
Managing Risks: Towards a Contingency Theory of Enterprise Risk Management

Anette Mikes, Robert Kaplan

Working Paper
13-063 May 16, 2013

Copyright 2013 by Anette Mikes and Robert Kaplan. Working papers are in draft form. This working paper is distributed for purposes of comment and discussion only. It may not be reproduced without permission of the copyright holder. Copies of working papers are available from the author.



Anette Mikes [1], Robert Kaplan
Harvard Business School

[1] Corresponding author. Email: amikes@hbs.edu. We gratefully acknowledge the research support provided by HBS Research Associate Dominique Hamel.



Abstract

Enterprise Risk Management (ERM) has become a crucial component of contemporary corporate governance reforms. Now that principles, guidelines, and standards abound, it is time to take stock. Has the idea of ERM reached maturity with proven, unambiguous concepts and tools? Or is it still emerging and unproven? Or can it be simply taken for granted, its value proven by the apparent demand? This paper portrays ERM as an evolving discipline, and presents empirical findings from academic papers and our own field research on its current state of maturity. The academic studies explore factors that influence the adoption and impact of ERM but have produced few significant results because of an inadequate and insufficiently specified concept of ERM. Based on a ten-year field project, over 250 interviews with senior risk officers, and three detailed case studies in high reliability organizations, we propose a contingency framework for ERM, describing the emerging design parameters that help to explain the observable variation in the ERM mix adopted by organizations. We also propose a new contingent variable: the type of risk that the ERM practices address. We outline a minimum necessary contingency framework (Otley, 1980) that is sufficiently nuanced, yet observable to empirical researchers so that they may, in due course, hypothesize about fit between contingent variables, such as risk types and the ERM mix, as well as outcomes (organizational effectiveness).

An expanding list of companies (BP, Tokyo Electric, Boeing, Bear Stearns, Lehman Brothers, Merrill Lynch, Barings Bank, Daiwa Bank, Sumitomo Corporation, Enron, Worldcom, Tyco and the Mirror Group) has become identified with deficiencies in anticipating and managing the risks within their complex organizations. These examples of man-made disasters, along with governance and corporate failures, reveal the challenges (and, in extremis, to some, the futility) of enterprise risk management. Yet effective and efficient risk management practices should be seen as the solution for avoiding corporate disasters and failures, not as part of the problem (National Commission, 2011: 90). At present, we have ample regulations and frameworks for enlightened risk management, including the risk disclosure recommendations in the UK Turnbull report, which were quickly incorporated into stock exchange listing rules, the COSO Enterprise Risk Management Framework, and ISO 31000:2009 Principles and Guidelines on Implementation by the International Organization for Standardization. More recently, the U.S. Securities and Exchange Commission has mandated that the annual proxy statements of publicly traded companies include a description of their board's role in risk oversight. The Toronto Stock Exchange requires establishment and disclosure of a company's risk management function, and the Dodd-Frank Wall Street Reform and Consumer Protection Act requires large publicly traded financial firms to have a separate board risk committee composed of independent directors. Credit rating agencies also now evaluate how firms manage risks, with Moody's and Standard & Poor's (S&P) having an explicit focus on ERM in the energy, financial services, and insurance industries (Desender and Lafuente, 2012). With this abundance of principles, guidelines, and standards, one could assume that risk management has become a mature discipline, with proven, unambiguous concepts and tools that need only regulations and compliance to be put into widespread practice. We disagree. We believe that risk management approaches are largely unproven and still emerging. Apparently so do the many organizations that have expressed dissatisfaction with the proposed normative and regulatory ERM frameworks (CFO Research Services and Towers Perrin, 2008; Beasley et al., 2010). This paper portrays Enterprise Risk Management as an evolving discipline, and presents empirical findings on its current state of maturity, as evidenced by a survey of academic research and our own field research over the past ten years. While many empirical studies of the prevalence and effectiveness of Enterprise Risk Management (ERM) have been conducted, most use inadequate research designs. Based on a ten-year field project, over 250 interviews with chief risk officers, and three detailed case studies on ERM in high reliability organizations, we propose a more comprehensive specification of ERM, and identify the parameters that could serve as a solid foundation for a contingency theory of ERM design and implementation.

We studied three organizations in considerable depth. Each had recently instituted new risk management practices that show considerable promise for helping it make better decisions about mitigating and managing the risks from its strategies. Yet each organization had a completely different structure for its risk management function. At this stage, we cannot be certain about which of these will survive to be incorporated into a future common body of knowledge for the emerging risk management profession. Prematurely adopting standards and guidelines that aspire to be applicable to all organizations and all types of risk (as, for example, ISO 31000 advocates) introduces a major risk into risk management by inhibiting companies from searching for and experimenting with innovative risk management processes that match their particular situation and circumstances.

Past Research on ERM Adoption and Performance

The academic literature on ERM can be classified into three research streams. One attempts to identify variables that explain variations in the adoption of ERM in firms. The second studies the performance implications of ERM implementations. Both of these streams use large-sample cross-sectional research methods. A third and recently emerging research stream conducts small-sample and field studies to understand risk management in situ, as an organizational and social practice.

Determinants of ERM adoption

Empirical studies have identified leverage (Liebenberg and Hoyt, 2003; Pagach and Warr, 2011; Ellul and Yerramilli, 2012), size (Colquitt et al., 1999; Liebenberg and Hoyt, 2003; Beasley et al., 2005; Hoyt and Liebenberg, 2011; Pagach and Warr, 2011) and the presence of CEO incentives (Pagach and Warr, 2011; Ellul and Yerramilli, 2012) as company-specific factors associated with ERM adoption. Reflecting the normative literature on the subject (COSO, 2004; ISO, 2009), some have studied the influence of effective corporate governance on ERM adoption (Baxter et al., 2012; Ellul and Yerramilli, 2012). Drawing on the hypothesis that strong corporate governance agents are likely to advocate for ERM implementation, Beasley et al. (2005) found that CEO and CFO support was associated with the extent of ERM implementation, while others identified having an internal risk specialist to be associated with ERM adoption (Kleffner et al., 2003; Beasley et al., 2005; Desender, 2011; Desender and Lafuente, 2010; Paape and Speklé, 2012). Studies of other hypothesized ERM determinants, such as institutional ownership and auditor influence, have yielded mixed results (Pagach and Warr, 2011; Paape and Speklé, 2012; Desender and Lafuente, 2010). As for regulatory pressure, Kleffner et al. (2003) reported that Canadian companies cited compliance with Toronto Stock Exchange (TSE) guidelines as the third most important reason (37%) for their ERM adoption. Paape and Speklé (2012) also found that stock exchange listing helped to explain ERM implementation, but failed to find any association with the existence of governance codes or risk management frameworks.

