Risk Management Practices Adopted by European Financial Firms with a Mediterranean Connection

Following the economic and financial crises, any activity involv ing internal controls, especially risk management, has been given more attention. With this study, we aim to contribute further to the existing literature on risk management by looking at practices adopted by financial services firms licenced in Europe with a Mediterranean connection. We used parts of a questionnaire adopted by two of the authors in another study on risk management practices adopted by Maltese financial services firms and sent it to prospective candidates who work closely within risk management, to collect our data. This resulted in 1635 participants. This data was used to (1) bring to light the mechanisms and strategies used in risk management by these organisations to maximise their opportunities, manage their risks, and maintain stability in their financials. Also, (2) we check if this is perceived as contributing to ‘principled performance’. Finally, (3) we examine the extent to which risk manage ment capabilities offer a competitive advantage to these firms. Our findings evidence that the objective by EMP and the EU, that is to ensure that members operate ‘on the same level playing field’ within risk management, in financial services of firms with a Euro-Mediterranean connection, has been achieved.


Introduction
Although risks have been present since the beginning of mankind, explicit attention to them has differed over the passage of time. Early civilisations attributed unexpected events to the gods. This made it pointless for mankind to intervene and manage. This continued till today with some tribes in some parts of the world and was even the case until the middle ages when Christianity was strong in the current Western Europe. The word "risk" itself is derived from ancient Arabic word "rizq" and used till today in the Maltese Language, translated to mean prosperity granted Risk Management Practices Adopted by European Financial Firms with a Mediterranean… DOI: http://dx.doi.org /10.5772/intechopen.80640 and maintain stability in their financials. Also, (2) we check if this is perceived as contributing to 'principled performance' (defined in the chapter in Section 2.2). Finally (3) we examine the extent to which risk management capabilities offer a competitive advantage to these firms.

Literature
We can cite various studies dealing with risk management practices in different areas, industries, regions and countries. For example, a study on risk management practices carried out on the Ghanaian insurance industry by [7] revealed that companies insuring life, different from companies insuring non-life, have their risk appetite levels statements recorded. This enables the identification of those risks to on-board and those ones to transfer. Moreover, they exposed that the industry lacks adequate skilled personnel and risk management is reactive as a response to regulatory directives. Other surveys carried out about the UK insurance industry showed that the response by most insurance firms to risk management regulations was perfunctory, rather than being seen as good business practice [10].
Another study by [11] on risk management practices of German firms revealed that participants showed no difficulty in developing a risk management system and rated business survival as the top risk management goal. Moreover, they showed that respondents are more risk-neutral than risk-averse for financial risks, and that 88 percent use derivatives.
Bankers operating in Barbados perceived risk management as critical to the performance of their banks; with operational risk, credit risk, country/sovereign risk, market risk and interest rate risk being their greatest exposures [12], while those operating in Bahrain show a clear understanding of both risk and risk management and have efficient risk assessment analysis, risk identification processes, credit risk analysis, risk monitoring and risk management practices with credit, liquidity and operational risk being the most prominent risks faced by both conventional and Islamic banks [13].
A study on Islamic banks in Pakistan showed that they are efficient in managing their risks. Revealing that the most influencing variables in the risk management process were that of understanding risk and risk management, risk monitoring and credit risk analysis [14]. On the other hand, Hassan [15], found that the Islamic banks in Brunei Darussalam consider foreign-exchange risk, followed by credit risk and then operating risk, as the 3 most important risks. He also noted that Islamic banks are very efficient mainly in risk identification, assessment and analysis.
A further study by Sifumba et al. [16] revealed that manufacturing SMEs personnel in Cape Town are not aware of the elements that make risk management effective. While in Malta, Bezzina et al. [8], found that financial firms have a strong culture of efficient and effective risk management practices that add value and are linked to well-defined objectives with corporate social responsibility embedded within the organisations' risk management corporate strategies and corporate culture. Miloš Sprčić et al. [17], in a study on Croatian companies, find that the risk management system development is dependent only on value of the growth options and the size of the company.

