Journal of

Risk and Financial

Management

Article
Triangulating Risk Profile and Risk Assessment: A Case Study
of Implementing Enterprise Risk Management System
Abol Jalilvand 1, * and Sidharth Moorthy 2

1 The Quinlan School of Business, Loyola University Chicago, 16 E. Pearson, Chicago, IL 60611, USA
2 Morgan Stanley, Mumbai 400013, India; [email protected]
* Correspondence: [email protected]

Abstract: Establishing an enterprise risk management (ERM) system is widely viewed as providing
firms with the tools and processes needed to build resilience and expertise, enabling them to manage
the consequences of crises that have led to the collapse of major firms across different industries
globally. Intended for use in advanced accounting, auditing, and finance courses, this case study (of a
true event) describes the development and implementation of an ERM system for a U.S. multinational
nonprofit firm during the 2015–2021 period. The case study’s main learning objectives are several-fold.
First, couched within the recent economic environment, it informs students on some of the more
important academic and applied research on corporate risk management. Second, students will learn
to analyze the content of a questionnaire designed to capture the integrated effects of the firm’s risk
culture, risk structure, risk governance, and control for establishing its risk profile. Third, they will
learn to create and apply multi-dimensional risk indices to measure and prioritize the firm’s risk
exposures. Finally, the last learning outcome focuses on strategies to triangulate the firm’s overall
risk profile and risk prioritization results to construct mitigation strategies that build resilience and
create value through risk diversification, information signaling, the exploitation of natural hedges,
and enhancing the board’s governing efficiency. The nonprofit nature of the firm in this case study
introduces no methodological or conceptual constraints or limitations in applying the proposed risk
management methodologies to for-profit or publicly traded firms.
Citation: Jalilvand, Abol, and
Sidharth Moorthy. 2023. Keywords: risk profile; enterprise risk management (ERM); accounting and finance education; risk
Triangulating Risk Profile and Risk maturity model; multi-dimensional risk indices; mitigation strategies
Assessment: A Case Study of
Implementing Enterprise Risk
Management System. Journal of Risk
and Financial Management 16: 473.
1. Introduction
https://doi.org/10.3390/
jrfm16110473 Beyond the disruptions from the 2007–2008 financial crisis and the recent COVID-19
pandemic, we continue to witness the demise of major firms across different industries
Academic Editor: Khaled Hussainey
resulting from known and unknown economic, social, and geopolitical risks. Recent
Received: 15 September 2023 evidence includes the collapse of the Silicon Valley Bank, the second largest bank failure
Revised: 18 October 2023 in U.S. history after that of Washington Mutual in 2008, the failure of Bed Bath & Beyond,
Accepted: 27 October 2023 the fall of the Sears Holding Corp, and the acquisition of Credit Suisse by the Swiss
Published: 3 November 2023 investment bank UBS Group AG.1 In response, unprecedented levels of fiscal and monetary
interventions have been introduced to protect the global economy from a total collapse. For
example, in response to the economic challenges resulting from the recent pandemic, the
U.S. Treasury was responsible for administering over USD 1 trillion in American Rescue
Copyright: © 2023 by the authors.
Plan programs and tax credits to the industry and consumers during the 2020–2021 period.
Licensee MDPI, Basel, Switzerland.
In tandem, the Federal Reserve aggressively maintained a near-zero interest rate policy,
This article is an open access article
distributed under the terms and
providing sustained liquidity for supporting economic activities. Similar arrays of monetary
conditions of the Creative Commons
and fiscal policies were also implemented by other countries worldwide. While corporate
Attribution (CC BY) license (https:// risk management has been a popular topic in the academic and professional literature,
creativecommons.org/licenses/by/ the dynamics of the relationship between a firm’s risk profile and metrics to measure its
4.0/). overall risk exposure have received much less attention. There is a need for developing

J. Risk Financial Manag. 2023, 16, 473. https://doi.org/10.3390/jrfm16110473 https://www.mdpi.com/journal/jrfm

J. Risk Financial Manag. 2023, 16, 473 2 of 17

systematic approaches that triangulate such qualitative and quantitative characteristics,

aiming to construct mitigation strategies that build resilience and create value through risk
diversification, information signaling, the exploitation of natural hedges, and enhancing
the board’s governing efficiency.
Based on an actual event, we provide a clinical case study to address this gap in the
literature through the development, implementation, and post-implementation review
of establishing an enterprise risk management (ERM) system for a U.S. multinational
nonprofit firm during the 2015–2021 period. Despite this paper’s focus on a nonprofit
firm, the proposed methodologies introduced in this case study are fully generalizable and
scalable to any privately held or publicly traded firms. The firm is anonymized to protect
the scope and scale of its operations, and its employees. The case study is designed to equip
students in advanced accounting, auditing, and finance courses with the knowledge and
tools to prioritize a firm’s risks and establish mitigation strategies, with their performance
being reviewed post-ERM implementation. The key case-study learning objectives are
listed below.
 Couched within the recent economic environment, it informs students on some of the
more important academic and applied research on corporate risk management.
 Students will learn to analyze the content of a questionnaire designed to capture the
integrated effects of the firm’s risk culture, risk structure, risk governance, and control
for establishing its risk profile. In this sense, students understand that risk interactions
and aggregations are key components of establishing an effective risk management
system.
 Students will learn to create and apply multi-dimensional risk indices to measure
and prioritize the firm’s risk exposures. These indices cover a wider range of relevant
risk parameters, including the difference between inherent and residual risks and the
dispersion in cognitive perception of different risk exposures within the firm.
 Finally, the last learning outcome focuses on strategies to triangulate the firm’s risk
profile and risk prioritization results to construct mitigation strategies that build
resilience and create value for the firm.
Despite its educational focus, the case study also contributes to the existing literature
by advancing powerful statistical approaches for analyzing the dynamics of qualitatively
based questionnaire data. Specifically, as discussed in more detail in Section 4, these
techniques are applied to measure the convergence and implied informational content of
different sets of questions in the questionnaire.
In the balance of the paper, Section 2 provides an overview of the studied firm’s
operations and financial performance and the evolution of its risks in recent years. The
literature on the institutional development and valuation implication of enterprise risk
management (ERM) is provided in Section 3. Sample selection and the development of
the questionnaire are discussed in Section 4. Methodologies to analyze the questionnaire
data are explained in Section 5. Information on the observed drivers of risks and their
influence in developing established mitigation strategies are provided in Section 6. Finally,
the conclusion and the case requirements are detailed, respectively in Sections 7 and 8.
Detailed instructor’s notes are discussed in Appendix A.

