Enterprise Risk Management Maturity: A Clinical Study of a U.S. Multinational Nonprofit Firm

Abstract

This study, which is based on actual events, presents a dynamic analysis of the development, implementation, and post-implementation review of establishing an enterprise risk management (ERM) system for a U.S. multinational nonprofit firm over a 5-year period, 2015–2020. Using the Risk and Insurance Management Society Risk Maturity Model (RIMS RMM), questionnaire-based risk data and multi-dimensional risk mapping indices are used to identify and prioritize the firm’s key strategic risks leading to the development of mitigation strategies whose performance are reviewed post ERM implementation, including during the 2020 Coronavirus pandemic. The results reveal that the firm’s risk management system has been ad hoc and uncoordinated. Post-implementation review of the ERM program shows improvements in financial and operating positions resulting from risk diversification, enhanced profitability, exploitation of natural hedges, and improved board governance. The results further show that the recommended mitigation strategies have been effective in managing the adverse impact of the pandemic. Overall, the evidence offered in this study provides further support on the valuation benefits of ERM maturity within a real-world environment.

Keywords

enterprise risk management (ERM)Risk Maturity Model questionnaire data reliability tests risk metrics mitigation pandemic

Global Educational Systems (GES): Company Background

The case for GES is based on actual events. Efforts have been made to maintain confidentiality. Founded in 1990, GES is a U.S. multinational nonprofit firm with a mission to develop and deliver customized educational and training programs for the public and private sectors in over 60 countries around the world. GES is headquartered in the United States and holds offices in several countries in Central Asia, Europe, the Middle East, and North Africa. The firm’s vision is strongly rooted in the belief that availability and access to customized educational and training programs at a global level expands trades between nations, enhances economic growth, harmonizes diverse societies, ultimately harnessing a socially and economically stable world. GES has been successful in achieving this mission by consistently increasing its revenue sources and expanding its presence in the global environment. The annual revenues for GES reached US$500 million in 2015, primarily garnered from government and nongovernment grants, tuition, program administration fees, fund-raising, and investment income.

During the period, 2015–2017, GES encountered a number of major strategic risks that adversely affected its profitability and the functioning of its global operations. In late 2016 and early 2017, a number of countries, including the United States, sharply reduced funding allocated to government grants for international educational purposes. As shown in the firm’s Consolidated Statement of Revenues and Expenses for the period 2015 through 2017 (Table 1), government grants have regularly presented a significant share (approximately 60%) of annual revenues at GES. Specifically, total government grants, revenues from tuition, and administrative fees declined by approximately 12% during the 2015–2017 period. The budgetary contraction was followed by stringent regulatory changes in the United States, Central Asia, the Middle East, and North Africa, key operational regions for the firm. Continued visa restrictions threatened the student exchange programs. The data and technology platforms at GES were also breached potentially releasing sensitive information on students, funding sources, and other propriety information. In tandem, GES began to face stronger competition both in the United States and in other countries worldwide. Consequently, GES was forced to sharply reduce its programmatic and student exchange activities by 8.31% and 10.31%, respectively, during the 2015–2017 period. Overall, in spite of cost cutting programs implemented, the net surplus at GES declined by approximately 25.29% during the 2015–2017 period.

Table 1.

GES Consolidated Statement of Revenues and Expenses: 2015–2017.

	2017	Contribution %	2016	Contribution %	2015	Contribution %	2015–2017 change (%)
Revenues
Government grant	275.06	62.33	295.45	62.53	313.20	62.64	−12.18
Nongovernment grant	22.07	5.00	23.63	5.00	25.00	5.00	−11.74
Tuition	92.19	20.89	98.71	20.89	104.45	20.89	−11.74
Administrative fees	41.92	9.50	44.89	9.50	47.50	9.50	−11.74
Fund-raising	1.87	0.42	2.25	0.48	2.75	0.55	−32.00
Investment income	3.25	0.74	2.29	0.48	1.50	0.30	116.67
Other income	4.94	1.12	5.29	1.12	5.60	1.12	−11.74
Total revenues	441.30		472.50		500.00		−11.74
Expenses
Student exchanges	143.01	33.37	147.26	32.15	156.88	32.48	−8.84
Program expenses	153.19	35.74	169.84	37.08	170.80	35.36	−10.31
Salary and pension	88.62	20.68	92.27	20.14	98.20	20.33	−9.76
Depreciation and amortization	2.27	0.53	2.27	0.50	2.38	0.49	−5.00
Repair and maintenance	1.22	0.28	1.31	0.29	1.43	0.30	−15.00
Transportation	33.18	7.74	37.28	8.14	43.35	8.98	−23.47
Taxes	1.19	0.28	1.30	0.28	1.20	0.25	−0.83
Miscellaneous expenses	5.94	1.39	6.53	1.42	8.75	1.81	−32.14
Total expenses	428.60		458.05		483.00		−11.26
Net surplus (deficit)	12.70		14.45		17.00		−25.29

Note. GES = Global Educational Systems.

Facing increasing financial and operational challenges and recognizing the ad hoc nature of the firm’s existing processes and methodologies to manage its overall risk, in late 2016 and early 2017, the board of directors at GES decided to establish a more formal risk management system aimed at identifying, assessing, prioritizing, and mitigating the firm’s exposure to all of its strategic risks and opportunities. Subsequently, GES hired a leading risk management consulting firm charged both with assessing the firm’s existing risk management’s profile and developing and monitoring a systematic plan for establishing a fully integrated enterprise risk management (ERM) system across the multinational corporate structure at GES.

Despite its focus on a nonprofit firm, the ERM methodology used at GES is equally applicable both to for-profit (privately held or publicly traded) firms. Previous studies (Aabo et al., 2005; Harrington et al., 2002) provide examples of applying similarly designed ERM methodologies to privately held and publicly traded firms.¹ We apply exploratory factor analysis (EFA) and Cronbach’s alpha (α) test (Fabrigar et al., 1999) to validate the internal consistency and relevance of the risk data obtained from a focused questionnaire constructed using the Risk and Insurance Management Society Risk Maturity Model (RIMS RMM). We also apply multidimensional risk mapping indices to identify and prioritize the key risk exposures at GES. Finally, our study offers detailed mitigation strategies and reviews their performances post ERM implementation, including during the 2020 coronavirus pandemic.

