An Exploratory Study of Enterprise Risk Management

Abstract

There is a general consensus that enterprise risk management’s (ERM) popularity has resulted from a response to pressure on organizations to holistically manage risk. Multiple frameworks for implementation of ERM contribute to an overall uncertainty regarding the essential components of ERM. This uncertainty carries forward to empirical studies of ERM where results regarding value creation are inconclusive. There exists no real consensus about what the principal components of ERM are; this has led to identification and measurement methods that are inconsistent. By using inconsistent indicators and measures of ERM implementation, it is impossible to compare “apples to apples” and arrive at conclusive and convincing results regarding ERM’s ability to create value. This is an exploratory study of ERM aimed at determining the integral components of ERM based on how firms actually implement ERM dimensions. The result is the identification of four discrete components, or pillars, of ERM implementation; two prerequisite components related to the general internal environment and control activities of the firm, one component identifying risk management activities of the firm and one component with the defining attributes of ERM implementation. All four components must be implemented to have well-implemented ERM, but only one separates ERM firms from non-ERM firms. The resulting four components challenge existing frameworks to adapt to better reflect how firms implement ERM and can have a valuable impact on identifying and measuring ERM, leading to more informative empirical studies on the value creating abilities of ERM.

Keywords

enterprise risk management holistic risk management exploratory factor analysis risk management

Introduction

There is a general consensus that enterprise risk management’s (ERM) popularity in discussions of modern risk management practices has resulted from a response to increased pressure on organizations to holistically manage risk. New demands on corporations for reporting purposes imposed by, for example, The Sarbanes–Oxley Act of 2002 (SOX) is often argued to have had a significant impact in changing the face of risk management (Beasley, Clune, & Hermanson, 2005a; Beasley, Pagach, & Warr, 2008; Desender, 2007). Ratings agencies have also helped put focus on the emergence of ERM; in May 2008, Standard and Poor’s (S&P, 2008) Ratings Services announced its intention to include ERM assessment in ratings of non-financial firms. And with companies facing a broader scope of risks arising from globalization, industry consolidation, and deregulation (Liebenberg & Hoyt, 2003), ERM has risen as a coping mechanism for the pressures placed on firms to have effective risk management. Still, despite its rising popularity, knowledge of ERM is beset by uncertainties and inconsistencies.

As attention to ERM increased, a number of frameworks emerged to help guide firms in their implementation of ERM. The number of frameworks developed contributes to an overall uncertainty regarding the essential components of ERM. Each framework identifies different components in varying number and definition; and while the underlying ideas of ERM are consistent, dissatisfaction with existing guidance in ERM implementation is apparent. Beasley, Branson, and Hancock (2010) find that the Committee of Sponsoring Organizations of the Treadway Commission (COSO)ERM framework, one of the most cited and debated frameworks, is considered to be ambiguous and overly theoretical in nature by individuals who are involved in leading ERM. In addition, it was found in this study that firms often use more than one framework to guide implementation or take implementation into their own hands by creating internal ERM frameworks, suggesting a level of uncertainty regarding existing guidance. This uncertainty carries forward to empirical studies of ERM (Beasley, Clune, & Hermanson, 2005a, 2005b; Beasley, Pagach, & Warr, 2008; Desender, 2007; Gates, Nicolas, & Walker, 2009; Gordon, Loeb, & Tseng, 2009; Hoyt & Liebenberg, 2011; Liebenberg & Hoyt, 2003; McShane, Nair, & Rustambekov, 2011; Pagach & Warr, 2010, 2011), where results regarding value creation of ERM and its determinants are inconclusive. Of particular concern are the inconclusive results regarding the potential value creation of ERM; this of course is a key motivation for implementation of ERM which requires considerable time, resources, and commitment. There exists no real consensus about what an ERM firm “looks like” and/or what the principal components of ERM are; this has led to measurement and identification methods that are inconsistent and imperfect. By using inconsistent measures of ERM implementation, it is impossible to compare “apples to apples” and arrive at conclusive and convincing results regarding ERM’s ability to create value.

Previous identifiers of ERM are often limited to simple proxies of implementation, like a chief risk officer (CRO) hire (Beasley, Pagach, & Warr, 2008; Liebenberg & Hoyt, 2003; Pagach & Warr, 2010, 2011), or measures of ERM dependent on survey information (Beasley et al., 2005a; Beasley, Clune, & Hermanson, 2005b; Gates, Nicolas, & Walker, 2009). Both methods ignore the complexities of implementing ERM and assume imprecise identifiers are sufficient to represent the integral parts of ERM. More complex attempts at measuring ERM implementation, using public information or survey data, differ across studies. To better identify ERM firms, measure ERM implementation, create comparability between firms, and identify true value creation capabilities, it is important to take a step back and first determine what ERM really is and what the principal components are.

This is an exploratory study of ERM aimed at determining the integral components of ERM based on how firms actually implement ERM dimensions. Components are broad but integral pieces of ERM that are made up of a number of grouped together more detailed dimensions or aspects of ERM; components, factors, pillars, and integral parts are used interchangeably throughout the text. One hundred fifty-one Nordic firms responded to a comprehensive questionnaire aimed at capturing completeness of ERM implementation by assessing the level of implementation of 59 different dimensions. Few other ERM studies have firm-level information on ERM implementation in such detail. Exploratory factor analysis (EFA) is used to identify the underlying factor structure determining the implementation of ERM dimensions seen in the sample firms. Confirmatory factor analysis (CFA) is used to evaluate a priori ERM component models based on existing frameworks for ERM implementation. Finally, the importance of the resulting factors for ERM implementation is investigated based on the feedback from seven experts in ERM.

The result is the identification of four discrete underlying components, or pillars, of ERM implementation; two prerequisite components related to the general internal environment and control activities of the firm, one component identifying risk management activities of the firm, and one component with the defining attributes of ERM implementation. All four components must be implemented to have well-implemented ERM, but only one separates ERM firms from non-ERM firms. The first two components are not directly associated with risk management; firms that demonstrate no risk management activities could still implement these two components in a robust way, for example if they have strong governance in place. The third component distinguishes between firms that are actively managing different risks of the firm and those that are not, but this component provides no information on the organization of these risk management activities. The fourth component contains the dimensions that are characteristic of ERM implementation, for example, formal written statement of risk appetite, correlating and determining portfolio effects of combined risks, having a senior manager assigned the responsibility of overseeing risk and risk management, and a formal risk management report submitted to board level regularly.

The resulting four components challenge existing frameworks to adapt to better reflect how firms implement ERM. The resulting factors also have a valuable impact on identifying and measuring ERM, which can lead to better and more informative empirical studies on value creating abilities of ERM.

The article is organized as follows. “Frameworks for Enterprise Risk Management Implementation” presents a discussion of ERM frameworks with a focus on the COSO ERM Framework. “Previous Studies on Enterprise Risk Management” discusses previous flaws and inconsistencies in measuring and identifying ERM firms as well as the inconclusive results of previous empirical studies of ERM. “Data and Method” presents the methodology used in the article: survey, EFA, and expert weighting. “Results and Discussion” presents the empirical results. And finally, conclusions.

Frameworks for ERM Implementation

There are a number of frameworks intended to guide firms in their implementation of ERM. Some of the most prominent and frequently mentioned frameworks are COSO’s ERM Integrated Framework, the Joint Australia/New Zealand 4360-2004 Standards, ISO 31000-2009, the Turnbull Guidance, the Casualty Actuarial Society Framework, the International Association of Insurance Supervisors Framework, and Basel II. ISO 31000-2009 is said to incorporate best practices from COSO, PMI (Project Management Institute), the Australian and New Zealand Standard, and other leading international risk management standards (Fraser & Simkins, 2007). Each framework identifies its own specific component structure in varying number and definition and ERM implementation process. A number of firms also create their own internal frameworks for implementing ERM, usually guided by one of the above-mentioned frameworks. Of those who were surveyed for this study and knew which frameworks were followed for implementing ERM, 41% of firms said they used internally created frameworks solely or in combination with other frameworks. Of the listed frameworks, the COSO framework was the most followed, with 24% of firms following COSO solely or in combination with other frameworks. The ISO 31000-2009 and the Basel 11 frameworks both follow with 9% of the firms using them for implementation guidance either solely or in combination with other frameworks.

Twenty-nine percent of the firms surveyed stated that they were using more than one framework to guide their implementation of ERM. This suggests a level of uncertainty regarding existing guidance. It could be an indication of confusion regarding what ERM really is and how it should be implemented and that existing frameworks are to some degree incomplete or difficult to follow; therefore, firms find a need to use more than one framework.

Since its release in 2004, the COSO ERM Framework has been discussed extensively and is generally the most cited ERM framework; it also plays a central role in this study. Following events like Enron, a heightened concern and a call for risk management prompted COSO to update its original internal control framework from 1992, leading to the creation of the COSO ERM Framework (Pang & Shi, 2009). Many of the dimensions and underlying ideas of ERM mentioned in the COSO framework are also relevant for other existing ERM frameworks. Existing ERM frameworks tend to be conceptually similar, but they differ in their structural representations, pertaining mostly to how dimensions or aspects of ERM are grouped—how they define the integral parts of ERM.