2. Background on the Firm

The firm is a U.S. multinational nonprofit established in 1990 focused on develop-
ing and delivering educational, training, and student exchange programs for the public
and private sectors in Asia, the Middle East, and North Africa, collectively serving over
100 countries. The firm’s total full-time and part-time staff comprise over 5000 people,
distributed over 200 field offices throughout the world. With an annual revenue of USD
500 million in 2015, the firm has been consistently increasing its impact and revenue sources
globally. Government and non-government grants, tuition fees, program administration
fees, fundraising, and investment income have traditionally been the primary sources of
revenue. The period from 2015 through 2017 highlighted the growing impact of different
J. Risk Financial Manag. 2023, 16, 473 3 of 17

risks that diminished profitability and market share. As shown in Table 1, overall, gov-
ernment grants (accounting for approximately 60% of annual revenues), tuition income,
and administrative fees were sharply reduced by approximately 12% during the 2015–2017
period. More broadly, the total revenue declined by 11.74% in the same period. Currency
volatility increased the FX risk and the inability to maintain adequate levels of liquidity
constrained operational efficiency. Restrained regulatory environment, enhanced visa
restrictions, supply chain bottlenecks, and other geopolitical developments in the U.S. and
abroad put further pressure on financial performance. Student-related data and other types
of proprietary information were breached. As a result, overall activities were sharply re-
duced, destroying the firm’s net surplus by approximately 25.29% for 2015–2017. The need
to establish a more formal approach to managing the firm’s exposures was emphasized by
its board of directors in 2017.

Table 1. Consolidated statement of revenues and expenses: 2015–2017 (USD millions).

2015–2017
Revenues 2017 2016 2015
Change
Government Grant 275.0614 295.4502 313.2000 −12.18%
Non-Government Grant 22.0650 23.6250 25.0000 −11.74%
Tuitions 92.1876 98.7053 104.4500 −11.74%
Administrative Fees 41.9235 44.8875 47.5000 −11.74%
Fund Raising 1.8700 2.2500 2.7500 −32.00%
Investment Income 3.2500 2.2900 1.5000 116.67%
Other Income 4.9426 5.2920 5.6000 −11.74%
Total Revenues 441.3000 472.5000 500.0000 −11.74%
Expenses
Student Exchanges 143.0067 147.2570 156.8825 −8.84%
Program Expenses 153.1890 169.8350 170.8000 −10.31%
Salary and Pension 88.6176 92.2720 98.2000 −9.76%
Depreciation and Amortization 2.2654 2.2700 2.3846 −5.00%
Repair and Maintenance 1.2180 1.3100 1.4329 −15.00%
Transportation 33.1757 37.2810 43.3500 −23.47%
Taxes 1.1900 1.3000 1.2000 −0.83%
Miscellaneous Expenses 5.9378 6.5250 8.7500 −32.14%
Total Expenses 428.600 458.050 483.000 −11.26%
Net Surplus (Deficit) 12.7000 14.4500 17.0000 −25.29%

3. ERM Literature Review

In early 2000, a coordinated regulatory and institutional effort in the U.S and Canada
(Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Toronto
Stock Exchange Dey Report, the Risk Management and Insurance Society, and several
global rating agencies, including Moody’s and Standard & Poor’s) introduced processes
and metrics to increase the maturity of ERM systems.2
Academically, beginning with Miller and Modigliani (1958)’s classic article in 1958,
there has existed an extensive literature in corporate finance that assumes a perfect market
environment in which to analyze firm behavior. One logical conclusion of these perfect
market analyses is that a firm’s debt-to-equity decision and, by implication, its risk manage-
ment decision, is irrelevant and has no impact on firm value. While this “perfect market”
analysis provides useful insights into the behavior of corporations, it has the disturbing
feature of denying, by assumption, many of the features (“imperfections”) of financial and
economic activity that give rise to corporations in the first place.
When perfect market assumptions are relaxed, different types of analytical and eco-
nomic issues arise. The existence of market imperfections, such as corporate taxes, implies
that financing decisions may affect the value of the firm through the risk–return tradeoffs
inherent in the use of debt versus equity capital (Miller and Modigliani 1963). The differen-
J. Risk Financial Manag. 2023, 16, 473 4 of 17

tial personal taxes on interest versus dividend income provide a different picture of the
risk–return tradeoffs in the use of debt versus equity capital (Miller 1977). Bankruptcy
costs, costly information, external capital costs, and agency costs yet provide a strong
incentive for a firm to search for an optimal debt-to-equity position by actively managing
both its systematic and unsystematic risk exposures (Kraus and Litzenberger 1973; Ross
1977; Leland and Pyle 1977; Froot et al. 1993; Jensen and Meckling 1976).
At the level of the enterprise, researchers have argued that the evaluation of risk and
return at the project level does not allow for optimization at the corporate level as risk
diversification and correlations are ignored. Furthermore, risk interactions and aggregation
are expected to improve internal decision-making, ultimately contributing to the firm’s
value through more efficient capital allocation (Nocco and Stulz 2006; Rosenburg and
Schuermann 2006; McShane et al. 2011; Hoyt and Liebenberg 2011). More specifically,
Lindberg and Seifert (2011) and Farrell and Gallagher (2014) find a highly significant 25%
value effect for firms that are considered mature in their ERM approach. Other sources of
value creation through effective risk management include lowering a firm’s overall cost
of capital (Samanta et al. 2004; Hoyt and Liebenberg 2011; Shad et al. 2022), signaling the
firm’s overall risk profile (Hoyt and Liebenberg 2011), optimizing executive compensation
(Grace et al. 2014), enhancing risk diversification, benefiting from natural hedges, and
improving governance of the enterprise’s risk (Nocco and Stulz 2006; McShane et al. 2011;
Hoyt and Liebenberg 2011; Beasley et al. 2005), among others. More recently, Hristov et al.
(2022) used semi-structured interviews with a total of 75 senior and middle managers
from 25 different Italian companies to provide an approach to integrate enterprise risk
management (ERM) and a performance management system (PMS). They find that PMS
processes, built on a specific set of key risk indicators (KRIs), could enable the companies
to achieve economically and environmentally sound performance. Focusing on the oil
and gas industry in Malaysia, Shad et al. (2022) find that an increase in the maturity of
ERM implementation reduces the cost of capital, which they argue is a possible mechanism
through which ERM increases firm value. Focusing on actual cases, Harrington et al.
(2002) documented the risk management program at United Grain Growers (UGG), a
Canadian agricultural services company. Their study shows that the company identified
and prioritized its exposure to risks including environmental liability, weather-related
effects, counterparty, credit policy, and commodity prices. The mitigation strategy also
included a general integrated loss and liability insurance contract offered by Swiss Re-
insurance. In a different case study, Aabo et al. (2005) described the risk management
program at Hydro One, a large publicly traded Canadian utility company. Hydro One
adopted an integrated approach to examine its overall risks in response to deregulation,
emerging competition in the energy sector, and increased scrutiny on corporate governance.
Further evidence on ERM maturity was developed by Fraser and Simkins (2010) and Fraser
et al. (2014).

