Best Practices for Business Continuity in 2021
Business Continuity and IT Disaster Recovery Blogs
Organizational Risk Management – A Case Study in Companies that have won the Brazilian Quatity Award Prize
By Luiz Carlos Di Serio1, Luciel Henrique de Oliveira2, Luiz Marcelo Siegert Schuch3
Supply chain optimization, company interdependency and the establishment of global operating networks have all made companies more susceptible to uncertainty and risk. Literature on the subject lacks analysis of how companies have implemented these systems and what the results have been. This paper describes the implementation of Enterprise Risk Management (ERM) in three Brazilian world-class companies and evaluates the hindrances and facilitating factors. It also considers the results achieved in performance and company culture. Finally, we propose a model associating the beneﬁts of risk management to the level of organizational transformation.
Keywords: Enterprise risk management (ERM); risk management; organizational transformation; operating risks, ruptures in the supply chain.
In the organizational field, risk management has only recently featured in executives’ agendas, changing the perception in the process that this discipline is restricted to insurance experts (CAVINATO, 2004). The optimization of supply chains, more company interdependency prompted by the evolution of lean manufacturing, and the establishment of global supply networks have increased companies’ exposure to different types of uncertainties and consequently, to greater risk (HARLAND et al, 2003). According to the Global Risks 2008 report, published by the World Economic Forum, the main current risks stem from supply chains, the financial system, food safety, and issues related to energy availability and use.
This work aims at finding ways to reduce the gap in the practical implementation of risk management systems in organizations. A multiple case study was conducted with three companies chosen from a list of winners and finalists of the PNQ National Quality Award. Winning the PNQ award was a prerequisite for the companies chosen, as one of the requirements of the EFQM Management Excellence Model is the identification, classification, analysis and handling of more significant corporate risks. The fact that these are award-winning companies is a sign of public recognition of their maturity, development and integrated management systems and enables a more comprehensive evaluation of the factors proposed by this study.
This study is based on the following research problems: How do companies that are considered as examples of world-class management handle their organizational risk? How does risk management affect the culture and results of these organizations?
2. Theoretical References
From an individual perspective, companies have acknowledged risk for a while and there is a vast literature on the subject in the areas of economics, finances, strategy and international management (JÜTNER et al, 2003). Also, the author points out that the term risk is somehow confusing, because it is perceived as a multidimensional concept. On the one hand it can be attributed to internal or external events that reduce the predictability of results (e.g. political, environmental and market risks). On the other, the term risk can refer to the potential consequences of an event (e.g. operating, personal and service risks).
The Brazilian National Quality Foundation (FNQ, 2010) Excellence Model includes the need to identify organizational risks and defines risk as a combination between the probability of an occurrence and the consequence(s) of an undesired event. It also defines corporate risk as a risk to the achievement of an organization’s goals in the light of market uncertainties, the organization’s area of operation, the macroeconomic scenario and the organization’s own processes.
Bernstain (1996) suggests that the understanding of risk management methods requires prior knowledge of their history. The author argues that it is almost unbelievable that theories about probabilities have taken so long to be developed. This delay is attributed to the combination of two factors that had to be present in order to enable the development of theories about risk: a more developed numeration system and greater liberty for people to question the future.
The basic premise behind organizational risk studies is that a company’s behavior reflects its executives’ behavior. For this reason, the theoretical foundation for the analysis of the different results observed in organizations is based on understanding people’s behavior during decision-making. According to Fiegenbaun and Thomas (1988), it is important to question how far individual attitudes towards risk can be translated into organizational behavior.
An increase in corporate scandals together with recent legislation such as the Sarbanes-Oxley Act of 2002 has led companies to focus more on risk management. Thus, it is not surprising that ERM models that provide a structure for risk analysis and measurement have been so widely embraced by executives (GATES and HEXTER, 2006).
