Abstract
Purpose
Debate is growing around the expansion of risk-based regulation. The regulation scholarship provides evidence of regulatory failure of the risk-based approach in different domains, including financial regulation. Therefore, this paper aims to provide cautionary evidence about the risk of regulatory failure of risk-based strategy in the financial regulation while using enterprise risk management (ERM) as a meta-regulatory toolkit.
Design/methodology/approach
Based on interview data gathered from 30 risk managers of banks and five regulatory personnel, combined with secondary data, this study mainly explores the challenges for meaningful use of ERM based self-regulation in regulated banks. The evidence helps to assess the risk of regulatory failure of the risk-based regulation while using ERM.
Findings
The evidence reflects that regulated banks face diverse challenges arising from both peripheral and internal environments that limit the true internalization of ERM-based self-regulation. Despite this, the regulator uses this self-regulation as a meta-regulatory toolkit under the risk-based regulation to achieve the regulatory aims. However, the lack of true internalization of ERM based self-regulation is likely to raise the risk of regulatory failure of risk-based regulation to achieve the regulatory goals. Risk-based regulation is an evolving strategy in the regulatory regime. Therefore, care should be taken while using ERM as a regulatory toolkit before relying on it substantially.
Originality/value
The paper provides empirical insights about the challenges for effective use of ERM as a meta regulatory toolkit that might be useful practically both to the regulators and regulated firms.
Keywords
Citation
Moniruzzaman, M. (2022), "Risk of regulatory failure of “risk-based regulation” while using enterprise risk management as a meta-regulatory toolkit", Asian Journal of Economics and Banking, Vol. 6 No. 1, pp. 103-121. https://doi.org/10.1108/AJEB-05-2021-0067
Publisher
:Emerald Publishing Limited
Copyright © 2021, Mohammad Moniruzzaman
License
Published in Asian Journal of Economics and Banking. Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode.
1. Introduction
The notion of “risk” has gained much prominence among the regulators in policy reform in diverse areas, including financial regulation (Ojo, 2010). It is now considered the principal doctrine for “better regulation” (Black and Baldwin, 2010). Therefore, a shift is marked in the relationship between risk and regulation, which is labeled as “risk-based regulation”. Risk-based regulation is a philosophy that enables regulators to govern by “risk” and provides a powerful rationale to achieve the regulatory objectives in a legitimate way (Beaussier et al., 2016). It is emerged as a “flexible regulation” alternative to the “command and control” regulation (Ford, 2017; Coglianese, 2020). It is also regarded as a governance technique in the “New Governance” scholarship (Black, 2012). This strategy is much favored to the regulators for its flexibility and responsiveness across the globe, including the UK, Australia, New Zealand, Canada and the USA in the areas of food safety, health safety, financial services and pension regulation (Rothstein, 2006; Black, 2010; Beaussier et al., 2016). In recent times, risk-based regulation is also entered in aviation, offshore oil and nuclear industries (Binz et al., 2018), cybersecurity management (Boehm et al., 2019), mining industry (Rudakov et al., 2021), anti-money laundering regime (Pellegrina et al., 2021), personal data protection regulation in the EU (Gonçalves, 2020) and the environmental protection (Knol-Kauffman et al., 2021).
In the Anglo-Saxon literature, risk-based regulation is viewed as an innovative policy intervention tool (Black and Baldwin, 2010). However, in designing the risk-based regulation framework, regulators use diverse approaches. The meta-regulatory approach is one of the unique methodologies (Black, 2005). In the meta-regulatory approach, the risk-based framework is designed by focusing on the regulated firms' self-regulation. Regulators allow or enforce the regulated firms to develop their self-regulation and afterward, enroll that self-regulation into the regulatory process. In fact, regulators administer the self-regulation of regulated firms. Various supervisory measures are taken after relying on such self-regulation to achieve the regulatory aims through ex ante risk assessment (Akinbami, 2013).
However, regulators use enterprise risk management (ERM) as a meta-regulatory toolkit in designing enforced self-regulation in the regulated firms under the risk-based regulation. In recent years, ERM has entered the regulatory domain and evolved as a regulatory apparatus. Regulatory aims are achieved intensely relying on such ERM based self-regulation after integrating it into the regulatory process. Consequently, ERM has emerged as a meta-regulatory toolkit in designing the risk-based regulation. The scholarly literature has paid much attention to the development of risk-based regulation in various domains (see, e.g. Black, 2005; Black and Baldwin, 2012; Hommel and King, 2013), although there is a conceptual and normative debate in regulation scholarship about the need for risk-based regulation. However, less attention has been paid to investigating the challenge for effective implementation of risk-based regulation except a few in diffident domains, for example, Rothstein et al. (2006), Beaussier et al. (2016) and Sinha (2020). Empirical evidence is limited to know the true practice of the risk-based regulation in a real-world setting (van der Heijden, 2021). Consequently, little is known in the literature about the practical challenge of meaningful use of risk-based regulation, particularly, particularly when ERM is used as a meta-regulatory toolkit in financial regulation. Besides, there is a concern about using the meta-regulatory approach in supervision of the regulated firms because it is not unproblematic (Akinbami, 2013).
Moreover, a debate is also rising around the development and effectiveness of using of risk-based regulation, precisely in the Anglo-Saxon literature (Black, 2005, 2012; Hutter, 2005; Black and Baldwin, 2010; Paul and Huber, 2015). Therefore, this study intends to contribute to this research gap and take part in this development path. Thus, the study aims to explore the practical challenges for meaningful use of ERM based self-regulation in regulated firms and, after that, provide cautionary evidence by evaluating the likelihood of regulatory failure of risk-based regulation.
The rest of the paper is structured as follows. Section 2 reviews the literature on risk-based regulation, meta-regulation and ERM and delineates the research gap to explore. Section 3 explains the research design, while section 4 reports the practical challenges for effective use of ERM based self-regulation in the regulated banks. An evaluation provides in section 5 regarding the likelihood of regulatory failure of risk-based regulation while using ERM as a meta-regulatory toolkit. Section 6 concludes by demonstrating the paper's contribution, including avenues for further research and limitation.
2. The integration among ERM, meta-regulation and risk-based regulation
The notion of “ERM” is relatively new in the regulatory domain. Since the advent of ERM in the mid-1990s, the dynamics of ERM has been evolving. It has emerged as a management control innovation (Jabbour and Abdel-Kader, 2015) and regarded as a dynamic of management control systems (Liff and Wahlstrom, 2018). It is viewed as an essential element of improved corporate governance practice and corporate governance reform (Mikes and Kaplan, 2015). In defining ERM, the COSO (2017) asserts that ERM is a set of principles that apply at all levels of an organization and across all functions. It is not a function of a department rather a culture, capabilities and practices that organizations integrate with strategy. It is also a system of monitoring, learning and improving performance. Thus, ERM is a systematic, holistic and strategic approach to risk management that enables firms to manage organization-wide risks in an integrated manner.
