Does the usage of organizational change method
increase the success of risk management
implementations?
A case study research
Jessie K.Y. Yung (6020346)
Rotterdam, 29-08-2011
Coach: Erwin Amersfoort
Amsterdam Business School – Universiteit van Amsterdam
Executive Internal Audit Program
Does the usage of organizational change method increase the success of risk management implementations?
J.K.Y. Yung - EIAP 2011 2
Preface
The executive internal audit program of the Amsterdam Business School (UvA) requires its students
to write an academic research in the field of internal/operational auditing in order to finalize the
executive program. Within the executive program, I decided to write my thesis in the field of
Organizational Change Management, as I believe this is a field which has been undermined in audit,
risk and control studies and practices. The main objective of this study is to understand the impact of
organizational change methods on risk management; a familiar topic for internal audit practitioners.
Finally, I would like to thank my coach and all participating interviewees and organizations for
providing me with valuable input for this thesis.
August, 2011,
Jessie Kiu Yen Yung
Executive Summary
A continuously changing business environment, developments and complexities increase the need for
risk management in order to meet an organization’s business objectives by effectively managing risks
and uncertainties (COSO, 2003; Hampton, 2009). Risk is the possibility that an event will occur that
affects the achievement of a business objective (COSO, 2003). These developments have led to a
growing demand for assistance in developing effective processes to support risk management
(Hillson, 1997). COSO Enterprise Risk Management (ERM) is one of the well-known methods that
address this. While most organizations have not embedded a formal ERM in their business practices,
there seems to be a growing trend to implement at least some of its key principles (IIA, 2009). Hence,
risk management is becoming a more recognized and valuable activity within organizations.
Besides risk managers, internal audit practitioners also fulfill a valuable role in risk
management. They can fulfill two roles towards the board of an organization and senior
management, namely 1) objectively assessing the risk management program and its effectiveness, or 2)
providing a consulting/advising role by identifying, evaluating or supporting the implementation of risk
management methodologies.
Implementing risk management (either full ERM or some of its key principles) has led to many
difficulties for organizations, from technical (content) challenges to organizational challenges. The
technical challenges are, for example, the lack of a standard framework, steps and method, how to
quantify risks, or the difficulty of keeping the framework up to date (Claassen, 2010). Many publications
(Lam, 2003; Hampton, 2009) are available which tackle the technical challenges of risk
management implementations by providing guidance, structures and specific methods. Few
publications are available regarding organizational challenges such as conflict resolution between
risk functions and the business, the lack of a risk based culture, or resistance towards risk management
(Cendrowski and Mair, 2009; Lam, 2003; Lee & Shimpi, 2005).
In order to implement risk management successfully it is important to understand why people act as
they do (misunderstanding, resistance, conflicts) and how to influence or change this. According to
Kotter (2002), ‘people change what they do less because they are given analysis that shifts their
thinking than because they are shown a truth that influences their feelings’. Based on a study of
Kotter (2002), successful organizations know how to overcome antibodies that reject anything new or
different, whereby the central challenge is changing people’s behavior and influencing their feelings.
Several organizational change methods and approaches exist to change and align people’s
understanding, values and behavior in organizations.
Organizational change management studies provide several methods and approaches to overcome
organizational challenges in cultural transformations, mergers & acquisitions, new technologies and
restructuring. Studies have shown the positive effects of using organizational change methods to
overcome similar organizational challenges (Ashkanasy & Kavanagh, 2006; Bijlsma-Frankema, 2001;
Blokdijk, 2008; Kotter, 2002). Therefore, this research study examines the influence of using an
organizational change method on risk management implementation, leading to the following main
research question: Does the usage of organizational change method increase the success of risk
management implementations?
Based on the literature review, a suitable change management method is selected for this study:
Kotter’s eight-phases model. The literature review is additionally used to propose the expected effect
between organizational change method and success of risk management implementations with the
possible moderating effects. The following moderators are used: size of an organization and
compliance driven (by external regulations) risk management implementations. All these factors are
integrated in a theoretical framework, which forms the basis of this study.
A comparative case study method is used to test the hypotheses. Four case studies with risk
management implementations have been studied, analyzed and compared. A cross case analysis
provides a comparison between the factors and a general overview of the results. Furthermore, the
cross case analysis also reveals patterns in the results.
By integrating theoretical and practical data, the main research question could be answered. For the
four case studies, it was found that the usage of Kotter’s change model tends to have a positive effect
on the success of risk management implementations. Large organizations tend to benefit more from
using a change model in risk management implementations, as they have more political issues,
relatively large risk departments and risk projects which require a longer time span. The results also
revealed that, in general, a large organization has more experience with risk and control related
aspects. The difficulty for this type of organization is to link the multiple existing risk and control
initiatives of the organization with each other. The number of risk and control initiatives could also
lead to adversity within the organization. Smaller organizations, on the other hand, show that their
employees have more difficulty with the content and lack knowledge of risk management. It takes
additional time to educate and train them. Sometimes the risk management approach needs to be
redefined in order to gain their support and buy-in.
Risk management implementations driven by compliance (external regulation) did not show any
remarkable effect on the relation between using Kotter’s change model and the success of the
implementation. The case study revealed that when the management of an organization believes that
the risk management implementation provides advantages or benefits, it does not matter anymore
whether it is compliance driven or not.
The results show that the use of Kotter’s change method does have a positive impact on the success
of implementing risk management. Therefore risk management practitioners should consider the use
of organizational change methods or some of their aspects in risk management implementations. The
same holds for internal audit practitioners who assess risk management (assurance role) or perform
some risk management related activities (consulting/advising role).
There might be other factors which moderate the effect of using organizational change method on the
success of risk management implementations. Future research is needed to test different moderators
and their effect. Furthermore, the domain of this study is rather broad; zooming in on specific
industries or on an organization’s risk maturity (Hillson, 1997) in future research might yield additional
valuable insights.
Index
1. Introduction
1.1. Research Gap
1.2. Research objectives and questions
1.3. Research approach
2. Literature review
2.1. Governance, risk management, internal control and internal audit
2.2. Challenges in Risk Management
2.2.1. Technical versus organizational challenges
2.2.2. Organizational challenges are undermined
2.3. Influencing the organizational challenges
2.3.1. Introduction to organizational change methods
2.3.2. Applicable organizational change method for this study
2.3.3. The 8 phases of Kotter
2.4. Organizational change management and implementing risk management
2.5. Moderators
2.5.1. Moderator organization size
2.5.2. Moderator compliance (external regulation)
2.6. Relevance for Internal Audit practitioners
2.7. An overview
3. Methods section
3.1. Research method
3.1.1. Empirical research and theory testing
3.1.2. Case study
3.1.3. Data collection
3.2. Validity and reliability
3.3. Measurement
3.4. Cases
3.4.1. Sample Selection and criteria
3.4.2. Participants
3.5. An overview
4. Case studies
4.1. Case 1 – Dutch Transportation Company – Implementation of Risk and Financial Processes Handbook – 2007
4.2. Case 2 – Large Insurance Company - Key Control Register implementation – 2010
4.3. Case 3 – Credit Registration Office – Implementation of Organizational Risk Management – 2011
4.4. Case 4 – Small Insurance Company for a specific professional/occupational group – Risk Management analysis – 2010
4.5. An overview
5. Results: Cross Case Analysis
5.1. The effect of the usage of Kotter’s eight phases change method on the success of risk management implementations.
5.2. The effect of organization’s size
5.3. The effect of compliance (external regulation)
5.4. An overview
6. Discussion
6.1. Risk management implementation success
6.2. Organization’s Size
6.3. Compliance (external regulation)
6.4. An overview
7. Conclusion
7.1. Main findings and conclusions
7.2. Limitations and future research recommendations
7.3. An overview
8. Implications for Internal Audit
8.1. Assurance Role - Core internal audit roles in regard to ERM
8.2. Advising/consulting Role - Legitimate internal audit roles with safeguards
8.3. An overview
9. Literature
Appendix 1 – Method of Kotter
Appendix 2 – Guideline and list of questions
Appendix 3 – Usage of the eight-phases method of Kotter
Appendix 4 – Success scores
1. Introduction
In the past decades the need for risk management has increased due to business complexity issues,
corporate governance code developments (compliance driven), but also the voice of stakeholders
who require organizations to improve their management activities in respect to risks and uncertainties
(Hampton, 2009; Lam, 2003). Organizations are becoming more aware of the importance of risk
management for the success of the organization (Hillson, 1997). Risk is the possibility that an event
will occur which adversely affects the achievement of an objective (COSO, 2003). According to
Hampton (2009), risk management is essential in order to achieve the organization’s objectives by
enhancing operating stability and building organizational resilience. Finally, it also increases the
economic value of an organization.
Enterprise Risk Management (ERM) emerged in the late 1980s (Hampton, 2009). ERM argues that
an organization should manage its risks in a single and comprehensive program, including the
coordination with internal processes, audit and compliance. A well-known method is the COSO
Enterprise Risk management Cube (COSO, 2003).
In practice, organizations face several challenges when implementing ERM or some of its key
principles (IIA, 2009). The discussions about these challenges are often related to the content and
technical aspects of implementing risk management, for example the lack of a standard framework,
steps and methods. Many books have been published which explain how to implement ERM. Less is
available about the organizational challenges during and after the implementation.
To make risk management a success, a deep understanding of the organizational challenges and of
how to overcome them is required. Organizational challenges in risk management are, for example,
the lack of a risk based culture, the lack of understanding of risk management, or conflicts within the
organization. Organizational behavior and change management studies have published much literature
about organizational challenges. The organizational change methods and approaches are widely
applied in cultural transformations, mergers & acquisitions and organizational restructuring, in order to
overcome organizational challenges (Ashkanasy & Kavanagh, 2006; Bijlsma-Frankema, 2001;
Blokdijk, 2008; Kotter, 2002).
