Does the usage of organizational change method increase the success of risk management implementations?

(1)

Does the usage of organizational change method

increase the success of risk management

implementations?

A case study research

Jessie K.Y. Yung (6020346) Rotterdam, 29-08-2011 Coach: Erwin Amersfoort

Amsterdam Business School – Universiteit van Amsterdam Executive Internal Audit Program

(2)

Preface

The executive internal audit program of the Amsterdam Business School (UvA) requires its students to write an academic research in the field of internal/operational auditing in order to finalize the executive program. Within the executive program, I decided to write my thesis in the field of Organizational Change Management, as I believe this is a field which has been undermined in audit, risk and control studies and practices. The main objective of this study is to understand the impact of organizational change methods on risk management; a familiar topic for internal audit practitioners. Finally I would like to thank my coach and all participating interviewees and organizations for providing me valuable input for this thesis.

August, 2011, Jessie Kiu Yen Yung

(3)

Executive Summary

Continuously changing business environment, developments and complexities increase the need of risk management in order to meet organization’s business objectives by effectively managing risks and uncertainties (COSO, 2003; Hampton, 2009). Risk is the opportunity that an event will occur that affect the achievement of a business objective (COSO, 2003). These developments had led to a growing demand for assistance in developing effective processes to support risk management (Hillson, 1997). COSO Enterprise Risk Management (ERM) is one of the well-known methods which address this. While most organizations have not embedded a formal ERM in their business practices, there seem to be a growing trend to implement at least some of its key principles (IIA, 2009). Hence, risk management is becoming more a recognized and valuable activity within organizations.

Besides risk managers, also internal audit practitioners fulfill a valuable role towards risk management. Therefore they can fulfill two roles towards the board of an organization and senior management, namely, 1) objectively assess the risk management program and the effectiveness or 2) provide consulting/advising role by identifying, evaluate or support the implementation of risk management methodologies.

Implementing risk management (either full ERM or some of its key principles) has led to many difficulties for organizations, from technical (content) challenges to organizational challenges. The technical challenges are for example the lack of a standard framework, steps and method, how to quantify risks or the difficulty to keep the framework up to date (Claassen, 2010). Many publications (Lam, 2003; Hampton 2009) are available which tackle the technical challenges in respect to risk management implementations, by providing guidance, structures and specific methods. Limited publications are available regarding the organizational challenges like, conflict resolutions between risk functions and business, lack of a risk based culture or resistance towards risk management (Cendrowski and Mair, 2009; Lam, 2003; Lee & Shimpi., 2005).

In order to implement risk management successfully it is important to understand why people act as they do (misunderstanding, resistance, conflicts) and how to influence or change this. According to Kotter (2002), ‘people change what they do less because they are given analysis that shifts their thinking than because they are shown a truth that influences their feelings’. Based on a study of Kotter (2002), successful organizations know how to overcome antibodies that reject anything new or different, whereby the central challenge is changing people’s behavior and influence their feelings. Several organizational change methods and approaches exist to change and align people’s understanding, values and behavior in organizations.

Organizational change management studies provide several methods and approaches to overcome organizational challenges in cultural transformations, mergers & acquisitions, new technologies and restructuring. Studies have shown the positive effects of using organizational change methods to overcome similar organizational challenges (Ashkanasy & Kavanagh, 2006; Bijlsma-Frankema, 2001; Blokdijk, 2008; Kotter, 2002). Therefore in this research study the influence of using organizational change method on risk management implementation is studied. Leading to the following main research question: Does the usage of organizational change method increase the success of risk management implementations?

Based on literature review the suitable change management method is selected for this study; Kotter’s eight-phases model. The literature review is additionally used to propose the expected effect between organizational change method and success of risk management implementations with the

(4)

possible moderating effects. The following moderators are used: size of an organization and compliance driven (by external regulations) risk management implementations. All these factors are integrated in a theoretical framework, which forms the basis of this study.

A comparative case study method is used to test the hypotheses. Four case studies with risk management implementations have been studied, analyzed and compared. A cross case analysis provides a comparison between the factors and a general overview of the results. Furthermore, the cross case analysis also reveals patterns in the results.

By integrating theoretical and practical data, the main research questions could be answered. For the four case studies, it was found that the usage of Kotter’s change model tends to have a positive effect on the success of risk management implementations. Large organizations tend to benefit more by using a change model in risk management implementations, as they have more political issues, relatively large risk department and risk projects which require a longer time span. The results also revealed that in general a large organization has more experience with risk and control related aspects. The difficulty for this type of organization is to link the multiple existing risk and control initiatives of the organization with each other. The number of risk and control initiatives could also lead to adversity within the organization. Smaller organizations on the other hand show that their employees have more difficulty in the content and lack knowledge of risk management. It takes additional time to educate and train them. Sometimes the risk management approach requires to be redefined in order to gain their support and buy-in.

Risk management implementations driven by compliance (external regulation) did not show any remarkable effect on the relation between using Kotter’s change model and the success of the implementation. The case study revealed that when the management of an organization believes that the risk management implementation provides advantages or benefits, it does not matter anymore whether it is compliance driven or not.

The results show that the use of Kotter’s change method does have a positive impact on the success of implementing risk management. Therefore risk management practitioners should consider the use of organizational change methods or some of its aspects in risk management implementations. The same counts for internal audit practitioners who assess risk management (assurance role) or perform some risk management related activities (consulting/advising role).

There might be other factors which moderate the effect of using organizational change method on the success of risk management implementations. Future research is needed to test different moderators and their effect. Furthermore, the domain of this study is rather broad, zooming in on specific industries or organization’s risk maturity (Hillson, 1997) in future research, might yield additional valuable insights.