Recently ERM has entered in the regulatory regime. Regulators use ERM as a meta-regulatory toolkit in designing the risk-based regulation. In the financial industry, regulators enforce the regulated banks to adopt and implement ERM based self-regulation. The regulator enforces the regulated banks to develop ERM based self-regulation through prescribing to have a separate risk management division, chief risk officer, board risk committee, executive risk management committee, defined organizational hierarchy, risk appetite statement and monthly and half-yearly risk management reports in the banks. The regulator, after that, enrolls the self-regulation into the regulatory process and achieves the regulatory goals by relying on and administrating it (Bangladesh Bank, 2015).
However, many challenges have been highlighted in the literature regarding the use of the meta-regulatory approach. The problems associated with the meta-regulatory approach can lead to serious regulatory failure (Akinbami, 2013). In this approach, much attention is paid to the internal control of the regulated firms. It is regarded as one of the potential weaknesses of meta-regulation. Regulated firms have more information about their risks and activities than anyone else. It is more likely to conceal the information by the regulated firms for achieving their self-interest. Thus, relying on the regulated firms' self-regulation without any modification is much risky (Black, 2005). Besides, there is a conflict of interest between the regulators and the regulated firms, particularly in the financial industry (Akinbami, 2013). Private banks are more likely to prioritize their own interest than the regulator's public interest. Hence, there is an opportunity to act for self-interest by the regulated firms. This conflict of interest may lead to regulatory failure if the regulators fail to align both of the interests.
Similarly, lack of meaningful practice of the self-control mechanism and ineffectiveness of the regulated firms are also the biggest challenge in the meta-regulatory approach. Regulated firms often fail to focus on the most important risks. Similarly, excessive reliance on risk quantification may lead them over-confident to predict and manage risk, which is eventually harmful. Even firms may fail to fully understand the difference between risk, which is calculable and uncertainty, which is not calculable (Gray, 2010). Regulators are likely in a disadvantaged position of risk information compared to the regulated firms in this regard (Akinbami, 2013). Furthermore, meta-regulation has a potential risk of regulatory inertia and regulatory capture.
However, the risk-based regulatory technique and meta-regulatory approach belong to the “flexible regulatory” alternative. In regulation scholarship, there is a debate over the effectiveness of the flexible regulatory techniques due to regulatory failure, particularly following the Asian financial “meltdown” of 1997–98 (Braithwaite, 2003) and the recent financial crisis 2007–2009 (Black, 2012; Ford, 2013). Besides, regulation scholarship provides evidence of regulatory failure of the risk-based regulation in different domains, particularly financial and environmental regulations (Akinbami, 2013; Beaussier et al., 2016). Recently, Sinha (2020), after critically analyze the risk-based approach in the UK anti-money laundering regime, finds the ineffectiveness of the risk-based approach over the rule-based approach in removing its deficiencies. Besides, a culture of “tick-box exercise” is also found among banks and financial institutions following the adoption of risk-based regulation. Therefore, risk-based regulation comes with its own risks. It may result in a false sense of security (van der Heijden, 2019).
Despite this, the relevance of flexible regulatory alternatives still survives over the “prescriptive” regulation, precisely the risk-based regulation. Regulator remains committed to developing and using risk-based approaches (Akinbami, 2013; Beaussier et al., 2016). It can improve efficiency, effectiveness and transparency (Molfetas and Grava, 2020). The risk-based approach is one of the policy recommendations of an expert group to create an accommodative framework for technology-enabled financial services in the EU. It is also much favored to the World Bank group in policy reforms to different countries (Molfetas and Grava, 2020). Consequently, the risk regulation is institutionalized (Knol-Kauffman et al., 2021). It is also considered as one of the most promising trends in regulation over the last century and thought that it would be the central proposition to addressing the key future global challenges arising from climate change, global warming and evolving disruptive technologies (van der Heijden and Hodge, 2021).
Moreover, much attention is paid to the normative rationales for risk-based regulation, less attention is paid to explore empirically the likelihood of regulatory failure of a new choice of risk-based regulation, particularly when using an emerging regulatory innovation i.e. ERM as a meta-regulatory toolkit in achieving the risk-based regulatory aims. Moreover, the use of ERM as a meta-regulatory toolkit is yet to arrive at its maturity in risk-based regulation. Therefore, this research is embarked on this study.
3. Research methods
This study is motivated by the recent regulatory reform in the banking sector of Bangladesh, an emerging economy in the Asian region. The Bangladesh Bank (BB), the central bank of Bangladesh, has made a strategic shift in its supervision and regulation through shifting from the “compliance-based” regulation to the “risk-based” regulation (Bangladesh Bank, 2015). The ERM has gained considerable attention to the central bank to use as a meta-regulatory toolkit in designing the risk-based regulatory framework. To explore the implementation challenge of ERM based self-regulation among the regulated banks under the meta-regulatory approach, this study, therefore, adopted the interpretive philosophy to describe, understand and interpret the actors' meanings (Baker and Bettner, 1997). Here, it is assumed that reality is constructed socially (Berger and Luckmann, 1966). There is no objective reality, and the world is just the creation of human minds. The qualitative methodology dominates in this paradigm to comprehend rather than generalize the reality. This study, therefore, employed a qualitative study to investigate the phenomena at field level.
Data were collected mainly through semi-structured interviews. A total of 35 interviews were conducted during the period from April to August 2017, where 30 interviews were conducted with the Head of the risk management division (RMD) of 30 regulated banks. The remaining five interviews were taken with the risk management personnel of the central bank. The Head of the RMDs had an average of 10 years' experience in the risk management area with various designations in banks ranging from Vice President, Executive Vice President, Senior Vice president, First Vice President, Deputy General Manager. Besides, the designation of the central bank's staff was Joint Director, who also experienced an average of 10 years in risk management policymaking. Details of the interviewees are provided in Appendix.
In addition to qualitative interview data, secondary data also gathered from annual reports of the BB; risk management circulars; monthly, half-yearly and annual risk reports, publication of the development partners based on sectoral assessment; banking laws and regulations; published articles on the banking sector of the country and the newspaper. This secondary data helped to triangulate the interview evidence.
All the interviews were recorded with due permission of the interviewees that ensured the data validity and reliability. Four systematic steps were followed for analyzing the qualitative data. This included: data familiarization and management, data reduction and initial code development, initial code organization and primary theme development and theme refinement and data set preparation. At the first step, the recorded data were transcribed verbatim that helped to get much familiar with the nature and depth of the data. A pseudo-code was used while analyzing the data to ensure the anonymity of the interviewees. For example, data collected from regulated banks was labeled as “SB” and from the regulator was marked as “RG”.
The “Thematic Approach (TA)” was followed in the second step for coding the raw data using the Nvivo 11 software that provided a rich and detailed account of the interview data (Braun and Clarke, 2006). After completing the coding of all the transcripts, the repetitive code was combined in a suitable theme using the NVivo in the third step. Then, the initial themes were developed following the codes. At the final stage, the initial themes were refined into a manageable size after reviewing it several times, and the refined themes were used to develop a data set to demonstrate the practical challenges for meaningful use of ERM-based self-regulation among the regulated banks.