The market offers models aimed at directing an organization’s risk management. COSO’s (Committee of Sponsoring Organizations of the Treadway Commission) introduces an ERM model that takes into consideration strategic and operating aspects associated to risk management. This model has been embraced by agencies and by the US government as a means to control organizational risks and meet the requirements of the Sarbanes-Oxley Law.
Over the past decades the area of operations has reemerged as a crucial part of strategic planning. Skinner’s article (1969) proposed that manufacturing be included in the strategic process rather than be limited as a specialization focused on the plant’s everyday routine. Operational strategy has gained more space and become a link between market requirements and operating resources (SLACK LEWIS, 2002).
The implementation of a risk management system is a long-term, dynamic, interactive process that must be continuously improved and integrated to the organization’s strategic planning, Brazilian Corporate Governance Institute (IBGC, 2007). VENKATRAMAN (1994) presented a framework with possible ways to implement Information Technology within an organization. This framework (Table 1) has different stages of organizational transformation and their respective impacts, and it is the company’s job to determine which type of transformation it wants to introduce. The choice of a specific level of transformation depends on the costs incurred and on estimated benefits.
2. Methodological Procedures
The research used the multiple-case study model proposed by YIN (2005). Selection of the cases was followed by the development of research proposals and protocol. Each case is described in detail. We first contacted the latest winners and finalists of the PNQ award and identified the companies that adopt risk management systems. Initial contact was made with the company’s representative on the FNQ (National Quality Foundation) data bank, who then referred us to the person in charge of risk management. One of the prerequisites for involvement in the study was for the company to work with the subject of ‘risk management”, even if it was still being structured. This premise enabled a preliminary glimpse of the results obtained through the implementation of the risk management system.
Three of the companies we contacted agreed to share information and experiences. In many cases risk management involves the organization’s strategic questions, thus hindering access to some information and, in some cases even preventing the company’s participation in the study. This problem was dealt with through a confidentiality agreement stating that the participants’ names remain undisclosed, and through prior submission of the data collection process and of the research protocol containing the main themes discussed during the interviews. Our main interest was in risk management implementation and results, so despite limiting the research’s scope, the lack of access to each company’s specific risks did not prevent the execution of the study.
After consulting the literature on the subject, we drew up the following research protocol for the interviews and analyses of the results:
(1) Risk management implementation –factors that facilitate and hinder risk management in the company.
(2) Current stage of the risk management system – risk management governance; risk identification and analysis; risk monitoring and crisis management, the use of technology and integration, and how and whether risks were communicated to stakeholders.
(3) Impacts of risk management – the organizational culture’s approach to risk and decision-making and the impact on organizational results.
The following proposals were withdrawn from theoretical references and used to direct the research and as the object of analysis of this study:
• Proposal 1: organizations consider risk management as an important initiative for carrying out their strategies and obtaining sustainable results;
• Proposal 2: organizations include formal risk analyses in their decision-making processes;
• Proposal 3: the identification, analysis and handling of financial risks is more developed than in the case of operating risks;
• Proposal 4: the adoption of a structured organizational risk management system has a positive impact on performance;
We chose to conduct semi-structured interviews with a prepared questionnaire containing specific sections to help map out the implementation process, the current stage of the risk management system, and the results obtained. For each case analyzed we conducted interviews with the executive in charge of the organization’s risk management. The interviews were based on a prepared script and were conducted in the company’s facilities during scheduled meetings. They lasted an average of 3 hours and covered the entire scope established in the script.
In each question the interviewees were asked to explain the company’s experience. At the end of questions with previously-established factors, it was requested that the interviewee grade the degree of agreement with this practice and the degree to which it has been implemented. The interview was not restricted to the suggested factors, so the interviewees were free to propose new ones. This approach aimed at obtaining a minimum group of factors for future comparison between companies. Although the selected companies did not authorize the disclosure of their names nor of details that enabled their identification, they are loosely described in Table 2.
