Graduate School

The Influence of ERM on Strategizing
A case study

Master Thesis Project 2019

Authors: Christina Tsipoulakou, Robert Hänninen
Supervisor: Berit Hartmann

Acknowledgments

We would like to thank our supervisor, Berit Hartmann, for all the support and guidance during this thesis project. We also would like to thank the employees at Kerberos for their cooperation during this thesis project. Lastly, we would like to thank our families for their support and guidance throughout our lives.

Abstract

Many have studied how ERM can provide assurance to the achievement of already set strategies (COSO, 2004; 2017; Frigo & Anderson, 2011; Nocco and Stulz, 2006), but few have studied how ERM influences strategizing (Viscelli, Hermanson & Beasley, 2017; Frigo & Anderson, 2011). While Viscelli et al. (2017) found that the extent of ERM influence on strategizing is low, there is still little knowledge about how different organizational areas connected to an ERM system may enable that influence. The purpose of this study is, therefore, to elaborate on how the organizational areas of Culture, Performance, and Review & Communication may enable ERM to influence strategizing. Within the areas, the study focuses on the importance of key actors, specifically accountants, and processes that create risk awareness and therefore enable ERM to influence strategizing. This case study investigates one firm in the consumer goods industry by conducting semi-structured interviews with 8 actors in Kerberos to understand how actors, ERM processes, and results may enable ERM to influence strategizing. To analyze our results, we used a modified version of the COSO (2017) framework. Our findings show that organizational areas such as Culture, Performance, and Review & Communication enable ERM to influence strategizing by creating risk awareness. Specifically, one important actor involved in this is the accountant.
This study contributes to Fraser and Simkins (2009), Nocco and Stulz (2006), Farrell and Gallagher (2015), and Rasid, Rahman and Ismail (2011) by exemplifying how processes and the overall ERM can assist the Culture, Performance, and Review & Communication areas to enable ERM to influence strategizing by creating risk awareness. This study also contributes to Viscelli et al. (2017) by exemplifying how accountants can allow ERM to have a stronger impact on strategizing.

Key words: ERM, Enterprise Risk Management, Strategy, Strategizing, Accountants, Management Accounting.

Table of Contents

1. Introduction
2. Theoretical Framework
2.1 Enterprise Risk Management
2.2 The Strategic Aspect of ERM
2.3 The Relevance of Management Accounting to ERM
2.4 Organizational Areas Relevant to ERM
2.5 The COSO (2017) Framework: Areas of Connection
2.5.1 The Modified COSO (2017) Framework
3. Methodology
3.1 Literature Search
3.2 Choice of Case Company
3.3 Data Collection and Analysis
3.4 Research Quality
4. Empirical Section
4.1 Description of Kerberos
4.2 ERM at Kerberos
4.3 Findings
4.3.1 Culture
4.3.1.1 Direct Influence of Risk Awareness on Strategy through Culture
4.3.1.2 Indirect Influence of Risk Awareness on Strategy through Culture
4.3.2 Performance
4.3.3 Review & Communication
5. Discussion and Analysis
6. Conclusion
6.1 Suggestion for Future Research
6.2 Practical Implications
List of References
Appendix - Interview Guides

1. Introduction

In recent years the role of risk management in organizations has shifted (Nocco & Stulz 2006). Traditional risk management entails the identification, measurement, and monitoring of risks separately and is characterized as having a silo approach towards risks (Fraser & Simkins, 2010; Lundqvist, 2015).
Nowadays the various risk management practices are more integrated because of the recent financial crisis, and the necessity to link risk management and strategy to cope with uncertain environments has become clear (Frigo & Anderson, 2011). Further, ERM is proven to deliver several advantages, such as the enhancement of stakeholder value (Miccolis & Shah, 2000) and firm value (Farrell and Gallagher, 2015). Thus, risk management has advanced in many firms into what is called Enterprise Risk Management (ERM) (Lundqvist, 2015). The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published in 2004 Enterprise Risk Management-Integrated Framework to help organizations design and implement ERM, and defined ERM as: “...a process, effected by an entity’s boards of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO, 2004, p. 2). From the definition above it is understood, first, that the ultimate goal of ERM is to discover opportunities by identifying, managing and monitoring risks systematically and provide confidence to employees in the achievement of organizational objectives and, second, that ERM is related to strategy by its definition (COSO, 2017). The integration of strategy and risk management elevates the decision-making processes in the reformulation of strategy (COSO, 2004). ERM provides an extensive understanding of opportunities and risks in the evaluation of alternative strategies (COSO, 2017) and assists strategic decision-making processes (Andrén & Lundqvist, 2017). Therefore, the integration of ERM and strategy is crucial since, for ERM to be valuable, it should also influence strategizing.
In addition, accounting over the years has become more relevant to strategizing processes as the role of accountants is changing by engaging in more business-oriented activities (Burns & Baldvinsdottir, 2005; Järvenpää, 2007; Ernst and Young, 2008). Thus, accounting is relevant to strategy. For example, Chapman (2005) provided an overview of how management control systems shape and are shaped by strategy, and Dechow and Mouritsen (2005) and Quattrone and Hopper (2005 & 2006) argue that the boundaries of accounting are becoming blurred due to lateral process orientation and the hybridization of accountants. In a like manner, Rasid, Rahman, and Ismail (2011) demonstrated that management accounting supports risk management through budgeting, budgetary control, and strategic planning. Their findings also suggested that in ERM firms, performance management was integrated with risk management, further strengthening the link between management accounting and risk management. Similarly, AICPA (2010) stressed the importance of accountants partaking in ERM processes to align risks with the strategic planning process.

Despite the numerous advantages of ERM, intertwining ERM with strategic planning and the business of the firm is a challenge that needs to be overcome for ERM to create value (COSO, 2017; Fraser & Simkins, 2010). The traditional handling of risks in “silos” creates barriers that decouple strategic planning and ERM, which can be disastrous for strategy execution and risk management. Oversight of risk management is complicated due to the increasing volume and complexity of business transactions and risks, quick changes to IT, globalization, outsourcing, and increased competition.
After the 2008 financial crisis boards and executives realized the need not only to abandon the silo approach of evaluating risks but also to connect risk management and strategy formulation and execution (Frigo & Anderson, 2009); however, evidence of that link is rare (Frigo & Anderson, 2011). One notable study, by Viscelli, Hermanson and Beasley (2017), investigated the extent to which ERM influences strategizing by interviewing 15 ERM champions. Viscelli et al. (2017) found that firms undertake ERM to cope with strategic risks. While Viscelli et al. (2017) highlighted that the extent of ERM influencing strategizing is low, there is still little knowledge about how different organizational areas may enable that influence.

The purpose of this study is to elaborate on how the organizational areas of Culture, Performance, and Review & Communication may enable ERM to influence strategizing. Within these areas, the study focuses on the importance of key actors, particularly accountants, and different processes that may create risk awareness and hence influence the relationship that ERM has with strategizing. This study contributes to previous literature by exemplifying how a case firm utilizes ERM processes and results, included in the three organizational areas, when strategizing. Furthermore, the study also contributes to understanding the role of accountants. Accountants can play a key role in enabling ERM to influence strategizing since that influence is rendered possible when all members embrace the ERM system on all organizational levels.

The paper is constructed as follows. In the following section, the theoretical framework is described, which entails previous literature that concerns ERM and management accounting. A framework of analysis is then presented along with areas that may enable ERM to influence strategizing. After that, the methodology of the study is described. Then, the empirical findings are shown, followed by the discussion.
Lastly, the conclusions of the study are highlighted, followed by practical implications and suggestions for further research.

2. Theoretical Framework

In this section, previous literature about ERM is presented. First, earlier studies about ERM are described along with its strategic aspect. Second, the different organizational areas that may affect the link between ERM and strategizing are presented along with their connection to management accounting. At the end of this section, the framework of analysis is presented.

2.1 Enterprise Risk Management

Risk management, in its early form, was focused on the abatement of risks such as damage to equipment or the death of employees (Gallagher, 1956). Primarily, risk management focused on reducing risks by using insurance or having well-trained staff, medical professionals, and safety engineering. The observance of risks was prescribed to be inclusive on all levels and company-wide. Miller (1992) considered that risks refer to "unpredictability in corporate outcome variables" (Miller, 1992, p. 312) and that uncertainty increased risks since it decreased the identification of corporate performance. Uncertainties can be placed in three categories: general environmental, industry, and firm-specific. Nevertheless, not all uncertainties should be reduced. A firm should establish an exposure profile that fits its risk-level preferences. With that in mind, Miller (1992) argued that the current way of treating uncertainties for international companies was inefficient and that risks should be managed collectively. Holton (1996) was one of the first who used the word "enterprise" in risk management literature and defined ERM as "Enterprise risk management is about optimizing the process with which risks are taken" (Holton, 1996, p. 1).
In contrast to Miller (1992), Holton (1996) identified that the primary cause of uncertainties results from the people who used the myriad of financial leverage options offered by financial instruments and that organizations were embracing ERM to handle other types of risks as well. ERM was viewed as a possible solution to a plethora of costly losses suffered by firms that could have been prevented in the 1990s. In the same manner, at the beginning of the 2000s increased attention to risk management was observed, following the increased derivative usage, the higher volatility in financial markets and the significant derivative losses (Bartram, 2000). One of the first ERM frameworks, to our awareness, was proposed by Meulbroek (2002). Meulbroek (2002) defined the term "Integrated risk management involves the identification and assessment of the collective risks that affect firm value and the implementation of a firm-wide strategy to manage those risks" (Meulbroek 2002, p. 56) and emphasized that managing financial risks through derivatives was only a small part of the integrated management. Meulbroek's (2002) definition of this holistic view of risk management utilized the term "integrated risk management" instead of "enterprise risk management", revealing the immaturity of the term ERM in the early 2000s. After that, Cassidy (2005) also presented an ERM definition which emphasized that its main aim was to decrease risks associated with capital and earnings. Nevertheless, Cassidy (2005), similarly to Meulbroek (2002), still underlined that ERM concerned a wide range of risks and not just financial, revealing the difficulty of transforming traditional risk management to ERM.

Other early ERM studies have focused on the determinants of ERM to distinguish ERM from traditional risk management practices. Liebenberg and Hoyt (2003) pointed out that ERM changes the focus of traditional risk management from defensive to more strategic and offensive.
The appointment of a Chief Risk Officer (CRO) with the responsibility of management and implementation of an ERM program has been used as a signal for ERM implementation (Liebenberg & Hoyt, 2003; Pagach & Warr, 2011). Liebenberg and Hoyt (2003) hypothesized that firms appointed CROs to reduce information asymmetry about the firm's current and future risk profile. The impact of a CRO was studied further by Aebi, Sabato, and Schmid (2012), who showed how financial institutions with a CRO who reported directly to the board of directors fared better in the financial crisis compared to financial institutions with a CRO that reported to the CEO. On the contrary, D'Arcy (2001) argued that, due to the complexity of ERM, not one person but a team should be in charge of the overall ERM procedures. Likewise, Fraser and Simkins (2010) pointed out that a committee can also be in charge of the ERM procedures. The role of the committee should be regular oversight of ERM procedures along with regular reporting to the board of directors. However, even though the role of ERM has increased over time, organizations have not fully appreciated its potential (Frigo & Anderson, 2011), particularly in relation to its strategic aspect.

