Skip to content

The role of interactive style of use in improving risk management effectiveness

Business Continuity and IT Disaster Recovery Blog

The role of interactive style of use in improving risk management effectiveness Author: Mojca Marc, Marika Arena and Darja Peljhan

  1. Introduction

    The use of risk management systems (RMS) is widespread in contemporary organizations, primarily because of the potential of risk management (RM) to improve organizational performance. However, many organizations have been frustrated by implementation problems that have prevented the expected benefits of advanced RMS designs, such as enterprise risk management (ERM) (Miccolis 2003). Recently, the gap between the prevailing descriptions of ERM in technical terms, on the one hand, and the social issues associated with ERM implementation and actual use, on the other, has been revealed as a source of such problems (Jean-Jules and Vicente 2021). Mainstream RM literature still prescribes RM models with sequential stages such as risk identification, risk analysis/assessment, and risk response or treatment. More advanced RMS designs are characterized by a holistic approach to risk management that requires the coordination of different risks (Hoyt and Liebenberg 2011) and a combination of quantitative and qualitative approaches (Davila 2012). However, it is implicitly assumed that individuals involved in RM are sufficiently competent and rational to collect, process, and use this information to make decisions (Power 2007). In reality, social aspects such as employee involvement, willingness to learn new routines related to RM, or acceptance of change due to RM prove to be more challenging for risk managers and a critical success factor (Jean-Jules and Vicente 2021).

    We argue that the qualities of more advanced RMS designs can only be realized if managers use these systems interactively, which in turn increases RMS effectiveness. The concept of interactive use comes from the management control literature (Simons 1995, 2000) and is largely related to what is described as meaningful risk communication in the risk governance literature (van Asselt and Renn, 2011). The commonality between the two views is that effective two-way communication between organizational members is central to the functioning of a system and should not be reduced to just one stage in the RM model. However, interactive use of RMS requires a lot of time and attention from managers. As a result, managers often tend to prefer diagnostic approaches based on managing by exceptions, where only the red-fagged issues are communicated to them (and receive their full attention), while other issues are not discussed. We use insights from the knowledge codification literature (e.g., Zollo and Winter 2002) to explain why an interactive style of use (i.e., consistent interaction and information sharing among organizational members) is necessary in the case of RMS and how it mediates the effect of RMS design (technical elements) on RMS effectiveness.

    Although this is recognized as a critical component, there is limited empirical evidence on how RMS usage style or risk communication affects the relationship between the design and effectiveness of RMS. Previous work has relied primarily on case studies (e.g., Kaplan and Mikes 2016). By examining these relationships in a large-scale study, we aim to extend the existing literature. We use an online survey to obtain cross-sectional data from a sample of medium and large firms and analyze these data using the composite-based structural equation modeling (PLS-SEM) approach. We find that the interactive style of using RMS fully mediates the relationship between the RMS design and effectiveness for the companies studied. More elaborated RMS design encourages more interactive RMS use, which leads to significantly better RMS effectiveness. In other words, more advanced RMS designs are more effective because they encourage a more interactive style of using the system, not because they have additional technical features.

    This study makes two contributions to the literature. First, it contributes to the RM literature and practice by identifying a critical element of successful RMS implementation and its effectiveness that is neglected in the mainstream literature. RM is becoming increasingly central to the effective functioning of contemporary organizations (Arena and Arnaboldi 2014; Collier et al. 2006), and given the amount of organizational resources invested to ensure RM effectiveness, it is critical to understand the importance of risk communication and the implications of using RMS interactively. Second, by discussing RMS at the intersection of management control, risk governance, and knowledge codification literature, we contribute a new perspective to the RM literature. This opens up new research opportunities that can further enrich our understanding of how RMS is designed and used. Our results explicitly suggest that interactive use can compensate for the lack of an organization-wide system in the case of less developed RM designs (e.g., the traditional silo-based RMS) and contribute positively to RM effectiveness.

    The remainder of this paper is divided into four sections. In the next section, we present the relevant literature and develop hypotheses. Then, the research method is explained, followed by a section in which the results are presented and discussed. The last section concludes the paper.