COSO presents eight components of ERM. (a) The internal environment pertains to the governance and structure, culture, and philosophy of risk management, including the firm’s risk appetite. The firm’s risk appetite is argued in much of the literature to be a central aspect of ERM and a key to its success. Many authors, frameworks, and even practitioners address the importance of establishing, communicating, and understanding the firm’s risk appetite (Blakely, 2009; COSO, 2004; Drew & Kendrick, 2005; Fraser & Simkins, 2007; Kirkpatrick, 2008; “Recent Trends in ERM and Literature Review,” 2007; The Society of Actuaries, n.d.; Stulz, 2008). (b) The objective setting covers the strategic objectives of the firm’s operations, reporting, and compliance activities. (c) Event identification involves determining significant events that may affect the firm’s ability to achieve its objectives. Events are both internal and external factors such as external economic events, natural environmental events, political events, social factors, internal infrastructure events, internal process-related events, and external and internal technological events (Moeller, 2007). (d) Risk assessment is the consideration of the extent to which potential risk events may affect an organization’s ability to achieve its objectives. The dimensions underlying this component are more “quantitative” evaluations of the risks the firm faces. (e) Risk response concerns the existence of formal policies in place to determine how risk should be responded to and managed. There are four general responses: avoiding, accepting, reducing, and sharing risk (COSO, 2004). (f) Control activities are policies and procedures in place to ensure that identified risk responses are carried out. (g) Information and communication is the process or unit of the framework that links together each of the other components. Finally, (h) monitoring is essential to ensure that ERM is working effectively on a continuous basis. COSO defines the effectiveness of ERM based on an assessment of whether the eight components are present and functioning properly, making proper implementation of the eight components the criteria for effective risk management. For the components to be present and functioning as prescribed, there can be no material weakness, and all risks need to be brought into the perspective of the firms risk appetite (COSO, 2004).

In COSO’s 2001 “Report on ERM,” 26.5% of respondents responded “significant or a great deal” to the perception that the COSO ERM Framework contains overly vague guidance, and 44.6% responded “significant or a great deal” to the perception that the framework is overly theoretical (Beasley et al., 2010). In general, criticisms of ERM tend to focus on this ambiguity which leads to difficulties in implementation.

Ambiguity and confusion resulting from flawed and inconsistent guidance is a symptom of lacking consensus about what ERM really is. This lack of consensus exists in empirical studies of ERM as well. Flaws and inconsistencies in identification and measurement methods of ERM firms result in a lack of resolution regarding ERM’s ability to create value.

Previous Studies on ERM

In current ERM research, there are two main methodological ways of identifying and measuring ERM implementation in firms; researchers either search publicly available information or they use surveys to obtain the information straight from the firm. Inconclusive results regarding the value creating ability of ERM and its determinants can, in part, be a result of the inherent flaws in the methods used as well as the inconsistencies between identification and measurement; these inconsistencies stem partially from a lack of agreement about what ERM really is and what the principal components of ERM are.

As Liebenberg and Hoyt (2003) state in their article, a major obstacle to empirical research in ERM is the difficulty in identifying firms engaging in ERM. Firms typically do not disclose whether they are managing risks in an integrated manner. Much of their risk management disclosure and discussion relates to specific risks and not whether they are managed in an integrated way (Liebenberg & Hoyt, 2003). In addition, a number of ERM dimensions, for example, those associated with COSO’s internal environment component, are not specific to the implementation of ERM. Therefore, firms may have efficiently implemented ERM dimensions in the firm without consciously trying to implement ERM. This could in turn mean that they do not report on such dimensions. Underreporting of ERM practices then creates inaccuracies in the evaluations of ERM implementation by deflating measures of ERM and ultimately affecting the results of studies.

Many researchers using public information searches use simple proxies to identify ERM implementation, like the existence of a CRO position or similarly a senior risk officer (Beasley et al., 2008; Hoyt & Liebenberg, 2011; Liebenberg & Hoyt, 2003; Pagach & Warr, 2010, 2011). Beasley et al. (2008) assume that hiring a CRO implies that the firm is implementing ERM and will use corporate resources toward the effort. This is problematic given that the hiring of an individual does not necessarily accurately represent a well-implemented and effective ERM system. In addition, it is possible for a firm to hire an individual to signal to shareholders an intention to implement ERM but for the firm to not follow through with implementation or to poorly implement ERM. Therefore, such a proxy measure may be too superficial to robustly identify an ERM firm. On the contrary, it may be possible that firms who have implemented ERM have not hired a CRO; COSO (2004) states that some firms choose to assign the role of risk officer to another senior officer, CFO for example, making the hire of a CRO unnecessary for ERM implementation. Only 18 firms (12%) in the sample firms for this study reported that they had a CRO, but 73% of the 143 that responded regarding implementation of ERM said they had implemented ERM but improvement was needed, had robustly implemented ERM, or had implemented ERM but according to a definition other than COSO’s. Assuming, in this case, responses to such questions accurately reflect ERM implementation, using a CRO would identify too few firms as ERM implementers.

An example of a more comprehensive existing measure of ERM implementation is the use of the risk management rating from S&P; McShane, Nair, and Rustambekov (2011) use this measure to investigate the value creation of ERM. At this time, this measure only exists for insurance companies and because of its newness and dependence on the S&P definition of ERM, it must be evaluated further for its appropriateness in studies of ERM.

Some studies use multiple ERM dimensions to measure ERM implementation but still search publicly available information (Desender, 2007; Gordon, Loeb, & Tseng, 2009). Desender (2007) searches all publicly available information, 10-Ks, proxy statements, and company websites, for information about 70 dimensions of ERM spanning specific types of controls, risk, and related ERM practices. Gordon et al. (2009) have a similar measurement strategy where they define variables used to create an ERM index (strategy, operation, reporting, and compliance); variable data are collected from publicly available information, for example: sales, number of employees, material weakness disclosures, announcements of financial restatements, and auditor fees. Both these studies take into consideration a number of ERM dimensions and acknowledge ERM’s complexity, but because the measure themselves are different, they should be analyzed and/or developed from a more consistent definition of ERM.

Beasley et al. (2005a, 2005b) survey firms to bypass the incompleteness and under reporting worries related to public information searches. They ask firms directly through survey about their level of ERM implementation. This is a case of oversimplification and an over reliance on a firm’s own definition of ERM and the perception of ERM implementation in the firm. Given that the level of ERM implementation is dependent on a single answer with no additional information or “controls” for bias, this measure of ERM implementation is problematic. Gates et al. (2009) also survey firms regarding their stage of ERM implementation as well as regarding which components of the COSO ERM framework lead to better decisions and increased profitability. Although they include possible control questions for accuracy of the stage of ERM, potential biases can arise, for example, from firms attempting to give an “appealing” answer and inflating their implementation of ERM.

Table 1 shows a summary of the empirical studies’ identification and measurement methods addressed in this section as well as the results of the studies. Out of 10 studies, at least 5 of them identify and measure ERM in a different way (more than 5 if one considers the measures in detail). This means that a number of these studies are not comparing “apples to apples.” A firm being defined as an ERM implementer because of announcing a senior risk officer hire announcement will likely be different than a firm identified as an ERM firm using the ERM Index developed by Gordon et al. (2009). This could explain the inconclusive results from ERM studies.

Table 1.

Previous Enterprise Risk Management Empirical Studies.

Identification method	Author(s)	Identifier	Objective
			Value creation
Public information search	Beasley, Pagach, and Warr (2008)	CRO announcement	Positive shareholder reaction
	Gordon, Loeb, and Tseng (2009)	ERM index	ERM and firm performance contingent on contextual variables
	Pagach and Warr (2010)	Senior risk officer announcement	No support
	McShane, Nair, and Rustambekov (2011)	S&P risk management rating	No support
			Value creation and determinants
	Hoyt and Liebenberg (2011)	ERM keywords	ERM premium = 17% of firm value	Firm size, institutional ownership/negative relation to reinsurance use and leverage
			Determinants
	Liebenberg and Hoyt (2003)	CRO announcement	Financial leverage
	Desender (2007)	Multiple dimensions	CEO on the board, board independence when there is separation of CEO and chairman, size, and Big Four auditor
	Pagach and Warr (2011)	Senior risk officer announcement	Size, leverage, fewer growth options
			Value creation
Survey	Gates, Nicolas, and Walker (2009)	Survey response	Better decision making and profitability
			Determinants
	Beasley, Clune, and Hermanson (2005a, 2005b)	Survey response—Scale from 0 to 4	CRO, independent board, CEO or CFO involvement

Note. CRO = chief risk officer; ERM = enterprise risk management; S&P = Standard and Poor’s.

