In the contemporary business environment, companies have to ensure that they remain effective in order to remain competitive and ensure positive financial performance. However, local and global changes, including legal, political, and environmental factors, as well as internal organisational factors, can impair the company’s efforts, posing a significant risk to the business. Therefore, risk management is a crucial component of any organisation’s planning and monitoring activities, as it allows the organisation to enhance productivity and minimise risks associated with different projects and initiatives.
Risk management is a well-researched field, with many studies aiming to define and test the particular tools and mechanisms that can be used by companies to evaluate, address, and minimise risks. For instance, strategic planning is perceived to be effective in predicting and mitigating risks, as it makes it possible to determine potential threats and establish control and response mechanisms (Haines 2016). Strategic planning is also linked to enterprise risk management (ERM), a concept that stipulates a comprehensive approach to organisational risk management (Bromiley, McShane, Nair & Rustambekov 2015). However, in order for the organisation to be effective at managing internal and external risks, it is also crucial to establish adequate organisational mechanisms. For instance, research suggests that building an appropriate risk culture promotes responsibility and efficient mitigation of threats (Ingram, Underwood & Thompson 2014). Risk appraisal, risk communication, and the risk governance framework are some of the other components of risk management schemes that are used in research and practice.
Internal audits are also among the popular tools used by companies all over the global market in the risk management process. Internal audits are important in determining any potential risks embedded in the company’s structure, operations, or workforce. By identifying the threat and its source, internal audits can help companies to target the risks directly, thus reducing their impact on the company. Moreover, internal audits are useful in monitoring the implementation or change processes, as they can be applied on a regular basis to track project outcomes and highlight any issues arising.
However, despite the abundance of research on risk management tools and their application in different organisations, few studies have attempted to measure employee attitudes and perceptions regarding the mechanisms and their effectiveness. The majority of research on the topic measures the effectiveness of risk management tools and actions by connecting them to organisational outcomes, such as firm performance and market share. This is a significant gap, as employees are a crucial source of information. For instance, while the vast share of risk management programs uses several tools, employees can help to evaluate the contribution of each tool. Thus, information provided by employees can allow the business to decrease its expenses by focusing on the most effective components of risk management strategy. On the whole, considering employees’ perspective would provide additional insight into specific tools and their impact on risk management within the organisation, which is why this research will focus on employees’ perceptions and attitudes. This report aims to outline the various risk management tools and mechanisms that can help companies to be more effective, as well as to discuss the function and role of internal audits in risk management efforts. In addition, the conceptual model will seek to introduce research hypotheses regarding risk management, project events, and audit functions.
Theoretical Framework of the Model
The theoretical framework for the model is based on prior research and the conclusions drawn from it. Each risk management tool addressed in the research was considered separately to theorise about its impact on risk management and the occurrence of negative events. For instance, Dibrell, Craig, and Neubaum (2014) discuss the effects of strategic planning on the organisation, concluding that it is positively linked to firm performance and flexibility. Thus, it can be suggested that strategic planning contributes to risk management by allowing the firm to mitigate and avoid risks effectively. Risk ownership and accountability, on the other hand, were discussed by Andreeva, Ansell, and Harrison (2014), who show how the lack of established risk ownership and accountability policies can impair the organisation’s response to threats. Tekathen and Dechow (2013) also add that enterprise risk management works to improve accountability, thus linking strategic planning to risk ownership. All in all, the theoretical framework of the study reflects the interconnectedness of the topics considered in the exploration. However, it also highlights the complex nature of risk management in organisations and the need to establish sufficient mechanisms and tools to avoid risks. Huber and Scheytt (2013) address the role played by risk management during the 2008 financial crisis, showing how negative risk management practices can lead to negative events and have an adverse effect on the company and its environment. Figure 1 represents the primary conceptual model to be used in the present research and indicates the key hypotheses that will be investigated.
The purpose of the present literature review is to establish a firm understanding of all the components of risk management and governance that will be addressed in the study. In addition, the review of past studies and theories is crucial to develop appropriate hypotheses about the contribution of various tools to risk management efficiency.