The purpose of this study is to explore how the usage of existing organizational change methods can
influence the success rate of implementing risk management in organizations, either ERM or some of
its key principles. The success rate is a combination of the organization’s risk culture, awareness and
understanding. Two moderators are selected which could affect the relation between the usage of
organizational change method and the success of implementing risk management.
1.1. Research Gap
As mentioned in the introduction, little has been written about the organizational challenges when
implementing risk management. From a practical and theoretical perspective, it is important to get an
understanding of the organizational challenges that organizations face when implementing risk
management and whether the usage of organizational change methods can overcome these
challenges.
1.2. Research objectives and questions
Based on the research gap, the following research objectives are formed:
Develop a theoretical model whereby the following are addressed:
- Get more understanding of the organizational challenges when implementing risk
management;
- Get more understanding of and insight into the existing organizational change methods and their
effect on organizational challenges;
- Get more insight into the possible moderating variables and their effects.
In order to realize this objective, the following main research question has been formulated:
- Does the usage of organizational change method increase the success of risk management
implementations?
Sub-questions are formulated in order to answer the main question. The sub-questions are used as a
guideline towards answering the main question:
- Why is risk management important for organizations?
- What is the purpose of risk management programs?
- What is the role of internal audit in respect to risk management?
- What kind of challenges do organizations face when implementing risk management?
- What kind of organizational change methods are available to overcome organizational
challenges?
- Which organizational change method is most applicable to test whether it is useful in risk
management implementations (and overcome the related organizational challenges)?
- What is the probabilistic relation between organizational change methods and risk
management implementations?
- What are other interesting moderators which should be taken into account?
- What is the relevance of this research topic for Internal Audit (practitioners)?
- What type of theory oriented research is applied in this study?
- Why is case study the most suitable research method for this study?
- How to enhance the validity and reliability of this research?
- How are the different factors measured?
- What are the sample selection criteria?
- Do the case study results support the hypotheses?
- How and why do the case study results support/not support the hypotheses?
- What are the main findings and conclusions?
- What are the limitations and recommendations?
- Based on the results what are the implications for internal audit practitioners in the assurance
or advising/consulting role?
1.3. Research approach
This study is based on a literature review, whereby relevant theories concerning risk management,
organizational challenges, organizational change methods and internal audit are used. Based on
previous literature, hypotheses about the effects of organizational change method usage and its
moderators in respect to risk management implementations are formed. This is presented in Chapter
2, which ends with a theoretical framework: the foundation of this study.
Besides theoretical data, practical data is used. The multiple case study approach is applied to gather
empirical data, in order to test the hypotheses as defined in Chapter 2. The arguments for the chosen
methodology and the way measurement is performed, including the validity and reliability requirements, are
presented in Chapter 3.
Chapter 4 provides information about the four case studies. Based on the gathered information, the four
cases are compared with a cross case analysis in Chapter 5. The results are discussed in Chapter 6.
Following the results and discussion, Chapter 7 presents the findings, conclusions and limitations of
this study. Conclusions are formed based on both the practical and theoretical information. This study
ends with the implications for Internal Audit in Chapter 8.
2. Literature review
In this chapter the current state of the literature on risk management and organizational change
management, and the relation between them, is explained.
2.1. Governance, risk management, internal control and internal audit
In order to understand why risk management is important for an organization and the internal audit
function, the positioning and relevance is outlined first, starting with the governance structure.
Organizations develop a structure/framework through which long-term and day-to-day decisions are
made. The actual organization structure can vary between organizations, but an overall governance
structure should be available to ensure key stakeholders requirements are met. The governance
structure provides direction to the persons who are responsible to execute the day-to-day activities of
managing the (inherent) risks in an organization’s business model. The day-to-day business activities
are also known as internal control (IIA, 2009). Governance is the process conducted by the board of
directors in order to authorize, direct and oversee management in respect to the achievement of the
organization’s goals and objectives. Brickly et al (2001) defined governance as the system consisting
of:
- The partition (business units, divisions, shared service centers) and attribution of decision
rights and reserved powers in the internal organization of the firm;
- The methods of rewarding individuals;
- The resource allocation process (capital, human resources, information, knowledge, physical
capital, intangibles like brands);
- The structure of systems
Figure 1: Depiction of Key Governance elements (IIA, 2009)
Risk management is the second layer in the governance structure (refer to figure 1). The purpose of
risk management is to identify and mitigate the risks that may adversely affect the organization’s
success and to exploit the opportunities that enable that success. Organizations are becoming more
aware of the importance of risk management for the success of the organization (Hillson, 1997).
According to Lam (2003), four reasons can be defined for risk management:
1. Managing risk is management’s job - Managing the risks of a business enterprise is the direct
responsibility of management;
2. Managing risk can reduce earnings volatility – Management should pay attention to the
underlying risks of the business, including the sensitivity of the firm’s earnings and market
value towards internal and external variables;
3. Managing risk can maximize shareholder value – Risk management can help an organization
to achieve its objectives and maximize shareholder value. Risk-based programs can identify
opportunities for risk management and business optimization;
4. Risk management promotes job and financial security – On an individual level the most
compelling benefit of risk management is that it promotes job and financial security. The past
has shown that executives have lost their jobs due to poor risk management performance.
According to figure 1, internal control is shown in the center, as it represents a subset and integral
part of the risk management activities. Risk responses which include controls are designed to execute
the risk management strategies (IIA, 2009). To achieve this, managers should design and implement
an effective system of internal control (Ritterberg et al, 2007). COSO (2003) defines internal control
as: a process effected by an entity’s board of directors, management and other personnel, designed
to provide reasonable assurance regarding the achievement of objectives in the following categories:
- effectiveness and efficiency of operations
- reliability of financial reporting
- compliance with laws and regulations
With the improved COSO ERM (2004) a new strategic objective has been included: High-level goals
should be aligned with and supporting the organization’s mission.
The final component and important role in the governance elements in figure 1 is the independent
assurance activities by internal audit that will provide the board and senior management an objective
assessment in respect to the effectiveness of governance and risk management (IIA, 2009). To be an
effective part of the governance process, the internal audit function should:
- Understand the direction and expectation of the board’s governance;
- Support the risk management program by monitoring structure and discipline in the risk
management program or by educating other employees in the organization on these risk
and control topics;
- Develop an internal audit plan which encompasses the independent governance assurance
activities, including the periodical reporting of the effectiveness of risk management activities
(IIA, 2009, 2011).
To summarize, based on the governance elements (also refer to figure 1), risk management and
internal audit fulfill an important role in the governance of an organization. For internal audit this
implies also the support of risk management, including the communication of risk and control
information to the appropriate areas in an organization and the assurance on the effectiveness of risk
management activities.
2.2. Challenges in Risk Management
As described in paragraph 2.1., organizations face an extensive number of risks as they try to execute
their strategies and achieve their objectives. Due to the extensive number of risks, there is a need for
a process to effectively understand and manage risks across an organization (IIA, 2009). According to
Hillson (1997) there is a growing demand for assistance in developing effective processes to support
the identification, assessment and management of risk, as organizations want to tackle the risks
facing them. Enterprise Risk Management (ERM) is a well-known method to address this (refer to
figure 2).
Figure 2: COSO Enterprise Risk Management Cube (COSO, 2004)
COSO ERM is built of eight interrelated components which are derived from the way management
runs an organization and are integrated with management processes. According to IIA (2009), most
organizations have not embedded formal ERM in their business practices, but there seems to be a
growing trend to implement ERM or at least some of its key principles. Some key principles are,
for example: Risk Assessment Workshops, Risk Self Assessments, Key Control Registers and
Frameworks, specific business process risks (i.e. supply chain or finance), In-Control-Statements etc.
This study is focused on ERM implementations and/or some of its key principles. The term risk
management in this study comprises both full ERM implementations and implementations of some key principles.
Implementing risk management is not an easy process, as for most organizations it implies a
multiyear initiative that requires ongoing senior management sponsorship and sustained investment
in human and technology resources (Lam, 2003). In the next subparagraph the challenges in
implementing risk management are further outlined.
2.2.1. Technical versus organizational challenges
Many literature and publications are available in respect to implementing risk management (Lam,
2003; Hampton, 1997; COSO, 2004). The described challenges in literature are often related to the
content and technical aspects of implementing risk management. The difficulty in implementing risk
management, take for example COSO ERM, is the lack of a standard framework and the description
of steps and method (Claassen, 2010). Additionally COSO ERM is difficult to keep up to date in a
continuously changing environment. Negus (2010) published an article in which he outlines in more
detail the ten major technical challenges in risk management implementations:
1. Assessing ERM's Value - Organizations often have difficulties in demonstrating the sufficient
ERM value to justify implementation costs;
2. Privilege - Risk information becomes increasingly event-driven and money-based, issues are
raised about the distribution of risk to auditors or to external regulators;
3. Defining Risk – It is difficult to establish a consistent and commonly applied risk definition;
4. Risk Assessment Method - Enterprise risk assessments are performed using a large variety
of approaches and tools, including surveys, interviews and historical analysis;
5. Qualitative Versus Quantitative - The decision whether risks should be assessed using
qualitative or quantitative metrics. Lam (2003) also describes it as the difficulty to assess and
quantify non-financial risks (business, organizational and operational risks) and how to
incorporate these into performance measurement systems;
6. Time Horizon - The time horizon of ERM risk assessment is largely based on the
organization's intent to use ERM risk results and its willingness to invest in risk management.
This is also related to challenge 1, the assessment of ERM’s value;
7. Multiple Potential Scenarios – Most risks have multiple event likelihoods and risk severities;
8. ERM Ownership - The question regarding who is responsible and owner of ERM is often
unclear and commonly disputed at the board, audit committee and management levels;
9. Risk Reporting – What information should be shared with internal and external stakeholders
and how should risk be communicated and reported?
10. Simulations and Stress Tests - Organizations often struggle to balance the need for
meaningful simulation and stress tests against a nearly infinite number of potential scenarios
(Negus, 2010).
