SciELO - Scientific Electronic Library Online

 
vol.14 issue1The impact of crises on the performance of the Ecuadorian agricultural sectorTaxation and regional economic dynamics in Colombia author indexsubject indexarticles search
Home Pagealphabetic serial listing  

Services on Demand

Journal

Article

Indicators

Related links

  • On index processCited by Google
  • Have no similar articlesSimilars in SciELO
  • On index processSimilars in Google

Share


Revista Finanzas y Política Económica

Print version ISSN 2248-6046

Finanz. polit. econ. vol.14 no.1 Bogotá Jan./June 2022  Epub July 23, 2022

https://doi.org/10.14718/revfinanzpolitecon.v14.n1.2022.8 

Artículo de investigación

Impact of risk governance and associated practices and tools on enterprise risk management: some evidence from Colombia

Impacto del gobierno del riesgo, asociado a las prácticas y herramientas en la administración de riesgos empresariales: evidencia de Colombia

*PhD in Strategic Business Management. Professor Universidad Eafit, Colombia-Medellín. E-mail: evillanu@eafit.edu.co.

** MA in Risk: Management and Insurance. Professor Universidad Eafit, Colombia-Medellín. E-mail: mnunezpa@eafit.edu.co.

*** PhD in Entrepreneurs hip and Business Management. Professor Universidad Eafit, Colombia-Medellin. E-mail: imartins@eafit.edu.co.


Abstract

Enterprise risk management (ERM) is a discipline char is becoming increasingly necessary due to the changing environment in which companies operate. This paper is based on a research question that poses hypotheses questioning che impact of risk governance and associated practices and cools on ERM development. Hierarchical linear regression models were applied to test the hypotheses that suggest a relationship between predictor variables and che ERM criterion variable. A sample of 140 large private companies horn different economic sectors in Colombia was used to evaluate their behaviour and/or organizational performance related to che analysis variables. The main results suggest that risk governance composed of senior management commitment and risk management structure has a positive correlation with ERM. Also, it is evidenced that che practices and tools integrated by risk maps and risk treatment measures have a positive correlation with the maturity of ERM, Finally, the study's main findings and their implications are discussed, which serves as a basis for strengthening ERM in emerging markets.

JEL Classification:

G1, G32, M1, M10, M40.

Keywords: risk governance; practices; and tools; ERM development

Resumen

La administración de riesgos empresariales es una disciplina cada vez más necesaria por el enromo cambiante en el que se desempeñan las empresas. En este artículo se parte de una pregunta de investigación que plantea las hipótesis que cuestionan el impacto de las variables del gobierno del riesgo y las prácticas y herramientas en el desarrollo de la administración de riesgos. Modelos de regresión jerárquica lineal son usados para poner a prueba las hipótesis que plantean una relación entre variables predictoras y la variable criterio desarrollo de la administración de riesgos. Se cuenta con una muestra de 140 grandes empresas privadas de Colombia, que pertenecen a diferentes sectores económicos de las cuales se evalúa su comportamiento y/o desempeño organizacional relacionado con las variables de análisis. Los principales resultados sugieren que el gobierno del riesgo compuesto por el compromiso de la alta dirección y la estructura para la gestión de riesgos impactan positivamente su desarrollo. Se evidencia que las prácticas y herramientas integradas por los mapas de riesgos y las medidas de tratamiento que se definen tienen una correlación positiva sobre la madurez de la administración de riesgos en las empresas. Al final se presentan las discusiones e implicaciones de los principales hallazgos enconados, que sirve de base para el fortalecimiento de la administración de riesgos en economías emergentes.

Palabras clave: gobierno del riesgo; prácticas y herramientas; desarrollo de la administración de riesgos

INTRODUCTION

Enterprise risk management (ERM) is an increasingly relevant topic, driven by rising technology risks (Suarez-Paba & Cruz, 2022), environmental challenges facing societies, for example, climate change (Kaufmann & Wiering, 2022), and, especially in recent years, the development of regulatory frameworks and the increasing complexity of risks (Lechner & Gatzert, 2017). Events such as international financial crises, changes in foreign exchange rates, and tragedies caused by natural disasters, terrorist attacks, and other occurrences make it necessary for companies to seek a response to these risks (Mejia, 2017). This need involves the challenge to manage risks comprehensively through an ERM system, including strategic, operational, and financial risks, among others (Ai et al., 2018). Even established companies that have been in the market for several years could go bankrupt if they fail to manage these events (Collins, 2010).