4. The practical challenges for meaningful use of ERM based self-regulation
A range of challenges has been unearthed that obstruct the effective practice of ERM-based self-regulation in the regulated banks. However, the challenges have been classified broadly into two parts considering the sources, namely, peripheral challenges arising from the external environment and internal challenges arising from the internal environment of the banks.
4.1 Peripheral challenges
At the outset, the political influence is marked as one of the most significant challenges for the effective implementation of ERM in the banks. One interviewee stated that the banking industry is politically connected in the economy. Therefore, political influence is the biggest challenge for the effective functioning of the ERM. He quoted:
Political forces are a strong coercive force for providing a loan. No policy guidelines are followed in case of guided loan which provided under political influence. There is no scope of risk management in that case. Even you will not get time for risk assessment. This is the main reason for the failure of risk management. (SB-21)
Similarly, the influence of the large borrowers in sanctioning loan is also identified as a significant challenge for effective ERM practice. One interviewee stated:
If I do not provide any loan to the large borrowers in the country, then my bank will shut down [indicating the power and influence of the large borrowers in the industry]. The economy will shut down. Because our industry is growing in this way! (SB-20)
Also, the interviewees made responsible the BB, the central bank, itself as a challenge for effective ERM practice in the industry. They showed concerns about the regulatory role of the BB. One interviewee cited:
The regulator is one of the factors of risk management failure. The regulator conducted the audit several times in the branch where the fraud occurred. They took advantages. There was bleeding in the banking sector, and the regulator knew that. I do not know! why not they [BB] take timely action. (SB-16)
However, the political pressure is made responsible in the banking sector for which the BB could not perform its regulatory duties independently. One interviewee stated:
They [BB] are influenced by powerful businessmen, musclemen, the business community and politicians. They [BB] ultimately compromise in their regulation. There is a lack of professionalism in the behaviour of the BB. (SB-17)
The interviewees also stated that the BB acts as a government-owned bank to serve the interest of the government rather than the depositors. Besides, one of the interviewees marked BB's double standard role in the supervision of commercial banks and the state-owned banks and sometimes provided regulatory forbearance. He mentioned:
Here, Bangladesh Bank acts as a regulator of the commercial banks only. Does it play an equal role for all banks in supervision and regulation [indicated to the government banks]? (SB-24)
Similarly, the World Bank showed its concern regarding effective regulation and supervision of the BB due to lack of enforcement and independence. It quoted in its report:
Banking regulation and supervision have not been effective due to a lack of enforcement and limited BB's independence. (Hussain et al., 2019, p. 6)
Besides, the interviewees emphasized the change of the socio-cultural value of the industry people as another challenge for effective ERM practice. They indicated the default culture, managed culture, name lending culture and wilful default culture of the industry, which are growing over the years. One interviewee said:
Default culture is growing in the industry. It hampers our business a lot. With this default culture in the industry, borrowers do not come forward willingly for repayment of the loan. For example, the garments industry is our largest industry in the economy, highest foreign income earners. A lion share of the loan has been concentrated in the garments sector. You see! The garments owners are doing their business well, but they do not pay back the loan to the bank. (SB-9)
Another interviewee added that the tendency to be a wilful defaulter is growing among the borrowers due to the industry's continuous growth of default culture. It is also a major issue in risk management.
Afterward, some inherent limitations of the banking industry are highlighted by several interviewees that also cast challenge for effective ERM practice in the banks, for example, the prevailing loan concentration in a sector and the recurring funding to the large borrowers despite loan default. One interviewee narrated this fact in the following ways:
There are some inherent difficulties in the industry. It is not possible to overcome overnight through any kind of policy. For example, […] the highest loan concentration is in the “Dhaka” division and in the garments industry. It is not possible to minimize this concentration overnight. Next to say that most of the credit risk is concentrated among the top twenty borrowers. We need to provide a loan to them despite of their default. (SB-26).
Besides, unhealthy competition is marked in the industry due to the increasing number of banks. One interviewee said that it destroys the level playing in the industry and an effective ERM practice becomes difficult for this reason.
Similarly, several interviewees specified the country's judicial system as another important challenge for effective ERM practice. For example, they mentioned the provision of “writ petition” and the “stay order” system of the laws. One of them added that if any bank files any lawsuit in the Court against recovery of loan from the collateral, the borrower also applies a writ petition against the lawsuit and takes a stay order from the Court until vacant the lawsuit. Consequently, it becomes a lengthy process to recover the loan after the lawsuit and the stay order. In addition, another interviewee pointed out the coordination issue between the law and the risk management guideline. He described:
There is a lack of coordination among the laws and risk management guidelines of the country. It is mentioned in the risk management guideline that banks should collect environmental clearance certificate before any investment decision. If we want to collect that certificate according to “Environmental Conservation Act 1997”, sometimes the project would be impracticable to finance. So, coordination is needed between the law and the guidelines considering the practical reality. (SB-5)
Likewise, interviewees highlighted a number of challenges arising from the regulatory prescription, which also act as a barrier for effective ERM practice in the banks. One interviewee cited:
We are in a very tight situation compare to the international standards. As per international standard, the rate of risk-based capital is 10.5%, whereas our requirement is 12.5%. So, an increase of 2% over the five years in our industry is a challenge. It should be reviewed. (SB-3)
Similarly, several interviewees showed their worry regarding the lack of guideline for the preparation of the risk appetite statement and setting the trigger point for management action, including the size and volume of the risk management guideline. One of them also marked the redundancy of the Basel Unit in risk management guideline.
After that, the weak role of the capital market is also brought to the attention as a challenge of real ERM practice. Several interviewees mentioned that they do not get any motivation from the capital market for effective implementation of ERM due to weak form of efficiency. Besides, the capital market rule and regulation are not congenial for risk management practice, another interviewee added. For example, one interviewee mentioned the rule of 10% minimum dividend for a company to remain in the “A” category in the capital market. The dividend policy of a company should not regulate by the regulator, he added.
Likewise, the concern is shown regarding the role of the external auditor and the reliability of their audited balance sheet. One interviewee quoted:
The chartered accountant group [auditors] has to take responsibility for the failure of the industry as like a banker. They have to take the liability. They provide audit reports after doing an audit of the clients. But sometimes, they do not provide the real report. It is not possible on my part to go at the end of the client. I need to depend on the audited balance sheet. The reliability of the balance sheet is a big question. (SB-13)
One interviewee from the regulator also raised concerns regarding the audited financial statements and shared his bitter experience about the fabricated audited account.
