ADVANCING ENTERPRISE RISK MANAGEMENT GOOD PRACTISES AND ITS

CONCEPTUAL FRAMEWORK IN, KENYA.

KEVIN ANTONIO ANYOKA

SC281-0637/2012

A RESEARCH PROPOSAL SUBMITTED TO THE DEPARTMENT OF STATISTICS IN THE

SCHOOL OF MATHEMATICAL SCIENCE IN PARTIAL FULFILMENT FOR THE DEGREE
OF ACTUARIAL SCIENCE OF JOMO KENYATTA UNIVERSITY OF AGRICULTURE AND
TECHNOLOGY

2015

DECLARATION
I hereby declare that this is original work and has not been submitted in any other university for
an award of a degree
NAME:

KEVIN ANTONIO ANYOKA

REG NO

SC281-0637/2012

SIGNATURE

DATE

DECLARATION BY SUPERVISOR
This research proposal has been submitted for examination with my approval as the university
supervisor(s)
Signature. DATE
Mr. SIJE

DEDICATION
This research is dedicated to all my dear close friends and family and also to all who made
proposal possible

ACKNOWLEDGEMENT
I would like to thank my lecturer, Mr. Sije, for the valuable advice and support he has given me
in the writing of this report. I would also like to thank my classmates for their encouragement
support and guidance. My deepest thanks go to understanding and support of all.

ABSTRACT
The aim of this paper will be to review previous studies on Enterprise Risk Management (ERM).
Previous studies show that empirical works on ERM are still limited. Research using both
primary and secondary data will be discussed. From the previous studies, it was found that most
of the studies in Kenya on risk management or ERM used primary data. The scopes of the
previous studies in Kenya include construction, financial institutions, service sector, technology,
industrial products, consumer products, plantation and trade and services, and these studies used
mail questionnaires and interviews. While studies from the secondary data focus on industrial
product companies, of which data are gathered from their annual reports.
Another objective of this study on enterprise risk management will be to gather information on
the impact of advancing ERM Kenya industries whether positive or negative. There has been a
significant discussion about the natural fit for actuaries in the growing area of enterprise risk
management .although here has been considerable literature on the benefits of enterprise risk
management ,it has been typically targeted at large ,global corporations in the financial sector,
that is insurance and also banking. This proposal shall advance the practice of ERM in Kenya
and push the boundaries of ERM beyond its traditional applications in the insurance and
financial sector. The key objective these proposal shall be to summarize the behavior patterns in
the adoption of risk management practices by the companies that will be surveyed. Another
objective of the proposal will be to move into a convergence between theoretical practices i.e. the
use of traditional approaches, and those adopted by the companies .this proposal shall be
theoretical with descriptive objectives and the procedure shall be multiple study of nine
companies in kiambu county, Kenya. The method we shall use or adopt in the selection nine
companies will be the diversity of the industry segments, representativeness of the companies in
5

their segments and also the use of enterprise risk management segment.to verify if there will be
patterns between the practices employed in the companies, they will be separated by the size of
the company and location too. All the small companies will be of traditional approach in risk
management. The same will happen to all companies in different locations of Kiambu County.
Yet, all the traditional approach companies, but one, adopt all the seven risk management
practice found in accordance to enterprise risk management. Without the enterprise risk
management the market will always be insufficient since many risks affect individual
companies.to deal with this problem of using of using traditional methods of risk management,
these proposal will take the measure of encouraging enterprise risk management to all companies
in growth areas such as ERM and pensioner and health care, ERM and general insurance, ERM
for smaller companies, ERM for non-financial institutions and ERM hazard risk management.

Table of Contents
DECLARATION BY SUPERVISOR................................................................................. ii
DEDICATION............................................................................................................... iii
ABSTRACT................................................................................................................... v
LIST OF FIGURES......................................................................................................... ix
TABLE OF FIGURES....................................................................................................... x
DEFINITION OF TERMS................................................................................................. xi
1.1 OVERVIEW........................................................................................................... 1
1.2 BACKGROUND INFORMATION............................................................................... 1
1.3 STATEMENT OF THE PROBLEM.............................................................................. 6
1.4 OBJECTIVES......................................................................................................... 7
1.5 HYPOTHESIS........................................................................................................ 8
1.6 SIGNIFICANCE OF THE STUDY..............................................................................8
CHAPTER TWO: LITRATURE REVIEW...........................................................................10
2.1 INTRODUCTION................................................................................................. 10
2.2 DEFINITION OF CONCEPT....................................................................................... 10
2.3 DEVELOPMENT OF ENTERPRISE RISK MANAGEMENT..............................................12
2.4 LEVELS OF EVOLUTION OF THE RISK MANAGEMENT STRUCTURE........................17
2.5 GOOD PRACTICES IN THE ENTERPRISE RISK MANAGEMENT....................................20
2.6 THE NEED FOR RESEARCH..................................................................................23
2.7 CONCLUSION..................................................................................................... 23
CHAPTER THREE: RESEARCH DESIGN AND METHODOLOGY.........................................24
3.1 OVERVIEW............................................................................................................ 24
3.2 INTRODUCTION..................................................................................................... 24
3.3 Research design....................................................................................................... 24
3.4 Target population.................................................................................................... 25
3.5

Sampling method................................................................................................ 25

3.6

Purposive or judgmental sampling.........................................................................25

3.7

Random sampling............................................................................................... 26

3.8

Sampling procedures and sample size.....................................................................26

3.9

Sampling size determination.................................................................................27

3.10

Data collection instruments...................................................................................27

3.11

Data collection procedure..................................................................................... 28

3.12

Questionnaires................................................................................................... 28
7

3.13

Interviews.......................................................................................................... 28

3.14

Secondary instruments......................................................................................... 29

3.15

Observation....................................................................................................... 29

3.16 Reliability of the research instruments.......................................................................29

3.17 Ethical consideration.............................................................................................. 29

LIST OF FIGURES
CASCASUAL ACTUARIAL SOCIETY
8

COSO.COMMITTEE OF SPONSORING ORGANIZATIONS OF THE

TREADWAY COMMISSIONT
CRO........................CHIEF RISK OFFICER
TRM.......................TRADITIONAL RISK MANAGEMENT
EWRM...................ENTERPRISE -WIDE RISK MANAGEMENT
BRM......................BUSINESS RISK MANAGEMENT
HRM.......................HOLISTIC RISK MANAGEMENT
EIU..ECONOMIST INTELLIGENCE UNIT
ERMENTERPRISE RISK MANAGEMENT

TABLE OF FIGURES

Figure 1: enterprise risk management maturity model.22

Figure 2: approaches of enterprise risk management..23

DEFINITION OF TERMS

Conceptual framework-

companies follow to control and manage risk.