Strategic planning refers to the complex process of developing a strategy in accordance with the external and internal environment of the business. In strategic planning, organisations are viewed as organisms that develop and grow in response to their environment while at the same time being impacted by internal organisational factors (Haines 2016). Such an approach highlights the influence of various factors on the performance of the organisation, as well as the need to evaluate these factors to predict and respond to threats. Thus, effective risk management is one of the key functions of strategic planning, with internal audits and environmental scanning being the two main tools used by strategic managers to determine and plan for various risks (Haines 2016). However, strategic planning is also important to align risks with the strategic objectives of the company. As explained by Haines (2016), aligning all of the company’s activities with its strategic goals, objectives, and vision is among the core principles of strategic planning. Therefore, strategic planning helps to ensure that all of the risks taken by the company, as well as the processes for responding to and mitigating threats, contribute to the company’s overall strategy and vision. According to Bromiley et al. (2015, p. 265), “ERM proposes the integrated management of all the risks an organisation faces, which inherently requires alignment of risk management with corporate governance and strategy”. Thus, strategic planning is useful to the organisation’s risk management not only because it provides a framework for predicting risks, but also because it allows creating a comprehensive approach to risk management.
Hypothesis 1. Companies that use strategic planning are likely to be effective in risk management.
Risk Appraisal, Decision, Controls, and Implementation
A lot of researchers argue that risk-based processes, including risk appraisal, decision-making, controlling, and change implementation are the basis of effective risk management in the organisation. Indeed, these processes contribute to the organisation’s capacity for identifying and mitigating threats. Risk management processes target various departments and units of the company; however, the strategic and financial aspects of risk management are perceived by many researchers as the most significant.
For instance, precautionary risk appraisal can help companies to identify and prevent risks during times of uncertainty (Stirling 2017). This, in turn, ensures a proactive approach to risk management, which can provide the company with a significant advantage by facilitating preparedness for the threat (Eriksson 2017b). Moreover, appraisal of known threats can form a basis for decision-making in response to risks. For instance, detailed risk appraisal can help the organisation to understand if the risk is worth taking or whether the identified threat can cause serious harm to the business. The latter benefit allows prioritising the risks and the actions needed to mitigate them, thus contributing to organisational efficiency. Finally, risk appraisal can also help organisations to identify the potential and existing sources of risk, which could contribute to its elimination and prevention (Harris 2017). Thus, risk appraisal has a significant impact on the strategy used by the business to mitigate and respond to risks.
Controlling mechanisms are also important to risk management, as they make it possible to prevent negative events (Hopkin 2017). However, whereas some scholars believe that separate control mechanisms are needed for efficient risk management, others stress that risks should be addressed as part of existing control schemes. For instance, according to Woods and Linsley (2017), incorporating risk considerations into control systems used by the business can help it to avoid extra expenditures on risk management and reduce the occurrence of harmful events. Similarly, planning organisational change implementation in accordance with the possible risks adds to effective risk management by ensuring a proactive approach. On the whole, a comprehensive approach to risk management that incorporates all of the stipulated processes is likely to help the organisation in achieving its goals.
Hypothesis 2. Companies with established risk management processes are more effective in preventing and addressing the risks.
Risk communication is also a widely studied organisational factor that can have a significant influence on the overall success of risk management efforts. Risk communication can be both internal and external depending on the intended recipient of the message. In the case of internal risk communication, it is the workers who receive information about potential risks that could impact their work and the organisation in general.
Internal risk communication promotes transparency and trust within the organisation while at the same time ensuring that employees are informed of their responsibilities regarding the prevention and mitigation of risk. Eriksson (2017a) studies risk communication in the environmental context, noting that effective and ongoing risk communication has a significant impact on project outcomes. The same applies to business, especially at a time of major crisis, when a consistent effort of all employees is required to avoid negative events.
External risk communication, on the other hand, targets a wider range of stakeholders, including the local community, shareholders, and other people affected by the company’s operations. In essence, “The intention of effective risk communication is to share knowledge and understanding about potential risks in a manner that helps the industry and consumer make well-informed decisions” (O’Sullivan 2017). The need for external risk communication is usually justified by the company’s accountability towards its stakeholders.
Hypothesis 3. Risk communication is an integral part of risk management and governance framework.