ERM and firm performance

Modern portfolio theory argues that shareholders can use portfolio diversification to costlessly eliminate firm-specific (idiosyncratic) risks, leading many financial economists to doubt whether ERM can add value to the firm. Stulz (1996), however, argues that risk management creates value by reducing or eliminating the costs and losses of financial distress. Froot, Scharfstein and Stein (1993) advocate that risk management adds value if it helps the firm avoid unfavorable outcomes, or states of the world, that prevent it, because of insufficient internal funds, from investing in attractive, positive net present value opportunities. This theory suggests that risk management is more valuable for highly leveraged companies that also have volatile earnings and limited cash reserves. Companies with high growth options associated with future unrealized cash flows and high levels of current research and development (R&D) should also benefit from ERM (Desender and Lafuente, 2010). Corporate governance advocates, consultants and regulators, unlike financial economists, assume that it is obvious that ERM systems add value to firms. Some point to the widespread and voluntary adoption of ERM systems as evidence of their benefits (Desender and Lafuente, 2010; 2012). But can the value of ERM be proven by other than the apparent demand for it? The ISO 31000 risk management guidance treats risk as two-sided variability, advocating that ERM should not only reduce the negative impact of unfavorable events, but also help managers to identify upside opportunities. Others claim that ERM helps firms improve their resource allocation, leading to better capital efficiency and greater return on equity (Meulbroek, 2002; Hoyt and Liebenberg, 2011). By improving public risk management disclosures, ERM might also reduce the firm's cost of capital and regulatory scrutiny (Meulbroek, 2002; Hoyt and Liebenberg, 2011). Academic researchers, however, have had little success finding empirical evidence to test and support these various theories of performance improvement from ERM adoption.

Assessment of Findings

The empirical studies described above have used different methods to define and measure ERM, making it problematic to compare results across them (Hoyt and Liebenberg, 2011; Baxter et al., 2012; Pagach and Warr, 2010; Gordon et al., 2009). The studies are constrained by the limited datasets that are available and limited by their use of somewhat "naïve" (Paape and Speklé, 2012) constructions of explanatory and dependent variables. For example, a 0-1 dummy variable of ERM adoption fails to capture the complexity of how ERM is actually implemented in companies. Studies that rely on S&P's ERM ratings must assume that the rating agency's arm's-length assessment of a firm's ERM processes, based on public information, is a valid indicator of how ERM is actually used in situ. Further, none of the empirical studies attempts to explain the actual mechanism through which their ERM variable affects proposed outcome variables, such as stock price reactions and cumulative abnormal returns, and, in a recent study, managers' accruals-estimation errors (Johnston and Soileau, 2013). The studies do not capture the variation and effects of actual ERM processes, and omit organizational and institutional contingencies that would affect the success of ERM implementation. Because of these severe measurement problems in the independent and dependent variables used to study ERM adoption and impact, the empirical studies explain only a small fraction of the variability in outcome variables, and have low levels of statistical significance for key explanatory variables. Further, the large-sample cross-sectional studies focus on whether or not a particular risk management framework was adopted, and ignore the impact of people and leadership in shifting a company's risk profile. Risk management ultimately depends on the people who set up, coordinate and contribute to risk management processes; people are the ones who identify, analyze and act on risk information. Their actions often require approval from the CEO and board. So organizational and cultural contexts can cause companies that follow the same ERM framework to implement and use their risk management function very differently. For example, all Wall St. financial firms had risk management functions and CROs during the expansionary period of 2002-2006.
But some of these firms failed during 2007 and 2008 while others survived quite well despite the turmoil. Some of the firms had a robust set of high-impact, customized practices that met their risk-management needs very well, while others obviously did not. The existence of a risk management department and an individual with the title of chief risk officer explains very little about the quality, depth, breadth, and impact of risk management processes. Knowing that a company had a risk management department and CRO does not predict that it also had the commitment of the CEO and board to encourage the production and dissemination of risk information, or the resources and support to mitigate the principal risks identified. Statistical studies on large public databases also cannot capture the fascinating variety of risk-management practices, deployed at different levels, for different purposes, by different staff groups, even by companies in the same industry. Cross-sectional empirical studies that ignore such important variation end up explaining little, especially about what works and what does not.

ERM in situ

Cultural theorists such as Mary Douglas, Aaron Wildavsky and John Adams have shown that risk means different things in different settings and organizations (Douglas and Wildavsky, 1983; Adams, 1995). Experience has taught risk managers that a given risk model will work in some contexts and not in others (Nocera, 2009). Descriptive and critical research has uncovered a fascinating diversity of context-specific practices that could help us understand the role for each innovative variation. Those interested in the relationship between risk experts (particularly the chief risk officer) and business decision makers have found that risk experts do not operate in a vacuum (Hall et al., 2012). Risk managers are but one contending group offering to take the measure of the organization's future. Fit-for-purpose guidelines could not prepare risk experts for the cut-throat competition for visibility and voice in the C-suite. This intellectual struggle for risk attention is also a political and cultural struggle, in which survival of the fittest is not necessarily survival of the most theoretically sound. While many commentators find this state frustrating (Bonisch, 2012), at this stage of the risk-management endeavor we can learn and contribute by studying risk practices in situ, in the trenches, as it were. After a brief overview of the emerging body of descriptive research on risk management, we describe three case studies, each illustrating a particular purpose and application of risk management. We then set out to catalogue these practices and propose a contingency framework to explain how such different approaches to the same objective can co-exist successfully. At this stage, we are not claiming general truths on the subject; we are merely exploring and making sense of a fascinating and emerging discipline. A small number of field-based studies of ERM point to a diversity of practices across organizations in the same industry (Mikes, 2009; 2011) and even within the same organization (Hall et al., 2013; Woods, 2009). These studies seek to explicate and understand the reasons for this variation and for the different roles that risk experts, particularly the chief risk officer, fulfill. Mikes (2008, 2009, and 2011) presents field-based evidence of systematic variations in risk-management practices in the financial services industry and develops the concept of "calculative cultures" to explain these differences. Arena et al. (2010) describe three comparative case studies and document a continuous and evolving interaction between pre-established management practices and ERM, which makes the latter unique to each organizational setting.
But as with the large-sample cross-sectional studies, field researchers struggle to produce persuasive comparisons across their multiple studies. The practices they observe in one firm differ substantially from those observed elsewhere. Due to the complexity of the different risks faced by any enterprise, organizations have put in place different risk management processes and structures. In some firms, risk management processes police the business for compliance with risk limits and risk policies. In others, the risk management function oversees processes that help the organization learn about uncertainties so that they can be converted into manageable risks (Mikes, 2009; Hall et al., 2012). We have observed firms operate dynamic risk management processes that cause managers to periodically review and, if necessary, revise risks and controls in light of new information and evolving objectives. Among the most interesting are firms that have consciously introduced highly interactive risk management processes to counter the individual and organizational biases that inhibit constructive thinking about risk exposures. These firms worried that managers and employees would become so inured to risks that they would override controls as they accepted deviances and near misses as the new normal. With this plethora of risk management processes occurring in practice, we have used a taxonomy introduced in Kaplan and Mikes (2012) to organize our field observations. The taxonomy describes three different risk categories (preventable, strategy, and external), each with a different source for the risk events, different degrees of controllability, and different approaches for identification, mitigation and management. We take a deeper dive into the preventable and strategy risk categories, since the practices for these two categories were the ones most commonly observed at our field sites. Our description and analysis will therefore exclude risk management practices such as scenario analysis, war games, and stress tests that are more relevant for managing external risks.


Classifying risks and risk-management practices


Kaplan and Mikes (2012) argue that existing risk practices, despite all the rhetoric and the proposed standards and guidelines for enterprise risk management, remain too often rooted in compliance, or else are segregated and fragmented into arbitrarily chosen functional silos such as market, human resources, credit, and supply chain risks. Neither the rules-based compliance approach nor the silo-based functional approach helped companies avoid risk management disasters such as the Global Financial Crisis, the BP Deepwater Horizon well explosion, and the developmental and operational problems with the new Boeing 787 Dreamliner aircraft. The authors argue that risk-management practices need to be customized to the different types of risks they are intended to mitigate, as shown in Table 1.

