Figure 2 - uploaded by Steve Sutton
IT balanced scorecard dimensions 


Source publication
Article
Purpose – This article aims to focus on raising awareness of the limitations of traditional “enterprise-centric” views of enterprise risk management that ignore the risks that are inherited from key business and supply chain partners. In essence, enterprise systems implementations have allowed organizations to couple their operations more tightly w...

Context in source publication

Context 1
... standards setting body. Within the IT realm, the Information Systems Audit and Control Association (ISACA) has also been proactive on an international basis in terms of providing guidance to management and auditors on effective IT governance and control frameworks. In some cases, the two organizations have worked together in the development of guidance for managing IT (e.g. IFAC, 1999; ISACA, 2001; IT Governance Institute, 2001). In this section, the guidance for management and auditors are each reviewed.
IFAC provides a central distribution point for guidance on IT governance, bringing together the contemporary thinking of multiple bodies on strategies for establishing corporate governance over IT. In an early guideline issued for executive management, IFAC focused on the IT planning process and the importance of focusing IT investments on strategic alignment (IFAC, 1999). The guidelines focus on several core principles for IT planning, including:
(1) alignment with business direction of enterprise;
(2) relevance of planning scope;
(3) relevance of planning timeline;
(4) identification of how benefits will be realized;
(5) achievability of plan;
(6) basis for measuring and monitoring performance;
(7) period reassessment of plan;
(8) dissemination of plan to create internal awareness;
(9) accountability; and
(10) management commitment to plan implementation is clear.
None of these guidelines are particularly novel to IT researchers, but what is important from the perspective of inter-organizational systems is that an enterprise should also be interested in the effectiveness with which supply chain partners and outsourcing partners adhere to these guidelines. The guidelines are focused on internal corporate monitoring of planning, but it is unlikely that strategically aligned interorganizational systems that link two or more enterprises in the supply chain through B2B e-commerce can be successful if both enterprises are not following good planning processes.
Similarly, the core principles for IT governance 1 and 4-10 from the aforementioned IFAC guidance are critical to both enterprises and if either enterprise’s alignment is not in place with joint interorganizational systems business objectives and principles 4-10 are not in place to assure alignment is achieved, then success can be hindered for both enterprises. The subsequent release of the IT Governance framework[3] by the IT Governance Institute (2001) broadens the view of IT Governance and prescribes a much broader view, albeit at a high level prescription. Figure 1 reflects the framework put forth in the 2003 guideline. Note there are five main focus areas that are key to responding to stakeholder value drivers. IT strategic alignment relates to a focus on aligning IT with the business strategy. IT value delivery is concentrated on optimizing expenses and proving the value of IT. Risk management is fairly narrowly defined as the safeguarding of IT assets and disaster recovery. Performance Measurement relates to the processes in place to track project delivery and monitor IT services. Resource management (the overarching consideration for the other focus areas) relates to optimizing knowledge and infrastructure from available IT resource investments. Perhaps one of the more beneficial extensions put forth by the governance framework is the focus on performance measurement in that it takes a position emphasizing a balanced scorecard approach to assessing performance. This balanced scorecard approach (see Figure 2) takes a broader look beyond the financial performance criteria to recognizing the value accrued from meeting customer needs, examining alignment and support of internal business processes, and how IT supports organizational learning and innovation. Notable again in this framework, and the discussion supporting the framework, is the focus on internal processes, internal value, and internal alignment of processes. 
While clearly there is value from assessing internal systems, the framework again assumes an enterprise centric model and ignores the implications of interorganizational systems. Also of note, is the general tone taken within the discussion of the framework that addresses IT risk as a separate and distinct subset of business risk. However, enterprise systems have reshaped most organizations over the past decade to the point where the enterprise systems establish the business rules and the business processes cannot be cleanly separated from the enterprise systems supporting and driving those business processes. This integrated nature of IT and business processes necessitates that business risk be assessed from such an integrated perspective.
IFAC has recognized that e-business alters the risk model. In a white paper entitled: “E-Business and the Accountant” (IFAC, 2002a) notes that risks increase in an e-business environment and management has a responsibility to manage the ensuing risks. The principles and criteria for e-business still treat IT risk as a distinct subset of business risk, though, as it examines the reliability of information security and information processing. The security risk principles include: integrity; availability; confidentiality; authenticity; authorization; and non-repudiation. It is of note that the latter principle does extend beyond traditional IT controls to recognize a business issue that may arise from e-commerce relationships. IFAC’s information processing risk principles include: completeness; accuracy; timeliness; accessibility; maintenance of chronological order; and inalterability of data.
