“Enterprise risk management and company ethics: The case of a short-term insurer in South Africa”

The aim of this study was to investigate the relationship between enterprise risk management (ERM) and company ethics, so as to understand the central role of risk management in improving company ethics. A 5-point Likert scale questionnaire was used to survey all 122 employees of an insurance organization. The level of ethics was measured by posing questions on the integrity, trustworthiness, and level of respect for top management, middle management, and non-management. The overall Cronbach’s alpha for the instrument measuring the level of ethics was 0.865, indicating that the instrument was highly reliable. The relationship between ERM controls and the level of ethics was determined using regression analysis, which produced an F value of 0.268 (p-value 0.607), implying that there is no relationship between ERM controls and the level of ethics. It was also ascertained that ethics and compliance-related issues are not fully embraced by the organization. This implied that the insurance company is at a level of “nominal” risk management with uncoordinated, top-down risk management activities. Since ethics risk exposure resulting from poor corporate governance has been identified by the Institute of Risk Management as being a key contributor to many business failures in South Africa (and internationally), the exploratory findings can stimulate the leadership to institute policies to mitigate poor governance and risk, as this will benefit all stakeholders.


INTRODUCTION
In South Africa, the exposure to corruption during the administration of former President Jacob Zuma, which is commonly referred to as "state capture", and the recent highly reported incidents of corporate misconduct, have focused the spotlight on ethics in both the public and private sectors. The plethora of companies that suffered major financial losses and reputational damage due to corruption and lack of ethics included VBS Mutual Bank in what has been dubbed "The Great Bank Heist" (Motau, 2018), South African Airways, with its board of directors implicated in state capture (Government of South Africa, 2018), DSTV admitting to price-fixing (Competition Commission, 2017), Steinhoff (Vegter, 2017), Eskom (National Treasury, 2018) and African Bank (Myburgh, 2016). Senior members of these organizations were found guilty of unethical conduct including extortion, price-fixing, abuse of power, insider trading and fraud, negligence and maladministration (Kirsten et al., 2017).
Recognition of the importance of ethics in business and the need for corporate governance led to the development of the King Codes on Corporate Governance, which were developed for the Institute of Directors - Southern Africa (IODSA), by a committee chaired by a retired judge and corporate governance expert, Professor Mervyn King. The most recent code, referred to as King IV, which was released in 2016, intended to foster an ethical environment and culture within organizations, improve trust between stakeholders, create an adequate and effective control environment, enhance company performance and value creation, ensure all organizations are good corporate citizens, and that the business is seen to be legitimate (IODSA, 2016).
The implementation of Enterprise Risk Management (ERM) can often be reduced to a mere compliance or "tick-box" exercise, which raises the question of whether ERM implementation is effectively addressing risks, such as poor company ethics. The above examples of some of the failed South African companies have one common feature, namely, failure by the relevant Board committees to manage risk. From an international perspective, the American Commission of Inquiry into the financial crisis of 2008 stated that, "dramatic failures of corporate governance and risk management at many systematically important financial institutions were a key cause of this crisis" (FCIC, 2011).