This study analyzed the impact of senior management commitment, risk management structure, risk maps, and risk treatment measures on ERM development. Surveys were applied to large private companies in the city of Medellin, Colombia, to observe their risk identification techniques, risk response strategies, and the support and importance of this issue for the company, among other aspects that determine the key variables required for an effective ERM.

The results show that senior management commitment is essential to help companies build ERM support structures, create risk maps, and bolster decisionmaking to respond to risks based on specific treatment measures, thereby entailing the development of ERM. Therefore, they become key factors for companies that aim to increase the maturity level of their risk management systems.

The study first presents the theoretical framework used in the research and a review of previous studies, from which hypotheses are derived. Subsequently, it describes the methodology used to answer the research objective, along with how each of the variables found in the models are measured. Then, the results of the surveys conducted during the fieldwork are presented, while the final section is dedicated to discussion and conclusions.

THEORETICAL FRAMEWORK, PREVIOUS STUDIES, AND HYPOTHESIS DEVELOPMENT

Understood as a set of activities aimed at managing possible internal or external threat situations to create value and fulfil objectives and goals, ERM is applicable to all types of organizations, of different ages, sizes, and sectors (ISO 31000, 2018); therefore, administrators are increasingly encouraged to implement risk management practices (Manama et al., 2020). Companies that adopted ERM have significantly reduced the cost of capital, thereby creating value for the organization (Berry-Stölzle & Xu, 2018) and improving the effectiveness of service delivery (Manama et al., 2020). However, ERM development levels vary according to the characteristics of each company (Mejia et al., 2017; Marsh & RIMS, 2018), and risk management systems are not always flexible enough to model the complexity of the risk management process (Castro et al., 2012).

Companies in developing Latin American countries have shown great ERM development and implementation (Marsh & RIMS, 2016), owing to different situations such as the sector to which they belong, their size, the regulations governing them, their financial capacity, expected investments in these purposes, and awareness of the importance of creating a risk-based thinking culture for all its members (Mejia et al., 2017; Marsh & RIMS, 2018).

To identify ERM maturity, models measuring the development level of these systems in different organizations are created to describe their state and determine their weaknesses and strengths according to the attributes, variables, and elements to be assessed (Hillson, 1997; Wieczorek-Kosmala, 2014; Oliva, 2016; Zhao et al, 2015).

Maturity models have been designed to evaluate different ERM variables, such as risk governance, risk practices and tools, risk reporting and communication, and risk management function alignments (FERMA, 2012). Risk governance has taken on great importance in recent years, including tacit knowledge, experience, and the expertise of decision makers (Klinke & Renn, 2021). Other authors describe the groups in terms of senior management commitment, risk management structure, defined guidelines, a risk-conscious culture, risk appetite and tolerance, as well as risk identification, analysis, and response, among other elements that establish development criteria reflecting the characteristics of an advanced or successful risk management practice (Zhao et al., 2015).

The present study used the FERMA maturity model as a reference, because its elements allow for a comprehensive overview of the fundamental components of ERM for any type of organization, in addition to grouping in a coherent way the framework of reference, stages, methodologies, and other essential aspects of the system.

One of the key elements where maturity models coincide regarding what an organization needs to transcend the problem of risk is ensuring senior management commitment (Antonucci, 2016; Villanueva et al., 2017)-its importance for a company, a clear understanding of the board's role in risk-based decision-making and defining guidelines that enable the organization to achieve its corporate strategy (Ali et al., 2022; Andersen et al., 2014).

Likewise, senior management commitment to ERM enables the structuring of a platform that comprises the resources needed to achieve the expected results in organizational management (Haimes, 1992; Mejia, 2006), along with directing employee activities according to their abilities in line with the behaviours required by the organization for value creation (Pereira, 2014).

The stronger the ERM, the greater the company's capabilities will be to produce visible benefits (Marsh & RIMS, 2018) in financial terms, decision-making, and organizational improvement. In accordance with the above, the following hypothesis is proposed:

H1: Senior management commitment has a positive correlation with ERM.

The effectiveness of ERM systems does not depend only on senior management commitment and the existing guidelines and policies, but also on the way they are implemented, showing thereby that appropriate risk management structures can strengthen a company's risk culture and, consequently, the overall development of its management (Sheedy & Griffin, 2018).

