Advancing Enterprise Risk Management with Its Conceptual Framework in Kenya


It's a project done by Kevin Antonio with the aim of encouraging enterprise risk management in companies within Kenya as a method of controlling risk.


ADVANCING ENTERPRISE RISK MANAGEMENT GOOD PRACTICES AND ITS CONCEPTUAL FRAMEWORK IN KENYA

KEVIN ANTONIO ANYOKA

SC281-0637/2012

A RESEARCH PROPOSAL SUBMITTED TO THE DEPARTMENT OF STATISTICS IN THE SCHOOL OF MATHEMATICAL SCIENCE IN PARTIAL FULFILMENT FOR THE DEGREE OF ACTUARIAL SCIENCE OF JOMO KENYATTA UNIVERSITY OF AGRICULTURE AND TECHNOLOGY

2015

DECLARATION

I hereby declare that this is original work and has not been submitted in any other university for an award of a degree.

NAME: KEVIN ANTONIO ANYOKA
REG NO: SC281-0637/2012
SIGNATURE / DATE

DECLARATION BY SUPERVISOR

This research proposal has been submitted for examination with my approval as the university supervisor(s).

Signature / DATE
Mr. SIJE

DEDICATION

This research is dedicated to all my dear close friends and family, and also to all who made this proposal possible.

ACKNOWLEDGEMENT

I would like to thank my lecturer, Mr. Sije, for the valuable advice and support he has given me in the writing of this report. I would also like to thank my classmates for their encouragement, support and guidance. My deepest thanks go to the understanding and support of all.

ABSTRACT

The aim of this paper will be to review previous studies on Enterprise Risk Management (ERM). Previous studies show that empirical works on ERM are still limited. Research using both primary and secondary data will be discussed. From the previous studies, it was found that most of the studies in Kenya on risk management or ERM used primary data. The scopes of the previous studies in Kenya include construction, financial institutions, the service sector, technology, industrial products, consumer products, plantation, and trade and services, and these studies used mail questionnaires and interviews. Studies using secondary data, by contrast, focus on industrial product companies, with data gathered from their annual reports.

Another objective of this study on enterprise risk management will be to gather information on the impact of advancing ERM in Kenyan industries, whether positive or negative. There has been significant discussion about the natural fit for actuaries in the growing area of enterprise risk management. Although there has been considerable literature on the benefits of enterprise risk management, it has typically been targeted at large, global corporations in the financial sector, that is, insurance and banking. This proposal shall advance the practice of ERM in Kenya and push the boundaries of ERM beyond its traditional applications in the insurance and financial sector. The key objective of this proposal shall be to summarize the behavior patterns in the adoption of risk management practices by the companies that will be surveyed. Another objective of the proposal will be to move into a convergence between theoretical practices, i.e. the use of traditional approaches, and those adopted by the companies. This proposal shall be theoretical with descriptive objectives, and the procedure shall be a multiple study of nine companies in Kiambu County, Kenya.

The method we shall adopt in selecting the nine companies will consider the diversity of the industry segments, the representativeness of the companies in their segments, and also the use of the enterprise risk management segment. To verify whether there are patterns between the practices employed in the companies, they will be separated by the size of the company and by location. All the small companies will be of the traditional approach in risk management. The same will happen to all companies in different locations of Kiambu County. Yet all the traditional approach companies but one adopt all the seven risk management practices found in accordance with enterprise risk management. Without enterprise risk management the market will always be insufficient, since many risks affect individual companies. To deal with this problem of using traditional methods of risk management, this proposal will take the measure of encouraging enterprise risk management to all companies in growth areas such as ERM and pensioner and health care, ERM and general insurance, ERM for smaller companies, ERM for non-financial institutions and ERM hazard risk management.

Table of Contents

DECLARATION BY SUPERVISOR
DEDICATION
ABSTRACT
LIST OF FIGURES
TABLE OF FIGURES
DEFINITION OF TERMS
1.1 OVERVIEW
1.2 BACKGROUND INFORMATION
1.3 STATEMENT OF THE PROBLEM
1.4 OBJECTIVES
1.5 HYPOTHESIS
1.6 SIGNIFICANCE OF THE STUDY
CHAPTER TWO: LITERATURE REVIEW
2.1 INTRODUCTION
2.2 DEFINITION OF CONCEPT
2.3 DEVELOPMENT OF ENTERPRISE RISK MANAGEMENT
2.4 LEVELS OF EVOLUTION OF THE RISK MANAGEMENT STRUCTURE
2.5 GOOD PRACTICES IN THE ENTERPRISE RISK MANAGEMENT
2.6 THE NEED FOR RESEARCH
2.7 CONCLUSION
CHAPTER THREE: RESEARCH DESIGN AND METHODOLOGY
3.1 OVERVIEW
3.2 INTRODUCTION
3.3 Research design
3.4 Target population
3.5 Sampling method
3.6 Purposive or judgmental sampling
3.7 Random sampling
3.8 Sampling procedures and sample size
3.9 Sampling size determination
3.10 Data collection instruments
3.11 Data collection procedure
3.12 Questionnaires
3.13 Interviews
3.14 Secondary instruments
3.15 Observation
3.16 Reliability of the research instruments
3.17 Ethical consideration

LIST OF FIGURES

CAS: CASUALTY ACTUARIAL SOCIETY
COSO: COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION
CRO: CHIEF RISK OFFICER
TRM: TRADITIONAL RISK MANAGEMENT
EWRM: ENTERPRISE-WIDE RISK MANAGEMENT
BRM: BUSINESS RISK MANAGEMENT
HRM: HOLISTIC RISK MANAGEMENT
EIU: ECONOMIST INTELLIGENCE UNIT
ERM: ENTERPRISE RISK MANAGEMENT

TABLE OF FIGURES

Figure 1: Enterprise risk management maturity model

Figure 2: Approaches of enterprise risk management

DEFINITION OF TERMS

- Conceptual framework: the structure that companies follow to control and manage risk.
- Risk management: can be defined as the culture, processes, and structures directed towards the effective management of potential opportunities and adverse effects.
- Enterprise Risk Management: the discipline by which an organization in any industry assesses, controls, exploits, finances and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders.
- Risk management practices: practices put in place to control and manage risk, and also to determine and process risk.