Both the interviews and the data collection were carried out by the authors. In addition to the interviews, we used information from the companies’ sites, minutes of meetings, internal presentations about the subject, annual reports, and documents available to the market (such as documentation sent to the Securities Exchange Commission – SEC – corroborating compliance with the Sarbanes-Oxley Law).
4 Results and Discussion
4.1. COMPANY A
4.1.1. The implementation of risk management
The company’s risk management system was implemented in 2005, during the selection of a consultancy firm as part of the formalization of the risk analysis process. Some specific areas in the company already had a risk-identification and handling system, although there was no standardized structure and methodology. Demand for the structuring of a risk management system came from the holding company and majority shareholder. It was determined that two subsidiaries were to develop a common system that could, as a secondary goal, meet the requisites of the Sarbanes-Oxley Law. A working group was created containing members of the controllership, information technology, and auditing areas of the two companies and which was led by Investor Relations Management.
Observation of the results showed that the leadership’s support and that implementation through a multifunctional team were facilitating factors. The leadership’s support was crucial for mobilizing people, as it placed the subject firmly in the executives’ agenda. This was made evident with the inclusion of the subject in the Chief Executive Officer and Chief Financial Officer’s (leaders of the implementation process) variable remuneration plan and with the definition of a specific action plan for the Financial Area within strategic planning. An interesting point is that the interviewees did not consider as relevant the use of a specialized consultancy firm to support the implementation process. Previous experience with the implementation of management systems was not considered a facilitating factor, although the firm had already implemented several other systems (ISO9001, ISO14001, OHSAS18001, MEG, SAP, among others).
The answers did not suggest that any of the proposed factors had a significant impact on the implementation of the risk management system. In COMPANY A, the support of the leadership was considered effective and as a result the proposals item scored low on the interviewees’ evaluation, although all the interviewees recognized the item as being a very important factor. The factor that generated the greatest difficulty, according to the interviewees, was the executives’ relative lack of knowledge about risk assessment. According to them, this difficulty was attenuated by a request for each executive to identify the factors that made them “lose sleep”. Afterwards, the risks were detailed and analyzed.
4.1.2 The current stage of the risk management system
The process’ Governance is carried out by the Risk Sub-Committee – the body responsible for risk management. Since 2005, company A has used the COSO methodology to deal with corporate risk. This methodology includes a process of identification, measurement, definition of responses, and control of potential events that might have a negative effect on the company and its strategies. The Risk Sub-Committee is directly linked to the Strategy Committee, which receives frequent reports about the progress made in risk identification, evaluation, and monitoring and about the materialization of previously identified risks.
Risk identification and analysis exclusively cover the company and are not extended to its supply chain. Risk management is associated with strategic planning. Risk identification takes place at least once a year through the analysis of scenarios (external and internal environments) as part of one of the stages in the strategic planning cycle. There are preventive plans to reduce or eliminate the identified risks, while more significant risks are handled through a contingency plan drawn up in accordance to the risk’s priority. Risk prioritization is determined in accordance with the factors described in Table 3.
Credit and market financial risks are a subgroup of Corporate Risks covered by the COSO methodology and monitored by the Risk Committee. Thus, financial risk management in COMPANY A is at a more mature stage than operating risk management. The factor identified by the interviewees as less developed is executive training. The risk management system’s most fragile spot is, according to the interviewees, the auditing of internal controls employed to manage identified risks. According to one of the interviews, this process occurs in several cases but its results have not yet been reported to the subcommittee and therefore corrective action has not been taken. Although the company uses credit management (SAP) and market risk management software, there is no indication of an operating risk management system. The company adopts criteria for risk control that are part of SAP parameterization, including control of the degree of approval for certain operations (credit, refunds, payments, etc). Although the entire process of risk identification and analysis is considered a restricted activity that is subject to the signing of a confidentiality agreement by the parties involved, the company has adopted the practice of disclosing its main risks in its sustainability report.
