*Perspectives on Risk, Assessment and Management Paradigms*

by God (Allah) to a person. However, during the Renaissance, in Europe this was given the meaning of an uncertain loss or danger Doff, [1].

Following the economic and financial crises of this century, any activity involving internal controls, especially risk management, has been given more attention and importance. This, as noted in the World Economic Forum [2], was due mainly to the successful results of effective risk management during periods of global economic turbulence [8]. In fact, as Ghoshal [3] highlighted, one of the main objectives of any organisation is to manage their risk.

However, the treatment and understanding of risk, and as a consequence its management, varies both in literature and in practice. Moreover, as March and Shapira [4] note, the strategic management field does not provide us with one specific accepted definition of risk, and they highlight that most managers view risk as a negative outcome.

Hillson [5] defines risk as an "uncertainty that matters because it can affect one or more objectives". Also, the literature [6] shows that one needs to distinguish between the known, unknown and unknowable uncertainties before defining what constitutes a risk and, as a consequence, managing it under the risk management process. Unknowable uncertainty is when the missing information is unavailable to all; known uncertainty is when the probability is an objective chance and is generally agreed upon; and unknown uncertainty is when the probability may be or is known by somebody [6].

The strategy of any organisation has to deal with the alignment to its uncertain environment and to rebalance its strategic choices to determine the exposure to this uncertain environment, which impacts performance. To this effect, various studies have focussed on understanding the risk management discipline and practices of firms in specific activities, areas and countries. Moreover, the effectiveness and efficiency of appropriate practices in risk management is critical for the continued existence, industry profitability and for the continual development and growth of the whole economy. It is imperative that all organisations adopt good quality practices and measures when managing risks [7].

With this study, we aim to contribute further to the existing literature on risk management by looking at practices adopted by financial services firms licenced in Europe with a Mediterranean connection, specifically Cyprus, France, Italy, Spain, Croatia, Greece, and Slovenia, extending and comparing to the work of Bezzina et al. [7] on Malta. We chose members which, although they have inherent country and cultural diversity and are joined by their geographical border with the Mediterranean Sea, aim for a level regulatory and economic playing field through their union in the European Union (EU) and the Euro-Mediterranean partnership [8].

When dealing with financial services firms in the EU, this regulatory level playing field is much more pronounced, since financial firms are required to abide by common directives such as the Capital Requirement Directive (CRD) in banks and investment firms, Solvency II (SII) in insurance firms and other soft laws. This is likely to make the sample more representative and the empirical results more generalisable. It will also shed light on whether the European Union, within the Euro-Mediterranean region and the Euro-Mediterranean Partnership (EMP), has brought these countries closer together in practices, specifically when dealing with risk and its management.

We use part of the questionnaire adopted by Bezzina et al. [9] in their paper on risk management practices adopted by Maltese financial services firms, to collect our data and (1) bring to light the mechanisms and strategies used in risk management by these organisations to maximise their opportunities, manage their risks,

**2. Literature**

We can cite various studies dealing with risk management practices in different areas, industries, regions and countries. For example, a study on risk management practices in the Ghanaian insurance industry by [7] revealed that companies insuring life, unlike companies insuring non-life, have their risk appetite level statements recorded. This enables the identification of which risks to take on and which to transfer. Moreover, the study found that the industry lacks adequately skilled personnel and that risk management is reactive, a response to regulatory directives. Other surveys of the UK insurance industry showed that the response by most insurance firms to risk management regulations was perfunctory, rather than being seen as good business practice [10].

Another study by [11] on risk management practices of German firms revealed that participants showed no difficulty in developing a risk management system and rated business survival as the top risk management goal. Moreover, they showed that respondents are more risk-neutral than risk-averse for financial risks, and that 88 percent use derivatives.

Bankers operating in Barbados perceived risk management as critical to the performance of their banks; with operational risk, credit risk, country/sovereign risk, market risk and interest rate risk being their greatest exposures [12], while those operating in Bahrain show a clear understanding of both risk and risk management and have efficient risk assessment analysis, risk identification processes, credit risk analysis, risk monitoring and risk management practices with credit, liquidity and operational risk being the most prominent risks faced by both conventional and Islamic banks [13].

A study on Islamic banks in Pakistan showed that they are efficient in managing their risks, revealing that the most influential variables in the risk management process were understanding risk and risk management, risk monitoring and credit risk analysis [14]. On the other hand, Hassan [15] found that the Islamic banks in Brunei Darussalam consider foreign-exchange risk, followed by credit risk and then operating risk, as the 3 most important risks. He also noted that Islamic banks are very efficient, mainly in risk identification, assessment and analysis.

A further study by Sifumba et al. [16] revealed that personnel of manufacturing SMEs in Cape Town are not aware of the elements that make risk management effective. In Malta, by contrast, Bezzina et al. [8] found that financial firms have a strong culture of efficient and effective risk management practices that add value and are linked to well-defined objectives, with corporate social responsibility embedded within the organisations' risk management corporate strategies and corporate culture. Miloš Sprčić et al. [17], in a study on Croatian companies, find that risk management system development depends only on the value of the growth options and the size of the company.