Therefore, it is important to establish structures that support and facilitate this practice, in addition to defining responsibilities related to the subject, with a view of complying with risk and control functions (Institute of Internal Auditors, 2013; Nguyen, 2022). To this end, different roles are established at all corporate levels, ranging from the board of directors, executive management, chief risk officer, business unit management and process/risk owners, independent risk management and compliance functions, to the system's internal and external audit functions (Beasley et al., 2005; Protiviti, 2013), which aims to protect the organization against exposure to situations that may threaten its continuity and sustainability over time. Thus, the following hypothesis is formulated:

H2: Risk management structure has a positive correlation with ERM.

Risk identification, analysis, and response are part of the process stages that must be carried out in an organization for a better understanding of the internal and external variables that may affect it, analyzing them in a timely manner to achieve enterprise risk prioritization (COSO, 2017). These elements are presented through risk maps.

Risk maps correspond to the graphic representation of these events, according to the probability of their occurrence and the impact they could generate (Chapman, 2006). They are usefule to provide a clear, agile vision of the organizational reality and to make pertinent decisions. These maps can be created at a strategic, operational, financial, and project level (ISO 31000, 2018) for business units, contracts, products, and other areas of analysis established by each organization. Based on the above, the following hypothesis can be established:

H3: Risk maps have a positive correlation with ERM.

Risk maps help establish appropriate risk treatment measures to manage these events and thereby make decisions to control situations that may pose a threat to the company (Standards Australia/Standards New Zealand, 2004). These measures include avoiding, reducing, or mitigating the probability and consequences of transferring or retaining the risk (Andersen et., 2014; ISO 31000, 2018).

Likewise, the control and assessment of potential business threats becomes an ERM priority. Key risk indicators provide information that can generate an early warning system for the company at the operational, tactical, and strategic levels (Scarlat et al., 2012).

Thus, when a risk management process is implemented by using the appropriate techniques and tools for each process stage, significant progress can be made in the development of risk management and, consequently, in organizational management (Marsh & RIMS, 2018). Thus, based on the literature review, the following hypothesis is structured:

H4: Risk treatment measures have a positive correlation with ERM.

According to the previously described criteria included in the framework of an ERM system, measured by existing maturity models, when a company has rigorously applied these criteria, the level of risk management implementation can be considered as high (Marsh & RIMS, 2018; Zhao et al., 2015). The above mentioned four hypotheses are summarized in Figure 1.

Source: Author's elaboration.

Figure 1 Proposed model of the relationship between risk governance, practices, and tools, and ERM development 

METHODOLOGY

Data collection

This study examines the influence of senior management commitment, risk management structure, risk maps, and risk treatment measures as key variables of ERM development. To this end, a quantitative approach is used to measure the impact of independent variables on a dependent one. The study population consisted of large private companies in Medellin, Colombia; namely, 343 large companies were selected using reports of the Medellin Chamber of Commerce. This initial selection was refined as the sample involved business groups that implemented centralized risk management; in these cases, only one company was included. Those that had less than 200 employees or those that did not have private capital were removed from the database. Eventually, 300 companies remained.

Sample size was determined using a 95% confidence interval and an error margin of 5%, which resulted in a sample of 168 companies that are representative of the population (Kerlinger & Lee, 2002). Data were collected through a questionnaire developed based on analysis variables derived from the literature review, which was validated with a risk consultant, a comprehensive risk management officer, and a risk management professor.

To ensure a significant response rate, a phone reminder strategy was used throughout the study, which resulted in a response rate of approximately 57%, equivalent to 170 observations. The questionnaires that were not answered in their entirety were eliminated, thereby leaving a database with 140 companies. Of these, 4.3% belong to the extractive sector (n=6), 26.4% to the manufacturing sector (n=37), 57.1% to the service sector (n=80), and 12.1% to the retail sector (n=17). In this sample, 29.3% have been in the market for less than 20 years, 37.8% for more than 20 years but less than 40 years, and the remaining 32.9% for more than 40 years.

Techniques for controlling non-response bias and common method bias

To ensure the absence of bias in the data, the non-response bias has been evaluated. In this case, the companies that participated in the study were compared in terms of size and age to the companies that received the survey instrument but did not respond it. The results reveal that there are no significant differences between the two groups (p<0.05).

However, in studies using information on organizational behaviour, different biases influencing the response process should be considered (Meade etal., 2007). Therefore, these possible influences have been controlled through two channels: first, in the survey design and application, and second, based on a statistical control.

While the study's focus is related to organizational behaviour and/or performance, we must guarantee that key informants-possibly managers or officials in charge of departments or branches-are completely assured that their answers are anonymous, without concerns of being evaluated or self-evaluating their own performance. The main advantage of this procedure is a control of possible information bias. Likewise, interviewees could be subconsciously looking for correlations between questions or relations between predictor variables and explained variables, distorting thus reality, and causing the common method bias (Podsakoff etal, 2003).

