Evaluating Enterprise Risk Management (ERM); Bahrain Financial Sectors As a Case Study

Enterprise Risk Management (ERM) is a process used by firms to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a proactive framework for risk management, which typically involves identifying particular events relevant to the organization's objectives, assessing them and magnitude of impact, determining a response strategy, and monitoring progress. This research measures the awareness of Bahrain financial sector of ERM and if companies maintain an effective ERM framework. The results show success since all companies are aware of ERM and have an effective ERM framework in place.


Overview
The pace of change and characteristics of the new economy are exposing organizations to take risks more than ever before. Therefore mastering these risks can be a real source of opportunity and challenge and a powerful way of sustaining a competitive edge. Especially for companies to sustain and survive in the long run where companies need an effective & continuous risk management. Risk influences every aspect of business as they say "Risk is a risk is a risk". Understanding the risks Bahraini Companies face and managing them appropriately will enhance their ability to make better decisions, deliver company's objectives and hence subsequently improve performance. It is also important to note that risk is categorized into: financial, operational, strategic, and reputation risk. Enterprise Risk Management is any significant event or circumstance, which could impact the achievement of business objectives, including strategic, operational, financial, and compliance risks. ERM helps create a comprehensive approach to anticipating, identifying, prioritizing, and managing material risks of the Company.

Research Objective
The objective of this research is to take a more strategic and consistent approach to managing risk across, Bahrain's financial sector through the introduction of an Enterprise Risk Management ("ERM") framework and associated activities assisting the protection and the creation of value. When looking back at the corporate scandals i.e. Enron & world com, financial crisis of 1997, 2009 misled the investors and resulted in investors loosing confident & dissatisfaction. The result of that crisis was not limited to the country of origin. However it spread globally due to globalization.

Global marketplace = Increased risks
This means that global risks combined with rapidly evolving business conditions are prompting financial sector to turn to ERM. It is very important for Bahrain Financial sector to have ERM. Bahrain does international business with other, therefore it is effected by downturns and since no company can prevent an economic downturn, those who map out the steps they would take to respond to a downturn won't find themselves taking quick decisions which will ultimately affect the firm negatively.

Research Methodology
A questionnaire will be constructing and publish on Google document targeting only Bahraini financial sector. SPSS application will be utilized to analyze results. In addition, the questionnaire will measure how important of ERM factors to establish a good ERM practice.

Research Challenges
The goal of any firm is to achieve its objectives and create value; therefore each company has value chain which is divided into key and support activities. The company must be successful in each and every process in order to deliver a good result and achieve competitive advantage. Each of the processes in the value chain might result in more than five risks. If firms were not able to identify and put appropriate controls then all firms will end up bankrupt, in crisis, investor's dissatisfaction, etc. This research focuses on the importance of addressing key risks which helps and organization understand accountability-who owns the risks and whether the risks are being properly monitored. Often, because companies are organized by function or geography and not by risk, the highest risks might not have designated risk owners or risk monitors. Risk Management is the responsibility of each and every staff. This research will allocate one full section which will be called "Challenges" where it will mention what kind of risk will the bank face of proper ERM framework was not in place.

