Documente Academic
Documente Profesional
Documente Cultură
BH 189
Business Horizons (2006) 49, 127 — 138
www.elsevier.com/locate/bushor
a
University of East Anglia, Norwich, United Kingdom
b
University of Washington, Bothell, Washington, USA
Abstract Strategic risk management is an increasing concern for both boards and
KEYWORDS
senior executives. Many recent business failures are due to senior level misjudge-
Strategic risk
ment and mismanagement of risk, the consequences of which can range from
management;
embarrassment to serious setback to bankruptcy. Ineffective risk management puts
Corporate governance;
otherwise strong business models in jeopardy. Here we present CLASS (Culture,
Enterprise risk
Leadership, Alignment, Systems, and Structure), an integrated, five-element model
management
of corporate governance. We identify how attending to the elements in this
framework supports development of an integrated and robust approach to corporate
risk, and helps senior executives anticipate and handle the complexities of risk
inherent in meeting strategic objectives.
D 2005 Kelley School of Business, Indiana University. All rights reserved.
1. Risk management: A need for a new secutions and executive turnover at numerous
look well-known corporations (e.g., AIG, Marsh and
McLennan, Bank of America, Citigroup, Parmalat,
Boards of directors are increasingly willing to take WorldCom, Enron, Nortel, and Lucent) also dem-
firm managerial action to mitigate the downside onstrate growing intolerance of strategic miscal-
risks of strategic change. In February of 2005, for culations by regulators and investors. Sir Philip
example, the directors of Hewlett Packard sud- Watts, chairman of Royal Dutch/Shell, was forced
denly removed Carly Fiorina as CEO because of to resign in March 2004 when overstatements of
her management of the risks and slow progress the company’s oil reserves and poor results in oil
of the complex HP-Compaq merger. Recent pro- exploration generated a public scandal. As well,
Maurice Greenberg stepped down in March 2005
as CEO of insurer AIG, following investigations
T Corresponding author. into bid-rigging and fraud in the insurance
E-mail addresses: stephen.drew@comcast.net (S.A. Drew)8 industry.
pckelley@u.washington.edu (P.C. Kelley)8 t.kendrick@uea.ac.uk A different view of the practice of risk man-
(T. Kendrick).
agement needs to be taken. Numerous changes,
0007-6813/$ - see front matter D 2005 Kelley School of Business, Indiana University. All rights reserved.
doi:10.1016/j.bushor.2005.07.001
This document is authorized for use only in Carlo Pugnetti's International Risk & Financial Management-1 course at Zurich University of Applied Science, from April 2018 to September 2018.
128 S.A. Drew et al.
2. CLASS: The five elements, strategic rigging bids on insurance contracts and accepting
risk management, and corporate special contingent commissions. As a result,
CEO Jeffrey Greenberg was ousted, the firm
governance
was forced to reach an $850 million settlement,
and the loss of revenue from special commis-
We believe effective risk management must be
sions forced drastic job cuts and share price
defined broadly in order to avoid strategic failures.
declines. Cultural problems were an important
We identify five integrated elements that underpin
root cause of these woes. Not only was Marsh
a firm’s ability to manage risks, engage in effective
and McLennan known for its arrogance and se-
corporate governance, and implement new regula-
crecy, CEO Greenberg set high financial targets
tory changes: Culture, Leadership, Alignment,
for his managers which, if not met, could lead
Systems, and Structure. Referred to, for the sake
to dismissal. This cultural intolerance of failure
of convenience, by the acronym CLASS, each
resulted in some managers engaging in exces-
element relates to the others. For example,
sive risk-taking, rule-bending, and gaming the
organizational culture is shaped by leadership
system.
practices. Systems support organizational structure
and shape its culture. Alignment ensures each Citigroup has also suffered setbacks many
element is harmonized with the others so that, attribute to cultural deficiencies. In September
for example, explicit cultural norms are reinforced 2004, Japan’s Financial Services Agency (FSA)
by leadership, and systems reinforce the culture. terminated Citigroup’s private banking operations
No one element stands alone. in that country after investigations into alleged
improprieties. This decision cost Citigroup $244
Boards and senior executives can review each
million in the fourth quarter of 2004 alone,
CLASS element to build and fortify risk manage-
denied the bank access to wealthy Japanese
ment and governance capabilities. As Fig. 1 illus-
customers, and temporarily shut it out of Japa-
trates, each element positively reinforces the
nese government bond auctions. FSA investigators
others and strengthens strategic risk management.
faulted a culture where profits were chased at
After engaging in an examination process, board
any cost.
