Open access peer-reviewed chapter

Communication and Leadership for Improving ERM Effectiveness

Written By

Thomas Wolter

Submitted: 07 July 2022 Reviewed: 11 August 2022 Published: 16 September 2022

DOI: 10.5772/intechopen.107066

From the Edited Volume

Risk Management, Sustainability and Leadership

Edited by Larisa Ivascu, Ben-Oni Ardelean and Muddassar Sarfraz

Abstract

Many companies implementing Enterprise Risk Management (ERM) struggle with its effectiveness. Available studies of risk practitioners’ practices describe and categorise phenomena related to establishing ERM. This qualitative study uses a cross-sectional field design to explore risk practitioners’ communication and leadership practices for achieving and maintaining effectiveness. It forms a practical guide for risk practitioners to manage ERM effectiveness and for organisations to optimise risk development programs. Risk practitioners apply four practice episodes—the first aims at creating shared knowledge and meaning. The second episode emphasises the value-creating capabilities of the organisational ERM. Leadership, the third practice episode, aims at increasing influence in the decision-making processes. Relationship management is the fourth episode centred on balancing independence and involvement. Executing these practices implies risk practitioners gaining referent and expert power, applying participatory, visionary, and affiliated leadership styles, identifying stakeholder needs, and recognising organisational knowledge barriers.

Keywords

  • risk management
  • effectiveness
  • communication
  • leadership
  • risk practitioners
  • ERM
  • Germany

1. Introduction

Managing risks is essential for organisations to survive and, thus, part of everyday business activities. Traditionally, business managers were responsible for managing risks individually on a decentralised basis [1]. Enterprise Risk Management (ERM) takes a broader perspective. To inform strategic decision-making, ERM integrates all company risks into a coordinated framework [2].

An online survey conducted by the thought leader NC State ERM Initiative shows that the number of companies with a complete, formal ERM increased from a single-digit percentage in 2009 to 35 per cent in 2020 [3]. However, the same survey shows that only 28 per cent of respondents consider their risk management mature or robust, and only one-third perceive their approach to risk management as valuable for strategic decision-making.

Consequently, in a survey of financial firms conducted by Deloitte [4], two-thirds of respondents consider the infusion of risk management into strategy and better cooperation between risk management and business units as having high priority. Business units must accept and support the ERM unit and processes to achieve these objectives. However, Deloitte identified these specific aspects as a critical challenge. Similarly, KPMG [5] determined in a study of non-financial firms that context-rich discussions between the ERM unit and business leaders, particularly engaging top management, remain persistent obstacles.

Overcoming these challenges is essential for effective ERM. Risk communication, creating risk awareness and culture, and gaining commitment from top management are the critical success factors when integrating ERM into decision-making processes [6]. According to Maitlis [7], increasing the acceptance of ERM units is achieved by constructing and promoting understanding by decision-makers. The extent to which risk practitioners play a leadership role in business activities and how they communicate is therefore decisive for ERM effectiveness.

This relationship is reflected in competency frameworks increasingly emphasising the relevance of risk practitioners’ communication and leadership skills. Oliver Wyman [8] recognises that the ability to influence people in risk culture and top-level strategic decision-making is becoming a core competency for risk practitioners. The Institute of Risk Management (IRM), a professional body for risk management, similarly emphasises risk professionals’ influence, collaboration, and relationship management capabilities [9].

Apart from a few case studies describing risk practitioners’ communication practices in a company-specific context [10, 11, 12, 13], little is known about how ERM practitioners use communication and leadership to overcome the stated challenges. In response to these gaps in the literature, this research aims to explore risk practitioners’ practices to achieve ERM effectiveness, notably communication and leadership practices. It poses the following question: What are effective communication and leadership practices of risk practitioners to achieve and maintain the effectiveness of organisational ERM?

The notion that ERM effectiveness is achievable and maintainable acknowledges that risk is a perception influenced by the social and physical environment [14]. Organisations construct and continually reconstruct the meaning of their environment [15]. This sensemaking process is influenced by risk practitioners, who are themselves sensemakers and, as members of the organisation, continually affect sensemaking [14]. Organisational sensemaking imposes challenges on risk practitioners that they can overcome through leadership and communication.

The research is delimited to Germany to essentially factor out multiple country-specific risk management regulations and socio-cultural variations. It contributes to an enhanced understanding of the means available for risk practitioners to increase ERM effectiveness. Further, the study extends the literature on critical success factors for risk practitioners’ communication and leadership practices.

The remainder of this chapter is organised into five sections. The following section discusses the relevant literature, drawing on risk management studies and wider managerial research. The third section describes the research methods. Results are presented in the fourth section and discussed using theoretical frameworks in the fifth section. The final section concludes this research.

2. Literature

Academics disagree on the concrete constituents of ERM [16, 17, 18]. Consequently, its implementations vary substantially among companies [10, 19]. Considering ERM as a portfolio approach aiming to manage all critical risks holistically across the company and as an organisational function that creates competitive advantage is an emerging consensus [16]. However, developing resilience in the company’s core competencies and seizing opportunities requires synchronising ERM with the firm’s dynamic capabilities [20]. Therefore, ERM embodies change management requiring close cooperation between risk managers and business departments [21, 22].