Risk Culture and Appetite
Risk culture and appetite refer to the organisation’s general practices for addressing risks. Risk appetite usually features a “Clear statement of risk that the organisation is willing to accept”, thus reflecting the company’s overall attitude to risk (Ingram, Underwood & Thompson 2014). For example, the limits of the organisation’s risk appetite are determined by the competitive landscape and the market in which the company operates. New companies operating in highly competitive markets tend to have higher risk appetite limits and take more risks to obtain a larger market share. Well-established large companies, on the other hand, would normally lower their risk appetite, reaping the benefits of traditional products, services, and schemes instead. The risk appetite of the organisation has a significant impact on its strategy (Zahradníčková & Vacík 2014). Therefore, ensuring that there are mechanisms to build awareness of the organisation’s risk appetite among employees can help to prevent unwanted risk or promote opportunity-seeking in accordance with the company’s goal. As company goals are subject to change due to external and internal influences, it is crucial to ensure that the company’s risk appetite limits are regularly reviewed.
Risk culture reflects the organisations’ choices and behaviours in response to future and existing risks (Ingram, Underwood & Thompson 2014). The organisation’s risk culture depends not only on the strategic goals and the current position of the business but also on the core beliefs shared by its leaders (Ingram, Underwood & Thompson 2014). Thus, risk culture can be both beneficial and harmful to risk management efforts and the organisation in general. In addition, risk culture can influence the company’s ability to recover from a financial crisis, as noted by Palermo, Power, and Ashby (2017). Companies with appropriate risk cultures would be more efficient in avoiding and recovering from risks, whereas those that do not have an adequate risk culture in place would be less effective.
Hypothesis 4. Companies that are successful in risk management have appropriate risk culture and appetite.
Risk ownership and accountability are usually perceived to be similar in their meaning. Both concepts refer to the allocation of risk and risk management efforts within the organisation. Mapping risk ownership is a required step in coordinating response and prevention efforts, as this process makes it possible to identify those responsible for certain processes and actions (Young, Symons & Jones 2016). In essence, institutional risk ownership allows establishing the owner of the resource at risk and the delegated risk manager (Young, Symons & Jones 2016). Apart from directly assisting in risk management processes, a strong risk ownership and accountability framework promotes appropriate corporate culture and increases employees’ responsibility. It also allows sharing the responsibility for the risk, which improves the coordination of response and mitigation actions (Andreeva, Ansell & Harrison 2014). Based on the information provided, it can be suggested that companies with clear risk ownership and accountability structures are more efficient in risk management and risk governance than those without such structures.
Hypothesis 5. Effective risk management requires clear risk ownership and accountability structures.
Audit Processes in Risk Management
As noted in previous sections, risk management requires both internal and external processes related to the identification, evaluation, and planning for risks. Risk-based audits can help companies to handle threats by providing information and control mechanisms. As explained by Nedelcu (2015), external audits are crucial for companies looking to enhance performance, profitability, and other company outcomes. External audits are performed by independent auditors who are not affiliated with the company and can thus provide an objective view of its strengths and weaknesses. The effect of external audits on business outcomes is well-documented, with most scholars reporting improved performance, compliance, and decision-making with the help of external audits (Nedelcu 2015). When applied to risk management, external audit seeks to provide complete information on the company’s problem areas and to identify any potential risks that could damage its performance. Internal audits, on the other hand, are applied to the company on a regular basis, as they require fewer resources and can be scaled according to the organisation’s needs. Whereas external audits are usually broad in terms of their scope, internal audits can focus on a specific aspect of the company.
Risk-based internal audits are different from other types of audits, as they are focused on identification and mitigation of risks that are evident within the company (Coetzee & Lubbe 2014). Thus, risk-based audits are a valuable tool for the company’s risk management schemes. Ismajli, Ferati, and Ferati (2017) investigate the perceived role and function of internal audit in risk management. The study found that only 23% of companies performed risk assessment with the help of internal auditors, and that risk assessment activities tended to focus on areas other than finance, production, and IT (Ismajli, Ferati & Ferati 2017). However, internal audits allowed the companies to gain an enhanced insight into the risks, thus becoming more efficient in risk management. Thus, internal audit informs the companies’ risk management efforts by providing comprehensive information about the risks and prompting the organisation to implement a formal risk management program.
Hypothesis 6. Internal audit guides risk management efforts by providing information and assessing effectiveness.
Overall, risk management is a complicated process that is affected by a variety of factors. In order to ensure that the organisation’s risk management process is useful in minimising and responding to possible threats, it is crucial for the company to establish an appropriate risk management and governance framework, consisting of various tools and mechanisms. These tools and mechanisms can assist in the organisation’s risk management efforts by evaluating the risks and their potential effect on the company, as well as by assessing the current risk management processes. The use of specific tools largely depends on the company’s structure, goals, and the market in which it operates, which is why it is essential for risk managers to have excellent knowledge of the company.