members can map organizational challenges
against these elements, identify areas in need of In several other high-profile examples, cultures
improvement, and plan change management pro- that maintain an attitude of arrogance, encourage
grams. Superior risk management programs and secrecy, and/or create an unwillingness to admit
stronger firm governance capabilities result. failure have spawned disastrous consequences. As
Schein (1996) notes, culture is one of the most
powerful influences on organizational decision-
2.1. Element 1: Culture making and strategy. It can be a vital aid to
strategic risk management and a source of com-
In October 2004, Marsh and McLennan was sued petitive advantage; however, culture can also
by New York attorney-general Eliot Spitzer for contribute to destructive behaviors. Aspects of
Culture Leadership
STRATEGIC RISK
MANAGEMENT
Alignment Systems
Structure
Figure 1 CLASS: Culture, Leadership, Alignment, Systems, Structure. Five elements of corporate governance to
manage strategic risk.
130 S.A. Drew et al.
culture that can work against good governance and These values and systems appear to create
risk management include: cultures that reinforce illegal activity.
Interestingly, Professors Morrison and Milliken
! Unethical behavior; (2000) investigated the related issue of borganiza-
! Excessive internal rivalry; tional silence Q, which they describe as
! Intolerance of failure; bthe widespread withholding of information about
! Propensity for risk-taking;
po- tential problems or issues by employeesQ (p.
! Secretiveness; and
706). They identified factors conducive to silence,
! Persecution of people who speak up
(bwhistle- blowersQ).
including managers’ fear of negative feedback
and a set of implicit beliefs often held by
managers that speaking up about problems is
As Fig. 1 illustrates, culture is intricately linked inappropriate or futile. These findings are consis-
with leadership, alignment, systems, and orga- tent with the work of Castellano and Lightle
nizational structure. Professor Schein’s (1996) (2005).
research demonstrates that the founder’s person- Such research clearly reveals a need to be
ality can both create and shape organizational concerned with culture’s influence on employee
culture. The author observes that culture is behavior. Effective cultures (such as those found at
influenced by historical events and can be rein- Costco, Johnson and Johnson, and Starbucks) align
forced by systems, particularly when management well with business needs, yet support development
can manipulate incentive systems to reinforce of risk management and governance competencies.
specific behaviors. Significantly, he believes man- They are dedicated to openness, transparency,
agers need to understand the power of culture in high ethical standards, and fair competition, while
organizations to influence values and behaviors. at the same time meeting customer and
Other researchers have upheld the validity of stakeholder commitments.
Schein’s work. For example, Professors Baucus Professor Simons (1999) underscores the impor-
and Near (1991) developed and tested a model of tance of culture as a bbelief systemQ that enhances
illegal behavior in organizations. Studying Fortune traditional control systems used to manage risk in
500 corporations over a ten-year period, they organizations (p. 93). In his scheme, this belief
identified 141 violations that resulted in convic- system communicates core values and mission, and
tions in 88 firms; in fact, some firms had multiple helps resolve uncertainty of organizational pur-
convictions. The authors’ findings and analysis pose. As he notes, culture cannot easily be
provide empirical evidence that a past history of separated from leadership (Simons, 1995): it is
corruption inclines firms to repeat such behavior. shaped and supported by systems, both those that
They comment (p. 31): reward desired behavior and those that punish
bA corporation’s culture can predispose its mem- undesired activities. The reciprocal reinforcement
bers to behave illegally. As the relationship be- of each of the five CLASS elements is critical for
tween prior violations and illegal behavior appears effective, ethical strategic risk management.
to indicate, some firms have a culture that An ethical and effective corporate culture
reinforces illegal activity. Firms may also socialize encourages integrity and openness, and balances
employees to engage in illegal acts as a part of those elements with reasonable levels of risk-
their normal job duties.Q taking. Table 1 presents questions that can be used
to probe whether firm culture supports good corpo-
Additional studies reinforce the impact of cul-
rate governance and strategic risk management.
ture on ethical behavior and illustrate the interre-
latedness of culture and organizational systems.