Finally, several interviewees highlighted the conflict of interest in the credit rating process and showed concern about the accountability of the credit rating companies. One interviewee explained how a credit rating report helps a bank to reduce the risk weight of an asset and minimum capital requirement. He said that the risk weight of an asset would be 20% if the credit rating report is good; consequently, the required minimum capital will be Tk 2.5 (12.5%). However, the risk weight of the same asset without any credit rating report would be 125%, and the required minimum capital will be Tk 15.63. Therefore, the concern is shown regarding the use of the credit rating report because banks appoint credit rating companies. Therefore, a conflict of interest arises in this process. Besides, several interviewees were also worried about the independence and accountability of the credit rating companies. One interviewee quoted:
If a company's credit rating is “A”, it indicates a good rating, and it helps reduce the risk weight and the capital requirement. But it is not sure how much justified that rating. Banks actually dominate the credit rating company to provide a credit rating report of their clients. So, it is a matter of the question of their accountability. (SB-09)
4.2 Internal challenges
The interview data reflected diverse internal challenges for effective implementation of ERM within the banks arising from governance, management, divisional and operational levels.
All the interviewees admitted that ERM is a top-down approach, and the board of governance plays a vital role in implementing ERM-based self-regulation within the banks. The board should set the tone of the risk culture that will prevail throughout the bank, one interviewee added. However, the interviewees highlighted several issues at the board level, which act as a significant barrier for effective practice of ERM based self-regulation in the banks.
At the start, the lack of awareness of the board members about the ERM practice is noticed. The board members are not much aware of the ERM practice. Even their intention is not clear. Besides, board members do not pay due attention to the ERM. One interviewee cited:
There is a problem of awareness among the board members and the top management. They think the risk management division has no responsibility. They do not pay attention. They believe that risk management does not add any value. (SB-19)
One interviewee said that board members believe that risk management is an expense. It does not create any value. They are always motivated by profit. He quoted:
Risk management is supposed to oversee by the board. The board should pay due attention to the risk management organogram. But they think it is a compliance cost. It is an expense. They pay much attention to the profit. (SB-10)
Later, the issue of risk management expertise is pointed out in the board composition. One interviewee said that risk management is a complex area in banks, but there is a lack of expertise among the board members. As a result, a guidance gap arises between the board and the management. He mentioned:
I believe corporate governance is very important for risk management. The composition of the board is a matter. Most of the board members in our banking industry are businessmen. They do not have expert knowledge in risk management. Retired MD/CEO of various banks could represent on board as an independent director as an expert. You will see, the quality of the board will increase to a large extent. (SB-22)
Another interviewee said:
The composition of the board in our country is a big challenge […] what is happening that we [management] need to guide our board. We need to educate our board. Hence, there is a guidance gap between the board and the management. As a result, we are not guided properly. (SB-16).
Likewise, another interviewee stated that the board members sometimes are not interested in educating themselves in risk management practice. The age of the board members, social position and pre-occupation do not support them to get educated in this complex issue, he added.
On the other hand, top management is another significant part of the ERM process. However, the interviewees stressed several concerns at the top management level.
Several interviewees specified that the banking industry becomes a target-oriented industry. Boards always set an ambitious and unrealistic budget for the management. They are always guided by profit. This unrealistic and overambitious budget for the management acts as a barrier to effective ERM practice in the banks. The MD (Managing Director)/CEO (Chief Executive Officer) is less powerful in banks to bargain with this unrealistic target. One interviewee stated:
The MD/CEO has an unrealistic target. He has to meet the target. If you want to make sure the real practice of risk management in banks, then you may not get the business/profit. This is the reality. An effective risk management approach does not permit an aggressive budget. (SB-28)
Likewise, interviewees highlighted the tenure of the MDs/CEOs as another vital aspect of effective ERM practice. The tenure of the MDs/CEOs is three years subject to renewal as per the board's intention until the age of 65. As a result, the CEOs/MDs do not want to risk of his performance in the short term. One interviewee cited:
It is one kind of criticism that top management (CEO/MD) comes for three years. What will be his plan for three years? What will be his target? A new MD never takes the responsibility of his predecessor. He must keep happy the board. He must keep happy the shareholders. (SB-6)
Another interviewee added that there is no agency cost between the management and the board. The master-servant relationship prevails in the banks. MDs/CEOs always follow the board. He quoted:
You know! Management and board are different from each other. But here in the banking sector, board and management are mixed together. There is no agency cost. The board interferes in the management function, and the management always follows the board. (SB-7)
Similarly, several challenges are marked at the divisional level, i.e. at the risk management division (RMD), which also act as a barrier for effective ERM practice.
The interviewees spotted the conflict of interest and the role ambiguity in the role of the Chief Risk Officers (CROs). Regulator has prescribed to appoint the CROs from the position of Deputy Managing Director (DMD)/Additional Managing Director (AMD) level. The interviewees said that the DMD/AMD is a very top position in a bank. He/she has a separate portfolio of business and has to earn profit. Conflict of interest will arise if he holds the position of the CRO and at the same time looks after his business portfolio. Being a portfolio manager, a DMD/AMD cannot act independently as a CRO. One interviewee stated:
The role and position of CRO in our banking industry is conflicting. He is doing business as well as acting as a CRO of RMD. If you involve any CRO from the DMD level, he will forget everything about risk management. (SB-30)
Another interviewee added:
DMD is a quasi-MD. He has to take care of his portfolio. If you see the true picture, no bank can appoint an independent CRO from DMD/AMD position. (SB-5)
Besides, one interviewee highlighted the role ambiguity of the CRO as no detailed guidance is provided in the regulation. He stated:
The role and function of the CRO are yet to define. Just a policy guideline and hierarchy are given in a circular. A CRO designation is just given in the circular, but it is yet to define his role and responsibilities, his authority and reporting style. (SB-17).
Then, the interviewees questioned the independence of the RMD because DMD/AMD works under the MD in a bank. The promotion of a DMD/AMD, their salary increment, incentive bonus and retrenchment depend on the CEO/MD. As a result, CROs (DMD/AMD) do not take the risk of conflict with the CEO/MD. One interviewee stated:
There is no independence of the risk management division (RMD). We [RMD] need to depend on MD. Job promotion, increment, retrenchment etc., depend on the MD. (SB-25)
Likewise, another interviewee highlighted the concern about the job security of the CRO to act independently. He mentioned:
Job security is essential for CRO as like MD. Without the intervention of BB, Board has no power to sack the MD up to a certain period. But this kind of job security is not applicable for CRO. There should have specific policy guideline for CRO appointment and dismissal. (SB-24)
Later, the interviewees underlined the concern of empowerment and authority of the RMD in the real practice. One interviewee stated:
You know! Risk management is now a separate division, and it will not be under the control of MD. The CRO will be the chief of this division. But it is not possible in the context of Bangladesh. Because, in our system, MD is all in all in a bank. Everything should be gone through the MD. It is not possible to report directly to the Board's Risk Management Committee bypassing the MD. It is very difficult to do in practice. (SB-20)
The interviewees also added that the RMD has no decision-making power. Even the RMD is not a member of the bank's final credit approval committee. One interviewee quoted:
We have a default culture. We have to get rid of this culture. Bankers should give decision making power. There is huge political pressure. We have found that the default rate is zero when the bankers provide the loan. All of my driven loan (pressure comes from the top) is bad. (SB-19).