Of the six studies on ERM’s ability to create value, four find support. In these six studies, six different methods of identification/measurement of ERM are used, five of which use searches of publicly available information. Two articles use the announcement of a CRO or senior risk officer announcement. The former, an event study, finds a positive shareholder reaction to the announcement of a CRO in firms with little financial slack or large non-financial firms with volatile earnings, greater amounts of intangible assets, low leverage, and low amounts of slack (Beasley et al., 2008). Pagach and Warr (2010) find, however, that financial performance does not change as a result of adopting ERM. Using Gordon et al.’s (2009) ERM Index shows that ERM is in fact value creating contingent on a number of firm characteristics. Inconclusive results like these are worrisome because the argument that ERM is value creating is of importance for its continuing development and is a core motivator for firms choosing to devote resources to its implementation.

The results from determinants articles aren’t as straightforward in the sense that many of the articles include different test variables for ERM determinants, but some of the results show inconsistencies across studies. Liebenberg and Hoyt (2003) find that financial leverage is positively associated with ERM implementation, but Hoyt and Liebenberg (2011) find, using a broader set of indicators, that ERM has a negative relation to leverage. Because financial leverage is a traditional motive for implementing risk management, inconclusive results like these are troublesome; the difference in measurement technique can contribute to the inconclusive results.

To better identify and measure ERM, there must be a consensus about what an ERM firm “looks like” and/or what the principal components of ERM are. This study determines the integral components of ERM based on how firms actually implement ERM dimensions.

Data and Method

To determine the pillars of ERM, a survey methodology is used to first gain information about the implementation of dimensions of ERM. Based on the survey information, EFA is used to determine the underlying factor structure of ERM. These factors are then tested, along with possible a priori component classifications, with CFA to assess the most accurate components underlying ERM. The final component structure gives a picture of what ERM is based on how its dimensions are implemented. Finally, the importance of the components for efficient ERM implementation is assessed using expert weighting.

Survey

Survey design

The questionnaire used in this study focuses on identifying a firm’s level of implementation of a number of dimensions of risk management. While a significant portion of the survey is aimed at identifying implementation of ERM dimensions, the survey did not draw attention to its focus on ERM to ensure that respondents were not influenced by the mention of ERM but instead answered with a more general consideration to their risk management practices.

The survey was based on a set of questions developed by Desender (2007) to construct an aggregate measure of ERM. Desender’s original list was developed using the COSO (2004) ERM Framework and prior work by Knechel (2002) that defined relevant control and risk management procedures. Desender searched publicly available information to find evidence of the implementation of 70 ERM items developed, giving firms a score of 0 or 1 for each dimension.

For the purpose of this study, Desender’s dimensions of ERM were refined and, based on a careful review of existing literature, developed further to be more complete and include aspects that were perceived missing from the original list. Dimensions from Desender’s list that were either difficult to comprehend under the COSO framework context without more information or absent¹ in public information were removed from the list. In addition, input regarding necessary components of proper ERM implementation was received from two members of the COSO board to refine and complete the survey.

The dimensions were then transformed into survey questions designed to assess the degree of implementation of each dimension in the firm from 0 to 3. Zero being that the dimension is non-existent in the firm and 3 being that the dimension is robustly implemented in the firm.

The questionnaire was sent to the Chairman of COSO, a consultant of ERM implementation, and a researcher with experience in survey use for comments. The survey was also pre-tested on two practitioners. The final version of the questionnaire included changes based on the comments from the aforementioned individuals. Minor changes were also made based on the recommendations of Sinitor² who helped distribute the survey.

The final version of the questionnaire is comprised of 59 dimensions. Included in the questionnaire are also two background questions, questions directed at the firm’s perception of their implementation of ERM, and a number of questions addressing ERM specific concepts. A copy of the survey is available on request. See Appendix A for the list of dimensions and summary statistics.

Sample

The questionnaire was aimed at firms listed on two major Nordic stock exchanges, either NASDAQ OMX or Oslo Börsen, and with headquarters in a Nordic country (Sweden, Norway, Finland, or Denmark). Iceland and associated territories are excluded due to their small number of companies. The number of firms contacted for the survey was 676: 173 in Denmark, 123 in Finland, 147 in Norway, and 233 in Sweden.

Nordic firms are targeted for this study in the hopes that individuals surveyed would have a positive response to the study as it is conducted by Lund University, a well-known university in the Nordic Region, leading to higher response rates.

The Nordic countries have a lot in common economically. They are small, open economies with significant foreign trade. Being small, open countries generally mean that they are particularly vulnerable to international economic fluctuations. The Nordic countries all industrialized relatively late but quickly, and they all currently perform well economically. The similarities between Nordic firms are likely to carry over to their risk management approaches as they are exposed to similar risks. Firms in Nordic countries are all also similar in their governance structure. There have been previous studies that have focused on risk management in Nordic firms, like the one done by Brunzell, Hansson, and Liljeblom (2011).

Survey delivery and response

The questionnaire was delivered with the help of Sinitor, specialists in data collection. The questionnaire was translated from English into Swedish, Finnish, Danish, and Norwegian and made into a web-based format. Firms were contacted directly by telephone, attempting to reach the CEO, CFO, or an individual knowledgeable about risk management. These individuals are targeted because of the important role they play in implementing ERM. ERM should be a top-down process, with the CEO and the senior executive team determining the parameters for the policies and the organizational structure for its effective implementation (Dickinson, 2001). The first attempt at getting a respondent was to contact the CEO. According to COSO (2004), the CEO has the ultimate ownership responsibility for ERM, sets the tone at the top that influences internal environment factors and other ERM components, and can influence the board of directors. This made the CEO the ideal candidate for the survey, as they not only should be able to answer questions specific to ERM but also should be knowledgeable about other areas of the firm as well, in the case where ERM is not being implemented. Because CEOs are in general difficult to reach, the next attempts to gain respondents were focused toward the CFO or a risk manager of some form, if such a position existed. CFOs tended to be more readily available than CEOs with 77% of respondents being CFOs. In addition, firms generally have a CFO while a specified risk manager does not always exist. Only 18 firms (12%) reported that they had a CRO (only 2 of these answered the survey).

The final response rate was 22.6% with 153 responses. Two respondent firms have since delisted and are therefore eliminated from the study, leaving a final sample of 151 firms. This response rate is higher than the response rate (10.35%) from a survey regarding ERM from Beasley et al. (2005a, 2005b), but closer in line with the response rate (27%) from the ERM survey used in Gates et al. (2009), which also surveys firms on component-level ERM implementation. Also slightly higher than the response rate (19.92%) from the survey of Nordic firm derivative use by Brunzell et al. (2011).

The distribution of respondent firms and the distribution of the original sampled firms are similar in respect to country representation, industry, and market capitalization; therefore, the respondent group is considered an adequate representation of the original sample and there is no expected non-response bias.

Exploratory Factor Analysis (EFA)

EFA is a method used to explore the underlying factor structure without a prior specification of a number of factors and their loadings (Kim & Mueller, 1978). To develop a proper grouping of ERM dimensions, EFA is used first to determine from the survey data a possible underlying factor structure.

The purpose of factor analysis is to reveal any latent variables that cause the dimensions to covary. Factor extraction discriminates between shared and unique variance (principal component does not). Factors are extracted so that shared variance is partitioned from its unique variance and error variance to reveal an underlying factor structure where only the shared variance shows in the solution (Costello & Osborne, 2005).

This study uses robust-weighted least squares estimation (WLSMV) with geomin oblique rotation. WLSMV estimation is the default estimator in MPlus when estimating EFA with ordered categorical variables. Given that the number of categories in each variable (four categories, response from 0 to 3) is less than recommended to be considered continuous and there are ceiling effects in the data, WLSMV is the recommended estimator. Ceiling effects are evident in the negative skew of numerous variables. Oblique rotation allows the final factors to correlate with each other. Varimax rotation, an orthogonal rotation method used more frequently, finds factors that are uncorrelated. As the factors in this study are all themselves a part of ERM, it is unrealistic to believe they would not be correlated to some degree. The geomin rotation is the default oblique rotation in the MPlus software. Given that the missing data are assumed to be missing completely at random,³ all available observations are used to estimate each correlation, present pairwise treatment of missing data.

Before running the EFA, the dimensions are screened for evidence of multi-collinearity. Correlation between dimensions increases with difficulty of question, with the general background dimensions showing less correlation than the specific risk management dimensions. This is expected given that the general dimensions cover a number of areas and the risk management questions are more closely related and narrow in topic. Correlations between dimensions are seldom more than 0.5 but many correlation coefficients are above .3. For dimensions with correlations more than .8, one of the correlated dimensions is removed to eliminate redundant dimensions. Eleven dimensions are removed. Correlated dimensions were eliminated with the intention to maintain as much information as possible for the EFA but to also retain the dimensions that would be perceived as the simplest to answer. All dimensions pertaining to the consideration of potential impacts of risk events on the firm’s ability to achieve its objectives were removed due to their correlation with the dimensions pertaining to the consideration of the likelihood that the risk events will affect the firm’s ability to achieve its objectives.