After assuring anonymity and responsibility in the design of the data collection instrument, a statistical control technique has been used. One of the most common techniques is the Harman single factor test (Meade et al., 2007; Rhee et al., 2010), which poses the hypothesis that if there is a significant amount of common method variance, either a single factor will emerge from the factor analysis or the first factor will account for most of the covariance (Podsakoff et al., 2003). Once tests were completed, the results showed different factors that indicated a high percentage of the total variance explained, as seen in the variables presented below. Therefore, no single factor has emerged from the Harman test. These results depict the measurement validity of the constructs used in the study.

Model variables

Age. This is a control variable used in the model to observe possible variations in companies that have been in the market for more or less time. The youngest company was 3 years old and the oldest was 144 years old. This variable has a mean of 38.82 and a standard deviation of 23.71; thus, due to such a high dispersion, we used its natural logarithm to include it in the model.

Size. This is also a control variable that makes it easy to consider differences that could arise from difference in the company's number of employees. The company with the smallest number of employees had 200, and the one with the highest number had 17,000 employees. The mean of this variable is 1,075.21 and its standard deviation is 1,812.17; due to high dispersion, we included its natural logarithm in the model.

Senior management commitment. The internal consistency of the survey is assessed by applying an exploratory factor analysis to evaluate factorial dimensionality and validity on senior management commitment and associated benefits. This was measured by using five questions on a 5-point scale about resource adequacy, financial benefits, organizational improvement, decision-making benefits, and effective senior management commitment, all with respect to ERM (FERMA, 2012).

This factor has statistics such as a Kaiser-Meyer-Olkin (KMO) value of 0.882, Bartlett's test of sphericity with p<0.01, and Cronbach's alpha = 0.921.

Risk management structure. This factor is measured by using four questions on a 5-point scale identifying whether the organization had an office coordinating risk management, carried out an independent system evaluation, defined responsibilities, or followed international standards (FERMA, 2012). This factor presented a KMO value = 0.717, Bartlett's test of sphericity with p<0.01, and Cronbach's alpha = 0.658, indicating internal consistency of both factors (Hair et al., 1999).

Risk maps. This factor was measured by using three questions on a 5-point scale, related to the creation of risk maps in business units, enterprise risk maps, and risk map periodic review. This presented statistics such as a KMO value = 0.730, Bartlett's test of sphericity of less than 0.01, and Cronbach's alpha of 0.888.

Risk treatment measures. To measure this factor, four questions were asked on a 5-point scale about the implementation of risk control measures, risk financing measures, the use of indicators, and the use of this information in decision-making. These questions present a KMO value = 0.802, a Bartlett's test of sphericity of less than 0.01, and Cronbach's alpha of 0.869.

ERM development. This is the dependent variable of the model. Four questions identified in the literature review were applied to generate the ERM development factor measured on a 5-point scale, where questions related to ERM development over the last 10 years were asked, comparing this development with international standards, companies in the same sector, and relevant regulations (FERMA, 2012). The KMO value (0.800), Bartlett's test of sphericity (0.000), and Cronbach's alpha (0.888) were applied to the four questions, which enabled factor validation.

Multivariate analysis. Two control variables (age and size) are used in the research model. The independent variables are senior management commitment, risk management structure, risk maps, and risk treatment measures, which, according to the literature, directly affect the dependent variable-ERM development. Therefore, we decided to implement a multiple linear regression that is part of the multivariate analysis technique, since it explains the effect that one or more variables can exert on the other(s) (Hair et al., 1999).

RESULTS

Before performing a regression analysis, we present a matrix that shows possible correlations between the independent variables to detect multicollinearity. As evidenced in Table 1, the independent variables are not highly correlated; thus, there are no multicollinearity issues.

Table 1 Correlation Matrix 

Note: *** p<0.01, ** p<0.05, * p<0.1.

Source: Author's elaboration.

The research hypotheses were tested using hierarchical multiple regression models to check the influence of independent variables on the dependent variable. As a result, four regression models are presented, noting variations in the explanatory power of each model when entering or removing any independent variable and showing changes in the meanings of some variables (see Table 2).

Table 2 Regression Analysis Output 

Note: *** p<0.01, ** p<0.05, *p<0.1. The data in the table show standardized coefficients, and the associated standard errors are in parentheses.

Source: Author's elaboration.