    Literature review and hypotheses development

    RMS design

    We define RMS design as its structural characteristics that reflect the relevant technical features that should be considered when implementing the system (Agostino and Arnaboldi 2012). Accordingly, we use the term design choices when referring to the technical choices that managers have when implementing the structural elements of a RMS. Here, we have in mind both: i) components being developed (e.g., internal environment, risk assessment, risk response, information and communication, monitoring) and ii) methods and tools that are implemented. Organizations do not necessarily implement all of the components that constitute a RMS, and in implementing a component, managers make different choices regarding the approaches, methods, tools, and techniques to be used, so RMS may consequently be designed differently in particular organizations.

    In this study, we are interested in the relationship between a RMS design and RMS effectiveness, where the latter is defined as the ability of organizations to cope with adverse events and ensure their long-term survivability (Stein and Wiedemann 2016). An effective RMS can be implemented in many ways and is characterized by a distinct set of chosen RM practices (Kaplan and Mikes, 2016; Arena et al. 2010). Empirical studies offer mixed results regarding this relationship, with a few studies providing evidence of a positive impact of advanced RMS design on organizational performance (see, e.g., Bertinetti et al. 2013; Grace et al. 2015; Hoyt and Liebenberg 2011), and other studies finding no positive impact (e.g., Marc et al. 2018; Pagach and Warr 2010; McShane et al. 2011). As an upgrade, our study aims to understand the potential positive and negative influences of more developed RMS designs on RMS effectiveness by using insights from the knowledge codification literature.

    This literature shows that the mere accumulation of experience is not sufficient to learn new practices and transfer knowledge effectively (Heimeriks et  al. 2012; Zollo and Singh 2004). Indeed, organizations must deliberately codify experiences into manuals, checklists, and the like because this helps clarify the causal ambiguity between actions and outcomes and may lead to greater effectiveness. Codification also helps organizations to identify and select best practices (Kale and Singh 2007). Various design elements (e.g., policies, statements, processes, methods, tools, and techniques) chosen to implement different RM dimensions can, thus, be viewed as artifacts that contain codified knowledge/experiences about RM. Similarly, a specific organizational RMS design can be seen as a particular configuration of such artifacts. In firms with a narrow focus on risk, where there is little ambiguity about cause-and-effect relationships and most of the tools for RM are available over-the-counter (e.g., financial derivatives and insurance policies), there is less need to codify experience because it is easy to transfer knowledge and select the appropriate RM practices and tools. Such organizations end up with a RMS design often referred to as ‘silo’ RM or traditional RM (TRM). As a holistic approach, ERM is considered the most advanced (or mature) RMS design. ERM requires that different risks are coordinated and addressed simultaneously (Dvorski Lacković et al. 2022), both for the organization as a whole and across functions, rather than assessing risks within a particular department or function where different types of risks are isolated and treated separately (Cohen et al. 2017). It also requires combining traditional quantitative approaches to assess and manage risk exposure with qualitative approaches to manage strategic risks (Davila 2012). Organizations that have used the services of consulting firms, are subject to regulation, and have a complex ownership structure usually have such a RMS design. Compared to TRM, ERM requires more codified artifacts because both knowledge transfer and tool selection are more complicated and less obvious. We conclude that a more developed RMS design contains more codified knowledge and should have a positive impact on effectiveness according to this literature stream. Accordingly, we propose the following hypothesis:

    H1: RMS design is positively related to RMS effectiveness.

    However, codifying knowledge also has drawbacks, as it can make an organization inflexible when specific and unexpected situations arise. Indeed, the literature on risk governance (see van Asselt and Renn, 2011) indicates that the prevailing technocratic RMS, based on procedures and statistical models, should only be used for simple risks (e.g., financial risks) where causes and effects are obvious and uncertainty is low, as they are not able to capture and manage complex risks (e.g., strategic risks). This implies that there is also an optimal level of codification for RMS (i.e., an optimal RMS design) unless other forces are present that can counteract the negative effects of codification. We argue that a particular style of RMS use (i.e., interactive use that refers to active and continuous involvement of top management with its subordinates) can act as such a force and improve the effectiveness of a suboptimal RMS design. As follows, we explain RMS interactive use in more detail.

