(In)Consistency Between Private and Public Disclosure on Enterprise Risk Management and Its Determinants

  • Conference paper
Multiple Perspectives in Risk and Risk Management

Abstract

Governance organizations and regulators worldwide have recently called for enhanced disclosures about how organizations manage risks. Enterprise Risk Management (ERM) is recognized as a value-contributing best practice even when legal standards do not require it (Whitman in Risk Manag Insur Rev 18(2):161–197, 2015), but public disclosure on such a process is not generally mandatory. In Italy, emphasis on risk disclosure started in 2008, but it was the 2011 revision of the Corporate Governance (CG) code for listed companies that asked for the board’s commitment to disclose, within the CG report, the main characteristics of the internal control and risk management system (Borsa Italiana in Codice di Autodisciplina, 2011). Given the proprietary nature of risk information, the characteristics of the Italian capital market (small capitalization and presence of a dominant shareholder), and the lack of any mandate on which specific aspects boards should disclose, the study investigates a potential variation between private and public disclosure on ERM. Relying on the ERM concepts provided by the COSO framework (2004), the author submitted a survey seeking information about ERM practices within Italian listed companies. This private information is compared to the public CG reports released by the same companies. The comparison shows that companies tend to privately reveal a more effective ERM process than the one they publicly disclose. An examination of the CG and firm risk variables potentially determining higher variation—i.e. information inconsistency—supports proprietary costs theory rather than agency theory expectations, thus showing the limits of voluntary disclosure dealing with risk management systems. The study might have international policy implications.

Notes

  1. An analysis of the MD&A section was done as a robustness check, but information about the risk management process is provided exclusively in the CG reports.

  2. In line with prior studies, to assure homogeneity of listing requirements, companies listed in the Star Segment and the Nuovo Mercato Segment have been excluded from the analysis (see Beretta and Bozzolan 2004; Florio and Leoni 2017).

  3. The sample size depends on several reasons. First, the high difficulty of data access in Italy and of building a dataset in this context, given the small size of the Italian stock market. Second, the complexity of collecting data on internal processes, as already highlighted by prior studies (Zimmerman 2001). Nevertheless, the overall response rate reflects about 30% of the total number of Italian listed companies (on average 255 in the main Italian market in the considered time span, excluding those companies not compliant with the CG code). In addition, the response rate is higher than in previous studies adopting the survey methodology (see Beasley et al. 2005; Paape and Speklé 2012). Further, many prior studies on risk disclosure have a similar sample size (see for instance, Beretta and Bozzolan 2004; Allini et al. 2016). Finally, considering that Italy is the 8th largest country in the world based on GDP and has had an advanced environment in terms of risk management disclosure since 2011, the data collected represent the ERM practices of a large part of the Italian market capitalization (about 40% of the total market capitalization in the years of analysis).

  4. The author is aware of the changed ERM definition in the recent COSO draft (2016), which states the following: “The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.” However, given the intention to investigate the level of ERM implementation in the Italian setting, the author chooses to rely on the most adopted framework at the period of analysis (Hayne and Free 2014; and as supported by results).

  5. Enterprise Risk Management—Integrated Framework Executive summary (2004).

  6. A detailed definition of each variable is provided in Table 5.

  7. Additional descriptive statistics not inserted in Table 5a show that ownership concentration in the sample is on average 47.86%.

  8. Multicollinearity was checked by the variance inflation factor (VIF) test. A VIF value of 1.22 for this model ruled out a multicollinearity problem. The IVprobit test for endogeneity displays no endogenous variables.

  9. The integration concept introduced by Arena et al. (2011) refers to how risks are governed within all levels and functions of an organization.