Risk management strategies and mechanisms
Any organisation's strategy needs to deal with an uncertain environment. Therefore, organisational strategic choices will determine the organisation's exposure to an uncertain environmental and constituents that impact their performance. "Exposure" defined as the sensitivity of an organisation's cash flows to changes in interrelated uncertain variables. The emphasis of organisation on specific particular (particularist view) rather than multidimensional uncertainties is a significant shortcoming. The former view of isolating specific uncertainties, excludes other interrelated uncertain variables. In fact, literature in financial services emphasises uncertainties for which hedging or insurance instruments can be designed to manage organisation exposures, however omitting some uncertainties that are encountered in the overall management strategic decisions. The alternative view is where management takes a general approach to risk and gives explicit consideration to numerous uncertainties (integrated risk management perspective) [18].
Das and Teng [19], build on the latter and suggests that to effectively manage risks and reduce unwanted risks, organisations need to examine the inter-relationship between trust, control and risk using an integrated framework which examines the inter-relationship between the three constructs. They note that firms need to manage their risks by determining the conjoint roles of these constructs in the context of their objectives and strategies.
It has therefore always been a must for every leading firm to ensure that the process of identifying risk and managing it, is an explicit part of the strategic plan, and that there is a buy-in from all levels of their organisation. Risk management should be seen as a systematic effort that is pervasive through all operating units, be it in the front, mid or back office, right in line with growth areas targeted for investments or any critical support functions. Risk management must matter to the organisation and to the person whose occupation and responsibility is defined by it [20].
The risk manager or officer is responsible to initiate the process of determining the risks faced by the company, based on the strategy, determine the mandatory and voluntary barriers and put in place a risk management strategy to achieve objectives with the least of problems. That is the objective risk assessment process which depends on the organisation, and the plan and tactics to arrive at that objective [21].
Stulz [22] offers us theoretical evidence showing that risk management practice within firms is limited. Marshall and Heffes [23] report that only 11 percent of "more than 90 percent of the executives who say they are building or want to build enterprise risk management (ERM) processes into their organization report they have completed their implementation. The survey results indicate that more than two-thirds of both boards of directors and senior management staff consider risk management to be an important responsibility". COSO's recent survey [24] findings show unsatisfactory results for the implementation of ERM showing that "60 percent of respondents say their risk tracking is mostly informal and ad hoc or only tracked within individual silos or categories as opposed to enterprise-wide."

Risk management and principled performance
As explained in Bezzina et al. [8] we again adopted the Open Compliance and Ethics Group's (OCEG) standard's concept of integrating internal controls "(the Governance, Risk Management and Compliance (GRC) capability model) into one main function [24]. This as suggested by these authors and OCEG, helps to "improve quality and performance, by providing tools that can measure and enhance corporate culture within an integrated environment." This structure is said to be the main determinant of the achievement of 'Principled Performance' as defined by OCEG. That is "reliable achievement of objectives while addressing uncertainty and acting with integrity." [21].
"OCEG in their definition of 'Principled Performance' emphasises the unambiguous articulation of a firm's objectives in financial and non-financial form. It outlines the methods and boundaries that would be adhered to while achieving the set targets." They continued to note that 'Principled Performance' in a financial firm can be achieved with clearly defined objectives, goals, values and a transparent, effective flexible mechanism, which enables continuous improvement to address risks and vulnerabilities within established boundaries [25].
Mitchell [25] continues by highlighting that, mainly if the existing structure offers a competitive advantage, GRC requires function integration without the need for operations consolidation. One can replicate the strengths of approaches, communication, technology used and reporting integration to the whole business to benefits from reduced errors, better information quality, and reduced costs. The GRC 360 Capability Model, 2009 specifies that, while culture, structure and the organisation play an essential role in the overall performance of a company; people, process and technology are crucial for principled performance.