4.1.3 The impacts of risk management
Risk management culture in Company A is still under development. According to the interviewees, risk management is still “confined” to the risk management Subcommittee and consequently, only a small number of executives have taken part in the full process – from identification to the drawing up of contingency plans for certain risks.
Risk analysis is already part of the executives’ routine and the biggest change brought by the adoption of the risk management system is the formalization of the process and the creation of a single referential (classification, terminology, templates). The process is quite effective for those involved in assessing risks and in drawing up plans of action. According to the interviewees, there is not yet proactivity in risk identification and assessment, as with few exceptions these activities are undertaken upon demand from the Subcommittee. An important determining factor for the introduction of this culture was the implementation by the CEO of the No Surprise Policy, which is frequently mentioned in his periodic statements to the company’s employees (which are called “A Chat with the CEO”). The financial department also plans implementation and has established the need “to perfect risk management”.
Among the benefits of organizational risk management, four were reported as being the most important: an increase in shareholders’ trust in the company; the prevention of events that could lead to an interruption in the operations; an improvement in operating results; and better identification of opportunities and threats. Shareholders’ trust was highlighted as a positive factor. In the case in point, this is also due to the No Surprise Policy between the CEO and the Board of Directors, which is also supported by the risk management system. It was also reported that risk management practices and the main risks to which the company is subject are also disclosed to the investment market.
4.2 COMPANY B
4.2.1. The implementation of risk management
Risk management as a structured process dates back to 2005, when the company started to comply with the Sarbanes-Oxley Law following its listing on the New York Stock Exchange. At the time the process was led by the Corporate Governance area, which is directly linked to the CEO. The Corporate Governance area was created in 2002, with the initial purpose of adapting the company to the BOVESPA’s Novo Mercado corporate governance level.
A process was established whereby there is annual evaluation of the controls for each of the accounts in the company’s financial statements. The process consists of identifying the interface areas and the existing controls for each line in the financial statement. Based on this there is a self-assessment of the controls’ effectiveness, followed by a series of field tests and verifications aimed at proving control efficiency. The company has four main risk areas that are the object of more detailed analysis – in the form of pilot projects. The risk implementation project foresees the gradual inclusion of new risks combined with the maturing and internal consolidation of the methodology. The adoption of a risk management system was not prompted by one factor alone. Although it started with adjustments to the Sarbanes-Oxley Law, it was also the result of a natural evolution of the organization’s management system, which was expected to have a positive impact on the organization’s results.
The facilitating factor considered most relevant was support from the organization’s leadership, especially the CEO and Board of Directors. This support was manifested through a frequent (weekly) monitoring of risk management implementation and through the allocation of resources, both in terms of staff (through the creation of a department) and financial (approval of a budget to hire a consultancy firm to help implementation). Still on the subject of facilitating factors, the same importance was granted to previous experience with a management system (the company has certifications from ISO9001, ISO14001, SA8000 and OHSAS 18001), to the existence of a team dedicated to implementation and to the creation of a multifunctional team. A factor considered to be of great importance by the interviewee was the clear definition of roles during the drawing-up of the implementation project. The main complicating factors mentioned were a lack of understanding regarding risk assessment, and the long duration of the still-ongoing implementation as the plan foresees a gradual inclusion of risks in the methodology’s scope. This tends to turn implementation into a very bureaucratic process, whose limited scope prevents actual benefits from becoming immediately apparent.
4.2.2. The current stage of risk management
Risk management is implemented by the Risk Management Department, which reports directly to the CEO. The department has four analysts in addition to its Chief Risk Officer. Effectively the office has a supporting role and is in charge of establishing the rules and standardizing the organization’s risk management process. Identification of specific risks is done by the business areas under the Risk Management Department.
In company B the unit for the analysis of risk identification limits itself to the company itself and it does not acknowledge risks in the supply chain (upstream and downstream). The company has adopted the COSO methodology from September 2004 as a reference point for the development of risk management. It includes an ERM model that considers strategic and operating aspects associated to risk management. This reference point is also considered by risk taxonomy, which includes an additional category called regulatory risks given the importance of this issue for a company that operates in a strongly regulated market.
