Rethinking Enterprise Risk Management
- Year: 2024
- Type: Book
- Editor: Halis Kıral
- Publisher: Springer Nature Singapore
About this book
This book provides a critical analysis of existing enterprise risk management models and practices and proposes innovative solutions to address the challenges associated with implementing enterprise risk management strategies. Enterprise risk management activities are not high on the priority agenda of the senior management in both public and private sectors. Conceptual ambiguity and methodological gaps in current standards and frameworks make it difficult to effectively implement enterprise risk management.
Therefore, this book’s approach to enterprise risk management aims to eliminate the unit-based silo approach of traditional risk management, adopting a function-based silo approach. It focuses on the management of fewer and more significant risks associated with high-level objectives, rather than all business processes of the organization, thus increasing the success of enterprise risk management implementation. The book would be a valuable read for business executives, internal and external auditors, business school students and academics.
Table of Contents
- Frontmatter
- Introduction
  - Frontmatter
  - Chapter 1. Introduction: Why Enterprise Risk Management Needs a Rethink
    Halis Kıral
    Abstract: Unfortunately, enterprise risk management (ERM) activities are not high on the priority agenda of senior management in both public and private sectors. Over the years, risk management experts or internal auditors have continued to raise awareness about ERM among senior management. The purpose of this chapter is to examine the role of international standards and frameworks in the failure of ERM. Conceptual ambiguity and methodological gaps in current standards and frameworks make it difficult to implement ERM effectively. Enterprise risk management is now far from being coordinated with core management and audit functions such as strategic management, internal control, and internal audit as well as with core business functions such as procurement, production, marketing, and financing. Therefore, ERM, which aims to eliminate the unit-based silo approach of traditional risk management, adopted a function-based silo approach. In this case, focusing on managing fewer and more significant risks associated with high-level objectives, rather than all business processes of the organization, and making higher contributions to the strategy formulation phase of other corporate functions can increase the success of ERM implementation.
- The Zero Point of ERM: Risk, Uncertainty, and Risk Attitude
  - Frontmatter
  - Chapter 2. Conceptualising Risk and Uncertainty in Decision-Making: A Historical Analysis
    Aynur Zaku
    Abstract: Although decisions have been made under risk and uncertainty for thousands of years, theories on decision-making processes started to be formulated once risk and uncertainty were defined. Just as diagnosis is necessary to treat a patient, definition is necessary to theorise and manage a concept. It is not quite possible to manage risks without making a precise distinction between the concepts of uncertainty and risk. The change in the concepts of uncertainty and risk in the last three centuries has also steered the development of decision-making theories. The decision-making process is influenced by emotions, intuitions, personality and experiences. Examining this process under risk and uncertainty also makes it difficult to predict behaviour. This study aims to examine decision-making processes under uncertainty and risk from the perspective of expected utility theory, prospect theory and heuristic approach as well as the effects of cognitive perception and misperceptions on decision-making mechanisms.
  - Chapter 3. Risk Attitude: The CAPSTONE of Enterprise Risk Management
    Yağmur Özyurt, Ali Göksel
    Abstract: Individuals’ attitudes towards risk-taking or risk avoidance when faced with risks vary depending on many factors and determine the outcome of the decisions we make. Individual risk attitudes have a keystone effect on Enterprise Risk Management (ERM). Ignoring the impact of risk attitude, which holds the ERM structure together, can cause the entire structure to collapse. Therefore, risk attitudes need to be understood and properly managed. This study aims to produce recommendations taking into account the subjective aspect of individual risk attitudes that affect ERM. Accordingly, the factors affecting individual risk attitudes and senior management’s ERM-specific risk attitudes are analyzed together with the impact of these factors on ERM. In addition, the extent to which risk attitudes are taken into account in standards and frameworks has been the subject of the research. We have concluded that the standards and frameworks used in ERM either ignore individual risk attitudes completely or do not address them in the necessary depth. Emphasizing the importance of taking into account individual risk attitudes in the design or implementation of the ERM system, recommendations defined as CAPSTONE are presented.
- Rethinking the Components of ERM
  - Frontmatter
  - Chapter 4. Uncertainty in Risk Definition and Its Impact on Enterprise Risk Management
    Mecbure Aslan
    Abstract: Defining risk correctly is crucial for an effective Enterprise Risk Management (ERM). In the existing literature, disciplines and researchers have different perspectives on risk. It has been observed that other perspectives are reflected in risk definitions, leading to uncertainty. This ambiguity becomes a significant risk to the effectiveness of ERM. Uncertainty in the definition reduces the effectiveness of ERM by making the stages of assessing risks and taking measures against risks uncertain. This study concludes that, for an ERM to be effective, it is necessary to take proper measures against risks and assess them correctly, which is possible with a good definition of risk. Therefore, the importance of risk definition for an effective ERM is emphasized.