As seen in Table 2, regression Model 1 only includes the control variables (age and size) that do not have a significant relation for the companies studied. Regression Model 2 is made up of control variables and the independent variables of senior management commitment and risk management structure. Both independent variables have a positive and significant relationship with ERM development at a 99% confidence level (p<0.01) in both cases. Moreover, the explanatory power of this model is increased up to 55.9%, which indicates that the companies promoting and supporting ERM through senior management-using a coherent risk management structure-achieve a higher level of ERM development. This allows us to accept hypotheses HI and H2.

Regression Model 3 includes control variables and the independent variables of risk maps and risk treatment measures. The two control variables still have no significant correlation with ERM development. However, in the case of both independent variables, a positive and significant relationship was found with ERM development, both at a 99% confidence level QkO.01). This indicates that the companies that have created risk maps and designed treatment measures to respond to potential risks depending on the severity they represent for the company will have a positive impact on ERM development. Thus, hypotheses H3 and H4 are also acceptable since the adjusted R-squared value of this model is 0.511.

Regression Model 4 contains all variables examined in this study associated with ERM development. It shows that the control variables have no significant relationship as in the previous models and that all variables continue to have a positive and significant relationship. This model has high explanatory power regarding the study variable as it increases up to 60.3%.

DISCUSSIONS AND CONCLUSIONS

This study contributes to ERM theory insofar as it establishes a direct relationship between factors that are fundamental when evaluating the development level of this practice in an organization; thereby, it helps organizations determine when they need to begin designing and implementing risk systems or when they need to improve and/or strengthen existing ones. Likewise, some variables can be identified as not having a direct influence on this phenomenon.

As for the control variables, it is worth noting that the company's age is not associated with the level of ERM development. This can be the case because today environment dynamics, exposure to risks, and regulations regarding this issue have generated greater awareness in companies with regard to the importance of managing possible risks, regardless of their age.

The variable of size does not influence ERM development. Although all the companies in the study were large (with more than 200 employees), there was a vast difference between the smallest (200 employees) and the largest one (17,000 employees). These results suggest that not necessarily the largest companies are the ones who can develop their ERM systems to a greater extent, but that there are other factors that do influence this purpose.

Among the variables of risk governance, senior management commitment was analyzed as one of the key factors driving ERM, regardless of the organization's size and/or age, which supports what was previously found in the literature (Suarez-Paba & Cruz, 2022). Thus, this variable has a directly proportional relationship, implying that people fulfilling a managerial role in a company could motivate or discourage efforts made to implement an ERM system. These results are consistent with other studies (Acik et al., 2021; Pereira, 2014; Villanueva et al., 2017), which found that senior management, owing to its authority or importance in the company, can direct employee actions towards achieving fundamental goals, such as risk management, to increase the company's value. These results reinforce the importance of the discourse of risk governance that was found in another recent investigation (Kaufmann &Wiering,2022).

The results also suggest that risk management structure is another key factor in ERM development, which is consistent with a recent study (Nguyen, 2022), because an office or unit in charge of coordinating risk management activities can help assign responsibilities throughout the company to reach relevant goals and, at the same time, generates greater commitment from all personnel to promote said development. This supports what has been found in other studies, such as that of Sheedy and Griffin (2018), which identified that risk management structures help build company culture and facilitate risk management.

Additionally, among the variables derived from practices and tools, risk maps are notable as another variable positively related to ERM development. This indicates that creating risk maps at different organizational levels and updating them periodically generates a risk response system of greater maturity. This is important since business environments rapidly change; therefore, it is necessary to keep abreast of new situations that the company might face. These findings are consistent with what Marsh and RIMS (2018) found, namely that companies that use techniques and tools such as risk maps may achieve greater progress in implementing ERM systems.

Risk treatment measures is the fourth factor identified in the results of this study, which are also part of the practices and tools and play an important role in ERM development. Thus, risk control and financing methods, the recording of events to decide appropriate response measures, and the use of advance alert monitoring and evaluation systems in the organization entail a significant development of the ERM system.

Implications for academic and business environments

This study has theoretical implications for ERM because it identifies the main variables for its development. As for risk governance, the results suggest that it is very important to focus on senior management commitment and risk management structure to develop ERM. This makes it easier to assimilate risk management guidelines at different organizational levels.