CHAPTER ONE: INTRODUCTION

1.1 OVERVIEW

This chapter provides an in-depth understanding of the phenomena under study. It contains some background information on enterprise risk management good practice and its conceptual framework.

1.2 BACKGROUND INFORMATION

The concept of a holistic approach to risk management can be traced to the early 1970s, when Gustav Hamilton of Sweden's Statsforetag proposed the "risk management circle" to describe the interaction of all elements in the risk management process (assessment, control, financing and communication). In the 20th century, risk managers were primarily responsible for managing pure risks through the purchase of insurance, though the concept of risk management soon became associated with financial risk management with the use of derivative financial products. Up to now people are still using the traditional approaches to deal with these risks. When the traditional approaches are used the market becomes inefficient, leading to the insolvency of many companies. Major companies have demonstrated a growing concern with the need for risk management, considering the recent financial scandals involving companies like Parmalat, Enron and Metallgesellschaft, among others. In Kenya, companies in Thika face several risks but rely only on insurance companies for insurance cover. This proposal aims at reaching major companies in Kiambu County and educating them on the benefits of putting up an enterprise risk management program in their companies. This proposal also targets other individuals who will be able to discover more of what ERM is really about. Thus, it is possible to note that enterprise risk management is a very present issue and has been on the agenda of many debates.

In 2003, the Casualty Actuarial Society (CAS) defined ERM as the discipline by which an organization in any industry assesses, controls, exploits, finances and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders.
According to CAS, risks are considered a source of opportunities for value creation and not something to be avoided or minimized. Risk is not fully avoidable, but knowing how to assess it and its return is a way to gain a competitive edge.

Risk management should analyze the company in a holistic manner and not in an ad hoc manner by business silo or by each risk type. Risk management must be conducted in a structured way, integrated across the whole company. Businesses have started to embrace the enterprise risk management (ERM) approach. There are many definitions of ERM; a representative example is the following from the Committee of Sponsoring Organizations of the Treadway Commission (COSO): "ERM is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." Yet, with the aim to optimize the process and maintain its quality,

A survey was jointly conducted by the Association of Governing Boards of Universities and Colleges (AGB) and United Educators (UE) and reports data on attitudes, practices, and policies regarding enterprise risk management among American colleges and universities. The survey was completed by more than 600 respondents between June 11 and 25, 2008. Forty-one percent of respondents mostly agreed that risk management is a priority at their institutions and companies.
Twenty-three percent of respondents mostly agreed that their governing board monitors institutional risk through regular, formal reports from the administrator who is assigned responsibility. A majority of sixty-one percent of respondents reported that their company does not identify major risks to the company's mission success through comprehensive, strategic risk assessments. Fewer than half of respondents reported frequent or routine monitoring of political or reputational risks, which pose serious threats for companies and institutions. Half of the respondents, almost fifty-one percent, reported that board members and senior administrators at their companies evaluated major risks identified by strategic risk assessment only on an as-needed basis.

When talking about enterprise risk management, one has just to look in his own backyard and he won't miss a case of this. In Kenya, management of risk is a sore issue that can be traced to our ancient traditional way of doing things. In many African countries the traditional way of approaching risk is considered a way of life as it pertains to their strategy in dealing with risks. This issue is more pronounced in developing countries, as more and more companies are getting dissolved each and every day without their consent. It should be noted that a minimum percentage of companies in Kenya are willing to lose their business because of their own risks. Without a risk management strategy the market will always be insufficient.

When we look back, and even now, at the limitations of the traditional way of assessing risks, it becomes increasingly clear that traditional risk management approaches do not adequately identify, evaluate and manage risk. Traditional approaches tend to be fragmented, treating risks as disparate and compartmentalized.
These risk management approaches often limit the focus largely to loss prevention rather than adding value. Traditional approaches do not provide the holistic framework most organizations need to redefine the risk management value proposition in this rapidly changing world.

Traditional risk management uses a tactical approach, which views a threat as a potential event that might not occur and focuses on the direct consequences of that threat. In most instances, a tactical risk will directly affect program performance; the impact on a program's key objectives is more often an indirect consequence of a tactical risk. In a tactical approach, you first identify all known risks that can adversely affect a program's performance. A risk statement is prepared for each risk and provides details on the potential for loss. Then, probability and impact are established for each risk statement, and risk exposure is determined from the individual values of probability and impact. Using this approach, the typical software program can easily identify hundreds of risk statements. To create a big-picture view of a program's risk, you must aggregate detailed risk information. Because tactical approaches rely on aggregation techniques to provide a big-picture view of risk, we refer to them as incorporating a bottom-up analysis.

Many programs are successful employing tactical approaches for managing risk. However, just as many struggle to effectively manage high numbers of risk statements. In some cases, decision makers in these programs spend too much time manipulating and analyzing risk statements and too little time actually managing risk.

Many organizations have been challenged by a surge of external forces pressuring them to adopt structured and integrated risk management. Examples are requirements or pressure from the market and from regulators, the desire to gain competitive advantage, and good business practices (Corporate Executive Board). For CAS, these forces are: the increasing number of risks and interactions that organizations have to acknowledge, the inclusion of risks in portfolio theory, and the attempt to quantify the risks to gain a qualitative perspective. Beasley, Clune and Hermanson, James Lam & Associates and PricewaterhouseCoopers also mention warnings from previous financial disasters, requirements or pressure from the head office, reinforcement of corporate governance, reinforcement of internal controls, and examples of companies that have adopted ERM and achieved benefits.

The adoption of enterprise-wide risk management practices is also driven by regulations themselves, which focus the business on operating the right way as a normal business practice. Since this is a matter of great importance both for scholars and for the business community, this article is intended to make a contribution to academic research while helping to increase the business community's interest, mainly in Kenya.

