The Risk Management Process in Jordanian Public Shareholding Organisations

Risk management, as a business practice in developing and emerging nations, is an under-researched area. The aim of this paper is to contribute to the development of risk management theory and practice by examining the determinants of the integration of risk management within public shareholding organizations in an Arab country, Jordan. A survey strategy was used and questionnaires were distributed to Jordanian organizations listed on the Amman Stock Exchange. Parametric statistics such as Pearson’s correlation coefficient and analysis of variance were used to achieve the aim and objectives, which were all related to risk management practice and its wider implications for general management. The main finding of this research is that the level of integrated risk management within many Jordanian organizations is variable, but that it is significantly correlated with the type of industry; financial organizations are more likely to be involved in risk management than service or industrial organizations.


Introduction
Most productive activities of an organization involve risk, and many of these risks can threaten the organization's success, leading ultimately to a decrease in stakeholder value (Hull, 2007).Voinea and Anton (2009) argue that risk management should be a key activity for all organizations, while Stulz (2009) has highlighted the need for more and improved integrated risk management (IRM).IRM is frequently discussed (for example, AS/NZS ISO 31000, 2009) in the context of a cohesive approach to the organization's risks per se; however, there are wider implications of the practice.It could be argued that the integration should look beyond risk management and consider how this particular business discipline could be assimilated into general management; in other words, it should consider the wider business and management implications of having or not having a system of IRM.
Forces such as globalization and instability in the political and economic environment add complexity to business and have provided a significant impetus to the importance of managing risks.Internationally, the financial crisis of 2008 has highlighted some weaknesses in the process of risk management (Voinea & Anton, 2009), and in the Middle East, the events of the Arab Spring have increased the risk perceptions of organizations (Al Khattab et al., 2012;Barbour et al., 2012).The turmoil, as reported by Vale Colombia Center (2012), had a significant impact on corporate investors' investment intentions.Despite this fact, previous risk management studies of Swedish (Kettis, 2004) and Jordanian organizations (Al Khattab et al., 2008b) have reported that risk assessment practice is crisis oriented.In essence, risk management is not fully integrated into the general business and management decision-making process, in that it focuses only on the negative outcomes of possible events and not on the balance between risk and reward.
The majority of existing work in this area (e.g., Meyer & Nguyen, 2005) has been conducted in the context of developed countries.Writing in the context of the use by US insurance companies of enterprise risk management (ERM), one of the labels attached to an integrated form of the discipline, Hoyt and Liebenberg (2011) provide tentative evidence of the value to the organization of having an integrated system.They recognize that their sector analysis and geographical frame are limited and their sample size small, but their preliminary finding is that such a system of risk management can add overall value to public shareholding organizations.Most studies conducted in Jordan and other Middle Eastern countries (e.g., Zeitun & Tian, 2007;Moore, 2012;Adeel & Awadallah, 2012), have been concerned with general management practices.Frynas and Mellahi (2003) state that very few investigations have been conducted into corporate risk management practices in emerging markets, while Al Khattab (2006) notes that there has been little research on IRM, either as a stand-alone business practice or as a wider contributor to general management, within the Middle East.Alon et al. (2006) and Anchor and Benešová (2012), moreover, suggest that there is a limited body of research that investigates risk management practices and integration from an organization-specific perspective.
Unlike previous descriptive studies, the present research is explanatory.Given the apparent gap in the wider literature, this study contributes to the knowledge base of risk management in the Middle East.The research focuses on Jordanian public shareholding organizations and offers an explanation of how organizations in that emerging market perceive and implement the management of risk.The focus on Jordan enables the research to explore how organizations in emerging markets manage risk and to determine the reasons for divergent approaches to the risk management process.This is important, since outward foreign direct investment from developing and transition economies recently reached USD 388 billion (UNCTAD, 2011).The aim of this research, therefore, has been divided into three sub-objectives: a) to examine the indicators of IRM; b) to explain the determinants of IRM; and c) to examine the correlations between the determinants of IRM.Consequently, organizations and governments in emerging markets need to integrate their risk management processes.

