Following the economic and financial crises, any activity involving internal controls, especially risk management, has been given more attention. With this study, we aim to contribute further to the existing literature on risk management by looking at practices adopted by financial services firms licenced in Europe with a Mediterranean connection. We used parts of a questionnaire adopted by two of the authors in another study on risk management practices adopted by Maltese financial services firms and sent it to prospective candidates who work closely within risk management, to collect our data. This resulted in 1635 participants. This data was used to (1) bring to light the mechanisms and strategies used in risk management by these organisations to maximise their opportunities, manage their risks, and maintain stability in their financials. Also, (2) we check if this is perceived as contributing to ‘principled performance’. Finally, (3) we examine the extent to which risk management capabilities offer a competitive advantage to these firms. Our findings evidence that the objective by EMP and the EU, that is to ensure that members operate ‘on the same level playing field’ within risk management, in financial services of firms with a Euro-Mediterranean connection, has been achieved.
- risk management
- financial services industry
- risk management frameworks
- principled performance
Although risks have been present since the beginning of mankind, explicit attention to them has differed over the passage of time. Early civilisations attributed unexpected events to the gods. This made it pointless for mankind to intervene and manage. This continued till today with some tribes in some parts of the world and was even the case until the middle ages when Christianity was strong in the current Western Europe. The word “risk” itself is derived from ancient Arabic word “rizq” and used till today in the Maltese Language, translated to mean prosperity granted by God (Allah) to a person. However, during the Renaissance, in Europe this was given the meaning of an uncertain loss or danger Doff, .
Following the economic and financial crises of this century, any activity involving internal controls, especially risk management has been given more attention and importance. This, as noted in the World Economic Forum , was due mainly to the successful results of effective risk management during periods of global economic turbulence . In fact, as Ghoshal  highlighted, one of the main objectives of any organisation is to manage their risk.
However, the treatment and understanding of risk and as a consequence its management, varies both in literature and in practice. Moreover, as March and Shapira  note, the strategic management field does not provide us with one specific accepted definition of risk and highlight that most managers view risk as a negative outcome.
Hillson  defines risk as an “uncertainty that matters because it can affect one or more objectives”. Also, literature by , show that one needs to distinguish between the known, unknown and unknowable uncertainties before defining what constitutes a risk and as a consequence managing it under the risk management process. Unknowable uncertainty is when the missing information is unavailable to all known uncertainty is when the probability is an objective chance and is generally agreed upon and unknown uncertainty is when the probability may be or is known by somebody .
The strategy of any organisation has to deal with the alignment to its uncertain environment and to rebalance its strategic choices to determine the exposure to this uncertain environment, which impacts performance. To this effect various studies have focussed on understanding the risk management discipline and practices of firms in specific activities, areas and countries. Moreover, the effectiveness and efficiency of appropriate practices in risk management is critical for the continued existence, industry profitability and for the continual development and growth of the whole economy. It is imperative that all organisations adopt good quality practices and measures when managing risks .
With this study, we aim to contribute further to the existing literature on the risk management by looking at practices adopted by financial services firms licenced in Europe with a Mediterranean connection, specifically Cyprus, France, Italy, Spain, Croatia, Greece, and Slovenia extending and comparing to the work of Bezzina et al.  on Malta. We chose members, which although, have inherent country and cultural diversity and are joined by their geographical border with the Mediterranean Sea, aim for a level regulatory and economic playing field through their union in the European Union (EU) and the Euro-Mediterranean partnership .
When dealing with financial services firms, in the EU, this regulatory level playing field is much more pronounced, since financial firms are required to abide by common directives such as the Capital Requirement Directive (CRD) in banks and investment firms, Solvency II (SII) in Insurance firms and other soft laws. This is likely to make the sample more representative and the empirical results more generalisable. It will also shed light on whether European Union within the Euro-Mediterranean region and the Euro-Mediterranean Partnership (EMP), has brought these countries closer together in practices, specifically when dealing with risk and its management.