2.2 The Strategic Aspect of ERM

Among the first authors who considered that risks should be embedded into strategy were Baird and Thomas (1985). The authors recognized that mishandling or avoidance of risks could hinder strategic success. A primary reason for causing these actions was identified to be the very nature of strategy, which is a long-term horizon. In the long run, strategic outcomes are uncertain, and thus, risk identification becomes challenging. Baird (1986) expanded the knowledge of strategic risk management by arguing that strategy affects and is affected by risk and defined strategic risk as “risk which exists in decision situations which have strategic implications” (Baird, 1986, p.21).
By taking a different approach, Miller and Bromiley (1990) investigated the properties of risk measurements which are used in strategic management processes using factor analysis. However, the strategic risk, Factor 1 in their study, was loosely related to reality as it entailed only quantitative variables: debt-to-equity-ratio, capital-intensity, R&D intensity. Equivalently, Slywotzky and Drzik (2005) proposed a framework for assessing and mitigating strategic risks. They also highlighted the increased need for companies to address strategic risks, which, according to them, result from external factors. Like Baird and Thomas (1985) and Miller and Bromiley (1990), the framework of Slywotzky and Drzik (2005) focused only on the quantification of strategic risks.

COSO, in 2004, released the Enterprise Risk Management – Integrated Framework, elevating the knowledge of ERM by proposing a general ERM definition and providing guidance to firms that seek to implement ERM. COSO’s (2004) definition of ERM highlighted the importance of ERM to be applied into the strategy formulation processes and emphasized that the previous has a direct effect on the ability of a firm to achieve its strategic objectives. With ERM, entities can recognize and strategize following the firm’s risk appetite (Aven, 2013; COSO, 2004). According to COSO (2009), risk appetite is “the amount of risk, broadly defined, that an organization is willing to accept in pursuit of stakeholder value” (COSO, 2009, p.7). The set risk appetite will determine whether the intended or already set objectives and strategy are aggressive or conservative. Moreover, risk appetite can be expressed in either quantitative or qualitative terms. In quantitative terms risk appetite can be expressed in earnings per share, capital or operating cash flows.
By considering the risk appetite, managers can alter a firm’s operations to adjust risk exposures by considering the level of risk that each of its shareholders is willing to take (Meulbroek, 2002). The focal point of ERM, provided by COSO (2004) framework, was the application of ERM in strategy setting at every level and unit across the enterprise where risks are considered as a portfolio of risks in the firm. Opposed to that, previously Dickinson (2001) had highlighted that risks could be managed through the formulation of strategy since they are included in it and argued that for that reason, ERM is a top-down process. COSO’s (2004) ERM definition also stands out from previous literature since it reiterates that it is an ongoing process that flows through the entire firm and is affected by people at all levels. The concept of ERM is not about mitigating risks only but aims to provide assurance about endogenous and exogenous risks and take advantage of opportunities. Gates (2006), considering COSO’s (2004) ERM definition, focused on another aspect of ERM, which is its implementation for managing strategic risks. By conducting a survey and interviews, Gates identified some determinants and perks of ERM implementation. One notable discovery was that firms that had an advanced level of ERM utilized scenario analysis, which in contrast to Baird and Thomas (1985), Miller and Bromiley (1990), and Slywotzky and Drzik (2005) focused on the qualitative aspect of strategic risks. Further results also indicated that even though firms recognized the advantages of ERM implementation, only a small number of companies have integrated ERM with strategy formulation. Following, Frigo and Anderson (2011) also argued that the effectiveness of ERM lies in the connection and consideration of ERM processes and outputs when strategizing. 
The authors also highlighted that for ERM to be beneficial, it should be linked not only to the strategy development, as COSO (2004) mentioned, but also to the execution processes. Nevertheless, and even after the disastrous events of the 2008 financial crisis, studies again have indicated that many companies have not yet achieved an advanced level of strategic risk management (Frigo & Anderson, 2011). Another critical aspect of strategic risk management is its connection to performance measurement (Frigo & Anderson, 2011). Effective strategic risk management is dependent on the integration of ERM activities to the entire management system. This integration will provide feedback to the organization regarding ERM results, which in turn can support decision-making. Nevertheless, for that to happen a strong culture, governance, and communication need to be in place to support the integration of ERM processes with strategizing (Andrén & Lundqvist, 2017). Viscelli et al. (2017) study the level of integration between ERM and strategy along with what may affect that integration by interviewing 15 ERM champions. Findings suggest that firms undertake ERM to cope with strategic risks. However, the level of integration of ERM and strategy is low. Reasons that may hinder this integration were identified to be culture, leadership, structure, and management of critical risks.

In 2017, COSO released an update on the 2004 ERM framework due to the complexity of risks, the emergence of new risks and the enhanced awareness and oversight that boards and executives have over ERM (COSO, 2017). The framework acts as an improved guide for the management and the board of directors of organizations to become more adaptive to changes in a world of increased volatility, complexity, and ambiguity.
Enterprise Risk Management - Integrated with Strategy and Performance placed importance on the connection of risks on the strategy-setting process, strategy execution, and on the performance improvement. Same as 2004, ERM is accredited for generating more optimized outcomes when risk is thought of in the formulation of an organization’s strategy and business objectives. Nonetheless, the 2017 framework specifies ERM can create a competitive advantage and that there are three aspects firms must consider in their strategy setting and execution process. Firstly, risks can impact already set strategies (COSO, 2017). Strategic initiatives can introduce risks that can be counterproductive when it comes to the goals of another strategy. Secondly, in strategy development, the risk of the strategy not aligning with the vision and mission of the firm must be considered. The strategy should be aligned with what the firm wants to achieve, which is set out in the vision, mission, and core values. Thirdly, the implications of strategic alternatives must be considered, where each strategic alternative has its risk profile that is evaluated through the inherent trade-offs in the strategy. The task of the board and management is to assess whether or not the strategy fits the risk appetite of the organization and whether it can allocate resources efficiently to reach organizational objectives. By evaluating the risk implications of different strategic alternatives, management is in a better position to assess if the combined risks are aligned with the strategic direction of the firm and stakeholders’ risk appetite. The consideration of risks in the strategic planning process also allows for the seizing of risk opportunities. Examples of this are the identification of situations of extreme risk aversion or inefficiencies in the handling of similar risks in multiple departments of the firm. For all that to occur, ERM should be embraced by all actors in an organization (COSO, 2004). 
This embracement also includes accountants, indicating a link between ERM and Management Accounting.

2.3 The Relevance of Management Accounting to ERM

Several authors have suggested that management accounting and risk management are complementary when it comes to aiding decision-making (Bhimani, 2009; Mikes, 2006; Rasid et al., 2011). Rasid et al. (2011) investigated the link between management accounting and risk management by surveying financial institutions in Malaysia. Empirical support is provided for the claim that management accounting supports risk management. Most of the respondents considered that the management accounting function had significant involvement in the organization’s risk management. Both financial and operational information, as part of a more extensive management accounting system, provided support for the managing of risks. Furthermore, after the survey, Rasid et al. (2011) conducted semi-structured interviews that linked the importance of budgetary control, budgeting, and strategic planning in the managing of risks. In firms using ERM, business line performance management was found to be integrated with risk management, which linked management accounting to risk management. Both risk management and management accounting were viewed as complementary parts of internal control systems and essential management tools that formed parts of a corporate performance management system. Hence, the authors argued that risk management and management accounting functions were becoming more integrated with other core functions, blurring functional boundaries. In the same manner, AICPA (2010) explained that certified public accountants need to partake in ensuring that ERM practices and processes are aligned with the strategic planning process by exemplifying the strategic relevance of ERM and helping senior management understand the need to integrate risks with strategic planning.
Moreover, Ernst and Young (2008) also highlighted the changing roles of the accounting professions and categorized the role of the accountants based on four distinct roles, which are commentator, business partner, scorekeeper, and custodian. The commentator is involved with producing management accounting reports and explaining them, while the business partner is even more business-oriented by assisting decision-making processes. Business partners are expected to support decision-making processes by providing insights and communicating results from various activities such as financial analysis. The scorekeeper is involved with basic accounting routines such as bookkeeping. Lastly, the custodian has a focus on governance and compliance activities. By taking a different approach, Järvenpää (2007) studied management accounting culture change and the business orientation of management accountants by performing a longitudinal case study. Both formal and informal interventions were considered, such as changes in accounting systems and values, and storytelling and role modelling by top management that contributes to the cultural practices. The business orientation of accounting was found to be affected by many different cultural interventions, both formal and informal. Similarly, Burns and Baldvinsdottir (2005) examined the changing role of the accountants. By conducting a case study in a UK company in the pharmaceuticals industry, they concluded that accountants were involved in more business-oriented activities when the research was conducted compared to a decade earlier. While culture influences the role of accountants, it is also an important area relevant to ERM according to ERM literature (Holton, 1996; Nocco & Stulz, 2006).

2.4 Organizational Areas Relevant to ERM

Holton (1996) claimed that effective ERM is dependent on culture, which is the extent that employees embrace risk management thinking.
With a positive culture, risk management processes can be aligned with the preferred risk appetite of the organization. Similarly, Nocco and Stulz (2006) argued that a culture which supports ERM entails risk-return tradeoff consideration in decision-making activities and should extend beyond the top management level to avoid mishandling of risks. The authors pointed out that ERM creates value at both macro and micro level. At a micro level, ERM is useful when risk ownership and the risk-return tradeoff are decentralized, while at a macro level it is useful when decisions of risk bearing are based on comparative advantage. Likewise, Andrén and Lundqvist (2017) also suggested that ownership of risks should be assigned to business managers to involve the whole organization in risk management. In their study, the authors suggested three ERM dimensions, which are strategy, integration, and governance. According to them, the decentralization of ERM, which is part of the integration dimension, along with the strategic dimension of ERM, are achieved through the last dimension, namely governance. The governance dimension of ERM entails the different organizational actors and controls the whole risk management system. Previously, Lundqvist (2015) identified that the governance of ERM is simply risk governance. Risk governance is one crucial aspect that makes ERM different from risk management and is explained as a fusion of corporate governance and risk management. The structure of a risk management system is formed by risk governance that stipulates responsibilities, accountability, and authority in the system and rules and processes for decision-making. Risk governance is about encouraging risk awareness in the firm, supporting the risk management system with the structure of the organization, and having formal mechanisms in place to oversee the enterprise risk management system.
However, Power (2009) was critical of ERM practices and warned about the trap of falling into “rule-based compliance” where the employees carry a heavy workload of following regulatory requirements, which creates legitimacy but is a standardized approach rather than adapted to the business context.

