COSO ENTERPRISE RISK MANAGEMENT: SMALL-MEDIUM ENTERPRISES EVIDENCE

Yap Kiew Heong, Angeline1* and Yap Saw Teng2
1Faculty of Business, Economics & Accounting, HELP University, Malaysia
E-mail: angeline.yap@help.edu.my
2Faculty of Applied Sciences and Computing, Tunku Abdul Rahman University College, Malaysia
E-mail: yapst@acd.tarc.edu.my

ABSTRACT

The implementation of Enterprise Risk Management (ERM) is vital for all types of organisation including the small and medium enterprises (SMEs). Thus, the objective of this study was to examine perception of the ERM framework among SMEs in Malaysia, and to analyse its effect on sales performance. ERM is becoming an issue of high concern among organisations. This is because it is hailed as one of the most important frameworks to provide a clear direction and guidance in managing the risks of enterprises, so that the organisation is able to minimise risk and losses. In this study, a survey of one hundred and fifty-two (152) SMEs was conducted and the data was analysed using regression analysis. This study found that SMEs focus heavily on the “control environment” and “risk appetite” components. These two (2) components were ranked as the top ERM framework by SMEs in Malaysia. The regression result suggests that “assessing risk management”, “control activities”, “information and communication” and “monitoring” components proved to have a significant effect on sales. This paper further contributes to knowledge development on ERM framework and the influences of its components on sales performance from a dynamic capability perspective of SMEs. SMEs should primarily consider the influence of dynamic capabilities and changing resources in their organisations when practising ERM for its survival.

Keywords: COSO, enterprise risk management, small-medium enterprise, Malaysia

ARTICLE INFO
Article History:
Received: 14 January 2018
Accepted: 3 April 2018
Published: 31 August 2018

Asia-Pacific Management Accounting Journal, Volume 13 Issue 2

INTRODUCTION

The word “risk” becomes derogatory, especially during an economic turndown and the undertaking of calculated risks in a competitive environment, which distinguishes winners from losers (Ahmad, Halim & Zainal, 2010). Enterprise risk management (ERM) is a method which affects anyone in any rank of an organisation, pertaining to strategy setting. It helps to recognise possible events affecting the organisation, such as to manage risk within its risk appetite and to give a realistic reassurance concerning the achievement related to the organisation’s goal. According to the 2004 Committee of Sponsoring Organizations (COSO), the ERM framework has become an issue of high concern among organisations, as it provides a clear direction and guidance in managing enterprise risk so that companies can minimise risk and losses (COSO, 2004). ERM is defined as a strategical process set by a company’s board of directors by identifying the potential risks, and managing the company within its risk appetite that may affect its profit. If potential negative events exist, organisations should place it as a high priority as it would affect the ERM in examining these risks (COSO, 2004). ERM proposes organisational integrated risk management with alignment to strategy and corporate governance (Bromiley, McShane, Nair and Rustambekov, 2015). The implementation of ERM would ensure the effective reporting of the situation and pre-empt damages to the organisation’s reputation. Thus, it ensures the board of directors’ benefits and reputation can be retained. ERM is categorised into four groups: strategic, operations, reporting, and compliance (COSO, 2004). This systematic strategy setting enables the company to minimise losses of capital and resources. Thus, ERM enables the organisation to deal with uncertainties and in a way helps to optimise the effectiveness of the organisation in risk management.