A system’s effectiveness requires incorporating the aspiration of the decision taker, who has authority and responsibility for the system and a primary concern for its performance [23, 24]. Therefore, ERM effectiveness depends on the formal power of the company’s management and the informal power of the ERM unit. To gain this aspiration, ERM must support risk-informed or risk-based decisions in a disciplined way throughout the organisation [25]. Therefore, risk practitioners must understand what their stakeholders value [26]. Quantitative studies on ERM and firm performance identify risk committees as pivotal stakeholders [27, 28, 29]. Beasley et al. [30] identified the CEO and CFO as essential stakeholders who determine the success of ERM implementation.

Consequently, the quality of upward communication and leadership by risk professionals with committees, board members, and other management levels affects ERM effectiveness. However, communication and leadership are essential across the company to gain stakeholders’ input to risk management processes and their ownership of outputs [22]. Accordingly, COSO [31] further identifies the business units’ operational management and employees as important stakeholders.

In Germany, risk practitioners predominantly take an independent facilitator role in their companies [32]. According to Kaplan and Mikes [11], in this role, they avoid influencing formal decision-making but set agendas for highly interactive risk management discussions and facilitate risk communication up, down, and across the organisation. The authors conclude that independent facilitators contribute to ERM effectiveness as these roles reduce individual and group bias and, thus, enable more objective decisions. However, the lack of formal authority constitutes a challenge as it impedes risk practitioners from effectively challenging front-line staff [33].

2.1 Communication

Organisational activities are based on interpretation and influenced by the characteristics of the environment [34]. How decision-makers understand risk information is, therefore, subject to how they make sense of it. Daft and Weick [34] term the cognitive process sensemaking. It can be described as the ‘reciprocal interaction of information seeking, meaning, ascription, and action’ ([35], p. 240).

The holistic ERM context renders the sensemaking process increasingly important. First, communication involves stakeholders from different business disciplines and diverse perspectives, objectives, and backgrounds [36]. Therefore, to go beyond gathering evidence, risk practitioners must incorporate subjective knowledge to create meaning of cues [12, 14, 26] and use boundary objects to manage knowledge across boundaries [22, 37, 38].

Second, risk is a social construction resulting from perceptions influenced by the social and physical environment and prior experience and knowledge [14]. Humans tend to use judgemental heuristics and ignore or discount essential information when thinking about risk [39]. Therefore, risk perceptions are highly resistant to information [40]. Additionally, organisational barriers and biases prevent information from being considered in decision-making [11]. Therefore, risk-related decisions increasingly rely on sensemaking [14].

Sensemaking depends on the activity of a pool of diverse actors addressing a range of organisational issues [7]. Risk experts can guide the sensemaking process of decision-makers by sensegiving, that is, influencing their sensemaking and meaning construction to redefine the organisational reality [41]. Using concepts of issue selling and knowledge management, Meidell and Kaarbøe [12] showed that sensegiving increases risk practitioners’ influence during ERM implementation and development. Issue selling is the behaviour targeted at gaining others’ attention to acknowledge and understand issues [42]. Involving the upper level, peers and others from the organisation and presenting issues in an evidence-based, logical, and coherent way supports getting buy-in [43].

Managing knowledge across knowledge domains is key to effectively cooperating with business units. Risk experts produce knowledge by analysing gathered data and information [26]. Interdepartmentally transferring and integrating this knowledge exposes challenges. Depending on novelty and power positions, managing knowledge across boundaries requires creating common knowledge, interacting cross-functionally, and exploring and exploiting boundary objects [44]. Therefore, risk professionals manage knowledge within the organisation using shared language [19, 21, 22, 45], risk talks [11, 13, 45], and developing and introducing risk management tools [11, 12, 13, 37, 46].

2.2 Leadership

Business executives consider risk management effectiveness as a leadership issue [47]. Leadership, the ability to influence, motivate, and enable others [48], is independent of formal titles or positions [49]. A participative leadership style based on openness towards ideas, new concepts, or novel products contributes to ERM effectiveness [50]. This leadership style emphasises collaboration and communication and works best for creating consensus and gaining input from others [51].

However, establishing a sound risk culture also requires creating a positive climate and applying a forward-looking and anticipatory practice [14]. To gain acceptance and appreciation, risk professionals must build relationships with business managers and executives [13] and understand their objectives and needs. Therefore, risk practitioners must likewise apply visionary and affiliated leadership styles, which involve developing and articulating a vision and building emotional bonds within the organisation [51].

The ability to influence organisational activities and decisions depends on available power sources. Position power is derived from legitimate authority [52]. It is affected by risk governance frameworks, such as the widely accepted Three Lines of Defence (3LoD) model. Davies and Zhivitskaya [33] criticise the model-inherent imbalance of power distribution. The Lehman Brothers bankruptcy exemplified that the dominance of business units in decision-making reduces risk management effectiveness [53].

The ERM unit’s position power results from controlling the main information flow within the risk reporting system [54], pre-approval decision authority [55, 56], regulatory requirements [36], quality and credibility of their insights in strategic discussions [36], or design, control and use of risk tools [46].