The published literature includes guidelines to address these content-related and technical issues in
risk management (Lam, 2003; Hampton, 1997; COSO, 2004). Besides technical challenges in risk
management implementations, there are also organizational challenges, which are more complex and
relatively undermined in the risk management literature. The organizational challenges are further
outlined below:
Organizational Culture
An organizational culture focused on risk management is an essential component of risk
management. Creating a culture of risk management requires management to 1) formulate a risk
management policy, 2) communicate this policy to employees and 3) act in accordance with this
policy. Many organizations are successful in completing the first two steps, while the third step
appears to be challenging (Cendrowski and Mair, 2009). It can be disastrous for organizations
when employees make unharmonious risk management decisions. If risks are not challenged and
addressed in a uniform manner by the organization, the risks cannot be properly mitigated
(Cendrowski and Mair, 2009). The third step is also connected to the tone at the top. In literature a lot
has been written about the influence of tone at the top, which is seen as a precondition for
organizations. The internal environment forms the basis for handling risks and control measures.
The core of every organization is its employees, their individual integrity, values, competence and
work environment. Tone at the top has a critical influence on this (Bruinsma, 2009).
Conflict resolution between line and staff
The type of conflict often concerns the choices between business volume or revenue growth and risk
control. In this process the line seeks ways to avoid oversight by staff units (Lam, 2003). This also
includes misalignment of incentives, one side seeks for growth (volume, revenue, profit and return on
equity) and the other seeks for quality (minimization of losses, errors or deviations from plans) (Lam,
2003). The conflicts remain when both parties have different objectives and perceptions and
lack a total overview or mutual understanding.
The role of line risk management
The installation of risk managers within the business units, with a reporting line to the CRO and
business manager, often leads to uncomfortable situations. In this situation, the line staff may
perceive the line risk manager as part of the ‘enemy’. The effect is increased due to the reporting line
to CRO (Lam, 2003).
Lack of risk management foundation
Risk managers have difficult tasks including assimilating, analyzing and communicating sometimes
complex concepts to leaders and managers who often do not possess a strong risk management
foundation. Often they are only informed about the financial and technical issues (Lee & Shimpi,
2005). Hence, the core of risk management is not tackled, which raises the question of how business
leaders and managers can actually manage the risk.
2.2.2. Organizational challenges are undermined
Literature about the technical challenges of implementing risk management and organizational
challenges are scattered. The challenges in risk management implementations are often written about
the content and technical aspects, while organizational challenges and influences are more or less
neglected. More has been written about the prerequisite of the tone at the top. In general terms, tone
at the top is a precondition for managing an organization and not specific in the field of risk
management and control.
To summarize, due to the importance of risk management for organizations (paragraph 2.1.) and the
research gap in organizational challenges in risk management literature and how to overcome these
(paragraph 2.2.), the relevance of this study is justified. The following chapters further outline
available methods to overcome organizational challenges.
2.3. Influencing the organizational challenges
The organizational challenges in implementing risk management are described in paragraph 2.2.1.
The challenges start with not having a risk based culture, combined with lack of understanding of risk
concepts in the business, lack of understanding of the need of risk management and conflict
resolutions between the business and risk managers (Cendrowski and Mair, 2009; Lee & Shimpi,
2005). In addition to that, the perception of risk managers as the enemy (Lam, 2003) is in practice
often perceived as resistance. To overcome the organizational challenges, it is important to
understand why people act as they do and how to influence or change this.
According to Kotter (2002), ‘people change what they do less because they are given analysis that
shifts their thinking than because they are shown a truth that influences their feelings’. Based on a
study of Kotter (2002), successful organizations know how to overcome antibodies that reject
anything new or different, whereby the central challenge is changing people’s behavior and influencing
their feelings. Several organizational change methods and approaches exist to change and align
people’s understanding, values and behavior in organizations. Studies in the field of cultural
transformations, mergers & acquisitions and organizational restructuring have shown positive effects
when using organizational change methods in overcoming organizational challenges (Ashkanasy &
Kavanagh, 2006; Bijlsma-Frankema, 2001; Blokdijk, 2008; Kotter, 2002). Five well-known existing
change management methods are introduced below.
2.3.1. Introduction to organizational change methods
Change Quadrants
With the change quadrants model (Assen et al, 2009) the type of change and the culture of an
organization are taken into account to determine the change strategy. By understanding the key
levers, it can help to facilitate the change. The change quadrants model defines whether an
organization is warm (led by shared norms and values) or cold (led by rules, regulations and
procedures) and whether the motivation for change is warm (led by ambitions) or cold (led by
urgency, i.e. near bankruptcy or drop in market share). Based on the various warm/cold combinations,
there are four possible change strategies: intervention, implementation, transformation and
innovation. Also refer to figure 3.
Figure 3: Change Quadrants (Assen et al, 2009)
E and O theories by Beer and Nohria
Beer and Nohria introduced two approaches to organizational change, which are called Theory E and
Theory O of change. Theory E is the creation of economic value (i.e. shareholder value). It is focused
on formal structure and systems. It is driven from the top with the support of an extensive number of
consultants and financial incentives. The change is planned. The purpose of Theory O on the other
hand is to develop the organization’s human ability to implement strategy and learn about the
effectiveness of changes made from the actions taken. It is driven by the development of a high
commitment culture with high involvement. Change is emergent instead of planned (Assen et al,
2009).
Table 1: Theories E and O by Beer and Nohria (Assen et al, 2009)
Five colors of Caluwé
Caluwé (2006), one of the most influential consultants in the Netherlands, came up with a model of
five colors. Each color represents a different change process, as he does not believe that there is only
one way to execute a change process. The colors and the method of change are shown in table 2.
Table 2: The 5 colors of Caluwé (Caluwé & Vermaak, 2004)
Kotter’s eight phases of change
One of the most used methods is the eight phases of Kotter (2002). The basic principle of Kotter is
that change does not regard a single occurrence, but it is a process with several stages which are
related with each other. The eight phases are shown in table 3.
Table 3: The eight phases for successful change (Kotter, 2002)
Lewin’s Change Model
Lewin’s change model emphasizes three stages of change: unfreeze, change (modification), then
refreeze (also refer to figure 4).
Figure 4: Lewin's three stages of changes
The first stage is to get the organization or people ready for the change. It involves getting a point of
understanding, motivation and then to move away from the previous comfort zone (Blokdijk, 2008).
The second stage regards the change (modification phase). It involves the transition to the desired
state. Proper motivation and good leadership will enable the change. Also training, skills transfer and
personnel re-alignments or reduction could be part of this phase. The third stage, refreezing comes
when the workforce has already embedded the change in their system, until another unfreezing will
occur (Blokdijk, 2008).
2.3.2. Applicable organizational change method for this study
The first 3 models (The Change Quadrants, E and O theories and Five colors of Caluwé) provide
determinants for an organization to select a change strategy. The determinants are the type of
people, management style, culture and the status of an organization. These types of models can be
used in conjunction with other more stepwise methods, for example the eight phases method of Kotter
or Lewin’s three stages model. As the three models only provide determinants for the preferred
change strategy, it is less useful for this study because it does not provide guidelines how to execute
the change process. Kotter’s method on the other hand provides a more stepwise approach, which
involves subtle points and may not be always followed rigidly, but it does provide a clear and specified
guideline. The model of Lewin shows the three important steps that are required to get the change
started towards the objective, but it lacks the specific guideline that Kotter’s model does provide.
Hence, the method of Kotter is used in this study, as it is more generally applicable, including specific
steps and activities. This also enables the possibility to perform analysis and comparisons between
cases. The method of Kotter with the 8 phases is further outlined below.
2.3.3. The 8 phases of Kotter
Kotter, a professor at the Harvard Business School, introduced the eight-phase change process
in his book ‘Leading Change’ in 1995, after which the method has been used by many consulting
firms. In this section the eight phases are outlined in more detail.
Phase 1 – Create urgency
Most significant changes start with the creation of sense of urgency among the relevant people. Less
successful changes in organizations allow complacency, fear or anger, which can undermine the
desired effect. Sense of urgency gets people off the couch, out of a bunker and ready to move. Refer
to Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in this
phase.
Phase 2 – Build the guiding team
A guiding team needs to be created with the credibility, skills, connections, reputations and formal
authority. This team operates with trust and emotional commitment. Studies have shown that less
successful projects rely on a single person or no one, weak task forces and committees or complex
governance structures, all without the stature, skills and power to do the job. Refer to Appendix 1
for a summary with some ideas and guidance of what to do and what not to do in this phase.
Phase 3 – Get the vision right
The team should create clear, simple, uplifting visions and sets of strategies. In the less successful
cases, there are only detailed plans and budgets, while a vision is not very sensible. A vision that is
created by others than the guiding team is often ignored by the guiding team. Refer to Appendix 1 for
a summary with some ideas and guidance of what to do and what not to do in this phase.
Phase 4 – Communicate for buy in
Communication of the vision and strategies follows in this phase. The goal is to induce understanding,
develop commitment, and liberate more energy from a critical mass of people. In this phase deeds
are more important than words and repetition is a key success factor. Previous studies have shown
that smart people do not recognize their errors of undercommunication or poor communication.
Refer to Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in
this phase.
Phase 5 – Empower action
In this phase the obstacles to reaching the vision and objectives are removed. The focus should be on
the people who try to disempower others and on inadequate information and systems. In less successful
situations the people in the team often fend for themselves instead of the obstacles around. In this
phase it is important that the obstacles or difficulties are faced and adequately solved. Refer to
Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in this
phase.
Phase 6 – Create short term wins
Creating short-term wins is critical, as it provides credibility, resources and momentum to the overall
effort. Some wins may come more slowly, be less visible, speak less to what people value, and
have more ambiguity as to whether they are really successes. The challenge is to make this also a
short-term win. Refer to Appendix 1 for a summary with some ideas and guidance of what to do and what
not to do in this phase.
Phase 7 – Don’t let up
First wins are required to define the next steps, which will lead to new wins, after which the vision or
project becomes reality. In less successful cases people try to do too much at a time and quit too soon,
once they find themselves confused. Refer to Appendix 1 for a summary with some ideas and
guidance of what to do and what not to do in this phase.
