Enterprise Risk Management – Approaches Determining Its Application and Relation to Business Performance

Purpose: As management systems, enterprise risk management and enterprise performance management pursue similar objectives and influence each other positively. The paper aims to provide an insight into the relationship between Enterprise Risk Management and Business Performance Management.
Methodology/Approach: The paper compares the results of an American study with the results of a Slovakian study. First, the American results are cited and interpreted. Then the Slovak results are presented and discussed, and the two sets of results are compared. In the last part an overall conclusion is drawn, the relationships between the results are shown and practical implications are explained.
Findings: The results show similarities, but also differences, in Enterprise Risk Management and in the relationships between Enterprise Risk Management and Business Performance Management. The paper shows that there are differences in both the management approach and the impact on business performance between American and Slovak companies.
Research Limitation/Implication: A limitation in both studies is the limited number of participating companies. This is accompanied by a higher probability of error.
Originality/Value of paper: The paper provides new information addressing the gap concerning enterprise risk management and business performance management and their relations.
Category: Research paper


INTRODUCTION
Enterprise Risk Management (ERM) is the sum of business activities focused on identifying, influencing and actively applying risks to achieve business objectives. The risks can deviate both positively and negatively from the planned state. Risk management is performance-related, aims at the growth of the company and serves to prepare a better basis for decision-making.
There is a wealth of literature on ERM, much of which is available in foreign languages. The Slovak literature and practice are shaped by the fact that the application is not legally established and is not mandatory. Therefore, in Slovakia the topic is treated more often in theory than in practice. In fact, risk management is constantly applied in practice. Its application is more intuitive and less based on methods. The level of risk management also depends strongly on the industry in which the company operates and the size of the company. For this reason, it is possible to identify significant differences in the application of ERM in Slovakia in the banking and insurance sector and in other sectors as well as in large or small and medium-sized enterprises. Although studies have shown a link between risk and performance management, it is still a little-noticed topic (e.g. Rabechini and de Carvalho, 2013; De Bakker, Boonstra and Wortmann, 2012).
In 2015, we conducted a questionnaire survey among Austrian and Slovak small and medium-sized enterprises with the aim of surveying the current status of ERM among SMEs in both countries (Klučka, Grünbichler and Havko, 2017; Klučka, 2018). In parallel, other surveys on the status quo of ERM in other countries were also conducted. For the purpose of this article we compare the results of the statistical survey in Slovakia with the statistical results published in the Disaster Recovery Journal (Balaouras, 2019). This source has been used because its data are current. The differences and similarities between companies from Slovakia and the USA are highlighted.
In the American study, companies from different sectors in North America were contacted. They were sent a questionnaire and 55 companies participated in the study. Of these, 44% had sales of less than USD 500 million. 40% of the respondents had between one and less than a thousand employees. In Slovakia, a standardized questionnaire was also created and sent to Slovakian companies. The questionnaire contained a wide range of ERM-relevant topics, such as the implementation and application of risk management within the company. The total number of companies surveyed was 162; however, not all companies answered every question, so the number of answers per question varied. About 95% of the companies surveyed fall into the category of small and medium-sized enterprises.

METHODOLOGY
In this paper a qualitative approach is chosen. The procedure is designed in such a way that first the results of the American survey are processed and interpreted and then the Slovakian results are presented and commented on. In the next part, measures are derived from the commented results for practical application and presented. Subsequently, the relationships between the management systems are shown. Those factors are identified which are covered by the management activities with regard to both risk management and performance management.

Use of Risk Management in Companies and Organizational Anchoring
The first question asked of American companies was to determine how Enterprise Risk Management is structured in the company. For this purpose, the companies were given several statements to choose from. The most frequent answer was that a formally established ERM program with the function of a chief risk officer was in place (36%). The second most common response was that there is a single director or head of risk who is responsible for selected risk areas, but does not cover the entire spectrum of an ERM program (25%).
The Slovakian questionnaire asked a question about the use of risk management by asking about rules and regulations of risk management in the company. Several answers were given for selection (multiple answers possible). 42% of the respondents stated that they have no written documentation of risk management in the company. Of the remaining answers, 33%, 31% and 28% stated that they have risk management documentation in the company as part of the internal control, organisational system or quality management documentation of the company. In another question, it was asked who in the company is responsible for risk management. In contrast to the American results, the responsibility for risk management in Slovakian companies is considered to be a task of the management (65%).
This implies that the issue of ERM is formally unregulated in Slovak companies, which is also reflected by the fact that there is no risk management position in the organizational structure outside the bank institutions and insurance companies, as well as in the vast majority of small and medium-sized enterprises.