    RMS interactive use

    RMS can be conceived as part of an organization’s management control system (MCS), as it is used to support planning, decision making, and achievement of organizational goals (Arena and Arnaboldi 2014). Based on the seminal work of Simons (1990), there are two styles of using MCS: a diagnostic style and an interactive style. A diagnostic style refers to the use of RMS on an exception basis to monitor deviations from established objectives and critically review key risk indicators, while an interactive style refers to the use of RMS to enhance opportunity identification and learning (Bisbe and Otley 2004). In the interactive use of RMS, top management regularly participates in the decision-making activities of subordinates. With effective communication among all involved parties, they can achieve resilient risk oversight (Eppler and Aeschimann 2009). Such top management involvement provides them with the opportunity to have an open dialog with their subordinates and challenge the underlying data, assumptions, and action plans (Chong and Mahama 2014). An important perspective of the interactive style is that managers use RMS to create a positive information environment that generates dialog and encourages information sharing (Bisbe and Otley, 2004; Chong and Mahama, 2014), which is considered critical to RM effectiveness. Based on the above reasoning, we argue that interactive use of RMS should improve the RMS effectiveness.

    H2: The interactive style of using RMS is positively related to RMS effectiveness.

    The most developed RMS (such as the ERM) typically include a component dedicated to information and communication about risks. However, the mere presence of this technical component does not guarantee the interactive use of ERM in practice, because even the most developed RMS designs too often focus only on the technical design elements (e.g., a written risk appetite statement, formal RM procedures, and RM reports to the board). Jean-Jules and Vicente (2021) note that these codified tools do not straightforwardly lead to the desired outcomes. One reason is that they are typically created by individuals at corporate headquarters and implemented by others, but it is ’unlikely that any superior understanding gained through the codification process by the former will transfer to the latter simply by being provided with these codified tools’ (Heimeriks et al. 2012, p. 706; Szulanski 1996). A managerial perspective and social factors such as employee involvement, willingness to learn new routines related to RM, or acceptance of change by RM are largely neglected (Jean-Jules and Vicente, 2021).

    The literature on risk governance also suggests that the principle of communication and inclusion should be part of RMS, but this is not currently the case. In this view, communication refers to social interactions and the sharing of ’knowledge, experiences, interpretations, concerns, and perspectives’ while inclusion means ‘roundtables, open forums, negotiated rule-making exercises, mediation or mixed advisory committee’ (Aven and Renn 2020, p. 1123). Such meaningful communication of and about risk is not formally part of the RMS designs, but it can be recognized in the descriptions of an interactive style of using RMS. Therefore, we argue that the style of using RMS is not conceptually part of the RMS design. Nevertheless, an evolved RMS likely encourages interactive use for several reasons, which we explain in the next section.

    The mediating role of interactive use

    While codification increases efficiency for known, recurring problems, it also leads to inertia because organizations respond to all problems in a pre-programed way (Schulz 1998). This occurs because people who merely implement codified tools do not learn the deeper causal relationships underlying the codification process, which prevents them from finding ad-hoc solutions to problems (Heimeriks et al. 2012). When managers use RMS elements (i.e., codified tools) diagnostically, simple risk problems (e.g., financial risks) may be managed effectively, but the complex, uncertain, and ambiguous risk problems (see Aven and Renn, 2020) are unlikely to be addressed or managed appropriately as they require more meaningful risk communication and ad-hoc approaches.