The focus on information security and processing for the principles and criteria for e-business and accounting is curious given that the whitepaper expressly recognizes that IT systems include three basic elements: (1) IT business processes; (2) IT applications; and (3) IT infrastructure. However, the three components are fairly narrowly defined to focus on the IT components and not the integration. Similarly, the three basic elements are viewed from the enterprise centric view and risks from the partner on the other end of an e-business relationship are not considered other than to consider the need to capture electronically received transaction data from the partner.
One quote in the IT Governance report should resonate heavily with management and researchers, “In IT, if you are playing the game and not keeping score, you are only practising” (IT Governance Institute, 2001).
The corporate governance guidelines presented through the series of guidance documents reviewed to this point all provide valuable information and discussion to support initial IT governance strategies. However, these guidelines still fall short of addressing IT corporate governance needs in enterprise systems and extended-enterprise systems environments. Research is desperately needed that will help guide management in assessing risk in environments where business processes are supported and driven by enterprise systems, and where the two are essentially inseparable and must be jointly assessed. Research is also desperately needed to assist in the development of risk models that recognize that in extended-enterprise ...

Citations

... Typically, risk events are characterized by the frequency of their occurrence (probability) and the extent of their consequences (impact) (KASAI et al., 2022). As for the causes of risk events, they may be external (economic, environmental, social, political or technological) or internal (infrastructure, resources, processes and technology used by the company) (SUTTON, 2006). [Brazilian Applied Science Review, Curitiba, v.8, n.1, p. 130-147, 2024] Managing risks aims not only to minimize the total risk faced by a company, but also to choose the appropriate level of risk in order to maximize potential opportunities and make what was planned happen (RAMPINI, 2023). The implication of this statement is that risk, in its essence, is not purely a negative event; it can also present a chance for progress (AVEN, 2016). ...
Article
Studies on compliance have grown in importance over time in both the academic and the business world. What was once treated in isolation is now essential to an organization's survival. The parts that make up institutions' compliance processes should therefore be studied continuously with a view to optimizing the whole process. In this context, risk management, despite having a set of guidelines and frameworks, is applied only incipiently within the compliance system and does not play a relevant role in implementing the process. However, the recent ISO 37301:2021, which sets out requirements for implementing a compliance program, contains elements directly related to risk management. This article therefore aims to profile the academic publications that relate risk management and compliance, and to identify other related topics in the management of organizations. To achieve this objective, a descriptive analysis was carried out on samples of documents from the Web of Science Core Collection and the Scopus database. The analyses identified a consistent growth in publications, a diversity of journals interested in the subject, interdisciplinarity between compliance and risk management and, finally, the relevance of sustainability-related topics in the environmental and social areas.
... This modern or holistic view is the one developed by the main risk management reference frameworks, such as COSO ERM, ISO 31000 and the Sarbanes-Oxley Act, which introduced guidelines to reform and strengthen control systems and the priority management of risks, broadening the responsibilities of the various governing bodies (Arena et al., 2010; Callahan and Soileau, 2017; Lundqvist, 2014; Ruiz-Canela, 2021; Shad et al., 2019). It is evident that there are no conclusive studies of the effects of enterprise risk management; very little is known about the impacts it may have had in sectors other than the financial sector, and there are no studies of companies in countries with emerging economies either (Anton and Afloarei, 2020; Callahan and Soileau, 2017; Otero et al., 2020; Pagach and Warr, 2011; Ruiz-Canela, 2021; Sutton, 2006). For that reason, this work reviews the most cited research in Scopus and Web of Science on the impacts that risk management has generated in organizations and thereby establishes future lines of research. ...
... For the first time, Gordon et al. (2009) note, a way is proposed to validate the effective implementation of risk management models, given that the literature contains little information on the impacts of ERM on organizations (Gordon et al., 2009; Hoyt and Liebenberg, 2011; Power, 2009; Sutton, 2006). Gordon et al. (2009) developed the Enterprise Risk Management Index (ERMI), which is based on the four objectives set out in the COSO reference framework: i) strategy: high-level goals, aligned with those of the organization and supported by the mission; ii) operations: effective, careful and efficient use of the organization's resources; iii) reporting: reliability of the organization's reporting system; and iv) compliance: organizational compliance with applicable laws and regulations. ...