Then, several interviewees pointed out the shortage of workforce in the RMDs as a challenge to run the ERM function effectively and efficiently. Besides, there is an involvement of cost, they added. One interviewee stated:
In 8 desks, it requires at least 2/3 skilled people for every desk to work. We are working with only 8. Board and management should pay proper importance to the organogram of the risk management system. (SB-10)
Also, several interviewees stated that it is demotivational to work in RMD. As a reason, they highlighted the ambiguity in career growth in the RMDs, lack of management's appreciation and lack of KPI (key performance indicator). Besides, there is a high frequency to transfer of staff from the RMD. Furthermore, bank people do not take risk management training seriously. One interviewee stated:
There is no indicator in KPI for risk management issue. That should be. Even people are not interested in taking the post of CRO in the banks. (SB-28)
On the other hand, a range of challenges is highlighted at the operational level that also works as a barrier for effective use of ERM based self-regulation in the banks.
The interviewees acknowledged that there is a lack of IT automation in risk reporting system in the banks, including a lack of suitable risk management software. They admitted that the ERM is yet to be system based in the industry, and the data support system is yet to be developed. One interviewee mentioned:
We are yet to develop the database to provide the required information to the Bangladesh Bank. We need to provide almost 70 tables (together with large and small) in the half-yearly risk report. We need to provide a comparison on a quarterly, half-yearly and yearly basis. We procure some data from CBS (core banking software) and give some input manually. Sometimes, we do not get all the required information from CBS. (SB-13)
Also, the interviewees showed concern regarding the data quality, reliability and timeliness due to people dependency for preparing the risk reports rather than the system. One interviewee quoted:
Data authenticity and integrity are a problem in preparing the risk reports. The reality is that sometimes we need to manipulate [indicating to manual arrangement] the data. (SB-19)
Similarly, another interviewee said:
We [RMD] face a problem getting data. Besides, the reliability of the data is also a question. The data support system is a challenge. We need to do work manually. We need to assemble the data set manually. (SB-12)
The sectoral database is also a big challenge for ERM practice. The interviewees also indicated the lack of a sectoral database to understand the demand and supply of a loan in any industry. Bankers are taking the decision based on their experience, they added. One interviewee said:
There is a demand for a loan in Bangladesh. But there is no database to assess the sectoral demand and its segregation in Bangladesh (SB-13)
Multidimensional skills are required to work in the RMD. Several interviewees stated that there is a shortage of skilled manpower in risk management in the banks. One interviewee said:
There are very few experts in the market to understand risk management. Risk management is an innovative process, need to deal with the future. It requires a very sharp and brilliant person with multidimensional expertise. Actually, there is a shortage of expert manpower in the market. (SB-18)
Likewise, several interviewees highlighted the lack of advanced and sophisticated tools and techniques for the identification and measurement of risks. Besides, there is a lack of a formal risk register. Therefore, risk people mainly depend on their internal policy guidelines and self-developed tools and techniques, the interviewees added. One interviewee quoted:
We did not develop any sophisticated tool and technique to measure the risks. I am not sure about other banks. We follow our own policy guidelines, questionnaire, core risk management policy to measure the risks. We categories risk as low, medium and high based on our own measurement. (SB-26)
Further, some of the interviewees stressed inter-departmental conflict and ambiguity in risk ownership. One of the interviewees said that people from other departments sometimes criticize the people of the RMD if the risk people are doing well. He quoted:
[…] it requires developing a congenial cultural environment in banks. It will be a problem if I criticize someone who is doing good in a risk management job. It happens in banks. (SB-24).
Another interviewee stated that no one wants to take responsibility for the aroused risk. Besides, business people think RMD is the risk owner. He stated:
The risk management division is not the risk owner. The risk owner is the person who generates risk. But no one wants to take ownership of risk. (SB-16)
Additionally, the interviewees admitted the cost involvement for effective implementation of ERM. There is a resource constraint in the banks, particularly for newly entranced banks in the industry. One interviewee said:
The implementation of ERM has a huge cost. (SB-3)
After that, the banking ethics and morality are also highlighted by the interviewee. They stated that the ethics and morality of the bankers are now in question. They made responsible the ethical degradation of the bankers as a significant reason for the risk management failure. As an example, one interviewee mentioned:
[…] sometimes a banker sells a customer to me [bank] without notifying the default status of the customer. Bank considers him as a good customer. In this way, liability is shifting without knowing which is unethical. It is a bad practice to transfer bad portfolio without disclosing to other banks (SB-11).
Likewise, another interviewee stated:
It is not ethical to wash out the bad debt from the balance sheet of the banks by written-off the loans. It is public money. Bank is dealing with public money. (SB-26)
Finally, the interviewees admitted that the risk culture is yet to be developed in the industry, which is also a vital factor for the effective use of ERM. They said that the practice of ERM is still at a compliance level due to a regulatory requirement. It is in the developing stage; therefore, the risk culture is growing. One interviewee quoted:
Though it is mandatory to implement ERM, it is yet to implement in an organized way in Bangladesh's banking industry. Structural change happened, but we are still at compliance level due to regulatory pressure, I think! (SB-24).
Another interviewee said:
Our risk culture is yet to grow in that sense. We are trying to comply with the regulations and guidelines of the Bangladesh bank. (SB-9)
5. An evaluation of the risk of regulatory failure of risk-based regulation
Risk-based regulation is an evolving strategy in the regulatory regime, particularly in the financial sector. In this strategy, the meta-regulatory approach is much prevalent. Among diverse meta-regulatory toolkit, the ERM is used as a meta-regulatory toolkit in designing the risk-based regulation. However, the success of risk-based regulation depends on the effective implementation and use of the regulated firms' meta-regulatory toolkit because the meta-regulatory approach is not unproblematic (Akinbami, 2013). There is a risk of regulatory failure of the meta-regulatory approach and the risk-based regulation. Nevertheless, empirical evidence is limited to evaluate the likelihood of regulatory failure of risk-based regulation, particularly while using ERM as a meta-regulatory toolkit. As regulators depend on ERM based self-regulation of the regulated firms to achieve the risk-based regulatory aims under the meta-regulatory approach, the practical challenges for meaningful use of ERM based self-regulation support to evaluate the likelihood of the regulatory failure.
Evidence shows that the ERM-based self-regulation in the banks suffers from various challenges arising from peripheral and internal environments. The empirical challenges are summarized in Table 1.
Although ERM is an internal phenomenon in the banks, it is significantly affected by the peripheral challenges. Evidence shows that the significant political influence, the weak supervisory role of the regulator, change of socio-culture value of industry people, inherent limitations of the industry, unfavorable legal environment, limitations of the regulatory prescriptions, weak role of the capital market and the external auditor, and the conflict of interest in credit rating process, including the lack of accountability of credit rating company are the most significant challenges arising from the peripheral environment. These external challenges substantially influence in meaningful use of ERM based self-regulation in the banks.
