Open access

Modeling Enterprise Risk Management Ecosystems Using Text Analytics

  
31 Dec 2024

Introduction

Risk Management (RM) is mandatory for public and private firms. RM contributes to the business as a preventive tool for mitigating losses, as well as seizing opportunities. RM involves the processes of identification, assessment, mitigation, and monitoring of adverse events (Barbosa, et al., 2022). In the past, these processes were performed separately in each department, which we called “Traditional Risk Management (TRM)”.

TRM has several pitfalls, including a fragmented and siloed approach in which each department handles risk independently. Most of the time, risk managers need high levels of cooperation while implementing a risk mitigation plan; however, TRM is disconnected from other important ecosystems. Therefore, TRM has shifted towards “Enterprise Risk Management (ERM)”, with the aim of managing risk in an enterprise-wide fashion and reducing organizational silos (Gordon, et al., 2009; Sithipolvanichgul, 2021; Verbano and Venturini, 2011).

Several studies have explored the value creation of ERM. These works try to analyze the significant correlation between ERM and firm performance, but they model different firm indicators. Gordon, et al. (2009a) measured firm performance by focusing on the risk and return trade-off using contingency variables such as environmental uncertainty, competition, complexity of the firm, and so forth. Sae-Lim (2019) investigated the relationship between ERM implementation and firm performance in the context of financial and nonfinancial performance. Ultimately, some studies found a significant relationship between ROA, ROE, and Tobin’s Q (Callahan and Soileau, 2017; McShane, et al., 2011).

In addition, several articles studied critical success factors (CSFs) (Beasley, et al., 2005a; Wu and Olson, 2010; Yaraghi and Langhe, 2011), yet little is known about the ecosystems relating to ERM. We perceive that ERM rectifies TRM by focusing on integration rather than silos. Most ERM studies employed primary data, while this research focuses on secondary data from the SCOPUS database (Razali and Tahir, 2011). Thus, the research question in this study is: “whether there are any other organizational systems with which ERM needs to coordinate?” Since ERM is a longitudinal study, this article examines the ERM ecosystem using text analytics with three research objectives (RO).

RO (1): To analyze ERM research performance that includes total publication, the growth rate, number of contributing authors, citation-related metrics, descriptive analysis in subject areas, document types, and source types.

RO (2): To analyze ERM ecosystems by conducting science mapping through social network analysis, focusing on citation analysis and author keyword clustering.

RO (3): To analyze hidden insights and provide a holistic framework.

The concept of ERM was developed at the firm level in the mid-1990s (Wu and Olson, 2010). ERM addresses the weaknesses of TRM in several aspects (Beasley, et al., 2015, 2005b). TRM handles risk according to a given organizational chart, whereas risks that fall between the silos then have no risk owner, which means, in turn, that there are no risk responses. Moreover, TRM focuses on the internal lens, while ERM includes external risks such as the effects of demographic change or climate change. Finally, ERM does not solely consider risk as a negative event, but it also takes into account an event or an opportunity.

Next, academia and practitioners have become aware of the benefits of ERM; therefore, they have attempted to find a way to effectively implement ERM in organizations. First and foremost, organizations start by finding an appropriate ERM framework and following its steps. The most widely cited ERM framework, which dominates the others, is that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (Hayne and Free, 2014; Lundqvist, 2014; Saardchom, 2013). While the articles mentioned stated the benefits of the COSO, its obvious advantage concerns the focus on risk governance and culture. Nevertheless, the COSO framework was developed to reach its latest version in 2017, which integrates ERM with strategy and performance (Committee of Sponsoring of the Treadway Commission, 2017).

Although the ERM framework is compulsory, it would not, in itself, ensure the successful implementation of ERM. Based on contingency theory, the successful embedding of ERM varies depending on the contingency context (Beasley, et al., 2015). Thus, several studies hypothesized that the influential factor has a significant effect on ERM apart from the ERM framework (Beasley, et al., 2005c; Trisnawati, et al., 2023). Accordingly, most studies identified supportive leadership and the presence of a Chief Risk Officer (CRO) as having a positive impact on ERM implementation.

As mentioned in the first part, the modern study of ERM investigates the relationship between ERM and value creation. One determinant factor related to the ERM value creation is ERM maturity (Fauzi and Lubis, n.d.; Huang, et al., 2021; Jalilvand and Moorthy, 2022; Oliva, 2016). These articles, to be precise, indicated that ERM can enhance value creation when organizations have high ERM maturity. Another key point is that increasing ERM maturity depends on how it is integrated with other ecosystems in organizations, yet little is known from these studies. Therefore, this study addresses this gap and uses a text analytics framework, which we call “bibliometric analysis”, to study long-term patterns of ERM.

Materials and Methods

This article adopts bibliometric analysis, which is a well-established scientific method for analyzing longitudinal literature, while bibliometric data are quantitatively studied (Kongthon, et al., 2014; Kumar, et al., 2023a). The aims of this analysis are to demonstrate the long-term specific topics for research performance, productive authors and countries, affiliations, and the hidden insights from text clustering. This allows the researcher to study previous trends while also providing foresight. Bibliometric analysis is recognized in several areas, including medicine (Kelly, et al., 2010; Sugimoto, et al., 2019), engineering and natural science (Kumar, et al., 2023b; Verma, et al., 2021), social science, and business study (Chandra, 2018; Fayad, et al., 2023; Nyantakyi, et al., 2023).

Bibliometric analysis enables us to unpack the evolutionary scientific data, whereas its application in business research is relatively new (Donthu, et al., 2021). In particular, bibliometric analysis has yet to be widely applied in ERM. With this gap in mind, the author takes this opportunity to use bibliometric data to conduct an analysis of the intellectual structure and emerging trends in the following steps:

Step 1: Data Extraction

The bibliometric data were extracted from the SCOPUS database. The author selected the maximum range for the frame using the search query “TITLE ("Enterprise Risk*")”, which focuses on article titles. The search returned 725 articles published since 1997, because at that time ERM had become a buzzword (Beasley et al., 2005d).

Step 2: Data Cleaning

Most of the bibliometric data from the database are messy. The issues include, for example, inconsistencies in similar terms, misspellings, and variations in citation styles, which can have an impact on the accuracy of the results (Ahmi, 2023). Thus, data cleaning for bibliometric data is compulsory. This article used OpenRefine, a powerful, free, open-source tool for cleaning messy data. For example, “ERM” and “enterprise risk management” should be consolidated as the same keyword. The fields cleaned with OpenRefine are author keywords and author names, because they are the main variables in our bibliometric model.

Step 3: Data Visualization and Mapping

After cleaning the data, bibliometric analysis is conducted with VOSviewer and the Bibliometrix R package (Aria and Cuccurullo, 2017).

All the steps from the explanation are illustrated in Figure 1 and can be employed to fix the conceptual framework in Figure 2.

Figure 1.

Bibliometric Analysis Process

(Source: Author’s own research)

Figure 2.

Proposed Conceptual Framework

(Source: Authors’ own research)

Results
Descriptive Analysis Results

Over a period of 26 years (1997–2023), the majority of ERM academic documents have been produced in the fields of business management and accounting, closely followed by economics and finances (Figure 3). Most ERM publications in SCOPUS are journals (467/725) and articles (440/725), while the second rank comprises proceedings and conferences (Figure 4a and Figure 4b).

Figure 3.

Descriptive of ERM by Subject Area

(Source: Author’s own research)

Figure 4a.

ERM Document Types and Source Types

(Source: Author’s own research)

Figure 4b.

ERM Document Types and Source Types

(Source: Author’s own research)

Performance Analysis

The number of published studies on ERM has constantly increased since 1997, with an annual growth rate of 15.24%. Figure 5 indicates peaks of ERM publication in 2011, 2015, 2018, and 2019. Table 1 displays publication-related metrics. The number of contributing authors and total citations is 1813 and 9658, respectively.

There are three influential journals with both TPs and TCs in ERM: Risk Management and Insurance Review, Management Decision, and The Journal of Corporate Accounting and Finance. Among these, Management Decision (Emerald Group Publishing Ltd.) has the highest H-Index; however, its scope is not directly related to risk management. The subject areas in this journal are Business, Management and Accounting (miscellaneous) (Q1) and Management Science and Operations Research (Q1). The journal whose scope relates to risk management is Risk Management and Insurance Review. There are seven ERM publications in this journal, with 102 citations between 1997 and 2023.

Most ERM publications are produced by more than a single author (Figure 7), whereby the majority involve two authors. In addition, the most productive author in ERM is “David Olson”, Professor of Business Analytics, University of Nebraska, with 13 articles. His specialty is associated with ERM in the supply chain. The most influential article was written by Hoyt and Liebenberg (2011), with 402 citations for the paper named “The Value of Enterprise Risk Management”. This paper evaluates the value of ERM and its implications. Both of them are in the insurance industry. Next, the paper named “Enterprise risk management: An empirical analysis of factors associated with the extent of implementation”, written by Beasley, et al. (2005), conveyed the study of ERM determinants with 382 citations. The authors of this article are in the accounting field, while the first author, Prof Beasley, is a Professor of Enterprise Risk Management and the Director of the Enterprise Risk Management Initiative at the Poole College of Management. One interesting article with 343 citations, conducted by Gordon, et al. (2009), concluded that the successful implementation of ERM varies across different firms under the contingency theory.

Figure 5.

Numbers of Publication in ERM during 1997-2023

(Source: Author’s own research)

Figure 6.

Total Publications and Total Citations

(Source: Author’s own research)

Table 1.

Publication-Related Metrics

| Publication-Related Metric | Information |
| --- | --- |
| Time Frame | 1997–2023 |
| Total Publication (TPs) | 725 Documents |
| Number of Contributing Authors | 1813 |
| Total Citation (TCs) | 9568 |
| Number of Citation/Paper | 9568/725 = 13.20 |
| Number of Citation/Author | 9568/1813 = 5.28 |
| h-index | 49 |
| g-index | 62 |

(Source: Author’s own research)

Table 2.

High Rank of Citations

| Author | Article Name | Journal Name | Brief Objective |
| --- | --- | --- | --- |
| Robert E. Hoyt, Andre P. Liebenberg | The Value of Enterprise Risk Management; Total Citation (402) | The Journal of Risk and Insurance (2011) | Assessing the value of ERM and its implication |
| Mark S. Beasley, Richard Clune, Dana R. Hermanson | Enterprise risk management: An empirical analysis of factors associated with the extent of implementation; Total Citation (382) | Journal of Accounting and Public Policy (2005) | Studying the factors associated with the implementation of ERM |
| Lawrence A. Gordon, Martin P. Loeb, Chih-Yang Tseng | Enterprise risk management and firm performance: A contingency perspective; Total Citation (343) | Journal of Accounting and Public Policy (2009) | Studying the contingency factors, ERM and organizational performance |
| Marika Arena, Michela Arnaboldi, Giovanni Azzone | The Organizational Dynamics of Enterprise Risk Management; Total Citation (244) | Accounting, Organizations and Society (2010) | Studying the ERM variations in firms |
| Philip Bromiley, Michael McShane, Anil Nair, Elzotbek Rustambekov | Enterprise Risk Management: Review, Critique, and Research Directions; Total Citation (242) | Long Range Planning (2015) | Proposing of critical review ERM gaps |

(Source: Author’s own research)

This research created a social network of word clustering (Figure 8) from 725 documents and 1428 author keywords. First, the 1428 author keywords were cleaned and underwent preliminary clustering using two algorithms, key collision and nearest neighbor, with keying functions such as fingerprint, n-gram fingerprint, and Cologne phonetic. Possible words such as “ERM,” “Enterprise Risk Management,” and “Enterprise Risk System” should be clustered as the same word. Afterward, a social network algorithm selects 37 author keywords that occurred at least 5 times (as given in Table 3) from the 725 documents. These 37 keywords are clustered into 6 clusters based on their co-occurrence.
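The cleaning and co-occurrence steps described above, as an added Python sketch that is not the authors' OpenRefine or VOSviewer workflow: it applies a fingerprint-style key-collision function, merges acronyms through a hand-written alias map (an assumption, since key collision alone cannot link “ERM” to its expansion), and counts keyword pairs among keywords that meet an occurrence threshold. The sample keyword lists and all function names are constructed for illustration.

```python
import re
import unicodedata
from collections import Counter
from itertools import combinations

# Constructed sample: each inner list is one document's author keywords.
SAMPLE_DOCS = [
    ["Enterprise Risk Management", "Corporate Governance", "Firm Value"],
    ["ERM", "corporate governance"],
    ["enterprise risk-management", "Governance, Corporate", "COSO"],
    ["Management, Enterprise Risk", "firm value", "Corporate  Governance."],
    ["ERM", "COSO", "Internal Control"],
]

# Hand-curated alias map (assumption): an acronym shares no tokens with its
# expansion, so a key-collision pass can never merge the two on its own.
ALIASES = {"erm": "enterprise risk management"}


def fingerprint(term):
    """Fingerprint-style key: fold case and accents, turn punctuation into
    spaces (a choice made in this sketch), then sort the unique tokens."""
    text = unicodedata.normalize("NFKD", term.strip().lower())
    text = text.encode("ascii", "ignore").decode("ascii")
    text = re.sub(r"[^\w\s]", " ", text)
    return " ".join(sorted(set(text.split())))


def normalise(term, aliases=ALIASES):
    """Map a raw keyword to its cluster key, resolving aliases first."""
    key = fingerprint(term)
    return fingerprint(aliases.get(key, key))


def cooccurrence(docs, min_occurrence=5):
    """Return (occurrence, pair_weight) counters over normalised keywords.

    occurrence[k]      = number of documents that list keyword k
    pair_weight[(a,b)] = number of documents that list both a and b,
                         restricted to keywords meeting min_occurrence
    """
    occurrence, pair_weight = Counter(), Counter()
    per_doc = []
    for keywords in docs:
        # A set, so a keyword spelled two ways in one document counts once.
        keys = sorted({normalise(k) for k in keywords})
        per_doc.append(keys)
        occurrence.update(keys)
    kept = {k for k, n in occurrence.items() if n >= min_occurrence}
    for keys in per_doc:
        pair_weight.update(combinations([k for k in keys if k in kept], 2))
    return occurrence, pair_weight


if __name__ == "__main__":
    # The paper uses a threshold of 5; the tiny sample needs a lower one.
    occ, pairs = cooccurrence(SAMPLE_DOCS, min_occurrence=2)
    for key, count in occ.most_common():
        print(f"{count:2d}  {key}")
    for (a, b), weight in pairs.most_common():
        print(f"{weight:2d}  {a} <-> {b}")
```

Reordered and punctuated spellings collapse to one key, while the acronym only joins its cluster because of the alias map; rare keywords are dropped before pair weights are counted.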

Table 3.

Publication Keyword Clustering

| Author's Keyword | Cluster | Co-occurrence | Occurrence |
| --- | --- | --- | --- |
| Internal Control | 1 (Red) | 15 | 9 |
| Risk Governance | 1 (Red) | 13 | 11 |
| COSO | 1 (Red) | 11 | 13 |
| Risk Identification | 1 (Red) | 10 | 9 |
| Risk Appetite | 1 (Red) | 8 | 6 |
| Internal Audit | 1 (Red) | 8 | 6 |
| Management Control Systems | 1 (Red) | 8 | 5 |
| Risk Analysis | 1 (Red) | 7 | 8 |
| Public Sector | 1 (Red) | 6 | 6 |
| Strategy | 1 (Red) | 4 | 5 |
| Enterprise Risk Management | 2 (Green) | 217 | 309 |
| Corporate Governance | 2 (Green) | 31 | 27 |
| Firm Value | 2 (Green) | 27 | 20 |
| Risk Culture | 2 (Green) | 11 | 7 |
| Financial Performance | 2 (Green) | 9 | 5 |
| Risk Disclosure | 2 (Green) | 9 | 5 |
| Business Strategy | 2 (Green) | 5 | 5 |
| Leverage | 2 (Green) | 5 | 5 |
| Financial Institutions | 3 (Dark Blue) | 14 | 9 |
| Construction Firms | 3 (Dark Blue) | 12 | 8 |
| Organizational Culture | 3 (Dark Blue) | 11 | 10 |
| Maturity | 3 (Dark Blue) | 9 | 5 |
| Insurance | 3 (Dark Blue) | 7 | 5 |
| Firm Characteristics | 3 (Dark Blue) | 6 | 5 |
| Information Technology | 3 (Dark Blue) | 6 | 5 |
| Risk Assessment | 4 (Yellow) | 18 | 18 |
| Emerging Market | 4 (Yellow) | 6 | 5 |
| Enterprise | 4 (Yellow) | 4 | 6 |
| Data Mining | 4 (Yellow) | 2 | 5 |
| Performance | 5 (Purple) | 27 | 20 |
| Malaysia | 5 (Purple) | 19 | 11 |
| Knowledge Management | 5 (Purple) | 16 | 11 |
| CRO | 5 (Purple) | 11 | 6 |
| Structural Equation Modeling | 6 (Light Blue) | 19 | 7 |
| SMEs | 6 (Light Blue) | 13 | 5 |
| Corporate Social Responsibility | 6 (Light Blue) | 6 | 5 |
| Sustainable Development | 6 (Light Blue) | 6 | 5 |

(Source: Author’s own research)

Figure 7.

Single Author and Multiple Authors

(Source: Author’s own research)

Figure 8.

Network of Word Clustering

(Source: Author’s own research)

Apart from the keyword “Enterprise Risk Management” used in the search term, the most prominent keywords from the social network analysis map were Corporate Governance (27), Firm Value (20), Performance (20), Risk Assessment (18), and COSO (13). This study selects author keywords instead of all keywords, as they relate more directly to the paper’s scope. The study of ERM since 1997 has focused on governance and firm value using the COSO standard.

Furthermore, top keyword pairs by degree of co-occurrence (Table 4) were analyzed based on their co-occurrences, which are ranked based on their strength or weight of association. Co-occurrence of words represents a high correlation indicating the strength of the interactions among them. The most strongly associated keywords were Corporate Governance and Enterprise Risk Management. Other significant pairs of author keywords were “Enterprise Risk Management” with “firm value, performance and Malaysia”.

Table 4.

Publication Keyword Clustering

| Author's Keyword 1 | Author's Keyword 2 | Weight |
| --- | --- | --- |
| Corporate Governance | Enterprise Risk Management | 20 |
| Enterprise Risk Management | Firm Value | 19 |
| Enterprise Risk Management | Performance | 14 |
| Enterprise Risk Management | Malaysia | 10 |
| COSO | Enterprise Risk Management | 9 |
| Enterprise Risk Management | Financial Institutions | 9 |
| Enterprise Risk Management | Organizational Culture | 9 |
| Enterprise Risk Management | Knowledge Management | 9 |
| Enterprise Risk Management | Risk Assessment | 9 |

(Source: Author's own research)

The paper combines the analysis outcomes of VOSviewer and the Bibliometrix R package (Biblioshiny) to show the prominent themes. Biblioshiny creates a thematic map (Figure 9) as a two-dimensional strategic diagram, with density and centrality as its axes, which yields four themes. The first one, called the motor theme (Quadrant 1, Q1), represents important themes with high centrality and density. The author keywords, such as “corporate governance” and “COSO”, fall into this theme. Basic themes (Quadrant 2, Q2) are those with strong centrality but low development. Next, emerging or declining themes (Quadrant 3, Q3) represent low density and centrality. After combining with word clustering over the years in Figure 10, “sustainability” and “risk governance” are the emerging themes in the study of ERM. Finally, Quadrant 4 (Q4) displays highly developed and isolated themes, called the niche theme, such as banking and insurance of ERM.

Figure 9.

Thematic Analysis (Source: Author’s own research)

Figure 10.

Word Clustering Across Years

(Source: Author’s own research)

Figure 11.

Three Lines of Defense

(Source: Schuett, 2023)

Discussion

Based on our text analytics from 725 articles in SCOPUS database using “Enterprise Risk” as a search term, the author found the following related systems that interact with ERM.

Three Lines of Defense (3LOD)

According to the author-keyword network analysis, we found a significant co-occurrence among ERM, internal control (IC), and internal audit (IA). This results in the integration among ERM, IC, and IA, which consolidates into “Three Lines of Defense (3LOD).” The first line emphasizes the role of the front manager who is directly responsible for designing appropriate IC to protect against business loss (Bantleon, et al., 2021). If internal control works well, operational risk can be mitigated. While the first line is at the forefront of designing effective internal control, the second line focuses on providing compliance and oversight in the form of frameworks and policies. The second line refers to ERM and the compliance team. To ensure an effective internal control and risk framework, an independent internal audit team plays the third-line role. 3LOD emphasizes the distinct roles within an organization relating to effectively managing risk. Our bibliometric results indicate that effective ERM should involve interaction with internal control and internal audit.

Most of the articles relating to 3LOD evaluated its quality from the perspective of financial institutions (Luburić, 2017; Tawfik, et al., 2023), whereas modern studies of 3LOD vary across industries. One contribution, from Arab, et al. (2021), who studied 3LOD for wildfire risk management in electric power grids, showed the ecosystem of ERM in relation to internal control and internal audit.

Corporate Governance

While 3LOD establishes different roles in a firm's risk management, a powerful 3LOD is associated with the robustness of the corporate governance (CG) system (Beasley, et al., 2005d; Sithipolvanichgul, 2021b). The top keyword pairs by degree of co-occurrence indicate that the strongest correlation is between ERM and CG.

CG is defined in several ways. Some studies define CG as a principle or system of rules, while others treat it as the processes used to direct and control an organization. The ecosystems of ERM significantly correlate with CG through the presence of the Risk Management Committee and the independence of the Chief Risk Officer (CRO) (Aebi, et al., 2012; Alwi, et al., 2019; Anugerah, et al., 2023). These studies framed their concepts using contingency and agency theory to investigate factors such as the proportion of independent board directors, board size, board character, and CEO duality. Most of the articles found a significant association between effective ERM and CG through these factors.

However, the effectiveness of 3LOD rests on CG. Even though 3LOD aims to provide a clear role in risk management, the different governance functions of each line are compulsory (Bantleon, et al., 2021). Although CG, ERM, and 3LOD are correlated, their effectiveness depends on the organizational contingency.

ERM Framework

There are several risk management frameworks, such as COSO, ISO 31000, the NIST Risk Management Framework (focusing on cybersecurity), and so forth. Our longitudinal study displays the clustering between COSO and ERM; consequently, the dominant standard in ERM is “COSO”. COSO launched the first framework relating to “internal control” in 2003 and closely produced COSO ERM in 2004. In 2017, COSO ERM itself improved the framework by integrating ERM with strategy and performance (Committee of Sponsoring of the Treadway Commission, 2017).

Firms established the ERM framework to follow the implementation step-by-step. Normally, the ERM framework comprises identification, assessment, mitigating, and monitoring risk, but COSO emphasizes governance, culture, and values of ERM. Hayne and Free (2014, p. 327) conducted an interview with ERM professionals and gathered information about why COSO is dominant over other ERM frameworks. Their findings showed that the COSO framework defines the language of governance and senior management responsibility. This results in the distinctive ERM framework from COSO, yet, it also contains pitfalls. COSO focuses on identifying internal risk, while external forces are neglected (Fuentes, et al., n.d.).

Firm Culture

Even though firms embed the same ERM framework, effective ERM implementation varies depending on the firm culture. Organizational culture is defined as the underlying values, beliefs, and assumptions in firms as well as their patterns of behavior (Syrová and Špička, 2023). There was evidence that proves the positive correlation between clan culture and organization performance (Yazici, 2011); however, clan culture did not ensure effective ERM.

Most articles define firm culture as the determinant; however, there is a lack of empirical evidence to explain which particular types of firm culture are suitable for ERM implementation. A detailed study on ERM and firm culture from Kimbrough and Componation (2009) refined the Organizational Culture Assessment (OCA) and mapped the correlation with ERM. The result concluded that ERM is positively associated with organic culture rather than mechanistic culture. Organic culture is directly related to lateral communication and employee commitment, while mechanistic culture refers to structure and policy. This study contains the limitation that while the empirical model established the relationship between ERM and organic culture, it would not conclude that effective ERM implementation is caused by the organic structure.

Value Creation

As mentioned in the introduction, ERM is distinct from TRM as it focuses on value creation. The bibliometric model displays the co-occurrence among ERM, firm value, organizational performance, and financial performance. Several studies demonstrated the relationship between ERM and firm performance but used different variables. Some of them used financial performance disclosed in financial statements while others considered non-financial measures.

Sustainability

Cluster 6 in Table 3 represents the correlation between ERM, sustainability, and corporate social responsibility, which was confirmed in the works of Nyantakyi, et al. (2023) and Saardchom (2013). The thematic analysis from Figure 9 displayed sustainability and corporate social responsibility as emerging themes. This indicates that, to identify risk, firms should consolidate external factors such as environmental and social risks into the firm risk profile.

Conclusions and Implications

ERM is mandatory for firms operating within a turbulent business environment. Some of them implement ERM effectively and successfully, while others do not. Even though ERM solves the problem associated with TRM, implementing it rests upon so many contingency factors. Moreover, ERM is not easy to implement since it depends on the context of the individual as well as the ecosystem.

To close this gap, this study proposes an ERM ecosystem by analyzing longitudinal studies of ERM over a period of 23 years since 1997 using a well-known text analytics tool, called bibliometric analysis. Bibliometric analysis can display several hidden insights arising from ERM research performance. The number of publications on ERM has been increasing with an annual growth rate of 15.24% from the year 2000. The number of citations per paper amounts to 13, while citations per author is 5. Indeed, the most productive author in ERM is “David Olson”, Professor of Business Analytics, University of Nebraska. Most of his work focuses on ERM in the supply chain. However, the most influential articles in ERM, such as “The Value of Enterprise Risk Management” by Hoyt and Liebenberg (2011) and “Enterprise risk management: An empirical analysis of factors associated with the extent of implementation” by Beasley, et al. (2005), were from the insurance and accounting fields, respectively.

The main contribution of this study is to propose ERM ecosystems. Our bibliometric analysis displays five themes of the ERM ecosystem: Three Lines of Defense (3LOD), Corporate Governance (CG), ERM framework, Culture, and Value. For this ecosystem, this article creates the implementation structure shown in Figure 12.

Figure 12.

Three Lines of Defense

(Source: Author’s own research)

In addition, our text analytics finds a hidden insight relating to the emerging ERM theme, namely sustainability. This suggests that ERM should be incorporated into the firm's sustainability roadmap. Practically, some environmental, social, and governance concerns should be identified in the ERM portfolio. Consequently, sustainability and ESG (Environment, Society, Governance) persist as an important ERM ecosystem in the future. The vital factors for the ERM framework under the consideration of sustainability include appropriate ERM governance, such as the support of the CRO, management, and the board of directors.

Finally, the validity of this research depends on the SCOPUS bibliometric data, which the researchers sought to clean. Therefore, future researchers might be advised to gather other data types to study the long-term trends in ERM studies. Some primary information, such as management interviews, should be included to better analyze the ERM ecosystems.