The Impact of Enterprise Risk Management on Firm Performance: Evidence from Malaysia

This study examined the implementation of Enterprise Risk Management (ERM) on firm performance of Public Listed Companies (PLCs) on main market in Bursa Malaysia based on COSO (2004) ERM Integrated Framework. In addition, this study also investigated the moderating role of Board of Directors’ (BODs) monitoring, firm complexity and firm size of the implementation of ERM on firm performance. Questionnaire survey was adopted as the research methodology for this study. Total of 103 questionnaires were successfully collected through mail questionnaire from PLCs. The data was analyzed by using Partial Least Squares and Structural Equation Modeling Tool (Smart-PLS 2.0 M3). Based on the analysis, implementation of ERM was found to have significant influence on firm performance. In addition, monitoring by BODs, firm size and firm complexity were found to significantly influence the relationship between ERM implementation to firm performance. The findings from this study enable organizations to better understand the status of their ERM implementation and assist them in identifying areas of improvement with regards to the processes within each ERM elements. It also contributes to the literature on the importance of good governance within ERM framework in organizations.


Introduction
In the recent years, a shift of trend has been observed on how the organizations view and manage risks (Lai et al., 2010) as a fundamental concern of any organisation.Instead of the traditional risk management method which is based on the silo approach, organizations now treat risk management from a holistic perspective which commonly known as enterprise risk management (ERM) (Gordon et al., 2009).The instability in the international financial, currency and commodity markets, and uncertainties on the direction of monetary policy in some dominant economies have caused substantial risk facing emerging economies like Malaysia.During the economic and financial crisis attacked in 2007/08, a number of PLCs fell under the PN-status in Bursa.As indicated in Bursa Malaysia, after the revamp of the Malaysian Stock Exchange in August 2009, the ACE Market replaced the MESDAQ Market and the Main and Second Boards unified into Main Market trying to allow more efficient access to capital and investments, however, there are still sixteen companies under PN17 (as of 11 June 2012).
The impact of corporate governance on firm performance has gained a considerable attention by researchers in recent years (Shukeri et al., 2012).The financial scandals in the US economy such as the collapse of Worldcom and Enron have increased the attention of a lot parties in Malaysia.As in Malaysian Code on Corporate Governance (Revised, 2007), several principles and practices of good governance have been identified which has included the duties and responsibilities of BODs in influencing a firm's performance i.e. to review and to adopt strategic plan of the firm and make the firm's internal control system is adequate and practicing integrity.
The management needs to recognize the opportunity to allow the firm to progress further while mitigating the risk which may affect the firm's profit.For companies which are still practicing tradition risk management approach fail as they are not able to sustain the performance due to the complexity and fast changing business environment (Nocco & Stulz, 2006).As a result, the traditional risk management model has been replaced by an enterprise-wide view of risk rapidly, as BODs and top management of the firm have begun to focus on the ERM function (Robinson, 2002).The difference between ERM and traditional ways of managing risks is in how the entity centralizes comprehensive risk management structure and processes at strategic level as an extension of its control system.ERM is a comprehensive and integrated approach that calls for high-level oversight of the firm entire risk portfolio aligned with the strategic objectives of the firm, instead of having many different individual managers to oversee specific risks in isolation (Banham, 2004).The concept of ERM implementation framework advocates a holistic method to risk management that enables the firm to stabilize earnings and reduce the expected costs of external capital, thus improving the firm's capital efficiency.This in turn, will result in the enhancement of the firm's value (Lai, 2012).In fact, the ERM framework is an extension of the COSO (1992) Internal Control Framework and can be utilized to address the needs of a more complete control system and move the firms to an integrated and comprehensive risk management processes.
This study intends to examine the extent in which ERM is implemented among the public listed companies in Malaysia.This study also examines board of director's monitoring, firm size and firm complexity as factors that moderate the relationship between the implementation of ERM and firm performance.