After elimination of variables based on correlations, 48 dimensions of ERM remain for analysis.

Sample suitability

A number of rules of thumb exist regarding necessary sample sizes for EFA. Comrey and Lee (1992) suggest that a sample size of 50 is very poor, 100 is poor, 200 is fair, 300 is good, 500 is very good, and 1,000 is excellent. Based on this guide, the sample used in this study falls between poor and fair. However, sample size rules of thumb fail to take into account many of the complex dynamics of factor analysis (Henson & Roberts, 2006). MacCallum, Widaman, Zhang, and Hong (1999) find that sample size adequacy depends on features of the obtained data; having high communalities—MacCallum et al. say greater than 0.60 but Costello and Osborne (2005) suggest 0.40 to 0.70 as more realistic communalities where communalities of less than 0.04 are either not related to the other items or that an additional factor should be explored—and having component saturation (four or more items defining a factor) requires smaller samples sizes for EFA. The sample is sufficiently large to provide a participant-to-factor ratio greater than 20:1, and a 3:1 participant-to-variable ratio, to yield a clear and stable factor structure. Communalities of the resulting factor structure are discussed in the “Results” section, but given that resulting communalities are relatively high and there are few cross-loadings, plus several variables are loading strongly on each factor, a smaller sample, like the one in this study, can be argued as adequate.

Confirmatory Factor Analysis (CFA)

To compare the EFA factor model fit with the fit of other possible a priori models, CFA is used to not only test the fit of possible models where the number of factors and their correspondence with the indicators are explicitly specified but also modify the EFA model for better fit given that suggested modifications can be interpreted and are theoretically reasonable. The EFA model is expected to have the best fit given that the factor structure is determined by the data, but considering a priori models is a way to investigate existing ideas about ERM as well as to compare and contrast with the EFA factor structure.

Table 2 shows the four a priori models tested using CFA and their corresponding factor structures. All 48 factors, remaining after the multi-collinearity analysis, are used in the tested models.

Table 2.

A Priori Models Tested With Confirmatory Factor Analysis.

	No. of factors	Factor structure
Model	No. of factors	Factor 1	Factor 2	Factor 3	Factor 4	Factor 5	Factor 6	Factor 7
General	3	Environment: d1-d12, d42-d46	Risk related: d20-d31, d34, d36-d38	Monitoring: d13-d19, d32-d33, d35, d39-41, d47-d48	—	—	—	—
COSO	7	Internal environment: d1-d10, d42-d46	Objective setting: d11-d12	Risk identification and assessment: d20-d31, d34	Risk response: d36-d38	Control activities: d13-d15, d18	Information and communication: d16-d17, d32, d35, d39	Monitoring: d19, d33, d40, d41, d47, d48
Risk related	2	General (not risk related): d1-d19	Risk specific: d20-d48	—	—	—	—	—
General/risk	5	General environment: d1-d12	Risk-related environment: d42-d46	Risk related: d20-d31, d34, d36-d38	General monitoring: d13-d19	Risk-related monitoring: d32-d33, d35, d39-41, d47-d48	—	—

Note. COSO = Committee of Sponsoring Organizations of the Treadway Commission.

The four models shown in Table 2 are intuitive models that are developed when considering existing ERM frameworks. The general CFA model is based on general groupings that appear to be consistent across a number of frameworks. These groupings are developed by comparing and finding communalities between leading ERM frameworks. On a general level, there seems to be a consistent division of components into three broad levels: (a) environment and firm context related components; (b) risk identification, assessment, and response components; and (c) some form of system evaluation. For the general model in Table 2, dimensions from the survey are divided into these three groups.

A grouping of dimensions into COSO’s eight components is also tested. The model would not converge unless risk identification and risk assessment dimensions were joined into one; therefore, the model structure has seven factors not eight. The final two models separate dimensions into risk- and non-risk-related items; the final model separates the general items from the first model into both risk- and non-risk-related components.

To estimate the CFA models, WLSMV is used. The analysis is based on the estimation of probit regressions for the factor indicators regressed on the factors (Muthén & Muthén, 1998-2010).

In addition, under CFA, the modification indices are used to strengthen the EFA model fit. The modification index estimates the amount by which the overall model chi-square statistic would decrease if a particular fixed-to-zero parameter was freely estimated (Kline, 2011). Any modification is guided by substantive considerations and included in the revised model only if it makes theoretical sense. In total, six modifications are made to the EFA model to result in the final factor structure.

Finally, CFA is used to test a second-order factor model where the factors from the EFA model, with all significant modifications, load onto a second-order ERM factor.

Expert Weighting of Determined Factor Structure

By including a second-order factor in a CFA model, an implicit weighting of the first-order factors can be derived from the resulting factor loadings.

Because of the exploratory nature of this article, the implicit weightings from the CFA are not sufficient given that they are both exploratory and data driven. In addition, these weights represent firm implementation of ERM and the weights given by implementation data and not the intended weights of such factors.

The importance of the resulting factors for efficient and effective ERM implementation is determined by having seven experts weight the importance of the ERM factors on having effective and well-implemented ERM. A similar expert weight approach is used in Ginnarakis, Galani, Georgia, and Litinas (2010) to create a corporate social responsibility (CSR) index, where eight experts are asked to rank indicators of CSR factors and then the rank reciprocal weighting approach is used to determine the weights of each indicator. In this study, experts are asked to give their opinion of how important the four factors are to having effective and well-implemented ERM. Instead of ranking the factors, they were requested to give a weight of importance to each component between 0 and 100, 0 being not important at all and 100 being the only item of importance. The four weights were required to sum to 100.

Experts include board members of COSO, members of the Swedish Risk Management Association (SWERMA), and individuals with extensive experience in ERM implementation consulting.

Results and Discussion

EFA and CFA

Factor retention

Determining the number of factors to retain is one of the most significant decisions when conducting EFA. It is important to balance parsimony and simplicity of models with plausibility (Fabrigar, Wegener, MacCallum, & Strahan, 1999). This article employs four different tests for factor retention: Kaiser Criterion, scree test, parallel analysis (PA), and goodness of fit statistics. In addition, the number of factors retained is considered based on their interpretability.

Based on the Kaiser criterion, 11 factors should be retained based on the general rule that factors with eigenvalues greater than 1 should be retained. The Kaiser criterion has been found to lead to substantial over factoring (Fabrigar et al., 1999). Fabrigar et al. (1999) state that they know of no study in which this rule works well for determining the number of factors to retain. In comparison, the scree plot suggests the retention of three to nine factors.

Hayton, Allen, and Scarpello (2004) argue that PA is one of the most accurate factor retention methods. PA is performed using 50 random samples with the same number of cases and variables. The appropriate number of factors to retain, using the stricter criteria of the 95th percentile, is four.

Goodness of fit statistics obtained for different factor models can be used to compare and decide on the proper number of factors to retain. Instead of analyzing the eigenvalues obtained, one can conceptualize the decision regarding the number of factors to retain as choosing the most appropriate model from a series of models with alternative factor numbers (Fabrigar et al., 1999). Relevant fit statistics are chi-square test of model fit, root mean square error of approximation (RMSEA), the Bentler Comparative Fit Index (CFI), and standardized root mean square residual (SRMR). Table 3 shows the goodness of fit statistics for different factor structures.

Table 3.

Goodness of Fit Statistics for Different Exploratory Factor Analysis Structure.

No. of factors	Chi-square value	Degrees of freedom	Chi-square p value	RMSEA estimate	RMSEA 90% CI	Probability of RMSEA ≤ .05	CFI	SRMR
1	2,041.170	1,080	0.0000	0.077	[0.072, 0.082]	0.000	0.831	0.124
2	1,691.179	1,033	0.0000	0.065	[0.059, 0.070]	0.000	0.884	0.103
3	1,453.631	987	0.0000	0.056	[0.500, 0.062]	0.057	0.918	0.086
4	1,309.300	942	0.0000	0.051	[0.044, 0.057]	0.414	0.935	0.077
5	1,180.378	898	0.0000	0.046	[0.038, 0.053]	0.844	0.950	0.068
6	1,079.583	855	0.0000	0.042	[0.033, 0.049]	0.966	0.961	0.061
7	996.178	813	0.0000	0.039	[0.030, 0.047]	0.992	0.968	0.055
8	921.836	772	0.0002	0.036	[0.026, 0.044]	0.998	0.974	0.050
9	843.956	732	0.0025	0.032	[0.020, 0.041]	1.000	0.980	0.046
10	787.577	693	0.0071	0.030	[0.017, 0.040]	1.000	0.983	0.043
11	734.497	655	0.0165	0.028	[0.013, 0.039]	1.000	0.986	0.040

Note. Italic numbers indicate values suggesting acceptable fit and bold numbers indicate values suggesting good fit. RMSEA = root mean square error of approximation; CI = confidence interval; CFI = Comparative Fit Index; SRMR = standardized root mean square residual.