Independent of the position, risk practitioners can develop personal power, particularly expert and referent power. Expert power facilitates risk talks [11, 13, 45]. It is gained through providing evidence and explaining reasons for requests or proposals, clear and confident communication, and listening thoughtfully to other persons’ concerns and suggestions [52]. Therefore, practitioners must use a common language [21, 45] with a standard accepted vocabulary [22].

Referent power is increased by demonstrating trust and respect to others and showing concern for the needs and feelings of others, and it can be exercised by role modelling [52]. Accordingly, Kaplan and Mikes [11] conclude that risk practitioners need strong interpersonal and communication skills to stimulate broad and wide-ranging discussions that result in qualitative and subjective risk assessments.

3. Methodology

The research aimed at advancing a fundamental understanding of risk practitioners’ communication and leadership practices as means of achieving and maintaining ERM effectiveness. The qualitative study uses a cross-sectional qualitative field design. It allows understanding of risk practitioners’ perceptions and connecting them to the organisational context and enables an interpretation from different perspectives.

3.1 Data collection

The research was limited to Germany to avoid influences from socio-cultural differences or country-specific risk management regulations. Participants were recruited by a combination of self-selection and snowball sampling within the researcher’s professional network. The selection included various industries and was limited to ERM leadership or senior-level positions. Instead of job titles, the classification followed IRM’s career levels [9] and was thus based on the breadth and depth of influence over stakeholders and the risk profession (Table 1).

| Interviewee | Industry | Interview mode | Career level | Risk experience |
|---|---|---|---|---|
| 1 | Energy | Face-to-face | Senior | 9 years |
| 2 | Chemistry | Video | Leadership | 8 years |
| 3 | Food | Video | Leadership | 10 years |
| 4 | Energy | Telephone | Leadership | 12 years |
| 5 | Pharma | Video | Leadership | 17 years |
| 6 | Manufacturing | Telephone | Leadership | 9 years |
| 7 | Energy | Telephone | Senior | 7 years |

Table 1. Participants of the research study.

Primary data have been collected through one-to-one semi-structured interviews to facilitate rich and in-depth accounts. Initial questions were shared with the interviewees before the interview to enable participants to mull over the questions and provide deeper accounts. The interviews’ flow was flexible and contingent on what participants were saying. Accordingly, the formulation of questions and their order varied among interviews. Emphasis was put on how participants frame and understand issues and what an interviewee considers meaningful in ERM communication and leadership. This focus enabled explaining and understanding events, patterns, and behaviours. The interview language concurred with the researcher’s first language and the study’s location.

3.2 Data analysis

The research followed an inductive approach to theory development. Instead of pre-specifying hypotheses, findings have been generated from data. Interviews have been transcribed and analysed in the source language to keep ties between language, identity, and culture as long as possible. For quotations, the material has been directly translated into the English language to achieve credibility and authenticity.

Qualitative research data have been triangulated with qualitative studies and surveys to ensure credibility. Surveys have been consulted to identify risk practitioners’ challenges, contextualise risk practitioners’ roles in German companies, and understand practitioners’ perceptions of the present risk culture. Thick descriptions of the research findings and interpretations ensure transferability. To ensure dependability, the researcher kept complete records through all phases of the research process, including data analysis decisions and a reflective research diary. Including rich quotes from participants depicting how themes have emerged ensures confirmability.

The coding of interviews followed a template analysis approach in which the hierarchical representation of themes and codes emerged during the coding process. Existing literature, particularly sensemaking literature, guided the development of codes.

The coding was performed in two cycles using NVivo software. Initial coding broke the data down into discrete parts and determined the topic of each passage of the semi-structured interviews. Risk practitioners’ challenges and actions have been identified using value coding and process coding, respectively.

In a second coding cycle, initial codes have been grouped and summarised to create smaller categories based on emergent configuration and explanation. This process included reanalysing first cycle codes, merging similar codes, and reassessing the utility of infrequent codes for the overall coding scheme.

4. Results

A salient challenge for risk practitioners is the reluctance of business units to accept new ERM initiatives or deeply involve the ERM unit in decision-making. Practitioners consider the recurrent misperception of ERM as an administrative burden pivotal for this change resistance. Additionally, individual and organisational bias, including understating risks not yet encountered by the organisation, reinforces this misperception. Organisational knowledge domains make it harder to correct business units’ appreciation of ERM.

Regarding the company’s top management, risk practitioners face challenges arising from insufficient management commitment to ERM. Consequently, the ERM unit is insufficiently involved in the strategic decision-making process. Top management representatives’ political and social concerns related to risk documentation and perception of their authority further undermine the ERM’s strategic relevance. To overcome these challenges, risk practitioners apply practices that fall into four episodes. Table 2 summarises the findings, including the number of participants who mentioned the specific practice.