(5)

Index

1. Introduction ... 7

1.1. Research Gap ... 7

1.2. Research objectives and questions ... 8

1.3. Research approach ... 9

2. Literature review ... 10

2.1. Governance, risk management, internal control and internal audit ... 10

2.2. Challenges in Risk Management ... 11

2.2.1. Technical versus organizational challenges ... 12

2.2.2. Organizational challenges are undermined ... 14

2.3. Influencing the organizational challenges ... 14

2.3.1. Introduction to organizational change methods ... 14

2.3.2. Applicable organizational change method for this study ... 17

2.3.3. The 8 phases of Kotter ... 18

2.4. Organizational change management and implementing risk management ... 19

2.5. Moderators ... 19

2.5.1. Moderator organization size ... 20

2.5.2. Moderator compliance (external regulation) ... 20

2.6. Relevance for Internal Audit practitioners ... 21

2.7. An overview ... 21

3. Methods section ... 23

3.1. Research method ... 23

3.1.1. Empirical research and theory testing ... 23

3.1.2. Case study ... 23

3.1.3. Data collection ... 24

3.2. Validity and reliability ... 24

3.3. Measurement ... 25

3.4. Cases ... 27

3.4.1. Sample Selection and criteria ... 27

3.4.2. Participants ... 27

4. Case studies ... 28

4.1. Case 1 – Dutch Transportation Company – Implementation of Risk and Financial Processes Handbook – 2007 ... 28

(6)

4.3. Case 3 – Credit Registration Office – Implementation of Organizational Risk Management –

2011 ... 29

4.4. Case 4 – Small Insurance Company for a specific professional/occupational group – Risk Management analysis – 2010 ... 30

5. Results: Cross Case Analysis ... 31

5.1. The effect of the usage of Kotter’s eight phases change method on the success of risk management implementations. ... 31

5.2. The effect of organization’s size ... 31

5.3. The effect of compliance (external regulation) ... 32

6. Discussion ... 34

6.1. Risk management implementation success ... 34

6.2. Organization’s Size ... 35

6.3. Compliance (external regulation) ... 35

7. Conclusion ... 37

7.1. Main findings and conclusions ... 37

7.2. Limitations and future research recommendations ... 38

8. Implications for Internal Audit ... 40

8.1. Assurance Role - Core internal audit roles in regard to ERM ... 41

8.2. Advising/consulting Role - Legitimate internal audit roles with safeguards ... 41

9. Literature ... 43

Appendix 1 – Method of Kotter... 45

Appendix 2 – Guideline and list of questions ... 48

Appendix 3 – Usage of the eight-phases method of Kotter ... 49

(7)

1. Introduction

In the past decades the need of risk management has increased due to business complexity issues, corporate governance-codes developments (compliance driven), but also the voice of stakeholders who require organizations to improve their management activities in respect to risks and uncertainties (Hampton, 2009; Lam, 2003). Organizations are becoming more aware of the importance of risk management for the success of the organization (Hillson, 1997). Risk is the possibility that an event will occur which adversely affects the achievement of an objective (COSO, 2003). According to Hampton (2009), risk management is essential in order to achieve the organization’s objectives by enhancing operating stability and build organizational resilience. Finally, it also increases the economic value of an organization.

Enterprise Risk Management (ERM) emerged in the late 1980s (Hampton, 2009). ERM argues that an organization should manage its risks in a single and comprehensive program, including the coordination with internal processes, audit and compliance. A well-known method is the COSO Enterprise Risk management Cube (COSO, 2003).

In practice, organizations face several challenges when implementing ERM or some of the key principles (IIA, 2009). The discussions about the faced challenges are often related the content and technical aspects of implementing risk management, for example the lack of a standard framework, steps and methods. Many books have been published which explain how to implement ERM. Less is available about the organizational challenges during and after the implementation.

To make risk management a success, deep understanding of the organizational challenges is required and how to overcome these. Organizational challenges in risk management are for example the lack of a risk based culture, the lack of understanding of risk management or conflicts within the organization. Organization behavior and change management studies have published much literature about organizational challenges. The organizational change methods and approaches are widely applied in cultural transformations, mergers & acquisitions and organizational restructuring, in order to overcome organizational challenges (Ashkanasy & Kavanagh, 2006; Bijlsma-Frankema, 2001; Blokdijk, 2008; Kotter, 2002).

The purpose of this study is to explore how the usage of existing organizational change methods can influence the success rate of implementing risk management in organizations, either ERM or some of its key principles. The success rate is a combination of the organization’s risk culture, awareness and understanding. Two moderators are selected which could affect the relation between the usage of organizational change method and the success of implementing risk management.

1.1. Research Gap

As mentioned in the introduction, limited has been written about the organizational challenges when implementing risk management. From a practical and theoretical perspective, it is important to get an understanding of the organizational challenges that organizations face when implementing risks management and whether the usage of organizational change methods can overcome these challenges.

(8)

1.2. Research objectives and questions

Based on the research gap, the following research objectives are formed: Develop a theoretical model whereby the following are encountered:

- Get more understanding in the organizational challenges when implementing risk management;

- Get more understanding and insight into the existing organizational change methods and its effect on organizational challenges;

- Get more insight into the possible moderating variables and their effects.

In order to realize this objective; the following main research question has been formulated:

- Does the usage of organizational change method increase the success of risk management implementations?

Sub-questions are formulated in order to answer the main question. The sub-questions are used as a guideline towards answering the main question:

- Why is risk management important for organizations? - What is the purpose of risk management programs?

- What is the role of internal audit in respect to risk management?

- What kind of challenges do organizations face when implementing risk management?

- What kind of organizational change methods are available to overcome organizational challenges?

- Which organizational change method is most applicable to test whether it is useful in risk management implementations (and overcome the related organizational challenges)?

- What is the probabilistic relation between organizational change methods and risk management implementations?

- What are other interesting moderators which should be taken into account? - What is the relevance of this research topic for Internal Audit (practitioners)?

- What type of theory oriented research is applied in this study? - Why is case study the most suitable research method for this study? - How to enhance the validity and reliability of this research?

- How are the different factors measured? - What are the sample selection criteria?

- Do the case study results support the hypotheses?

- How and why do the case study results support/not support the hypotheses? - What are the main findings and conclusions?

- What are the limitations and recommendations?

- Based on the results what are the implications for internal audit practitioners in the assurance or advising/consulting role?

(9)

1.3. Research approach

This study is based on a literature review, whereby relevant theories concerning risk management, organizational challenges, organizational change methods and internal audit are used. Based on previous literatures hypotheses of the effects of organizational change method usage and its moderators in respect to risk management implementations are formed. This is presented in Chapter 2, which ends with a theoretical framework; the foundation of this study.

