Integration of enterprise risk management and management control system: based on a case study


This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

This paper aims to discuss the concepts and methodological issues of enterprise risk management (ERM). The case study of company A shows that ERM was implemented and integrated with management control as a means of monitoring its subsidiaries. First, the ERM system was implemented through a comprehensive review of corporate risk policies, risk management processes, roles and responsibilities, and risk culture. Second, company A integrated ERM with the existing management control system in order to evaluate the risk underlying current management activities. Finally, ERM implementation was expanded to all subsidiaries so that each business unit would be delegated responsibility for its own risk management. This paper provides insight into how group-level internal auditors can use ERM as a tool to manage the risk of subsidiaries, thereby filling the gap between academic research and practice. This successful ERM adoption case can serve as a guideline for other organizations that plan to adopt ERM with reduced costs and improved processes.

    • Fig. 1. ERM as a management control infrastructure
    • Fig. 2. Integration of ERM and management control systems
    • Fig. 3. Risk governance system in company
    • Table 1. Comparison of COSO 1 and COSO 2 ERM Framework
    • Table 2. Risk profile of company A
    • Table 3. Measurement of ERM maturity