Phase 8 – Make change stick
The change should stick within the new culture. This may come with organizational changes like
appropriate promotions, new employee orientations and also events that engage the emotions. Refer
to Appendix 1 for a summary with some ideas and guidance of what to do and what not to do in this
phase.
2.4. Organizational change management and implementing risk management
While most literature regarding risk management provides limited insight into how to overcome
organizational challenges in risk management implementation, change management studies provide
several methods or approaches to overcome similar organizational challenges (i.e. resistance,
misalignment, lack of understanding etc.) in cultural transformations, mergers & acquisitions, new
technologies and restructuring (Ashkanasy & Kavanagh, 2006; Bijlsma-Frankema, 2001; Blokdijk,
2008; Kotter, 2002).
Based on the type of organizational challenges during risk management implementation, it is probable
that the usage of Kotter’s method could influence the success of the implementation and overcome
the faced organizational challenges. In practice it could be that some of Kotter’s eight phases have
already been used (implicitly or explicitly), without using the full method. Based on this assumption, the
following hypothesis is introduced:
H1. The usage of Kotter’s eight phases change method increases the success of risk management
implementations.
2.5. Moderators
Kotter (2002) described that his eight phases method involves subtle points and should not always be
followed strictly. This implies that each situation may require a slightly different approach, but the
foundation of the phases remains the same. There can be other internal or external influences that
moderate the effect of change management method on the success rate of risk management
implementations.
Possible moderators are for example industry, organizational culture, national/international operating
organization, existing knowledge etc. Due to the limited availability of research information on this
specific topic, the difficulty is to identify the relevant moderators. To downsize the possible factors and
enhance a relevant scope for this study, one generic and one specific moderator are introduced, both
implying multiple sub-factors. The size of an organization is introduced as a generic moderator, in
order to yield more information, as this moderator implies multiple sub-factors (i.e. type of culture,
internal politics, complexity etc.). The second moderator regards a specific and also common subject in
the field of risk management; compliance (external regulations). This moderator also implies multiple
sub-factors, i.e. type of industry that faces compliance issues and the intrinsic or extrinsic motivation
of an organization to be ‘in control’. The two moderators are further outlined below.
2.5.1. Moderator organization size
Haveman (1993) studied the effect of the size of an organization and the flexibility of an organization.
If organization size indicates political insulation and degree of bureaucratization, then large
organizations will change less than small organizations and are less flexible. According to Haveman
(1993), the sociological literature on organizational size and growth addresses the issue of size-based
differences in organizational structure and behavior. The ability of organizational members to conduct
face-to-face (one-on-one) interactions with each of the other members declines with the number of
members. Larger organizations require more complex forms of communication. Hence, in larger
organizations interpersonal interactions are assumed to be more impersonal and more formal. The usage
of a change management method may be more required for large organizations and could lead to
better results, as it provides more structure and communication in the process.
H2. The smaller the size of an organization, the weaker the effect change management method has
on the success rate of risk management implementation.
2.5.2. Moderator compliance (external regulation)
Some organizations are required to perform and report on their risk activities by law, for example the
Dutch Central Bank (DNB) requirements for the financial industry or the AEX listed companies. In the
compliance theories, compliance is considered as a planned behavior in order to maximize its utility
by fulfilling the obligation and dispose any sanctions or consequences (Etienne, 2011; Merchant and
Van der Stede, 2007). Organizations that choose to comply with regulations will perform a tradeoff
between the marginal costs of compliance with the marginal benefits of compliance (Brehm and
Hamilton, 1996). Organizations that perform risk management activities as a result of
utilitarianism may not have the intention to make risk management part of their organization, as it is a
goal oriented action; being compliant. Therefore the usage of the change management method may
have a weaker effect if it is driven by external regulations.
H3. Risk management activities driven by external regulations weaken the effect of change
management method on the success rate of risk management implementation.
Compliance projects in respect to internal regulation are not taken into account. Internal regulations
are defined for business and management purposes, thus an advantage for the organization. External
regulations on the contrary may not always lead to explicit advantages for an organization; hence, they
could more easily be perceived as a burden.
2.6. Relevance for Internal Audit practitioners
In the previous paragraphs the relevance of risk management for organizations is explained and why
this research topic is interesting for organizations and risk practitioners. Besides the relevance for
organizations and risk practitioners, this study is also interesting for internal audit (practitioners).
Some risk management related activities are covered by internal audit practitioners, as they are the
supporters of risk management in the governance of an organization (refer to figure 1).
According to the IIA Standard 2120, the internal audit activities must evaluate the effectiveness and
contribute to the improvement of risk management processes (IIA, 2009). The skills and experiences
that internal audit practitioners may possess, allow them to fulfill a valuable role in ERM and also for
related key principles. The IIA International Professional Practices Framework includes a position
paper, called The Role of Internal Auditing in Enterprise-wide Risk Management (IIA, 2009; IIA 2011).
The paper outlines several opportunities for internal audit practitioners. Internal audit can provide
objective assurance to the board regarding the effectiveness of an organization’s ERM activities, to
help ensure key business risks are being managed adequately and that the system of internal
controls is operating effectively (IIA, 2009). Whether the internal controls are operating effectively is
related to the organization’s perception towards the need of having risk management and the
acceptance level.
In the practice advisory 2120-1: assessing the adequacy of risk management processes, it states that:
‘Management and the board are responsible for their organization’s risk management and control
processes (IIA, 2009). However, internal audit practitioners acting in a consulting role can assist the
organization in identifying, evaluating, and implementing risk management methodologies and
controls to address those risks’. This may be via ERM or some of its key principles; whereby this
study addresses whether the risk management implementation requires additional organizational
change attention.
Based on the function and role of internal audit, the relevance of this research topic is two-fold for
internal audit practitioners:
1. The usage of organizational change method in risk management implementations is an
interesting topic for internal audit practitioners as it can change the way they initially assess
the risk management program and its effectiveness;
2. For internal audit practitioners acting in the consulting or advisor role in risk management, the
results of this research topic can change their initial way to identify, evaluate or implement risk
management methodologies throughout the organization.
2.7. An overview
This chapter started with the positioning of risk management and its importance. Risk management is
required within an organization in order to identify and mitigate risks that may adversely affect the
organization’s success or achieving its objectives. In order to manage the effectiveness of risk
management, internal audit can play a valuable role by objectively assessing the governance and
effectiveness of risk management activities. Additionally some internal audit practitioners may also
fulfill an advising/consulting role by identifying, evaluating or supporting the risk management
approaches and implementations.
Difficulties in risk management can be divided into organizational or technical related challenges,
whereby the organizational challenges seem to be undermined in current research and literature in
respect to risk management. Similar organizational challenges (misunderstanding and conflicts of
roles, lack of a specific culture, limited foundation etc.) in other studies have shown that the use of
organizational change method can overcome these. This led to the probabilistic relation, that the use
of an organizational change method could also overcome the organizational challenges in risk
implementation and increase the success. Five well known organizational change methods are
introduced in this chapter, whereby the eight phases of Kotter is selected for this study, due to its
practical character. Additionally two moderators are selected, size of an organization and whether the
risk management implementation was external compliance driven. Both are selected based on their
multilateral nature, which is useful to identify possible sub-factors.
Based on the hypotheses, a theoretical framework can be formed. This theoretical framework forms
the foundation of this study and includes the relations; refer to figure 5.
Figure 5: Theoretical framework
3. Methods section
In the previous chapter a theoretical framework has been developed (see figure 5). A prerequisite in
academic research is an adequate foundation of the selected research method. In this section the
research method is described to test the theoretical framework. It includes a discussion why the case
study method is used, including the validity and reliability issues, which is also a prerequisite for
academic research. Then the measurement methods of the different factors in the theoretical
framework are outlined. This chapter ends with an introduction of the four case studies.
3.1. Research method
Different research methods exist, but which method is the most useful for this study? For every
research method there are advantages and disadvantages. The arguments for using the case study
method are discussed below.
3.1.1. Empirical research and theory testing
Empirical observations, interviews and data are collected in order to answer the research question.
Empirical research bases its finding on the systematic gathering of observable facts. The observable
facts could occur directly or indirectly. Empirical research can improve the relevance for
organizational research by providing real-life data. On the other hand it could occur that real-life
obtained empirical data might lead to less predictable and controllable results, which may leave the
researcher without any meaningful results (Elram, 1996).
The objective of this research study is theory oriented and contributes to the development of theory
(Dul & Hak, 2007). Within the theory oriented research approach, three types of activities can be
distinguished: 1) exploration, 2) theory-building research and 3) theory-testing research. The objective
of this study is to gain understanding of the effect of organizational change method on the success of
implementing risk management, whereby several hypotheses are formed and tested. This method is
characterized as theory-testing research.
3.1.2. Case study
The hypotheses in this theory-testing research express a probabilistic relation. With a probabilistic
relation it is assumed that on average x causes y (Dul & Hak, 2007). To simplify: if x is higher, then it
is likely that y is higher. According to Dul & Hak (2007) to test a probabilistic relation, an experiment is
the preferred method and a survey is the second best method to test a probabilistic relation.
Unfortunately, these two methods are not feasible, due to time, case dependency and cost issues. An
experiment is not feasible as it requires a full set up of at least two similar risk management
implementations within organizations (one with the use of an organizational change method and one
without), whereby at least a time span of two full time months is required for the preparation of the risk
management framework and foundation, mobilization of a real life organization and participants.
Additional time span is required, in order to measure the results. A survey requires a large number of
respondents in order to yield meaningful results and is also constrained by rigid limits of the
questionnaire. During discussions with potential participating organizations, they made known that a
survey is not favorable due to the limited available time of their employees and that no response rate
could be guaranteed. Therefore the third-best method is chosen: a comparative case study (also
known as multiple case studies by Yin, 1981; Yin, 2003).