    If more advanced RMS designs encourage interactive use, this represents a new passage through which RM effectiveness can be enhanced. For example, greater involvement of top management can stimulate and boost RM outcomes across the organization. However, because the interactive use of RMS is costly in terms of managerial time and effort, not every organization is managed in this way. We argue that only through the interactive use of RM tools and techniques can an organization continuously adapt and update the codified RM knowledge (policies, procedures, tools, and techniques) and, thus, have more effective risk management. In other words, ’ fine-tuning’ risk management practices is more effective when tacit knowledge about risk and risk practices is better communicated, and this happens when RM is used interactively. Interactive use of RMS, thus, functions similarly to what has been described as second-order routines (e.g., Winter 2003; Heimeriks et al. 2012) and can help counteract the inertia caused by codified RM practices by transferring some of the tacit knowledge and interpretations that are not captured by the codification process. For example, through regular and frequent interactions with subordinates, top managers can signal to all members of the organization that RM initiatives are legitimate, meaningful, and welcome on the organizational agenda (Bisbe and Otley, 2004), which is likely to increase employee engagement in RM activities and positively influence RM effectiveness. Similarly, open debates on risk-related issues improve shared understanding of causal relationships, which should improve RM effectiveness.

    To summarize, we expect that both advanced design and interactive use of RMS positively influence the RMS effectiveness. However, we hypothesize that greater effectiveness will result primarily from mediation through interactive use of RMS rather than directly from more advanced design because, as explained earlier, too much codification in advanced RMS designs inhibits RMS effectiveness. We, therefore, expect the indirect effect of the RMS design through interactive use to be stronger than its direct effect on effectiveness. We, thus, propose the following hypotheses:

    H3: RMS design is positively related to RMS use.

    H4: RMS use mediates the effect of RMS design on RMS effectiveness: the indirect effect of RMS design on effectiveness is larger than the direct effect

    Research method

    Data collection.

    We empirically test the proposed relationships on a sample of medium and large Slovenian organizations. Since our variables refer to concepts recognized and applied by managers in organizations, we collect cross-sectional observations using an online questionnaire prepared as part of a larger study ‘Risk Management as part of Management Control.’

    Following recommendations in the literature (Churchill 1999), we included a cover letter to increase the response rate, we used a combination of measurement scales to avoid the common-method bias, and the translation-back translation procedure, pre-testing, and a mini-pilot study to ensure content validity. Appendix 1 contains the questions from the questionnaire that we used as main variables.

    Because RM is not widely practiced in the target population (Berk and Loncarski 2011), we took the following procedural steps to ensure sufficient precision of statistical analysis (Groves et  al. 2009): (1) we contacted all potential companies with RMS (large companies, listed companies, and companies in financial industry) to obtain information about the person responsible for RM, and (2) after the first reminder e-mail, we called and prompted these companies to respond to the questionnaire. In large companies, the respondents were CRO or other persons indicated as responsible for RM. In medium-sized companies, we e-mailed the questionnaire to the managing directors as the RM process is typically informal and without dedicated resources (Falkner and Hiebl 2015). After the initial invitation to participate in the study, two reminder e-mails were sent and follow-up and reminder calls were made.

    total, we collected 136 responses, representing a response rate of approximately 12% (N=1,117); however, the analyses are based on 93 responses with complete observations. We found no statistically significant difference between the first and second half of respondents on the main variables of interest, indicating that non-response bias is unlikely a problem. Table 1 presents the structure of the target population and sample.

    We estimate the proposed research model using the partial least squares structural equation modeling approach (SEM-PLS), shown to be superior to regression and factor-based SEM in estimating complex mediation models (Sarstedt et  al. 2020) and with a small sample size (Hair et al. 2017). Additionally, our dataset contains a mixture of reflective and formative latent variables, categorical variables with unknown non-normal frequency distributions, and observed variables measured with single items, which also justifies the use of SEM-PLS (Sarsted et al. 2016; Hair Jr et al. 2020).


    The main dependent variable is the RM effectiveness (EFF). The effects of RM can be observed through various financial and non-financial performance indicators. For example, Marc et al. (2018) consider the effects on a set of fundamental value drivers (invested capital, return on invested capital, net operating cash flow, free cash flow, and expected growth rate). On the other hand, Gordon et al. (2009) measure the effectiveness of RM with a formative ERM index based on the organization’s ability to achieve the four objectives stated in the COSO ERM framework (2004). The main purpose of RM is to improve the ability of organizations to cope with adverse events. However, this typically requires them to balance risk and return; therefore, using indicators only for one or the other could yield biased results. Following related studies (e.g., Paape and Speklé, 2012), we measure RM effectiveness through a subjective managerial perception of its performance. We asked respondents to evaluate on a scale from 1 (strongly disagree) to 5 (strongly agree) how RM helped their respective organizations to cope more easily and effectively with the negative effects of the global financial crisis. The financial crisis hit the Slovenian economy hard, and the effects of the financial crisis were still being felt in the target population at the time of the survey. Besides explicitly considering the perception of comprehensive RM effects, the chosen measure is also general enough that the target respondents were expected to know about it. At the same time, we framed the question in terms of the global financial crisis so that a concrete situation in which RMS effects could be perceived was brought into the respondents’ mental image.

