Does the usage of organizational change method increase the … Jessie... · 2016. 9. 30. · Several organizational change methods and approaches exist to change and align people’s

Does the usage of organizational change method

increase the success of risk management

implementations?

A case study research

Jessie K.Y. Yung (6020346)

Rotterdam, 29-08-2011

Coach: Erwin Amersfoort

Amsterdam Business School – Universiteit van Amsterdam

Executive Internal Audit Program

Does the usage of organizational change method increase the success of risk management implementations?

J.K.Y. Yung - EIAP 2011 2

Preface

The executive internal audit program of the Amsterdam Business School (UvA) requires its students

to write an academic research in the field of internal/operational auditing in order to finalize the

executive program. Within the executive program, I decided to write my thesis in the field of

Organizational Change Management, as I believe this is a field which has been undermined in audit,

risk and control studies and practices. The main objective of this study is to understand the impact of

organizational change methods on risk management; a familiar topic for internal audit practitioners.

Finally I would like to thank my coach and all participating interviewees and organizations for

providing me valuable input for this thesis.

August, 2011,

Jessie Kiu Yen Yung



Executive Summary

Continuously changing business environment, developments and complexities increase the need of

risk management in order to meet organization’s business objectives by effectively managing risks

and uncertainties (COSO, 2003; Hampton, 2009). Risk is the opportunity that an event will occur that

affect the achievement of a business objective (COSO, 2003). These developments had led to a

growing demand for assistance in developing effective processes to support risk management

(Hillson, 1997). COSO Enterprise Risk Management (ERM) is one of the well-known methods which

address this. While most organizations have not embedded a formal ERM in their business practices,

there seem to be a growing trend to implement at least some of its key principles (IIA, 2009). Hence,

risk management is becoming more a recognized and valuable activity within organizations.

Besides risk managers, also internal audit practitioners fulfill a valuable role towards risk

management. Therefore they can fulfill two roles towards the board of an organization and senior

management, namely, 1) objectively assess the risk management program and the effectiveness or 2)

provide consulting/advising role by identifying, evaluate or support the implementation of risk

management methodologies.

Implementing risk management (either full ERM or some of its key principles) has led to many

difficulties for organizations, from technical (content) challenges to organizational challenges. The

technical challenges are for example the lack of a standard framework, steps and method, how to

quantify risks or the difficulty to keep the framework up to date (Claassen, 2010). Many publications

(Lam, 2003; Hampton 2009) are available which tackle the technical challenges in respect to risk

management implementations, by providing guidance, structures and specific methods. Limited

publications are available regarding the organizational challenges like, conflict resolutions between

risk functions and business, lack of a risk based culture or resistance towards risk management

(Cendrowski and Mair, 2009; Lam, 2003; Lee & Shimpi., 2005).

In order to implement risk management successfully it is important to understand why people act as

they do (misunderstanding, resistance, conflicts) and how to influence or change this. According to

Kotter (2002), ‘people change what they do less because they are given analysis that shifts their

thinking than because they are shown a truth that influences their feelings’. Based on a study of

Kotter (2002), successful organizations know how to overcome antibodies that reject anything new or

different, whereby the central challenge is changing people’s behavior and influence their feelings.

Several organizational change methods and approaches exist to change and align people’s

understanding, values and behavior in organizations.

Organizational change management studies provide several methods and approaches to overcome

organizational challenges in cultural transformations, mergers & acquisitions, new technologies and

restructuring. Studies have shown the positive effects of using organizational change methods to

overcome similar organizational challenges (Ashkanasy & Kavanagh, 2006; Bijlsma-Frankema, 2001;

Blokdijk, 2008; Kotter, 2002). Therefore in this research study the influence of using organizational

change method on risk management implementation is studied. Leading to the following main

research question: Does the usage of organizational change method increase the success of risk

management implementations?

Based on literature review the suitable change management method is selected for this study;

Kotter’s eight-phases model. The literature review is additionally used to propose the expected effect

between organizational change method and success of risk management implementations with the



possible moderating effects. The following moderators are used: size of an organization and

compliance driven (by external regulations) risk management implementations. All these factors are

integrated in a theoretical framework, which forms the basis of this study.

A comparative case study method is used to test the hypotheses. Four case studies with risk

management implementations have been studied, analyzed and compared. A cross case analysis

provides a comparison between the factors and a general overview of the results. Furthermore, the

cross case analysis also reveals patterns in the results.

By integrating theoretical and practical data, the main research questions could be answered. For the

four case studies, it was found that the usage of Kotter’s change model tends to have a positive effect

on the success of risk management implementations. Large organizations tend to benefit more by

using a change model in risk management implementations, as they have more political issues,

relatively large risk department and risk projects which require a longer time span. The results also

revealed that in general a large organization has more experience with risk and control related

aspects. The difficulty for this type of organization is to link the multiple existing risk and control

initiatives of the organization with each other. The number of risk and control initiatives could also

lead to adversity within the organization. Smaller organizations on the other hand show that their

employees have more difficulty in the content and lack knowledge of risk management. It takes

additional time to educate and train them. Sometimes the risk management approach requires to be

redefined in order to gain their support and buy-in.

Risk management implementations driven by compliance (external regulation) did not show any

remarkable effect on the relation between using Kotter’s change model and the success of the

implementation. The case study revealed that when the management of an organization believes that

the risk management implementation provides advantages or benefits, it does not matter anymore

whether it is compliance driven or not.

The results show that the use of Kotter’s change method does have a positive impact on the success

of implementing risk management. Therefore risk management practitioners should consider the use

of organizational change methods or some of its aspects in risk management implementations. The

same counts for internal audit practitioners who assess risk management (assurance role) or perform

some risk management related activities (consulting/advising role).

There might be other factors which moderate the effect of using organizational change method on the

success of risk management implementations. Future research is needed to test different moderators

and their effect. Furthermore, the domain of this study is rather broad, zooming in on specific

industries or organization’s risk maturity (Hillson, 1997) in future research, might yield additional

valuable insights.



Index

1. Introduction ......................................................................................................................................... 7

1.1. Research Gap .............................................................................................................................. 7

1.2. Research objectives and questions ............................................................................................. 8

1.3. Research approach ...................................................................................................................... 9

2. Literature review ................................................................................................................................ 10

2.1. Governance, risk management, internal control and internal audit ........................................... 10

2.2. Challenges in Risk Management ............................................................................................... 11

2.2.1. Technical versus organizational challenges ....................................................................... 12

2.2.2. Organizational challenges are undermined ........................................................................ 14

2.3. Influencing the organizational challenges .................................................................................. 14

2.3.1. Introduction to organizational change methods .................................................................. 14

2.3.2. Applicable organizational change method for this study ..................................................... 17

2.3.3. The 8 phases of Kotter ........................................................................................................ 18

2.4. Organizational change management and implementing risk management ............................... 19

2.5. Moderators ................................................................................................................................. 19

2.5.1. Moderator organization size ................................................................................................ 20

2.5.2. Moderator compliance (external regulation) ....................................................................... 20

2.6. Relevance for Internal Audit practitioners .................................................................................. 21

2.7. An overview ................................................................................................................................ 21

3. Methods section ................................................................................................................................ 23

3.1. Research method ....................................................................................................................... 23

3.1.1. Empirical research and theory testing ................................................................................. 23

3.1.2. Case study .......................................................................................................................... 23

3.1.3. Data collection ..................................................................................................................... 24

3.2. Validity and reliability .................................................................................................................. 24

3.3. Measurement ............................................................................................................................. 25

3.4. Cases ......................................................................................................................................... 27

3.4.1. Sample Selection and criteria ............................................................................................. 27

3.4.2. Participants ......................................................................................................................... 27

3.5. An overview ................................................................................................................................ 27

4. Case studies ..................................................................................................................................... 28

4.1. Case 1 – Dutch Transportation Company – Implementation of Risk and Financial Processes

Handbook – 2007 .............................................................................................................................. 28

4.2. Case 2 – Large Insurance Company - Key Control Register implementation – 2010 ............... 28



4.3. Case 3 – Credit Registration Office – Implementation of Organizational Risk Management –

2011 .................................................................................................................................................. 29

4.4. Case 4 – Small Insurance Company for a specific professional/occupational group – Risk

Management analysis – 2010 ........................................................................................................... 30

4.5. An overview ................................................................................................................................ 30

5. Results: Cross Case Analysis ........................................................................................................... 31

5.1. The effect of the usage of Kotter’s eight phases change method on the success of risk

management implementations. ......................................................................................................... 31

5.2. The effect of organization’s size ................................................................................................ 31

5.3. The effect of compliance (external regulation) ........................................................................... 32

5.4. An overview ................................................................................................................................ 32

6. Discussion ......................................................................................................................................... 34

6.1. Risk management implementation success .............................................................................. 34

6.2. Organization’s Size .................................................................................................................... 35

6.3. Compliance (external regulation) ............................................................................................... 35

6.4. An overview ................................................................................................................................ 36

7. Conclusion ........................................................................................................................................ 37

7.1. Main findings and conclusions ................................................................................................... 37

7.2. Limitations and future research recommendations .................................................................... 38

7.3. An overview ................................................................................................................................ 39

8. Implications for Internal Audit ............................................................................................................ 40

8.1. Assurance Role - Core internal audit roles in regard to ERM .................................................... 41

8.2. Advising/consulting Role - Legitimate internal audit roles with safeguards ............................... 41

8.3. An overview ................................................................................................................................ 42

9. Literature ........................................................................................................................................... 43

Appendix 1 – Method of Kotter.............................................................................................................. 45

Appendix 2 – Guideline and list of questions ........................................................................................ 48

Appendix 3 – Usage of the eight-phases method of Kotter .................................................................. 49

Appendix 4 – Success scores ............................................................................................................... 50



1. Introduction

In the past decades the need of risk management has increased due to business complexity issues,

corporate governance-codes developments (compliance driven), but also the voice of stakeholders

who require organizations to improve their management activities in respect to risks and uncertainties

(Hampton, 2009; Lam, 2003). Organizations are becoming more aware of the importance of risk

management for the success of the organization (Hillson, 1997). Risk is the possibility that an event

will occur which adversely affects the achievement of an objective (COSO, 2003). According to

Hampton (2009), risk management is essential in order to achieve the organization’s objectives by

enhancing operating stability and build organizational resilience. Finally, it also increases the

economic value of an organization.