[INSERT TABLE 1 AROUND HERE]

Category I, preventable risks, arise from routine operational breakdowns or employees' unauthorized, illegal, unethical, incorrect or inappropriate actions. Management should strive to eliminate the incidence of this category of risk events entirely, since the firm gets no benefits from taking them on, and they can be avoided by deploying known, established procedures. In contrast, organizations voluntarily take on Category II, strategy execution risks, in order to generate superior returns from their strategies. For example, some companies operate in hazardous industries, such as mining, chemicals, and oil and gas exploration. Others, such as high-technology, pharmaceutical, medical device, and aerospace companies, conduct high-risk research projects to develop the next generation of products. Managers can identify and influence both the likelihood and impact of their strategy execution risks, but they cannot drive all the risks out of their strategies; some residual risk always remains.


Category III, external risks, arise from events outside the company's ability to influence or control. Managers often are unaware of these risks, and even for those they do anticipate, they are usually unable to plausibly assess their likelihood of occurrence. Identifying external risks requires a process of risk envisionment, using experience, intuition, and creative imagination to generate plausible future scenarios and strategic uncertainties. Once envisioned, managers can then contemplate whether and how to mitigate an external risk's impact should it occur. The power of this multi-dimensional risk taxonomy arises from the very different processes, organizational units, and actions that are most effective for managing the risks in each category. Internal audit can be an effective tool for managing preventable risks, but may be inadequate for managing strategy execution and external risks. Conversely, the different risk practices that are effective for managing strategy execution and external risks are likely ineffective for preventable risks. This is why organizations need to tailor their risk management units and processes to the inherent nature and controllability of the different risks they face. Corporate governance and internal control frameworks for managing preventable risks have been studied extensively (Power, 2011 and 2012; Spira and Page, 2003; Simons, 1995). In addition to boundary and belief systems (Simons, 1995), best practices in corporate governance mandate strong internal control systems, with board-level oversight, including segregation of duties and an active whistle-blowing program, to reduce the occurrence of employee misbehavior and the temptations for fraud and abuse (Power, 2012).
Internal audit departments, by continually checking employees' compliance with internal controls and standard operating processes, strive to discourage and deter employees from violating the company's operating procedures and policies, and to detect violations when they do occur. Survey evidence shows an active role by the internal audit functions in championing ERM projects in the majority of non-financial companies (Rizzi et al., 2011; Grant Thornton Advisory Services, 2012). This high level of activity helps explain why many observers and companies believe that risk management is primarily about specifying rules and validating compliance (Power, 2009; Kaplan and Mikes, 2012). But rules and compliance are not effective for managing the risks of strategies, especially those that reach for high expected returns. Risk management's role should not be to inhibit or stop risky projects and strategies. Rather, it should be to help line managers identify the principal risks that accompany their strategy and guide the adoption of cost-effective interventions that mitigate the most likely and consequential ones, recognizing that some residual risk, inherent to the strategy, will almost always remain (Merton, 2005). In this view, a risk management function can provide a company with competitive advantage by enabling it to undertake higher expected-return projects. The function can potentially reveal that, even after cost-effective mitigation, the residual risk exposure of a strategy remains too high relative to the strategy's expected return. In this case, the risk management process should, ideally, influence the company to modify its strategy into a lower risk/return profile.

Research design

Site selection

During the past ten years, we have conducted more than 250 interviews with senior risk officers and general managers in companies where the risk management function had the following characteristics:

1. had been in existence for at least 5 years;
2. was perceived as adding value to the business;
3. had introduced several new interactive and intrusive risk management tools and processes to manage preventable and strategy risks;
4. was headed by a visible risk officer, often but not always titled chief risk officer, who had a direct reporting line to the chief executive (or another senior C-level executive).

We selected three companies in three industries that we considered high reliability organizations (HROs) (Weick and Sutcliffe, 2001): those where the alternative to consistent, highly reliable operations could be severe harm, damage, and loss. The three industries were aerospace engineering, which required capital-intensive, time-critical technological innovations; high-voltage electricity transmission, where lack of reliability could lead to financial and asset damage, and potential human injury and death; and fund management in volatile capital markets, where long-term client relationships, trust and clients' private wealth were at stake, and where risk exposures change rapidly, possibly hourly or even trade by trade. In examining processes used to manage both preventable and strategy execution risks, we wanted to learn how senior risk management officers handled the tensions between a rules-and-compliance-oriented risk function and one that had to be deeply embedded in line operations to manage continually evolving risks. A strongly independent rules-and-compliance function can be seen as so independent and removed from business operations that line managers find it irrelevant in helping them cope with strategy execution risks. Conversely, an embedded risk function, helping line managers address day-to-day risks, can "go native" and lose the independence required for maintenance of a strong compliance culture. Therefore, an important aspect of our case studies was to investigate how the risk functions balance their roles in addressing both preventable and strategy execution risks.

We carried out 38 interviews with the three HROs between 2008 and 2012 (see Appendix 1 for a list of case-specific interviews and dates), including ongoing communications, via email, to receive updates on their evolving risk management processes.

Data analysis

We conducted our analysis in two stages. First, we analyzed each of the cases independently and produced an analytical narrative of the innovations introduced by the risk function. This within-case analysis captured how a group of experts increased the understanding of the different types of risk the organization faced. The story is a complex, multi-faceted historical narrative, the origins and some of the outcomes of which would be outside our data-collection abilities. Hence, we captured the actors' accounts of events as they perceived them, and then triangulated these accounts, using publicly available documents, such as annual reports and third-party publications, to produce a more comprehensive picture of the organizational changes (Abbott, 1992). In this way, we identified actor-presented themes in the data (Glaser and Strauss, 1967) and highlighted distinct categories such as contextual factors, important organizational processes, risk activities, decision-making forums, strategic planning and the resource allocation process. We also documented how the relationships between these processes changed over time. After obtaining these detailed within-company narratives, we compared and contrasted the three detailed analytical accounts, using the cross-organizational insights to enrich our understanding of the within-company processes we had previously analyzed. We used these insights to draft a contingency framework for risk management that we present and discuss in the paper's final section.