Kenyan companies that adopt enterprise risk management will be observed to see if there are changes. ERM and its conceptual framework have been tried in developed countries like the USA, and it has worked. Actuaries will in the future be key in risk management, though this has been argued against by people who believe that they are well fit for the job. This research will prove otherwise: it will show, first of all, the importance of an actuary in this case, and it will also reveal the benefits of ERM programs in companies.

The remainder of the paper will be organized into five main sections. First, the literature review on ERM structures and the good practices is presented.
Second, the methodology and data collection. This provides the context necessary for the third section, which presents the discussion of the results followed by a conceptual framework of good practices in the enterprise risk management. Finally, the paper finishes with a brief conclusion that summarizes the objectives of this study. This study will provide an effective assistance for the enterprises to evaluate and enhance their practices in risk management. An additional motivation is the lack of academic research regarding the use of good practices and their assessment.

1.3 STATEMENT OF THE PROBLEM

Throughout the world, risk is the potential of losing something of value. Sadly, when it comes to controlling or managing risk, many companies seem to be incapable. Major companies are being haunted by the risks they had avoided or assumed (several companies have been closed, e.g. Webuye Paper Mill). The traditional risk management approach always measures the risk that the companies are assuming. Companies in Kenya seem to be having trouble maintaining their liquidity; they are also having problems managing their credit rating. This makes their shareholders remove their shares because the company cannot manage its risks. This will always be a problem in Kenyan companies until actuaries in Kenya are able to put up a solid enterprise risk management program, or else some of these companies will soon cease to exist. The transition to a market-based accounting system and economic capital is going to change people's view of what risk is and what it isn't. For now, financial managers understand risk as a fluctuation in their income statement. Traditional models of risk management are of the past and also unrealistic. The market is not rational. There is no such thing as fully diversifiable risk; we cannot diversify risk as we had thought in the past we could. Companies in Kenya believe that risk can be diversified, and soon they will notice that this is impossible. The market will be inefficient if we continue to use the same models to manage risks. New models should be made to manage this risk in Kenyan companies.

1.4 OBJECTIVES

The main aim of this project will be to determine the impact of advancing enterprise risk management and its conceptual framework in Kenya.

The study will also be guided by the following sub-objectives:

- To summarize the behavior patterns in the adoption of risk management practices by the companies surveyed.
- To move into a convergence between theoretical practices and those adopted by the companies.
- To specify the advantages of taking the new way of risk management, that is, ERM.
- To criticize the old method of risk management, the traditional method of controlling risk, which is inefficient in the current market.

1.5 HYPOTHESIS

- ERM reduces the possibility of risk.
- ERM and its conceptual framework will be able to stop risk for good.
- ERM will be able to predict future risks.

1.6 SIGNIFICANCE OF THE STUDY

Companies in Kenya are being shut down abruptly for reasons such as bankruptcy. This has always been because of poor techniques for handling the risk they are exposed to. Risk should not be minimized or avoided but in a real sense should be managed by professionals, i.e. actuaries. This study will be based only on spreading the importance of adopting the new way of managing these new risks in the market. To be sincere, the market is changing every minute, new risks seem to be arising every minute, and the old approaches are not working so far.

This study will help companies in Kenya, and institutions as well, to be aware that ERM is important to an organization from many perspectives, such as:

- To reduce potential financial losses for companies and institutions
- The desire to improve business performance
- Regulatory compliance requirements
- The organization's desire to increase risk accountability

On the other hand, PricewaterhouseCoopers (2008) found that firms in Finland are motivated to implement ERM for the following reasons: over 96 percent of the users want to adopt good business practice; more than 81 percent cite corporate governance pressure; 42 percent stated it gives them a competitive advantage; and more than 30 percent cite regulatory pressure and also investment community pressure.

These companies in Finland find it easy to control their losses due to risk, unlike in Kenya, where insurance cover is the optimal solution to risk management.

CHAPTER TWO: LITERATURE REVIEW

2.1 INTRODUCTION

There is a great deal of literature about enterprise risk management, both in Kenya and abroad. There is also ethnographic literature that examines the way in which Kenyans conceive of ERM and why it should exist in the market. After a few studies, market participants, not only in Kenya, have realized that the market is already insufficient without proper methods of handling the risks they face each and every day.

The word "enterprise" in Enterprise Risk Management (ERM) itself carries a different meaning from Traditional Risk Management (TRM). "Enterprise" means integrating or aggregating all types of risks, using integrated tools and techniques to mitigate the risks, and communicating across business lines or levels, in contrast to Traditional Risk Management. Integration refers to the combination of modifying the firm's operations, adjusting its capital structure and employing targeted financial instruments (Meulbroek, 2002).

2.2 DEFINITION OF CONCEPT

It has been argued that the term ERM has a quite similar meaning to Enterprise-Wide Risk Management (EWRM), Holistic Risk Management (HRM), Corporate Risk Management (CRM), Business Risk Management (BRM), Integrated Risk Management (IRM) and Strategic Risk Management (SRM) (D'Arcy, 2001; Liebenberg and Hoyt, 2003; Kleffner et al., 2003; Hoyt and Liebenberg, 2006; Manab et al., 2007; and Yazid et al., 2009).

There are various definitions of ERM. For example, in the middle of 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the Enterprise Risk Management Integrated Framework. COSO defines Enterprise Risk Management as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

The Casualty Actuarial Society (CAS, 2003) defines Enterprise Risk Management as the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purposes of increasing the organization's short- and long-term value to its stakeholders. Lam (2000), on the other hand, defines Enterprise Risk Management as an integrated framework for managing credit risk, market risk, operational risk, economic capital, and risk transfer in order to maximize firm value. Makomaski (2008) defines Enterprise Risk Management as a decision-making discipline that addresses variation in company goals. Alviniussen and Jankensgård (2009) point out that Enterprise Risk Management is concerned with a holistic, company-wide approach to managing risks, and centralizes the information according to the risk exposures. They use the term "Risk Universe", which is the risk that might impact the future cash flow, profitability and continued existence of a company. In other words, the risk universe is risk that could affect the entity of the company. If the risk universe can be identified, the next step is to take appropriate action such as the risk mapping process, assessing the likelihood and impact, and curbing the risk based on the organization's objectives.