Literature Review
The risk literature, including national and international standards (AIRMIC, ALARM & IRM, 2002; AS/NZS ISO 31000, 2009) suggests that risk management enables the decision-maker to avoid or reduce the negative consequences of risk.Despite this, some of the literature on risk (e.g., Burmester, 2000;Hood & Nawaz, 2004), has suggested that the standard of some specific forms of risk management undertaken by organizations is generally low.Al Khattab et al. (2012) describe the use of risk management in practice as crisis oriented.The risk management literature, including AIRMIC, ALARM and IRM (2002), National Institute of Standards and Technology (2002) and AS/NZS ISO 31000 ( 2009), uses more or less synonymously the terms "integration of risk management", "enterprise risk management" and "systematic risk management", affirming that risk management should be a continuous and developing process.It should also address methodically all of the risks surrounding the organization's activities.In line with this literature, the term "integration of risk management" is preferred in this study.

Risk Management and Its Wider Integration
Risk management, as defined by AIRMIC, ALARM and IRM (2002), is an effective process whereby organizations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.There are two fundamental approaches to the risk management process: a fragmented approach and an integrated one.The former, traditional approach is a segmented and compartmentalized one, in which different risks are delegated to different specialists, who use different instruments to tackle them.In the second approach, often called integrated or enterprise risk management (D'Arcy, 2001;Ward, 2003), all the risks are assembled in a strategic framework.Many standards (e.g., AIRMIC, ALARM andIRM, 2002, 2010) recommend that organizations should have a framework that integrates the process for managing risk into the organization's overall management strategy, although they are relatively silent on how this wider integration can be achieved.AIRMIC, ALARM and IRM (2010) assert that such management should be: a) supported by a structure that is appropriate to the organization and its external environment or context; b) proportionate to the level of risk in the organization; c) aligned with other corporate and management activities; d) comprehensive in its scope; e) embedded into routine activities and f) dynamic, i.e., responsive to changing circumstances.Their standards (AIRMIC, ALARM andIRM, 2002, 2010) ensure that such an approach will enable a risk management initiative to deliver outputs, including compliance with applicable governance requirements, assurance to stakeholders regarding the management of risk and improved decision-making.The benefits associated with these outputs include more efficient operations, effective tactics and efficacious strategy.Furthermore, many studies (e.g., Ward, 2003;Hull, 2007;KPMG, 2009;Stulz, 2009) have highlighted the need for improved IRM, both as a stand-alone discipline and as part of wider management practice.
In their review of the theory and practice of ERM, Hoyt and Liebenberg (2011) identify several persuasive arguments in its favour, e.g., organizational and financial efficiency, better informed management decision-making and a potential reduction in aggregated risk exposure.Therefore, if we accept as a basic premise that risk management as a discipline should not be an isolated function, but integrated, both per se and with other management functions, we need clarity on what is meant by IRM. Doherty (2000), AIRMIC, ALARM andIRM (2002, 2010) and AS/NZS ISO 31000 ( 2009) argue that each organization should have a framework that integrates the process for managing risk into its overall governance, strategy and planning, management, reporting processes, policies, values and culture.While all organizations manage risk to some degree, AIRMIC, ALARM and IRM (2002) and AS/NZS ISO 31000 (2009) suggest establishing principles that need to be satisfied before risk management will be effective.Consequently, the indicators of the extent to which organizations engage in risk management vary.
This research conceptualises the extent to which organizations integrate risk management into their operations in the context of four related elements, with each element comprising a number of indicators.These four elements have informed our analysis of the apparent determinants of IRM and, consequently, our empirical study in Jordan:  Developing the corporate risk profile, which ensures: a) that the organization's risks are identified through environmental scanning; b) that the current status of risk management within the organization is assessed; and c) that the organization's risk profile is identified.
 Establishing an IRM function, ensuring: a) that management direction on risk management is communicated, understood and applied; b) that the operationalization of IRM is implemented through existing general management, decision-making and reporting structures; and c) that capacity is built through the development of organizational learning plans and tools.
 Practising IRM, to ensure: a) that a common risk management process is consistently applied at all levels; b) that the results of risk management practices at all levels are integrated into informed decision-making and priority setting; c) that tools and methods are applied; and d) that consultation and communication with stakeholders is ongoing.
 Developing continuous risk management learning, thus ensuring: a) that a supportive work environment is established, where learning from experience is valued and lessons are shared; b) that learning plans are built into the organization's risk management practices; c) that the results of risk management are evaluated to support innovation, learning and continuous improvement; and d) that experience and best practices are shared, internally and across government.
The creation of a standard model may be very challenging, as Howell (2001) suggests, but the Risk Management Standard (AIRMIC, ALARM, and IRM, 2002) and the Australian/New Zealand Standard represent best practice, although these are not intended to produce a prescriptive approach.Whilst these standards are useful as regards the creation of a model of IRM, however, they are often less informative on how this IRM can then be taken forward as a wider management technique.Nevertheless, by meeting the various component parts of such a standard, albeit in different ways, as suggested by AIRMIC, ALARM and IRM ( 2002), organizations will be in a position to report that they are in compliance.