Resource-based View
According to resource-based view, the application and combination of a bunch of valuable internal resources which the firm possesses is the fundamental of the firm's competitive advantage (Penrose, 1959;Wernerfelt, 1984).A firm's resources include all assets, firm attributes and its capabilities, its organizational processes, information, and knowledge (Barney, 1991).The capabilities of a firm in using and engaging the resources within the firm, such as implicit processes to transfer information and knowledge within every level of the firm is said to be one of the valuable resources that improves the firm's efficiency and effectiveness (Barney, 1991;Makadok, 2001).Due to the ERM framework, standards, governance structure and processes can be used to 'integrate, enhance and facilitate large-scale intra and inter-firm knowledge management', ERM plays a role in contributing to firm performance based on the resource-based view (Grant, 1996).

Risk and Risk Management
Risk can be defined as the likelihood of the outcome from a process will not meet expectations (Knechel, 2002).Dickinson (2001) defines risk at the enterprise level as the outcomes from a firm's corporate strategy may differ from the firm's corporate objectives.According to Harrington & Niehaus (2003), business risks are viewed from the perspective of a firm's future net cash flow, which is the major source of fluctuations in business value.Greater risks usually indicate greater losses.If potential risks are not managed effectively, they can reduce a firm's abilities to achieve its overall objective and decrease the shareholders' value.Risk management is the process of identifying key risks, obtaining consistent, understandable, operational risk measures, choosing which risks to reduce and which to increase and by what means and establishing procedures to monitor the resulting risk position (D'Arcy, 2001).The origin of risk management can be traced back to the late 1940s (Dickinson, 2001) which evolved from the foundations of financial risk management of traditional insurance focusing on hazard and also as the earlier strands of risk management practice that has recently been integrated under the broader concept of ERM.Miccolis et al. (2001) explained the emerging practices of ERM can be viewed in terms of the approach and breadth of risks considered.ERM emerged in corporate risk management practice and considers the overall risks management system as of its corporate strategy, as it views all risks together within a coordinated and strategic framework (Nocco & Stulz, 2006).

Enterprise Risk Management
The paradigm shift towards ERM adoption is often associated with a combination of external and internal factors.The external influences e.g.risks arise from globalization, industry consolidation, and deregulation as the motivated factors for the firms to approach ERM (Lam & Kawamoto, 1997;Miccolis & Shah, 2000).Internal factors are basically emphasized on maximizing shareholder wealth (Miccolis & Shah, 2000).Several empirical studies discussed on the factors towards ERM adoption and implementation in firms.Liebenberg & Hoyt (2003) found that firms with higher financial leverage are more likely to adopt ERM system and prompt to have a CRO in the organization structure, which is an early indication of ERM adoption (Pagach & Warr, 2007).
COSO ERM (2004) was expanded from COSO (1992) Internal Control Framework in providing more 'robust and comprehensive focus on broader subject of ERM'.COSO (2004) defines ERM as "a process, affected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."The definition implies that ERM reaches to the highest level of the organizational structure and it is directly related to the corporations' business strategies.
Firms with ERM program implemented are perceived could have sustained their competitive advantages than firms that manage and monitor risks in silos as ERM helps in strengthening the firm's ability perform its strategic plan (Nocco & Stulz, 2006).Studies have shown that the implementation of ERM has improved firm performance (e.g.COSO, 2004;Lai, 2010;Gordon et al., 2009;Hoyt & Liebenberg, 2010;Segal, 2011).In recent years the benefits of ERM have been seen by the organizations ( (Liebenberg & Hoyt, 2003;Miccolis & Shah, 2000).Without taking risks, organizations cannot add value.This study synthesized that the risk management objectives of most companies are mainly to strive to achieve a balanced approach in mitigating risk events as well as optimizing business opportunities.

Theoretical Framework and Hypotheses Development
The theoretical framework is shown in Figure 1.