Enterprise Risk Management (ERM) emerged in the late 1980s (Hampton, 2009). ERM argues that

an organization should manage its risks in a single and comprehensive program, including the

coordination with internal processes, audit and compliance. A well-known method is the COSO

Enterprise Risk management Cube (COSO, 2003).

In practice, organizations face several challenges when implementing ERM or some of the key

principles (IIA, 2009). The discussions about the faced challenges are often related the content and

technical aspects of implementing risk management, for example the lack of a standard framework,

steps and methods. Many books have been published which explain how to implement ERM. Less is

available about the organizational challenges during and after the implementation.

To make risk management a success, deep understanding of the organizational challenges is

required and how to overcome these. Organizational challenges in risk management are for example

the lack of a risk based culture, the lack of understanding of risk management or conflicts within the

organization. Organization behavior and change management studies have published much literature

about organizational challenges. The organizational change methods and approaches are widely

applied in cultural transformations, mergers & acquisitions and organizational restructuring, in order to

overcome organizational challenges (Ashkanasy & Kavanagh, 2006; Bijlsma-Frankema, 2001;

Blokdijk, 2008; Kotter, 2002).

The purpose of this study is to explore how the usage of existing organizational change methods can

influence the success rate of implementing risk management in organizations, either ERM or some of

its key principles. The success rate is a combination of the organization’s risk culture, awareness and

understanding. Two moderators are selected which could affect the relation between the usage of

organizational change method and the success of implementing risk management.

1.1. Research Gap

As mentioned in the introduction, limited has been written about the organizational challenges when

implementing risk management. From a practical and theoretical perspective, it is important to get an

understanding of the organizational challenges that organizations face when implementing risks

management and whether the usage of organizational change methods can overcome these

challenges.



1.2. Research objectives and questions

Based on the research gap, the following research objectives are formed:

Develop a theoretical model whereby the following are encountered:

- Get more understanding in the organizational challenges when implementing risk

management;

- Get more understanding and insight into the existing organizational change methods and its

effect on organizational challenges;

- Get more insight into the possible moderating variables and their effects.

In order to realize this objective; the following main research question has been formulated:

- Does the usage of organizational change method increase the success of risk management

implementations?

Sub-questions are formulated in order to answer the main question. The sub-questions are used as a

guideline towards answering the main question:

- Why is risk management important for organizations?

- What is the purpose of risk management programs?

- What is the role of internal audit in respect to risk management?

- What kind of challenges do organizations face when implementing risk management?

- What kind of organizational change methods are available to overcome organizational

challenges?

- Which organizational change method is most applicable to test whether it is useful in risk

management implementations (and overcome the related organizational challenges)?

- What is the probabilistic relation between organizational change methods and risk

management implementations?

- What are other interesting moderators which should be taken into account?

- What is the relevance of this research topic for Internal Audit (practitioners)?

- What type of theory oriented research is applied in this study?

- Why is case study the most suitable research method for this study?

- How to enhance the validity and reliability of this research?

- How are the different factors measured?

- What are the sample selection criteria?

- Do the case study results support the hypotheses?

- How and why do the case study results support/not support the hypotheses?

- What are the main findings and conclusions?

- What are the limitations and recommendations?

- Based on the results what are the implications for internal audit practitioners in the assurance

or advising/consulting role?



1.3. Research approach

This study is based on a literature review, whereby relevant theories concerning risk management,

organizational challenges, organizational change methods and internal audit are used. Based on

previous literatures hypotheses of the effects of organizational change method usage and its

moderators in respect to risk management implementations are formed. This is presented in Chapter

2, which ends with a theoretical framework; the foundation of this study.

Besides theoretical data, practical data is used. The multiple case study approach is applied to gather

empirical data, in order to test the hypotheses as defined in Chapter 2. The arguments for the used

methodology, how to perform measurement, including the validity and reliability requirements are

presented in Chapter 3.

Chapter 4 provides information of the four case studies. Based on the gathered information, the four

cases are compared with a cross case analysis in Chapter 5. The results are discussed in chapter 6.

Following the results and discussion, Chapter 7 presents the findings, conclusions and limitations of

this study. Conclusions are formed based on both the practical and theoretical information. This study

ends with the implications for Internal Audit in Chapter 8.



2. Literature review

In this chapter the current state of literature of risk management, organizational change management

and its relation are explained.

2.1. Governance, risk management, internal control and internal audit

In order to understand why risk management is important for an organization and the internal audit

function, the positioning and relevance is outlined first, starting with the governance structure.

Organizations develop a structure/framework through which long-term and day-to-day decisions are

made. The actual organization structure can vary between organizations, but an overall governance

structure should be available to ensure key stakeholders requirements are met. The governance

structure provides direction to the persons who are responsible to execute the day-to-day activities of

managing the (inherent) risks in an organization’s business model. The day-to-day business activities

are also known as internal control (IIA, 2009). Governance is the process conducted by board of

directors in order to authorize, direct and oversee management in respect to the achievement of the

organization’s goals and objectives. Brickly et al (2001) defined governance as the system consisting

of:

The partition (business units, divisions, shared service centers) and attribution of decision

rights and reserved powers in the internal organization of het firm;

The methods of rewarding individuals;

The resource allocation process (capital, human resources, information, knowledge, physical

capital, intangibles like brands);

The structure of systems

Figure 1: Depiction of Key Governance elements (IIA, 2009)

Risk management is the second layer in the governance structure (refer to figure 1). The purpose of

risk management is to identify and mitigate the risks that may adversely affect the organization’s

success and to exploit the opportunities that enable that success. Organizations are becoming more

aware of the importance of risk management for the success of the organization (Hillson, 1997).

According to Lam (2003), four reasons can be defined for risk management:



1. Managing risk is management’s job - Managing the risks of a business enterprise is the direct

responsibility of management;

2. Managing risk can reduce earnings volatility – Management should pay attention to the

underlying risks of the business, including the sensitivity of the firm’s earnings and market

value towards internal and external variables;

3. Managing risk can maximize shareholder value – Risk management can help an organization

to achieve its objectives and maximize shareholder value. Risk-based programs can identify

opportunities for risk management and business optimization;

4. Risk management promotes job and financial security – On individual level the most

compelling benefit of risk management is that it promotes job and financial security. The past

have shown that executives have lost their jobs due to poor risk management performance.

According to figure 1, internal control is shown in the center, as it represents a subset and integral

part of the risk management activities. Risk responses which include controls are designed to execute

the risk management strategies (IIA, 2009). To achieve this, managers should design and implement

an effective system of internal control (Ritterberg et al, 2007). COSO (2003) defines internal control

as: a process effected by an entity’s board of directors, management and other personnel, designed

to provide reasonable assurance regarding the achievement of objectives in the following categories:

- effectiveness and efficiency of operations

- reliability of financial reporting

- compliance with laws and regulations

With the improved COSO ERM (2004) a new strategic objective has been included: High-level goals

should be aligned with and supporting the organization’s mission.

The final component and important role in the governance elements in figure 1 is the independent

assurance activities by internal audit that will provide the board and senior management an objective

assessment in respect to the effectiveness of governance and risk management (IIA, 2009). To be an

effective part of the governance process, the internal audit function should:

- Understand the direction and expectation of the board’s governance;

- Support the risk management program by monitoring structure and discipline in the risk

management program or also educate other employees in the organization with these risk

and control topics;

- Develop an internal audit plan which encompasses the independent governance assurance

activities, including the periodical reporting of the effectiveness of risk management activities

(IIA, 2009, 2011).

To summarize, based on the governance elements (also refer to figure 1), risk management and

internal audit fulfills an important role in the governance of an organization. For internal audit this

implies also the support of risk management, including the communication of risk and control

information to the appropriate areas in an organization and the assurance on the effectiveness of risk

management activities.

2.2. Challenges in Risk Management

As described in paragraph 2.1., organizations face an extensive number of risks as they try to execute

their strategies and achieve their objectives. Due to the extensive number of risks, there is a need for

a process to effectively understand and manage risks across an organization (IIA, 2009). According to



Hillson (1997) there is a growing demand for assistance in developing effective processes to support

the identification, assessment and management of risk, as organizations want to tackle the risks

facing them. Enterprise Risk Management (ERM) is a well-known method to address this (refer to

figure 2).

Figure 2: COSO Enterprise Risk Management Cube (COSO, 2004)

COSO ERM is built of eight interrelated components which are derived from the way management

runs an organization and are integrated with management processes. According to IIA (2009), most

organizations have not embedded formal ERM in their business practices, but there seem to be a

growing trend to implement ERM or some at least some of its key principles. Some key principles are

for example: Risk Assessments Workshops, Risk Self Assessments, Key Control Registers and

Frameworks, specific business process risks (i.e. supply chain or finance), In-Control-Statements etc.

This study is focused on ERM implementations and/or some of its key principles. The term risk

management in this study complies both full ERM and some key principles implementations.

Implementing risk management is not an easy process, as for most organizations it implies a

multiyear initiative that requires ongoing senior management sponsorships and sustained investment

in human and technology resources (Lam, 2003). In the next subparagraph the challenges in

implementing risk management are further outlined.

2.2.1. Technical versus organizational challenges

Many literature and publications are available in respect to implementing risk management (Lam,

2003; Hampton, 1997; COSO, 2004). The described challenges in literature are often related to the

content and technical aspects of implementing risk management. The difficulty in implementing risk

management, take for example COSO ERM, is the lack of a standard framework and the description

of steps and method (Claassen, 2010). Additionally COSO ERM is difficult to keep up to date in a

continuous changing environment. Negus (2010) published an article, whereby he outlines in more

detail the ten major technical challenges in risk management implementations:

1. Assessing ERM's Value - Organizations often have difficulties in demonstrating the sufficient

ERM value to justify implementation costs;

2. Privilege - Risk information becomes increasingly event-driven and money-based, issues are

raised about the distribution of risk to auditors or to external regulators;

3. Defining Risk – It is difficulty to establish a consistent and commonly applied risk definition;



4. Risk Assessment Method - Enterprise risk assessments are performed using a large variety

of approaches and tools, including surveys, interviews and historical analysis;

5. Qualitative Versus Quantitative - The decision whether risks should be assessed using

qualitative or quantitative metrics. Lam (2003) also describes it as the difficulty to assess and

quantify non-financial risks (business, organizational and operational risks) and how to

incorporate these into performance measurement systems;

6. Time Horizon - The time horizon of ERM risk assessment is largely based on the

organization's intent to use ERM risk results and its willingness to invest in risk management.