4. Sample and Questionnaire Data

As shown in Table 2, a plan of action was developed to determine the firm’s risk profile
and establish an integrated risk management system. Key elements of the plan included
the selection of a sample of risk owners, administering a risk management questionnaire,
prioritizing potential risks, and, finally, constructing mitigation strategies. Specifically,
a group of 30 participants was selected, representing senior executives (40%) and board
members (10%), with the balance of 50% representing the field managers globally.
J. Risk Financial Manag. 2023, 16, 473 5 of 17

Table 2. Plan of action to develop the enterprise risk management (ERM) program.

Identify a representative and diverse group of functional risk owners

Sample of Risk Owners (managers/executives in field offices with major P/L responsibilities),
senior executives, and board members.
Develop and deliver a short educational module for the sample
Education group to create a uniform level of understanding on the dynamics
and application of ERM.
Administer and analyze a focused questionnaire covering multiple
Questionnaire risk management areas including risk culture, risk recognition, risk
organization, risk governance, risk control, and risk measurement.
Synthesize and compile the results obtained from the questionnaire.
Synthesis and Risk
Develop a detailed multidimensional risk table identifying and
Assessment
prioritizing the existing and potential risks.
Mitigation Develop mitigation strategies for the top risks.
Review and assess, on an ongoing basis, the effectiveness of the
Review
proposed risk management system.

To identify the firm’s risk profile and measure the impact of its overall risk exposure,
a questionnaire was developed addressing risk culture (14 questions), risk recognition
(9 questions), risk organization (8 questions), risk governance (9 questions), and risk control
(10 questions), Table 3. Both verbal and coded responses, using the 5-level scale from the
RIMS RMM (Table 4), were requested. Furthermore, following the example of Aabo et al.
(2005), the respondents’ input was continually circulated to arrive at an optimal level of
consensus and a convergence of opinion.3 In addition, exploratory factor analysis (EFA)
and Cronbach’s alpha (α) test (Fabrigar et al. 1999) were used to establish the internal
consistency of the risk data (Jalilvand and Moorthy 2022).
Focusing on risk assessment, a set of 10 structural risk categories (Table 5) was consid-
ered: operations, financial and markets, regulatory and legal, strategic, human resources,
innovation, geopolitics, credit, information security, and reputation. Identifying 3–5 risk
events in each of the 10 risk categories, data on estimates of the likelihood of occurrence,
impact on annual revenue growth, and the level of existing control were collected (Table 6).

Table 3. Key areas determining the risk profile.

Risk Areas Definition

The questions in this segment are designed to elucidate the interplay
Risk Culture between the organization’s strategy, goals, decision-making
processes, risk appetite, and risk management philosophy.
The questions in this segment focus on the board structure, processes,
and levels, and the effectiveness of the board’s involvement,
Risk Governance
knowledge, and transparency in devising strategies to carry out risk
management decisions.
This section focuses on the administrative and operational nature of
Risk Organization capturing, communicating, reporting, monitoring, and compliance
related to risk management actions.
This segment is designed to elucidate the organization’s ability to
Risk Recognition identify risks, distinguish risks from opportunities, recognize risk
metrics, and increase awareness of fraudulent activities.
The questions in this segment have been designed to gauge the firm’s
Risk Control
level of existing control regarding overall risk exposure.
Devise and implement consistent multi-dimensional risk indices,
Risk Assessment
which are used to assess and prioritize potential categories of risks.
J. Risk Financial Manag. 2023, 16, 473 6 of 17

Table 4. The Risk and Insurance Management Society’s five-level risk maturity model: RIMS RMM a .

Maturity (Level) Maturity-Level Characteristics

This implies an extremely primitive level of ERM maturity, where risk
Ad hoc (1) management typically depends on the actions of specific individuals,
with improvised procedures and poorly understood processes.
Risk is managed in silos, with little integration or risk
Initial (2) aggregation.Processes typically lack discipline and rigor. Risk
definitions often vary across the silos.
A risk assessment framework is generally in place, with the Board of
Repeatable (3) Directors being provided with risk overviews. Approaches to risk
management are established and repeatable.
Enterprise-wide risk management activities, such as monitoring,
Managed (4) measurement, and reporting, are integrated and harmonized, with
measures and controls established.
Risk-based discussions are embedded at a strategic level, such as
long-term planning, capital allocation, and decision-making. Risk
Leadership (5) appetite and tolerances are clearly understood, with alerts in place to
ensure that the board of directors and the executive management are
made aware when risk thresholds are exceeded.
a Adapted from Lindberg and Seifert (2011), and Farrell and Gallagher (2014).

Table 5. General risk categories.

Risks resulting from inadequate or failed procedures, systems, processes, or policies. It includes
Operational Risk employee errors, business interruptions, fraud or other criminal activity, equipment failure,
logistical bottlenecks, third-party liability, employee safety, timeliness, and accuracy.
Risks resulting from a shortfall in revenues and/or cost escalation, accumulated losses,
diminished liquidity, problems in meeting financial obligations, diminished credit rating,
Financial and Market Risk
forecasting and valuation errors, audit problems, portfolio losses, and poor hedging against
market volatility (interest rates, exchange rates, and stock prices).
Risks resulting from lawsuits and unpredictable changes in the local and global regulatory
Regulatory and Legal Risk
environment and from noncompliance with statutory and accreditation rules.
Risks resulting from poor articulation and communication of goals and strategies, misalignment
Strategic Risk of the strategic plan and corporate governance, an uninformed board, and a lack of established
and effective review processes.
Risks resulting from problems in employee recruitment and retention, low labor productivity, and
Human Resources Risk
a sub-optimal compensation system.
Risks resulting from inertia in identifying and implementing new products and services in local
Innovation Risk
and foreign markets in response to political, macroeconomic, and market changes.
Risks resulting from political changes, sanctions, travel bans, economic and political retaliation,
Geopolitical Risk
and the nationalization of foreign assets and establishments.
Risks resulting from competition, economic slowdown/slow recovery, supply chain disruption,
Credit Risk embargoes, customer attrition, changes in customers’ expectations and demand, and changes in
customers’ financial capacity.
Risks resulting from cyber security attacks and hacking, using outdated and inefficient
Informational/Security Risk
information systems (technology obsolescence), and communication system failure.
Risks resulting from a decline in or lack of brand and image, the loss of customers’ trust, negative
Reputation Risk
publicity, recruitment challenges, and fundraising problems.
J. Risk Financial Manag. 2023, 16, 473 7 of 17

Table 6. Risk assessment metrics: likelihood, impact, and control a .