On the other hand, the ERM-based self-regulation is also exposed to the challenges arising from the banks' internal environment. Evidence shows that internal challenges exist at the governance level, top management level, divisional level i.e. at the RMD itself and the operational level. It is found that there is a lack of awareness and expertise among the board members. Besides, board composition is not diversified with professional experts. There is a guidance gap between the board and the management regarding the risk management practice. Besides, the banks' CEOs/MDs are appointed for a short-term period, and the extension of their service depends on boards. Consequently, they are less likely to take profitability risk in the short-term applying effective ERM practice. They are directed to achieve ambitious target set by the board. There is no agency cost between the board and the management.
Likewise, there is a conflict of interest and role ambiguity for CROs. As a result, CROs cannot perform risk management functions independently. Besides, frequent transfer of employees and demotivational factors also exist at the RMD level. Furthermore, there is a lack of data availability, data authenticity, data integrity and timeliness at the operational level. The lack of risk management software in preparing the risk reports and the lack of data support system and data warehouse are also the most significant challenge at the operational level to ensure the effective practice of ERM. Besides, unavailability of sectoral databased, shortage of risk professional and skilled workforce, absence of advanced tools and techniques, absence of risk register, interdepartmental conflict, ambiguity in risk ownership, including lack of ethics and morality are also a major barrier for true internalization of ERM based self-regulation in the banks.
Thus, the problems associated with the effective use of ERM based self-regulation in the regulated firms may lead to regulatory failure of risk-based regulation. Inappropriate reliance on firms' ERM based self-regulation without assessing its efficacy may raise the risk of regulatory failure. In that case, risk-based regulation may provide a false sense of control to the regulators over the regulated firms.
With this evidence, this paper responds to the call for research for investigating the true practice of risk-based regulation beyond the normative prescription (van der Heijden, 2021). In regulation scholarship, there is evidence of a regulatory failure of risk-based regulation. Akinbami (2013) shows evidence of the regulatory failure of the use of meta-regulation under risk-based regulatory strategy in financial regulation. Likewise, Beaussier et al. (2016) find the failure of risk-based policy instrument in health care domain in England. Besides, Krieger (2013) challenges the universality and uniformity of the application of risk-based governance comparing flood management in Germany and England. Moreover, in the UK's anti-money laundering regime, Sinha (2020) finds a growing culture of “tick box exercise” amongst banks and financial institutions following the shift towards risk-based regulation. Taking a lesson from this literature, this study provides cautionary evidence, based on empirical research, before the failure of risk-based regulation while using ERM as a meta-regulatory toolkit in achieving the risk-based regulatory aims in financial regulation. However, the risk-based approach is a cost-effective framework for regulation. The value relevance of risk-based regulation is still growing among the regulators. The ERM has much potential to be a meta-regulatory toolkit to achieve the risk-based regulatory aims.
6. Conclusion
This paper has provided empirical evidence regarding the likelihood of regulatory failure of risk-based regulation and emerging regulatory strategy while using ERM as a meta-regulatory toolkit. Based on interview analysis with risk managers and regulator, combined with secondary data, this study has explored the practical challenges of meaningful use of ERM based self-regulation in the regulated banks in the financial industry. These practical challenges help to assess the likelihood of the regulatory failure of risk-based regulation because regulators substantially rely on such ERM based self-regulation under a meta-regulatory approach to regulate the regulated firms.
This study reflects that the practical challenges raise the question of true internalization of ERM based self-regulation in the regulated firms. If the regulator substantially depends on such self-regulation to regulate the industry under risk-based regulation without assessing its efficacy, in that case, there might have a risk of regulatory failure of this approach. As the input of risk-based regulation comes from the regulated firms, the lack of true internalization of ERM based self-regulation is likely to cast doubt about the regulatory failure of the meta-regulatory approach. Therefore, this paper argues that ERM has the potential to use as a meta-regulatory toolkit in designing risk-based regulation to achieve the regulatory goals and to ensure legitimacy; however, much care should be taken for effective practice of ERM based self-regulation in the regulated firms before relying on them substantially. Otherwise, there might have a risk of regulatory failure of the most prominent regulatory philosophy in the financial sector and less likely to achieve the regulatory aims. Else, risk-based regulation would merely be a mechanism to search for regulatory legitimacy, as Black (2005) noticed. Thus, the policy shift towards risk-based regulation and the use of ERM as a meta-regulatory toolkit demands careful use of this philosophy as there is a likelihood of regulatory failure.
This paper makes both empirical and policy contributions. Empirically, this research contributes to regulation and ERM scholarship. In line with the studies such as (Rothstein et al., 2006; Baldwin and Black, 2016; Beaussier et al., 2016) regarding the challenges of successful implementation of risk-based regulation in different domains, this study has also questioned the success of risk-based regulation in the financial sector while using ERM. Besides, the evidence of practical challenge for effective use of ERM also enriches the ERM literature. The practical challenge may be considered a critical success factor of effective use of ERM in regulated firms, as identified in other studies such as Zhao et al. (2013), Fraser and Simkins (2016) and Oliveira et al. (2018).
This paper also has a policy contribution to the regulators to rethink the use of ERM as a meta-regulatory toolkit. Regulators may take necessary measures for effective use of ERM if they rely on ERM based self-regulation. In addition, the empirical evidence may also be useful to the regulators in other industries if they wish to use ERM as a meta toolkit. Moreover, the empirical evidence would help the regulated firms to take restorative measures for effective use of ERM based self-regulation for their own interest.
However, this research is not free from limitation. This study explored the practical challenge for effective use of ERM-based self-regulation, focusing only on the regulated firms to evaluate the risk of regulatory failure of risk-based regulation. Therefore, this research opens an avenue for further research to investigate the regulator's challenges to use the ERM as a meta-regulatory toolkit under risk-based regulation. An in-depth case study could be undertaken to evaluate regulator's limitations in using ERM based risk-based regulation.
