Search results

1 – 10 of 92
Open Access
Article
Publication date: 26 May 2023

Sasha Romanosky and Elizabeth L. Petrun Sayers

Abstract

Purpose

The purpose of this study is to examine how companies integrate cyber risk into their enterprise risk management practices. Data breaches have become commonplace, with thousands occurring each year, and some costing hundreds of millions of dollars. Consequently, cyber risk has become one of the gravest risks facing organizations, and has attracted boardroom-level attention. On the other hand, companies already manage many kinds of difficult and growing risks, and firms lose less than 1% of annual revenues as a result of cyber incidents. Therefore, how should firms appropriately address cyber risk? Is it indeed a materially different kind of risk area, or is it simply just one more risk that can seamlessly be integrated into existing enterprise risk management (ERM) practices?

Design/methodology/approach

The authors performed thematic analysis based on semi-structured interviews, with non-probabilistic, purposive sampling, to answer two main questions. First, how do firms manage enterprise risks, generally? And second, how are they integrating cyber risk into these existing processes?

Findings

The authors find that there is considerable variation in the approach and sophistication in ERM practices, such as whether they are driven more like an auditing function, or as a risk champion. The authors also find that despite the novelty of cyber risk, it can be integrated like other enterprise risks, and that cyber risk is most often seen as an operational risk (similar to workplace accidents or fraud), rather than a strategic risk, emerging from, for example, technology innovation and R&D.

Research limitations/implications

The generalization of the results is limited by the sample size and variation of firms interviewed. While the authors attempted to interview enterprise risk managers across a wide variation of firms, there were clear limitations in the scope. That being said, the authors were fortunate to be able to examine ERM and cyber risk practices across small and large, private and publicly traded companies, from a variety of business sectors.

Practical implications

The authors believe these findings are important because they present evidence that while cyber risk may be new, it does not require specialized handling or processes to track it at the enterprise level. While some firms may choose to provide special accommodations or attention because of their data collection or business practices, this approach is neither necessary nor required of all firms in all situations.

Originality/value

This research is one of the only papers that, to the best of the authors’ knowledge, examines how cyber risk is integrated at an enterprise level.

Details

Management Research Review, vol. 47 no. 1
Type: Research Article
ISSN: 2040-8269

Content available
Book part
Publication date: 4 May 2021

Details

Enterprise Risk Management in Europe
Type: Book
ISBN: 978-1-83867-245-4

Open Access
Article
Publication date: 10 September 2021

Mohammad Moniruzzaman

Abstract

Purpose

Debate is growing around the expansion of risk-based regulation. The regulation scholarship provides evidence of regulatory failure of the risk-based approach in different domains, including financial regulation. Therefore, this paper aims to provide cautionary evidence about the risk of regulatory failure of risk-based strategy in the financial regulation while using enterprise risk management (ERM) as a meta-regulatory toolkit.

Design/methodology/approach

Based on interview data gathered from 30 risk managers of banks and five regulatory personnel, combined with secondary data, this study mainly explores the challenges for meaningful use of ERM-based self-regulation in regulated banks. The evidence helps to assess the risk of regulatory failure of the risk-based regulation while using ERM.

Findings

The evidence reflects that regulated banks face diverse challenges arising from both peripheral and internal environments that limit the true internalization of ERM-based self-regulation. Despite this, the regulator uses this self-regulation as a meta-regulatory toolkit under the risk-based regulation to achieve the regulatory aims. However, the lack of true internalization of ERM-based self-regulation is likely to raise the risk of regulatory failure of risk-based regulation to achieve the regulatory goals. Risk-based regulation is an evolving strategy in the regulatory regime. Therefore, care should be taken while using ERM as a regulatory toolkit before relying on it substantially.

Originality/value

The paper provides empirical insights about the challenges for effective use of ERM as a meta-regulatory toolkit that might be useful practically both to the regulators and regulated firms.

Details

Asian Journal of Economics and Banking, vol. 6 no. 1
Type: Research Article
ISSN: 2615-9821

Open Access
Article
Publication date: 23 November 2018

Iswajuni Iswajuni, Arina Manasikana and Soegeng Soetedjo

Abstract

Purpose

The purpose of this paper is to identify the effect of enterprise risk management (ERM) with firm size, ROA and managerial ownership as control variables on firm value that is proxied by Tobin’s Q.