Risk managementcan be dened as the culture, processes, and structures

conceptual framework is the structure under which

Directed towards the effective management of potential opportunities and adverse effects
10

Enterprise Risk Management-as the discipline by which an organization in any industry

assess, control, exploits finances and monitoring risks from all sources for the purpose of

increasing the organizations short and long term value to its stakeholders
risk management practices- this are practices put in place to control and manage risk
also determination of risk and processing risk.

11

CHAPTER ONE: INTRODUCTION

1.1 OVERVIEW
This chapter deals with providing an in depth understanding about the phenomena under study.
This chapter contains some background information in Enterprise risk management good
practice and conceptual framework.
1.2 BACKGROUND INFORMATION
In early 1970s,the concept of a holistic approach of risk management was traced when Gustar
Hamilton of Sweden statforetag proposed the risk management circle to describe the
interaction of all elements in the risk management process (assessment control, financing and
communication).in 20th century ,risk managers were primarily responsible for managing pure
risks through the purchase of insurance ,though the concept of risk management soon became
associated with financial risk management with the use of derivative financial products. Up to
now people are still using the traditional approaches to deal with these risk. When the traditional
approaches are used the market becomes inefficient leading to insolvency of many companies.
Major companies have demonstrated a growing concern with the need for risk management,
considering the recent financial scandals involving companies like Parmalat, Enrom,
Metallgesellschaft, among others.in Kenya companies in Thika faces several risks but only rely
on insurance company for insurance cover. This proposal aims at reaching major companies in
Kiambu counting and educate them the benefits of putting up an enterprise management program
in their companies. Also this proposal targets other individual who will be able to discover more
of what ERM is really about. Thus, it is possible to note that enterprise risk management is a
very present issue and has been the agenda of many debates.

In 2003, the casual actuarial society (CAS) defined ERM as the discipline by which an
organization in any industry assess, control, exploits finances and monitoring risks from all
sources for the purpose of increasing the organizations short and long term value to its
stakeholders. According to CAS, risks are being considered as source of opportunities for value
creation and not something to be avoided or minimized. The risk is not fully avoidable but
knowing to assess it and its return is a way to gain competitive edge. Many companies have
demonstrated a growing concern with the need for risk management, considering the recent
financial scandals involving companies like Parmalat, Enrom, Metallgesellschaft, among others.
Thus, it is possible to note that enterprise risk management is a very present issue and has been
the agenda of many debates.
The risk management should analyze the company in a holistic manner and not in an ad-hoc
manner by business silo or by each risk type. Risk management must be conducted in a
structured way, integrated across the whole company. Businesses have started to embrace the
enterprise risk management ERM approach. There are many definitions of ERM, however a
representative example is the following from the Committee of Sponsoring Organizations of the
Tread way Commission COSO : ERM is a process, effected by an entitys board of directors,
management and other personnel, applied in strategy setting, and across the enterprise, designed
to identify potential events that may affect the entity, and manage risk to be within its risk
appetite, to provide reasonable assurance regarding the achievement of entity objectives. Yet,
with the aim to optimize the process and maintain its quality,
A survey was jointly conducted by the Association of Governing Boards of Universities and
Colleges (AGB) and United Educators (UE) and reports data on attitudes, practices, and policies
regarding enterprise risk management1 among American colleges and universities. The survey
2

was completed by more than 600 respondents between June 11 and 25, 2008. Forty-one percent
of respondents mostly agreed that risk management is a priority at their institution and
companies. Twenty three percent of respondents mostly agreed that their governing boards
monitors institution risk through regular, formal reports from the administrator who is assigned
responsibility .a majority of sixty one percent of respondents reported that their company do not
identify major risks to companys mission success through comprehensive ,strategic risk
assessments. Fewer than half of respondents reported frequent or routine monitoring of political
or reputational risks which pose serious threats for companies and institutions. Half of the
respondents, almost fifty one percent, reported that board members and senior administrators at
their companies evaluated major risks identified by strategic risk assessment only on an as
needed basis.
When talking about enterprise risk management one has just to look at his backyard and he wont
miss a case of this. In Kenya management of risk is a sore issue that can be traced to our ancient
traditional way of doing things. In many African countries traditional way of approaching risk is
considered as a way of life as it pertains their strategy in dealing with risks. This issue is more
pronounced in developing countries as more and more companies are getting dissolved each and
every day without their consent. It should be noted that a minimum percentage of companies in
Kenya are willing to loss their business because of their own risks. Without a risk management
strategy the market will always be insufficient.
When we look back and even now the limitations when traditional way of assessing risks, it
become increasingly clear that traditional risk management approaches do not adequately
identify, evaluate and manage risk. Tradition approaches tend to be fragmented, treating risks as
disparate and compartmentalized. These risk management approaches often limit the focus
3

largely on loss prevention, rather than adding value, traditional approaches do not provide a
holistic framework most organizations need to redefine the risk management value proposition in
this rapidly changing world.
Traditional risk management uses a tactical approach whereby viewing a threat as a potential
event that might not occur and is focused on the direct consequences of that threat.in most
instances ,a tactical risk will directly affect program performance, the impact on a programs key
objectives is more often and indirect consequence of a tactical risk.in a tactical approach, you
first identify all known risks that can adversely affect a programs performance .a risk statement
is prepared for each risk and provides details on the potential for loss. Then, probability and
impact are established for each risk statement, and risk exposure is determined from the
individual values of probability and impact. Using this approach, the typical software program
can easily identify hundreds of risk statements.to create a big picture view of a programs risk
,you must aggregate detailed risk information because tactical approaches rely on aggregation
techniques to provide a big-picture view of risk ,we refer to them as incorporating a bottom-up
analysis.
Many programs are successful employing tactical approaches for managing risk. However, just
as many struggle to effectively manage high numbers of risk statement.in some cases, decision
makers in these programs spent too much time manipulating and analyzing risk statement and
too little time actually managing risk.