After analyzing the variables of this study related to risk governance, practices, and tools, several implications can be established for the academia, such as the possibility of incorporating more academic content related to the subject from different disciplines, allowing thus for a greater dissemination and awareness of the problems of an economy lacking this conceptual clarity. Likewise, another implication is the possibility to associate variables that may have a greater impact on the development of ERM systems, to strengthen the theoretical aspects dealing with these elements. Although well-supported by some studies at the national and international level, theory could benefit from further research on the combination of these and other variables, which will provide guidance for future lines of research. This will allow companies to focus their efforts on ERM practices and the benefits they bring in terms of system development and maturity.

In the development of theory, this study validates the scales of risk governance, practices, and tools, related to ERM development. This research contributes to highlighting the importance of defining roles and responsibilities in relation to risk management, guidelines, and directives on risk culture and communication, which allows transparency and trust in management.

The implications related to business environment show that senior management commitment, risk management structure, enterprise risk maps, and risk treatment measures that focus on mitigating potential risks promote the development and maturity level of ERM systems; in turn, they also demonstrate the benefits and value creation generated by this practice in decision-making and the achievement of business goals at different organizational levels.

There are also other elements that should be implemented to further the maturity of ERM systems. However, the elements tested in this study provide an important source of information, which will allow the company to be more coherently aligned with its current business priorities, achieve the results expected in this regard, and subsequently move to the next level, reaching other elements that theoretically form part of these organizational management systems.

Limitations and future lines of research

This study mainly focuses on large Colombian private companies. Future research could consider comparative analyses between different countries, enabling thus the study of other important components for ERM development, such as regulations specific to each context, to strengthen risk management practices in emerging markets. However, as this study examines aspects of the ERM design, other studies may focus on the implementation stage, which is also related to support from senior management (Beasley et al, 2005). This would allow the analysis of different stages that must be carried out when using an ERM system.

The limitation of this study is related to the fact that it analyzes factors that had an impact on ERM development. Further research could determine whether the analysis of this criterion variable is associated with value creation to verify risk theory (Hoyt& Liebenberg, 2011), which would support the importance of this type of systems in companies. It is also necessary to look further into the corporate governance variable and its role regarding ERM, as it is becoming increasingly relevant to understand the relationship among these variables (Bromiley et al, 2011) dueto the great impact of corporate governance on the entrepreneurial decision-making process, such as promoting risk management.

For future research, the relationship between internal audit performance and ERM development could be examined, as well as the relationship level between the financial results of the companies of the study and their ERM maturity level, associated with tangible benefits that this discipline provides to companies. Similarly, databases that include public financial information could be used as future data sources.

Methodologically this study analyses a cause-effect relationship through hierarchical linear modelling. Future studies could consider using econometric models that allow simultaneous interrelationships between different dimensions proposed in this study, as well as the constructs emerging from them, such as practices, tools, and risk governance. This would generate more explanatory models of causality between these constructs, their dimensions, and ERM development, such as structural equation modelling. Similarly, further analyses, particularly considering the effects that interaction between third variables (mediators or moderators) generate on risk management research, would provide new evidence on the relationship between predictor (independent) variables and the criterion variable (ERM development).

ACKNOWLEDGMENT

We thank the anonymous reviewers for their constructive comments, which significantly improved the article. We also thank the companies that participated in the study

REFERENCES

1. Acik, A. C., Trott, P., & Cinar, E. (2021). Risk governance approach to migration: a viable alternative to precautionary management. Journal of Risk Research, 1-20. https://doi.org/10.1080/13669877.2021.1957984. [ Links ]

2. Ai, J., Bajtelsmit, V., & Wang, T. (2018). The combined effect of enterprise risk ma-nagement and diversification on property and casualty insurer performance. Journal of Risk and Insurance, 85(2), 513-543. https://www.jstor.org/stable/26482945. [ Links ]

3. Ali, W., Alasan, I. I., Khan, M. H., Ali, S., Cheah, J. H., & Ramayah, T. (2022). Competitive strategies-performance nexus and the mediating role of enterprise risk management practices: a multi-group analysis for fully fledged Islamic banks and conventional banks with Islamic window in Pakistan. International Journal of Islamic and Middle Eastern Finance and Management, 15(1), 125-145. https://doi.org/10.1108/IMEFM-06-2020-0310. [ Links ]

4. Andersen, T. J., Garvey, M., & Roggi, O. (2014). Managing Risk and Opportunity.Oxford University Press. [ Links ]

5. Antonucci, D. (2016). Risk Maturity Models: How to Assess Risk Management Effectiveness. London; Philadelphia: Kogan Page Limited. [ Links ]