References

  • Abraham, S., Cox, P.: Analysing the determinants of narrative risk information in UK FTSE 100 annual reports. Br. Account. Rev. 39(3), 227–248 (2007)

  • Abraham, S., Shrives, P.J.: Improving the relevance of risk factor disclosure in corporate annual reports. Br. Account. Rev. 46(1), 91–107 (2014)

  • AICPA & NCSU: The State of Risk Oversight: An Overview of Enterprise Risk Management Practices. Available at: https://erm.ncsu.edu/az/erm/i/chan/library/AICPA_ERM_Research_Study_2016.pdf (2016)

  • AIDEA: “New Trends” in Business Economics and Management Studies Rewriting the Relationship between Business and Society. http://www.accademiaaidea.it/wpaidea/wp-content/uploads/2016/12/CFP-AIDEA-2017-ENG1.pdf (2017)

  • Allegrini, M., Greco, G.: Corporate boards, audit committees and voluntary disclosure: evidence from Italian listed companies. J. Manage. Governance 17(1), 187–216 (2013)

  • Allini, A., Manes Rossi, F., Hussainey, K.: The Board’s Role in Risk Disclosure: An Exploratory Study of Italian Listed State-Owned Enterprises. Public Money and Management (2016). http://dx.doi.org/10.1080/09540962.2016.1118935

  • Amran, A., Bin, A.M.R., Hassan, B.C.H.M.: Risk reporting: an exploratory study on risk management disclosure in Malaysian annual reports. Manag. Audit. J. 24(1), 39–57 (2009)

  • Arena, M., Arnaboldi, M., Azzone, G.: Is enterprise risk management real? J. Risk Res. 14(7), 779–797 (2011)

  • Ball, R., Kothari, S.P., Robin, A.: The effect of international institutional factors on properties of accounting earnings. J. Account. Econ. 29(1), 1–51 (2000)

  • Baxter, R., et al.: Enterprise risk management program quality: determinants, value relevance, and the financial crisis. Contemp. Account. Res. 30(4), 1264–1295 (2013)

  • Beasley, M., Branson, B., Pagach, D.: An analysis of the maturity and strategic impact of investments in ERM. J. Account. Public Policy 34(3), 219–243 (2015)

  • Beasley, M.S., Clune, R., Hermanson, D.R.: Enterprise risk management: an empirical analysis of factors associated with the extent of implementation. J. Account. Public Policy 24(6), 521–531 (2005)

  • Beasley, M., Pagach, D., Warr, R.: Information conveyed in hiring announcements of senior executives overseeing enterprise-wide risk management processes. J. Account. Audit. Financ. 23(3), 311–332 (2008)

  • Beretta, S., Bozzolan, S.: A framework for the analysis of firm risk communication. Int. J. Account. 39(3), 265–288 (2004)

  • Borsa Italiana: Codice di Autodisciplina. Available at: http://www.borsaitaliana.it/comitato-corporate-governance/codice/2011.pdf (2011)

  • Borsa Italiana: Codice di Autodisciplina. Available at: http://www.borsaitaliana.it/comitato-corporate-governance/codice/2015clean.pdf (2015)

  • Brown, I., Steen, A., Foreman, J.: Risk management in corporate governance: a review and proposal. Corp. Gov.: Int. Rev. 17(5), 546–558 (2009)

  • Buckby, S., Gallery, G., Ma, J.: An analysis of risk management disclosures: Australian evidence. Manag. Audit. J. 30(8/9), 812–869 (2015)

  • Campbell, J.L., et al.: The information content of mandatory risk factor disclosures in corporate filings. Rev. Account. Stud. 19(1), 396–455 (2014)

  • Chen, C.J.P., Jaggi, B.: Association between independent non-executive directors, family control and financial disclosures in Hong Kong. J. Account. Public Policy 19, 285–310 (2000)

  • Collier, P.M., Berry, A.J., Burke, G.T.: Risk and Management Accounting: Best Practice Guidelines for Enterprise-Wide Internal Control Procedures, vol. 2. No. 11. Elsevier (2007)

  • Cormier, D., Magnan, M.: Environmental reporting management: a continental European perspective. J. Account. Public Policy 22(1), 43–62 (2003)

  • COSO: Enterprise risk management—Aligning Risk with Strategy and Performance. Available on the internet at http://www.coso.org (2016)

  • COSO: Enterprise risk management. Available on the internet at http://www.coso.org (2004)

  • Courtnage, S.: Financial reporting of risk. Tolley’s Pract. Audit. Account. 9(6), 61–63 (1998)

  • Dobler, M.: Incentives for risk reporting: a discretionary disclosure and cheap talk approach. Int. J. Account. 43(2), 184–206 (2008)