The results show that the risk management system at GES was ad hoc and uncoordinated. Overall, significant barriers in risk communication and reporting existed within the organization. The organizational structure at GES was rigid represented by a relatively low level of risk appetite. Project selection approaches used were not risk-adjusted nor were the strategies and tactics identified in the existing strategic plan prioritized based on their inherent or residual risk–return profile. There were also limitations and gaps in the governance of risk management. The ERM program enabled GES to identify, prioritize, and manage its top strategic risks improving its financial position and advancing its international growth opportunities. GES launched a new and more focused strategic plan, created a stand-alone risk committee of the board, hired a Chief Information Officer (CIO) charged with changing the firm’s existing communication and technology architecture, implemented a risk-adjusted valuation approach for new projects and programs, and set up a currency risk minimization system to manage the foreign exchange (FX) risk of its foreign revenues. As the analysis overlaps with the emergence of the novel coronavirus in 2020, the post-ERM implementation results further document that GES benefited from its ERM program in managing the financial and operational consequences of the pandemic. Overall, the integrated nature of the risk management strategies implemented filtered through the risk portfolio at GES effectively providing natural hedges emphasizing the benefits of risk aggregation approaches by hedging residual risk, rather than the inherent risks (Hoyt & Liebenberg, 2011; McShane et al., 2011). These results offer further support for the recent literature on the valuation benefits of ERM maturity within a real-world environment (Farrell & Gallagher, 2014; Hoyt & Liebenberg, 2011).

In the remainder of the article, the “ERM Literature Review” section provides a review of the literature on the valuation implication of ERM. Sample selection is discussed in the “Sample and Data” section. The questionnaire and the proposed statistical methodologies to analyze the internal consistency of the risk data are explained in “The Questionnaire and Methodology” section. Risk assessment, identification, and prioritization of key risk areas at GES are explained in the “Risk Assessment” section. The risk profile at GES and the mitigation strategies adopted together with a review of the effectiveness of the overall system, particularly during the coronavirus pandemic, are presented in the “Risk Profile and Mitigation Strategies at GES” section. Concluding remarks are offered in the “Conclusion” section.

ERM Literature Review

The topic of corporate risk management has been widely debated and examined both in the academic literature and in practice. In late 1990 and early 2000, several professional and regulatory bodies established the initial objective and framework of ERM, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in the United States, the Group of Thirty Report in the United States, and the Toronto Stock Exchange Dey Report in Canada. Furthermore, more recently, credit rating agencies such as Moody’s and Standard & Poor’s introduced metrics to assess the impact of effectiveness and maturity of ERM systems on their rating methodologies. In 2016, the Risk and Insurance Management Society (RIMS) developed a set of maturity criteria, Risk Maturity Model (RMM), describing the fundamental characteristics of an effective ERM program. Maturity models have since been used in many industries for the purpose of assessment and benchmarking of ERM programs.²

The Miller and Modigliani (1958) seminal contribution on the irrelevance of a firm’s capital structure implies that in perfect capital markets, risk management activities do not create value. In tandem, the capital market theory (Lintner, 1965; Sharpe, 1964; Treynor, 1961) asserts that investors holding well-diversified portfolios have already eliminated the idiosyncratic risks of the firm, thus rendering risk management efforts irrelevant in terms of value creation. However, counter arguments suggest that risk management activities can and do add value to the firm. Capital and product markets are affected by various market imperfections, including corporate and personal taxes (Miller, 1977; Miller & Modigliani, 1963), bankruptcy costs (Kraus & Lichtenberger, 1973), costly information (Leland & Pyle, 1977; Ross, 1977), external capital costs (Froot et al., 1993), and agency costs (Jensen & Meckling, 1976, 1986). Corporate risk management could affect both the positive and negative consequences of such imperfections, thus adding value within an organizational setting. Furthermore, as noted by Pagach and Warr (2011), attempting to reduce idiosyncratic risk is not a negative net present value project due to the numerous market frictions existing within the economy. Whether or not well-diversified investors, in fact, do exist, several studies argue that risk management can lead to a reduction in the probability of large detrimental cash flow shortfalls, costly capital acquisition, and relinquishing of profitable investments (MacKay & Moeller, 2007; Nocco & Stulz, 2006; Shapiro & Titman, 1998; Shimko, 2001; Smith & Stulz, 1985).

Recently, there has also been a rising interest in establishing the value-added benefits of ERM. The expected benefits have been diverse covering a large spectrum of underlying economic, market, and organizational effects. Farrell and Gallagher (2014) find a highly significant value effect of about 25% for fully engaged firms that are considered mature in their ERM approach. Key sources of value creation include reduction in the firm’s cost of capital (Hoyt & Liebenberg, 2011; Samanta et al., 2004), information signaling on the firm’s overall risk profile (Hoyt & Liebenberg, 2011), improving executive compensation (Fraser et al., 2014), risk diversification, exploitation of natural hedges, and sharpening the board’s ability in governing the enterprise’s risk (Beasley et al., 2005; Hoyt & Liebenberg, 2011; McShane et al., 2011; Nocco & Stulz, 2006). Table 2 summarizes in more detail the recent studies on the value proposal of ERM.

Table 2.

Review of the Literature on Value-Added Benefits of ERM.