Small and medium-sized enterprises (SMEs) play an important role in Malaysia’s economy as they increased from 97.3% in year 2011 to 98.5% of total establishments, contributing over 65.3% of employment opportunities in 2016 (SME Annual Report 2016/2017). Despite a weak external environment, Malaysian SMEs contributed 36.6% to the national Gross Domestic Product (GDP) and 18.6% to the country’s export (SME Annual Report 2016/2017). The SMEs were less affected than the overall business environment because of the proactive measures taken by the government. This includes, among others:

1. Bank Negara Malaysia offering a RM500 million Special Relief Facility to finance SMEs in order to increase private investment (Lee, 2015),
2. SMEs also received RM5 billion from the Services Sector Guarantee Scheme with a 70% government guarantee for a maximum funding of RM5 million (MIDA, 2017),
3. Malaysian government also introduced SME-Go via SME Bank, an export programme initiative for SMEs to intensify exports and encourage local purchases of goods and services (Lee, 2015),
4. Government agencies and GLCs allocated 30% of the procurement for the purchase of goods and services from local SMEs producers, and they are encouraged to invest locally (MIDA, 2017),
5. Government approved 125 projects for integrated assistance under the High Impact Programmes (HIPs) – Technology Commercialisation Platform in 2016,
6. Bursa Malaysia launched the Leading Entrepreneur Accelerator Platform (LEAP) Market for SMEs to raise capital in 2017, and
7. The SMEs were targeted to grow in the range of 5.5% to 6% in line with the national growth of more than 4.8% (SME Annual Report 2016/2017).

Meanwhile, the Malaysian Code of Corporate Governance (MCCG) (2017) stated that corporate governance, risk and controls (GRC) should be implemented by companies. This is used as a guide to direct and manage companies in order to enhance the effectiveness and long term business profitability (Mahzan & Chia, 2013). It plays an important role, as it could impact overall corporate performance and efficiency of asset usage. MCCG also encourages proper implementation of risk management and internal control by the board of directors (BOD) to ensure the company’s goals can be achieved (Mahzan & Chia, 2013). Better risk management and internal control could lead to better board decisions and ensure the company’s generation of higher profit.

However, some Malaysian SMEs failed to adopt the system of corporate governance due to poor awareness of its benefits towards corporate performance (Mahzan & Chia, 2013). Besides, SMEs will incur higher costs if they decide to implement corporate governance. The inclusion of higher cost to set up the system could be a heavy burden to SMEs (Falkner & Hiebl, 2015); however, its implementation could bring long term benefits that may offset the costs.

In addition, participation of all parties is likely to make the framework more successful, especially the regulators and BOD of SMEs (Falkner & Hiebl, 2015). Moreover, proper and clearer guidance could provide insights to SMEs on issues related to corporate governance and risk management (Falkner & Hiebl, 2015). The regulators should be responsible in creating better awareness on the benefits of risk management (Falkner & Hiebl, 2015). Currently, Malaysia SMEs’ awareness on risk management is very limited. Therefore, immediate participation of all parties is necessary for the success on implementing better risk governance. Hence, the objective of this paper is to (1) examine the perception of the ERM framework by Malaysian SMEs, and (2) evaluate whether various COSO ERM components increase firm performance. This paper is presented as follows: the next section presents the theoretical perspectives, followed by a literature review and hypothesis development. The subsequent section presents the methodology; findings and conclusions are discussed in the last two sections of this paper.

THEORETICAL PERSPECTIVE

From a resource-based perspective, risk management provides a framework to set priorities in a complex business environment, because all organisations are subjected to an unlimited amount of potential risks. Management is not able to deal with all these risks, as they need to have the tools to identify and focus on potential threats that would have the greatest impact on the survival of their organisations. Bogodistov and Wohlgemuth (2017) propose that organisations should invest into the avoidance, mitigation or transfer of valuable (V), rare (R), inimitable (I) and non-substitutable (N) resources related risks. According to Barney (1991), a procedure, a capability and a competence can be a resource to any organisation. The core competences that meet the VRIN criteria become potential risks with the highest impact, because they are the main source of expected revenue for the survival of the organisation. Hence, risks associated to the core competences should be dealt with first; if possible, they should be avoided completely or reduced to a minimum level. Risk management capability allows an organisation to create value through elimination and mitigation of internal and external events that threaten its survival.

