INTRODUCTION
Enterprise risk management (ERM) is an increasingly relevant topic, driven by rising technology risks (Suarez-Paba & Cruz, 2022), environmental challenges facing societies, for example, climate change (Kaufmann & Wiering, 2022), and, especially in recent years, the development of regulatory frameworks and the increasing complexity of risks (Lechner & Gatzert, 2017). Events such as international financial crises, changes in foreign exchange rates, and tragedies caused by natural disasters, terrorist attacks, and other occurrences make it necessary for companies to seek a response to these risks (Mejia, 2017). This need involves the challenge to manage risks comprehensively through an ERM system, including strategic, operational, and financial risks, among others (Ai et al., 2018). Even established companies that have been in the market for several years could go bankrupt if they fail to manage these events (Collins, 2010).
This study analyzed the impact of senior management commitment, risk management structure, risk maps, and risk treatment measures on ERM development. Surveys were applied to large private companies in the city of Medellin, Colombia, to observe their risk identification techniques, risk response strategies, and the support and importance of this issue for the company, among other aspects that determine the key variables required for an effective ERM.
The results show that senior management commitment is essential to help companies build ERM support structures, create risk maps, and bolster decisionmaking to respond to risks based on specific treatment measures, thereby entailing the development of ERM. Therefore, they become key factors for companies that aim to increase the maturity level of their risk management systems.
The study first presents the theoretical framework used in the research and a review of previous studies, from which hypotheses are derived. Subsequently, it describes the methodology used to answer the research objective, along with how each of the variables found in the models are measured. Then, the results of the surveys conducted during the fieldwork are presented, while the final section is dedicated to discussion and conclusions.
THEORETICAL FRAMEWORK, PREVIOUS STUDIES, AND HYPOTHESIS DEVELOPMENT
Understood as a set of activities aimed at managing possible internal or external threat situations to create value and fulfil objectives and goals, ERM is applicable to all types of organizations, of different ages, sizes, and sectors (ISO 31000, 2018); therefore, administrators are increasingly encouraged to implement risk management practices (Manama et al., 2020). Companies that adopted ERM have significantly reduced the cost of capital, thereby creating value for the organization (Berry-Stölzle & Xu, 2018) and improving the effectiveness of service delivery (Manama et al., 2020). However, ERM development levels vary according to the characteristics of each company (Mejia et al., 2017; Marsh & RIMS, 2018), and risk management systems are not always flexible enough to model the complexity of the risk management process (Castro et al., 2012).
Companies in developing Latin American countries have shown great ERM development and implementation (Marsh & RIMS, 2016), owing to different situations such as the sector to which they belong, their size, the regulations governing them, their financial capacity, expected investments in these purposes, and awareness of the importance of creating a risk-based thinking culture for all its members (Mejia et al., 2017; Marsh & RIMS, 2018).
To identify ERM maturity, models measuring the development level of these systems in different organizations are created to describe their state and determine their weaknesses and strengths according to the attributes, variables, and elements to be assessed (Hillson, 1997; Wieczorek-Kosmala, 2014; Oliva, 2016; Zhao et al, 2015).
Maturity models have been designed to evaluate different ERM variables, such as risk governance, risk practices and tools, risk reporting and communication, and risk management function alignments (FERMA, 2012). Risk governance has taken on great importance in recent years, including tacit knowledge, experience, and the expertise of decision makers (Klinke & Renn, 2021). Other authors describe the groups in terms of senior management commitment, risk management structure, defined guidelines, a risk-conscious culture, risk appetite and tolerance, as well as risk identification, analysis, and response, among other elements that establish development criteria reflecting the characteristics of an advanced or successful risk management practice (Zhao et al., 2015).
The present study used the FERMA maturity model as a reference, because its elements allow for a comprehensive overview of the fundamental components of ERM for any type of organization, in addition to grouping in a coherent way the framework of reference, stages, methodologies, and other essential aspects of the system.
One of the key elements where maturity models coincide regarding what an organization needs to transcend the problem of risk is ensuring senior management commitment (Antonucci, 2016; Villanueva et al., 2017)-its importance for a company, a clear understanding of the board's role in risk-based decision-making and defining guidelines that enable the organization to achieve its corporate strategy (Ali et al., 2022; Andersen et al., 2014).
