Date of Award
Doctor of Business Administration (DBA)
Dr. Dana R. Hermanson
Dr. Mark S. Beasley
Dr. Jeffrey Cohen
This paper investigates the processes that comprise enterprise-wide risk management (ERM) programs implemented by organizations. ERM is a holistic approach to risk management that looks at organization-level risks on a portfolio basis, unlike traditional risk management, which looks at silos of individual risks within an organization. The practitioner and academic literatures provide many insights into different frameworks that could be used to implement ERM, but there is little written about the processes and activities that represent actual organizations’ ERM approaches. By looking at the way an organization accomplishes its mission through its management style and communication methods, the role corporate culture plays in an ERM implementation is examined.
Employing interviews and surveys of ERM champions in 14 organizations, this study provides rich insights into ERM implementation. The interviews revealed that organizations were most likely to undertake an ERM implementation to meet strategic needs, often motivated by encouragement for the process from the board of directors (BOD) and audit committee, with few objections raised. The ERM process typically began with a list of risks developed with senior management input, and ERM often resulted in organizational changes, with new responsibilities being the most common change. Few of the organizations had a formal definition of risk appetite, with many describing the appetite definition as included in strategic objectives or procedures.
When it came to identifying and assessing top risks, an iterative process was used that crossed multiple layers of the organization and cross-functional groups. The key players in the ERM process were Internal Audit (IA), general counsel, audit committee, CFO, and BOD, with IA most commonly identified as having ownership over the day-to-day ERM leadership. Most organizations had management-level ERM committees, but few had departments dedicated to ERM. The interviewees identified positive impacts of ERM more often than negative effects of ERM. While most of the organizations had an organic culture and had relatively advanced ERM implementations, there were some differences in interview responses between the organic and “less organic” groups. This study has implications for corporate governance in the areas of successful ERM methods and overall risk management of an organization.