Barley (1995) suggests that environmental analysis alone is not adequate to build organisational competitive advantage; firms need to identify VRIO resources and capabilities to exploit opportunities and/or neutralise threats. VRIO refers to Valuable, Rare, not Imitable by competitors and to be able to Organise to maintain competitive advantage. In today’s stormy environment, VRIO is essential to sustain competitive advantage and to develop strategies through innovation to achieve superior performance (Aghazadeh, 2015). Roxas and Chadee (2011) found resource-constrained firms in Philippines deployed their entrepreneurial tactics to exploit the relational capital in gaining export knowledge to reap superior performance. The result suggests that small firms are capable of proactive, innovative and risk taking endeavours, those conventionally resource-intensive activities, despite facing serious shortage of resources. Hence, this resource-based view proves that organisations can achieve and sustain their competitive advantage if they possess and mobilise tangible and intangible resources that are VRIO to improve organisational performance.

Business leaders claim that we now live in a VUCA world (Bennett & Lemoine, 2014). The components refer to the environment in terms of Volatility, Uncertainty, Complexity and Ambiguity (Kail, 2010). Strategic planning is considered to be a futile effort, unless they can differentiate conditions that are volatile, uncertain, complex and ambiguous, while allocating scarce resources to improve and maintain organisational performance during challenging situations. Strategy and planning require organisations to make predictions and prepare for future challenges and opportunities. Organisations need to adopt a more adaptive strategic planning approach that is less hierarchical, more agile and more sensitive to market changes (Satell, 2014; Martin, 2014).

According to Helfat, Finkelstein, Mitchell, Peteraf, Singh, Teece and Winter (2001), dynamic capability is the ability of an organisation to intentionally build, expand and change its resource base. Organisations should focus on dynamism of environmental uncertainty, and allocate necessary resources and capabilities to handle changes related to valuable, rare and imitable resources. The above dynamic capability perspectives support ERM as the tool to predict unforeseen events and help organisations to recover from risky events (Bogodistov and Wohlgemuth, 2017). This perspective suggests that organisations need to take a necessary course of action when they encounter unforeseen events; it emphasises that organisations should have routines and processes in order to recover from these events effectively. The risk management capability focusses on the process such as assessment of valuable, rare and not imitable-related risks at the strategic level and risk management process at the operational level. The management identifies the valuable rare and not imitable-resources to set priorities for risk management at the operational level, whereby they address the high priority risks first, only then manage the low priority risks. In addition, Krause and Tse (2016) propose risk management practices as a useful and valuable creation tool. The usage of risk management tools increases the firm’s performance and lowers the cost of capital which results in higher firm values. Jing, Hua and Zhao (2014) found that firms that implemented ERM reported a higher profit and experienced lesser stock price volatility.

LITERATURE REVIEW AND HYPOTHESIS DEVELOPMENT

Agency relationship involves the delegation of decision-making from a principal to an agent. Agents tend to use information to transfer wealth to themselves from others in the presence of informational asymmetries. Therefore, corporate governance and risk management must be in place to ensure that companies are governed to reduce the abuse of financial resources and risk of business failure (Ansong, 2013). However, in the context of SMEs, they may not be motivated to implement the risk management concept since there rarely is separation between ownership and management.

Malaysian SMEs rarely implement a fully functional risk management (RM) system with identification, evaluation, treatment and monitoring. Abu Bakar and Ahmad (2010) stressed that this is the reason why many Malaysian SMEs collapse within the first five years of their operations, as the owner does his own risk assessment. Malaysian entrepreneurs have limited experience to draw a systematic risk management framework, as they do not have sufficient expertise on risk management systems which enable them to evaluate all components of ERM in their organisation (Salikin, Ab Wahab & Muhammad, 2014). A mandate from top management on the implementation of risk management is necessary for organisations to reach their goal in addition to establishing a risk management team (Fadun, 2013).

