“Integration of enterprise risk management and management control system: based on a case study”

This paper aims to discuss the concepts and methodological issues of enterprise risk management (ERM). The case study of company A shows that ERM has been implemented and integrated with management control as a means of monitoring its subsidiaries. First, ERM system was implemented through comprehensive review of corporate risk policies, risk management processes, roles and responsibilities, and risk culture. Second, company A integrated ERM with the existing management control system in order to evaluate the risk underlying the current management activities. Finally, ERM implementation was expanded to all subsidiaries so that each business unit would be delegated for its own risk management. This paper provides insight on the process how group-level internal auditors can use ERM as a tool to manage risk of subsidiaries, thereby filling the gap between academic research and practice. This successful ERM adoption case can be used as a guideline for other organizations, which plan to adopt ERM with reduced costs and improved processes.


Introduction
Bankruptcies of Enron and Worldcom in early 2000s proved that companies which achieved shortterm growth and profitability through fraudulent accounting and falsehood contracting ultimately failed.Subprime mortgage scandal in 2006 and global financial crisis in 2008 also showed that companies are exposed to profile of unpredictable risks and uncertainty in financial markets.Since the frequency of risk and its harmful impact on corporate performance increased globally, regulatory agencies have enacted corporate risk management in many countries.U.S. Securities Exchange Commission (SEC) requires risk disclosures in 10-K and 10-Q filings, and accordingly U.S. listed companies disclose their risk exposure and risk management activities in their annual and quarterly reports.In Germany, Federal Ministry of Justice requires risk management system based on the business control and transparency regulation enacted in 1998 (Kon-TraG, Gesetz zur Kontrolle und Transparenz), and companies have to report risk management activities to regulatory agency on regular basis 1 .Also, since 2009, credit rating agencies such as S&P and Fitch have considered whether risk management system has been adopted by organization for corporate ratings.In addition, "risk & crisis management" has Ilhang Shin, Sorah Park, 2017.Ilhang Shin, Ph.D., Assistant Professor of Accounting, College of Commerce, Chonbuk National University, Korea.Sorah Park, Ph.D., Assistant Professor of Accounting, Ewha School of Business, Ewha Womans University, Korea.This is an Open Access article, distributed under the terms of the Creative Commons Attribution-NonCommercial 4.0 International license, which permits re-use, distribution, and reproduction, provided the materials aren't used for commercial purposes and the original work is properly cited. 1 Besides, Toronto Stock Exchange encourages the systematic internal control activities including risk evaluation and responses in the DeyReport (1994).
been included as one of major factors in Dow Jones Sustainability Index (DJSI) 2 .
Therefore, the role of internal controls within organization is expanding from ex-post uncovering non-compliance to managing risk proactively and enhancing firm value.Traditional function of internal control has been to be a policeman assuring compliance with legal policies and regulations (Flesher and Zarzeski, 2002).However, recent trend is to be an internal consultant who identifies harmful issues and risk that may hinder achieving goals and improves risk management and auditing (McNamee and Selim, 1998; Weidenmier and Ramamoorti, 2006).This implies that the role of internal auditors is changed from monitoring risk of individual department to leading proactive risk management at enterprise level.
Enterprise risk management (ERM) has emerged as a paradigm for managing various kinds of risks faced by organizations, and the trend is to focus on its role in improving risk management and ultimately enterprise value.ERM is designed to improve the board and executives' oversight of risks.Such paradigm is a big improvement from the existing risk management practice, which has limitations in responding to dramatic change in business environment, since individual department has different management strategies and repeating inputs toward the same risk, resulting in low efficiency in risk management. 2 For DJSI, the evaluation of ERM is included in the assessment criteria, specifically "Risk & Crisis Management" category.Companies are asked to answer not just "yes" or "no", but the details including data of recent few years in questionnaire.The questions are about the role of Chief Risk Officer (CRO) among top executive, his/her job description and responsibilities, risk analysis, risk correlations, sensitivity test, stress test, response strategy, crisis management, etc.The presence of risk officer and contingency plans are crucial factors for a company's sustainable growth.
The Committee of Sponsoring Organizations for the Treadway Commission (COSO), which was launched in order to improve monitoring misrepresentation in financial reporting, has updated the Internal Control Integrated Framework in 2004, originally published in 1992 and widely used by listed corporations for purposes of compliance with Sarbanes-Oxley Act.According to the Wall Street Journal3 , the update expands the scope of the framework and increases the level of detail of ERM, potentially expanding its utility beyond external financial reporting.Integrated risk management refers to implementation of three fundamental risk management objectives: modifying operations, using targeted financial instruments, and adjusting capital structure (Meulbroek, 2002).Meulbroek  (2002) defines ERM as a framework intended to help managers to design a value-maximizing, enterprise-wide corporate risk management system via aggregation of all risks faced by the firm into a net exposure and coordinated use of these three risk management techniques.This paper intends to discuss concepts and methodological issues of ERM, which is considered an extension of internal audit function.In doing so, this paper will have academic and practical implications by explaining factors that are related to successful ERM implementation and how to evaluate ERM capability.Also, internal audit practices can be strengthened by implementing internal control improvement strategies based on ERM.Moreover, external auditors' understanding of ERM system within audited corporations will be increased so that ERM infrastructure can be utilized for efficient and effective auditing.
Furthermore, we study the case of company A in which ERM has been implemented as a means to integrate with management control and to increase firm value by monitoring its subsidiaries.This paper provides insights on the process how group-level internal auditor can use ERM as a tool to manage risk of subsidiaries, thereby fills the gap between academic research and practice.There could be some areas within conglomerates (for example, "chaebol" in Korea), where group-level monitoring or control cannot reach.Reliance upon key performance indicator (KPI), a measure to quantify financial risks, or internal control has limitations in managing enterprise-level risk.Also, autonomic control by subsidiaries has the similar limitation.Hence, this paper presents the successful ERM adoption case that can be used as a guideline for other organi-zations, which plan to adopt ERM in the future with reduced costs and improved processes.