Likewise, senior management commitment to ERM enables the structuring of a platform that comprises the resources needed to achieve the expected results in organizational management (Haimes, 1992; Mejia, 2006), along with directing employee activities according to their abilities in line with the behaviours required by the organization for value creation (Pereira, 2014).
The stronger the ERM, the greater the company's capabilities will be to produce visible benefits (Marsh & RIMS, 2018) in financial terms, decision-making, and organizational improvement. In accordance with the above, the following hypothesis is proposed:
H1: Senior management commitment has a positive correlation with ERM.
The effectiveness of ERM systems does not depend only on senior management commitment and the existing guidelines and policies, but also on the way they are implemented, showing thereby that appropriate risk management structures can strengthen a company's risk culture and, consequently, the overall development of its management (Sheedy & Griffin, 2018).
Therefore, it is important to establish structures that support and facilitate this practice, in addition to defining responsibilities related to the subject, with a view of complying with risk and control functions (Institute of Internal Auditors, 2013; Nguyen, 2022). To this end, different roles are established at all corporate levels, ranging from the board of directors, executive management, chief risk officer, business unit management and process/risk owners, independent risk management and compliance functions, to the system's internal and external audit functions (Beasley et al., 2005; Protiviti, 2013), which aims to protect the organization against exposure to situations that may threaten its continuity and sustainability over time. Thus, the following hypothesis is formulated:
H2: Risk management structure has a positive correlation with ERM.
Risk identification, analysis, and response are part of the process stages that must be carried out in an organization for a better understanding of the internal and external variables that may affect it, analyzing them in a timely manner to achieve enterprise risk prioritization (COSO, 2017). These elements are presented through risk maps.
Risk maps correspond to the graphic representation of these events, according to the probability of their occurrence and the impact they could generate (Chapman, 2006). They are usefule to provide a clear, agile vision of the organizational reality and to make pertinent decisions. These maps can be created at a strategic, operational, financial, and project level (ISO 31000, 2018) for business units, contracts, products, and other areas of analysis established by each organization. Based on the above, the following hypothesis can be established:
H3: Risk maps have a positive correlation with ERM.
Risk maps help establish appropriate risk treatment measures to manage these events and thereby make decisions to control situations that may pose a threat to the company (Standards Australia/Standards New Zealand, 2004). These measures include avoiding, reducing, or mitigating the probability and consequences of transferring or retaining the risk (Andersen et., 2014; ISO 31000, 2018).
Likewise, the control and assessment of potential business threats becomes an ERM priority. Key risk indicators provide information that can generate an early warning system for the company at the operational, tactical, and strategic levels (Scarlat et al., 2012).
Thus, when a risk management process is implemented by using the appropriate techniques and tools for each process stage, significant progress can be made in the development of risk management and, consequently, in organizational management (Marsh & RIMS, 2018). Thus, based on the literature review, the following hypothesis is structured:
H4: Risk treatment measures have a positive correlation with ERM.
According to the previously described criteria included in the framework of an ERM system, measured by existing maturity models, when a company has rigorously applied these criteria, the level of risk management implementation can be considered as high (Marsh & RIMS, 2018; Zhao et al., 2015). The above mentioned four hypotheses are summarized in Figure 1.
METHODOLOGY
Data collection
This study examines the influence of senior management commitment, risk management structure, risk maps, and risk treatment measures as key variables of ERM development. To this end, a quantitative approach is used to measure the impact of independent variables on a dependent one. The study population consisted of large private companies in Medellin, Colombia; namely, 343 large companies were selected using reports of the Medellin Chamber of Commerce. This initial selection was refined as the sample involved business groups that implemented centralized risk management; in these cases, only one company was included. Those that had less than 200 employees or those that did not have private capital were removed from the database. Eventually, 300 companies remained.
Sample size was determined using a 95% confidence interval and an error margin of 5%, which resulted in a sample of 168 companies that are representative of the population (Kerlinger & Lee, 2002). Data were collected through a questionnaire developed based on analysis variables derived from the literature review, which was validated with a risk consultant, a comprehensive risk management officer, and a risk management professor.