However, Hudin and Hamid (2014) stated that Malaysian SMEs that have the resources to be audited by the Big Four accounting firms are inclined towards adapting and implementing ERM practices in their organisation. This is because the external auditors may pressure SMEs to adopt the ERM framework in order to maintain their firm’s reputation. SMEs need to understand the ERM process can increase the effectiveness of risk management activities, which will ultimately increase stakeholders’ value (Fadun, 2013). The implementation cost of governance, risk and control (GRC) system exceeds its benefits when non-executive directors are appointed and internal audit departments are established (Altman, Sabato and Wilson, 2009). Mahzan and Chia (2013) also found that many owners and managers are ignorant of the GRC system in mitigating risks.

From a critical point of view, a German scholar, Ann-Kathrin (2009) established that those organisations that do not implement risk management practices will be taken by surprise as they rely on insurance to overcome circumstances. Many SMEs practise instinctive risk management in their organisation as they do not realise how ERM can actually be an early wake up call for a crisis (Hudin & Hamid, 2014). Owners will only fully implement ERM when they realise the potential of ERM in making their organisation more competitive in changing circumstances and increase long term profit. Although it is rare to see SMEs adopt a proper ERM system, majority of scholars agree that SMEs do actually benefit from it. They will have a more risk friendly and sustainable future in the long run as ERM is supposed to be a continuous process (Kaur, 2010).

COSO ERM (2004 & 2013) framework consists of six (6) main components; namely risk appetite, control environment, assessing risk management, control activities, information and communication and monitoring that link to its objectives.

Risk Appetite

An organisation has to consider its risk appetite while deciding on which goals to pursue or operational tactics to employ (Rittenberg & Martens, 2012). Risk appetite is the level of risk that can be accepted by an organisation in pursuit of its value. It will guide the management to set business goals and make decisions to achieve their goals and sustain their operation. The company decision maker must understand how much risk is acceptable for their business and should consider ways of accomplishing their business objectives, at both organisational and individual operations levels (Epetimehin, 2016). Companies that are risk averse tend to be more conservative when setting their goals; they will choose to avoid risky opportunities even if it may generate higher profits. In contrast, companies with a high risk appetite will decide to invest in a higher reward investment although it is risky (Rittenberg & Martens, 2012). Therefore, when the company considers a strategy, they should identify whether the strategy is aligned with company’s risk appetite.

According to Gorzen-Mitza (2015), although SMEs’ financial position is weak in comparison to larger entities, the owners’ risk appetite still remains high. Somehow, the probability of getting a credit offer is higher for the SME companies which have a stronger financial position than those with a weak financial position. In addition, SMEs with higher collaterals are also more likely to get a loan compared to companies with limited collaterals.

The core of risk assessment is the appraised chance of occurrence and estimated amount of possible loss and risk appetite that directly affects company’s profit (COSO, 2013). Thus, the researchers hypothesise:

H1: Risk appetite is positively related to sales performance

Control Environment

An organisation is set by the control environment which influences the control consciousness of the work staff within the organisation. It is also a foundation which provides structure and discipline to an organisation’s control system. The factors of the control environment include code of conduct, competence of the people, operating style, management’s culture and integrity that organise and develop the people within an organisation; as well as attention and direction provided by the business owner or board of directors (Nelson & Ambrosini, 2007). Moreover, control environment reflects the policies and attitude of the organisation in respect to the importance of internal controls in profit generation. According to Tseng’s (2007) research, poor internal control would have the possibility to ruin the organisation’s value. Weak internal control is related to higher information vagueness and consequently higher organisational cost of capital, thus reducing the expected future earnings.