Design/methodology/approach

The population of this research was manufacturing companies listed on the Indonesian Stock Exchange (IDX) in 2010–2013. The method used in this research is multiple linear regression-ordinary least square and hypotheses testing using t-test to test the regression coefficients with level of significance of 5 percent.

Findings

The results showed that ERM, ROA and size of the company have a significant positive effect on the firm value, while the managerial ownership has a significant negative effect on the firm value.

Originality/value

The results showed that firm value increases as ERM, ROA and size of the company improve, while the managerial ownership has a significant negative effect on the firm value.

Details

Asian Journal of Accounting Research, vol. 3 no. 2
Type: Research Article
ISSN: 2443-4175

Content available
Article
Publication date: 9 May 2008

Peter Kennedy

Details

Strategy & Leadership, vol. 36 no. 3
Type: Research Article
ISSN: 1087-8572

Open Access
Article
Publication date: 6 February 2024

Abdelmoneim Bahyeldin Mohamed Metwally and Ahmed Diab

Abstract

Purpose

In developing countries, how risk management technologies influence management accounting and control (MAC) practices is under-researched. By drawing on insights from institutional studies, this study aims to examine the multiple institutional pressures surrounding an entity and influencing its risk-based management control (RBC) system – that is, how RBC appears in an emerging market attributed to institutional multiplicity.

Design/methodology/approach

The authors used qualitative case study research methods to collect empirical evidence from a privately owned Egyptian insurance company.

Findings

The authors observed that in the transformation to risk-based controls, especially in socio-political settings such as Egypt, changes in MAC systems were consistent with the shifts in the institutional context. Along with changes in the institutional environment, the case company sought to configure its MAC system to be more risk-based to achieve its strategic goals effectively and maintain its sustainability.

Originality/value

This research provides a fuller view of risk-based management controls based on the social, professional and political perspectives central to the examined institutional environment. Moreover, unlike early studies that reported resistance to RBC, this case reveals the institutional dynamics contributing to the successful implementation of RBC in an emerging market.

Details

Qualitative Research in Accounting & Management, vol. 21 no. 2
Type: Research Article
ISSN: 1176-6093

Content available
Book part
Publication date: 4 May 2021

Details

Enterprise Risk Management in Europe
Type: Book
ISBN: 978-1-83867-245-4

Content available
Article
Publication date: 17 April 2009

N. Baker

Details

Strategic Direction, vol. 25 no. 5
Type: Research Article
ISSN: 0258-0543

Open Access
Article
Publication date: 8 July 2022

Magali Dubosson, Emmanuel Fragnière and Samuele Meier

Abstract

Purpose

Human-related risks are practices in a given organization that lead to harmful behaviors that prevent managers and their teams from achieving goals. The purpose of this article is to enable the organization to provide a preventive and simple response to risks in the event that deterioration in employee well-being is detected.

Design/methodology/approach

In the literature, many questionnaires based on a variety of metrics have been developed and tested to measure and assess the quality of work life (e.g. stress, commitment, satisfaction, etc.). The approach of this study was to identify the most meaningful items and combine them into a unique score integrated into an effective decision-making module.

Findings

A long process of trial and error was necessary to collect confidential information from employees, both anonymously and longitudinally, to measure well-being in the workplace objectively and globally. The unique score generated provides an indication of potential human risk.

Research limitations/implications

This research and its practical implementation have demonstrated the importance of personal-data protection and the need to work harder to maintain employees' digital trust while using a digitized tool.

Practical implications

Development of a new app that was used for the first time to regularly assess ill-being in several companies.

Social implications

The social implication of this research is to contribute to health policies related to well-being in the workplace.

Originality/value

To the authors’ knowledge, this is the first time that a software module measuring the human risk of an entire company has been embedded in Enterprise Risk Management (ERM).

Content available

Details

Strategic Direction, vol. 27 no. 5
Type: Research Article
ISSN: 0258-0543