Case studies can show the multiple influences and by conducting several case studies, the
differences between the cases can become clear (Yin, 1981). In a comparative case study, a number
of cases are selected from real-life context. The data obtained from the cases are analyzed in a
qualitative manner (Dul & Hak, 2007). Empirical data are gained via on site observations, interviews
and documentary evidence. In general, the case study method is preferred when ‘how’ and ‘why’
questions need to be answered, whereby the investigator has limited control over the events and the
events occur in real-life context (Yin, 2003). A case study is particularly useful when the phenomenon
that needs to be researched is difficult to study outside its natural setting and when the concepts and
variables are difficult to quantify (Ghauri & Grønhaug, 2005). Often there are other variables that need
to be considered. This also explains why the case study is one of the major research strategies in
organizational and social science (Thacher, 2006).
Organizational and related factors in this study are very intangible, subjective and strongly socially
oriented. The natural setting cannot easily be identified or set, which makes research very difficult.
The case study method can yield better and new insights into the organizational change method
in relation to the success of implementing risk management.
3.1.3. Data collection
The case study method is a distinctive way to gain empirical evidence or data. A case study is
qualitative, in-depth research. This research method can give refreshing insights into the
topic concerned (Yin, 2003) and the results of case research can have high impact (Dul & Hak,
2007). Unconstrained by the rigid limits of questionnaires, it can lead to new and creative insights and
enrich theories. It can also show the problems and how they played out in the cases themselves.
A combination of data collection methods, also called triangulation, is used to obtain insight into
the cases (Dul & Hak, 2007). This is a major strength of the case study method. Case study data
collection gives the opportunity to use many different sources of evidence (Yin, 1981). Existing
literature is used as the point of departure for this study. Based on the literature review and research gap,
hypotheses are used to get more direction and to proceed further (Ghauri & Grønhaug, 2005). Data
regarding the cases are gained via in-depth interviews with organizations. During the interviews, a
questionnaire is used as a guideline. Furthermore, available secondary (qualitative and quantitative)
data are also collected. The comparative case research is executed in two phases. First, the different
cases are researched separately and then the cases are analyzed and compared with each other.
3.2. Validity and reliability
Validity and reliability are prerequisites in academic research. In order to enhance the
validity and reliability of this research, the triangulation method is applied. The quality of a case study
can be enhanced by following four criteria: construct validity, internal validity, external validity and
reliability (Yin, 1981; Ghauri & Grønhaug, 2005). The relation between these criteria and the case
study is discussed below.
Construct Validity – The primary concern for a case study method is the construct validity. Biased and
subjective views might influence the direction of the results, findings and conclusions (Yin, 2003). To
overcome the problem of subjectivity in a case study method, different sources of evidence are used
during the data collection, also known as the triangulation technique (Dul & Hak, 2007). A
questionnaire is used as a guideline during the interviews. The questionnaire contains open
questions, closed questions and questions whereby the 1-5 Likert scale is used. The interview
method is used to gain more insight into the answers, but also to gain unforeseen and new
information related to the studied objects. This led to a more valid analysis of the studied objects.
Secondary data is used to increase the validity. The study is mainly conducted with the person
responsible for implementing risk management and sometimes with additional participants from the
business (if available). This makes the triangulation technique even more important. The questions,
results and secondary data should reveal not only the perception of the interviewee (risk manager),
but also that of the other party (the participants from the business). The triangulation technique offers the
possibility to decrease the impact of subjectivity and reflect the case more truly.
Internal Validity – Internal validity refers to the extent to which the researcher can infer that a causal
relationship exists between two (or more) variables (Ghauri & Grønhaug, 2005); x led to y. When a
third factor (z), instead of x as was concluded, has influenced y, the research design has failed.
Specific tactics to overcome this problem are difficult to identify (Yin, 1981). Yin (2003) identified a
couple of questions which have to be anticipated during the case study:
- Are there any other possible interferences?
- Have all the conflicting explanations and possibilities been considered?
- Is the assumed interference correct, even with the other possible interferences?
These questions are anticipated while conducting the case studies. Other possible interferences are
discussed with the interviewee and whether these interferences (z) might have caused y (success of
risk management implementation), instead of x (organizational change method).
External Validity – The external validity refers to the extent to which the findings can be generalized
(Yin, 2003). For a single case study, it is difficult to generalize, because it is limited to one case. A
comparative case study method, with four cases, increases the ability to generalize the results. The
findings in this study are generalized to theory, also called analytical generalization. As defined by
Yin (2003), in analytical generalization, the investigator strives to generalize a particular set of results
to some broader theory.
Reliability – The reliability criterion is enhanced by following a strict and repetitive procedure during
the case studies (Yin, 2003). The procedure for each case study is exactly the same as for all the others.
Using the questionnaire as a guideline enhances the repetitive procedure and guided the case studies
step by step (refer to Appendix 2). All information is verified and documented carefully.
3.3. Measurement
In the literature review, existing theory and literature formed the basis for assumptions and
hypotheses in this research, which resulted in the theoretical framework in figure 5. How the
factors in the theoretical framework are defined and measured in this study is
described below.
Kotter’s eight-phases method – This is the perceived usage of each of the eight phases in Kotter’s
method by the person responsible for implementing the risk management, validated where possible
with the participants from the business. Each of the eight phases is outlined. The interviewee
describes the usage of the eight phases during the implementation. The perceived usages in the
different phases are classified on a 1-5 Likert scale. Appendix 3 shows how the usage is calculated.
Successful risk management implementation – The success of the risk management
implementation concerns overcoming the organizational challenges. First, the person responsible for
implementing the risk management and the participants are asked whether, in general, they perceived the
implementation as a success or not. In order to estimate the implementation success in
quantitative terms, success factors are rated. The success factors are designed to measure the
resolution of the organizational challenges as mentioned in the literature (paragraph 2.2.1.). The
organizational challenges are the lack of a risk based culture, misunderstanding of risk
management and the role of the risk manager, and the lack of a risk management foundation.
Success factors that measure whether these organizational challenges are dissolved are: increased
proactivity (participation grade), as the participants gradually understand the content and the need for,
and acceptance of, risk management; requests for additional information, as with an increased
foundation and understanding they trust the risk manager and want more information to understand the
topic; increased risk and control awareness of the participants due to the increased foundation and
understanding; risk based culture and thinking; and the increased understanding of the need for
risk and control within the organization. The success factors are discussed as follows during the case
study analysis:
- During the implementation has the proactivity amongst the participants increased?
- During or after the implementation did participants request additional information or
risk/control services?
- After the implementation has the risk and control awareness increased in the organization?
- After the implementation has the organizational culture become more risk based?
- After the implementation has the understanding of the need for risk and control
increased?
How the five parameters of success are rated is explained in Appendix 4.
Organization Size – Whether an organization is classified as small, medium or large
depends on the number of employees. A small organization has a maximum of 50 employees; a medium
sized organization has a maximum of 250 employees. An organization with more than 250 employees
is a large organization. The foundation of this moderator is explained in paragraph 2.5.1.
Table 4: Classification organization size
Compliance (external regulation) – Describes whether the project is driven by external laws and
regulations or not. Not performing the project could lead to sanctions or other major consequences
from external institutions. Compliance projects in regard to internal regulation are not taken into
account. For foundation, refer to paragraph 2.5.2.
3.4. Cases
In this section, the sample selection and criteria are discussed. Thereafter the participating
organizations and the representatives are briefly introduced. In the following chapter (4), the case
studies are described more thoroughly.
3.4.1. Sample Selection and criteria
The sample consists of organizations that have implemented enterprise risk management or key
principles in the organization, in order to test the hypotheses. An additional criterion is that the
implementation has been completed.
No distinction is made between industries or types of risk management implementation. Due to
the limited availability of research information on this research topic, the objective of this study is to
gain overall insight into the influence/effect of using an organizational change method in risk
management implementations. A sample size of four case studies is sufficient to gain
insight into this influence/effect.
3.4.2. Participants
The following four case studies have participated in this research:
1. Dutch Transportation Company – Implementation of Risk and Financial Processes Handbook
– 2007
2. Large Insurance Company – Implementation of Key Control Register - 2010
3. Credit Registration Office – Implementation of Organizational Risk Management - 2011
4. Small Insurance Company for a specific professional/occupational group – Risk Management
Analysis – 2010
3.5. An overview
This chapter has outlined that this study is a theory testing research as it is theory oriented and
contributes to the development of theory. Due to cost, available time and capacity, together with the
main question which expresses a probabilistic relation, the case study method is the preferred method
for this research. To enhance the validity and reliability of this research, the triangulation method is
applied, consisting of interviews, observations and collections of secondary data. This chapter has
ended with an overview of the participating organizations. The case studies are further analyzed in
chapter 4.
4. Case studies
The participating organizations were briefly introduced in the previous chapter. In this chapter the
stories and the results from the case studies are outlined per case, following the different phases of
Kotter’s change method. The results of the cases are further outlined in chapters 5 and 6.
4.1. Case 1 – Dutch Transportation Company – Implementation of Risk and Financial
Processes Handbook – 2007
In 2005 the director of a Dutch Transportation Company introduced a risk and financial processes
handbook for all its business units. The financial department was responsible for defining a generic
handbook with standard financial risks and controls. There was no implementation plan. In 2007 the
director realized that most of the business units had not implemented the handbook. Thereafter the
director decided to force the business units to implement the handbook; discussion or
customization was not allowed. Every year the controls in the handbook are tested for effectiveness.
Due to privacy issues and sensitivity of the information, further detailed descriptions are not provided
in this chapter. The different phases and factors are rated by the participant. The results
are shown below:
Table 5: Ratings Case Study 1
4.2. Case 2 – Large Insurance Company - Key Control Register implementation – 2010
In 2010 the new CFO at a large insurance company in The Netherlands requested to implement a key
control register for its business and functional units. This was a response to a number of major
incidents with hundreds of millions of losses in the organization. The analysis of the root cause of the
incidents showed that there were some gaps in communication, silo mindset and lack of transparency
between roles and responsibilities. The Key Control Register is a register with key risks and controls,
which are aligned with the objectives of each business unit and the supporting functional units. The
objective is that the business units will use the key control register as a management tool for their
daily business, increase transparency in roles & responsibilities and to improve the value chain
effectiveness and to change the silo mindset.