Panel A. Likelihood (P) Control (C) a

Very Low Low Medium High Very high
Ad hoc Initial Repeatable Managed Leadership
p < 0.15 0.15 < p < 0.3 0.3 < p < 0.5 0.5 < p < 0.75 p > 0.75
Panel B. Impact on Revenue Growth (G) b
Very Negative Negative Neutral Positive Very Positive
−25% < G < −50% 0% > G < −25% 0% 0% < G < 40% G > 40%
a Risk and Insurance Management Society five-level risk maturity model: RIMS RMM; b mid-point ranges for
likelihood and impact are used to calculate the expected values.

5. Risk Profile and Risk Assessment

The returned questionnaires (100% response rate) were all usable. Following the
example of Jalilvand and Moorthy (2022), for internal consistency and relevance, the
questionnaire was further streamlined, resulting in 7 questions for risk culture, 5 questions
for risk recognition, 6 questions for risk organization, 6 questions for risk governance,
and 6 questions for risk control. Coded responses to questions were averaged across all
respondents using the 5-level scale from the RIMS RMM, Table 7.

Table 7. The questionnaire’s results.

Risk Areas Average Score Sectional Average

Risk Culture
Overall, is the firm willing to take any magnitude of risk in order to achieve strategic
2.37
objectives?
How are the critical competencies of the firm structured, in a range from “Operational” to
2.61
“Entrepreneurial”?
How do you describe the reward structure of the company, in a range from “Margins and
2.63
Productivity” to “Milestones and Growth”?
Is the organizational culture:
-“Efficiency, Low Risk, Quality, Customers”, 2.70
2.98
-“Risk Taking, Speed, Flexibility, and Experimentation”, or
-somewhere in between?
Rate the leadership role from being “Authoritative and Top Down” to “Visionary and
2.77
Involved”.
How would you rank the strategic and related objectives defined by the organization, in a
2.82
range from “Unclear and Unfocused” to “Planned and Transparent”?
Based on the reflection above, rate the firm’s overall risk management culture. 2.75
Risk Recognition
What type of forces, internal and external, impact the risk management culture described
2.85
above, in a range from “Entirely Internal” to “Entirely External”?
Rate the organization’s ability to distinguish risk vs. opportunity. 2.19
What are the most relevant assessment metrics for quantifying significant measurable 2.85
risks and incorporating them into the decision-making process, in a range from “Entirely 3.05
Qualitative” to “Entirely Quantitative”?
How susceptible is the firm to fraud? Which areas are most susceptible to the same? 3.45
Based on the reflection above, rate your department’s overall risk recognition capabilities. 2.69
J. Risk Financial Manag. 2023, 16, 473 8 of 17

Table 7. Cont.

Risk Areas Average Score Sectional Average

Risk Organization
How effective is the organization in capturing risk information and communicating it to
1.82
various constituencies (government, donors, clients, staff, and the board)?
Do communication barriers exist within the organization when addressing risk? 3.42
How often do you think the senior management involves the board and staff during the
2.93 2.70
strategy-setting process, including when making decisions to accept or reject risk factors?
Rate the activities of writing down, prioritizing, and disseminating risk. 3.56
Rate the risk monitoring and reporting system within the organization. 2.36
Based on the reflection above, rate the firm’s risk management organizational capacity. 2.12
Risk Governance
Rate the board’s understanding of the organization’s priority risks and how those risks
2.37
should be addressed.
How much do the senior executives involve the board in the assessment of strategic risks? 3.07
Rate the frequency with which the company revisits its risk assessment to determine
whether the circumstances and conditions have changed or whether there are new 2.56
emerging risks. 2.47
How confident are you about the organization not taking significant risks without the
1.79
board’s knowledge?
How effective do you consider the organization’s risk management culture and
2.73
governance functioning to be?
Based on the reflection above, rate the alignment between risk management and
2.32
governance at the firm.
Risk Control
How well-defined are the risk management goals in terms of ongoing strategic activities:
3.12
in a range from “Unclear and Unfocused” to “Planned and Transparent”?
How do you rate the quality, reliability, and relevance of the risk reporting? 2.76
How effective are the ongoing monitoring activities (e.g., compliance monitoring, risk
2.93
management group, board monitoring, etc.)?
3.10
Rate the risk measuring methodology adopted by the firm when each risk is measured, on
3.20
an individual level.
Rate the risk measuring methodology adopted by the firm when each risk is measured, on
2.09
an enterprise level.
Does the company have a rising learning curve with regard to its risk assessment and
4.47
management process?

The risk measurements are reported in Table 8. These variables are the result of two
averaging processes across 30 respondents and more than 10 risk categories, resulting in
a range of 900 to 1500 observations for each variable. Furthermore, two new qualifying
indices were added to the mix to provide measures of the convergence of opinion among
respondents regarding likelihood, impact, and control, respectively, calculated as the ratios
of the standard deviation of the expected impact on annual revenue growth and average
control, divided by their means. Large values of these ratios signal a lack of convergence
of opinion (the presence of input noise) among the respondents, thereby qualifying a
particular risk category as being ranked low in the hierarchy of risk areas.
J. Risk Financial Manag. 2023, 16, 473 9 of 17

Table 8. Risk matrix: the average expected impact is the product of the average probability by average
impact for each risk category. Opinion convergence (expected impact) is the ratio of the standard
deviation of expected impact for each risk category, adjusted by its mean. Opinion convergence
(control) is the ratio of the standard deviation of average control for each risk category, adjusted by
its mean.

Average Average Average Variance Variance

Risk Category
Probability Impact Control Expected Impact Control
Strategic Risk 46.46% −0.3444 4.23 0.0129 0.3085
Innovation Risk 54.26% −0.2764 4.30 0.0036 0.2987
Information and Security Risk 61.67% −0.2270 4.00 0.0107 0.3263
Geopolitical Risk 51.30% −0.2924 3.95 0.0089 0.3177
Financial Risk 48.10% −0.3534 4.05 0.0023 0.1781
Credit and Product Risk 57.14% −0.3325 3.76 0.0094 0.2324
Operational Risk 44.81% −0.3571 3.76 0.0057 0.1273
Regulatory and Legal Risk 45.56% −0.3073 3.95 0.0009 0.2349
Human Resources Risk 53.33% −0.2813 3.65 0.0020 0.1871
Reputation Risk 42.08% −0.3802 3.35 0.0092 0.1844

A conventional practice to depict the hierarchy of a firm’s risk exposures is to develop

a risk map: a two-dimensional graph of likelihood and impact. While informative, the
information contained in the risk map is quite limited. That is why the case requirement
in Section 8 asks students to rank the ten risk categories by multiple criteria: expected
impact, an equally weighted index of expected impact and average control, and an equally
weighted index of expected impact and the two opinion convergence indices.