We use part of the questionnaire adopted by Bezzina et al.  in their paper on risk management practices adopted by Maltese financial services firms, to collect our data and (1) bring to light the mechanisms and strategies used in risk management by these organisations to maximise their opportunities, manage their risks, and maintain stability in their financials. Also, (2) we check if this is perceived as contributing to ‘principled performance’ (defined in the chapter in Section 2.2). Finally (3) we examine the extent to which risk management capabilities offer a competitive advantage to these firms.
We can cite various studies dealing with risk management practices in different areas, industries, regions and countries. For example, a study on risk management practices carried out on the Ghanaian insurance industry by  revealed that companies insuring life, different from companies insuring non-life, have their risk appetite levels statements recorded. This enables the identification of those risks to on-board and those ones to transfer. Moreover, they exposed that the industry lacks adequate skilled personnel and risk management is reactive as a response to regulatory directives. Other surveys carried out about the UK insurance industry showed that the response by most insurance firms to risk management regulations was perfunctory, rather than being seen as good business practice .
Another study by  on risk management practices of German firms revealed that participants showed no difficulty in developing a risk management system and rated business survival as the top risk management goal. Moreover, they showed that respondents are more risk-neutral than risk-averse for financial risks, and that 88 percent use derivatives.
Bankers operating in Barbados perceived risk management as critical to the performance of their banks; with operational risk, credit risk, country/sovereign risk, market risk and interest rate risk being their greatest exposures , while those operating in Bahrain show a clear understanding of both risk and risk management and have efficient risk assessment analysis, risk identification processes, credit risk analysis, risk monitoring and risk management practices with credit, liquidity and operational risk being the most prominent risks faced by both conventional and Islamic banks .
A study on Islamic banks in Pakistan showed that they are efficient in managing their risks. Revealing that the most influencing variables in the risk management process were that of understanding risk and risk management, risk monitoring and credit risk analysis . On the other hand, Hassan , found that the Islamic banks in Brunei Darussalam consider foreign-exchange risk, followed by credit risk and then operating risk, as the 3 most important risks. He also noted that Islamic banks are very efficient mainly in risk identification, assessment and analysis.
A further study by Sifumba et al.  revealed that manufacturing SMEs personnel in Cape Town are not aware of the elements that make risk management effective. While in Malta, Bezzina et al. , found that financial firms have a strong culture of efficient and effective risk management practices that add value and are linked to well-defined objectives with corporate social responsibility embedded within the organisations’ risk management corporate strategies and corporate culture. Miloš Sprčić et al. , in a study on Croatian companies, find that the risk management system development is dependent only on value of the growth options and the size of the company.
2.1 Risk management strategies and mechanisms
Any organisation’s strategy needs to deal with an uncertain environment. Therefore, organisational strategic choices will determine the organisation’s exposure to an uncertain environmental and constituents that impact their performance. “Exposure” defined as the sensitivity of an organisation’s cash flows to changes in interrelated uncertain variables. The emphasis of organisation on specific particular (particularist view) rather than multidimensional uncertainties is a significant shortcoming. The former view of isolating specific uncertainties, excludes other interrelated uncertain variables. In fact, literature in financial services emphasises uncertainties for which hedging or insurance instruments can be designed to manage organisation exposures, however omitting some uncertainties that are encountered in the overall management strategic decisions. The alternative view is where management takes a general approach to risk and gives explicit consideration to numerous uncertainties (integrated risk management perspective) .
Das and Teng , build on the latter and suggests that to effectively manage risks and reduce unwanted risks, organisations need to examine the inter-relationship between trust, control and risk using an integrated framework which examines the inter-relationship between the three constructs. They note that firms need to manage their risks by determining the conjoint roles of these constructs in the context of their objectives and strategies.
It has therefore always been a must for every leading firm to ensure that the process of identifying risk and managing it, is an explicit part of the strategic plan, and that there is a buy-in from all levels of their organisation. Risk management should be seen as a systematic effort that is pervasive through all operating units, be it in the front, mid or back office, right in line with growth areas targeted for investments or any critical support functions. Risk management must matter to the organisation and to the person whose occupation and responsibility is defined by it .