Besides theoretical data, practical data is used. The multiple case study approach is applied to gather empirical data, in order to test the hypotheses as defined in Chapter 2. The arguments for the used methodology, how to perform measurement, including the validity and reliability requirements are presented in Chapter 3.

Chapter 4 provides information of the four case studies. Based on the gathered information, the four cases are compared with a cross case analysis in Chapter 5. The results are discussed in chapter 6. Following the results and discussion, Chapter 7 presents the findings, conclusions and limitations of this study. Conclusions are formed based on both the practical and theoretical information. This study ends with the implications for Internal Audit in Chapter 8.

(10)

2. Literature review

In this chapter the current state of literature of risk management, organizational change management and its relation are explained.

2.1. Governance, risk management, internal control and internal audit

In order to understand why risk management is important for an organization and the internal audit function, the positioning and relevance is outlined first, starting with the governance structure. Organizations develop a structure/framework through which long-term and day-to-day decisions are made. The actual organization structure can vary between organizations, but an overall governance structure should be available to ensure key stakeholders requirements are met. The governance structure provides direction to the persons who are responsible to execute the day-to-day activities of managing the (inherent) risks in an organization’s business model. The day-to-day business activities are also known as internal control (IIA, 2009). Governance is the process conducted by board of directors in order to authorize, direct and oversee management in respect to the achievement of the organization’s goals and objectives. Brickly et al (2001) defined governance as the system consisting of:

 The partition (business units, divisions, shared service centers) and attribution of decision rights and reserved powers in the internal organization of het firm;

 The methods of rewarding individuals;

 The resource allocation process (capital, human resources, information, knowledge, physical capital, intangibles like brands);

 The structure of systems

Figure 1: Depiction of Key Governance elements (IIA, 2009) Risk management is the second layer in the governance structure (refer to figure 1). The purpose of risk management is to identify and mitigate the risks that may adversely affect the organization’s success and to exploit the opportunities that enable that success. Organizations are becoming more aware of the importance of risk management for the success of the organization (Hillson, 1997). According to Lam (2003), four reasons can be defined for risk management:

(11)

1. Managing risk is management’s job - Managing the risks of a business enterprise is the direct responsibility of management;

2. Managing risk can reduce earnings volatility – Management should pay attention to the underlying risks of the business, including the sensitivity of the firm’s earnings and market value towards internal and external variables;

3. Managing risk can maximize shareholder value – Risk management can help an organization to achieve its objectives and maximize shareholder value. Risk-based programs can identify opportunities for risk management and business optimization;

4. Risk management promotes job and financial security – On individual level the most compelling benefit of risk management is that it promotes job and financial security. The past have shown that executives have lost their jobs due to poor risk management performance. According to figure 1, internal control is shown in the center, as it represents a subset and integral part of the risk management activities. Risk responses which include controls are designed to execute the risk management strategies (IIA, 2009). To achieve this, managers should design and implement an effective system of internal control (Ritterberg et al, 2007). COSO (2003) defines internal control as: a process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

- effectiveness and efficiency of operations - reliability of financial reporting

- compliance with laws and regulations

With the improved COSO ERM (2004) a new strategic objective has been included: High-level goals should be aligned with and supporting the organization’s mission.

The final component and important role in the governance elements in figure 1 is the independent assurance activities by internal audit that will provide the board and senior management an objective assessment in respect to the effectiveness of governance and risk management (IIA, 2009). To be an effective part of the governance process, the internal audit function should:

- Understand the direction and expectation of the board’s governance;

- Support the risk management program by monitoring structure and discipline in the risk management program or also educate other employees in the organization with these risk and control topics;

- Develop an internal audit plan which encompasses the independent governance assurance activities, including the periodical reporting of the effectiveness of risk management activities (IIA, 2009, 2011).

To summarize, based on the governance elements (also refer to figure 1), risk management and internal audit fulfills an important role in the governance of an organization. For internal audit this implies also the support of risk management, including the communication of risk and control information to the appropriate areas in an organization and the assurance on the effectiveness of risk management activities.

2.2. Challenges in Risk Management

As described in paragraph 2.1., organizations face an extensive number of risks as they try to execute their strategies and achieve their objectives. Due to the extensive number of risks, there is a need for a process to effectively understand and manage risks across an organization (IIA, 2009). According to

(12)

Hillson (1997) there is a growing demand for assistance in developing effective processes to support the identification, assessment and management of risk, as organizations want to tackle the risks facing them. Enterprise Risk Management (ERM) is a well-known method to address this (refer to figure 2).

Figure 2: COSO Enterprise Risk Management Cube (COSO, 2004) COSO ERM is built of eight interrelated components which are derived from the way management runs an organization and are integrated with management processes. According to IIA (2009), most organizations have not embedded formal ERM in their business practices, but there seem to be a growing trend to implement ERM or some at least some of its key principles. Some key principles are for example: Risk Assessments Workshops, Risk Self Assessments, Key Control Registers and Frameworks, specific business process risks (i.e. supply chain or finance), In-Control-Statements etc. This study is focused on ERM implementations and/or some of its key principles. The term risk management in this study complies both full ERM and some key principles implementations.

Implementing risk management is not an easy process, as for most organizations it implies a multiyear initiative that requires ongoing senior management sponsorships and sustained investment in human and technology resources (Lam, 2003). In the next subparagraph the challenges in implementing risk management are further outlined.

