Determinants of risk culture and risk behavior in non-financial organizations.


UNIVERSITEIT GENT
FACULTEIT ECONOMIE EN BEDRIJFSKUNDE
ACADEMIC YEAR

Determinants of risk culture and risk behavior in non-financial organizations.

Master's thesis submitted to obtain the degree of Master of Science in Applied Economics

Elyse Bouten

under the supervision of Prof. Dr. Regine Slagmulder

PERMISSION

I declare that the contents of this master thesis may be consulted and/or reproduced, if the source is acknowledged.

Elyse Bouten

Dutch summary

In this paper we try to gain insight into the determinants that influence the risk behavior of companies. Risk is something all companies are confronted with, so it is very important to have an idea of what it can depend on. First, a literature study was carried out, in which we first defined the concepts used further in the thesis. The concepts of risk, ERM and risk culture were defined here. Next, we gave an overview of how the risk management process can be viewed. In the third section of the literature study, we then looked for the possible determinants put forward in the literature. We divided these into three categories, of which we ultimately examine only the organizational characteristics further. Three characteristics were selected whose influence on risk behavior is examined further in the paper: training and education about risks, the formalization of the company, and the heterogeneity of the organization's top management team. These concepts were examined further on the basis of the literature, also considering their possible influence on risk management, so that we could formulate our research questions and hypotheses from there. After drawing all of this from the literature, we moved on to our own analysis, in which we tried to examine the influence of our three variables on the risk behavior of companies. This yielded few significant results. Only the difference in length of service within the TMT turns out to have a significant influence on the risk behavior of the companies we studied. For the other results we mostly obtain a logical coefficient, but it is not statistically significant.

Acknowledgements

I want to take the time to thank some people explicitly. Without help, I would not have been able to make this master thesis what it is now. First of all, special thanks to Prof. Dr. Regine Slagmulder, who has been my promoter. She has given me useful suggestions and tried to help me direct the thesis to what it is. If I had problems or questions I could always contact her. Her guidance has been very helpful for me. I also want to thank the companies that have answered my questionnaire and shown interest in my master thesis and its subject. I can assume they get a lot of equal questions every year, so I am very thankful that they have taken the time to help me further. Without their answers, my analysis would not have been possible, so they were of extreme importance to me. Of course I may not forget everybody that gave me the possibility to learn everything I have in the last four years: the professors, personnel and everybody involved in the University of Ghent. Without that organization, I would never have come as far as I am at this point. Making it possible to participate in this course is something that will help me for the rest of my life. This master thesis will also contribute largely to that, as I have learned very much from it. Last, I want to give special thanks to my parents, without whom this would not have been possible. Their support in the last four years and in general the opportunity I got from them to do this course is something unforgettable. Also concerning this master thesis, I got a lot of support from them. Thank you all.

Elyse

Content

Dutch summary
Acknowledgements
List of abbreviations
List of figures
Introduction
Literature review
Definitions and concepts
Definition of risk
Definition of ERM
Definition of a risk culture
ERM process
Assess
Design
Train and implement
Monitor
Possible determinants of risk behavior
Characteristics of the decision maker
Characteristics of the occurring risk
Problem framing
Problem familiarity
Characteristics of the organizational context
External context
General company characteristics
Communication
Risk training and education
Degree of formalization
Specific organizational characteristics
Variables and hypotheses
4.1 Employee training
Advantages and importance of risk training
Suggestions to effective risk training
Types of training
Drawbacks
Usage and influence of risk training
Formalization
Definition
Usage of formalization
Recognition of formalization
Influence of formalization on risk behavior
Top management team heterogeneity
Types of heterogeneity
Influence of TMT heterogeneity on risk behavior
Organizational control systems
Dependent variable: risk-taking behavior
Control variables
Hypotheses
Research Method
Sample selection
Examination method
Respondents
Questionnaire
Data analysis
Analysis of variables
Dependent variable
Training variable
Formalization
TMT Heterogeneity
Descriptive statistics
2.2.1 General characteristics and control variables
Risk behavior
Risk training
Formalization
TMT Heterogeneity
Analysis
Summary results
Conclusion
Limitations and further research
References
Attachments
1.1 Questionnaire
1.2 statistics
Descriptive statistics control variables
Frequencies dependent variable
Analysis
Training
Formalization
General
Rules
Procedures
Job Descriptions
Consultation
TMT Heterogeneity
General
Age
Tenure
Education
General together