Therefore, Enterprise Risk Management can be defined as a systematically integrated and disciplined approach to managing risks within organizations to ensure firms achieve their objective, which is to maximize and create value for their stakeholders. Two key points must be highlighted according to the definitions given above. The first key point is the main role of ERM itself: it integrates and coordinates all types of risks across the entire organization. It means that risks cannot be managed in a silo approach. All risks occurring in the entity must be combined and managed in an enterprise approach. The second key point is that by using ERM, users are able to identify any potential incidents that may affect the organization and know their risk appetite. If the risk appetite is specifically known, any decision made by the organization to curb risks may be parallel with the firm's objective (Walker et al., 2003).

2.3 DEVELOPMENT OF ENTERPRISE RISK MANAGEMENT

This section briefly discusses the development of ERM, especially the emerging factors that influence companies to shift from risk management practices (Traditional Risk Management) to Enterprise Risk Management. The discussion will focus on the theoretical perspectives of academic and professional bodies. D'Arcy (2001) has postulated that risk management originated with a group of innovative insurance professors, i.e. Robert I. Mehr and Bob Hedges, in the 1950s. In 1963, the first risk management text, entitled Risk Management and the Business Enterprise, was published. The objective of risk management at that time was to maximize the productive efficiency of the enterprise. At that time, risk management was specifically focused on pure risks and speculative risks.

In the 1970s, when the Organization of Petroleum Exporting Countries (OPEC) decided to reduce production in order to increase the price, financial risk management became an issue of interest to firms because the increase in the oil price affected the stability of exchange rates and the inflation rate (D'Arcy, 2001; Skipper and Kwon, 2007). Later, in the 1980s, political risks attracted more attention from multinational corporations as a result of different political regimes in different countries. For example, when a government announced a new policy, investors and corporations had to make decisions to reduce risk (Skipper and Kwon, 2007). According to D'Arcy (2001), during this era organizations did not properly apply risk management because they did not apply risk management tools and techniques such as options. This therefore increased the organizations' cost of operations. During this era, the silo mentality still remained (Skipper and Kwon, 2007).

In the 1990s, the use of financial tools such as forwards and futures was widely practiced in the United States. In addition, pressure from shareholders and stakeholders to take more action than simply buying insurance against uncertain loss or financial crisis influenced managers to mitigate risks more proactively. It required managers to obtain better risk information and risk management techniques. During this time, risk management was closely related to financial, operational and strategic risks, not only hazard risks (Skipper and Kwon, 2007). Hazard risk refers to any source that may cause harm or adverse effects, such as equipment loss due to natural disasters, for example Hurricane Katrina, which struck the United States in 2005.

There are various risks that can occur. These include financial risk, strategic risk and operational risk. Financial risk refers to any loss due to economic conditions such as foreign exchange rates, derivatives, liquidity risks and credit risks. Apart from the corporate scandals at Enron, WorldCom, Polly Peck and Parmalat, the last decade showed how serious financial scandals were for corporations and banks (Jones, 2006; Benston et al., 2003). Another example came in 1994, when Orange County's Investment Pool lost USD1.7 billion from structured notes and leveraged repo positions, while in 1995 Barings Bank and Daiwa Bank lost USD1.5 billion and USD1.1 billion respectively due to losses in futures and options trading and unauthorized derivatives trading. The same kind of financial disaster occurred in 1996, when Sumitomo Corp. lost USD1.8 billion as a result of the actions of its head copper trader, Yasuo Hamanaka, who concealed his unauthorized copper trading on the London Metal Exchange (Holton, 1996; D'Arcy, 2001).

Li and Liu (2002) define strategic risk as the uncertainty of loss of a whole organization, where the loss may be profit or non-profit, while Mango (2007) points out that there is no specific definition of strategic risk due to the inability to define and understand it well. Strategic risk may arise from regulatory or political impediments or from technological innovation. For example, a specific guide entitled Risk Management Principles for Electronic Banking was produced to ensure banks follow the 14 guidelines in providing internet banking services like electronic fund transfers as proposed (The Basel Committee, 2001). The Basel Committee (2001) defines operational risk as the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. Operational risk is more related to internal problems, such as employee fraud, corporate leadership, segregation of duties, information risk and product flaws. For example, Marc Dreier was found guilty and sentenced to 20 years of imprisonment for fraud involving fictitious promissory notes valued at approximately USD700 million (Weiser, 2009).

Because risks may occur in multiple perspectives, it can be concluded that risk management (Traditional Risk Management) cannot be managed separately. It has to be integrated in a holistic manner. These factors are among the main causes of the emergence of Enterprise Risk Management in the late 1990s. Organizations face risks, and the risks depend on many factors, for example operational risk, strategic risk, political risk, technology risk, legal risk, financial risk, reputational risk and human capital risk. Most of the literature is mainly concerned with four types of risk, i.e. financial risk, hazard risk, operational risk and strategic risk (D'Arcy, 2001; CAS, 2003; Cassidy, 2005). Cassidy (2005) found that Enterprise Risk Management existed in planning, organizing, leading and controlling an organization's activities in order to minimize the firm's major risks such as financial, strategic and operational risks. Professional bodies such as the Casualty Actuarial Society (CAS, 2003) have reported six factors that force organizations to practice Enterprise Risk Management.

