**2. Literature**

Academics disagree on the concrete constituents of ERM [16–18]. Consequently, its implementations vary substantially among companies [10, 19]. Considering ERM as a portfolio approach aiming to manage all critical risks holistically across the company and as an organisational function that creates competitive advantage is an emerging consensus [16]. However, developing resilience in the company's core competencies and seizing opportunities requires synchronising ERM with the firm's dynamic capabilities [20]. Therefore, ERM embodies change management requiring close cooperation between risk managers and business departments [21, 22].

#### *Communication and Leadership for Improving ERM Effectiveness DOI: http://dx.doi.org/10.5772/intechopen.107066*

A system's effectiveness requires incorporating the aspiration of the decision taker, who has authority and responsibility for the system and a primary concern for its performance [23, 24]. Therefore, ERM effectiveness depends on the formal power of the company's management and the informal power of the ERM unit. To gain this aspiration, ERM must support risk-informed or risk-based decisions in a disciplined way throughout the organisation [25]. Therefore, risk practitioners must understand what their stakeholders value [26]. Quantitative studies on ERM and firm performance identify risk committees as pivotal stakeholders [27–29]. Beasley et al. [30] identified the CEO and CFO as essential stakeholders who determine the success of ERM implementation.

Consequently, the quality of upward communication and leadership by risk professionals with committees, board members, and other management levels affects ERM effectiveness. However, communication and leadership are essential across the company to gain stakeholders' input to risk management processes and their ownership of outputs [22]. Accordingly, COSO [31] further identifies the business units' operational management and employees as important stakeholders.

In Germany, risk practitioners predominantly take an independent facilitator role in their companies [32]. According to Kaplan and Mikes [11], in this role, they avoid influencing formal decision-making but set agendas for highly interactive risk management discussions and facilitate risk communication up, down, and across the organisation. The authors conclude that independent facilitators contribute to ERM effectiveness as these roles reduce individual and group bias and, thus, enable more objective decisions. However, the lack of formal authority constitutes a challenge as it impedes risk practitioners from effectively challenging front-line staff [33].

### **2.1 Communication**

Organisational activities are based on interpretation and influenced by the characteristics of the environment [34]. How decision-makers understand risk information is, therefore, subject to how they make sense of it. Daft and Weick [34] term the cognitive process sensemaking. It can be described as the 'reciprocal interaction of information seeking, meaning, ascription, and action' ([35], p. 240).

The holistic ERM context renders the sensemaking process increasingly important. First, communication involves stakeholders from different business disciplines and diverse perspectives, objectives, and backgrounds [36]. Therefore, to go beyond gathering evidence, risk practitioners must incorporate subjective knowledge to create meaning of cues [12, 14, 26] and use boundary objects to manage knowledge across boundaries [22, 37, 38].

Second, risk is a social construction resulting from perceptions influenced by the social and physical environment and prior experience and knowledge [14]. Humans tend to use judgemental heuristics and ignore or discount essential information when thinking about risk [39]. Therefore, risk perceptions are highly resistant to information [40]. Additionally, organisational barriers and biases prevent information from being considered in decision-making [11]. Therefore, risk-related decisions increasingly rely on sensemaking [14].

Sensemaking depends on the activity of a pool of diverse actors addressing a range of organisational issues [7]. Risk experts can guide the sensemaking process of decision-makers by sensegiving, that is, influencing their sensemaking and meaning construction to redefine the organisational reality [41]. Using concepts of issue selling and knowledge management, Meidell and Kaarbøe [12] showed that sensegiving increases risk practitioners' influence during ERM implementation and development. Issue selling is the behaviour targeted at gaining others' attention to acknowledge and understand issues [42]. Involving the upper level, peers and others from the organisation and presenting issues in an evidence-based, logical, and coherent way supports getting buy-in [43].

Managing knowledge across knowledge domains is key to effectively cooperating with business units. Risk experts produce knowledge by analysing gathered data and information [26]. Transferring and integrating this knowledge between departments poses challenges. Depending on novelty and power positions, managing knowledge across boundaries requires creating common knowledge, interacting cross-functionally, and exploring and exploiting boundary objects [44]. Therefore, risk professionals manage knowledge within the organisation using shared language [19, 21, 22, 45], risk talks [11, 13, 45], and developing and introducing risk management tools [11–13, 37, 46].

### **2.2 Leadership**

Business executives consider risk management effectiveness as a leadership issue [47]. Leadership, the ability to influence, motivate, and enable others [48], is independent of formal titles or positions [49]. A participative leadership style based on openness towards ideas, new concepts, or novel products contributes to ERM effectiveness [50]. This leadership style emphasises collaboration and communication and works best for creating consensus and gaining input from others [51].

However, establishing a sound risk culture also requires creating a positive climate and applying a forward-looking and anticipatory practice [14]. To gain acceptance and appreciation, risk professionals must build relationships with business managers and executives [13] and understand their objectives and needs. Therefore, risk practitioners must likewise apply visionary and affiliated leadership styles, which involve developing and articulating a vision and building emotional bonds within the organisation [51].

The ability to influence organisational activities and decisions depends on available power sources. Position power is derived from legitimate authority [52]. It is affected by risk governance frameworks, such as the widely accepted Three Lines of Defence (3LoD) model. Davies and Zhivitskaya [33] criticise the model-inherent imbalance of power distribution. The Lehman Brothers bankruptcy exemplified that the dominance of business units in decision-making reduces risk management effectiveness [53].

The ERM unit's position power results from controlling the main information flow within the risk reporting system [54], pre-approval decision authority [55, 56], regulatory requirements [36], quality and credibility of their insights in strategic discussions [36], or design, control and use of risk tools [46].

Independent of the position, risk practitioners can develop personal power, particularly expert and referent power. Expert power facilitates risk talks [11, 13, 45]. It is gained through providing evidence and explaining reasons for requests or proposals, clear and confident communication, and listening thoughtfully to other persons' concerns and suggestions [52]. Therefore, practitioners must use a common language [21, 45] with a standard accepted vocabulary [22].

Referent power is increased by demonstrating trust and respect to others and showing concern for the needs and feelings of others, and can be exercised by role modelling [52]. Accordingly, Kaplan and Mikes [11] conclude that risk practitioners need strong interpersonal and communication skills to stimulate broad and wide-ranging discussions that result in qualitative and subjective risk assessments.