Determinants of IRM
A synthesis of the four elements of IRM identified above suggest that the extent of IRM among organizations can be explained by two sets of determinants: decision makers' perception of risk and organization-specific characteristics.Although we touch on the former, the primary focus of our empirical research was on the latter.Management characteristics, such as perceptions of risk in foreign operations and senior management exposure to foreign markets, have a significant influence on management views of international business activities (Miller, 1992;Jaw & Lin, 2009).The integration of risk management, therefore, can be seen as an 'adaptive' response by organizations in circumstances where there is a perception of greater probability that potentially significant risks will arise (Miller, 1992).
The risk literature emphasizes that the impact of risk is related to organization-specific characteristics (e.g., Chenhall, 2003;Goriaev & Sonin, 2005;Anchor & Benešová, 2012) and that the implementation of risk management is organization specific (Uta, 2005;Alon et al., 2006).Miller (1992) asserts that the nature of risk management is heavily dependent on the nature of the risk exposure of the organization.The systemic risk to organizations posed by recent developments has placed greater demands on both regulators and risk managers (Deloitte, 2009).The literature (e.g., Al Khattab et al., 2008a;Pooser, 2012;Anchor & Benešová, 2012), suggests that the extent to which an organization is involved in risk management is therefore correlated with factors including its size, its degree of internationalization and the sector in which it operates.We use these three organizational characteristics in the formulation of our second objective, i.e., the description and explanation of the determinants of IRM.
An organization's size has an impact on its capability to identify, assess and manage risk (Chapman & Ward, 2003;Deloitte, 2009) and on its exposure and vulnerability to risk (Sadorsky, 2001;Anchor & Benešová, 2012, Chan & Chen 2012).From the capability perspective, Al Khattab et al. (2008a) conclude that larger organizations are more capable of engaging formally in risk management.However, as can be seen from the banking crisis, this theoretical capability does not always translate into practical efficacy.The size and complexity of larger organizations (Ward, 2003;Deloitte, 2009) make IRM more important, but these very characteristics make it harder to achieve an organization-wide view of risk.Conversely, few smaller organizations may have IRM programmes and it could be argued that they would expect limited value from implementing one, as they have fewer sources of risk (Deloitte, 2009); yet they are more vulnerable to the consequences of whatever risks they do face than larger, more resource-rich organizations.
By way of illustration, Kettis (2004) found that many organizations considering risk management were hindered by the initial and continuing high fixed costs of such a process.On the other hand, Moen (1999) reports that small organizations tend to have a strong advantage with regard to products and technology.Fitzpatrick (2005) explains that small organizations are more responsive to the market than larger ones.In order to gain competitive advantage, however, Thompson (1997) recommends that small organizations should examine their environment for opportunities and threats.In the context of Costa Rica, Oetzel (2005) found that smaller organizations were exposed to different political risks than larger ones.
In summary, the risk management literature suggests that larger organizations are more likely to engage in risk management than smaller ones, although much of that literature is silent on its effectiveness in ensuring a balance between risk and reward.
To help achieve our research objective, the total assets in US dollars is used as a continuous variable to measure the size of the organization.
International revenue is used widely in the risk literature to measure an organization's degree of internationalization (e.g., Gomes & Ramaswamy, 1999;Auden et al., 2006;Anchor & Benešová, 2012;Al Khattab et al., 2012).Thus, the proportion of total revenue that is generated from international business activities is used as an indicator of internationalization. Organizations which are 'heavily' involved in international business, according to Suder (2006), Chapman and Ward (2003) and Green (2005), face greater risks and consequently place more emphasis on risk management.Studies of risk management in the context of Bulgaria (Iankova & Katz, 2003) and Jordan (Al Khattab et al., 2008b) found that organizations which had greater international risk exposure had more interest in risk integration.The organization's degree of internationalization can therefore influence its practices through the exposure to various risk sources in international markets.
In compliance with the practice of the Amman Stock Exchange, Jordanian organizations are categorized for the purpose of this research into three main nominal categories: financial, service and industrial.Classifying organizations by sector follows the proposition of Burmester (2000), Howell (2001), Wilkin (2001) and Anchor and Benešová (2012) that some sectors may be more vulnerable to risk than others.Similarly, May (1995), Zarkada-Fraser and Fraser (2002), Minor (2003) and Goriaev and Sonin (2005) argue that organizations belonging to different sectors do not perceive the same degree of risk when facing that same risk in a given country.
Voinea and Anton (2009) report that risk management has had a higher profile, especially among financial organizations, while Deloitte (2009) notes that volatility and illiquidity have illuminated a range of challenges for risk management in this sector.For their part, industrial organizations with large fixed assets are particularly concerned about contract repudiation, as such breaches can have severe consequences (Jenney, 2001), whereas of greater concern to oil organizations, according to Minor (2003), is expropriation: the risk that a host country will seize foreign-owned assets.
It is appropriate to suggest that organizations which are perceived as being more vulnerable to risk have more concern for risk and that as a result, they may give more consideration to risk management.Feng et al. (2012) identify the causes of the financial crisis as credit risk and market risk.However, the root cause underlying these was poor corporate management.In recent years, financial sector failures have induced policymakers to devise prudent risk management mechanisms, many of which should be integrated into the general management policies and practices of organizations.Indeed, de Mortanges and Allers (1996) have argued that industries such as those in the extractive and banking sectors have tended to develop more comprehensive and sophisticated techniques of risk management.By contrast, a study of UK organizations by Wyper (1995) found no significant relationship between the type of industry and the integration of risk management.
To sum up, the integration of risk management within organizations may be related to their industrial sector.