The first factor is related to complicated risks. Organizations not only face the four basic types of risk (hazard, financial, operational and strategic), but also other risks such as those from advances in technology, the accelerating pace of business, globalization, increasing financial sophistication and the uncertainty of irrational terrorist activity. These risks do not occur by themselves. They may arise from a combination of risk types (for example, a combination of globalization factors and advances in technology). The second factor comes from external pressures such as regulators, rating agencies, stock exchanges, institutional investors and corporate governance bodies. The Australia/New Zealand Risk Management standard released in 1995 was an example of a formalized system of risk management and of reporting to the organization's management on the performance of the risk management system. The third factor is related to a portfolio point of view, which refers to an increasing tendency towards integrating risks that previously have been managed in silos. The fourth factor is that risk needs to be quantified, even if it is impossible to quantify all risks. By quantifying risks, management will be able to estimate the magnitude of a risk or its degree of dependency on other risks efficiently in the decision-making process. The fifth factor is the "Boundary-less Benchmarking" factor. The implementation of risk management is no longer limited to insurance or financial services, but is now common to other organizations. In addition, rapid changes in technology allow related information on risks to be transferred easily across organizations. The final factor is that risk can be treated as an opportunity. Previously, any risk that arose was treated with a defensive approach, to be minimized or avoided. Now, risk must be understood in terms of its value-creating potential. As a result of past experience in mitigating risk, organizations may develop expertise in managing those risks and may be able to transfer their expertise to other organizations.

Lam (2000), as cited in Wolf (2008), has stressed that risks may arise from multiple perceptions in daily business operations. For example, Mercer Management Consulting showed that most Fortune 1000 companies suffered declines in stock due to failures in strategic (58 percent), operational (31 percent) and financial (6 percent) decisions. Therefore, firms need to integrate all risks in their daily operations in order to mitigate any probabilities of risk in a systematic manner. In addition, using Enterprise Risk Management helps firms to manage better financial results (Jablonowski, 2006). As argued by Lam (2000), practicing Enterprise Risk Management should be observed from three perspectives:

- globalization
- changes in the role of risk managers
- regulatory

From the globalization perspective, it created multiple risk perceptions, fast-growing technologies and interdependency of risks. From the perspective of the role of the risk manager, risks should not be treated as a trouble, but also as an opportunity. Finally, from the regulatory oversight perspective, by appointing a Chief Risk Officer (CRO) and establishing a Risk Management Committee (RMC), the adoption of ERM will become a reality.

2.4 LEVELS OF EVOLUTION OF THE RISK MANAGEMENT STRUCTURE

Because enterprise risk management has always been a complex process, one study developed a five-stage ERM maturity model (see figure 1). It has been used to help organizations benchmark their progress in driving value through ERM. Basically, it addresses the effect ERM has had on harmonizing organizational needs, culture and stakeholder requirements, and how ERM is being used proactively to balance risk, opportunity and value.

Scale

1. Initial/lacking: Component and associated activities are very limited in scope and may be implemented on an ad hoc basis

2. Basic: Limited capabilities to identify, assess, manage and monitor risks

3. Defined: Sufficient capabilities to identify, measure, manage, report and monitor major risks; policies and techniques are defined and utilized (perhaps independently) across the organization

4. Operational: Consistent ability to identify, measure, manage, report and monitor risks; consistent application of policies and techniques across the organization

5. Advanced: Well-developed ability to identify, measure, manage and monitor risks across the organization; process is dynamic and able to adapt to changing risks and varying business cycles; explicit consideration of risks and risk management in management decisions

Figure 1: enterprise risk management maturity model

Marsh/RIMS used a different model, classifying risk management approaches as traditional, progressive and strategic.

Traditional approach

1. Risk identification, loss control and complains analysis
2. Increase ability to meet corporate objectives, ensuring that risks are taken into consideration in the decisions
3. Improve management of the interrelated risks across the organization

Progressive approach

Traditional approach plus:
1. Business continuity, total risk cost, education and communication
2. Improve competences to identify and assess risks
3. Improve management and responsibility of business unit
4. Internal auditing takes the risk issues for discussion

Strategic approach

Traditional and progressive approaches plus:
1. ERM across the organization and use of technology
2. Risk issues are part of business discussion strategy
3. Risk sources are gathered across all levels of the organization and with the stakeholders

Figure 2: approaches of enterprise risk management

2.5 GOOD PRACTICES IN THE ENTERPRISE RISK MANAGEMENT

a) Culture and risk awareness
The importance of information across the organization is unquestionable. The Green and Jenning-Mares study states that the most important element in risk management is the growth of a coherent and consistent risk culture. An education program aimed at spreading this culture should be consolidated by all the managers and employees of the company (Namibia). For the Economist Intelligence Unit (EIU), the key determinant of success in risk management has become the need to ensure that a strong culture and awareness of risk permeates every layer of the organization. Protiviti shows that the absence of a common language and awareness prevents the sharing of good practices across organizations, which generates great uncertainty.

b) Risk permeates the whole company
The risk management function has evolved to become a core area of business practice, driven by the board but embedded at every level of the organization. The aim is no longer simply to avoid losses, but to enhance reputation and yield competitive advantage (EIU). Protiviti and Harner share the view that, although ERM responsibility starts right at the top of the organization, managers at all levels of the organization should also participate to improve the process.

c) Predictable increase in investments
Firms of all sizes and in all areas of the world are planning to increase investment in most areas of risk management. These areas are: improving data quality and reporting, strengthening risk assessment processes, management training in risk management, analytics and quantification, risk framework or model development, and setting risk committee roles and responsibilities (EIU). The Marsh/RIMS study highlights that 42% of the companies that have ERM in place (so-called strategic companies) will invest more in risk management in 2009.

d) Need of a formal risk management framework
In the Kaufman, Oh and Sherman study, 79% of the companies surveyed said they had a formal ERM structure, either at an initial stage (28%) or an advanced stage (48%). However, 54% of them indicated that their ERM framework is not based on any external model. Among the remaining 46%, 67% use the COSO framework and 16.2% adopt the AS/NZS 4360 framework. The Corporate Executive Board study shows a more discreet result: only 48% of the companies had fully or partially implemented ERM. However, 52% of them said they had implemented or were planning to implement the COSO framework. Ching concludes that the use of a formal ERM framework contributes significantly to its efficiency.