... In addition, they pointed out the dangers of internal auditors taking on consulting functions that may compromise their objectivity. A few years earlier, Sutton (2006) had also linked audit work, although confined to the field of information technology (IT), noting the urgent need for visibility of risks, especially those inherited from supply chain partners; specifically, he highlighted the benefits of IT governance and control reference frameworks. However, Power (2009) launched fierce criticism of the linking of risk management to auditing and accounting; he sharply criticized the COSO framework, stating that ERM has design-level flaws in three ways: i) the "whole company" view and risk appetite (a misleading and weak view); ii) the close relationship between ERM and auditing/accounting, which is strongly influenced by standards and evidence in the process, leading to a very biased analysis; and iii) the inability to articulate and understand critical risks. ...
Article
The events of the first years of the 21st century, such as the Enron and WorldCom financial scandals and the financial crises, exposed, first, significant deficiencies in existing control processes and, second, the difficulties companies had in structuring robust risk management models. With the entry into force of COSO ERM, ISO 31000 and the Sarbanes-Oxley Act, as the main reference frameworks for holistic risk management models, the aim was for organizations to improve their capacity to meet their strategic objectives through activities that address uncertainty and, above all, create and retain organizational value. This article aims to review the research carried out on the effectiveness that risk management has produced in organizations, through a review of the literature in Scopus and the Web of Science. This review shows that the research carried out is not conclusive regarding the real impacts generated by risk management systems and their contribution to value creation and increased financial profitability. It also shows that there is an interesting gap for future research, considering that many of the studies carried out place special emphasis on the financial sector, neglecting other equally important economic sectors.
... Twenty-four risk sources suggested by Pham et al. (2022c) are increased and magnified challenges for firms during the lockdowns. Hence, risk assessment is one step of the risk analysis process aiming to estimate the danger degree of risk occurrence based on qualitative and/or quantitative information (Sharma and Routroy, 2016; Almeida et al., 2019; Sutton, 2006). There are various approaches and models assessing risks from both theoretical and practical points of view (Pham et al., 2022b; Kumar et al., 2018). ...
Article
Purpose Proactive risk assessment suggests that risk assessment should emphasize the consequences that it might cause and the opportunities it might create for firms. Hence, this study aims to validate risk impact on supply chain performance in the context of the Vietnamese construction sector. Also, a complex network, in which multiple risk factors mutually affect, impede or promote each other, is developed to assist managers in tackling unpredictable risks proactively. In particular, the authors investigate whether certain risks could be considered either challenges or opportunities for businesses in turbulent times to improve SC performance. Design/methodology/approach The construction industry is the focal study context as it is one of the most essential industries in charge of providing accommodations, infrastructures and employment for society. 289 valid responses used in this research are from a large-scale survey result, supported by a Japanese government project promoting sustainable socio-economic development in Vietnam. Findings From the study findings, the authors find that external risk brings opportunities for supply chain performance. Meanwhile, demand risk, when it occurs, can reduce the danger level of operational risk, which is an interesting finding of this research. It is evident that when multiple risk factors mutually affect, impede or promote each other, it provides a more meaningful examination of mutually interconnected supply chain risks. Originality/value Practitioners should perceive risks as an opportunity rather than a threat. This study contributes to preventing risks and guaranteeing an effective and efficient supply chain by tackling unpredictable risks in a disruptive period. Moreover, data on validating research models collected during the Covid-19 pandemic and Ukraine and Russia conflicts reflect the topicality of this study.
... First, internal control is one of the five functions of management, along with goal-setting, planning, execution, organization, coordination, and control. As the frequency of fraud and company failures has risen, organizations have turned to internal control to improve control efficiency and, as a result, the efficacy of corporate governance by the board of directors and shareholders has improved (Shleifer & Vishny, 1997; Sutton, Steve., 2006). Furthermore, because bribe payments are sometimes camouflaged as "legal" operations, such payments can be difficult to detect, particularly in emerging economies. ...
Article
In the past, the question whether formalization and internal control systems can be employed by firms as anti-corruption measures has received little attention. Based on a unique panel dataset of Vietnamese SMEs, this paper finds that when enterprises formalize, they have to pay more in bribes. The evidence supports the hypothesis that a legitimate corporation with a high level of visibility is more likely to feel constrained to pay bribes. Internal control, on the other hand, reduces bribe payments and legal breaches. Effective internal control mechanisms also reduce the favorable correlation between formalization and bribe payments. This suggests that in the absence of effective institutions, firms should develop appropriate internal control mechanisms to prevent the harm caused by bribery.