  • Dobler, M., Lajili, K., Zéghal, D.: Attributes of corporate risk disclosure: an international investigation in the manufacturing sector. J. Int. Account. Res. 10(2), 1–22 (2011)

  • Ellul, A., Yerramilli, V.: Stronger risk controls, lower risk: evidence from U.S. bank holding companies. J. Finance 68(5), 1757–1803 (2013)

  • Elshandidy, T., Neri, L.: Corporate governance, risk disclosure practices, and market liquidity: comparative evidence from the UK and Italy. Corp. Gov.: Int. Rev. 23(4), 331–356 (2015)

  • Elshandidy, T., Fraser, I., Hussainey, K.: Aggregated, voluntary, and mandatory risk disclosure incentives: evidence from UK FTSE all-share companies. Int. Rev. Financ. Anal. 30, 320–333 (2013)

  • EU Parliament and Council: Directive 2001/65/CE, del 27 settembre 2001, che modifica le direttive 78/660/CEE, 83/349/CEE e 86/635/CEE per quanto riguarda le regole di valutazione per i conti annuali e consolidati di taluni tipi di società nonché di banche e di altre istituzioni finanziarie (2001)

  • EU Parliament and Council: Directive 2006/46/CE, del 14 giugno 2006, che modifica le direttive del Consiglio 78/660/CEE, relativa ai conti annuali di taluni tipi di società, 83/349/CEE, relativa ai conti consolidati, 86/635/CEE, relativa ai conti annuali e ai conti consolidati delle banche e degli altri istituti finanziari, e 91/674/CEE, relativa ai conti annuali e ai conti consolidati delle imprese di assicurazione (2006)

  • EU Parliament and Council: Directive 2013/36/UE, del 26 giugno 2013, sull’accesso all’attività degli enti creditizi e sulla vigilanza prudenziale sugli enti creditizi e sulle imprese di investimento, che modifica la direttiva 2002/87/CE e abroga le direttive 2006/48/CE e 2006/49/CE (2013)

  • European Parliament and Council: Regulation (UE) n. 575/2013, del 26 giugno 2013, relativo ai requisiti prudenziali per gli enti creditizi e le imprese di investimento e che modifica il regolamento (UE) n. 648/2012 (2013)

  • European Parliament and Council: Directive 2009/138/CE, del 25 novembre 2009, in materia di accesso ed esercizio delle attività di assicurazione e di riassicurazione (solvibilità II) (2009)

  • Florio, C., Leoni, G.: Enterprise risk management and firm performance: the Italian case. Br. Account. Rev. 49(1), 56–74 (2017)

  • Frigo, M.L., Anderson, R.J.: Strategic risk management: a foundation for improving enterprise risk management and governance. J. Corp. Account. Financ. 81–88 (2011)

  • Francis, J., Nanda, D.J., Olsson, P.: Voluntary disclosure, earnings quality, and cost of capital. J. Account. Res. 46(1), 53–99 (2008)

  • Giner, B., Ruiz, A., Cervera, N., Arce, A.: Accounting policy choice and the disclosure of segmental information: Spanish evidence. In: Paper Presented at the 20th EAA Annual Congress, Graz, April (1997)

  • Gordon, L.A., Loeb, M.P., Tseng, C.: Enterprise risk management and firm performance: a contingency perspective. J. Account. Public Policy 28(4), 301–327 (2009)

  • Hassan, M.K.: UAE corporations-specific characteristics and level of risk disclosure. Manag. Audit. J. 24(7), 668–687 (2009)

  • Hayne, C., Free, C.: Hybridized professional groups and institutional work: COSO and the rise of enterprise risk management. Account. Organ. Soc. 39(5), 309–330 (2014)

  • Healy, P., Palepu, K.: Information asymmetry, corporate disclosure, and the capital markets: a review of the empirical disclosure literature. J. Account. Econ. 31, 405–440 (2001)

  • Hoyt, R.E., Liebenberg, A.P.: The value of enterprise risk management. J. Risk Insur. 78(4), 795–822 (2011)

  • IIRC: The International Integrated Reporting Framework. www.theiirc.org (2013)