On the upper level of the organization, the board of directors should promote a corporate culture that fits the needs of the organization and is incorporated into the corporate strategy and everyday activities (Fraser & Simkins, 2010). A top-down view of risks is needed, which requires “buy-in” from senior executives and the board to spread risk awareness down in the organization. The “tone at the top” is critical for molding the culture of the organization by providing funding and behavioural support. This can be supported by risk policies which describe the desired tolerance levels of risk-taking along with people responsible for decision-making (COSO, 2009; Fraser & Simkins, 2010). Encouraging, discouraging, and exhibiting certain behaviours are ways with which top management can strive towards desired behaviours among all levels of employees and hence create a culture that supports ERM (Fraser & Simkins, 2010). Also, risk policies should be communicated to employees handling risks to develop a strong culture where risk and reward are considered in a disciplined and informed way. An ERM which is supported by a strong culture enables better decision-making (AICPA, 2010). In the same manner, the importance of top-down engagement and ERM culture was exemplified by Farrell and Gallagher (2015), who studied the level of ERM maturity and firm value by using Tobin’s Q. The journey to promote a risk culture was explained as the employees taking a risk-aware approach to their tasks and business activities.
The level of top-down engagement and the consequent ERM culture in the firm was found to be the most essential aspect affecting firm value which emphasized the importance of “tone from the top” for having a risk-aware culture. Despite the importance of culture, documentation of risk information was also found as crucial for increasing risk awareness and spreading information throughout the organization (Farrell & Gallagher, 2015; Fraser & Simkins, 2010). The study by Farrell and Gallagher (2015) was one of the first attempts that shed light into the connection of firm value and strategic risk management along with the fact that organizations started to engage in integrating activities between risk management and strategic processes. Also, the integration of the ERM process in the strategic operations and everyday practices assisted, according to the authors, in the identification of risk dependencies and correlations across the enterprise. Thus, by linking ERM with strategy, organizations had a more holistic view of risks and therefore better processes which lead to enhanced value. While culture and governance are important areas for ERM, Hax and Majluf (1996) pointed out that continuous communication among various actors in a firm reveals important information through negotiations about factors affecting the firm and result in effective strategy formulation and overall coordination of the firm. Risk information that is shared within the organization supports the ERM system (Lundqvist, 2015). Formal tools for information sharing include, for example, a “risk map” and a “heat map” (Fraser & Simkins, 2010). Such tools create a collective understanding regarding risks and thus increase risk awareness, which assists decision-making processes. By identifying risks and quantifying them, when possible, managers can link the impact of risk in strategic objectives. 
By making that link, KPIs can also serve as a tool for monitoring the risk-taking level of the company and informing the appropriate actors of performance deviations from strategic targets. Some of the different organizational areas that may affect the link between ERM and strategizing were presented by the COSO (2017) framework as a set of processes for ERM implementation.

2.5 The COSO (2017) Framework: Areas of Connection

The COSO (2017) framework aimed to enhance strategic decision-making and overall ERM value by providing an overview of how firms can elevate ERM processes. To improve ERM, the COSO (2017) framework defined five areas of the organization that are relevant concerning the implementation and utilization of the ERM system.

The first area, Governance & Culture, sets the ERM oversight responsibilities while at the same time promoting organizational values and risk awareness. Initiatives begin with the board of directors, who oversee the overall ERM processes and provide guidance. Operating structures are set to enable the achievement of the strategic objectives. At the same time, culture is promoted to ensure that employees behave in line with the organization’s values.

The second area, Strategy & Objective-Setting, is where strategy is set with the help of ERM. For an organization to be successful, it is crucial to understand the risks that surround it. The choice of the strategy is assisted by the identification of risks that the alternatives entail, and by the defined risk appetite. After the strategy has been set, the formulation of objectives to be met occurs, again with the help of the risk identification process for alternative objectives.

The third area, Performance, is where the heart of ERM lies. An organization identifies and assesses risks that hinder the achievement of the strategy. Risk responses are selected based on the prioritization of risks.
All these processes should enable a portfolio view of risks where top management understands the interrelation among risks.

The fourth area, Review & Revision, assesses ERM processes. By reviewing entity performance and changes that occur in its environment, the organization can identify improvements in the ERM processes.

The fifth and last area, Information, Communication & Reporting, sets the channels through which ERM outputs are communicated throughout the organization. Improvements in communication channels are essential not only for reporting risk results but also for communicating performance and culture information that enhances overall ERM.

To unravel how ERM may influence strategizing, we chose to develop a modified version of the COSO (2017) framework to avoid studying strategizing through the area of Strategy & Objective-Setting.

2.5.1 The Modified COSO (2017) Framework

In this study, a modified version of the COSO (2017) framework (Figure 1) is used to define areas of the organization that may have an influence on the relationship between ERM and strategy and to structure the Findings section. The modified COSO (2017) framework is based on the framework presented above and entails three areas: Culture, Performance, and Review & Communication. Specifically, in the revised version, the area of Strategy & Objective-Setting was merged with the other three areas to reveal how these create risk awareness and thus may enable ERM to influence strategizing. Also, the governance aspect of the framework is not analyzed explicitly but instead briefly mentioned in the Culture area since it has been studied extensively (e.g., Andrén & Lundqvist, 2017; Bhimani, 2009; Lundqvist, 2015). The reporting processes were looked at from a management accounting perspective to reveal the internal information flows in Kerberos.
Lastly, the areas of Review & Revision and Information, Communication & Reporting from the original COSO (2017) framework were consolidated into one area (Review & Communication) since the areas complement each other. The different areas of the modified version are interlinked, and together they may enable ERM to influence strategizing. Therefore, in this study, the link between ERM and strategy will be viewed from the perspective of how organizational areas may enable ERM to influence strategizing, since how strategy influences ERM has been established by many (COSO, 2004 & 2017; Frigo & Anderson, 2011; Nocco & Stulz, 2006).

Figure 1: Modified Version of COSO (2017) Framework. Own processing.

3. Methodology

In this section, the methodology of this study is described in depth. First, the literature search is presented. Then, the choice of the case company and respondents is described. After that, the way the data collection and analysis were conducted is described. Lastly, this section is rounded off with a discussion regarding the trustworthiness of our study.

3.1 Literature Search

The literature review was done by searching for scientific articles and other literature within the fields of ERM, Strategy and Management Accounting. This was done to create an understanding of previous research connected to the purpose of this study. Scientific articles were found by using the Super Search function accessible through Gothenburg University library and Google Scholar. Key words used include “Risk Management”, “Enterprise Risk Management”, “ERM”, “Strategy”, “Accounting”, “Management Accounting” and different combinations of these. The quality of the literature chosen was ensured by focusing on peer-reviewed articles, and only using other literature from legitimate authors with a history in research.

3.2 Choice of Case Company

This case study investigates ERM and strategizing by exemplifying how and if organizational areas enable ERM to influence strategizing.
Specifically, this case study aims to gain in-depth contextual knowledge about the organizational areas that may influence the relationship between ERM and strategizing, from the view of different actors, specifically accountants. A case study method focusing on interview material is therefore used, since it allows us to reveal how and why a set of tasks is undertaken (Yin, 2009). Particularly, a case study is used to try to understand and reveal information about real-life phenomena with direct observation and interviews. The case company, henceforth renamed Kerberos, is Swedish, publicly traded, and active in the consumer goods industry. The company was chosen after reviewing annual reports of Swedish firms with the keyword “Enterprise Risk Management” and analysing if and how ERM is connected to strategy. Initial contact was made by e-mail during the beginning of February with representatives of Kerberos, followed by a phone call that got us in contact with the Group Treasurer of Kerberos. After a short discussion about the ERM process, and after creating an understanding of how the strategic planning process is integrated with ERM, a decision was made to continue working with Kerberos as a case company. This integration is necessary to be able to understand how different organizational areas may enable ERM to influence strategizing through actors.

3.3 Data Collection and Analysis

We collected data by interviewing eight participants during six interviews. Respondents were contacted by both email and phone to book interviews. Five of the interviews took place in the headquarters of Kerberos in Stockholm, and one in a factory located in Gothenburg. The interviews were conducted in English, in a quiet place free of disturbances, with both authors present. The six interviews lasted on average 90 minutes, with two interviews being conducted with two employees simultaneously and the other respondents being interviewed individually.
We took breaks of at least one hour between interviews conducted the same day to deliver the best possible results. All interviews were conducted from the end of February until the middle of March. Saturation of information was used to control the number of interviews, meaning that when repetition of information was detected, we did not proceed with conducting further interviews. Also, employees who met the eligibility criterion of having worked more than one year full time in Kerberos were chosen for participating in this study. Before conducting the interviews, we created several interview guides based on the COSO (2004 & 2017) frameworks, and each interviewee was notified that they would be recorded. The interview guides were tailored to each interview, relating to the purpose of the study and the different roles of the respondents. All interviews were semi-structured, which allows the interviewer to keep an open mind, resulting in the emergence of theories and concepts (Bryman & Bell, 2011). Therefore, to relate to ERM and strategy an interview guide was followed; however, questions were skipped or asked in a different order depending on the reactions of the respondents. Follow-up questions were formed sporadically during the interviews, to gain a deeper understanding of how ERM may influence strategizing, and of the respondents’ role in the overall ERM system. During the interviews we showed interest in the answers of the respondents to encourage them to provide more information, and ensured anonymity. After the interviews were completed, we transcribed them. Information regarding the interviews is presented in Table 1, and the question guides are presented in the Appendix.
| Respondent | Interview Date | Duration (minutes) | Division*** |
|---|---|---|---|
| CFO | 2019-03-12 | 60 | Central function (TMT) |
| Senior Vice President of R&D | 2019-02-27 | 120 | A (TMT) |
| Business Developer | 2019-03-11 | 90 | B |
| Vice President Business Control | 2019-03-12 | 75 | A |
| Group Treasurer | 2019-03-05* | 120 | Central Function |
| Senior Expert Market Intelligence | 2019-03-12** | 75 | A |
| Vice President Group Finance | 2019-03-12** | 75 | Central Function |
| Business Controller | 2019-03-05* | 120 | Central Function |

Table 1: Summary of respondents
* Interviewed simultaneously
** Interviewed simultaneously
*** See 4.1 for further details.

To interpret the transcribed interviews, first we read the transcriptions from top to bottom. Thereafter, we divided the data into different themes to start making sense of the large amount of data collected. After we identified the overarching themes, these were found to be fairly similar to the different areas of the COSO (2017) framework. Therefore, we chose the COSO (2017) ERM framework as a method of analysis by using the five different areas of ERM to structure the findings: Culture & Governance, Strategy & Objective Setting, Performance, Review and Revision, and Information, Communication and Reporting. After we distributed the data across the five areas, an overlap was discovered, and since this study investigates the link between ERM and strategy we decided to look at strategy through the other areas, leading to the final three categories presented in the Findings: Culture, Performance, and Review & Communication. This led to a redefinition of the model, and then the data was analysed with the new and adjusted model to gain an even deeper understanding of the influence that ERM may have on strategizing.

3.4 Research Quality

Quality in qualitative research is ensured by establishing trustworthiness (Lincoln & Guba, 1985). In this study, trustworthiness is established by meeting four criteria: credibility, transferability, dependability and confirmability.
Credibility is met by ensuring the truthfulness of the findings (Lincoln & Guba, 1985). In this study, credibility was ensured by devoting enough interview time to the participants and pledging anonymity to develop trust and to learn about the culture in Kerberos. At the same time, during the interviews, we kept notes of thoughts and feelings about the interviewees’ responses and applied them to the findings of this study to provide objectivity. Also, during the interviews we repeated the interviewees’ answers and requested clarification on several occasions to confirm the findings and certify their truthfulness. Lastly, we triangulated findings from different interviews, by comparing them with each other and with Kerberos’ annual reports, to raise the probability that findings are credible.

Transferability is ensured when the findings of a study can be transferred to other contexts (Lincoln & Guba, 1985). We ensured transferability by exposing the findings to constructive criticism from several colleagues. Throughout this study, we participated in four mandatory seminars in which different colleagues each time provided constructive feedback in the presence of our assigned supervisor and seminar leader. Also, transferability in this study is established by providing several examples of actions by the employees of Kerberos to create a thick description that portrays how and why actions take place the way they do (Parker & Northcott, 2016). Furthermore, the processes and mechanisms involved in different settings and the experiences of the employees in Kerberos are conveyed. Concepts and processes are described from different points of view and could therefore be transferable to other settings, as described by Simons (2000) in “concept generalisation” and “process generalisation”.

Dependability is ensured when a researcher secures that the findings could be repeated (Lincoln & Guba, 1985).
We ensured dependability by making regular contact with the assigned supervisor to examine the findings and interpretations and to provide recommendations.

Confirmability is ensured when a researcher acts in good faith by not allowing personal values to affect the conduct and findings of the research (Lincoln & Guba, 1985). We ensure confirmability by recording the data and reviewing them continuously during the analysis to ensure that no personal values affect them and their interpretations in the analysis. Lastly, we establish confirmability by ensuring that all other three criteria of trustworthiness have been met.