Due to privacy issues and sensitivity of the information, further detailed descriptions are not provided
in this chapter. The different phases and factors are rated by the participant. The results
are shown below:
Table 6: Ratings Case Study 2
4.3. Case 3 – Credit Registration Office – Implementation of Organizational Risk Management –
2011
In 2011 a Credit Registration Office in the Netherlands started implementing Organizational Risk
Management (ORM). The management team and Internal Audit perceived that risk management is an
important aspect in order to realize the organization’s objectives, especially in the area in which they
operate (including credit and fraud risks). The implementation of ORM in 2011 started with the
establishment of a risk department. The practitioners for the risk department were selected from the
Internal Audit Department. Practitioners with risk affinity could apply or were invited for the new
function. They received training from an external risk consulting firm. The second step was the
development of a risk and control framework for the three organizational units (Operations, IT and
Staff & Relation Management) by the newly appointed risk managers and external risk consultants.
This case describes the implementation for one organizational unit (Operations), as the project for this
unit has been finished and the others are still in the implementation phase.
Due to privacy issues and sensitivity of the information, further detailed descriptions are not provided
in this chapter. The different phases and factors are rated by the participant. The results
are shown below:
Table 7: Ratings Case Study 3
4.4. Case 4 – Small Insurance Company for a specific professional/occupational group – Risk
Management analysis – 2010
In 2010 a small insurance company (focused on a specific professional/occupational group) was
required to report on their risk management activities towards the central bank of The Netherlands;
DNB (De Nederlandse Bank). Therefore they decided to perform a risk management analysis in order
to identify their risks and control effectiveness. A consulting firm was hired to perform the risk
assessment workshops with the risk manager. The director of the company attended all workshops
and the validation sessions, as he fully supported this initiative.
Due to privacy issues and sensitivity of the information, further detailed descriptions are not provided
in this chapter. The different phases and factors are rated by the participant. The results
are shown below:
Table 8: Ratings Case Study 4
4.5. An overview
In this chapter the four case studies are briefly outlined, whereby the success of the risk
implementation is scored, including the usage of the different phases of Kotter’s change method.
The cases concern different organizations with their own objectives and risk management
implementations. Each case ends with an overview of the ratings, provided by the participant(s).
In the following chapters (5 and 6) the results are further analyzed.
5. Results: Cross Case Analysis
In this chapter, the results of the cases are analyzed and compared with each other. Based on the
comparisons the acceptance of the hypotheses can be tested.
5.1. The effect of the usage of Kotter’s eight phases change method on the success of risk
management implementations.
None of the four cases used or followed Kotter’s method during the risk management
implementation. Therefore the usage level of the model is used, based on the eight phases. The
usage level of Kotter’s change method can get a maximum score of 40 and the maximum of the
success score is 10 (refer to chapter 3 or appendix 3 and 4 for the calculation method). The usage
level of the change method and the success scores are presented in table 9.
Table 9: Overview of the results
From the four cases, case 1 shows a relatively low usage of the change method of Kotter in
comparison to the other three cases (case 2, 3 and 4). It seems that a limited usage of the change
method of Kotter leads to a lower success score, as case 1 shows an explicitly lower success score in
comparison with the other three cases.
In general, the results show that a higher usage of Kotter’s change method does lead to a higher
success rate. These findings support hypothesis 1: The usage of Kotter’s eight phases change
method increases the success of risk management implementations.
5.2. The effect of organization’s size
In the hypotheses, it was assumed that the smaller an organization the weaker the effect change
management method has on the success rate of risk management implementation. The results of the
case studies are presented in table 10.
Table 10: Effect of organization's size
When comparing case 4 (small organization) with case 2 (large organization) and 3 (medium sized
organization), it seems that the small organization had made less use of the change method in
comparison with the large and medium sized organization, while the success rate is higher for the
small organization.
This effect is further supported when comparing case 2 (large organization) with case 3 (medium
sized organization). Case 3 made less use of the change method, but shows a similar success rate,
which implies that a smaller organization requires less usage of the change method in order to be
more successful or to gain the same success level.
To summarize, based on the cross case analysis results, it seems that for a smaller organization, a
lower usage of the change method leads to a higher or similar success score in comparison with a
large organization. Hence, hypothesis 2: The smaller the size of an organization, the weaker the
effect change management method has on the success rate of risk management implementation, is
supported.
5.3. The effect of compliance (external regulation)
In the hypothesis it was assumed that to comply with external regulation in respect to risk
management weakens the effect of change management method as the organization is driven by
compliance and not by the intrinsic will to perform the risk management activities. The results of the
case studies are presented in table 11.
Table 11: Effect of compliance (external regulation)
From the 4 case studies, only 1 case was driven by external regulation, which did not lead to a lower
success rate of the implementation. Hence, hypothesis 3 is not supported: Risk management
activities driven by external regulations weaken the effect of change management method on the
success rate of risk management implementation. Note that this result is relatively weak, since the
number of cases which were compliance driven is limited.
5.4. An overview
In this chapter the results are analyzed and compared with each other, in order to verify the
hypotheses. Based on the results, the following table shows an overview of whether the hypotheses
are supported:
Table 12: Overview of the results of the hypotheses
Based on the stories of the case study in chapter four and the results provided in this chapter, the
following chapter (6) provides insight into ‘how’ and ‘why’ the hypotheses are supported or not.
6. Discussion
Chapter 5 showed the results of the case studies. Why were some hypotheses supported and some
not? In this chapter, the results, outcomes and exceptions are discussed.
6.1. Risk management implementation success
Success is measured by scoring five success factors. In general the results show that a higher
usage of the change method leads to a higher success score. Refer to table 13 and the cross case
analysis in Chapter 5. Case 1 explicitly shows that a very limited usage of the method led to a lower
success score.
Table 13: Overview of the results
Case 3 and 4 show a similar or higher success score with a lower usage level of the change method
than case 2. This was because the risk management implementation projects were shorter and
smaller than in case 2, whereby some phases of the change method were less relevant for case 3 and
4, for example the selection of the guiding team. In case 3 and 4, there was only 1 risk manager
available; hence, there was not much choice, apart from the fact that they selected an external consulting
firm to support them. In case 2, there was a risk management department with approximately 25
people, whereby the project leader could select the appropriate persons to support the project.
Another remarkable difference from the case study stories is the empowerment of action. Case 2 is a
large organization whereby the project team faced several barriers and political issues. Several times
they had to escalate to the board of directors and request them to put pressure on the business units.
They did receive the required support. At other moments, when they could solve the issues
themselves, they did. Therefore the empowerment of action phase is more applicable to case 2. In
case 3 and 4, they also faced barriers, but these could be solved without escalation to the directors.
Communication for buy in was very important for case 3 and 4, as the participants lacked risk
management knowledge. Initially they did not understand the content and the need for the project. It
took the project team a lot of time to convince them, change the approach and train them in respect
to the content. Case 2 also required a lot of communication in order to gain the buy in, but this was
due to political issues and not the content. This is in line with another remarkable point, the success
factor - understanding of the need of risks and controls. The understanding of risks and controls
was already present within the organization of case 2. Therefore it was difficult to rate success factor 5. The
organization is compliant with SOx and many other regulations, whereby the need for having controls
was already there.
6.2. Organization’s Size
As indirectly indicated in paragraph 6.1., some phases of the change management method are less
relevant for smaller organizations, as they have fewer political issues and a relatively small risk
management department. On the other hand, the larger the organization, the more familiar it is
with risk and control aspects. For example the organization of case study 2 is SOx compliant and
reports quarterly on strategic risks. The people in the organization are familiar with risk, controls and
compliance aspects, as they face these daily within their operations. They only struggled to link the
many risk and control initiatives within the organization, which led to some adversity when another
risk management project was introduced. Studies (Pinto and Trailer, 1999) have shown that too many
projects within an organization may be a reflection of the lack of focus, direction and objective of the
organization and often lead to project failures. Combined with the previous experiences of employees
with projects and changes, knowing that the process is not easy, this may lead to resistance within the
organization.
The organizations of case 3 and 4 reacted very adversely in the beginning as they did not understand
the content very well. After some training and a change of approach, their attitude changed
positively during the implementation and they became more involved in the process. Their enthusiasm
and participation grade had increased over time.
6.3. Compliance (external regulation)
From the four cases, only case study 4 was driven by external regulation. During the interviews of
case study 4 it appeared that external regulation had not influenced the impact of the change
management method on the success rate. Management of the organization perceived the risk
management analysis as important and explicitly communicated this towards the organization. The
director in case 4 actively participated in the different sessions/workshops to show the importance of the
project. The participants did not perceive that the project was driven by external regulation; this may
explain why hypothesis 3 is not supported.
6.4. An overview
This chapter has outlined why and how the hypotheses are supported or not. The results have
shown that a higher usage level of the organizational change method of Kotter does lead to a higher
success rate of the risk implementation. The size of the organization showed a moderating effect, as small
organizations made less use of Kotter’s change method, but had a higher or similar success rate
compared to a medium or large-sized organization. The most significant differences are caused by the
shorter project lead times, smaller risk department and fewer political issues for smaller organizations.
Compliance driven risk management implementations did not show any moderating effect, as the
organization did not perceive that the implementation was driven by external regulation.
7. Conclusion
The purpose of this study is to explore the effect of using organizational change method of Kotter on
the success of risk management implementations. Moderators are included in the framework to
understand the side effects of possible surrounding factors. Previous studies in respect to
organizational change methods have shown that it has a positive effect to overcome organizational
challenges (i.e. cultural transformations, mergers & acquisitions, organizational restructuring etc.). In
the field of risk management, there is a lack of attention regarding organizational challenges and the
use of organizational change methods. This study tries to bring these two research fields together.