Many organizations have been challenged by a surge of several external factors/forces pressuring
them for the adoption of a structured and integrated risk management. Examples are
requirements/pressure from the market, from the regulators, gain competitive advantage and
good business practices (Corporate Executive Board). For CAS, these forces are: increasing
number of risks and interactions that organizations have to acknowledge, inclusion of risks in the
portfolio theory and attempt of quantifying the risks to gain qualitative perspective. Beasley,
Clune e Hermanson, James Lam & Associates and Pricewaterhousecoopers also mention
warning of previous financial disasters, requirements/pressure from the head office, reinforce
corporate governance, reinforce internal controls and examples of companies that have adopted
ERM and achieved benefits.
The adoption of enterprise-wide risk management practices is also driven by regulations
themselves, which focus the business on operating the right way as a normal business practice.
Since this is a matter of great importance both for scholars and for the business community, it is
intended with this article to make a contribution to academic research while helping to increase
the business community interest majorly in Kenya.
Kenyan companies that will adopt this enterprise risk management will be looked upon to see if
there are changes. ERM and its conceptual framework has been tried in various countries in
developed countries like USA and it has worked. Actuaries will in the future be the key in risk
management though this topic has been argued against by people who believe that they are well
fit for the job. This research will prove otherwise, it will show first of all importance of an
actuary in this case and also it will reveal the benefits of ERM programs in companies.
The remainder of the paper will be organized into five main sections. First, the literature review
on ERM structures and the good practices is presented. Second, the methodology and data
5

collection. This provides the context necessary for the third section, which presents the
discussion of the results followed by a conceptual framework of good practices in the enterprise
risk management. Finally, the paper finishes with a brief conclusion that summarizes the
objectives of this study.
This study will provide an effective assistance for the enterprises to evaluate and enhance their
practices in risk management. An additional motivation is the lack of academic research
regarding the use of good practices and their assessment.

1.3 STATEMENT OF THE PROBLEM

Throughout the world, risk is the potential of losing something of value. Sadly, when it comes to
the point of controlling or managing risk many companies seem to be incapable. Major
companies are being haunted by the risks they had avoided or assumed (several companies have
been closed e.g. webuye paper mill).traditional risk management approach always measures the
risk that the companies are assuming. Companies in Kenya seem to be having trouble
maintaining their liquidity, their also are having problems managing the credit rating. This makes
their shareholder remove their shares because the company cannot manage their risks. This will
be a problem always in Kenyan companies until actuaries in Kenya are able to put up a solid
Enterprise risk management or else some of these companies soon will cease to exist. The
transition to market based accounting system and economic capital will be going to change
peoples view on what risk is or what it isnt. For now financial managers understand risk as a
fluctuation in their income statement .traditional models of risk management of the past and also
unrealistic. The market is not rational. There is no such thing as fully diversifiable risk, we
cannot diversify risk as we had thought in past we could. Companies in Kenya believe that risk
6

can be diversified and this soon you will notice its impossible. The market will be inefficient if
we continue to use the same models to manage risks. New models should be made to manage
this risk in Kenyan companies.

1.4 OBJECTIVES
The main aim of this project will be to determine the impact of advancing enterprise risk
management and its conceptual framework in Kenya.
The study will also be guided by the following sub objectives:

Summarize the behavior patterns in the adoption of risk management practices by the

companies surveyed.
Move into a convergence between theoretical practices and those adopted by the

companies.
Specifying the advantages of taking the new way of risk management and that is ERM
Criticizing the old method of risk management, traditional method of controlling risk,
which is inefficient in the current market.

1.5 HYPOTHESIS

ERM reduce possibility of risk.

ERM and its conceptual framework will be able to stop risk for good.
7

ERM will able to predict future risks.

1.6 SIGNIFICANCE OF THE STUDY

Companies in Kenya are being shut down abruptly because of certain reasons like bankruptcy
.This has always been because of poor techniques of handling the risk they are exposed to. Risk
should not be minimized or avoided but in real sense should be managed by professionals i.e.
actuaries. This study will only be based on spreading the importance of adopting the new way of
managing this new risks in the market.to be sincere the market is changing every minute and new
risk seems to be arising every minute and the old approach are not working so far.
This study will help companies in Kenya, not only to companies but also to institution that, to be
aware that ERM is important in many perspective to an organization such as;
To reduce potential financial losses for companies and institutions

Desire to improve business performance

Due to the regulatory compliance requirements
The organization desire to increase risk accountability

On the other hand, (PricewaterhouseCoopers, 2008) found that firms in Finland are motivated to
implement ERM because of the following reasons:

over 96 percent of the users want to adopt good business practice;

more than 81 percent due to corporate governance pressure;
42 percent stated it gives them a competitive advantage; and
More than 30 percent comes from regulatory pressure and also investment community
pressure.

These companies in Finland find it easy to control their losses due to risk unlike in Kenya where
insurance cover is the optimal solution to risk management.

CHAPTER TWO: LITRATURE REVIEW

2.1 INTRODUCTION
There is a great literature about enterprise risk management, both in Kenya and abroad. . And
there is ethnographic literature that examines the way in which Kenyans conceive of ERM and
why it should exist in the market. After a few studies the current market not only in Kenya have
realized the market is already insufficient without proper methods of handling the risks they face
each and every day.
9

The word enterprise for Enterprise Risk Management (ERM) itself shows a different meaning
than Traditional Risk Management (TRM). Enterprise means to integrate or aggregate all types
of risks; using integrated tools and techniques to mitigate the risks and to communicate across
business lines or level compared to Traditional Risk Management. Integration refers to both
combination of modifying the firms operations, adjusting its capital structure and employing
targeted financial instruments (Meulbroek, 2002).

