An Examination of Enterprise Risk Management (ERM) Practices among the Government-Linked Companies (GLCs) in Malaysia

Enterprise Risk Management (ERM) is a new concept of managing risks holistically, and in Malaysia such a concept is still relatively new among Malaysian companies. On a positive note, however, the ERM concept appears to have received much attention in recent years from various businesses and industries in Malaysia. This study aims to determine the level of ERM adoption among the Government-Linked Companies (GLCs) and to examine the influence of Chief Risk Officers (CROs) and Boards of Directors (BODs) on ERM implementation. Findings of the study showed that the more established GLCs were more receptive to the adoption of ERM than the less established ones. Also, companies that adopt ERM were found to have appointed Chief Risk Officers (CROs). In addition, the quality of the Board of Directors (BODs) was also found to play a significant role in ERM implementation.


Introduction
A common definition of risk is the likelihood of something undesirable happening in a given time (Merna and Al-Thani, 2008). Risk is present whenever there is uncertainty (D'Arcy, 2004). Business risks represent threats to the ability of an enterprise to execute business processes effectively and to create customer value in accordance with strategic objectives (Bell et al., 1997). On the same basis, many corporate executives believe that a comprehensive program for managing business risks provides an essential foundation for sustaining competitive advantage (Economist Intelligence, 2001).
In response, many company executives strongly believe that Risk Management is of primary importance to business enterprises (Mikes, 2005). Smith et al. (1997) gave a common-sense definition of Risk Management as any set of actions taken by individuals or corporations in an effort to alter the risk arising from their primary line(s) of business. Traditionally, companies and organizations appear to have managed risks implicitly or in a "silo/stovepipe" approach, which means that risks are often managed in isolation (Beasley et al., 2005). However, the top management in a growing number of companies recognizes that such a "silo/stovepipe" approach is no longer an effective way to manage the myriad forms of risk they face (Walker & Shenkir, 2006).
Enterprise Risk Management (ERM), an increasingly popular concept in this part of the world, is a relatively new term that is attracting much attention among businesses and industries today, as it is viewed as the ultimate approach to effective risk management. It is argued that ERM could increase shareholder value (Bowen et al., 2006; Nocco & Stulz, 2006; Allayannis and Weston, 1998), which is in line with most corporate objectives. Furthermore, ERM also provides a significant source of competitive advantage for those who can demonstrate strong ERM capability (Stoh, 2005).
However, evidence shows that the ERM concept is still not widely practiced in Malaysia despite having received much attention over the past years. It is important to note that scholarly research and empirical evidence on the determinants of such a concept are clearly lacking. Equally important, several reasons have been cited for companies' non-involvement in an ERM program. These include organizational structures that are not conducive to ERM, individuals who do not want to give up their specific responsibilities, a lack of understanding of how to effectively implement ERM and measure its benefits, and difficulties in measuring risks and correlations across risks within the company (Kleffner et al., 2003).
Since ERM is a relatively recent activity and has yet to be fully implemented by most companies, if not all, there has been little academic research about its accomplishments and about the obstacles to further progress. Also, very little has been published about attempts to identify and manage corporate strategic risks while integrating them into a corporate-wide ERM framework (Gates, 2006). While ERM appreciation and acceptance are on the rise, not all companies seem to adopt it. Not surprisingly, very little is known about why some companies embrace ERM while others do not.
In view of the above, this study is significant in enhancing knowledge of ERM practices in Malaysia. The main objective of this study is to examine ERM practices among Government-Linked Companies (GLCs) in Malaysia. Specifically, the objectives of this study are as follows:

To determine the level of ERM adoption among the Malaysian GLCs; and
To examine the role of Chief Risk Officer (CRO) and the Quality of Board of Directors (QBODs) towards ERM adoption within Malaysian GLCs.
The paper is structured as follows. First, the literature on the concept of ERM, the role of the Chief Risk Officer and the Quality of the Board of Directors is summarized. Second, the methodology of the study is described. Third, the findings are discussed, and finally the conclusion summarizes the results and discusses avenues for future research.

