordinal logistic regression results
ERM STAGE = f[CRO, BOD INDEP, CEO REQUEST, CFO REQUEST, BIG4, LNREV, BANKING, EDUCATION, INSURANCE, USBASED]

| Variable | Research question | Exp. sign | Coefficient | Z Stat | p-Value* |
|---|---|---|---|---|---|
| CRO | RQ1 | + | 1.712 | 3.65 | 0.00 |
| BOD INDEP | RQ2 | + | 0.021 | 2.59 | 0.01 |
| CEO REQUEST | RQ3 | + | 0.413 | 2.36 | 0.01 |
| CFO REQUEST | RQ3 | + | 0.295 | 1.76 | 0.04 |
| BIG4 | RQ4 | + | 1.806 | 2.73 | 0.00 |
| LNREV | RQ5 | + | 0.131 | 1.37 | 0.09 |
| BANKING | RQ6 | + | 1.764 | 2.92 | 0.00 |
| EDUCATION | RQ6 | + | 1.064 | 1.56 | 0.06 |
| INSURANCE | RQ6 | + | 1.476 | 2.05 | 0.02 |
| USBASED | RQ7 | - | -2.509 | -5.08 | 0.00 |

Pseudo R-Square = 28%. Model Chi-Square (10 df) = 100.66, p < 0.0001. Variable definitions: see Table 1.
* p-Values are one-tailed.

The positive and significant coefficient for CRO suggests that the presence of a Chief Risk Officer is positively associated with the extent of ERM deployment. This finding suggests that the presence of a “risk champion” among the senior management team significantly increases the entity's stage of ERM deployment. Similarly, a more independent board of directors and explicit calls from the CEO and CFO for internal audit involvement in ERM also are positively associated with an enterprise's extent of ERM deployment. Collectively, these results suggest that the tone at the top towards ERM coming from the board and senior management leadership is critical to ERM implementation.

Other firm characteristics also are associated with the extent of ERM deployments. Enterprises that are larger and those audited by Big Four audit firms are more likely to be further into ERM implementation than smaller firms or those audited by non-Big Four auditors. Similarly, firms in the banking, education, and insurance industries are further into their ERM implementations, which is likely due to explicit calls for more effective risk management emerging from industry regulators or leaders.⁹ Finally, US firms are not as advanced in their ERM implementations.

⁹ We note that the results for LNREV and EDUCATION are marginally significant.

4.3. Sensitivity tests

While our main model included a measure reflecting the board of directors' level of independence, we separately considered additional board-related measures: the number of directors, the percentage of independent audit committee members, board and audit committee requests for internal audit involvement in ERM, and the number of meetings per year between the audit committee and internal audit. None of these variables is significant.¹⁰
Also, to assess the organizations' investment in internal auditing, we added LNIABUDGET, the natural log of the internal audit budget, to the model. LNIABUDGET is positive and significant (p = 0.02), indicating that organizations with larger internal audit investments are farther down the path to full ERM adoption. When LNIABUDGET is added, LNREV is no longer significant, and the p-values on CFO REQUEST and BIG4 are both 0.07.

¹⁰ In four cases, LNREV is no longer significant at p ≤ 0.10, and in two cases EDUCATION is no longer significant at p ≤ 0.10. In one case, CEO REQUEST has p = 0.07.

5. Conclusion

Little is known about why some organizations embrace ERM while others do not. This study provides some initial exploratory empirical evidence that highlights organizational characteristics associated with the entity's extent of ERM deployment. The results suggest that board and senior management leadership on ERM is critical to extensive ERM deployment, and other organizational characteristics, such as size, auditor type, industry, and country of domicile also help to explain the extent of ERM implementation.

