“Perceptions about effective risk management. The crucial role of internal audit and management. Evidence from Greece”

In the aftermath of the financial crisis, many companies have implemented extensive risk management procedures. Additionally, internal audit has increasingly attracted the attention of managers as it constitutes the core of modern corporate governance. However, regarding Greek companies, there is a lack of empirical research on factors that affect risk management. Therefore, the purpose of the present paper is to analyze specific factors associated with effective risk management. Primary data were collected using questionnaires distributed to employees in companies that are listed on the Athens Exchange. Multiple regression analysis was conducted in order to examine the relationship between effective risk management, risk based internal audit, internal auditors’ involvement in risk management and top management support. Our findings demonstrate that the above factors contribute positively to effective risk management.


INTRODUCTION
Risk management has been widely acknowledged as an important tool for identifying, assessing and addressing the various risks that companies face.Nowadays, the fact that companies operate in highly uncertain environment, makes it of outmost importance to develop and implement procedures that allow them for timely and effective risk management (Krause & Tse, 2016;Moloi, 2016).Risk management is considered as a new medium of business management strategy that associates business strategy with everyday risks (KPMG, 2002), while it is considered as an important key element of developing integrated business management procedures (Caratas & Spatariu, 2013).
Along those lines, internal audit provides an independent and objective opinion to an organization's management as to whether its risks are being managed to acceptable levels (Institute of Internal Auditors, 2004).The ultimate aim of internal audit is the evaluation of the business activities of a company and the assessment of the different risks it faces (Karagiorgos et al., 2007).In this context, internal audit can be viewed as a process that adjusts itself to the changes of the internal and external environment of a company (Bozek & Emerling, 2016), leading to the redesign of techniques which are necessary for effective Investment Management and Financial Innovations, Volume 14, Issue 4, 2017 risk management.Building on the above, internal audit can be considered as an important tool for risk management (Fernandez-Laviada, 2007).
In the aftermath of the economic crisis, emphasis has been laid upon the internal audit profession in Greece (Drogalas et al., 2016).Despite the importance of risk management and internal audit in Greek companies, research on the relationship between the above has been scarce and fragmented.This paper examines the potential influence of internal audit to effective risk management.We investigate perceptions regarding the effectiveness of risk management in the Greek business environment and provide a comprehensive, updated overview of the factors that positively affect risk management.The results of our study suggest that risk management and internal audit are of paramount importance for the successful management of Greek companies.The findings also reveal that risk-based internal audit, internal auditors' involvement and top management commitment are positively associated with effective risk management.On the contrary, the results indicate that internal audit's characteristics are not significantly associated with effective risk management.
This study contributes to international research regarding both risk management and internal audit by investigating the existing risk management practices and how they are related to internal audit.Additionally, we perform a thorough investigation of the relationship between effective risk management and internal audit and provide additional information thereby complementing recent qualitative research in this subject area.Moreover, contrary to previous studies, we investigate the impact of factors such as top management support and implementation of a risk based internal audit approach, both of which have not been examined within Greek companies.Building on the above, this study addresses an unexplored aspect of risk management effectiveness, and opens several paths for future research.
The remainder of this paper is organized in the following manner.In the next section, we provide a review of current literature on the subject area and we formulate our hypotheses.Then, we present our research methodology along with our sample profile.This section is followed by the empirical results of our study.Finally, we provide a discussion of our result along with limitations of this study and suggestions for future research.

Risk management
Regarding the implementation of risk management procedures in companies, extensive academic research has been conducted.In their study, Krause and Tse (2016) examined sixty five recent theoretical and empirical studies about risk management.
According to their research, risk management is of great importance to businesses as it enhances business value.Moreover, Hoyt and Liebenberg (2011) conducted a research regarding the extent of implementation of risk management programs by insurance companies in the United States.Their findings were quite positive regarding the relationship between business value and integration of risk management procedures in mainstream business management.Finally, the integration of enterprise risk management and management control systems is examined by Shin and Park (2017).Based on a case study, they find that close relationship between enterprise risk management and management control systems is important to the increase of firm value.Building on the above, when risk management is successfully integrated into core business activities, it can positively affect firm value.

Risk-based internal audit and risk management
In modern economies, great importance has been placed upon the role of internal audit for the protection of an organization against risk factors (Institute of Internal Auditors, 1999 Finally, Bozek and Emerling (2016) present the theoretical and practical aspects of internal audit in enterprises in the context of the risk assessment.Their results confirm the effectiveness of internal audit in addressing internal and external risks.Building on the above, the following hypothesis is formulated: Η1: There is a positive association between risk based internal audit and effective risk management.