Literature Review
Risk Management adds value to individual companies and also supports overall economic growth by lowering the cost of capital and reducing the uncertainty of commercial activities. Shenkir and Walker (2006) stated that, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the ERM model requires executive management commitment for its rigorous implementation. It is strongly suggested that key executives should be eager to commit to ERM because they are ultimately responsible for the overall protection, creation and enhancement of shareholder value.
According to Mikes (2005), ERM is a systematic approach to managing risk. By effectively managing risk, companies and organizations alike could achieve their corporate objectives and eventually create value for their stakeholders. Furthermore, Shenkir & Walker (2006) proposed that effective ERM implementation requires a company/organization context that includes strong commitment from top management, a Risk Management philosophy and risk appetite, integrity and ethical values, and the scope and infrastructure for ERM.
In view of the above, it is useful to note the definition of ERM provided by COSO: "… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity goals." This definition reflects certain fundamental concepts, namely that ERM is: "A process, ongoing and flowing through an entity; Effected by people at every level of an organization; Applied in strategy setting; Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk; Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite; Able to provide reasonable assurance to an entity's management and board of directors; Geared to achievement of objectives in one or more separate but overlapping categories" (Flaherty, 2004).
A number of ERM frameworks are currently in use. They include the Combined Code and Turnbull Guidance, the King II Report, the Risk Management Standard of the Federation of European Risk Management (FERMA), Australia/New Zealand Standard 4360 Risk Management, COSO's Enterprise Risk Management Integrated Framework, the Institute of Management Accountants' (IMA) "A Global Perspective on Assessing Internal Control over Financial Reporting" (ICoFR), Basel II, and Standard and Poor's ERM. Although they differ in name, industry and region, they all share a common theme: the identification, prioritization and quantification of risks to help corporations effectively manage their exposure.
One of the most popular frameworks being implemented is that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (Bohn & Kemp, 2006). The foundation for the ERM methodology was COSO's 1992 Internal Control - Integrated Framework, a publication that formulated a uniform approach to managing internal control systems (Bowen et al., 2006).
COSO's ERM Integrated Framework expanded this approach by integrating these controls throughout the enterprise. It provides a Risk Management architecture of eight (8) components, namely internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring, to be considered under each of the four (4) categories of objectives, i.e. strategic, operations, reporting and compliance. Each level of the organization applies the eight (8) components of ERM to these four (4) categories of objectives. A particular objective may fall into one (1) or more categories; thus, the classification may place the objective under multiple lines of authority.
The eight components of COSO's Integrated Framework are:
1) Internal environment, which refers to the risk management philosophy, risk appetite, integrity and ethical values, and the working environment of an enterprise;
2) Objective setting, which must be addressed before any ERM process. These objectives should be aligned with the enterprise's vision and mission and be consistent with the enterprise's risk appetite;
3) Event identification, which refers to internal and external events affecting an enterprise;
4) Risk assessment, which measures the frequency and impact of potential losses;
5) Risk response, which is the way an enterprise mitigates risks. It may include avoidance, acceptance of risk while reducing the likelihood of losses, and transfer of risk to an insurance company;
6) Control activities, which are the policies and procedures that ensure the effectiveness of risk management implementation;
7) Information and communication, which refers to the techniques used to disseminate the ERM program; and
8) Monitoring, the last process in ERM implementation, which ensures that all risk management measures are appropriate and effective in mitigating risks in an enterprise.
To undertake an ERM program, a company needs someone who can initiate and monitor risk-related activities. The COSO Report (2004) on ERM therefore suggested the essential need for a Chief Risk Officer (CRO), someone who works closely with other managers in establishing effective Risk Management for the entire company or organization. In addition, the CRO has overall responsibility for monitoring progress and for assisting other managers in reporting relevant risk information up, down and across the entire business entity.
In this context, a quality CRO is essential to the successful implementation of the ERM program as a whole. Rosa (2007) postulated that the qualities of a successful CRO include a well-developed risk consciousness, knowledge of the main business processes, current education in the Risk Management curriculum, communication skills that include working with individuals at all levels, facilitation skills, and skills in finance, accounting and insurance. Furthermore, the CRO's duties include the following responsibilities:
1) overseeing the Risk Management activities and management of the framework process;
2) assisting top management by designing an appropriate Risk Management foundation;
3) monitoring enterprise-wide risks and making sure that major risks are communicated upward to the knowledge and awareness of top management;
4) ensuring and validating effective management of risks by business unit leaders;
5) serving as ERM adviser to other upper-level executives within the entire company;
6) assisting with corporate governance responsibilities;
7) assisting in the execution of the Risk Management processes;
8) facilitating an integrated approach to ERM;
9) managing specific risk types; and
10) participating in the Risk Management committee.
It is important for the company or organization to elect a leadership team that fits the current business setting. Usually, an organization's leadership refers to the Board of Directors (BODs). In deciding on the composition of Board members to be elected, stakeholders should consult the business's ERM initiative, which highlights the most significant risks that require dynamic leadership (Rosa, 2006). For example, strategic issues, human resources and information technology will govern the Board's agenda and should influence the election of Board members who can provide proactive guidance on these topics to the organization's executive management team. Furthermore, COSO (2004) suggested that the first component of ERM, the internal environment, provides the required discipline and structure. It is also the basis for the other seven (7) components of the framework, and encompasses the responsibilities of the BODs and the role of a sound organizational culture.
The effectiveness of the BODs has become an increasingly important issue in recent years. For example, Berghe and Levrau (2004) stated that Board size, Board composition and Board leadership structure are the three (3) main criteria for a good Board of Directors. It is argued that the effectiveness of a Board in monitoring management is determined by its composition, independence and size. The notions of composition and independence are closely related, as Board independence increases as the proportion of independent outside directors increases. Subsequently, Rosa (2006) argued that what makes a Board effective are its structure, composition, information management process, authority and responsibilities, performance and operations.
Board size is one of the most well-studied Board characteristics, from two different perspectives. First, the number of directors may influence Board functioning and hence corporate performance. A study by Conyon and Peck (1998) showed an inverse relationship between return on shareholders' equity and Board size for five (5) European countries. Second, researchers have started to study the Board of Directors as a decision-making group, integrating the various literatures on group dynamics and workgroup effectiveness. It is important to note that Board size can have both positive and negative effects on Board performance. Larger Boards are more difficult to coordinate and may experience problems with communication and the organization of related activities. Besides, large Boards may face decreased levels of motivation and participation, and are prone to develop factions and coalitions. In this context, the quality of the BODs might influence the level of ERM adoption.