6. Beasley, M. S., Clune, R., & Hermanson, D. R. (2005). Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy, 24(6), 521-531. https://doi.org/10.1016/j.jaccpubpol.2005.10.001. [ Links ]

7. Berry-Stölzle, T. R., & Xu, J. (2018). Enterprise risk management and the cost of capital. Journal of Risk and Insurance, 85(1), 159-201. https://doi.org/10.1111/jori.12152. [ Links ]

8. Bromiley, P., McShane, M., Nair, A., & Rustambekov, E. (2015). Enterprise risk management: Review, critique, and research directions. Long Range Planning, 48(4), 265-276. https://doi.org/10.1016/j.lrp.2014.07.005. [ Links ]

9. Castro, L. M., Gulías, V. M., Abalde, C., & Jorge, J. S. (2012). Managing the risks of risk management. Journal of Decision Systems, 17(4), 501-521. https://doi.org/10.3166/jds.17.501-52110. [ Links ]

10. Chapman, R. J. (2006). Simple Tools and Techniques for Enterprise Risk Management. Chichester, West Sussex: John Wiley and Sons, Ltd. [ Links ]

11. Collins, J. (2010). Cómo caen los poderosos y por qué algunas compañías nunca se rinden. Bogotá, Colombia: Grupo Editorial Norma. [ Links ]

12. Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2017). Enterprise risk management-Integrating with strategy and performance. New York: COSO. [ Links ]

13. Federation of European Risk Management Associations (FERMA). (2012). FERMA European Survey 2012. ERM Maturity. Key Findings. https://www.eiseverywhere.com/file_uploads/b377564d6b7d7759c3eeac8cd35d7042_SurveyPtI-DPageaudEY.pdfLinks ]

14. Haimes, Y. Y. (1992). Toward a holistic approach to total risk management. Geneva Papers on Risk and Insurance. Issues and Practice, 17(64), 314-321. https://www.jstor.org/stable/41952107Links ]

15. Hair, J., Anderson, R., Tatham, R., & Black, W. (1999). Análisis multivariante (5a ed.). Madrid: Prentice Hall. [ Links ]

16. Hillson, D. A. (1997). Towards a risk maturity model. The International Journal of Project e Business Risk Management, 1(1), 35-45. [ Links ]

17. Hoyt, R. E., & Liebenberg, A. P. (2011). The value of enterprise risk management. Journal of Risk and Insurance, 78(4), 795-822. https://www.jstor.org/stable/41350401Links ]

18. Institute of Internal Auditors. (2013). The three lines of defense in effective risk mana-gement and control. Florida: The Institute of Internal Auditors. [ Links ]

19. International Organization for Standardization (ISO). (2018). ISO 31000. Risk management. Switzerland: ISO. [ Links ]

20. Kaufmann, M., & Wiering, M. (2022). The role of discourses in understanding institutional stability and change-an analysis of Dutch flood risk governance. Journal of Environmental Policy and Planning, 24(1), 1-20. https://doi.org/10.1080/1523908X.2021.1935222Links ]

21. Kerlinger, F., & Lee, H. (2002). Investigación del comportamiento. Métodos de investigación en ciencias sociales (4th ed.). Mexico D.F: McGraw-Hill. [ Links ]

22. Klinke, A., & Renn, O. (2021). The Coming of Age of Risk Governance. Risk Analysis, 41(3), 544-557. https://doi.org/10.1111/risa.13383Links ]

23. Lechner, P., & Gatzert, N. (2017). Determinants and value of enterprise risk mana-gement: empirical evidence from Germany. The European Journal of Finance, 24(2), 1-27. https://doi.org/10.1080/1351847X.2017.1347100Links ]

24. Mahama, H., Elbashir, M., Sutton, S., & Arnold, V. (2020). New development: Enabling enterprise risk management maturity in public sector organizations. Public Money and Management, 1-5. https://doi.org/10.1080/09540962.2020.1769314Links ]

25. Marsh and Risk and Insurance Management Society (RIMS). (2016). La gestión de riesgos en Latinoamérica. Evolución, tendencias y oportunidades. 2o Benchmark en gestión de riesgos en Latinoamérica. Marsh LLC. [ Links ]

26. Marsh and Risk and Insurance Management Society (RIMS). (2018). Reimagine Risk. Navegando la incertidumbre. III Benchmark de gestión de riesgos en Latinoamérica. Marsh LLC. [ Links ]

27. Meade, A. W., Watson, A. M., & Kroustalis, C. M. (2007). Assessing common methods bias in organizational research. Paper presented at the 22nd Annual Meeting of the Society for Industrial and Organizational Psychology, New York, Abril 2007. [ Links ]