If we consider the origins of the risk management process in the organization (adjustment to the Sarbanes-Oxley Law and the active management of regulatory risks), then the identification and handling of reporting (related to the reliability of the company’s reports) and compliance (compliance with legislation and applicable regulation) are more developed than the identification and handling of strategic and operating risks. The identification of operating risks is more spread-out and dealt with by several forums as part of the certified management systems related to quality (ISO 9001), environment (ISO 14001), health and safety (OHSAS 18001) and social responsibility (SA 8000). The company’s 2007 annual report contains the way in which some of its main risks were handled, as summarized in Table 4.
Based on the risk management system’s level of maturity regarding risk quantification and handling and on the marks assigned by the interviewees, we concluded that the organization does not have a unified risk handling and report system. The process is still under implementation and currently only some of the risks are submitted to standardization (pilot-projects).
As regards the use of technology and integration, the company has adopted a system for the management of regulatory aspects and another for the bottom-up certification of controls related to compliance with the Sarbanes-Oxley Law. This system includes a bottom-up approval process for control efficiency starting at the operating level and moving up to the CEO and board of directors – both of which grant final approval based on information from the lower levels. Regarding risk communication, a description of the organization’s main risks can be found in its Annual Report. Disclosure of more detailed information about risks and control strategies is confidential and restricted to the company’s executives.
4.2.3. The impact of risk management
As regards culture and decision-making, the company has not developed a corporate culture for risk management. According to the interviewee, the process is still strongly linked to the strategic planning period during which SWOT analyses are carried out for each type of business. As risk management is still under implementation, there have been no evident cultural changes, as risk identification and handling have not simultaneously occurred in all areas of the company. In the case of the controls listed by the Sarbanes-Oxley Law’s certification process, there is already more awareness about the need to identify potential risks during changes in procedures – a sign of increased maturity in the company’s culture.
In the interviewee’s opinion the benefits obtained from risk management are still limited, as shown by the current stage of implementation. Among the benefits proposed there is a perception of improvement in the operating results prompted by a reduction in losses and in interruptions. At this stage, it is not yet possible to associate risk management implementation with lower payments to insurers or to fundraising in the market, although the AA+ rating assigned by Austin will positively affect market confidence in the company.
4.3 COMPANY C
4.3.1 The implementation of risk management
Corporate risk management in Company C started in 2006. The process was centrally coordinated in the US, as risk management is an attribution of the vice CEO responsible for the corporate management system. In Brazil the initiative to implement risk management is recent, starting in May 2008 with a workshop in the industrial plant aimed at identifying the unit’s main risks. This company’s case is different from the others, as it shows risk assessment in one production unit belonging to a global corporation. For this reason, the local risks are identified and handled almost exclusively at the operating area. Financial and strategic risks are dealt with on a corporate level and so are all the processes related to the Sarbanes¬-Oxley Law.
The facilitating factors considered most important for the implementation of risk management were: support from the leadership, training on how assess risks, and the actions of the multifunctional team. The interviews showed that employees from all areas took part in a workshop held with members from headquarters and received initial training. As regards the complicating factors, the interviewee said that none of those listed actually hindered implementation or risk assessment. As the initiative came from headquarters, it received the prompt adhesion and mobilization of all parties involved.
4.3.2 The current stage of risk management
In the unit analyzed the process was coordinated by the plant’s Chief Projects Officer and there is no formal support structure to support risk identification. Assessment is carried out annually through workshops held for that purpose and attended by employees from various areas. There is a risk management structure that reports directly to a vice-president and the corporate model uses the COSO methodology. A principal focus in 2008 was to assess risks that could lead to an interruption in production (Business Continuity Management) and the corporate guideline was for the creation of a structure involving key areas in the company.