4. Empirical Section

In this section, the description of the company and its basic ERM system is presented. Further, the different areas of the organization that might enable ERM to influence strategizing are exemplified.

4.1 Description of Kerberos

Kerberos is a Swedish publicly traded company that operates in the consumer goods industry. The organization is composed of three divisions, A, B, and C, where A is the largest and B the smallest, and one central function which entails several groups such as the finance control group. A fixed group of division leaders along with the central function leaders, referred to as the Top Management Team, is responsible for communicating information throughout the organization and suggesting long-term strategies to the board of directors. Top central management in Kerberos is composed of various leaders in the different divisions of the central function.

4.2 ERM at Kerberos

The ERM process in Kerberos is an annual process and has been in place for over two decades. ERM was implemented originally to cope with regulations for going public. Changes in ERM procedures took place in recent years due to the appointment of a new CFO.
In addition, accountants at Kerberos are closely linked with the overall ERM process since they are involved with strategizing, specifically the three-year plan (3YP), and with business performance management, which goes hand in hand with ERM processes. The 3YP is an annual process where each division and the central function construct a plan for the next three years, including budgeting and strategic planning. ERM procedures at Kerberos are guided by an overarching framework following a top-down process. The board of directors directs the overall ERM and has oversight over both the 3YP and the ERM heat maps that are presented to them in a consolidated form. The CEO issues the group principles on risk management and the CFO is the owner of the overall ERM processes. ERM processes are guided by the Group Treasurer of the Central Function and the Business Controller of the Central Function, who are in charge of the ERM process execution. The Business Controller of the Central Function reports to the Vice President Group Finance of the Central Function, who in turn reports to the CFO. Depending on the results of the ERM processes, decisions can be made to take action against certain enterprise-wide and division-specific risks.

4.3 Findings

The common aspect that connects the modified COSO (2017) framework areas relevant to ERM and strategy is risk awareness. Thus, the first section of the findings focuses on risk awareness through the surrounding Culture. The second focuses on risk awareness through Performance in terms of processes. Finally, the third section of the findings focuses on risk awareness through Review & Communication in terms of processes and actors.

4.3.1 Culture

As the findings suggest, the area of Culture enables ERM to influence strategizing by controlling the overall working environment of the employees at Kerberos. Culture can have a direct and indirect influence on risk awareness and thus enable ERM to influence strategizing.
In Kerberos, each of the three divisions has a distinct culture due to the spread of physical location and business area. However, the overall culture in Kerberos is characterized as informal and results-oriented, promoting the expression of opinions.

“I would characterize it as results focused and I would say the culture is a little bit different depending upon your physical location, but we have an overarching view. We are performance and results focused but, in an employee-friendly way so it is informal but it is not to where people just are casual not getting things done. What I am trying to convey is that we really are focused on what it is we need to achieve and then work hard to get that done, but you do not have to wear a three-piece suit to achieve that.” (CFO)

As stated by the CFO, a focus on delivering results was part of the company's culture, without however promoting an organizational environment where formality is important. The view of the culture as results-oriented but at the same time informal was also shared by a lower-level employee at Division B of Kerberos. Yet another aspect of the culture was conveyed as a hindrance when it comes to strategizing.

“What is common for the whole group is that it is kind of unpretentious. It is not serious in a good way, you know people are hardworking and doing their best [...]. We have this consensus culture where everybody needs to say their opinion and then we are going to find a way how to make a decision in the end without [hurting] anybody's feelings” (Business Developer, Division B)

Expressing opinions is part of Kerberos’ culture, as expressed by the Business Developer of Division B. Nevertheless, the number of opinions could complicate strategizing processes since only some of them are chosen when strategizing.
4.3.1.1 Direct Influence of Risk Awareness on Strategy through Culture

The promotion of risk awareness in Kerberos is supported by an initiative from the CFO, who acted as a leading figure for creating a risk aware culture by modifying and synchronizing different ERM and strategizing procedures. With these changes and modifications Kerberos created a closer link between its ERM processes and the construction of its 3YP. Changes and modifications include the synchronization of different ERM procedures, such as the calculation of the risk appetite and the conduct of workshops, with the creation of the 3YP. Most of the strategizing takes place in Kerberos once a year, when the firm’s divisions and the central function construct a 3YP. The instructions for the ERM and the 3YP are issued at the same time. Within the 3YP, quantitative objectives are set, such as the buyback of a specific number of shares, product price levels and the amount of targeted growth in products, and a budget is decided. After that, each objective is translated into financial terms such as cash flows. To set the risk appetite, Kerberos estimates the probabilities of over- and underperforming in terms of objectives in the 3YP and translates them into financial terms. This reveals the financial flexibility of the company, which is used for understanding how aggressive the company is regarding its objectives.

“I think in terms of affecting the 3YP, [the ERM] is more for checking the balance to make sure that given the kind of [financial flexibility] we have, are we too bullish or bearish in our 3YP?” (Vice President of Business Control, Division A)

The identified financial flexibility provides top management within the divisions, such as the Vice President of Business Control of Division A, and within the central function with an overview of the level of risk-taking of the company resulting from the objectives set.
Also, having calculated the financial flexibility, Kerberos uses it as a measure of its risk appetite to evaluate different strategic decisions such as the acquisition of a company.

“For example, when we acquire a company next year, can we really do that? Because of course if you just look at the plan number everything looks fantastic, but you need to bear in mind that if we do spend 1 billion to acquire some company, are we in a situation where we need to cut our dividend if the business performance did not go as planned?” (Business Controller, Central Function)

As the Business Controller of the Central Function explains, the use of financial flexibility as a measure of risk appetite serves as a means of considering the different implications that each strategy has on the financial flexibility. The business controllers play an important role in evaluating strategic decisions based on financial flexibility and therefore connect the ERM results, from a financial perspective, to strategizing. Specifically, the Business Controller of the Central Function considers the needs of the stakeholders by considering the dividend to shareholders when evaluating a potential acquisition, indicating that the risk appetite is aligned with the shareholders’ needs. This procedure promotes a risk aware culture and enables ERM to influence strategizing. Further, the risk appetite at Kerberos is assisted by set tolerance levels in terms of materiality included in various policies. Employees are expected to know the company’s tolerance level mentioned in the various policies, if applicable.

“We have policies and procedures in a lot of different areas. We have a treasury policy and policy for recruitment and a policy for tax and within each of those policy documents.
We also state kind of what risk level we are willing to accept” (Vice President of Group Finance, Central Function)

Policies create an understanding of the risk tolerance, which can guide employees to stay within the stated limits in their daily decision-making processes, assisting the link between ERM and strategy. The initiative to increase risk awareness is also supported by the Code of Conduct. The group principles and policies are facilitated through the Code of Conduct, which also serves as a governance tool and promotes values and desired behaviors to all employees. The Code of Conduct was modified in recent years and it was promoted with mandatory online training. To assure that employees were aware of the Code of Conduct, a survey was conducted the previous year, with an 88% response rate and over 90% confirming that they knew the content of the Code of Conduct.

To increase risk awareness, Kerberos also has workshops in place. During the workshops employees, such as the Business Controller of Division A and the Vice President of Group Finance of the Central Function, place risks in heat maps. Risks include general risks, and risks that specifically affect the achievement of the 3YP. The workshops aim to increase the buy-in and understanding of risks by increasing risk awareness. The division managers, such as the Vice President of Business Control of Division A, have the responsibility for their respective divisions and are held accountable for making sure that the overall risks affecting the objectives are identified and have mitigation activities in place. The same accountability also applies to the central function group managers, such as the Vice President of Group Finance of the Central Function. One example where workshops advanced risk thinking in terms of Environmental, Social and Governance (ESG) risks was provided by the Vice President of Group Finance of the Central Function, with Kerberos taking a decision to seek external guidance.
“I think maybe back to that ESG, which we discuss in this heat map at fall is that we need to be even sharper in our strategy towards that risk. We decided to have more one to one meetings with investors and meet the banks [...] and getting some help from them in setting up these meetings, and also discuss with them how they view the development in this area, so I would say that this is one tangible thing that happened after the workshop.” (Vice President of Group Finance, Central Function)

The workshops help identify risks that may otherwise have been overlooked. While the results of the workshops are usually produced annually, the risk practices to mitigate the identified exposures are ongoing, increasing risk awareness. One example where workshops increased risk awareness was also provided by the Senior Vice President of R&D of Division A. Kerberos is highly dependent on its suppliers, and through ERM processes the identification of flaws in the supply chain was facilitated.

“Raw materials where we used to be single sourced and decided if that company goes out of business or if they have big fire at their plant where our materials are used, we [have a major problem]. So, we started to look for a second and third supplier, and after we done that we looked one step further and found that all those three suppliers, they were sourcing material from the same supplier” (Senior Vice President of R&D, Division A)

Processes to mitigate risks are not only ongoing after the completion of workshops but may also reveal subsequent risk information as a result of the increased risk awareness. Risks identified in workshops also help identify flaws and enable management to be conscious of risks that have a strategic impact on the organization.

“Less suppliers you have, better price you get, but you have high risk too. Because in [Kerberos’ industry] there are not so many suppliers that produce [raw materials].
But we have to see where is the match, where is the balance between more suppliers and less risk and then we start to discuss what can we do with this.” (Group Treasurer, Central Function)

As the Group Treasurer of the Central Function explains, identified non-value-adding risks with strategic implications are mitigated by evaluating risk and reward trade-offs, indicating that ERM results have an impact on strategizing. Other procedures that increase risk awareness are also in place. In the R&D department several projects, regardless of their size, undergo risk analysis, which promotes a risk aware culture. The process of risk analysis even for small product developments in Kerberos elevated risk consideration into everyday activities, even though such analyses were considered a hindrance to innovation by creating a risk averse culture.

“Failing is sort of the mother of learning and if you do not fail you have probably not tried hard enough. [...] risk management principles do not apply very well to R&D because in order to be effective and on your toes, you need to take risks, a calculated approach, you need to take enough risks to fail sometimes. If you do not fail sometimes you are not being offensive enough” (Senior Vice President of R&D, Division A)

Risk-taking is an important aspect of doing business in order to be innovative, as expressed by the Senior Vice President of R&D. For that reason, risk management is considered a potential hindrance to innovation because it creates a risk aversion under which fewer innovative processes take place. Nevertheless, a calculated approach was considered useful, but after the innovating processes take place.

“When you are developing something [...] fairly early you decide sort of a limit where you at least need to stop and reconsider.
If you have spent half of what you anticipated and had gotten nowhere, maybe need to take a rethink where this will end up.” (Senior Vice President of R&D, Division A)

Risk management processes add value to the R&D department by assisting the re-evaluation of strategic initiatives, revealing a connection between ERM and strategy. Likewise, other projects also undergo risk assessment. For Kerberos, the choice of a project is based on risk assessment to discover the best course of action.

“We have invested significantly behind this in 2018, manufacturing capacity for [product] in [location], that was one of our big investments in 2018. The risk assessment process is very critical to making those decisions.” (CFO)

The investment in manufacturing capacity was a large strategic initiative for Kerberos, for which the course of action was optimized with a risk management assessment process. The risk assessment processes influenced the steps for realizing the strategic initiative, revealing efforts to promote a risk aware culture and link ERM and strategy.

To operationalize risk thinking on lower levels, Kerberos has training programs for the different operating units to increase risk awareness. Operating units are given a scenario where a risk has occurred and they are expected to handle the subsequent crisis. The scenarios are tailored to each unit’s responsibilities. The training programs are facilitated by an external actor and are accompanied by manuals to ensure their effectiveness. These ERM procedures aim to enhance decision-making by ensuring that employees are aware of the risks surrounding their job. By being aware of the risks, decisions can be taken on a risk-adjusted basis.