| Practice episodes | Practices | Description |
|---|---|---|
| Creating shared understanding | Understand the business (5) | Understand the requirements, objectives and operating principles of business units |
| | Qualify stakeholders (4) | Perform interactive training and interdisciplinary workshops with business units and management |
| | Visualise risk methods (3) | Explain risk knowledge through scenarios, examples, visualisation and simplification |
| Emphasising value creation | Strengthen transparency (6) | Reduce bias and groupthink by coordinating views and exploring consensus among the organisation |
| | Leveraging information (5) | Combining perspectives, using risk tools, and experimenting with ways to present information effectively |
| | Enhance perspectives (4) | Adding insights by exploring consequences from different perspectives |
| Exerting leadership practices | Strengthen influence (5) | Using power, knowledge and assertive communication and actively network |
| | Cultivate dialogue (5) | Establish dialogue and exchange of information. Apply appropriate language when necessary |
| | Foster direction (4) | Encourage decisions by incorporating objectives, adapting approaches and presenting in the language of business |
| | Manage tensions (4) | Solving conflicts and achieving compromises by a participatory leadership style |
| Managing relationships | Building trust (6) | Allow unbiased and trustful discussions. Respect and utilise competencies and responsibilities of business units |
| | Business partnering (6) | Consult business units on risk questions considering their interests. Create win-wins and proactively provide support |
| | Building relationships (4) | Establish connections with business units and actively engage in networking |

Table 2. Practice episodes and practices applied by risk practitioners.

4.1 Creating shared understanding

The first practice episode concerns creating a shared understanding between the ERM and business units. Risk practitioners develop profound and comprehensive business knowledge to enable effective risk identification, making sense of received information, and aligning the ERM system with business requirements and objectives. One interviewee summarised: ‘You must have seen the way things work to understand how risks arise, to discern how to report risks effectively, and implement the risk management processes to work properly’.

Reciprocally, practitioners qualify stakeholders and create risk awareness through interdisciplinary workshops, informal dialogues and interactive training sessions to surmount boundaries of knowledge domains. They use purposeful presentation and shared language to transfer risk knowledge effectively.

Practitioners capitalise on simplification and contextualise risk theory using psychological research. Additionally, they offer examples of risk management failures in the company’s business environment: ‘We conduct workshops that include some fun – examples from Kahneman and Tversky, or Rolf Dobelli – and classic thinking mistakes concerning our industry. These examples support that people better understand what risk management is about and what traditional mistakes can happen. These topics increase the dialogue’.

4.2 Emphasising value creation

The second practice episode aims at creating business value. Risk practitioners holistically emphasise aspects from a company’s point of view. They prioritise risks with high importance on the company level while leaving the analysis of more local risks on the business unit’s level. Besides effective resource use, this prioritisation acknowledges business domain expertise and esteems cooperation. In this vein, risk practitioners consciously decide about the amount and content of information presented to avoid communication overloads: ‘I would always minimise or reduce communication to the essentials. This means I only communicate as much as necessary to avoid overwhelming others with all the details’.

Participants leverage information by combining risks and business objectives, such as profitability or strategic relevance. They consciously capitalise on the advantage of a central unit for rendering interrelations between the company’s risks. By experimenting with visual representations for presenting intricate risk knowledge, risk practitioners continuously optimise communication across business units and with management. They constantly create and reconfigure risk tools to further increase the sophistication of risk analysis and decisions. Risk practitioners utilise these tools to increase the effectiveness of risk communication with business units.

Furthermore, risk practitioners campaign for risk discussions with business units to enhance company-wide risk perspectives. With these discussions, they anticipate potential conflicts of interest and try to find commonalities and differences in business units’ perspectives on risk. While practitioners aim at joint organisational perspectives, they appreciate different perspectives to holistically inform decisions and reduce bias and groupthink in the decision-making process.

4.3 Exerting leadership practices

Exerting leadership practices represents the respondents’ third practice episode. Interviewees reinforce their influence in decision-making through deliberate networking and demonstrating expertise. For this purpose, they use assertive communication and openly and confidently express opinions: ‘When I talk about risks with the Board of Management, I express my own opinion, for instance, by telling my suggestion. In this way, the board recognises me as a competent advisor’.

Risk practitioners cultivate dialogue with business units by establishing and encouraging conversations. These dialogues are encouraged by offering the ERM unit’s availability for talks beyond official meetings and by assuring confidential treatment of information on request. To reinforce direction in decision-making, interviewees focus on how they present information. These considerations include describing information in the language of business units, outlining available decision options and incorporating business objectives.

Risk practitioners apply a cooperative communication style to avoid or manage tensions and ensure trustworthy cooperation with business units. In the same vein, they use ownership over information, such as risk reporting, carefully and only as the last resort to uphold trust and maintain a cooperative relationship with business units. One interviewee exemplified this: ‘You have to work with people because you cannot achieve anything when working against them’. However, risk practitioners defend positions and resist undue requests from business units to champion sound risk management approaches: ‘I try to be as flexible as possible in the communication with business units. However, certain things must not be adjusted’.

4.4 Managing relationships

Risk practitioners’ relationship management practices aim to overcome change resistance by building trust, networking and partnering with the business. Being transparent about the ERM unit’s assumptions and the intended use of received data is a routine practice. Respondents demonstrate a level playing field to dispel fears that they could use information against business units. For this reason, they use factual and objective communication to build trust and avoid early judgements.

Participants emphasised the importance of partnering with the business to overcome change resistance and misperception of the ERM. Therefore, they proactively support business units in solving risk-related problems. Participants also create win-wins with other business departments through purposeful cooperation and deliberately avoid making the impression of box-ticking. As a result, they counter the perception of ERM as a valueless administrative burden: ‘When you are seen as a consultant and offer solutions to specific issues, then you win the people’.