Risk identification at the plant (operating focus) is based on corporate methodology. The process starts with a standard list of events that the units classify according to pertinence, severity and probability of occurrence. An event to evaluate risks is held annually, with participation from several areas (IT, production, sales, supply, projects, etc). The main risks are classified and employees are appointed to draw up plans of action.
As the plant has no risk indicators, reports about the monitoring of risk handling plans are presented during the plant’s executive meetings. A budget for risk mitigation actions is established on an annual basis and is also used as a basis for the executives’ evaluation. Financial exposure to risks does not take place at the plant, and there is no information available about how this is done on a corporate level. The analyzed plant has no risk management system or portal and surveys are recorded on spreadsheets using the corporation’s methodology. The plant’s risk management leader does not have access to any corporate system and all risk handling action plans are monitored by the group and the actions’ progress and inter-relations can be viewed by all.
4.3.3. The impact of risk management
Although risk management is still at an initial stage, as only one full cycle has been completed in the plant that is being analyzed, there is evidence that risk-related issues have started to be included in the executive and middle-management agenda. This is due to the constant monitoring of risk mitigation action plans and their inclusion as a theme of discussion in managerial meetings in several areas of the company.
In the case of the evaluation of results obtained from risk management, the principal implementation gains perceived at the plant were improvements to opportunities, to threat identification and to corporate governance. When asked about his perception of the corporate risk system, the interviewee said improved investor confidence is imperceptible at plant level. There were no improvements regarding compliance with legal requirements or regarding financial reports, as these obligations had been met prior to the implementation of risk management.
4.4. Comparative analysis and discussion
In the three companies the implementation of risk management was prompted by demand from the board of directors, usually in response to pressure for more transparency. The enactment of the Sarbanes-Oxley Law in 2002 in the US was evidently a major incentive for companies listed on the US market.
The three companies hold ISO 14001 (Environmental Management Standards) and OHSAS 18001 (Occupational Health and Safety Management) certification which require the identification of environmental impact (ISO 14001) and health and safety risks (OHSAS 18001). However, these assessments are not part of the risk management systems in any of the three companies. The explanation given during the interviews was that risk assessment for these norms is very specific and operations-oriented and therefore is not the focus of current risk management implementation, which is aimed at strategic and financial risks. Table 5 summarizes empirical evidence common to all three companies.
Each company opted for different structures for the implementation of their risk management systems. While Company A opted for the establishment of an implementation team and a Risk Subcommittee to manage the process, Company B created a Risk Management Department that reported directly to the CEO. Company C created a post for someone with a deep knowledge of operations at the plant (Chief Projects Officer), as this was the focus of risk assessment in Brazil. Literature on the subject shows the adoption of different implementation models, whether in the form of a specific area, a committee or a post (LIEBENBERG and HOYT, 2003). In terms of complicating factors, field results show that the biggest hindrance to implementation stems from lack of knowledge about risk assessment among those involved. As for the extent of the assessments, both Company A and B affirmed that their respective risk assessments were focused on the company itself and that supply chain risks were not evaluated. Only Company C made an analysis of its client and supplier risks. This is in line with the Gates and Hexter (2006) research conclusion that risk management starts with the financial area and is followed by strategic and operating risks.
We perceived that risk handling helps prevent occurrences and events that could lead to an interruption in operations. After discussions about this with representatives from the companies, we concluded that contingency plans are rarely put into action. One of the interviewees claimed that it is difficult to measure the risk management system’s efficiency, comparing it to a soccer goalkeeper: “No one knows how many goals a goalkeeper has prevented, but everyone knows how many he has let in”. This remark summarizes the difficulties in measuring the efficiency of a risk management system and leads to a much more qualitative than quantitative analysis of its impact.