6. Mitigation Strategies
The board finally decided to focus on a subset of the ten risk areas (strategic, inno-
vation, information and security, geopolitical, financial, and regulatory and legal). The
statement of revenues and expenses in Table 1, the streamlined questionnaire results, and
the quantitative risk metrics in Tables 7 and 8 provided the key qualitative and quantitative
information to establish a series of mitigation strategies for the top six risks selected by
the board and review their effectiveness over time. Specifically, the consulting firm estab-
lished mitigation strategies that were influenced by some observed drivers of risks in each
category, which are listed below.
 Lack of transparency, possible mission drifts, and weak alignment among mission,
vision, and future strategies seemed to characterize the nature of the firm’s strate-
gic risks.
 Strategic projects, particularly non-governmental ones, were not competitively and
commercially selected.
 Project valuation techniques did not adequately account for the market and country-
specific risks involved.4
 Strategies for maintaining specific financial flexibility and liquidity were also lacking.
 The global technology network was outdated and prone to information breaches.
 The consequences of political, regulatory, and social changes in many regions of
operations were poorly understood, and existing insurance policies were not optimally
designed to cover the expected losses.
 The firm was not fully taking advantage of the country risk information provided
by global agencies such as the International Monetary Fund (IMF) and the World
Bank (WB).
J. Risk Financial Manag. 2023, 16, 473 10 of 17

 In early 2020, the COVID-19 pandemic significantly slowed down the pace of eco-
nomic and social activity around the world. It seriously affected the operations of field
offices, threatening the viability and continuity of upcoming contracts and existing
programs, as well as the health and safety of participants and employees around
the world.

7. Conclusions
Intended for use in advanced accounting, auditing, and finance courses, this case
study, a true event, underscores the need for equipping students with an understanding
and knowledge of developing effective risk management systems that identify, prioritize,
and mitigate a firm’s overall risk exposures. The case details the development and im-
plementation of an enterprise risk management (ERM) system for a U.S. multinational
nonprofit firm during the 2015–2021 period. Students will learn to establish the firm’s risk
profile through questionnaire-based data that capture the integrated effects of its structure,
culture, processes, governance, and control. In this sense, students understand that risk
interactions and aggregations are key components for establishing an effective risk manage-
ment system. Students will also learn to create and apply multi-dimensional risk indices
to measure and prioritize the firm’s risk exposures. These indices cover a wider range of
relevant risk parameters, including the difference between inherent and residual risks and
the dispersion in cognitive perception of different risk exposures within the firm. Finally,
the last learning outcome focuses on strategies to triangulate the firm’s risk profile and risk
prioritization results to construct mitigation strategies that build resilience and create value
through risk diversification, information signaling, the identification of natural hedges, and
creating board governing efficiency.
Beyond its educational focus, the case study also contributes to the existing literature
by advancing powerful statistical approaches for analyzing the dynamics of qualitatively
based questionnaire data. While the relatively small sample size of the risk owners and
the focus on a nonprofit firm may have been a limitation of the case study, the proposed
methodologies introduced in this study are fully generalizable and scalable to any for-profit
or publicly traded firms. In fact, the nonprofit nature of the case-study firm introduces
no methodological or conceptual constraints or limitations in applying our proposed
framework to the risk management decisions of other types of firms.

8. Case Requirements
Assume you are a member of the consulting firm and that you are familiar with
the plan of action for the ERM process (Table 3) and have had access to the information
discussed in Tables 7 and 8. You are asked to prepare a report that addresses the following
issues.
1. Using the average coded responses to selected questions in each of the five risk areas
in Table 7, provide a 500-word summary of the firm’s risk profile.
2. Complete the risk matrix in Table A1, below, by using the input measures from Table 8:
average of likelihood, impact on annual revenue growth, and level of control, along
with variance of the expected impact and average control.
3. Based on the results in Tables 8 and A1 above:
a. rank the ten risk categories by (i) their expected impact, (ii) by an equally
weighted index of expected impact and average control, and (iii) by an equally
weighted index of three indices: expected impact, opinion convergence on
expected impact, and opinion convergence on control.
b. create an equally weighted consolidated ranking of the above three rankings
and re-rank the ten risk categories.
4. Develop a risk map of all ten risks identified for the firm.
5. Using the input in Table 1, the questionnaire results, and quantitative risk metrics
in Tables 7 and 8, along with the discussion on key sources and drivers of risk in
Section 6, propose mitigation strategies for the top six risks selected by the board.
J. Risk Financial Manag. 2023, 16, 473 11 of 17

Author Contributions: All authors are participated equally on all dimensions mentioned above. All
authors have read and agreed to the published version of the manuscript.
Funding: This paper received no external funding.
Data Availability Statement: Due to the confidentiality of this case study, a true event, data can not
be made available.
Conflicts of Interest: The authors declare no conflict of interest.

Appendix A. Instructor’s Notes

Appendix A.1. Background and Introduction
Intended for use in advanced accounting, auditing, and finance courses, this case
study, a true event, underscores the need for equipping students with an understanding
and knowledge of developing effective risk management systems that identify, prioritize,
and mitigate a firm’s overall risk exposures. The case study discusses the development and
implementation of an enterprise risk management (ERM) system for a U.S. multinational
nonprofit firm during the 2015–2021 period.
 Students will learn to establish the firm’s risk profile through questionnaire-based
data that capture the integrated effects of its structure, culture, processes, governance,
and control. In this sense, students understand that risk interactions and aggregation
are key components of establishing an effective risk management system.
 Students will also learn to create and apply multi-dimensional risk indices to measure
and prioritize the firm’s risk exposures. These indices cover a wider range of relevant
risk parameters, including the difference between inherent and residual risks and the
dispersion in cognitive perception of different risk exposures within the firm.
 The final learning outcome focuses on strategies to triangulate the firm’s overall risk
profile and risk prioritization results to construct mitigation strategies that build
resilience and create value through risk diversification, information signaling, the
identification of natural hedges, and creating board governing efficiency.
Beyond its educational focus, the case study also contributes to the existing literature
by advancing powerful statistical approaches for analyzing the dynamics of qualitatively
based questionnaire data. Furthermore, despite the paper’s focus on a nonprofit firm, the
proposed methodologies introduced in this study are fully generalizable and scalable to
any for-profit or publicly traded firm.