List of abbreviations

BELRIM: Belgian Risk Management Association
COSO: Committee of Sponsoring Organizations of the Treadway Commission
CEO: Chief Enterprise Officer
CFO: Chief Finance Officer
CRO: Chief Risk Officer
EO: Entrepreneurial Orientation
ERM: Enterprise Risk Management
FERMA: European Federation of Risk Management
IRM: Institute of Risk Management
KPI: Key Performance Indicator
KRI: Key Risk Indicator
TMT: Top Management Team

List of figures

Figure 1 Relationship between objectives and ERM components

Introduction

Although risk is not a recent phenomenon, the subject has received increased attention recently, caused by the crisis we had from 2008 on. Newspapers and other media are giving more attention to possible risks and, as it is discussed more, the subject gets more popular. Risk is something that all companies know and try to handle, so it seems interesting to have an idea of what determinants have an influence on the risk behavior and culture of a company. Companies go bankrupt due to not knowing how to tackle the risks they face, so it is important to know what affects the risks that are taken in the company. This is exactly what we will try to do in this paper: investigate the determinants that affect the risk behavior of companies. As risk is a very broad element, consisting of several types, it is difficult to handle it fully, and that is the challenge for organizations. There are many factors that may affect their behavior, as it is something rather broad. Companies have a lot of possible tools available to help them handle their risks, and those tools can influence their behavior and the risk culture that is connected to it. From the start, the remark needs to be made that although companies go down under the pressure of risks, risk is not necessarily something bad. Risk is mostly seen as something that should be avoided but, contrary to what is commonly thought, a risk can also be an opportunity, a possibility to find new chances for the company to do better than before, despite a possible difficult period. Positive or negative, all types of risks are always present in companies, so it is important not to underestimate their impact. For that reason it is important to have an insight into what determinants influence the risk behavior of the companies facing them.
The importance of the subjects of risk and risk behavior becomes even clearer while doing a literature review, as there exists a very large number of articles concerning the subject. The risk concept consists of a large number of elements, of which every category is discussed a lot. As a summary, we can say that the attention that is given to all types of risk in the academic world is rather big, as by trying to comprehend the concept, people try to be more able to manage it. Constantly, new risk management tools are implemented and one of these possible tools is Enterprise Risk Management, abbreviated ERM. This is the one that will be discussed in this paper as it is very determining for the risk culture. Companies try to link their corporate culture with the risks they are facing and their attempts to handle these. It is a way to do business as all parts of this business are involved. This risk culture is a part of what we will try to measure in this paper, being the risk behavior. The attempt of ERM is to get a risk culture all over the company so that the behavior of everyone in the company would be adapted to the risks they meet. Their risk behavior can influence several decisions which are important for the company. In its turn, this behavior can also be influenced by several aspects and that is what we will try to research in this paper. What are the different aspects that affect the risk behavior and the risk culture of the company? After searching in the literature about what different aspects are proposed, three big categories will be picked out of which the influence on the risk behavior will effectively be researched further on. These categories contain the risk training behavior, level of formalization and top management team heterogeneity. The structure of the paper will be the following: first a literature review will be done. By this we are trying to understand what literature already exists and where this paper can still contribute. In this review, the concepts used further in the paper will be defined based on what is found in past academic articles. After that, a possible process for ERM will be set up to have an idea how companies can try to deal with risk and put up a risk management structure.
The purpose of this paper is in fact to assess some determinants that have an impact on the risk behavior and culture. We will have a look in the literature at what possible determinants have been discussed already. After first taking a rather general look at these possibilities, we next go deeper into the three determinants we have chosen to discuss further. By doing that, we finish the literature part of the paper and then go on to the research part. In this section we try to study the influence of the chosen determinants on the risk behavior and culture of the companies.

This paper contributes to the existing literature in several ways. First, it brings together subjects that already exist in the literature but have been shown separately; an example of this is the training variable. The independent variables have not been examined together before. Next to that, it also considers risk behavior, composed of several aspects, whereas in the existing literature mostly the impact on one component, for example innovation, has been examined. The elements that can be found in this paper have not been examined before in the way we will do it.

Literature review

In this section, there will be an examination of how the literature handles the concept of risk. First of all, the concepts used further in the paper will be defined by means of this literature. This concerns first the concept of risk in general and then goes deeper into the definitions of enterprise risk management (ERM) and a risk culture. After these definitions, the ERM process will be discussed. Thirdly, some general determinants that influence the risk-taking in the company will be defined, and to conclude this section, some of these determinants will be examined more deeply, as these will be used in the analysis of this paper.

1 Definitions and concepts

Before the determinants of risk behavior and culture are examined, it is important to first explore some concepts and definitions discussed in the literature to get a general view of what these things contain, because these concepts are rather broad.