None of the factor structures reported have p values greater than .05 for the chi-square test, indicating poor fit of all models. Chi-square values are ignored given that Chau and Hocevar (1995) found that the chi-square test statistic is strongly biased against models with a large number of measured variables. Given that this study uses 48 indicators, this is a possible explanation for the large chi-square values and the resulting rejection of the null hypothesis.⁴

A model with only one factor shows acceptable fit according to the estimate value of RMSEA, but the upper bound of the confidence interval shows only marginal fit. The probability of RMSEA being less than .05 leads to a rejection of the close-fit hypothesis. With three factors, the close-fit hypothesis is not rejected and the estimated value and confidence interval suggest acceptable fit. Using CFI, good fit is suggested when the model has six factors. Acceptable fit, greater than 0.90, is suggested with a three-factor model. Acceptable fit is suggested by the SRMR test with a three-factor model and good fit is suggested with the addition of a sixth factor.

It is important to remember that the factor retention decision is a substantive issue as well as a statistical one (Fabrigar et al., 1999). The factors retained should suggest a model that is interpretable and theoretically sensible. Therefore, as a final aspect of the factor retention decision, the suggested factor structures that seem acceptable under the above factor retention procedures (three-six factors) are considered based on their interpretability and theoretical sensibility.

For a three-factor model, which shows acceptable fit using the goodness of fit tests, the factor structure (based on factor loadings) is weak, with a few cross-loadings, dimensions that do not load sufficiently on any factor (loadings less than 0.32), and otherwise low factor loadings (slightly above 0.32). This model, though it shows acceptable fit and the scree plot potentially indicates three factors, is difficult to interpret in comparison with the four-factor model and problematic given the weak factor structure. Therefore, the three-factor model is not considered appropriate. Although the four-factor model is chosen as superior in this study, the three-factor model has a similar factor structure where the four-factor model’s first and second factors are combined into one. Therefore, should one argue for the three-factor model, the resulting analysis would be similar. See Appendix B for the geomin rotated loadings for the three- and five-factor models and Table 4 in “Resulting factor structure” for the four-factor model loadings.

Table 4.

Geomin Rotated Loadings of ERM Dimensions for the Four-Factor Exploratory Factor Analysis Model.

Factor
General internal environment and objective setting				Specific risk identification and risk assessment activities				Holistic organization of risk management				General control activities and information and communication
1	0.331	25	−0.063	1	0.197	25	−0.033	1	0.242	25	0.776	1	−0.125	25	0.232
2	0.328	26	−0.015	2	0.233	26	−0.060	2	0.198	26	0.776	2	−0.056	26	0.240
3	0.707	27	−0.056	3	−0.055	27	0.249	3	−0.096	27	0.431	3	−0.104	27	−0.230
4	0.940	28	0.097	4	0.006	28	0.305	4	−0.243	28	0.692	4	−0.032	28	−0.342
5	0.710	29	0.065	5	0.045	29	0.293	5	0.017	29	0.686	5	−0.036	29	−0.315
6	0.380	30	0.112	6	0.130	30	0.662	6	0.167	30	−0.009	6	0.103	30	−0.053
7	0.355	31	0.129	7	−0.011	31	0.716	7	0.161	31	0.025	7	0.034	31	−0.086
8	0.748	32	0.275	8	0.046	32	0.573	8	−0.053	32	0.069	8	−0.017	32	0.140
9	0.500	33	0.150	9	0.268	33	0.504	9	0.009	33	0.077	9	−0.063	33	0.215
10	0.731	34	−0.083	10	0.129	34	0.753	10	−0.043	34	0.092	10	−0.151	34	0.231
11	0.711	35	0.089	11	0.021	35	0.624	11	0.011	35	0.089	11	0.103	35	0.057
12	0.686	36	0.239	12	−0.019	36	0.582	12	0.094	36	0.136	12	0.139	36	0.115
13	0.579	37	0.019	13	0.011	37	0.600	13	0.150	37	0.315	13	0.296	37	0.168
14	0.226	38	−0.062	14	0.240	38	0.715	14	0.019	38	0.249	14	0.534	38	0.222
15	0.257	39	0.278	15	0.212	39	0.550	15	−0.073	39	0.091	15	0.534	39	−0.023
16	0.402	40	−0.131	16	0.152	40	0.618	16	0.094	40	0.093	16	0.425	40	0.177
17	0.400	41	0.205	17	−0.023	41	0.726	17	−0.044	41	−0.068	17	0.552	41	0.135
18	0.259	42	0.073	18	0.124	42	0.819	18	−0.117	42	−0.068	18	0.656	42	0.014
19	0.461	43	−0.111	19	0.149	43	0.830	19	0.054	43	−0.051	19	0.428	43	0.053
20	0.206	44	0.100	20	0.077	44	0.577	20	0.511	44	−0.066	20	−0.179	44	−0.111
21	0.630	45	−0.077	21	−0.208	45	0.817	21	0.409	45	−0.187	21	0.010	45	−0.088
22	0.619	46	−0.150	22	−0.285	46	0.880	22	0.424	46	−0.045	22	0.050	46	0.025
23	−0.010	47	0.108	23	0.222	47	0.752	23	0.604	47	−0.164	23	0.004	47	−0.095
24	−0.040	48	0.133	24	0.221	48	0.619	24	0.626	48	0.042	24	−0.029	48	0.010

Note. Bold numbers are loadings greater than 0.32. Factors are listed in original output order. Factor numbers designated for ease of interpretation and use for the rest of the study, in order of above, are 1, 4, 3, and 2.

The four-factor model shows a relatively clear and strong factor structure and yields interpretable factors. Only a few factors have cross-loadings (in which case the majority are reasonable and interpretable) and most dimensions show adequate loadings of 0.32 or higher, with most loadings being higher than 0.50. See “Resulting factor structure” for further detail on this factor structure. One third of the communalities for the four-factor model are greater than 0.60 and 65% are greater than 0.50. In addition, each factor has at least six defining items.

Five- and six-factor models become difficult to interpret and have problematic cross-loadings. The addition of the fifth factor creates a factor that is difficult to interpret given that the dimensions that load on the fifth factor are hard to relate to one another and additionally cross load with other factors. The problem of interpretability and cross-loading becomes further exacerbated with the addition of a sixth factor. See Appendix B for the geomin rotated loadings for the five-factor model.

Four factors are retained based on the above analysis.

Resulting factor structure

The geomin rotated loadings for the four-factor EFA model can be seen below in Table 4.⁵ Loadings in bold, greater than 0.32, show dimensions that are considered to load adequately on a factor. Dimensions that load at 0.32 or higher for two or more factors are considered to cross load. Tabachnick and Fidell (2001) suggest 0.32 as a good rule of thumb for minimum loadings. They argue that 0.32 equates to approximately 10% overlapping variance with the other items in the factor. Dimensions are allowed to cross load in the final interpretation of the model if it makes theoretical sense, otherwise the dimension is assumed to load only on the factor that makes the most theoretical sense.

Ignoring cross-loadings, the factor structure is interpreted. Dimensions that load solely onto the first factor are related to internal environment and object setting dimensions (as defined by the COSO ERM framework), excluding internal environment dimensions that address dimensions specific to risk management. Therefore, this factor is designated as a general internal environment and objective setting factor; general meaning not having to do specifically with risk management and risk-related dimensions but the more broad elements of the environment of the firm. The second factor is related to general control activities, monitoring, and information and communication that are not directly related to risk management and risk-related dimensions. The third factor is comprised of risk-related dimensions that pertain to the firm’s internal environment (e.g., a formal risk management philosophy and/or a centralized department or staff function dedicated to risk management), monitoring, information and communication, general risk assessment activities (not related to specific types of risks), and finally a firm’s risk response dimensions. These are dimensions fairly specific to ERM and its holistic nature. Finally, the fourth factor relates to the risk identification and risk assessment of specific risks (financial, compliance, technology, economical, and reputation). These dimensions are specific to risk management activities but less indicative of ERM as they deal with a variety of risks but not specifically on a holistic level (see Appendix A for expanded EFA factor structure including the description of dimensions included in each factor). The cross-loading dimensions are then considered to determine how to treat them in the final model; the cross-loadings must be logical and/or theoretically sound to be included in the final factor structure.

Dimensions 16, 17, 19, 21, and 22 all show cross-loading between two factors. Dimensions 16, 17, and 19 cross load between Factors 1 and 2, whereas 21 and 22 cross load between Factors 1 and 3. Dimension 16 and 19 are considered logical as cross-loading elements. Although they do address non-risk-related information and communication and monitoring dimensions of ERM, they also pertain to the general internal environment of the firm. Dimension 16 relates to the ethics of the firm given that if they have implemented this dimension, there are communication channels in place to deal with breaches of law, regulations, and/or other improprieties. Dimension 19 addresses the monitoring of the internal environment that makes it logical to cross load between Factors 1 and 2. Dimension 17 does not have the same logical interpretation for cross-loading as it pertains to communication with external stakeholders and therefore has nothing to do with the internal environment or objective setting of the firm. Therefore, Dimension 17 is not allowed to cross load in the final model and instead only loads on Factor 2 (its highest loading which is still greater than the required level of 0.32).