    The main independent variable captures the development of RMS design (RMD). Several alternative approaches have been used in the literature to evaluate the level of RMS development: an indicator of the ERM presence (e.g., Pagach and Warr 2011; Gordon et al. 2009; Hoyt and Liebenberg, 2011; Bertinetti et al. 2013), ERM ratings by rating agencies (e.g., McShane et al. 2011), or the self-reported level of RMS development (e.g., Beasley et  al. 2005, Paape and Speklé, 2012). Similarly to Grace et  al.(2015), we avoid some of the problems of existing measurement approaches by observing whether specific elements of RM are present in the organization. Therefore, we measure RMS development by classifying companies based on their responses to a series of questions about the systematic elements of RM that are present. We developed a list of 10 items covering all five core RMS dimensions identified by Lundqvist (2014), and we asked respondents to mark whether each of these items was present in their respective company (yes/no; see Appendix 1). Since a broader and more comprehensive scope characterizes more advanced RMS designs, the number and type of RM practices implemented are relevant indicators. In contrast to studies that simply sum the number of RM practices in place (e.g., Heimeriks et al. 2012), we classified companies into four categories of RMS development (RMD) using the following rules, which also consider the scope of RMS:

    Stage 1: No RMS item.

    Stage 2: Random RMS items, but not from all dimensions.

    Stage 3: One RMS item from each dimension.

    Stage 4: More than one RMS item from each dimension.

    In stage 1, we find companies that do not have a RM system. In stage 2, we find companies with some elements of a RMS, but since the complete process is not in place, they likely manage risks with a traditional (silo-based) approach. In stages 3 and 4, we find companies with the highest RMS development levels: either a less developed ERM system (stage 3) or a more developed ERM system (stage 4).

    The hypothetical mediation variable (INT) is measured as a reflective construct based on Bisbe and Otley’s (2004) scale for measuring interactive use of MCS, which we adapted and statistically validated at RMS. Our scale captures the five elements define the style of using RMS: the purpose of face-to-face discussion, the frequency of top management attention, the involvement of managers at all levels, the inclusion of risk officers in strategic decision making, and the aim of RM (see Appendix 1). For each element, we used a scale of 1 to 7, with descriptions of a diagnostic (1) and an interactive (7) use of RMS as anchors. We asked respondents to evaluate the similarity of the descriptions to the way RM is used in their respective companies.

    We include the following contextual variables in the model to control for the effects they might have on the hypothesized relationship between the three main variables: company size (the logarithm of the number of employees), use of a Big4 accounting company (indicator variable), an indicator variable for companies in the financial industry, a variable measuring external ownership (% not owned by managers), and a variable proxying for financial risk management (number of risk instruments used to manage financial risks (0 to 5): derivative securities for interest rate, currency, and commodity price risk; natural hedging against currency risk and insurance for harmful events). To reduce the complexity of the data, we combine these variables into a formative construct labeled Company Profle (CP), which we expect to be positively associated with RMD but not necessarily with its interactive use. Company size increases the complexity of business processes and typically affects the design of management control systems (e.g., Chenhall 2003; Henri 2006), so it could also influence RMD. Previous research found that using a Big4 auditor significantly affects the design of RMS (Beasley et al. 2005). Firms with greater institutional ownership are more likely to implement ERM (Pagach and Warr, 2011), greater board independence is positively associated with ERM development stage (Beasley et al. 2005), and owner-managers have less incentive to implement ERM (Paape and Spekle 2012). This implies that higher ownership by external stakeholders (i.e., not managers or employees) is positively associated with the RMS development stage. Finally, we also expect a positive association with RMS development for financial risk management (Rogers 2009).