Conceptual Framework
The independent variables of this study are the role of Chief Risk Officer (CRO) and Quality of the BODS while the Level of ERM Adoption is the dependent variable.

Methodology
The use of survey questionnaires is common in Risk Management studies (Yazid et al., 2008; Beasley et al., 2006, 2007; Liebenberg & Hoyt, 2003). As argued by Saunders et al. (1997), there are three (3) main advantages to employing survey questionnaires. Firstly, they are highly economical for gathering a large amount of data. Secondly, they can be standardized so that analysis becomes easier. Finally, they are easy for respondents to understand.
The unit of analysis for this study was Government-Linked Companies (GLCs). In this context, GLCs refers to companies listed under Khazanah Holding in which the Malaysian government is the major shareholder.
For the purpose of this study, all companies listed under Khazanah Holding which are considered Government-Linked Companies (GLCs) were surveyed. However, only 14 of them responded. Thus, the response rate for this study is 50 percent.
The survey questionnaire consists of four (4) sections. Section A gathered information on the demographic profile of respondents and their firms or companies. Section B examined the companies' Level of ERM Adoption. Section C investigated the role of the CRO in these companies, while Section D examined the Quality of the BODs.

Level of ERM Adoption
One of the objectives of this study was to examine the level of ERM adoption among GLCs. From the survey, about 43 percent of the GLCs had complete ERM in place, while 50 percent could be considered partial ERM implementers and about 7 percent were planning to adopt ERM (Table I). The results show a 'positive trend' in the implementation of ERM among GLCs in Malaysia. The number of companies adopting ERM is expected to grow in the years to come, given that most of the literature suggests that ERM, with its holistic approach to managing corporate risks, could be successfully adopted to achieve companies' objectives and hence enhance shareholders' value.