Findings

Aerotech (a pseudonym)

Aerotech was a research and development center, managed and operated by a major technology university under a contract from the U.S. National Aeronautics and Space Administration (NASA). Aerotech employed approximately 5,000 full-time employees and managed several thousand contractors. The company developed technological innovations for NASA's unmanned space missions, including sending Mariner spacecraft to Venus, Mars, and Mercury, the Galileo mission to Jupiter and its moons, and Voyager missions to Jupiter, Saturn, Uranus and Neptune. Aerotech also developed the camera for NASA's Hubble Space Telescope and operated the Deep Space Network for communication with all its various inter-planetary robotic missions. Despite some spectacular successes, Aerotech had a mixed track record of managing risks. Its most visible failure occurred when the Mars Observer, launched in 1992, lost contact with ground controllers in 1993. Some described this $1 billion project as a huge amount of taxpayers' money spent for nothing. In the early 1990s, the political and public mood demanded reforms to NASA, leading to the appointment, in 1992, of Daniel Goldin as the new NASA administrator. Goldin, formerly an executive at a major aerospace contractor, believed that new management techniques and technologies, along with accepting more risk, would dramatically reduce the cost of NASA's missions. In a 1992 speech, he challenged Aerotech to adopt "faster, better, cheaper" techniques so that it could do more without spending more money. But the new strategy did not reverse the incidence of major failures. The Mars Climate Orbiter disappeared during orbit insertion on Sept. 23, 1999, due to a navigation error; and in the same year the Mars Polar Lander crashed as it neared the surface of Mars. To save money, the Lander did not have telemetry during its descent to Mars, and subsequent analysis suggested that the failure was probably due to a software fault that shut off the descent rocket too early, causing the spacecraft to fall the last 40 meters onto the surface. These two failures ended the "faster, better, cheaper" management philosophy at Aerotech. In 2000, Aerotech hired a new chief system engineer (CSE), a former Aerotech employee, who agreed to return to help architect a new innovation stream complete with a risk management program that would significantly increase Aerotech's mission success rate. As the de facto chief risk officer, the CSE defined his role as "minister without portfolio," the person who makes sure everything works the way it is supposed to on a global scale. Recognizing that Aerotech's previous risk management practices were too narrowly focused on quality assurance and checklists for (preventable) risks that were already known and well understood, the CSE advocated a new approach to risk management. He described how he thought about Aerotech's risks:
At the start of a project, try to write down everything you can that is risky. Then put together a plan for each of those risks, and watch how the plan evolves. Some risks are business-as-usual risks. We are familiar with these risks and know how to quantify and mitigate them. Others are development risks, in which the project's engineering enters territory we have never experienced before.

His challenge was to create a process that could help Aerotech employees and decision makers identify and mitigate the risks in highly innovative ventures. This, according to the CSE, was not only a matter of risk anticipation, but required a new risk culture as well:


[Aerotech] engineers graduate from top schools at the top of their class. They are used to being right in their design and engineering decisions. I have to get them comfortable thinking about all the things that can go wrong. Innovation, looking forward, is absolutely essential, but innovation needs to be balanced with reflecting backwards, learning from experience about what can go wrong.

Having defined risks as threats to the achievement of Aerotech's objectives, the CSE effectively applied the same risk definition advocated by COSO when it issued its ERM framework (corresponding author's interview with Rittenberg, March 2006):
1. It is a strategic activity, addressing risks that threaten the achievement of strategic objectives;
2. It is a governance activity;
3. It is a monitoring activity.
Aerotech's CSE introduced three risk management processes into every project, which corresponded to the three ERM requirements:
1. For each major innovation stream, the CSE established an independent and expert risk review board, with him serving as chairman. The risk review board had an explicit role to actively challenge project engineers' risk assessments and risk mitigation decisions (governance/board-level activity).
2. For its monitoring activity, the risk review board required project engineers to carry out early risk identification and assessment (likelihood and impact), summarized on two-dimensional risk maps, and to continue to update these in subsequent quarterly reviews (presented to the CSE in face-to-face meetings) and in annual (or bi-annual) highly confrontational and interactive three-day risk review board meetings (strategic activity).
3. The risk review board allocated risk-based cost and time reserves to allow problems to be solved during the course of the multi-year project without exceeding the project's budget or jeopardizing its scheduled launch date (a monitoring activity linked to the company's resource allocation process).
At the start of the project, the board conducted its initial risk review board meeting. By the end of that meeting, the board had established cost and time reserves based on the degree of innovation embedded in the project. This link, from the risk monitoring activity to a resource allocation activity, gave real power to the risk review board: it could reject proposals, cancel projects, withdraw funding entirely, or reallocate funds between project components. As the project proceeded, the risk review board authorized disbursement from the cost reserves to employ teams of outside experts ("tiger teams") to help the project team solve difficult and seemingly intractable design and engineering problems. As the launch date approached, the risk review board either recommended that the launch proceed as planned or, alternatively, be deferred if it determined that the residual risks remained too high. The built-in time reserves and the ultimate but costly deferral option reduced deadline pressures, an oft-cited cause of man-made disasters such as the Challenger launch decision and Deepwater Horizon. The rigorous monitoring and governance processes motivated engineers to build robustness and reliability into their everyday design decisions rather than ignoring potential problems or implementing shortcuts to bypass known problems. The project that eventually led to the highly successful Mars landing of the Curiosity Rover, in August 2012, was actually delayed by 2 years because the project's risk review board decided, in 2009, that several technological risks remained too high 45 days prior to the targeted launch date.

Electroworks (pseudonym)
Electroworks was a major Canadian power transmission and power distribution utility. The government of its home province actively promoted energy conservation initiatives, and was rigorously phasing out coal-fired power stations throughout the province. It had capped the price that Electroworks could charge while also requiring it to lead conservation initiatives that would adversely affect the company's revenues and earnings. Electroworks had to manage a complex web of conflicting interests: the multiple agendas of government ministers, regulators, consumers, environmental groups, aboriginal (Third Nation) landowners, and the capital market debt holders that had subscribed to the company's C$1 billion bond issue. Electroworks' chief risk officer (CRO) implemented a quite different risk management approach from that deployed by the CSE at Aerotech. The CRO had much less domain expertise than the CSE. He had originally been hired from the banking industry to be Electroworks' head of internal audit. He was also a less intrusive and hands-on risk manager. With no formal qualifications to challenge Electroworks' engineers at risk-assessment workshops and at resource allocation meetings, the CRO saw his role as a facilitator, not a devil's advocate. His risk management department collected and moved information about Electroworks' critical and material risks up, across, and down the organization. The CRO established a "Chinese wall" separation between internal audit and risk-assessment activities. No one, besides himself, could be involved in both activities, and records of the risk workshops were kept confidential and separate from internal audit assessments. He also benefited from the strong endorsement of Electroworks' CEO, who advocated a no-blame culture and encouraged people to speak up and report deviances, issues, and potential threats that they were worried about. The CRO, like Aerotech's CSE, customized the COSO framework's board-level, strategy and monitoring activities to the needs and capabilities of the organization. Assisted by a small team of risk managers, the CRO introduced a three-phase enterprise risk management program. In Phase 1, he organized a series of workshops for employees to collectively identify and quantify the principal risks they saw to the company's strategic objectives. The risk workshops used an anonymous voting technology that allowed employees to quantify their judgments, on a scale of 1 to 5, about the impact of each risk discussed, the strength of existing controls, and the likelihood of occurrence. These judgments were summarized into a visual 5×5 risk map. Multiplying the likelihood and impact scores of each risk discussed gave a high-level ranking of the highest priority risks to be mitigated. The risk map, albeit a simple and subjective tool, facilitated communication and discussion about the focus and direction for Electroworks' risk-mitigating actions.[2] Each meeting concluded with a consensus on the principal risks identified, recommended actions to cost-efficiently mitigate each principal risk, and the selection of a manager to be accountable for each risk and the implementation of recommended actions. In Phase 2, the CRO conducted a series of one-on-one interviews twice a year with senior managers to review the corporate risk profile, which he then presented to the CEO and the board of directors. In Phase 3, conducted during the annual planning process, the senior executive team allocated hundreds of millions of capital investment dollars among investment projects that had been proposed to mitigate the principal risks faced by the company. By tying the investment management process to risk assessments, business managers had an incentive to disclose, not hide, risks, so that they could obtain resources for risk mitigation. The mantra was "If you have no risk, you get no money." The investment management department rigorously pre-screened project proposals prior to their presentation at the two-day annual resource allocation meeting. The meetings, like Aerotech's risk review board meetings, were intensively interactive as risk managers challenged the engineers' "bang for the buck" investment proposals. All three phases channeled risk information vertically and horizontally throughout the company, enabling executives and employees to develop a shared understanding of the company's risk profile and its high priority to continually reduce the residual risks from high-impact events. Indeed, the CRO attributed the success of ERM to the multiple points of contact it made with people in the organization:
Enterprise risk management is a contact sport. Success comes from making contact with people. Magic occurs in risk workshops. People enjoy them. Some say, "I have always worried about this topic, and now I am less worried, because I see that someone else is dealing with it, or I have learned it is a low probability event." Other people said, "I could put forward my point and get people to agree that it is something we should be spending more time on, because it is a high risk."