Control environment reflects the policies and attitudes of the organisation in relation to the importance of internal controls for profit generation. Lundqvist (2014) found that the control environment is value creating and the organisation should focus on their efforts in this area. Therefore,

H2: Control environment is positively related to sales performance

Assessing Risk Management

Assessing risk management can be considered as the heart of the ERM framework. It helps the SME in identifying significant risks, such as reputational and strategic risk to optimise the trade-off between risk and return, in order to strengthen the organisation in carrying out its strategic plan (Falkner & Hiebl, 2015). This is because failure in recognising risks can lead to disastrous consequences, ranging from loss of customers to environmental damages or even bankruptcy. A clear definition and communication about an integrated approach in risk management process helps SMEs to increase effectiveness at all organisational levels (Gorzen-Mitza, 2015). Assessing risk management is basically determining how risk should be managed in business. It is able to help management to make better strategic decisions and this would increase business profitability. This happens because they have a better understanding and overall view of risks involved in every project or decisions made in business. This will help them plan better to minimise risks therefore leading to higher profits (Oracle, 2009). Compared to the large enterprises, SMEs made smaller profits and hence they do not have access to a wide resource base. SMEs also have a low equity ratio and therefore they are usually more vulnerable to external events. This illustrates that the survival of SMEs is easily threatened because they face various risks with smaller resources. According to Falkner and Hiebl (2015), many SMEs do not apply risk management practices due to this constraint.

ERM is becoming an important part of organisational strategic planning to achieve a competitive advantage (Krause & Tse, 2016). To achieve a sustainable competitive advantage, the capability-based perspective strongly advocates that organisation should possess valuable rare inimitable and non-substitutable resources (Bogodistov & Wohlgemuth, 2017). These criteria are one of the most important pillars for holistic risk management. Hence, the next hypothesis is:

H3: Risk management assessment is positively related to sales performance

Control Activities

Control activities in the ERM framework include operating policies and procedures to ensure management directives are being carried out (ACCA, 2015). At the same time, necessary actions are being taken to address risks in achieving business objectives. Control activities occur throughout the whole organisation at all levels and in all functions. They include segregation of duties, verifications, review of operating performance etc. A failure of control may be due to human non-compliance when they do not take control seriously or over-ride the controls (ACCA, 2015). Nothing can hinder an organisation to achieve their main and long term goal as long as the company’s existing risk is being controlled and well-managed. Somehow, the risk management function of SMEs is usually at the owner’s prerogative and is influenced by owner’s risk perception and their attitude towards risk management (Yusuf & Dansu, 2013).

Drew and Kendrick (2005) argued that control activities practised by a holding company can add value to subsidiaries, while managing existing core competencies to become a source of competitive advantage. Mikes (2009) suggests that control activity and system adopters have profit maximising incentives to reduce risks. These core business risks reduction would become a potential source for expected incomes to the organisation (Spikin, 2013). Therefore, the researchers hypothesise:

H4: Control activity is positively related to sales performance

Information and Communication

Information and communication is another component of the ERM framework. It is stated that information and data must be distinguished, captured and communicated in a timeframe and format. This is to enable people in the entity to carry out their responsibilities. The information must be relevant, appropriate and cover all the objectives shown on the top of the cube (ACCA, 2015). All the information, both internal control systems and external events, must be communicated to all the staff so that they understand their roles and how it relates to each other’s work. Besides, relevant information needs to be communicated to external parties, such as regulators, suppliers, customers and shareholders. An effective communication is able to strengthen internal environment of the entity (COSO, 2013). According to Hannah (2013), all relevant information needs to be captured, identified and communicated in a method and time-frame that allows people to carry out their financial reporting accountabilities for internal control. Organisations should accept information systems and internal control created in financial, operational and compliance-linked material reports for running and controlling the business.