Insert Table I here
From this study, a total of 83.3 percent of those companies which adopted ERM completely have been in operation for more than 16 years. The same is the case for companies which adopted ERM partially. Thus, the overall result indicates that companies which are more established are more likely to adopt ERM. This is probably because such companies have more experience and more resources available.
Insert Table II here

Role of Chief Risk Officer (CRO)
As asserted earlier, the CRO is an important person within the GLCs whose primary role is to ensure the eventual implementation of ERM. It is therefore interesting to note that half of the respondents surveyed had actually appointed a CRO to manage their potential risk exposures. Equally interesting, the findings showed that among the GLCs that have adopted ERM completely, a total of 66.7 percent had appointed a CRO. However, the percentage of CRO appointments appears to be slightly lower (42.9%) among those GLCs that have adopted ERM partially (Table III).

Insert Table III here
These results signify the importance of the CRO and the positive trend of GLCs appointing a CRO. In this regard, there is a positive relationship between the number of CRO appointments and ERM adoption: as the number of CROs increases, more GLCs would be inclined to become involved and eventually adopt ERM. The result shows the importance of the CRO in ERM implementation, as suggested by Lam (2000).
Among the respondents surveyed, a total of 61.5 percent confirmed that their primary job function relates to Risk Management (Table IV), while 39 percent mentioned that they perform multiple tasks that include Risk Management. Among the companies that have adopted ERM completely, about 67 percent stated that their main job function is Risk Management related (Table V). The same applies to companies that have adopted ERM partially.
Considering that ERM is still at the infancy stage of development in Malaysia (Yazid, Husin and Razali, 2009), the overall result nevertheless shows a positive trend. It is also encouraging to note that Risk Management appears to be the main job function among the respondents surveyed. In this respect, the person responsible for managing risks in his company could focus on the eventual implementation of ERM as a whole. Nevertheless, the task seems to be quite challenging.
Insert Table IV and Table V here
As noted in the earlier discussion, the ERM program involves several processes. The practical Risk Management experience of respondents is an important factor that contributes to the effective implementation of ERM.
About 42 percent of the respondents involved in the survey had more than 10 years of practical Risk Management experience (Table VI). Half of the respondents have between four (4) and nine (9) years of practical Risk Management experience. Among companies that have adopted ERM completely, about 60 percent of the respondents have more than 10 years of practical Risk Management experience, compared with 33.3 percent for companies that have adopted ERM partially (Table VII). The result is consistent with the finding by Yazid (2001) that more experienced managers tend to manage more risks.

Job Functions of CRO
The COSO Framework suggested seven (7) job functions of a CRO, which cover the whole ERM process. Top of the list of job functions is developing integrated procedures to report on the major risks to the Board members (Table VIII). This is an important requirement under the Malaysian Code on Corporate Governance (MCCG, 2007), whereby the Board has the responsibility to foresee major risks associated with the company's activities.
Next in the ranking is the job function of working with unit leaders to ensure that the most significant risks comply with the company's standards. The job function of leading the risk identification process comes third. The task of identifying risks within the company requires the CRO to work closely with the other heads of units concerned.
In this regard, risk identification is a crucial process that ensures the company lists all the key risks that need to be prioritized in the first place. Another important job function of the CRO is to educate and train all employees in Risk Management for better understanding and effective management of the risk exposures facing their companies. This finding is supported by Rosa (2007).
In view of the above, Risk Management education and training are therefore much needed so that employees as a whole truly understand and appreciate the essential need for Risk Management within their companies. Such understanding and appreciation is expected to create a risk-conscious workforce and a Risk Management culture within the entire company/organization. In turn, successful ERM implementation would ultimately be possible.