Risk management abilities and competitive advantage
Creativity is lost if we only think of risk management as a way to minimise risk. We need to take risks and if and when they go in some unwanted unpredictable path, we need to be able to respond to them [26]. Kannan and Thangavel [27] note that every major advance in human civilization was possible because someone was willing to take a risk and challenge the status quo.
Enterprise risk management (ERM) promotes risk management as a more strategic responsibility and emphasises that if effectively implemented it can create a long term competitive advantage [28]. However, Slywotzky and Drzik [29] suggest, that many companies still treat ERM as an extension of their internal control processes, while only a few companies, use their risk management abilities as a source of competitive advantage. In fact these companies go beyond internal controls and cost-controlling (defensive and reactive approaches), taking a more aggressive and proactive stance towards risk. These have understood that managing risk is a source of leverage to gain competitive advantage [30].
Ehsan [30], limited risks faced by a company, to two major types: rewarded and unrewarded risks, and continues to note that the way through which capabilities of risk management can increase competitive advantage depends mainly on the type of risk exposure the company has. Rewarded risks are those risks that are expected to gain us some type of benefit, that is, risks taken to create value and are consequences of our decisions. Unrewarded risks usually brought about by external forces, such as natural disasters, industrial accidents, theft, pandemics, etc. which have no potential value in them. The ability to effectively deal with these risks has an important impact on the company's performance and thereby its competitive advantage.
In his seminal book, Porter [31] argues that "there are two major ways that a company can gain competitive advantage over its competitors: cost advantage, and differentiation". Risk management capabilities can help to affect the company's costs and the value it creates for stakeholders. Moreover, in theory, since risk management is a proactive activity, it can help create preparedness and advanced warnings for disruptions (i.e., to ensure business continuity). This differentiates these companies from their competitors giving them a competitive advantage [30].
Perspectives on Risk, Assessment and Management Paradigms 6

Method
A questionnaire adopted from a previous study by Bezzina et al. [8] to determine the risk management practices by Maltese financial firms, was used to extend this study to other Euro-Mediterranean countries. This questionnaire was administered to persons working in, or with a connection to the field of risk management within the financial services industry. Participants for the questionnaire were recruited with the help of one of the authors who is an active participant in European risk management associations. The survey was administered using an online questionnaire which was opened in January 2017 and closed in November 2017. In the introduction page we outlined our aims and objectives, while in the next four sections we posed closedended statements, which related to four main themes: (i) strategies and mechanisms adopted in risk management; (ii) the perceived purpose, scope and benefits of risk management; (iii) risk management and competitive advantage; and (iv) CSR influences on the corporate risk management strategies. The participants were asked to choose from a five-point Likert scale mainly ranging from 'strongly disagree' (coded as '1') to 'strongly agree' (coded as '5'), and some others ranging from 'very unimportant' (coded as '1') to 'very important' (coded as '5'). The final section (Section 5) was dedicated to the collection of the demographic data about the participant and their organisations. This data was collected in the form of labels or a scale and presented in aggregate, so as not to enable identification of the organisation or the participant. The responses (1635 respondents) were then subjected to statistical analysis using SPSS. When summarising the data, the median and interquartile range (lower quartile to upper quartile) were used for the ordinal scales while the mean and standard deviation were used with the interval/ratio scales. To test for differences in mean ranks, the Friedman test (a non-parametric alternative to one-way ANOVA) was used. Participants were guaranteed that their identity and that of the firm they are representing will be maintained anonymous.

Research questions
As noted above, being an extension of a previous study by Bezzina et al. [8], and since we adopted the same questionnaire, we also maintained the same research questions and the new responses were used to investigate and compare to the findings in that study.

RQ1
What are the risk management strategies and mechanisms adopted by financial services firms within countries with a Euro-Mediterranean connection in order to manage their risks, strengthen their opportunities and retain financial stability?

RQ2
Do the financial services firms in countries with a Euro-Mediterranean connection perceive risk management as just an authority imposed obligatory requirement or do they see it as critical for the achievement of 'principled performance'?

RQ3
Do risk management abilities offer a competitive advantage to financial services firms in countries with a Euro-Mediterranean connection?

RQ1
The respondents reported (on average), that they strongly agree their institution has a strategic risk management plan in place (Md = 5, IQR = 4-5). Furthermore, they agreed (Md = 4), that they have systems in place to strengthen the risk management process (see Table 1).
Furthermore, we asked the respondents to rate their level of agreement with seven statements related to the scope of their institution's strategic risk management plan is. Table 2 shows that there were significant differences in mean ranks based on the Friedman test, although they strongly agreed (Md = 5) or agreed (Md = 4) with all the statements.
We then delved into the quality requirements of risk management, the procedures/processes/policies of risk management, and the risk culture adopted by the financial services institutions. Details of the items used and a summary of statistical output are provided in Table 3. The responses exhibit empirical evidence of a strong risk management within the institutions investigated.
Finally, we wanted to know how important each of 12 established frameworks were for the institutions when implementing risk management. Table 4 shows that four frameworks were overall rated as 'important' , (Basel Accords, COSO 2, IAS and Interest Rate Risk Management), and the remaining eight as 'neither important nor unimportant' .