    Results and discussion

    Table  2 shows descriptive statistics and correlations for the latent variables used in the structural model. Additional statistics are presented in Appendix  2. Skewness and kurtosis do not indicate problems due to non-normal distributions (Hair et al. 2014), pairwise correlation coefficients reveal a high correlation between INT and EFF (0.391), as well as between INT and RMD (0.415). and a low correlation between RMD and EFF (0.231). The sample distribution of RMD is as follows: 3 companies (3%) have no RMS, 49 companies (53%) have TRM, 21 companies (23%) have less developed ERM systems, and 20 companies (22%) have more developed ERM systems.

    In our model, two constructs are measured with multiple items: CP (company profile) and INT (the level of RMS interactive use). The first (CP) is a formative construct, so its suitability depends critically on the absence of multicollinearity – VIFs below 3 indicate that this is not problematic (Appendix 2). The second (INT) is a reflective construct; therefore, its internal consistency is assessed using Cronbach’s alpha (0.906), composite reliability index (CR 0.930), average variance extracted (AVE; 0.728) and factor loadings (all above 0.7), which are all higher than suggested critical values (Hair Jr et al. 2017).

    We use the Smart PLS software to estimate the structural model. The results for the base model (without the mediator) and the main model are shown in Table 3. Figure 1 shows the results for the main model. The statistical significance of path coefficients is assessed based on the bootstrapping procedure. The models are assessed using the standardized root-mean-square error (SRMR), RMS theta, and the Stone-Geiser’s Q2 measure of predictive relevance. The SRMS is below the recommended value of 0.08, Q2 is well above 0; however, the RMS theta measure is slightly above the recommended value of 0.12 (Henseler et al. 2014).

    The estimated coefficients support a fully mediating mechanism in which a more advanced RMS design fosters its interactive use, which in turn increases the effectiveness of RMS (H4 confrmed). Consistent with previous research (Bertinetti et al. 2013; Grace et al. 2015; Hoyt and Liebenberg, 2011), we find a positive effect (0.231, p=0.005) between RMD and EFF in the baseline model, which does not include the mediating effect of INT (H1 confirmed).

    However, when the mediator INT is included, this direct effect is reduced and not statistically significant (0.083, p=0.364), while the indirect effect of RMD via INT is positive and statistically significant (0.148, p=0.050). This supports the hypothesized mediating role of RMS interactive use (H4). Although the direct effect of RMD is positive, our results imply that organizations can considerably improve the effectiveness of their RMS by using them more interactively, as indicated by the mediated effect size (64% of the total effect; a medium effect size according to Cohen’s f2, Cohen 1988). This is consistent with Kaplan and Mikes (2016), who find from case studies that simply improving the design of RMS without its interactive use does not lead to significantly better effectiveness. When using RMS interactively, organizations gain the flexibility needed to adapt the design of RMS to the heterogeneity of situations and risks, leading to higher effectiveness of RM. Consistent to this, we find a positive direct effect of interactive use on effectiveness (0.356, p=0.000; H2 confirmed).

    Because the direct effect of RMS design on interactive use is positive and signifcant (0.415, p=0.000; H3 confirmed), our results are also consistent with the view that structure is an essential condition for interactive(Chenhall and Morris 1995), but imply that only structure is insufcient for effectiveness. More developed RMS are better structured, allowing for interactive use that leads to greater effective. However, as Stein et al.(2019) argue, typical RMS designs per se are not capable of informing top management of the need for business model adaptation because the cognitive framing of TRM is not geared towards early warnings of emerging risks at the business model level, and even ERM is limited in this regard. Therefore, the diagnostic use of RMS would confine managers to acting according to pre-determined RM protocols based on codified experience, which is only effective for managing risks in predictable and familiar contexts. On the other hand, interactive use acts as a learning mechanism that enables better response in less predictable settings.