This is also related to challenge 1, the assessment of ERM’s value;

7. Multiple Potential Scenarios – Most risks have multiple event likelihoods and risk severities;

8. ERM Ownership - The question regarding who is responsible and owner of ERM is often

unclear and commonly disputed at the board, audit committee and management levels;

9. Risk Reporting – What information should be shared with internal and external stakeholders

and how should risk be communicated and reported?

10. Simulations and Stress Tests - Organizations often struggle to balance the need for

meaningful simulation and stress tests against a nearly infinite number of potential scenarios

(Negus, 2010).

The published literatures include guidelines to address these content related and technical issues in

risk management (Lam, 2003; Hampton, 1997; COSO, 2004). Beside technical challenges in risk

management implementations, there are also organizational challenges, which are more complex and

relatively undermined in the risk management literature. The organizational challenges are further

outlined below:

Organizational Culture

An organizational culture focused on risk management is an essential component of risk

management. Creating a culture of risk management requires management to 1) formulate a risk

management policy, 2) communicate this policy to employees and 3) act in accordance with this

policy. Many organizations are successful in completing the first two steps and the third step

appeared to be challenging (Cendrowski and Mair, 2009). For organizations it can be disastrous,

where employees make unharmonious risk management decisions. If risks are not challenged and

addressed in a uniform manner by the organization, the risks cannot be properly mitigated

(Cendrowski and Mair, 2009). The third step is also connected to the tone at the top. In literature a lot

have been written about the influence of tone at the top, which is seen as a precondition for

organizations. The internal environment forms the basis for handling risks and controls measures.

The core of every organization is its employees, their individual integrity, values, competence and

work environment. Tone at the top has a critical influence on this (Bruinsma, 2009).

Conflict resolution between line and staff

The type of conflict often concerns the choices between business volume or revenue growth and risk

control. In this process the line seeks ways to avoid oversight by staff units (Lam, 2003). This also

includes misalignment of incentives, one side seeks for growth (volume, revenue, profit and return on

equity) and the other seeks for quality (minimization of losses, errors or deviations from plans) (Lam,

2003). The conflicts resolutions remain when both parties have different objectives, perceptions and

lack total overview or mutual understanding.

The role of line risk management

The installation of risk managers within the business units, with a reporting line to the CRO and

business manager, often leads to uncomfortable situations. In this situation, the line staff may



perceive the line risk manager as part of the ‘enemy’. The effect is increased due to the reporting line

to CRO (Lam, 2003).

Lack of risk management foundation

Risk managers have difficult tasks including assimilating, analyzing and communicating sometimes

complex concepts to leaders and managers who often do not possess a strong risk management

foundation. Often they are only informed about the financial and technical issues (Lee & Shimpi.

2005). Hence, the core of risk management is not tackled, which raise the question how business

leaders and managers can actual manage the risk?

2.2.2. Organizational challenges are undermined Literature about the technical challenges of implementing risk management and organizational

challenges are scattered. The challenges in risk management implementations are often written about

the content and technical aspects, while organizational challenges and influences are more or less

neglected. More have been written about the prerequisite of the tone at the top. In general terms, tone

at the top is a precondition for managing an organization and not specific in the field of risk

management and control.

To summarize, due to the importance of risk management for organizations (paragraph 2.1.) and the

research gap in organizational challenges in risk management literature and how to overcome these

(paragraph 2.2.), the relevance of this study is justified. The following chapters further outline

available methods to overcome organizational challenges.

2.3. Influencing the organizational challenges

The organizational challenges in implementing risk management are described in paragraph 2.2.1.

The challenges start with not having a risk based culture, combined with lack of understanding of risk

concepts in the business, lack of understanding of the need of risk management and conflict

resolutions between the business and risk managers (Cendrowski and Mair, 2009; Lee & Shimpi.

2005). In addition to that, the perception of risk managers as the enemy (Lam, 2003), is in practice

often perceived as resistance. To overcome the organizational challenges, it is important to

understand why people act as they do and how to influence or change this.

According to Kotter (2002), ‘people change what they do less because they are given analysis that

shifts their thinking than because they are shown a truth that influences their feelings’. Based on a

study of Kotter (2002), successful organizations know how to overcome antibodies that reject

anything new or different, whereby the central challenge is changing people’s behavior and influence

their feelings. Several organizational change methods and approaches exist to change and align

people’s understanding, values and behavior in organizations. Studies in the field of cultural

transformations, mergers & acquisitions and organizational restructuring have shown positive effects

when using organizational change methods in overcoming organizational challenges (Ashkanasy &

Kavanagh, 2006; Bijlsma-Frankema, 2001; Blokdijk, 2008; Kotter, 2002). Five well-known existing

change management methods are introduced below.

2.3.1. Introduction to organizational change methods

Change Quadrants

With the change quadrants model (Assen et al, 2009) the type of change and the culture of an

organization are taken into account to determine the change strategy. By understanding the key



levers, it can help to facilitate the change. The change quadrants model define whether an

organization is warm (led by shared norms and values) or cold (led by rules, regulations and

procedures) and whether the motivation for change is warm (led by ambitions) or cold (led by

urgency, i.e. near bankruptcy or drop in market share). Based on the various warm/cold combinations,

there are four possible change strategies: intervention, implementation, transformation and

innovation. Also refer to figure 3.

Figure 3: Change Quadrants (Assen et al, 2009)

E and O theories by Beer and Nohria

Beer and Nohria introduced two approaches to organizational change, which are called Theory E and

Theory O of change. Theory E is the creation of economic value (i.e. shareholder value). It is focused

on formal structure and systems. It is driven from the top with the support of an extensive number of

consultants and financial incentives. The change is planned. The purpose of Theory O on the other

hand is to develop the organization’s human ability to implement strategy and learn about the

effectiveness of changes made from the actions taken. It is driven by the development of a high

commitment culture with high involvement. Change is emergent instead of planned (Assen et al,

2009).



Table 1: Theories E and O by Beer and Nohria (Assen et al, 2009)

Five colors of Caluwé

Caluwé (2006), one of the most influential consultants in the Netherlands came up with a model of

five colors. Each color represents a different change process, as he does not believe that there is only

one way to execute a change process. The colors and the method of change are shown in table 2.

Table 2: The 5 colors of Caluwé (Caluwé & Vermaak, 2004)

Kotter’s eight phases of change

One of the most used methods is the eight phases of Kotter (2002). The basic principle of Kotter is

that change does not regard a single occurrence, but it is a process with several stages which are

related with each other. The eight phases are shown in table 3.



Table 3: The eight phases for successful change (Kotter, 2002)

Lewin’s Change Model

Lewin’s change model emphasizes three stages of change: unfreeze, change (modification), then

refreeze (also refer to figure 4).

Figure 4: Lewin's three stages of changes

The first stage is to get the organization or people ready for the change. It involves getting a point of

understanding, motivation and then to move away from the previous comfort zone (Blokdijk, 2008).

The second stage regards the change (modification phase). It involves the transition to the desired

state. Proper motivation and good leadership will enable the change. Also training, skills transfer and

personnel re-alignments or reduction could be part of this phase. The third stage, refreezing comes

when the workforce has already embedded the change in their system, until another unfreezing will

occur (Blokdijk, 2008).

2.3.2. Applicable organizational change method for this study

The first 3 models (The Change Quadrants, E and O theories and Five colors of Caluwé) provide

determinants for an organization to select a change strategy. The determinants are the type of

people, management style, culture and the status of an organization. These types of models can be

used in conjunction with other more stepwise methods, for example the eight phases method of Kotter

or Lewin’s three stages model. As the three models only provide determinants for the preferred

change strategy, it is less useful for this study because it does not provide guidelines how to execute

the change process. Kotter’s method on the other hand provides a more stepwise approach, which

involves subtle points and may not be always followed rigidly, but it does provide a clear and specified



guideline. The model of Lewin shows the three important steps that are required to get the change

started towards the objective, but it lacks the specific guideline that the Kotter’s model does provide.

Hence, the method of Kotter is used in this study, as it is more generally applicable, including specific

steps and activities. This also enables the possibility to perform analysis and comparisons between

cases. The method of Kotter with the 8 phases is further outlined below.

2.3.3. The 8 phases of Kotter

Kotter is a professor at the Harvard Business School, he introduced the eight-phases change process

in his book ‘Leading Change’ in 1995. Whereafter the method has been used by many consulting

firms. In this section the eight phases are outlined in more detail.

Phase 1 – Create urgency

Most significant changes start with the creation of sense of urgency among the relevant people. Less

successful changes in organizations allow complacency, fear or anger, which can undermine the

desired effect. Sense of urgency gets people off the couch, out of a bunker and ready to move. Refer

to Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in this

phase.

Phase 2 – Build the guiding team

A guiding team needs to be created with the credibility, skills, connections, reputations and formal

authority. This team operates with trust and emotional commitment. Studies have shown that less

successful project relies on single person or no one, weak task forces and committees or complex

governance structures, all without the stature and skills and power to do the job. Refer to Appendix 1

for a summary with some ideas and guidance of what to do and what not to do in this phase.

Phase 3 – Get the vision right

The team should create clear, simple, uplifting visions and sets of strategies. In the less successful

cases, there are only detailed plans and budgets, while a vision is not very sensible. Vision which is

created by others than the guiding team is often ignored by the guiding team. Refer to Appendix 1 for

a summary with some ideas and guidance of what to do and what not to do in this phase.