The risk manager or officer is responsible to initiate the process of determining the risks faced by the company, based on the strategy, determine the mandatory and voluntary barriers and put in place a risk management strategy to achieve objectives with the least of problems. That is the objective risk assessment process which depends on the organisation, and the plan and tactics to arrive at that objective .
Stulz  offers us theoretical evidence showing that risk management practice within firms is limited. Marshall and Heffes  report that only 11 percent of “more than 90 percent of the executives who say they are building or want to build enterprise risk management (ERM) processes into their organization report they have completed their implementation. The survey results indicate that more than two-thirds of both boards of directors and senior management staff consider risk management to be an important responsibility”. COSO’s recent survey  findings show unsatisfactory results for the implementation of ERM showing that “60 percent of respondents say their risk tracking is mostly informal and ad hoc or only tracked within individual silos or categories as opposed to enterprise-wide.”
2.2 Risk management and principled performance
As explained in Bezzina et al.  we again adopted the Open Compliance and Ethics Group’s (OCEG) standard’s concept of integrating internal controls “(the Governance, Risk Management and Compliance (GRC) capability model) into one main function . This as suggested by these authors and OCEG, helps to “improve quality and performance, by providing tools that can measure and enhance corporate culture within an integrated environment.” This structure is said to be the main determinant of the achievement of ‘Principled Performance’ as defined by OCEG. That is “reliable achievement of objectives while addressing uncertainty and acting with integrity.” .
“OCEG in their definition of ‘Principled Performance’ emphasises the unambiguous articulation of a firm’s objectives in financial and non-financial form. It outlines the methods and boundaries that would be adhered to while achieving the set targets.” They continued to note that ‘Principled Performance’ in a financial firm can be achieved with clearly defined objectives, goals, values and a transparent, effective flexible mechanism, which enables continuous improvement to address risks and vulnerabilities within established boundaries .
Mitchell  continues by highlighting that, mainly if the existing structure offers a competitive advantage, GRC requires function integration without the need for operations consolidation. One can replicate the strengths of approaches, communication, technology used and reporting integration to the whole business to benefits from reduced errors, better information quality, and reduced costs. The GRC 360 Capability Model, 2009 specifies that, while culture, structure and the organisation play an essential role in the overall performance of a company; people, process and technology are crucial for principled performance.
2.3 Risk management abilities and competitive advantage
Creativity is lost if we only think of risk management as a way to minimise risk. We need to take risks and if and when they go in some unwanted unpredictable path, we need to be able to respond to them . Kannan and Thangavel  note that every major advance in human civilization was possible because someone was willing to take a risk and challenge the status quo.
Enterprise risk management (ERM) promotes risk management as a more strategic responsibility and emphasises that if effectively implemented it can create a long term competitive advantage . However, Slywotzky and Drzik  suggest, that many companies still treat ERM as an extension of their internal control processes, while only a few companies, use their risk management abilities as a source of competitive advantage. In fact these companies go beyond internal controls and cost-controlling (defensive and reactive approaches), taking a more aggressive and proactive stance towards risk. These have understood that managing risk is a source of leverage to gain competitive advantage .
Ehsan , limited risks faced by a company, to two major types: rewarded and unrewarded risks, and continues to note that the way through which capabilities of risk management can increase competitive advantage depends mainly on the type of risk exposure the company has. Rewarded risks are those risks that are expected to gain us some type of benefit, that is, risks taken to create value and are consequences of our decisions. Unrewarded risks usually brought about by external forces, such as natural disasters, industrial accidents, theft, pandemics, etc. which have no potential value in them. The ability to effectively deal with these risks has an important impact on the company’s performance and thereby its competitive advantage.
In his seminal book, Porter  argues that “there are two major ways that a company can gain competitive advantage over its competitors: cost advantage, and differentiation”. Risk management capabilities can help to affect the company’s costs and the value it creates for stakeholders. Moreover, in theory, since risk management is a proactive activity, it can help create preparedness and advanced warnings for disruptions (i.e., to ensure business continuity). This differentiates these companies from their competitors giving them a competitive advantage .