To ensure a significant response rate, a phone reminder strategy was used throughout the study, which resulted in a response rate of approximately 57%, equivalent to 170 observations. The questionnaires that were not answered in their entirety were eliminated, thereby leaving a database with 140 companies. Of these, 4.3% belong to the extractive sector (n=6), 26.4% to the manufacturing sector (n=37), 57.1% to the service sector (n=80), and 12.1% to the retail sector (n=17). In this sample, 29.3% have been in the market for less than 20 years, 37.8% for more than 20 years but less than 40 years, and the remaining 32.9% for more than 40 years.
Techniques for controlling non-response bias and common method bias
To ensure the absence of bias in the data, the non-response bias has been evaluated. In this case, the companies that participated in the study were compared in terms of size and age to the companies that received the survey instrument but did not respond it. The results reveal that there are no significant differences between the two groups (p<0.05).
However, in studies using information on organizational behaviour, different biases influencing the response process should be considered (Meade etal., 2007). Therefore, these possible influences have been controlled through two channels: first, in the survey design and application, and second, based on a statistical control.
While the study's focus is related to organizational behaviour and/or performance, we must guarantee that key informants-possibly managers or officials in charge of departments or branches-are completely assured that their answers are anonymous, without concerns of being evaluated or self-evaluating their own performance. The main advantage of this procedure is a control of possible information bias. Likewise, interviewees could be subconsciously looking for correlations between questions or relations between predictor variables and explained variables, distorting thus reality, and causing the common method bias (Podsakoff etal, 2003).
After assuring anonymity and responsibility in the design of the data collection instrument, a statistical control technique has been used. One of the most common techniques is the Harman single factor test (Meade et al., 2007; Rhee et al., 2010), which poses the hypothesis that if there is a significant amount of common method variance, either a single factor will emerge from the factor analysis or the first factor will account for most of the covariance (Podsakoff et al., 2003). Once tests were completed, the results showed different factors that indicated a high percentage of the total variance explained, as seen in the variables presented below. Therefore, no single factor has emerged from the Harman test. These results depict the measurement validity of the constructs used in the study.
Model variables
Age. This is a control variable used in the model to observe possible variations in companies that have been in the market for more or less time. The youngest company was 3 years old and the oldest was 144 years old. This variable has a mean of 38.82 and a standard deviation of 23.71; thus, due to such a high dispersion, we used its natural logarithm to include it in the model.
Size. This is also a control variable that makes it easy to consider differences that could arise from difference in the company's number of employees. The company with the smallest number of employees had 200, and the one with the highest number had 17,000 employees. The mean of this variable is 1,075.21 and its standard deviation is 1,812.17; due to high dispersion, we included its natural logarithm in the model.
Senior management commitment. The internal consistency of the survey is assessed by applying an exploratory factor analysis to evaluate factorial dimensionality and validity on senior management commitment and associated benefits. This was measured by using five questions on a 5-point scale about resource adequacy, financial benefits, organizational improvement, decision-making benefits, and effective senior management commitment, all with respect to ERM (FERMA, 2012).
This factor has statistics such as a Kaiser-Meyer-Olkin (KMO) value of 0.882, Bartlett's test of sphericity with p<0.01, and Cronbach's alpha = 0.921.
Risk management structure. This factor is measured by using four questions on a 5-point scale identifying whether the organization had an office coordinating risk management, carried out an independent system evaluation, defined responsibilities, or followed international standards (FERMA, 2012). This factor presented a KMO value = 0.717, Bartlett's test of sphericity with p<0.01, and Cronbach's alpha = 0.658, indicating internal consistency of both factors (Hair et al., 1999).
Risk maps. This factor was measured by using three questions on a 5-point scale, related to the creation of risk maps in business units, enterprise risk maps, and risk map periodic review. This presented statistics such as a KMO value = 0.730, Bartlett's test of sphericity of less than 0.01, and Cronbach's alpha of 0.888.
Risk treatment measures. To measure this factor, four questions were asked on a 5-point scale about the implementation of risk control measures, risk financing measures, the use of indicators, and the use of this information in decision-making. These questions present a KMO value = 0.802, a Bartlett's test of sphericity of less than 0.01, and Cronbach's alpha of 0.869.
ERM development. This is the dependent variable of the model. Four questions identified in the literature review were applied to generate the ERM development factor measured on a 5-point scale, where questions related to ERM development over the last 10 years were asked, comparing this development with international standards, companies in the same sector, and relevant regulations (FERMA, 2012). The KMO value (0.800), Bartlett's test of sphericity (0.000), and Cronbach's alpha (0.888) were applied to the four questions, which enabled factor validation.