“I am always kind of thinking about how we do things with a risk mind-set [...]. The role that finance brings to an organization is value, and value is a function of cash flows on a risk adjusted basis, “so what's the risk?”.
If we cannot articulate the risk and describe why we are willing to take on more risk or the effects that risk decisions have on the development of cash flows, then you are not getting the full valuation picture.” (CFO)

By taking decisions on a risk-adjusted basis, different alternatives can be evaluated more efficiently and aligned with the risk appetite of Kerberos. The alignment of the decision-making with the risk appetite supports the initiative of the CFO to increase risk awareness, which enables the connection of ERM results, such as the risk appetite, and strategizing processes.

4.3.1.2 Indirect Influence of Risk Awareness on Strategy through Culture

As the findings indicate, governance tools and risk management processes created a risk aware culture that was also evident in activities without any direct connection to a formal ERM procedure, but nonetheless part of an overarching framework that supports ERM. Long-term strategies in Kerberos focus on potential and existing consumers and products. Kerberos has mid-term reviews in place where long-term strategies are discussed. Participants include the CEO and CFO, divisional managers, such as the Vice President of Business Control of Division A, along with the Vice President of Group Finance of the Central Function and other managers of business units.

Furthermore, Kerberos operates in a highly competitive and regulated environment where consumer acceptance is crucial. Competition for Kerberos has increased due to the distribution of an innovative product, hereafter referred to as Product 1. Also, in the early 2010s Kerberos modified its vision, which resulted in divestments from several companies. Even though the new vision is in accordance with the types of products Kerberos sells, depending on the point of view, it can also be contradicting, which was identified as a minor risk.
Decisions to continue to sell the “contradicting” product, hereafter referred to as Product 3, were based on profitability but also on the opportunity it created for Product 1. Product 3 was sold overseas, creating a beneficial situation for Kerberos in that geographical market.

“Product 3 fills a very important role in the fact that we can leverage our other business on top of it, and if you talk to the rest of the organization, what is the future of [Kerberos] in the [overseas location], I think 100% of them would say [Product 1] although we have this huge track record on [Product 3]. There are opportunities in [Product 3] as well but the opportunity for [Product 1] is so much bigger, so in terms of that I think, today to get rid of [Product 3] at this point would be a pity” (Vice President of Business Control, Division A)

The identification of opportunities resulting from risks is facilitated by the overall risk management procedures, which create risk awareness. As the Vice President of Business Control of Division A explains, some risks are value-adding and should affect strategizing. Other risks that may hinder the usefulness of Product 1, such as time to market, were identified with ERM. Failure to launch the product ahead of Kerberos’ competitors further strengthens the decision to continue selling Product 3 overseas for the advantages it offers in that geographical market.

“When you work with risk management I think it is very important to focus on the right type of risks, for instance when you are doing something new like [Product 1], which has a consumer appeal and where the market takes off very quickly, the big risk is time, it is not an economical risk, it is time to market” (Senior Vice President of R&D, Division A)

As explained by the Senior Vice President of R&D of Division A, with ERM the focus of management can be placed on risks that have strategic implications, which enables managers to focus on the right type of risks.
Overall, opinions regarding the risks that Kerberos took by continuing to sell Product 3 were shared among employees, indicating the existence of a common risk-aware culture. Nevertheless, employees understood and embraced these to promote new business for Product 1, which in the long term would fulfil Kerberos’ vision.

On the other hand, another product, hereafter referred to as Product 2, is aligned with the vision of Kerberos and is the largest product category in terms of revenue. Specifically, for Product 2, Kerberos identified a decline in a specific consumer segment and decided that the risk of losing resources to investments accounted for more than the benefits resulting from the success of the projects.

“If you take [Product 2], you have to realize where your products are in the terms of lifecycle. [Product 2] is in a slowly declining segment, there are almost no new consumers coming in and the old consumers are dying or leaving and there is not much you can do about that. Then you need to have sort of a strategy that fits in the product’s lifecycle, it is not an area where you should invest heavily in product development for example” (Senior Vice President of R&D, Division A)

The Senior Vice President of R&D of Division A displays an awareness of the business context for Product 2 and its strategic implications: that large investments are not valuable on a risk-adjusted basis. Risk management processes elevate the understanding of the environment that Kerberos operates in and enable the identification of the most important information, which assists strategizing.

In the lower levels of the divisions, the existence of a risk-aware culture was also indicated. When it comes to the choice of a manufacturer, Division B of Kerberos evaluates different manufacturers on various factors such as quality, pricing and service level. Another aspect that comes into consideration is what percentage of the end product the manufacturer produces.
Manufacturers that produce the whole product are preferred since this decreases risks in the supply chain of Kerberos by creating transparency.

“We know that those are produced in [Country], the 50% of the product that they do not make themselves is sourced from [Country]. We normally have no idea of who that producer is, and is that produced by children? We do not know, and that is of course a risk. It is nice to know exactly where the [resource] is coming from, you can see the whole chain” (Business Developer, Division B)

As explained by the Business Developer of Division B, supplier risk influences strategizing processes. The choice of supplier is based on risks, like child labour, that have strategic implications such as decreased transparency of the supply chain.

Overall, the culture that is promoted aims to link risks and the decision-making process seamlessly, not only in the annual ERM processes or an overall framework but also in the everyday working process.

“I think it is more important that it is kind of part of your thinking rather than putting a specific label on the framework of whatever, because it is much broader than what we are actually doing in the ERM because we discuss these kinds of things all the time but no one thinks of “now we are talking risks” it is just a natural part of our discussions.” (Vice President of Group Finance, Central Function)

Risk thinking was deemed a natural part of the decision-making processes rather than a specified task, as explained by the Vice President of Group Finance of the Central Function. Others expressed a similar view by highlighting that their culture was risk-minded and that risk was not only looked upon once a year with an exercise but was rather part of daily operations. The culture in Kerberos is assisted by various processes which directly and indirectly increase risk awareness.
Moreover, the culture in Kerberos is assisted by governance in different forms such as the Code of Conduct and group policies, which delegate responsibilities and guide the behaviours and actions of employees. Also, the Code of Conduct and group policies are driven down through the organization from the top, where the CFO appears to be a leading figure for driving the awareness of the policies. This risk-aware culture guides decisions even outside of formal ERM processes, as employees consider the risk implications of decisions, and what the alternatives are on a risk-adjusted basis.

4.3.2 Performance

The findings suggest that the Performance area of the modified COSO (2017) framework creates risk awareness, which, in turn, influences strategizing through risk management processes. A formal ERM process entails a mandatory workshop for the central function, held after the 3YP objectives are set and guided by Kerberos’ CEO and the Group Treasurer of the Central Function, aiming to identify risks. Risks that are identified there are enterprise-wide rather than division-specific, such as insurance, legal and IT, since they affect the whole organization and are handled by the central function for efficiency reasons.

Each division also conducts a voluntary workshop where the division’s management and some business units identify and list risks related to the specific division. A decision not to conduct a workshop must be accompanied by a justification from the division to the ERM practice group; however, these workshops are mandatory to be conducted once every 4 years. During the workshops, top management members of the central function, such as the Vice President of Group Finance of the Central Function, and of Division A, such as the Vice President of Business Control of Division A, place the 10 most important risks on a heat map which has two dimensions: probability and impact.
The impact of a risk is expressed as the highest of its impacts on one of three categories: profit and loss, reputation or competition. Risks may fall under all these categories but are placed only in the category affected the most. The severity of risks is expressed on the heat map according to one of the following colours: green, yellow and red. Risks identified in workshops are usually closely associated with the achievement of the 3YP objectives. Arrows are placed for each risk on the heat map to indicate its direction from the previous year.

Green risks simply continue to be monitored, while yellow and red risks undergo additional processes. Yellow and red risks are accounted for with a description of the risk and its mitigation activities, if any, along with the rationale of the mitigation activity and the rejected alternatives. Monitoring activities are also documented. If a division decides to accept a risk, the respective managers are called to provide an explanation of their rationale to the ERM practice group. Interrelations among risks must also be identified to provide a portfolio view of risk. This provides assurance to Kerberos that each division understands the context of each risk and is committed to the overall ERM process.

Finally, the different heat maps from each division along with the heat map of the central function are condensed into an overall heat map by the Top Management Team for the entire organization. All these procedures ensure that the 3YP and ERM are interlinked. The production of heat maps is characterized as a structured process where risks that are identified and considered daily are put together.

“I think that the overall framework adds value, even the fact that you need to label risks into certain more specific topics and quantifying them even though you know that there is no exact number that will ever capture the risk.
But it is more a way of illustrating the risks, which serves very well for the purpose of discussing them.” (Vice President of Group Finance, Central Function)

The aim of the workshops is to account for risks and thereby create risk awareness, as explained by the Vice President of Group Finance of the Central Function. Categorizing and quantifying the risks is not the most important action per se, but the generation of information and discussion that it enables is. Workshops also create a risk overview in the organization which elevates risk considerations in daily decision-making processes.

“It is not so much doing the risk map, it is really starting to think about the different types of risk that you have and sorting them into different categories of risk and making sure that you take on the one you want because you want to take risk right? But you want to take the right type of risk that actually has an upside. No risk no reward, right?” (Vice President of Business Control, Division A)

Taking the right types of risks, those that are value-adding, when strategizing is considered a significant outcome by the Vice President of Business Control of Division A, and it is facilitated by the accounting for and discussion of the risks in the workshops.

Another function in Kerberos that considers risk responses is the risk committee, where responses are decided for risks that are not division-specific and risk responses chosen by the divisions are discussed. Insurances are mostly handled centrally and are presented and discussed in the risk committee. Considering insurance risks centrally enables an overarching view of the insurances. The risk committee is composed of the CFO, internal audit, an ERM representative and, depending on the occasion, several other internal and external actors. External actors include firms that Kerberos hires to rate its factories and suppliers in order to assist the identification of risks.
The identification of risks in Kerberos is done on different levels. Each department is in charge of identifying the risks that affect it, and accounts for these in the annual ERM process by creating a heat map, which shows the severity and direction of risks. This allows for a prioritization of risks, by visualizing them on a green-yellow-red scale. The connection of ERM and strategy allows Kerberos to consider the implications that its risks have on set or intended strategies. Also, with ERM, non-value-adding risks are identified and mitigated. Furthermore, ERM assists in creating an overarching view of all the risks in a company by the creation of heat maps for each division and the central function that are condensed into an overall heat map for Kerberos. By handling risks that affect the whole company centrally, Kerberos can strategize more efficiently by having a portfolio view of risks.

4.3.3 Review & Communication

As the following analysis shows, the Review & Communication area of the modified COSO (2017) framework can create risk awareness and thus influence strategizing through processes and actors, such as accountants, involved in them. Changes to the ERM process of Kerberos are usually rare since ERM has been in place for over two decades. Nevertheless, recently major changes occurred to alter the mind-set of Kerberos when it comes to ERM and the role it serves. The new CFO aspired to operationalize risk management activities in Kerberos by using the COSO (1992) Internal Control Framework.
“There are a lot of things we do organizationally that touch on risk management and when we think about it I wanted to also orient it around this COSO, the older COSO framework [Referring to the COSO (1992) Internal Control Framework], risk assessment, control activity, monitoring, active information communication.” (CFO)

The risk management of Kerberos is described as being not one process but rather many processes that together form a system that involves many different areas such as communication, monitoring, risk assessment and controls. As the CFO explains, risk management processes are considered something broader than just one activity and are infused into everyday organizational activities.