The scope may be broad with a generic approach, but it still reflects some interesting findings, which
should be taken into account by risk and audit practitioners and future academic research topics. The
following subsections present the main findings of this study, including recommendations for future
research and limitations of this study.
7.1. Main findings and conclusions
Based on theoretical research and practical data, the main question: Does the usage of organizational
change method increase the success of risk management implementations? can be answered. The
results of this study have shown that the usage of Kotter’s organizational change method can
increase the success of a risk management implementation. By rating the usage level of Kotter’s
change method, the results have revealed that a higher usage level of the method in general leads to
a more successful risk management implementation. The metrics of the success factors are designed
to measure the organizational challenges as mentioned in literature.
The usage level of the change management method and its effect on the implementation success is
dependent on the size of the organization. Due to the lack of available research in this field, a generic
moderator is explicitly selected, as it could provide additional information. Some phases of Kotter’s
change method tend to be less relevant for smaller organizations, as they have fewer political issues
and a smaller risk management department. During the case study analyses, it appeared that a large
organization could also imply that it has more experience with risk and control aspects. The
difficulty for this type of organization is to link the different existing risk and control initiatives in the
organization. For small organizations it appeared that the participants had difficulties with the content
and lacked risk and control knowledge. It took additional time to educate and train them. Hillson
(1997) introduced a risk maturity model, whereby he categorizes organizations in different levels of
risk maturity, from unawareness with limited experience to a proactive and highly integrated risk
management culture. Based on these findings, I would recommend that future research take the
organization's risk maturity (Hillson, 1997) and the relative size of the risk department into account as
moderators.
At the beginning of the interviews I asked what the interviewees (implementers) perceived as a
possible obstacle prior to starting the implementation. All of them answered that they expected some
organizational challenges (i.e. how to get everybody involved? how to overcome resistance? etc.).
When asked how they planned to overcome these expected obstacles, most of them (3 out of
4) answered that they planned to convince the participants by content, as then they would understand
why risk management is important. This is in line with a publication of Lee & Shimpi (2005), stating
that risk managers often tend to present themselves as technical experts rather than as
communicators or facilitators.
Several interviewees revealed that, with new insight into Kotter’s change model and in hindsight,
they had missed some crucial activities. One of the crucial activities is the creation of urgency in the
model of Kotter. The urgency is often there at higher management (director) level and not at the
business/operating level (the participants or executors). Risk managers tend to forget to create
urgency on the floor as well. Additionally, the risk managers and external consultants (if relevant)
often tend to report towards higher management about the progress and status of the implementation:
Are we on schedule? What is the status of the deliverables/output? The process seems to be very
goal and output oriented, instead of focusing on the question: What are you actually trying to achieve at
business/operating level?
In this study, the moderator compliance (external regulation) has not shown any remarkable effect on
the relation between using Kotter’s change model and success of the implementation. The case study
revealed that it may be more important to test whether the participants perceive the risk
management implementation as mandatory and without advantages, or whether they see an
advantage/benefit for themselves. This perception can be affected by higher management. For future
research it may be interesting to test the moderating effect of higher management’s perception and of
the participants' perception towards compliance.
This study has shown that the usage of Kotter’s change method can increase the success of the risk
management implementations. Therefore it is recommended for all organizations to use
organizational change methods in risk management implementations. For large organizations the full
usage of the method of Kotter is recommended, as it provides structure to a large and complex
organization to implement risk management throughout the organization. Full usage of the method of
Kotter may be less relevant for smaller organizations, due to the shorter lead time of risk management
projects. The most important phases for small organizations are create urgency (phase 1), get the
vision right (phase 4), communicate for buy in (phase 5) and create short wins (phase 6) within the
organization. Additionally it is important to educate and train the people in risk management topics
during or prior to the process, as often there is a lack of experience and knowledge in risk management
in the business. Without proper risk management knowledge in the organization, the challenge is both
technical (content) and organizational.
To summarize, organizations, consulting firms, risk managers or internal audit practitioners who
operate in the field of risk management should acknowledge that organizational challenges are
crucial and should be carefully considered, whereby a relevant change management method can
provide the necessary support.
7.2. Limitations and future research recommendations
The domain of this study is kept broad, as I tried to find out what the impact of using organizational
change methods in general is on the implementation of risk management. In the sample selection,
factors such as industry, organizational culture and project history were not taken into account. I
chose organizational size as moderator as it implies other aspects as well, for example:
organizational risk maturity, culture and management style. The results of the case study have shown
that interesting aspects for future studies could be an organization’s risk maturity (Hillson, 1997) and the
relative size of the risk department. Additionally I did not make a distinction between type of industry
or organizational cultures. In future studies it may be interesting to zoom into particular industries or
organizational cultures to yield more information on the impact of organizational change method on
risk management implementations.
Four case studies have been analyzed in order to gain insight into the effect of using a change
management method on the success of risk management implementation. Of the four cases, only
one risk management implementation was compliance driven. Three cases are from the
financial industry. Since the results have shown that the usage of a change management method could
increase the success of risk management implementation, there is certainly a need for more
comparative studies to yield more and specific information. For future research I would recommend
using more case studies, involving different industries and drivers, or focusing on a specific industry.
I did not make a distinction between the types of risk management implementation as it is very rare to
have identical risk management implementations. Often the foundation is the same but the approaches
will show differences. For future research it might be interesting to test the impact of organizational
change method on relatively identical risk management implementations.
Case studies have been conducted with a limited number of participants from the organizations, always
with the risk managers (implementers) and selected participants from the business (if available). In future
research, it might be more interesting to conduct a larger study, whereby more participants from the
business should be studied, in order to generate a more balanced overview and increase the
objectivity.
7.3. An overview
This study has shown that organizational change method plays an important role in risk
management implementations; therefore it requires and deserves more attention in managerial
activities and business studies. Internal audit practitioners can also benefit from the results; this is
further explained in the final chapter (8).
8. Implications for Internal Audit
According to a paper by the IIA (2011), organizations are giving risk management more consideration as
the business world is becoming more complex due to new, evolving and emerging risks.
Implementing an effective risk management program takes a lot of time and discipline, whereby
internal audit practitioners can play an important role. On the other hand there are many roles that
internal audit practitioners are not ready to pursue or are not proactive in pursuing. The IIA (2009,
2011) introduced a diagram with the position and roles of internal audit; refer to figure 6.
Figure 6: Internal Auditing's Role in Enterprise Risk Management (IIA, 2009)
The diagram is divided into three groups:
1. Core internal audit roles in regard to ERM (green colored roles) - Assurance
2. Legitimate internal audit roles with safeguards (yellow colored roles) - Advising/Consulting
3. Roles internal auditing should not undertake (red colored roles)
As described in paragraph 2.7, the relevance of this research in respect to internal audit practitioners
is two-fold, namely for the internal audit practitioners who provide independent assurance and assess
risk management activities (the green colored activities in figure 6) and for internal
audit practitioners with a consulting/advising role in risk management (the yellow colored activities in
figure 6).
In the following subsections the results and findings of this research are discussed in respect to the
first two groups in the diagram (figure 6), as the last group consists of roles that internal audit should not
undertake. Hence, no more attention is required for this group.
8.1. Assurance Role - Core internal audit roles in regard to ERM
The roles of internal audit practitioners in regard to ERM include giving assurance on the risk
management process and that the risks are correctly evaluated and reported. The results of my study
have shown that using an organizational change method to implement risk management could
increase the participants' understanding of, and perceived need for, risks and controls and lead to a
more risk based culture. These are important aspects in order to increase the effectiveness of the
organization’s risk management.
Based on the results and findings it seems that internal audit should not only focus on the technical
part of risk management implementations, but also the organizational part. Here lies an opportunity
for internal audit to focus on how the risk management approach is set up and implemented by the
organization.
Driessen & Molenkamp (2008) state that the critical mentality of internal audit practitioners can lead to
relevant feedback regarding the approach and the process of risk management. In their assurance
activities, internal audit practitioners should include an assessment of whether the risk management
implementation makes use of an organizational change method or some of its aspects. The
assessment of the use of an organizational change method is especially important for large
organizations, as the results of this study have shown that large organizations tend to benefit more
from using an organizational change method, due to the complexity of the organization and political
issues. Additionally the internal audit practitioner can also assess whether the organizational aspects
are considered in the risk management approach (i.e. stimulate the understanding within the
organization in respect to risk and controls; stimulate a risk based culture etc.).
When risk management is executed as a mandatory and formal procedure without initiatives to
change or overcome the resistance or misunderstanding in the organization, and there is a lack of a
risk based culture and risk understanding, how assured can internal audit be that the correct key risks
are identified and reported by the business? How well can internal audit use the risks identified by
the business in its internal audit plan? How valid is the work that internal audit performs based on the
risks identified by an organization that does not understand risk management and its added value?
Hence, internal audit practitioners who only perform an assurance/audit role in respect to risk
management should assess and evaluate how risk management practitioners or the business
have used elements of organizational change methods to be effective in risk management throughout
the organization.
8.2. Advising/consulting Role - Legitimate internal audit roles with safeguards
The roles in this group represent consulting services that may improve the organization’s governance,
risk management and control processes (IIA, 2009). During risk management implementations
organizational challenges can be major obstacles. A regular risk management implementation
includes facilitation, coaching and coordinating risk management activities. These are activities which
can be carried out by internal audit practitioners. Hence, for internal audit practitioners it is also crucial
to understand how they can overcome any organizational obstacles. After all, how are they able to
facilitate the identification and evaluation of risks or coach the management in responding to risks,
when the participants are not willing to cooperate and do not understand why risk management is
crucial and necessary?
This study has shown that the use of Kotter’s change method can increase the success of the
implementation. Hence, for advising/consulting internal audit practitioners it is useful to gain deeper
understanding on how they can use relevant organizational change methods (or some key elements
of them) to increase the effectiveness of their selected risk management activities. This is especially
relevant for large organizations as the positive effect of using an organizational change method is
stronger. For smaller organizations, internal audit practitioners should make sure that during their
advising/consulting role in the implementation, sufficient urgency and buy-in are created amongst the
participants; a strong vision is available and communicated; and short win(s) are enabled to stimulate the
participants.