Practical challenges for meaningful use of ERM based self-regulation in the regulated banks
| Source of challenges | Area of challenges | Nature |
|---|---|---|
| Peripheral environment | Significant political influence | Political connection; influence of large borrowers, musclemen and powerful borrowers |
| Weak supervisory role of the central bank (BB) | Not independent; influenced by government and political person; weak regulation for state-owned banks; provide regulatory forbearance under political pressure; act on behalf of the government rather depositors; resource limitation | |
| Change of socio-cultural values | Growing managed culture, wilful default culture, name lending culture | |
| Inherent limitations of the country's banking industry | Loan concentration (geographically and industry–wise); lending to top twenty borrowers despite their default; unhealthy competition due to increasing number of banks in the economy | |
| Unfavorable legal environment | Weakness of judiciary system regarding collateral management; writ petition; stay order; contradiction among the concerned laws and risk management guideline | |
| Limitations in regulatory prescription | Rate of minimum capital requirement; lack of guideline for risk appetite statement, management action trigger; overlapping of Basel unit with the RMD; vast risk management guidelines | |
| Weak role of the capital market | Weak form of efficiency; no response from capital market; dividend regulation (minimum dividend payment rule) | |
| Weak role of the auditors | Concerns about the reliability of audited balance sheet; window-dressed/ fabricated balance sheet; question about the role of the auditor | |
| Conflict of interest in credit rating process and lack accountability of credit rating companies | Conflict of interest due to use of credit rating report and appointment; question of accountability | |
| Internal environment | Governance level | Lack of awareness; consider as expense and non-value-added practice; lack of expertise in board composition; not interest to be educated in risk management; guidance gap between board and management; board influences in management activities |
| Top management level | Target-oriented industry, unrealistic budget; led by target; no bargaining power by the CEOs/MDs; no agency cost; master-servant relationship; short tenure of the CEOs/MDs; extension of tenure depends on board; CEO focuses on short term project by overlooking risks and avoids performance risk | |
| Divisional level (i.e. at the risk management division-RMD) | Ceremonial post of CRO; conflict of interest; role ambiguity; lack of independence and empowerment; avoid conflict with MD/CEO; lack of job security; exist demotivational factors such as no indicator in KPI regarding risk management, ambiguity in career growth, frequent transfer of employee in RMD, less appreciation and recognition | |
| Operational level | Lack of automation and data support system; lack of data quality, reliability and timeliness; lack of sectoral database; lack of skilled manpower; lack of advanced tools and techniques; lack of risk register; Interdepartmental conflict and lack of integration between RMD and operations; ambiguity in risk ownership; cost involvement; lack of ethics and morality among the bankers and growing risk culture |
Details of the interviewees
| SL. No | Name of bank (Regulated banks) | Head of the RMD (Official designation) | Duration of interview in minutes | Interview date |
|---|---|---|---|---|
| 1 | Modhumoti Bank Ltd. | Assistant Vice President, Risk Management Division | 48.55 | 10 April 2017 |
| 2 | Mercantile Bank Limited | Senior Executive Vice President and Head of Risk Management Division | 37.27 | 13 April 2017 |
| 3 | Eastern Bank Limited | Head of Risk Management Division | 35.09 | 16 April 2017 |
| 4 | Dhaka Bank Limited | First Vice President Basel Unit | 29.25 | 16 April 2017 |
| 5 | Islami Bank Bangladesh Ltd. | Vice President, Risk Management Wing | 53.2 | 17 April 2017 |
| 6 | Social Islami Bank Ltd. | Executive Vice President and Head of Risk Management Division | 60.35 | 02 May 2017 |
| 7 | Southeast Bank Limited | Head of Risk Management Division | 37.2 | 02 May 2017 |
| 8 | Jamuna Bank Ltd. | Vice President and Head of Risk Management Division | 37.2 | 07 May 2017 |
| 9 | Sonali Bank Limited | Deputy General Manager | 38.4 | 11 May 2017 |
| 10 | Pubali Bank Limited | Head of Risk Management Division | 34.5 | 14 May 2017 |
| 11 | Prime Bank Limited | Senior Vice President Risk Management Division | 37.1 | 15 May 2017 |
| 12 | Trust Bank Limited | Senior Vice President and Head of Risk Management Division and Basel | 40.34 | 15 May 2017 |
| 13 | NCC Bank Limited | Senior Vice President and Head of Risk Management Division | 53.51 | 22 May 2017 |
| 14 | Uttara Bank limited | Deputy General Manager | 26.13 | 23 May 2017 |
| 15 | Agrani Bank limited | General Manager | 53.3 | 18 June 2017 |
| 16 | AB Bank Limited | Executive Vice President and Deputy CRO and Head of Risk Management Division | 51.46 | 18 July 2017 |
| 17 | Dutch Bangla Bank Limited | Head of Risk Management Division | 44.17 | 24 July/2017 |
| 18 | Shahjalal Bank Limited | Senior Vice President and Head of Risk Management Division | 33.3 | 16 July 2017 |
| 19 | SBAC Bank Limited | First Vice President, Head of Credit Administrative Division and Risk Management Division. Principal, Training Institute | 32.55 | 20 July 2017 |
| 20 | NRB Commercial Bank Limited | Senior Vice President and Head of Risk Management Division | 42.4 | 23 July 2017 |
| 21 | NRB Global bank limited | Head of Risk Management Division | 29.55 | 24 July 2017 |
| 22 | Standard Bank Limited | CFO Head of RMD, Acting Company Secretary | 37.1 | 25 July 2017 |
| 23 | Commercial Bank of Ceylon | Deputy Chief Manager Integrated RMD | 36.56 | 25 July 2017 |
| 24 | Meghna Bank Limited | Deputy Managing Director | 22.53 | 27 July 2017 |
| 25 | Al Arafa Bank Limited | Senior Vice President Risk Management Division | 31.1 | 30 July 2017 |
| 26 | IFIC Bank Limited | In-Charge Risk Management Division | 29.47 | 30 July 2017 |
| 27 | Woori bank Limited | Principal Officer Financial Administration Division | 30.12 | 1 August 2017 |
| 28 | City Bank Limited | Company Secretary and Head of the Risk Management Division | 35.58 | 6 August 2017 |
| 29 | Habib Bank | Head of Risk Management Division | 32.9 | 17 August 2017 |
| 30 | Bank Asia Limited | Vice President Head of Risk Management Division | 48.24 | 21 August 2017 |
| Regulator – Central Bank | ||||
| 1 | Bangladesh Bank | Joint Director – Department of Off-Site Supervision | 45 | 07 May 2017 |
| 2 | Bangladesh Bank | Joint Director and Project Manager | 19.21 | 09 May 2017 |
| 3 | Bangladesh Bank | Joint Director – Financial Stability Department | 54.59 | 11 May 2017 |
| 4 | Bangladesh Bank | Joint Director – Department of Banking Inspection-1 | 30.07 | 24 May 2017 |
| 5 | Bangladesh Bank | Joint Director – Banking Regulatory and Policy Department | 30.26 | 04 June 2017 |
Appendix
References
Akinbami, F. (2013), “Is meta-regulation all it's cracked up to be? The case of UK financial regulation”, Journal of Banking Regulation, Vol. 14 No. 1, pp. 16-32.
Baker, C.R. and Bettner, M.S. (1997), “Interpretive and critical research in accounting: a commentary on its absence from mainstream accounting research”, Critical Perspectives on Accounting, Vol. 8, pp. 293-310.
Baldwin, R. and Black, J. (2016), “Driving priorities in risk-based regulation: what's the problem?”, Journal of Law and Society, Vol. 43 No. 4, pp. 565-595.
Bangladesh Bank (2015), “Bangladesh bank: annual report 2015-2016”, available at: https://www.bb.org.bd/pub/annual/anreport/ar1415/index1415.php.
Beaussier, A.L., Demeritt, D., Griffiths, A. and Rothstein, H. (2016), “Accounting for failure: risk-based regulation and the problems of ensuring healthcare quality in the NHS”, Health, Risk and Society, Vol. 18 Nos 3-4, pp. 205-224.
Berger, P.L. and Luckmann, T. (1966), The Social Construction of Reality: A Treatise in the Sociology of Knowledge, New York.
Binz, C., Razavian, N.B. and Kiparsky, M. (2018), “Of dreamliners and drinking water: developing risk regulation and a safety culture for direct potable reuse”, Water Resources Management, Vol. 32 No. 2, pp. 511-525.