2.2 DEFINITION OF CONCEPT

It was argued that the term ERM has quite similar meaning with Enterprise-Wide Risk
Management (EWRM), Holistic Risk Management (HRM), Corporate Risk Management
(CRM), Business Risk Management (BRM), Integrated Risk Management (IRM) and Strategic
Risk Management (SRM) (DArcy, 2001; Liebenberg and Hoyt, 2003; Kleffner et al., 2003;
Hoyt and Liebenberg, 2006; Manab et al., 2007; and Yazid et al., 2009).
There are various definitions of ERM. For example, in the middle of 2004, the Committee of
Sponsoring Organization of the Treadway Commission (COSO) released the Enterprise Risk
Management Integrated Framework. COSO defines Enterprise Risk Management as a process,
affected by an entitys board of directors, management and other personnel, applied in strategysetting and across the enterprise, designed to identify potential events that may affect the entity,
and manage risk to be within its risk appetite, to provide reasonable assurance regarding the
achievement of entity objectives.
CAS or Casualty Actuarial Society (2003) defines Enterprise Risk Management as disciplines by
which an organization in any industry assesses, controls, exploits, finances, and monitors risks
10

from all sources for the purposes of increasing the organizations short- and long-term value to
its stakeholders.
Lam (2000) on the other hand, defines Enterprise Risk Management as an integrated framework
for managing credit risk, market risk, operational risk, economic capital, and risk transfer in
order to maximize firm value. Makomaski (2008) defines Enterprise Risk Management as a
decision-making discipline that addresses variation in company goals.
Alviunessen and Jankensgrd (2009) point out that Enterprise Risk Management is concerned
about a holistic, company-wide approach in managing risks, and centralized the information
according to the risk exposures. They use the term Risk Universe, which is the risk that might
impact on the future cash flow, profitability and continued existence of a company. In other
words, risk universe is risk that could affect the entity of the company. If risk universe can be
identified, the next step is to take an appropriate action such as risk mapping process, accessing
the likelihood and impact and curb the risk based on the organizations objectives
Therefore, Enterprise Risk Management can be defined as a systematically integrated and
discipline approach in managing risks within organizations to ensure firms achieves their
objective which is to maximize and create value for their stakeholders. There are two key points
that must be highlighted according to the definitions given above. The first key point is the main
role of ERM itself - it integrates and coordinates all types of risks across the entire organization.
It means that risks cannot be managed in silo approach. All risks occurred in the entity must be
combined and managed in enterprise approach. The second key point is by using ERM, users are
able to identify any potential incidents that may affect the organization and know their riskappetite. If the risk-appetite is specifically known, any decision made by the organization to curb
risks may be parallel with the firms objective (Walker et al., 2003).
11

2.3 DEVELOPMENT OF ENTERPRISE RISK MANAGEMENT

This section will discuss briefly the development of ERM especially on the emerging factors that
influence companies to shift from risk management practices (Traditional Risk Management) to
Enterprise Risk Management. The discussions will focus from the theoretical perspectives;
academic and professional bodies.
DArcy (2001) has postulated that the origin of risk management was developed by group of
innovative insurance professors i.e. Robert I. Mehr and Bob Hedges in 1950s. In the 1963s, the
first risk management text entitled Risk Management and the Business Enterprise was
published. The objective of risk management at that time was to maximize the productive
efficiency of the enterprise. At that time, risk management was specifically focused on pure risks
and speculative risks.
In the 1970s, when Organization of Petroleum Exporting Countries (OPEC) decided to reduce
production in order to increase the price, financial risk management became an interesting issue
highlighted by firms because the increment in oil price has affected the instability in exchange
rates and inflation rate (DArcy, 2001; Skipper and Kwon, 2007).
Later in 1980s, political risks attracted more attention from multinational corporations as a result
of different political regimes in different countries. For example, when the government
announced a new policy, investors and corporations must make decision to reduce risk (Skipper
and Kwon, 2007). According to DArcy (2001), during this era, organizations did not properly
apply risk management because they did not apply the risk management tools and technique such
12

as options. Therefore, it had increased the cost of operations of the organizations. During this era,
the silo mentality still remains (Skipper and Kwon, 2007).
In the 1990s, the use of financial tools such as forwards and futures are widely practiced in the
United States. In addition, pressure from shareholders and stakeholders to take more action
rather than buying insurance to fight against uncertain loss or financial crisis, influenced
managers to mitigate risks more proactively. It demanded managers to retrieve better risk
information and risk management techniques. During this time, risk management was closely
related to financial, operational and strategic risks, not only hazard risks (Skipper and Kwon,
2007). Hazard risk refers to any source that may cause harm or adverse effects such as equipment
lose due to natural disasters for example, the Hurricane Katrina that happened in United States in
2005.
There are various risks that can occur. These include financial risk, strategic risk and operational
risk. Financial risk refers to any loss due to economic conditions such as foreign exchange rates,
derivatives, liquidity risks and credit risks. Apart from the corporate scandals in Enron,
WorldCom, Polly Peck and Parmalat, the last decade showed how serious the financial scandal
was to corporations and banks (Jones, 2006; Benston et al., 2003). Another example was in 1994,
the Orange Countys Investment Pool lost USD1.7 billion from structured notes and leveraged
repo positions, while in 1995, Barings Bank and Daiwa Bank lost USD1.5 billion and USD1.1
billion respectively due to losses in futures and options trading and unauthorized derivatives
trading. The same financial disaster occurred in 1996 when Sumitomo Corp. lost USD1.8 billion
as a result of the actions of its head copper trader, Yasuo Hamanaka who secreted his activities in
unauthorized copper trading on the London Metal Exchange (Holton, 1996; DArcy, 2001).

13

Li and Liu (2002) define strategic risk as the uncertainty of loss of a whole organization and the
loss may be profit or non-profit, while Mango (2007) points out that there is no specific
definition of strategic risk due to the inability to well-define and understand it. Strategic risk may
arise from regulatory, political impediments or technological innovation. For example a specific
guide entitled Risk Management Principles for Electronic Banking was produced to ensure
banks follow the 14 guidelines in providing internet banking services like electronic fund
transfers as proposed (The Basel Committee, 2001). The Basel Committee (2001) define
operational risk as the risk of direct or indirect loss resulting from inadequate or failed internal
processes, people and systems or from external events. Operational risk is more related to
internal problems, such as employee fraud, corporate leadership, segregation of duties,
information risk and product flaws. For example, Marc Dreier was found guilty and charged for
20 years of imprisonment due to fraud of fictitious promissory notes, which is valued at
approximately USD700 million (Weiser, 2009).
As the results that risks might occur in multiple perspectives, it can be concluded that risk
management (Traditional Risk Management) could not be managed separately. It has to be
integrated in a holistic manner. These factors are among the main cause of the emergence of
Enterprise Risk Management in late 1990s. Organizations face risks and the risks depend on
many factors. For example operational risk, strategic risk, political risk, technology risk, legal
risk, financial risk, reputational risk and human capital risk. Most of the literature mainly
concern on four types of risk i.e. financial risk, hazard risk, operational risk and strategic risk (D
Arcy, 2001; CAS, 2003; Cassidy, 2005). Cassidy (2005) found that Enterprise Risk Management
existed in planning, organizing, and leading and controlling organizations activities in order to
minimize firms major risks such as financial, strategic and operational risks.
14