2.2.1. Technical versus organizational challenges

Many literature and publications are available in respect to implementing risk management (Lam, 2003; Hampton, 1997; COSO, 2004). The described challenges in literature are often related to the content and technical aspects of implementing risk management. The difficulty in implementing risk management, take for example COSO ERM, is the lack of a standard framework and the description of steps and method (Claassen, 2010). Additionally COSO ERM is difficult to keep up to date in a continuous changing environment. Negus (2010) published an article, whereby he outlines in more detail the ten major technical challenges in risk management implementations:

1. Assessing ERM's Value - Organizations often have difficulties in demonstrating the sufficient ERM value to justify implementation costs;

2. Privilege - Risk information becomes increasingly event-driven and money-based, issues are raised about the distribution of risk to auditors or to external regulators;

(13)

4. Risk Assessment Method - Enterprise risk assessments are performed using a large variety of approaches and tools, including surveys, interviews and historical analysis;

5. Qualitative Versus Quantitative - The decision whether risks should be assessed using qualitative or quantitative metrics. Lam (2003) also describes it as the difficulty to assess and quantify non-financial risks (business, organizational and operational risks) and how to incorporate these into performance measurement systems;

6. Time Horizon - The time horizon of ERM risk assessment is largely based on the organization's intent to use ERM risk results and its willingness to invest in risk management. This is also related to challenge 1, the assessment of ERM’s value;

7. Multiple Potential Scenarios – Most risks have multiple event likelihoods and risk severities; 8. ERM Ownership - The question regarding who is responsible and owner of ERM is often

unclear and commonly disputed at the board, audit committee and management levels; 9. Risk Reporting – What information should be shared with internal and external stakeholders

and how should risk be communicated and reported?

10. Simulations and Stress Tests - Organizations often struggle to balance the need for meaningful simulation and stress tests against a nearly infinite number of potential scenarios (Negus, 2010).

The published literatures include guidelines to address these content related and technical issues in risk management (Lam, 2003; Hampton, 1997; COSO, 2004). Beside technical challenges in risk management implementations, there are also organizational challenges, which are more complex and relatively undermined in the risk management literature. The organizational challenges are further outlined below:

Organizational Culture

An organizational culture focused on risk management is an essential component of risk management. Creating a culture of risk management requires management to 1) formulate a risk management policy, 2) communicate this policy to employees and 3) act in accordance with this policy. Many organizations are successful in completing the first two steps and the third step appeared to be challenging (Cendrowski and Mair, 2009). For organizations it can be disastrous, where employees make unharmonious risk management decisions. If risks are not challenged and addressed in a uniform manner by the organization, the risks cannot be properly mitigated (Cendrowski and Mair, 2009). The third step is also connected to the tone at the top. In literature a lot have been written about the influence of tone at the top, which is seen as a precondition for organizations. The internal environment forms the basis for handling risks and controls measures. The core of every organization is its employees, their individual integrity, values, competence and work environment. Tone at the top has a critical influence on this (Bruinsma, 2009).

Conflict resolution between line and staff

The type of conflict often concerns the choices between business volume or revenue growth and risk control. In this process the line seeks ways to avoid oversight by staff units (Lam, 2003). This also includes misalignment of incentives, one side seeks for growth (volume, revenue, profit and return on equity) and the other seeks for quality (minimization of losses, errors or deviations from plans) (Lam, 2003). The conflicts resolutions remain when both parties have different objectives, perceptions and lack total overview or mutual understanding.

The role of line risk management

The installation of risk managers within the business units, with a reporting line to the CRO and business manager, often leads to uncomfortable situations. In this situation, the line staff may

(14)

perceive the line risk manager as part of the ‘enemy’. The effect is increased due to the reporting line to CRO (Lam, 2003).

Lack of risk management foundation

Risk managers have difficult tasks including assimilating, analyzing and communicating sometimes complex concepts to leaders and managers who often do not possess a strong risk management foundation. Often they are only informed about the financial and technical issues (Lee & Shimpi. 2005). Hence, the core of risk management is not tackled, which raise the question how business leaders and managers can actual manage the risk?

2.2.2. Organizational challenges are undermined

Literature about the technical challenges of implementing risk management and organizational challenges are scattered. The challenges in risk management implementations are often written about the content and technical aspects, while organizational challenges and influences are more or less neglected. More have been written about the prerequisite of the tone at the top. In general terms, tone at the top is a precondition for managing an organization and not specific in the field of risk management and control.

To summarize, due to the importance of risk management for organizations (paragraph 2.1.) and the research gap in organizational challenges in risk management literature and how to overcome these (paragraph 2.2.), the relevance of this study is justified. The following chapters further outline available methods to overcome organizational challenges.

2.3. Influencing the organizational challenges

The organizational challenges in implementing risk management are described in paragraph 2.2.1. The challenges start with not having a risk based culture, combined with lack of understanding of risk concepts in the business, lack of understanding of the need of risk management and conflict resolutions between the business and risk managers (Cendrowski and Mair, 2009; Lee & Shimpi. 2005). In addition to that, the perception of risk managers as the enemy (Lam, 2003), is in practice often perceived as resistance. To overcome the organizational challenges, it is important to understand why people act as they do and how to influence or change this.

According to Kotter (2002), ‘people change what they do less because they are given analysis that shifts their thinking than because they are shown a truth that influences their feelings’. Based on a study of Kotter (2002), successful organizations know how to overcome antibodies that reject anything new or different, whereby the central challenge is changing people’s behavior and influence their feelings. Several organizational change methods and approaches exist to change and align people’s understanding, values and behavior in organizations. Studies in the field of cultural transformations, mergers & acquisitions and organizational restructuring have shown positive effects when using organizational change methods in overcoming organizational challenges (Ashkanasy & Kavanagh, 2006; Bijlsma-Frankema, 2001; Blokdijk, 2008; Kotter, 2002). Five well-known existing change management methods are introduced below.

2.3.1. Introduction to organizational change methods Change Quadrants

With the change quadrants model (Assen et al, 2009) the type of change and the culture of an organization are taken into account to determine the change strategy. By understanding the key

(15)

levers, it can help to facilitate the change. The change quadrants model define whether an organization is warm (led by shared norms and values) or cold (led by rules, regulations and procedures) and whether the motivation for change is warm (led by ambitions) or cold (led by urgency, i.e. near bankruptcy or drop in market share). Based on the various warm/cold combinations, there are four possible change strategies: intervention, implementation, transformation and innovation. Also refer to figure 3.

Figure 3: Change Quadrants (Assen et al, 2009) E and O theories by Beer and Nohria

Beer and Nohria introduced two approaches to organizational change, which are called Theory E and Theory O of change. Theory E is the creation of economic value (i.e. shareholder value). It is focused on formal structure and systems. It is driven from the top with the support of an extensive number of consultants and financial incentives. The change is planned. The purpose of Theory O on the other hand is to develop the organization’s human ability to implement strategy and learn about the effectiveness of changes made from the actions taken. It is driven by the development of a high commitment culture with high involvement. Change is emergent instead of planned (Assen et al, 2009).