Further, as mentioned, initiatives to infuse the ERM process with the strategic planning of the divisions in Kerberos have taken place instead of having ERM as a separate centralized annual process. Previously, the construction of the 3YP and the conduct of ERM were executed separately. Therefore, the underlying risks of the 3YP were considered after its construction rather than as a part of the process. Now the ERM and 3YP processes are more intertwined than before in that risks to achieving the 3YP are considered as a part of the creation of it. Each of the divisions now has its own management team that adjusts ERM activities tailored to its risks. Strategic planning on the group level is considered together with the ERM process rather than having the strategic planning and ERM as two separate isolated processes.

“Historically we are not that synchronized.
That is something we have improved over the past few years since our group is responsible for driving the strategic planning process on the group level and we think that ERM should be kind of related to this and we should take everything together rather than isolated” (Business Controller, Central Function)

Considering ERM results in strategic planning is deemed a crucial part of strategizing, as explained by the Business Controller of the Central Function. The connection of ERM and the 3YP was initiated as a top-down process driven by the CFO and his/her team within business control of Kerberos.

The heat maps provide a concise but understandable view of the different types of risks along with their severity. The Top Management Team and board of directors utilize the heat maps to understand and monitor the direction of each risk from last year. By connecting the 3YP of each division to the production of the heat map, the board of directors and top management within the divisions and central function can review the divisions’ performance in connection to risks and take informed decisions. The ERM process is described to be as simple as possible, to make it understandable to the people in the divisions who take part in the process.

“We try to do this as simple as possible. Not to have too much around it and the description is quite simple too it does not explain too deep and then we can go in and ask deep questions because then it is possible to read it and just understand.” (Group Treasurer, Central Function)

Even though the instruction and the ERM process are quite simple, the ERM practice group can discuss relevant risks, identified in workshops, with the divisions to gain a deeper understanding. These subsequent actions reveal that ERM in Kerberos is executed carefully to enable the generation of the best possible results.
Furthermore, the heat maps undergo reality checks annually where the reasonability of the severity and mitigation activities of the risks is reviewed. The heat map of the central function is checked by the Top Management Team while the heat maps of the divisions are discussed with divisions’ managers and the ERM practice group, such as the Group Treasurer of the Central Function.

“Sometimes we discuss “This we do not understand, the risk, please explain why is it here when it was here last year” That is a question that we discuss with them and then we discuss directly with the management for each division “Why has it moved?”” (Group Treasurer, Central Function)

The review by the ERM practice group in the form of a discussion requires the division management to understand the risk and be able to explain the development of the risk, as stated by the Group Treasurer of the Central Function. Even though ERM procedures usually take place a specified number of times during the year, the consideration of risks and their implications is ongoing throughout the year. Also, the probabilities of over- and underperforming in terms of objectives in the 3YP, which are translated into financial terms, are reconciled with the placement of the risks in the heat maps. This is another step to ensure synchronization between the heat maps and the 3YP. These procedures aim to validate risks in the heat maps and ensure the success of workshops by ensuring that employees are aware of risks that hinder the achievement of the 3YP.

Further, the risks placed in the heat maps are also compared to the results from the previous year by the Top Management Team to identify external and internal changes that may affect the business. The Top Management Team also holds a meeting once a month where cross-divisional implications are discussed. The discussions could entail the prioritization of a limited supply of products.
“[Discussions may entail the] prioritization of supply of this product here, we have limited supply, we have market demands that are in [different locations], “are we investing enough behind it, are we investing in the right areas?”” (CFO)

The discussions of the Top Management Team assist in strategizing, such as making the appropriate investments to ensure that the supply of Kerberos products can meet the market demands, revealing the importance of risk consideration in strategizing.

Moreover, policies that affect the overall risk management of Kerberos, and suggested changes, are also discussed in the risk committee. The changes to the processes are initiated by the CFO and the ERM practice group, discussed by the risk committee, and must be accepted by the board of directors and the Top Management Team when they are significant. The risk committee was described to have become more structured after the recruitment of the current CFO. In the past, the risk committee focused mostly on a third-party audit report of manufacturing facilities, and decisions concerned how to react to the report. The scope of the risk committee has broadened in that more actors are involved. Depending on the focus of the risk committee, the appropriate internal actors that own and are affected by identified risks are included to distribute relevant information and enable better decision-making.
“[The factory audit report] is information that we use centrally but we are paying money to [name of third party] so that the operating presidents who have people in charge of supply chain that work for them, that is the audience, they are the ones that should be getting this information, and you know, either agreeing or disagreeing, that dialogue needs to take place and we are doing that much better now than we have done historically.” (CFO)

Factory audit reports, constructed by a third party, are used centrally but should also be communicated to the operating presidents, who can spread the information further to lower levels so it can be incorporated in the operations. As the CFO explains, it is beneficial for the risk information to reach the right people in the organization to elevate the business operations and decision-making.

To monitor the effectiveness of ERM activities and overall performance of the organization, Kerberos’ divisions and central function construct monthly and quarterly reports which serve as a method for communication both within the organization and with the stakeholders. The quarterly and monthly reports share information about performance results regarding the 3YP. Division managers, such as the Vice President of Business Control of Division A, along with the Business Controller of the Central Function are responsible for presenting the quarterly reports to selected people such as the CFO and CEO in a quarterly meeting and discussing the positives and negatives of the quarter. The Vice President of Business Control of Division A is also accountable for the forecasting process in the 3YP budgeting process, the quarterly and monthly reports for Division A, and also for making sure different departments set proper Key Performance Indicators (KPIs). The KPIs are used to monitor, follow up, and guide necessary actions to reach the targets proposed in the 3YP.
All these processes, executed by the Vice President of Business Control of Division A, monitor the performance of the division in regard to the 3YP objectives.

“So, all of those things is basically like making sure that the performance of the division is in line with our expectations or targets or [3YP] also highlighting deviations.” (Vice President of Business Control, Division A)

As the Vice President of Business Control of Division A explains, being accountable for all these procedures is crucial for identifying deviations from the 3YP objectives and requires communication among different actors through meetings and reports.

On the other hand, even though employees in the lower levels in the divisions are not familiar with any formal ERM processes, they partake in the different reporting processes which can serve as a risk information communication channel. In the business control department in Division A, the Senior Expert at Market Intelligence in Business Control of Division A is partly responsible for the construction of the monthly and quarterly reports.

“I can say that 20 or 40 percent of my time it is like, I [am] looking at a mirror, what happened the last 4 weeks and then I report that. Sometimes of course I look in the future as well [...] My reports are, okay, it already happened, but we use those market shares to communicate to the financial markets, it affects the stock price or the development of our stock.” (Senior Expert at Market Intelligence in Business Control, Division A)

As the Senior Expert at Market Intelligence in Business Control of Division A explains, reporting processes help the identification of causes that affect the changes in market shares of Kerberos. The identified causes are further used internally to assist decision-making and to reveal underperforming segments, which someone else in the organization then acts to rectify.
The Senior Expert at Market Intelligence in Business Control of Division A also conducts weekly reports that are shared within the organization to help monitor changes in the industry and assist decision-making processes in different business units.

“[Weekly reports may include] “how does this change from last week?” Huge amount of slides and we know exactly where we are when the risk comes up.” (Group Treasurer, Central Function)

As the Group Treasurer of the Central Function explains, these reports do not only serve as a communication channel and for performance monitoring but also serve as a basis for risk identification which can later be used in the construction of heat maps, creating risk awareness.

In general, ERM processes have undergone changes to integrate risk management and strategy, initiated by the CFO to increase risk awareness. There have been simplifications of the instructions of the ERM process to make it understandable and to operationalize risk thinking in the organization. The CFO of Kerberos has oriented the risk management framework around the COSO (1992) Internal Control Framework that includes risk assessment processes and is similar to the COSO (2017) ERM framework used in this study. To review the integration of ERM and strategy, Kerberos’ ERM practice group reviews the results of the workshops. In addition, ERM results are communicated throughout the organization through various meetings. Furthermore, reports are used to spread performance information that can be used for following up on KPIs and the identification of risks and are also communicated through various meetings. The understanding of risks increases risk awareness, allowing the formulation of strategies which are aligned with the risks of the organization.

5. Discussion and Analysis

In this section, the major findings of this study are outlined and discussed in depth.
All three organizational areas contribute to the ERM literature by exemplifying how they can enable ERM to influence strategizing. At the same time, the findings also contribute to the ERM literature by highlighting how the business orientation of accountants is the key to enable the influence of ERM on strategizing.

Having a culture that supports ERM has been identified as an essential part of an overall ERM system by several authors (Fraser & Simkins, 2010; Nocco & Stulz, 2006). A corporate culture that fits the needs of the organization and is incorporated into corporate strategy and everyday activities should be promoted by the board of directors (Fraser & Simkins, 2010). Indeed, in Kerberos, a culture that supports ERM is evident; however, the area of culture in Kerberos enables ERM to influence strategizing by creating risk awareness.

A direct influence of risk awareness on the link between ERM and strategy through culture was enabled by workshops. By participating in workshops, top management of each division and central function become aware of the risks that affect the organization and may hinder the achievement of the 3YP. One example was provided by the GF, where after the completion of a workshop the understanding of ESG risks was elevated. Another example was provided by the Senior Vice President of R&D of Division A regarding supply chain flaws. The flaws identified in the supply chain posed a strategic risk in Kerberos, as explained by the Senior Vice President of R&D of Division A, and actions to mitigate them were based on risk thinking, as exemplified by the Group Treasurer of the Central Function. The Group Treasurer of the Central Function was aware of the trade-off between having many or few suppliers. Few suppliers result in lower prices but at the same time increase Kerberos’ dependence on them, which imposes a risk.
This implies that the risk management processes in Kerberos indeed created a culture where the risk-return trade-off is considered, as suggested by Nocco and Stulz (2006).

Another process which also had a direct influence of risk awareness on the strategy through culture was the estimation of the risk appetite. According to COSO (2017) and Aven (2012), the calculation of the risk appetite enables better decision-making. It became evident during the interviews that risk appetite elevated decision-making processes. In Kerberos, the 3YP serves as a measure of risk appetite, which is in accordance with the shareholders’ needs, by estimating upsides and downsides to objectives of the plan and translating them to cash flows. The risk appetite serves as a basis for evaluating strategic alternatives and understanding how aggressive Kerberos is, given the objectives set in the 3YP. Also, in Kerberos, the implications of strategic alternatives, such as acquisitions, are evaluated based on their impact on financial flexibility, which is used as a measure of the risk appetite.

However, other processes of risk identification aiming to promote a risk-aware culture, such as risk analysis, were deemed as not applicable to the R&D department, as exemplified by the Senior Vice President of R&D of Division A. While Kerberos’ effort of connecting ERM and strategy through the culture was viewed as natural for all of the respondents, the Senior Vice President of R&D of Division A deemed the same culture a hindrance when it came to innovation. The efforts of connecting ERM and strategy were seamless for most of the respondents, as suggested by AICPA (2010). Nevertheless, in the R&D department, risk management processes created difficulties for the same link due to the innovative aspect of that business unit.

An indirect influence of risk awareness, through the area of culture, was also detected.
This influence did not occur from any direct connection to any formal processes but rather from the overarching ERM system. COSO (2017) argued that ERM enables better evaluation of strategic alternatives and alignment of the chosen strategy with the vision of a firm. There is no doubt that in Kerberos, the overall ERM system enables the evaluation of strategic alternatives. An example was provided by the Senior Vice President of R&D of Division A regarding the decision not to invest in products at the end of their lifecycle. However, it was identified that one of Kerberos’ divisions distributed a product that, depending on the point of view, contradicted the vision. Regardless, the decision to continue selling the contradicting product (Product 3) was based on risk thinking. Hence, the better evaluation of strategic alternatives does not always result in strategies aligning with the vision of a company, as COSO (2017) suggests.