The professional bodies such as Casualty Actuarial Society (CAS, 2003) have reported six
factors that force organization to practice Enterprise Risk Management. The first factor is related
to complicated risks. Organization not only faced four basic types of risks such as hazard,
financial, operational and strategic risk, but there were other risks such as the risks in advance
technology, the accelerating pace of business, globalization, increasing financial sophistication
and the uncertainty of irrational terrorist activity. These risks did not occur by themselves. It
might be happened because of the combination of both types of risks (for example combination
of globalization factors and advance in technology). The second factor came from external
pressures such as regulators, rating agencies, stock exchanges, institutional investors and
corporate governance bodies. The Australia/New Zealand Risk Management standard released in
1995 was an example of a formalized system of risk management and report the organizations
management pertaining to the performance of the risk management system. The third factor is
related to a sense of portfolio point of view which refers to an increasing tendency towards
integrating the risks, which previously have been managed in silo. The fourth factor is that risk
need to be quantified even if it is impossible to quantify all risks. By quantifying risks,
management will be able to estimate the magnitude of risk or degree of dependency with other
risks efficiently in making decision process. The fifth factor is the Boundary-less Benchmarking
factor. The implementation of risk management now is not only limited to the insurance or
financial services, but is now common to other organizations. In addition, rapid changes in
technology allow related information on risks to be transferable easily across the organizations.
The final factor is related to risk can be treated as opportunity. Previously, any risk that arises has
been treated in defensive approach to be minimized or avoided. Now, risk must be understood
as the value-creating potential of risk. As a result of past experience in mitigating risk,

15

organizations may develop expertise in managing those risks and may be able to transfer their
expertise to other organizations.
Lam (2000) as cited in Wolf (2008), have stressed that risks may arise from multiple perceptions
in daily business operations. For example, Mercer Management Consulting showed that most
Fortune 1000 companies suffered declining in stock due to failure in decisions in terms of
strategic (58 percent), operational (31 percent) and financial (6 percent). Therefore, firms need to
integrate all risks in their daily operations, in order to mitigate any probabilities on risks in the
systematic manner. In addition, by using Enterprise Risk Management, it helps firms to manage
better financial results (Jablonowski ,2006).
As argued by Lam (2000), practicing Enterprise Risk Management should be observed upon
three perspectives;

globalization
changes in the role of risk managers
regulatory

From the globalization perspective, it created multiple risks perceptions, fast growing
technologies and interdependency of risks. From the role of risk manager, risks should not be
treated as a trouble, but also as an opportunity. Finally from the regulatory oversight factors
perspective, appointing Chief Risk Officer (CRO) and the establishing Risk Management
Committee (RMC), the adoption of ERM will become a reality.

16

2.4 LEVELS OF EVOLUTION OF THE RISK MANAGEMENT STRUCTURE

Based on the fact that enterprise risk management has been always complex process, there was a
research who developed a five stage ERM maturity model (see figure 1). It has been used to help
organizations benchmark their progress in driving value through ERM. Basically, it address
issues on the effect ERM has had on harmonizing organizational needs, culture and stakeholder
requirements and how ERM is being used proactively to balance risk, opportunity and value.

Scale

Component and associated activities are very limited in scope and

1. Initial/lacking

many be implemented on an ad -hoc basis

17

Limited capabilities to identify, assess, manage and monitor risks

2.Basic
Sufficient capabilities to identify, measure, manage, report and
3. Defined

monitor major risks; policies and technique are defined and

utilized (perhaps independently) across the organization
Consistent ability to identify, measure, manage, report and

4. operational

monitor risks, consistent application of policies and techniques

across the organization

5. Advanced

Well-developed ability to identify, measure, manage and monitor

risks across the organization; process is dynamic and able to adapt
to changing risks and varying business cycles; explicit
consideration of risks and risk management in management
decisions

Figure 1: enterprise risk management maturity model

Marsh/RIMS used a different model by classifying the risk management approaches in

traditional, progressive and strategic.

18

1.Risk identification, loss control and complains analysis

Traditional approach

2.Increase ability to meet corporate objectives ensuring that

risks are taken into consideration in the decisions
3.Improve management of the interrelated risks across the
organization

Progressive approach

Traditional approach plus:

1.Business continuity, total risk cost, education and
communication
2.Improve competences to identify and assess risks
3.Improve management and responsibility of business unit
4.Internal auditing takes the risk issues for discussion
Tradition and progressive approaches plus;
1.ERM across the organization and use of technology

Strategic approach

2.Risk issues are part of business discussion strategy

3. Risk sources are gathered across all levels of the
organization and with the stakeholders.

Figure 2: approaches of enterprise risk management

19

2.5 GOOD PRACTICES IN THE ENTERPRISE RISK MANAGEMENT

a) Culture and risk awareness
It is unquestionable the importance of information across the organization. Green and JenningMares study states that the most important element in the risk management is the growth of a risk
culture coherent and consistent. An education program aimed to spread this culture should be
consolidated by all the managers and employees of the company (Namibia). For Economist
Intelligence Unit EIU the key determinant of success in risk management has become the need to
ensure that a strong culture and awareness of risk permeates every layer of the organization.
Protiviti shows that the absence of a common language and awareness prevents sharing the good
practices across the organizations. It generates a great uncertainty.
b) Risk permeates the whole company
The risk management function has evolved to become a core area of business practice, driven by
the board but embedded at every level of the organization. The aim is no longer simply to avoid
losses, but to enhance reputation and yield competitive advantage (EIU). Protiviti and Harner
share the view that, despite ERM responsibility starts right at the top of the organization, the
managers of all levels of organization should also participate to improve the process.
c) Predictable increase in investments Firms of all sizes and in all areas of the world are
planning to increase investment in most areas of risk management. These areas are: improving
data quality and reporting, strengthening risk assessment processes, management training in risk
management, analytics and quantification, risk framework or model development, setting risk
committee roles and responsibilities (EIU). Marsh/RIMS study highlights that 42% of the
companies that have ERM in place (so called strategic companies) will invest more in risk
management in 2009.
20