1.1 Definition of risk

First of all, we will look at what is written about the word risk in general and at the different ways in which the concept can be viewed. In this paper we will define risk as the uncertainty concerning the economic outcomes that companies will have in the future. We will see risk as caused by external as well as internal effects, differing with the organization and sector that is worked in. Next to that, we will consider the concept rather broadly and not divide it into several sub-categories of risk. Our definition contains several elements that are found in the literature.

From this literature it first of all becomes clear that risk is a concept that can be used in several contexts. Even if we focus only on risks that are possible in companies, a lot of very different definitions occur. These definitions depend mostly on the angle from which we look at the possible risk. From these different viewpoints, many sub-categories of risk can be made. According to Oehmen, Olechowski, Kenley & Ben-Daya (2014), risk can be related to decision theories, economics or project management. The insights change respectively from watching the changing nature of the decision, the outcomes of economics or the possible impacts on project objectives. The insight that the economic part of risks is concerned with the uncertainty of possible outcomes is also mentioned in the article of Kimball (2000) and is the one that we use for our definition. Kimball (2000) also defines risk in a different way, namely as something that is determined by the boundaries of companies. These boundaries determine how far the company can go concerning their risk acceptance and behavior. The article deals with risk as something that can be really managed. Gatzert & Kolb (2013) discuss another possible risk point of view: operational risk. They define it as "the risk of loss arising from inadequate or failed internal processes, personnel or systems, or from external events. Operational risk shall include legal risks, and exclude risks arising from strategic decisions, as well as reputation risks." (Gatzert & Kolb, 2013, introduction). Athearn (1971) also mentions some different angles; the paper namely discusses the difference between the economic and the decision-making point of view. In this paper, a lot of different definitions about risk are mentioned. There are some common points in all of these definitions that are also used for our definition. The first similarity is that every author includes the concept of uncertainty in its definition.
The problem with uncertainty is again that it can be defined in many different ways. We consider it as the fact that the outcome of a certain event cannot be known perfectly beforehand. A second observation of the authors is that they all say something about the future. It is also said this is logical, because we all have information about what happens in the present, so this brings few risks. Only if we want to go further does it get less clear-cut and more risky. The third common point of the definitions that the article mentions is that risk is seen as something undesirable. The authors mention that companies want to reduce risk as much as possible. This is something that is also discussed in the article of Kimball (2000), mentioned above. The article says that companies should try to mitigate risk as much as possible by doing good market research, hedging... Nevertheless, Linsley & Shrives (2006) show that more and more people are convinced that risk can also be seen as an opportunity; it can also have a positive effect. The different views from which business risk can be watched are still growing; researchers are constantly thinking about new categories of risks. Risk in general is a domain of research that is still growing, especially in the aftermath of the financial crisis. To search about the culture and determinants of risk, it seems necessary to keep the definition rather broad, so it will not be too restricted. This is the reason why risk will not be put in categories in the rest of the paper. There are several reasons why companies take risks; they can be seen as a threat as well as an opportunity, so both the positive and negative side of a risk will be taken into account. Risk will also be seen as something that may occur in the future, because the past and present are already known things, as mentioned in the literature. Risk can also be measured in different ways; these will be discussed further on.

1.2 Definition of ERM

As risks are so common, companies need to try to handle them, because efficient risk management can really help them forward, for instance by decreasing negative business events. For example, Eckles, Hoyt & Miller (2014) say effective risk management reduces volatility in company results. Liebenberg & Hoyt (2013) indicate the importance of risk management for operational and strategic decision making.
Beasley, Clune & Hermanson (2005, introduction) say risk management is a significant source of competitive advantage for those who have a strong management capability and discipline.