Literature Review
When EJ Smith (1912) was asked if he has encountered any risks during his 40 years experience he said "cannot remember any serious risks. I have only once seen a ship in distress." However immediately after that SS Titanic sank. The accident demanded 1500 lives including that of Captain EJ Smith. This article highlights the importance of our subject which is Enterprise risk Management if (EJ Smith, 1912) though of some risks that could occur, then Titanic wouldn't have sunk. This article is too general and it has nothing to do with our ERM on financial sector in Bahrain, however it could help us understand that there are risks in each and every business, process, task, etc we do in our life and ERM should be considered whether it is a financial or non financial sector, however for the purpose of specificity, the research will focus only on the financial sector in Bahrain. This quote also shows that risks always exist and it has nothing to do with the current environment or crisis. In another article Ed O'Donnell, (2005) talked about the framework for ERM and he stated "The guidelines establish objectives for event identification and suggest general procedures for identifying events that represent business risks." Internal Audit is concerned about identifying the root cause of the risk however here in ERM it is about identifying the root cause of the root cause. The Author is right as he mentioned that ERM task is to identify the risks which can stop us from achieving our objectives. The author wants companies to be proactive in identifying risks.
The project will also highlight the factors according to COSO framework and it will also highlight what type of risks the company is going to face if it didn't have ERM framework implemented. In Nocco, Brian W & Stulz, René M article published on (2006) He state That " ERM adds value by ensuring that all material risks are owned and riskreturn tradeoffs carefully evaluated, by operating managers and employees throughout the firm. ".It is strongly believed that implementing ERM adds value to the firm if it was effective and the action points were implemented correctly. Also supports what (Ed O'Donnell, 2005) said in his article that ERM improves the performance of the firms which will ultimately add value to the firm "there is growing support for the general argument that organizations will improve their performance by employing the ERM concept". Rao, Ananth (2009) has conducted a case on private sector organization which uses ERM within strategic control process. (Rao, Ananth 2009) uses risk identification, risk assessment, value at risk as the quantitative risk assessment techniques. Rao recommends the implementation of COSO (2004) which focuses on the Internal controls, (Rao, Ananth 2009) research stated "This case study demonstrates the prudence and practicality of the recommendations of COSO (2004) framework and Turnbull report for integrating the management of risk and organizational performance in general as part of a coherent approach to corporate governance." .However Our case study will differ than the above research as we are going to focus on COSO frame work in financial institutions .this research will focus on all supply chain areas not only strategic.(Please refer to Challenges section in this research for more details). Marika Arena, Michela Arnaboldi and Giovanni Azzone, (2010) stated that "ERM is the main form taken by firms' increasing efforts to organize uncertainty, which 'exploded' in the 1990s." This project supports Marika Arena, Michela Arnaboldi and Giovanni Azzone article's that ERM & Risk Management are important and that is because uncertainty always exist, we agree with this article somehow because all our plans are for the future and as we know the only thing we are sure about the future is that many things might change in future so we are not certain .It is impossible to have no risk however by preparing ourselves and implementing ERM we can minimize it.
In the article above the researcher used longitudinal multiple case study however we are going to build a questionnaire to test if companies are aware with the concept of ERM and they are implementing effective ERM framework. We agree with the researcher as there is a strong link between risk management & business strategy therefore financial institutions should maintain Disaster recovery plan and business continuity plan when doing their business strategy which ensures backup of all information and which reduces the safety hazards such us fire (Umbrella insurance). He also used the longitudinal multiple case study to make readers understand more about ERM process. Mark S. Beasley, Richard Clune, and Dana R. Hermanson,(2005) stated that "there is little research on factors associated with the implementation of ERM. Research is needed to provide insights as to why some organizations are responding to changing risk profiles by embracing ERM and others are not."(Mark S. Beasley, Richard Clune, and Dana R. Hermanson 2005) and it focuses on US, however as a result of our research and discussions with our managers we were informed that Bahraini corporations and specifically financial sector are aware of the ERM concept. It came to our attention that Central Bank of Bahrain force institutions to have independent auditors, however ERM is still grey area to many banks. We also noticed that now ERM factors are clearly defined, and frameworks have been established.
The following article supports the idea that if a company has established good risk management process then this will help it reduce the risk and therefore the cost of having consultants to check compliance against the Central Bank.
We are going to test if banks in Bahrain maintain a compliance checklist against CBB rulebook and if there is adequate monitoring and follow up with this checklist .This will be tested as part of our questionnaire. Standard & Poor's Ratings Services( 2005 )"The HP Compliance Suite for Financial Institutions is a collection of HP products, market offerings, and services that help financial services firms reduce the cost of achieving regulatory compliance, improve risk management capabilities, and also reduce the cost of sustaining compliance. This paper explains how with the Enterprise Risk Management component of its compliance suite, HP can help organizations". Craig Faris (2010) states "Climbing out of a recession can be heavy going. At the same time, it can be a stimulating wake-up call." We agree that the recession was like a wakeup call for many financial institutions which didn't give risk management attention; in our introduction we mentioned briefly that because of the financial crisis and scandals (i.e. Enron & Worldcom) Bahrain's financial sector need to establish and implement ERM framework. In another article for Walker, Paul L and Shenkir, William G. (2008) his article highlights Enterprise Risk Management (ERM) practices that improve a company's ability to manage risks effectively. "The authors argue that ERM allows companies to proactively manage risk, clarify the organization's risk philosophy, and develop a risk strategy."Further, the article discusses how the ERM process forces companies to consider those events that might stand in the way of achieving corporate goals. Then companies can assess these risks and develop strategic plans. Discussion of contingency plans, measuring effectiveness, and communications strategies is also presented. Referring to Paul, shenkir & William (2008) article we mentioned that Bahrain financial sector need to establish & implement ERM framework, this article highlights one way to start implementing ERM which is establishing good internal controls which we will also consider it one of the ERM factors in later stages of this project.This article explains how we can implement ERM. We strongly agree with Walker as ERM is trying to imagine what could happen to the company in the worst scenario therefore the company should establish Internal controls for each and every department and those controls should be communicated to all employees & implemented. As we said we agree with the author when he said that "ERM allows companies to proactively manage risk" Cokins, Gary (2010) stated that "It notes that the four types of alternative risk categorization are market and price risk, credit risk and operational risk". This article talks about risk categorization .We disagree somehow with the researcher when he categorized risks into Market, Price, credit & Operational. As we would classify them to: Strategic, financial, Operational & Reputation. He could have done better job by listing price and credit under financial. In another article for Richard S.Warr & Donald P.Pagach, (2010) said in his article "We study the effect of adoption of enterprise risk management (ERM) principles on firms' long-term performance by examining how financial, asset and market characteristics change around the time of ERM adoption. Overall, our results fail to find support for the proposition that ERM is value creating, although further study is called for."( Richard S. Warr & Donald P. Pagach, 2010) fail to support that ERM is value creating, we mentioned earlier that implementing ERM does not only mitigate the risks, however it also adds value .During our detailed testing in Bahrain financial sector we are either going to agree with this article or disagree. McAliney, Peter J (2009) said "providing readers the operational considerations to implement this program within their organization to enhance performance improvement. At the individual initiative level, readers will recognize elements used in developing retrospective return on investments (ROIs) for learning programs. " We agree with (McAliney, Peter J, 2009) in teaching and communicating ERM concept with the line executive as all employees in the company must be aware of what possible risk might take place to better appreciate the internal controls which will be established by the Management in later stages. We are going to test how whether financial sector in Bahrain have well established internal controls while doing their business. If Management doesn't communicate such issues with employees then they won't understand the reason for policies & procedure changes, etc. We also agree that by performing good and effective ERM the ROI's will improve as we believe that ERM adds value to all business processes. In another SHABUDIN, Ebrahim, DREW, John O. &PEROTTI, William L. (2007), said that" noted that risk management is not just about mitigation but also about optimization. "We think that this article will help us in writing the project as they segregated risk into other classification which is quantitative & qualitative risk. We might need to through light on the difference between quantitative & qualitative as part of the introduction. We also agree with the researcher when he mentioned that it is not about mitigation but optimization however we would also like to add that ERM is also about "value adding" to the corporations.
While Ohio State University, (2006) stated that "we explain how enterprise risk management creates value for shareholders", this article highlights the role of ERM in creating value, and as we learnt in our finance courses that the goal of any firm is to increase the value of stockholders. This article also draws attention on the risk appetite which we will explain later as one of the ERM factors. David L. Olson, (2010), stated that "This paper demonstrates support to risk management through validation of predictive scorecards for a large bank. The bank developed a model to assess account creditworthiness". This article supports our project. It writes about financial sector (Bank), it talks about scorecards which we are going to consider it as one of the ERM factors which falls under Internal Controls. This article also supports benchmarking and evaluating actual performance against competitors which will also be tested in our questionnaire.