(16)

Table 1: Theories E and O by Beer and Nohria (Assen et al, 2009) Five colors of Caluwé

Caluwé (2006), one of the most influential consultants in the Netherlands came up with a model of five colors. Each color represents a different change process, as he does not believe that there is only one way to execute a change process. The colors and the method of change are shown in table 2.

Table 2: The 5 colors of Caluwé (Caluwé & Vermaak, 2004) Kotter’s eight phases of change

One of the most used methods is the eight phases of Kotter (2002). The basic principle of Kotter is that change does not regard a single occurrence, but it is a process with several stages which are related with each other. The eight phases are shown in table 3.

(17)

Table 3: The eight phases for successful change (Kotter, 2002)

Lewin’s Change Model

Lewin’s change model emphasizes three stages of change: unfreeze, change (modification), then refreeze (also refer to figure 4).

Figure 4: Lewin's three stages of changes The first stage is to get the organization or people ready for the change. It involves getting a point of understanding, motivation and then to move away from the previous comfort zone (Blokdijk, 2008). The second stage regards the change (modification phase). It involves the transition to the desired state. Proper motivation and good leadership will enable the change. Also training, skills transfer and personnel re-alignments or reduction could be part of this phase. The third stage, refreezing comes when the workforce has already embedded the change in their system, until another unfreezing will occur (Blokdijk, 2008).

2.3.2. Applicable organizational change method for this study

The first 3 models (The Change Quadrants, E and O theories and Five colors of Caluwé) provide determinants for an organization to select a change strategy. The determinants are the type of people, management style, culture and the status of an organization. These types of models can be used in conjunction with other more stepwise methods, for example the eight phases method of Kotter or Lewin’s three stages model. As the three models only provide determinants for the preferred change strategy, it is less useful for this study because it does not provide guidelines how to execute the change process. Kotter’s method on the other hand provides a more stepwise approach, which involves subtle points and may not be always followed rigidly, but it does provide a clear and specified

(18)

guideline. The model of Lewin shows the three important steps that are required to get the change started towards the objective, but it lacks the specific guideline that the Kotter’s model does provide. Hence, the method of Kotter is used in this study, as it is more generally applicable, including specific steps and activities. This also enables the possibility to perform analysis and comparisons between cases. The method of Kotter with the 8 phases is further outlined below.

2.3.3. The 8 phases of Kotter

Kotter is a professor at the Harvard Business School, he introduced the eight-phases change process in his book ‘Leading Change’ in 1995. Whereafter the method has been used by many consulting firms. In this section the eight phases are outlined in more detail.

Phase 1 – Create urgency

Most significant changes start with the creation of sense of urgency among the relevant people. Less successful changes in organizations allow complacency, fear or anger, which can undermine the desired effect. Sense of urgency gets people off the couch, out of a bunker and ready to move. Refer to Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in this phase.

Phase 2 – Build the guiding team

A guiding team needs to be created with the credibility, skills, connections, reputations and formal authority. This team operates with trust and emotional commitment. Studies have shown that less successful project relies on single person or no one, weak task forces and committees or complex governance structures, all without the stature and skills and power to do the job. Refer to Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in this phase.

Phase 3 – Get the vision right

The team should create clear, simple, uplifting visions and sets of strategies. In the less successful cases, there are only detailed plans and budgets, while a vision is not very sensible. Vision which is created by others than the guiding team is often ignored by the guiding team. Refer to Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in this phase.

Phase 4 – Communicate for buy in

Communication of the vision and strategies follows in this phase. The goal is to induce understanding, develop commitment, and liberate more energy from a critical mass of people. In this phase deeds are more important than words and repetition is a key success factor. Previous studies have shown that smart people does not recognize their error with undercommunication or poor communication. Refer to Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in this phase.

Phase 5 – Empower action

In this phase the obstacles to reach the vision and objectives are removed. The focus should be on the people who try to disempower and inadequate information and systems. In less successful situations the people in the team often fend for themselves instead of the obstacles around. In this phase it is important that the obstacles or difficulties are faced and adequately solved. Refer to Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in this phase.

(19)

Creating short wins are critical, as it provides credibility, resources and momentum to the overall effort. Some wins may come more slowly, less visibility and speak less to what people value, and have more ambiguity as to whether they are really successes. The challenge is to make this also a short win. Refer to Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in this phase.

Phase 7 – Don’t let up

First wins are required to define the next steps, which will lead to new wins, where after the vision or project become reality. In less successful cases people try to do too much at a time and quit too soon, once they find themselves confused. Refer to Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in this phase.

Phase 8 – Make change stick

The change should stick within the new culture. This may come with organizational changes like, appropriate promotions, new employee orientations and also events that engage the emotions. Refer to Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in this phase.

2.4. Organizational change management and implementing risk management

While most literature regarding risk management provides limited insight to how to overcome organizational challenges in risk management implementation, change management studies provide several methods or approaches to overcome similar organizational challenges (i.e. resistance, misalignment, lack of understanding etc.) in cultural transformations, mergers & acquisitions, new technologies and restructuring (Ashkanasy & Kavanagh, 2006; Bijlsma-Frankema, 2001; Blokdijk, 2008; Kotter, 2002).

Based on the type of organizational challenges during risk management implementation, it is probable that the usage of Kotter’s method could influence the success of the implementation and overcome the faced organizational challenges. In practice it could be that some of Kotter’s eight-phases have already been used (implicit or explicit), without using the full method.. Based on this assumption, the following hypothesis is introduced:

H1. The usage of Kotter’s eight phases change method increases the success of risk management implementations.

2.5. Moderators

Kotter (2002) described that his eight phases method involves subtle points and should not always be followed strictly. This implicates that each situation may require a slightly different approach, but the foundation of the phases remain the same. There can be other internal or external influences that moderate the effect of change management method on the success rate of risk management implementations.