Since the 90s, a new discipline has been emerging from this risk management, which diminishes the disadvantages of the management that still existed. Enterprise Risk Management (ERM) differs from the earlier management in that it tries to involve different business units in the risk situations that occur in the company. Risk management is no longer seen as a single aspect, managed by some people of the company; instead it is seen as something that needs to be managed by the whole company, and every single person needs to be involved. O'Donnell (2005) says that the enterprise-wide approach changes the company's ability to achieve its business objectives. He also mentions the increased ability to compose good programs to manage the risks, as more people, and thereby more different ideas, can be involved. The achievement of the objectives is also mentioned by Power (2009), as he says companies should seek to identify the risks that are threatening their objectives. Arena, Arnaboldi & Azzone (2010, abstract) claim that the ERM approach seeks to link risk management with business strategy and objective-setting. As another characteristic, The Committee of Sponsoring Organizations of the Treadway Commission [COSO] (2004, p.2) emphasizes that it is important that ERM is effected by people everywhere in the organization, at every level. COSO stands for The Committee of Sponsoring Organizations of the Treadway Commission; they make up standards for internal auditors and internal control. In 2004 they made up a framework for ERM. In this report, they define the concept as follows: "Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of the entity's objectives."
(COSO, 2004, p.2) This definition is frequently referred to by other authors (e.g. Beasley et al., 2005; Fraser & Henry, 2007). As this is the most referred one, we will take this one as the definition of ERM in the rest of this paper. In their report, COSO elaborates their definition further, by dividing the objectives into different parts. They also split ERM into different aspects which are derived from the way management runs an enterprise and are integrated with the management process. (COSO, 2004, p.3) The achievement of these ERM components is seen as a criterion for a good ERM approach. The ERM components are directly correlated to the objectives of the company, since these objectives can be achieved by getting an efficient enterprise risk management. This relationship is shown in Figure 1. Other authors also try to define ERM: Kleffner, Lee & McGannon (2003) describe it as a process of managing risks, taking into account the risk-tolerance of the company. To do this, they accentuate the importance of maximizing the cost-effectiveness of the management. Others describe ERM as a corporate governance mechanism that constrains and coordinates managers' behavior (Baxter, Bedard, Hoitash & Yezegell, 2013, p.1). Sobel & Reding (2004) say: "ERM - a structured and disciplined approach to help management understand and manage uncertainties - encompasses all business risks using an integrated and holistic approach." By this, they give a definition as well as mentioning advantages of the approach.

Figure 1 Relationship between objectives and ERM components: taken over from Enterprise Risk Management integrated framework, executive summary, COSO

Baxter et al. (2013) name another big advantage of ERM as being the awareness of the using companies of all sources of risks; they think about all sorts of possible difficulties in all parts of the enterprise. The organization has a much broader view of what can threaten them. This is also mentioned by Beasley et al. (2005, introduction), who say that ERM helps to oversee the portfolio of risks facing an enterprise. Another advantage is mentioned by COSO (2004); they say: "Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value."
The report also mentions: "Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity's reputation and associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way."

1.3 Definition of a risk culture

In implementing the risk management, the main purpose should be to really try to build a real risk culture in the company. This concept is defined by many different authors. Hoon & Farrell (2009, para. 2) describe a risk culture as follows: "It can be defined as the system of values and behaviors present throughout an organization that shape risk decisions." In this definition there are three important segments that are also discussed in other literature. As this definition contains the most important aspects, we will use this one in the rest of this paper. Now, we will link this definition to other papers mentioning aspects of this one. The first part of the definition is that a risk culture is described as a system of values and behaviors. This is explained further by Davidson, Mackenzie, Wilkinson & Asselin-Miller (2012). They describe risk culture as "individual and group behavior within an organization that determines the way in which the company identifies, understands, discusses and acts on the risks the organization confronts." (Davidson et al., 2012, p.12) As such, it is important to see it is a system used in the company. A Code of Conduct can help to show these values in the company; this tool also shows what is expected from the employees. The combination of the values and the risk management could be treated in this Code as well. Davidson et al. (2012) also talk in their definition about individual and group behavior, and that is the second, and maybe the most important, notion concerning risk culture. It is something that is part of the whole company; every layer needs to be involved. As it is mentioned: "Risk culture is a common understanding of an organization and its business purpose" (Risk culture of companies, Enterprise Risk Management Initiative, 2009, para. 1).
Top management as well as employees need to be involved. Bozeman, Kingsley & Tech (1998) claim that if the managers trust employees more, it is related to more risk-taking in the company, which can augment company performance. Cooper, Speh & Downey (s.d., introduction) say that accountability for risk permeates the enterprise from the boardroom to the front line. As such, also according to them, every layer of the company should be involved. This should be done by giving everybody the responsibility, for example by giving them the right tools so they can take initiatives themselves to identify, manage and mitigate business risks. By doing this, the over-management of risk behavior is reduced. (Smit & Watkins, 2012) This paper also claims that good alignment within the company makes the company approach more directly aligned to its general vision. Hoon & Farrell (2009) also dig deeper into the notion of a shared behavior by saying not only managers need to apply this but everyone. They give as a reason that employees need to understand how to make educated risk-related decisions to ensure consistent risk behavior throughout the organization. (Hoon & Farrell, 2009, para. 6) To conclude, Davidson et al. (2012) say risk culture is the responsibility of the leaders. They mean leaders need to make the culture strong, by giving their workers enough responsibilities. The article describes that risk culture should be a part of the whole culture of the company, shared by everyone. The employees are the most important people because they are the ones that execute the company. By this, they are also the ones that create possible risks. A culture of risk management changes the way employees think about their responsibilities in the organization. (Cooper et al., s.d., Conclusion) The third component of the definition is that it shapes risk decisions.
Hoon & Farrell (2009) say: Having a strong risk culture means that employees know what the company stands for, the boundaries within which they can operate, and that they can discuss and debate openly which risks should be taken in order to achieve the company's long-term strategic goals. (Hoon & Farrell, 2009, para. 25) Another important consideration mentioned frequently, is that risk culture should not be static and should be challenged to encourage continuous improvement. (Davidson et al., 2012, para. 39) A 10