d) Need of a formal risk management framework In Kaufman, Oh and Sherman study, 79% of
the companies surveyed said having a formal structure of ERM, either at initial stage (28%) or
advanced stage (48%). However, 54% of them indicated that their ERM framework is not based
on any external model. Among the 46% remaining, 67% of them use COSO framework and 16,
2% adopt AS/NZS 4360 framework. Corporate Executive Board study shows a more discrete
result: only 48% of the companies implemented fully or partially ERM. However, 52% of them
said having implemented or planning to implement COSO framework. Ching concludes that the
use of an ERM formal framework contributes significantly to its efficiency.
e) A dedicated CRO Chief Risk Officer in a senior position the presence of a CRO is the most
common practice among all. Its reason is debated by many authors. Kleffner, Lee and McGannon
show that 61% of companies surveyed mention the influence of CRO as a key factor for driving
and facilitating the ERM process. The appointment of a CRO is a sign of a formal ERM program
and his quality and skills promote ERM importance for all the executives and influence the
whole company (Daud, Yazid and Hussin, Liebenberg and Hoyt). CROs are already in place at
38% of those organizations represented in the EIU survey, and a further 21% have plans to
appoint an individual to this role over the next three years. Trying to be neutral, Beasley, Pagach
and Warr do not show any financial benefit for the shareholders for those companies that hired
CRO.
f) Creation of a risk committee
For Branson an emerging good practice is the creation of a multidisciplinary risk committee
which can be located at the top of the ERM function and be leaded by the CRO. Whether risk
should be centralized or decentralized depends on the organizational structure of the company.
Most organizations are implementing a
21

Hong Y Ching and Thalita M Colombo

Structure where there is a small number of people in the central, or group, risk function, and then
embedding risk champions in the business units, all being part of the risk committee (EIU).
g) Independence between the Board and CEO
Companies with independent board and segregation between CEO and the chairman present the
highest level of enterprise risk management (Desender). Beasley et al claim that an independent
board is more objective to comply with the management actions and strategies than companies
that do not possess this independence

2.6 THE NEED FOR RESEARCH

The need for this research will be to encourage companies to step up their ways of handling
risk .The best way is to use ERM with good practices and conceptual framework. In Kenya
companies find it had to manage their own risk so they either avoid it or assume it.

2.7 CONCLUSION
This paper discusses the definitions of ERM and its development over the years. In addition,
previous studies that are related to the determinants of companies that practiced Enterprise Risk
Management (ERM) are also discussed. The paper starts with the definition of ERM and its
development. The fact that risks might occur in multiple perspectives, it appears that risk
management (Traditional Risk Management) could not be managed as a separate approach, it
requires enterprise risk management and conceptual framework. It needs to be integrated in a
holistic manner. These factors were among the main cause of the emergence of ERM in late
22

1990s and could be argued as factors for companies to adopt or practice ERM. Evidence also
showed that studies on ERM are based on two approaches, using primary data such as interviews
and mail questionnaire; and using secondary data. From the previous study it was found that
most of the studies in Kenya on risk management or ERM used primary data. The scopes of the
previous studies in Kenya were construction, financial institutions, service sector, technology,
industrial products, consumer products, plantation and trade and services, and these studies used
mail questionnaire and interviews. While from the secondary data study, the focus was only on
industrial product, of which data was gathered from annual reports.

CHAPTER THREE: RESEARCH DESIGN AND METHODOLOGY

3.1 OVERVIEW
This chapter contains the materials on the population of the study, the research design, the data
collection techniques, validity of the instruments, data analysis techniques and reliability of the
research instruments.
3.2 INTRODUCTION
Data collection and documentation will be important if we are to better our understanding about
ERM and its conceptual framework. Lack of access of reliable information and data can lead to
difficulty in assessing the situation in the companies. In Regard to methods of data collection the
researcher should not only rely on secondary data alone as we had earlier noted there exists a
major gap in knowledge thus other methods should be

employed such as interviews and

questionnaires. To collect both primary and secondary data, the baseline study will involve field
and library research. The library research will involve a document and literature review
23

specifically looking at the existing international and national view on ERM good practices and
conceptual framework. Various earlier statistical data and empirical studies on ERM in Kenya
and not only in Kenya will be reviewed, including documents, books, journals and reports.
Relevant information will be extracted from these sources to substantiate the magnitude of the
risk management problem and its various effects, especially on Kenyan companies.
3.3 Research design
The research design that the researcher will opted to use in this study is the descriptive research
model. I am of the opinion that this research design will be able to provide me with the
guidelines to carry out this study. This design Involves gathering data that describe events and
then organizes, tabulates, depicts, and describes the data. It Uses description as a tool to organize
data into patterns that emerge during analysis. Descriptive research design is a systematic,
empirical inquiry into which the researcher does not have direct control of independent variables
as their manifestation has already occurred or because they reflecting the state of happenings
and qualify the obtained findings through the use of quantitative analysis.
The core issue of this study will be to advance ERM good practices and conceptual framework
in Kenyan companies. And in order to achieve this with maximum impacts then I need to carry
out a detailed study of this phenomenon and make the unknown known to the public. A detailed
inquiry will enable me to achieve my objective and come up with effective tools of research.

24

3.4 Target population

The target population in the research will companies in kiambu county, Kenya. Also institution
around Kiambu County will be my targeted population. Interviewing of the managers in the
companies and institution will help me understand how each and every company manages their
risk.
3.5 Sampling method
In order to get respondents who will provide viable data the researcher will employ triangulation
of both Non-probability and probability sampling. Triangulation of these two methods will
ensured that respondents selected for the study will be relevant.

3.6 Purposive or judgmental sampling

This will entail selecting companies and institution based on the judgment of the researcher.
Given the fact that this study has the whole country's companies as probable respondents
judgmental sampling will be more applicable given the fact that respondents will be chosen
based on their knowledge relating to TRM and ERM with conceptual framework.

3.7 Random sampling

Random sampling will be applied where the probable respondents companies will be known; this
will ensure that every company has an equal chance of being selected. We define sampling as the
process of selecting a number of individuals for study in such a way that the individual selected
represents the large group from which they were selected. Simple random sampling will be
adopted in selecting the members of the population to be interviewed or be given questionnaires.
25

The researcher is to use random sampling method to collect data from companies financial
managers. They will be randomly chosen when the researcher will visit the respective places.
The sampling method will be used because of its simplicity. For instance random sampling is
proved to be helpful when it came to carrying out the research amount companies of various
calibers as it will give every company an equal chance of being respondent to the study. Random
sampling will be applicable due to the fact that the sample frame is known.