... In addition, companies, their boards, investors, and supply chain partners are demanding more with an eye toward better C-SCRM processes and verification of those processes (Olyaei et al. 2018;Eaton et al. 2019;Bissell et al. 2019;Frank, Grenier, and Pyzoha 2019). Yet, companies continue to struggle with getting beyond an enterprise centric view that focuses on firewalling a single organization from cyber threats to a broader extended enterprise realization that cyber risks from third parties, particularly tightly coupled supply chain partners, have substantial potential for allowing cyber-attackers through those security fortresses (Sutton 2006;Johnson 2016;Colicchia et al. 2019). ...
Article
Recognizing the need for effective cyber risk management processes across the supply chain, the AICPA issued a new SOC in March 2020 for assuring cyber supply chain risk management (C-SCRM) processes. This study examines supply chain relationship factors and cyber risk issues to better understand the demand for C-SCRM assurance. Resource Advantage Theory of Competition provides the conceptual foundation for assessing the dual drivers of relationship building and cyber risk management on demand for assurance. We use a field survey to collect data from 205 professionals enabling evaluation of the complex relationships in the theoretical model. Results support all hypotheses, provide satisfactory model fit, and support the underlying theory. Trust and cyber supply chain risk both positively influence demand for assurance over C-SCRM processes. This study expands the literature on cyber assurance by auditors and elaborates on overall supply chain processes that help drive value from auditors providing such assurance.
...
Employee uncertainty (absenteeism, illness): Quinn (2006) and Christopher and Peck (2004)
Uncertainty in demand: Huang et al. (2009) and Tang (2006)
Communication breakage: Faisal et al. (2006) and Sutton (2006)
Delivery failure: Ravindran et al. (2010)
Demand related ...
Article
The purpose of this paper is to develop a decision-making model for supporting the management of risks in supply chains. This proposed model is applied to the case of the oil industry in Nigeria. A Partial Least Square Structural Equation Model (PLS-SEM) is developed to measure the significance of the influence of risk management strategy on mitigating disruption risks and their correlations with the performance of activities in the supply chain and relevance of key performance measures in the organisation. The model considers seven aspects: behavioural-based management strategy; buffer-based oriented management strategy; exploration and production risks; environmental and regulatory compliance risks; geopolitical risks; supply chain performance; and organisational performance measures. A survey questionnaire was applied to collect data to populate the model, with 187 participants from the oil industry. Based on the PLS-SEM methodology, an optimised risk management decision-making method was developed and accomplished. The results show that a behavioural-based mechanism predicts the capacity of the organisation to manage risks successfully in its supply chain. The approach proposed provides a new and practical methodology to manage disruption risks in supply chains. Further, the behavioural-based mechanism can help to formulate risk management strategies in the oil industry.
... In today's complex business environment, corporations are exposed to innumerable challenges and their long-term success is threatened (Sutton, 2006). In addition, companies in all kinds of business area face different types of risks and thus risk management (RM) is critical for the business success (Bettis and Mahajan, 1990). ...
... Since the RM system helps individuals easily acquire RM knowledge, the more sophisticated level of RM system, the more likely individuals engage in RM behavior. Thus, providing organizational RM support should be implemented within the framework of an organization's RM policies, and go side by side with careful consideration of how risks or necessary changes impact the organization's internal system (Sutton, 2006). ...
Article
Purpose Effective risk management (RM) requires not only proactive prevention, but also reactive response where the role of individual managers is pivotal as they are the main players to perform RM behavior. Hence, the key questions related to effective corporate RM can be identified as how actively managers engage in RM behaviors and how well the firm supports their RM behavior. The purpose of this paper is to understand the mechanism of managers’ engagement in an active RM behavior and highlight the role of knowledge and organizational support in explaining the mechanism. Design/methodology/approach A structural model built on the theory of planned behavior and the institutional theory is proposed to empirically examine the factors affecting managers’ RM intention. The survey of 150 senior managers from different divisions of six major companies in Korean food industry was conducted. Findings The data analysis brings forward three key findings: individual factors (behavioral belief about RM, social pressure and RM knowledge) positively influence RM intention; organizational factor (organizational RM support) positively affects managers’ RM knowledge; and both individual and organizational factors are affected by organizational environment and/or RM championship. Originality/value This study contributes to the literature by identifying the mechanism in that managers perform RM behavior voluntarily. This study also contributes to the practice by informing practitioners of the importance of implementing a company-wide RM system and motivating managers for an active RM behavior.