28. Mejía, R. (2006). Administración de riesgos: un enfoque empresarial. Medellín, Colombia: Fondo Editorial Universidad EAFIT. [ Links ]

29. Mejía, R. (2017). Introducción. In R. Mejía, M. A. Nuñez, & I. Martins (Eds.), Administración de riesgos empresariales en Colombia, México y Argentina (pp. 15-28). Medellín, Colombia: Editorial Eafit. [ Links ]

30. Mejía, R., Nuñez-Patiño, M. A., & Villanueva, E. (2017). Resultados, retos y tenden-cias del diagnóstico de la administración de riesgos empresariales. In R. Mejía, M. A. Nuñez-Patiño, & I. Martins (Eds.), Administración de riesgos empresariales en Colombia, México y Argentina. (pp. 191-205). Medellín, Colombia: Editorial Eafit . [ Links ]

31. Nguyen, Q. K. (2022). Determinants of bank risk governance structure: A cross-country analysis. Research in International Business and Finance, 60, 101575. https://doi.org/10.1016/j.ribaf.2021.101575Links ]

32. Oliva, F. L. (2016). A maturity model for enterprise risk management. International Journal of Production Economics, 173(C), 66-79. https://doi.org/10.1016/j.ijpe.2015.12.007Links ]

33. Pereira, A. (2014). Liderazgo líquido: una propuesta para enfrentar la incertidumbre y riesgo. Pensamiento y Gestión, (37), 97-113. [ Links ]

34. Podsakoff, P. M., MacKenzie, S. B., Lee, J. Y., & Podsakoff, N. P. (2003). Common method biases in behavioral research: A critical review of the literature and recommended remedies. Journal of Applied Psychology, 88(5), 879-903. https://doi.org/10.1037/0021-9010.88.5.879Links ]

35. Protiviti. (2013). Applying the Five Lines of Defense in Managing Risk. The Bulletin, 5(4). https://www.protiviti.com/UK-en/insights/bulletinv5-i4Links ]

36. Rhee, J., Park, T., & Lee, D. H. (2010). Drivers of innovativeness and performance for innovative SMEs in South Korea: Mediation of learning orientation. Technovation,30(1), 65-75. https://doi.org/10.1016/j.technovation.2009.04.008Links ]

37. Scarlat, E., Chirita, N., & Bradea, I.-A. (2012). Indicators and metrics used in the enterprise risk management (ERM). Economic Computation and Economic Cybernetics Studies and Research,(4),5-18. [ Links ]

38. Sheedy, E., & Griffin, B. (2018). Risk governance, structures, culture, and behavior: A view from the inside. Corporate Governance: An International Review, 26(1):4-22. https://doi.org/10.1111/corg.12200Links ]

39. Standards Australia/Standards New Zealand. (2004). Australian/New Zealand Standard. Risk management.AS/NZS-4360. Sydney, Australia: Standards Australia /Standards New Zealand. [ Links ]

40. Suarez-Paba, M. C., & Cruz, A. M. (2022). A paradigm shift in Natech risk management: Development of a rating system framework for evaluating the performance of industry. Journal of Loss Prevention in the Process Industries, 74, 104615. https://doi.org/10.1016/j.jlp.2021.104615Links ]

41. Villanueva, E., Martínez, D., Quintero, D., Vahos, J. E., & Marín, Y. (2017). El papel de la alta gerencia en el desarrollo de la administración de riesgos. Caso Medellín, Colombia. In R. Mejía, M. A. Nuñez-Patiño , & I. Martins (Eds.), Administración de riesgos empresariales en Colombia, México y Argentina (pp. 49-74). Medellín, Colombia: Editorial Eafit . [ Links ]

42. Wieczorek-Kosmala, M. (2014). Risk management practices from risk maturity models perspective. Journal of East European Management Studies, 19(2), 133-159. https://www.jstor.org/stable/24330969Links ]

43. Zhao, X., Hwang, B. G., & Low, S. P. (2015). Risk management and enterprise risk mana-gement in enterprise risk management in international construction operations. Singapore: Springer. [ Links ]

FUNDING This work was supported and funded by Universidad EAFIT.

Received: June 06, 2021; Revised: August 15, 2021; Accepted: November 30, 2021

CONFLICT OF INTEREST STATEMENT

On behalf of all authors, the corresponding author states that there is no conflict of interest.

Creative Commons License This is an open-access article distributed under the terms of the Creative Commons Attribution License