  • IRDCEC: Documento n. 1. La Relazione sulla Gestione. Alcune considerazioni. Roma: Istituto di Ricerca dei Dottori Commercialisti e degli Esperti Contabili (2008)

  • Jensen, M.C., Meckling, W.H.: Theory of the firm: managerial. J. Financ. Econ. 3, 305–360 (1976)

  • Jordan, S., Jørgensen, L., Mitterhofer, H.: Performing risk and the project: risk maps as mediating instruments. Manag. Account. Res. 24(2), 156–174 (2013)

  • Kajüter, P.: Risk disclosures of listed firms in Germany: a longitudinal study. In: 10th Financial Reporting & Business Communication Conference, July, Cardiff Business School: Unpublished (2006)

  • Lajili, K.: Board characteristics, ownership structure and risk disclosures: Canadian evidence. In: 30th Annual Congress of the European Accounting Association, April, Lisbon: Working Paper (2007)

  • Lajili, K., Zeghal, D.: A content analysis of risk management disclosures in Canadian annual reports. Can. J. Adm. Sci. 22(2), 125–142 (2005)

  • Leuz, C.: Proprietary versus Non-Proprietary Disclosures: Voluntary Cash Flow Statements and Business Segment Reports in Germany. Working Paper, Department of Business and Economics, Johann Wolfgang Goethe-Universitat, Frankfurt (1999)

  • Linsley, P.M., Shrives, P.J.: Examining risk reporting in UK public companies. J. Risk Financ. 6(4), 292–305 (2005)

  • Linsley, P.M., Shrives, P.J.: Risk reporting: a study of risk disclosures in the annual reports of UK companies. Br. Account. Rev. 38(4), 387–404 (2006)

  • Marshall, A., Weetman, P.: Information asymmetry in disclosure of foreign exchange risk management: can regulation be effective? J. Econ. Bus. 54, 31–53 (2002)

  • Maizatulakma, A., et al.: Risk management disclosure: a study on the effect of voluntary risk management disclosure toward firm value. J. Appl. Account. Res. 16(3), 400–432 (2015)

  • McShane, M.K., Nair, A., Rustambekov, E.: Does enterprise risk management increase firm value? J. Account. Audit. Financ. 26(4), 641–658 (2011)

  • Miihkinen, A.: What drives quality of firm risk disclosure? The impact of a national disclosure standard and reporting incentives under IFRS. Int. J. Account. 47(4), 437–468 (2012)

  • Mikes, A.: Risk management and calculative cultures. Manag. Account. Res. 20(1), 18–40 (2009)

  • Murphy, K.J.: Reporting choice and the 1992 proxy disclosure rules. J. Account. Audit. Financ. 11(3), 497–515 (1996)

  • NCSU & Protiviti.: Executive Perspectives on Top Risks for 2016. Key Issues Being Discussed in the Boardroom and C-Suite. Research Conducted by North Carolina State University’s ERM Initiative and Protiviti. Available at: https://www.protiviti.com/sites/default/files/united_states/insights/nc-state-protiviti-survey-top-risks-2016.pdf (2016)

  • OECD: Risk Management and Corporate Governance, OECD Publishing. Available at: http://dx.doi.org/10.1787/9789264208636-en (2014)

  • Oliveira, J., Lima Rodrigues, L., Craig, R.: Risk-related disclosures by non-finance companies. Manag. Audit. J. 26(9), 817–839 (2011)

  • O’Sullivan, N.: The impact of board composition and ownership on audit quality: evidence from large UK companies. Br. Account. Rev. 32(4), 397–414 (2000)

  • Paape, L., Speklé, R.F.: The adoption and design of enterprise risk management practices: an empirical study. Eur. Account. Rev. 21(3), 533–564 (2012)

  • Patelli, L., Prencipe, A.: The relationship between voluntary disclosure and independent directors in the presence of a dominant shareholder. Eur. Account. Rev. 16(1), 5–33 (2007)

  • Prencipe, A.: Proprietary costs and determinants of voluntary segment disclosure: evidence from Italian listed companies. Eur. Account. Rev. 13(2), 319–340 (2004)

  • Rothbauer, P.: Triangulation. In: Given, L. (ed.) The SAGE Encyclopedia of Qualitative Research Methods. Sage Publications, Beverly Hills (2008)