Appendix A.2. Case Requirements: Implementation

1. Using the average coded responses to selected questions in each of the five risk areas
in Table 7, provide a 500-word summary of the firm’s risk profile.
The results of the questionnaire are reported in Table 7. Relatively low values of the
coded responses for the selected questions (average scores for risk administration and
risk control of 2.70 and 3.1, respectively) indicate that the firm’s existing risk management
system was ad hoc and uncoordinated. Also, significant barriers appeared to exist in
risk reporting and communication. The low values on the average scores for risk culture
and risk recognition of 2.7 and 2.85, respectively, emphasize the respondents’ inability
to distinguish between the risk areas representing threats, those needing to be mitigated,
and those representing opportunities to be seized upon for increasing future revenue
growth. The average score for risk governance of 2.47 demonstrates that the board was
poorly prepared to comprehend the firm’s overall risk exposure and that there was no risk
committee on the board.
2. Complete the risk matrix in Table A1 by using the following input measures from
Table 8:
 Average likelihood, impact on annual revenue growth, and level of control.
 Variance of the expected impact and average control.
J. Risk Financial Manag. 2023, 16, 473 12 of 17

Table A1. Risk Matrix.

Average Opinion Opinion

Risk Category Expected Convergence Convergence
Impact (Expected Impact) (Control)
Strategic Risk
Innovation Risk
Information and Security Risk
Geopolitical Risk
Financial Risk
Regulatory and Legal Risk
Operational Risk
Credit and Product Risk
Human Resources Risk
Reputation Risk

To respond to this question, students need to calculate three well-known statistical

indices: average expected impact on revenue growth, opinion convergence indices for the
expected impact on revenue growth, and average risk control, respectively, for each risk
area. Table 8 provides the relevant information to calculate the statistical indices. Examples
are discussed below.
1. (Average Expected Impact on Revenue Growth) risk (i) =
{(Average Probability) risk (i) ) (Average Impact) risk (i) )}
Example
(Average expected impact on revenue growth) Financial Risk = (0.4810) (−0.3534) = −0.17
2. (Opinion Convergence Index on Expected Impact) risk (i) =
(Standard Deviation of Expected Impact) risk (i) )/(Average expected impact) risk (i)
Note that in calculating the opinion convergence index on expected impact, we use
the absolute value of the average expected impact to arrive at a non-negative value for
achieving consistency and ease of comparison across different risk areas.
Example
(Opinion Convergence Index on Expected Impact) Financial Risk = (0.0023)1/2 /0.17 = 0.28
3. (Opinion convergence index on Average Control) risk (i) =
(Standard Deviation of Average Control) risk (i) )/(Average Control) risk (i)
Example
(Opinion convergence index on expected impact) Financial Risk = (0.1781)1/2 /4.05 = 0.1042
The final table for the risk areas is provided below.
As the results in Table A2 reveal, the average impacts on annual revenue growth
across all risk categories are consistently negative, reflecting the respondents’ inability to
distinguish between the risk areas representing threats, those needing to be mitigated, and
those representing opportunities to be seized upon for increasing future revenue growth.
The low scores on the “Risk Recognition” part of the questionnaire further confirm and
underscore this observation.
J. Risk Financial Manag. 2023, 16, 473 13 of 17

Table A2. Risk matrix: the average expected impact is the product of average probability by average
impact for each risk category across the sample. Opinion convergence (expected impact) represents
the ratios of the standard deviation of expected impact for each risk category across the sample,
adjusted by the absolute value of its mean. Opinion convergence (control) represents the ratios of the
standard deviation of average control for each risk across the sample category, adjusted by its mean.

Opinion Opinion
Average Average Average
Risk Category Convergence Convergence
Probability Expected Impact Control
(Expected Impact) (Control)
Strategic Risk 46.46% −0.16 4.23 0.71 0.1313
Innovation Risk 54.26% −0.15 4.30 0.4 0.1271
Information and Security
61.67% −0.14 4.00 0.74 0.1428
Risk
Geopolitical Risk 51.30% −0.15 3.95 0.63 0.1427
Financial Risk 48.10% −0.17 4.05 0.28 0.1042
Regulatory and Legal Risk 45.56% −0.14 3.95 0.22 0.1227
Operational Risk 44.81% −0.16 3.76 0.36 0.0949
Credit and Product Risk 57.14% −0.19 3.76 0.51 0.1282
Human Resources Risk 53.33% −0.15 3.65 0.3 0.1185
Reputation Risk 42.08% −0.16 3.35 0.6 0.1282

Furthermore, the results in Table A2 show that both opinion convergence indices are
negatively and significantly correlated with the absolute value of expected impacts across
all risk areas. In other words, wide variations in the respondents’ estimates of likelihood
and impact (high values for the convergence indices) in certain risk areas (strategic risk,
geopolitical risk, and reputational risk) lower their position in the hierarchy of top risks.
These results are consistent with our prior conjectures on the role of opinion convergence
indices in prioritizing the risk areas.
4. Based on the results in Table 8:
(a) rank the ten risk categories by: (i) their expected impact, (ii) by an equally
weighted index of expected impact and average control, and (iii) by an equally
weighted index of three factors: expected impact, opinion convergence on
expected impact, and opinion convergence on control;
(b) create an equally weighted consolidated ranking of the above three rankings
and re-rank the ten risk categories.
For this question, students should use the information included in the risk matrix
above to rank the ten risk areas. Risk areas with higher values of expected impact and
opinion convergence indices reflect higher level (top) risks (ranked first, second, third, etc.)
The overall ranking of risk areas is presented in Table A3 below.
J. Risk Financial Manag. 2023, 16, 473 14 of 17