Authors	Sources of value creation
Samanta et al. (2004) and Hoyt & Liebenberg (2011)	Reduced cost of capital and better capital structure decisions.
Farrell & Gallagher (2014)	For firms considered mature in their ERM approach, there is a highly significant firm value increase of about 25%. The data suggest that the strongest valuation effects are associated with ongoing performance management, process management, the corporate approach to ERM, root cause discipline, and the efficacy of uncovering risks.
Fraser et al. (2014)	Factors such as the use of market-based risk metrics and the exploitation of ERM output to influence executive compensation tend to have a positive effect on a firm’s efficiency measured by revenue and cost metrics.
Meulbroek (2002)	ERM attempts to create shareholder value by allowing firms to achieve a more optimized risk–return trade-off position. The goal of risk management is not to minimize the total risk faced by a firm per se but to choose the optimal level of risk to maximize shareholder value.
Hoyt & Liebenberg (2011)	Signaling and information release on the firm’s risk profile to outsiders such as regulators and shareholders.
Nocco & Stulz (2006), Rosenburg & Schuermann (2006), McShane et al. (2011), Hoyt & Liebenberg (2011), Beasley et al. (2005), Chapman (2006), and Jacobs (2004)	- Evaluation of risk and return at the project level does not allow for optimization at the corporate level as risk diversification and correlations are ignored, thus leading to suboptimal decision making.- Risk interactions and aggregation are key components of ERM, improving internal decision making, hence ultimately contributing to the firm value through more efficient capital allocation.- A firm’s total amount of risk differs from the sum of the enterprise’s individual risks.- Hedging residual risk, rather than inherent risks, maximizes value by allowing the organization to benefit from a risk diversification effect or recognition of natural risk hedges.- Integration of risks helps firms to avoid duplication of risk management outlay.- Viewing the company’s risks as a portfolio should be beneficial to the firm as it should improve both the senior management and the board’s ability to fully oversee the enterprise’s risk.- An improvement in the understanding and transparency of the aggregate level of firm risk should allow an efficient level of strategic decision making at the board level, enhancing resource allocation, capital efficiency, and equity returns.- ERM goes beyond focusing on just risk-avoidance activities in recognition of the value to be gained from exposure to risks for which the firm has a strategic competitive advantage. Risk avoidance alone may actually increase the volatility and fragility of financial markets as a whole.

Note. ERM = enterprise risk management.

One of the first case studies on the development and implementation of ERM for an actual firm was conducted by Harrington et al. (2002) for United Grain Growers (UGG), a Canadian privately held agricultural services company. The company’s decision to establish ERM was influenced by listing requirements at the Toronto Stock Exchange, increased disclosure by the Canadian Wheat Board, and urgency to control the cash flow volatility from grain handling and crop production services. UGG’s internal risk committee prioritized the company’s exposure to several types of risks, including environmental liability, weather-related effect, counter-party, credit policy, and commodity prices. However, the mitigation strategy eventually chosen was a general integrated loss and liability insurance contract offered by Swiss Re-insurance. According to the case study, while the ERM process provided a better understanding of the risks involved, it faced challenges in establishing the required cooperation and “buy in” to carry out the ERM process in its entirety.³

In a later case study, Aabo et al. (2005) discussed the ERM process at Hydro One, a large publicly traded Canadian utility in the transmission and distribution of electricity. Facing deregulation and emerging competition in the Canadian energy sector and increased scrutiny on corporate governance, in 2000, Hydro One adopted an integrated approach to examine its overall risks and opportunities aiming at achieving better risk-based allocation of its resources. Similar to the case for UGG, Hydro One also followed a process of consultation and interviews at a subsidiary level to assess and prioritize its exposure to myriad internal and external risks. Unexpected changes in energy regulation, inefficiencies in human resources, environmental contamination, and growth impediments in a competitive energy market characterized the top areas of risk exposure for the company. Mitigation strategies adopted included increased and more effective interactions with provincial and federal government and regulatory agencies, improved labor relations and compensation strategies to address human resources’ retention issues, and limited insurance contracts to cover losses due to the environmental risk. Among the most tangible benefits of establishing ERM at Hydro One was the development of a more rational and coordinated process of risk-based capital allocation and achieving a higher credit rating on its new debt issues. More recently, Fraser et al. (2014) produced a collection of earlier case studies on the implementation of ERM in different industries providing further evidence on the efficacy of ERM maturity to deliver efficiency in strategic decision making coordinated with optimal risk-taking strategies. Overall, however, a general limitation of the earlier case studies is the lack of any quantitative statistical filter to formally validate the internal consistency of the risk inputs used in developing and implementing an ERM program. As shown later in this study, the absence of such statistical verification methodologies could lead to erroneous characterization of a firm’s overall risk exposures, thus limiting the effectiveness of the mitigation strategies.

Sample and Data

A multistep plan of action was developed to guide the ERM process as explained in Table 3. Specifically, the plan consisted of selecting a representative sample of risk owners, delivering an educational program on ERM to sample risk owners, developing a focused and internally consistent risk management questionnaire, and, finally, constructing mitigation strategies and reviewing their performance post ERM implementation. The consulting team was given full access to potential risk owners at the firm’s worldwide operation. Upon a series of confidential interviews, a sample of 30 randomly selected risk owners representing senior executives, field managers, and board members was identified.⁴ The sample group participated in a 3-day online educational program on the fundamentals of ERM. Topics covered included the economics and regulatory aspects of risk management aided by case studies and global surveys representing the practice in a diverse group of industries.

Table 3.

Plan of Action to Develop the ERM Program at GES.

Recommended Actions	Description of Actions
Sample of risk owners	Identify a representative and diverse group of functional risk owners (managers/executives at field offices with major Profit and Loss (P/L) responsibilities), senior executives, and board members.
Education	Develop and deliver a short educational module for the sample risk owner group to create a uniform level of understanding on the dynamics and application of ERM.
Questionnaire	Administer and analyze a focused questionnaire covering multiple risk management areas, including Risk Culture, Risk Recognition, Risk Organization, Risk Governance, Risk Control, and Risk Measurement.
Synthesis, identification, and risk assessment	Apply statistical approaches to synthesize and compile the results obtained from the questionnaire. Develop a detailed multidimensional risk table identifying and prioritizing the existing and potential risks.
Mitigation	Develop mitigation strategies for the top risks.
Review	Review and assess, on an ongoing basis, the effectiveness of the proposed risk management system.