[2] Interestingly, the risk review workshops at Aerotech also used 5×5 risk maps to summarize the principal risks to the mission. While seemingly simplistic, especially for the Ph.D. rocket scientists at Aerotech, the risk maps' simple summary of highly complex phenomena was adequate to generate active discussion and debates during the meetings.

Wealthfunds (a pseudonym)
Wealthfunds was a private asset management bank within a very large money center financial institution. Wealthfunds offered clients investment opportunities in internally managed and external funds, and had an award-winning reputation for service and innovation in the global private banking business. The company's regulators, wary of the bank's ample opportunities for self-dealing and conflicts of interest, required the company to perform substantial due diligence not only on the external funds it offered its clients, but especially on the internally managed funds it used. Regulators did not want investment managers directing client assets internally when better options existed with externally managed funds. Wealthfunds' risk management function had to operate with independence and authority to approve the population of funds that asset managers could use, and to ensure that all investment managers complied with external and internal requirements. At the onset of the global financial crisis in 2007, Wealthfunds introduced another set of risk managers whose mandate was to work closely with managers in the business line. These embedded risk managers had dual reporting lines: one to the line manager and a second to their superiors in the independent risk management function. Wealthfunds' CRO, who also served as one of the embedded risk managers, explained the novelty of his dual responsibilities for improving the risk-adjusted returns for his managers' funds while protecting the portfolios from major downside shocks:
My colleagues in independent [compliance] risk management who sit outside the [fund management] team don't necessarily have the proximity and real-time visibility of what trades and risks are being taken. So we want somebody on the inside looking out for everybody's interest, and that person is me. I serve as a close business partner to portfolio managers responsible for keeping portfolios in alignment with both broad Private Bank-level policies as well as [fund]-specific, market-risk related items such as trade approvals, portfolio risk analysis, positional concentrations, etc. [M]y role is to keep portfolio managers honest. I listen to their views so I can help them fine-tune what they should sell and buy in order to reflect their views in their portfolios.


The CRO and Wealthfunds' other embedded risk managers continually asked "what-if" questions that forced portfolio managers to think about the implications for the private bank's performance from different scenarios. The risk managers challenged portfolio managers' assumptions and actions and helped them design trades prior to approval at investment committee meetings. For this, they had to help portfolio managers assess how proposed trades contributed to the risk of the entire investment portfolio, not just under normal circumstances but under extreme stresses as well. For example, under conditions of market distress, the correlation of returns across different asset classes, such as stocks and bonds, increases dramatically. Stress-testing helped investment managers estimate potential extreme losses from low-probability events. The CRO explained that stress-testing made managers consider system effects and the unintended consequences of their planned actions:
Portfolio managers come to me with three trades, and the model may say all three trades are adding to the same type of risk. Nine times out of ten a manager will say, "No, that's not what I was trying to do." Then, we can sit down and redesign the trades.

Discussion
The structures for risk management used by the three HROs were completely different from each other; yet, in our assessment, each served its company well. For example, Aerotech's CSE and Wealthfunds' CRO addressed high-risk technical problems. These two risk managers needed domain expertise if they were to be credible when actively questioning the assumptions of project engineers and investment managers, and to have confidence in their judgments on asset allocations and on whether to accept or veto line managers' decisions. The two risk officers, however, differed along a time dimension. Aerotech's CSE conducted in-depth risk analysis every one or two years, while Wealthfunds' risk managers analyzed risk exposures minute by minute. Electroworks' CRO, unlike his counterparts at Aerotech or Wealthfunds, dealt with wide-ranging enterprise risks that included human resources, aboriginal access rights across vast territories, governmental regulation of prices and service, ice storms, asset maintenance and reliability, and financing. No individual could have expertise in all these domains. For this reason, Electroworks' CRO facilitated information production and dissemination for decision making, but he and his group did not make or veto risk-based resource allocation decisions. For major investment decisions, the CRO collaborated with the company's former field and project engineers in the investment planning department to provide the expertise and rigor to engage with project engineers. One aspect, however, common to all three was that each used highly interactive processes (risk review meetings at Aerotech, employee risk assessment meetings at Electroworks, and face-to-face interactions at Wealthfunds) that encouraged debate, discussion, and solicitation of contrary opinions. This feature seems essential to generate the required dialogue and confrontation for identifying key strategy risks and selecting cost-efficient risk initiatives. Interactive risk meetings cannot be replaced by filling out and auditing checklists or using GRC [governance, risk and compliance] software solutions. Table 1 summarizes the case comparisons and outlines the design parameters that differentiate among the three ERM processes we observed.

--------INSERT TABLE 1 AROUND HERE--------

Unpacking the ERM mix

The three field studies confirm an important feature of ERM, first suggested by Mikes (2009) for financial services: companies should implement ERM by adapting a variety of practices to their specific needs and context. A major weakness of past and current academic research is its treatment of risk management as uni-dimensional: either you have adopted ERM or not; either you have a CRO or you don't. In only slightly more advanced forms, the research parameterizes ERM along a single-dimensional maturity scale. If academic research on ERM is to be grounded in reality and have some potential for explanatory power and impact, it must unpack the ERM mix (Mikes, 2009) into its fundamental components. ERM design dimensions include:

Processes for identifying, assessing, and rolling up risks: Risk identification can take place face-to-face (as in our three HROs) or remotely, via self-assessments prompted by a centralized database or risk register (Mikes, Tufano, Werker and De Neve, 2009). Face-to-face meetings can take the form of intensive, interactive meetings between the risk expert and line managers, or of open discussions among diverse employees from different organizational functions, specialist groups, and hierarchical levels. Risk discussions can be confined to senior line managers and staff only, or decentralized, with front-line, support and administrative employees participating in risk identification and assessments.

Frequency of risk roll-ups: Aerotech's project engineers faced trade-offs between the quantity and quality of scientific instruments in missions and coping with the immutable laws of physics. Project risk exposures changed slowly during product development, so formal project risk reviews occurred only annually or bi-annually. Electroworks' risks, from changes in demand, regulations, interest rates, and equipment, evolved continually during the year, so it conducted multiple risk workshops throughout the year, semi-annual senior executive risk assessments, and an annual resource allocation process. Wealthfunds' risk changed hourly and even trade-to-trade, requiring continuous monitoring and assessment by embedded risk managers. We conclude that the frequency of risk identification and assessment processes must match the velocity of risk evolution within the firm, an obvious conclusion but not one that emerges from a simplistic rules-based and compliance framework.