Establishing connections with business units through informal meetings and talks and active networking is a regular practice. Participants strive to develop casual relationships to overcome change resistance and reduce conflicting interests: ‘You try staying in contact and up to date by knowing what is going on in the department’.

5. Discussion

Risk communication is essential to gain stakeholders’ input on the risk management process and their ownership of the output [22]. Accordingly, the findings show that risk practitioners’ communication and leadership practices are directed both towards business units and top management. ERM practitioners encourage and support communication about risks within the organisation without formally influencing decision-making [11]. As a result, business units can easily prevent or restrict risk practitioners’ involvement in decision-making [57]. Therefore, risk practitioners emphasise creating value and building common ground for risk work, which they achieve through leadership practices and relationship management.

5.1 Gaining and using power

Risk practitioners emphasise unbiased discussions and respect other business units’ competencies. This trust-building practice effectively addresses change resistance as it reframes change requests as less threatening [58]. Practitioners further reinforce trust-building by fostering dialogue with business units and management and building relationships through networking and connections.

These practices, aimed at building informal networks and increasing dialogue, overlap with the findings of studies conducted by Mikes and colleagues, as outlined in Kaplan and Mikes [11]. According to the authors, informal networks with executives and business managers help maintain a balance between keeping a sufficient distance to remain independent and staying involved in the business. The challenges mentioned by respondents elucidate this requirement. On the one hand, the ERM unit is perceived as an administrative burden responsible for controlling compliance with little relevance for decision-making. On the other hand, conflicting interests and change resistance by business units hinder the effective sharing of information.

Yukl [52] emphasises collaboration and communication as related to referent power. As the author states, this power source is an essential source of influence as people are more likely to carry out requests from persons they admire. Therefore, referent power positively affects risk practitioners’ leadership practices, such as managing tensions and strengthening influence. Using their referent power, established informal networks allow risk practitioners to reshape and improve how the ERM role is perceived by executives and business units [13]. Risk practitioners must develop a consistent set of values, clearly express them and act based on them to increase referent power [52].

Risk practitioners strengthen their influence using two additional power sources. The first is expert power, a personal power source. Yukl [52] confirms unique knowledge as a potential source for influencing subordinates, peers and superiors. Moreover, as influence is more likely to be accepted and less rejected when exercised by people with critical and scarce knowledge, expert power is superior to participative leadership [59]. Expert power allows risk practitioners to share opinions proactively and openly and, thus, be recognised as competent advisors for the management. Risk practitioners must present rational arguments appreciatively and humbly to gain and maintain expert power [52]. Being recognised by decision-makers as experts requires building informal networks and proactively providing expert opinions from a risk perspective.

As a second power source to strengthen their influence, risk practitioners possess information power, a position power source. Despite having no formal authority as independent facilitators, the risk unit presents risk information to the top management. Control over information enables risk practitioners to influence risk management activities within the organisation [52]. However, position power is lost with the position associated with the power [60]. Therefore, risk practitioners reluctantly use power over information. This parallels the limited use of legitimate power found by Mikes [13] in two case studies.

Risk practitioners must manage tensions as a result of different interests. They overcome these tensions using participative leadership. Participation and collaboration enable sharing perspectives [51]. Furthermore, it increases the speed at which threats and opportunities can be identified and addressed [50]. In contrast, compromising can be counterproductive as harmony is prioritised over value [61]. For risk practitioners, this implies prioritising negotiation of claims over compromise-seeking strategies.

5.2 Increasing influence through issue selling

Issue selling is centred on affecting others’ attention. The framework developed by Dutton and Ashford [42] and Dutton et al. [43] considers how middle managers gain influence through issue selling in upward communication. Still, the observation of Dutton et al. [43] that issue selling is a political and commitment-building process parallels the process through which risk practitioners engage with peers.

When risk practitioners emphasise value creation, such as leveraging information and enhancing perspectives, they predominantly use logical, coherent, structured presentations and incorporate business objectives. These practices create legitimacy on issues to be sold and increase attention by decision-makers [43].

According to Dutton et al. [43], bundling risk issues with business objectives is successful if these issues are linked to already agreed-upon goals. Risk practitioners must identify stakeholders, practice relationship building and develop knowledge about the organisation’s strategy. The authors note that issue-selling efforts should be customised to include the full range of stakeholders. Beyond knowing stakeholders, customisation may involve experimenting with alternatives to present knowledge, as one interviewee specified.

Practices aiming to develop this knowledge include fostering dialogue and building trust. These practices involve the informal exchange of information and emphasise unbiased and trustful discussions. Involving others helps reduce bias through diverse thoughts [62]. It further increases visibility, creates awareness and supports building organisational commitment [43]. Practitioners reinforce involvement through a participatory leadership style that builds trust, respect and commitment [51]. Therefore, these practices help increase risk practitioners’ influence and overcome change resistance.