Research Methodology
Our research investigates the extent to which public shareholding organizations in Jordan engage in risk management.To achieve the primary aim, we adopted a positivist philosophy, as recommended by Easterby-Smith et al. (2002) and by Sekaran and Bougie (2009).In line with similar studies (e.g., Adeleye et al., 2004;Hood & Nawaz, 2004;Olsson, 2007;Anchor & Benešová, 2012), we chose a survey strategy in order to examine the relationship between the risk management process and organizational characteristics.This cross-sectional study included all Jordanian organizations listed on the Amman Stock Exchange as public shareholding organizations.The rationale for taking the survey approach was threefold: a) it has been extensively used in the field of business research; b) it is consistent with the positivist paradigm and with our aim and objectives; and it is by far the most common approach to primary data collection (Creswell, 2008).In particular, surveys represent the overwhelming choice for collecting primary data in risk management research (Raz & Michael, 2001;White & Fortune, 2002;Bing et al., 2005;Al Khattab et al., 2008b;Anchor & Benešová, 2012).
The research population was defined as all public shareholding organizations registered on the Amman Stock Exchange Market for 2012 (n = 213).For this purpose, public shareholding organizations are defined as those issuing stocks which are traded on the open market, either on a stock exchange or on the over-the-counter market.
While the Jordanian Corporate Governance Code is important for all types of organizations, it is specifically applicable to public shareholding organizations.The rationale for limiting the research to Jordanian organizations is the sensitive nature of risk management which, as Welch et al. (2002) and Hood and Nawaz (2004) suggest, might have inhibited the responses of non-Jordanian participants.
The questionnaire used in the research survey was highly structured and specific, most of the items being fixed-response questions.This is a highly effective method of data collection, in that it requires less time to administer and is therefore less expensive, while permitting data to be collected from a larger sample (Sekaran & Bougie, 2009).The questionnaire was pilot tested in order to refine it, so that respondents would have no problems in answering the questions.Its reliability was assessed by examining item-to-total and inter-item correlations, as recommended by Hair et al. (2011).These were found to exceed 0.5 and 0.3 respectively, indicating that internal consistency was met.As to validity, this was established by asking two experts in risk to assess the content validity.
Following the suggestions of Hood and Nawaz (2004), Oetzel (2005) and Auden et al. (2006) concerning appropriate units of study, the questionnaires were specifically sent to general managers, who were asked to complete them or forward them to the person in charge of such activities.This strategy was also considered to be useful in the context of the general management/risk management nexus.
Out of 213 organizations, 29 were unreachable, so questionnaire forms were delivered by hand to 184 organizations.Nineteen of these were ineligible and 68 did not respond.The active response rate was 41.21%.This response rate is sufficiently high to ensure that the survey results are representative of the target population and able to produce accurate and useful results.Five of the 97 eligible questionnaires returned were unusable.Of the 92 usable responses, 39 (42.39%) were from the financial sector, 29 (31.52%) from the service sector and 24 (26.09%) from the industrial sector.The output of the chi-square (Χ2) test indicated no statistically significant difference between respondents and non-respondents with respect to industrial sector (Χ2= 2.275, p = 0.184).The sample, therefore, is representative of the entire population.