Risk tools: Most companies use multidimensional visualizations, such as risk maps, to quantify risks along likelihood and impact dimensions. Some, like Electroworks, also develop high-level subjective rankings (top-10 lists) of their most significant risks. Some go beyond these simple summaries to employ data- and analysis-intensive statistical tail assessments, such as value-at-risk calculations in financial institutions. Field research in financial services suggests that the selection of particular risk tools tends to be associated with (and at the same time is constitutive of) the calculative culture of the organization: the measurable attitudes that senior decision makers display towards the output of sophisticated risk models (Mikes, 2008, 2009, 2011).

Linkages from risk management to other important control processes: For risk management to be influential, it must link to already institutionalized, important and influential processes, such as strategic planning and resource allocation. In all three HROs, the risk assessment process linked to major resource allocation processes in the firm: cost and time reserve allocation at Aerotech; capital investments at Electroworks; and asset allocations at Wealthfunds.
Other firms use their existing strategy execution tools, strategy maps and Balanced Scorecards, as the starting point for their strategy risk identification and monitoring processes (see discussion of Infosys and Volkswagen do Brasil in Kaplan & Mikes, 2012). Finally, some risk functions aspire to link risk assessments with performance measurement, such as by embedding them within the enterprise's balanced scorecard (Woods, 2009) or by single risk-adjusted measures (Mikes, 2009), thereby realizing the ideal of risk-based performance management.

The roles played by the CRO / risk function: Empirically, one can observe risk officers playing different roles in the enterprise. Some risk managers act as independent compliance champions, focusing on preventable risks, particularly in highly regulated industries where compliance with stringent rules and regulations is a necessary success factor. In lightly regulated industries, risk managers who lean too much on the regulatory crutch of governance standards and external guidelines (such as from ISO or COSO) to establish their legitimacy may actually undermine their credibility. Line managers tend to characterize them as disengaged and even ignorant of actual business operations and strategies. Risk officers whose mandate covers strategy execution risks can earn their legitimacy within the C-suite by facilitating risk awareness and risk monitoring efforts throughout the organization (as they did at Electroworks). In a more intrusive role, risk managers may take on the devil's advocate role to challenge assumptions made by line and project managers and force elevation and discussion of previously hidden risks. Such a role, especially when combined with veto rights for projects or strategies whose risks cannot be mitigated in a cost-efficient manner, helps risk managers (as at Aerotech) protect the firm from taking on excessive risks or escalating the commitment of additional resources to them, while still allowing those complex and innovative projects to proceed when they have adequate risk mitigation plans and resources.
Finally, as we have observed at Wealthfunds, risk functions can balance compliance with business orientation by deploying separate groups of independent and embedded risk managers. The former act as compliance champions, while the latter, with a strong business orientation and subject matter expertise, play an active advisory role vis-à-vis line management.

From the above discussions, a contingency framework emerges that departs from existing approaches in three substantive ways (Figure 2). First, it advocates unpacking the ERM mix into its fundamental building blocks (Mikes, 2009). Second, among the determinants of ERM, we highlight the importance of the type of risk that the ERM processes in question are designed to address. It is only then that we can establish a minimum necessary contingency framework (Otley, 1980) that is sufficiently nuanced, yet observable, so that empirical researchers can hypothesize and collect data about fit and outcomes (organizational effectiveness). Finally, the organizational effectiveness of ERM in a firm cannot be assessed by its compliance with externally imposed standards. Researchers must uncover and understand the multiplicity of other variables that can condition the performance of the firm, even with the most sophisticated and well-matched ERM capabilities in place. Although the measurement of organizational effectiveness is vital in developing a true contingency theory of ERM, it may be sensible as an interim measure to be content with the measurement of intervening variables, that is, variables that are thought to predispose an organization towards effective rather than ineffective operations (Otley, 1980). In sum, what constitutes the organizational performance of ERM may have to be determined, in part, by the objectives of the ERM implementation, user satisfaction surveys, and managerial perceptions of its functioning.

------INSERT FIGURE 2 AROUND HERE------

Conclusion: Towards a contingency framework for ERM
Establishing propositions about the fit between contingent variables, such as risk types (and other organizational or industry variables), and the ERM mix is relatively straightforward, and this paper has suggested several plausible propositions that can be tested further. In line with Kaplan and Mikes (2012), we propose that organizations need to tailor their risk control processes to the type of risks they face, because the treatment of preventable, strategy and external risks involves very different processes, expertise and technology. Our research confirms that there are indeed tools and practices that can help organizations make better decisions and overcome inherent biases that prevent open and productive discussions about the downsides of the current strategy (ref. to organizational biases literature here). One aspect that is not contingent is that all organizations should use existing and proven tools to manage the preventable risks that are conceptually unrelated to strategy and the type of organization. These tools have been under development for decades and can be standardized. Our contingency model applies to the risks that vary with strategy and firm-specific variables. While some extant risk management frameworks suggest that risk managers should predominantly be preoccupied with preventable risks (as an enhancement of the internal audit process), others suggest that the ERM mix should predominantly address strategy execution risks, threats that are linked to the organization's strategic objectives (COSO, 2004; ISO 31000). Our cases suggest that chief risk officers currently have flexibility and many opportunities to expand their remit to address more than one risk type, particularly if no one else in the organization does. Wealthfunds used independent risk managers to address preventable risks related to the fiduciary duties of its specific business model and the security and accessibility of collateral, and it also used embedded risk managers to address strategy risks.
So the risk management function can have multiple mandates, but the different mandates likely require multiple skillsets. The embedded risk managers earned the respect of the chief investment officer and portfolio managers because of their capital market experience and expertise, and their passion for the markets and savviness. Towards the end of our research horizon, at Electroworks, the CRO and his team decided to initiate so-called "black swan" workshops, a separate process to allow managers to address uncontrollable (external) risk issues. This suggests that well-established risk functions can claim additional ground, particularly in new areas such as the control of external risks, but they could be competing with other control agents for acquiring such new mandates. At present, ERM is not sufficiently institutionalized to close the boundaries of risk functions around a standardized set of concerns. Recent industry surveys indicate that risk functions have been strengthened since the financial crisis, and they have been endowed with more resources and visibility (Ernst & Young, 2011). As risk functions exploit a favorable institutional context that can feed their ambition for expanding their reach in the organization, tensions and fault lines are inevitable. Much depends on the ambitions and skillset (technical, social and political savviness) of risk officers as they stake out their territories (Mikes, 2008).