LITERATURE REVIEW AND THEORETICAL BASIS
Enterprise risk management (ERM) is rooted in a theoretical foundation of systems thinking, where an organization is viewed holistically as a complex system of separate, but interrelated processes, parts or components (Kim, 1999). Moeller (2011) asserted that ERM is concerned with decision-making, as it is naturally connected to business functions through shared risk exposures and synergistic relationships within the organizational structure. As companies grow, these relationships increase in complexity, until no individual division can easily be insulated from the risks affecting other divisions in the organization. ERM is defined as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, to identify potential events that may negatively affect the entity, and manage risk to be within its risk appetite" (Curtis & Carey, 2012, p. 2).
While there are conflicting views and approaches to ERM, there is still mounting pressure from external sources such as banks and rating agencies to add ERM to their rating methodology and credit risk assessments (Jabbour & Abdel-Kader, 2016). According to Sandford (2015), "the financial scandals in the aftermath of the American tech bubble and the housing bubble, led to the passing of sweeping legislation and the call for greater financial transparency and rigorous scrutiny of large corporations." The Ethics, Risk and Compliance functions of an organization suddenly took center stage, with their areas of responsibility now being widely expanded, in the struggle to regain public trust.
Narisimhan (2017) highlighted the current trend of the increasing scope of governance, risk and compliance frameworks to include ethics and value management, quality management, information security management, and business continuity management. This researcher devised a broader three-dimensional model for governance, risk and compliance, which encompassed "Risk" as a business attribute.
Because of the credit crisis, which highlighted systemic failures in risk management within the failed financial service businesses, a global study was conducted by PricewaterhouseCoopers (2008) to understand if ERM matters relevant to the insurance industry. Jabbour and Abdel-Kader (2016) found that various change agents influenced the decision by insurance companies to implement ERM processes. In addition, institutional pressures, some being coercive and others normative, were found to differ in character and magnitude over time in relation to the adoption of ERM. Gradually, ERM developed into a fully-fledged management function and permeated business functions, which were not previously accepted as being relevant to risk management (Jabbour & Abdel-Kader, 2016). From an insurer's viewpoint, an ERM program provides an integrated and comprehensive assessment of all material risks arising from its operations; presents a rigorous framework that facilitates an objective and consistent approach to manage risks across business units; serves as a common language and view of risk throughout the enterprise to derive a realistic risk profile; and aligns its risk profile with its business strategies and risk appetite and allows for calculated risks to be taken to proactively seize opportunities.
Brooks and Dunn (2018) note that ERM is often practiced as a superficial exercise aimed at identifying risks associated with events, rather than being used to identify ethics-related causality. While ERM can uncover many risks, in practice there is no in-depth examination to assess the underlying ethics risks and ethics-related risk causes.
There is a range of benefits associated with an organization being perceived as ethical, inter alia, increased customer loyalty; greater investor confidence; ease of access to capital; and the ability to attract top talent (Schoeman, 2015). In order to cultivate an environment in which employees will support one another in pursuing their goals ethically, it is important to establish and maintain an ethically strong culture in the workplace (Chun et al., 2013).
In Transparency International's annual Corruption Perception Index report, South Africa is ranked number 71 out of 180 countries (Transparency International, 2018). However, despite this relatively good ranking, corruption is still regarded as a significant problem in South Africa (Kirsten et al., 2017). Thus, all organizations are required to put measures in place to guard against unethical conduct, and manage ethics in the workplace effectively (Schoeman, 2015).
According to the King Code, ethical risks and opportunities should be incorporated in the risk management process, while a code of ethics and/or a general code of conduct, plus ethics-related policies, should be implemented. The Board is responsible for putting measures in place to ensure adherence to the standards it has set and for measuring this adherence (IODSA, 2016). Management is required to make many decisions daily, ranging from selection of vendors for various services to dealing with customers, and some decisions are not simple choices between "right" and "wrong" but "neutral" from a moral perspective and require strategizing, not ethical deliberation (SOSU, 2016).
When decisions involve choices that can negatively affect people within or outside of an organization, businesses require leaders who are able to choose ethically and put people ahead of profits. Kosdrosky (2015) mentions that a company may have an ethics policy, which on its own will do little to prevent bad actions by staff members. Thus, various tools for measuring ethics and compliance are suggested. Kaminski and Robu (2016) concur that managers are often being left to figure out what specific controls are required to address regulatory requirements. They also highlight the ongoing struggle of financial institutions with fundamental issues in their control environments, such as management's compliance literacy, accountability, performance incentives and the risk culture.
In South Africa, insurers are regulated by the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA), both of which define how companies should conduct business. The Prudential Standard GOI 1: Framework for Governance and Operational Standards for Insurers, states that insurers are the absorbers of risk from the economy and thus it is essential that their risks are managed prudently and professionally. The Governance and Operational Standards (GOIs) also establish the minimum requirements from the Prudential Authority, for an insurer's approach to risk management and control.
The Companies Act (Act 71 of 2008) requires that a registered company's annual financial statements be audited, and prohibits any material misstatement or misrepresentation of financial information. There is therefore a strong legal and regulatory incentive for companies to be ethical and to manage their risks.
Principle 4.1 of the King IV code that deals with risk management states that, "The governing body should govern risk in a way that supports the organization in setting and achieving its strategic objectives." The King code therefore brings together the principles of ethics and risk management, since they share common objectives relating to the triple bottom line, which requires accounting methods to extend beyond just measuring profits, and include social and environmental measures.
This broadens the scope of business objectives to include not only the shareholders of a company, but all stakeholders (Edwards, 2018). According