Concepts and methodological issues of ERM implementation
Corporate control itself does not create value.Rather, it is a mechanism that can be used to manage an entity's objective, strategies, and risk.According to the Institute of Internal Auditors, internal control is a series of rules and procedures, which are undertaken by management in order to improve risk management and the capability to achieve the objective of organization.
Among various definitions of ERM in the literature, ERM is usually defined as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (COSO, 2004, p. 2)" 4 .Namely, ERM allows companies to identify and evaluate all types of risk, including financial risk and catastrophes that have been individually managed and external market condition and business risk, so that they can have a more systematic and integrated risk management process and increase the firm value.
According to COSO (2004), ERM system should be designed to achieve three main objectives: (1)  strategy: high-level goals that support the organization's missions, (2) operations: effective and efficient use of a firm's resources, (3) financial reporting: reliability of reporting system, (4) compliance: organizational compliance with applicable laws and regulations.As now, the range of SOA internal control over financial reporting and internal audit system is limited to one of them, which is reliability of financial reporting.However, based on the analysis of company A, only 14% of workforce has been dedicated to tasks related to reliability of financial reporting.COSO (2004) conceptualized the ERM frame work by integrating COSO I (1992) internal control model and risk management process.First, internal control system is expanded to ERM frame work.Second, entity objectives have been modified to strategy, operations, reporting and compliance. 4Definition of ERM was also provided by Casualty Actuarial Society (CAS) in 2003.The Casualty Actuarial Society (CAS) defined ERM as "the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization's short-and long-term value to its stakeholders".
Third, three new ERM components (control activities, information and communication, monitoring) have been added to existing components (internal environment, objective setting, event identification, risk assessment, risk response).According to the updated framework, ERM can be viewed as a part of management control infrastructure to achieve corporate goals.For ERM to operate effectively as management control infrastructure, it is necessary to implement ERM system with comprehensive consideration of risk policy, management process, role and responsibility clarification, support system and risk culture.
There are five core steps for successful implementation of ERM as a management control infrastructure.First, management should analyze the needs for ERM in each subsidiary.In doing so, current risk management practice should be assessed in order to draw ERM-related issues.Second step is to identify/evaluate all potential risk of subsidiaries and select risk that needs to be managed with priority at enterprise level.Third, management should, then, take corrective actions to improve risk management.For this, they need to study the causes and effects of each priority risk, select KPI based on their importance, and quantify the likelihoods.Fourth step is to implement risk management system.This assures risk management system to utilize the risk profile and KRI list, which have been completed from the previous steps and to clarify the official role and responsibility of each team in the ERM process.The last step is the follow-up oversight on ERM system in order to monitor the effectiveness of ERM system that has been implemented as the management control system in step 4. In sum, step1~step3 are in place to come up with risk at priority and KRI at subsidiary level and step4~step5 are used to implement the management control system based on the risk and KRI deducted from step1~step3.