The present study will seek to explore the proposed hypotheses by reviewing the respondents’ perceptions of risk management tools and processes. The research can thus help to gain an additional perspective on risk management tools and their effectiveness in different organisations. Depending on the results of the study, it can be used in practice to minimise risk management expenditures or to develop new organisational mechanisms for risk management.
Andreeva, G, Ansell, J & Harrison, T 2014, ‘Governance and accountability of public risk’, Financial Accountability and Management, vol. 30, no. 3, pp. 342-361.
Bromiley, P, McShane, M, Nair, A & Rustambekov, E 2015, ‘Enterprise risk management: review, critique, and research directions’, Long Range Planning, vol. 48, no. 4, pp. 265-276.
Coetzee, P & Lubbe, D 2014, ‘Improving the efficiency and effectiveness of risk‐based internal audit engagements’, International Journal of Auditing, vol. 18, no. 2, pp. 115-125.
Dibrell, C, Craig, JB & Neubaum, DO 2014, ‘Linking the formal strategic planning process, planning flexibility, and innovativeness to firm performance’, Journal of Business Research, vol. 67, no. 9, pp. 2000-2007.
Eriksson, L 2017a, ‘Components and drivers of long-term risk communication: exploring the within-communicator, relational, and content dimensions in the Swedish forest context’, Organization & Environment, vol. 30, no. 2, pp. 162-179.
Eriksson, L 2017b, ‘The importance of threat, strategy, and resource appraisals for long-term proactive risk management among forest owners in Sweden’, Journal of Risk Research, vol. 20, no. 7, pp. 868-886.
Haines, S 2016, The systems thinking approach to strategic planning and management, CRC Press, Boca Raton, FL.
Harris, E 2017, Strategic project risk appraisal and management, Routledge, Abingdon.
Hopkin, P 2017, Fundamentals of risk management: understanding, evaluating and implementing effective risk management, Kogan Page Publishers, London.
Huber, C & Scheytt, T 2013, ‘The dispositif of risk management: reconstructing risk management after the financial crisis’, Management Accounting Research, vol. 24, no. 2, pp. 88-99.
Ingram, D, Underwood, A & Thompson, M 2014, ‘Risk culture, neoclassical economics, and enterprise risk management’, 2014 Enterprise Risk Management Symposium, vol. 1, no. 1, pp. 12-22.
Ismajli, H, Ferati, MG & Ferati, A 2017, ‘The role of internal audit in risk management-evidence from private sector of Kosovo’, Acta Universitatis Danubius: Oeconomica, vol. 13, no. 5, pp. 146-154.
Nedelcu, M 2015, ‘Study on the relationship between the quality of external audit-financial performance, solvency and risk management in the Romanian banking system’, in Proceedings of International Academic Conferences (No. 1003389), International Institute of Social and Economic Sciences, Rome, pp. 741-751.
O’Sullivan, F 2017, ‘Effective risk communication for the food industry’, Veterinary Ireland Journal, vol. 7, no. 11, pp. 609-612.
Palermo, T, Power, M & Ashby, S 2017, ‘Navigating institutional complexity: the production of risk culture in the financial sector’, Journal of Management Studies, vol. 54, no. 2, pp. 154-181.
Stirling, A 2017, ‘Precautionary appraisal as a response to risk, uncertainty, ambiguity and ignorance’, in CL Spash (ed.), Routledge handbook of ecological economics, Routledge, Abingdon, pp. 267-277.
Tekathen, M & Dechow, N 2013, ‘Enterprise risk management and continuous re-alignment in the pursuit of accountability: a German case’, Management Accounting Research, vol. 24, no. 2, pp. 100-121.
Woods, M & Linsley, P (eds.) 2017, The Routledge companion to accounting and risk, Taylor & Francis, Oxford.
Young, CK, Symons, J & Jones, RN 2016, Institutional maps of risk ownership for strategic decision making. Web.
Zahradníčková, L & Vacík, E 2014, ‘Scenarios as a strong support for strategic planning’, Procedia Engineering, vol. 69, no. 1, pp. 665-669.