19 strong risk culture can constantly change, depending on the needs and performance of the company. Also here, employees should be involved and encouraged to an active participation. The dynamism can reveal for example in functions that are changing. 2 ERM process Now the main concepts of risk management are defined, it can be interesting to give a general structure of how companies can built up this concept. The process of initiating an ERM program consists of several steps. These need to be considered by the whole company to get an efficient program, as is mentioned above. It is important that all layers of the organization can put in a word. The different steps in the process will be discussed now. These steps are based on a process that is found in the literature. The ISO standard is for example build around this structure, they first discuss the risk assessment, afterwards they look at the risk treatment. This treatment consists of the selection/design of the risk treatment as well as the implementation of the chosen program. After the risk assessment and risk treatment, the standard discusses risk monitoring and review. These four steps will be explained further now based on the following article: Risk culture of companies, Enterprise Risk Management Initiative, Assess The first step in developing a new approach is watching what has been done and used before to reduce risks in that company. Besides this, companies should in this step also define some objectives, what do they want to obtain by using ERM? By doing this, the organization is more able to see what they expect from the new risk approach and what will be the important differences with the earlier approaches. The assessment step makes it also easier to evaluate the used risk management afterwards. To execute this step, an important tool has to be used: documentation and 11

20 preparation. There has to be documents present in the company that show the past behavior so that this can be evaluated. 2.2 Design The second step is a very important one. It is the building of the ERM program itself, using the first step. The program is namely built on how the past needs to be changed in order to be able to obtain the goals set. In this section, the risk behavior of the company will be built. A first important step is having an insight in the risks that threaten the company. Next to that, the linkage of the risks to the respectively activities in the company are of extreme importance, in order to be able to match better the behavior. The building of the ERM approach depends on the risks, especially the analysis and evaluation of them, and the categorization to the right part of the company. In this step, the company will chose which of the possible tools they will use, an example of a tool that will be discussed further on is risk training. 2.3 Train and implement The third step in the risk management is the most important one for an efficient management. It can be good developed and prepared, but without implementation through the company it will never work well. The important thing here is that everybody should implement the risk strategy, not only the top managers. To manage this efficiently a possible tool is making a new function for someone who needs to do this, the chief risk officer (CRO). This function will be discussed further on. 2.4 Monitor This last step in the ERM process is the analysis of the behavior and the functioning of the company and the comparison of this with the goals that were set in the assess-step. This step is used to change 12

the risk behavior towards how the company desires to behave. It also matches the dynamism that has been mentioned before, because this is the step that can lead to change of the ERM. Here, documentation is an important aspect because it makes it easier for the next assess-step to see if and what changes are needed.

3 Possible determinants of risk behavior

There are different aspects that influence the risks threatening companies and the reaction of companies towards these risks. These aspects can be seen as the determinants that have an impact on the company's behavior due to their risks. Sitkin & Pablo (1992) have written an important paper, bringing together a lot of determinants found in the literature. The paper has been cited frequently in the Web of Science database and is still commonly referred to, which shows its important contribution to the risk management literature. It needs to be said that the paper discusses the individual characteristics of the risk-takers more than the characteristics of the organization, which are the ones that are discussed in this paper. We will nevertheless consider the determinants of the risk behavior of these as rather equal. Sitkin & Pablo (1992) divide these determinants into three categories, which are 1) characteristics of the decision maker, 2) characteristics of the occurring risk and 3) characteristics of the organizational context. The determinants discussed by this paper and those of other authors will be explained now, taking these three categories into account.