Enterprise Risk Management and Firm Performance
The performance of a firm is crucial to indicate whether a firm is facing a loss or profit.Business performance is often a key concept and the main concern of strategic management (Venkatraman & Ramanujam, 1986).It is reasonable to be assured by the management of the firm that no major negative events might occur via maintaining good control, to increase the probability of organizational success (Merchant & Van der Stede, 2007) and improve firm performance.Bartnam (2000) and Doherty (2000) elaborated firm performance as the firm's ability to achieve its goals and objectives, financially or non-financially.Hoyt and Liebenberg (2011) find that ERM is associated with significantly higher values of Tobin's Q, which is a measure of firm value and growth opportunities.However, Lin, Wen and Yu (2010) find that ERM is associated with a lower Tobin's Q.Based on the literature reviewed on ERM implementation and firm performance, most studies support that implementation of ERM appropriately will create value and enhance firm performance (Deloach, 2000;Miccolis & Shah, 2001;Barton et al., 2002;Kleffner et al., 2003, Hoyt & Liebenberg, 2006;Anderson, 2008;COSO, 2004;Lai, 2010;Gordon et al., 2009;Hoyt & Liebenberg, 2010;Segal, 2011).Woon et al. (2011)  Firm Complexity implementation will create value for shareholders through lowered cost of capital and enhanced business performance.Therefore, this study proposing the development of the following hypothesis: H1: ERM implementation has a significant relationship with firm performance.

Firm Complexity
COSO ( 2004) stated that a complexity of a may also affect how the principals and concepts of its framework are implemented in an effective and efficient manner.Firm complexity is referred to the number of business segments or subsidiaries within a firm and is in operating with (Doyle et al., 2007;Yatim, 2010, Golshan & Rasid, 2012).Hoyt & Liebenberg (2009) found that firm complexity has positive relationship to the use of ERM. Gordon et al. (2009), Gordon et al., and Pagach & Warr (2011) also found that firms which are more complex are more likely to implement ERM.Bies (2007) claimed that ERM should be adopted depending on the size and level of complexity of the firm.Based on literatures above suggesting that there should be a positive relation between the firm complexity and its need for an ERM implementation, therefore the proposed hypothesis is stated as below: H2: Firm complexity has a significant influence on the relationship between ERM implementation and firm performance.

Firm Size
COSO ( 2004) mentioned that size of a firm as one of characteristics that affects how the concepts and principles of the COSO framework are most effectively and efficiently implemented.From the past empirical studies, the frequently measurement for firm size are in terms of employment or total number of employees in the company (Munro & Noori, 1988;Hsu et al., 2008).The size of a firm can also be reflected in its total assets (Yazid et al., 2012) or market capitalization (Ge & McVay, 2005).In a study by Beasley et al. (2005) which focused on the factors associated with the implementation of ERM, it was found that firm size as one of the contributing factors.Yazid (2008) showed that larger multinationals were more likely to be involved in risk management.Hoyt & Liebenberg (2006, 2011) revealed that size is one of the key factors that determine the company's involvement in ERM.It is important to have enough assets to support an ERM program was also stressed by Pagach and Warr (2007) and Yazid et al. (2008).Apart from that, most of the studies show evidence that bigger firms are more likely to engage themselves in ERM activities.Yazid et al. (2011) again claimed firm size as one of the factors that could possibly influence any firm to eventually implement ERM.Thus the hypothesis proposed by this study as: H3: Firm size has a significant influence on the relationship between ERM implementation and firm performance.

Board of Directors' Monitoring
To implement ERM, it requires the contribution from most of the parties from different levels in a firm.COSO (2004) identified several parties of governance that play vital role in order to make sure the implementation of ERM is a success.The BODs plays a critical role monitoring managerial actions on behalf of the shareholders.BODs and the CEO are responsible for strategic direction setting of the firm and creating the environment for an effective ERM system.An effective ERM implementation requires the strong commitment from the BODs and top management.(Kleffner et al., 2003;Shenkir & Walker, 2006;Daud & Yazid, 2009).Sobel & Reding (2004) noted that an effective ERM system is dependent on active participation by firm's BODs.Consistent with the risk-based approach, establishment of a risk management committee on the board shows a greater concern of the importance of risk management and control (COSO) 1992(COSO) , 2004;;Hermanson 2003;Selim and McNamee 1999).The above noted literature suggests that there should be a positive relation between the BOD's monitoring and with ERM implementation.Therefore, the proposed hypothesis for this study as below: H4: Monitoring by the BODs has a significant influence on the relationship between ERM implementation and firm performance.