Note. GES = Global Educational Systems; ERM = enterprise risk management.

The Questionnaire and Methodology

Using the RIMS RMM, the consulting team designed a focused questionnaire to analyze the risk profile at GES (see, for example, Farrell & Gallagher, 2014; Lindberg & Seifert, 2011). The questionnaire was comprised of two basic parts. The first part was divided into five areas: risk culture, risk recognition, risk organization, risk governance, and risk control. The description of each of the above-mentioned five areas is provided in Table 4. Each area was treated as a latent variable which was explained by a set of related questions. The area of risk culture was represented by 14 questions, risk recognition by nine questions, risk organization by eight questions, risk governance by nine questions, and, finally, risk control by 10 questions. The respondents were asked to provide both a verbal response to each question and codify the importance of any given response using the five-level scale from the RIMS RMM as described in Table 5.

Table 4.

Key Areas Determining the Risk Profile at GES.

Risk areas	Definition
Risk culture	The questions in this segment were designed to understand the interplay between the organization’s strategy, goals, decision-making processes, risk appetite, and risk management philosophy.
Risk governance	The questions in this segment focus on the board structure and processes, levels, and effectiveness of the board’s involvement, knowledge, and transparency in devising strategies to carry out risk management decisions.
Risk organization	This section focuses on the administrative and operational nature of capturing, communicating, reporting, monitoring, and compliance related to risk management actions.
Risk recognition	This segment is designed to understand the organization’s ability to identify risks, distinguish risks from opportunities, recognize risk metrics, and awareness for fraudulent activities.
Risk control	The questions in this segment have been designed to gauge the firm’s level of existing control on overall risk exposure: inherent versus residual risks.
Risk assessment	This section focuses on the application of multidimensional risk indices to prioritize risk categories.

Note. GES = Global Educational Systems.

Table 5.

Five-Level Risk Maturity Model: Risk and Insurance Management Society: RIMS RMMa.

Maturity (level)	Maturity-level characteristics
Ad hoc (1)	Implies an extremely primitive level of ERM maturity where risk management typically depends on the actions of specific individuals, with improvised procedures and poorly understood processes.
Initial (2)	Risk is managed in silos, with little integration or risk aggregation.Processes typically lack discipline and rigor. Risk definitions often vary across the silos.
Repeatable (3)	A risk assessment framework is generally in place with the board of directors being provided with risk overviews. Approaches to risk management are established and repeatable.
Managed (4)	Enterprise-wide risk management activities such as monitoring, measurement, and reporting are integrated and harmonized with measures and controls established.
Leadership (5)	Risk-based discussions are embedded to a strategic level, such as long-term planning, capital allocation, and decision making. Risk appetite and tolerances are clearly understood with alerts in place to ensure the board of directors and executive management are made aware when risk thresholds are exceeded.

Source. Adapted from RIMS https://www.riskmaturitymodel.org/rims-risk-maturity-model-rmm-for-erm, Lindberg and Seifert (2011) and Farrell and Gallagher (2014).

Note. RIMS RMM = Risk and Insurance Management Society Risk Maturity Model; ERM = enterprise risk management.

The second part of the questionnaire focused on risk identification and assessment. The consultant team used formal methods of compiling and synthesizing expert collective decisions to focus the dialogue and discussion from the educational program on gaining insights on the broad nature of the risk portfolio at GES.⁵ Accordingly, respondents were given a set of 10 structural risk categories, explained in Table 6, which closely approximated the universe of risk exposure at GES.⁶ The risk categories covered the areas of operations, financial and markets, regulatory and legal, strategic, human resources, innovation, geopolitics, credit, information security, and reputation. Sample risk owners were asked to identify three to five risk events in each of the 10 risk categories and provide estimates of their likelihood of occurrence, impact on annual revenue growth, and the level of control presently existing in the firm.⁷ Table 7 summarizes the assessment matrix used by the sample risk owners in this part.

Table 6.

General Risk Categories at GES.

Risk Category	Risk Category Description
Operational risk	Risks resulting from inadequate or failed procedures, systems, processes, or policies. It includes employee errors, business interruptions, fraud or other criminal activity, equipment failure, logistical bottleneck, third-party liability, employee safety, timeliness, and accuracy.
Financial and market risk	Risks resulting from a shortfall in revenues and/or cost escalation, accumulated losses, diminished liquidity, problems in meetings, financial obligations, diminished credit rating, forecasting and valuation error, audit problems, portfolio losses, and poor hedging against market volatility (interest rates, exchange rates, stock prices).
Regulatory and legal risk	Risks resulting from lawsuits and unpredictable changes in the local and global regulatory environment, noncompliance to statutory, and accreditation rules.
Strategic risk	Risks resulting from poor articulation and communication of goals and strategies, misalignment of strategic plan and corporate governance, uninformed board, lack of established and effective review processes.
Human resources risk	Risks resulting from problems in employee recruitment and retention, low labor productivity, and suboptimal compensation system.
Innovation risk	Risks resulting from inertia in identifying and implementing new products and services in local and foreign markets in response to political, macroeconomic, and market changes.
Geopolitical risk	Risks resulting from political changes, sanctions, travel bans, economic and political retaliation, nationalization of foreign assets and establishments.
Credit risk	Risks resulting from competition, economic slowdown/slow recovery, supply chain disruption, embargoes, customer attrition, changes in customers’ expectations and demand, and changes in customers’ financial capacity.
Informational/security risk	Risks resulting from cyber security attacks and hacking, using outdated and inefficient information systems (technology obsolescence), and communication system failure.
Reputation risk	Risks resulting from decline or lack of brand and image, loss of customers’ trust, negative publicity, recruitment challenges, fund-raising problems.

Table 7.

Risk Assessment Metrics: Likelihood, Impact, and Control.^a

Panel A
Likelihood (P)					Control (C)^b
Very low p < .15	Low.15 < p < .3	Medium.3 < p < .5	High.5 < p < .75	Very high p > .75	Ad hoc	Initial	Repeatable	Managed	Leadership

Panel B
Impact on revenue growth (G)
Very negative–25% < G < –50%	Negative0%> G < –25%	Neutral0%	Positive0% < G < 40%	Very positiveG > 40%

Note. GES = Global Educational Systems.