3.1 Characteristics of the decision maker

First of all, it is important to detect who makes the decisions in the company; this can make an important difference according to Hoyt & Lee (1999). They claim that the background and training of the risk manager make a crucial difference in the company's risk behavior. Kleffner et al (2013) also mention this as important, next to the CEO support for the enterprise risk management, board
independence and which audit company they work with (Big Four member or not). Beasley et al. (2005) mention the importance of the leadership towards ERM. Chintrakarn, Jiraporn & Tong (2015) also show this importance by proving the influence of the CEO on risk-taking. Their finding is that: "relatively less powerful CEOs exhibit risk aversion, resulting in less risky strategies. However, when the CEO has his power consolidated beyond a certain point, he is less likely to compromise with other executives, leading to less moderate decisions and more risky strategies." (Chintrakarn et al., 2015, abstract)

Who the decision maker in the company is depends strongly on the company itself. It could be the CEO or CFO of the company, but another possible way to manage risks efficiently is making a new function for someone who needs to do this, the chief risk officer (CRO). Liebenberg & Hoyt (2003) say it is a person - or group - that is made responsible for the coordination and communication of the ERM program. They also mention that the appointment of a CRO is in general seen as a good attempt by the company to manage its risks, but that ERM is also possible without this appointment. The CRO needs to manage the behavior that has been agreed on in the previous steps of the ERM. Colquitt, Hoyt & Lee (1999) try to draw attention to the dynamism of the job. The environment of the company is constantly evolving and so are the tasks of the CRO. The paper mentions this is because the risk manager becomes increasingly involved in the management of a broader spectrum of risks facing the company. What the chief risk officer needs to try is to create a risk culture in the company. By making every single person aware of the risks their company is facing, it is easier to manage and challenge them. There are different tools for the CRO to use, such as trainings and codes of conduct.
These are also important determinants that influence the risk management, but they are more characteristics of the company itself that will be discussed further on. Sitkin & Pablo (1992) say that there are three ways in which leaders and decision makers influence the decisions made throughout the company: first, they can guide their people by directing attention to high or low risks, depending on what they actually want to accentuate; secondly, they delineate how a risk situation should be handled in the company; and lastly, they decide which information
reaches their people and in what manner. Given all these possibilities, we can see the great importance of the decision maker. Further on, Sitkin & Pablo (1992) see the individual affecting determinants as tripartite: risk preferences, risk perceptions, and risk propensity. By this, the manner in which the decision makers think about the risks has a big impact on how the company deals with them.

3.2 Characteristics of the occurring risk

As a second category, Sitkin & Pablo (1992) mentioned aspects of the risk itself as an important determinant affecting the company's risk behavior. They divide this into two sides: the framing and the familiarity of the problem or risk the company has to deal with.

Problem framing

First, the framing of the problem will be discussed. The paper describes it as whether the situation is presented to the decision maker in a positive or negative light, as an opportunity or a problem, or in terms of gains or losses. (Sitkin & Pablo, 1992, p.14) They refer to the prospect theory of Kahneman & Tversky (1979), which says that framing is important as positively framed situations led to risk-averse behavior, whereas negatively framed situations led to risk-seeking behavior. (Sitkin & Pablo, 1992, p.14) The paper mentions this has a psychological effect, because risk-averse decision makers will overestimate the negative effects and risk-seeking decision makers will do the inverse and overestimate the positive effects of risk-taking. For this statement they refer to Schneider & Lopes (1986). This shows that the framing of the risk has a big impact on the risk behavior of the company; it determines their risk-seeking or risk-aversion. Another point that is indicated by Sitkin & Pablo (1992) is the impact of how the company was doing before. A company in trouble will be more inclined to take risks, as a last hope to survive, having less to lose when it goes wrong.
Their preceding results are thus also seen as a determinant of their risk behavior.

3.2.2 Problem familiarity

The second side of the characteristics of the problem is risk familiarity. This is the experience that the enterprise already has with the specific risk threatening it. March & Shapira (1987) are mentioned, as they claim that more experience with a menace leads to more willingness to undertake the risks. In other words, experience with a certain phenomenon would lead to more risk-taking according to this paper. The paper also mentions the paper of Douglas (1985), summarizing its conclusions like this: "individuals exhibit habitual or routine ways of handling risk-related situations that predispose them to react in predictable ways." (Sitkin & Pablo, 1992, p.17) They found out that risk behavior is consistent over time and companies tend to handle similar risks in the same way over time. The risk behavior is thus strongly determined by their familiarity. It is even said that companies try to solve new problems according to how they managed past risks (Cohen, March, & Olsen, 1972). This is a negative impact of experience; however, having no experience can also be negative because there can be a lack of resources in the company to tackle the risk. This can lead to incorrect assumptions and diagnoses, which can be critical when handling essential problems.