The case against codifying risk management (prematurely)
Given the evolving nature of the risk control landscape, it is unclear which of the tools and practices that have been deployed by various control agents will ultimately underpin and legitimize a profession of risk management, and the professional common body of knowledge for enterprise risk management. Currently, the repertoire that organizations deploy to address preventable, strategy and external risks stretches across multiple disciplines and functional boundaries: not only risk specialists, but internal auditors, strategic planners, finance staff and
management accountants have also been reported to be involved in enterprise-wide efforts to identify risks and help the business lines manage them more effectively (Rizzi et al., 2011; Grant Thornton Advisory Services, 2012). Those interested in the relationship between risk experts (particularly the chief risk officer) and business decision makers will have to recognize that risk experts do not operate in a vacuum. Even fit-for-purpose guidelines would not prepare the experts for the cut-throat competition for visibility and voice in the C-suite. Risk managers are but one contending group offering to take the measure of the organization's future. Therefore, this laudably audacious intellectual struggle is also a political and cultural struggle in which survival of the fittest is not necessarily survival of the most theoretically sound. So we must keep studying the various risk management practices emerging in the trenches, as it were, before we jump to conclusions about a universal form of ERM. More nuanced, descriptive, field-based contingency theory research (as advocated in this paper) may uncover a fascinating diversity of context-specific practices and, in due course, help us understand the need for this variation. Many risk managers, consultants, standard setters, and academics have invested themselves heavily in different and competing concepts, definitions, and technologies to codify ERM. We can lament the lack of closure, but this diversity is our key to moving ahead in the great endeavour to tame uncertainty.


APPENDIX 1 LIST OF INTERVIEWS

Firm           Date         Interviewee
Aerotech       2008-10-08   Chief Systems Engineer
Aerotech       2009-02-26   Chief Systems Engineer
Aerotech       2009-06-05   Chief Systems Engineer
Aerotech       2009-08-07   Project Engineer
Aerotech       2009-08-10   Chief Systems Engineer
Aerotech       2009-08-10   Project Engineer
Aerotech       2012-03-01   Risk Review Board Member
Aerotech       2012-05-16   Risk Review Board Member
Aerotech       2012-05-29   Risk Review Board Member
Electroworks   2008-05-07   CFO
Electroworks   2008-05-07   CRO
Electroworks   2008-05-07   Risk Manager
Electroworks   2008-05-08   Manager
Electroworks   2008-05-08   Head of Investment Management
Electroworks   2008-05-08   Operations Manager
Electroworks   2008-05-08   CEO
Electroworks   2008-05-08   Director of Public Relations
Electroworks   2008-05-09   CRO
Electroworks   2008-05-09   Director of Regulatory Relations
Electroworks   2011-11-01   CRO, Senior Risk Manager #1
Electroworks   2011-11-01   CRO, Senior Risk Manager #2
Electroworks   2011-11-01   CRO, Senior Risk Manager #3
Electroworks   2011-11-01   Operations Managers
Electroworks   2011-11-01   Project Manager
Electroworks   2011-11-02   CRO, Senior Risk Manager #1
Electroworks   2011-11-02   CRO, Senior Risk Manager #2
Electroworks   2011-11-02   Project Managers
Wealthfunds    2008-06-20   Group CRO
Wealthfunds    2008-06-08   Senior Manager
Wealthfunds    2008-09-10   Group CRO
Wealthfunds    2009-02-18   Group CRO
Wealthfunds    2010-04-09   CRO (Embedded)
Wealthfunds    2010-04-09   CRO (Business Unit)
Wealthfunds    2010-04-09   Risk Manager (Independent)
Wealthfunds    2010-04-09   Chief Investment Officer
Wealthfunds    2010-05-12   Manager
Wealthfunds    2010-05-12   CRO (Embedded)
Wealthfunds    2010-05-12   Chief Investment Officer


APPENDIX 2 FIGURES AND TABLES

TABLE 1 Three Categories of Risk

Risk category: I. Preventable risks
Controllability and relationship to strategy: Organizations may (in theory) prevent, or cost-efficiently minimize, occurrence of risk; there is no strategic benefit from taking these risks.
Control approaches: Internal control; boundary systems; mission and value statements; internal audit.

Risk category: II. Strategy execution risks
Controllability and relationship to strategy: Organizations may reduce the likelihood and impact of such risks in cost-efficient ways; taking these risks is essential for achieving strategic returns.
Control approaches: Risk identification with risk maps and registers; risk mitigation initiatives; risk monitoring linked to strategy review meetings and resource allocation.

Risk category: III. External risks
Controllability and relationship to strategy: Organizations cannot control the occurrence of such risks, but may be able to prepare and reduce impact should external risk events occur.
Control approaches: Risk envisionment via scenarios, war games and expertise-based mental models; contingency planning; insurance and hedging programs (limited use).

Figure 1. The minimum necessary contingency framework for ERM
Figure labels: Contingent variables: firm variables; industry variables; risk types (preventable, strategy execution, external). ERM mix: ERM design parameters: roll-up processes; frequency of roll-ups; tools; linkages to other MCSs; the roles of the risk function. Intervening variables; other factors. Organizational effectiveness (measured partly in relation to ERM implementation objectives).


TABLE 1 Design parameters

Case: Aerotech
Rolling-up risks and frequency of risk identification: Risk review boards: independent and/or executive directors; regular (annual or bi-annual)
Risk communication tools: Risk maps (impact and probability)
Linking to ERM: Project planning and monitoring; resource allocation (and contingency funds allocation)
The role of the CRO / skillset: Devil's advocate and decision maker; technical expert

Case: Electroworks
Rolling-up risks and frequency of risk identification: Risk workshops: cross-functional groups at all staff levels; both regular and on demand. Face-to-face meetings (CRO and line management); regular (twice a year)
Risk communication tools: Risk maps (impact, control strength and probability); risk register
Linking to ERM: Annual planning and resource allocation
The role of the CRO / skillset: Facilitator; generalist and networker

Case: Wealthfunds
Rolling-up risks and frequency of risk identification: Face-to-face meetings (CRO and line management); regular (weekly)
Risk communication tools: Statistical tail risk and sensitivity analyses (what if?)
Linking to ERM: Investment planning (asset allocation)
The role of the CRO / skillset: Advisor; technical expert

Table 1. Comparing ERM across the three cases: design parameters


REFERENCES

Abbott, A. 1992. From Causes to Events: Notes on narrative positivism. Sociological Methods and Research 20(4): 428-455.
Arena, M., Arnaboldi, M., and G. Azzone. 2010. The organizational dynamics of Enterprise Risk Management. Accounting, Organizations and Society 35(7): 659-675.
Baxter, R., Bedard, J.C., Hoitash, R., and A. Yezegel. 2012. Enterprise Risk Management Program Quality: Determinants, Value Relevance, and the Financial Crisis. Contemporary Accounting Research, forthcoming.
Beasley, M.S., Clune, R., and D.R. Hermanson. 2005. Enterprise risk management: an empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy 24(6): 521-531.
Beasley, M., Pagach, D., and R. Warr. 2008. Information Conveyed in Hiring Announcements of Senior Executives Overseeing Enterprise-Wide Risk Management Processes. Journal of Accounting, Auditing and Finance 28(3): 311-332.
Beasley, M.S., Branson, B.C., and B.V. Hancock. 2010. Are You Identifying Your Most Significant Risks? Strategic Finance 92(5): 29-35.
Bonisch, P. 2012. ERM and the Kaplan-Mikes (Harvard) heresy: ISO 31000 is not relevant. The risk debate (blog), May 3, 2012, http://paradigmrisk.wordpress.com/2012/05/03/erm-and-the-kaplanmikes-harvard-heresy-iso-31000-is-not-relevant/, accessed January 2013.
CFO Research Services, and Towers Perrin. 2008. Senior Finance Executives on the Current Financial Turmoil. Boston, MA: CFO Publishing Corp.
Colquitt, L.L., Hoyt, R.E., and R.B. Lee. 1999. Integrated risk management and the role of the risk manager. Risk Management and Insurance Review 2(3): 43-61.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. Enterprise risk management framework. New York, NY: American Institute of Certified Public Accountants.
Desender, K. 2011. On the Determinants of Enterprise Risk Management Implementation. In N. Si Shi and G. Silvius (Eds.), Enterprise IT Governance, Business Value and Performance Measurement. Hershey, PA: IGI Global.