Average values of ranges for likelihood and impact are used to calculate expected values.

Five-Level Risk Maturity Model: Risk and Insurance Management Society: RIMS RMM.

Typically, questionnaire data are evaluated by treating all questions uniformly in terms of the degree of their association to, and informational content with, selected latent variables. However, this assumption is unlikely to hold given the wide range of experiences, attitudes, and beliefs observed among the sample respondents. Two separate statistical tests were used to identify the questions with the highest explanatory power in characterizing the risk profile at GES. Specifically, following Fabrigar et al. (1999), the convergence rate of the questions in each risk area was judged by means of the EFA, powered with Varimax rotation.⁸ Using this approach, the consulting team was able to approximate, as closely as possible, the underlying relationships between observed responses and their respective latent category variables (risk culture, risk recognition, risk organization, risk governance, and risk control). Selected questions representing the strongest evidence-based reliability must carry a factor loading greater than 0.5. Accordingly, a factor loading less than 0.5 could be viewed as providing weak evidence for the existence of any association between questions and their respective risk areas. The reliability of the set of questions was further tested by means of the internal consistency statistic, Cronbach’s α, which established the optimum level of consistency for a group of questions in explaining a particular risk area. A Cronbach’s α greater than .7 represents optimum consistency in a set of questions.

Given the directives from the GES senior executives and its board, the response rate to the questionnaire was 100%. The returned questionnaires were all usable indicating an acceptable level of familiarity with the topics covered and the process involved. The EFA approach resulted in isolating seven out of 14 questions under risk culture, five out of nine questions under risk recognition, six out of eight questions under risk organization, six out of nine questions under risk governance, and seven out of 10 questions under risk control. The selected questions have the highest association (factor loadings>0.5) within their respective segments. These questions also possessed Cronbach’s αs greater than .7 representing optimum consistency in the relevant risk area. The results of the included questions are reported in Table 8. The analysis of the overall risk profile at GES represented by statistically significant questions in each area is discussed in the “Risk Profile and Mitigation Strategies at GES” section of the article.

Table 8.

Questionnaire’s Internal Consistency: Application of EFA and Cronbach’s Alpha.

Risk areas	Factor loading	Cronbach’s α
Risk culture
Overall, is GES willing to take any magnitude of risk to achieve strategic objectives?	0.62	.74
How are the critical competencies of GES structured: in a range from “Operational” to “Entrepreneurial”?	0.91
How do you describe the reward structure of the company in a range from “Margins and Productivity” to “Milestones and Growth”?	0.56
Is the organizational culture “Efficiency, Low Risk, Quality, Customers”; “Risk Taking, Speed, Flexibility, and Experimentation”; or somewhere in between?	0.91
Rate the leadership role from being “Authoritative and Top Down” to “Visionary and Involved.”	0.86
How would you rank the strategic and related objectives defined by the organization: in a range from “Unclear and Unfocused” to “Planned and Transparent”?	0.71
Based on the reflection above, rate the overall risk culture at GES.	0.81
Risk recognition
What type of forces, internal and external, impact the risk management culture described above: in a range from “Entirely Internal” to “Entirely External”?	0.96	.89
Rate the organizations ability to distinguish risk versus opportunity.	0.84
What are the most relevant assessment metrics for quantifying significant measurable risks and incorporating them into decision-making process: in a range from “Entirely Qualitative” to “Entirely Quantitative”?	0.84
How susceptible is the firm to fraud? Which areas are most susceptible to the same?	0.91
Based on the reflection above, rate your department’s overall risk recognition capabilities.	0.97
Risk organization
How effective is the organization in capturing risk information and communicating it to various constituencies (government, donors, clients, staff, and the board)?	0.87	.72
Do communication barriers exist within the organization when addressing risk?	−0.72^a
How often do you think the senior management involves the board and staff during the strategy-setting process, including when making decisions to accept or reject risk factors?	0.85
Rate the activities of writing down, prioritizing, and disseminating risk.	0.68
Rate the risk monitoring and reporting system within the organization.	0.91
Based on the reflection above, rate the risk management organizational capacity at GES.	0.88
Risk governance
Rate the board’s understanding of the organization’s priority risks and how those risks should be addressed.	0.72	.63
How much do the senior executives involve the board in the assessment of strategic risks?	−0.78
Rate the frequency with which the company revisits its risk assessment to determine whether the circumstances and conditions have changed or whether there are new emerging risks.	0.81
How confident are you about the organization not taking significant risks without the board’s knowledge?	0.84
How effectively do you feel are the organization’s risk management culture and governance functioning?	0.67
Based on the reflection above, rate the alignment between risk management and governance at GES.	0.82
Risk control
Rate the monitoring of the objectives under each of the above-mentioned categories	0.73	.79
How well defined are the risk management goals in terms of ongoing strategic activities: in a range from “Unclear and Unfocused” to “Planned and Transparent”?	0.80
How do you rate the quality, reliability, and relevance of the risk reporting?	0.92
How effective are the ongoing monitoring activities (e.g., compliance monitoring, risk management group monitoring, board monitoring)?	0.81
Rate the risk measuring methodology abided by the firm when each risk is measured on an individual level.	0.77
Rate the risk measuring methodology abided by the firm when each risk is measured on an enterprise level.	0.74
Does GES have a rising learning curve with regard to its risk assessment and management process?	0.81

Note. EFA = exploratory factor analysis; GES = Global Educational Systems.

Sign of the factor is not indicative of the results obtained as the focus was based on absolute values.