3.3 Characteristics of the organizational context

As a last category, the decisions made by an organization can also depend strongly on the organization itself. These characteristics can be found inside as well as outside the company.

External context

Outside the company, there are characteristics in the environment that influence ERM adoption; they are discussed by Liebenberg & Hoyt (2003). One of these influences is globalization. This makes a lot of new risks possible for companies all over the world. Globalization also creates new technological challenges and makes a company dependent on very different regulations. All this
makes advanced risk management more and more necessary and changes this management profoundly. Another mentioned incentive to change risk behavior is the increased pressure from stakeholders outside the company (Liebenberg & Hoyt, 2003). Especially investors can push for this, because they are very dependent on the company's results, which are affected by its risk behavior. Regulation can also have an important impact, as more governments are seeing the benefits of efficient risk behavior by the players in their economy, but due to globalization this effect can be somewhat mitigated.

General company characteristics

General characteristics of the company can also change the behavior. As such, Hoyt & Lee (1999) claim that risk management is affected by the size of the firm and its industry, next to the features of the decision maker discussed above. Baxter et al. (2013) show that ERM is adopted more by large and more complex companies. The financially strong or weak position should also be involved in the examination of the risk behavior according to this paper. Beasley et al. (2005) also mention the importance of company size and industry, next to the leadership already discussed.

Communication

Next to these outside and general influences, there are many aspects of the functioning inside the company itself that may have an impact on its risk behavior. First of all - and a really important factor - is the communication throughout the company. It has been mentioned above that the whole company needs to be involved, not only the top management, to obtain good risk management. "There needs to be a constant message to employees that managing risks is a part of their daily responsibilities, and that it is not only valued, but critical to the company's success and survival." (Hoon & Farrell, 2009, para. 11) That message is a responsibility of the managers. Honest and transparent communication in the company is of crucial importance at this point. Cooper et al. (s.d.)
say this is very important because only with a clear and well-known culture will people do what
management expects. They emphasize that communication and reporting are crucial to companies. Not only does what is expected need to be communicated, it is also important to emphasize the importance of the employees for the organization. This will increase their performance. (Risk culture of companies, Enterprise Risk Management Initiative, 2009) Baxter et al. (2013) mention that one of the criteria S&P uses to examine the quality of ERM is efficient communication of the strategy throughout the company. This communication should go in two ways, bottom-up as well as top-down, to have the best chance of success (Shelton, 2014). The constant message and communication ensure that risk behavior can be executed better; this is very important in the train-and-implement step of the ERM process.

Sitkin & Pablo (1992) study the importance of communication because individuals often rely on the information they gather from others. Salancik and Pfeffer (1978) proposed that social information processing was the root mechanism by which organizations and organizational members come to influence the perceptions, the beliefs - and, ultimately, the actions - of individuals. (Sitkin & Pablo, 1992, p.21) It may also be useful to mention the importance of indirect communication. Next to the thoughts of the decision makers and leaders, their behavior is also crucial to the company's behavior. If they want the whole company to do something, the best way to get this done is to set the example by behaving like that themselves. (Risk Culture: Three Stages of Continuous Improvement, 2013)

From the paragraph above, it can be deduced that for the risk behavior of a company, employee behavior is crucial. This can be influenced by the leaders, by their behavior and what they impose. Sitkin & Pablo (1992) claim the important role of leaders consists of modeling risk-related behavior and of lending their personal legitimacy to the taking or avoiding of risks.
(Sitkin & Pablo, 1992, p.13) Next to this, there is another possible way to implement this, namely at the very beginning of the contact between the employee and the company: the hiring process. Since it is of crucial importance that all of the company's employees have the same insight, human resource managers should take the risk behavior of applicants into account in their recruitment choices. (Risk culture of companies, Enterprise Risk Management Initiative, 2009) In fact, the main purpose of this, as well as of training and communication, is trying to make the employee's interests and goals the same as those of the
company. Their interests should then be expressed by their behavior. (Risk Culture: Three Stages of Continuous Improvement, 2013) Next to trying to change employees' conduct towards the enterprise, it is also a good chance for the company to learn of its members' ideas about managing risks, as companies may then adapt and improve their conduct.