Phase 4 – Communicate for buy in

Communication of the vision and strategies follows in this phase. The goal is to induce understanding,

develop commitment, and liberate more energy from a critical mass of people. In this phase deeds

are more important than words and repetition is a key success factor. Previous studies have shown

that smart people does not recognize their error with undercommunication or poor communication.

Refer to Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in

this phase.

Phase 5 – Empower action

In this phase the obstacles to reach the vision and objectives are removed. The focus should be on

the people who try to disempower and inadequate information and systems. In less successful

situations the people in the team often fend for themselves instead of the obstacles around. In this

phase it is important that the obstacles or difficulties are faced and adequately solved. Refer to

Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in this

phase.

Phase 6 – Create short term wins



Creating short wins are critical, as it provides credibility, resources and momentum to the overall

effort. Some wins may come more slowly, less visibility and speak less to what people value, and

have more ambiguity as to whether they are really successes. The challenge is to make this also a

short win. Refer to Appendix 1 for a summary with some ideas and guidance of what to do and what

not to do in this phase.

Phase 7 – Don’t let up

First wins are required to define the next steps, which will lead to new wins, where after the vision or

project become reality. In less successful cases people try to do too much at a time and quit too soon,

once they find themselves confused. Refer to Appendix 1 for a summary with some ideas and

guidance of what to do and what not to do in this phase.

Phase 8 – Make change stick

The change should stick within the new culture. This may come with organizational changes like,

appropriate promotions, new employee orientations and also events that engage the emotions. Refer

to Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in this

phase.

2.4. Organizational change management and implementing risk management

While most literature regarding risk management provides limited insight to how to overcome

organizational challenges in risk management implementation, change management studies provide

several methods or approaches to overcome similar organizational challenges (i.e. resistance,

misalignment, lack of understanding etc.) in cultural transformations, mergers & acquisitions, new

technologies and restructuring (Ashkanasy & Kavanagh, 2006; Bijlsma-Frankema, 2001; Blokdijk,

2008; Kotter, 2002).

Based on the type of organizational challenges during risk management implementation, it is probable

that the usage of Kotter’s method could influence the success of the implementation and overcome

the faced organizational challenges. In practice it could be that some of Kotter’s eight-phases have

already been used (implicit or explicit), without using the full method.. Based on this assumption, the

following hypothesis is introduced:

H1. The usage of Kotter’s eight phases change method increases the success of risk management

implementations.

2.5. Moderators

Kotter (2002) described that his eight phases method involves subtle points and should not always be

followed strictly. This implicates that each situation may require a slightly different approach, but the

foundation of the phases remain the same. There can be other internal or external influences that

moderate the effect of change management method on the success rate of risk management

implementations.

Possible moderators are for example industry, organizational culture, national/international operating

organization, existing knowledge etc. Due to the limited availability of research information on this



specific topic, the difficulty is to identify the relevant moderators. To downsize the possible factors and

enhance a relevant scope for this study, one generic and one specific moderator is introduced, both

implying multiple sub-factors. The size of an organization is introduced as a generic moderator, in

order to yield more information, as this moderator implies multiple sub-factors (i.e. type of culture,

internal politics, complexity etc.). The second moderator regard a specific and also common subject in

the field of risk management; compliance (external regulations). This moderator also implies multiple

sub-factors, i.e. type of industry that faces compliance issues and the intrinsic or extrinsic motivation

of an organization to be ‘in control’. The two moderators are further outlined below.

2.5.1. Moderator organization size

Haveman (1993) studied the effect of the size of an organization and the flexibility of an organization.

If organization size indicates political insulation and degree of bureaucratization, then large

organizations will change less than small organizations and are less flexible. According to Haveman

(1993), the sociological literature on organizational size and growth addresses the issue of size-based

differences in organizational structure and behavior. The ability of organizational members to conduct

face-to-face (one-on-one) interactions with each of the other members declines with the number of

members. Larger organizations require more complex forms of communication. Hence, in larger

organizations interpersonal interactions assumed to be more impersonal and more formal. The usage

of a change management method may be more required for large organizations and could lead to

better results, as it provides more structure and communication in the process.

H2. The smaller the size of an organization, the weaker the effect change management method has

on the success rate of risk management implementation.

2.5.2. Moderator compliance (external regulation)

Some organizations are required to perform and report on their risk activities by law, for example the

Dutch Central Bank (DNB) requirements for the financial industry or the AEX listed companies. In the

compliance theories, compliance is considered as a planned behavior in order to maximize its utility

by fulfilling the obligation and dispose any sanctions or consequences (Etienne, 2011; Merchant and

Van der Stede, 2007). Organizations that choose to comply with regulations will perform a tradeoff

between the marginal costs of compliance with the marginal benefits of compliance (Brehm and

Hamilton, 1996). For organizations that perform risk management activities as a result of

utilitarianism, may not have the intention to make risk management part of their organization, as it is a

goal oriented action; being compliant. Therefore the usage of the change management method may

have a weaker effect if it is driven by external regulations.

H3. Risk management activities driven by external regulations weaken the effect of change

management method on the success rate of risk management implementation.

Compliance projects in respect to internal regulation are not taken into account. Internal regulations

are defined for business and management purposes, thus an advantage for the organization. External

regulations on the contrary may not always lead to explicit advantages for an organization, hence, it

could be easier perceived as a burden.



2.6. Relevance for Internal Audit practitioners

In the previous paragraphs the relevance of risk management for organizations is explained and why

this research topic is interesting for organizations and risk practitioners. Beside the relevance for

organizations and risk practitioners, this study is also interesting for internal audit (practitioners).

Some risk management related activities are covered by internal audit practitioners, as they are the

supporters of risk management in the governance of an organization (refer to figure 1).

According to the IIA Standard 2120, the internal audit activities must evaluate the effectiveness and

contribute to the improvement of risk management processes (IIA, 2009). The skills and experiences

that internal audit practitioners may possess, allow them to fulfill a valuable role in ERM and also for

related key principles. The IIA international Professional Practices Framework includes a position

paper, called The Role of Internal Auditing in Enterprise-wide Risk Management (IIA, 2009; IIA 2011).

The paper outlines several opportunities for internal audit practitioners. Internal audit can provide

objective assurance to the board regarding the effectiveness of an organization’s ERM activities, to

help ensure key business risks are being managed adequately and that the system of internal

controls is operating effectively (IIA, 2009). Whether the internal controls are operating effectively is

related to the organization’s perception towards the need of having risk management and the

acceptance level.

In the practice advisory 2120-1: assessing the adequacy of risk management processes, it states that:

‘Management and the board are responsible for their organization’s risk management and control

processes (IIA, 2009). However, internal audit practitioners acting in a consulting role can assist the

organization in identifying, evaluating, and implementing risk management methodologies and

controls to address those risks’. This may be via ERM or some of its key principles; whereby this

study addresses whether the risk management implementation require additional organizational

change attention.

Based on the function and role of internal audit, the relevance of this research topic is two-fold for

internal audit practitioners:

1. The usage of organizational change method in risk management implementations is an

interesting topic for internal audit practitioners as it can change the way they initially assess

the risk management program and the effectiveness

2. For internal audit practitioners acting in the consulting or advisor role in risk management, the

results of this research topic can change their initial way to identify, evaluate or implement risk

management methodologies throughout the organization.

2.7. An overview

This chapter started with the positioning of risk management and its importance. Risk management is

required within an organization in order to identify and mitigate risks that may adversely affect the

organization’s success or achieving its objectives. In order to manage the effectiveness of risk

management, internal audit can play a valuable role by objectively assessing the governance and

effectiveness of risk management activities. Additionally some internal audit practitioners may also

fulfill an advising/consulting role by identifying, evaluating or supporting the risk management

approaches and implementations.



Difficulties in risk management can be divided into organizational or technical related challenges,

whereby the organizational challenges seem to be undermined in current research and literature in

respect to risk management. Similar organizational challenges (misunderstanding and conflicts of

roles, lack of a specific culture, limited foundation etc.) in other studies have shown that the use of

organizational change method can overcome these. This led to the probabilistic relation, that the use

of an organizational change method could also overcome the organizational challenges in risk

implementation and increase the success. Five well known organizational change methods are

introduced in this chapter, whereby the eight phases of Kotter is selected for this study, due to its

practical character. Additionally two moderators are selected, size of an organization and whether the

risk management implementation was external compliance driven. Both are selected, based on its

multilateral nature, which is useful to identify possible sub-factors.

Based on the hypotheses, a theoretical framework can be formed. This theoretical framework forms

the foundation of this study and includes the relations; refer to figure 5.

Figure 5: Theoretical framework



3. Methods section

In the previous chapter a theoretical framework has been developed (see figure 5). A prerequisite in

academic research is an adequate foundation of the selected research method. In this section the

research method is described to test the theoretical framework. It includes a discussion why the case

study method is used, including the validity and reliability issues, which is also a prerequisite for

academic research. Then the measurement methods of the different factors in the theoretical

framework are outlined. This chapter ends with an introduction of the four case studies.

3.1. Research method

Different research methods exist, but which method is the most useful for this study? For every

research method there are advantages and disadvantages. The arguments for using the case study

method are discussed below.

3.1.1. Empirical research and theory testing

Empirical observations, interviews and data are collected in order to answer the research question.

Empirical research bases its finding on the systematic gathering of observable facts. The observable

facts could occur directly or indirectly. Empirical research can improve the relevance for

organizational research by providing real-life data. On the other hand it could occur that real-life

obtained empirical data might lead to less predictable and controllable results, which may leave the

researcher without any meaningful results (Elram, 1996).

The objective of this research study is theory oriented and contributes to the development of theory

(Dul & Hak, 2007). Within the theory oriented research approach, three types of activities can be

distinguished: 1) exploration, 2) theory-building research and 3) theory-testing research. The objective

of this study is to gain understanding of the effect of organizational change method on the success of

implementing risk management, whereby several hypotheses are formed and tested. This method is

characterized as theory-testing research.

3.1.2. Case study

The hypotheses in this theory-testing research express a probabilistic relation. With a probabilistic

relation it is assumed that on average x causes y (Dul & Hak, 2007). To simplify: if x is higher, then it

is likely that y is higher. According to Dul & Hak (2007) to test a probabilistic relation, an experiment is

the preferred method and a survey is the second best method to test a probabilistic relation.