Possible moderators are for example industry, organizational culture, national/international operating organization, existing knowledge etc. Due to the limited availability of research information on this

(20)

specific topic, the difficulty is to identify the relevant moderators. To downsize the possible factors and enhance a relevant scope for this study, one generic and one specific moderator is introduced, both implying multiple sub-factors. The size of an organization is introduced as a generic moderator, in order to yield more information, as this moderator implies multiple sub-factors (i.e. type of culture, internal politics, complexity etc.). The second moderator regard a specific and also common subject in the field of risk management; compliance (external regulations). This moderator also implies multiple sub-factors, i.e. type of industry that faces compliance issues and the intrinsic or extrinsic motivation of an organization to be ‘in control’. The two moderators are further outlined below.

2.5.1. Moderator organization size

Haveman (1993) studied the effect of the size of an organization and the flexibility of an organization. If organization size indicates political insulation and degree of bureaucratization, then large organizations will change less than small organizations and are less flexible. According to Haveman (1993), the sociological literature on organizational size and growth addresses the issue of size-based differences in organizational structure and behavior. The ability of organizational members to conduct face-to-face (one-on-one) interactions with each of the other members declines with the number of members. Larger organizations require more complex forms of communication. Hence, in larger organizations interpersonal interactions assumed to be more impersonal and more formal. The usage of a change management method may be more required for large organizations and could lead to better results, as it provides more structure and communication in the process.

H2. The smaller the size of an organization, the weaker the effect change management method has on the success rate of risk management implementation.

2.5.2. Moderator compliance (external regulation)

Some organizations are required to perform and report on their risk activities by law, for example the Dutch Central Bank (DNB) requirements for the financial industry or the AEX listed companies. In the compliance theories, compliance is considered as a planned behavior in order to maximize its utility by fulfilling the obligation and dispose any sanctions or consequences (Etienne, 2011; Merchant and Van der Stede, 2007). Organizations that choose to comply with regulations will perform a tradeoff between the marginal costs of compliance with the marginal benefits of compliance (Brehm and Hamilton, 1996). For organizations that perform risk management activities as a result of utilitarianism, may not have the intention to make risk management part of their organization, as it is a goal oriented action; being compliant. Therefore the usage of the change management method may have a weaker effect if it is driven by external regulations.

H3. Risk management activities driven by external regulations weaken the effect of change management method on the success rate of risk management implementation.

Compliance projects in respect to internal regulation are not taken into account. Internal regulations are defined for business and management purposes, thus an advantage for the organization. External regulations on the contrary may not always lead to explicit advantages for an organization, hence, it could be easier perceived as a burden.

(21)

2.6. Relevance for Internal Audit practitioners

In the previous paragraphs the relevance of risk management for organizations is explained and why this research topic is interesting for organizations and risk practitioners. Beside the relevance for organizations and risk practitioners, this study is also interesting for internal audit (practitioners). Some risk management related activities are covered by internal audit practitioners, as they are the supporters of risk management in the governance of an organization (refer to figure 1).

According to the IIA Standard 2120, the internal audit activities must evaluate the effectiveness and contribute to the improvement of risk management processes (IIA, 2009). The skills and experiences that internal audit practitioners may possess, allow them to fulfill a valuable role in ERM and also for related key principles. The IIA international Professional Practices Framework includes a position paper, called The Role of Internal Auditing in Enterprise-wide Risk Management (IIA, 2009; IIA 2011). The paper outlines several opportunities for internal audit practitioners. Internal audit can provide objective assurance to the board regarding the effectiveness of an organization’s ERM activities, to help ensure key business risks are being managed adequately and that the system of internal controls is operating effectively (IIA, 2009). Whether the internal controls are operating effectively is related to the organization’s perception towards the need of having risk management and the acceptance level.

In the practice advisory 2120-1: assessing the adequacy of risk management processes, it states that: ‘Management and the board are responsible for their organization’s risk management and control processes (IIA, 2009). However, internal audit practitioners acting in a consulting role can assist the organization in identifying, evaluating, and implementing risk management methodologies and controls to address those risks’. This may be via ERM or some of its key principles; whereby this study addresses whether the risk management implementation require additional organizational change attention.

Based on the function and role of internal audit, the relevance of this research topic is two-fold for internal audit practitioners:

1. The usage of organizational change method in risk management implementations is an interesting topic for internal audit practitioners as it can change the way they initially assess the risk management program and the effectiveness

2. For internal audit practitioners acting in the consulting or advisor role in risk management, the results of this research topic can change their initial way to identify, evaluate or implement risk management methodologies throughout the organization.

2.7. An overview

This chapter started with the positioning of risk management and its importance. Risk management is required within an organization in order to identify and mitigate risks that may adversely affect the organization’s success or achieving its objectives. In order to manage the effectiveness of risk management, internal audit can play a valuable role by objectively assessing the governance and effectiveness of risk management activities. Additionally some internal audit practitioners may also fulfill an advising/consulting role by identifying, evaluating or supporting the risk management approaches and implementations.

(22)

Difficulties in risk management can be divided into organizational or technical related challenges, whereby the organizational challenges seem to be undermined in current research and literature in respect to risk management. Similar organizational challenges (misunderstanding and conflicts of roles, lack of a specific culture, limited foundation etc.) in other studies have shown that the use of organizational change method can overcome these. This led to the probabilistic relation, that the use of an organizational change method could also overcome the organizational challenges in risk implementation and increase the success. Five well known organizational change methods are introduced in this chapter, whereby the eight phases of Kotter is selected for this study, due to its practical character. Additionally two moderators are selected, size of an organization and whether the risk management implementation was external compliance driven. Both are selected, based on its multilateral nature, which is useful to identify possible sub-factors.

Based on the hypotheses, a theoretical framework can be formed. This theoretical framework forms the foundation of this study and includes the relations; refer to figure 5.

(23)

3. Methods section

In the previous chapter a theoretical framework has been developed (see figure 5). A prerequisite in academic research is an adequate foundation of the selected research method. In this section the research method is described to test the theoretical framework. It includes a discussion why the case study method is used, including the validity and reliability issues, which is also a prerequisite for academic research. Then the measurement methods of the different factors in the theoretical framework are outlined. This chapter ends with an introduction of the four case studies.