J. Risk FinancialTable
Manag.A3.
2023,
Top16, xrisks
FOR by
PEER REVIEWranking
different criteria: Rank 1: absolute value of the expected impact; Rank 14 of 17
2: equally weighted index of expected impact and average control; Rank 3: equally weighted index
of expected impact, opinion convergence (expected impact), and opinion convergence (control).
Table A3. Top risks by different ranking criteria: Rank 1: absolute value of the expected impact;
Rank 2: equally weighted
Risk Category Rank (1)index of expected
Rank (2) impact
Rank and
(3)average control; RankRanking
Consolidated 3: equally weighted
index of expected impact, opinion convergence (expected impact), and opinion convergence (con-
Strategictrol).
Risk 3 5 7 6
Innovation Risk 4 6 5 6
Consolidated
Risk Category Rank
Information and Security Risk (1)
5 Rank
5 (2) 9 Rank (3) 7 Ranking
StrategicGeopolitical
Risk Risk 3 4 3 5 8 7 6 6
InnovationFinancial
Risk Risk 4 2 3 6 1 5 1 6
Information and Security Risk 5 5 9 7
Regulatory and Legal Risk 5 4 3 5
Geopolitical Risk 4 3 8 6
FinancialOperational
Risk Risk 2 3 2 3 2 1 2 1
RegulatoryCredit
and Legal
and Risk
Product Risk 5 1 1 4 4 3 1 5
Operational Risk
Human Resources Risk 3 4 2 2 3 2 3 2
Credit and Product Risk 1 1 4 1
Reputation Risk 3 1 6 4
Human Resources Risk 4 2 3 3
Reputation Risk 3 1 6 4
5. Develop a risk
5. map including
Develop the including
a risk map ten risks the
identified
ten risksfor the firm.
identified for the firm.
Table 8 contains Table
the information forinformation
8 contains the drawing afor
risk map where
drawing a risk the
mapaverage
where the probability
average probabil-
ity of risk occurrence is plotted on the Y-axis and the average impact
of risk occurrence is plotted on the Y-axis and the average impact on annual revenue growth on annual revenue
growth is plotted on the X-axis. Using the information in Table 8, a
is plotted on the X-axis. Using the information in Table 8, a risk map of the ten risk areasrisk map of the
is ten risk
shown below. areas is shown below.
6. Using the input in Table 1, the questionnaire results, quantitative risk metrics, Tables
6. Using the input 7inand
Table 1, the questionnaire results, quantitative risk metrics, Tables 7
8, and the discussion on key sources and drivers of risk in Section 6, propose
and 8, and the mitigation
discussionstrategies
on key for
sources and
the top six drivers of risk
risks selected by in
theSection
board. 6, propose
mitigation strategies for the top six risks selected by the board.

Risk Map
70%

Credit and Product Risk Geopolitical Risk

65% Innovation Risk

Financial Risk
60%
AVERAGE PROBABILITY

55% Reputation Risk

Information and Security Risk

50%

45%
Human Resource Risk

40%

35% Strategic Risk Regulatory and Legal Risk

Operational Risk

30%
-0.40 -0.35 -0.30 -0.25 -0.20
AVERAGE IMPACT

This question is Thisclearly a challenging one, as students need to use the information on
question is clearly a challenging one, as students need to use the information on
the drivers of risks, given in Section
the drivers of risks, given 6, to construct
in Section mitigation strategies
6, to construct for the
mitigation top sixfor
strategies risks
the top six
selected by the board. The discussion on the firm’s risk profile using the information
risks selected by the board. The discussion on the firm’s risk profile using the information in
Table 7 is relevantintoTable
this 7requirement.
is relevant to There is a need toThere
this requirement. develop a strategic
is a need plan athat
to develop alignsplan that
strategic
with the firm’s overall
aligns mission, regularly
with the firm’s monitoring
overall mission, its progress
regularly according
monitoring itstoprogress
measurableaccording to
and transparentmeasurable
criteria. The andboard’s weaknesses
transparent criteria. in
Theaddressing the firm’sinrisks
board’s weaknesses could be
addressing the firm’s
risks could
alleviated by creating be alleviated
a stand-alone riskby creating a Reports
committee. stand-alone
from risk committee. Reports
international from interna-
field offices,
coupled with thosetional field
from theoffices, coupled with
International those from
Monetary Fundthe International
(IMF) Monetary
and the World BankFund
(WB),(IMF) and
theaddressing
are also helpful in World Bankgeographical
(WB), are alsoriskhelpful in addressing geographical risk exposure.
exposure.
Hiring a Chief Information Officer (CIO) would change the firm’s communication
and technology infrastructure and would be an effective step in dealing with the infor-
mational and security risk. Risk-adjusted capital budgeting techniques should be applied
J. Risk Financial Manag. 2023, 16, 473 15 of 17

to successfully shift revenue sources from governmental grants to value-enhancing non-

governmental ones. Specifically, a detailed set of mitigation strategies focused on the top
six risks are summarized in Table A4 below. Overall, the proposed mitigation strategies
are consistent and support the results of the earlier studies, showing positive valuation
implications for fully engaged firms that are considered mature in their ERM approach.

Table A4. Mitigation strategies.

Risk Categories Key Drivers of Risks Mitigation Strategies

Developed a new 5-year, 2017–2022, strategic plan establishing more
clearly the firm’s mission and vision, creating strategies and tactics
- Transparency aligning the firm’s operational, financial, risk management, and
- Mission Drift marketing/communication goals. Created a stand-alone risk committee as
Strategic - Diversification a sub-committee of the board. Provided regular progress reports to the
- Alignment board on realizing the goals of the plan. Used risk-adjusted criteria to
assess the valuation implications of new projects. Produced quarterly
global economic and environmental scans to review the plan’s goals and
strategies, recommending possible changes.
Established a portfolio approach whereby the financial and human
resources are allocated strategically and optimally to enhance innovation
- Commercial Orientation in core offerings, adjacent opportunities, and, particularly,
- Competitiveness transformational territories achieved through geographic diversification.
Innovation - Incentives Promoted a more effective dialog between staff, senior executives, and the
- R&D Resources board on new initiatives. Incentivized staff to experiment with new ideas.
Aligned the R&D budget with best practices by comparable entities. Used
risk-adjusted approaches to measure the value proposal of R&D projects.
Hired a Chief Informational Officer (CIO) who was responsible for
- Data Privacy developing and executing policies to manage the global network of
- System Obsolescence information. Key steps included the synchronization and consolidation of
Informational - Technical Issues email platforms, launching software and hardware for document
and Security - Data Loss management, establishing effective patches to detect and defuse
- Multiple Platforms cyber-attacks, and aligning information technology policies with strategic
planning.
Incorporated country risk analysis information regularly published by the
- Political Instability International Monetary Fund (IMF) and the World Bank (WB) to better
- Travel Bans and Visas assess geographic risks and their implications for ongoing and new
Geopolitical - Trend Forecasting initiatives. Established quarterly country-based reports from foreign field
- Program closure offices. Secured a global insurance contract against losses occurring from
travel bans, visa restrictions, kidnappings, and nationalizations.
Systematically shifted revenue sources, such that the contribution of
- Fraud non-governmental projects would increase to 30% from its existing level of
- Revenue Shortfall 5% of annual revenues in 5 years. Planned to increase liquidity ratios by
- Cost overruns 30% over 5 years. Established quarterly revenue scenario exercises to stress
Financial - Liquidity test the financial health of the firm. Implemented an optimal currency
- Currency Changes model to manage the FX risk of foreign revenues. Developed and
- Audit implemented risk-adjusted valuation approaches related to R&D
investments.