3.8 Sampling procedures and sample size

The most companies affected dearly by poor risk management are the small companies which are
still growing. Hence some of the companies that will be interviewed in Kiambu County shall be
small firms and companies. The researcher will also focuses on primary information that is the
companies that have suffered dearly because of not managing their risk properly. The reason
behind this is such that they will provide the much needed insight when it comes to
understanding this age long vice.

3.9 Sampling size determination

Using the above technique of determining our respondents, our respondents companies should be
at least nine, and should be given questionnaires to be filled. The respondents in the sampling
size will be picked on stratified random basis. This will ensure that all the residents in each
department of the locality will be involved. It will also contribute to an equal and unbiased
chance of respondents participation in the research study. Stratified random sampling is also
applicable where the population under study is heterogeneous.
26

3.10 Data collection instruments

These will be the tools used in identifying and gathering information that will be relevant to the
realization of the research objectives. The tools will be expected to have valuable contributions
in the development of the new system.
Data collection will be done through interviews, questionnaire and secondary sources. These
information or data will be collected during interaction with the companys board members.
Secondary Data will be also collected from documented information that will be easily accessed
from libraries, books, published thesis, newspapers and journals.

3.11 Data collection procedure

Questionnaires will help the researcher to gather data on opinions and suggestions of the
companys board members towards their information on the effects of risk and usage of TRM as
a method of risk management in their companies. The method will be chosen to ensure that the
large of financial management department members will be effectively reached over a shorter
period and at little costs than would have been with interview. The method will supplement other
tools of data collection since it will act as a check to some information collected from members
through the interview method.
27

3.12 Questionnaires
In the course of the study questionnaires will be used to collect data from literate respondents
where applicable.

3.13 Interviews
Interviews will also be employed in cases where the respondents will be capable of meeting the
researcher or in some case it will be used when respondents opted to be interviewed rather than
fill a questionnaire. Interviews will only be carried out with the total consent of the respondent
such that only reliable and viable data is collected. In the course of carrying out an interviews the
information that will be collected will be filled on the questionnaire while in some cases it will
be noted down in order to prevent loss of information.
3.14 Secondary instruments
The researcher will also use secondary data collection techniques in order to fill some gaps
within the knowledge and also to find out some existing knowledge about the phenomena. Such
data will be easily accessible from local libraries, journals, newspapers, books, and thesis papers
among many more.
3.15 Observation
Contrary to some cases observation may be used as a data collection method. For instance when
undertaking interviews the researcher will have to employ observation to gauge emotions and
truthfulness of respondent.

28

3.16 Reliability of the research instruments

A questionnaire is a set of standard questions that will be answered by the respondent. They
will be reliable since the population targeted is big and may take a lot of time if interview was
scheduled. The questionnaires therefore will serve as the best for this study. The assurance of
response sometimes can be guaranteed when the researcher will use questionnaires.
3.17 Ethical consideration
In the course of the study the researcher will have to maintain an ethical code of conduct in order
to maintain the ethics of business. In order to achieve this the researcher will employ the aspect
of informed consent from respondents. Before carrying out an interview or handing out a
research questionnaire it will be mandatory to seek consent of the respondents from the
companies. This will ensure that any information collected was credible as it will be collected
without any form of coercion.
Also the researcher will also respect the privacy of the respondents especially when it came to
the companys laws and orders. In the course of the study the respondent from companies will
have the right to choose the circumstances under which to carry out the interview.
In the course of the study collection of sensitive information about the companies will be
followed by an assurance of confidentiality and anonymity by the researcher. For the case of
questionnaires a statement ensuring confidentiality in information given will be indicated so that
the respondents will feel secure in providing sensitive information about the company. Also the
respondents will not be required to fill out their names on the questionnaires in order to ensure
privacy and anonymity of information collected.
When dealing with the aspect of ethical issues the researcher will have to take into account by
laws rules and regulations of the companies so as not to interfere with them. This is due to the
29

fact that managers and top ranked individuals are very sensitive in the way they lead their
companies. Sometimes they may be resistant to change.

4. Discussion of the Results

In the first section, we display the general aspects of each company researched.
The adoption of market good practices by these companies will be shown in the
second section.

Company 1;
Segment: capital good products make to order,
Size: 5300 employees,
Listed in the head office country,
Risk management approach: improve the management and responsibility of its managers
in order to gain competitive advantage,
Duration of ERM: + 15 years Reasons for ERM adoption: requirements from head office;
alert from previous corporate disasters; reinforce corporate governance and internal
controls.

30

Company 2
Segment:utilities/energy generation and distribution
Size: 7500 employees
Listed in Kenya
Risk management approach: increase ability to meet corporate objectives making sure the
risks are mitigated when necessary
Duration of ERM: 4 years Reasons for ERM adoption: requirements from market (banks,
rating agencies, investors, etc); reinforce corporate governance; good business practices.
Company 3
Segment: agribusiness
Size: 6000 employees
Listed in the head office country R
isk management approach: risk issues are part of company strategic discussions in order
to maximize company value in long range
Duration of ERM: + 20 years Reasons for ERM adoption: reinforce corporate governance
and internal controls; gain competitive advantage; good business practices

Company 4
Segment: health care services
Size: 5100 employees
Risk management approach: increase ability to meet corporate objectives making sure the
risks are mitigated when necessary
Duration of ERM: over 1 year Reasons for ERM adoption: reinforce corporate governance
and internal controls; good business practices
Company 5
Segment: automotive
Size: 23000 employees
Listed in the head office country
Risk management approach: risk issues are part of company strategic discussions in
order to maximize company value in long range
Duration of ERM: + 10 years Reasons for ERM adoption: requirements/pressure from head
office and regulatory bodies; reinforce internal controls.

31

Company 6
Segment: financial services
Size: 85 employees
Listed in the head office country
Risk management approach: increase ability to meet corporate objectives making sure
the risks are mitigated when necessary
Duration of ERM: 8 years Reasons for ERM adoption: reinforce corporate governance and
internal controls; gain competitive advantage; good business practices
Company 7
Segment: financial institution
Size: 40 employees
Risk management approach: increase ability to meet corporate objectives making sure the
risks are mitigated when necessary
Duration of ERM: + 20 years Reasons for ERM adoption: requirements from market (banks,
rating agencies, investors, etc); pressure from regulatory bodies; alert from previous
corporate disasters.

Company 8
Segment: pension fund and health plan
Size: 130 employees
Risk management approach: increase ability to meet corporate objectives making sure
the risks are mitigated when necessary
Duration of ERM: 6 years Reasons for ERM adoption: pressure from regulatory bodies;
reinforce corporate governance and internal controls.