Black, J. (2005), “The emergence of risk based regulation and the new public risk management in the UK”, Public Law, Vol. 32, pp. 1-42.
Black, J. (2010), “Risk-based regulation: choices, practices and lessons being learned”, in Risk and Regulatory Policy: Improving the Governance of Risk, OECD Publishing, Paris, Paris: OECD, 2008–SG/GRP.
Black, J. (2012), “Paradoxes and failures: 'new governance' techniques and the financial crisis”, Modern Law Review, Vol. 75, pp. 1037-1063.
Black, J. and Baldwin, R. (2010), “Really responsive risk-based regulation”, Law and Policy, Vol. 32 No. 2, pp. 181-213.
Black, J. and Baldwin, R. (2012), “When risk-based regulation aims low: approaches and challenges”, Regulation and Governance, Vol. 6 No. 1, pp. 2-22.
Boehm, J., Curcio, N., Merrath, P., Shenton, L. and Stähle, T. (2019), The Risk-Based Approach to Cybersecurity, McKinsey Insights, New York.
Braithwaite, J. (2003), “Meta risk management and responsive regulation for tax system integrity”, Law and Policy, Vol. 25 No. 1, pp. 1-16.
Braun, V. and Clarke, V. (2006), “Using thematic analysis in psychology”, Qualitative Research in Psychology, Vol. 3 No. 2, pp. 77-101.
Coglianese, C. (2020), Regulatory Abdication in Practice, Faculty Scholarship at Penn Law, p. 2144.
COSO (2017), Enterprise Risk Management Integrating with Strategy and Performance, (June), The Committee of Sponsoring Organizations of the Treadway Commission, p. 16.
Ford, C. (2013), Financial Innovation and Flexible Regulation: Destabilizing the Regulatory State, 18 N.C, Special ed., Vol. 18, No. 1, Banking Inst, pp. 27-38.
Ford, C. (2017), “Flexible regulation scholarship blossoms and diversifies: 1980-2012”, in Cristie Ford, Innovation and the State: Finance, Regulation, and Justice, Cambridge University Press, Cambridge.
Fraser, J.R.S. and Simkins, B.J. (2016), “The challenges of and solutions for implementing enterprise risk management”, Business Horizons, Kelley School of Business, Indiana University, Vol. 59 No. 6, pp. 689-698.
Gonçalves, M.E. (2020), “The risk-based approach under the new EU data protection regulation: a critical perspective”, Journal of Risk Research, Vol. 23 No. 2, pp. 139-152.
Gray, J. (2010), “What next for risk-based financial regulation?”, in MacNeil, I. and O'Brien, J. (Eds), The Future of Financial Regulation, Hart Publishing , Oxford, pp. 123-140.
Hommel, U. and King, R. (2013), “The emergence of risk‐based regulation in higher education”, Journal of Management Development, Vol. 32 No. 5, pp. 537-547.
Hussain, Z., Mahmood, S.A., Khan, N.S., Alam, A. and Shahriar, S. (2019), Bangladesh Development Update: Towards Regulatory Predictability, No. 135838, The World Bank, pp. 1-55.
Hutter, B.M. (2005), “The attractions of risk-based regulation: accounting for the emergence of risk ideas in regulation”, CARR Discussion Paper, (March), p. 17.
Jabbour, M. and Abdel-Kader, M. (2015), “Changes in capital allocation practices - ERM and organisational change”, Accounting Forum, Vol. 39 No. 4, pp. 295-311.
Knol-Kauffman, M., Solås, A.M. and Arbo, P. (2021), “Government-industry dynamics in the development of offshore waste management in Norway: from prescriptive to risk-based regulation”, Journal of Environmental Planning and Management, Vol. 64 No. 4, pp. 649-670.
Krieger, K. (2013), “The limits and variety of risk-based governance: the case of flood management in Germany and England”, Regulation and Governance, Vol. 7 No. 2, pp. 236-257.
Liff, R. and Wahlstrom, G. (2018), “Usefulness of enterprise risk management in two banks”, Qualitative Research in Accounting and Management, Vol. 15 No. 1, pp. 124-150.
Mikes, A. and Kaplan, R.S. (2015), “When one size doesn't fit all: evolving directions in the research and practice of enterprise risk management”, Journal of Applied Corporate Finance, Vol. 27 No. 1, pp. 37-40.
Molfetas, A. and Grava, L. (2020), Risk-Based Approaches to Business Regulation: A Note for Reformers. Finance, Competitiveness and Innovation in Focus, World Bank, Washington, DC, © World Bank.
Ojo, M. (2010), “The growing importance of risk in financial regulation”, Journal of Risk Finance, Vol. 11 No. 3, pp. 249-267.
Oliveira, K., Méxas, M., Meiriño, M. and Drumond, G. (2018), “Critical success factors associated with the implementation of enterprise risk management”, Journal of Risk Research, Vol. 22 No. 8, pp. 1004-1019.
Paul, R. and Huber, M. (2015), “Risk-based regulation in continental Europe? Explaining the corporatist turn to risk in German work safety policies”, European Policy Analysis, Vol. 1 No. 2, pp. 5-33.
Pellegrina, L.D., Di Maio, G., Masciandaro, D. and Saraceno, M. (2021), “Are bankers crying wolves? The risk-based approach in money laundering regulation and its Effects”, SSRN Electronic Journal, No. 444.
Rothstein, H. (2006), “The institutional origins of risk: a new agenda for risk research”, Health, Risk and Society, Vol. 8 No. 3, pp. 215-221.
Rothstein, H., Irving, P., Walden, T. and Yearsley, R. (2006), “The risks of risk-based regulation: insights from the environmental policy domain”, Environment International, Vol. 32 No. 8, pp. 1056-1065.
Rudakov, M., Gridina, E. and Kretschmann, J. (2021), “Risk-based thinking as a basis for efficient occupational safety management in the mining industry”, Sustainability, Vol. 13 No. 2, p. 470.
Sinha, G. (2020), “Risk-based approach: is it the answer to effective anti-money laundering compliance?”, in Assets, Crimes, and the State, 1st ed., Routledge, London.
van der Heijden, J. (2019), “Risk governance and risk-based regulation: a review of the international academic literature”, State of the Art in Regulatory Governance Research Paper Series 2019.02, SSRN Electronic Journal.
van der Heijden, J. (2021), “Risk as an approach to regulatory Governance: an evidence synthesis and research agenda”, SAGE Open, Vol. 11 No. 1, pp. 1-12.
van der Heijden, J. and Hodge, G. (2021), “Ten global trends in regulation: a future outlook”, in The Palgrave Handbook of the Public Servant, Springer International Publishing, pp. 741-759.
Zhao, X., Hwang, B.-G. and Low, S.P. (2013), “Critical success factors for enterprise risk management in Chinese construction companies”, Construction Management and Economics, Vol. 31 No. 12, pp. 1199-1214.
Acknowledgements
There is no external fund for this research. The view expressed in this paper is the author’s own and not necessarily those of the organization to which the author belong.