  • Standard and Poor’s: Methodology: Management and Governance Credit Factors for Corporate Entities and Insurers. S&P, New York (2012)

  • Tao, N.B., Hutchinson, M.: Corporate governance and risk management: the role of risk management and compensation committee. J. Contemp. Account. Econ. 9, 83–99 (2013)

  • Tufano, P.: Who manages risk? An empirical examination of risk management practices in the gold mining industry. J. Financ. 51(4), 1097–1137 (1996)

  • Whitman, A.F.: Is ERM legally required? Yes for financial and governmental institutions, no for private enterprises. Risk Manag. Insur. Rev. 18(2), 161–197 (2015)

  • Woods, M.: A contingency theory perspective on the risk management control system within Birmingham City Council. Manag. Account. Res. 20(1), 69–81 (2009)

  • Woods, M., Dowd, K., Humphrey, C.: Market risk reporting by the world’s top banks: evidence on the diversity of reporting practice and the implications for international accounting harmonisation. Span. Account. Rev. 11(2), 9–41 (2008)

  • Verrecchia, R.E.: Discretionary disclosure. J. Account. Econ. 5, 179–194 (1983)

  • Zimmerman, J.L.: Conjectures regarding empirical managerial accounting research. J. Account. Econ. 32(1–3), 411–427 (2001)

Acknowledgements

The author is grateful to the editors and the reviewers for their insightful comments and the support provided during the review process. In its earlier version, the article benefited from the feedback provided by the attendees at the AIDEA conference, Rome, Italy, 14–15 September 2017, where the paper was awarded the Emerging scholar colloquium—Best Paper Award, and at the ERRN 8th European Risk Conference, Katowice, Poland, 20–21 September 2018.

Corresponding author

Correspondence to Silvia Panfilo.

Appendix: Survey

The survey questions about an ERM process were developed using the seven fundamental concepts defining ERM from the COSO framework as a basis. Twelve questions in the survey map to the seven fundamental concepts from COSO to operationalize them. Thus, scores on the 12 factors were created from the survey responses, and scores on the same 12 factors were created from the reading of the CG reports. Specifically, as summarized in Table 3, the first concept, defining ERM as a process that is ongoing and flowing through the entity, is composed of one factor identifying the extent of ERM implementation (Paape and Speklé 2012). The second concept relates to the extent of participation of people at every level of the organization. The two factors of which it is composed therefore ask about training activities (Beasley et al. 2015) and business plan resources allocated to the ERM process (NCSU & Protiviti report 2016), respectively. Both factors aim at widening the ERM scope among people within the organization.

The third fundamental concept is about application in strategy setting, and the corresponding factor therefore investigates the relation of ERM with strategic planning (Frigo and Anderson 2011; Beasley et al. 2015; COSO framework draft 2016). The fourth concept is composed of three factors investigating the identification and prioritization of risks, the methodology used for risk prioritization, and the extent of integration (see Note 9) in risk prioritization, to verify the application of the process across the enterprise (Arena et al. 2011; Paape and Speklé 2012). In particular, Arena et al. (2011), in their study based on the Italian setting, find that an entity’s risk evaluation method generally comprises a combination of qualitative and quantitative techniques. Other studies also find a combination of the two methodologies (Woods 2009; Jordan et al. 2013; Mikes 2009). Thus, for this factor, which is based on a three-point scale and relates to the methodology used for risk prioritization, a 1 is attributed only if both methodologies are applied by the company, 0 otherwise.

Then, according to the fifth concept, the ERM process needs to be designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite. A crucial element in identifying potential events is frequent communication in terms of risk reporting (Paape and Speklé 2012). Thus, the current study investigates the frequency of risk reporting and its temporal orientation (back vs. forward-looking). Considering the proactive aim of ERM, the coding choice is to attribute a 1 if respondents answer forward-looking, 0 otherwise.

