Development of an enterprise risk management implementation model and assessment tool
Le Roux, Hermie
Globalisation, new technology, increased regulatory requirements, legal pressures, and disappearing boundaries — these factors have resulted in a dynamic business environment for all organisations where mediocrity is no longer tolerated. In response to this dynamic environment, thriving organisations are expected to have the following characteristics: (1) sound governance, including clarity of roles and responsibilities of the governing body; (2) processes and systems which ensure compliance and accountability for the organisation as a whole; (3) an explicit ethical framework; (4) detailed strategic, business, financial, and services planning; (5) shared strategic direction (identity, purpose, values, and culture); (6) an empowered workforce committed to the organisational direction; (7) a distinct management approach in terms of data, information and knowledge; (8) a clear understanding of what clients and other stakeholders need and how to fulfil those needs effectively; and (9) be well connected within the larger business community and services network (Bullen, 2015). One of the other key aspects an organisation needs to focus on in order to thrive, even just to survive in this changing business environment, is the organisation’s ability to respond to the changing risk landscape with an appropriate risk management approach (Accenture, 2015; Beasley, Branson & Hancock, 2015b; Deloitte, 2015; WEF, 2016). The role of the risk practitioner (such as the chief executive officer (CEO), chief risk officer (CRO), or another risk custodian) has changed from that of an advisor to a business partner as expectations regarding timely and transparent risk information from external and internal risk stakeholders have escalated (Senior Supervisors Group, 2009). 
The risk practitioner’s ability to keep organisational decision makers informed of existing, new, and emerging risks, and therefore opportunities, is pivotal to the organisation’s success — as it enables risk-based and timely organisational decisions leading to the creation, protection or enhancement of value within their business. It stands to reason that a risk practitioner employed by an organisation operating within the ERM domain — with a clear understanding of the concept of ERM, the adoption drivers of ERM, the proposed value-add for their organisation, and the barriers to ERM — should be able to develop an ERM implementation model and assessment tool to create, protect or enhance their organisation’s value. The purpose of the study was therefore to develop an ERM implementation model and assessment tool that can be used by all risk practitioners as a guideline for ERM program implementation and to assess the level of ERM implementation within South African organisations. This study addressed 3 areas of concern that were identified during the preliminary literature review: 1) The misalignment between the principles of organisational design and ERM program design. Fourteen different organisational design models and different continual improvement models were considered to identify the best suited model with which to align the conceptual ERM implementation model. Weisbord’s six-box organisational design model and the Deming continual improvement cycle were selected due to their simplicity of design and the ease with which they could be applied to the ERM program. 2) Limited availability of literature on how to implement ERM.
The way in which this research study attempts to address this area of concern is by proposing an ERM implementation model with a specific structure (7 building blocks that are based on Weisbord’s six-box organisational design model and the continual improvement Deming cycle); with specific level 1 and level 2 best practice requirements (based on ISO 31000, ISO 31010 and King III); specific deliverables per requirement (derived from the best practice requirements and based on the researcher’s practical experience as a risk practitioner); and by proposing ERM implementation assessment tools that are based on the validated ERM implementation model. The confirmed ERM implementation assessment tools comply with Protiviti’s 5 lines of defence risk governance model in terms of structure, assigned responsibility and process flow. 3) The ambiguity surrounding the concept of practice-based ERM. The conceptual ERM implementation model and the proposed ERM implementation assessment tools were validated by senior risk stakeholders from 8 different industries in an attempt to close the gap between ERM theory and ERM application. This resulted in the validated ERM implementation model and confirmed ERM implementation assessment tool. To fulfil the purpose of the study and to address the areas of concern, the study was conducted in accordance with the principles of the pragmatic research paradigm. The mixed methods research method was used. Information regarding the context of ERM and the relevant theoretical frameworks for this study was gathered with a systematic literature review (qualitative). Information regarding the South African ERM domain, specific information regarding the aforementioned organisations’ ERM programs, and the most applicable barriers to ERM implementation were gathered in the first phase of the empirical study by using a questionnaire (quantitative).
The conceptualised ERM implementation model and the proposed ERM implementation assessment tool were validated through the second phase of the empirical study utilising the Delphi technique (qualitative). The results of the study should resonate with Albert Einstein’s quote relating to science.