  - Chapter 5. Risk Assessment: Efficiency of Methods and Tools
    Ali Erdem Saatçi
    Abstract: Reducing or minimizing the risk for a specific opportunity, which is the main purpose of risk management, only happens sometimes. This is often achieved through planned and designed measurements with well-chosen and efficient assessment tools. The only way for organizations to justify the belief that they are “very effective” in risk management, particularly in the risk assessment phase, is to have measured the risks efficiently. Thanks to the accurate and reliable information they provide, risk assessment tools steer the institutions towards making effective decisions. Risk assessment methods vary considerably between organizations. Some organizations prefer qualitative risk assessment methods, while others use quantitative methods. Some methods are more efficient than others. This study addresses the techniques and tools frequently used in the risk assessment process; their advantages and disadvantages; and how the concepts, published standards, and frameworks affect the process.
  - Chapter 6. Beyond Fight or Flight: Alternative Risk Response Strategies
    Mehmet Baha Karaçolak
    Abstract: The purpose of enterprise risk management (ERM) is to identify and implement strategies or actions in order to address and evaluate uncertainties, threats and possible opportunities that may affect the existence and continuity of the organization and to respond to risks as a result of this assessment. A well-implemented ERM model adds competitive value by providing reasonable assurance to the organization. The stage of developing a response to risks is the stage which, as a result, puts the organization into action. The organization’s perspective and attitude towards risks are the main factors in determining risk response strategies. In this context, first of all, response strategies are determined separately for each risk. However, response strategies may differ for threats and opportunities. Once the response strategy has been decided, appropriate response actions are identified and combined into a risk response plan. This study searches whether the belief that risk strategies are limited to fight-or-flight motivation is accurate. To that end, the conceptual framework for responding to risks and alternative strategies other than fighting or avoiding risk are examined in detail. Thus, it has been revealed that the risks that are perceived only as a threat should also be considered in terms of the opportunities they may provide. It has been concluded that, contrary to the general belief, the strategies developed against risks are not only aimed at eliminating the threats caused by the risks, but they also differ in order to reveal the possible opportunities that these risks contain.
  - Chapter 7. Analysis of Recording, Monitoring and Reviewing Risks in Enterprise Risk Management
    Esra Güneş, Caner Erşan
    Abstract: The success of enterprise risk management can be ensured through the effective design and implementation of all components of enterprise risk management processes. This study analyses the activities of recording, monitoring and reviewing risks, among the most important steps of the enterprise risk management process. The methods presented in the most widely used risk management standards and frameworks in organisations were researched to determine the current situation. In this context, risk management approaches applied in project management standards were also included in the scope of the study in order to indicate different understandings in risk management. Although these methods are essentially designed to serve the same purpose, the differences and shortcomings in the way risks are recorded, monitored and reviewed are noteworthy. There is a need for a common language and new regulations on how the processes of recording, monitoring and reviewing risks should be implemented in organisations. This study provides opinions and suggestions on how to improve the effectiveness of these processes.
- To Improve the Effectiveness of ERM
  - Frontmatter
  - Chapter 8. Barriers to Effective Risk Communication
    Murat Soner
    Abstract: It is a fact that studies on enterprise risk management mostly focus on risk management processes and risk identification. However, since the measures proposed in the studies are insufficient to prevent large-scale crises, the need for studies that differ from the existing studies and contribute to risk management is felt more and more every day. Research conducted for this purpose reveals that studies on risk communication are insufficient at the enterprise level and that existing studies focus on public health and environmental issues. For this reason, it is aimed to put forward a study that can guide enterprise governments and to support the study with examples to be presented. Within the scope of the study, risk communication definitions, necessity, approaches, and methods were examined, and obstacles and solutions to communication were tried to be identified.
  - Chapter 9. Reputation Risk: Does an Increase in Reputation Risks Damage the Reputation of Risk Management?
    Yasemin Gök
    Abstract: Intangible values such as reputation can create a strong perception on the public as much as material values. Various factors, be it internal or external, that can destroy reputation or cause loss of reputation are perceived as risks to reputation. Reputation risk, expressed as expectation gap, also indicates the effectiveness of risk management. After all, risk management effectiveness is related to our capacity to deal with reputation risks. In the context of reputation management, everything that has an impact on corporate reputation is perceived as a reputation risk. But can this lead to risk management of everything under reputation management and failure to manage anything? In this context, the aim of this study is to find an answer to the question, “Does the reputation of risk management decrease as the risks of reputation increase?” All in all, the perception, identification, definition, assessment, and effective management of risks to reputation will reveal the effectiveness of risk management. However, it should be noted that the approach of risk management of everything will lead to risk management of nothing.