We acknowledge limitations in our research approach. First, we use survey data obtained from chief audit executives. To the extent those executives do not have accurate first-hand knowledge about ERM deployments within their organizations, our results are limited. Second, the response rate to our survey instrument is not as high as some other survey-based research, although it appears consistent with other recent surveys sponsored by the IIA's GAIN organization. Third, due to the limited data, we have not considered interactions among the independent variables in our model. Finally, there may be important organizational characteristics or dimensions of ERM deployments that were not reflected in our study.

We believe this study provides an initial foundation that can spawn additional research on ERM. We encourage researchers to examine such issues as ERM effectiveness, particularly specific ways that ERM protects or enhances shareholder value; ways to measure risks that may not be quantitative in nature; effective methods for measuring correlations and interactions of various risk events in order to have a portfolio view of risks; and incentives and barriers to ERM deployments. We believe the academic community is positioned to greatly contribute to this growing public policy need for more effective enterprise risk management and corporate governance.

Acknowledgements

We gratefully acknowledge the financial support of the IIA Research Foundation and the assistance and feedback of Don Sparks of the IIA. We also thank several academics and practitioners for their input on the survey, and we thank participants in a faculty workshop at North Carolina State University for their suggestions on this line of research. Finally, we are grateful for comments provided by Joe Carcello, Paul Walker, and the editors.

References

Basel II, 2004. International convergence of capital measurement and capital standards: a revised
framework. Bank for International Settlements, Basel, Switzerland. Available from:
<http://www.bis.org/press/p040626.htm>.
Bies, S., 2004. Using enterprise-wide risk management to effectively execute business strategies.
Speech made July 16 by Governor Bies. Available from:
<http://www.federalreserve.gov/boarddocs/speeches/2004/20040716/default.htm>.
Colquitt, L.L., Hoyt, R.E., Lee, R.B., 1999. Integrated risk management and the role of the risk
manager. Risk Management and Insurance Review 2, 43–61.
Committee of Sponsoring Organizations (COSO), 2004. Enterprise Risk Management—Integrated
Framework. COSO, New York.
Ivancevich, D.M., Hermanson, D.R., Smith, L.M., 1998. The association of perceived disaster
recovery plan strength with organizational characteristics. Journal of Information Systems 12
(Spring), 31–40.
Kleffner, A., Lee, R., McGannon, B., 2003. The effect of corporate governance on the use of
enterprise risk management: evidence from Canada. Risk Management and Insurance Review 6
(1), 53–73.
Liebenberg, A., Hoyt, R., 2003. The determinants of enterprise risk management: evidence from
the appointment of chief risk officers. Risk Management and Insurance Review 6 (1), 37–52.
New York Stock Exchange (NYSE), 2003. Final NYSE Corporate Governance Rules. NYSE,
New York. Available from: <http://www.nyse.com/pdfs/finalcorpgovrules.pdf>.
PricewaterhouseCoopers LLP (PwC), 2004. Managing risk: An assessment of CEO perspectives.
PwC, New York.
Raghunandan, K., Read, W.J., Rama, D.V., 2001. Audit committee characteristics, ‘gray’
directors, and interaction with internal auditing. Accounting Horizons 15 (June), 105–118.
Sarbanes-Oxley Act of 2002 (SOX), 2002. Public Law No. 107–204. Government Printing Office,
Washington, DC.
Scarbrough, P., Rama, D.V., Raghunandan, K., 1998. Audit committees' interaction with internal
auditing: Canadian evidence. Accounting Horizons 12 (March), 51–62.
Stoh, P.J., 2005. Enterprise risk management at United Health Group. Strategic Finance 87 (July),
26–35.
Tillinghast-Towers Perrin, 2004. Adding Value Through Risk and Capital Management.
Tillinghast-Towers Perrin, New York.
Walker, P.L., Shenkir, W.G., Barton, T.L., 2002. Enterprise Risk Management: Putting it all
together. Institute of Internal Auditors Research Foundation, Altamonte Springs, FL.
Whitfield, R., 2004. Creating a risk-conscious climate. NACUBO Business Officers (March), 27–32.