Dimensions 21 and 22 both address risk identification and risk assessment of strategic risk. It is therefore logical that it cross loads between the risk identification and risk assessment factor (Factor 4) as well as the objective setting factor (Factor 1).

The factor structure developed using EFA is modified using modification indices given in a CFA analysis to obtain a model with better fit but maintaining interpretability from a theoretical sense. In addition, a number of other possible a priori models are tested for goodness of fit.

Results of the CFA

Table 5 presents the resulting fit statistics from the 12 factor structures that are tested using CFA—four a priori models (see Table 2), the fit statistics from the exact EFA model, six modifications of the EFA model, and the second-order factor model.

Table 5.

Confirmatory Factor Analysis Goodness of Fit Statistics.

Model	No. of factors	Chi-square value	Degrees of freedom	RMSEA estimate	RMSEA 90% CI	Probability of RMSEA ≤ .05	CFI	TLI
General	3	1,926.712	1,077	0.072	[0.067, 0.077]	0.000	0.851	0.844
COSO	7	1,809.125	1,059	0.068	[0.063, 0.074]	0.000	0.868	0.860
Risk related	2	1,825.556	1,079	0.068	[0.062, 0.073]	0.000	0.869	0.863
General/risk	5	1,693.916	1,070	0.062	[0.057, 0.068]	0.000	0.890	0.884
Exact EFA	4	1,309.300	942	0.051	[0.044, 0.057]	0.414	0.935	0.923
EFA	4	1,419.128	1,070	0.046	[0.040, 0.053]	0.814	0.939	0.935
EFA₁	4	1,408.974	1,069	0.046	[0.039, 0.052]	0.851	0.940	0.937
EFA₂	4	1,339.414	1,067	0.041	[0.034, 0.048]	0.985	0.952	0.949
EFA₃	4	1,336.296	1,065	0.041	[0.034, 0.048]	0.986	0.952	0.949
EFA₄	4	1,314.968	1,064	0.040	[0.032, 0.046]	0.994	0.956	0.953
EFA₅	4	1,290.399	1,063	0.038	[0.030, 0.045]	0.998	0.960	0.958
ERM by EFA₅	4	1,290.217	1,065	0.037	[0.029, 0.045]	0.999	0.960	0.958

Note. Italic numbers indicate values suggesting acceptable fit and bold numbers indicate values suggesting good fit. ERM by EFA₅ is a four-factor model with a second-order factor. RMSEA = root mean square error of approximation; CI = confidence interval; CFI = Comparative Fit Index; TLI = Tucker–Lewis Index; COSO = Committee of Sponsoring Organizations of the Treadway Commission; EFA = exploratory factor analysis; ERM = enterprise risk management.

All the models tested show acceptable fit when taking into consideration the presented fit statistics excluding the chi-square fit test. As mentioned previously, chi-square values are strongly biased against models with a large number of measured variables (Chau & Hocevar, 1995). Given that this study uses 48 indicators for all models, this is a possible explanation for the large chi-square values and the resulting rejection of the null hypothesis. Good fit of the model is not suggested for any of the a priori models, but is for the Exact EFA model using the RMSEA fit statistic.

The a priori models tested in the CFA section are intuitive factor structures developed based on the study of ERM frameworks. These models fit the data acceptably. The final structure suggested by the EFA can to some extent be seen as a combination of the a priori models tested with CFA. The EFA model incorporates a separation of risk/and non-risk dimensions (Risk-Related model, see Table 2 for structure in detail), broader groupings (General model), both of the former which are related to the General/Risk model where dimensions are grouped both by risk- and non-risk-related dimensions and the general grouping, and finally some incorporation of the COSO framework structure (COSO model).

Using modification indices, significant improvements to the fit of the model can be made by including modifications that are theoretically sound. All modifications made to the EFA model involve allowing the error terms of certain dimensions to covary. This means that something other than the underlying factor is jointly determining the respective dimensions’ implementation. All modifications involved a significant change in chi-square values using chi-square difference testing adjusted for the WLSMV estimation method.

The final modified model that retains seven modifications is then used in a second-order factor structure with the four factors as indicators for ERM (see Figure 1 in the following section). This model shows good fit excluding the chi-square fit test statistic and each factor loads significantly on the latent ERM second-order factor variable. This model, ERM by EFA5 (see Table 5), is the final chosen factor structure. Each of the four factors loads significantly onto the ERM factor at the 1% level.

Figure 1.

Pillars of enterprise risk management.

The final first-order factor structure can be found in Appendix A, expanded to show the dimensions that load on the four factors.

Interpretation and discussion of resulting factor structure

The resulting factor structure identifies the four underlying factors, or pillars, of ERM implementation. See Figure 1 for the pillars of ERM resulting from the analysis.

Two of the components, related to the general internal environment and control activities of the firm, can be viewed as “prerequisites” of ERM implementation. These components are necessary to have well-functioning and well-implemented ERM but are neither connected directly to risk management activities nor specific to ERM. Therefore, firms with no effort toward holistic risk management, or risk management at all for that matter, can have implemented these two prerequisite factors robustly.

The fourth component identifies efforts of the firm to manage certain types of risk: financial, compliance, technology, economical, and reputation. This component is an indicator of risk management implementation, but it says nothing about the organization of the management system. Therefore, firms that have robustly or well-implemented risk-specific identification and assessment may be implementing ERM but they may also be implementing more traditional forms of risk management, like a less holistic silo-approach where risks are managed separately.

The third component is truly the ERM identifier. The dimensions that make up this component are the typical characteristics of ERM addressing the organizational and holistic nature of risk management as ERM prescribes: formal written statement of risk appetite, correlating and determining portfolio effects of combined risks, having a senior manager assigned the responsibility of overseeing risk and risk management, and a formal risk management report submitted to board level regularly.

Firms separate dimensions related to risk from non-risk-specific dimensions. This separation is logical given that firms may implement the non-risk-related items, for example, a code of conduct, but may not be implementing any of the dimensions specific to ERM, for example a formal statement of risk appetite. In addition, many of the non-risk-related items have been the focus of other corporate management tools, like internal and management control, which were stressed for their importance prior to the introduction of ERM. COSO, for example, had an internal control framework, preceding the ERM framework, which was published in 1992.

Therefore, such related dimensions may be implemented to a different degree as well as grouped by the firm based on their relation to other management functions and not ERM. Using COSO’s definition of effectiveness of ERM, all components being present and functioning properly are important to proper ERM implementation, but not all factors are ERM specific or even risk management specific.

The idea that firms implement ERM by dividing between risk- and non-risk-related dimensions is important for development of ERM frameworks guiding implementation. Conceptualizing dimensions or components by separating risk-related dimensions/components from those that are not directly related to risk could be a way to improve frameworks and adapt them to how firms seem to be conceptualizing and implementing different dimensions. Existing frameworks each have different components in varying number and definition; the frameworks have between seven and eight components each, twice as many as the factors identified in this study. A more consolidated framework with broader component definitions may be necessary to better match guidance with how firms implement ERM. If the creators of the frameworks and the “experts” feel that the specificity and separation of ERM components is essential to effective implementation, then the findings of this study suggest that more precise definitions and distinctions between components may be necessary as firms currently do not implement ERM based on existing component definitions and instead implement on broader terms.

These four factors have important implications for research in ERM. Many researchers using public information searches use simple proxies to identify ERM implementation, like the existence of a CRO position or similarly a senior risk officer.

To provide a comparison between the factor structure of ERM found in this article and existing measures of ERM, factor scores for the third ERM identifying factor as well as the second-order ERM factor are calculated (Mplus uses the regression method, also known as the modal posterior estimator, for categorical outcomes with WLSMV), firms are ranked (1 for the highest score and 151 for the lowest) based on their factor scores and then separated into 10 groups. These ranked groups are then matched to three proxies similar to those used in existing literature: (a) the number of firms with a CRO in each group, (b) the average level of implementation of a senior risk officer designated with the responsibility to oversee risk and risk management, and (c) the number of firms with a robustly implemented (Level 3) senior manager. Table 6 shows the 10 ranking groups either by Factor 3 (ERM identifier) factor score or by second-order ERM factor score (designated in the first row); for each group, the number of firms with a CRO is presented.

Table 6.

ERM Factor Score Comparison With CRO and Senior Risk Management Implementation.