The sixth concept relates to the ERM process’ ability to provide reasonable assurance to an entity’s management and board of directors. Beasley et al. (2005) is the first study identifying the Chief Risk Officer role (or a person having the same role but with a different title) as a good proxy for ERM effectiveness. The presence of such a person in charge of the process can provide the requested reasonable assurance of the ERM process (Baxter et al. 2013; Ellul and Yerramilli 2013). Another related factor providing assurance to the process is the frequency of risk managers’ meetings. Finally, the seventh concept, geared to the achievement of objectives in one or more separate but overlapping categories, is operationalized in a question asking for the level of comprehensiveness (i.e. range of risks) considered (Arena et al. 2011). Risks can be classified according to many overlapping categories linked to the companies’ goals, such as strategic, operative, compliance and reporting (COSO 2004; AICPA & NCSU 2016). A wider and more holistic level of risk comprehensiveness can contribute to overcoming a silo-based approach and to the achievement of the companies’ objectives.

For details on the survey/report factors and the corresponding five-point scale answers, see the following.

  • Concept 1. A process, ongoing and flowing through an entity

Item 1. How much has the Enterprise Risk Management (ERM) process been implemented?

  1. Risk management is mainly incident-driven; no plans exist to implement ERM.

  2. We actively control risk in specific areas (e.g. health & safety, financial risk); we are considering implementing a complete ERM.

  3. We identify, assess and control risk in specific areas; we are planning to implement a complete ERM.

  4. We identify, assess and control strategic, financial, operational and compliance risks; we are in the process of implementing a complete ERM.

  5. We identify, assess and control strategic, financial, operational and compliance risks; ERM is an integral part of the (strategic) planning & control cycle.

  • Concept 2. Effected by people at every level of an organization

Item 2. Are training activities about risk carried out?

  1. Not at all

  2. Minimally

  3. Somewhat

  4. Mostly

  5. Extensively

Item 3. Are business plan resources allocated to ERM initiatives?

  1. Not at all

  2. Minimally

  3. Somewhat

  4. Mostly

  5. Extensively

  • Concept 3. Applied in strategy setting

Item 4. To strengthen responsibilities, is there a relation between capital allocation, budget decisions and identified risks? Namely, is the risk management process related to strategic planning?

  1. Not at all

  2. Minimally

  3. Somewhat

  4. Mostly

  5. Extensively

  • Concept 4. Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk

Item 5. Do you identify and prioritize risks?

  1. Not at all

  2. Minimally

  3. Somewhat

  4. Mostly

  5. Extensively

Item 6. Which kind of methodology do you use to prioritize risks?

  1. Qualitative: phenomenon description

  2. Quantitative: phenomenon description in monetary terms

  3. Both

Item 7. What is the extent of integration in risk prioritization?

  1. Not at all widespread

  2. Uncommon

  3. Spread just at top levels: board and top management

  4. Spread in the majority of the organization: board, top and middle managers

  5. Enterprise widespread: board, top and middle managers and operative levels

  • Concept 5. Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite

Item 8. What is the frequency of general risk reporting?

  1. Every 3 years or never

  2. Once a year

  3. Every 9 months

  4. Twice a year (every 6 months)

  5. Every 3 months or less

Item 9. Temporal orientation of risk reporting:

  1. Past-looking (overcame risks)

  2. Forward-looking (expected risks)

  • Concept 6. Able to provide reasonable assurance to an entity’s management and board of directors

Item 10. Who is accountable for ERM process?

  1. CEO

  2. Internal Auditor

  3. Board

  4. Chief Risk Officer

  5. Others (specify)

Item 11. ERM managers meeting: what is their frequency?

  1. Every 3 years or never

  2. Once a year

  3. Every 9 months

  4. Every 6 months

  5. Every 3 months or less

  • Concept 7. Geared to achievement of objectives in one or more separate but overlapping categories

Item 12. What is the level of comprehensiveness—range of risks considered (strategic, operative, compliance and reporting risks…)?

  1. Not at all

  2. Minimally

  3. Somewhat

  4. Mostly

  5. Extensively

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Panfilo, S. (2019). (In)Consistency Between Private and Public Disclosure on Enterprise Risk Management and Its Determinants. In: Linsley, P., Shrives, P., Wieczorek-Kosmala, M. (eds) Multiple Perspectives in Risk and Risk Management. Springer Proceedings in Business and Economics. Springer, Cham. https://doi.org/10.1007/978-3-030-16045-6_4