In the same vein, involvement helps to reduce the misperception of ERM and reinforces relation-building practices. However, as Goleman [51] flags, participation must be distinguished from putting off crucial decisions, confusing people and escalating conflicts. As the findings show, it implies that risk practitioners communicate assertively, including resisting conflicting demands. Assertive communication emphasises expressing opinions and beliefs honestly and appropriately without infringing on others’ emotions [63]. Therefore, assertively resisting conflicting demands helps keep a balance between independence and involvement [13].

5.3 Managing knowledge across boundaries

Creating a shared understanding and value for the business are two major practice episodes pursued by risk practitioners. Through these episodes, they understand the business, including objectives and requirements. It also involves transferring knowledge on ERM to stakeholders. These practices help risk practitioners and business units create common knowledge. Common knowledge is necessary for sharing and assessing knowledge across boundaries [44]. Using this knowledge and, particularly, applying the language of the business reinforce risk practitioners’ leadership practices, such as cultivating dialogue.

Risk practitioners increase interaction with business units by developing and applying business language in conversations [12, 13, 46]. Carlile [44] states that a common lexicon is sufficient for managing dependencies between activities and resources where knowledge differences and dependencies between actors are known.

Increasing novelty blurs differences and dependencies and makes meanings ambiguous [44]. Therefore, risk practitioners visualise risk methods using scenarios, examples and simplification. Moreover, they use their risk tools to leverage information. Risk tools can effectively represent and transform current and novel knowledge [46], thus supporting the interaction between risk practitioners and others.

When novelty leads to conflicting interests, it impedes effectively sharing information and knowledge [44]. Overlapping activities resulting from shared accountability for managing uncertainties stimulate professional rivalry [10] and reinforce conflicting interests. These conflicts require creating common meanings and renegotiating agreements [44]. The participative leadership style used by risk practitioners supports this objective [61]. Therefore, participation effectively overcomes knowledge boundaries, especially in volatile business environments characterised by high novelty.

Risk practitioners complement collaboration by partnering with business units to create win-wins and reframe the organisational ERM. According to Carlile and Rebentisch [64], reframing the perception of ERM as a value-creating practice fosters cooperation through the demand for value-creating activities. However, a high level of novelty generates different interests [44] expressed by political and social concerns. According to Carlile [44], interests must be negotiated and defined in a political process. As the author states, costs resulting from transforming current common and domain-specific knowledge negatively impact the willingness of actors to make those changes. Therefore, partnering with business units enables risk practitioners to discuss and stipulate shared interests.

Risk practitioners require stakeholders’ input to risk management processes [22]. However, individual biases and groupthink jeopardise the quality of shared information and, thus, the quality of consequent decisions [65]. These issues promote overlooking threats or subjective assessments [11]. Risk practitioners acknowledge different perspectives from diverse stakeholders and incorporate them into their knowledge generation to overcome individual bias and combat groupthink. This diversity of thoughts is essential for effective decision-making as it supports understanding the full range of possible options [62].

6. Conclusion

While many companies implement ERM to inform strategic decision-making, most struggle with its effectiveness. This research explores risk practitioners’ communication and leadership practices to achieve and maintain ERM effectiveness. Findings result from data collected through semi-structured interviews among leadership and senior-level ERM practitioners across various industries.

The study identifies four practice episodes. First, risk practitioners create shared knowledge between business units and the ERM unit. Practitioners fathom business concerns, requirements and objectives, and reciprocally qualify stakeholders and create risk awareness. Second, practitioners demonstrate the value-creating capabilities of ERM. They capitalise on the high-level perspective of a central ERM unit to leverage data and information through contextualisation. Practitioners acknowledge business domain expertise and esteem cooperation by dividing and prioritising risk work based on value-adding capabilities.

Third, practitioners consciously exert leadership practices to strengthen their influence in decision-making and champion sound risk management. They use participation to emphasise trust and get the buy-in of stakeholders. Using assertiveness, they withstand undue requests and advocate sound risk management standards.

Leadership practices affect relationship building, the fourth practice episode. Practitioners network to overcome organisational change resistance and balance independence and involvement. They partner with and proactively support business units in risk aspects to reframe ERM and avoid tensions.

The study forms a practical guide for risk practitioners to manage ERM effectiveness. Applying these practices requires practitioners to develop and emphasise referent and expert power. Practitioners must identify stakeholders and understand their needs to sell issues and effectively encourage decisions. Practitioners must continuously develop a common language for effectively transferring knowledge within the organisation, understand when knowledge boundaries blur and constantly explore and exploit boundary objects. For organisations, the research provides opportunities for shareholder value creation by optimising risk practitioner development programs and setting the course for higher ERM effectiveness.

The research is limited to Germany to ensure an unambiguous socio-cultural and country-specific setting. The narrow scope constitutes a limitation, and future in-depth case studies are required to understand how cultural and intercultural aspects influence risk practitioners’ ERM practices.

Acknowledgments

I thank Christian Dommers (Deloitte GmbH) for providing access to Deloitte’s network of ERM practitioners. This extension of my professional network substantially supported selecting ERM practitioners in senior and leadership positions from various industries.