Internal auditors' involvement and risk management
Internal auditors' perception about their role in risk management is examined by Sarens and Beelde (2006).Internal auditors from ten companies in USA and Belgium were interviewed in order to provide qualitative evidence on how internal auditors perceive their role in risk management.The results reveal that internal auditors' role in risk management is time specific.The findings also show that internal auditors are involved in the development of self-assessment procedure and the maintenance of centralized risk databases.Similarly, Zwaan et al. (2011) analyze internal audit involvement in enterprise risk management.Data from 117 certified internal auditors in Australia were used.Their results contribute to the understanding of the impact of internal audit involvement in enterprise risk management.Moreover, the assurance of risk management processes, the evaluation of risk reporting and the review of risk management procedures are established as core elements of internal auditing in enterprise risk management.
Finally, Rijamampianina (2016) who explored internal audit in the South Africa banking sector makes recommendations for enhancing risk management and internal audit procedures.The results depict that internal audit contributes to risk management quality and increases risk managers' expertise in other risk disciplines.Consequently, we formulate our second hypothesis: Η2: There is a positive association between internal auditor's involvement and effective risk management.

Management support and risk management
Top management support plays a major role in the nurturing of values and ethics in organizations (McNamee, 1992).In analyzing the relationship between risk management and internal audit, Selim and McNamee (1999) reveal that risk management principles are better integrated into overall management processes when risks are highlighted in top management corporate reports.Furthermore, Spira and Page (2003), by using a sociological perspective on risk, find that increased corporate governance positively contributes to effective risk management.Their findings also reveal that risks are more effectively managed when they are incorporated within the mainstream corporate governance framework.
Along those lines, Allegrini and D'Onza (2003) analyze internal audit and risk assessment in largest 100 companies listed on the Italian Stock Exchange.They argue that top management is responsible for setting a strategic direction and creating the environment for effective risk management.Their results also reveal that management support is the most significant factor for the continuous improvement of risk management procedures.Additionally, Sarens and Beelde (2006) examine the relationship between management support and effective risk management.They find that management support is ultimately responsible for effective risk assessment.Finally, Aziz (2012) examined how the legislative provisions support companies in the implementation of internal audit mechanisms and risk management, in order to enhance business effectiveness.The results reveal that a legal framework that enhances efficient governance is crucial in developing risk management and internal audit procedures.Based on the above discussion, the third hypothesis is formed as: Η3: There is a positive association between management support and effective risk management.

Characteristics of internal audit and management
Regarding the relationship between internal audit characteristics and risk management, Stewart and Subramaniam (2010) examine the independence and objectivity of the internal audit procedure in relation to the involvement of internal audit in risk management.The results reveal that independence and objectivity positively influence the effectiveness of internal audit.Additionally, El-Sayed Ebaid (2011) explored the characteristics of internal audit function.Providing an exploratory study of Egyptian listed companies, he demonstrates that organizational independence is a crucial factor for the relationship between internal audit and corporate governance.
Internal audit's role within the corporate governance system is examined by Eulerich (2013).The findings show that internal audit creates value for a company by revealing problems.In this context, the results reveal that compliance with International Standards for the Professional Practice of Internal Auditing (ISPPIA) is essential in order for internal audit to be effective.Finally, Bozek and Emerling (2016) analyze the role of internal audit in protecting an organization against risk.Based on the study of literature, the authors depict basic characteristics of internal audit.The results reveal that internal audit constitutes an important tool in the risk management process.The findings also imply that internal audit is focused on the assessment of risk management effectiveness.The above discussion leads to the last hypothesis for this study: Η4: There is a positive association between characteristics of the internal audit and effective risk management.