As shown, culture is influenced by various risk management processes and the overall ERM system. Different policies guide these processes and affect the decision-making of the actors in Kerberos by setting rules and spreading responsibilities. Lundqvist (2015) explained that risk governance, which is the integration of corporate governance and risk management, is used for spreading accountability, responsibility, and authority in the overall ERM system, by setting rules and processes for decision-making. In Kerberos, the board of directors exercises oversight by reviewing the ERM instructions for the procedures. Furthermore, the board also has to accept the strategic planning of the various divisions. Policies and processes entail the Code of Conduct, workshops, and training programs. The risks accounted for in each of the divisions’ workshops are owned by the respective division leaders, who in turn have the responsibility for these risks.
By taking responsibility for some risks, division leaders became more informed about the risks affecting their business and thus more risk aware. Findings also indicated a risk-aware mind-set among the lower-level employees at Kerberos even though they are not involved with any formal ERM processes. An example was provided by the Business Developer of Division B regarding supplier risk. This risk awareness can be because risk ownership enables the infusion of risk awareness into all levels of an organization, as argued by Andrén and Lundqvist (2017).

In general, through risk management processes, Kerberos was able to promote a risk-aware culture, which directly and indirectly enables ERM to influence strategizing. This is interesting because even though there is no doubt that in Kerberos the area of Culture supports ERM, as Fraser and Simkins (2010) and Nocco and Stulz (2006) suggested, this area has wider implications because it enables ERM to influence strategizing. Firms can utilize risk management processes, such as workshops and risk analysis, for creating a risk-aware culture that surrounds the whole organization. These processes should be guided by risk governance that promotes risk awareness among the relevant actors. Assigning risk ownership to different managers enables the infusion of risk thinking into all organizational levels and elevates strategizing processes. The risk management processes are not as valuable if not embedded in the right culture and not guided by an overall ERM framework to enable ERM to influence strategizing. Nevertheless, when these processes are organized, their implications on the culture should be considered to ensure that they create a risk-aware mind-set which can enable ERM to influence strategizing.

Regarding the Performance area, findings suggest that the results of risk documentation processes are not as important as the process itself for enabling ERM to influence strategy.
Farrell and Gallagher (2015) argued that risk documentation is essential for embedding ERM with strategy, and Fraser and Simkins (2010) pointed out that the documentation of risks can create risk awareness. There is no doubt that in Kerberos, workshops serve for the assessment of risks and their documentation with heat maps. Despite that, based on the findings, workshops serve a broader role. Most risks are identified before the workshops. Nevertheless, workshops serve as a means for discussing and visualizing risks and creating risk awareness, as explained by the Vice President of Group Finance of the Central Function and the Vice President of Business Control of Division A. Discussing and visualizing the risks creates an understanding that can be dispersed in the organization, which enables ERM to influence strategizing. Therefore, based on the above analysis, the area of Performance in Kerberos is facilitated by risk management processes, enabling ERM to influence strategizing by creating risk awareness.

This finding expands previous literature provided by Farrell and Gallagher (2015), and Fraser and Simkins (2010) by exemplifying how the process of documenting risks serves a broader role. Specifically, the process of risk documentation enables the discussion, understanding, and communication of risks, which creates a risk-aware mind-set among the actors of the organization. Processes and their outcomes are not important per se when they do not enable the exchange of risk information between various actors. Specifically, documentation process outcomes are important channels for risk communication only when the relevant actors are involved. These relevant actors elevate their risk awareness, specifically for risks affecting their business the most, by taking part in the documentation process and therefore make more risk-informed decisions.

Regarding the Review & Communication area of ERM, findings indicate that the area helps ERM to influence strategizing.
Previous literature (Hax & Majluf, 1996; Fraser & Simkins, 2010) had already pointed out the importance of open communication when it comes to strategizing. Indeed, findings point out the importance of the Review & Communication area to strategizing, but the area can also enable ERM to influence strategizing. The review of the ERM process led to the connection of the 3YP and the ERM process, to more closely connect it to strategic objectives. An initiative of the CFO enabled this, supported by accountants. Moreover, ERM results such as heatmaps are discussed by the Top Management Team and the ERM practice group, which is composed of two accountants, to ensure their validity and the usefulness of the workshops. By ensuring the validity of the heatmaps, the Top Management Team can strategize based on risk thinking. An example was provided by the CFO concerning the prioritization of supply. Also, communication of risk information is supported by a risk committee in Kerberos. As the CFO explained, changes in the risk committee enabled the exchange of information among relevant actors who strategize. Nevertheless, the Review & Communication area also serves as a means of risk identification. Rasid et al. (2011) argued that risk management processes could be assisted by management accounting. In Kerberos, various reporting processes regarding the progress of the 3YP are supported by accountants. The Business Controller of Division A explained that responsibility for identifying deviations and presenting them in meetings lies with the accountants. The reporting processes provide information for handling and identifying risks regularly and thus create risk awareness. Therefore, based on the above analysis, the area of Review & Communication can enable ERM to influence strategizing through management accounting processes by creating risk awareness. This finding, concerning the area of Review & Communication, adds to Rasid et al.
(2011) by providing further empirical evidence concerning the link between ERM and management accounting. Risk information can be generated through management accounting procedures. As such, processes aiming to create risk information can be complemented by management accounting. By communicating management accounting results, risk awareness is spread throughout the organization. Management accounting can assist changes in processes and detect risks affecting the achievement of set strategies. By identifying risks which affect set strategies, modifications can be made either in processes or strategies. These modifications can ensure the achievement of strategic objectives.

Even though we provide evidence for how the three organizational areas can alleviate the weak influence that ERM has on strategizing, argued by Frigo and Anderson (2011) and Viscelli et al. (2017), an important actor who enabled that stronger influence was the accountant. Burns and Baldvinsdottir (2005) and Järvenpää (2007) argued about the changing role of accountants, in that they become more business-oriented. Our findings provide evidence for the claims of Burns and Baldvinsdottir (2005) and Järvenpää (2007) regarding the business orientation of accountants. The business orientation of accountants and their influence on ERM was detected in, and connected, all three organizational areas that enabled ERM to influence strategizing. In the Culture area, accountants partake in workshops, the construction of the 3YP, and the calculation of the risk appetite. This enables them not only to be more business-oriented but also to increase their risk awareness. In the Performance area, accountants play an active role in workshops by following the detailed steps of the processes and exchanging risk information between them and other organizational actors, thus increasing and promoting risk awareness.
In the Review & Communication area, accountants have the responsibility of conducting various reports, presenting them to different meetings, and communicating them to the whole organization. This enables them to assist the identification of risks and the revisions of processes and strategies, creating even further risk awareness throughout the organization. This business orientation and the involvement of accountants in risk management processes enabled them to link all three organizational areas relevant to ERM and was facilitated by the CFO. The CFO recognized the need to infuse risk management into everyday processes to increase risk awareness. This increased risk awareness enabled ERM to influence strategizing by affecting subsequent strategizing conducted by accountants and other actors within Kerberos. Hence, the accountants' role in the three organizational areas enabled ERM to influence strategizing, and this may be the answer to the claims provided by Frigo and Anderson (2011) and Viscelli et al. (2017) regarding the difficulty to enable ERM to influence strategizing. Therefore, we add to previous ERM literature provided by Frigo and Anderson (2011) and Viscelli et al. (2017) that pointed out the difficulty of enabling ERM to influence strategizing. This is achieved by exemplifying how accountants can assist the three organizational areas in enabling ERM to influence strategizing. By becoming more business-oriented, accountants partake in a broader range of activities. This provides them with an overview of the organization that can assist not only strategizing and ERM processes but also enable the ERM to influence strategizing. By partaking in ERM processes, accountants can carry risk information and support and participate in strategizing. At the same time, accountants serve the role of identifying and communicating risk information to the whole organization. The broadening role of accountants can be the key to enable ERM to influence.

6. Conclusion

The purpose of this study was to elaborate on how the organizational areas of Culture, Performance, and Review & Communication can enable ERM to influence strategizing through the lens of accountants and processes. As the discussion and analysis show, the three organizational areas enable ERM to influence strategizing through processes and key actors, specifically accountants. This study contributes to previous literature in four ways.

Firstly, risk management processes and organizational policies promote a Culture that enables ERM to influence strategizing. Findings suggest that risk management processes and organizational policies, assisted by risk governance, promote a risk-aware culture. However, some of the processes can be perceived in different ways by various actors. For that reason, the implications of each procedure on the overall culture of an organization are important. As such, our study contributes to Fraser and Simkins (2009) and Nocco and Stulz (2006), who pointed out the importance of culture to ERM, by exemplifying how risk management processes can promote a risk-aware culture that enables ERM to influence strategizing.

Secondly, risk management processes enable ERM to influence strategizing through the area of Performance. By including the appropriate actors in risk management processes, the exchange of risk information is enabled, creating a risk-aware mind-set. Risk management processes aim not only at the end results but also at the exchange of risk information during these processes to create risk awareness and assist strategizing. Therefore, our study contributes to Farrell and Gallagher (2015), who pointed out the importance of risk documentation, by exemplifying how risk management processes promote risk awareness when the appropriate actors are involved in them.
Thirdly, management accounting can assist ERM by creating risk information and promoting risk awareness, which in turn can assist strategizing through the area of Review & Communication. Management accounting processes can assist in the generation of risk information that can trigger changes in processes and strategies and thus assure the achievement of corporate objectives. At the same time, the communication of management accounting information spreads information that can assist risk identification and create risk awareness. Thus, our findings contribute to Rasid et al. (2011), who argued about the link between ERM and management accounting, by providing further evidence of how management accounting can assist ERM and enable it to influence strategizing.

Fourthly, the business orientation of accountants allows them to partake in management accounting processes and ERM processes, linking all three organizational areas relevant to ERM. By partaking in a wide range of processes, accountants have an increased overview of their organization, along with the risks that affect it. The accountants' overview of the organization can assist strategizing by providing guidance and partaking in strategizing processes, enabling ERM to influence strategy. Accordingly, accountants are the ideal candidates for furthering the connection of ERM and strategy when their role in an organization is not restricted. Hence, our study contributes to Viscelli et al. (2017) and Frigo and Anderson (2011), who found a weak link between ERM and strategy, by exemplifying how the business orientation of accountants can enable ERM to influence strategizing.

6.1 Suggestion for Future Research

In the future, it would be interesting to study the role of top management leadership in driving organizational behaviour on lower levels that enables ERM to influence strategy, to further reveal the indirect effect of actors on that influence.
Researchers could study the role of top management leadership in ERM's influence on strategy by focusing on the operational levels within an organization that strives to connect ERM with strategy. Moreover, further investigation is needed towards the balance between innovation and ERM processes, such as risk analysis, for unravelling how they can exist in harmony. Also, causes that contributed to advancing ERM and focusing on enabling ERM to influence strategizing were beyond the scope of this study, and further research could be useful to unravel the cause(s) that trigger firms to advance the strategic aspect of the ERM. Moreover, other studies like this one, which confirm that specific organizational areas enable the link between ERM and strategy, are needed for separating firms that have advanced the strategic aspect of ERM.