Risk Assessment

The risk measurement results are reported in Table 9. As explained earlier in “The Questionnaire and Methodology” section, respondents were asked to identify three to five risk events for each of the 10 risk categories (Table 5) and provide estimates for each risk event, as structured in Table 6, of likelihood of occurrence, impact on annual revenue growth, and the level of control presently existing in the firm. Individual respondents’ entries were averaged to arrive at representative values for likelihood, expected impact (product of average likelihood and average impact), and average control in each risk category. Aggregate averages of likelihood, expected impact on annual revenue growth, and level of control were then calculated across respondents to arrive at overall risk indices for all risk categories. In Table 9, two new qualifying indices were also introduced for each risk category. Specifically, ratios of standard deviation of expected impact on annual revenue growth and average level of control, adjusted by the absolute values of their respective means, were used to provide measures of the convergence of opinion among the respondents on estimates of likelihood, impact, and control. Large values of these ratios should signal lack of convergence of opinion (presence of input noise) indicating a lower priority and relevance for a particular risk category in the analysis.

Table 9.

Risk Matrix at GES.

Risk category	Average probability (%)	Average expected impact	Average control	Opinion convergence (expected impact)	Opinion convergence (control)
Strategic risk	46.46	−0.16	4.23	0.71	0.1313
Innovation risk	54.26	−0.15	4.30	0.4	0.1271
Information and security risk	61.67	−0.14	4.00	0.74	0.1428
Geopolitical risk	51.30	−0.15	3.95	0.63	0.1427
Financial risk	48.10	−0.17	4.05	0.28	0.1042
Regulatory and legal risk	45.56	−0.14	3.95	0.22	0.1227
Operational risk	44.81	−0.16	3.76	0.36	0.0949
Credit and product risk	57.14	−0.19	3.76	0.51	0.1282
Human resources risk	53.33	−0.15	3.65	0.3	0.1185
Reputation risk	42.08	−0.16	3.35	0.6	0.1282

Note. Average expected impact is the product of average probability by average impact for each risk category across the sample. Opinion convergence (expected impact) is the ratios of standard deviation of expected impact for each risk category across the sample adjusted by the absolute value of its mean. Opinion convergence (control) is the ratios of standard deviation of average control for each risk across the sample category adjusted by its mean. GES = Global Educational Systems.

Typically, the conventional practice in prioritizing risks is to summarize pictorially the risk categories in a two-dimensional risk map where likelihood is measured on the x-axis and impact on the y-axis. Such conventional demonstrations ignore the role of other risk-related indices which could further qualify the informational value of estimates on likelihood and impact. To increase the accuracy and representativeness of the sample results, an expanded approach is used in this study where risk categories were ranked using multiple criteria. Specifically, the 10 risk categories were initially ranked by their expected impact, subsequently ranked by an equally weighted average of individual ranks associated with expected impact and control. A third approach ranked the risk categories by an equally weighted average of ranks associated with three indices: expected impact, opinion convergence on expected impact, and opinion convergence on control. In Table 10, the three ranking approaches are consolidated to provide the final ranking of the 10 risk areas.

Table 10.

Top Risk at GES by Different Ranking Criteria.

Risk category	Rank (1)	Rank (2)	Rank (3)	Consolidated ranking
Strategic risk	3	5	7	6
Innovation risk	4	6	5	6
Information and security risk	5	5	9	7
Geopolitical risk	4	3	8	6
Financial risk	2	3	1	1
Regulatory and legal risk	5	4	3	5
Operational risk	3	2	2	2
Credit and product risk	1	1	4	1
Human resources risk	4	2	3	3
Reputation risk	3	1	6	4

Note. Rank 1: Absolute value of expected impact; Rank 2: Equally weighted average of expected impact and average control; Rank 3: Equally weighted average of expected impact, opinion convergence (expected impact), and opinion convergence (control). GES = Global Educational Systems.

The results in Table 10 were presented to the senior executives and the board at GES in 2017. Upon extensive deliberation, considering the firm’s existing risk profile (Table 8), the board voted to proceed initially with a subset of six risk areas deemed to be the most consequential in affecting the firm’s future annual revenues and growth opportunities. The six risk areas identified were strategic risk, innovation risk, informational and security risk, geopolitical risk, financial risk, and regulatory and legal risk. The six risk areas, key sources of risks involved, and summary of mitigation approaches adopted at GES are reported in Table 11, which are discussed in the next section.

Table 11.

Summary of Mitigation Strategies.

Risk categories	Key drivers of risks	Mitigation strategies
Strategic	- Transparency- Mission drift- Diversification- Alignment	Developed a new 5-year, 2017–2022, strategic plan establishing more clearly the firm’s mission and vision, creating strategies and tactics that serve the mission, and aligning the firm’s operational, financial, risk management, and marketing/communication goals. Created a stand-alone risk committee as a subcommittee of the board. Provided regular progress reports to the board on realizing the goals of the plan. Used risk-adjusted criteria to assess the valuation implications of new projects. Produced quarterly global economic and environmental scans to review the plan’s goals and strategies, recommending possible changes.
Innovation	- Commercial orientation- Competitiveness- Incentives- R&D resources	Established a portfolio approach where the financial and human resources at GES are allocated strategically and optimally to enhance innovation in core offerings, adjacent opportunities, and, particularly, transformational territories achieved through geographic diversification. Promoted a more effective dialogue between staff, senior executives, and the board on new initiatives. Incentivized staff to experiment with new ideas. Aligned the R&D budget with best practices by comparable entities. Used risk-adjusted approaches to measure the value proposal of R&D projects.
Informational and security	- Data privacy- System obsolescence- Technical issues- Data loss- Multiple platforms	Hired a CIO responsible for developing and executing policies to manage the global network of information at GES. Key steps included synchronization and consolidation of email platforms, launching software and hardware for document management, establishing effective patches to detect and defuse cyber-attacks, and aligning information technology policies with strategic planning.
Geopolitical	- Political instability- Travel bans and visas- Trend forecasting- Program closure	Incorporated country risk analysis information regularly published by the IMF and the WB to better assess geographic risks and their implications for ongoing and new initiatives. Established quarterly country-based reports from foreign field offices. Secured a global insurance contract against losses occurring from travel bans, visa restrictions, kidnapping, and nationalizations.
Financial	- Fraud- Revenue shortfall- Cost overruns- Liquidity- Currency changes- Audit	Systematically shifted revenue sources such that the contribution of nongovernmental projects would increase to 30% from its existing level of 5% of annual revenues in 5 years. Planned to increase liquidity ratios by 30% over 5 years. Established quarterly revenue scenario exercises to stress test the financial health of the firm. Implemented an optimal currency model to manage the FX risk of foreign revenues. Developed and implemented risk-adjusted valuation approaches related to R&D investments.
Regulatory	- Lawsuits and liability- Registration status- Noncompliance- Regulatory forecasting- Third-party liability	Reported and regularly updated U.S. Federal/State- and country-specific compliance measures. Established quarterly country-based regulatory reports from foreign field offices. Secured a global insurance contract for covering the losses of third-party liability.