#### **2.1 Risk management strategies and mechanisms**

Any organisation's strategy needs to deal with an uncertain environment. Therefore, organisational strategic choices will determine the organisation's exposure to an uncertain environment and constituents that impact their performance. "Exposure" is defined as the sensitivity of an organisation's cash flows to changes in interrelated uncertain variables. An organisation's emphasis on specific, particular uncertainties (the particularist view) rather than multidimensional uncertainties is a significant shortcoming. The former view, by isolating specific uncertainties, excludes other interrelated uncertain variables. In fact, the literature in financial services emphasises uncertainties for which hedging or insurance instruments can be designed to manage organisational exposures, while omitting some uncertainties that are encountered in overall strategic management decisions. The alternative view is where management takes a general approach to risk and gives explicit consideration to numerous uncertainties (the integrated risk management perspective) [18].

Das and Teng [19] build on the latter and suggest that, to effectively manage risks and reduce unwanted risks, organisations need to examine the inter-relationship between trust, control and risk using an integrated framework covering the three constructs. They note that firms need to manage their risks by determining the conjoint roles of these constructs in the context of their objectives and strategies.

It has therefore always been a must for every leading firm to ensure that the process of identifying risk and managing it, is an explicit part of the strategic plan, and that there is a buy-in from all levels of their organisation. Risk management should be seen as a systematic effort that is pervasive through all operating units, be it in the front, mid or back office, right in line with growth areas targeted for investments or any critical support functions. Risk management must matter to the organisation and to the person whose occupation and responsibility is defined by it [20].

The risk manager or officer is responsible for initiating the process of determining the risks faced by the company, based on the strategy, determining the mandatory and voluntary barriers and putting in place a risk management strategy to achieve objectives with the fewest problems. That is the objective risk assessment process, which depends on the organisation and on the plan and tactics to arrive at that objective [21].

Stulz [22] offers us theoretical evidence showing that risk management practice within firms is limited. Marshall and Heffes [23] report that only 11 percent of "more than 90 percent of the executives who say they are building or want to build enterprise risk management (ERM) processes into their organization report they have completed their implementation. The survey results indicate that more than two-thirds of both boards of directors and senior management staff consider risk management to be an important responsibility". COSO's recent survey [24] findings show unsatisfactory results for the implementation of ERM showing that "60 percent of respondents say their risk tracking is mostly informal and ad hoc or only tracked within individual silos or categories as opposed to enterprise-wide."

#### **2.2 Risk management and principled performance**

As explained in Bezzina et al. [8] we again adopted the Open Compliance and Ethics Group's (OCEG) standard's concept of integrating internal controls "(the Governance, Risk Management and Compliance (GRC) capability model) into one main function [24]. This as suggested by these authors and OCEG, helps to "improve quality and performance, by providing tools that can measure and enhance corporate culture within an integrated environment." This structure is said to be the main determinant of the achievement of 'Principled Performance' as defined by OCEG. That is "reliable achievement of objectives while addressing uncertainty and acting with integrity." [21].

*Risk Management Practices Adopted by European Financial Firms with a Mediterranean… DOI: http://dx.doi.org/10.5772/intechopen.80640*

"OCEG in their definition of 'Principled Performance' emphasises the unambiguous articulation of a firm's objectives in financial and non-financial form. It outlines the methods and boundaries that would be adhered to while achieving the set targets." They continued to note that 'Principled Performance' in a financial firm can be achieved with clearly defined objectives, goals, values and a transparent, effective flexible mechanism, which enables continuous improvement to address risks and vulnerabilities within established boundaries [25].

Mitchell [25] continues by highlighting that, mainly if the existing structure offers a competitive advantage, GRC requires function integration without the need for operations consolidation. One can replicate the strengths of approaches, communication, technology used and reporting integration across the whole business to benefit from reduced errors, better information quality, and reduced costs. The GRC 360 Capability Model, 2009 specifies that, while culture, structure and the organisation play an essential role in the overall performance of a company, people, process and technology are crucial for principled performance.

#### **2.3 Risk management abilities and competitive advantage**

Creativity is lost if we only think of risk management as a way to minimise risk. We need to take risks and if and when they go in some unwanted unpredictable path, we need to be able to respond to them [26]. Kannan and Thangavel [27] note that every major advance in human civilization was possible because someone was willing to take a risk and challenge the status quo.

Enterprise risk management (ERM) promotes risk management as a more strategic responsibility and emphasises that, if effectively implemented, it can create a long-term competitive advantage [28]. However, Slywotzky and Drzik [29] suggest that many companies still treat ERM as an extension of their internal control processes, while only a few companies use their risk management abilities as a source of competitive advantage. In fact, these companies go beyond internal controls and cost-controlling (defensive and reactive approaches), taking a more aggressive and proactive stance towards risk. They have understood that managing risk is a source of leverage to gain competitive advantage [30].

Ehsan [30] limits the risks faced by a company to two major types, rewarded and unrewarded risks, and continues to note that the way through which capabilities of risk management can increase competitive advantage depends mainly on the type of risk exposure the company has. Rewarded risks are those risks that are expected to gain us some type of benefit, that is, risks taken to create value that are consequences of our decisions. Unrewarded risks are usually brought about by external forces, such as natural disasters, industrial accidents, theft, pandemics, etc., and have no potential value in them. The ability to effectively deal with these risks has an important impact on the company's performance and thereby its competitive advantage.

In his seminal book, Porter [31] argues that "there are two major ways that a company can gain competitive advantage over its competitors: cost advantage, and differentiation". Risk management capabilities can help to affect the company's costs and the value it creates for stakeholders. Moreover, in theory, since risk management is a proactive activity, it can help create preparedness and advanced warnings for disruptions (i.e., to ensure business continuity). This differentiates these companies from their competitors giving them a competitive advantage [30].