A questionnaire adopted from a previous study by Bezzina et al.  to determine the risk management practices by Maltese financial firms, was used to extend this study to other Euro-Mediterranean countries. This questionnaire was administered to persons working in, or with a connection to the field of risk management within the financial services industry. Participants for the questionnaire were recruited with the help of one of the authors who is an active participant in European risk management associations. The survey was administered using an online questionnaire which was opened in January 2017 and closed in November 2017. In the introduction page we outlined our aims and objectives, while in the next four sections we posed closed-ended statements, which related to four main themes: (i) strategies and mechanisms adopted in risk management; (ii) the perceived purpose, scope and benefits of risk management; (iii) risk management and competitive advantage; and (iv) CSR influences on the corporate risk management strategies. The participants were asked to choose from a five-point Likert scale mainly ranging from ‘strongly disagree’ (coded as ‘1’) to ‘strongly agree’ (coded as ‘5’), and some others ranging from ‘very unimportant’ (coded as ‘1’) to ‘very important’ (coded as ‘5’). The final section (Section 5) was dedicated to the collection of the demographic data about the participant and their organisations. This data was collected in the form of labels or a scale and presented in aggregate, so as not to enable identification of the organisation or the participant. The responses (1635 respondents) were then subjected to statistical analysis using SPSS. When summarising the data, the median and interquartile range (lower quartile to upper quartile) were used for the ordinal scales while the mean and standard deviation were used with the interval/ratio scales. To test for differences in mean ranks, the Friedman test (a non-parametric alternative to one-way ANOVA) was used. Participants were guaranteed that their identity and that of the firm they are representing will be maintained anonymous.
4. Research questions
As noted above, being an extension of a previous study by Bezzina et al. , and since we adopted the same questionnaire, we also maintained the same research questions and the new responses were used to investigate and compare to the findings in that study.
What are the risk management strategies and mechanisms adopted by financial services firms within countries with a Euro-Mediterranean connection in order to manage their risks, strengthen their opportunities and retain financial stability?
Do the financial services firms in countries with a Euro-Mediterranean connection perceive risk management as just an authority imposed obligatory requirement or do they see it as critical for the achievement of ‘principled performance’?
Do risk management abilities offer a competitive advantage to financial services firms in countries with a Euro-Mediterranean connection?
The respondents reported (on average), that they strongly agree their institution has a strategic risk management plan in place (Md = 5, IQR = 4–5). Furthermore, they agreed (Md = 4), that they have systems in place to strengthen the risk management process (see Table 1).
|The strategic risk management plan||Median||IQR|
|Is clearly communicated and understood||4||3–5|
|Is a contribution of all team members||4||3–5|
|Is a responsibility of top management||4||4–5|
|Is in sync with individual risk management plans||4||4–5|
Furthermore, we asked the respondents to rate their level of agreement with seven statements related to the scope of their institution’s strategic risk management plan is. Table 2 shows that there were significant differences in mean ranks based on the Friedman test, although they strongly agreed (Md = 5) or agreed (Md = 4) with all the statements.
|The scope of the strategic risk management plan||Median||IQR||Mean rank|
|Is to provide a framework for the risk management process of identification, monitoring, control and decision||5||4–5||4.76|
|Is to provide the appropriate setup to enable risk assessments in terms of costs and benefits of identified risks||5||4–5||4.73|
|Is to help maintain stability in financials||4||4–5||3.94|
|Is to allow for innovation to maximise opportunities and cost reduction||4||4–5||3.68|
|Is to provide a framework with roles and responsibilities to enable better risk identification||4||4–5||3.66|
|Is to record declared aims and objectives and ensure a systematic identification of risks relating to each||4||4–5||3.62|
|Is to provide a defined structure to sustain business growth and continued profitability within objectives, appetite and tolerance.||4||4–5||3.60|
We then delved into the quality requirements of risk management, the procedures/processes/policies of risk management, and the risk culture adopted by the financial services institutions. Details of the items used and a summary of statistical output are provided in Table 3. The responses exhibit empirical evidence of a strong risk management within the institutions investigated.