Research Methodology
This project was conducted by analyzing results of distributed questionnaires about Enterprise Risk Management (ERM) in Bahrain Financial Sector. A questionnaire was published on the web and sent to banks in Bahrain and specifically to risk management and internal audit department. The questionnaire will cover the following areas being: (1) general questions, (2) questions relating to risk awareness and (3) questions relating to ERM factors. This research is trying to identify the extent to which good enterprise risk management (ERM) practices are being implemented and communicated throughout the banks. In addition, we are going to test how important the ERM factors established against a good ERM practice.

Hypothesis
In order to state the hypothesis we need to identify successful factors defining ERM.
As defined by KPMG (one of the big four Auditing firms) the following are the factors of successful ERM: [Insert Table 1

here]
Referring to the above table we can identify the following independent factors which must be in place for an effective and successful ERM:

[Insert Table 2 here]
According to the above factors we are going to design a questionnaire tailored for Bahrain corporations (financial sector), published on Google. Results will be analyzed and hence conclude findings.

Challenges
If firms don't implement ERM all value chain activities will be subject to risk. As previously mentioned; risk can be divided into strategic/financial/operational. Each of the activities whether its support or primary it is subject to risks. If we ignore deploying clear ERM framework we might end up with financial losses (like bankruptcy/operational risk reputation.