METHOD
To collect data for this study, a survey questionnaire was developed using a 5-point Likert-scale, where 1 = Strongly disagree and 5 = Strongly agree. To establish the level of individual ethics, the questions addressed the integrity, trustworthiness, and respect of the top management, middle management, and non-management staff. To create a baseline against which to test whether company controls had any effect on internal ethics, questions were also formulated regarding the respondents' level of ethics outside of the workplace. General questions were also developed to determine perceptions of ERM controls and ERM effectiveness in the organization.
As a pilot study, the questionnaire was administered to a sample of five (5) highly qualified and experienced individuals in the insurance company, including executives, in order to determine whether the questions provided sufficient coverage of all the areas to be addressed through the aim and objectives. Another phase of the pilot study involved administering the questionnaire to a sample of 10 insurance company employees. All the feedback received was taken into consideration in preparing the final survey instrument, resulting in some minor amendments to the final questionnaire.
The final questionnaire comprised 59 questions used to classify the "Level of ethics", "Level of ERM controls", and "ERM effectiveness". The questionnaire was self-designed, based on various previously developed and tested questionnaires, which aimed to determine issues pertaining to ethics, risk and governance in organizations.
The target population comprised 122 employees of a short-term insurer. Since the target population was small, all members of the population were surveyed. Upon receiving permission from the relevant heads, the employees were informed via e-mail about the purpose of the survey and advised that a questionnaire would be sent to them via an e-mail link. The data was captured using Microsoft Excel and regression analysis was performed using the Logistic regression procedure in Real Stats 2003.xla, which is free software available for Microsoft Excel.

RESULTS
Only 56 of the 122 employees targeted completed the survey, which yielded a response rate of approximately 46%. Almost 40% of the participants were managers, while the majority were in operations. The largest single category of respondents (23.2%) had been employed by the company for less than one year, with 21.4% being employed between three and five years; 17.9% for less than five years.
The level of ethics was measured by posing questions on the integrity, trustworthiness, and level of respect for top management, middle management, and non-management. For eligibility to participate in the study, respondents were asked whether they understood the meaning of ethics, and all the respondents either agreed or strongly agreed that they understood the concept. The overall Cronbach's alpha for the instrument measuring the level of ethics was 0.865, indicating that the instrument was highly reliable.
Table 1 presents the participants' perceptions of the level of integrity, trustworthiness, and respect by top management, middle management, and non-management.
It is evident from Table 1 that with respect to integrity, trustworthiness and respect, the top management rated the CEO and/or the board of directors highly (4.6 on a 5-point measurement scale).
The middle management participants, on the other hand, 'agreed' that top management led by example, since the average score was 3.9.
Regarding responsibility for ethics in the organization, both top and middle management participants 'agreed' that they had greater responsibility for ethics than those who reported to them, which implies that the top and middle management participants had integrity, trustworthiness, and respect.
It is evident from Table 2 that the "top" management participants rated their superiors highly (4.4), on their level of ethics and this was affirmed by middle managers and even non-managers who 'agreed' that their superiors were ethical, with ratings of 3.8 and 3.7, respectively.
Table 3, which reflects the levels of ERM controls by position in the company, reveals that top managers, middle managers, and non-managers neither agreed nor disagreed that ERM controls were sufficient at the organization. Respondents were also unaware of the 'tip-off' line for reporting incidents of misconduct and they neither agreed nor disagreed that the controls at the insurer were good enough to address ethics risks.
Table 4 shows that all levels of management 'agreed' that ERM was effective at the company (overall rating of 3.8). However, middle managers and non-managers seemed ambivalent regarding the risk management processes of the company.

| Research statements | Top management | Middle management | Non-managers |
|---|---|---|---|
| Given the circumstances, it is sometimes necessary to lie in order to conceal a bad situation at work (Reverse scored) | 4.4 | 2.9 | 3.0 |
| Given the circumstances, it is sometimes necessary to lie in order to avoid getting into trouble (Reverse scored) | | | |

| Research statements | Top management | Middle management | Non-managers |
|---|---|---|---|
| The controls we have at FEM are good enough to address ethics risks | 3.4 | 3.4 | 3.4 |
| The FEM risk management program helps to identify ALL ethics risks | 2.8 | 3.4 | 3.3 |
| The FEM risk management program has controls for ALL known ethics risks | 2.8 | 3.3 | 3.4 |
| Are you aware that FEM has a tip-off line for reporting misconduct? | 2.4 | 1.9 | 1.9 |
| Do you know how to use the tip-off line? | 2.4 | 1.9 | 1.6 |
| I would report or have reported misconduct during my time at FEM | 2.8 | 3.9 | 4.0 |
| There are no loopholes in the company policies | 3.4 | 3.4 | 3.0 |
| All company policies and procedures are ethically sound | 3.4 | 3.5 | 3.6 |
| There are no opportunities to commit fraud | 2.4 | 3.4 | 3.6 |
| I do not commit fraud because there are checks and balances that will pick it up | 2.9 | 2.9 | 3.0 |
| There are controls in place for all the risks in my day-to-day activities | 3.4 | 3.3 | 3.6 |
| Average ratings | 2.9 | 3.1 | 3.1 |

Table 4. Perceptions of ERM effectiveness
Source: Research data.