Relationship between ERM, internal control and internal audit
Due to large corporate scandals and accounting frauds such as Enron and Worldcom, the United States enacted the Sarbanes-Oxley Act in 2002 to enhance corporate transparency.At similar time, Korea amended the laws on corporate accounting to increase the transparency of after the 1997-98 Asian financial crises.One of key issues in these accounting regulations is to enhance internal control in the financial reporting and disclosure procedures.
In order to fully understand the background of such accounting regulations, it is necessary to under-stand the internal control.According to COSO Report 5 (which is considered the internal control standards in general), internal control is the process undertaken by board of directors, management and other members in order to achieve the following three goals: (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, (3) compliance with applicable laws and regulations (COSO, 1992).COSO Framework defines the five elements of internal control as follows: (1) control environment, (2) risk assessment, (3) information and communications, (4) control activity, and (5) monitoring.Among these elements, control activity is specified at task level and the rest are specified at enterprise level.Continuous internal auditing system supports the monitoring element of internal control.The main subject of monitoring is other internal control elements, more importantly, the effectiveness of control activity.In the case we study in this paper (a manufacturing company A), continuous monitoring system is used to oversee the following control activities in COSO Report: review & report on exceptional events, authorization by superior management, system configuration, processing consistent information, system access authority, system interface, segregation of duties 6 .
Figure 1 shows the relationship between internal control, Korean SOX and continuous auditing system based on the COSO Framework.When viewing internal control from its objectives, Korean SOX is the internal control to enhance reliability of financial reporting.Continuous auditing system is the monitoring element of internal control of COSO Framework, which is monitoring the other internal control elements and, therefore, increases effectiveness and efficiency of internal control system.For companies, continuous auditing system could be considered an effective tool that supports internal accounting regulations such as SOX, as a part of compliance.However, ERP aims for real-time information flows in integrating and automating business processes.Therefore, when there are needs for real-time data, the potential benefits of ERP systems can be achieved only by continuous auditing.Chan and Vasarhelyi (2011)  argue that the traditional audit paradigm is outdated in the real time economy and the innovation of the traditional audit process is crucial in supporting the realtime assurance.Also, they emphasize the innovation, namely the transition from traditional auditing to continuous auditing methodology.
Furthermore, research on continuous audit system that is integrated with other management systems is warranted.A continuous audit system could be utilized with connections to various management systems, for example, company A integrated audit information system and early-warning system.For ERM system, there are many cases where KRI is linked to early-warning system.Thus, continuous audit system can be integrated with ERM system by developing KRI based on continuous monitoring scenarios under continuous audit system.This will enable comprehensive risk management at process level, which is the main concern of strategic risk management and continuous audit system.

Case study: company A
In this section, we discuss and evaluate the case of company A (a non-financial company in Korea) which implemented ERM successfully at subsidiary level.

