Determinants of ERM implementation: the case of

Journal of Financial Reporting and Accounting
Determinants of ERM implementation: the case of Tunisian companies
Sana Masmoudi Mardessi, Sonda Daoud Ben Arab

Downloaded by Professor SANA MASMOUDI At 09:08 14 November 2018 (PT)

Article information:
To cite this document: Sana Masmoudi Mardessi, Sonda Daoud Ben Arab, (2018) "Determinants of ERM implementation: the case of Tunisian companies", Journal of Financial Reporting and Accounting, Vol. 16 Issue: 3, pp.443-463, https://doi.org/10.1108/JFRA-05-2017-0044
Permanent link to this document: https://doi.org/10.1108/JFRA-05-2017-0044
Downloaded on: 14 November 2018, At: 09:08 (PT)
References: this document contains references to 63 other documents.
The fulltext of this document has been downloaded 39 times since 2018


Determinants of ERM implementation: the case of Tunisian companies

Sana Masmoudi Mardessi
Department of Accounting and Law, Higher Business School, University of Sfax, Sfax, Tunisia, and

Sonda Daoud Ben Arab
Higher Institute of Business Administration, University of Sfax, Sfax, Tunisia

Received 28 May 2017. Revised 25 August 2017, 2 December 2017. Accepted 3 December 2017.

Abstract

Purpose – Enterprise risk management (ERM) has become an important subject of increasing interest among companies throughout the world. It is gaining global attention among risk management professionals and academics. However, little is known about the extent of ERM implementation in the Tunisian context. More importantly, there are limited studies in literature that examine the determinants of this implementation. The purpose of this study is threefold: to propose an index to measure the level of ERM implementation, to examine the level of ERM implementation in Tunisian companies and to propose a conceptual framework for the determinants of this implementation. From the review of literature, several factors are found to be determinants of ERM implementation. Such factors are the presence of a Chief Risk Officer, the appointment of an internal auditor, the type of industry and the firm size.

Design/methodology/approach – To further understand the relation between ERM implementation and its determinants, a questionnaire survey was conducted in 2016 and administered to 80 companies. Respondents were CROs and, more often, internal auditors or financial directors. Other data were collected from annual reports and notes to the financial statements. Along with this, ordinal regression was applied to test the dependence between ERM implementation and its determinants.

Findings – Based on the data gathered, Tunisian companies have shown an increasing interest in risk management in the post-revolution context; however, an integrated approach of ERM implementation is still at an early stage. Descriptive statistics suggest that ERM is essentially developed in financial institutions, especially in banks and some large companies operating in non-financial industries. With regard to the multivariate regression results, the level of ERM implementation is positively related to the presence of a Chief Risk Officer, internal auditor, the type of industry and the firm size.

Originality/value – This study attempts to contribute to the risk management literature in two ways. Conceptually, this study proposes an ERM index to assess the level of ERM implementation. Empirically, it provides some empirical evidence that highlights factors which determine the level of ERM implementation. Therefore, this study will extend the scope of literature by providing novel empirical evidence by exploring the Tunisian context.

Keywords Industry, Banks, Internal auditor, Size, ERM, CRO, Tunisian context

Paper type Research paper

Introduction

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004), the development of enterprise risk management (ERM) is designed to provide reasonable assurance regarding the achievement of entity objectives[1]. It helps ensure effective reporting and guarantee that the entity complies with laws and regulations. With a more comprehensive view of risk and risk management, ERM helps management to achieve the entity’s performance and profitability targets and prevent loss of resources.

Despite the importance of ERM implementation, limited research has been conducted to investigate the level of ERM implementation in Tunisian companies. Moreover, there are limited studies in literature that examine the determinants of this implementation. Most of these studies have been conducted in developed countries and emerging economies (Dabari and Saidin, 2015). Based on the above, we aim to examine the level of ERM implementation in Tunisian companies and to test a conceptual framework for the determinants of this implementation. Besides, an index to measure the level of ERM implementation is proposed.

Over the past few years, the Tunisian context has undergone significant change, resulting in new challenges and contributing to political, economic and social instability, which has been reinforced by the series of revolutions that swept through the Middle East and North Africa (Perkins, 2014). Since then, Tunisian companies have faced mutations and changes posing many risks at all levels. These companies are required to identify and manage their internal risks, including those related to the unfavorable conditions of the country.

This study is structured as follows. First, we provide a brief summary of the literature on ERM. Then, we develop our hypothesis by describing the ERM determinants. Third, we describe the data collection and research methodology. Fourth, we present the findings and the discussion. Finally, the conclusion and the implications are presented.

The literature on enterprise risk management

“Risk is a variable that can cause variation from an expected outcome, and as such may affect the achievement of business objectives and the performance of the overall organization” (Lam, 2017, p. 4). Different types of risks may be cited. There are, for example, operational risks, financial risks, ineffective internal communication, customer-related risks, political and social instability, etc. In light of those numerous risks, the organization should set up a process allowing it to effectively understand and manage these identified risks; such is the goal of ERM (Reding et al., 2011).

There are various definitions of ERM. The Committee of Sponsoring Organizations of the Treadway Commission defines ERM as:

A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives [Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2004].

Razali and Tahir (2011) define ERM as a “systematically integrated and discipline approach in managing risks within organizations to ensure firms achieves their objective which is to maximize and create value for their stakeholders”. Dafikpaku (2011), on the other hand, points out that ERM covers all risks, both internal and external, integrates and views all risks from a board, creating awareness organization-wide, with the goal of creating, protecting and enhancing shareholder value by mitigating risks and seizing opportunities in a continuous process. Later, Lam (2017, p. 11) defines ERM as:

An integrated and continuous process for managing enterprise-wide risks in order to minimize unexpected performance variance and maximize intrinsic firm value. This process empowers the board and management to make more informed risk/return decisions by addressing fundamental requirements with respect to governance and policy.

It emerges from these definitions that risk management is inherent to all aspects of the organization. It aims to be global and should cover all the activities, processes and assets. ERM allows a higher perception of opportunities and a greater apprehension of the risks. From the perspective of agency theory, ERM can help an organization to achieve its business objectives and ultimately maximize shareholder’s value (Daud et al., 2010).

Following the publication of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004) and ISO 31000 (2009) standard, ERM is based on a dynamic process defined and implemented by the organization which includes a set of steps to keep the risks to an acceptable level. These steps consist in defining the organizational framework of risk management, risk identification, risk analysis, risk treatment, monitoring and review (Appendix 1). Taking into consideration the monitoring and review step, ERM is not a sequential process in which a step affects only the next. It is indeed an iterative process by which any point has an immediate and direct impact on others. Both COSO and ISO use a formal and comprehensive model that should be usable by any organization regardless of its size, activity or sector. By adopting a contingency approach to ERM implementation, these entities avoid recommending a universal risk management process that should be applied in different contexts. Thus, the appropriate ERM process varies from firm to firm (Gordon et al., 2009).

In literature, studies on ERM can be classified along three main lines: describing the level of ERM implementation (Beasley et al., 2005; Beasley et al., 2015; Milos Sprcic et al., 2015), analyzing the determinants of ERM implementation (Liebenberg and Hoyt, 2003; Beasley et al., 2005; Hoyt and Liebenberg, 2011) and assessing the ERM effectiveness (Pagach and Warr, 2010; Yazid et al., 2011; Abdullah et al., 2017).

Effectiveness of ERM implementation has been studied from a firm performance perspective, value perspective, default risk perspective and disclosure requirements perspective (Musyoki and Komo, 2017). The results of empirical research are mixed. On one hand, Yazid et al. (2011) note that ERM adds value to individual companies and supports the overall economic growth by lowering the cost of capital and reducing the uncertainty of commercial activities. On the other hand, Pagach and Warr (2010) find no evidence of ERM effects on market value and firm performance. Gordon et al. (2009) argue that the relation between ERM and firm performance depends on how well ERM implementation matches firm-specific factors. In ERM, there is a variation in regulatory environment, along with variations in firm’s characteristics and host countries (Bromiley et al., 2015). Recently, Abdullah et al. (2017) find that ERM is negatively related to firm value and contradicts the arguments by corporate risk management proponents that the valuation effect of ERM does not happen immediately. It requires ultimate commitments from all organization members as well as financial pledges so as to ensure the success of the ERM program and provide greater benefits in the long term.

In addition, current studies have shown that the ERM effect depends on the maturity of ERM implementation. It seems that firms with mature ERM processes achieve greater operational performance than those with less mature risk management processes (Callahan and Soileau, 2017). Other empirical results show that firms with advanced levels of ERM implementation present higher performance, both as financial performance and as market evaluation (Florio and Leoni, 2017).

Considering ERM maturity, many authors (Ahmad et al., 2014; Milos Sprcic et al., 2017) argue that organizations have different levels of ERM implementation which are revealed by the ERM characteristics assumed by these entities. Initially, Beasley et al. (2005) in their study of the level of 123 firms identified five ERM stages, namely no plans to implement ERM, investigating ERM but no decision yet, planning to implement ERM, partial ERM and
complete ERM in place. On the same note, Yazid et al. (2011) proposed three levels of ERM implementation in the Malaysian context, namely, complete ERM, partial ERM and planning to adopt ERM. More recently, Beasley et al. (2015) propose five levels called very immature, developing, evolving, mature and robust ERM. Similarly, Milos Sprcic et al. (2015) develop an ERM Index that measures the quality of the ERM process within the company. Three levels of ERM implementation were identified, namely ERM highly developed, ERM moderately developed and ERM not developed. Finally, Lotti Oliva (2016) proposes a maturity model with five levels called insufficient, contingency, structured, participative and systemic ERM.

In respect to determinants of ERM implementation, Beasley et al. (2005) examined several factors in diverse US and international organizations. The findings reveal that the level of ERM implementation is positively associated with the presence of a risk office, BOD independence, support of the Chief Executive Officer (CEO) and Chief Financial Officer (CFO), presence of a big four auditor, entity size and type of industry (banking, education and insurance industries). Yazid et al. (2012) propose seven factors that could possibly influence any organization to eventually implement ERM. The factors include the appointment of a Chief Risk Officer (CRO), leverage, profitability, international diversification, majority shareholders, size and turnover. Eckles et al. (2014) in their study concluded that the adoption of a strategic risk management system was related to the diversified nature of the organization, organizational size and the returns on stock volatility.

Research hypothesis

The extant literature suggests that organizations vary in the extent to which they have adopted ERM. Some organizations have developed process, whereas others rely on rather ad hoc responses to risks as they become manifest (Paape and Speklé, 2012). From the thorough review of related literature in this particular area of interest, several factors are associated with the extent of ERM implementation (Beasley et al., 2005; Pagach and Warr, 2011; Milos Sprcic et al., 2017). Considering the contingency perspective, there is no general theoretical framework that can predict the key factors influencing ERM implementation. However, based on the extant literature, we focus on factors frequently applied in previous research including CRO, internal auditor (IA), type of industry and firm size.

Chief risk officer and ERM implementation

The role of a CRO has begun to gain worldwide acceptance over the past several years. The trend that began in the US financial services industry in the 1990s has extended into Europe and Asia, as well as other industries (Lam, 2001). It is therefore important to highlight that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004) Report on ERM suggested the essential need of a CRO as someone who works closely with other managers in establishing effective Risk Management for the entire company. The value of the CRO has risen worldwide after the economic meltdown of 2008, when companies prioritized the development of comprehensive ERM frameworks; increased regulation has also aided the rise of the CRO (Lam, 2017). This trend will continue due mainly to external stakeholders demanding more effective risk controls, growing acceptance of the role of a CRO and new technologies and products that support ERM.

As a leader of risk management, the CRO is responsible for creating, implementing and managing a risk management function across the organization. Lam (2017) cited numerous responsibilities of the CROs. These include providing an overall leadership and vision for
ERM; establishing integrated risk management across separate business units in the organization; overseeing the risk taking activities of the organization; and developing risk analytical and data management capabilities. The CRO should implement board and corporate-level reporting in all risk areas and regulatory compliance; develop risk management policies and quantify firm-wide risk appetite; and communicate the company’s risk profile to key stakeholders (regulators, rating agencies and business partners).

Some authors argue that the emergence of the CRO is the key to managing and monitoring enterprise risk (Lam and Kawamoto, 1997). They strongly suggest that companies should consider appointing a CRO to manage all the potential risks. According to Beasley et al. (2005), the existence of a CRO constitutes a highly significant determinant for an existing ERM system. Other studies note that there is a significant relationship between the presence of a CRO and the level of ERM implementation (Godson and Werner, 2016). Hence, this study hypothesizes that:

H1. Firms, which have a Chief Risk Officer, are more likely to have implemented a complete ERM.

Internal auditor and ERM implementation

The role of internal audit[2] continues to evolve into a more risk focused one (Wang and Li, 2011). In this spirit, companies need the existence of two structures, one to establish a risk management process, and the other to assess the effectiveness of this process. While the first is inherent to ERM, the second is a part of the missions of the internal audit. The internal audit helps an organization to accomplish its objectives by evaluating and improving the effectiveness of its processes relating to business governance, risk management and internal control (Institut Français des Auditeurs et des Contrôleurs Internes, 2011). Explicitly, internal auditors are expected to be increasingly involved in ERM by providing assurance that the entity’s risk exposures are well managed (Thompson, 2013).

Internal auditors should be experts in risk management. They can perform a range of risk management activities. The Institute of Internal Auditors (Institute of Internal Auditors, 2004 and 2011) presents and indicates which roles internal audit activities should and should not undertake.

Core internal auditing roles in regard to risk management: They form part of the wider objective of giving assurance on risk management. An internal audit function can give assurance on risk management processes. It can also ensure that risks are correctly evaluated, evaluate risk management processes and review the management of key risks.

Legitimate internal auditing roles with safeguards: They are generally considered consulting roles that can greatly enhance the value provided by internal auditing in risk management. These roles include facilitating the identification and evaluation of risks, coaching management in responding to risks, coordinating the risk management activities, maintaining and developing the risk management framework, etc.

Roles internal auditing should not undertake: These roles are management responsibilities that would clearly impair the internal audit activity’s objectivity, particularly, setting the risk appetite, imposing risk management processes, taking decisions on risk responses, implementing risk responses on management’s behalf and accountability for risk management.

Considering the risk management process, an internal auditor can be responsible for certain activities related to steps defined below, mainly: defining the organizational
framework of risk management, risk identification, risk analysis, monitoring and review. Clearly, internal audit should provide advice, challenge and support to management’s decision-making (Institute of Internal Auditors, 2004).

Walker et al. (2003) note that although the auditors’ role in ERM varies among surveyed companies, the function’s contribution is significant in every case and auditing’s efforts made significant contributions to the ERM implementations. Meanwhile, the research of Dabari and Saidin (2015) revealed that the internal audit effectiveness is associated with the level of risk management implementation. Based on the above, the appointment of an internal auditor may facilitate the implementation of a structured ERM. Hence, this study hypothesizes that:

H2. Firms, which have an internal auditor, are more likely to have implemented a complete ERM.

Firm’s industries and ERM implementation. Industry is a relevant determinant of an ERM program, as some industries are more regulated than others. Dabari and Saidin (2015) note that the firm’s decision to implement ERM is influenced by external factors such as corporate governance, laws and regulatory compliance. Hence, firms operating in regulated industries such as financial firms are more likely to adopt ERM and they have been at the head of ERM implementation (Golshan and Rasid, 2012).

The impact of the firm’s industries is studied by Beasley et al. (2005), focusing on the banking, education and insurance industry. Their results show that these industries are indeed more advanced in the development of ERM frameworks as opposed to other sectors. Similarly, Paape and Speklé (2012) find that the extent of ERM implementation is influenced by the regulatory environment, internal factors, ownership structure and firm- and industry-related characteristics. From a theoretical perspective, institutional theory suggests that, in the presence of a regulated environment, a number of organizations are required to implement ERM processes so that their organizations are in line with external pressures (Powell, 1991).

While regulated industries are more likely to implement a developed ERM system, the Deloitte survey (2015) showed that a gap exists between financial firms in Tunisia concerning their ERM maturity. This survey provides evidence that the ERM process is more developed in banks than in leasing and insurance companies, even if leasing and banks are governed by the same prudential standards. Based on the arguments that arise from the presented literature, the following hypothesis is proposed:

H3. Entities in the banking industry are more likely to implement a complete ERM.

Firm size and ERM implementation. Many firms lack the resources and reliable mechanisms to support their risk-management activity and this is particularly notable for small- and medium-sized enterprises (Brustbauer, 2016). Zhao and Singhaputtangkul (2016) noted that, for smaller firms under less regulatory pressure, it may be unnecessary to fully implement ERM because the cost associated with ERM would not be exceeded by the benefits of ERM. Larger companies tend to have more resources to implement an ERM system (Beasley et al., 2005). Further, a larger company size is generally associated with an increasing scope and complexity of risks, which increases the likelihood of an ERM implementation (Gatzert and Martin, 2015). In addition, larger firms tend to be more formalized, which may be conducive to ERM adoption (Paape and Speklé, 2012). Pagach and Warr (2011) found that larger firms are more likely to adopt integrated risk management processes. A positive correlation of the company size with the extent of the risk management system has also been shown in other works (Eckles et al., 2014; Milos Sprcic et al., 2015). We examine the following hypothesis:

H4. Larger firms are more likely to implement a complete ERM.

Methodology

Data collection

From the whole population of Tunisian companies, we consider a sample of firms listed in the “Tunisie Index” business register for the two regions of Sfax and Tunis[3]. The cluster sample was randomly selected through several types of industry (banks, leasing companies, insurance companies, service firms, manufacturing and trade companies). Companies operate in different industries and vary significantly regarding their size, which allows us to examine industrial and size related effects on ERM implementation. From 100 companies contacted, 80 respondents agreed to participate in the study.

The survey was pretested by four practitioners and appropriate revisions were then made. In 2016, a survey questionnaire was self-administered to CROs and more often to internal auditors and financial directors. Additional data were collected from annual reports and notes to the financial statements (2015).

The questionnaire comprised two sections. The first one included questions related to the process of risk management. Five steps related to ERM were involved: the definition of the organizational framework of risk management, risk identification, risk analysis, the treatment of risks, monitoring and review. The second section contained some questions about the major risks that the surveyed companies had encountered (risk of insolvency of customers, staff’s stress, etc.). Additional questions were asked to indicate the current responsibility of internal auditors in ERM activities and to examine the presence of a CRO, firm size, industry, difficulties related to internal audit and internal control functions.

Research model

Survey data were analyzed by using multivariate analysis. Ordinal logistic regression was estimated as it is a form of multiple logistic regression used when the dependent variable is ordinal and the independent variables are of any type (Garson, 2014). The research adopted a quantitative approach through the use of survey responses and used STATA 13 and SPSS version 20 to analyze the responses. SPSS was used for preliminary analysis and Logistic regression, while STATA was applied for testing Ordinary Least Squares (OLS) assumptions. To address our research question, we used the following ordinal regression model:

ERM I = f (CRO, IA, BANKS, SIZE).

Here, ERM I represents the level of ERM implementation; CRO represents Chief Risk Officer; IA represents Internal auditor presence; BANKS represents banking industry; and SIZE represents the size of the company.

Research variables. The dependent variable, Level of ERM implementation, has been designed in the form of an ordinal measure of an ERM index that can take the value from 0 to 15, depending on the number of ERM characteristics listed below that are present within the company (Milos Sprcic et al., 2015). The development of those characteristics has been mainly based on the work of the Autorité des marchés financiers - AMF (2010) and the Institut Français des Auditeurs et des Contrôleurs Internes (2010):

• Have you identified and communicated the main objectives of your company?
• Do you plan to have a process to manage risks?
• Does every department manage its own risks separately and without coordination with others (accounting/financial/operational risks, etc.)?
• Do you have a formalized process to identify several risks?
• Do you have a formalized process to evaluate and analyze the possible effects of identified risks?
• Do you manage all identified corporate risks with an integrated analysis (e.g. financial, strategic, operational, compliance and reporting risks)?
• Are there official risk management policy and procedures in your company?
• Does your company have a written statement of the firm’s risk appetite?
• Do you have a risk response plan for risks surpassing the firm’s risk appetite?
• Do you have a CRO, a risk committee or a risk function in your company?
• Do you organize meetings in your company to discuss exposures to different types of risks and risk management strategies?
• Do you submit formal reports on risk management to the management board?
• Does your company create a risk map (cartography) indicating the probability of occurrence and significance of identified risks to the business activity?
• Do you communicate risk analysis to decision makers?
• Are your risk management policy and procedures revised to be adapted to new and emerging risks?

Companies are categorized according to their Index, which can take a value from 0 to 15 (Table I). Four groups can be observed. In the first group, called No ERM, companies have just a plan (or not) to implement ERM. This group includes companies that have little awareness of the enterprise risks. In some cases, the risk culture is entirely absent. The Partial ERM framework is focused on treating individual and specific risks (accounting and financial risks, operational risks and fiscal risks). The Evolving ERM is an integrated view of ERM but the framework is not well formulated. The ERM process is evolving but the adoption of risk management practices occurs in a non-structured manner (lack of communication, procedures not formulated, absence of a risk map). The Complete ERM is an integrated and structured ERM framework.

The independent variable CRO = 1 if the company has a CRO, else 2. The independent variable IA = 1 if the company has an IA, else 2. The independent variable BANKS = 1 if the organization is a bank, else 2. The independent variable SIZE was measured as proposed by the Conseil du Marché Financier (CMF) (2006): a small- and medium-sized enterprise (SME) is an entity whose immobilized net assets are less than 4 million dinars and whose number of employees is smaller than 300. The variable SIZE = 1 if the organization is large, else 2.

Table I. Correspondence between level of ERM and index value

| Level of ERM implementation | Index value | Code |
|---|---|---|
| No ERM | 0-2 | 0 |
| Partial ERM | 3-5 | 1 |
| Evolving ERM | 6-9 | 2 |
| Complete ERM | 10-15 | 3 |


Findings and discussions

From descriptive statistics (Appendix 2), 40 per cent of the companies (n = 32) have appointed a CRO. Of these 32, 25 belong to financial institutions. Most of the entities (75 per cent) have audit services and internal control. Their tenure mostly exceeds five years, which is not the case for risk management. The surveyed companies operate in different industries, and 65 per cent of them are large. A disparity in the stage of ERM implementation across entities is observed in our sample, as follows.


Level of ERM implementation in Tunisian companies

The analyzed value of the ERM index allows us to categorize companies according to their level of ERM implementation. Most companies are interested in ERM, but it is implemented to different extents (Figure 1). Of 80 companies, 37 (46.25 per cent) had a partial ERM framework focused on treating specific risks (accounting and financial risks, operational risks and fiscal risks). Companies are not aware of the global risks to which they are subject. In all, 12 companies (15 per cent) had an evolving ERM; they rely on an integrated process, but the risk management system is not well formalized. Only 15 companies (18.75 per cent) had a complete ERM, which is an integrated and structured ERM framework. Eight of these companies are banks. However, 16 companies (20 per cent) have just a plan (or not) to implement ERM.

Figure 1. ERM implementation in Tunisian companies

Descriptive statistics show that the level of ERM implementation differs by type of industry. Specifically, ERM is generally better developed within financial industries (banks, leasing and insurance) than in other industries (service, manufacturing and trade). Pearson’s chi-square test of independence supports the existence of dependence between the type of industry and ERM maturity (Table II). Interestingly, organizations in the financial industries either have adopted ERM or are making progress towards adopting it; none of the respondents indicated that ERM is rejected by their organization. It seems that regulatory influence may strongly encourage companies to implement an integrated approach to ERM. Nevertheless, some gaps may be observed between these institutions concerning their ERM maturity, which supports the Deloitte (2015) survey. The ERM process is more developed in banks than in leasing and insurance companies (Table II), even though leasing companies and banks are governed by the same regulations.

ERM is less developed in non-financial institutions. In half of the cases, ERM is disaggregated and focused on specific risks. Only 9 out of 52 companies have a global approach to managing risks (Evolving and Complete ERM). Most of them are large companies or belong to a holding group (Poulina Group Holding, Delice Holding, Nestlé).

Table II. ERM implementation among industries

| ERM implementation | Banks | Leasing | Insurance | Service | Manufacturing | Trade | Total |
|---|---|---|---|---|---|---|---|
| No ERM | 0 | 0 | 0 | 4 | 7 | 5 | 16 |
| Partial ERM | 1 | 3 | 6 | 5 | 19 | 3 | 37 |
| Evolving ERM | 6 | 1 | 1 | 1 | 2 | 1 | 12 |
| Complete ERM | 8 | 2 | 0 | 1 | 4 | 0 | 15 |
| Total | 15 | 6 | 7 | 11 | 32 | 9 | 80 |

Notes: Pearson chi-square (χ²) = 44.499; p = 0.000

Factors associated with ERM implementation

Before the application of logistic regression analysis, bivariate correlations between variables, VIF values and tolerance were examined to check for multicollinearity. The tables reported in Appendix 3 indicate that the correlations between the independent variables are low. In addition, the calculated VIF values are smaller than 5 and the tolerance is above 0.20. When all the findings obtained are considered, it is clear that there is no problem of multicollinearity between the independent variables (Garson, 2014).

The multivariate regression results are presented in Appendix 4. The explanatory power of the model is significant (Model Chi-Square = 95.514, p < 0.000) with a Cox and Snell Pseudo R-Square of 69.7 per cent. Thus, the full model predicts the outcome. Furthermore, to meet the parallel lines assumption[4], the Evolving ERM and Complete ERM were combined to form a single level referring to an integrated approach to managing risks. From the observed significance levels in Table III, we note that the four independent variables could influence ERM implementation. The significance levels of these variables were less than 0.05, and they all have positive coefficients. Thus, the four hypotheses developed below are accepted.

Chief risk officer

The positive and significant coefficient for CRO suggests that the presence of a CRO is positively associated with the extent of ERM implementation.
This finding supports other works (Beasley et al., 2005; Godson and Werner, 2016), suggesting that the presence of a CRO among the senior management team significantly increases the entity’s stage of ERM deployment. Liebenberg and Hoyt (2003, p. 43) argued that if companies fail to hire a CRO, it does not mean the companies do not have an ERM program in place. Some firms might use the committee system, and others might include the ERM responsibility in the CEO function. However, in their study, the CRO is one of the factors that encourage the companies to engage themselves in ERM. According to these authors, CROs often hold advanced degrees and possess a high level of technical expertise. Furthermore, the CRO is likely to have the necessary communication skills that are required to promote the importance of ERM to the board and to inform external stakeholders of the firm’s risk profile. By creating a CRO position, a company is signaling both internally and externally that it is serious about integrating all of its risk management activities under a more powerful senior-level executive. However, the CRO faces three interrelated challenges that he must work to overcome: reporting structure and collaboration, measuring and communicating the value of ERM efforts to key stakeholders and making risk management an integral part of corporate culture (Lam, 2017). In this context, a quality CRO is essential and extremely important in ensuring the successful implementation of the ERM program as a whole (Daud et al., 2010).

Table III. Parameter estimates

| | Variables | Estimate | Std. Error | Wald | df | Significance |
|---|---|---|---|---|---|---|
| Threshold[5] | [ERM = 0] | 2.052 | 0.761 | 7.263 | 1 | 0.007** |
| Threshold[5] | [ERM = 1] | 8.853 | 1.863 | 22.587 | 1 | 0.000*** |
| Location | [CRO = 1] | 1.844 | 0.809 | 5.193 | 1 | 0.023** |
| Location | [IA = 1] | 4.665 | 1.249 | 13.953 | 1 | 0.000*** |
| Location | [BANKS = 1] | 2.281 | 1.146 | 3.959 | 1 | 0.047** |
| Location | [SIZE = 1] | 2.702 | 1.055 | 6.560 | 1 | 0.010** |

Notes: ***p < 0.001; **p < 0.05

Internal auditor

According to the regression results, the appointment of an internal auditor is positively related to ERM implementation. This shows that there is a significant difference in the level of ERM maturity depending on whether there is an internal auditor. The present paper shows that the internal audit function is involved in the risk management process, which supports other works conducted in the Tunisian context (Oussii and Boulila, 2015). However, it seems that internal audit involvement in areas deemed “core” activities and legitimate with safeguards is moderate and involvement in areas deemed inappropriate is high (Institute of Internal Auditors, 2011). When asked to specify the roles of internal audit in the risk management process, the respondents claim that the internal auditor participates in risk identification and risk analysis.
They are involved in preparing the risk cartography and in half of the cases they are invited to participate in risk treatment. Similarly, Zwaan et al. (2011) investigated the use of ERM and the role of internal audit in ERM in Australian private and public sector entities. The results of the study showed that internal auditors are involved in ERM assurance activities but some also engage in activities that could compromise objectivity. The study hypothesized that internal auditors would be less willing to report when their involvement in ERM is high. This hypothesis was strongly supported and was also robust to sensitivity analyses. This result suggests that internal auditors perceive that extensive involvement in ERM has a negative impact on objectivity.

Banking industry

The regression statistics support the existence of dependence between banking and ERM implementation. According to Beasley et al. (2005), banks and other regulated firms are further into their ERM implementations, which is probably because of explicit calls for more effective risk management emerging from industry regulators. These empirical findings are generally consistent with theoretical arguments regarding the dependence between ERM implementation and a firm’s industry (Soltanizadeh et al., 2014). The fact that banks are the best equipped in the management and surveillance of risk can be explained by the existence of a legal and regulatory framework. In this respect, regulators are pressing firms to improve risk management and risk reporting in many countries. Examples of such regulatory pressure include the Sarbanes–Oxley Act in the USA, the Combined Code on Corporate Governance in the UK and the Dutch Corporate Governance Code (Paape and Speklé, 2012). Similarly, the Central Bank of Tunisia implemented several rules of good governance that seek to establish a prudent management of credit institutions (Banque Centrale de Tunisie - BCT, 2011). Credit institutions have to establish an executive credit committee to examine the financing activity, a permanent internal audit committee in charge of ensuring that internal control mechanisms are put in place and a risk committee that helps the Board of directors to fulfil its responsibilities relative to managing and monitoring risk. Rasid and Rahman (2009), who investigated management accounting and risk management practices in financial institutions in Malaysia, found that financial institutions tend to adopt ERM because of the requirements set by regulators.

Firm size

Regression results support the existence of dependence between the level of ERM implementation and the firm size. More specifically, larger companies are more likely to have developed ERM compared with SMEs. In accordance with prior research (Beasley et al., 2015), firm size is an important factor associated with greater ERM maturity. It is a logical argument that when an organization’s size increases, the nature, timing and extent of the threatening events it faces will differ as well. In addition to having a greater need for more effective ERM techniques, larger entities may have greater ability to implement ERM due to greater resources (Golshan and Rasid, 2012). According to Pagach and Warr (2011), who investigated the characteristics of firms that hire CROs, larger firms have greater risk of financial distress and more volatile operating cash flows and, as a result, they are more likely to adopt ERM practices. Consistent with the prior studies, Milos Sprcic et al. (2017) noted that this result supports the scale economies argument that larger firms have a more developed risk management process due to larger risk exposures and the high expenses of its implementation. Accordingly, most of the studies provide evidence that larger companies are more likely to engage themselves in ERM activities.
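Table II reports a Pearson chi-square of 44.499 for the 4 x 6 cross-tabulation of ERM level by industry. The following added example (not part of the paper) recomputes that statistic from the printed counts, counts the cells whose expected frequency is below 5, and repeats the test on a 2 x 2 collapse (financial vs non-financial industries, No/Partial vs Evolving/Complete ERM); the collapse grouping is an assumption made here, and only the Python standard library is used.

```python
import math

LEVELS = ["No ERM", "Partial ERM", "Evolving ERM", "Complete ERM"]
INDUSTRIES = ["Banks", "Leasing", "Insurance", "Service", "Manufacturing", "Trade"]
# Observed counts as printed in Table II (rows follow LEVELS, columns follow INDUSTRIES).
TABLE_II = [
    [0, 0, 0, 4, 7, 5],
    [1, 3, 6, 5, 19, 3],
    [6, 1, 1, 1, 2, 1],
    [8, 2, 0, 1, 4, 0],
]


def chi2_sf(x, df):
    """Upper-tail probability P(X >= x) for a chi-square variable with integer df."""
    if df < 1:
        raise ValueError("df must be a positive integer")
    if x <= 0:
        return 1.0
    if df % 2 == 0:
        # Even df: exp(-x/2) * sum_{k=0}^{df/2-1} (x/2)^k / k!
        term = total = 1.0
        for k in range(1, df // 2):
            term *= (x / 2) / k
            total += term
        return math.exp(-x / 2) * total
    # Odd df: erfc(sqrt(x/2)) + sqrt(2x/pi) * exp(-x/2) * sum_k x^k / (1*3*...*(2k+1))
    term, total = 1.0, 0.0
    for k in range((df - 1) // 2):
        if k:
            term *= x / (2 * k + 1)
        total += term
    return math.erfc(math.sqrt(x / 2)) + math.sqrt(2 * x / math.pi) * math.exp(-x / 2) * total


def pearson_chi2(table, row_labels, col_labels):
    """Pearson chi-square test of independence on a contingency table of counts."""
    row_tot = [sum(r) for r in table]
    col_tot = [sum(c) for c in zip(*table)]
    if 0 in row_tot or 0 in col_tot:
        raise ValueError("empty row or column: an expected count would be zero")
    n = sum(row_tot)
    stat, sparse, residuals = 0.0, 0, {}
    for i, row in enumerate(row_labels):
        for j, col in enumerate(col_labels):
            expected = row_tot[i] * col_tot[j] / n
            observed = table[i][j]
            stat += (observed - expected) ** 2 / expected
            sparse += expected < 5  # rule of thumb for the chi-square approximation
            residuals[(row, col)] = (observed - expected) / math.sqrt(expected)
    df = (len(row_tot) - 1) * (len(col_tot) - 1)
    return {
        "chi2": stat,
        "df": df,
        "p": chi2_sf(stat, df),
        "sparse_cells": sparse,
        "cells": len(row_tot) * len(col_tot),
        # Cell with the largest absolute Pearson residual, i.e. the biggest contributor.
        "top_cell": max(residuals, key=lambda k: abs(residuals[k])),
    }


def collapse(table, row_groups, col_groups):
    """Merge rows and columns by summing the counts of the listed indices."""
    return [[sum(table[i][j] for i in rg for j in cg) for cg in col_groups]
            for rg in row_groups]


if __name__ == "__main__":
    full = pearson_chi2(TABLE_II, LEVELS, INDUSTRIES)
    print("4 x 6 table: chi2=%.3f df=%d p=%.6f" % (full["chi2"], full["df"], full["p"]))
    print("cells with expected count < 5: %d of %d" % (full["sparse_cells"], full["cells"]))
    print("largest residual:", full["top_cell"])

    # Assumed grouping: No/Partial vs Evolving/Complete, financial vs non-financial.
    small_table = collapse(TABLE_II, [[0, 1], [2, 3]], [[0, 1, 2], [3, 4, 5]])
    small = pearson_chi2(small_table, ["No/Partial", "Evolving/Complete"],
                         ["Financial", "Non-financial"])
    print("2 x 2 collapse: chi2=%.3f df=%d p=%.6f" % (small["chi2"], small["df"], small["p"]))
```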
Conclusion and implications

Tunisian companies are increasingly confronted with issues of risk, particularly in the post-revolution context. While some of them are specific to companies (customer insolvency, personnel’s stress and anxiety, etc.), others are related to business sectors and relevant to economic, political and social conditions in the country. Some problems are, though, better controlled, mainly the political instability (Banque Centrale de Tunisie - BCT, 2014).

On the level of ERM implementation, the analyzed value of the ERM index allows us to note that 46.25 per cent of analyzed companies have a partial ERM framework focused on treating specific risks. In all, 15 per cent of the companies have an evolving ERM, while 18.75 per cent of the surveyed companies have a complete ERM. A silo approach is more common than an integrated and structured approach to ERM in Tunisian companies. Similar results were observed in other contexts, mainly Croatian (Milos Sprcic et al., 2017). It seems that ERM implementation is at an early stage compared with other studies (Rasid and Rahman, 2009; Ahmad et al., 2014).

By adopting a contingency approach to ERM implementation, the appropriate ERM process varies from firm to firm; however, some factors are frequently cited as determinants of ERM implementation. We find that the extent of ERM implementation is positively related to the presence of a CRO, internal auditor, firm size and type of industry. Our results regarding the determinants of ERM implementation appear to replicate the findings of earlier work in this line of research.


It was argued that ERM is essentially developed in banks and some large companies operating in non-financial industry; otherwise, it has not been sufficiently structured and formalized. According to some respondents, having an informal or a limited risk management process can be explained by the lack of skills and inappropriate management tools. For others, the ERM implementation has revealed not only technical but also significant social challenges, essentially the lack of risk consciousness.

This study provides insightful results showing that organizations having a CRO are more likely to have an integrated approach to ERM. It seems that a formal risk management function, or a CRO, risk management should involve a wide range of people and be developed. In any case, the CRO needs to have some attributes such as well-developed risk consciousness, knowledge of main business processes, current education in Risk Management curriculum, communication skills that include working with individuals at all levels, facilitation skills and skills in finance, accounting and insurance (Rosa, 2007).

In addition, our study proves that the presence of an internal auditor may help the organization to implement ERM. Concerning the role of internal auditors in ERM implementation, they are involved in the risk management process, specifically in risk identification and risk treatment. As the treatment function raises significant threats to objectivity, the Institute of Internal Auditors (2011) notes that if the organization has a significant need related to risk management and nobody else has the experience to fill that need, it may be better if an internal auditor fills that role rather than nobody at all. Consistent with other studies (Sarens and De Beelde, 2006), the internal auditing profession is in a kind of “transition phase”. To survive this transition phase, internal auditors need to assume a “teaching role” to the different management levels to make them aware of their responsibilities in risk management. After this transition period, this situation should not continue, so as to allow internal audit to fully ensure its mission as an evaluator of the effectiveness of the risk management process (Thompson, 2013). However, some difficulties may hinder the internal auditor in playing his roles, mainly staff resistance, the low sensitivity of the leaders as well as the difficulty of controlling the higher hierarchical levels. More needs to be done to ensure independence and objectivity, particularly with respect to risk management, control and governance (Al-Akra et al., 2016), even as the Middle East and North Africa (MENA) region was expected to experience the most significant changes in the regulation of internal auditing (Institute of Internal Auditors, 2010).

Moreover, larger firms are more likely to have developed ERM. Indeed, small and medium companies need to develop their risk management process given the complexity of the organizational environment. They should also designate people to be responsible for managing their own risk management and assessment process. Brustbauer (2016) found numerous examples of small and medium companies that take a very proactive approach to risk management. The key to success is awareness of firm-related risks; being aware of risks is the prerequisite for ERM activity.

Besides, financial industries have a more developed ERM than other industries. Nevertheless, some gaps may be observed between companies concerning the extent of ERM implementation. The fact that financial companies are the best equipped in the management and surveillance of risk can be explained by the existence of legal and regulatory frameworks. Hence, the governance regulation and the associated pressure to invest in risk management affect ERM development. To the extent that the codes are mandatory, the intensity of enforcement varies (Paape and Speklé, 2012).


In this respect, like all countries looking for a greater stability of their financial system, Tunisia has implemented reforms aimed mainly at better risk management (Kanzari and Mraihi, 2017). The Tunisian Central Bank continues the adoption of Basel II and prepares all banks for Basel III. Other sectors, such as the insurance sector, are also being addressed by reforms. The reforms will oblige Tunisian insurance firms to submit an auditor’s report to the regulator and to establish risk management committees (Oxford Business Group, 2016).

From the institutional perspective, Beasley et al. (2015) noted that companies may implement only minimal aspects of ERM just to be compliant with those frameworks, while the board and management fail to substantively embrace specific and robust key elements of what would be deemed an effective ERM. As noted by Mikes and Kaplan (2014), the effectiveness of risk management ultimately depends less on the guiding framework than on the people who set up, coordinate and contribute to risk management processes. Hence, more attention should be given to managerial attention as a driver behind the maturity and development of the ERM process. This is in line with recent research (Milos Sprcic et al., 2017), which found manager’s support to be an important determinant of ERM maturity.

In conclusion, this paper hopefully contributes to the existing body of knowledge on ERM. Conceptually, an ERM index was proposed to assess the level of ERM implementation. Empirically, the level of ERM implementation was evaluated in a new context. This study provides some empirical evidence that highlights factors determining the level of ERM implementation. Our findings indicate a low level of an integrated and structured ERM framework in Tunisian companies. According to respondents, such a level can be explained in part by technical and social challenges, mostly the lack of ERM expertise and risk consciousness.

It was argued that ERM is essentially developed in banks and some large companies operating in non-financial industry. It seems that regulatory pressure is considered a critical driver for ERM implementation. These findings support the argument that, as ERM is a relatively new paradigm in Tunisia, regulators could enforce the corporate governance regulation. Indeed, stricter sanctions for violations of prudential rules may help to better manage the firm’s risk exposure. When corporate governance codes are non-binding, the pressure might be easy to ignore. Other determinants are also important, mainly the presence of an internal auditor, the appointment of a CRO and the company size.

The main contribution of this study is that it highlights the importance of the legal and regulatory frameworks for enterprise risk management. This should provide motivation for stakeholders, essentially regulators, to support the implementation of ERM. Further, it emphasizes the need to acquire a CRO as an ERM expert to enhance ERM implementation. If not, audit officials could integrate functions relating to risk management until a structured function is developed. This study provides findings of interest to management teams, who should take into consideration several factors before ERM implementation.

Finally, limitations in this study are outlined, together with suggestions for further research. First, only four determinants were included in this study. Other important determinants of ERM implementation, such as risk culture and management commitment, should be reflected in future studies. Second, it must be mentioned that statistical techniques should be applied to validate the ERM index. Third, the relatively small sample size challenges the generalization of findings to firms other than those included in the study. Future research should evaluate the ERM effectiveness, essentially in financial institutions, where ERM practices could be just a reflection of a strict conformity to the laws and regulations.

Notes

1. ERM (Enterprise Risk Management) is synonymous with integrated risk management (IRM), holistic risk management, enterprise-wide risk management, and strategic risk management (Hoyt and Liebenberg, 2011, p. 795).
2. Internal audit is an “independent and objective organization that gives assurance on the degree of control over its operations, brings its advice to improve and helps to create added value. It helps an organization to accomplish its objectives by bringing a systematic, disciplined approach, processes of risk management, control and corporate governance; and making proposals to enhance their effectiveness” (Institute of Internal Auditors, 1999). More recently, the COSO (2004) released its integrated framework for ERM. Since then, there has been a global move towards an enterprise-wide approach to risk management.
3. Approximately 2,000 companies are registered on Tunisie Index for the regions of Tunis and Sfax.
4. The parallel lines test is a likelihood ratio test of the difference in -2 log-likelihood between a model constrained to have equal slopes for the predictor (location) variables and an unconstrained model. The parallel lines test is non-significant (p = 0.971), so the model is well-fitting, which meets the parallel lines assumption.
5. No ERM coded 0; Partial ERM coded 1; Evolving and Complete ERM coded 2. The last category does not have an odds associated with it, as the probability of scoring up to and including the last score is 1.

References

Abdullah, M., Abdul Hamid, M. and Yatim, P. (2017), “The effect of enterprise risk management on firm value: evidence from Malaysian technology firms”, Journal Pengurusan, Vol. 49, pp. 3-11.
Ahmad, S., Chew, N. and McManus, L.A. (2014), “Enterprise risk management (ERM) implementation: some empirical evidence from large Australian companies”, Procedia Social and Behavioral Sciences, Vol. 164, pp. 541-547.
Al-Akra, M., Abdel-Qader, W. and Billah, M. (2016), “Internal auditing in the Middle East and North Africa: a literature review”, Journal of International Accounting, Auditing and Taxation, Vol. 26, pp. 13-27.
Autorité des marchés financiers - AMF (2010), “Les dispositifs de gestion du risque et du contrôle interne, cadre de reference”, 36 pages.
Banque Centrale de Tunisie - BCT (2011), Circulaire aux établissements de crédit N°2011-06.
Banque Centrale de Tunisie - BCT (2014), Rapport annuel.
Beasley, M., Branson, B. and Pagach, D. (2015), “An analysis of the maturity and strategic impact of investments in ERM”, Journal of Accounting and Public Policy, Vol. 34 No. 3, pp. 219-243.
Beasley, M., Clune, R. and Hermanson, D.R. (2005), “Enterprise risk management: an empirical analysis of factors associated with the extent of implementation”, Journal of Accounting and Public Policy, Vol. 24 No. 6, pp. 521-531.
Bromiley, P., McShane, M., Nair, A. and Rustambekov, E. (2015), “Enterprise risk management: review, critique, and research directions”, Long Range Planning, Vol. 48 No. 4, pp. 265-276.
Brustbauer, J. (2016), “Enterprise risk management in SMEs: towards a structural model”, International Small Business Journal, Vol. 34 No. 1, pp. 70-85.
Callahan, C. and Soileau, J. (2017), “Does enterprise risk management enhance operating performance?”, Advances in Accounting, Vol. 37, pp. 122-139, doi: doi.org/10.1016/j.adiac.2017.01.001.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004), Internal Control – Integrated Framework, AICPA, New York, NY.
Conseil du Marché Financier (CMF) (2006), Bulletin du CMF, Vol. 2588, CMF, Tunisie.


Dabari, I.J. and Saidin, S.Z. (2015), “Determinants influencing the implementation of enterprise risk management in the Nigerian banking sector”, International Journal of Asian Social Science, Vol. 5 No. 12, pp. 740-754.
Dafikpaku, E. (2011), “The strategic implications of enterprise risk management: a framework”, Enterprise Risk Management Symposium, Society of Actuaries, March, pp. 14-16, available at: www.ermsymposium.org/2011/pdf/dafikpaku.pdf
Daud, W.N.W., Yazid, A.S. and Hussin, M.R. (2010), “The effect of chief risk officer (CRO) on enterprise risk management (ERM) practices: evidence from Malaysia”, International Business & Economics Research Journal (IBER), Vol. 9 No. 11, pp. 55-64.
Deloitte (2015), Baromètre de l’appétence aux risques Etat de lieux du secteur financier tunisien, Deloitte Touche Tohmatsu.
Eckles, D.L., Hoyt, R.E. and Miller, S.M. (2014), “The impact of enterprise risk management on the marginal cost of reducing risk: evidence from the insurance industry”, Journal of Banking & Finance, Vol. 43, pp. 247-261.
Florio, C. and Leoni, G. (2017), “Enterprise risk management and firm performance: the Italian case”, The British Accounting Review, Vol. 49 No. 1, pp. 56-74.
Garson, G.D. (2014), Ordinal Regression, Statistical Publishing Associates, Asheboro, p. 110.
Gatzert, N. and Martin, M. (2015), “Determinants and value of enterprise risk management: empirical evidence from the literature”, Risk Management and Insurance Review, Vol. 18 No. 1, pp. 29-53.
Godson, K.M. and Werner, D.G. (2016), “Enterprise risk management: factors associated with effective implementation”, Risk Governance and Control: Financial Markets & Institutions, Vol. 6 No. 4.
Golshan, N.M. and Rasid, S.A. (2012), “Determinants of enterprise risk management adoption: an empirical analysis of Malaysian public listed firms”, International Journal of Social and Human Sciences, Vol. 6, pp. 119-126.
Gordon, L.A., Loeb, M.P. and Tseng, C.Y. (2009), “Enterprise risk management and firm performance: a contingency perspective”, Journal of Accounting and Public Policy, Vol. 28 No. 4, pp. 301-327.
Hoyt, R.E. and Liebenberg, A.P. (2011), “The value of enterprise risk management”, Journal of Risk and Insurance, Vol. 78 No. 4, pp. 795-822.
Institut Français des Auditeurs et des Contrôleurs Internes (2010), Les pratiques de l’audit et du contrôle internes en France en 2009.
Institut Français des Auditeurs et des Contrôleurs Internes (2011), Manuel de contrôle interne: améliorer l’efficacité de la gouvernance, du contrôle interne et du management des risques.
Institute of Internal Auditors (1999), Definition of Internal Auditing, Altamonte Springs, Florida.
Institute of Internal Auditors (2004), The Role of Internal Auditing in Enterprise-Wide Risk Management, Altamonte Springs, Florida.
Institute of Internal Auditors (2010), What’s Next for Internal Auditing, Vol. 2, CBOK, Lake Mary, FL.
Institute of Internal Auditors (2011), Internal Auditing’s Role in Risk Management, Oracle, Lake Mary, FL, Vol. 2.
ISO 31000 (2009), “Risk management principles and guidelines”, Norme Internationale ISO 31000.
Kanzari, I. and Mraihi, F. (2017), “Financial stability and prudential requirements in Tunisian case”, International Business Research, Vol. 10 No. 10, pp. 126-131.
Lam, J.C. (2001), “The CRO is here to stay”, Risk Management, Vol. 48 No. 4.
Lam, J.C. (2017), Implementing Enterprise Risk Management, From Methods to Application, John Wiley & Sons, Hoboken, NJ, p. 432.
Lam, J.C. and Kawamoto, B.M. (1997), “Emergence of the chief risk officer”, Risk Management, Vol. 44 No. 9, p. 30.


Liebenberg, A.P. and Hoyt, R.E. (2003), “The determinants of enterprise risk management: evidence from the appointment of Chief risk officers”, Risk Management and Insurance Review, Vol. 6 No. 1.
Lotti Oliva, F. (2016), “A maturity model for enterprise risk management”, International Journal of Production Economics, Vol. 173, pp. 66-79.
Mikes, A. and Kaplan, R.S. (2014), “Towards a contingency theory of enterprise risk management”, Working Paper, Harvard Business School, January 13.
Milos Sprcic, D., Kozul, A. and Pecina, E. (2015), “State and perspectives of enterprise risk management system development – the case of Croatian companies”, Procedia Economics and Finance, Vol. 30, pp. 768-779.
Milos Sprcic, D., Kozul, A. and Pecina, E. (2017), “Manager’s support – a key driver behind enterprise risk management maturity”, Zagreb International Review of Economics and Business, Vol. 20 No. 1, pp. 25-39.
Musyoki, D. and Komo, L. (2017), “Risk factors and enterprise risk management in the financial services industry: a review of theory and evidence”, International Journal of Economics and Business Management, Vol. 3 No. 6, pp. 29-45.
Oussii, A.A. and Boulila, N.T. (2015), “Internal audit function in Tunisian listed companies: an explanatory study”, Research Journal of Finance and Accounting, Vol. 6 No. 19.
Oxford Business Group (2016), “The Report Tunisia 2016”, OBG, London.
Paape, L. and Speklé, R.F. (2012), “The adoption and design of enterprise risk management practices: an empirical study”, European Accounting Review, Vol. 21 No. 3.
Pagach, D.R. and Warr, R. (2010), “The effects of enterprise risk management on firm performance”, Working Paper, North Carolina State University, Raleigh.
Pagach, D. and Warr, R. (2011), “The characteristics of firms that hire chief risk officers”, Journal of Risk and Insurance, Vol. 78 No. 1, pp. 185-211.
Perkins, K. (2014), A History of Modern Tunisia, 2nd ed., Cambridge University Press, New York, NY.
Powell, W. (1991), “Expanding the scope of institutional analysis”, in Powell, W. and DiMaggio, P. (Eds), The New Institutionalism in Organizational Analysis, The University of Chicago Press, Chicago, IL, pp. 183-203.
Rasid, S.A. and Rahman, A.A. (2009), “Management accounting and risk management practices in financial institutions”, Jurnal Teknologi, Vol. 51 No. 1, pp. 89-110.
Razali, A.R. and Tahir, I.M. (2011), “Review of the literature on enterprise risk management”, Business Management Dynamics, Vol. 1 No. 5, pp. 8-16.
Reding, K.F., Sobel, P.J., Anderson, U.L., Head, M.J., Ramamoorti, S., Salamasick, M. and Riddle, C. (2011), Manuel D’audit Interne Améliorer L’efficacité De La Gouvernance, Du Contrôle Interne Et Du Management Des Risques, édition, IFACI, Paris.
Rosa, S. (2007), Taking a Closer Look at the Role of Chief Risk Officer, Accounting SA, Johannesburg.
Sarens, G. and De Beelde, I. (2006), “Internal auditors’ perception about their role in risk management: a comparison between US and Belgian companies”, Managerial Auditing Journal, Vol. 21 No. 1, pp. 63-80.
Soltanizadeh, S., Abdul Rasid, S.Z., Golshan, N., Quoquab, F. and Basiruddin, R. (2014), “Enterprise risk management practices among Malaysian firms”, Procedia-Social and Behavioral Sciences, Vol. 164, pp. 332-337.
Thompson, R.M. (2013), “A conceptual framework of potential conflicts with the role of the internal auditor in enterprise risk management”, Accounting and Finance Research, Vol. 2 No. 3.
Walker, P.L., Shenkir, W.G. and Barton, T.L. (2003), “ERM in practice: examples of auditing’s role in enterprise risk management efforts at five leading companies shed light on how this new paradigm is impacting audit practitioners”, Internal Auditor, Vol. 60 No. 4, pp. 51-55.



Appendix 1

Table AI. Practices related to ERM steps

ERM steps:
- Defining the organizational framework of risk management
- Risk identification
- Risk analysis
- Risk treatment
- Monitoring and review

Practices adopted:
- Define organizational goals
- Define the culture of the organization regarding integrity, ethical values and the way that risks are understood
- Specify responsibilities within the risk management process
- Develop an adequate information system
- Identify all internal and external events
- Distinguish between risks and opportunities
- Identify sources of risk
- Determine the level of risks and its sensitivity to preconditions
- Evaluate the probability of occurrence of risks and the related impacts
- Communicate the analysis to decision makers
- Establish risk cartography
- Help those responsible to make judgments to better manage the risks identified
- Align the level of risks with the risk appetite of the organization
- Determine the appropriate treatment: avoidance, reduction, sharing or acceptance
- Assure continuous or periodic assessments
- Draw lessons from the past experience of the organization
- Ensure that the treatments desired by the organization have effectively been implemented
- Verify whether the data necessary to manage risks are communicated in a suitable format and in sufficient time for everyone
- Assure continuous improvement of the risk management process


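Appendix 2

Table AII. Descriptive statistics for variables in model

| Variable | Category | N | (%) |
|---|---|---|---|
| ERM | No ERM | 16 | 20 |
| ERM | Partial ERM | 37 | 46.25 |
| ERM | Evolving ERM | 12 | 15 |
| ERM | Complete ERM | 15 | 18.75 |
| IA | Yes | 60 | 75 |
| IA | No | 20 | 25 |
| CRO | Yes | 32 | 40 |
| CRO | No | 48 | 60 |
| SIZE | Large | 52 | 65 |
| SIZE | SME | 28 | 35 |
| INDUSTRY | Banks | 15 | 18.8 |
| INDUSTRY | Leasing | 6 | 7.5 |
| INDUSTRY | Insurance | 7 | 8.8 |
| INDUSTRY | Service | 11 | 13.8 |
| INDUSTRY | Manufacturing | 32 | 40 |
| INDUSTRY | Trade | 9 | 11.2 |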

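Appendix 3. Summary of OLS statistics

Table AIII. Correlation matrix

| | IA | CRO | SIZE | BANKS |
|---|---|---|---|---|
| IA | 1 | | | |
| CRO | 0.471 | 1 | | |
| SIZE | 0.484 | 0.599 | 1 | |
| BANKS | 0.277 | 0.588 | 0.352 | 1 |

Table AIV. Collinearity test

| Variables | VIF | Tolerance |
|---|---|---|
| IA | 1.40 | 0.714 |
| CRO | 2.20 | 0.454 |
| SIZE | 1.70 | 0.588 |
| BANKS | 1.53 | 0.653 |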

Appendix 4. Summary of multivariate statistics

Table AV. Model fitting information

| Model | -2 log-likelihood | Chi-square | df | Significance |
|---|---|---|---|---|
| Intercept only | 110.768 | | | |
| Final | 15.254 | 95.514 | 4 | 0.000 |

Table AVI. Goodness of fit with scale model

| | Chi-square | df | Significance |
|---|---|---|---|
| Pearson | 0.459 | 6 | 0.998 |
| Deviance | 0.748 | 6 | 0.993 |

Table AVII. Pseudo R-square

| Measure | Value |
|---|---|
| Cox and Snell | 0.697 |
| Nagelkerke | 0.795 |
| McFadden | 0.571 |

Table AVIII. Test of parallel lines

| Model | -2 log-likelihood | Chi-square | df | Significance |
|---|---|---|---|---|
| Null hypothesis | 15.254 | | | |
| General | 14.729 | 0.525 | 4 | 0.971 |

Corresponding author Sana Masmoudi Mardessi can be contacted at: [email protected]