Data Analysis
To measure the level of integration of risk management, a multidimensional approach was taken (AIRMIC, ALARM and IRM, 2002; AS/NZS ISO 31000, 2009).Thus, the final questionnaire consisted of four items related to the extent of integration of risk management (developing the corporate risk profile; establishing an IRM function; practising IRM; ensuring continuous risk management learning) and three items related to organizational characteristics: size, degree of internationalization and industrial sector.Respondents were asked to indicate on a five-point Likert scale the degree of emphasis placed on each of the items for the integration of risk management.To measure internal consistency, Cronbach's alpha was calculated and found to be 0.8756, indicating that the set of items were closely related as a group.Pallant (2010) reports that such a high value of alpha is often taken as evidence that the items measure an underlying (or latent) construct.
The descriptive statistics of frequency, percentage and mean were used to demonstrate the extent of the integration of risk management and to analyse the organizations' characteristics.Analysis of the research data, on the other hand, indicated that the level of IRM (dependent variable) measured on a continuous scale was normally distributed.Thus, the one-way analysis of variance (ANOVA) test was used for these variables with 95 % confidence intervals for the dependent variable (integration) for each separate sector.Hair et al. (2011) suggest that a ranking scale, such as the Likert scale, be treated as an interval scale.One-way ANOVA is a method of testing the variation between three or more groups at one time by comparing mean values.The F-test, according to Saunders et al. (2012), shows if there are any significant differences among the group.If F is large, with a probability of less than .05,this indicates that it is statistically significant.

Discussion of the Findings
The study contributes to theory development in the area of IRM and, by implication, the extent to which such integration may be contributing to general management strategy and practice.

Conceptual Domain of IRM
This study conceptualises and measures IRM on the basis of four indicators rather than a single indicator.Such an approach better captures the construct of IRM by representing, as with general management, that it is a continuum of arrangements within an organization, instead of a binary concept.
Survey participants were presented with a list of four general risks (political, financial, cultural, natural) and asked to rate their degree of concern for each on a five-point rating scale.The correlations between managerial concerns for general risk and the level of integration were explored.Despite the evidence that Jordanian organizations have shown a growing interest in risk management, the output of Pearson's correlation coefficient (r) suggested no significant correlations between the degree of concerns for political, financial, cultural or natural risk and the level of integration.The lack of apparent correlation between the awareness of risk and the operationalization of IRM would suggest that the surveyed organizations were not benefiting from the risk and general management benefits identified by Hoyt and Liebenberg (2011).

Determinants of IRM
An organization-specific characteristics framework was used to investigate three principal determinants of integration: size, degree of internationalization and industrial sector.

Size
The values of Pearson's r show that there was no significant relationship between integration of risk management and the size of the organization as measured in total assets.Accordingly, any hypothesis that differences in the level of IRM are associated with organizational size should be rejected.There is, nonetheless, a developing consensus in the wider risk management literature (Chapman & Ward, 2003;Ward, 2003;Deloitte, 2009) that it is primarily larger organizations which have the resources and capabilities to integrate the process of risk management within their structures.The Jordanian results would contradict this, although based on other findings from the research this contradiction may be a feature of weak integration across organizations as a whole, irrespective of their size.