Unfortunately, these two methods are not feasible, due to time, case dependency and cost issues. An

experiment is not feasible as it requires a full set up of at least two similar risk management

implementations within organizations (one with the use of an organizational change method and one

without), whereby at least a time span of two full time months is required for the preparation of the risk

management framework and foundation, mobilization of a real life organization and participants.

Additional time span is required, in order to measure the results. A survey requires a large number of

respondents in order to yield meaningful results and is also constrained by rigid limits of the

questionnaire. During discussions with potential participating organizations, they had let known that a

survey is not favorable due to the limited available time of their employees and no response rate

could be guaranteed. Therefore the third-best method is chosen: a comparative case study (also

known as multiple case studies by Yin, 1981; Yin, 2003).



Case studies can show the multiple influences and by conducting several case studies, the

differences between the cases can become clear (Yin, 1981). In a comparative case study, a number

of cases are selected from real-life context. The data obtained from the cases are analyzed in a

qualitative manner (Dul & Hak, 2007). Empirical data are gained via on site observations, interviews

and documentary evidence. In general, the case study method is preferred when ‘how’ and ‘why’

questions need to be answered, whereby the investigator has limited control over the events and the

events occur in real-life context (Yin, 2003). A case study is particularly useful when the phenomenon

that needs to be researched is difficult to study outside its natural setting and when the concepts and

variables are difficult to quantify (Ghauri & Grønhaug, 2005). Often there are other variables that need

to be considered. This explains also why case study is one of the major research strategies in

organizational and social science (Thacher, 2006).

Organizational and related factors in this study are very intangible, subjective and strongly social

oriented. The natural setting cannot easily be identified or set, which makes research very difficult.

The case study method can yield better and gain new insights into the organizational change method

in relation to the success of implementing risk management.

3.1.3. Data collection

The case study method is a distinctive form to gain empirical evidence or data. A case study is a

qualitative research and in depth oriented. This research method can give refreshing insights into the

concerning topic (Yin, 2003) and the results of case research can have high impact (Dul & Hak,

2007). Unconstrained by the rigid limits of questionnaires, it can lead to new and creative insights and

enrich theories. Then it can show the problems and how it resulted in the cases itself.

A combination of data collection methods is used, to obtain insight into the cases, also called

triangulation (Dul & Hak, 2007). This is a major strength of a case study method. A case study data

collection gives the opportunity to use many different sources of evidence (Yin, 1981). Existing

literature is used as departing point for this study. Based on the literature review and research gap,

hypotheses are used to get more direction and to proceed further (Ghauri & Grønhaug, 2005). Data

regarding the cases are gained via in depth interviews with organizations. During the interviews, a

questionnaire is used as guideline. Furthermore, available secondary (qualitative and quantitative)

data are also collected. The comparative case research is executed in two phases. First, the different

cases are researched separately and then the cases are analyzed and compared with each other.

3.2. Validity and reliability

A prerequisite in academic research are the validity and reliability aspects. In order to enhance the

validity and reliability of this research, the triangulation method is applied. The quality of a case study

can be enhanced by following the four criteria: construct validity, internal validity, external validity and

reliability (Yin, 1981; Ghauri & Grønhaug, 2005). The relation between these criteria and the case

study are discussed below.

Construct Validity – The primary concern for a case study method is the construct validity. Biased and

subjective views might influence the direction of the results, findings and conclusions (Yin, 2003). To

overcome the problem of subjectivity in a case study method, different sources of evidence are used

during the data collection, also known as the triangulation technique (Dul & Hak, 2007). A

questionnaire is used as a guideline during the interviews. The questionnaire contains open

questions, closed questions and questions whereby the 1-5 Likert scale is used. The interview



method is used to gain more insight into the answers, but also to gain unforeseen and new

information related to the studied objects. This led to a more valid analysis of the studied objects.

Secondary data is used to increase the validity. The study is mainly conducted with the responsible

person for implementing risk management and sometimes with additional participants from the

business (if available). This makes the triangulation technique even more important. The questions,

results and secondary data should reveal, not only the perception of the interviewee (risk manager),

but also the opposite party (the participants from the business). The triangulation technique offers the

possibility to decrease the impact of subjectivity and reflect the case more truly.

Internal Validity – Internal validity refers to the extent to which the researcher can infer that a causal

relationship exists between two (or more) variables (Ghauri & Grønhaug, 2005); x led to y. When any

third factor (z) has influenced y, instead of x, what was concluded; the research design is failed.

Specific tactics to overcome this problem are difficult to identify (Yin, 1981). Yin (2003) identified a

couple of questions, which has to be anticipated during the case study:

- Are there any other possible interference?

- Have all the conflicting explanations and possibilities been considered?

- Is the assumed interference correct, even with the other possible interferences?

These questions are anticipated while conducting the case studies. Other possible interferences are

discussed with the interviewee and whether these interferences (z) might have caused y (success of

risk management implementation), instead of x (organizational change method).

External Validity – The external validity refers to the extent in which the findings can be generalized

(Yin, 2003). For a single case study, it is difficult to generalize, because it is limited to one case. A

comparative case study method, with four cases, increases the ability to generalize the results. The

findings in this study are generalized to theory, also called the analytical generalization. As defined by

Yin (2003), in analytical generalization, the investigator strives to generalize a particular set of results

to some broader theory.

Reliability – The reliability criterion is enhanced by following a strict and repetitive procedure during

the case studies (Yin, 2003). The procedure for each case study is exactly the same as all the others.

The questionnaire as guideline enhance the repetitive procedure and guided the case study step

wisely, refer to Appendix 2. All information is verified and documented carefully.

3.3. Measurement

In the literature review, existing theory and literature formed the basis for assumptions and

hypotheses in this research; which resulted to the theoretical framework in figure 5. How the

definitions of the factors in the theoretical framework are used and measured in this study, are

described below.

Kotter’s eight-phases method – This is the perceived usage of each of the eight-phases in the Kotter’s

method by the responsible person for implementing the risk management and if possible validated

with the participants from the business. Each of the eight phases is outlined. The interviewee

describes the usage in the eight phases during the implementation. The perceived usages in the

different phases are classified in a 1-5 Likert scale. Appendix 3 shows how the usage is calculated.



Successful risk management implementation – The success of the implementation of the risk

management regard overcoming the organizational challenges. First the responsible person for

implementing the risk management and the participants are asked whether they perceived the

implementation as a success or not in general. In order to estimate the implementation success in

quantitative terms, success factors are rated. The success factors are designed to measure the

dissolve of the organizational challenges as mentioned in the literature (paragraph 2.2.1.). The

organizational challenges imply the lack of a risk based culture, misunderstanding of risk

management and the role of risk manager; and the lack of risk management foundation.

Success factors to measure that these organizational challenges are dissolved regard: increased

proactivity (participation grade) as the participants gradually understand the content and the need and

acceptance of risk management; request for additional information as the foundation and

understanding increased, they trust the risk manager and want more information to understand the

topic; increased risk and control awareness of the participants due to the increased foundation and

understanding; risk based culture and thinking and the increased understanding towards the need of

risk and control within the organization. The success factors are discussed as follow during the case

study analysis:

- During the implementation has the proactivity amongst the participants increased?

- During or after the implementation did participants request for additional information or

risk/control services?

- After the implementation has the risk and control awareness increased in the organization?

- After the implementation has the organizational culture become more risk based?

- After the implementation has the understanding towards the need of risk and control been

increased?

How the five parameters of success are rated is explained in Appendix 4.

Organization Size – Whether an organization belongs to a small, medium or large sized organization,

depends on the number of employees. Small organization has a maximum of 50 employees; medium

sized organization has a maximum of 250 employees. An organization with more than 250 employees

belongs to a large organization. The foundation of this moderator is explained in paragraph 2.5.1.

Table 4: Classification organization size

Compliance (external regulation) – Describes whether the project is driven by external laws and

regulations or not. Not performing the project could lead to sanctions or other major consequences

from external institutions. Compliance projects in regard to internal regulation are not taken into

account. For foundation, refer to paragraph 2.5.2.



3.4. Cases

In this section, the sample selection and criteria are discussed. Thereafter the participating

organizations and the representatives are shortly introduced. In the following chapter (4), the case

studies are described more thoroughly.

3.4.1. Sample Selection and criteria

The sample consists of organizations that have implemented enterprise risk management or key

principles in the organization, in order to test the hypotheses. An additional criterion is that the

implementation has been completed.

There is no distinction made between industries or type of risk management implementation. Due to

the limited availability of research information on this research topic, the objective of this study is to

gain overall insight into the influence/effect of using organizational change method in risk

management implementations. Whereby four case studies as a sample size is sufficient to gain

insight into this influence/effect.

3.4.2. Participants

The following four case studies have participated in this research:

1. Dutch Transportation Company – Implementation of Risk and Financial Processes Handbook

– 2007

2. Large Insurance Company – Implementation of Key Control Register - 2010

3. Credit Registration Office – Implementation of Organizational Risk Management - 2011

4. Small Insurance Company for a specific professional/occupational group – Risk Management

Analysis – 2010

3.5. An overview

This chapter has outlined that this study is a theory testing research as it is theory oriented and

contributes to the development of theory. Due to cost, available time and capacity, together with the

main question which expresses a probabilistic relation, the case study method is the preferred method

for this research. To enhance the validity and reliability of this research, the triangulation method is

applied, consisting of interviews, observations and collections of secondary data. This chapter has

ended with an overview of the participating organizations. The case studies are further analyzed in

chapter 4.



4. Case studies

The participating organizations were shortly introduced in the previous chapter. In this chapter the

stories and the results from the case studies are outlined per case, following the different phases of

Kotter’s change method. The results of the cases are further outlined in chapter 5 and 6.

4.1. Case 1 – Dutch Transportation Company – Implementation of Risk and Financial

Processes Handbook – 2007

In 2005 the director of a Dutch Transportation Company introduced a risk and financial processes

handbook for all its business units. Financial department was responsible for defining a generic

handbook with standard financial risks and controls. There was no implementation plan. In 2007 the

director realized that most of the business units have not implemented the handbook. Thereafter the

director decided to enforce the business units to implement the handbook; discussion or

customization was not allowed. Every year the controls in the handbook are tested for effectiveness.