Data sample and questionnaire
The basic research methodology used in the present paper was a survey questionnaire.We selected companies that were listed on the Athens Stock Exchange on January 25, 2017 as our target population.Companies that were under surveillance, under suspension and under deletion were excluded.A total of 205 firms matched the aforementioned criteria.Primary data were collected through the use of mailed questionnaires.The questionnaire was separated into six main sections: section A refers to "profile of the respondent", section B refers to "risk management effectiveness", section C refers to "risk-based internal audit", section D refers to "internal auditors' involvement in risk management", section E refers to "management support" and section F refers to "characteristics of internal audit".
Closed questions were used to make response easier and to avoid ambiguous interpretation of the results.We developed our survey questions based on both prior research and open-ended interviews with experienced internal auditors and risk managers.The respondents were asked to indicate their level of agreement on a five-point Likert-type scale rating from strongly disagree to strongly agree.The questionnaires were sent online.A total 205 questionnaires were mailed and a total of 118 were received, Investment Management and Financial Innovations, Volume 14, Issue 4, 2017 yielding a response rate of 57%.To increase response rate three reminders were sent to each target respondent.The first was after one week from the initial email posting, the second after two weeks from the initial posting and the third after four weeks from the initial email posting.The collection of questionnaires began on the 23rd of February 2017 and completed on the 29th of April 2017.The descriptive statistics of the final sample are presented in Table 1.

Variables
The variables used in the survey were derived through a review of prior literature.The variable "risk management" forms our dependent variable.

Research method
This study uses both descriptive and inferential analyses.Initially, the data collected via questionnaires were analyzed with descriptive statistics.Then the reliability of the scales was evaluated us-ing Cronbach's Alpha, which measures the consistency with which respondents answer questions within a scale.To explore whether the dependent variable (effective risk management) is associated with the four independent variables multiple regression analysis was conducted.The estimated model is as follows: where RME -risk management effectiveness; RBIA -risked-based internal audit; IAI -in- ternal auditors' involvement in risk management; MS -management support and risk manage- ment; CIA -internal audit's characteristics and risk management.

Descriptive statistics
Initially, certain demographic information for the survey participants is presented in Table 1. of the 118 respondents, 45.60% are employed in industry, 36.70% in trading, and 17.70% in other sectors.As far as their education is concerned, 51.90% hold a Master's degree and 44.30% a Bachelor's degree.Therefore, we can deduce that employees of companies that were listed on the Athens Stock Exchange are fully qualified.Commenting on their position in the company, 51.90% are internal auditors, a finding that was expected due to the fact that the listed companies are obliged to have an internal control department, 21.50% are directors and 11.40% are managers.Only a small percentage (8.9%)are employees and 6.30% hold another type of position in the company.Finally, regarding the years of experience, the majority of the respondents (53.20%) have over 8 years of experience, 24.00% from 1 to 5 years, and 22.80% between 5 and 8 years.
Regarding the descriptive statistics of dependent and independent variables, the results are shown in Table 2.Over 87.00 % agree or strongly agree that risk management adds value to the company.Likewise, 51.90% strongly agree that risk management is effective.On the contrary, 35.40% are undecided (neutral) whether risk management is financially important.The second set of questions refers to the adoption of risk-based auditing.The results are also encouraging, as over 85% agree or strongly agree that the annual schedules of audits use a risk-based approach.However 34.20% are neutral on whether the internal audit's domain of responsibility is reviewed often.On the contrary, over 88.00% agree or strongly agree that macro risk models are used to relatively rank the business risk.Similarly, over 90.00% agree or strongly agree that risk categories are used in audit reports, and that individual audit engagement is designed to test risk management techniques.
The third set of questions shows statements regarding internal auditors' involvement in risk assessment.Over 80.00% agree or strongly agree that internal auditors' role in risk management is time specific.On the contrary, 25.00% are neutral regarding the statements that "Internal auditors are involved in the development and facilitation of control-self-assessments" and that "Internal auditors evaluate the reporting of risks".However, over 83.00% agree that internal auditors give assurance on risk management processes.Similarly, over 85.00% agree or strongly agree that internal auditors review the management of key risks.
The next set of questions refers to the relationship between management support and risk management.Regarding the three items in this set of questions, we observe that the opinion of the respondents varies from neutral to strongly agree.Finally, the last set of questions examines the relationship between internal audit's characteristics and risk assessment.Over 80.00% agree or strongly agree that internal audit assesses the functioning of risk management system.However, 20.00% is neutral regarding the independence of internal audit.Finally, over 80.00% agree or strongly agree that internal audit complies with International Standards for the Professional Practice of Internal Auditing.