References

  1. Beasley MS. What is Enterprise Risk Management? NC State: Poole College of Management; 2016. Available from: https://erm.ncsu.edu/az/erm/i/chan/library/What_is_Enterprise_Risk_Management.pdf. [Accessed: 23 May 2020]
  2. Schiller F, Prpich G. Learning to organise risk management in organisations: What future for enterprise risk management? Journal of Risk Research. 2014;17(8):999-1017
  3. Beasley MS, Branson BC, Hancock BV. The State of Risk Oversight. NC State: Poole College of Management; 2021. Available from: https://erm.ncsu.edu/az/erm/i/chan/library/2021-risk-oversight-report-erm-ncstate.pdf. [Accessed: 16 June 2022]
  4. Deloitte. Global Risk Management Survey. 11th ed. Deloitte; 2018. Available from: https://www2.deloitte.com/bg/en/pages/finance/articles/global-risk-management-survey-2019.html. [Accessed: 7 June 2020]
  5. KPMG. Enterprise Risk Management Benchmarking Study. KPMG; 2019. Available from: https://advisory.kpmg.us/content/dam/advisory/en/pdfs/erm-benchmarking-brochure.pdf. [Accessed: 6 June 2020]
  6. Oliveira K, Méxas M, Meiriño M, Drumond G. Critical success factors associated with the implementation of enterprise risk management. Journal of Risk Research. 2019;22(8):1004-1019
  7. Maitlis S. The social processes of organisational sensemaking. Academy of Management Journal. 2005;48(1):21-49
  8. Oliver Wyman. Risk Leadership - Changing the Paradigm. Oliver Wyman; 2017. Available from: https://www.oliverwyman.com/content/dam/oliver-wyman/v2/publications/2017/sep/RISK_LEADERSHIP_2017.pdf. [Accessed: 22 June 2020]
  9. IRM. Professional Standards in Risk Management. IRM. Available from: https://www.theirm.org/what-we-do/about-us/professional-standards/. [Accessed: 6 June 2020]
  10. Arena M, Arnaboldi M, Azzone G. The organisational dynamics of enterprise risk management. Accounting, Organisations and Society. 2010;35(7):659-675
  11. Kaplan RS, Mikes A. Risk management-the revealing hand. Journal of Applied Corporate Finance. 2016;28(1):8-18
  12. Meidell A, Kaarbøe K. How the enterprise risk management function influences decision-making in the organisation – A field study of a large, global oil and gas company. British Accounting Review. 2017;49(1):39-55
  13. Mikes A. The triumph of the humble chief risk officer. In: Power M, editor. Riskwork: Essays on the Organisational Life of Risk Management. Oxford, UK: Oxford University Press; 2016. pp. 253-273
  14. Taarup-Esbensen J. Making sense of risk—A sociological perspective on the management of risk. Risk Analysis. 2019;39(4):749-760
  15. Weick KE. Sensemaking in Organisations. London, UK: Sage; 1995
  16. Bromiley P, McShane M, Nair A, Rustambekov E. Enterprise risk management: Review, critique, and research directions. Long Range Planning. 2015;48(4):265-276
  17. Perera AAS. Enterprise risk management–international standards and frameworks. International Journal of Scientific and Research Publications. 2019;9(7):211-217
  18. Rochette M. From risk management to ERM. Journal of Risk Management in Financial Institutions. 2009;2(4):394-408
  19. Mikes A. Risk management and calculative cultures. Management Accounting Research. 2009;20(1):18-40
  20. Bogodistov Y, Wohlgemuth V. Enterprise risk management: A capability-based perspective. The Journal of Risk Finance. 2017;18(3):234-251
  21. Fraser JR, Simkins BJ. The challenges of and solutions for implementing enterprise risk management. Business Horizons. 2016;59(6):689-698
  22. McShane M. Enterprise risk management: History and a design science proposal. The Journal of Risk Finance. 2018;19(2):137-153
  23. Checkland P. Soft systems methodology: A thirty year retrospective. Systems Research and Behavioral Science. 2000;17(S1):S11-S58
  24. Bergvall-Kåreborn B, Mirijamdotter A, Basden A. Basic principles of SSM modeling: An examination of CATWOE from a soft perspective. Systemic Practice and Action Research. 2004;17(2):55-73
  25. Brooks DW. Creating a risk-aware culture. In: Fraser J, Simkins BJ, editors. Enterprise Risk Management. New York: Wiley & Sons; 2010. pp. 87-95
  26. Aven T. Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research. 2016;253(1):1-13
  27. Florio C, Leoni G. Enterprise risk management and firm performance: The Italian case. The British Accounting Review. 2017;49(1):56-74
  28. Gordon LA, Loeb MP, Tseng C-Y. Enterprise risk management and firm performance: A contingency perspective. Journal of Accounting and Public Policy. 2009;28(4):301-327
  29. Malik MF, Zaman M, Buckby S. Enterprise risk management and firm performance: Role of the risk committee. Journal of Contemporary Accounting & Economics. 2020;16(1):100178
  30. Beasley MS, Clune R, Hermanson DR. Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy. 2005;24(6):521-531
  31. COSO. Applying Enterprise Risk Management to Environmental, Social and Governance-Related Risks. COSO; 2018. Available from: https://www.wbcsd.org/Programs/Redefining-Value/Business-Decision-Making/Enterprise-Risk-Management/Resources/Applying-Enterprise-Risk-Management-to-Environmental-Social-and-Governance-related-Risks. [Accessed: 28 July 2020]