For example, Professors Castellano and Lightle
(2005) describe three specific cultural concerns in
cases of fraud they have studied:
Academics have identified a number of ways attempted rapid change to kick-start innovation,
management can ensure a healthy organizational but his abrasive style alienated firm managers. As
culture. For example, Professor Schein (1996) a result, P and G experienced a major decline.
recommends building organizational learning ca- Professor Conger (1990, 1999) describes bthe
pacity to increase awareness of how culture shapes dark side of leadershipQ (1990, p. 10) and how the
organizational effectiveness, and proposes use of skills and personality traits that serve leaders well
process consulting and coaching skills to achieve in rising to the top may also lead to their undoing.
this goal. Professors Castellano and Lightle (2005) Charismatic leaders are often admired for their
recommend formal cultural audits to assess the vision; however, the greater a leader’s commit-
tone of an organization and define improvements. ment to a vision, the less willing they may be to
They propose boards of directors engage outside entertain competing viewpoints. This single-mind-
firms to conduct cultural audits every three years, edness can lead to unrealistic aspirations and
and that external auditors formally include inappropriate strategies. Professor Kets de Vries
assessment of the tone at the top in their (1993) reinforces this concern when discussing the
evaluations of internal controls. In cultures that psychology of leadership. His studies suggest lea-
condone secrecy, Profes- sors Morrison and ders and followers can exhibit irrational behavior
Milliken (2000) suggest top management change is and distorted thinking in making strategic deci-
a necessary but insufficient precondition for sions. Khurana (2002) proposes that leadership
breaking the climate of silence. They also note irrationality can further extend to the boards and
time and effort are required to overcome recruitment professionals who guide the process of
employee resistance to speaking up, since change appointing CEOs.
throughout the organization (including creating It is tempting to blame organizational failures
appropriate systems to reinforce the desired solely on top management, but leadership requires
cultural norms) is required. committed and consenting followers. Research by
We suggest boards can address critical cultural DeCelles and Pfarrer (2004) suggests when the
weaknesses in a number of ways, including: bdark sideQ of charismatic leadership is
combined with stakeholder pressure for results,
! Implementing new and stronger controls; the risks of corporate corruption are increased (p.
! Restructuring incentive systems; 11). Conger (1990, p. 49) describes how followers
! Educating employees; may tend to become dependent on a visionary
! Creating communication programs; and leader, idealize that leader, and ignore their
negative qualities. They may become byes peopleQ
! Providing individual and team coaching.
and carry out orders without question, even when
Furthermore, it is critical to remember organi- these orders fly in the face of logic and business
zational culture cannot be separated from national realities. Problems of bgroup thinkQ can occur,
culture, and global firms should take into account and leaders may even acquire a sense of
national cultural differences in designing risk omnipotence as a result of the uncritical support
control systems (Hamilton & Kashlak, 1999). and blind obedience of their followers.
Do charismatic leaders get results? Professors
2.2. Element 2: Leadership Tosi, Misangyi, Fanelli, Waldman, and Yammarino
(2004) studied 59 CEOs from a sample of Fortune
Naveen Jain, former CEO of Internet firm Info- 500 companies over a ten-year period (1988 to
Space, was charismatic, visionary, and passionate, 1997) to see whether charismatic leadership is
attracting both employees and investors to the associated with improved firm performance. Lea-
firm. At the height of the dot-com boom, InfoSpace ders were identified as charismatic by other
was worth $31 billion; however, Jain and other executives in each company. Interestingly, results
executives have been accused of misreporting showed that CEO charisma seemed to be related
revenues and using fraudulent schemes to create more to CEO compensation packages and stock
an illusion of success. He has also been portrayed prices than to broader indicators of firm perfor-
as a reckless, ruthless, and bullying leader. And mance. The study demonstrates that charisma,
although Carly Fiorina brought magnetism and while attractive, does not generate positive results
enormous sales and marketing skills to her role as on its own.
CEO of Hewlett Packard, she was also accused of A charismatic leader does, however, possess at
egotism and self-promotion at the expense of least one advantage. As Professors Flynn and Staw
company interests, as well as insensitivity to the (2004) found in their ten year study (1985—1994) of
organization’s engineering culture. As the new CEO 44 CEOs from 46 Fortune 500 firms, charismatic
of Procter and Gamble in 1999, Durk Jager
132
leadership can influence external support for the S.A. Drew et al.
organization. In particular, it makes the company
more attractive to outside investors. The research
confirmed charismatic leadership is associated ! Centralizing key risk management activities in
a corporate department;
with enhanced stock prices, notably in difficult
economic conditions. The authors conducted ! Planning a balance of competencies and expe-
rience in executive teams; and
experiments to show that, when faced with
appeals from a charismatic leader, managers may
become less risk averse and investors may be
! Developing and coaching executives.