The relationship between ERM controls and the level of ethics was determined using regression analysis and, as is evident from the results presented in Table 5, there is no evidence of a relationship between ERM controls and the level of ethics.

DISCUSSION
According to Schoeman (2015), there is a major responsibility on all organizations to put measures in place against unethical conduct and to effectively manage ethics in the workplace. Management, therefore, has more responsibility for ethical conduct than their subordinates (Demidenko & McNutt, 2008). Before measuring the levels of ethics, the researchers first measured integrity, trustworthiness, and respect. Although all respondents 'agreed' that their superiors demonstrated integrity, trustworthiness, and respect, the results reveal that different levels of employees perceived their superiors differently. Top managers rated their superiors highly (4.6), whereas the average rating by middle managers was 4.0, and 3.7 by non-managers. It is concluded that top managers did not perceive themselves as having more responsibility for ethics than their subordinates.
Regarding the level of ethics, top management was rated highest overall (4.4), followed by middle managers (3.8) and non-managers (3.7). It is interesting to note that middle managers and non-managers tended to be neutral on whether they would ignore or transgress policy, if there was no risk of being caught, and on whether they found anything wrong with exploiting loopholes in company policy. No relationship could be established between ERM controls and the level of ethics at the research organization. This is due to the uncoordinated nature of ERM at the organization.

CONCLUSION
The aim of this study was to explore the relationship between enterprise risk management and company ethics at a short-term insurance company in South Africa. The level of ethics at the organization, level of ERM controls, and levels of ERM effectiveness were determined and thereafter, the relationship between ERM controls and ethics was investigated.
The findings indicate that integrity, trustworthiness, and respect at the organization deteriorate at lower management levels. Middle managers and non-managers tended to be neutral on whether they would ignore or transgress policy if there was no risk of being caught, and whether they found anything wrong with exploiting loopholes in company policy.
Respondents at all management levels were not aware that the organization had a "tip-off" line for reporting misconduct. The findings on ERM effectiveness were conflicting, with respondents rating ERM effectiveness as being high, even though they neither "agreed nor disagreed" that they knew the risk management process of the company.
Since the findings did not reveal any relationship between ERM controls and the level of ethics in the organization, it is possible that this is attributed to the uncoordinated nature of ERM at the organization and low levels of ethics. There is a need for a longitudinal study to further examine the relationship, after the implementation of ERM controls. The ERM program at the short-term insurer can benefit from the five HGP principles developed by the ECI (Edwards, 2018). These principles included the following: Strategy, Risk management, Culture, Speaking up, and Accountability. Clear and consistent lines of accountability should be established to enable the organization to hold itself accountable when wrongdoing occurs.
Although "whistle-blowing" had been introduced as an anti-fraud measure, it is evident that this is not well communicated in the organization. This should be addressed and assurance should be given that there will be no victimization of "whistle-blowers", since this will be totally anonymous.
Even though there is an ERM unit at the research organization, employees are not aware of its functions and value to the organization. Top management should ensure that the ERM unit gets proper support, both in structure and resources. The ERM unit should also arrange regular risk management training for all staff, to sensitize them to the importance of ethical risks.
An ERM framework that is closely aligned with the principles of COSO ERM should be adopted, because the principles clearly address the "tone" of an organization and the achievement of the desired culture regarding its ethical values. Furthermore, clear and visible action is to be taken when ethical misconduct is identified across all levels of an organization.

Table 1. Perception of integrity, trustworthiness, and respect by position
Source: Research data.

Table 2. Perception of the level of ethics
Source: Research data.

Research statements Average scores Top management Middle management Non-managers
Given the situation, it is acceptable to skip a red light on the way to work (Reverse

Table 2 (cont.). Perception of the level of ethics

Table 3. Perception of ERM controls
Source: Research data.

Table 5. Relationship between ERM controls and level of ethics
Top and middle management, as well as non-managers, ERM effectiveness at the company as