Sample and Data Collection
Questionnaire survey was adopted to obtain data from the public listed companies on main market in Bursa Malaysia.Questionnaire surveys were distributed to the Chairman of Risk Committee, Chairman of Audit Committee or Managing Director in the firms by post mail.All measures of variables were selected and adapted from existing literature.This is a cross sectional study where questionnaires were sent to PLCs on main market in Bursa Malaysia by different industries at a single point of time.The target population of this study consists of total of 800 companies listed on the main market of Bursa Malaysia.Total of 107 questionnaires were successfully collected.However, only 103 questionnaires were usable and it representing a response rate of 13.38%.

Method of Analysis
A total of eight components are used as the measurement for ERM implementation in this study.There are three moderating variables added into the framework: BOD's monitoring, firm complexity and, firm size to test their moderating effect on the relation between ERM implementation and firm performance.Firm performance is measured based on financial and non-financial perspectives.The survey instrument is based on constructs validated in prior research, standardized and adapted to the context of this study.The independent variables include the eight components of ERM Integrated Framework: Internal environment (8 items), objective setting (5 items), event identification (5 items), risk assessment (4 items), risk response (4 items), control activities (5 items), information and communication (3 items) and monitoring (2 items) used as the measurement for ERM implementation.These items are adapted from Altemayer ( 2004) based on components of COSO (2004), andFadzil et al. (2005) based on COSO (1992).The independent variable was adopted 5-point Likert scale ranging from "1=strongly disagree" to "5=strongly agree".Firm complexity (measured by number of business segments, adopted from Gordon et al., (2009), BODs' monitoring (10 items) is adapted from Kamardin & Haron (2011) and firm size (measured by number of employees, adopted from Gordon et al., (2009), are the moderating variables in this study.5-point Likert scale ranging from "1=strongly disagree" to "5=strongly agree" was utilized in measuring the moderating variables.The dependent variable of this study is the firm performance (12 items) which adopted 7-point Likert scale ranging from "1=declined greatly" to "7=improved greatly".Firm performance is measured by financial indicators (6 items, adapted from Calandro & Lane (2006), Marques & Simon (2006), Glaister, et al. (2007), Hsu et al. (2008) and Anderson (2008); and non-financial indicators (6 items), adapted from Calandro & Lane (2006), Glaister, et al. (2007), Hsu et al. (2008), Jang & Lin (2008) and also based on Kaplan & Norton (1992).