Multivariate analysis. Two control variables (age and size) are used in the research model. The independent variables are senior management commitment, risk management structure, risk maps, and risk treatment measures, which, according to the literature, directly affect the dependent variable-ERM development. Therefore, we decided to implement a multiple linear regression that is part of the multivariate analysis technique, since it explains the effect that one or more variables can exert on the other(s) (Hair et al., 1999).
RESULTS
Before performing a regression analysis, we present a matrix that shows possible correlations between the independent variables to detect multicollinearity. As evidenced in Table 1, the independent variables are not highly correlated; thus, there are no multicollinearity issues.
The research hypotheses were tested using hierarchical multiple regression models to check the influence of independent variables on the dependent variable. As a result, four regression models are presented, noting variations in the explanatory power of each model when entering or removing any independent variable and showing changes in the meanings of some variables (see Table 2).
Note: *** p<0.01, ** p<0.05, *p<0.1. The data in the table show standardized coefficients, and the associated standard errors are in parentheses.
Source: Author's elaboration.
As seen in Table 2, regression Model 1 only includes the control variables (age and size) that do not have a significant relation for the companies studied. Regression Model 2 is made up of control variables and the independent variables of senior management commitment and risk management structure. Both independent variables have a positive and significant relationship with ERM development at a 99% confidence level (p<0.01) in both cases. Moreover, the explanatory power of this model is increased up to 55.9%, which indicates that the companies promoting and supporting ERM through senior management-using a coherent risk management structure-achieve a higher level of ERM development. This allows us to accept hypotheses HI and H2.
Regression Model 3 includes control variables and the independent variables of risk maps and risk treatment measures. The two control variables still have no significant correlation with ERM development. However, in the case of both independent variables, a positive and significant relationship was found with ERM development, both at a 99% confidence level QkO.01). This indicates that the companies that have created risk maps and designed treatment measures to respond to potential risks depending on the severity they represent for the company will have a positive impact on ERM development. Thus, hypotheses H3 and H4 are also acceptable since the adjusted R-squared value of this model is 0.511.
Regression Model 4 contains all variables examined in this study associated with ERM development. It shows that the control variables have no significant relationship as in the previous models and that all variables continue to have a positive and significant relationship. This model has high explanatory power regarding the study variable as it increases up to 60.3%.
DISCUSSIONS AND CONCLUSIONS
This study contributes to ERM theory insofar as it establishes a direct relationship between factors that are fundamental when evaluating the development level of this practice in an organization; thereby, it helps organizations determine when they need to begin designing and implementing risk systems or when they need to improve and/or strengthen existing ones. Likewise, some variables can be identified as not having a direct influence on this phenomenon.
As for the control variables, it is worth noting that the company's age is not associated with the level of ERM development. This can be the case because today environment dynamics, exposure to risks, and regulations regarding this issue have generated greater awareness in companies with regard to the importance of managing possible risks, regardless of their age.
The variable of size does not influence ERM development. Although all the companies in the study were large (with more than 200 employees), there was a vast difference between the smallest (200 employees) and the largest one (17,000 employees). These results suggest that not necessarily the largest companies are the ones who can develop their ERM systems to a greater extent, but that there are other factors that do influence this purpose.
Among the variables of risk governance, senior management commitment was analyzed as one of the key factors driving ERM, regardless of the organization's size and/or age, which supports what was previously found in the literature (Suarez-Paba & Cruz, 2022). Thus, this variable has a directly proportional relationship, implying that people fulfilling a managerial role in a company could motivate or discourage efforts made to implement an ERM system. These results are consistent with other studies (Acik et al., 2021; Pereira, 2014; Villanueva et al., 2017), which found that senior management, owing to its authority or importance in the company, can direct employee actions towards achieving fundamental goals, such as risk management, to increase the company's value. These results reinforce the importance of the discourse of risk governance that was found in another recent investigation (Kaufmann &Wiering,2022).
The results also suggest that risk management structure is another key factor in ERM development, which is consistent with a recent study (Nguyen, 2022), because an office or unit in charge of coordinating risk management activities can help assign responsibilities throughout the company to reach relevant goals and, at the same time, generates greater commitment from all personnel to promote said development. This supports what has been found in other studies, such as that of Sheedy and Griffin (2018), which identified that risk management structures help build company culture and facilitate risk management.