In making such appointments, the board can
enticed to make additional investments in compa-
counterbalance the role of a charismatic leader
ny stock.
with the thoughtfulness of a chief risk officer,
Research suggests a charismatic leadership style
develop systems that reward longer-term strategic
can positively affect certain measures of company
and ethical systems, and reinforce a healthy
performance. Such leadership, though, does not
culture. Boards can also concentrate on selecting
alleviate the current crisis of ethics and risk
leaders who demonstrate what Greenleaf (1977)
management in many firms; in fact, it may actually
termed a bservant-leadershipQ style (p. 262), which
encourage such crises. Professor Sankar (2003)
suggests more attention be paid to a leader’s focuses on the role of leader in the individual
character, in particular to moral literacy, and to development of followers. It ensures leadership
core values such as integrity, trust, truthfulness, evolves throughout the organization and is shared
and respect for human dignity. In his view, among management, rather than centralized in one
leadership excellence is based more on character individual.
than charis- ma. Sankar’s work reinforces the Boards can also guard against unethical leader-
importance of leadership on organizational culture, ship by employing seven mechanisms Professors
and ensuring the alignment of culture with Grojean, Resick, Dickson, and Smith (2004) found
leadership. to build an ethical climate in organizations. These
mechanisms include:
Table 2 poses a number of cautionary questions
to assess the governance and risk management
(1) Using values-based leadership;
abilities of leaders, and identify areas for improve-
(2) Setting an example;
ment. Again, these questions demonstrate the
(3) Establishing clear expectations of ethical
interrelated nature of the five elements of CLASS,
conduct;
encouraging boards to take a holistic view toward
(4) Providing feedback, coaching, and support
risk management and the alignment of critical
regarding ethical behavior;
elements that affect a firm’s risk management
(5) Recognizing and rewarding behaviors that
profile.
support organizational values;
Boards of governors can improve leadership and
(6) Being aware of individual differences among
its effects on governance and risk management in a
subordinates; and
variety of ways, including:
(7) Establishing leadership training and mentoring.
had fallen out of favor with the City of London create value. These executives also found it easier
because of a belief that its corporate governance to document and leverage internal controls in line
had become old-fashioned; in fact, some thought with SOX.
the company was not delivering sufficient share- Alignment is not easy to achieve. Many organi-
holder value due to outdated governance. Others zations struggle to manage interfaces between
speculated that GEC’s large cash reserve was an external and internal audit, regulatory compli-
unexploited opportunity. ance, and risk management functions. The chal-
Under George Simpson, a new management lenges of creating internal alignment of systems
team proceeded to dismantle GEC’s portfolio of that support appropriate levels of risk-taking
businesses to focus on high growth telecommuni- include the development of a common language,
cations. Unfortunately, Simpson and his chief and understanding among employees as to the
financial officer, John Mayo, made serious mis- nature and tasks of governance and risk manage-
judgements in strategy and took increased risks in ment. Proper alignment also requires conflicts
competitive arenas. For example, they paid 4.1 between functions be addressed. Unnecessary
billion pounds to acquire U.S. firms Fore and overlaps of jobs and areas of accountability, as
Reltec at the peak of the telecommunications well as gaps in responsibility, must be identified
boom in 2001. Not only did they overpay for these and resolved. This may require complex and
firms, but the deals were made in cash, when difficult organizational change.
competitors (such as Cisco) reduced the risk of Business scholars have conducted limited re-
similar acquisitions by paying with their own search into the business performance impacts of
stock. In the wake of the ensuing disaster, aligning governance, risk management, and report-
over ing systems. However, a study by Professors Baker
30 billion pounds of shareholder value was and Gompers (2003) of over 1000 venture-capital
destroyed and thousands of jobs were lost. In financed firms indicated board composition and
May 2005, due to an inability to compete with venture capital involvement in governance were
foreign rivals, Marconi failed to win any part of a associated with lower rates of firm failure. They
much sought-after 10 billion pound contract with discovered venture-backed boards were about 10%
U.K. telecommunications giant BT (British Tele- less likely to be liquidated or delisted than boards
com). GEC’s failure has been attributed in large that were not venture-backed. This data suggests
part to egregious failings in corporate governance, venture capital involvement in board composition
strategic risk management, and financial reporting results in stronger risk management.
systems. Nonetheless, other research into the impact of
Disasters such as GEC’s are usually systemic in commonly suggested mechanisms for aligning gov-
nature and reveal not only individual mismanage- ernance, reporting, and risk management is incon-
ment, but also inability to align key functions and clusive. For instance, Turley and Zaman (2004)
their responsibilities in the face of rapidly changing examined a number of studies on the corporate
environments. Professor George Labovitz (2005, governance effects of audit committees on finan-
1997) defines alignment as an optimal state in cial reporting quality and corporate performance.
which people, key processes, and strategies work They found no evidence of an automatic relation-
in tandem. Alignment is a key element that, if ship between the adoption of audit committee
neglected, can lead to severe coordination, per- structures or characteristics and the achievement
formance, and financial problems. Professor Labo- of particular governance and control effects. This
vitz’s investigations reveal organizations achieving data indicate that we do not yet know how best to
this state outperform their competitors in every ensure systems which are aligned internally to
financial measure. support appropriate risk management.