The Role of Board of Directors
Many commentators in Risk Management argue that the decision to implement Risk Management should come from the top, namely the Board of Directors. This is considered highly important given that a Risk Management program requires a lot of resources, which ultimately need Board approval.
Thus, the quality of the Board could actually influence ERM implementation within the company/organization as a whole. For this purpose, and to measure the quality of the Board, this study examines three (3) factors, namely Board size, Board composition and Board leadership structure.
The study shows that all companies surveyed disclose the frequency of Board meetings (Table IX). Only 46.1 percent of companies with complete ERM in place disclosed the frequency of Board meetings, compared with 53.9 percent of those with partial ERM adoption (Table X).
Insert Table IX and X here
Furthermore, about 64 percent of companies surveyed held more than four (4) Board meetings annually (Table XI). It is suggested that more frequent Board meetings signal a 'Quality' Board. Among companies with complete ERM in place, about 16 percent held more than 12 Board meetings (Table XII). This is considered a very active Board.
However, the study shows that none of the companies with partial ERM adoption held more than 12 Board meetings. About 71 percent of the same companies held more than four (4) but fewer than six (6) Board meetings.

Insert Table XI and XII here
In terms of Board attendance, about 64 percent of the companies surveyed had over 80 percent attendance, compared with 28.6 percent with full (100%) attendance and only 7.1 percent with over 60 percent attendance (Table XIII). A total of 50 percent of companies with complete ERM adoption had full (100%) Board attendance, compared with only 14 percent of companies with partial ERM adoption (Table XIV). With full attendance, the Board could make better Risk Management decisions.

Insert Table XIII and XIV here
According to the available literature on Corporate Governance, the independence of Board members denotes the transparency of the company/organization. The study shows that a higher number of independent Board members implies that the company is more transparent. In line with the Malaysian Code on Corporate Governance (MCCG) (Revised 2007), the Board of a company that has a significant shareholder consists of one-third independent non-executive directors.
A significant shareholder for this purpose is defined as a shareholder with the ability to exercise a majority of votes for the election of directors. A total of 84.6 percent of the companies surveyed had more than one-third independent Board members (Table XV). Among companies with complete ERM in place, about 33 percent had more than one-half independent Board members, compared with none of the companies with partial ERM adoption (Table XVI). The result suggests that the Board of Directors plays an important role in ERM implementation. This is similar to the finding by Wan Daud (2008).

Conclusion
This study examines the level of ERM adoption among GLCs in Malaysia for the very first time. Several factors associated with ERM implementation were also investigated. One of the significant findings is the role of the CRO in companies that have adopted ERM.
Many companies have actually appointed a CRO even though ERM is still considered new in the Malaysian corporate scene. Several important roles of the CRO are to integrate procedures to report on major risks, to ensure compliance on the most significant risks, and to lead risk identification.
It is important to note that companies established for more than 16 years are more likely to adopt ERM. The quality of the Board of Directors could also be considered another factor that influences the level of ERM implementation among Malaysian GLCs.
It must be mentioned, however, that this study has its limitations. Due to the small population size of 28 companies and only 14 responding, more robust statistical techniques could not be used. The results were obtained using descriptive analysis only.
For future research, a qualitative study such as personal interviews with the senior management involved in Risk Management at all 28 GLCs would provide an in-depth analysis of the level of ERM adoption.

Figure 1. Conceptualization of the relationship between Quality of CRO, Quality of BO and Level of ERM Adoption

Table I. Level of ERM Adoption

Table II. Level of ERM Adoption vs. Years Company Established

Table III. Level of ERM Adoption vs. Position of CRO

Table V. Level of ERM Adoption vs. Primary Function of CRO

Table VI. Experience of Respondents in Risk Management

Table VII. Level of ERM Adoption vs. Experience of Respondents

Table VIII. List of CRO's Job Functions
Function | Mean Score
Develops integrated procedures to report major risks to the board member | 4.58
Works with unit leaders to ensure the most significant risk compliance with the organization's standards | 4.50
Works with unit leaders to ensure that risk identification is included in the business plans | 4.42

Table X. Level of ERM Adoption vs. Disclosure of BODs Meeting

Table XII. Level of ERM Adoption vs. Frequency of BODs Meeting

Table XIV. Level of ERM Adoption vs. BODs Attendance

Table XV. Proportion of Independent Directors

Table XVI. Level of ERM Adoption vs. Proportion of Independent BODs