Respondents and Company Profile
Majority of the respondents are male (75.7%) and minority are female (24.3).Majority of the respondents are 45 years old and above (40.8%).This may imply the respondents have sufficient working experience and may understand the current issue and concern well.In terms of management level in the company, it found that 52.4% of the respondents are from the C-level role in the organization.This indicates that the respondents are appropriate and qualified to answer the questionnaires.In addition, more than 50% of the respondents have more than five years working experience with the current company.This may indicate the respondents have experience and understanding to the company's structure and planning thus could increase the reliability of the information provided by the respondents.
The target audiences of this survey are the PLCs of main market in Bursa Malaysia.From the data analysis of organization profile shown in Table 2, majority of the responded companies are from properties (22.3%) and plantation (19.4%) industries, followed by consumer product (15.5%),trading/service (12.6%), construction (11.7%), industrial product (6.8%),technology (6.8%) and other industries (4.9%).None of the responded companies has established less than 5 years.Majority of the responded companies have established for 16 years or more (65%).Companies were asked on their status of risk management activities.57.3% of the companies claimed that they have complete a ERM in place while 30.1% of the responded companies claimed that they have only partial ERM structure in place while there are still 8.9% of the companies responded that they are still practicing silo approach but is looking into the implementation of ERM in the coming future as they realized the paradigm shift of ERM as nowadays' trend.From the result, we found that almost of the responded companies (48.5%) started to adopt ERM in between year 2008 to 2010.It shows that ERM had started to raise attention and concern among public listed companies since year 2008 or before.Even though the trend and concern in implementing ERM has raised, and most of the responded companies have either complete ERM or partial ERM structure in place, however, there are only about a quarter of the responded companies (21.4%) has been implementing ERM extensively and 44.7% of the companies implemented ERM to a somewhat moderate extent.68.9% of the companies have formed the risk committee to oversee the firm's strategy and performance.Even though most of the companies have formed the risk committee, however it is only 44.7% out of the 68.9% of the companies have appointed a Chief Risk Officer in the managerial structure.

Measurement Model
The relationship between latent variables and the observed variables in the questionnaire is shown by the measurement models.The factor loadings, composite reliability, convergent validity, and discriminant validity was examined in order test the measurement model of this study (Ramayah & Suki, 2011).Table 1 shows the convergent validity of constructs.From the analysis result, all loadings are higher than the recommended level of 0.5, indicates that all the questions are representing a particular variable.In order to measure the reliability of the measure, researcher used the inter-item consistency reliability value of Cronbach alpha.The values range from 0.948 to 0.950, which above the threshold of 0.7 as suggested by Nunnally (1978).Composite reliability (CR) values, which depict the degree to which the construct indicators indicate the latent construct range from 0.956 to 0.959, which meet the recommend value of 0.7 (Nunnally, 1978).The average variance extracted (AVE), which reflect the overall amount of variance in the indicators accounted for by the latent construct, were in the range of 0.643 and 0.744 which exceeded the recommended value of 0.5 as suggested by Bagozzi and Yi (1988).Therefore, the measurement model possessed adequate convergent validity can be concluded.The result of the hypotheses testing of this study are summarized and presented in Table 3.
Table 3. Summary of the hypotheses testing Hypotheses Results H1: ERM implementation has a significant relationship with firm performance.Supported H2: Firm complexity has a significant influence on the relationship between ERM implementation and firm performance.Supported H3: Firm size has a significant influence on the relationship between ERM implementation and firm performance.Supported H4: Monitoring by the BODs has a significant influence on the relationship between ERM implementation and firm performance.Supported