3.1. Research method

Different research methods exist, but which method is the most useful for this study? For every research method there are advantages and disadvantages. The arguments for using the case study method are discussed below.

3.1.1. Empirical research and theory testing

Empirical observations, interviews and data are collected in order to answer the research question. Empirical research bases its finding on the systematic gathering of observable facts. The observable facts could occur directly or indirectly. Empirical research can improve the relevance for organizational research by providing real-life data. On the other hand it could occur that real-life obtained empirical data might lead to less predictable and controllable results, which may leave the researcher without any meaningful results (Elram, 1996).

The objective of this research study is theory oriented and contributes to the development of theory (Dul & Hak, 2007). Within the theory oriented research approach, three types of activities can be distinguished: 1) exploration, 2) theory-building research and 3) theory-testing research. The objective of this study is to gain understanding of the effect of organizational change method on the success of implementing risk management, whereby several hypotheses are formed and tested. This method is characterized as theory-testing research.

3.1.2. Case study

The hypotheses in this theory-testing research express a probabilistic relation. With a probabilistic relation it is assumed that on average x causes y (Dul & Hak, 2007). To simplify: if x is higher, then it is likely that y is higher. According to Dul & Hak (2007) to test a probabilistic relation, an experiment is the preferred method and a survey is the second best method to test a probabilistic relation. Unfortunately, these two methods are not feasible, due to time, case dependency and cost issues. An experiment is not feasible as it requires a full set up of at least two similar risk management implementations within organizations (one with the use of an organizational change method and one without), whereby at least a time span of two full time months is required for the preparation of the risk management framework and foundation, mobilization of a real life organization and participants. Additional time span is required, in order to measure the results. A survey requires a large number of respondents in order to yield meaningful results and is also constrained by rigid limits of the questionnaire. During discussions with potential participating organizations, they had let known that a survey is not favorable due to the limited available time of their employees and no response rate could be guaranteed. Therefore the third-best method is chosen: a comparative case study (also known as multiple case studies by Yin, 1981; Yin, 2003).

(24)

Case studies can show the multiple influences and by conducting several case studies, the differences between the cases can become clear (Yin, 1981). In a comparative case study, a number of cases are selected from real-life context. The data obtained from the cases are analyzed in a qualitative manner (Dul & Hak, 2007). Empirical data are gained via on site observations, interviews and documentary evidence. In general, the case study method is preferred when ‘how’ and ‘why’ questions need to be answered, whereby the investigator has limited control over the events and the events occur in real-life context (Yin, 2003). A case study is particularly useful when the phenomenon that needs to be researched is difficult to study outside its natural setting and when the concepts and variables are difficult to quantify (Ghauri & Grønhaug, 2005). Often there are other variables that need to be considered. This explains also why case study is one of the major research strategies in organizational and social science (Thacher, 2006).

Organizational and related factors in this study are very intangible, subjective and strongly social oriented. The natural setting cannot easily be identified or set, which makes research very difficult. The case study method can yield better and gain new insights into the organizational change method in relation to the success of implementing risk management.

3.1.3. Data collection

The case study method is a distinctive form to gain empirical evidence or data. A case study is a qualitative research and in depth oriented. This research method can give refreshing insights into the concerning topic (Yin, 2003) and the results of case research can have high impact (Dul & Hak, 2007). Unconstrained by the rigid limits of questionnaires, it can lead to new and creative insights and enrich theories. Then it can show the problems and how it resulted in the cases itself.

A combination of data collection methods is used, to obtain insight into the cases, also called triangulation (Dul & Hak, 2007). This is a major strength of a case study method. A case study data collection gives the opportunity to use many different sources of evidence (Yin, 1981). Existing literature is used as departing point for this study. Based on the literature review and research gap, hypotheses are used to get more direction and to proceed further (Ghauri & Grønhaug, 2005). Data regarding the cases are gained via in depth interviews with organizations. During the interviews, a questionnaire is used as guideline. Furthermore, available secondary (qualitative and quantitative) data are also collected. The comparative case research is executed in two phases. First, the different cases are researched separately and then the cases are analyzed and compared with each other.

3.2. Validity and reliability

A prerequisite in academic research are the validity and reliability aspects. In order to enhance the validity and reliability of this research, the triangulation method is applied. The quality of a case study can be enhanced by following the four criteria: construct validity, internal validity, external validity and reliability (Yin, 1981; Ghauri & Grønhaug, 2005). The relation between these criteria and the case study are discussed below.

Construct Validity – The primary concern for a case study method is the construct validity. Biased and subjective views might influence the direction of the results, findings and conclusions (Yin, 2003). To overcome the problem of subjectivity in a case study method, different sources of evidence are used during the data collection, also known as the triangulation technique (Dul & Hak, 2007). A questionnaire is used as a guideline during the interviews. The questionnaire contains open questions, closed questions and questions whereby the 1-5 Likert scale is used. The interview

(25)

method is used to gain more insight into the answers, but also to gain unforeseen and new information related to the studied objects. This led to a more valid analysis of the studied objects. Secondary data is used to increase the validity. The study is mainly conducted with the responsible person for implementing risk management and sometimes with additional participants from the business (if available). This makes the triangulation technique even more important. The questions, results and secondary data should reveal, not only the perception of the interviewee (risk manager), but also the opposite party (the participants from the business). The triangulation technique offers the possibility to decrease the impact of subjectivity and reflect the case more truly.

Internal Validity – Internal validity refers to the extent to which the researcher can infer that a causal relationship exists between two (or more) variables (Ghauri & Grønhaug, 2005); x led to y. When any third factor (z) has influenced y, instead of x, what was concluded; the research design is failed. Specific tactics to overcome this problem are difficult to identify (Yin, 1981). Yin (2003) identified a couple of questions, which has to be anticipated during the case study:

- Are there any other possible interference?

- Have all the conflicting explanations and possibilities been considered?

- Is the assumed interference correct, even with the other possible interferences?

These questions are anticipated while conducting the case studies. Other possible interferences are discussed with the interviewee and whether these interferences (z) might have caused y (success of risk management implementation), instead of x (organizational change method).