... The 'extended enterprise' (EE) concept, in contrast to the VIE, has been defined by Davis and Spekman (2004, p. 20) as "… the entire set of collaborating companies…which bring value to the market-place…" and by Lyman et al. (2009) as "… a business value network where multiple firms own and manage parts of an integrated enterprise". This allows practices such as just-in-time (JIT) supply chain logistics (Sutton, 2006), collaborative innovation (Owen et al., 2008), and data warehouse interoperability (Triantafillakis et al., 2004) to be easily deployed across company boundaries; this is because an EE structure allows organizations to focus on their core business (usually the delivery of a complex product and or service) and technical activities whilst outsourcing non-core activities to other members in their extended enterprise (Thun, 2010). Thus, extended enterprises are conceived to be more agile than vertically integrated enterprises (VIEs) as they reduce cross-company barriers (Spekman and Davis, 2016). ...
Chapter
This chapter critiques trends in enterprise resource planning (ERP) in respect to contemporary multi-organizational enterprise strategy in order to identify under-researched areas. It is based on the premise that multi-organization strategies and information systems span more than one legal company entity and are becoming increasingly important as digital Internet based systems become more prolific, and outsourcing and collaboration between companies becomes more widespread. This chapter presents a critique of literature covering theoretical, methodological and relational aspects of enterprise resource planning systems and multi-organizational enterprise strategy. The critique gives a unique perspective and highlights four major gaps in current research and points towards a trend which is referred to in this chapter as ‘enterprization.' This research could help organizations make more effective use of their information and operations systems strategies when used across more than one company. It should interest researchers, teachers, IS developers and managers.
... The financial crisis has increased the pressure on the board of directors and top management in improving corporate governance practices such as enhancing effectiveness of internal control systems particularly emphasizing on the importance of risk management to achieve effective governance and control (Sutton, 2006;Desender, 2007). Many critics blamed weak corporate governance as one of the factors that causes major failure in risk management and as a contributing factor to the collapse of many major corporations in the fiasco. ...
Article
Corporate governance has been the subject of increasing interest following the 2008 global financial crisis. As a response to the crisis, Enterprise risk management (ERM) was introduced globally. Despite the claim that ERM is the solution for corporate governance deficiency, particularly in risk management practices, the number of empirical research studying this new field is still limited. Therefore, the current study has four research objectives that are; (i) to assess the extent of ERM practices, (ii) to identify corporate governance characteristics that influence ERM implementation (iii) to examine the association between ERM and firm value and (iv) to propose and develop the dimensions that can effectively measure ERM implementation. Eighty-one usable questionnaires were successfully collected and analysed using Partial Least Squares structural equation modeling method (PLS-SEM). The results of this study support that corporate governance characteristics (board size and board expertise) have a positive and significant association with ERM implementation. However, there is no significant evidence on the association between ERM and firm value. Therefore, the findings of this study will enable companies to have better understanding on corporate governance characteristics that influence ERM implementation and its effect towards firm value. The ERM index developed in this study will help companies and regulators to formulate better corporate governance and ERM practices. JEL Classification: M30, M41,
... The financial crisis has increased the pressure on the board of directors and top management in improving corporate governance practices such as enhancing effectiveness of internal control systems particularly emphasizing on the importance of risk management to achieve effective governance and control (Sutton, 2006;Desender, 2007). Many critics blamed weak corporate governance as one of the factors that causes major failure in risk management and as a contributing factor to the collapse of many major corporations in the fiasco. ...
Article
The 2008 global financial scandals have increased pressure on corporations to improve corporate governance practices particularly on risk management. As a response to the crisis, corporate governance reforms have been evidenced. Enterprise risk management (ERM) was introduced as one of the mechanisms that can improve corporate governance practices particularly on risk management. Since its introduction, ERM has received major attention from corporations. Despite the claim that ERM is the solution for corporate governance deficiency, the number of empirical research examining this new field is still limited. Thus, this study aimed at assessing the current development of ERM practices and identifying corporate governance characteristics that influence ERM implementation among Malaysian Shariah-compliant firms. The extent of ERM implementation was measured by using ERM Dimension index (ERMDi). A questionnaire survey was developed based on ERMDi to gather information on the extent of ERM practices. Four corporate governance characteristics were examined that are risk management committee (RMC), board size, proportion of non-executive directors and board expertise and its influence to ERM implementation. The data was analyzed by using Partial Least Squares and Structural Equation Modelling technique (PLS-SEM). Findings of this study show that the extent of ERM implementation among sample firms is at the moderate level and based on PLS-SEM analyses, board size and board expertise have a strong influence to ERM implementation. This study finds support that corporate governance characteristics have a positive and significant association with ERM implementation. The findings of this paper provide additional empirical evidence regarding the extent of ERM practices and corporate governance characteristics that would influence ERM implementation among Malaysian Shariah-compliant firms.