Due to privacy issues and sensitivity of the information, further detailed descriptions are not provided

in this chapter. The rating of the different phases and factors are rated by the participant. The results

are shown below:

Table 5: Ratings Case Study 1

4.2. Case 2 – Large Insurance Company - Key Control Register implementation – 2010

In 2010 the new CFO at a large insurance company in The Netherlands requested to implement a key

control register for its business and functional units. This was a response to a number of major

incidents with hundreds of millions of losses in the organization. The analysis of the root cause of the

incidents showed that there were some gaps in communication, silo mindset and lack of transparency

between roles and responsibilities. The Key Control Register is a register with key risks and controls,

which are aligned with the objectives of each business unit and the supporting functional units. The

objective is that the business units will use the key control register as a management tool for their

daily business, increase transparency in roles & responsibilities and to improve the value chain

effectiveness and to change the silo mindset.





are shown below:


4.3. Case 3 – Credit Registration Office – Implementation of Organizational Risk Management –

2011

In 2011 a Credit Registration Office in the Netherlands started implementing Organizational Risk

Management (ORM). The management team and Internal Audit perceived that risk management is an

important aspect in order to realize organization’s objectives, especially in the area that they are

operating (including credit and fraud risks).The implementation of ORM in 2011 started with the

establishment of a risk department. The practitioners for the risk department were selected from the

Internal Audit Department. Practitioners with risk affinity could apply or were invited for the new

function. They received training from an external risk consulting firm. The second step was the

development of a risk and control framework for the three organizational units (Operations, IT and

Staff & Relation Management) by the new appointed risk managers and external risk consultants.

This case describes the implementation for one organizational unit (Operations), as the project for this

unit has been finished and the others are still in the implementation phase.



are shown below:




4.4. Case 4 – Small Insurance Company for a specific professional/occupational group – Risk

Management analysis – 2010

In 2010 a small insurance company (focused on a specific professional/occupational group) was

required to report on their risk management activities towards the central bank of The Netherlands;

DNB (De Nederlandse Bank). Therefore they decided to perform a risk management analysis in order

to identify their risks and control effectiveness. A consulting firm was hired to perform the risk

assessment workshops with the risk manager. The director of the company attended all workshops

and the validation sessions, as he fully supported this initiative.



are shown below:


4.5. An overview

In this chapter the four case studies are shortly outlined, whereby the success of the risk

implementation are scored, including the usage of the different phases of Kotter’s change method.

The cases regard different organizations with their own objectives and risk management

implementations. Each case is ended with an overview of the ratings, provided by the participant(s).

In the following chapter (5 and 6) the results are further analyzed.



5. Results: Cross Case Analysis

In this chapter, the results of the cases are analyzed and compared with each other. Based on the

comparisons the acceptance of the hypotheses can be tested.

5.1. The effect of the usage of Kotter’s eight phases change method on the success of risk

management implementations.

None of the four cases have used or followed the Kotter’s method during the risk management

implementation. Therefore the usage level of the model is used, based on the eight phases. The

usage level of Kotter’s change method can get a maximum score of 40 and the maximum of the

success score is 10 (refer to chapter 3 or appendix 3 and 4 for the calculation method). The usage

level of the change method and the success scores are presented in table 9.

Table 9: Overview of the results

From the four cases, case 1 shows a relatively low usage of the change method of Kotter in

comparison to the other three cases (case 2, 3 and 4). It seems that a limited usage of the change

method of Kotter leads to a lower success score, as case 1 shows an explicit lower success score in

comparison with the other three cases

In general, the results show that a higher usage of the Kotter’s change method, do lead to a higher

success rate. These findings support hypothesis 1: The usage of Kotter’s eight phases change

method increases the success of risk management implementations

5.2. The effect of organization’s size

In the hypotheses, it was assumed that the smaller an organization the weaker the effect change

management method has on the success rate of risk management implementation. The results of the

case studies are presented in table 10.

Table 10: Effect of organization's size

When comparing case 4 (small organization) with case 2 (large organization) and 3 (medium sized

organization), it seems that the small organization had made less use of the change method in



comparison with the large and medium sized organization, while the success rate is higher for the

small organization.

This effect is further supported when comparing case 2 (large organization) with case 3 (medium

sized organization). Case 3 made less use of the change method, but shows a similar success rate,

which implicates that a smaller organization require less usage of the change method in order to be

more successful or to gain the same success level.

To summarize, based on the cross case analysis results, it seems that for a smaller organization, a

lower usage of the change method lead to a higher or similar success score in comparison with a

large organization. Hence, hypothesis 2: The smaller the size of an organization, the weaker the

effect change management method has on the success rate of risk management implementation, is

supported.

5.3. The effect of compliance (external regulation)

In the hypothesis it was assumed that to comply with external regulation in respect to risk

management weakens the effect of change management method as the organization is driven by

compliance and not by the intrinsic will to perform the risk management activities. The results of the

case studies are presented in table 11.

Table 11: Effect of compliance (external regulation)

From the 4 case studies, only 1 case was driven by external regulation, which did not lead to a lower

success rate of the implementation. Hence, hypothesis 3 is not supported: Risk management

activities driven by external regulations weaken the effect of change management method on the

success rate of risk management implementation. Note that this result is relatively weak, since the

number of cases which were compliance driven is limited.

5.4. An overview

In this chapter the results are analyzed and compared with each other, in order to verify the

hypotheses. Based on the results, the following table shows an overview of whether the hypotheses

are supported:



Table 12: Overview of the results of the hypotheses

Based on the stories of the case study in chapter four and the results provided in this chapter, the

following chapter (6) provides insight into ‘how’ and ‘why’ the hypotheses are supported or not.



6. Discussion

Chapter 5 showed the results of the case studies. Why were some hypotheses supported and some

not? In this chapter, the results, outcomes and exceptions are discussed.

6.1. Risk management implementation success

Success is measured by scoring five success factors. In general the results show that the higher the

usage of the change method lead to a higher success score. Refer to table 13 and the cross case

analysis in Chapter 5. Case 1 explicitly shows that a very limited usage of the method led to a lower

success score.

Table 13: Overview of the results

Case 3 and 4 show a similar or higher success score with a lower usage level of the change method

than case 2. This was because the implementation the risk management projects were shorter and

smaller than case 2, whereby some phases of the change method were less relevant for case 3 and

4. For example the selection of the guiding team. In case 3 and 4, there was only 1 risk manager

available; hence, there is not much choice beside the fact that they selected an external consulting

firm to support them. In case 2, there was a risk management department with approximately 25

people, whereby the project leader could select the appropriate persons to support the project.

Another remarkable difference from the case study stories is the empowerment of action. Case 2 is a

large organization whereby the project team faced several barriers and political issues. Several times

they had to escalate to the board of directors and request them to put pressure on the business units.



They did receive the required support. Other moments, whereby they could solve the issues by

themselves, they did. Therefore the empowerment of action phase is more applicable to case 2. In

case 3 and 4, they also faced barriers, but these could be solved without escalation to the directors.

Communication for buy in was very important for case 3 and 4, as the participants lack risk

management knowledge. Initially they did not understand the content and the need of the project. It

took the project team a lot of time to convince them, change the approach and to train them in respect

to the content. Case 2 also required a lot of communication in order to gain the buy in, but this was

due to political issues and not the content. This is in line with another remarkable point, the success

factor - understanding of the need of risks and controls. The understanding towards risks and controls

was already within the organization of case 2. Therefore it was difficult to rate success factor 5. The

organization is compliant to SOx and many other regulations, whereby the need of having controls

was already there.

6.2. Organization’s Size

As indirectly briefed in paragraph 6.1., some phases of the change management method are less

relevant for smaller organizations, as they have less political issues and a relatively small risk

management department. On the other hand, the larger the organization the more they are familiar

with risk and controls aspects. For example the organization of case study 2 is SOx compliant and

quarterly reports on strategic risks. The people in the organization are familiar with risk, controls and

compliance aspects, as they face this daily within their operations. They only struggled to link the

many risk and control initiatives within the organization, which led to some adversity when another

risk management project was introduced. Studies (Pinto and Trailer, 1999) have shown that too many

projects within an organization may be a reflection of the lack of focus, direction and objective of the

organization and often lead to project failures. Combined with the previous experiences of employees

with projects and changes, knowing that the process is not easy, may lead to resistance within the

organization.

The organizations of case 3 and 4 reacted very adverse in the beginning as they did not understand

the content very well. After some training and change of the approach, their attitude changed

positively during the implementation and they became more involved in the process. Their enthusiasm

and participation grade had increased over time.

6.3. Compliance (external regulation)

From the four cases, only case study 4 was driven by external regulation. During the interviews of

case study 4 it appeared that external regulation had not influenced the impact of the change

management method on the success rate. Management of the organization perceived the risk

management analysis as important and explicitly communicated this towards the organization. The

director in case 4 actively participated the different sessions/workshops to show the importance of the

project. The participants did not perceive that the project was driven by external regulation; this may

explain why hypothesis 3 is not supported.



6.4. An overview

This chapter has outlined the why and how the hypotheses are supported or not. The results have

shown that a higher usage level of the organizational change method of Kotter do lead to a higher

success rate of the risk implementation. The size of organization showed to moderate effect, as small

organizations made less use of Kotter’s change method, but had a higher or similar success rate

compared to a medium or large-sized organization. Most significant differences are caused by the

shorter project lead times, smaller risk department and less political issues for smaller organizations.

Compliance driven risk management implementations did not show any moderating effect, as the

organization did not perceive the implementation was driven by external regulation.



7. Conclusion

The purpose of this study is to explore the effect of using organizational change method of Kotter on

the success of risk management implementations. Moderators are included in the framework to

understand the side effects of possible surrounding factors. Previous studies in respect to

organizational change methods have shown that it has a positive effect to overcome organizational

challenges (i.e. cultural transformations, mergers & acquisitions, organizational restructuring etc.). In

the field of risk management, there is lack of attention regarding organizational challenges and the

use of organizational change methods. This study tries to bring these two research fields together.