Result analysis
We have identified 8 factors however due to time constraints we will only choose the 4 most important factors according to KPMG one of the big 4 auditing firms and specialized in ERM.
A questionnaire was tailored based on the above mentioned 8 factors and this questionnaire was conducted in 2010 & it was distributed to financial sector in Bahrain; only 33 questionnaires .The results were organized in tables and graphs which facilitate our analysis and help the reader better understand. SPSS was used for the purpose of analysing the results. SPSS test results were conducted on 4 independent factors & the dependent factor (ERM) using 2 questions for each factor.
Keeping in mind that the following four factors will be used:

SPSS Results
As mentioned earlier, SPSS will used to analyze the results, t-test will used to determine whether Bahraini financial sector are aware of the ERM concept and are implementing effective ERM framework to mitigate the risks, and F-test will used to determine the relationship between dependent factor and the 4 independent factors.

T-Test examines (Dependent Factor) ERM
T test will try to examine whether Bahraini financial sector are aware of the ERM concept and are implementing effective ERM framework to mitigate the risks.

[Insert Table 3 here]
T-test result shows that t = 27.617, and referring to table of critical values for T by choosing level of significance .05, T-critical value= 2.04., The results shows that mean is more than 3 it's almost 4.1, & the level of significant is 0 less than .05, these results will give us a good indicator that almost all respondents in financial sector are aware of the ERM concept and they implement effective ERM.

F-Test
F-test will be used to determine the relationship between dependent factors which is Enterprise risk management and the four independent factors which are risk assessment, control, monitoring, and communication then we will compare F-test result for the relationship to the corresponding entry on a [Insert Table 4

here]
The results for Risk assessment shows that F test = 1.018 and referring to the critical value in F table shows F .05 = 4.16, F critical value more than f test and the level of significant = .321 and it more than .05 which mean reject H 1 , Bahrain Financial sector not consider Risk Assessment while implementing planning the ERM, but in reality and according to COSO framework risk assessment one of the important factor for ERM.
In this case, T-test will used to examine the factor "risk assessment" -(Independent Factor) Risk Assessment

F-Test
The results for control shows that F test = 4.266 and referring to F .05 critical value in the table shows F = 4.16, F critical value less than F test and the level of significant = .047 and it is less than .05 which mean Accept H1, and the Bahrain Financial sector consider control while implementing planning the ERM so there is no need for T test.

Discussions
After analyzing the results we conclude that F test results show that there is no relationship between risk assessment & ERM, communication & ERM, monitoring & ERM, but there is a relationship between control & ERM.
In addition, almost all the respondents answer the questions positively either strongly agree or somewhat agree, and these factors that we used for the analysis were essential factors in COSO framework, so we used T test analysis to examine the three factors separately, and the results for each factor conclude a positive results which mean that all Bahrain financial firms consider risk assessment, control, monitoring and communication while implementing ERM.
After reviewing all the published literature reviews written about Enterprise Risk Management .We think that this subject was not fully consumed by researchers, as researchers didn't touch all the areas or in some cases they did but very briefly.
This research is more comprehensive as it includes ERM from the very first point, then it will walk easier through the different factors in COSO framework.
As we mentioned in the result analysis that financial sector in Bahrain are aware of the importance of ERM however companies can't perform it by themselves and use other professional firms to have effective ERM in place and we can say the reason for that is due to unavailability of enough sources and explanation of ERM framework.

Conclusion
The result of the project concludes that Bahrain financial Corporations are aware of the Concept of ERM and its factors and that awareness can be traced to the fact that companies appreciate that risks are things that might face us in our day to day activities and all companies regardless of its capital and how experienced is their employees are subject to different types of risks. The project conclude that companies are aware of the different classifications of risks and that there is no one standard classification of risk as mentioned in the literature review section Article number 11 where better classification of risk could be put in place.
Bahraini Financial Institutions are lead by the Central Bank of Bahrain rules and since having Effective ERM framework is not insisted in the rulebook as the need for independent internal auditors, the corporations will not consider it as priority .As we understand that companies are more concerned with compliance with the CBB rule book .As explained earlier although companies are not required to have ERM process by the Central Bank of Bahrain, it seems that many companies are looking forward to have contracts signed with Professional firms to conduct ERM studies.
Keeping in mind that professional firms charge quite a high fee for conducting ERM studies, however as a result of the questionnaire we can say that companies would not matter to pay any amount as long as they can ensure that they are on the safe side by having ERM.
We noted that the implementation of the ERM factors varied from one bank to other and we analysed that some factors might influence having comprehensive ERM framework .We were able to identify the following factors: Financial sector in Bahrain has well established internal controls which seem to work effectively.