External Validity – The external validity refers to the extent in which the findings can be generalized (Yin, 2003). For a single case study, it is difficult to generalize, because it is limited to one case. A comparative case study method, with four cases, increases the ability to generalize the results. The findings in this study are generalized to theory, also called the analytical generalization. As defined by Yin (2003), in analytical generalization, the investigator strives to generalize a particular set of results to some broader theory.

Reliability – The reliability criterion is enhanced by following a strict and repetitive procedure during the case studies (Yin, 2003). The procedure for each case study is exactly the same as all the others. The questionnaire as guideline enhance the repetitive procedure and guided the case study step wisely, refer to Appendix 2. All information is verified and documented carefully.

3.3. Measurement

In the literature review, existing theory and literature formed the basis for assumptions and hypotheses in this research; which resulted to the theoretical framework in figure 5. How the definitions of the factors in the theoretical framework are used and measured in this study, are described below.

Kotter’s eight-phases method – This is the perceived usage of each of the eight-phases in the Kotter’s method by the responsible person for implementing the risk management and if possible validated with the participants from the business. Each of the eight phases is outlined. The interviewee describes the usage in the eight phases during the implementation. The perceived usages in the different phases are classified in a 1-5 Likert scale. Appendix 3 shows how the usage is calculated.

(26)

Successful risk management implementation – The success of the implementation of the risk management regard overcoming the organizational challenges. First the responsible person for implementing the risk management and the participants are asked whether they perceived the implementation as a success or not in general. In order to estimate the implementation success in quantitative terms, success factors are rated. The success factors are designed to measure the dissolve of the organizational challenges as mentioned in the literature (paragraph 2.2.1.). The organizational challenges imply the lack of a risk based culture, misunderstanding of risk management and the role of risk manager; and the lack of risk management foundation.

Success factors to measure that these organizational challenges are dissolved regard: increased proactivity (participation grade) as the participants gradually understand the content and the need and acceptance of risk management; request for additional information as the foundation and understanding increased, they trust the risk manager and want more information to understand the topic; increased risk and control awareness of the participants due to the increased foundation and understanding; risk based culture and thinking and the increased understanding towards the need of risk and control within the organization. The success factors are discussed as follow during the case study analysis:

- During the implementation has the proactivity amongst the participants increased?

- During or after the implementation did participants request for additional information or risk/control services?

- After the implementation has the risk and control awareness increased in the organization? - After the implementation has the organizational culture become more risk based?

- After the implementation has the understanding towards the need of risk and control been increased?

How the five parameters of success are rated is explained in Appendix 4.

Organization Size – Whether an organization belongs to a small, medium or large sized organization, depends on the number of employees. Small organization has a maximum of 50 employees; medium sized organization has a maximum of 250 employees. An organization with more than 250 employees belongs to a large organization. The foundation of this moderator is explained in paragraph 2.5.1.

Table 4: Classification organization size Compliance (external regulation) – Describes whether the project is driven by external laws and regulations or not. Not performing the project could lead to sanctions or other major consequences from external institutions. Compliance projects in regard to internal regulation are not taken into account. For foundation, refer to paragraph 2.5.2.

(27)

3.4. Cases

In this section, the sample selection and criteria are discussed. Thereafter the participating organizations and the representatives are shortly introduced. In the following chapter (4), the case studies are described more thoroughly.

3.4.1. Sample Selection and criteria

The sample consists of organizations that have implemented enterprise risk management or key principles in the organization, in order to test the hypotheses. An additional criterion is that the implementation has been completed.

There is no distinction made between industries or type of risk management implementation. Due to the limited availability of research information on this research topic, the objective of this study is to gain overall insight into the influence/effect of using organizational change method in risk management implementations. Whereby four case studies as a sample size is sufficient to gain insight into this influence/effect.

3.4.2. Participants

The following four case studies have participated in this research:

1. Dutch Transportation Company – Implementation of Risk and Financial Processes Handbook – 2007

2. Large Insurance Company – Implementation of Key Control Register - 2010

3. Credit Registration Office – Implementation of Organizational Risk Management - 2011 4. Small Insurance Company for a specific professional/occupational group – Risk Management

Analysis – 2010

3.5. An overview

This chapter has outlined that this study is a theory testing research as it is theory oriented and contributes to the development of theory. Due to cost, available time and capacity, together with the main question which expresses a probabilistic relation, the case study method is the preferred method for this research. To enhance the validity and reliability of this research, the triangulation method is applied, consisting of interviews, observations and collections of secondary data. This chapter has ended with an overview of the participating organizations. The case studies are further analyzed in chapter 4.

(28)

4. Case studies

The participating organizations were shortly introduced in the previous chapter. In this chapter the stories and the results from the case studies are outlined per case, following the different phases of Kotter’s change method. The results of the cases are further outlined in chapter 5 and 6.

4.1. Case 1 – Dutch Transportation Company – Implementation of Risk and Financial Processes Handbook – 2007

In 2005 the director of a Dutch Transportation Company introduced a risk and financial processes handbook for all its business units. Financial department was responsible for defining a generic handbook with standard financial risks and controls. There was no implementation plan. In 2007 the director realized that most of the business units have not implemented the handbook. Thereafter the director decided to enforce the business units to implement the handbook; discussion or customization was not allowed. Every year the controls in the handbook are tested for effectiveness. Due to privacy issues and sensitivity of the information, further detailed descriptions are not provided in this chapter. The rating of the different phases and factors are rated by the participant. The results are shown below:

Table 5: Ratings Case Study 1

4.2. Case 2 – Large Insurance Company - Key Control Register implementation – 2010

In 2010 the new CFO at a large insurance company in The Netherlands requested to implement a key control register for its business and functional units. This was a response to a number of major incidents with hundreds of millions of losses in the organization. The analysis of the root cause of the incidents showed that there were some gaps in communication, silo mindset and lack of transparency between roles and responsibilities. The Key Control Register is a register with key risks and controls, which are aligned with the objectives of each business unit and the supporting functional units. The objective is that the business units will use the key control register as a management tool for their daily business, increase transparency in roles & responsibilities and to improve the value chain effectiveness and to change the silo mindset.