ERM implementation methodologies.
Introducing ERM was not a one-time event.Rather, company A implemented the ERM system with comprehensive consideration of risk policies, risk management process, roles and responsibilities, supporting system and risk culture.Risk policiesare stated through ERM policies and ERM manuals.These policies determine the risk management processes, which consist of the following four stages of identification, evaluation, response and monitoring.
(1) Identify: company A identifies the risk, analyzes the risk sources, and keeps their profiles (see Table 2).(2) Assessment: risk is assessed using guidelines and evaluation templates.The risk at priority control is managed based on the results of risk assessment.(3) Response: company A sets the direction of risk response and implements the plans to respond and to improve risk management.(4) Monitor/Report: KRI is monitored and the results risk management and any improvement in risk management are reported.Risk of reduced profits due to a lack of appointment system and its supporting system Risk of financial losses due to absence of asset management system Risk management organization is composed of risk committee, risk owner, risk management department and risk officer.ERM support system and earlywarning system serve as a support system.Lastly, risk culture is defined through employee education and communication, as well as the manner of managing changes.

Integration of management control system and ERM.
In company A, ERM was implemented through integrating the existing management control system with risk management system.This helps to identify and evaluate the risk underlying the existing management activities.Figure 2 describes how the management system and ERM process have been integrated.CRO is an executive who identifies, measures, and develops the strategies to manage potential business risks.The importance of CRO has increased in recent years, since it is difficult for top executives to clearly know the level of risk, as the firm size gets bigger.Also, sustainable growth can be attained through effective response to the profile of risks, as business environment changes.
The risk governance system of subsidiaries of company A can be considered the form in the middle of centralized and delegated system (see Figure 3).It aims to build the integrated crisis & risk management system at enterprise level.ERM implementation was expanded to other subsidiaries starting from the chemical-related subsidiary.Each business unit and staff is delegated for their own risk management.A risk officer is stationed at each subsidiary in order to work on subsidiary-level risk management and support.In addition, they set up the ERM team with CRO in charge and early-warning system to prevent the major risks.ERM is a very attractive management control system for management who experienced great losses due to unexpected risk.However, ERM has not been used actively in company A, since it was implemented.The reasons for this are analyzed as follows: first, there are no practical instructions or guidelines for risk management.Second, ERM was implemented just to get along with the crowd without careful consideration of selecting KPI based on firm-specific characteristics.Third, the management's view is too myopic, focusing on short-term performance.Regarding the measurement of performance, it is not clear how to quantify the effects of KPI in preventing crises.
Then, what could be the solutions to utilize ERM more effectively?First, the management should change their perspective on ERM, from a silo-based approach to an enterprise-level management approach.This requires the consideration of enterprise-wide loss (risk) in goal (outcome)-oriented thinking.Second, they need to customize the riskmanagement depending on the type of major risk.For instance, Walmart (traditional, PPE-intensive company) would have to manage typical operational risk, whereas Microsoft (economy-sensitive, competitive industry) has to manage unpredictable business risk.Third, they should begin with most-necessary tasks in the field by analyzing past losses and interviewing field expertsin order to identify weaknesses.Also, KPI and KRI should be managed together.KPI should be used as a carrot-and-stick for employees while KRI is a broader concept than KPI since it navigates the enterprise goal.Risks that cannot be detected by KPI should be identified and managed through further development of KRI.Last, the leadership of risk management and (internal and external) communication should be strengthened under the direction of CEO or CRO.

Discussion and conclusions
This section discusses the measurement of maturity of ERM.As described in In conclusion, the case study of company A shows how ERM is implemented and integrated with management control in order to increase firm value by monitoring its subsidiaries.This successful ERM adoption case can be used as a guideline for other organizations, which plan to adopt ERM in the future with reduced costs and improved processes.Especially, the implication of our paper on how a group-level internal auditor uses ERM as a tool to manage risk of subsidiaries could be useful for large conglomerates, where group-level monitoring cannot control subsidiaries due to limitations of KPI and internal controls.

Fig. 2 . 3 . 3 .
Fig. 2. Integration of ERM and management control systems 3.3.Risk management at subsidiary level.When implementing ERM, an organization should customize the process for firm-specific needs and circumstances.In case of company A, ERM implementation improved and developed risk management functions.They concentrate on the business risk, investment risk (due to global business), project risk, and financial risk.Also, the parties in charge of ERM implementation are CEO, CFO, and internal auditors.The role of CRO (Chief Risk Officer) is served by CFO.

Table 2 .
Risk profile of company A

Table 3 .
Measurement of ERM maturity