Reporting of Risks and the Need for Risk Management Systems Adapted for SMEs
Another question asked to which manager or department the most senior risk officer reports. Among the possible answers, the Chief Risk Officer (CRO) came first with 29%. This is followed by the Chief Information Security Officer (11%), others (11%) and Chief Finance Officer (CFO) (9%).
The Slovak version of the survey included one question regarding responsibility for risk management in the company. The respondents' answers revealed a strong preference for the management or owner (65%) as the party responsible for risk management, followed by the head of the department (25%). 8% of the responses named the risk manager.
The answer to this question shows a clear difference in risk management. In Slovak small and medium-sized enterprises, management, which includes risk management, is the task of the owner or head of unit, not a specialist with assigned competence. Especially small and medium-sized enterprises are affected by risks to a high degree and usually do not have the financial and human resources to assess and manage risks. In practice, this means that risk management systems have to be adapted to the needs of small and medium-sized enterprises so that they too can carry out risk management systematically.
However, the lack of a risk management system is not only an issue in Slovakian SMEs. Due to the lack of human and capital resources in most cases, it is a general issue. In general, small and medium-sized enterprises do not use a formalised risk management system, but individual key figures (Taticchi, Tonelli and Cagnazzo, 2010). Here, the need for research to develop appropriate systems for SMEs is evident.
When asked in the American questionnaire to which level the highest ranking employee reports, the most frequent answer was to the C-level or equivalent head of functional area (e.g. COC) (68%). For Slovakian conditions, it is clear from the above that the absence of a written report predominates and at the same time it is assumed that the boss (CEO) or head of department is responsible for risk management. It follows that this question is irrelevant for Slovakian circumstances. In Slovakia, it was also asked whether companies employ staff who are trained or educated in the field of risk management. Up to 75% of respondents stated that they do not have such employees. Here, too, the potential for optimisation in connection with risk management is evident in practice.

ERM Responsibilities and Perceived Risks
Another question included in the questionnaire was to what extent the ERM system or ERM efforts are responsible for selected risk areas. The participating companies rated the risk areas on an ordinal scale. Table 1 shows the distribution of answers across the options "fully responsible" and "mostly responsible" (Balaouras, 2019, p. 47).
The Slovakian questionnaire asked which risks are relevant for the companies (multiple answers possible). In Slovakia, the most frequently indicated risks were the departure of key employees (28%) and risks emanating from the state or political decisions (21%). Other risks mentioned are risks arising from the development of raw material prices or risks arising from liability for damages caused. Given the different formulation of the question, it is not possible to establish a clear comparison. However, with some generalization, it can be stated that, like US companies, Slovak companies have identified operational risk and events that affect operations.

ERM and Business Continuity (BC)
In an American enterprise where the occurrence of risk is associated with high financial or non-financial implications, in addition to the ERM agenda covered by the institutional department and its own procedures, there is also a business continuity management (BCM) agenda. The question concerns the cooperation of ERM and BCM departments/people. In response, 31% of respondents said that the BCM team is working closely with the ERM team. A close second (29%) was the response stating that BCM team reports are directed to the ERM team (department).
In the survey, which was addressed to Slovak companies, the question was formulated whether there is also a business continuity plan (based on the emergency plan). Up to 67% of respondents answered that they had no problems with business continuity. It is important that a Slovak SME is legally obliged to process e.g. an evacuation plan, but the term BCM is not used terminologically. It is not part of Slovak legal norms to process business continuity plans. The professional public in small and medium-sized enterprises is usually not familiar with the contents and tasks related to the BCM agenda.

Risks in General and due to Critical Events
The next question, whose answer may illustrate the importance of the ERM agenda, focused on the frequency of critical risks over the past 3 years. Critical risks were understood to include, e.g., shootings, natural disasters, IT dysfunction with impact on traffic, and cyber-attacks. In response, 38% of respondents stated that no critical events had occurred in the past 3 years and 32% of respondents reported that these events were in the 1-5 range; 12% of respondents reported the occurrence of critical events in the interval 11 to 20.
The last question concerned the experience with risks in American companies and their occurrence in the last 3 years. The top 10 were (Balaouras, 2019, p. 48):
• IT failure of a business-critical system or application
• Extreme weather or natural disaster
• Theft of intellectual property
• Cyberattack (data breach, ransomware, DDoS attack, etc.)
• Critical infrastructure failure (power, water, transportation, etc.)
• Customer privacy abuse, data breach, or fraud
• Supply chain disruption/failure
• Geopolitical events/social unrest
• Customer backlash/adverse media exposure/social activism
• Workplace misconduct
The latter two questions were not part of the questionnaire aimed at small and medium-sized enterprises in Slovakia. In Slovakia, the question was asked which risks were considered most significant at the time of the survey. The answers showed that the most important risks are competition (67%) and problems with customers (42%).

CONCLUSION
The relation between risk and performance is theoretically known (e.g. Aureli and Salvatori, 2012) and also applied in practice by managers of Slovak companies. However, it is rather an intuitive approach, which is the responsibility of the company's management and the relevant line manager. Nevertheless, it is not explicitly stated in the tasks and obligations of these employees. In fact, given the circumstances of the transforming post-socialist economy, Slovak managers had to incorporate risk into their management decisions. As the questionnaire suggests, risk management was rather intuitive, without the data support, appropriate methods, know-how, and trained employees that would provide background information for management decisions. Most importantly, risk management is not explicitly established as a legal or business culture obligation. Thus, risk management (as well as BCM issues) in Slovakia is limited to companies that have to address these because their parent company abroad requires it.