    Among the company profile variables, we find positive and statistically significant effects of Big4 auditors, the financial industry, external ownership, and financial RM on the CP construct. However, we do not find the effect of company size at conventional confidence levels. The significant positive effect of CP on the RMD construct indicates that the included variables are good predictors (determinants) of RMS design (0.503, p=0.000). On the other hand, the effects of CP on RMS inter-activeness and effectiveness are much lower. This suggests that the technical (hard) elements of RMS are largely predetermined by the industry, size, type of risks, and services of top accounting and consulting companies. The social (soft) elements captured in the instructiveness construct are less predictable by these factors and depend on other elements in the company, such as organizational culture and leadership style. However, our results suggest that they are also more critical to the success of RM.

    As a robustness check, we tested the same hypotheses with OLS regression models and following the Baron and Kenny (1986) approach to test for mediation effects. The results are not tabulated in the paper (available from the authors upon request), but the conclusions remain substantially the same.


    The purpose of this study was to investigate how to make RM more effective. We argue that organizations in which RMS is used more interactively can make RMS more flexible and better adapt their RMS to the heterogeneity of situations and risks, thus, managing risks more effectively. Using a cross-sectional survey, we empirically confirm the mediating role of the interactive use of RMS in the relationship between RMS design and effectiveness. We apply findings from the knowledge codification literature to explain the role of interactive use as a learning mechanism behind the mediation process. To our knowledge, no empirical studies have been conducted on the RM design-use-effectiveness nexus, so we have no prior empirical evidence to compare. Our empirical analysis provides a better understanding of this research gap and contributes to the existing literature.

    First, we contribute to the RM literature by empirically showing how the RMS design can help improve RMS effectiveness through the interactive style of RMS use. By showing that merely implementing an ERM framework is not sufficient to make RMS effective, we complement authors who argue that risk communication is the missing element that distinguishes TRM from ERM (e.g., Stein and Wiedemann 2016; Lundqvist 2015) by characterizing the nature of efficient risk communication more specifically. Namely, the best results are achieved when ERM is used interactively as this style of use facilitates knowledge transfer among employees in the organization (Yuliansyah et al. 2022). This finding also has implications for RM practice, as it cautions managers against viewing RMS as just a set of predefined tools used only for financial RM. If RMS is to be of real benefit to the organization by recognizing competitive advantages and new strategic opportunities, the diagnostic use of RM tools that work with management by exception is not optimal, and organizations benefit more from the interactive style of using RMS.

    Second, by viewing interactive use as a second-order routine and treating RMS designs as a mixture of codified are facts, we explain why with interactive use, managers can benefit from one-size-fts-all RMS designs even in their unique circumstances. RMS designs have codified inherent individual and organizational biases about risk, but with interactive use, they can be counteracted when faced with new challenges and exposures. On the other hand, diagnostic use of RMS does not allow for such adaptation and, thus, limits organizational growth. If risk monitoring and mitigation are only delegated to a risk management department, much risk (and opportunity) information is likely to be filtered out, but could be critical for effective top management decision making (Stein et al. 2019). With a large-scale study, our findings extend what Kaplan and Mikes (2016) have shown with case studies of risk-avoiding and risk-taking organizations. RM is seen as a barrier to innovation in both cases, but our findings support the view that interactive use could act as a balancing force in the trade-of between risk and return: it ensures that RM on the one hand does not stifle creativity and innovation in organizations with a high risk appetite and tolerance, and on the other hand encourages the adoption of more opportunities in risk-averse organizations.

    Our study has also brought important implications for practice. Our findings are particularly relevant for regulators, standard setters, e.g., COSO and ISO RM frameworks, professional associations, and educators of future managers (and other members of all types of organizations) who will use and provide RMS information for decision making at the individual, operational, and strategic levels. Managers need to be aware of the drivers of organizational performance and the causal relationships critical to driving that value. This study reflects the importance of the interactive use of RMS as a driver of RM effectiveness and also points to the potential of the interactive use of less developed RMS to improve RM effectiveness. The results suggest that the gap between recommendations and actual implementation of the ERM (Dvorski Lacković et al. 2022) could be overcome by adopting an interactive style of using the frameworks. This implies that more attention should be paid to training the RM community, not only on how to codify practices or implement ready-made RM tools, but also on how to develop the use of the tools provided.