The U.S. Sarbanes—Oxley Act (SOX) and other The inconclusive nature of present research
regulatory changes require firms to improve clearly indicates a need for further investigation
alignment between governance, financial report- regarding best practices in alignment. In support of
ing, and risk management; for example, the board this recommendation, in April 2005 the Financial
must assess the effectiveness of the audit com- Times Group launched a new set of corporate
mittee as part of compliance. The audit function governance indices to track the performance of
now plays a higher profile role in risk manage- firms and provide better information to investors.
ment. In a global survey of 1400 executives by Data from this initiative and future research may
Price Waterhouse Coopers (2004), firms making provide further evidence of the benefits of im-
enterprise risk management a priority believed proved alignment between risk management, gov-
that higher prioritization of the audit function ernance, and reporting systems.
increased their ability to take appropriate risks to
134 S.A. Drew et al.
companies should treat compliance as an oppor- priately. They also demonstrate what values the
tunity to introduce an enterprise-wide approach organization is promoting and how those values are
to risk management, including financial, legal, translated into action. To ensure control systems
and operational aspects that affect an organiza- play their important reinforcing role in risk man-
tion’s strategic goals. He suggests companies use agement, the board can use the questions listed in
SOX 404 rules as levers to help achieve enter- Table 4 to review the existing systems and their
prise-wide transformation of business processes. contribution to control, reporting, and overall risk
Improvements that may result from this transfor- management. This list should be expanded in the
mation include greater use of automation, context of individual firms.
streamlining, increased uniformity in controls, The variety and complexity of systems can be so
and greater responsibility by process owners. great that many firms will be challenged to find
Interestingly, Professor Farrell also describes an the time and resources to implement all necessary
enhanced and vital role for internal auditors in improvements in governance and risk management.
linking internal control reporting with risk man- Farrell (2004, p. 12) admits that applying strategic
agement to achieve the overall aims of the risk management has significant costs, but may be
organization. even more expensive to neglect. Investments
Damianides (2005) also suggests organizations include:
use Sarbanes—Oxley as the impetus for reviewing
governance and increasing the effectiveness of
controls over information technology. He believes
! Establishing a risk framework and common risk
vocabulary;
strong IT governance helps organizations ensure
operational continuity, and especially promotes
! Establishing and maintaining a chief risk offi-
cer or risk committee;
managing IT strategically for competitive advan-
! Measuring and monitoring continuously; and
tage. The author describes the crucial role IT can
play in monitoring the effectiveness of internal
! Updating the risk assessment framework
periodically.
controls over financial accounting, and in
establish- ing a sound internal control Improving the management of risk requires firms
environment. To achieve these advantages, many to consider the adequacy of formal systems to
companies will need to improve communication identify, analyze, forecast, and manage a wide
between IT man- agement and internal and range of business and strategic risks. As noted
external auditors. Damianides proposes earlier, however, there is significant interplay
organizations implement the Co-biT (Control among the elements of CLASS. For example, we
objectives for Information and related Technology) propose the role of chief risk officer to guard
governance framework devel- oped by the IT against unethical leadership, but the same role
Governance Institute. As well, he also suggests the also helps create strong organizational systems to
use of strategy maps, as described by Kaplan and comply with SOX and mitigate system-induced risk.
Norton (2004), to ensure better alignment of IT Additionally, as Professors Hamilton and Kashlak
with business strategy. (1999) suggest, global firms need to take into
As Professor Simons (1995) notes, corporations account national cultural differences in designing
need not view control systems as necessary evils; control systems for risk. Such control systems
rather, corporations should use them for strategic should form part of a global strategy.
benefit and to support the organization’s future
development. He describes how management can
use control systems in interactive ways to focus Table 4Element 4: Systems
organizational energy and learning toward innova- Does the company have an effective and standardized system of
tion and growth. Simons notes how other systems, internal controls and financial reporting?
not just those concerned with IT and financial Does the company regularly assess changes in the business and
regulatory environments that have an effect on internal control
reporting, can put firms at significant risk of
systems?
failure and of not achieving desired goals. He Is the organization attempting to link implementation of SOX 404 with
suggests a broader view of risk control systems that initiatives to improve strategic risk management?
includes, for example, strategic planning and What systems are currently in place to identify, assess, and mitigate
reputation management. risks across the organization?
We previously identified the critical, reinforcing Is the organization attempting to implement a framework and systems
role systems play in terms of shaping behavior and for IT governance that will be acceptable under SOX 404?