Note. GES = Global Educational Systems; R&D = research and development; CIO = Chief Informational Officer; IMF = International Monetary Fund; WB = World Bank.

Risk Profile and Mitigation Strategies at GES

The questionnaire’s results in Table 8 revealed that the existing risk management system at GES was ad hoc and uncoordinated.⁹ Overall, significant barriers in risk communication and reporting existed within the organization. The organizational structure at GES was rigid represented by a relatively low level of risk appetite, although there were no formalized and direct mechanisms to know whether the firm’s attitude toward risk had played a major role in evaluating new programs in different countries. There was evidence that the lack of a risk-adjusted project selection had weakened the financial performance at GES, particularly when the U.S.-based governmental grants, approximately 60% of its overall annual revenues, had declined. The strategies and tactics identified in the existing strategic plan were not directly prioritized based on their inherent or residual risks and return profiles. There were also limitations and gaps in the governance of risk management. The board did not have a stand-alone risk committee and was not directly informed on the portfolio of risks at GES. The audit reports were basically focused on ensuring that appropriate steps were taken to address the potential risk of fraud and the accuracy and informativeness of the financial reports and their alignment with accepted accounting rules. Assessing the organizational preparedness to address other categories of risks was not formally stressed or monitored in the audit reports.¹⁰

The explanation of the key drivers of the six risk areas selected by the board at GES and their respective mitigation strategies are summarized in Table 11. Overall, GES did made progress in implementing the proposed risk management strategies since their adoption in 2017. It launched a new and more focused strategic plan aligning the proposed strategies with the overall mission, regularly monitoring its progress by measurable and transparent criteria. GES also created a stand-alone risk committee of the board headed by the Chief Financial Officer. Internally, the committee regularly submits quarterly field offices’ reports to the board and senior executives on the evolving nature of the firm’s overall geographical risk exposure. In addition, it shares with the board country-specific risk and compliance reports published by the International Monetary Fund (IMF) and the World Bank (WB). The progress in managing informational and security risk, financial risk, and innovation risk was more advanced. Regarding informational and security risk, GES hired a CIO with responsibility to change the firm’s existing communication and technology architecture. The CIO centralized the firm’s international communication network and data, aligning the myriad cyber compliance and privacy policies with the new strategic plan. It further provided technological and communication training for the staff globally. Beyond fending off potential data breaches, streamlining the communication network at GES enhanced the timeliness, accuracy, and availability of multiple sources of financial and programmatic information from the field offices worldwide.

Focusing on the financial risk, a risk-adjusted valuation approach similar to the concept of Adjusted Present Value (APV) was set up to evaluate and rank the new projects and programs. The APV measures the sum of the unlevered net present value of a given project and the net present value of all non-market-related side effects.¹¹ GES also developed a currency risk minimization model to manage the FX risk of its foreign revenues. Specifically, total revenues were divided into its U.S. and foreign-based sources. Foreign currency cross-correlation analysis with the U.S. dollar-based revenues identified the optimal group of currencies with inherent risk reduction possibilities.

Using the APV and the currency risk minimization models, GES was able to adopt value-enhancing nongovernmental strategic projects shifting the revenue sources away from governmental grants. It systematically increased the proportion of annual revenues generated from nongovernmental projects to approximately 15% versus about 5% on average during 2015–2017. For example, in 2018, in cooperation with private-sector partners and local universities, GES created professional training programs in environmental aspects of water resources management in several countries in the Middle East, Africa, and China. In 2019, GES in cooperation with local universities in a number of countries in Central Asia led the creation of an English language management training program. Also, in 2019, using its network of global field offices, GES launched its geopolitical consulting division advising public and private sectors in Central Asia and the Middle East on economic development projects. The strategies used to manage financial, innovation, and informational security risks filtered through the overall risk portfolio at GES effectively providing natural hedges emphasizing the benefits of risk aggregation approach by hedging residual risk, rather than the inherent risks (Hoyt & Liebenberg, 2011; McShane et al., 2011).

In early 2020, the novel coronavirus emerged as a major global pandemic, significantly slowing down the pace of economic and social activity around the world. In response, an unprecedented level of fiscal and monetary interventions were introduced to protect the global economy from a total collapse. As a multinational firm deeply focused on emerging economies, the pandemic seriously affected the operations of field offices at GES. It eliminated or slowed down its upcoming contracts and existing programs and threatened the health and safety of its participants and employees around the world. Addressing the informational and security and financial risks played a major role in minimizing the adverse impact of the pandemic. The new CIO effectively centralized the international communication network at GES and provided regular technology training which was instrumental in maintaining operational continuity remotely at a global level. Optimal allocation of additional resources to nongovernmental projects increased the liquidity ratios by 30%. Establishing quarterly revenue scenario exercises to stress test the financial health of the firm and implementing an optimal currency model to manage the FX risk of foreign revenues further boosted the availability of the net cash reserve, collectively making it possible to provide short-term funding for some of the field offices and absorbing revenue losses from delayed programs. Integrating country risk analysis information published by the IMF and the WB with reports from the field offices allowed GES to better assess geographic risks playing an instrumental role in successfully repatriating its program participants and employees.