Discussion
H1 proposed ERM implementation has a significant relationship with firm performance.Result after analysis shows that H1 has a β-value of 0.793 and p < 0.01.Therefore, H1 is accepted and it shows significant relationship between extent of ERM implementation and firm performance.This result is supported by studies done by Lai, 2010;Gordon et al., 2009;Hoyt & Liebenberg, 2010;Segal, 2011 which claimed that implementation of ERM has improved firm performance.
H2 proposed that firm complexity has a significant influence on the relationship of the extent of ERM implementation on firm performance.Result of analysis shows that H2 has a β-value of 0.245 and p < 0.01.Therefore, H2 is accepted and it has a significant influence on the relationship of the extent of ERM implementation on firm performance.Hoyt &Liebenberg (2009) andpagach &Warr (2011) found that firm complexity has positive relationship to ERM adoption.Gordon et al. (2009) and Pagach & Warr (2011) found those complexes firms have higher tendency to implement ERM concept.Bies (2007) claimed that ERM should be adopted depending on the size and level of complexity of the firm, while smaller firms applying ERM in less formal and less structured ways.Firm which is complex is facing higher tendency for committing material weaknesses in internal control (Ge & McVay 2005;Doyle et al., 2007).Therefore the result is supported that firm complexity does influence ERM adoption on firm performance.
H3 proposed that firm size has a significant influence on the relationship of the extent of ERM implementation on firm performance.Result of analysis shows that H3 has a β-value of 0.713 and p < 0.01.Therefore, H3 is accepted and it has a significant influence on the relationship of the extent of ERM implementation on firm performance.This result is supported by Beasley et al. (2005) and Hoyt & Liebenberg (2009), who found that firm size is positively related to ERM adoption.Gordon et al. (2009) argue that relation of ERM and firm performance is contingent upon several factors while examining the relation between ERM and performance, and firm size as one of the factors has taken into consideration and had positive relationship on his hypothesis.
H4 proposed that BODs' monitoring has a significant influence on the relationship of the extent of ERM implementation on firm performance.Result of analysis shows that H4 has a β-value of 0.327 and p < 0.01.Therefore, H3 is accepted and it has a significant influence on the relationship of the extent of ERM implementation on firm performance.An effective ERM implementation requires the strong commitment from the BODs and top management (Shenkir & Walker, 200;Daud & Yazid, 2009).The BODs plays a critical role monitoring managerial actions on behalf of the shareholders.The governing role of the board has transformed from the past few decades to include new board conditions and procedures which help to promote the effectiveness of the board in monitoring and managing management on behalf of shareholders (Kosnik, 1987).Sobel & Reding (2004) noted that active participation of the firm's BODs ensure the effectiveness of the firm's ERM system.Kleffner et al. (2003) found that encouragement of the BODs associated with the adoption of a firm's ERM strategy.Thus, H4 is supported by the literature.

Implication of Findings
For the theoretical implications, Resource-based view is used in this study to examine the ERM implementation and firm performance among PLCs in Malaysia.ERM is the significant intangible resources because it is valuable and hard to imitate will enable the firm to achieve competitive advantage in the long run.This study found that the monitoring by BODs, firm complexity and firm size have significant influence to the relationship between ERM implementation on firm performance which contributed to uncovering contingent factor in the relationship of ERM implementation to firm performance.
For the practical implications, this study presented its findings on the status of ERM implementation among the PLCs in Malaysia and showed that Malaysian companies have increased their awareness to manage company-wide risks holistically.This research which conceptualized the extent of ERM as the eight elements of the COSO (2004) framework and further explains each element in the framework as to the process flow helps organizations to better understand the status of their ERM implementation and assists them in identifying areas of improvement with regards to the processes within each ERM elements.This study presents results that confirm, to a reasonable extent, the impact of such enterprise wide programme in balancing risks and opportunities in business firms, while maximizing value to the shareholders, and striving to sustain its competitiveness. .Besides, it also contributes to the literature on the importance of good governance within an ERM framework in organizations.Qualitative comments compiled from the interview sessions have also highlighted some of the challenges faced by the firms as they progressed through the ERM initiative in their organization.Besides, several critical success factors have also been highlighted to the attention of the practitioners.Furthermore, this study highlighted that the implications of such enterprise-wide programme should be viewed in terms of financial indicators and non-financial indicators.In addition, this finding contributes to the literature on the importance of good governance within an ERM framework in organizations.

Conclusion
This study has proven the significant relationship of ERM implementation and firm performance of PLCs in Malaysia.This study has also proven that BOD's monitoring, firm size and firm complexity have significant influence in moderating the relationship of the extent of ERM implementation and firm performance.Implementation of ERM is considered at its infancy stage in Malaysia.This study concludes the awareness of ERM implementation by PLCs in Malaysia is significant.This awareness of ERM has started way back in 1999 as few responded companies have already adopted the system within the organization.PLCs and government realized that the importance of ERM in managing the business risks in a holistic way thus could help the firm to identify the events at the preliminary stage, trying to reduce the unnecessarily negative surprise and respond to the changes, internally or externally which might threaten the firm's performance and create harm to the shareholders' value.

Figure
Figure 1.Theoretical framework

Table 1 .
Convergent validity of construct (with moderators)