The scope may be broad with a generic approach, but it still reflects some interesting findings, which

should be taken into account by risk and audit practitioners and future academic research topics. The

following subsections present the main findings of this study, including recommendation for future

research and limitations of this study.

7.1. Main findings and conclusions

Based on theoretical research and practical data, the main question: Does the usage of organizational

change method increase the success of risk management implementations? can be answered. The

results of this study have shown that the usage of Kotter’s organizational change method can

increase the success of a risk management implementation. By rating the usage level of Kotter’s

change method, the results have revealed that a higher usage level of the method in general lead to

more successful risk management implementation. The metrics of the success factors are designed

to measure the organizational challenges as mentioned in literature.

The usage level of the change management method and its effect on the implementation success is

dependent on the size of the organization. Due to the lack of available research in this field, a generic

moderator is explicitly selected, as it could provide additional information. Some phases of Kotter’s

change method tend to be less relevant for smaller organizations, as they have less political issues

and a smaller risk management department. During the case study analyses, it appeared that a large

organization could also implicate that it has more experience with risk and controls aspects. The

difficulty for this type or organization is to link the different existing risk and control initiatives in the

organization. For small organizations it appeared that the participants had difficulties with the content

and lacked risk and control knowledge. It took additional time to educate and train them. Hillson

(1997) introduced a risk maturity model, whereby he categorizes organizations in different levels of

risk maturity, from unawareness with limited experience to a proactive and highly integrated risk

management culture. Based on these findings, I would recommend for future research to take

organization's risk maturity (Hillson, 1997) and the relative size of the risk department into account as

moderators.

In the beginning of the interviews I have asked what the interviewees (implementers) perceived as a

possible obstacle prior to starting the implementation. All of them answered that they expected some

organizational challenges (i.e. how to get everybody involved? how to overcome resistance? etc.).

When asking them how they planned to overcome these expected obstacles, most of them (3 out of

4) answered that they planned to convince the participants by content, as then they would understand

why risk management is important. This is in line with a publication of Lee & Shimpi (2005), stating

that risk managers often tend to present themselves as technical experts rather than as

communicators or facilitators.



Several interviewees have revealed that with new insight of Kotter’s change model and on hindsight,

they have missed some crucial activities. One of the crucial activities is the creation of urgency in the

model of Kotter. The urgency is often there on higher management (director) level and not at the

business/operating level (the participants or executors). Risk managers tend to forget to create

urgency on the floor as well. Additionally, the risk managers and external consultants (if relevant)

often tend to report towards higher management about the progress and status of the implementation;

Are we on schedule? What is the status of the deliverables/output? The process seems to be very

goal and output oriented, instead of the question: What are you actually trying to achieve at

business/operating level?

In this study, the moderator compliance (external regulation) has not shown any remarkable effect on

the relation between using Kotter’s change model and success of the implementation. The case study

revealed that it may be more important to test whether the participants perceived the risk

management implementation as mandatory without advantages or is there an advantage/benefit for

them? This perception can be affected by higher management. For future research it may be

interesting to test moderating effect on higher management’s perception and the perception of

participants towards compliance.

This study has shown that the usage of Kotter’s change method can increase the success of the risk

management implementations. Therefore it is recommended for all organizations to use

organizational change methods in risk management implementations. For large organizations the full

usage of the method of Kotter is recommended, as it provides structure to a large and complex

organization to implement risk management throughout the organization. Full usage of the method of

Kotter may be less relevant for smaller organizations, due to the shorter lead time of risk management

projects. The most important phases for small organization are create urgency (phase 1), get the

vision right (phase 4), communicate for buy in (phase 5) and create short wins (phase 6) within the

organization. Additionally it is important to educate and train the people in risk management topics

during or prior to the process, as often there is lack of experience and knowledge in risk management

in the business. Without proper risk management knowledge in the organization, the challenge is both

technical (content) and organizational.

To summarize, for organizations, consulting firms, risk managers or internal audit practitioners who

operate in the field of risk management, they should acknowledge that organizational challenges are

crucial and should be carefully considered, whereby a relevant change management method can

provide the necessary support,

7.2. Limitations and future research recommendations

The domain of this study is kept broad, as I tried to find out what the impact of using organizational

change methods in general is on the implementation of risk management. In the sample selection,

factors such as industry, organizational culture and project history were not taken into account. I

chose organizational size as moderator as it implicates other aspects as well, for example:

organizational risk maturity, culture and management style. The results of the case study have shown

that interesting aspects for future studies could be organization’s risk maturity (Hillson, 1997) and the

relative size of the risk department. Additionally I did not make a distinction between type of industry

or organizational cultures. In future study it may be interesting to zoom into particular industries or



organizational cultures to yield more information on the impact of organizational change method on

risk management implementations.

Four case studies have been analyzed in order to gain insight into the effect of using a change

management method and the success of risk management implementation. From the four cases, only

for one case the risk management implementation was compliance driven. Three cases are from the

financial industry. Since the results have shown that the usage of change management method could

increase the success of risk management implementation, there is certainly need for more

comparative studies to yield more and specific information. For future research I would recommend to

use more case studies, involving different industries and drivers or focus on a specific industry.

I did not make a distinction between the types of risk management implementation as it is very rare to

have identic risk management implementations. Often the foundation is the same but the approaches

will show differences. For future research it might be interesting to test the impact of organizational

change method on relatively identical risk management implementations.

Case studies have been conducted with limited participants of the organizations, always with the risk

managers (implementers) and selected participants from the business (if available). In future

research, it might be more interesting to conduct a larger study, whereby more participants from the

business should be studied, in order to generate a more balanced overview and increase the

objectivity.

7.3. An overview

This study has shown that organizational change method plays is an important role in risk

management implementations, therefore it requires and deserves more attention in managerial

activities and business studies. Internal audit practitioners can also yield from the results; this is

further explained in the final chapter (8).



8. Implications for Internal Audit

According to a paper of IIA (2011), organizations are giving risk management more consideration as

the business world is becoming more complex due to new, evolving and emerging risks.

Implementing an effective risk management program takes a lot of time and discipline, whereby

internal audit practitioners can play an important role. On the other hand there are many roles that

internal audit practitioners are not ready to pursue or are not proactive in pursuing. The IIA (2009,

2011), introduced a diagram with the position and roles of internal audit, refer to figure 6.

Figure 6: Internal Auditing's Role in Enterprise Risk Management (IIA, 2009)

The diagram is divided into three groups:

1. Core internal audit roles in regard to ERM (green colored roles) - Assurance

2. Legitimate internal audit roles with safeguards (yellow colored roles) –

Advising/Consulting

3. Roles internal auditing should not undertake (red colored roles)

As described in paragraph 2.7, the relevance of this research in respect to internal audit practitioners

is two-fold, namely for the internal audit practitioners who provide independent assurance and assess

the activities of risk management activities (the green colored activities in figure 6) and for internal

audit practitioners with a consulting/advising role in risk management (the yellow colored activities in

figure 6).

In the following subsections the results and findings of this research are discussed in respect to the

first two groups in the diagram (figure 6), as the latter ones are roles that internal audit should not

undertake. Hence, no more attention is required for this group.



8.1. Assurance Role - Core internal audit roles in regard to ERM

The roles of internal audit practitioners in the regard to ERM include giving assurance on the risk

management process, that the risks are correctly evaluated and reported. The results of my study

have shown that using an organizational change method to implement risk management could

increase the need and understanding of participants towards risks and controls and a more risk based

culture. These are important aspects in order to increase the effectiveness of the organization’s risk

management.

Based on the results and findings it seems that internal audit should not only focus on the technical

part of risk management implementations, but also the organizational part. Here lies an opportunity

for internal audit to focus on how the risk management approach is set up and implemented by the

organization.

Driessen & Molenkamp (2008) state that the critical mentality of internal audit practitioners can lead to

relevant feedback regarding to the approach and the process of risk management. The assurance

activities internal audit practitioners should include in the assessment whether the risk management

implementation contains the usage of an organizational method or some of its aspects. The

assessment of the use of an organizational change method is especially important for large

organizations, as the results of this study have shown that large organizations tend to benefit more

from using an organizational change method, due to the complexity of the organization and political

issues. Additionally the internal audit practitioner can also assess whether the organizational aspects

are considered in the risk management approach (i.e. stimulate the understanding within the

organization in respect to risk and controls; stimulate a risk based culture etc.).

When risk management is executed as a mandatory and formal procedure without initiatives to

change or overcome the resistance or misunderstanding in the organization; and there is a lack of a

risk based culture and risk understanding, how assure can internal audit be that the correct key risks

are identified and reported by the business? How well can internal audit use the risks identified as by

the business in its internal audit plan? How valid is the work that internal audit performs based on the

identified risks by an organization who do not understand risk management and the added value?

Hence, for internal audit practitioners who only perform assurance/audit role in respect to risk

management, they should assess and evaluate how risk management practitioners or the business

have used elements of organizational change methods to be effective in risk management throughout

the organization.

8.2. Advising/consulting Role - Legitimate internal audit roles with safeguards

The roles in this group represent consulting services that may improve the organization’s governance,

risk management and control processes (IIA, 2009). During risk management implementations

organizational challenges can be major obstacles. A regular risk management implementation

includes facilitation, coaching and coordinating risk management activities. These are activities which

can be carried out by internal audit practitioners. Hence, for internal audit practitioners it is also crucial

to understand how they can overcome any organizational obstacles. Because, how are they able

facilitate the identification and evaluation of risks or coach the management in responding to risks,



when the participants are not willing to cooperate and do not understand why risk management is

crucial and necessary?

This study has shown that the use or Kotter’s change method can increase the success of the

implementation. Hence, for advising/consulting internal audit practitioners it is useful to gain deeper

understanding on how they can use relevant organizational change methods (or some key elements

of it) to increase the effectiveness of their selected risk management activities. This is especially

relevant for large organization as the positive effect of using an organizational change method is

stronger. For smaller organizations, internal audit practitioners should make sure that during their

advising/consulting role in the implementation, sufficient urgency and buy-in is created amongst the

participants; strong vision is available and communicated; and enables short win(s) to stimulate the

participants.