Additionally, the results have shown that for small organizations the unwillingness or
misunderstanding in respect to risk management could be a result of a lack of knowledge and risk
foundation. Hence, the task here for advising/consulting internal audit practitioners is to make sure
that they communicate and educate the organization sufficiently regarding risk and control topics.
Large-sized organizations on the other hand may have seen too many different risk and control
projects and initiatives within the organization, leading to confusion. The task here for
advising/consulting internal audit practitioners is to explain the cohesion between the different
initiatives.
8.3. An overview
This chapter has outlined the implications of this research for internal audit practitioners. Note that
internal audit is not responsible for the execution of risk management activities (Driessen &
Molenkamp, 2008); these are the last, red colored roles in figure 6. Based on the results of this research,
internal audit should understand that the usage of organizational change methods could increase the
success of risk management throughout an organization. Hence, they do have a critical and
challenging role regarding the selected risk management approach and process in an organization,
for the assurance role they carry out. For advising/consulting internal audit practitioners, the use of
an organizational change method can support them in overcoming possible organizational challenges.
9. Literature
Assen, A. van, Berg, G. van den, Pietersma, P. (2009), Key Management Models – the 60+ models every manager needs to know, Harlow UK, Prentice Hall
Ashkanasy, N.M., Kavanagh, M.H. (2006), The Impact of Leadership and Change Management Strategy on Organizational Culture and Individual Acceptance of Change during a Merger, British Journal of Management, Vol. 17, Issue 1, pp. 81–103
Bijlsma-Frankema, K. (2001), On managing cultural integration and cultural change processes in mergers and acquisitions, Journal of European Industrial Training, Vol. 25, Issue 2/3/4, pp. 192–207
Blokdijk, G. (2008), Change Management 100 Success Secrets, Gerard Blokdijk copyright e-reader
Brehm, J., Hamilton J.T. (1996), Noncompliance in Environmental Reporting: Are Violators Ignorant, or Evasive, of the Law?, American Journal of Political Science, Vol. 40, No. 2, pp. 444-477
Brickley, J. A., Smith, C. W., & Zimmerman, J. L. (2001), Managerial Economics and Organizational Architecture, second edition, Boston, McGraw-Hill
Bruinsma, C. (2009), Tone at the Top is Vital – A Delphi study, ISACA Journal, Vol. 3
Caluwe, L. de, Vermaak, H. (2004), Change Paradigms: An Overview, Organization Development Journal, Vol. 22, No. 4
Caluwe, L. de (2006), Leren veranderen, een handboek voor de veranderkundige, second edition, Kluwer
Cendrowski, H, Mair, W.C. (2009), Enterprise Risk Management and COSO – A guide for directors, executives and practitioners, John Wiley & Sons inc., New Jersey
Claassen, U. (2010), In 6 stappen naar COSO ‘nieuwe stijl’, Controllers Magazine, pp. 24-27
COSO (2004), Enterprise Risk Management — Integrated Framework, Executive Summary, the Committee of Sponsoring Organizations of the Treadway Commission
COSO (2003), http://www.coso.org/IC-IntegratedFramework-summary.htm
Driessen A.J.G., Molenkamp A. (2008), Internal auditing, Een managementkundige benadering, 4th edition, Kluwer, Deventer
Dul, J., Hak, T. (2007), Case Study Methodology in Business Research, Pre-published manuscript, Erasmus University Rotterdam
Ellram, L. (1996), "The use of the case study method in logistics research", Journal of Business Logistics, Vol. 17:8, pp. 93-138
Etienne, J. (2011), Compliance Theory: A Goal Framing Approach, Law & Policy, Vol. 33, No. 3
Ghauri P., Grønhaug K. (2005), Research methods in Business studies, A practical Guide, Third edition, Edinburgh Gate Harlow, Pearson Education
Havenman, H.A. (1993), Organizational Size and Change: Diversification in the Savings and Loan Industry after Deregulation, Administrative Science Quarterly, Vol. 38, No. 1, pp. 20-50
Hampton, J.J. (2009), Fundamentals of enterprise risk management – how top companies assess risk, manage exposures, and seize opportunities, New York, AMACOM American Management Association
Hillson, D.A. (1997), Towards a Risk Maturity Model, The international Journal of Project & Business Risk Management, Vol. 1, No. 1, pp. 35-45
IIA (2009), Internal Auditing: Assurance & Consulting Services, Second Edition, The Institute of Internal Auditors Research Foundation
IIA (2011), Internal Auditing’s Role in Risk Management, The IIARF White Paper, The Institute of Internal Auditors Research Foundation
Kotter, J.P., Cohen, D.S. (2002), The Heart of Change, Real Life Stories of How People Change Their Organizations, Boston, Harvard Business School Publishing
Lam, J (2003), Enterprise Risk Management – From Incentives to Controls, New Jersey, John Wiley & Sons inc.
Lee, C., Shimpi, P. (2005), The Chief Risk Officer: What Does It look Like and How Do You Get There?, Risk Management, http://www.rmmag.com/Magazine/PrintTemplate.cfm?AID=2855
Merchant, K.A., Van der Stede, W.A. (2007), Management Control Systems – performance measurement, evaluation and incentives, second edition, Pearson Education Limited
Negus, J. (2010), 10 Common ERM Challenges, Risk Management, Vol. 57, Issue 3, March 01, 2010
Pinto J.K., Trailer, J.W. (1999), Essentials of Project control, Pennsylvania, Project management institute Publishing
Ritterberg, L.E., Martens, F., Landes, C.E. (2007), Internal Control Guidance – Not just a small matter, Journal of Accountancy, 203-3
Thacher, D. (2006), The normative case study, The American Journal of Sociology, Vol. 111:6, pp. 1631-1676
Yin, R.K. (1981), The Case Study Crisis: Some Answers, Administrative Science Quarterly, Vol. 26:1, pp. 58-65
Yin, Robert K. (2003), Case study research, design, and methods, Third edition, Thousand Oaks, Sage Publications
Appendix 1 – Method of Kotter
Below an overview is provided per phase with some ideas and guidance on how to use the method of
Kotter (2002).
Phase 1 – Create urgency
Phase 2 – Build the guiding team
Phase 3 – Get the vision right
Phase 4 – Communicate for buy in
Phase 5 – Empower action
Phase 6 – Create short term wins
Phase 7 – Don’t let up
Phase 8 – Make change stick
Appendix 2 – Guideline and list of questions
The following list contains the questions that were used during the case study interviews:
1. Name of the organization
2. Size of the organization
3. Number of projects in the organization in the previous 3 years
4. When did the case occur?
5. What risk management project does it regard?
6. Explain more about the risk management project
7. Who was the initiator of the project?
8. Who was responsible for the execution of the project?
9. Were there external parties (i.e. consultants) involved?
10. What was perceived as the major challenge(s) prior to the implementation?
11. Did you create urgency amongst the participants? How? (give examples)
12. Define the usage level in phase 1 – Create urgency
13. Did you use a guiding team during the implementation? How? (give examples)
14. Define the usage level in phase 2 – Building the guiding team
15. Did the guiding team create the vision? How? (give examples)
16. Define the usage level in phase 3 – Get the Vision right
17. Did you communicate the vision and strategy to the participants? How? (give examples)
18. Define the usage level in phase 4 – Communicate for buy-in
19. How did you solve obstacles during the implementation? (give examples)
20. Define the usage level in phase 5 – Empower action
21. Did you create short wins during the implementation? How? (give examples)
22. Define the usage level in phase 6 – Create short term wins
23. What did you do after the new wins? (give examples)
24. Define the usage level in phase 7 – Don’t let up
25. Did you make additional changes at the end of the implementation? What and how? (give examples)
26. Define the usage level in phase 8 – Make change stick
27. Did you perceive the implementation as a success? Why?
28. Did the pro-activity amongst the participants increase during the implementation? How? (give examples)
29. Did participants ask for additional information or risk/control services after or during the implementation? How? (give examples)
30. Did the risk and control awareness increase in the organization after implementation? How?
(give examples)
31. Did the organizational culture become more risk based after the implementation? How? (give
examples)
32. Did the understanding towards the need of risk and control increase after the implementation?
How? (give examples)
33. What was perceived as the major challenge(s) after the implementation?
Appendix 3 – Usage of the eight-phases method of Kotter
During the case study the interviewees gave each of the 8 phases a score, in respect to the perceived
usage of it during implementation. The Likert-scale method with 5 scores has been used. The
interviewees had to score the eight phases with: 1 = very limited; 2 = limited; 3 = average; 4 =
extensive; and 5 = very extensive. No usage is ranked 0.
The total of the scores represents a certain level of usage of the Kotter model, whereby a maximum of
40 points can be obtained (maximum usage).
An illustrative example:
Phase 1 – Create urgency = 5
Phase 2 – Build the guiding team = 0
Phase 3 – Get the vision right = 1
Phase 4 – Communicate for buy in = 3
Phase 5 – Empower action = 2
Phase 6 – Create short term wins = 4
Phase 7 – Don’t let up = 0
Phase 8 – Make change stick = 2
---------------------------------------------
Usage level = 17 (out of 40)
Appendix 4 – Success scores
Five factors have been formed to identify the level of success of overcoming the organizational
challenges. Each factor can get a grade of 0, 1 or 2, with a total of maximum 10 points.
During the implementation has the proactivity amongst the participants increased?
0 (no), 1 (maybe), 2 (yes)
During or after the implementation did participants request additional information or risk/control
services?
0 (no), 1 (partly), 2 (yes)
After the implementation has the risk and control awareness increased in the organization?
0 (no), 1 (maybe), 2 (yes)
After the implementation has the organizational culture become more risk based?
0 (no), 1 (partly), 2 (yes)
After the implementation has the understanding towards the need of risk and control been increased?
0 (no), 1 (partly), 2 (yes)