e) A dedicated CRO (Chief Risk Officer) in a senior position
The presence of a CRO is the most common practice of all. The reason for it is debated by many authors. Kleffner, Lee and McGannon show that 61% of companies surveyed mention the influence of the CRO as a key factor in driving and facilitating the ERM process. The appointment of a CRO is a sign of a formal ERM program, and the CRO's quality and skills promote the importance of ERM to all the executives and influence the whole company (Daud, Yazid and Hussin; Liebenberg and Hoyt). CROs are already in place at 38% of the organizations represented in the EIU survey, and a further 21% have plans to appoint an individual to this role over the next three years. Trying to be neutral, Beasley, Pagach and Warr do not show any financial benefit for the shareholders of those companies that hired a CRO.

f) Creation of a risk committee
For Branson, an emerging good practice is the creation of a multidisciplinary risk committee, which can be located at the top of the ERM function and be led by the CRO. Whether risk should be centralized or decentralized depends on the organizational structure of the company. Most organizations are implementing a structure where there is a small number of people in the central, or group, risk function, with risk champions embedded in the business units, all being part of the risk committee (EIU).

g) Independence between the Board and CEO
Companies with an independent board and segregation between the CEO and the chairman present the highest level of enterprise risk management (Desender). Beasley et al. claim that a company with an independent board is more objective with regard to management actions and strategies than companies that do not possess this independence.

2.6 THE NEED FOR RESEARCH

The need for this research is to encourage companies to step up their ways of handling risk. The best way is to use ERM with good practices and a conceptual framework. In Kenya, companies find it hard to manage their own risk, so they either avoid it or assume it.

2.7 CONCLUSION

This paper discusses the definitions of ERM and its development over the years. In addition, previous studies related to the determinants of companies that practiced Enterprise Risk Management (ERM) are also discussed. The paper starts with the definition of ERM and its development. Because risks may arise from multiple perspectives, it appears that risk cannot be managed through a separate approach, as in Traditional Risk Management; it requires enterprise risk management and a conceptual framework. It needs to be integrated in a holistic manner. These factors were among the main causes of the emergence of ERM in the late 1990s and could be argued to be factors for companies to adopt or practice ERM. Evidence also showed that studies on ERM are based on two approaches: using primary data, such as interviews and mail questionnaires, and using secondary data. From the previous studies it was found that most of the studies in Kenya on risk management or ERM used primary data. The scopes of the previous studies in Kenya were construction, financial institutions, service sector, technology, industrial products, consumer products, plantation and trade and services, and these studies used mail questionnaires and interviews. The secondary data studies, by contrast, focused only on industrial products, with data gathered from annual reports.

CHAPTER THREE: RESEARCH DESIGN AND METHODOLOGY

3.1 OVERVIEW

This chapter contains the materials on the population of the study, the research design, the data collection techniques, validity of the instruments, data analysis techniques and reliability of the research instruments.

3.2 INTRODUCTION

Data collection and documentation will be important if we are to better our understanding of ERM and its conceptual framework. Lack of access to reliable information and data can lead to difficulty in assessing the situation in the companies. With regard to methods of data collection, the researcher should not rely on secondary data alone; as noted earlier, there exists a major gap in knowledge, so other methods such as interviews and questionnaires should be employed. To collect both primary and secondary data, the baseline study will involve field and library research. The library research will involve a document and literature review looking specifically at the existing international and national views on ERM good practices and conceptual framework. Various earlier statistical data and empirical studies on ERM, in Kenya and elsewhere, will be reviewed, including documents, books, journals and reports. Relevant information will be extracted from these sources to substantiate the magnitude of the risk management problem and its various effects, especially on Kenyan companies.

3.3 Research design

The research design that the researcher has opted to use in this study is the descriptive research model. I am of the opinion that this research design will be able to provide me with the guidelines to carry out this study. This design involves gathering data that describe events and then organizes, tabulates, depicts and describes the data. It uses description as a tool to organize data into patterns that emerge during analysis.

Descriptive research design is a systematic, empirical inquiry in which the researcher does not have direct control of the independent variables, because their manifestation has already occurred or because they reflect the existing state of affairs; the findings obtained are qualified through the use of quantitative analysis. The core issue of this study will be to advance ERM good practices and conceptual framework in Kenyan companies. In order to achieve this with maximum impact, I need to carry out a detailed study of this phenomenon and make the unknown known to the public. A detailed inquiry will enable me to achieve my objective and come up with effective tools of research.

3.4 Target population

The target population in the research will be companies in Kiambu County, Kenya. Institutions around Kiambu County will also be part of my target population. Interviewing the managers in the companies and institutions will help me understand how each company manages its risk.

3.5 Sampling method

In order to get respondents who will provide viable data, the researcher will employ triangulation of both non-probability and probability sampling. Triangulation of these two methods will ensure that the respondents selected for the study are relevant.

3.6 Purposive or judgmental sampling

This will entail selecting companies and institutions based on the judgment of the researcher. Given that this study has the whole country's companies as probable respondents, judgmental sampling will be more applicable, since respondents will be chosen based on their knowledge relating to TRM and ERM with conceptual framework.

3.7 Random sampling

Random sampling will be applied where the probable respondent companies are known; this will ensure that every company has an equal chance of being selected. We define sampling as the process of selecting a number of individuals for study in such a way that the individuals selected represent the larger group from which they were selected. Simple random sampling will be adopted in selecting the members of the population to be interviewed or given questionnaires. The researcher is to use the random sampling method to collect data from companies' financial managers. They will be randomly chosen when the researcher visits the respective places. The sampling method will be used because of its simplicity. For instance, random sampling proves helpful when carrying out research among companies of various calibers, as it gives every company an equal chance of being a respondent to the study. Random sampling will be applicable because the sample frame is known.

3.8 Sampling procedures and sample size

The companies most dearly affected by poor risk management are small companies that are still growing. Hence some of the companies that will be interviewed in Kiambu County shall be small firms and companies. The researcher will also focus on primary information, that is, on the companies that have suffered dearly because of not managing their risk properly. The reason behind this is that they will provide much-needed insight when it comes to understanding this age-long vice.