	Factor 3—ERM identifier	Second-order ERM	Factor 3—ERM identifier	Second-order ERM	Factor 3—ERM identifier	Second-order ERM
Firm rank by	Number of firms with a CRO		Average level of implementation of a senior manager designated with the responsibility to oversee risk and risk management		Number of firms with a robustly implemented (3) senior manager designated with the responsibility to oversee risk and risk management
1-16	7	6	2.75	2.25	14	12
17-31	2	2	2.20	2.07	9	9
32-46	2	2	1.87	2.13	6	8
47-61	2	3	2.00	1.73	7	4
62-76	0	1	1.93	1.60	6	3
Total top scores	13	14	2.16	1.96	42	36
	17.57%	18.92%			55.26%	47.37%
77-91	3	1	1.60	1.90	2	4
92-106	1	3	1.47	1.80	2	5
107-121	1	0	0.80	1.21	1	1
122-136	0	0	0.93	0.73	2	2
137-151	0	0	0.40	0.67	0	1
Total bottom scores	5	4	1.04	1.24	7	13
	6.67%	5.33%			9.46%	17.57%
Total	18		1.61		49
	12.08%				32.67%

Note. Percentages are based on valid N for the top and bottom firms. For CRO, two missing values occur in the top ranked firms for both types of ranking; therefore, valid N for CRO percentages is 74 for top firms and 75 for bottom firms. For implementation of a senior risk manager, one missing value occurs in the bottom ranked firms for both types of ranking; therefore, valid N for senior risk manager percentages is 76 for top firms and 74 for bottom firms. Averages also take into account missing values. ERM = enterprise risk management; CRO = chief risk officer.

As can be seen in Table 6, firms with greater factor scores show a higher number of CRO positions (with a few discrepancies but an overall pattern). This does suggest that firms with more advanced ERM are in fact more likely to have a CRO. The same pattern can be seen for the average level of implementation and the number of firms with a robustly implemented senior manager designated with the responsibility to oversee risk and risk management.⁶

However, this does not suggest that using a CRO is a sufficient indicator on its own. Using a CRO as a proxy for ERM will result in a large loss of observations (18 of 149 firms or 49 of 150 using a robustly implemented senior manager as a proxy), and making the assumption that the 76 firms with the highest ERM identifier factor scores are “true” ERM implementers, a misclassification of approximately 28% of firms (5 of 18) using the CRO proxy and 15% of firms (7 of 49) using a robust senior manager as a proxy. This misspecification becomes worse with more strict boundaries defining “true” ERM implementers.

By including more dimensions in a measure of ERM and allowing for different levels of ERM in the measure (Factor 3 factor scores range from −1.91 to 1.94 with a mean of 0 and second-order ERM factors scores range from −1.12 to 1.22 with a mean of 0), more of ERM’s complexity is accounted for. As having a CRO position or a senior risk manager is one of many dimensions contributing to the factor scores for the third factor and overall ERM, it alone does not provide robust information regarding a firm’s ERM implementation.

Previous research also employs survey methodology to create better informed indicators of ERM asking firms directly about their level of ERM implementation. These measures then rely heavily on a firm’s own definition of ERM and the perception of ERM implementation in the firm. Table 7 shows the top and bottom ranking groups either by Factor 3 (ERM identifier) factor score or by second-order ERM factor score (designated in the first row); for each group, firms’ responses to what degree ERM is implemented in the firm based on COSO’s definition are presented. Making the assumption that the 75 firms with the lowest ERM identifier factor scores are not “true” ERM implementers, approximately 70% of firm’s perceive themselves as being ERM implementers though their factor scores do not suggest ERM implementation, and between 17% and 23% perceive themselves as having robustly implemented ERM. This suggests that a direct survey methodology is unreliable.

Table 7.

ERM Factor Score Comparison With Direct ERM Implementation Response.

	Factor 3—ERM identifier	Second-order ERM	Factor 3—ERM identifier	Second-order ERM	Factor 3—ERM identifier	Second-order ERM
Firm rank by	Number of firms with robustly implemented (3) ERM based on the COSO definition		Number of firms with implemented ERM but improvements needed (2) and robustly implemented (3) ERM based on the COSO definition and with implemented ERM but according to other definition		Number of firms with no implementation at all (0) of ERM
Top scores (1-76)	27	31	57	56	7	7
	37.50%	42.47%	79.17%	76.71%	9.72%	9.59%
Bottom scores (77-151)	16	12	48	49	6	6
	22.54%	17.14%	67.61%	70.00%	8.45%	8.57%
Total (n = 143)	43		105		13
	30.07%		73.43%		9.09%

Note. Percentages are based on valid N for each group. ERM = enterprise risk management; COSO = Committee of Sponsoring Organizations of the Treadway Commission.

What can be seen in current research are flawed and inconsistent methods of indentifying and measuring ERM implementation, which have resulted in inconclusive empirical results regarding the true value creating ability of ERM as well as its determinants. The four pillars of ERM developed in this study can be used to create a consistent definition of ERM based on how firms are actually implementing ERM dimensions and a consistent way of measuring ERM.

For identifying firms, some or all of the dimensions in Factor 3 should be incorporated. Using a CRO hire or senior risk manager is shown to be insufficient given the large number of observations lost and the misclassification of firms which reflects that CROs may be hired for signaling purposes and that CROs are not always hired when implementing ERM. Therefore, incorporating multiple dimensions for identification can be a way to more robustly identify ERM firms. In addition, if intending to measure ERM implementation, stage, degree, or levels, all four factors should be represented in the measure. Factor 3 is not sufficient in that case because all of the four factors should be implemented robustly. Because the prerequisite factors and the risk management factor also load significantly on the second-order ERM factor, they are important to the assessment of quality or level of ERM implementation.

The four components of ERM implementation based on how firms implement dimensions of ERM can help create a more consistent way of defining what ERM is and how ERM is implemented. This consistency is crucial to having better studies on the value creating ability of ERM, comparing “apples to apples,” and advancing guidance in ERM implementation so it is less theoretical and more easily understood by firms.

Importance of Determined Factors

Table 8 shows the implicit weights from the second-order CFA model, which are the normalized standardized factor loadings (see Figure 1, weights correspond to the loadings of the four factors on the second-order ERM factor), and the expert weights from seven respondents regarding the importance of the factors for efficient and effective ERM implementation.

Table 8.

Resulting Weighting Schemes—Implicit and Expert.

			Expert
ERM implementation factors		Implicit (%)	1 (%)	2 (%)	3 (%)	4 (%)	5 (%)	6 (%)	Average (%)	7 (%)
1	General internal environment and objective setting	25.66	50	25	30	20	15	15	27.14	35
2	General control activities and information and communication	23.35	35	20	25	15	10	15	18.57	10
3	Holistic organization of risk management	22.39	10	40	25	25	50	20	27.14	20
4	Specific risk identification and risk assessment activities	28.60	5	15	20	40	25	50	27.14	35

Note. ERM = enterprise risk management.

The implicit weights from the normalized factor loadings are similar with no factor standing out as having a much higher weight. Factor 4, the risk identification and assessment of specific events, has the most weight for ERM implementation—based on the data collected. The least weighted factor for ERM implementation is Factor 3, which was argued earlier to be the most characteristic factor of ERM.

Kendall’s coefficient of concordance suggests that there is no agreement on the weights between experts (p = .254). The average weights suggest that Factors 1, 2, and 4 have equal weight on the effectiveness and quality of ERM implementation. Factor 2, general aspects of control and information and communication that are not risk specific, receive the lowest weight on average. Components 1, 3, and 4 are all weighted as the most important by more than one expert. Rankings suggest a large amount of discrepancy. Factor 4 has the greatest dispersion, followed by Factor 1. Factor 3, however, is the most consistently ranked across experts.

Interpretation and discussion of expert weighting

Two conclusions can be taken from analyzing the result of the expert weighting survey: the four factors are in fact discrete factors that have importance for ERM implementation from one perspective or another and a lack of consensus of what ERM is and what is important to ERM implementation exists not only on framework level but also on the individual level, even for those considered experts.

Motivated by adopting COSO’s definition of effective ERM for the four factors in this study, all four factors were argued to be important to ERM implementation; because each factor receives relatively high weights from at least one expert (Factor 2 is given a 35% weight by Expert 1), this definition of effective ERM is supported. The lack of agreement of which has the highest importance would suggest that the four factors are in fact distinct from one another and all hold value in the implementation of ERM.

The lack of agreement also highlights the lack of consistency in defining what ERM is. Seven experts do not agree on which factor holds the most weight in effective and well-implemented ERM; this suggests that there are many different opinions and approaches to implementing ERM. While this is not necessarily surprising given the holistic and ambiguous nature of ERM, it highlights a problem and source of uncertainty regarding ERM implementation. Although ERM is not likely to ever become a fully prescriptive, crystal clear tool because of its culturally laden holistic nature, the inconsistencies in the expert weights suggest that a more concise and consistent way of conceptualizing ERM may be needed to aid firms in implementing ERM.