At all levels of the organisation, effective communication should happen in a wide-ranging sense of information flowing up, across and down (Hannah, 2013). This is because information and communication is one of the components which influences working relationship within the organisations. Therefore, information needs to be communicated through the whole organisation, so that the concerned personnel can perform their duties according to the expected outcome to achieve objectives. However, implementation of ERM is very challenging, and a tremendous effort is required to communicate the implementation using a top-down approach throughout all hierarchical levels to achieve higher firm performance (Bogodistov & Wohlgemuth, 2017). Thus, the next hypothesis is:

H5: COSO ERM Information and communication component is positively related to sales performance

Monitoring

Monitoring is a process that has been developing since the initial guidance of COSO (ACCA, 2015). This principle states that unmonitored controls have the tendency to deteriorate over time. The regulation echoes the Turnbull regulation which draws a division between separate evaluation and on-going-monitoring. Nonetheless, there are weaknesses being identified and reported, evaluated and corrected to their respective root causes as the guidance stressed the importance of action and feedback. Internal audit departments and audit committees are main players for separate evaluation (ACCA, 2015). If any internal control deficiencies occur or signal that falls outside of the acceptable risk level, it should be reported upstream to top management and the board of directors to carry out appropriate remedial action plan so that the risk levels are maintained within the established risk levels. Although the ERM framework has provided a base for organisation to manage risks more effectively, the organisation should be aware of shortcomings of risk management, and that the risk process may fail without immediate action taken when the need arises.

The risk management cycle includes many important steps of working with risks. As the starting point, organisations need to add strategic objectives, and also risk and opportunities to this risk cycle. The detailed cycle includes a short description of assigning likelihood, impact and detection values. Organisation should follow the whole monitoring cycle and process to work with risks. From a resource-based view, core competencies that meet valuable rare inimitable and non-substitutable resources criteria represent the area of potential risks that have the highest impact on an organisation. These core business risks would become a potential source of expected return and incomes to the organisation. The next hypothesis is:

H6: COSO ERM monitoring process is positively related to sales performance

From the review above it was found that most SMEs are family run businesses and the reason for not implementing ERM is because they have limited resources to hire external professionals to assist them in risk management implementation. Hence, they suffer from lack of knowledge and skills to run an efficient business. A separate governing body for SMEs should be established to provide relevant information to the owners and managers to run the business. SMEs owners and managers also do not have the extra resources to hire a board of directors, hence the duty to mitigate risk falls in their hands. As the result, they need to mitigate risk after proper evaluation of their issues and circumstances with external help.

RESEARCH METHOD

Survey research helps researchers to generate systematic evaluation of risk conceptions by managers (Bromiley et al., 2015). This paper collected data using questionnaires distributed to small-medium enterprises in Malaysia. Enterprises are classified as Small Medium Enterprises (SMEs) if they meet one of the criteria set (SME Corp., 2013). Enterprises in the manufacturing sector were classified as SMEs if the turnover did not exceed RM50 million or if there were less than 200 full-time employees. Enterprises in the service and other sectors were classified as SME if the turnover did not exceed RM20 million or if there were less than 75 full-time employees.

The use of fieldwork assistants for a survey study is a commonly used and most effective method of conducting research in developing economies (Roxas & Chadee, 2011). The research team consisted of nineteen (19) fieldwork assistants who were final year accounting and finance students and assisted the researchers to distribute questionnaires to randomly selected small firms. The use of fieldwork assistants to personally distribute and collect the questionnaires to and from respondents tends to receive a higher response rate (Roxas & Chadee, 2011). They received responses from one hundred and sixty-one (161) SMEs. However, data cleaning procedures reduced the sample size to one hundred and fifty-two (152) SMEs after removal of questionnaires that were considered useless. The researchers monitored the research team closely during the data collection process through direct and extensive consultation with them. The period of this study covered 1st February to 7th May 2016.

The questionnaire is divided into two sections, A and B. In section A there are six parts of questions adapted from COSO ERM (2004 & 2013). The first part contains statements related to risk appetite; followed by the control environment, then assessing the risk management framework, control activities, information and communication and lastly monitoring. This section asked the respondents to rate 62 ERM statements using a five (5) point Likert scale (1 disagree strongly, 2 disagree somewhat, 3 neutral, 4 agree somewhat an