6.2 Practical Implications

Firms should consider the implications on the culture when designing risk management processes. By creating the processes in a way that promotes the understanding and exchange of relevant risk information among actors, the process can be viewed as a value-adding activity and not an additional compliance activity. If actors see the process as value-adding, it creates buy-in from the actors and makes them more likely to spread what they have learned in the processes. Furthermore, risk management processes should be designed with caution since their implications are received in different ways by various actors. Moreover, firms should consider contingencies to the effectiveness of the process when it affects the entire organization. For example, one process might be valuable in one business area of the organization but costly in another. Risk management processes and policies should promote a culture that supports the link between ERM and strategy, to create a seamless risk-aware mind-set which guides actors through decision-making processes.
In addition, firms should also consider the strategy's alignment with the vision when formulating a new strategy and considering strategic alternatives, in a way that furthers the achievement of the vision in the long term. The long-term consideration can mean compromising on the accomplishment of the vision in the short term if doing so would imply long-term benefits. However, with ERM, an organization can be aware of the implications of each strategy on the vision, which then enables better strategizing. Finally, management accounting, such as performance management, and ERM processes concerning risk identification are in many ways complementary and overlapping, and this should be considered when creating these processes to strive for efficiency. Furthermore, both ERM and management accounting have strategic implications and the potential to drive and assure the accomplishment of strategic objectives. Accountants with broad roles can play an essential part in creating efficient processes by understanding both management accounting and risk management processes and how they can complement each other.

List of References

Aebi, V., Sabato, G., & Schmid, M. (2012). Risk management, corporate governance, and bank performance in the financial crisis. Journal of Banking & Finance, 36(12), 3213-3226.
AICPA (2010). Top Ten ‘Next’ Practices for Enterprise Risk Management 2010 AICPA Survey Results.
Andrén, N., & Lundqvist, S. (2017). Incentive Based Dimensions of Enterprise Risk Management. Available at SSRN 3071699.
Aven, T. (2013). On the meaning and use of the risk appetite concept. Risk Analysis, 33(3), 462-468.
Baird, I. S. (1986). Defining and predicting corporate strategic risk: an application in the telecommunications industry (Doctoral dissertation, University of Illinois at Urbana-Champaign).
Baird, I. S., & Thomas, H. (1985). Toward a contingency model of strategic risk taking. Academy of management Review, 10(2), 230-243.
Bartram, S. M. (2000). Corporate risk management as a lever for shareholder value creation. Financial Markets, Institutions & Instruments, 9(5), 279-324.
Bhimani, A. (2009). Risk management, corporate governance and management accounting: Emerging interdependencies.
Burns, J., & Baldvinsdottir, G. (2005). An institutional perspective of accountants' new roles – the interplay of contradictions and praxis. European Accounting Review, 14(4), 725-757.
Bryman, A., & Bell, E. (2011). Business Research Methods. Oxford: Oxford Univ. Press, 2011.
Cassidy, D. (2005). Enterprise risk management (ERM): a new reality for businesses. Employee Benefit Plan Review, 59(11), 29-31.
Chapman, C. S. (2005). Controlling Strategy Management, Accounting, and Performance Measurement. Oxford.
Committee of Sponsoring Organizations of Treadway Commission (COSO) (2009). Strengthening Enterprise Risk Management for Strategic Advantage. Retrieved 2019-05-13 from URL: https://www.coso.org/documents/COSO_09_board_position_final102309PRINTandWEBFINAL_000.pdf
Committee of Sponsoring Organizations of Treadway Commission (COSO) (2004), Enterprise Risk Management – Integrated Framework. Executive Summary, retrieved 2018-04-22 from URL: www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
Committee of Sponsoring Organizations of Treadway Commission (COSO) (2017), Enterprise Risk Management — Integrating with Strategy and Performance, retrieved 2018-04-22 from URL: www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
D’Arcy, S. P., & Brogan, J. C. (2001). Enterprise risk management. Journal of Risk Management of Korea, 12(1), 207-228.
Dechow, N., & Mouritsen, J. (2005). Enterprise resource planning systems, management control and the quest for integration. Accounting, organizations and society, 30(7-8), 691-733.
Dickinson, G. (2001). Enterprise Risk Management: Its Origins and Conceptual Foundation*. Geneva Papers on Risk & Insurance, 26(3), 360-366.
Ernst & Young (2008). The changing role of the financial controller. Research report.
Farrell, M., & Gallagher, R. (2015). The Valuation Implications of Enterprise Risk Management Maturity. Journal of Risk and Insurance, 82(3), 625-657.
Fraser, J. R., Fraser, J., & Simkins, B. (2010). Enterprise risk management: Today's leading research and best practices for tomorrow's executives (Vol. 3). John Wiley & Sons.
Frigo, M. L., & Anderson, R. J. (2009). Strategic risk assessment. Strategic finance, 25-33.
Frigo, M. L., & Anderson, R. J. (2011). Strategic risk management: A foundation for improving enterprise risk management and governance. Journal of Corporate Accounting & Finance, 22(3), 81-88.
Gallagher, R. B. (1956). Risk management-new phase of cost control. Harvard Business Review, 34(5), 75-86.
Gates, S. (2006). Incorporating strategic risk into enterprise risk management: A survey of current corporate practice. Journal of Applied Corporate Finance, 18(4), 81-90.
Hax, A. C., & Majluf, N. S. (1996). The strategy concept and process: a pragmatic approach (Vol. 2, pp. 360-375). Upper Saddle River, NJ: Prentice Hall.
Holton, G. A. (1996). Enterprise Risk Management: Contingency Analysis.
Järvenpää, M. (2007). Making business partners: a case study on how management accounting culture was changed. European Accounting Review, 16(1), 99-142.
Liebenberg, A. P., & Hoyt, R. E. (2003). The determinants of enterprise risk management: Evidence from the appointment of chief risk officers. Risk Management and Insurance Review, 6(1), 37-52.
Lincoln, Y. S., & Guba, E. G. (1985). Establishing trustworthiness in: Naturalistic inquiry, 289, 331. Beverly Hills, Calif: Sage Publications.
Lundqvist, S. A. (2015). Why firms implement risk governance–Stepping beyond traditional risk management to enterprise risk management. Journal of Accounting and Public Policy, 34(5), 441-466.
Meulbroek, L. (2002). A senior manager's guide to integrated risk management. Journal of Applied Corporate Finance, 14(4), 56-70.
Miccolis, J., and S. Shah, 2000, Enterprise Risk Management: An Analytic Approach, Tillinghast–Towers Perrin Monograph (New York).
Mikes, A. (2006). Enterprise risk management in action (Doctoral dissertation, London School of Economics and Political Science (United Kingdom)).
Miller, K. D. (1992). A framework for integrated risk management in international business. Journal of international business studies, 23(2), 311-331.
Miller, K. D., & Bromiley, P. (1990). Strategic risk and corporate performance: An analysis of alternative risk measures. Academy of Management Journal, 33(4), 756-779.
Nocco, B. W., & Stulz, R. M. (2006). Enterprise risk management: Theory and practice. Journal of applied corporate finance, 18(4), 8-20.
Pagach, D., & Warr, R. (2011). The characteristics of firms that hire chief risk officers. Journal of risk and insurance, 78(1), 185-211.
Parker, L. D., & Northcott, D. (2016). Qualitative generalising in accounting research: concepts and strategies. Accounting, Auditing & Accountability Journal, 29(6), 1100-1131.
Power, M. (2009). The risk management of nothing. Accounting, organizations and society, 34(6-7), 849-855.
Quattrone, P., & Hopper, T. (2005). A ‘time–space odyssey’: management control systems in two multinational organisations. Accounting, Organizations and Society, 30(7-8), 735-764.
Quattrone, P., & Hopper, T. (2006). What is IT?: SAP, accounting, and visibility in a multinational organisation. Information and Organization, 16(3), 212-250.
Rasid S., Rahman A., & Ismail W. (2011). Management accounting and risk management in Malaysian financial institutions: An exploratory study. Managerial Auditing Journal, 26(7), 566-585.
Simons, H. (2009). Case Study Research in Practice, Sage Publications, London.
Slywotzky, A. J., & Drzik, J. (2005). Countering the biggest risk of all. Harvard Business Review, 83(4), 78-88.
Viscelli, T. R., Hermanson, D. R., & Beasley, M. S. (2017). The integration of ERM and strategy: Implications for corporate governance. Accounting Horizons, 31(2), 69-82.
Yin, R. (2009). Case Study Research: Design and Methods (4th ed., Applied social research methods series, 5). London: SAGE.

Appendix – Interview Guides

Senior Vice President of R&D of Division A
Tell us a little bit about yourself.
● Tell us about your background in Kerberos
● Tell us about your current role in Kerberos
● What does your work include?
● What are you currently spending most time with?
● How much of your time do you spend on ERM?
How is ERM defined in your organization?
How long have you had ERM in Kerberos?
What are your responsibilities connected to ERM?
We know that there are some workshops for making lists of risks, do you partake in them?
What impact (positively and negatively) has ERM had on the organization and its strategy?

Group Treasurer and Business Controller of the Central Function
Tell us a little bit about yourself.
● Tell us about your background in Kerberos
● Tell us about your current role in Kerberos
● What does your work include?
● What are you currently spending most time with?
● How much of your time do you spend on ERM?
Tell us a little about your ERM process
What is ERM to you? What do you think is its main goal?
What are your responsibilities connected to the ERM system?
In the annual report for 2017 it says that ERM is used for strategic planning, could you elaborate on how it is used?
Does each division have a set strategy that they try to achieve?
How do you communicate the results or the yearly ERM process to the different divisions?
What impact (positively and negatively) has ERM had on the organization and its strategy?

Business Developer of Division B
Tell us a little bit about yourself.
● Tell us about your background in Kerberos
● Tell us about your current role in Kerberos
● What does your work include?
● What are you currently spending most time with?
Could you tell us about different processes that you are involved in that include risks?
Do you think that your opinion regarding risks matter to the higher-ups?
We have heard that you have a present report that shows the development during the week by using Enterprise Performance Management reports?
What do you think the goal of having ERM in Kerberos or in any company is?

Vice President of Group Finance of the Central Function
Tell us a little bit about yourself.
● Tell us about your background in Kerberos
● Tell us about your current role in Kerberos
● What does your work include?
● What are you currently spending most time with?
● How much of your time do you spend on ERM?
Tell us a little about your ERM process.
What is ERM to you? What do you think is its main goal?
What are your responsibilities connected to the ERM system?
How do you handle financial risks?
How do you communicate risks to higher-ups?

CFO
Tell us a little bit about yourself.
● Tell us about your background in Kerberos
● Tell us about your current role in Kerberos
● What does your work include?
● What are you currently spending most time with?
● How much of your time do you spend on ERM?
Tell us a little about your ERM process.
How is ERM defined in your organization?
How long have you had ERM in Kerberos?
How is it determined if risk management activities need to be coordinated with other operating units?
What impact (positively and negatively) has ERM had on the organization and its strategy?
We are aware that your ERM includes Business risks, could you describe what you mean with business risks and how ERM is used?
Did you implement any changes to the ERM system recently?

Vice President of Business Control and Senior Expert Market Intelligence of Division A
Tell us a little bit about yourself.
● Tell us about your background in Kerberos
● Tell us about your current role in Kerberos
● What does your work include?
● What are you currently spending most time with?
● How much of your time do you spend on ERM?
When you came to work for Kerberos how were you introduced to ERM?
What do you think the goal of having ERM in Kerberos or in any company is?
What are your responsibilities connected to ERM?
We know that there are some workshops for making lists of risks, do you partake in them?
How do you communicate risks to higher-ups?
Do you think that your opinion regarding risks matter to the higher-ups?
Do you believe that the way that ERM is promoted to you and your colleagues is effective?
What kind of insights do you get from market intelligence? Can they be used to identify potential events (risks and opportunities)? If yes, how do you communicate them/use them?