Conclusion

The study of the ERM program at GES presents a dynamic examination of the development, implementation, and post-implementation review for a U.S. multinational nonprofit firm over a 5-year period, 2015–2020. The results clearly show that application of powerful statistical filters to questionnaire data enhances the accuracy and relevance of the risk information needed to assess a firm’s risk profile and areas of vulnerabilities. Furthermore, the use of multidimensional risk indices is shown to provide a more realistic perspective of the risk hierarchy and respective mitigation strategies, ultimately achieving a more optimized risk–return trade-off position for the firm. Specifically, establishing the ERM program at GES is shown to have effectively helped the firm in managing the consequences of the coronavirus pandemic in 2020. Despite its focus on a nonprofit firm, previous studies discussed in the article provide examples of applying similarly designed ERM methodologies to privately held and publicly traded firms. Finally, this study provides additional support to the existing literature on the benefits of establishing mature ERM systems.

Footnotes

Declaration of Conflicting Interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) received no financial support for the research, authorship, and/or publication of this article.

ORCID iD

Abolhassan Jalilvand

Notes

Author Biographies

Abolhassan Jalilvand is professor of finance and executive director of the Business Leadership Hub at Quinlan School of Business, Loyola University Chicago.

Sidharth Moorthy is Quantitative Analyst at Morgan Stanley, India.

References

Aabo

Fraser

Simkins

(2005). The rise and evolution of the chief risk officer: Enterprise risk management at Hydro One. Journal of Applied Corporate Finance, 17(3), 62–75.

Beasley

Clune

Hermanson

(2005). Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy, 24(6), 521–531.

Chapman

R. J.

(2006). Simple tools and techniques for enterprise risk management electronic resources. Wiley.

Fabrigar

Wegener

MacCallum

Strahan

(1999). Evaluating the use of exploratory factor analysis in psychological research. Psychological Methods, 4(3), 272–299.

Farrell

Gallagher

(2014). The valuation implications of enterprise risk management maturity. The Journal of Risk and Insurance, 9999, 1–34.

Fraser

Simkins

Narvaez

(2014). Implementing enterprise risk management: Case studies and best practices. Wiley.

Froot

Scharfstein

Stein

(1993). Risk management: Coordinating investment and financing policies. Journal of Finance, 48(5), 1629–1658.

Harrington

Niehaus

Risko

(2002). Enterprise risk management: The case of United Grain Growers. Journal of Applied Corporate Finance, 14(4), 71–81.

Hoyt

Liebenberg

(2011). The value of enterprise risk management. Journal of Risk and Insurance, 78(4), 795–822.

10.

Jacobs

(2004). Risk avoidance and market fragility. Financial Analysts Journal, 60(1), 26–30.

11.

Jalilvand

Kostolansky

(2016). Le Beau footwear: A business valuation case for a privately held firm. Issues in Accounting Education, 31(4), 439–444.

12.

Jensen

Meckling

(1976). Theory of the firm: Managerial behavior, agency costs and ownership structure. Journal of Financial Economics, 3(4), 305–360.

13.

Jensen

Meckling

(1986). Agency costs of free cash flow, corporate finance and takeover. American Economic Review, 76(2), 323–329.

14.

Kraus

Litzenberger

(1973). A state preference model of optimal financial leverage. Journal of Finance, 28(4), 911–922.

15.

Leland

Pyle

(1977). Informational asymmetries, financial structure, and financial intermediation. Journal of Finance, 32, 371–388.

16.

Lindberg

Seifert

(2011). Enterprise risk management (ERM) can assist insurers in complying with the Dodd-Frank Act. Journal of Insurance Regulation, 30, 319–337.

17.

Lintner

(1965). The valuation of risk assets and the selection of risky investments in stock portfolios and capital budgets. Review of Economics and Statistics, 32(2), 13–37.

18.

MacKay

Moeller

(2007). The value of corporate risk management. Journal of Finance, 62(3), 1379–1419.

19.

McShane

Nair

Rustambekov

(2011). Does enterprise risk management increase firm value? Journal of Accounting, Auditing and Finance, 26(4), 641–658.

20.

Meulbroek

(2002). Integrated risk management for the firm: A senior manager’s guide. Journal of Applied Corporate Finance, 14(4), 56–70.

21.

Miller

(1977). Debt and taxes. Journal of Finance, 32(2), 261–275.

22.

Miller

Modigliani

(1958). The cost of capital, corporation finance and the theory of investment. American Economic Review, 48(3), 261–297.

23.

Miller

Modigliani

(1963). Corporate income taxes and the cost of capital: A correction. American Economic Review, 53(3), 433–443.

24.

Nocco

Stulz

(2006). Enterprise risk management: Theory and practice. Journal of Applied Corporate Finance, 18(4), 8–20.

25.

Pagach

Warr

(2011). The characteristics of firms that hire chief risk officers. Journal of Risk and Insurance, 78(1), 185–211.

26.

Rosenburg

Schuermann

(2006). A general approach to integrated risk management with skewed, fat-tailed risks. Journal of Financial Economics, 79(3), 569–614.

27.

Ross

(1977). The determination of financial structure: The incentive signaling approach. Bell Journal of Economics, 8, 23–40.

28.

Samanta

Azarchs

Martinez

(2004). The PIM approach to assessing the TRM practices of financial institutions. Standard & Poor’s/McGraw-Hill.

29.

Shapiro

Titman

(1998). An integrated approach to corporate risk management. The revolution in corporate finance (3rd ed.). Blackwell.

30.

Sharpe

(1964). Capital asset prices: A theory of market equilibrium under conditions of risk. Journal of Finance, 19(3), 425–442.

31.

Shimko

(2001). NPV no more: RPV for risk-based valuation. Mimeo Risk Management Partners.

32.

Smith

Stulz

(1985). The determinants of firms’ hedging policies. Journal of Financial and Quantitative Analysis, 20(4), 391–405.

33.

Treynor

J. L.

(1961) Market value, time, and risk. https://ssrn.com/abstract=2600356 or https://doi.org/10.2139/ssrn.2600356