3.9 Sampling size determination

Using the above technique for determining our respondents, there should be at least nine respondent companies, and they should be given questionnaires to fill in. The respondents in the sample will be picked on a stratified random basis. This will ensure that all the residents in each department of the locality will be involved. It will also contribute to an equal and unbiased chance of respondents' participation in the research study. Stratified random sampling is also applicable where the population under study is heterogeneous.

3.10 Data collection instruments

These will be the tools used in identifying and gathering information relevant to the realization of the research objectives. The tools will be expected to make valuable contributions to the development of the new system.

Data collection will be done through interviews, questionnaires and secondary sources. This information will be collected during interaction with the company's board members. Secondary data will also be collected from documented information that can be easily accessed from libraries, books, published theses, newspapers and journals.

3.11 Data collection procedure

Questionnaires will help the researcher to gather data on the opinions and suggestions of the company's board members regarding the effects of risk and the usage of TRM as a method of risk management in their companies. The method will be chosen to ensure that a large number of financial management department members will be effectively reached over a shorter period and at lower cost than would be the case with interviews. The method will supplement other tools of data collection, since it will act as a check on some of the information collected from members through the interview method.

3.12 Questionnaires

In the course of the study questionnaires will be used to collect data from literate respondents where applicable.

3.13 Interviews

Interviews will also be employed in cases where the respondents are able to meet the researcher, or in cases where respondents opt to be interviewed rather than fill in a questionnaire. Interviews will only be carried out with the full consent of the respondent, so that only reliable and viable data is collected. In the course of carrying out an interview, the information collected will be filled in on the questionnaire, while in some cases it will be noted down in order to prevent loss of information.

3.14 Secondary instruments

The researcher will also use secondary data collection techniques in order to fill some gaps in knowledge and to find out existing knowledge about the phenomenon. Such data will be easily accessible from local libraries, journals, newspapers, books and thesis papers, among many more.

3.15 Observation

In some cases observation may also be used as a data collection method. For instance, when undertaking interviews the researcher will have to employ observation to gauge the emotions and truthfulness of the respondent.

3.16 Reliability of the research instruments

A questionnaire is a set of standard questions that will be answered by the respondent. Questionnaires will be reliable since the targeted population is big and would take a lot of time if interviews were scheduled. The questionnaires will therefore serve best for this study. The assurance of response can sometimes be guaranteed when the researcher uses questionnaires.

3.17 Ethical consideration

In the course of the study the researcher will have to maintain an ethical code of conduct in order to maintain the ethics of business. In order to achieve this, the researcher will seek informed consent from respondents. Before carrying out an interview or handing out a research questionnaire, it will be mandatory to seek the consent of the respondents from the companies. This will ensure that any information collected is credible, as it will be collected without any form of coercion.

The researcher will also respect the privacy of the respondents, especially when it comes to the company's laws and orders. In the course of the study, the respondents from companies will have the right to choose the circumstances under which the interview is carried out. The collection of sensitive information about the companies will be accompanied by an assurance of confidentiality and anonymity from the researcher. In the case of questionnaires, a statement ensuring the confidentiality of the information given will be included so that the respondents feel secure in providing sensitive information about the company. The respondents will also not be required to fill in their names on the questionnaires, in order to ensure the privacy and anonymity of the information collected.

When dealing with ethical issues, the researcher will have to take into account the by-laws, rules and regulations of the companies so as not to interfere with them. This is because managers and top-ranked individuals are very sensitive about the way they lead their companies. Sometimes they may be resistant to change.

4. Discussion of the Results

In the first section, we display the general aspects of each company researched. The adoption of market good practices by these companies will be shown in the second section.

Company 1
Segment: capital good products make to order
Size: 5300 employees
Listed in the head office country
Risk management approach: improve the management and responsibility of its managers in order to gain competitive advantage
Duration of ERM: + 15 years
Reasons for ERM adoption: requirements from head office; alert from previous corporate disasters; reinforce corporate governance and internal controls.

Company 2
Segment: utilities/energy generation and distribution
Size: 7500 employees
Listed in Kenya
Risk management approach: increase ability to meet corporate objectives making sure the risks are mitigated when necessary
Duration of ERM: 4 years
Reasons for ERM adoption: requirements from market (banks, rating agencies, investors, etc); reinforce corporate governance; good business practices.

Company 3
Segment: agribusiness
Size: 6000 employees
Listed in the head office country
Risk management approach: risk issues are part of company strategic discussions in order to maximize company value in long range
Duration of ERM: + 20 years
Reasons for ERM adoption: reinforce corporate governance and internal controls; gain competitive advantage; good business practices.

Company 4
Segment: health care services
Size: 5100 employees
Risk management approach: increase ability to meet corporate objectives making sure the risks are mitigated when necessary
Duration of ERM: over 1 year
Reasons for ERM adoption: reinforce corporate governance and internal controls; good business practices.

Company 5
Segment: automotive
Size: 23000 employees
Listed in the head office country
Risk management approach: risk issues are part of company strategic discussions in order to maximize company value in long range
Duration of ERM: + 10 years
Reasons for ERM adoption: requirements/pressure from head office and regulatory bodies; reinforce internal controls.

Company 6
Segment: financial services
Size: 85 employees
Listed in the head office country
Risk management approach: increase ability to meet corporate objectives making sure the risks are mitigated when necessary
Duration of ERM: 8 years
Reasons for ERM adoption: reinforce corporate governance and internal controls; gain competitive advantage; good business practices.

Company 7
Segment: financial institution
Size: 40 employees
Risk management approach: increase ability to meet corporate objectives making sure the risks are mitigated when necessary
Duration of ERM: + 20 years
Reasons for ERM adoption: requirements from market (banks, rating agencies, investors, etc); pressure from regulatory bodies; alert from previous corporate disasters.

Company 8
Segment: pension fund and health plan
Size: 130 employees
Risk management approach: increase ability to meet corporate objectives making sure the risks are mitigated when necessary
Duration of ERM: 6 years
Reasons for ERM adoption: pressure from regulatory bodies; reinforce corporate governance and internal controls.