Based on figure 1 and the model proposed by Venkatraman (1994), analysis of the cases studied for this work suggests that companies A and B are more aligned to the Internal Integration stage. In these two companies the efforts are mostly focused on risk consolidation and integration, although in both cases the processes were redesigned in accordance with initial assessments. In corporate terms, company C might be at a more advanced stage (transition to Stage 4) as the firm, or more precisely its supply chain, is more concerned with business networks as shown in the individual analysis of the case. Finally, it is important to highlight that the model aims towards companies aligning their expectations and making more conscious choices, as in practice they can end up at different stages for each particular aspect.
To guide the research we have made some initial proposals based on the theoretical revision discussed herein and in accordance with the empirical evidence.
Proposal 1: The empirical evidence offers partial support to this proposal. Although in all three cases representatives from the organizations affirmed the belief that there have been result improvements, demand for implementation has largely come from upper management (in all three cases there was demand for compliance to the Sarbanes-Oxley Law). As there does not seem to be consensus about the extent of the improvements, the companies might be more interested in legitimizing their processes and structures than in effectively improving their performances.
Proposal 2: This proposal has been partially proven true. The current state of risk management implementation in the companies has proved insufficient to have a significant effect on decision-making. Risk management remains strongly focused on the implementation team members and in some cases, on specific areas (Company A) or pilot-processes (Company B). The use of pilot-projects during implementation is recommended by the literature on the subject (Enterprise Risk Management Framework, 2007; KLEFFNER et al, 2003, COSO).
Proposal 3: This proposal was observed in all three companies. In fact, operating risk management is at a lower stage of development than for financial risk. All three companies are integrating operating risks to the financial and strategic risks that had previously been handled. In this case, Company C was at the highest stage of development, by including supply chain risks in operating risks. This conclusion is in line with the theoretical discussion about the subject (SHEFFI, 2005; HARLAND, 2003, JUTNER et al, 2003; HENDRICKS and SINGHAL, 2005).
Proposal 4: This proposal could not be convincingly proved. Although analysis of the cases led to the conclusion that the companies considered their operating results had improved, there was no objective evidence to this effect. An interesting analogy was made by one of the interviewees who made a comparison to a soccer goalkeeper: “No one knows how many goals a goalkeeper has prevented, but everyone knows how many he has let in”. This remark summarizes the difficulties in measuring the efficiency of a risk management system and leads to a much more qualitative than quantitative analysis of its impact.
The research contributed both to the debate in the academic field and to managers interested in risk management implementation. As regards academia, the study presents a preliminary proposal for a theoretical model relating the degree of organizational transformation to the benefits of risk management, depending on how the organization decides to implement this initiative. Regarding practical application, the study enables the identification of different risk management development models in organizations with fairly developed management systems which, for this reason, are very experienced when it comes to this type of initiative. Finally, it presents the factors that might facilitate and hinder the success of this initiative.
The study has some limitations. As this is a multiple case study its power of generalization is limited, despite the methodological care applied to its development. The risk management systems in the companies analyzed in the case study are at the initial maturation stage. This reduces the likelihood of events that could be the object of proactive action taken in response to risk assessment. Additionally, the companies’ current risk management status also limits perceptions about the cultural issues in the process. As risk management has not been effectively implemented in all areas, the interviews were restricted to direct participants in the implementation process, thus introducing a certain bias to the answers. None of the companies gave access to their specific risks or their respective handling (mitigation, elimination, transfer, etc). Consequently, it was not possible to evaluate the extent to which each of these alternatives has been applied. Risk management is seen as part of the companies’ strategy and disclosure of this information is considered a “risk”.
We suggest more in-depth study at companies where risk management is at a more advanced stage. These studies could assess the systems’ impact on organizational culture from the viewpoint of the various participants (board of directors, executives, middle-management, risk management team members, staff and other employees), in order to identify how perceptions about risk can affect organizations’ control and strategic planning. Furthermore, as risk management can result in stricter internal controls it can also have an impact on processes related to innovation. Studies about this ambiguous aspect could help companies ration control during the continuous reinvention processes that are required for facing new challenges.