Reliability, correlations and regression analysis
From the questions included in each separate questionnaire section, a new variable is exported that combines the answers of each section.At first, reliability assessment of the measures was conducted with the use of Cronbach's Alpha.As a general rule, a coefficient greater than or equal to 0.7 is considered acceptable and a good indication of construct reliability (Nunnally, 1978;Fornell & Larcker, 1981).Cronbach's Alpha for the dependent variable is 0.723 and for the independent variables "risk-based internal audit", "internal auditors' involvement in risk management", "top management support" and "internal audit's characteristics" is (0.806), (0.854), (0.872) and (0.887), respectively.These results show that all of these measures are reliable.
Moreover, a Pearson correlation matrix is presented in order to analyze the correlations between dependent and independent variables.The results of the correlations are presented in Table 3.We observe that there is a significant and positive correlation between dependent and independent variables.
Hierarchical regression is used in order to examine if there is a relationship between the independent variables and risk management effectiveness.
The results are presented in Table 4.
From Table 4, it is observed that R 2 is 0.437.This indicates that the four independent variables ex- plain 43.7 per cent of the variation in the dependent variable.Furthermore the results show that the model is significant at 1.00% level.Effective risk management is significantly and positively associated with the adoption of a risk-based internal auditing.Thus, our first hypothesis is strongly supported (p = 0.009 < .05).Consistent with H2, the results reveal that there is a significant association between internal auditors' involvement in risk management and effective risk management.Therefore, H2 is also supported (p = 0.001 < .05).Similarly, support of top management is found to be positively associated with effective risk management.Thus, H3 is also supported at the 5.00% significance level (p = 0.033 < .05).Finally, internal audit's characiteristics are positively associated with effective risk management.However, this association is not statistically significant.Therefore, H4 is not supported (p = 0.259 > .05).

DISCUSSION OF RESULTS
This study provides evidence of the current status of "risk-based internal audit", "internal auditors' involvement in risk management", "top management support" and "internal audit's characteristics".2009), a significant percent of the respondents is neutral towards the statement that "The internal audit's domain of responsibility is reviewed often".
An analysis of the results regarding internal auditors' involvement in risk assessment also reveal that internal auditors not only give assurance on risk management processes, but also evaluate the reporting of risks.These results are also confirmed by Zwaan et al. (2011).Similarly, in line with Allegrini and D'Onza (2003), a significant percent of respondents believe that management sets the strategic direction for effective risk management.On the contrary, regarding top management support, a significant percent is undecided whether management reports highlight risks.Finally, regarding internal audit's characteristics, the results of this study show that internal audit assesses the functioning of risk management system.The above result is in accordance with Eulerich (2013) and complies with the International Standards of Internal Auditing.

CONCLUSION
Enterprises are constantly searching for effective solutions to achieve their objectives and ensure their sustainability (Pokrovac et al., 2010).Risks threaten the achievement of business objectives at all levels (Sanchez et al., 2009).Thus, the overriding concern of business management is the continuous monitoring of risks and implementation of risk management practices.In addition, the financial crisis has highlighted the need for businesses to use internal audit as a key tool for effective risk management.Based on the literature review the internal audit function has been designed to enhance risk management and to improve the internal control system.Building on the above, it is clear that there is a strong relationship between internal audit and risk management and that relationship is of paramount importance for the viability of companies.
This study provides insight to managers regarding the effective use of specific internal audit factors and how they can enhance risk management effectiveness.Specifically, it provides a better understanding of how internal audit's involvement, top management and risk-oriented internal audit can increase risk management effectiveness.According to our results, there is a positive and significant relationship between effective risk management, risk-based internal audit, internal auditors' involvement in risk management and management support of risk management procedures.
The results of the present study should be considered in light of a number of limitations.The main limitation of the study is that it cannot be generalized due to the limited sample size.Similarly, the data collected by survey was necessarily limited in order to restrict the length of the questionnaire and to maximize response rates.Further, the study has been conducted for only one region.Further research that examines risk management in other national settings could be undertaken, in order to enhance our knowledge regarding risk management.Additional research may also investigate some of the issues in more depth, for example, the role of audit committee or the role of external audit in risk management.Finally, qualitative methods such as interviews may help to further explain factors that affect risk management effectiveness.
Shin and Park (2017)le is measured by four items that refer to added-value, financial importance, effectiveness and contribution of risk management.The aforementioned items were based on the studies of Krause and Tse (2016), Hoyt and Liebenberg (2011),Shin and Park (2017).The independent variable "risk-based internal audit" is measured by six questions regarding annual schedule of audit and individual audit engagements.

Table 1 .
Demographics of respondents

Table 2 .
Descriptive statistics regarding dependent and independents variables