Additionally, the results have shown that for small organizations the unwillingness or

misunderstanding in respect to risk management could be a result of lack of knowledge and risk

foundation. Hence, the task here for advising/consulting internal audit practitioners is to make sure

that they communicate and educate the organization sufficiently regarding risk and control topics.

Large-sized organizations on the other hand may have seen too many different risk and control

projects and initiatives within the organization, leading to confusion. The task here for

advising/consulting internal audit practitioners is to explain the cohesion between the different

initiatives.

8.3. An overview

This chapter has outlined the implications of this research for internal audit practitioners. Note that

internal audit is not responsible for the execution of risk management activities (Driessen &

Molenkamp, 2008), the latter, red colored roles in figure 6. Based on the results of this research,

internal audit should understand that the usage of organizational change methods could increase the

success of risk management throughout an organization. Hence, they do have a critical and

challenging role regarding the selected risk management approach and process in an organization,

for the assurance role they carry out. For advising/consulting internal audit practitioners, the use of

organizational change method can support them in overcoming possible organizational challenges.



9. Literature

Assen, A. van, Berg, G. van den, Pietersma, P. (2009), Key Management Models – the 60+ models every manager needs to know, Harlow UK, Prentice Hall Ashkanasy, N.M., Kavanagh, M.H. (2006), The Impact of Leadership and Change Management Strategy on Organizational Culture and Individual Acceptance of Change during a Merger, British Journal of Management, Vol. 17, Issue 1, pp. 81–103 Bijlsma-Frankema, K. (2001) On managing cultural integration and cultural change processes in mergers and acquisitions, Journal of European Industrial Training, Vol. 25 Issue 2/3/4, pp.192 – 207 Blokdijk, G. (2008), Change Management 100 Success Secrets, Gerard Blokdijk copyright e-reader Brehm, J., Hamilton J.T. (1996), Noncompliance in Environmental Reporting: Are Violators Ignorant, or Evasive, of the Law?, American Journal of Political Science, Vol. 40, No. 2, pp. 444-477 Brickley, J. A., Smith, C. W., & Zimmerman, J. L. (2001). Managerial Economics and Organizational Architecture, second edition, Boston, McGraw-Hill. Bruinsma, C. (2009), Tone at the Top is Vital – A Delphi study, ISACA Journal, Vol. 3 Caluwe, L. de, Vermaak, H. (2004), Change Paradigms: An Overview, Organization Development Journal, Vol. 22, No. 4 Caluwe , L. de (2006), Leren veranderen, een handboek voor de veranderkundige, second edition, Kluwer Cendrowski, H, Mair, W.C. (2009), Enterprise Risk Management and COSO – A guide for directors, executives and practitioners, John Wiley & Sons inc., New Jersey Claassen, U. (2010) - In 6 stappen naar COSO ‘nieuwe stijl’, Controllers Magazine, pg 24-27 COSO (2004), Enterprise Risk Management — Integrated Framework, Executive Summary, the Committee of Sponsoring Organizations of the Treadway Commission. COSO (2003), http://www.coso.org/IC-IntegratedFramework-summary.htm Driessen A.J.G., Molenkamp A. (2008), Internal auditing, Een managementkundige benadering, 4th edition, Kluwer, Deventer Dul, J., Hak, T. (2007), Case Study Methodology in Business Research, Pre-published manuscript, Erasmus University Rotterdam Ellram, L. (1996), "The use of the case study method in logistics research", Journal of Business Logistics, Vol. 17:8, pp.93-138 Etienne, J. (2011), Compliance Theory: A Goal Framing Approach, Law & Policy, Vol. 33, No. 3 Ghauri P., Grønhaug K. (2005), Research methods in Business studies, A practical Guide, Third edition, Edinburgh Gate Harlow, Pearson Education Havenman, H.A. (1993), Organizational Size and Change: Diversification in the Savings and Loan Industry after Deregulation, Administrative Science Quarterly, Vol. 38, No. 1, pp. 20-50 Hampton, J.J. (2009), Fundamentals of enterprise risk management – how top companies assess risk, manage exposures, and seize opportunities, New York, AMACOM American Management Association

http://onlinelibrary.wiley.com/doi/10.1111/bjom.2006.17.issue-S1/issuetoc

http://www.coso.org/IC-IntegratedFramework-summary.htm



Hillson, D.A. (1997), Towards a Risk Maturity Model, The international Journal of Project & Business Risk Management, Vol 1. No 1, pp. 35-45 IIA (2009), Internal Auditing: Assurance & Consulting Services, Second Edition, The Institute of Internal Auditors Research Foundation IIA (2011), Internal Auditing’s Role in Risk Management, The IIARF White Paper, The Institute of Internal Auditors Research Foundation Kotter, J.P., Cohen, D.S. (2002), The Heart of Change, Real Life Stories of How People Change Their Organizations, Boston, Harvard Business School Publishing Lam, J (2003), Enterprise Risk Management – From Incentives to Controls, New Jersey, John Wiley & Sons inc. Lee, C., Shimpi, P. (2005), The Chief Risk Officer: What Does It look Like and How Do You Get There?, Risk Management, http://www.rmmag.com/Magazine/PrintTemplate.cfm?AID=2855 Merchant, K.A., Van der Stede, W.A. (2007), Management Control Systems – performance measurement, evaluation and incentives, second edition, Pearson Education Limited Negus, J. (2010), 10 Common ERM Challenges, Risk Management, Vol. 57 - Issue: 3, March 01, 2010 Pinto J.K., Trailer, J.W. (1999), Essentials of Project control, Pennsylvania, Project management institute Publishing Ritterberg, L.E., Martens, F., Landes, C.E. (2007), Internal Control Guidance – Not just a small matter, Journal of Accountancy, 203-3 Thacher, D. (2006), The normative case study, The American Journal of Sociology, Vol. 111:6, pp. 1631-1676 Yin, R.K. (1981), The Case Study Crisis: Some Answers, Administrative Science Quarterly, Vol. 26:1, pp. 58-65 Yin, Robert K. (2003), Case study research, design, and methods, Third edition, Thousand Oaks, Sage Publications

http://www.rmmag.com/Magazine/PrintTemplate.cfm?AID=2855



Appendix 1 – Method of Kotter

Below an overview is provided per phase with some ideas and guidance on how to use the method of

Kotter (2002).

Phase 1 – Create urgency

Phase 2 – Build the guiding team

Phase 3 – Get the vision right



Phase 4 – Communicate for buy in

Phase 5 – Empower action

Phase 6 – Create short term wins



Phase 7 – Don’t let up

Phase 8 – Make change stick



Appendix 2 – Guideline and list of questions

The following list contains questions that have been used during the case study interviews

1. Name of the organization

2. Size of the organization

3. Number of projects in the organization in the previous 3 years

4. When did the case occur?

5. What risk management project does it regard?

6. Explain more about the risk management project

7. Who was the initiator of the project?

8. Who was responsible for the execution of the project?

9. Were there external parties (i.e. consultants) involved?

10. What was perceived as the major challenge(s) prior to the implementation?

11. Did you create urgency amongst the participants? How? (give examples)

12. Define the usage level in phase 1 – Create urgency

13. Did you use a guiding team during the implementation? How? (give examples)

14. Define the usage level in phase 2 – Building the guiding team

15. Did the guiding team create the vision? How? (give examples)

16. Define the usage level in phase 3 – Get the Vision right

17. Did you communicate the vision and strategy to the participants? How? (give examples)

18. Define the usage level in phase 4 – Communicate for buy-in

19. How did you solve obstacles during the implementation? (give examples)

20. Define the usage level in phase 5 – Empower action

21. Did you create short wins during the implementation? How? (give examples)

22. Define the usage level in phase 6 – Create short term wins

23. What did you do after the new wins? (give examples)

24. Define the usage level in phase 7 – Don’t let up

25. Did you make additional changes at the end of the implementation? What and how? (give

examples)

26. Define the usage level in phase 8 – Make change stick

27. Did you perceive the implementation as a success? Why?

28. Did the pro-activity amongst the participant increase during the implementation? How? (give

examples)

29. Did participants asked for additional information or risk/control services after or during the

implementation? How? (give examples)

30. Did the risk and control awareness increase in the organization after implementation? How?

(give examples)

31. Did the organizational culture become more risk based after the implementation? How? (give

examples)

32. Did the understanding towards the need of risk and control increase after the implementation?

How? (give examples)

33. What was perceived as the major challenge(s) after the implementation?



Appendix 3 – Usage of the eight-phases method of Kotter

During the case study the interviewee gave each of the 8 phases a score, in respect to the perceived

usage of it during implementation. The Likert-scale method with 5 scores has been used. The

interviewees had to score the eight phases with:1 = very limited, 2 = limited; 3 = average; 4 =

extensive and 5 = very extensive. No usage is ranked 0.

The total of the scores represents a certain level of usage of the Kotter model, whereby a maximum of

40 points can be obtained (maximum usage).

An illustrative example:

Phase 1 – Create urgency = 5

Phase 2 – Build the guiding team = 0

Phase 3 – Get the vision right = 1

Phase 4 – Communicate for buy in = 3

Phase 5 – Empower action = 2

Phase 6 – Create short term wins = 4

Phase 7 – Don’t let up = 0

Phase 8 – Make change stick = 2

---------------------------------------------

Usage level = 17 (out of 40)



Appendix 4 – Success scores

Five factors have been formed to identify the level of success of overcoming the organizational

challenges. Each factor can get a grade of 0, 1 or 2, with a total of maximum 10 points.

During the implementation has the proactivity amongst the participants increased?

0 (no), 1 (maybe), 2 (yes)

During or after the implementation did participants request for additional information or risk/control

services?

0 (no), 1 (partly), 2 (yes)

After the implementation has the risk and control awareness increased in the organization?

0 (no), 1 (maybe), 2 (yes)

After the implementation has the organizational culture become more risk based?


After the implementation has the understanding towards the need of risk and control been increased?


Does the usage of organizational change method increase the … Jessie... · 2016. 9. 30. · Several organizational change methods and approaches exist to change and align people’s

Documents