Company 9
Segment: automotive
Size: 5500 employees
Listed in the head office country
Risk management approach: risk issues are part of company strategic discussions in order to maximize company value in long range
Duration of ERM: + 10 years
Reasons for ERM adoption: requirements from market (banks, rating agencies, investors, etc); reinforce corporate governance; good business practices.

In summary, of these nine companies, just one is not listed, three are listed in Kenya and six are in their head office country. Based on the replies regarding the risk management approaches, the authors classified the companies as traditional, progressive or strategic, according to Marsh/RIMS (2009). See the table below.

| APPROACH | QUANT | COMPANIES |
|---|---|---|
| Traditional: increase ability to meet corporate objectives making sure the risks are mitigated when necessary | 5 | 2, 4, 6, 7, 8 |
| Progressive: improve the management and responsibility of its managers in order to gain competitive advantage | 1 | 1 |
| Strategic: risk issues are part of company strategic discussions in order to maximize company value in long range | 3 | 3, 5, 9 |

In summary, 60% of them have a traditional approach to risk management. At the other extreme, 30% have a strategic approach, while just one (10%) has a progressive approach. We can expect that companies with a shorter duration of ERM would be classified under the traditional approach. This was true of 3 companies (2, 4 and 8), with up to 6 years of ERM duration. As companies spend more time in ERM, they would be expected to progress in their approach. This seems to be true of companies 3, 5 and 9, all of them with over 10 years of ERM duration and a strategic approach. However, companies 6 and 7, with over 8 years of ERM duration, did not move along and remained parked in the traditional approach.

5. Proposal of a Conceptual Framework

In this section, the authors developed from these ten cases a conceptual enterprise risk management framework and its good practices (see figure 3). This model consists of four blocks. In the upper left corner is enterprise risk management, which consists of the integration between the internal environment (business goals, policies, strategies, procedures, processes, controls and organizational structure) and the risk assessment, and its evolution to ERM implementation. The COSO [3], ISO/DIS 31000 [24] and AS/NZS 4360 models (as described in the CAS study) [1] were taken as references for this risk management proposal. The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate (COSO) [3]. In the risk assessment, risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed and their impacts calculated. The integration will enable ERM implementation. This consists of creating a structure and process for managing risk which provide the organizational arrangements that will embed it throughout the organization at all levels. After implementation, it is paramount that the actions analyze, monitor, review and improve occur constantly. Analyze means considering the likelihood and the impacts of the risk mitigation and/or gaining financial advantages. Monitor is frequently following the risk environment and the performance of the strategies adopted. It provides vital inputs for the review action. Review can be defined as providing feedback and making modifications to other elements. Finally, improve is about constantly enhancing performance to a higher stage. The good practices are the engine that boosts performance, as can be seen later on.

Moving to the upper right corner, we find the outcomes resulting from enterprise risk management. Companies can obtain tangible benefits, such as competitive advantage, trust from the shareholders, reinforcement of corporate governance and internal controls, and compliance with regulatory bodies and stock exchange standards. In order for the cycle to keep evolving, benchmarking tools and/or continuous improvement are explored (lower right corner). Benchmarking helps companies to define goals, encourages new ideas and offers a structured method of change management. Continuous improvement, in turn, is the combination of two elements: improvement, understood as a change for the better, and continuity, understood as permanent change actions (Laugeni and Martins) [25]. Through the use of these two tools, good existing practices are optimized and new good practices are incorporated (lower left corner). Benchmarking addresses the new practices more specifically, since new successful techniques, methods and processes are copied by the competition. However, benchmarking can also generate improvements in the existing practices, since modifications that become successful can be copied. Continuous improvement, on the other hand, tackles the existing practices. It is paramount that companies that have achieved the desired efficiency should never stop challenging and enhancing themselves.

This set of existing and new practices closes the ERM cycle. With this loop repeating continuously, market good practices will be able to benefit enterprise risk management. Moving towards a convergence between theoretical practices and those adopted by the companies, the practices block of the figure above is examined in more detail. As explained in the framework, enterprise risk management is divided into integration (internal environment and risk assessment) and implementation. Therefore, the authors classified the new practices (mentioned by the executives in the questionnaire) and the existing practices (those found in the literature) into these three parts of risk management (see figure 4).

Among the existing practices, those that belong to the internal environment are: risk permeates the organization, creation of a risk committee, board independence and presence of a CRO. The practice "culture and risk awareness" belongs to risk assessment. The remaining practices, "increase in risk investments" and "need of a formal ERM framework", are part of risk management implementation. Among the new practices, the following improve the internal environment: ISO 9001 certification, external auditing, internal control council meeting, internal auditing, data security standards, ombudsman reporting to the board, independence between board and fiscal council, adherence to the code of good practices, corporate governance standards and complaints channel. The practices "risk assessment every two years" and "process risk management" belong to risk assessment. Finally, the practice "effective participation in the regulation bodies committees" improves risk management implementation.

Questionnaire

I am a student of JKUAT university main campus. I am carrying out research on advancing ERM in Kenya, and I am therefore kindly requesting you to voluntarily provide the scheduled information. It is guaranteed that confidentiality will be maintained and that the information will not be used against you in any way, either directly or indirectly.

1. How many times has your company faced dissolution? (Choose one)
   i. Once
   ii. Twice
   iii. Others
2. How does your company control risk?
3. Does your company have risk management officers? (Choose one)
   i. Yes
   ii. No
4. How many times does your company assess risk (e.g. 3 times) within:
   i. One year
   ii. One month
   iii. One week
5. Which approach does your company use in managing its risks? (Choose one)
   i. Traditional approach
   ii. Enterprise risk management approach
6. Does your company know about ERM? (yes/no). If no, state the ways the company uses to write off its risks.
7. What do you understand about ERM?
8. Do you think the company is handling its risk effectively? (yes/no). If no, state your reasons.
9. Do you have an understanding of the ERM conceptual framework? (yes/no)
10. How many times has your company been declared bankrupt due to poor risk management? (Choose one)
   i. Once
   ii. Twice
   iii. Others (specify)