32

Company 9
Segment: automotive
Size: 5500 employees
Listed in the head office country
Risk management approach: risk issues are part of company strategic discussions in
order to maximize company value in long range
Duration of ERM: + 10 years Reasons for ERM adoption: requirements from market
(banks, rating agencies, investors, etc); reinforce corporate governance; good business
practices.

In summary, of these nine companies, just one is not listed, three are listed in Kenya
and six are in their head office country. Based on the replies regarding the risk
management approaches, the authors classified the companies in traditional,
progressive and strategic, according to Marsh/RIMS (2009). See table below

APPROACH

QUANT

33

COMPANIES

Traditional: increase ability to meet corporate objectives

making sure the risks are mitigated when necessary

Progressive: improve the management and

responsibility of its managers in order to gain
competitive advantage

Strategic: risk issues are part of company strategic

discussions in order to maximize company value in long
range

2,4,6,7,8

3,5,9

In summary, 60% of them have traditional approach in risk management. On the

other extreme, 30% have strategic approach while just one (10%) has progressive
approach. We can expect that companies with less duration of ERM would be
classified in traditional approach. This was true in 3 companies 2, 4, and 8 with
until 6 years of ERM duration. And as they have more time in ERM, they would be
progress in their approach. This seems to be true with companies 3, 5 and 9, all of
them with over 10 years of ERM duration and with strategic approach. However, in
the case of companies 6 and 7 with over 8 years of ERM duration, they did not move
along and parked in the traditional approach.

34

5. Proposal of a Conceptual Framework

In this section, the authors developed from these ten cases a conceptual enterprise
risk management framework and its good practices (see figure 3). This model
consists of four blocks (see figure 3). On the upper left corner, the enterprise risk
management that consists of the integration between the internal environment
(business goals, policies, strategies, procedures, processes, controls and
organizational structure) and the risk assessment and its evolution to ERM
implementation. COSO [3], ISO/DIS 31000 [24] and AZ/NZS 4360 models (as
described in the CAS study) [1] were taken as reference for this risk management
proposal. The internal environment encompasses the tone of an organization, and
sets the basis for how risk is viewed and addressed by an entitys people, including
risk management philosophy and risk appetite, integrity and ethical values, and the
environment in which they operate (COSO) [3]. In the risk assessment, risks are
analyzed, considering likelihood and impact, as a basis for determining how they
should be managed and their impacts calculated. The integration will enable ERM
implementation. It consists in creating a structure and process for managing risk
which provide the organizational arrangements that will embed it throughout the
organization at all levels. After its implementation, it is paramount the actions
analyze, monitor, review and improve occur constantly. Analyze means considering
the likelihood and the impacts of the risk mitigation and/or gain financial
advantages. Monitor is following frequently the risk environment and the
performance of the strategies adopted. It provides vital inputs forreview action.
Review can be defined as making feedback and modifications of other elements.
Finally, improve is about enhancing the performance to an upper stage constantly.
And the good practices are the engine to boost the performance as can be seen
later on. Moving to upper right corner, the outcomes resulting of the enterprise risk
management. The companies can obtain tangible benefits, such as: competitive
advantage, thrust from the shareholders, reinforce of corporate governance and
internal controls, compliances to the regulatory bodies and stock exchange
standards. In order for the cycle keeps evolving, benchmarking tools and/or
continuous improvement are explored (lower right corner). Benchmarking helps
companies to define goals, encourages new ideas and offers a structured method of
change management. Continuous improvement, on its turn, is the combination of
two elements: the improvement, understood as a change for better, and the
continuity, understood as permanent change actions (Laugeni and Martins) [25].
From the use of these two tools, good existing practices are optimized and new
good practices are incorporated (lower left corner). Benchmarking address more
specifically the new practices, since new successful techniques, methods, processes
are copied by the competition. However, benchmarking can also generate
improvements in the existing practices since modifications that become successful
35

can be copied. On the other hand, continuous improvement tackles the existing
practices. It is paramount that for those companies that have achieved the so
desired efficiency, they should never stop challenging and enhancing themselves

This set of existing and new practices closes the ERM cycle. With this loop
repeating continuously, it will enable the market good practices to benefit the
enterprise risk management. Moving into a convergence between theoretical
practices and those adopted by the companies, a zoom is given in the practices
chart of above figure. As explained in the framework, the enterprise risk
management is divided in integration (internal environment and risk assessment)
and implementation. Therefore, based on the new (mentioned by the executives in
the questionnaire) and existing practices (those found in the literature), the authors
classified them into these three parts of risk management (see figure 4).

Among the existing practices, those that belong to the internal environment are:
risk permeates the organization, creation of a risk committee, board independence
and presence of CRO. The practice culture and risk awareness belongs to risk
assessment. The remaining practices increase in risk investments and need of a
formal ERM framework are part of risk management implementation. Among the
new practices, the following ones improve the internal environment: ISO 9001
certification, external auditing, internal control council meeting, internal auditing,
data security standards, ombudsman reporting to the board, independence between
board and fiscal council, adherence to the code of good practices, corporate
governance standards and complaints channel. The practices risk assessment every
two years and process risk management belong to risk assessment. Finally,
effective participation in the regulation bodies committees practice improves risk
management implementation.

36

Questionnaire
I am a student of JKUAT university main campus. I am carrying out a research on advancing
ERM in Kenya therefore am kindly requesting you to voluntarily provide the scheduled
information. It is guaranteed that confidentiality will be maintained and that the information will
not be used against you in any way either directly or indirectly.
1. How many times your company face dissolution? (Choose one)
i.
ii.
iii.

Once
Twice
Others

2. How does your company control risk

3. Does your company have risk management officers (choose one
i.
ii.

Yes
No

4. How many times does your company assess risk with (i.e. 3 times?)
i.
ii.
iii.

One year.
One month
One week.

5. Which approach does your company use in managing their risks (chosen one?)
i.
ii.

Traditional approach
Enterprise risk management approach

6. Does your company know about ERM? (yes/no).if no state the ways the company use to write
off its risks.

37

7. What do you understand about ERM?

8. Do you think the company is handling their risk effectively? (yes/no).......................if no, state
your reasons
9. Do have an understanding on ERM conceptual framework? (yes/no)..
10. How many times has your company been declared bankrupt due to poor risk management?
(Choose one)
i.
ii.
iii.

Once
Twice
Others..(specify)

38