|In our institution…a|
|The risk manager is an active member of the risk management committee||4||4–5||2.76|
|The risk management committee members communicate the risk appetite and tolerance of the firm||4||4–4||2.52|
|The risk management committee members are Knowledgeable||4||4–4||2.37|
|The risk manager makes use of bottom up methodologies in developing the strategic risk management plan||4||4–4||2.36|
|Which of the following initiatives are embedded within the firm’s risk management strategy?b|
|Risk reporting and information systems||5||4–5||3.67|
|Enterprise risk management practices||5||4–5||3.64|
|Ongoing improvements in risk management practices||5||4–5||3.62|
|Risk measurement and monitoring in non-financial terms||5||4–5||3.59|
|Risk measurement and monitoring practices in financial terms||5||4–5||3.47|
|Identification and quantification of risks and controls||4||4–5||3.01|
|To what extent does your institution map its risks (identification, description and prioritisation)?c|
|Top down approach and bottom up approach||5||4–5||3.53|
|On a global corporate level only (strategic, financial and operational)||4||4–5||3.43|
|Risks are managed at group level or are silo based*||4||3–5||2.92|
|Only for certain business units/areas*||4||2–5||2.56|
|Only for certain categories of risks*||4||2–5||2.56|
Finally, we wanted to know how important each of 12 established frameworks were for the institutions when implementing risk management. Table 4 shows that four frameworks were overall rated as ‘important’, (Basel Accords, COSO 2, IAS and Interest Rate Risk Management), and the remaining eight as ‘neither important nor unimportant’.
|Our institution makes use of the following frameworks when implementing risk management||Median||IQR (range)||Mean rank|
|International Accounting Standards (IAS)||4||3–4||7.91|
|Interest Rate Risk Management (e.g., duration or gap analysis)||4||3–4||6.70|
|National Risk Management Standards (NRMS)||3||3–3||5.55|
|Value at Risk (VAR)||3||3–4||5.46|
The respondents reported (on average) that risk management practices play a vital role in their institutions (M = 4.00; SD = 0.51) and have a positive perception of risk management practices in achieving principled performance (M = 4.10, 0.64). Table 5 provides a summary of the responses and statistical output pertaining to the individual items that make up these two constructs.
|Risk management practices play a vital role in ensuring that our institution|
|Clearly defines its goals and values||4||4–4|
|Outlines how these goals are achieved||4||4–4|
|Identifies and demonstrates how risks and vulnerabilities would be addressed||4||4–4|
|Allows for transparency with stakeholders||4||3–4|
|Implements an effective mechanism for change, enabling continuous improvement to achieve the desired outcomes||4||4–5|
|Perceived purpose of risk management practices|
|Critical factor in achieving principled performance||4||4–5|
|Vital to the performance and success of our institution’s objectives||4||3–5|
|No link between principled performance and RM practices*||4||4–5|
|Principled performance does not form part of our institution’s risk management practices benefit realisation plans*||4||4–5|
|Puts a strain on resource effort for compliance’s purposes without providing added value*||4||3–5|
Furthermore, they agreed (Md = 4) that they give sufficient attention to all the risks that we outlined when designing strategies and objectives, bar ‘health and safety’ (Md = 3). Table 6 exhibits the 14 risks in order of decreasing attention as rated by the respondents.
|Our institution gives sufficient attention to the following risks when designing strategies and objectives||Median||IQR||Mean rank|
|Corporate governance risk||4||3–4||6.52|
|Health and safety risks||3||3–4||5.28|
In this research question, we wanted to better understand the capabilities of risk management practices in achieving competitive advantage. We first sought to determine the institutions’ intention behind the risk management strategy for the financial services (see Table 7).