Desender, K., and E. Lafuente. 2010. The influence of board composition, audit fees and ownership concentration on enterprise risk management. SSRN Working Paper.
Desender, K., and E. Lafuente. 2012. The Role of Enterprise Risk Management in Determining Audit Fees: Complement or Substitute. In J. Abolhassan and A.G. Malliaris (Eds.), Risk Management and Corporate Governance. New York, NY: Routledge (Taylor & Francis Group).
Ellul, A., and V. Yerramilli. 2012. Stronger Risk Controls, Lower Risk: Evidence from U.S. Bank Holding Companies. Journal of Finance, forthcoming.
Ernst & Young. 2011. Making strides in financial services risk management.
Fowler, T. 2012. BP Slapped With Record Fine; Oil Giant to Pay $4.5 Billion, Plead Guilty to Criminal Charges in 2010 Gulf Spill. The Wall Street Journal, November 15, 2012.
Froot, K.A., Scharfstein, D.S., and J. Stein. 1993. Risk Management: Coordinating Corporate Investment and Financing Policies. Journal of Finance 48(5): 1629-1658.
Glaser, B., and A. Strauss. 1967. The discovery of grounded theory: Strategies in qualitative research. London: Weidenfeld and Nicolson.
Gordon, L.A., Loeb, M.P., and C.Y. Tseng. 2009. Enterprise risk management and firm performance: A contingency perspective. Journal of Accounting and Public Policy 28(4): 301-327.
Grant Thornton Advisory Services. 2012. Rising to new challenges: The view from the office of the CAE. (PDF file), downloaded from http://www.gt.com/staticfiles/GTCom/Advisory/Advisory%20publications/CAE%20survey/CAE-Survey-2012_Executive_Summary.pdf, accessed January 2013.
Hall, M., Mikes, A., and Y. Millo. 2013. How Do Risk Managers Become Influential? A Field Study in Two Financial Institutions. Harvard Business School Working Paper No. 11-068.
Hoyt, R.E., and A.P. Liebenberg. 2011. The Value of Enterprise Risk Management. The Journal of Risk and Insurance 78(4): 795-822.
International Standards Organisation (ISO). 2009. ISO 31000:2009, Risk Management: Principles and Guidelines. Geneva: International Standards Organisation.
Johnston, J., and J. Soileau. 2013. Enterprise Risk Management and Accruals Estimation Error. Paper presented at the EAA Annual Congress, Paris, 7 May 2013.

Kaplan, R.S. 2011. Accounting scholarship that advances professional knowledge and practice. The Accounting Review 86(2): 367-383.
Kaplan, R.S., and A. Mikes. 2012. Managing Risks: A New Framework. Harvard Business Review 90(6): 48-60.
Kleffner, A.E., Lee, R.B., and B. McGannon. 2003. The Effect of Corporate Governance on the Use of Enterprise Risk Management: Evidence From Canada. Risk Management and Insurance Review 6(1): 53-73.
Latour, B. 1987. Science in action: How to follow scientists and engineers through society. Cambridge, MA: Harvard University Press.
Liebenberg, A.P., and R.E. Hoyt. 2003. The Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officers. Risk Management and Insurance Review 6(1): 37-52.
McShane, M.K., Nair, A., and E. Rustambekov. 2011. Does Enterprise Risk Management Increase Firm Value? Journal of Accounting, Auditing & Finance 26(4): 641-658.
Merton, R.C. 2005. You Have More Capital Than You Think. Harvard Business Review, November 2005. Reprint R0511E: 1-10.
Meulbroek, L. 2002. The Promise and Challenge of Integrated Risk Management. Risk Management and Insurance Review 5(1): 55-66.
Mikes, A. 2008. Chief Risk Officers at Crunch Time: Compliance Champions or Business Partners? Journal of Risk Management in Financial Institutions 2(1): 7-25.
Mikes, A. 2009. Risk Management and Calculative Cultures. Management Accounting Research 20(1): 18-40.
Mikes, A. 2011. From Counting Risk to Making Risk Count: Boundary-Work in Risk Management. Accounting, Organizations and Society 36(4-5): 226-245.
Mikes, A., Tufano, P., Werker, E.D., and J-E. De Neve. 2009. The World Food Programme during the Global Food Crisis (A). Harvard Business School Case 709-024. (Revised from original December 2008 version.)


National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling (National Commission). 2011. Deep Water: The Gulf Oil Disaster and the Future of Offshore Drilling, Report to the President. (PDF file), downloaded from http://www.oilspillcommission.gov/finalreport, accessed January 2013.
Nocera, J. 2009. Risk Mismanagement. The New York Times Magazine, January 2, 2009.
Otley, D.T. 1980. The contingency theory of management accounting: Achievement and prognosis. Accounting, Organizations and Society 5(4): 413-428.
Paape, L., and R.F. Speklé. 2012. The Adoption and Design of Enterprise Risk Management Practices: An Empirical Study. European Accounting Review 21(3): 533-564.
Pagach, D., and R. Warr. 2010. The Effects of Enterprise Risk Management on Firm Performance. SSRN Working Paper.
Pagach, D., and R. Warr. 2011. The Characteristics of Firms that Hire Chief Risk Officers. The Journal of Risk and Insurance 78(1): 185-211.
Power, M. 2009. The risk management of nothing. Accounting, Organizations and Society 34(6-7): 849-855.
Power, M. 2010. Fair value, financial economics and the transformation of accounting reliability. Accounting and Business Research 40(3): 197-210.
Power, M. 2011. Smart and Dumb Questions to Ask About Risk Management. Risk Watch: Thought Leadership in Risk and Governance (May 2011): 2-5.
Power, M. 2012. The apparatus of fraud risk. Accounting, Organizations and Society, forthcoming.
Reed, S., and J. Werdiger. 2012. Despite Accord, Spill Aftermath Shadows BP. The New York Times, November 16, 2012.
Rizzi, J., Simkins, B.J., and K. Schoening-Thiessen. 2011. Enterprise Risk Management: A Review of Prevalent Practices. Ottawa: Conference Board of Canada.
Simons, R. 1995. Levers of Control: How Managers Use Innovative Control Systems to Drive Strategic Renewal. Boston, MA: Harvard Business School Press.


Spira, L.F., and M. Page. 2003. Risk management: the reinvention of internal control and the changing role of internal audit. Accounting, Auditing and Accountability Journal 16(4): 640-661.
Stulz, R. 1996. Rethinking risk management. Journal of Applied Corporate Finance 9(3): 8-24.
Weick, K.E., and K.M. Sutcliffe. 2001. Managing the Unexpected: Assuring High Performance in an Age of Complexity. San Francisco, CA: John Wiley & Sons, Inc.
Woods, M. 2007. Linking risk management to strategic controls: a case study of Tesco plc. International Journal of Risk Assessment and Management 7(8): 1074-1088.
Woods, M. 2009. A contingency theory perspective on the risk management control system within Birmingham City Council. Management Accounting Research 20(1): 68-91.