- Lawsuits and Liability Reported and regularly updated U.S. Federal/State- and country-specific
- Registration Status compliance measures. Established quarterly country-based regulatory
Regulatory - Noncompliance reports from foreign field offices. Secured a global insurance contract to
- Regulatory Forecasting cover the losses due to third-party liability.
- Third-party liability
J. Risk Financial Manag. 2023, 16, 473 16 of 17

Notes
1 Other examples include British Petroleum (oil and gas), Tokyo Electric (electricity), Lehman Brothers, Bear Stearns, Merrill Lynch,
Wells Fargo (financial), Boeing (technology), Corinthian Colleges, and ITT (Educational Services), among others.
2 Founded in 1950, the Risk and Insurance Management Society (RIMS) is a global not-for-profit organization committed to
advancing the practice of risk management throughout the world.
3 This is similar to the Delphi method, which was originally developed by the RAND Corporation.
4 In particular, conventional capital budgeting techniques (such as the net present value (NPV), the internal rate of return (IRR), or
adjusted NPV)) were not used to evaluate strategic projects. See Jalilvand and Kostolansky (2016) for an approach to estimating
the cost of capital for privately held firms.

References
Aabo, Tom, John Fraser, and Betty Simkins. 2005. The Rise and Evolution of the Chief Risk Officer: Enterprise Risk Management at
Hydro One. Journal of Applied Corporate Finance 17: 62–75. [CrossRef]
Beasley, Mark, Richard Clune, and Dana Hermanson. 2005. Enterprise Risk Management: An Empirical Analysis of Factors Associated
with the Extent of Implementation. Journal of Accounting and Public Policy 24: 521–31. [CrossRef]
Fabrigar, Leandre, Duane Wegener, Robert MacCallum, and Erin Strahan. 1999. Evaluating the use of exploratory factor analysis in
psychological research. Psychological Methods 4: 272–99. [CrossRef]
Farrell, Mark, and Ronan Gallagher. 2014. The Valuation Implications of Enterprise Risk Management Maturity. The Journal of Risk and
Insurance 82: 625–67. [CrossRef]
Fraser, J., and B. Simkins. 2010. Enterprise Risk Management. Hoboken: John Wiley and Sons. ISBN 9780470499085.
Fraser, John, Betty Simkins, and Kristina Narvaez. 2014. Implementing Enterprise Risk Management: Case Studies and Best Practices.
Hoboken: John Wiley and Sons.
Froot, Kenneth, David Scharfstein, and Jeremy Stein. 1993. Risk Management: Coordinating Investment and Financing Policies. Journal
of Finance 48: 1629–58. [CrossRef]
Grace, Martin, J. Tyler Leverty, Richard Phillips, and Prakash Shimpy. 2014. The Value of Investing in Enterprise Risk Management.
The Journal of Risk and Insurance 82: 289–316. [CrossRef]
Harrington, Scott, Greg Niehaus, and Kenneth J. Risko. 2002. Enterprise Risk Management: The Case of United Grain Growers. Journal
of Applied Corporate Finance 14: 71–81. [CrossRef]
Hoyt, Robert E., and Andre P. Liebenberg. 2011. The Value of Enterprise Risk Management. Journal of Risk and Insurance 78: 795–822.
[CrossRef]
Hristov, Ivo, Riccardo Camilli, Antonio Chirico, and Alessandro Mechelli. 2022. The Integration between Enterprise Risk Management
and Performance Management System: Managerial Analysis and Conceptual Model to Support Strategic Decision-Making
Process. Production Planning & Control, 1–14. [CrossRef]
Jalilvand, Abol, and John W. Kostolansky. 2016. Le Beau Footwear: A Business Valuation Case for a Privately Held Firm. Issues in
Accounting Education 31: 439–47. [CrossRef]
Jalilvand, Abol, and Sidharth Moorthy. 2022. Enterprise Risk Management (ERM) Maturity: A Clinical Study of a U.S. Multinational
Nonprofit Firm” (with S. Moorthy). Journal of Accounting, Auditing, and Finance. [CrossRef]
Jensen, Michael C., and William H. Meckling. 1976. Theory of the Firm: Managerial Behavior, Agency Costs and Ownership Structure.
Journal of Financial Economics 3: 305–60. [CrossRef]
Kraus, Alan, and Robert Litzenberger. 1973. A State Preference Model of Optimal Financial Leverage. Journal of Finance 28: 911–22.
Leland, Hayne E., and David H. Pyle. 1977. Informational Asymmetries, Financial Structure, and Financial Intermediation. Journal of
Finance 32: 371–88. [CrossRef]
Lindberg, Deborah L., and Deborah L. Seifert. 2011. A Comparison of U.S. Auditing Standards with International Standards on
Auditing. The CPA Journal 81: 17–21.
McShane, Michael K., Anil Nair, and Elzotbek Rustambekov. 2011. Does Enterprise Risk Management Increase Firm Value? Journal of
Accounting, Auditing and Finance 26: 641–58. [CrossRef]
Miller, Merton. 1977. Debt and Taxes. Journal of Finance 32: 261–75.
Miller, Merton H., and Franco Modigliani. 1958. The Cost of Capital, Corporation Finance and the Theory of Investment. American
Economic Review 48: 261–97.
Miller, Merton H., and Franco Modigliani. 1963. Corporate Income Taxes and the Cost of Capital: A Correction. American Economic
Review 53: 433–43.
Nocco, Brian W., and René M. Stulz. 2006. Enterprise Risk Management: Theory and Practice. Journal of Applied Corporate Finance 18:
8–20. [CrossRef]
Rosenburg, Joshua V., and Til Schuermann. 2006. A General Approach to Integrated Risk Management with Skewed, Fat-Tailed Risks.
Journal of Financial Economics 79: 569–614. [CrossRef]
Ross, Stephen A. 1977. The Determination of Financial Structure: The Incentive Signaling Approach. Bell Journal of Economics 8: 23–40.
[CrossRef]
J. Risk Financial Manag. 2023, 16, 473 17 of 17

Samanta, P., T. Azarchs, and J. Martinez. 2004. The PIM Approach to Assessing the TRM Practices of Financial Institutions. New York:
Standard and Poor’s/McGraw-Hill.
Shad, Muhammad Kashif, Fong-Woon Lai, Amjad Shamin, Michael McShane, and Sheikh Muhammad Zahid. 2022. The relationship
between enterprise risk management and cost of capital. Asian Academy of Management Journal 27: 79–103.

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual
author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to
people or property resulting from any ideas, methods, instructions or products referred to in the content.