Conclusion

Based on the identified pillars, it would be advisable for frameworks to adapt to better fit how firms implement ERM, namely by altering components to reflect a separation of risk- and non-risk-related dimensions and by conceptualizing components on a broader level. By adapting frameworks to how ERM is actually implemented in firms, dissatisfaction and uncertainty about ERM implementation could be mitigated by creating guidance that can be better identified with by the user. Evidence from the expert weighting process suggests that there is little agreement on the actual importance of the factors of ERM; this suggests the need of a more consistent definition of ERM and a more consistent set of implementation recommendations. The four pillars of ERM developed in this study can be used to create a consistent definition of ERM based on how firms are actually implementing ERM dimensions. Future research should test the factor structure found in this study for other samples to confirm their relevance outside of the Nordic region, although it is not suspected that these pillars are country specific. Further analysis of the four components should focus on which, if any, of the factors are value creating; this would shed more light on which components are the most important for achieving the ultimate goal of value creation.

Many of the dimensions used in this study require direct contact with the firm to assess the level of implementation; therefore, studies using publicly available information will not be effective in identifying true ERM implementation and/or measuring levels of implementation. A suggestion for future research is to investigate if and which dimensions can in fact be found in publicly available information or proxied with publicly available information without altering the measurement of the components and ERM. The results also stress the methodological flaw of proxying ERM with single and/or oversimplified indicators. Based on the findings that the factors are in fact four distinct factors, representing only one factor by using the existence of a CRO as an indication of ERM implementation is an incomplete measure; it results in the reduction in number of available observations as well as misclassification of firms. Multiple dimensions should be incorporated for robust identification purposes. When measuring ERM implementation levels, all four factors should be represented in the measure because they all have a significant relationship to the overall level of ERM. Until more work can be done to reduce the number of necessary dimensions for identification or measurement or create more easily available proxies for the dimensions, it is suggested that the same survey methodology and resulting factor scores are used to identify and measure ERM implementation.

The four pillars of ERM implementation define what ERM is based on how firms implement ERM dimensions. What is ERM: all four components present and functioning properly at one time. With a consistent definition of what ERM is that reflects how firms understand implementation, better guidance can be developed to aid firms in the implementation process and better and more informative empirical studies on value creating abilities of ERM can be done.

Footnotes

Appendix a

Appendix B

Declaration of Conflicting Interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: Funding of the data gathering with thanks to the NASDAQOMX Nordic Foundation.

Notes

References

Beasley

M. S.

Branson

Hancock

(2010). COSO’s 2010 report on enterprise risk management: Current state of enterprise risk oversight and market perceptions of COSO’s ERM framework. New York, NY: Committee of Sponsoring Organizations of the Treadway Commission. Retrieved from http://www.coso.org/documents/COSOSurveyReportFULL-Web-R6FINALforWEBPOSTING111710.pdf

Beasley

M. S.

Clune

Hermanson

D. R.

(2005a). Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy, 24, 521-531.

Beasley

M. S.

Clune

Hermanson

D. R.

(2005b). ERM: A status report. Internal Auditor, 62(1), 67-72.

Beasley

M. S.

Pagach

D. P.

Warr

R. S.

(2008). Information conveyed in hiring announcements of senior executives overseeing enterprise-wide risk management processes. Journal of Accounting, Auditing & Finance, 23, 311-332.

Blakely

K. M.

(2009). Set your risk appetite and stick to it (From Your RMA Leadership). The RMA Journal, 91, 1-2.

Brunzell

Hansson

Liljeblom

(2011). The use of derivatives in Nordic firms. The European Journal of Finance, 17, 355-376.

Chau

Hocevar

(1995, April). The effects of number of measured variables on goodness-of-fit in confirmatory factors analysis. Paper presented at the annual Conference of the American Educational Research Association, San Francisco, CA.

Committee of Sponsoring Organizations of the Treadway Commission. (2004). Enterprise risk management—Integrated framework: Executive summary. New York, NY: Author.

Comrey

A. L.

Lee

H. B.

(1992). A first course in factor analysis (2nd ed.). Hillsdale, NJ: Lawrence Erlbaum.

10.

Costello

A. B.

Osborne

J. W.

(2005). Best practices in exploratory factor analysis: Four recommendations for getting the most from your analysis. Practical Assessment, Research & Evaluation, 10, 1-9.

11.

Desender

K. A.

(2007). On the Determinants of Enterprise Risk Management Implementation. Enterprise IT governance, business value and performance measurement, Shi

Nan Si

Silvius

Gilbert

, eds., IGI Global, 2011. Available at SSRN: http://ssrn.com/abstract=1025982

12.

Dickinson

(2001). Enterprise risk management: Its origins and conceptual foundation. The Geneva Papers on Risk and Insurance, 26, 360-366.

13.

Drew

S. A.

Kendrick

(2005). Risk management: The five pillars of corporate governance. Journal of General Management, 31, 19-36.

14.

Fabrigar

L. R.

Wegener

D. T.

MacCallum

R. C.

Strahan

(1999). Evaluating the use of exploratory factor analysis in psychological research. Psychological Methods, 4, 272-299.

15.

Fraser

J. R.

Simkins

B. J.

(2007). Ten common misconceptions about enterprise risk management. Journal of Applied Corporate Finance, 19, 75-81.

16.

Gates

Nicolas

J. L.

Walker

P. L.

(2009, October). Perceived value of enterprise risk management: A better methodology to manage uncertainty and risk?Paper presented at the 29th SMS Annual International Conference, Washington, DC.

17.

Ginnarakis

Galani

Georgia

Litinas

(2010). The weight of corporate social responsibility indicators in measurement procedure. World Academy of Science, Engineering and Technology, 66, 409-417.

18.

Gordon

L. A.

Loeb

M. P.

Tseng

(2009). Enterprise risk management and firm performance: A contingency perspective. Journal of Accounting and Public Policy, 28, 301-327.

19.

Hayton

J. C.

Allen

D. G.

Scarpello

(2004). Factor retention decisions in exploratory factor analysis: A tutorial on parallel analysis. Organizational Research Methods, 7, 191-205.

20.

Henson

R. K.

Roberts

J. K.

(2006). Use of exploratory factor analysis in published research: Common errors and some comment on improved practice. Educational and Psychological Measurement, 66, 393-416.

21.

Hoyt

R. E.

Liebenberg

A. P.

(2011). The value of enterprise risk management. Journal of Risk and Insurance, 78, 795-822.

22.

Kim

J. O.

Mueller

C. W.

(1978). Factor analysis: Statistical methods and practical issues. Newbury Park, CA: SAGE.

23.

Kirkpatrick

(2008). The corporate governance lessons from the financial crisis. OECD Journal: Financial Market Trends, 1, 61-87.

24.

Kline

R. B.

(2011). Principles and practice of structural equation modeling (3rd ed.). New York, NY: Guilford Press.

25.

Knechel

W. R.

(2002). The role of the independent accountant in effective risk management. Journal of Economics and Management, 47, 65-86.

26.

Liebenberg

A. P.

Hoyt

R. E.

(2003). The determinants of enterprise risk management: Evidence from the appointment of chief risk officers. Risk Management and Insurance Review, 6, 37-52.

27.

MacCallum

R. C.

Widaman

K. F.

Zhang

Hong

(1999). Sample size in factor analysis. Psychological Methods, 4, 84-99.

28.

McShane

M. K.

Nair

Rustambekov

(2011). Does enterprise risk management increase firm value?Journal of Accounting, Auditing & Finance, 26, 641-658.

29.

Moeller

R. R.

(2007). COSO enterprise risk management: Understanding the new integrated ERM framework. Hoboken, NJ: John Wiley.

30.

Muthén

L. K.

Muthén

B. O.

(1998-2010). Mplus user’s guide (6th ed.). Los Angeles, CA: Author.

31.

Pagach

D. P.

Warr

R. S.

(2010). The effects of enterprise risk management on firm performance (Working Paper). North Carolina State University. Retrieved from http://ssrn.com/abstract=1155218

32.

Pagach

D. P.

Warr

R. S.

(2011). The characteristics of firms that hire chief risk officers. Journal of Risk and Insurance, 78, 185-211.

33.

Pang

Shi

(2009). Integration of internal control and risk management. In International Conference on Business Intelligence and Financial Engineering (pp. 369-372).

34.

Recent trends in ERM and literature review. (2007). Management Accounting Quarterly, 8, 18-22.

35.

The Society of Actuaries. (n.d.). Enterprise risk management (ERM) fact sheet. Author. Retrieved from www.soa.org/files/pdf/news-erm-fact-sheet.pdf

36.

Standard & Poor’s. (2008). Standard & Poor’s to apply enterprise risk analysis to corporate ratings. Retrieved from http://www2.standardandpoors.com/spf/pdf/events/CRTconERM5908.pdf

37.

Stulz

R. M.

(2008). Risk management failures: What are they and when do they happen?Journal of Applied Corporate Finance, 20, 39-48.

38.

Tabachnick

B. G.

Fidell

L. S.

(2001). Using multivariate statistics (4th ed.). Boston, MA: Allyn & Bacon.