  - Chapter 10. The Nexus Between Internal Control and Risk Management
    Serpil Ceylan
    Abstract: After the 1990s, organizations faced new risks due to the facts that technology-intensive activities started to be carried out as a consequence of the changes in technology, the relations with the environment became more complex along with the acceleration of globalization, the organizations grew in scale, and new business models emerged. In addition to these developments, the importance of establishing an effective risk management and internal control system has gradually increased, with the effect of financial scandals, in order for organizations to achieve their goals and objectives. This study aims to examine the internal control (IC) and risk management (RM), becoming increasingly more important for organizations, to determine their scope and to reveal the relationship between them. In this context, the concepts of IC and RM are firstly discussed based on the literature and published frameworks, and then the relationship between IC and RM is examined. As a result, it has been determined that IC is an important tool used for effective RM, that they serve together to achieve the goals and objectives of the organization and therefore they are complementary elements that support each other, and that presenting a single guide through wholly consolidating the frameworks published to guide the practitioners will increase the efficiency in practice.
  - Chapter 11. A Theoretical Examination of the Overlaps and Distinctions Between Risk Management and Crisis Management
    Turgay Çağlayan
    Abstract: With the recently developing technology, the diversity and increase in demand, on the one hand, and the limited nature of resources used for supply, on the other hand, result in significant risks at the strategic level. Therefore, organizations have to carry on their activities in an environment where they are exposed to higher levels of risks compared to the past. This environment, full of uncertainty and risks, paves the way for unexpected and undesirable events, and in such an environment, suddenly arising crises with negative consequences are also very likely to happen. In such cases, being aware of possible crises in advance, mitigating the negative effects of the crises, or managing them in a way that can offer opportunities may bring important advantages to the organizations. The most efficient factor in managing the crisis is to anticipate the crisis with a proactive approach and to take appropriate decisions in a timely manner. The aim of this study is to evaluate the similarities and differences between risk and crisis and risk management and crisis management and to evaluate whether organizations that cannot manage their risks will have to manage their crises. As a result of the examination conducted to that end, it has been seen that not every risk turns into a crisis or that not every crisis is caused by a risk. For this reason, in the event of a crisis, it is important to have a plan or system to manage the crisis, whether the risks are managed or not.
  - Chapter 12. Risk Management in Digital Era: Opportunities and Challenges
    Cem Dursun
    Abstract: This study aims to evaluate the risks faced by businesses embracing digitalization while assessing the opportunities, how to manage these risks in the mentioned new period, the supporting factors and opportunities, and the potential threats and challenges. In this context, we first address the historical development of the concept of digital transformation, its main benefit objectives, then the risks and adverse effects of digitalization, which is followed by a discussion, over the existing literature, of the change in risk management in the digitalized world and the conditions, opportunities, and challenges making this change necessary. As a result, digitalization can provide significant gains in operational processes and risk management approaches. On the other hand, it has been revealed that it is necessary to act with a new risk management approach in which this opportunity for gain can be made use of, taking into account the new risks arising after digitalization. Evaluating the opportunities and challenges regarding implementing the said approach, we have assessed the risk management approaches in businesses after digitalization under the titles of how businesses’ reactions to risks change, the consequences of risks in changing businesses, and how the adverse effects of risk have changed.
- An Overview of ERM Literature
  - Frontmatter
  - Chapter 13. Enterprise Risk Management: A Bibliometric Review
    Deniz Erdem, Ertan Güvendi, Mecbure Aslan, Ramazan Acar, Serkan Ülger
    Abstract: This study aims to perform a bibliometric analysis to map the development of the enterprise risk management (ERM) field. Post-1996 publications on enterprise risk management in the Web of Science database are analyzed in this scope. Bibliometric analysis of 597 publications provides a map of keywords, authors, countries, and institutions and a framework for following this literature over 25 years. According to the results of the research, in the field of ERM, an interdisciplinary field of study that attracts the attention of not only the academic world but also the business world, there has been a decrease in the number of publications in recent years. However, studies on new and different subjects have been conducted, and academic studies in ERM have shifted from developed to developing countries. It has been observed that proximity or language similarity does not affect the cluster formed by publishing countries.
- Backmatter
- Title: Rethinking Enterprise Risk Management
- Editor: Halis Kıral
- Copyright Year: 2024
- Publisher: Springer Nature Singapore
- Electronic ISBN: 978-981-9759-83-5
- Print ISBN: 978-981-9759-82-8
- DOI: https://doi.org/10.1007/978-981-97-5983-5