  32. Deloitte. Benchmarkstudie Risikomanagement. Deloitte; 2020. Available from: https://www2.deloitte.com/de/de/pages/audit/articles/risikomanagement-benchmarkstudie-2020.html. [Accessed: 16 July 2020]
  33. Davies H, Zhivitskaya M. Three lines of defence: A robust organising framework, or just lines in the sand? Global Policy. 2018;9:34-42
  34. Daft RL, Weick KE. Toward a model of organisations as interpretation systems. Academy of Management Review. 1984;9(2):284-295
  35. Thomas JB, Clark SM, Gioia DA. Strategic sensemaking and organisational performance: Linkages among scanning, interpretation, action, and outcomes. Academy of Management Journal. 1993;36(2):239-270
  36. Mikes A. Chief risk officers at crunch time: Compliance champions or business partners? Journal of Risk Management in Financial Institutions. 2008;2(1):7-25
  37. Jordan S, Jørgensen L, Mitterhofer H. Performing risk and the project: Risk maps as mediating instruments. Management Accounting Research. 2013;24(2):156-174
  38. Romme AGL, Damen IC. Toward science-based design in organisation development: Codifying the process. The Journal of Applied Behavioral Science. 2007;43(1):108-121
  39. Kahneman D, Lovallo D, Sibony O. Before you make that big decision. Harvard Business Review. 2011;89(6):50-60
  40. Arvai J. The end of risk communication as we know it. Journal of Risk Research. 2014;17(10):1245-1249
  41. Gioia DA, Chittipeddi K. Sensemaking and sensegiving in strategic change initiation. Strategic Management Journal. 1991;12(6):433-448
  42. Dutton JE, Ashford SJ. Selling issues to top management. Academy of Management Review. 1993;18(3):397-428
  43. Dutton JE, Ashford SJ, O'Neill RM, Lawrence KA. Moves that matter: Issue selling and organisational change. Academy of Management Journal. 2001;44(4):716-736
  44. Carlile PR. Transferring, translating, and transforming: An integrative framework for managing knowledge across boundaries. Organization Science. 2004;15(5):555-568
  45. Ashby S, Bryce C, Ring P. Risk and Performance: Embedding Risk Management. London, UK: Association of Chartered Certified Accountants (ACCA); 2019. Available from: http://hdl.handle.net/20.500.12127/6367. [Accessed: 5 August 2020]
  46. Hall M, Mikes A, Millo Y. How do risk managers become influential? A field study of toolmaking in two financial institutions. Management Accounting Research. 2015;26:3-22
  47. Campbell KA. Can effective risk management signal virtue-based leadership? Journal of Business Ethics. 2015;129(1):115-130
  48. House R, Javidan M, Hanges P, Dorfman P. Understanding cultures and implicit leadership theories across the globe: An introduction to project GLOBE. Journal of World Business. 2002;37(1):3-10
  49. Nahavandi A. The Art and Science of Leadership. Harlow, Essex, England: Pearson Education Limited; 2015
  50. Sax J, Torp SS. Speak up! Enhancing risk performance with enterprise risk management, leadership style and employee voice. Management Decision. 2015;53(7):1452-1468
  51. Goleman D. Leadership that gets results. Harvard Business Review. 2000;78(2):78-90
  52. Yukl G. Leadership in Organisations. 8th ed. Harlow, England: Pearson Education Limited; 2013
  53. Rooney J, Cuganesan S. Leadership, governance and the mitigation of risk: A case study. Managerial Auditing Journal. 2015;30(2):132
  54. Giovannoni E, Quarchioni S, Riccaboni A. The role of roles in risk management change: The case of an Italian bank. European Accounting Review. 2016;25(1):109-129
  55. Mikes A. From counting risk to making risk count: Boundary-work in risk management. Accounting, Organisations and Society. 2011;36(4):226-245
  56. Mikes A, Kaplan RS. When one size doesn't fit all: Evolving directions in the research and practice of enterprise risk management. Journal of Applied Corporate Finance. 2015;27(1):37-40
  57. Stulz RM. Risk-taking and risk management by banks. Journal of Applied Corporate Finance. 2015;27(1):8-18
  58. Kotter JP, Schlesinger LA. Choosing strategies for change. Harvard Business Review. 2008;86(7/8):130-139
  59. Lines R. Using power to install strategy: The relationships between expert power, position power, influence tactics and implementation success. Journal of Change Management. 2007;7(2):143-170
  60. Caproni PJ. Management Skills for Everyday Life: The Practical Coach. 3rd ed. Boston: Prentice Hall; 2012
  61. Whetten DA, Cameron KS. Developing Management Skills. Global ed. Harlow, United Kingdom: Pearson; 2015
  62. Bruce JR. Risky business: How social psychology can help improve corporate risk management. Business Horizons. 2014;57(4):551-557
  63. Back K, Back K. Assertiveness at Work. 3rd ed. London, UK: McGraw-Hill; 2005
  64. Carlile PR, Rebentisch ES. Into the black box: The knowledge transformation cycle. Management Science. 2003;49(9):1180-1195
  65. Chaffey D, White G. Business Information Management: Improving Performance Using Information Systems. Harlow: Prentice Hall; 2005