    This refers to training to develop soft skills that are prerequisites for the inter-active use of RMS. These skills include teamwork, problem solving, communication, and critical thinking and are the basis for developing a risk culture that all employees share. Such soft skills training should become an integral part of business school RM courses and vocational RM training after formal education. An example would be to include role playing in RM courses to have face-to-face discussions about RM, giving feedback, and discussing risk reports. This way, dual awareness of mutual RM communication and cooperation is facilitated to achieve the intended outcome of using RMS interactively. It is important to educate managers and employees on the importance of knowledge and information sharing to promote organizational learning in the context of RM. This is particularly necessary for an ERM environment characterized by an organization-wide risk orientation.

    There are some noteworthy limitations in our study. Our findings relate to the sample of companies studied, so any interpretation of our results beyond this domain should be made with caution. Although we have taken the necessary steps to overcome known problems, a number of limitations typical of survey research design apply to our study: we use a self-assessed subjective performance measure and an ordinal measurement of RMS design that does not capture the full range of differences in actual designs. Thus, the results need to be interpreted in light of potential biases.

    Future research could address these limitations by using more general organizational performance measures and perhaps case studies to indicate under what conditions interactive use would lead to the best outcomes for organizations. As for the variable measuring RMS design, we acknowledge that it can be expanded in future research to include additional characteristics of the developed RM system. One of the major issues in current RM research is the use of different RMS design measures, especially ERM measures. Since there is no single measure of ERM in the literature, various authors have attempted to develop proxy variables for its measurement. For example, one of the most recent developments in this area is the three-factor ERM model developed by Dvorski Lacković et al. (2022), which measures the strategic, operational, and oversight dimensions of the ERM process and provides 29 characteristics of a mature and developed ERM system (empirically tested on the 10 largest European electric-power companies, see: Pecina et al. 2022) derived from relevant and recent ERM studies, and follows the integrated COSO ERM framework, revised in 2017 to encompass the use of ERM as a strategic tool.

    Finally, the path model implies causality. We use cross-sectional data, representing a snapshot of practice, and therefore, causality cannot be confirmed unequivocally. Longitudinal studies can be used to provide stronger empirical evidence of causality in the relationships between the constructs in the theoretical model. In particular, longitudinal case studies could improve the understanding of the dynamics and underlying reasons for the relationships found in our study.

    BRCCI – Business Resilience Certification Consortium International (

    We are thankful to the author for allowing us to post this insightful article on our website. BRCCI provides a comprehensive training and certification program in business resiliency, continuity and IT disaster recovery planning:

    1. 3-day CBRM (Certified Business Resilience Manager) is a comprehensive, all-in-one, 3-day Business Continuity Planning and Management Training and Certification course which is designed to teach practical methods to develop, test, and maintain a business continuity plan and establish a business continuity program.

    2. 3-day CBRITP (Certified Business Resilience IT Professional) is a comprehensive training on how to assess, develop, test, and maintain an information technology (IT) Disaster Recovery Plan for recovering IT and telecommunications systems and infrastructure in the event of a disaster or business disruption. The training provides a step-by-step methodology to ensure a reliable and effective IT disaster recovery and continuity plan consistent with the industry’s standards and best practices.

    3. 2-day CBRA (Certified Business Resilience Auditor) It provides 2 days of intensive, Business Continuity Audit training to enable students to determine the effectiveness, adequacy, quality and reliability of an organization’s Business Continuity Program. Students will learn an audit methodology to evaluate compliance of Business Continuity and IT Disaster Recovery Programs with the current industry’s best practices and standards including:

    • ISO 22301: Business Continuity Management Systems – Requirements
    • NFPA: Standard on Disaster/Emergency Management and Business Continuity Programs
    • ITIL: Information Technology Infrastructure Library

    For information on the above program, please contact BRCCI (, 1-888-962-7224).

On Key

Related Posts

ISO 22301

ISO 22301 4.1 IntroductionThe Standard ISO 22301 was proposed in 2012 as a new way to implement The Business Contingency Management process regardless of the