Degree of Internationalization
When Pearson's r was calculated to assess the relationship between integration in risk management and the second organization-specific characteristic, degree of internationalization, the results indicated no significant relationship between IRM and degree of internationalization as measured by revenues generated from international activities, with the number of years in international business also found not to be significant.Again, any hypothesis of statistically significant differences in the level of IRM associated with degree of internationalization was rejected.This finding is in line with a study of UK organizations (Wyper, 1995) but not Dutch ones (de Mortanges & Allers, 1996).
The Jordanian findings, however, suggest that organizations which have more international experience are not necessarily those organizations which operate in more countries.It is the nature of international experience, rather than its quantity, that can affect risk management practices.Despite this, the number of countries in which an organization operates, in line with Fast et al. (2012), Howell (2001) and Stosberg (2005), increases the complexity of its management generally, and there would be an expectation of cohesion and integration across a number of management disciplines.Consequently, the fragmented management of risk may not help in tackling the inevitable uncertainty associated with business within an increasingly internationalized organization.In such circumstances, organizations would benefit significantly from embedding IRM structures and systems.

Sector
The ANOVA results suggest that there were statistically significant differences between the three sectors (F (1, 66) = 3.3, p = 0.045) regarding the level of IRM.Consistent with Deloitte's (2009) findings, financial organizations were more involved in risk management than those in the service or industrial sectors.Furthermore, the degree of transnational financial regulation, mostly predicated on risk management, is perhaps an incentive for Jordanian financial organizations which does not apply to the two other sectors analyzed.
Financial organizations, therefore, now realise the importance of conducting risk management, since as Voinea and Anton (2009) note, the fragmentation of risk management practices within financial organizations was the main factor that contributed to the world financial crisis.Indeed, KPMG (2009) reports that weak risk management contributed to that crisis.Jordanian organizations, moreover, believe that they need improved IRM procedures.However, risk taking and risk management are key elements of any organization (Ernst & Young, 2012); therefore, whilst a higher level of IRM in financial organizations is unsurprising, its relative absence from firms in the other two sectors may suggest a deficiency in their overall management strategies.

Conclusions and Implications
This study conceptualises and measures the integration of risk management within public shareholding organizations in Jordan.It is one of the first to attempt to examine empirically in Jordan the extent to which organizations are engaged in risk management processes in accordance with various international standards.The Middle East is a region with vast energy reserves and is considered to be of major economic and geopolitical significance; therefore understanding the risk management practices of its organizations is of significant value.
The wider literature suggests that the successful integration of risk management can affect the probability and consequences of risks materialising.In essence, IRM is beneficial both as a specific discipline and as a contributor to more effective general management.Despite this, no significant correlations between the degree of concern regarding risk and the level of integration can be detected in Jordanian organizations.This absence of significant correlation raises concerns regarding their vulnerability to risk and their potential sustainability.Differences exist between the degree of integration in the financial sector and that in the other two sectors, but even among financial organizations there is a recognition that their IRM systems are underdeveloped.The focus of this study and consequently its results are based on the apparent situation in Jordan.There are, however, wider implications for organizations both in the Middle East and beyond.Despite the growth of risk management as a business discipline, the well-publicized failures of large organizations and international exhortations for embedded IRM systems, the evidence of IRM implementation is contradictory.In effect, there may be a gap between the rhetoric and the reality surrounding IRM.
While this study contributes to the knowledge base of risk management in the Middle East by investigating the extent and implications of IRM in public shareholding organizations in Jordan, in the context of both risk management as a specific business practice and of its implications for general management, it is subject to limitations.Despite evidence that managers consider personal risk when making decisions that affect their organization's risk management practices (May, 1995), the study has not taken this dimension into consideration.The survey, furthermore, offers a snapshot of apparent risk management practices, but it does not tell us why these practices are occurring or crucially, what their wider implications are.There is therefore a critical need for further research into the integration of risk management within organizations in real-world settings over time.This is particularly pressing since, as Rogmans (2012) suggests, the economies of the Middle East are likely to continue to be characterized by political turmoil over the next decade.