The influence of board composition, audit fees and ownership concentration on enterprise risk management
Kurt Desender
Universitat Autònoma de Barcelona, Department of Business Economics
Edifici B, 08193 Bellaterra (Barcelona), Spain
Tel. +34 93 581 1209, Fax: +34 93 581 2555
Email: [email protected]

Esteban Lafuente
Centre for Entrepreneurship & Business Research (CEBR), Bucharest, Romania
Email: [email protected]
Abstract

Corporate governance failures and new legislation have emphasized the importance of enterprise risk management (ERM) in preventing fraudulent reporting. Despite the increased attention on ERM, little research has been done to explain why some organizations embrace ERM while others do not. The objective of this paper is to explore how the board composition, the audit fee and the ownership structure are related to the degree of enterprise risk management. Our main results reveal that the board independence, the audit scope and the ownership structure have an important influence on the level of ERM. Firms with an independent board and concentrated ownership show the highest level of ERM. In addition, our results show a complementary relationship between the audit fees and ERM. Companies with lower audit fees seem to exhibit more elaborated ERM, and the other way around.

Keywords: Enterprise risk management, CEO, Board of directors, Chief Risk Officer, ownership concentration, audit fees, audit committee

JEL classification: G3, G32, G34
Electronic copy available at: http://ssrn.com/abstract=1495856
1. Introduction

In recent years, a paradigm shift has occurred regarding the way organizations view risk management. Instead of looking at risk management from a silo-based perspective, the trend is to take a holistic view of risk management. This holistic approach toward managing an organization’s risk is commonly referred to as enterprise risk management, hereafter referred to as ERM. Managing risk is a fundamental concern in today’s dynamic global environment. With the creation of new financial products, rapid advances in IT, increased global interrelationships, shifting regulatory regimes, and fragmented geopolitical forces, organizations have seen the need for an integrated risk management approach increase dramatically.
The Enron failure, together with other high profile corporate collapses, has led to a debate concerning the efficiency and the role of corporate governance. Companies have suffered astonishing losses as a result of poor decisions leading to excessive risk taking. Massive gaps in both the understanding and communication of a company's risk appetite and exposure have been identified in post-mortem reviews. The corporate governance failures culminated in the passage of the Sarbanes-Oxley Act (SOX) on July 30, 2002, which has emphasized the importance of ERM in preventing fraudulent reporting. Section 404 of the Sarbanes-Oxley Act of 2002 required U.S. publicly-traded corporations to utilize a control framework in their internal control assessments (e.g. the COSO Internal Control Framework). In addition, new guidance issued by the Securities and Exchange Commission (SEC) and PCAOB in 2007 placed increasing scrutiny on top-down risk assessment and included a specific requirement to perform a fraud risk assessment (PCAOB, 2007). In addition, the emerging regulatory capital framework, Basel II,
leading the reform of banking supervision, endorsed enterprise risk management as an umbrella notion that can accommodate the techniques required for bank capital adequacy calculation: “... integrated firm-wide approaches to risk management should continue to be strongly encouraged by the regulatory and supervisory community.” (BIS, 2003: 11–12). In response to these requirements, companies and financial institutions are embracing ERM to manage risks across the entity. Rating agencies, such as Standard and Poor’s and Moody’s, are examining how managers are controlling and tracking the risks facing their enterprises (Samanta, Azarchs and Martinez, 2005; Standard & Poor’s, 2005). These rating agencies have publicly reported their explicit focus on ERM activities in the financial services, insurance, and energy industries.
Increasing numbers of organizations have implemented or are considering ERM programs, consulting firms have established specialized ERM units, rating agencies have begun to consider ERM in the ratings process and universities have developed ERM related courses and research centers. In fact, a recent survey of global CEOs found that ERM is a priority among more than one-third of CEOs (39 percent strongly agree) and their boards (38 percent) (PWC 2004). Furthermore, academics argue that ERM benefits firms by decreasing earnings and stock-price volatility, reducing external capital costs, increasing capital efficiency, and creating synergies between different risk management activities (Miccolis and Shah, 2000; Cumming and Hirtle, 2001; Lam, 2001; Meulbroek, 2002; Beasley, Pagach, and Warr, 2006). More broadly, ERM is said to promote increased risk awareness which facilitates better operational and strategic decision-making. While ERM potentially provides a significant source of competitive advantage (Stoh, 2005), not all organizations are adopting it. Initial literature has looked at firm characteristics related with ERM implementation, but little is known about how
existing corporate governance characteristics influence ERM implementation. The purpose of this paper is to investigate how a company’s board composition, audit committee size, audit fees and ownership structure are related to the degree of ERM practices.
This paper contributes mainly to the field of corporate governance by providing new evidence on the influence of board composition, audit fees and ownership structure on ERM. In addition, we suggest a measure to test the degree of ERM derived from the COSO theoretical paper on ERM. Our main results reveal that the board independence, the characteristics of the external audit and the ownership structure have an important influence on the level of ERM. Firms with an independent board and concentrated ownership show the highest level of ERM. In addition, our results show a complementary relationship between the audit fees and ERM. Companies paying high audit fees tend to invest less in ERM, while companies with lower audit fees tend to have more elaborated ERM. In what follows, we discuss the prior research and hypothesis development. Afterwards, we focus on the sample description and the research method. Finally, we describe the results and formulate the conclusions and limitations of this research.
2. Prior research and Hypotheses development

Existing agency theory proposes a series of mechanisms that seek to reconcile the interests of shareholders and managers, including the utilization of internal control mechanisms such as monitoring by non-executive directors (Fama and Jensen, 1983), monitoring by large shareholders (Shleifer and Vishny, 1986), the incentive effects of executive share ownership (Jensen and Meckling, 1976) and the implementation of
internal controls (Matsumura and Tucker, 1992). An additional instrument of shareholder monitoring is the statutory audit whereby independent auditors report annually to shareholders on the appropriateness of the financial statements prepared by management (Watts and Zimmerman, 1983). The clear implication for corporate governance from an agency theory perspective is that adequate monitoring or control mechanisms need to be established to protect shareholders from management’s conflict of interest (Fama and Jensen, 1983). Since the corporate scandals and the creation of new corporate governance codes, ERM has been considered as a valuable element of the corporate governance structure.
While ERM has numerous sources feeding the same basic idea, the COSO (2004) version has become a world-level template for best practice over a short period of time (Power, 2007). COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission, an ‘organizing organization’ (Ahrne and Brunsson, 2006) or coalition of the main accounting and finance trade associations in the United States and formed in the light of concerns about fraudulent financial reporting in the mid-1980s. The Treadway Commission reported its findings in 1987 and COSO published guidance on internal control in 1992. This guidance provides the antecedent conceptual building blocks for the 2004 framework for enterprise risk management, hence a direct line of influence on ERM can be traced to an accounting conception of internal control, itself a product of broader engineering conceptions of control theory. So the ERM model is strongly, if not exclusively, influenced by accounting and auditing norms of control, with an emphasis on process description and evidence.
Risk management has evolved from a narrow, insurance-based view to a holistic, all-risk-encompassing view, commonly termed Enterprise Risk Management. In September 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Enterprise Risk Management—Integrated Framework, to provide a model framework for ERM. That framework defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Nocco and Stulz (2006) argue that ERM is beneficial to most firms because it allows them to manage risks in a manner that avoids costly left-tail outcomes.
Two streams of research have been developed around ERM. A first stream focuses on the influence of ERM on firm performance, while a second stream studies the determinants of ERM. A general argument gaining momentum in the literature is that the implementation of an ERM system will improve firm performance (e.g., see Barton et al., 2002; Lam, 2003; Stulz, 1996, 2003; COSO, 2004; Nocco and Stulz, 2006; Hoyt and Liebenberg, 2009). The findings by Hoyt and Liebenberg (2009), for example, based on data from the insurance industry and using Tobin’s Q as the measure of performance, support this argument. The fact that many firms have adopted ERM (e.g., see Gates and Hexter, 2005) lends additional support to the view that ERM will improve firm performance. Nevertheless, empirical evidence confirming this relation between ERM and firm performance is quite limited and is not based on a robust measure of ERM.
An argument against the positive relationship between ERM and firm performance stems from modern portfolio theory, which assumes that shareholders, through portfolio diversification, can eliminate idiosyncratic risks in a virtually costless manner. Therefore, any expenditure by the firm to reduce this idiosyncratic risk represents a negative NPV project. This view relies on the assumption that capital markets work without frictions and imperfections. When the possibility of such frictions and imperfections is introduced, a role for ERM in value creation emerges. Stulz (1996, 2003) makes a link between both streams and argues that firms should engage in ERM to protect corporate assets from the risk of lower-tail earnings outcomes in which the result of these outcomes would be a real destruction in shareholder value. Stulz states that the factors that determine whether a firm will benefit from ERM depend on the likelihood of a lower-tail earnings outcome and the amount of firm value that might be lost in the resulting potential financial distress. Firms with high leverage, limited cash reserves, and volatile earnings should benefit from ERM, as these firms are more likely to face financial distress. Firms that have growth options, high levels of research and development (R&D), and opaque assets have significant amounts of firm value tied to yet unrealized cash flows.
The second stream of literature has focused on the firm-specific characteristics associated with ERM adoption. Kleffner et al. (2003) examined characteristics of Canadian companies and their ERM adoption status. Companies adopting ERM cited “the influence of the risk manager (61%), encouragement from the board of directors (51%), and compliance with Toronto Stock Exchange (TSE) guidelines (37%)” as the key factors causing their adoption of ERM. Liebenberg and Hoyt (2003) used Chief Risk Officer (CRO) appointments to examine the determinants of ERM adoption. The
authors found that companies appointing a Chief Risk Officer had higher leverage. Furthermore, Beasley et al. (2005) and Desender (2009) show that the presence of a Chief Risk Officer, board independence, managerial involvement, firm size and auditor type are associated with the level of ERM adoption. Finally, Pagach and Warr (2007) show that firms that are more leveraged, have more volatile earnings and exhibit poorer stock market performance are more likely to initiate an ERM program. Additionally, they find that ERM is used for reasons beyond basic risk management, including offsetting CEO risk taking incentives and seeking improved operating performance.
Decisions to implement ERM are made by the board of directors rather than by the CEO (Lam, 2001), but Walker et al. (2002) note that because of its scope and impact, ERM requires strong support from senior management. However, Kleffner et al. (2003) found that encouragement from the board of directors is one of the most important driving forces, while management does not appear amongst the major driving forces. Besides, the benefits of ERM may not be obvious for managers, since part of their remuneration is typically given in stock options, for which the value increases with increased stock volatility. We therefore believe it may be interesting how the composition of the board and its committees, the external auditor and the shareholders. We particularly investigate the influence of the board independence, the separation of CEO and chair, the audit committee size, audit fees, presence of Big4-auditor and ownership concentration on ERM.
2.1 Board independence

In their respective reports on corporate governance, both Cadbury (1992) and OECD (2004) emphasize the value of increased non-executive representation on boards,
suggesting that non-executives are capable of bringing greater independence and impartiality to board decisions. Consistently, Beasley (1996) finds an inverse relation between the percentage of outside directors on the board and the incidence of fraudulent financial reporting. Similarly, firms with a majority of inside directors are found to be more likely to engage in earnings management compared to a control sample matched by industry and size (Peasnell et al., 2000). Furthermore, non-executives are expected to favor more extensive risk management and (internal or external) auditing in order to complement their own monitoring responsibilities, since they have the objective of identifying and rectifying reporting errors deliberately or otherwise made by managers. In a similar context, O’Sullivan (1997) finds that companies with a higher proportion of non-executive directors are more likely to purchase the monitoring of directors’ and officers’ insurance compared to boards with a lower proportion of non-executives. This suggests that companies with greater non-executive representation may favor a more comprehensive control, risk management and (internal or external) audit.
In order to reduce the likelihood of fraudulent reporting, and opportunistic behavior in general, the board could demand investments in higher quality control and risk management practices and/or the purchase of higher quality audit services. Numerous studies have reported a positive relationship between the independence of the board and the demand for external audit quality, as measured by the audit fees (O’Sullivan, 2000; Carcello et al., 2002; Hay and Knechel, 2004). In addition, Beasley et al. (2005) show that board independence is associated with a greater stage of ERM adoption. Therefore, one may view outside directors as more concerned with the quality of the financial and nonfinancial reports than are management directors, who face greater conflicts of interest. From this argument our first hypothesis emerges:
H1: There is a positive relation between board independence and enterprise risk management.
2.2 Audit Committee Size

Both the board of directors and its audit committee play a critical role in ERM by establishing the right environment or tone-at-the-top. External drivers are encouraging boards to oversee management’s ERM practices by assigning explicit responsibilities to audit committees for risk oversight. The New York Stock Exchange’s (NYSE) Final Corporate Governance Rules require audit committees to discuss policies with respect to risk assessment and risk management. While acknowledging that an entity’s senior executive team has the job of assessing and managing the entity’s exposure to risk, the NYSE rules call for the audit committee to discuss guidelines and policies to govern the process by which this is accomplished and to discuss the entity’s major financial risk exposures. In addition, a key element of S&P’s ERM evaluation focuses on the entity’s risk management culture and governance, which includes an analysis of the board and audit committee’s role in risk oversight. Moody’s and Fitch perform similar considerations as well.
Several attributes of an audit committee have been found to be important factors in effective monitoring. Abbott et al. (2001) and Knechel and Willekens (2006) find evidence consistent with audit committee members taking actions within their span of control to ensure a higher level of audit coverage, as well as facilitating auditor independence. In addition, Krishnan (2005) finds that there is a positive relation between audit committee independence and the quality of internal control prior to the
enactment of SOX. While SOX requires that audit committees be composed of all independent directors for firms traded on an organized stock exchange (e.g., NYSE, AMEX) or a recognized dealer quotation system (e.g., NASDAQ), exemptions may be given by the SEC, if it determines that it is appropriate under certain circumstances.
We control for the audit committee size, measured as the number of audit committee members, because research suggests that a large audit committee tends to enhance the audit committee’s status and power within an organization (Kalbers and Fogarty, 1993), to receive more resources (Pincus et al., 1989), and to lower the cost of debt financing (Anderson et al., 2004). We thus expect that a large audit committee is more likely than a small one to improve ERM, because increased resources and enhanced status will make the audit committee more effective in fulfilling its monitoring role. This leads us to formulate our second hypothesis:
H2: There is a positive relation between the size of the audit committee and enterprise risk management.
2.3 Separation of CEO and Chairman

The UK Code of Best Practice (Cadbury Committee, 1992) recommends that the positions of chair and CEO should be held by different individuals. In addition, Jensen (1993) points out that when the CEO also holds the position of the chairman of the board, internal control systems may fail, as the board cannot effectively perform its functions including those of evaluating and firing CEOs. Similarly, Fama and Jensen (1983) argue that concentration of decision management and decision control in one individual reduces a board’s effectiveness in monitoring top management. In addition,
Goyal and Park (2002) point out that the sensitivity of top executive turnover to firm performance is significantly lower for firms that vest the titles of CEO and chairman in the same individual.
Pagach and Warr (2007) find that ERM is used for reasons beyond basic risk management, including offsetting CEO risk taking incentives and seeking improved operating performance. They find that the likelihood of hiring a Chief Risk Officer increases as CEOs’ compensation packages become more sensitive to stock volatility. A possible explanation for their result is that the board recognizes that the CEO has an incentive to increase risk, and tries to control the risk behavior of the CEO by implementing a risk management program. Managers may not benefit from implementing ERM, since part of their remuneration may be given in stock options for which the value increases with increased stock volatility. In addition, ERM adds an additional layer of monitoring and probably reduces the freedom of managers to pursue personal benefits over shareholder benefits. From this argument our third hypothesis emerges:
H3: There is a positive relation between the separation of CEO and chairman positions and enterprise risk management.
2.4 External audit

External auditors can rely on the work of internal auditors in many respects in carrying out their external audit duties as both auditors are concerned that proper controls are in place. ERM can assist external auditors to understand the internal control system that has been set up before any compliance or substantive work is being carried out.
Reliance on the work of the ERM should have the potential to reduce the audit hours that need to be spent on the audit and thus help to reduce the audit fee that needs to be paid. This is of particular importance in view of the upward pressure on external audit fees, not least due to a progressive tightening of the audit requirement in the wake of Enron and other corporate debacles. Empirically, Knechel and Willekens (2006) find that audit fees are lower when a company discloses a relatively high level of compliance risk, but higher when a company discloses a relatively high level of financial risk. In addition, Goddard and Masters (2000) find a negative relationship between audit fees and improved internal controls in the presence of audit complexity. This leads to our fourth hypothesis:
H4: There is a negative relation between the external audit fee and enterprise risk management.
Big Four audit firms probably have more expertise in assisting companies to implement ERM. Although ERM could lead to a lower audit fee, the loss could be compensated through an increase in non-audit services for assisting the company with its ERM implementation. Beasley et al. (2005) and Desender (2009) find a positive association between the presence of Big-4 auditors and the level of ERM development. This leads to our fifth hypothesis:
H5: There is a positive relation between the presence of a Big-4 auditor and enterprise risk management.
2.5 Ownership concentration

Finally, we are interested in examining to what extent the presence of large shareholders affects the quality of ERM. It is often argued that ownership concentration mitigates free-riding problems of corporate control associated with a scattered principal. Likewise, large investors have the incentive to exercise a closer oversight and control of management, in order to reduce agency costs and increase their monitoring role in the companies where they invest. Demsetz and Lehn (1985) argue that within firms facing more uncertain environments, insiders’ actions are less observable and thus the benefits of ownership are greater. For example, if information asymmetry is an increasing function of the uncertainty, it would suggest a positive relationship between business risk-taking and ownership concentration. Nevertheless, large shareholders also have a strong preference for control, and this could lead to the expropriation of minority shareholders’ wealth. This implies that ownership concentration can also create costs within the firm that may outweigh its benefits over some intervals of the distribution of ownership concentration (Zwiebel, 1995 and De Miguel et al., 2004).
Despite this concern, and given that small shareholders have no incentives to monitor managers in contexts characterized by high levels of ownership concentration, it is also argued that one way to improve the quality of risk management is to ensure the presence of (at least) one large shareholder. Amihud and Lev (1981) find that insiders with large stakes of corporate capital are less motivated by considerations of risk-aversion when evaluating merger opportunities. Further, Shleifer and Vishny (1986) suggest that equity blockholders theoretically can maximize value through the promotion of firm risk-taking. Hill and Snell (1988) provide evidence of a negative relation between corporate diversification and insider ownership, and consequently a positive relation between the
latter and the firm's overall level of risk. Large controlling owners may in addition prefer a focus on internal governance mechanisms over which they may exert certain control rather than enhancing the external audit scope. Therefore, the benefit of ERM could be larger in companies with a closely-held ownership structure. From this argument comes our last hypothesis:
H6: Enterprise risk management is higher in closely-held firms compared to widely held firms.
3. Data and method

3.1 Data and variable definition

We focus our study on one particular industry to maximize comparability between firms in terms of business environment, degree of competition and risk. The sample is composed entirely of pharmaceutical firms (SIC code: 2834 – Pharmaceutical preparations), an industry that has also been used in previous corporate governance research (Robb et al., 2001; Macher and Boerner, 2005). Firms in this particular industry are faced with the same array of risks and seem to display a sufficient amount of variation in ERM practices. The pharmaceutical companies are capital intensive and mainly rely on the stock market to finance their R&D projects. Furthermore, it is a competitive industry, with pressure to perform, generating incentives to cut corners if results are not satisfactory. In fact, the SEC enforcement list contains several pharmaceutical companies that manipulated numbers in response to bad results. Therefore, we believe that this industry is ideal to study ERM and its relationship to the board composition. The original dataset comprises information for 100 pharmaceutical firms randomly chosen (out of a population of 213 firms) for the years 2004 and 2005.
All selected firms are listed on Amex, NYSE or Nasdaq. However, and in the interest of following a rigorous methodology, we dropped from the final sample three firms as we want to include in our final sample only those firms for which a complete dataset of the dependent and independent variables can be clearly identified.
Concerning the dependent variable, we measure enterprise risk management (ERM) through two variables. Similar to Liebenberg and Hoyt (2003), we introduce a single event like the presence of a Chief Risk Officer to proxy ERM. This dummy variable takes the value of one if the pharmaceutical firm has a Chief Risk Officer in the year 2005, and zero otherwise. From Table 1 we observe that, in our final sample, 47 firms (48.45%) report the presence of a Chief Risk Manager in 2005.
--- Insert Table 1 about here ---
However, it is important to remark that this dummy variable only reflects the presence of a risk manager, rather than the number of practices related to risk management implemented by firms. This is a major concern in this study, as we are interested in examining the extent to which variables linked to board composition, auditing committees and fees, as well as ownership concentration, help explain the adoption of risk management practices. Thus, we use the COSO-ERM (2004) framework, which has become a world-level template for best practice over a short period of time (Power, 2007), and prior work by Knechel (2002) to identify those variables that best reflect relevant control and risk management procedures, in order to derive an aggregate measure of ERM. Similar to Knechel (2002), we expect that the disclosure of control
and risk management practices indicates that organizations are more sensitive to the identification and management of those specific risks.
A three-step methodology was used to construct our ERM index. In a first stage, and based on the COSO-ERM (2004) framework, we obtained an initial list of 254 items related to ERM. Second, we asked 5 senior auditors to evaluate the original list and select those items that they consider as the most relevant to measure the degree of ERM. Based on their assessment, we retained all components that were selected by at least three different auditors. The final list consists of 108 ERM components, scoring zero (absence) or one (presence). In addition, as indicated in the COSO-ERM framework (2004), our ERM index considers the eight dimensions of ERM: 1) internal environment, 2) objective setting, 3) event identification, 4) risk assessment, 5) risk response, 6) control activities, 7) information and communication, and 8) monitoring.
Having determined the composition of our ERM index, information about ERM practices, as well as for the set of independent variables, was obtained from public sources (10-K’s, proxy statements, annual reports and the company website). The dependent variable we use in the regression analysis (ERM) is the weighted average of the eight dimensions. Table 1 gives an overview of the measure of ERM, whereas the final list of ERM items considered in this study is presented in the Appendix. From the descriptives we notice that firms in our sample have adopted on average, and for the year 2005, 35.94% of the ERM practices considered in our index (Table 1). Also, from Appendix 1 we observe that the ERM practices mainly adopted by firms in our sample correspond to the categories of risk assessment (57%), event identification (57%), and
objective setting (52%). To the contrary, only 17% of firms in our sample report the adoption of practices related to control activities.
At this point, an important qualification is also in order. We are aware that our ERM index may suffer from some inconsistency given particular changes in the adoption of ERM practices over time. To corroborate the stability of our ERM measure, we calculated this variable for both 2004 and 2005 and tested whether the values for the ERM index significantly changed between these years. Although 77 firms in our sample increased the implementation of ERM practices by 4.18% between 2004 and 2005, results of the Wilcoxon signed-rank test indicate that the distributions of the ERM index for 2004 and 2005 are the same (Z value: –1.295). The validity of our measure of ERM is further confirmed when examining its relation to the presence of a Chief Risk Officer. Here, we find that the implementation of ERM is significantly higher (at the 1% level) for those firms with a Chief Risk Officer (0.4687), as compared to that value shown by firms with no Chief Risk Officer (0.2566). Also, 78.72% of firms with a Chief Risk Officer (37 firms) show an above-the-median value for our ERM measure.
As regards our set of independent variables, data was collected for the year 2004 from the company’s annual reports and descriptive statistics are presented in Table 2. We first consider board independence. Similar to Carcello et al. (2002) and O’Sullivan (2000), we define board independence as the ratio of non-executive board members divided by the total number of board members. From the descriptive statistics we observe that boards in our sample are highly independent (on average, 75.82% of board members are non-executives). Similar to previous literature (e.g. Abbott et al. 2002, O’Sullivan,
17
2000), we define audit committee size as the total number of audit committee members. In our sample, audit committees have on average 3.45 members, and the number of members of these committees ranges from two to six members.
--- Insert Table 2 about here ---
We also introduce two variables linked to external auditing: audit fees, and the type of auditor. In accordance with recent studies on audit fees by Craswell et al. (1995), Carcello et al. (2002), and Hay and Knechel (2004), we use the natural log of audit fees as an independent variable. For the latter, Beasley et al. (2005) show that the type of auditor is associated with the adoption of ERM practices. In this paper, we introduce a dummy variable taking the value of one if the firm has a Big-4 external auditor (Deloitte Touche Tohmatsu, KPMG, PWC, and Ernst & Young), and zero otherwise. From Table 2 we observe that for nearly 63% of the pharmaceutical firms in our sample, the external auditor is a Big-4 company. Previous literature (Jensen, 1993; Fama and Jensen, 1983; Cadbury Committee, 1992) argues that the board loses power to the management when the positions of CEO and Chairman are vested in the same person. Thus, we include in the analysis a dummy variable taking the value of one if the positions of Chairman and CEO are not vested in the same person, and zero otherwise. In the final sample 43.30% of firms report a two-tier leadership structure (Table 2).
Data availability allows us to identify two measures of ownership concentration: the stake held by the largest and by the three largest shareholders. In our sample, the largest shareholder controls on average 14.46% of shareholder’s equity, whereas this figure stands at 25.61% in the case of the three largest shareholders (Table 2). In addition, and in line with La Porta et al. (1999) and Faccio et al. (2001), we distinguish those firms with a more concentrated ownership structure from those with a more scattered ownership structure. In this case, we introduce a dummy variable taking the value of one if the largest shareholder controls at least 20% of the shares. From Table 2 we notice that 16.49% of firms in our sample report a controlling shareholder owning more than 20% of shareholder’s equity.
Finally, we introduce two control variables: firm size and leverage. Firm size is measured by total assets. As an organization’s size increases, the scope of events threatening it is likely to differ in nature, timing, and extent. In addition to having a greater need for more effective enterprise-wide risk management techniques, larger entities may have greater ability to implement ERM practices due to greater access to resources (Colquitt et al., 1999). Furthermore, Beasley et al. (2005) show that there is a positive relation between firm size and the adoption of ERM practices. We introduce the variable leverage, measured as the ratio of long-term debt divided by total assets, as a proxy for the agency costs between a company and its outside debtholders (Watts and Zimmerman 1986). Empirical evidence by Pagach and Warr (2007) shows that highly leveraged firms are more likely to initiate an ERM program, whereas Liebenberg and Hoyt (2003) found that companies appointing a Chief Risk Officer had higher leverage.
3.2 Method
As we indicated above, our approach to ERM implies the use of two dependent variables: the presence of a Chief Risk Manager and the ERM index. For both variables, the full model to be estimated follows:
$$
\begin{aligned}
ERM_{i,t} = {} & \delta_0 + \delta_1\,\text{Control variables}_{i,t-1} + \delta_2\,\text{Board independence}_{i,t-1} + \delta_3\,\text{Size of internal audit committee}_{i,t-1} \\
& + \delta_4\,\text{External audit fees}_{i,t-1} + \delta_5\,\text{CEO–Chairman}_{i,t-1} + \delta_6\,\text{Big-4 audit firm}_{i,t-1} + \delta_7\,\text{Ownership concentration}_{i,t-1} + \varepsilon_i
\end{aligned}
\qquad [1]
$$
In Equation [1] $\delta_0$ is the constant term, $\delta_j$ refers to the vector of parameter estimates for the jth independent variables, and $\varepsilon_i$ is the disturbance term for the ith firm, and it follows a logistic distribution when the dependent variable is the presence of a Chief Risk Officer, whereas the error term is normally distributed when the dependent variable is the ERM index. Control variables correspond to the natural log of size (total assets) and leverage.
Given the nature of the dependent variables used in this study, we need to use different econometric methods to identify those variables that best explain the decision to introduce a Chief Executive Officer, as well as to implement ERM practices.
In the case of the dummy dependent variable, to identify the differentiating characteristics that affect the likelihood to have a Chief Risk Officer, one can perform a logit regression model (Greene, 2003). In our case, the probability to have a Chief Risk Officer ($\Pr(Y_i = 1) = \hat{p}_i$) can be modeled as a function of the aforementioned set of explanatory variables ($X_i$), where $\hat{p}_i$ is expressed as $\hat{p}_i = e^{X_i \hat{\beta}_j} / \left(1 + e^{X_i \hat{\beta}_j}\right)$, and parameters $\hat{\beta}_j$ are estimated by maximum likelihood method.
Nevertheless, it has been widely documented that, in any regression model, coefficients $\hat{\beta}$ are a biased estimate of $\beta$ in small samples (Greene, 2003). Given that our sample of pharmaceutical firms is rather small (97 observations), the application of traditional logit models could yield biased results due to the underestimation of the parameter estimates for those observations that show the event of interest ($\Pr(Y_i = 1)$). As a result, in a first step we adopt the approach proposed by King and Zeng (2001a, 2001b) to compute approximately unbiased estimates in logit models by correcting for the presence of rare events and small samples. This procedure, labeled rare events logit model, is based on the standard logit model, but it introduces a correction term in the estimation of the coefficients $\hat{\beta}$. This correction term ($u_i$) represents a sampling error linked to uncertainty in the estimation of $\hat{\beta}$, and its main implication is that $\Pr(Y_i = 1) \approx \hat{p}_i + u_i$, where $u_i = (0.50 - \hat{p}_i)\,\hat{p}_i\,(1 - \hat{p}_i)\,X V(\hat{\beta}) X'$ (King and Zeng, 2001a, p. 149). The term $u_i$ is derived from Bayesian estimation and its direction is determined by $(0.50 - \hat{p}_i)$. Therefore, $u_i$ enters into the logistic function providing a solution to the underestimation problem, and the resulting parameter estimates have a smaller mean squared error, that is, they are better estimators of the probability of the event of interest. Thus, the use of the rare events logit approach enables us to carry out our analysis with the appropriate statistical corrections.
Parameter estimates from the rare events logit model only indicate the direction of the effect of each explanatory variable on the response probability. To obtain a better understanding of the results, we also calculate the first difference, which is the change in the probability as a function of a specific change in an independent variable holding the rest of variables constant at their means, i.e., $\gamma_x = \Pr(Y = 1 \mid X = 1) - \Pr(Y = 1 \mid X = 0)$ for dummy variables. Finally, we also calculate the proportion of correctly classified (predicted) observations. This is done for the full sample as well as for those firms that report a Chief Executive Officer (adopter) and those firms that do not (non-adopters).
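The following Python example is an addition to this text, not code or data from the paper: it fits a logit model by maximum likelihood on a constructed 18-firm sample, then evaluates the correction term $u_i$ and the first difference $\gamma_x$ as written above. The sample, the variable names and the helper functions are assumptions made for illustration, and $u_i$ is applied to the plain maximum-likelihood estimates, so King and Zeng's separate bias correction of the coefficients is not reproduced.

```python
import math

# Constructed sample (NOT the paper's data): board independence ratio,
# concentrated-ownership dummy, and whether the firm has a Chief Risk Officer.
ROWS = [
    (0.55, 0, 0), (0.60, 0, 0), (0.62, 0, 1), (0.65, 0, 0), (0.70, 0, 0),
    (0.72, 0, 1), (0.75, 0, 0), (0.78, 0, 1), (0.80, 0, 0), (0.85, 0, 1),
    (0.88, 0, 1), (0.90, 0, 1), (0.60, 1, 0), (0.66, 1, 1), (0.74, 1, 1),
    (0.82, 1, 0), (0.86, 1, 1), (0.92, 1, 1),
]
X = [[1.0, indep, float(conc)] for indep, conc, _ in ROWS]  # leading 1.0 = intercept
Y = [cro for _, _, cro in ROWS]


def logistic(z):
    return 1.0 / (1.0 + math.exp(-z))


def dot(a, b):
    return sum(p * q for p, q in zip(a, b))


def invert(m):
    """Invert a small square matrix by Gauss-Jordan elimination with pivoting."""
    n = len(m)
    aug = [list(row) + [float(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("singular information matrix")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        scale = aug[col][col]
        aug[col] = [v / scale for v in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [v - f * w for v, w in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def information(x, beta):
    """Fisher information X'WX with W = diag(p_i (1 - p_i))."""
    k = len(beta)
    p = [logistic(dot(row, beta)) for row in x]
    return [[sum(pi * (1 - pi) * row[a] * row[b] for row, pi in zip(x, p))
             for b in range(k)] for a in range(k)]


def fit_logit(x, y, iterations=30):
    """Maximum-likelihood logit via Newton-Raphson; returns (beta_hat, V(beta_hat))."""
    k = len(x[0])
    beta = [0.0] * k
    for _ in range(iterations):
        p = [logistic(dot(row, beta)) for row in x]
        score = [sum((yi - pi) * row[j] for row, yi, pi in zip(x, y, p))
                 for j in range(k)]
        cov = invert(information(x, beta))
        beta = [b + dot(cov[j], score) for j, b in enumerate(beta)]
    return beta, invert(information(x, beta))


def correction(x0, beta, cov):
    """Return (p_hat, u) with u = (0.5 - p_hat) p_hat (1 - p_hat) x0 V(beta_hat) x0'."""
    p = logistic(dot(x0, beta))
    quad = dot(x0, [dot(row, x0) for row in cov])  # x0 V x0', positive for PD V
    return p, (0.5 - p) * p * (1 - p) * quad


def first_difference(beta, x, j):
    """Pr(Y=1|X_j=1) - Pr(Y=1|X_j=0), other regressors held at their sample means."""
    means = [sum(row[c] for row in x) / len(x) for c in range(len(beta))]
    hi, lo = list(means), list(means)
    hi[j], lo[j] = 1.0, 0.0
    return logistic(dot(hi, beta)) - logistic(dot(lo, beta))


BETA, COV = fit_logit(X, Y)

if __name__ == "__main__":
    # Two hypothetical firm profiles: [intercept, board independence, ownership dummy]
    for profile in ([1.0, 0.60, 0.0], [1.0, 0.90, 1.0]):
        p, u = correction(profile, BETA, COV)
        print(f"x0={profile}  p_hat={p:.4f}  u={u:+.4f}  p_hat+u={p + u:.4f}")
    print(f"first difference, ownership dummy: {first_difference(BETA, X, 2):+.4f}")
```

Because $X V(\hat{\beta}) X'$ is positive, the sign of $u_i$ always follows $(0.50 - \hat{p}_i)$: the adjustment pulls each predicted probability toward 0.5, and it is largest where the estimate is most uncertain.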
In a second step, when the dependent variable is the index of ERM practices, the methodological approach chosen is based on OLS regression. It is important to remark that, for greater robustness of our estimation, we examined the properties of the errors derived from the different model specifications. In all regressions, results for the Shapiro-Wilk and the Jarque-Bera tests indicate that error terms are normally distributed, confirming that our approach to ERM in this second stage is appropriate.
4. Results
The results of the different applications of both the rare events logit model (Tables 3 and 4) and the linear regression (Table 5) to the ERM variables considered in this paper are presented in this section. It should be noted that Table 4 shows, for model specification three, the results for the discrete change in the probability to have a Chief Risk Officer. In the case of dummy variables, the first difference represents the change in the probability as a result of a discrete change from zero to one in the independent variable, i.e. $\gamma_x = \Pr(Y = 1 \mid X = 1) - \Pr(Y = 1 \mid X = 0)$. We further explore differences in the probability to have a Chief Risk Officer due to variations in the selected continuous variables. Here, and for illustrative purposes, we also estimated discrete changes at different points of the distribution of the independent variables as $\gamma_x = \Pr(Y = 1 \mid X = Q(q_2)) - \Pr(Y = 1 \mid X = Q(q_1))$, where $q_1$ and $q_2$ represent quantile points of the distribution of the independent variable under analysis. Results for the discrete changes are consistent throughout the different specifications of the rare events logit model, and results for specifications one and two are available on request from the authors.
The first column in Tables 3 to 5 shows the results for our model that considers as the ownership concentration variable the dummy variable accounting for the presence of a shareholder controlling at least 20% of shareholder’s equity. Specifications two and three of these tables consider the stake held by the largest and the three largest shareholders as the ownership concentration variable, respectively.
The results for the control variables included in our analysis indicate that, throughout the different specifications of the model applied to our sample, larger firms are more likely to have a Chief Risk Officer (Table 4: $\gamma_1 = 0.21724$ and p-value < 0.05) and to introduce a larger number of ERM practices (Tables 4 and 5). This result is consistent with previous evidence by Colquitt et al. (1999) and Beasley et al. (2005). In the case of leverage, we fail to find any significant relation between this variable and the adoption of ERM practices.
--- Insert Table 3 about here ---
--- Insert Table 4 about here ---
--- Insert Table 5 about here ---
As for the key findings of our study, we observe that, in our sample, firms with more independent boards have higher levels of ERM practices. Results in Table 4 indicate that, if we compare two identical firms, when one has an average level of board independence (the median value, for instance) and the other a higher proportion of non-executive board members (at the 75th percentile of the distribution of this variable), the probability to include a Chief Risk Officer is 7.48% higher for the latter firm ($\gamma_2 = 0.07478$ and p-value < 0.05) (Table 4). Similar results are obtained when the dependent variable is the ERM index (Table 5). This is in accordance with our first hypothesis (H1) which proposes that ERM is higher in firms with more independent boards.
Concerning the size of the audit committee, and contrary to Kalbers and Fogarty (1993) and Anderson et al. (2004), the results from the different model specifications indicate that this variable does not exert a significant impact on ERM, leading us to reject hypothesis H2. This could indicate that ERM is driven by the board of directors, rather than by the audit committee. After controlling for board independence, the size of the audit committee does not explain additional ERM. The results are in line with the argument that the audit committee is a subcommittee of the board of directors which can influence its organization and strength within the organization. Furthermore, our findings reveal that the separation of CEO and Chairman (H3) does not significantly impact ERM.
Furthermore, our empirical findings reveal that audit fees (H4) and the presence of a Big-4 audit firm (H5) have a significant impact on ERM, providing support for hypotheses 4 and 5. The relationship is however only significant with respect to the continuous measure ERM. The audit characteristics are not significantly related to the presence of the CRO. The results indicate a substitution effect between the external audit and ERM, indicated by the negative coefficient related to audit fees. Companies with lower audit fees seem to exhibit more elaborated ERM, and the other way around. Furthermore, the results show that pharmaceutical companies where a Big-4 auditor is present tend to have higher ERM scores. This is consistent with the idea that client firms of Big-4 auditors rely on the expertise and experience of the auditor when elaborating their ERM. Since the audit fees capture the part of the services related to the statutory audit, audit companies may be able to compensate for the loss in revenue from the statutory audit by increasing their revenue from other audit services, such as the assistance with ERM implementation.
Finally, when analyzing the results for ownership concentration (H6), our findings reveal that this variable becomes increasingly important to explain ERM. From Table 4 it can be seen that the change in the probability to have a Chief Risk Officer as a result of changes in the stake held by the three largest shareholders varies from 5.40% (p-value < 0.05), for firms with low ownership concentration levels (change from the 10th percentile to the first quartile of the distribution of this variable: 12.73% and 16.58%, respectively), to 14.53% (p-value < 0.05) for those firms with high ownership concentration levels (change from the third quartile to the 90th percentile of the distribution of this variable: 29.85% and 40.25%, respectively). This result could signal that, for monitoring purposes, large shareholders rely more on internal governance mechanisms over which they may exert certain control rather than enhancing the external audit scope. Ownership concentration also exerts a positive and statistically significant effect on the adoption of ERM practices (Table 5). These results lead us to confirm our hypothesis H6, which states that ERM is higher in firms with dominant shareholders.
5. Conclusions
Corporate governance failures, new legislation and recommendations have emphasized the importance of control and risk management in reducing agency costs and preventing fraudulent reporting. Despite the increased attention on ERM, little research has been done to explain why some organizations embrace ERM while others do not. The paper explores which elements of the COSO-ERM (2004) framework are addressed and how board composition is related to the degree of ERM implementation. We find that pharmaceutical companies score well on objective setting, risk identification and risk assessment, while they score weakly on control activities and monitoring.
Our main results reveal that the board independence, the audit scope and the ownership structure have an important influence on the level of ERM. Firms with an independent board and concentrated ownership show the highest level of ERM. In addition, our results show a complementary relationship between the audit fees and ERM. Companies with lower audit fees seem to exhibit more elaborated ERM, and the other way around. Furthermore, the results show that pharmaceutical companies where a Big-4 auditor is present tend to have higher ERM scores. This is consistent with the idea that client firms of Big-4 auditors rely on the expertise and experience of the auditor when elaborating their ERM. Since the audit fees capture the part of the services related to the statutory audit, audit companies may be able to compensate for the loss in revenue from the statutory audit by increasing their revenue from other audit services, such as the assistance with ERM implementation.
We acknowledge limitations in our research approach. First, we use publicly available data to proxy for the degree of ERM implementation. To the extent that annual reports or other company information do not reflect the true state of control and risk management practices, our results are limited. To cope with this limitation, we tested our hypotheses using an alternative proxy for ERM. Second, this study focuses on a single industry. Therefore our results may not generalize to other industries. Finally, there may be other organizational characteristics of ERM deployments that were not reflected in this study. As a consequence, further research should attempt not only to replicate a similar analysis in a different industrial context, but also to enrich the content of the model as well as its longitudinal perspective.
References
Ahrne, G., & Brunsson, N. (2006). Organizing the world. In M.-L. Djelic & K. Sahlin-Andersson (Eds.), Transnational governance: Institutional dynamics of regulation (pp. 74–94). Cambridge: Cambridge University Press.
Amihud, Y., Lev, B. (1981). Risk reduction as a managerial motive for conglomerate mergers. Bell Journal of Economics, 12, 605–617.
Basel Committee on Banking Supervision (2003). Trends in risk integration and aggregation. BIS, August 2003, pp. 1–41.
Beasley, M.S. (1996). An empirical analysis of the relation between the board of director composition and financial statement fraud. Accounting Review, 71, 443–465.
Beasley, M.S., Clune, R., Hermanson, D.R. (2005). Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy, 24 (6), 521–531.
Beasley, M.S., Pagach, D., Warr, R. (2006). The Information Conveyed in Hiring Announcements of Senior Executives Overseeing Enterprise-Wide Risk Management Processes. Working Paper, North Carolina State University.
Cadbury Report. (1992). Report of the Committee on the Financial Aspects of Corporate Governance. London: Gee & Co.
Carcello, J.V., Hermanson, D.R., Neal, T.L., Riley, R.R. Jr. (2002). Board Characteristics and Audit Fees. Contemporary Accounting Research, 19 (Fall), 365–384.
Committee of the Sponsoring Organizations of the Treadway Commission (2004). Enterprise Risk Management, Integrated Framework (COSO-ERM Report). New York: AICPA.
COSO (2004). Enterprise risk management. Committee of the Sponsoring Organizations of the Treadway Commission.
Cumming, C.M., Hirtle, B.J. (2001). The Challenges of Risk Management in Diversified Financial Companies. FRBNY Economic Policy Review, March, 1–17.
De Miguel, A., Pintado, J., De la Torre, C. (2004). Ownership Structure and Firm Value: New Evidence from Spain. Strategic Management Journal, 25, 1199–1207.
Demsetz, H., Lehn, K. (1985). The Structure Of Corporate Ownership: Causes And Consequences. Journal of Political Economy, 93, 1155–1177.
Desender, K. (forthcoming). On the Determinants of enterprise risk management implementation. Forthcoming in Shi Nan Si, S. and Silvius, G. 2010, Enterprise IT Governance, Business Value and Performance Measurement, IGI Global.
Fama, E.F., Jensen, M.C. (1983). Agency Problems and Residual Claims. Journal of Law and Economics, 26 (2), 327–349.
Goyal, V.K., Park, C.W. (2002). Board leadership structure and CEO Turnover. Journal of Corporate Finance, 8, 49–66.
Greene, W. (2003). Econometric Analysis. Fifth edition. New Jersey: Upper Saddle River.
Hay, D., Knechel, W.R. (2004). Evidence on the Association among Elements of Control and External Assurance. Working paper, University of Auckland.
Jensen, M.C., Meckling, W. (1976). The Theory of the Firm: Managerial Behavior, Agency Costs and Ownership Structure. Journal of Financial Economics, 3, 305–360.
Jensen, M.C. (1993). The modern industrial revolution, exit, and the failure of internal control systems. Journal of Finance, 48, 831–880.
King, G., Zeng, L. (2001a). Logistic Regression in Rare Events Data. Political Analysis, 9 (2), 137–163.
King, G., Zeng, L. (2001b). Explaining Rare Events in International Relations. International Organization, 55 (3), 693–715.
Kleffner, A., Lee, R., McGannon, B. (2003). The effect of corporate governance on the use of enterprise risk management: Evidence from Canada. Risk Management and Insurance Review, 6 (1), 53–73.
Knechel, W.R. (2002). The Role of the Independent Accountant in Effective Risk Management. Journal of Economics and Management, 47 (1), 65–86.
Lam, J. (2001). The CRO is here to stay. Risk Management, 48 (4) (April), 16–22.
Liebenberg, A., Hoyt, R. (2003). The determinants of enterprise risk management: evidence from the appointment of chief risk officers. Risk Management and Insurance Review, 6 (1), 37–52.
Macher, J., Boerner, C. (2005). Development and the boundaries of the firm: a knowledge-based examination in drug development. Academy of Management Proceedings, GG1-GG6, 6p.
Matsumura, E.M., Tucker, R.R. (1992). Fraud detection: A theoretical foundation. Accounting Review, 67 (Fall), 753–782.
Meulbroek, L.K. (2002). Integrated Risk Management for the Firm: A Senior Manager’s Guide. Journal of Applied Corporate Finance, 14, 56–70.
Miccolis, J., Shah, S. (2000). Enterprise risk management: An analytic approach. Tillinghast – Towers Perrin. Available at www.tillinghast.com.
Milgrom, P., Roberts, J. (1992). Economics, Organization and Management. London: Prentice-Hall.
Nocco, B.W., Schulz, R. (2006). Enterprise risk management: Theory and practice. Ohio State University working paper.
O’Sullivan, N. (1997). Insuring the Agents: The Role of Directors’ and Officers’ Insurance in Corporate Governance. Journal of Risk and Insurance, 64 (3), 545–556.
O’Sullivan, N. (2000). The Impact of Board Composition and Ownership on Audit Quality: Evidence from Large UK Companies. British Accounting Review, 32 (December), 397–414.
Pagach, D.P., Warr, R.S. (2007). An Empirical Investigation of the Characteristics of Firms Adopting Enterprise Risk Management. Working paper. Available at SSRN: http://ssrn.com/abstract=1010200
Peasnell, K.V., Pope, P.F., Young, S. (2000). Detecting earnings management using cross-sectional abnormal accrual models. Accounting and Business Research, 30, 303–326.
Power, M. (2007). Organized uncertainty: Designing a world of risk management. Oxford: Oxford University Press.
Robb, S., Single, L., Zarzeski, M.T. (2001). Nonfinancial disclosures across Anglo-American countries. Journal of International Accounting, Auditing and Taxation, 10, 71–83.
Sarbanes-Oxley Act of 2002. (2002). Public Law No. 107–204. Washington, DC: Government Printing Office.
Shleifer, A., Vishny, R. (1986). Large Shareholders and Corporate Control. Journal of Political Economy, 3, 461–488.
Stoh, P.J. (2005). Enterprise risk management at United Health Group. Strategic Finance, 87 (July), 26–35.
Walker, P.L., Shenkir, W.G., Barton, T.L. (2002). Enterprise Risk Management: Putting it all together. Institute of Internal Auditors Research Foundation, Altamonte Springs, FL.
Watts, R.L., Zimmerman, J.L. (1986). Positive Accounting Theory. Englewood Cliffs, New Jersey: Prentice-Hall.
Willekens, M., Sercu, P. (2005). Corporate governance at the crossroad. Intersentia.
Zwiebel, J. (1995). Block Investment and Partial Benefits of Corporate Control. Review of Economic Studies, 62, 161–185.
Author Biographies
Kurt Desender is currently a Ph.D. candidate in the Department of Business Economics at the Universitat Autònoma of Barcelona. His research interests include corporate governance and risk management.
Esteban Lafuente is Professor at the Universitat Autònoma of Barcelona and he also serves as CEO and researcher in the Romanian Centre for Entrepreneurship and Business Research (CEBR). His research interests include corporate governance, efficiency analysis and entrepreneurship, and he has published, amongst others, in Regional Studies and the British Journal of Management.
List of Tables
Table 1. Measures of enterprise risk management (ERM)

| | Observations | Mean value | Standard deviation |
|---|---|---|---|
| Chief Risk Officer | 97 | 0.4845 | 0.5024 |
| Enterprise Risk Management | 97 | 0.3594 | 0.1717 |
Table 2. Descriptive statistics for the selected variables

| | Observations | Mean value | Standard deviation |
|---|---|---|---|
| Total assets (t-1) in million of US$ | 97 | 8,022.76 | 20,274.16 |
| Leverage (t-1) | 97 | 0.1935 | 0.2370 |
| Board independence (t-1) | 97 | 0.7582 | 0.1270 |
| Size of internal audit committee (t-1) | 97 | 3.4536 | 0.9016 |
| External audit fee (t-1) in million of US$ | 97 | 5.50 | 16.57 |
| CEO – Chairman separation (t-1) | 97 | 0.4330 | 0.4981 |
| Big-4 audit firm (t-1) | 97 | 0.6289 | 0.4856 |
| Concentrated ownership (t-1) | 97 | 0.1649 | 0.3731 |
| Stake held by the largest shareholder (t-1) | 97 | 0.1446 | 0.0895 |
| Stake held by the three largest shareholders (t-1) | 97 | 0.2561 | 0.1198 |
Table 3. Rare-events logit model: Decision to have a Chief Risk Officer

| | Model 1 | Model 2 | Model 3 |
|---|---|---|---|
| Ln total assets (t-1) | 0.5390 *** (0.1640) | 0.5144 *** (0.1732) | 0.4725 *** (0.1565) |
| Leverage (t-1) | –1.3862 (1.3770) | –2.2692 (1.4772) | –2.4639 * (1.4168) |
| Board independence (t-1) | 5.6950 ** (2.3797) | 5.6255 ** (2.5713) | 5.4550 ** (2.2751) |
| Size of internal audit committee (t-1) | 0.0845 (0.3015) | 0.0762 (0.3211) | 0.1243 (0.3140) |
| Ln external audit fee (t-1) | –0.0874 (0.2423) | –0.0720 (0.2452) | –0.0481 (0.2346) |
| CEO – Chairman separation (t-1) | 1.0776 * (0.6219) | 0.9939 (0.6052) | 0.8288 (0.5770) |
| Big-4 audit firm (t-1) | 1.0135 (0.6824) | 1.1263 * (0.6515) | 0.9335 (0.6466) |
| Concentrated ownership (t-1) | 2.4200 *** (0.8679) | | |
| Stake held by the largest shareholder (t-1) | | 11.8777 ** (5.1298) | |
| Stake held by the three largest shareholders (t-1) | | | 6.2508 *** (2.3436) |
| Intercept | –9.2920 *** (3.0050) | –12.6291 *** (3.2797) | –12.2057 *** (2.7880) |
| Log likelihood value | –39.4082 | –39.2383 | –41.4226 |
| Pseudo – R2 | 0.4135 | 0.4160 | 0.3835 |
| LR (Chi2) | 34.62 *** | 33.30 *** | 38.65 *** |
| Correctly classified (CRO adopters) | 0.8085 | 0.8085 | 0.7660 |
| Correctly classified (not-CRO adopters) | 0.8000 | 0.7800 | 0.8000 |
| Correctly classified (overall) | 0.8041 | 0.7938 | 0.7835 |
| Number of observations | 97 | 97 | 97 |

Robust standard errors are presented in brackets. *, **, *** indicate significance at the 10%, 5% and 1%, respectively.
Table 4. Rare-events logit model: Predicted change in the probability for the decision to have a Chief Risk Officer (from model 3 in Table 4)

The last four columns report discrete changes at different percentiles of the distribution of the corresponding independent variables.

| | Discrete change for dummy variables | 0.10 – 0.25 | 0.25 – 0.50 | 0.50 – 0.75 | 0.75 – 0.90 |
|---|---|---|---|---|---|
| Ln total assets (t-1) | | 0.08795 † | 0.11665 † | 0.21946 † | 0.21724 † |
| Leverage (t-1) | | –0.00598 | –0.04877 | –0.13670 | –0.15240 |
| Board independence (t-1) | | 0.11838 † | 0.10879 † | 0.06412 † | 0.07478 † |
| Size of internal audit committee (t-1) | | 0.00000 | 0.00000 | 0.03369 | 0.02709 |
| Ln external audit fee (t-1) | | –0.00706 | –0.01049 | –0.02657 | –0.02564 |
| CEO – Chairman separation (t-1) | 0.20144 | | | | |
| Big-4 audit firm (t-1) | 0.22264 | | | | |
| Stake held by the three largest shareholders (t-1) | | 0.05396 † | 0.10122 † | 0.09497 † | 0.14533 † |

The first difference represents the change in the probability as a result of a discrete change from zero to one in the independent variable, i.e. $\gamma_x = \Pr(Y = 1 \mid X = 1) - \Pr(Y = 1 \mid X = 0)$. In the case of continuous variables, the first difference refers to discrete changes in the variable of interest at different percentiles, that is, $\gamma_x = \Pr(Y = 1 \mid X = Q(q_2)) - \Pr(Y = 1 \mid X = Q(q_1))$, where $q_1$ and $q_2$ represent quantile points of the distribution of the independent variable under analysis. Sample size = 97. † indicates that the change in the discrete and continuous variables at their corresponding percentiles is significant at the 5% level.
Table 5. Regression results: Enterprise Risk Management

| | Model 1 | Model 2 | Model 3 |
|---|---|---|---|
| Ln total assets (t-1) | 0.0412 *** (0.0085) | 0.0394 *** (0.0085) | 0.0403 *** (0.0086) |
| Leverage (t-1) | –0.0541 (0.0778) | –0.0635 (0.0748) | –0.0777 (0.0729) |
| Board independence (t-1) | 0.2930 *** (0.0896) | 0.2978 *** (0.0904) | 0.3071 *** (0.0885) |
| Size of internal audit committee (t-1) | 0.0015 (0.0175) | 0.0047 (0.0175) | 0.0036 (0.0169) |
| Ln external audit fee (t-1) | –0.0241 * (0.0126) | –0.0229 * (0.0127) | –0.0229 * (0.0131) |
| CEO – Chairman separation (t-1) | 0.0448 (0.0382) | 0.0476 (0.0384) | 0.0452 (0.0387) |
| Big-4 audit firm (t-1) | 0.0854 *** (0.0340) | 0.0868 *** (0.0315) | 0.0813 ** (0.0327) |
| Concentrated ownership (t-1) | 0.0569 * (0.0329) | | |
| Stake held by the largest shareholder (t-1) | | 0.2947 ** (0.1394) | |
| Stake held by the three largest shareholders (t-1) | | | 0.2158 ** (0.1002) |
| Intercept | –0.0985 (0.1529) | –0.1954 (0.1576) | –0.2150 (0.1612) |
| F – test | 8.55 *** | 8.27 *** | 8.87 *** |
| R2 | 0.4043 | 0.4125 | 0.4109 |
| RMSE | 0.1374 | 0.1374 | 0.1376 |
| Number of observations | 97 | 97 | 97 |

Robust standard errors are presented in brackets. *, **, *** indicate significance at the 10%, 5% and 1%, respectively.
List of Appendix
Appendix 1: Dimensions and average values of enterprise risk management

| No. | Dimensions of Enterprise Risk Management | Average |
|---|---|---|
| | Internal environment | 32% |
| 1 | Is there a charter of the board? | 34% |
| 2 | Information on the code of conduct/ethics? | 64% |
| 3 | Information on how compensation policies align interest of managers with shareholders? | 38% |
| 4 | Information on individual performance targets? | 18% |
| 5 | Information on procedures for hiring and firing of board member and management? | 31% |
| 6 | Information on remuneration policy of board members and management? | 56% |
| 7 | Information on training, coaching and educational programs? | 24% |
| 8 | Information on training in ethical values? | 11% |
| 9 | Information on board responsibility? | 34% |
| 10 | Information on audit committee responsibility? | 23% |
| 11 | Information on CEO responsibilities? | 11% |
| 12 | Information on senior executive responsible for risk management | 24% |
| 13 | Information on supervisory and managerial oversight | 44% |
| | Objective setting | 52% |
| 14 | Information on company’s mission? | 65% |
| 15 | Information on company’s strategy? | 95% |
| 16 | Information on company’s business objectives? | 68% |
| 17 | Information on adopted benchmarks to evaluate results? | 26% |
| 18 | Information on approval of the strategy by the board? | 6% |
| 19 | Information on the link between strategy, objectives and shareholder value | 50% |
| | Event identification | 54% |
| | Financial risk | |
| 20 | Information on the extent of liquidity? | 84% |
| 21 | Information on the interest rate? | 82% |
| 22 | Information on the foreign exchange rate? | 67% |
| 23 | Information on the cost of capital? | 56% |
| 24 | Information on the access to the capital market | 46% |
| 25 | Information on long-term debt instruments? | 69% |
| 26 | Information on default risk? | 42% |
| 27 | Information on solvency risk? | 49% |
| 28 | Information on equity price risk? | 64% |
| 29 | Information on commodity risk? | 57% |
| | Compliance risk | |
| 30 | Information on litigation issues? | 85% |
| 31 | Information on compliance with regulation? | 88% |
| 32 | Information on compliance with industry codes? | 58% |
| 33 | Information on compliance with voluntary codes? | 11% |
| 34 | Information on compliance with recommendation of Corporate Governance? | 45% |
| | Technology risk | |
| 35 | Information on data management? | 19% |
| 36 | Information on computer systems? | 36% |
| 37 | Information on the privacy of information held on customers? | 24% |
| 38 | Information on software security? | 19% |
| | Economical risk | |
| 39 | Information on the nature of competition? | 89% |
| 40 | Information on the macro-economic events that could affect the company? | 61% |
| | Reputational risk | |
| 41 | Information on environmental issues? | 69% |
| 42 | Information on ethical issues? | 23% |
| 43 | Information on health and safety issues? | 76% |
| 44 | Information on lower/higher stock or credit rating? | 41% |
| | Risk assessment | 51% |
| 45 | Risk assessment of the extent of liquidity? | 84% |
| 46 | Risk assessment of the interest rate? | 82% |
| 47 | Risk assessment of the foreign exchange rate? | 67% |
| 48 | Risk assessment of the cost of capital? | 56% |
| 49 | Risk assessment of the access to the capital market | 46% |
| 50 | Risk assessment of long-term debt instruments? | 69% |
| 51 | Risk assessment of default risk? | 38% |
| 52 | Risk assessment of solvency risk? | 43% |
| 53 | Risk assessment of equity price risk? | 56% |
| 54 | Risk assessment of commodity risk? | 50% |
| 55 | Risk assessment of litigation issues? | 85% |
| 56 | Risk assessment of compliance with regulation? | 88% |
| 57 | Risk assessment of compliance with industry codes? | 58% |
| 58 | Risk assessment of compliance with voluntary codes? | 11% |
| 59 | Risk assessment of compliance with recommendation of Corporate Governance? | 45% |
| 60 | Risk assessment of data management? | 19% |
| 61 | Risk assessment of computer systems? | 36% |
| 62 | Risk assessment of the privacy of information held on customers? | 24% |
| 63 | Risk assessment of software security? | 11% |
| 64 | Risk assessment of the nature of competition? | 89% |
| 65 | Risk assessment of environmental issues? | 69% |
| 66 | Risk assessment of ethical issues? | 23% |
| 67 | Risk assessment of health and safety issues? | 76% |
| 68 | Risk assessment of lower/higher stock or credit rating? | 35% |
| 69 | Information on techniques used to assess the potential impact of events combining | 18% |
| | Risk response | 28% |
| 70 | General description of processes for determining how risk should be managed? | 8% |
| 71 | Information on written guidelines about how risk should be managed? | 11% |
| 72 | Response to the liquidity risk? | 47% |
| 73 | Response to the interest rate risk? | 51% |
| 74 | Response to the foreign exchange rate risk? | 39% |
| 75 | Response to the risk related to cost of capital? | 26% |
| 76 | Response to the access to the capital market | 29% |
| 77 | Response to long-term debt instruments? | 28% |
| 78 | Response to litigation risk? | 67% |
| 79 | Response to default risk? | 24% |
| 80 | Response to solvency risk? | 28% |
| 81 | Response to equity price risk? | 31% |
| 82 | Response to commodity risk? | 23% |
| 83 | Response to compliance with regulation? | 55% |
| 84 | Response to compliance with industry codes? | 28% |
| 85 | Response to compliance with voluntary codes? | 8% |
| 86 | Response to compliance with recommendation of Corporate Governance? | 27% |
| 87 | Response to data risk? | 6% |
| 88 | Response to computer systems risk? | 2% |
| 89 | Response to the privacy of information held on customers? | 6% |
| 90 | Response to risk of software security? | 9% |
| 91 | Response to the risk of competition? | 64% |
| 92 | Response to environmental risk? | 38% |
| 93 | Response to ethical risk? | 22% |
| 94 | Response to health and safety risk? | 38% |
| 95 | Response to risk of lower/higher stock or credit rating? | 14% |
| | Control activities | 21% |
| 96 | Information on sales control? | 29% |
| 97 | Information on review of the functioning and effectiveness of controls? | 37% |
| 98 | Information on authorisation issues? | 13% |
| 99 | Information on documents and record as control? | 11% |
| 100 | Information on independent verification procedures? | 22% |
| 101 | Information on physical controls? | 10% |
| 102 | Information on process control? | 24% |
| | Information and communications | 28% |
| 103 | Information on verification of completeness, accuracy and validity of information? | 49% |
| 104 | Information on channels of communication to report suspected breaches of laws, regulations or other improprieties? | 11% |
| 105 | Information on channels of communication with customers, vendors and other external parties? | 23% |
| | Monitoring | 20% |
| 106 | Information on how processes are monitored? | 24% |
| 107 | Information about Internal audit? | 32% |
| 108 | Information about the budget of the Internal Audit? | 3% |
| | Total Weighted Average ERM | 36% |