RQ2
The respondents reported (on average) that risk management practices play a vital role in their institutions (M = 4.00; SD = 0.51) and have a positive perception of risk management practices in achieving principled performance (M = 4.10, 0.64). Table 5 provides a summary of the responses and statistical output pertaining to the individual items that make up these two constructs.
Furthermore, they agreed (Md = 4) that they give sufficient attention to all the risks that we outlined when designing strategies and objectives, bar 'health and safety' (Md = 3). Table 6 exhibits the 14 risks in order of decreasing attention as rated by the respondents.

RQ3
In this research question, we wanted to better understand the capabilities of risk management practices in achieving competitive advantage. We first sought to determine the institutions' intention behind the risk management strategy for the financial services (see Table 7).

The strategic risk management plan Median IQR
Is clearly communicated and understood   Is to provide a defined structure to sustain business growth and continued profitability within objectives, appetite and tolerance.  We then wanted to examine the extent to which continuous risk impact assessments strengthen the competitive advantage in each of 8 factors. Table 8 shows that the respondents agreed (Md = 4) with all the factors bar political and legal factors (Md = 3).
Furthermore, we examined the benefits risk management capabilities provide to institutions. These respondents agreed (Md = 4) that risk management infuses a Our institution makes use of the following frameworks when implementing risk management

Risk management practices play a vital role in ensuring that our institution
Clearly defines its goals and values 4 4-4 Outlines how these goals are achieved 4 4-4 Identifies and demonstrates how risks and vulnerabilities would be addressed 4 4-4 Allows for transparency with stakeholders 4 3-4 Implements an effective mechanism for change, enabling continuous improvement to achieve the desired outcomes 4 4-5

Perceived purpose of risk management practices
Critical factor in achieving principled performance 4 4-5 Vital to the performance and success of our institution's objectives 4 3-5 No link between principled performance and RM practices * 4 4-5 Principled performance does not form part of our institution's risk management practices benefit realisation plans *  risk culture in the institution (IQR = 3-5), sustains future profitability (IQR = 4-5), provides visibility of economic and financial environment (IQR = 3-5) as well as long term profitable growth (IQR = 3-4) and provides competitive advantage (IQR = 3-5). Furthermore, we asked the respondents to rate their level of agreement with six factors aimed strengthening core risk management functions. The findings are exhibited in Table 9.

Conclusion
Our findings evidence that although authors such as Youngs [9], show strong scepticisms on the works and challenges of the EMP and the EU legislation; mainly to ensure that members operate on the same level playing field; within risk management in financial services of firms with a Euro-Mediterranean connection, this objective has been achieved. In fact, results show that similarly to the findings by Bezzina et al. [8] on Maltese financial services firms, personnel working or are involved in/with risk management of financial services firms with their head offices operating from Cyprus, France, Italy, Spain, Croatia, Greece, and Slovenia report that they have a strategic risk management plan in place with systems to enable the strengthening of their risk management processes to reach clearly identified objectives. They note various reasons that have helped to ensure this, with the strongest reasons being that of abiding to legal, regulatory and compliance requirements and the need to have a framework for systematic risk identification, mitigation, management, monitoring and control.   Findings, also show that the risk manager in these firms, similar to that of Maltese financial services forms, is highly active and involved, very knowledgeable and uses both top-down and bottom-up approaches to communicate the risk appetite of the company. This is facilitated by the fact that the quality and importance of risk management is embedded within their risk management strategy and seen as part of the firms' growth road map and a way to meet objectives. Moreover, in carrying out and designing their risk management strategy and processes these institutions tend to favour the use of frameworks/recommendations with the most followed being that provided by the Basel Accords. However, although, they give attention to practically all known risks identified, they are neutral on 'health and safety' issues, maybe because this might fall out of the competence of the respondents.
Finally, findings show that risk management practices play a vital role in ensuring that institutions reach their objectives (principled performance), add value and create a competitive advantage. This , with these practices, goals and values, is being clearly recorded and communicated; the roadmap to successfully reaching objectives is transparent and clear, enabling appropriate, identification of risks, growth, profitability, flexibility for improvement and change and quick response to uncertainties.