Date post: 26-Mar-2020

Risk and control: Drivers, practices and consequences

October 2004

Paul M Collier, Aston Business School

Anthony J Berry, Manchester Metropolitan University

Gary Burke, Aston Business School

Acknowledgements: The research described in this paper was carried out with funding provided by the Chartered Institute of Management Accountants. The authors are grateful to colleagues at the BAA and MCA conferences for their comments and especially to Lies Boukrami of MMU for his help with the financial market analysis.

Please do not quote without the permission of the authors.

Corresponding authors: Professor Tony Berry, MMU, Manchester, UK. [email protected]; Dr Paul Collier, Aston Business School, Aston University, Birmingham B4 7ET. [email protected]

Abstract

Risk has been of considerable recent interest in the accounting literature (Helliar et al, 2002; Berry and Collier, 2002), the corporate governance literature (COSO, 2003), management (Holt, 2004) and the social literatures (Beck, 1992; Beck et al, 2000). These literatures have not been well integrated.1 There is little published research on the relationship of Risk Management as derived from corporate governance as a mode of internal control and its consequences for organisational performance.

The research reported here was designed to describe and understand how organizations' risk management processes had developed and to seek explanations for those practices. A subsidiary theme was the exploration of the role of management accountants in these processes. The research data was collected from a small series of interviews and a postal survey of UK organisations in 2003. The survey was targeted at three groups: stock exchange listed companies (FTSE), small & medium enterprises (SMEs) and CIMA members, distributed in all sectors. The analysis of responses was followed by further interviews. A key question, following Douglas and Wildavsky (1983) and Adams (1995), was whether the Risk Stance taken by an organisation was a determining factor in its performance.

Risk management was observed to arise from institutional (corporate governance) and internal processes, and basic and heuristic methods of risk management were used much more than the systems-based approach that is associated with risk management in much of the literature. The Risk Stances of the organisations (fatalists, hierarchists, entrepreneurs and risk aware) were important determinants of risk management practices and reported organisation performance. From a sub-sample of the data set it was found that there were strong indications that Risk Stance was related to the assessment and valuation of the organisation by capital markets.

Further, management accountants in the overwhelming majority of organisations were both risk averse and being marginalised in relation to risk management. CIMA respondents were less convinced than FTSE and SME respondents of the extent to which risks were identified and factored in when formulating budgets.

The research also concluded that a risk of control arises because of the emphasis on controlling threat based upon considerations of compliance to corporate governance imperatives and protection issues. This may be carried through into excessive control by establishing a range of prescriptive controls such that organisational actions are overly constrained and opportunities foreclosed. A second risk of control may be a consequence of controls being put in place for risk management that may have given an unjustifiable confidence that event uncertainty was being managed. Several further research topics were identified, especially a larger and wider study of the relationship of governance derived risk management, decision processes and capital market assessment and valuations of risk.

1 See the recent review articles by Zinn (Sociology, Economics and Risk) and Taylor-Gooby (Psychology and Risk) SCARR web site 2004.

Introduction

Risk, typically defined in terms of the possibility of danger, loss, injury or other adverse consequences (Concise Oxford Dictionary), has been of considerable interest in the economic, governance and social theory literatures. But these economic (including accounting and finance), governance and social literatures are not well integrated. Indeed there is little published research on the relationship of risk as economic opportunity, as a governance problem or as a social issue. However, risk management has increased in visibility since the publication of the Turnbull Report and the adoption of that guidance for a risk-based approach to internal control into the Combined Code on Corporate Governance.

It was argued (Bettis & Thomas, 1990) that researchers had very little knowledge about how managers in organizations perceived and took risks, or of the commonalities or differences between individual risk taking and risk taking by managers in the organizational context. Since then, in the last decade, there has been a myriad of publications on risk management by professional bodies and consulting firms and published research on various aspects of risk management, including technology (Shrivastava (1993); Bussen & Myers (1997); Kumar (2002)); outsourcing (Bhattacharya et al (2003)); reputation (Davies (2002a)); project management (Jiang & Klein (1999); Miller & Lessard (2001)); crisis (Davies (2002b)).

This paper is arranged as follows. In the first section we provide a review of the relevant literature of risk management. The second section describes the research method, the third section presents the data, followed by analysis and discussion in the fourth section. In the fifth section some issues and questions arising from the research are discussed and in the final section we present the conclusions.

1. Background

Economics and Accounting

A distinction between risk and uncertainty is typically made in accounting and finance texts, following Knight's Risk, uncertainty and profit (1921). According to Knight, risk was not knowing what future events will happen, but having the ability to estimate the odds, while uncertainty was not even knowing the odds. While the first was calculable, the second was subjective. Sophisticated risk management techniques have been applied in finance, such as real options theory (Dixit & Pindyck (1994); Majd & Pindyck (1987)) and Value at Risk (Putnam et al (2002)). Research by Arnold & Hatzopoulos (2000) suggested that financial managers' use of financial theory and techniques was continuing to grow. This implied a more educated managerial and financial workforce and a greater likelihood that financial managers and accountants would be open to more structured and analytic considerations of risk. However, there have been criticisms, such as that by Fatemi & Luft (2002), who argued that systematic hedging may be consistent with managerial risk aversion but is inconsistent with maximising shareholder value.

A common rubric for dealing with risk is to follow a decision process including understanding and assessment, followed by a choice of mitigation, transfer (insurance) and holding as a minimum exposure or, more adventurously, as part of business opportunity. The accounting literature has addressed risk from a narrow perspective, largely based on a rationalist paradigm of techniques such as probability, standard deviation, decision trees, expected value tables,
discounted cash flow and sensitivity analysis. These methods neglect a social construction paradigm and the inherent subjectivity of what managers do. The finance texts are typically concerned with financial exposures such as foreign exchange and interest rate exposures and the use of hedging techniques for mitigation or adventure. Market theorists have concentrated upon the relationship between risk and return. A limitation of these financial approaches is the problematic value of quantification techniques and their reduction of human agency to irrelevance.

It was noted (March & Shapira, 1987) that managers were insensitive to probabilities but focused on performance in relation to critical performance targets. Managers saw risk taking as essential to success in decision making, associated risk taking with the expectations of their jobs and recognised the emotive aspects of risk taking. Hence, both individual and institutionalised risk preferences were important in understanding organizational responses to risk management. The value of quantification as a technique for managing risk was further questioned by McGoun (1995), who argued that measuring risk probabilistically was recognised in the 1930s as being questionable, although this had been "forgotten". Pender (2001) claimed that probability-based risk management did not explain observed project management practice.

A survey of managers and accountants by Helliar et al (2002) found that customers, competitors and large shareholders influence risk decisions and that loss aversion was dominant in decision makers' minds. Further, these authors reported that probabilistic measures were not used but instead managers relied on instinct and experience, which was then tested against corporate procedures to minimise risk. Weber & Milliman (1997) found that risk preference may be a stable personality trait, and that the effect of situational variables on choice may be the result of changes in risk perception. Ruefli et al (1999) argued that researchers had not captured the concepts of risk employed by managers and investors, employing ex post measures that differed from managers' ex ante risk assessments.

A further limitation is the view of risk as negative. Shareholders understand the risk/return trade-off as they invest in companies and expect boards to achieve a higher return than is possible from risk-free investments such as Government securities. This implies that they expect boards and managers to be entrepreneurial, but that risks taken will be considered and managed within the accepted risk profile of the organization. This risk/return trade-off has been reflected in the Turnbull Report.2

2 Jones & Dugdale (2001) developed the notion of an accounting regime as a set of social practices constructed through the dis-embedding and re-embedding of accounting, the power of which depends on its ability to provide guarantees of expertise in the face of risk. It provides a useful framework to study accounting as a totality and thus to detect its power in the modern world.

Governance

Risk in organisations can be classified in various ways, e.g. as operational, financial, environmental, technological, reputation; in relation to internal or external events; in relation to information about those events (i.e. is it visible); in relation to managerial perception about events and information (i.e. how is it perceived, a matter of construction or interpretation); and in relation to how organisations use tacit or informal managerial processes or whether and how they construct explicit and formal procedures of risk management.

Other risk issues, seemingly outside economic decision-orientation, including health and safety, environmental pollution, major crisis and business continuity, project risk, reputation risk, etc., have led to the new function (or discipline) of risk management, which was initially closely related to the field of insurance. For example, Shrivastava (1993) argued that managing risks associated with new technologies and hazards should not be limited to buying insurance to cover the consequent financial burden. Preventive action implies a new management culture of safety.

New approaches have been developed that have little reliance on financial information including systems thinking (Hollman
& Forrest (1991); Stewart & Fortune (1995)), which approach failures by using techniques such as failure mode and effect analysis, fault tree and event tree analysis, hazard and operability studies, human reliability analysis, cost benefit analysis and risk-benefit analysis (White, 1995). Latterly, Enterprise risk management (ERM) (Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2003); Liebenberg & Hoyt (2003)) approaches encourage and enable firms to take an integrated approach to managing risk that broadens the focus of risk management from a protective stance to a strategic stance.

The Turnbull report (Institute of Chartered Accountants in England & Wales, 1999), subsequently incorporated within the Combined Code on Corporate Governance (Financial Reporting Council (2003)), defined risk as any event that might affect a listed company's performance, including environmental, ethical and social risks. The guidance in the report was based on Boards establishing, within their management and governance processes, "a risk-based approach to establishing a sound system of internal control and reviewing its effectiveness" (p.4). Boards need to consider the extent to which each risk is acceptable, the likelihood of risk materialising and the ability of the organisation to reduce the incidence and impact of the identified risk. However, the Turnbull report acknowledged that "profits are, in part, the reward for successful risk-taking in business" so that the role of internal control was "to help manage and control risk appropriately rather than to eliminate it" (p.5).

The Turnbull report was consistent with the view taken by the International Federation of Accountants (1999), which defined risk as uncertain future events that could influence the achievement of strategic, operational and financial objectives. The IFAC report contrasted the negative view of risk as hazard with a positive interpretation of risk as opportunity and was explicitly biased towards a perspective that favoured shareholder value in which risk management "establishes, calibrates and realigned the relationship between risk, growth and return" (p.4).

There has been an implicit assumption in much research that governance and management control systems play an important part in risk management. For example, Amat et al (1994) found that such systems became increasingly important because of organizational complexity and higher financial risk. Research by Noy & Ellis (2003) found that risk strategy was not uniform but varied across activities in the same organization, and that variations occurred based on core competencies and competitive advantage. Marshall et al (1996: 90) argued that an emphasis on internal control systems was insufficient as they could provide information but decision makers needed knowledge to interpret that information, and an excess of controls could produce "an illusion of control; hiding the very real risks that lie in those areas where much that was not quantifiable or constant must be factored into a decision".

In the context of corporate governance, risk management implies control and reporting. Solomon et al (2000) built on the Turnbull Report to develop a conceptual framework for internal control, risk management and risk disclosure. Their empirical research findings indicated that institutional investors do not favour a regulated environment for corporate risk disclosure or a general statement of business risk, although respondents agreed that increased risk disclosure would assist in portfolio investment decisions.

Critiques

In the UK, Spira & Page (2003: 645) claimed that a "technico-scientific approach forms the basis of a rhetoric that links the processes of risk management to good governance" which assumes that risks can be objectively identified, quantified and managed. The corporate governance framework was designed to manage risk through the accountability mechanisms of financial reporting, audit and internal control, in which internal auditors aspire to the reframing of their role in terms of risk management. These authors also argued that developments in corporate governance reporting offered opportunities for the appropriation of risk and its management by groups wishing to advance their own interests by asserting their own conceptions of risk and how
it should be managed in an environment in which the widespread failure to achieve corporate objectives provides a natural focus for risk management.

The notion that accountants have a role in risk management is evident in the literature of the changing role of the accountant (e.g. Parker (2001); Scapens et al (2003); Burns et al (2003)); however, this is not a view necessarily shared outside the profession. Power (1994) describes audit as a risk reduction technology in which risks are knowledge dependent and the audit society can be characterized by systems for the social recognition of risks. However, auditing fails to recognize precisely those risks that escape the norm of auditability.

The view of risk as a systematic, rational device with tools and techniques to manage risk was challenged (Beck, 1986; 1992 in translation) with a wider view than the individual or the organization and the claim that we live in a 'risk society', from the stance that risk is socially constructed. Similarly, Douglas & Wildavsky (1983) identified the perception of risk as a social process, with some risks being highlighted while others were downplayed. Adams (1995) developed the notion of the 'risk thermostat', which illustrated how the propensity to take risks varied from person to person, influenced by the potential rewards of risk-taking. Perceptions of risk were also influenced by experience of 'accidents' that cause losses, and individual risk taking represented a balance between perceptions of risk and the propensity to take risks.

Adams (1995) builds upon the Douglas & Wildavsky constructions to develop a model of risk compensation, a balancing behaviour related to a person's propensity to take risks; the expected rewards from risk taking; the perceived dangers; and accidents. Adams provides ideal-types for each group. Individualists "are enterprising self made people." By contrast, hierarchists "inhabit a world of strong group boundaries and binding prescriptions." Egalitarians "have strong group loyalties, but little respect for externally imposed rules". Fatalists "have minimal control over their lives."

This dual approach of financial tools and social constructions is evident in recent work. Harris (1999, 2000) drew on psychological theories in developing a project risk assessment framework to study risk assessment in capital investment decision-making, in which managers used a range of analytical tools to assess the likely risks and returns. Managers also drew upon their intuition and influenced others involved in the decision process. In their study of risk in budgeting, Collier & Berry (2002) found that organizational participants constructed risk in four domains: financial, political, operational and personal. Collier & Berry argued that by excluding some risks and considering others, the budget process was seen to be different to, and needed to be interpreted separately from, the content of the budget, in which there was little evidence of risk modelling or the use of probabilities.

Research Design

Much of the financial and governance literature rests in the tradition of normative theorising or injunction. There was little research that set out to explain the organisational practice of Risk management and the degree to which it was influenced by considerations of economic rationality and corporate governance. The research reported here aimed to understand the drivers and practice of risk management and the consequences for performance for the organisations. A subsidiary theme was the role of accountants in risk management. The research described in this paper builds on prior research in this area, such as that by Helliar et al (2002).

It was conjectured that Risk management practice is a function of:

- The competitive intensity and uncertainty of the external environment (economic rationale)
- The Risk Stance of the organisation (derived from an understanding of risk as opportunity (an economic rationale, corporate governance rationale) and an understanding of risk as protection (corporate governance rationale))

And that the perceived improvement in performance would be a function of the fit of these.

The Risk Management Stances were derived from Douglas and Wildavsky and Adams and are shown in the figure below. It was decided to drop the Douglas and Wildavsky term Egalitarian and substitute the term Risk Aware to describe organisations that might be high on both aspects of Risk Management approach.

[Figure: Risk Management Stances, a two-by-two matrix. Axes: degree to which RM is about avoiding negative consequences (LOW to HIGH); degree to which RM is about achieving positive consequences (LOW to HIGH). Quadrant labels: Fatalists, Hierarchists, Entrepreneurs, Risk Aware.]

A second theme of the study was to explore whether the risk stance of the company was related to its market performance (valuation). It was conjectured that the Risk Aware companies would have lower Betas than the other groups, that is, the Risk Aware companies would either signal their policy to the market place or their performance would be such that the market actors would adjust their valuation. The implication of this argument is that Risk management in the Risk Aware category would increase the Market Value of the enterprise.

The research was undertaken using a postal survey instrument targeted at three groups: stock exchange listed companies (FTSE), small & medium enterprises (SMEs) and CIMA members. The analysis of responses (n=333) was followed by further interviews. The survey design was developed from the framework for the adoption and implementation of risk management practices in organisations (Figure 1). The framework suggested that risk management practices in organisations would likely be adopted and maintained as a consequence both of the organisational risk appetite and various drivers.

The role of accountants in risk management was a subsidiary theme. This was not to discount the importance of financial accountants in the disclosure of risk (following Solomon et al (2000)), but reflected the role of management accountants in risk-based internal control (after Spira & Page (2003)). Finally, the perceived effectiveness of risk management practices was sought.

Figure 1: Study framework for risk management practices in organisations

[Figure elements: External Regulation (Turnbull, Combined Code, etc.); Environment (Industry/sector), Competitive intensity, Risk/Uncertainty; Organisational demographics, Ownership structure, Industry, size (turnover/employees); Risk appetite (& propensity to change); Other drivers; Risk management practices (Policy, procedure, methods, etc.); Involvement of accountants/Accounting in risk management; Perceived effectiveness of risk management.]

Method

We designed the survey to examine the research questions. As part of the preparation there were visits to six organisations, where interviews were conducted with managers responsible for risk management. In addition, there was an interview with the Chief Executive of a professional association of risk managers. The research instrument included questions on the following:

A.
1. Company size, type
2. Respondent type
3. Reported drivers of risk management practice
4. Risk propensity of the respondents and their organisations

B. Risk Stance in relation to protection and opportunity

C.
1. The degree of environmental uncertainty and risk
2. Changes in environmental uncertainty and risk
3. Stakeholder involvement in risk management
4. Supporting processes and culture
5. Use of basic methods of risk assessment
6. Effectiveness of basic methods
7. Use of technical methods of risk assessment
8. Effectiveness of technical methods
9. The degree to which risks were factored into organisational planning

D.
1. Improvement in performance change from risk management
2. Improvement in external relationships
3. The market performance (valuation)

We tested the research instruments for comprehension and range of questions on ten respondents, which included all those we had interviewed as part of the survey design process as well as other respondents we approached who had no involvement in the survey design.

As part of the survey design, we wanted to identify differences between the responses of three 'survey groups': accountants (CIMA members), large publicly quoted companies (FTSE) and small and medium sized organizations (SMEs). The questionnaire survey was mailed to 3,000 named people (2,000 CIMA members; 500 FTSE Directors and 500 SME Directors). There were two separate survey instruments, although there were only minor differences between the two, to reflect the knowledge that all CIMA members were accountants, which modified two of the questions. In order to make it easier to answer and improve the response rate3, the survey was compressed into a printed four page document.

CIMA produced a mailing list of 5,000 members based in the UK who had been members for more than 3 years and had the word 'accountant' in their job title. We randomly selected 2 from every 5.

For the FTSE sample we obtained the details of UK companies listed on the London Stock Exchange from www.londonstockexchange.com. We excluded companies listed on the Alternative Investment Market, Investment Companies and Investment Entities, leaving a population of 1,179. These companies were arranged alphabetically and 500 companies were randomly selected. The Financial Director's name was used in the first instance; if unavailable, the Chief Executive's name was used. The covering letter accompanying the questionnaire asked the named person or a nominee from their senior management teams to complete the questionnaire.

Using FAME, we identified UK SMEs with a minimum turnover of between £2 million and £11.2 million and a minimum number of 50 employees. This effectively eliminated the very small business sector and is in line with the Companies Act definition of an SME. 500 companies were randomly selected from a total population of 19,811 and the survey was addressed to the named Chief Executive or Managing Director.

We received 333 usable responses, a rate of 11%, which we deemed adequate to enable analysis, particularly as we had sufficient responses over each of the three survey groups. The responses are shown in Table 1.

Table 1: Summary of Survey Responses

| Sample | CIMA | FTSE | SME | Total |
|---|---|---|---|---|
| Questionnaires Issued | 2000 | 500 | 500 | 3000 |
| Total Responses Received | 259 | 63 | 47 | 369 |
| Response rate | 13.0% | 12.6% | 9.4% | 12.3% |
| Non Usable Responses | 17 | 13 | 6 | 36 |
| Usable Responses | 242 | 50 | 41 | 333 |
| Usable Response Rate | 12.1% | 10.0% | 8.2% | 11.1% |

We subdivided the CIMA responses by type of organisation, as Table 2 shows.

3 The financial sponsors of the research advised us to expect a low response rate if we exceeded four pages.

Table 2: CIMA responses by type of organisation

| CIMA employment | Number | % of total |
|---|---|---|
| Working in PLCs | 67 | 28% |
| Working in SMEs | 54 | 22% |
| Working in public or not-for-profit sector | 60 | 25% |
| Working in other sector | 61 | 25% |
| Total | 242 | 100% |

Following survey analysis, we tested the findings on a number of risk management professionals, management accountants and SMEs who helped to inform the interpretation of, and explanations for, the statistical results.

3. Research Data

3.1 Drivers of risk management

The reported drivers of risk management are given in Table 3.

Table 3: Drivers of risk management

| Driver | Disagree | Neutral | Agree | Mean | Std.Dev. |
|---|---|---|---|---|---|
| Legislation | 8% | 20% | 72% | 3.79 | 0.82 |
| Regulatory bodies | 7% | 24% | 69% | 3.79 | 0.83 |
| Expectations of shareholders/analysts | 18% | 32% | 51% | 3.35 | 0.98 |
| Competitive business environment | 8% | 22% | 71% | 3.72 | 0.79 |
| Customers/clients | 14% | 30% | 56% | 3.51 | 0.90 |
| Critical event or near miss | 17% | 27% | 56% | 3.54 | 0.97 |
| Board/Top management | 3% | 24% | 73% | 3.84 | 0.70 |

There was general agreement in the responses that legislation, regulatory bodies, the board/top management and the competitive business environment were important drivers of risk management. However, the high 'agree' response to all the drivers raises questions about the value of these responses. During follow-up interviews, though, the importance of compliance with legislation as the dominant driver for many organisations was emphasised.

3.2 Choices in Risk Management

The extent to which various choices were used in risk management and the reported effectiveness of those choices are shown in Table 4.

Table 4: Choices in risk management

| Choice | Low | Med | High | Mean | Std.Dev. |
|---|---|---|---|---|---|
| Transferring the risk using insurance, hedging, contracts, joint ventures or partnerships, etc. | 28% | 30% | 42% | 3.09 | 1.25 |
| Effectiveness of transferring risk | 29% | 29% | 42% | 3.08 | 1.22 |
| Decreasing the likelihood of risk through management action | 11% | 29% | 60% | 3.61 | 0.93 |
| Effectiveness of decreasing the likelihood of risk | 12% | 37% | 51% | 3.48 | 0.94 |
| Decreasing adverse consequences of risk using contingency, business continuity plans, etc. | 22% | 33% | 45% | 3.25 | 1.02 |
| Effectiveness of decreasing adverse consequences | 23% | 39% | 38% | 3.14 | 1.02 |

Although all methods were in high use, management action to decrease the likelihood of risk was given the highest ranking. However, decreasing any adverse consequences through planning was not seen to be as effective as the use of this method implied.


These responses imply that the traditional methods of managing risk through transfer (insurance, hedging, etc.) were still seen as more effective than more proactive risk management processes. SME responses suggested that risk management had, more than for the other survey groups, improved performance in management reporting, communication within the organisation, relationships with customers/clients, reputation and recognition and uptake of opportunities, and employee confidence in carrying out their duties. CIMA responses were slightly more sceptical about the benefits to corporate planning, management reporting and the management of organisational change but were more convinced than FTSE (but less than SME) of the improvements in relationships with customers/clients and of employee confidence in carrying out their duties. FTSE respondents were slightly higher in their belief that relationships with shareholders had improved.

3.3 Risk Propensity (appetite)

We asked respondents to identify their own propensity to take risks and their organisation’s propensity to take risks. The results are shown in Table 5.

Table 5: Propensity to take risks

| | Refuse to/Prefer not to | Neutral | Willing to/Keen to | Mean | Std.Dev. |
|---|---|---|---|---|---|
| Personal propensity | 31% | 24% | 45% | 3.14 | 0.90 |
| Organisational propensity | 41% | 17% | 42% | 3.03 | 0.95 |

We also asked the extent to which this propensity had changed over the last two years. The results are shown in Table 6.

Table 6: Changing propensity to take risks

| | Reduced | Not Changed | Increased | Mean | Std.Dev. |
|---|---|---|---|---|---|
| Change in personal propensity to take risks | 24% | 46% | 30% | 3.06 | 0.82 |
| Change in organisational propensity | 21% | 44% | 35% | 3.14 | 0.87 |

There were statistically significant differences between the three survey groups. 37% of CIMA were risk averse compared with 10% of FTSE and 24% of SME. 39% of CIMA were willing to take risk compared with 64% of FTSE and 56% of SME. We analysed personal risk propensity by demographic characteristics using the Chi-square test. There were no statistically significant associations between risk appetite (risk averse, risk neutral and risk willing) and organisation type, sector or size. We compared the respondents’ risk appetite with their organisation’s risk appetite. The results are shown in Table 7.

Table 7: Alignment of personal risk propensity and organisational risk propensity

Rows: personal risk appetite. Columns: organisational risk appetite.

| Personal risk appetite | Risk Averse | Risk Neutral | Risk Willing |
|---|---|---|---|
| Risk Averse | 65 (63%) | 11 (11%) | 27 (26%) |
| Risk Neutral | 30 (38%) | 21 (27%) | 27 (35%) |
| Risk Willing | 38 (26%) | 25 (17%) | 86 (58%) |

Whilst many respondents were matched between their personal risk appetite and that of their organisations, there were some significant mismatches between the two responses. 26% of respondents were risk willing but felt they were working in risk averse organisations, while 26% were risk averse working for risk willing organisations. 63% of respondents who considered themselves as risk neutral were working in either risk averse or risk willing organisations. Correlations between personal views and the organisational approach of risk taking and risk management are shown in Table 11. As would be expected, the personal risk propensity variable and the organisational risk propensity variable were positively correlated (0.33). However, there was a marked difference between the samples, suggesting that the fit between personal propensity and organisational propensity was not as strong for CIMA members as for FTSE and SMEs. This lower alignment of CIMA respondents was consistent for all the five dimensions of risk in Table 8.

Table 8: Correlations between personal and the organisational risk

| Personal view vs. organisational approach | CIMA | FTSE | SME | Total |
|---|---|---|---|---|
| Propensity to take risks | .210** | .460** | .702** | .333** |
| RM is about avoiding negative consequences | .511** | .615** | .687** | .546** |
| RM is about achieving positive consequences | .383** | .530** | .609** | .440** |
| RM should be more a matter of personal judgement | .367** | .417** | .538** | .401** |
| RM should be handled through a formal control system | .313** | .421** | .414** | .342** |

** Correlation is significant at the 0.01 level (2-tailed)

3.4 Risk Stance

Respondents were asked the extent to which they believed that risk management was about avoiding negative consequences and about achieving positive consequences. We combined their responses on both questions and compared their personal responses with risk management in their organisations. The results are shown in Table 9.

Table 9: Personal and organisational perspectives about risk management


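Personal view. Rows: I believe RM is about avoiding negative consequences. Columns: I believe RM is about achieving positive consequences.

| | Disagree | Neutral | Agree | Total |
|---|---|---|---|---|
| Disagree | 2% | 1% | 11% | 14% |
| Neutral | 1% | 3% | 8% | 12% |
| Agree | 10% | 15% | 48% | 73% |
| Total | 13% | 19% | 67% | 100% |

Organisational view. Rows: RM is about avoiding negative consequences in my organisation. Columns: RM is about achieving positive consequences in my organisation.

| | Disagree | Neutral | Agree | Total |
|---|---|---|---|---|
| Disagree | 1% | 1% | 5% | 7% |
| Neutral | 0% | 5% | 9% | 14% |
| Agree | 14% | 22% | 43% | 79% |
| Total | 15% | 28% | 57% | 100% |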

While 73% of respondents agreed that risk management was about avoiding negative consequences and 67% believed it was about achieving positive ones, 48% of responses agreed that risk management was as much about achieving positive consequences as avoiding negative ones. The respondents viewed their organisations as more about avoiding negative consequences (79%) than about achieving positive ones (57%), with 43% responding that it was about both in their organisations. There was a strong similarity of agreement across the survey populations that risk management in their organisations was about avoiding negative consequences (CIMA 80%, FTSE 78%, SME 73%). FTSE and SMEs agreed more than CIMA that risk management was about achieving positive consequences, reinforcing the stereotypical views about accountants. Responses about risk management in the respondent’s organisation being about positive/negative consequences were categorised into 4 stances (following Adams), as shown in Table 10.

Table 10: Classification of risk management responses

Rows: RM is about avoiding negative consequences in my organisation. Columns: RM is about achieving positive consequences in my organisation.

| | Disagree / Neutral | Agree |
|---|---|---|
| Disagree / Neutral | Fatalists 7% | Entrepreneurs 15% |
| Agree | Hierarchists 35% | Risk aware 43% |
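The collapse of Table 9's organisational panel into the four stances of Table 10, as an added example (not code from the paper): the function names, the 1-2 / 3 / 4-5 banding of a five-point Likert score and the sample respondent scores are assumptions constructed here. It also checks how far the shares derived from the printed Table 9 cells sit from the printed Table 10 shares.

```python
"""Collapse a 3x3 agree/neutral/disagree cross-tab into four risk stances."""
from collections import Counter

LEVELS = ("Disagree", "Neutral", "Agree")
STANCES = ("Fatalist", "Entrepreneur", "Hierarchist", "Risk aware")

# Table 9, organisational panel: cell percentages as printed on the page.
# Outer key: "RM is about avoiding negative consequences in my organisation".
# Inner key: "RM is about achieving positive consequences in my organisation".
TABLE_9_ORG = {
    "Disagree": {"Disagree": 1, "Neutral": 1, "Agree": 5},
    "Neutral": {"Disagree": 0, "Neutral": 5, "Agree": 9},
    "Agree": {"Disagree": 14, "Neutral": 22, "Agree": 43},
}

# Table 10 as printed on the page (percent of respondents per stance).
TABLE_10 = {"Fatalist": 7, "Entrepreneur": 15, "Hierarchist": 35, "Risk aware": 43}

# Constructed sample: (avoid-negative score, achieve-positive score) per respondent.
SAMPLE_RESPONSES = [(5, 5), (4, 2), (2, 4), (3, 3), (1, 1), (4, 4)]


def likert_to_level(score):
    """Band a 1-5 Likert score (assumed banding: 1-2, 3, 4-5)."""
    if score not in (1, 2, 3, 4, 5):
        raise ValueError(f"Likert score out of range: {score!r}")
    if score <= 2:
        return "Disagree"
    return "Neutral" if score == 3 else "Agree"


def stance(avoid_negative, achieve_positive):
    """Apply the Table 10 rule: only 'Agree' counts, neutral groups with disagree."""
    for level in (avoid_negative, achieve_positive):
        if level not in LEVELS:
            raise ValueError(f"unknown response level: {level!r}")
    negative = avoid_negative == "Agree"
    positive = achieve_positive == "Agree"
    if negative and positive:
        return "Risk aware"
    if negative:
        return "Hierarchist"
    if positive:
        return "Entrepreneur"
    return "Fatalist"


def collapse(crosstab):
    """Sum the nine cross-tab cells into the four stance shares."""
    shares = {name: 0 for name in STANCES}
    for avoid_negative, row in crosstab.items():
        for achieve_positive, share in row.items():
            shares[stance(avoid_negative, achieve_positive)] += share
    return shares


def classify_respondents(pairs):
    """Count stances for raw (avoid-negative, achieve-positive) Likert pairs."""
    return Counter(
        stance(likert_to_level(neg), likert_to_level(pos)) for neg, pos in pairs
    )


def rounding_gaps(derived, published):
    """Percentage-point difference between derived and published shares."""
    return {name: derived[name] - published[name] for name in published}


if __name__ == "__main__":
    derived = collapse(TABLE_9_ORG)
    print("Derived from Table 9:", derived)
    print("Gap to Table 10:", rounding_gaps(derived, TABLE_10))
    print("Sample respondents:", dict(classify_respondents(SAMPLE_RESPONSES)))
```

The derived shares differ from the printed Table 10 by at most one percentage point, which is what rounding of the nine printed cells would produce.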

From the survey responses, we were able to categorise 23 (7%) respondents as fatalists; 117 (35%) as hierarchists; 48 (15%) as entrepreneurs; and 141 (43%) as risk aware. Fatalists are those who do not see risk management as having any consequences, or were neutral. This group comprised only 7% of the respondents. Entrepreneurs agree that risk management is about positive consequences but disagreed or were neutral about negative consequences, perhaps a risk seeking group. Hierarchists disagreed or were neutral in relation to positive consequences but agreed in relation to negative ones. This is the risk-avoiding group. The risk aware group were balanced between risk management’s role in achieving both positive and avoiding negative consequences. Our research conjectures that this is the group that would embed risk in culture and decision-making.

3.5 Grouped responses


Factor analysis was used on the raw data to simplify and to construct ‘group’ responses for the variables. These items were subjected to principal components analysis using SPSS. Cronbach’s alpha coefficient was then used to measure the internal consistency of the eleven ‘groups’ shown in Table 11 below.

Table 11: Grouped variable constructs and descriptive statistics

Factor analysis constructs (variable description, number of items, Cronbach’s alpha) and descriptive statistics (mean, standard deviation):

| Variable description | No. of items | Cronbach’s alpha | Mean | Std.Dev. |
|---|---|---|---|---|
| 1. Degree of uncertainty & risk faced | 3 | .7985 | 3.49 | .732 |
| 2. Change in uncertainty & risk faced | 3 | .8039 | 3.85 | .627 |
| 3. Supporting processes and culture | 8 | .8833 | 3.49 | .721 |
| 4. Stakeholder involvement | 4 | .6806 | 3.02 | .825 |
| 5. Usage Rate of Basic Methods | 4 | .6696 | 2.91 | .909 |
| 6. Usage Rate of technical methods | 2 | .7590 | 2.05 | 1.067 |
| 7. Effectiveness of Basic Methods | 4 | .6913 | 2.85 | .918 |
| 8. Effectiveness of technical methods | 2 | .7735 | 2.15 | 1.094 |
| 9. Risks factored into organisational planning | 6 | .8784 | 3.44 | .864 |
| 10. Improved performance | 9 | .8942 | 2.93 | .783 |
| 11. Improved External Relationships | 3 | .8131 | 2.50 | .949 |

Chi Square tests were used to analyse relations between categorical variables such as risk appetite and survey family. We also used one-way ANOVA to determine if there were any significant differences in mean scores across the three survey groups. Spearman’s Rank Order Correlation (rho) was used to calculate the strength of relationship between the groups, which are shown in Table 12.


Table 12: Correlations of grouped responses

| Grouped response | No. | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Degree of uncertainty & risk faced | 1 | 1.000 | | | | | | | | | | |
| Change in uncertainty & risk faced | 2 | .295** | 1.000 | | | | | | | | | |
| Supporting processes & culture | 3 | .111* | -.087 | 1.000 | | | | | | | | |
| Stakeholder involvement | 4 | .083 | -.032 | .078 | 1.000 | | | | | | | |
| Usage rate of basic methods | 5 | .023 | .055 | .497** | .095 | 1.000 | | | | | | |
| Usage rate of technical methods | 6 | .120* | .050 | .373** | .246** | .508** | 1.000 | | | | | |
| Effectiveness of basic methods | 7 | -.057 | .017 | .463** | .102 | .847** | .447** | 1.000 | | | | |
| Effectiveness of technical methods | 8 | .062 | .015 | .302** | .216** | .425** | .836** | .525** | 1.000 | | | |
| Risks factored into organisational planning | 9 | .083 | -.065 | .398** | .212** | .320** | .301** | .313** | .268** | 1.000 | | |
| RM has improved performance | 10 | .080 | .040 | .491** | .205** | .357** | .423** | .366** | .333** | .455** | 1.000 | |
| RM has improved external relationships | 11 | .055 | -.047 | .289** | .466** | .290** | .411** | .339** | .364** | .264** | .606** | 1.000 |

** Correlation is significant at the 0.01 level (2-tailed)
* Correlation is significant at the 0.05 level (2-tailed).


The correlations reveal strong relationships between supporting processes and culture and the use of basic risk management methods (0.497**) and the effectiveness of basic risk management methods (0.463**). Supporting processes and culture was also correlated with risks being factored into plans (0.398**), improved performance (0.491**), and improved external relationships (0.289**). There were also strong correlations between stakeholder involvement and risks being factored into plans (0.212**), improved performance (0.205**) and improving external relationships (0.466**). The use of basic methods of risk management was also highly correlated with risks being factored into plans (0.320**), improved performance (0.357**) and external relationships (0.290**). The correlations present what appears to be a coherent view of risk taken by respondents. The correlations also suggest that respondents had a commonality of view of notions of uncertainty and risk.

The correlations above were calculated for the organisations classified into the four stances. For the fatalists, there were fewer significant correlations. There was no correlation between supporting processes and culture and basic and technical risk management methods. There were positive correlations between risks being factored into organisational planning, risk management having improved organisational performance (.663**) and having improved external relationships (.652**). There were positive correlations between the use of basic (.632**) and technical (.623**) risk management methods and risk being factored into organisational planning but not with improved performance.

For entrepreneurs the correlations of supporting processes and culture with the use of basic and technical risk management methods were .652** and .402**. Correlations between improvements to performance and the risk management methods were: for basic methods .314**, for technical methods .610**, and for supporting processes and culture .484**.

For hierarchists there were strong correlations around the supporting processes and culture grouped responses with the use of basic (.537**) and technical (.434**) risk management methods. There were also strong correlations with risk management having improved performance and having improved external relationships (.624**). Improved performance correlated with the degree to which risk was factored into planning (.540**).

The risk aware group similarly showed strong correlations around supporting processes and culture with the use of basic (.387**) and technical (.339**) risk management methods. For this group, the correlation of risk being factored into organisational planning with risk management having improved performance was .525** and with having improved external relationships was .610**. The use of basic and technical methods correlated (.314**, .343**) with improved performance.

All these correlations point to a pattern of coherence in organisational procedures and the perceptions that they contribute to organisational performance. The differences between the four stances, although not great, were evident and lend support to the distinction between hierarchists, risk aware, entrepreneurs and fatalists. We therefore considered that the risk stance of managers did influence the risk management practices in use.

3.6 Demographics

Applying correlations to demographic data provided by respondents, we found no significant correlations between either the ownership structure of the organisation or the nature of business and any of the grouped data. We did find some significant correlations (at the 0.01 level) with the size of the organisation and the use of basic and sophisticated methods of risk assessment and management, as Table 13 demonstrates.


Table 13: Correlations between Company Turnover and Number of Employees

| Grouped variable | Company Turnover | Number of Employees |
|---|---|---|
| Group 5. Use of basic methods for RM | .326** | .330** |
| Group 6. Use of technical methods for RM | .305** | .312** |
| Group 7. Effectiveness of basic methods for RM | .247** | .281** |
| Group 8. Effectiveness of technical methods for RM | .285** | .328** |

** Correlation is significant at the 0.01 level (2-tailed)

3.7 Environmental Uncertainty (GV 1 and 2)

Respondents rated competitive intensity and degree of uncertainty in their industry/sector, as well as the degree of risk faced by the organisation and the sector. These are shown in Tables 14a and 14b.

Table 14a: Competitive intensity, uncertainty and risk

| | Low/Very Low | Medium | High/Very High | Mean | Std.Dev. |
|---|---|---|---|---|---|
| Degree of competitive intensity in industry/sector | 18% | 23% | 59% | 3.56 | 1.18 |
| G1 Degree of uncertainty & risk faced by the organisation | 6% | 46% | 48% | 3.49 | 0.73 |

Table 14b: Competitive intensity, uncertainty and risk by survey group (high or very high)

| | CIMA Mean | CIMA Std.Dev. | FTSE Mean | FTSE Std.Dev. | SME Mean | SME Std.Dev. |
|---|---|---|---|---|---|---|
| Degree of competitive intensity in industry/sector high or very high | 3.42 | 1.26 | 3.88 | 0.90 | 4.05 | 0.77 |
| G1 Degree of uncertainty & risk faced by the organisation | 3.47 | 0.73 | 3.65 | 0.78 | 3.44 | 0.67 |

This revealed that CIMA respondents generally had a lower perception of competitive intensity and uncertainty but a higher perception of risk faced by the organisation. The degree to which competitive intensity, uncertainty and risk in the organisation’s environment were perceived to be changing is shown in Table 15.

Table 15: Changing competitive intensity, uncertainty and risk

| | CIMA Mean | CIMA Std.Dev. | FTSE Mean | FTSE Std.Dev. | SME Mean | SME Std.Dev. |
|---|---|---|---|---|---|---|
| Change in competitive intensity in industry/sector | 3.95 | 0.76 | 3.90 | 0.80 | 4.20 | 0.71 |
| G2 Change in uncertainty & risk faced by the organisation | 3.90 | 0.62 | 3.76 | 0.63 | 3.68 | 0.65 |

In Table 12, we presented the positive correlation between the degree of uncertainty and risk faced and the degree of change in uncertainty and risk. However, there was an absence of correlation between uncertainty and risk (or the change in uncertainty and risk) and other group variables. This negated one of the assumptions in the conceptual framework, that environmental factors influenced risk management practices. A higher proportion of CIMA respondents felt changes in the level of uncertainty were increasing rapidly but more SME respondents believed uncertainty was decreasing slowly or not changing. A higher proportion of CIMA respondents also believed change in the level of risk faced by the organisation was increasing rapidly, while fewer felt that it was decreasing slowly or not changing compared with FTSE and SME. Overall, CIMA respondents were more risk-concerned than the other respondent groups in relation to their organisations, despite having a lower perception of competitive intensity and uncertainty in their industry/sector.

3.8 Stakeholder Involvement (GV 4)

The extent to which shareholders and analysts, suppliers, customers, and banks and financiers were involved in risk management in the respondents’ organisations is shown in Table 16.

Table 16: External involvement in risk management

| | CIMA Mean | CIMA Std.Dev. | FTSE Mean | FTSE Std.Dev. | SME Mean | SME Std.Dev. | Total Mean | Total Std.Dev. |
|---|---|---|---|---|---|---|---|---|
| G4 External stakeholders are involved in RM | 3.01 | 0.81 | 3.02 | 0.89 | 3.08 | 0.86 | 3.02 | 0.83 |

While about one quarter of the responses were neutral on this question, over a quarter agreed that shareholders & analysts and suppliers were involved, half agreed that customers were involved and 42% agreed that banks & financiers were involved in the organisations’ risk management. There were some differences between respondent groups in relation to the drivers of risk management. These are shown in Table 18. SME responses were stronger for the involvement of shareholders/analysts, suppliers, customers and banks/financiers in their organisations’ risk management, reflecting their greater dependence on external actors, but otherwise the difference in responses between the three survey groups was not significant. The researchers observed that there were external drivers of risk management practices other than competitive intensity. External stakeholders and the demands of regulators and legislation, enacted through boards of directors, were likely to exert influence over the policies and methods adopted for risk management.

3.9(a) Risk processes and culture (GV 3)

We asked respondents the extent to which they agreed with the following statements. Although these responses were grouped, the individual responses were enlightening, particularly as to the emphasis on formal processes (questions 4, 6 & 7). Weaker responses were in relation to the softer issues and the embeddedness (or not) of risk into culture (questions 1, 2 & 5). Also important was the relatively poor response in relation to risk prioritisation (question 8). The results are shown in Table 17.

Table 17: Risk processes and culture

| | Disagree | Neutral | Agree | Mean | Std.Dev. |
|---|---|---|---|---|---|
| G3 Organisation has supporting processes and culture | 9% | 36% | 55% | 3.49 | 0.72 |
| Controlling risks is highly centralised | 30% | 21% | 49% | 3.21 | 1.04 |

In relation to risk management processes, FTSE respondents gave much higher responses with 80% agreeing compared with 53% for CIMA and 58% for SME. A higher proportion of FTSE respondents said that risks were well understood, formal procedures were in place and that controlling risk was decentralised. 59% of respondents agreed that the level of internal control was appropriate for the risks faced. However, CIMA respondents were less confident of this with 55% agreeing compared with 71% for FTSE and 76% for SME.


45% of respondents noted that their organisation was effective at prioritising risks. Again, CIMA respondents were less confident with 40% agreeing compared with 57% for FTSE and 63% for SME. 56% agreed that changes to risks were assessed and reported on an ongoing basis. Once again, 52% of CIMA agreed compared with 76% of FTSE and 68% of SME. Overall, these responses suggest that more than half of respondents were satisfied with their risk management processes and internal control systems but weaker responses suggested that only about half of respondents’ organisations felt that risks were understood and embedded at the cultural level. The results also suggest that CIMA respondents were less confident in the formal control systems and, surprisingly, that SME responses suggest a higher degree of formality of controls than might have been expected.

3.9(b) Trends in Risk Management approaches

However, the trends in approach were important. Respondents indicated whether risk was not considered; considered tacitly, but not documented or formally managed; considered and formally documented in a systematic way; or considered, documented and used to aid decision making, all in relation to three time periods: two years ago; currently; and the planned approach in the next two years. The responses to the approach to risk in the past, present and future are summarised in Figure 2. This reflects the respondents’ experience that risk has shifted from being considered tacitly to being considered more formally and their expectation that this trend will shift markedly to a more holistic approach with risk being used to aid decision making.

[Figure 2: Trends in risk management approach. Chart of the percentage of respondents (axis 0% to 70%) in each of four categories (risk not considered; risk considered tacitly; risk considered in a systematic way; risk considered, and used to aid decisions) for three periods: historically, currently, planned.]

Although the FTSE group saw their current approach as largely formal compared to the other survey groups, and the SME group reflected a lower degree of formality expected in the future, all survey groups (including CIMA) reflected a similar trend to that shown in the above figure. There was also a stronger view by CIMA respondents that risk was considered systematically and used in decision-making than that of FTSE, who see it as largely tacit. There was a similarity in the expected shift by both CIMA and FTSE respondents from divergent positions historically and currently to a consistent planned approach in which risk is systematically considered rather than tacit and largely used to aid decision-making.


3.10 Risk management methods and their perceived effectiveness (GV 5, 6, 7, 8)

As described earlier, we separated the risk management methods used into two categories: basic and technical. These are shown in Tables 18a and 18b.

Table 18a: Categories of risk management methods

Basic methods of risk management
• Brainstorming, scenario analysis, PEST/SWOT analysis
• Interviews, surveys, questionnaires
• Likelihood/consequences matrix
• Monitoring using a risk register or written reports

Technical methods of risk management
• Stochastic modelling, statistical analysis
• Risk management software

The usage rates of risk management methods are shown in Table 22.

Table 18b: Usage rate of risk management methods

| | Low | Medium | High | Mean | Std.Dev. |
|---|---|---|---|---|---|
| G5 Usage Rate of Basic Methods | 32% | 44% | 25% | 2.91 | 0.91 |
| G6 Usage Rate of Technical methods | 71% | 20% | 9% | 2.05 | 1.07 |
| Use of experience, intuition, hindsight, judgement | 6% | 24% | 70% | 3.89 | 0.89 |
| Use of auditors or external consultants | 35% | 30% | 35% | 2.91 | 1.23 |

The methods in highest use were the more subjective ones (particularly experience), with quantitative methods used least of all. There was also significant reliance on external advisers. This reinforces the conjecture that heuristic mechanisms may be more important for risk management than systematic mechanisms. The degree to which these methods were observed to be effective in helping respondents’ organisations to manage risk was highly correlated with the degree of use, as might be expected. If a method was not perceived as effective it was unlikely to continue in use. An exception was that there was less confidence in experience, intuition, hindsight and judgement, with only 48% of respondents believing that these were the most effective methods, compared with the 70% of respondents who used that method. As noted earlier (derived from correlations between grouped responses), there were strong relationships between supporting processes and culture and the usage of basic and technical methods of risk management, risks being factored into plans and improved performance and external relationships.

A stronger rating of the effectiveness of experience, intuition, hindsight and judgement was given by SME respondents. The likelihood/consequences matrix was considered more effective by FTSE respondents while stochastic modelling and statistical analysis and risk management software were rated highest by CIMA respondents. With the exception that FTSE responses suggested a lesser usage of auditors and external consultants than the other survey groups, there was little difference between the responses. A higher proportion of FTSE and SME respondents believed that risk management in their organisations was handled through a formal control system, suggesting, interestingly, that CIMA respondents may have had less confidence in the use of control systems for risk management purposes; familiarity may lead to a more accurate view.


3.11 Involvement of accountants and other managers

Those reported to be primarily accountable for the processes of: identifying risk; analysing & assessing risk; deciding on risk management action; and reporting & monitoring risk are shown in Table 19.

Table 19: Who in your organisation is primarily accountable for:

| | Identifying risks: Count | % | Analysing & assessing risks: Count | % | Deciding on RM action: Count | % | Reporting & monitoring risk: Count | % |
|---|---|---|---|---|---|---|---|---|
| CEO/Managing Director | 83 | 15% | 44 | 9% | 121 | 25% | 33 | 7% |
| The Board/Audit committee | 65 | 12% | 59 | 12% | 126 | 26% | 57 | 12% |
| Director of Finance | 72 | 13% | 87 | 18% | 97 | 20% | 86 | 19% |
| Internal Audit | 55 | 10% | 63 | 13% | 23 | 5% | 60 | 13% |
| Risk Manager | 70 | 13% | 79 | 16% | 42 | 9% | 76 | 16% |
| Management Accountant | 45 | 8% | 63 | 13% | 12 | 2% | 63 | 14% |
| Line Managers | 155 | 28% | 87 | 18% | 64 | 13% | 86 | 19% |
| Total Count | 545 | 100% | 482 | 100% | 485 | 100% | 461 | 100% |

The responses reveal that line managers were mostly concerned with identifying risk, analysing and reporting on risk. Finance Directors had a major role in analysing & assessing, and reporting & monitoring risk. Deciding on risk management action was predominantly the concern of the Chief Executive and the board. Management accountants scored lower than internal audit and risk managers on the identification of risk. They were equal with internal auditors but lower than risk managers on analysing & assessing risk. They were lower than internal auditors and risk managers in deciding on risk management action and only scored slightly higher than internal auditors in reporting and monitoring risk. The Finance Director was identified with more aspects of risk management than any other role, suggesting that they may have a pivotal role in risk management.

The extent to which management accounting and risk management were reported to be integrated in organisations is given in Table 20.

Table 20: Integration of accounting and risk management

| | Disagree | Neutral | Agree | Mean | Std.Dev. |
|---|---|---|---|---|---|
| Organisation’s accounting and risk management functions are integrated | 43% | 30% | 27% | 2.81 | 0.97 |

Respondents were also asked whether, in terms of risk management, their level of involvement of management accounting was sufficient (Table 21a) and whether the involvement of management accountants was changing (Table 21b).

Table 21a: Involvement of the accounting function

| | Insufficient | About right | Too involved | No view |
|---|---|---|---|---|
| The level of involvement of accounting in your organisation’s risk management is: | 37% | 57% | 2% | 4% |

Respondents were also asked.

Table 21b: Involvement of management accountants in risk management

| | Increasing | Not changing | Decreasing | No view |
|---|---|---|---|---|
| The level of involvement of management accountants in your organisation’s risk management is: | 42% | 50% | 3% | 5% |


From these responses, it can be concluded that there was little integration between management accounting and risk management, and that management accountants in the overwhelming majority of organisations were marginalised in relation to risk management. As might be expected, 45% of CIMA respondents said that their involvement was insufficient with 50% saying it was about right. For FTSE, 10% answered it was insufficient with 80% saying it was about right. 20% of SMEs answered it was insufficient and 76% answered it was about right. While CIMA respondents answered that management accountants should have more involvement, this was not a view shared by other respondents.

3.12 Risks Factored into Organisational Planning (GV 9)

The grouped variable Risk Factored into Organisational Planning included an element in relation to budgeting. As Table 22 shows, CIMA respondents were less convinced than FTSE and SME respondents of the extent to which risks were identified and factored in when formulating budgets. This reinforces the suggestion that CIMA respondents are more sceptical about the value of accounting-based tools than other respondents.

Table 22: Extent to which risks were identified and factored in when formulating budgets

| | CIMA | FTSE | SME | TOTAL |
|---|---|---|---|---|
| Not at all | 20% | 19% | 7% | 18% |
| To some extent | 38% | 25% | 33% | 35% |
| Fully | 42% | 56% | 60% | 47% |

3.13 Consequences

(a) Perceived improvement in Organisational Performance (GV 10)

The reported degrees of improvement brought about as a consequence of risk management are shown in Table 23.

Table 23: Improvements as a consequence of risk management

| | Disagree | Neutral | Agree | Mean | Std.Dev. |
|---|---|---|---|---|---|
| G10. RM practices have led to improved performance | 22% | 58% | 20% | 2.93 | 0.78 |
| G11. RM practices have led to improved external relationships | 48% | 37% | 15% | 2.50 | 0.95 |

Responses were fairly evenly spread although more respondents believed there had been no improvement in relations with shareholders and suppliers, while management reporting and reputation had improved the most.

(b) Do the Benefits of Risk Management exceed the Costs?

The extent to which respondents agreed that risk management practices had delivered benefits that exceeded the cost of the practices is shown in Table 24.

Table 24: The benefits of risk management

| | Disagree | Neutral | Agree | Mean | Std.Dev. |
|---|---|---|---|---|---|
| RM practices employed in your organisation have delivered benefits that exceed the cost of those practices | 10% | 40% | 50% | 3.45 | 0.81 |

We concluded that while risk management was perceived to be costlier than the benefits by a tenth of respondents, almost half the respondents were reported to be cost neutral. This, given the major publicity and governance requirements, suggests that risk management may be substantially seen as a compliance exercise. However, half of the respondents reported that the benefits exceeded the costs, which, taken together with the heuristic processes dominating the


systematic processes, might imply that the costs of risk management differed widely across the respondents’ organisations.

4. Examining the model; Some Further Analysis of the data

The examination of correlations and differences reported in the grouped variables between the types of respondents and the risk stances suggested that the working hypothesis of this paper could be further examined. Firstly, the hypothesis was explored via a regression equation to describe the relationship between the reported improvement in organisation performance and the other group variables. Secondly, from some respondents’ voluntary disclosure of their organisation it was possible to explore the degree to which reported risk management practices were related to capital market views of these organisations, to see whether risk management practices increased, were neutral to or decreased Beta, alpha and volatility.

(a) Regression Analysis

Table 4.1: Regressions of improved performance on the group variables

| Category | Constant | Use of Basic Methods | Use of Technical Methods | Supporting processes and Culture | Risk factored into Plans | R Squared |
|---|---|---|---|---|---|---|
| All | 3.96 | .174 | .456 | .364 | .460 | .45 |
| Fatalist | -5.06 | -.24 | .466 | .683 | .799 | .68 |
| Hierarchist | -.61 | .37 | .69 | .37 | .418 | .56 |
| Entrepreneur | 16.4 | .143 | .82 | .08 | .138 | .25 |
| Risk Aware | 7.6 | .015 | .314 | .337 | .44 | .37 |
| CIMA | 3.3 | .17 | .542 | .357 | .448 | .485 |
| CIMA PLC | 5.46 | .08 | .55 | .513 | .248 | .41 |
| CIMA SME | 7.24 | .20 | .395 | .18 | .54 | .35 |
| CIMA Public | -.41 | .285 | .549 | .492 | .535 | .80 |
| FTSE | 1.53 | .391 | .166 | .466 | .454 | .403 |

SME 17.74 .75 .16 .27

From Table 4.1 of the regressions on the group variables being used to explain reported improvements in performance it may be seen that only four of the variables remain in the regression equations. (The other variables had very small coefficients and when included gave equations with smaller Rsq.) These group variables were the methods in use, both basic and technical, together with the supporting Processes and Culture and the Degree to which risk was factored into budgets and plans. The variable effectiveness of methods dropped out because it had high correlations with the usage variables. Of more interest was the fact that the stakeholder variable dropped out. As the correlations of the uncertainty variable with all the other variables were not statistically significant, it was not surprising that it did not appear in the regression equations. The R squared values for the equations were fairly good for this kind of research so there is some confidence that the four variables do relate quite strongly to the reported improvement in performance. The use of basic methods has very small coefficients for the whole sample equation. However there are differences in the equations in respect of the organisations’ risk stance. It seems odd that the fatalist group equation had the highest Rsq. and the strongest coefficient for risk factored into plans.
This might mean that these organisations do little or no formal risk work but do consider risk in their day to day practice, not so much fatalist but perhaps more sceptical of the whole idea of Risk Management as organisational procedures. As interesting was the coefficient of technical methods for the Entrepreneur group, who appear to be reporting high use of technical methods to go along with their taking advantage of opportunities. The Risk Aware group equation and coefficients were similar to the total


group, but the coefficient of Basic Methods in this group appears very small. In contrast the FTSE sub group has one strong coefficient in the use of basic methods. The respondents who were CIMA members, distributed across different organisation types, have an overall equation very similar to the equation for the total sample. This reflects their high loading in the sample. The CIMA public sector group equation is also similar.

(b) The relation of Risk Management practice and Financial Market Risk assessment

It was open to the respondents to identify themselves or their organisations as they thought appropriate. From the 333 responses it was possible to draw a further smaller sample of quoted companies (n=41) for which it was possible to calculate Beta, alpha and volatility.

Table 4.2: Mean values of Risk Measures in relation to Risk Stance

| Stance | Beta | Alpha | Volatility |
|---|---|---|---|
| Fatalist | 1.16 | .0002 | 20.67 |
| Hierarchist | 1.06 | .004 | 27.10 |
| Entrepreneur | 1.14 | .0006 | 40.32 |
| Risk Aware | 0.82 | .002 | 25.72 |
| Total | .98 | .0022 | 28.72 |

The sample value of Beta .98 indicates that it was close to a reasonable sample of the market. Also the volatility in each class was very similar. Interestingly the alpha value for the Hierarchist group was the highest, perhaps suggesting that given risk stance, then risk protection might provide higher performance. Further it was observed that the Beta values correlated at 0.393 (p .011) with the Variable, Change in Uncertainty faced and correlated at -.558 (p .01) with the Variable Risks factored into Plans, suggesting that change in uncertainty would reduce market value and signalling that risks were factored into plans would increase it. The regression equations of Improved performance from this small sample were similar to the earlier equations with an adjusted Rsq of .57. The regression included the same four variables but the coefficient of the Use of Basic methods was negative. Hence it may be observed that there is an indication that the market Beta for the Risk Aware group was lower than that for the other groups. A Chi squared test on the four stances revealed that, because of the small numbers in each cell, these differences were not statistically significant. But the difference between the Risk Aware group and all the others was just not significant at the .11 level. This indicates, but does not substantiate beyond a one in ten chance, that the Risk Management practices of the Risk Aware group do lead to market recognition. Whether this is because of profitability performance or signalling cannot be answered here. However one Risk Manager noted in interview that one of the many benefits of risk management was the “favourable impression that it gave to analysts”. The implication of these observations is that the Risk Aware stance, in attending to both protection and to opportunity, does create organisations which the capital markets award a lower Beta, and hence a higher value.
This is not to assert that the capital markets are correct in some absolute sense, nor is it to claim a stationary relationship. In this research we did not set out to explore the relationship between risk management as organisational process and the possible processes of financial risk management such as hedging and the use of derivatives. It may be that the observed relationships are interdependent due to processes of signalling. It is interesting too that it is both the stance and the factoring of risk into plans that is related. For here we might infer that the requirements of corporate governance do not necessarily have to work in opposition to economic rationales of risk as opportunity and adventure, indeed the


Turnbull report noted earlier emphasised both of these. Given the small samples this research observation needs to be replicated on a larger scale.

5. Discussion

(a) Summary of Findings

The survey findings have been presented in relation to the environment, demographics, and other risk management drivers; risk appetite; policies, culture and risk management practices; the role of accountants and accounting; and the perceived effectiveness of risk management.

Risk Stance: Risk stance was observed to be an important determinant of risk management practices. We categorised the response about risk management in the respondent’s organisation being about positive/negative consequences using the Adams categorisation as fatalists (risk management has no consequences); hierarchists (disagreed or were neutral in relation to positive consequences but agreed in relation to negative ones); entrepreneurs (risk management is about positive consequences); and risk aware, the latter group being the one that would embed risk in culture and decision-making. The idea of stance does indicate the degree to which both the Turnbull Report (1999) and its COSO offspring (2003) was consistent with the IFAC report (1999) represent one of the possible stances, the Risk Aware. As this research was conducted in 2003, some of the responses may have been coloured by those publications or represented an organisational intent.

Demographics: There were no significant correlations to demographic data between either the ownership structure of the organisation or the nature of business and any of the grouped data. We did find some significant positive correlations (at the 0.01 level) with the size of the organisation and the degree of use of basic and sophisticated methods of risk assessment and management. There was therefore little evidence of any contingent explanations for risk management based on either size or business sector.
Risk propensity: The individual propensity to take risk was quite high, other than for CIMA respondents. Risk was also seen, on an individual level, as much about achieving positive consequences as avoiding negative ones. However, organizational risk management was more about avoiding negative consequences. This suggests, at the organizational level, risk management being used more as a defence orientation than an opportunistic one. However there were significant differences in risk propensity between listed PLCs, unlisted PLCs, SMEs, public sector and not-for-profit organizations. This suggested a causal relationship between ownership and control and risk management. There were reported differences between the risk propensity in relation to the four Risk Stances.

Drivers: The external drivers of risk management practices, other than competitive intensity, risk or uncertainty, were observed to be External stakeholders and the demands of regulators and legislation, enacted through boards of directors which were likely to exert influence over the policies and methods adopted for risk management. This supports notions of compliance and legitimation as shaping risk management practices.

Environment: There was an absence of correlation between environmental uncertainty and risk (or the change in uncertainty and risk) and other group variables. This variable was not present in the regression equations. This negated one of the assumptions in the conceptual framework, that environmental uncertainty and risk would influence risk management practices. But perhaps the respondents regarded the question as too abstract and would assume that the various aspects of the environment were subsumed in the manner in which risks were factored into planning.


Supporting processes and culture: The correlations reveal strong relationships between supporting processes and culture and the usage of basic and technical methods of risk management, risks being factored into plans and improved performance and external relationships (para. 3.1). There was also strong correlation between stakeholder involvement and risks being factored into plans, improving performance and external relationships. The use of various methods of risk management was also highly correlated with risks being factored into plans, improved performance and external relationships.

Practices: Risk management practices existed along a continuum from basic to sophisticated techniques, implemented on a continuum from systematic to heuristic. In concert with much managerial research (Helliar et al., 2002) but contrary to much of the management science literature, risk management practices here reported emphasised subjective methods rather than sophisticated analytic techniques. This reinforces other evidence that a heuristic approach to risk management dominates the more systematic approach. A trend in Risk Management was observed from risk being considered tacitly in the past to it being considered formally in the present and with the expectation that in the future there would be a more holistic approach to risk being used to aid decision-making. This may be a reasonable expectation, an aspiration or it may reflect some unease in our respondents that risk management practices in use do not appear to connect to organisation or business problems. If the latter is so then the picture may represent a somewhat idealised picture, which would continue to exist.

Perceived effectiveness of risk management: Although risk transfer, decreasing likelihood and decreasing adverse consequences were in high use, management action to decrease the likelihood of risk was the highest-ranking choice.
However decreasing any adverse consequences through planning was not seen to be as effective as the use of this method implied. These responses imply that the traditional methods of managing risk through transfer (insurance, hedging, etc.) were still seen as more effective than more proactive risk management processes. Risk management was perceived by forty per cent of the respondents to be neutral or negative to cost and half reported that the benefits exceeded the cost. Finally, we found that the perceived effectiveness of risk management was largely through traditional methods rather than proactive management, even though risk management itself was seen to deliver benefits that outweighed the costs.

Involvement of accountants and accounting: There was little integration between management accounting and risk management, and management accountants in the overwhelming majority of organisations were being marginalised in relation to risk management. These observations do not cohere with those of Parker (2001), Scapens (2003) or Burns et al (2003). While CIMA respondents feel that management accountants should have more involvement in risk management, this was not a view shared by other respondents. The summary of the analysis of CIMA responses relative to others revealed that CIMA respondents were more risk-concerned than the other respondent groups in relation to their organizations, having a higher perception of risk faced by their organization despite having a lower perception of competitive intensity and uncertainty in their industry/sector. CIMA respondents were more risk averse and less willing to take risks. FTSE and SME respondents agreed more than CIMA that risk management was about achieving positive consequences. These findings reinforce the stereotypical views about accountants being risk averse.
There was a stronger view by CIMA respondents that risk was considered systematically and used in decision-making than that of FTSE who saw it as largely tacit. However, the results also suggest that CIMA respondents were less confident in the formal control systems and, surprisingly, SMEs’ responses suggested a higher degree of formality of controls than might have been expected. CIMA respondents were slightly more sceptical about the benefits to corporate planning, management reporting and the management of organisational change but were more convinced than FTSE (but less than SME) of the improvements that risk management had


brought to relationships with customers/clients and of employee confidence in carrying out their duties. This survey found that the role of management accountants in risk management was at the margins of practice, which may be because of their different risk appetite or because they were considered as carrying out a valuable supportive and calculative role rather than a broader managerial one in relation to risk. While personal risk appetite was greater than organisational risk appetite for all survey groups there was a greater mismatch for CIMA respondents between their personal and organisation risk appetite than for the other survey groups. CIMA respondents were more risk-concerned than the other respondent groups in relation to their organizations, despite having a lower perception of competitive intensity and uncertainty in their industry/sector.

(b) Exploring the model

The evidence from the regression analysis suggests that the framework developed in Section 1 was quite robust, but provided only partial explanation. The reported improvement in organisational performance was described (and predicted) by the variables 3, 5, 6 and 9. Competitive intensity and uncertainty (variables 1 and 2), effectiveness of methods in use (variables 7 and 8) and the stakeholder variables (4) did not enter the model equations. Examining the model by Risk Stance category it was observed there were differences in the variable coefficients but the equations were similar. The relationship between Risk Management practices and market valuation suggests that when organisations approach risk management from the standpoint of both preventing negative consequences and positive advantage of risk opportunities then the capital market will assign them a lower Beta. This finding was based upon a small sub sample but indicates that there need not be conflict between the imperatives of corporate governance and business entrepreneurial behaviour.
Where there was such difference then these organisations were assigned a higher Beta than the sample average.


From these considerations a revised model is given in Figure 3.

Figure 3: A Revised Model

External drivers (Stakeholders, regulators, legislation enacted through board of directors)
Organisational demographics: Ownership structure; Organisation size (turnover/employees)
Risk stance (hierarchists, risk aware, entrepreneurs and fatalists)
Risk management practices: (a) Policy, procedure, methods, etc. (b) Continuum: Heuristic to Systematic (c) Phases: Heuristic, Systems-dependent, Culturally-embedded
Involvement of accountants/accounting in risk management
Perceived effectiveness of Organisational performance and Lower Capital Market Risk Profile

(d) The Control of Risk and the Risk of Control

In this study, at the organisational level, the most significant driver of risk management practice was seen to be corporate governance, enacted through boards of directors and other key stakeholders. This may be seen as constituting a reliance on legitimation, i.e. avoiding the risk of being seen not to have a risk management and internal control system. While managers reported some influence on risk management practices from external uncertainty the regression analysis demonstrated that this was not definitive. There is an implicit assumption in corporate governance literature that the higher the risk (in terms of likelihood and consequence), the higher must be the control of that risk. However, this is a circular argument. Risk is deemed to be high because something is either uncertain or has significant consequences, or both. If the likelihood and consequence of risks could be controlled, then by definition they would not be considered risky. While risk management techniques may be effective for risks over which the organization has the capacity to exercise control, external risks are a different matter. Organizations can develop methods of anticipation, contingency plans and adopt flexible practices but in those cases ‘control’ may impede or prevent


anticipation, contingency and flexibility. There is then a risk of control (Berry, Collier & Helliar, 2005, forthcoming). The capital market analysis of the sub sample suggests that either taking a hierarchist stance (no opportunity seeking) or an entrepreneurial stance (no protection) or neither is associated with higher values of Beta. Risk management practices may also lead to an organisation taking (unwittingly) higher risks. This effect is similar to that discussed by Adams (1995), where he noted that higher levels of perceived safety might lead individuals with stable risk preferences to undertake more dangerous activities. A first risk of control may have arisen because of the emphasis on controlling threat based upon considerations of compliance to corporate governance imperatives following upon the Turnbull recommendation for a “risk-based approach” to establishing a system of internal control to provide against worst-case scenarios. A second risk of control could have been that controls put in place for risk management may have given an unjustifiable confidence that event uncertainty (Galbraith, 1974) was being managed. This may have been especially true for those organisations which emphasised both of the aspects of risk management as opportunity or as containing threat. In this study, while noting that risk management may be the creation of illusions of control (Marshall et al. 1996), we did not seek to establish the degree to which organisations understood the relationship of the control of risk and the risk of control. Nor were we able to examine the differences in the types of control procedures which were designed to deal with the problems of threat and opportunity, except for the possibility that the opportunity risk controls may have been handled in the context of planning and strategic decision making and that the threat controls may have been handled in the risk management procedures.
This was perhaps recognised in the research results that highlighted the organisational preference for the use of heuristic rather than systematic risk management practices.

(c) Some reflections on the study

The study used a modified version of the Douglas and Wildavsky model of risk stances as a tool for constructing the four categories of organisations as fatalists, entrepreneurs, hierarchist (bureaucratic) or risk aware in their risk management. Their approach was rooted in cultural considerations, but here we have a more functional approach, rooted in reports of organisational practice. A case based interpretative approach would illuminate the degree to which individuals were able to agree on understandings of risk stance both across organisations and within their constituent parts. While we argue that these were useful distinctions to draw based upon the response to threat and opportunity, it was clear that construct validity and reliability need further examination. The reported approach to risk management via compliance to corporate governance and the low level of attention to environmental stress may have been accompanied by a wider strategic approach to risk, which varied in different parts of the organisation (Noy and Ellis, 2003). It was not clear in this research what the relationship of various kinds of risk management approaches might have been in any of the organisations, or whether practices differed in different domains (Collier and Berry, 2002). Risk management construed and enacted as a set of organisational controls introduces the idea of the risk of control where the control of risk may be related to a higher than average Beta. Risk management from compliance and opportunity stances has been indicated to have a relationship with risk assessment in the capital market. But it is not possible to state that there is a causal relationship here.
The question arises as to whether and how the capital market takes notice of and values risk management practices, especially disclosure and other


signalling processes (Solomon et al, 2000). The significant issue of the matching of Risk Stance and market valuation deserves further study. This study has been centred in organisational procedure. While decision processes reported here appear to be largely unsophisticated it would be a useful next study to explore whether sophisticated risk management in organisations such as hedging could provide an additional or a more efficient solution to the problems faced by a Board of Directors.

We were constrained in this study to use a questionnaire survey of acceptable and limited length. This did not shape the research questions but it did limit the range of issues we could pursue. It complemented a previous case based study of risk and budgeting (Collier and Berry 2002), but it also sharpened the sense of obvious limitations of survey based research. These limitations here include the fact that organisations were in various stages of developing their risk management practices, following on from recent public and professional imperatives (COSO, 2003).

This study focused upon the organisation as its unit of analysis but from the literature of inter-organisation relations it is clear that the construction of what are now called hybrid organisations (supply chains, joint ventures, alliances, networks, public-private partnerships) may be both re-construing as well as reducing, increasing or redistributing both risk and the risk management processes that may or may not accompany such relations. A similar set of problems may exist in trans-national and multi divisional organisations.

The literature on risk has been based in positivism or objectivism (as this study) and also in constructivism. This latter approach is interested to examine how individuals and organisations construct their understandings, procedures and measures of risk. This study was not designed to gain evidence into how the individuals’ and organisations’ constructions of risk were related.
But it was clear from some of the interviews and from the reported differences between individuals and between different kinds of organisations that risk was construed differently. The notion of risk stance implies a difference of view of the nature and meaning of risk as well as an observation of organisational practice.

The wider societal debates on the risk society (Beck et al, 2000) imply that there may be a need for a consideration as to the societal role of risk management by a variety of organisations. This consideration may include some further analysis of the possibility that the control of risk may lead to both an organisational and a societal risk of control. The latter effect may occur because of either a lack of risk taking in the society as a whole or an “accidental” redistribution of risk taking between private, public and voluntary sectors. It may also occur via the corporate governance of society that is emerging through the extensive and extending requirements for regulation and compliance, arising out of understandable crises of risk distribution (e.g. financial, medical and operational). It is consistent with the risk society hypothesis that organisational risk management practices may be externalising (exporting) private risk into the public space. There is also the unresolved question as to whether organisational attempts to manage risk could be less economically effective than allowing the market to signal its assessment and for investors to adjust their portfolios and managers to adjust their behaviour of the organisation.

The further research problems that arose included:

To replicate this study with a different population, especially to examine the proposed relationship of organisational risk management and capital market assessment. Is, for example, the signalling about a true state of affairs or does it include some element of presentation, or the giving of comfort to allay anxiety?


To understand how risk and risk management practices are constructed in the context of organisational management, especially how these organisational procedures were changing across complex organisations. This can be approached from a wide number of methods, including the actors’ narrative accounts of their experience, in depth case studies etc.

To further examine the relationship of the control of risk and the risk of control by seeking clarification of these concepts and how the relationship between them may be examined.

To explore the concept of an organisational risk stance, especially to consider how the four stances of Douglas and Wildavsky (op. cit.) map onto an organisation; whether the stances are mutually exclusive domains and whether an organisation or any of its parts may be characterised as being in one or more of these domains either on the same issues or on different issues.

To consider the relationship of financial market construction, assessment and measurement of risk in relation to the processes of management of risk as opportunity (corporate strategy) and risk as threat (corporate governance).

Conclusions

The cross sectional study of risk management practices in UK organisations has led to the following conclusions.

1. Risk management was observed to arise from institutional and internal processes rather than strategic or economic calculation. The absence of correlation between uncertainty and risk (or the change in uncertainty and risk) and other groups negated one of the assumptions in the original conceptual framework, that market based environmental factors influenced risk management practices.

2. The research found that heuristic methods of risk management were used much more than the systems-based approach that is associated with risk management in much of the literature. The methods in highest use were the more subjective ones (particularly experience), with quantitative methods used least of all.
There was also evidence of significant reliance on external advisers. This reinforces the research conjecture (Helliar et al, 2002) that heuristic mechanisms may be more important for risk management than systematic mechanisms. It was observed that managers did not follow the formal distinction between uncertainty and risk and hence this academic distinction might need some reconsideration.

3. In particular, we found that logics of governance, the ownership and control of the organization and, following Douglas and Wildavsky, the organizational stance towards risk (fatalists, hierarchists, entrepreneurs and risk aware) were important determinants of risk management practices.

4. The risk management practices in use were perceived, on the whole, by respondents to have delivered benefits that exceeded the cost and also to have led to improvements in organisational performance and external relations, which may imply signalling into the capital markets. In the case of Risk Aware organisations, the small capital market study also gave tentative indications of improved market performance.

5. Accountants and accounting were seen not to play a significant part in risk management practices. Risk managers were not viewed as decision makers. In terms of primary accountability, we found that the Finance Director was identified with more aspects of risk


management than any other role, suggesting that they may have a pivotal role in risk management. However, management accountants in the overwhelming majority of organisations were being marginalised in relation to risk management. CIMA respondents thought that management accountants should have more involvement in risk management, although this was not a view shared by other respondents. CIMA respondents were less convinced than FTSE and SME respondents of the extent to which risks were identified and factored in when formulating budgets.

6. The research findings are summarised in the revised theoretical framework and Phases model. The revised model suggests that risk management as an organisational procedure leads to perceived improvements in organisational performance and in the case of the risk aware organisations is related to capital market valuation.

7. The risk of control arises because of the emphasis on controlling threat based upon considerations of compliance with corporate governance imperatives. Risk management via an internal control system appears oriented towards reducing information uncertainty rather than event uncertainty. This may be carried through into excessive control by establishing a range of prescriptive controls such that organisational actions are overly constrained and opportunities foreclosed. A second risk of control may be a consequence of controls being put in place for risk management which may have given an unjustifiable confidence that event uncertainty was being managed.

References

Adam B, Beck U, Van Loon J. (2002). The Risk Society and Beyond, Sage, London

Adams J. (1995). Risk: UCL Press

Amat J, Carmona S, Roberts H. (1994). Context and change in management accounting systems: a Spanish case study. Management Accounting Research 5: 107-22

Arnold G, Hatzopoulos PD. (2000). The theory practice gap in capital budgeting: evidence from the United Kingdom. Journal of Business Finance and Accounting

Beck U. (1986, 1992 in translation). Risk Society. London: Sage

Bettis RA, Thomas H. (1990). Risk, Strategy, and Management: JAI Press

Bhattacharya S, Behara RS, Gunderson DE. (2003). Business risk perspectives on information systems outsourcing. International Journal of Accounting Information Systems 4: 75-93

Burns J, Ezzamel M, Scapens RW. (2003). The Challenge of Management Accounting Change, Elsevier, Oxford

Bussen W, Myers MD. (1997). Executive information system failure: a New Zealand case study. Journal of Information Technology 12: 145-53

Collier PM, Berry AJ. (2002). Risk in the process of budgeting. Management Accounting Research 13: 273-97

Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2003). Enterprise Risk Management Framework

Davies D. (2002a). Risk Management - Protecting Reputation. Computer Law & Security Report 18: 414-20

Davies D. (2002b). World Trade Centre Lessons. Computer Law & Security Report 18: 117-9

Dixit A, Pindyck R. (1994). Investment Under Uncertainty. Princeton, NJ: Princeton University Press

Douglas M, Wildavsky A. (1983). Risk and Culture: An Essay on the Selection of Technological and Environmental Dangers: University of California Press

Fatemi A, Luft C. (2002). Corporate risk management: Costs and benefits. Global Finance Journal 13: 29-38

Financial Reporting Council. (2003). The Combined Code on Corporate Governance


Harris EP. (1999). Project Risk Assessment: A European Field Study. British Accounting Review 31: 347-71

Harris EP. (2000). Strategic Investment Decision-Making: managerial Judgement on Project Risk and Return. Journal of Applied Accounting Research 5: 87-110

Helliar CV, Lonie AA, Power DM, Sinclair CD. (2002). Managerial attitudes to risk: a comparison of Scottish chartered accountants and U.K. managers. Journal of International Accounting, Auditing & Taxation 11: 156-90

Hollman KW, Forrest JE. (1991). Risk Management in a Service Business. International Journal of Service Industry Management 2: 49-65

Institute of Chartered Accountants in England & Wales. (1999). Internal Control: Guidance for Directors on the Combined Code, (Turnbull Report)

International Federation of Accountants. (1999). Enhancing Shareholder Wealth by Better Managing Business Risk. Rep. International Management Accounting Study No. 9

Jiang JJ, Klein G. (1999). Risks to different aspects of systems success. Information & Management 36: 263-72

Jones TC, Dugdale D. (2001). The Concept of an Accounting Regime. Critical perspectives on Accounting 12: 35-63

Kumar RL. (2002). Managing risks in IT projects: an options perspective. Information & Management 40: 63-74

Liebenberg AP, Hoyt RE. (2003). The determinants of enterprise risk management: Evidence from the appointment of chief risk officers. Risk Management and Insurance Review 6: 37

Majd S, Pindyck P. (1987). Time to build, option value and investment decisions. Journal of Financial Economics 18: 7-27

March JG, Shapira Z. (1987). Managerial Perspectives on Risk and Risk Taking. Management Science 33: 1404-18

Marshall C, Prusak L, Shpilberg D. (1996). Financial Risk and the Need for Superior Knowledge Management. California Management Review 38: 77-101

McGoun EG. (1995). The History of Risk "Measurement". Critical Perspectives on Accounting 6: 511-32

Miller R, Lessard D. (2001). Understanding and managing risks in large engineering projects. International Journal of Project Management 19: 437-43

Noy E, Ellis S. (2003). Corporate Risk Strategy: Does it Vary Across Business Activities? European Management Journal 21: 119-28

Parker LD. (2001). Back to the Future: The Broadening Accounting Trajectory. British Accounting Review 33: 421-53

Pender S. (2001). Managing incomplete knowledge: Why risk management is not sufficient. International Journal of Project Management 19: 79-87

Power M. (1994). The Audit Society. In Accounting as social and institutional practice, ed. AG Hopwood, P Miller, pp. 299-316: Cambridge University Press

Putnam BH, Wilford DS, Zecher PD. (2002). A short note on the concept of risk management and VaR for asset management firms. Review of Financial Economics 11: 205-12

Ruefli TW, Collins JM, Lacugna JR. (1999). Risk Measures in Strategic Management: Auld Lang Syne ? Strategic Management Journal 20: 167-94

Scapens RW, Ezzamel M, Burns J, Baldvinsdottir G. (2003). The Future Direction of UK Management Accounting Practice, Elsevier, Oxford

Shrivastava P. (1993). The Greening of Business. In Business and the Environment: Implications of the New Environmentalism, ed. D Smith: Paul Chapman Publishing

Solomon JF, Solomon A, Norton SD. (2000). A Conceptual Framework for Corporate Risk Disclosure Emerging from the Agenda for Corporate Governance Reform. British Accounting Review 32: 447-78

Spira LF, Page M. (2003). Risk management: The reinvention of internal control and the changing role of internal audit. Accounting, Auditing & Accountability Journal 16: 640-61


Stewart RW, Fortune J. (1995). Application of systems thinking to the identification, avoidance and prevention of risk. International Journal of Project Management 13: 279-86

Weber EU, Milliman RA. (1997). Perceived Risk Attitudes: Relating Risk Perception to Risky Choice. Management Science 43: 123-44

White D. (1995). Application of systems thinking to risk management: a review of the literature. Management Decision 33: 35-45

Appendix 1

Respondents and their organisations.

The balance of opinion on whether risk management should be a matter of personal judgement and whether it should be handled through a formal control system is shown in Table A1.

Table A1: Formal controls v. personal judgement

Columns: In my view RM should be handled through a formal control system
Rows: In my view RM should be more a matter of personal judgement

            Disagree   Neutral   Agree   Total
Disagree       0%         4%      52%     56%
Neutral        1%         3%      18%     22%
Agree          3%         5%      13%     21%
Total          4%        12%      83%    100%

Columns: In my organisation RM is handled through a formal control system
Rows: In my organisation RM is more a matter of personal judgement

            Disagree   Neutral   Agree   Total
Disagree       3%         5%      35%     43%
Neutral        4%        11%      18%     33%
Agree          8%         8%       9%     25%
Total         15%        24%      62%    100%

83% of respondents agreed that risk should be managed through a formal control system but only 62% said it was managed formally in their organisations. 21% of respondents agreed that it should be more a matter of personal judgement, 25% saying that this was how risk was managed in their organisations. Only 13% of respondents agreed that risk should be handled both through a formal control system and as a matter of personal judgement. Only 9% said


their organisations reflected both types of risk management. This has implications for informal, intuitive risk management processes. It suggests a heuristic method of risk management is at work in contrast to the systems-based approach that is associated with risk management in the professional literature.

Appendix 2

Figure A1

Figure 4 shows how the individual and organisational levels were separated by a mismatch of risk perceptions and risk appetite. It also shows that an absence of information separates the information uncertainty within the organisational boundary from the event uncertainty in the external environment. The whole risk management and internal control system appears oriented towards reducing information uncertainty rather than event uncertainty.

[Figure A1 labels: Organisational level (organisational perceptions of risk; organisational risk appetite). Mismatch of risk perceptions & risk appetite. Individual level (managerial perceptions and social constructions of risk; managerial risk appetite). Risk management and internal control system & (perceived) effectiveness of control system. Focus: control & conformance; risk as hazard or threat; information uncertainty. Information gap. Focus: improvement & performance; taking advantage of opportunities; event uncertainty.]

Risk and Uncertainty


Following Galbraith (footnote 4), it can be argued that the greater the risk (task uncertainty), the greater the amount of control needed in order to achieve a given level of performance. Uncertainty makes a difference to organisation structure and increases the amount of information that must be processed during task execution. Task uncertainty, division of labour, diversity of output and level of performance determine the amount of information that must be processed. Galbraith (1977, p.4) argued that “the greater the uncertainty of the task, the greater the amount of information that has to be processed between decision makers during its execution”. Uncertainty is defined as the difference between the amount of information required to perform the task and the amount of information already possessed by the organisation. Uncertainty limits the ability of the organisation to make decisions in advance.

Task uncertainty, distinguished from event uncertainty, was defined as that which is within the organisational boundary and which it is possible (but not necessarily feasible) to control. Event uncertainty is that which is external to the organisation (environmental factors), over which little or no control can be exercised. Figure A2 shows the relationships.

Where there is low task uncertainty and low environmental uncertainty, the low risk can be approached through a first order control loop of governance processes of risk identification, assessment, management, etc. Where task uncertainty increases and event uncertainty is low, the result is one of control uncertainty, where controls may be inadequate to deal with the possible variety (or probabilities) although external risks are minimal. Where there is high task uncertainty and high event uncertainty, a position of high risk, there is both uncertainty about the nature and value of available control procedures and uncertainty about the information held about the environment. This is essentially a position in which there is a lack of both information and control. Where there is low task uncertainty and high event uncertainty there is information uncertainty. However, as a consequence of the control of risk, a further problem emerges for consideration, that is, the risk of control.

4 Galbraith (1974) argued that as task uncertainty increases, the number of exceptions increases until the hierarchy is overloaded. The need for information processing can be reduced by the creation of slack resources (reducing the required level of performance) and the creation of self-contained tasks (from functional to multi-tasking design). The capacity to process information can be increased by investment in vertical information systems (which involve continual re-planning to reduce exceptions) and the creation of lateral relations (cross functional liaison roles or problem-solving team). The effect of a combination of these design strategies is to reduce the number of exceptions referred upward in the organisational hierarchy. If one of these design strategies is not chosen, Galbraith argued that reduced performance standards will happen automatically.


Figure A2

                          Event uncertainty: Low     Event uncertainty: High
Task uncertainty: High    Control uncertainty        Control uncertainty & information uncertainty
Task uncertainty: Low     Control of risk            Information uncertainty & risk of control