Risk training and education

Making employees aware of how to handle risks and of the expected conduct is very important for a company to be able to tackle these risks. A frequently used tool to do this is training and education. Staff members need to be trained / educated in what risk behavior is expected from them. This contains training about what behavior the company expects, as well as training about how they can obtain that behavior. They need this training and education to understand how to make educated risk-related decisions to ensure consistent risk behavior in an organization. (Risk culture of companies, Enterprise Risk Management Initiative, 2009, para. 1)

Degree of formalization

Another thing that has a big impact on risk behavior is the degree of formalization. Although risk management is mostly seen as leaving people rather free, it can be very important to document well. One of the important resources to handle risks is good documentation to prepare and confirm what happens in the company. Companies need to plan and prepare their risk behavior thoroughly so that it can be executed more efficiently. With a risk management plan, they can think about what risks are threatening them, in which manner these are most dangerous and, very importantly, what the ways to handle them are. (Lorette, s.d.) In this article a good business plan is also mentioned as an important tool to adjust the company's risk behavior, as is also discussed by Root (s.d.). The Code of Conduct, mentioned before, can also be an important document to adjust the behavior to what is expected within the company.
Documentation and preparation are especially present in the assess-step of the ERM; they determine how the risk management will be built up. The influence of formalization on risk behavior will be discussed further on.

Specific organizational characteristics

Sitkin & Pablo (1992) divide the organizational characteristics that affect the risk behavior into four categories: group composition, cultural risk values, leader risk orientation, and organizational control systems. The influence of leaders and decision makers has been taken together in this paper, seeing it more as an individual characteristic of these people affecting the risk behavior.

The group composition is explained by Sitkin & Pablo (1992), who say that it is the role of group decision-making contexts as influencing individual risk behavior. They name the work of Janis (1972) and Stoner (1968) as proving that group contexts tend to influence individuals to take more extreme positions with regard to risk. Janis (1972) found out that the more homogeneous a top management team (TMT) is, the fewer risks will be taken by the company, because increased TMT homogeneity can narrow the range of individual risk perceptions in the group. (Sitkin & Pablo, 1992, p.20) With fewer risk perceptions, there are fewer possibilities to elaborate.

The risk culture of a company has been described earlier in this paper. Thereby, the responsibility of the leaders of the company has been mentioned. Here again, Sitkin & Pablo refer to different previously written papers. Hofstede (1980) examined the different aspects of a company's culture. Sitkin & Pablo (1992) refer to this paper by outlining its ideas as follows: "the culture of a collectivity is characterized by values that reflect a broad tendency to prefer certain states of affairs over others."
(Sitkin & Pablo, 1992, p.13) They also refer to Douglas & Wildavsky (1982) by summarizing their conclusion as follows: "organizational tendencies to prefer certainty versus uncertainty and risk avoidance versus risk seeking may be defined as an organization's cultural risk values." (Sitkin & Pablo, 1992, p.13) By this, they point out that the culture has a big impact on the company's risk behavior. Martin, Sitkin & Boehm (1985) are also cited in this paper, saying two of the most powerful sources of influence are the organization's culture and its leaders. (Sitkin & Pablo, 1992, p.21)

The fourth determinant discussed by Sitkin & Pablo (1992) is the organization's control systems. They refer to the paper of March & Shapira (1987), which discussed this category before. Here, a reward and/or punishment system is crucial. Sitkin & Pablo (1992) outline it in a beautiful way based on the findings of Ouchi (1977): "When the outcomes of risky decisions are rewarded or punished, or the willingness to take risks is encouraged or discouraged as part of an effective decision-making process, the organization is viewed as ultimately channeling the decision maker's risk behavior by monitoring, evaluating, and rewarding the outcomes achieved and processes used when risks are involved." (Sitkin & Pablo, 1992, p.12) Although a reward system can be a real help for companies, its dangers also need to be indicated. Sitkin & Pablo (1992) point out that decision makers can be induced to advocate normatively inappropriate levels of risk when the reward message is clear, and they believe that such an approach is consistent with the organization's cultural risk values (Douglas & Wildavsky, 1982) and leader expectations (Schein, 1985; Wildavsky, 1988), or will enhance their career opportunities (Gaertner, 1988; Grey & Gordon, 1978). (Sitkin & Pablo, 1992, p.22)

4 Variables and hypotheses

Now that we have given many possible things that can influence the risk behavior of the company, some of them will be further elaborated, as they are the ones that will be used in the analysis as our independent variables. We will discuss them in this section, discussing how they are determined in the existing literature. Out of the three categories, only the characteristics of the organization itself will be further discussed. From this, we will only focus on the functioning inside the company, as we really want to focus on how the company's inside characteristics influence its risk-taking.
Out of all the features mentioned above, training and education, level of formalization and TMT homogeneity will be seen as determinants. These are the determinants of which we want to see the