|The risk management strategy was implemented…||Median||IQR||Mean rank|
|To abide by legal, regulatory or compliance requirements||5||3–5||6.11|
|To formally define the institution’s risk appetite||5||3–5||5.92|
|To formalise the governance structure||4||3–5||5.84|
|For catastrophic events or major crises (reaction to unexpected losses)||4||3–5||5.81|
|For corporate social responsibility||4||3–5||5.51|
|Due to pressure from analysts and/or rating agencies||4||3–5||5.32|
|Due to pressure from the market (e.g., competitors, suppliers, etc.)||4||3–5||5.28|
|To instil a consistent strong risk culture focussed on optimising understood risk return trade-offs within the defined risk strategy||4||3–5||5.13|
|To ensure full transparency across all risks and across the organisation||4||3–5||5.08|
|For competitive advantage||4||3–5||5.01|
We then wanted to examine the extent to which continuous risk impact assessments strengthen the competitive advantage in each of 8 factors. Table 8 shows that the respondents agreed (Md = 4) with all the factors bar political and legal factors (Md = 3).
|Our institution’s risk management strategy requires that continuous risk impact assessments are conducted in order to strengthen the competitive advantage in:||Median||IQR||Mean rank|
|Cultural and societal factors||4||3–5||4.18|
|Human resource capabilities||4||3–5||3.74|
|Political and legal factors||3||3–4||3.90|
Furthermore, we examined the benefits risk management capabilities provide to institutions. These respondents agreed (Md = 4) that risk management infuses a risk culture in the institution (IQR = 3–5), sustains future profitability (IQR = 4–5), provides visibility of economic and financial environment (IQR = 3–5) as well as long term profitable growth (IQR = 3–4) and provides competitive advantage (IQR = 3–5). Furthermore, we asked the respondents to rate their level of agreement with six factors aimed strengthening core risk management functions. The findings are exhibited in Table 9.
|In order to strengthen the core risk management functions,|
our executives seek to…
|Carry out continuous risk analysis of its credit portfolio||4||3–5||3.74|
|Adjust credit policies and revise mandates and incentive systems||4||3–5||3.73|
|Strengthen the internal information markets to make information available to decision makers on credit and sources of finance||4||3–5||3.65|
|Continuously strengthen internal capital efficiency and capital planning for the coming years to reflect potential market scenarios||4||3–5||3.45|
|Carry out strategic re-adjustment of liquidity intensive businesses||4||3–5||3.26|
|Refine the risk management tools to optimise usage of liquidity and improve transparency||4||3–4||3.17|
Our findings evidence that although authors such as Youngs , show strong scepticisms on the works and challenges of the EMP and the EU legislation; mainly to ensure that members operate on the same level playing field; within risk management in financial services of firms with a Euro-Mediterranean connection, this objective has been achieved. In fact, results show that similarly to the findings by Bezzina et al.  on Maltese financial services firms, personnel working or are involved in/with risk management of financial services firms with their head offices operating from Cyprus, France, Italy, Spain, Croatia, Greece, and Slovenia report that they have a strategic risk management plan in place with systems to enable the strengthening of their risk management processes to reach clearly identified objectives. They note various reasons that have helped to ensure this, with the strongest reasons being that of abiding to legal, regulatory and compliance requirements and the need to have a framework for systematic risk identification, mitigation, management, monitoring and control.
Findings, also show that the risk manager in these firms, similar to that of Maltese financial services forms, is highly active and involved, very knowledgeable and uses both top-down and bottom-up approaches to communicate the risk appetite of the company. This is facilitated by the fact that the quality and importance of risk management is embedded within their risk management strategy and seen as part of the firms’ growth road map and a way to meet objectives. Moreover, in carrying out and designing their risk management strategy and processes these institutions tend to favour the use of frameworks/recommendations with the most followed being that provided by the Basel Accords. However, although, they give attention to practically all known risks identified, they are neutral on ‘health and safety’ issues, maybe because this might fall out of the competence of the respondents.
Finally, findings show that risk management practices play a vital role in ensuring that institutions reach their objectives (principled performance), add value and create a competitive advantage. This , with these practices, goals and values, is being clearly recorded and communicated; the roadmap to successfully reaching objectives is transparent and clear, enabling appropriate, identification of risks, growth, profitability, flexibility for improvement and change and quick response to uncertainties.