Additionally, among the variables derived from practices and tools, risk maps are notable as another variable positively related to ERM development. This indicates that creating risk maps at different organizational levels and updating them periodically generates a risk response system of greater maturity. This is important since business environments rapidly change; therefore, it is necessary to keep abreast of new situations that the company might face. These findings are consistent with what Marsh and RIMS (2018) found, namely that companies that use techniques and tools such as risk maps may achieve greater progress in implementing ERM systems.
Risk treatment measures is the fourth factor identified in the results of this study, which are also part of the practices and tools and play an important role in ERM development. Thus, risk control and financing methods, the recording of events to decide appropriate response measures, and the use of advance alert monitoring and evaluation systems in the organization entail a significant development of the ERM system.
Implications for academic and business environments
This study has theoretical implications for ERM because it identifies the main variables for its development. As for risk governance, the results suggest that it is very important to focus on senior management commitment and risk management structure to develop ERM. This makes it easier to assimilate risk management guidelines at different organizational levels.
After analyzing the variables of this study related to risk governance, practices, and tools, several implications can be established for the academia, such as the possibility of incorporating more academic content related to the subject from different disciplines, allowing thus for a greater dissemination and awareness of the problems of an economy lacking this conceptual clarity. Likewise, another implication is the possibility to associate variables that may have a greater impact on the development of ERM systems, to strengthen the theoretical aspects dealing with these elements. Although well-supported by some studies at the national and international level, theory could benefit from further research on the combination of these and other variables, which will provide guidance for future lines of research. This will allow companies to focus their efforts on ERM practices and the benefits they bring in terms of system development and maturity.
In the development of theory, this study validates the scales of risk governance, practices, and tools, related to ERM development. This research contributes to highlighting the importance of defining roles and responsibilities in relation to risk management, guidelines, and directives on risk culture and communication, which allows transparency and trust in management.
The implications related to business environment show that senior management commitment, risk management structure, enterprise risk maps, and risk treatment measures that focus on mitigating potential risks promote the development and maturity level of ERM systems; in turn, they also demonstrate the benefits and value creation generated by this practice in decision-making and the achievement of business goals at different organizational levels.
There are also other elements that should be implemented to further the maturity of ERM systems. However, the elements tested in this study provide an important source of information, which will allow the company to be more coherently aligned with its current business priorities, achieve the results expected in this regard, and subsequently move to the next level, reaching other elements that theoretically form part of these organizational management systems.
Limitations and future lines of research
This study mainly focuses on large Colombian private companies. Future research could consider comparative analyses between different countries, enabling thus the study of other important components for ERM development, such as regulations specific to each context, to strengthen risk management practices in emerging markets. However, as this study examines aspects of the ERM design, other studies may focus on the implementation stage, which is also related to support from senior management (Beasley et al, 2005). This would allow the analysis of different stages that must be carried out when using an ERM system.
The limitation of this study is related to the fact that it analyzes factors that had an impact on ERM development. Further research could determine whether the analysis of this criterion variable is associated with value creation to verify risk theory (Hoyt& Liebenberg, 2011), which would support the importance of this type of systems in companies. It is also necessary to look further into the corporate governance variable and its role regarding ERM, as it is becoming increasingly relevant to understand the relationship among these variables (Bromiley et al, 2011) dueto the great impact of corporate governance on the entrepreneurial decision-making process, such as promoting risk management.
For future research, the relationship between internal audit performance and ERM development could be examined, as well as the relationship level between the financial results of the companies of the study and their ERM maturity level, associated with tangible benefits that this discipline provides to companies. Similarly, databases that include public financial information could be used as future data sources.
Methodologically this study analyses a cause-effect relationship through hierarchical linear modelling. Future studies could consider using econometric models that allow simultaneous interrelationships between different dimensions proposed in this study, as well as the constructs emerging from them, such as practices, tools, and risk governance. This would generate more explanatory models of causality between these constructs, their dimensions, and ERM development, such as structural equation modelling. Similarly, further analyses, particularly considering the effects that interaction between third variables (mediators or moderators) generate on risk management research, would provide new evidence on the relationship between predictor (independent) variables and the criterion variable (ERM development).