Gabungan 2 Jurnal
Gabungan 2 Jurnal
TELEKOMUNIKASI
Firman Fauzi
Program Studi Teknik Elektro, Fakultas Teknik, Universitas Mercu Buana
Jakarta Email: ffauzi12@gmail.com
Abstrak – Dalam era data / internet, para operator telekomunikasi tentu saja mulai
memfokuskan bisnis dan layanannya pada data, yang semula hanya sebagai salah satu value
added service (VAS) hingga kemudian menjadi bagian core business para operator.
Sayangnya pada era data ini, sepertinya resiko yang dihadapi operator adalah harus berbagi
“kue” revenue dengan “banyak pemain lain” di luar operator telekomunikasi. Kemungkinan
nilai yang didapatkan tidak akan sebesar saat era voice dan SMS yang masih mendominasi
layanan telekomunikasi saat itu. Tetapi pertumbuhan pendapatan terus tertekan. Untuk
mengatasi resiko tersebut maka operator telekomunikasi perlu manajemen resiko yang lebih
handal lagi.
Kata kunci: Resiko, Bisnis, Layanan perubahan dan memberikan pengaruh pada
orang lain melalui dunia maya. Sehingga
PENDAHULUAN telah terjadi pergeseran dari konsumen
Era konvergensi pada industri menjadi prosumer (produser - consumer),
telekomunikasi informasi semakin mendekat, dimana konsumen juga dapat bertindak
ditandai dengan semakin menipisnya batas sebagai produser. Dampak lain dari hal ini
dari fungsi spesifik yang sebelumnya adalah harus disadari bahwa kekuatan
dimiliki masing-masing operator perubahan tidak lagi dikuasai oleh organisasi
telekomunikasi. Komoditas pelayanan jasa / perusahaan tapi juga dalam masing-masing
telekomunikasi sekarang ini bisa dinikmati individu sebagai konsumen yang akan
dari berbagai perangkat telekomunikasi dan mempengaruhi strategi perusahaan dan akan
internet. Seiring dengan perkembangan mengubah bagaimana cara perusahaan
teknologi informasi, perluasan akses internet, merespon perubahan yang terjadi dengan
proses dalam pembuatan konten program cepat.
pun bergeser dari company-based menjadi Perubahan yang cepat dan tidak pernah
individual-based. Hal ini dapat dengan terjadi sebelumnya ini telah menciptakan
mudah kita amati dengan bermunculannya suatu pasar dan mekanisme baru yang tidak
para individu yang mampu membuat dapat diantisipasi oleh strategi sebelumnya,
karena suatu strategi bisa jadi bekerja baik meningkat. Adanya penyedia layanan
untuk suatu kondisi tertentu namun belum telekomunikasi baru yang ada saat ini akan
tentu berhasil untuk kondisi lainnya. Era ini menciptakan produk dan paket layanan yang
dapat dikatakan sebagai “ Tantangan atau lebih menarik, teknologi yang lebih canggih
Resiko Di Tengah Perubahan Bisnis atau konvergensi dari beragam layanan
Telekomunikasi “, dimana perubahan yang telekomunikasi, sehingga berdampak pada
terjadi 'mengacaukan' sistem yang telah tingginya tingkat pemutusan layanan, ARPU
bertahan sebelumnya, dengan cara yang yang rendah atau penurunan, atau
berhasil membuat para penyusun strategi di perlambatan pertumbuhan pada basis
bisnis telekomunikasi dan informasi berpikir pelanggan telekomunikasi.
ulang serta berkolaborasi untuk menciptakan Persaingan antar penyedia teknologi baru
model bisnis baru, proses baru, hingga tujuan bersama, masuknya pemain baru, pemain
perusahaan yang sebelumnya belum menjadi yang sudah ada dan konsolidasi antar
ranah mereka. Yang tak kalah pentingnya penyedia layanan dapat berdampak negatif
adalah dengan menyiapkan kapabilitas baru pada posisi bisnis layanan telekomunikasi,
untuk menjawab semua tantangan dan kondisi keuangan, hasil operasi dan prospek
memperkecil resiko, dalam rangka usaha telekomunikasi. Oleh karena itu, untuk
menciptakan pertumbuhan usaha yang mengatasi semua resiko- resiko yang
berkelanjutan. dihadapi ini maka perlu manajemen resiko
Di yakini bahwa persaingan bisnis yang bagus untuk setiap operator
layanan telekomunikasi akan terus telekomunikasi.
2. Mengevaluasi resiko potensial kadang dikenal dengan istilah risiko yang dapat
diasuransikan (insurable risk).
3. Memilih teknik / cara yang tepat atau
2. Risiko spekulatif adalah suatu risiko yang
menentu
dihadapi perusahaan yang dapat memberikan
kan suatu kombinasi dari teknik - teknik
keuntungan dan juga dapat memberikan
yang tepat guna untuk menanggulangi
kerugian. Contoh: usaha bisnis, membeli saham.
kerugian.
Risiko spekulatif kadang-kadang dikenal dengan
Dengan demikian manajemen risiko
istilah risiko perubahan model bisnis.
berfungsi dalam menemukan risiko potensial,
Tindakan manajemen resiko diambil
mengevaluasi risiko potensial, dan menang
oleh untuk merespon bermacam-macam resiko.
gulangi kerugian yang ditimbulkan oleh bisnis
Ada dua macam tindakan manajemen resiko
atau aktivitas yang dilakukan perusahaan atau
yaitu : 1. Mencegah dan memperbaiki. Tindakan
badan usaha. Manajemen risiko pada prinsipnya
mencegah digunakan untuk mengurangi,
menghindari, atau mentransfer resiko dengan dengan menggunakan voice dan sms. Hal ini tentu
cara diasuransikan. saja akan menyebabkan perubahan pola
2. Sedangkan tindakan memperbaiki adalah pendapatan operator telekomunikasi sehingga
untuk mengurangi efek-efek ketika resiko terjadi saat ini, di Indonesia penggunaan mobile internet
atau ketika resiko harus diambil dan kontrol sudah mulai ramai. Hal ini diprediksi masih akan
bisnis dari sebuah resiko yang mengancam terus berlanjut hingga beberapa tahun mendatang.
aset Salah satu teknologi yang mungkin dapat
dari bisnis sebuah perusahaan atau proyek yang merevolusi akses broadband mobile di Indonesia
dapat menimbulkan kerusakan atau kerugian adalah teknologi data (4G). Namun, hingga saat
pada perusahaan tersebut. ini, penggunaan teknologi data ini secara massal
di seluruh nusantara nampaknya masih harus
Dalam beberapa tahun ke depan, jumlah investasi yang akan dikeluarkan oleh operator
Indonesia akan bertambah secara signifikan. Hal mengatur teknologi data (4G) belum tertata baik.
ini antara lain didorong oleh jumlah populasi Jika teknologi data sudah dapat diterap
Indonesia yang sebagian besar merupakan kan secara massal di seluruh Nusantara, maka
penduduk muda, penerapan teknologi maju, serta kemungkinan besar mobile internet akan menjadi
masih rendahnya tarif transfer data pilihan utama para pengguna jasa telekomunikasi
telekomunikasi di Indonesia. Hal ini di seluruh Indonesia. Hal ini tentunya akan
Di samping itu, ekonomi Indonesia yang signifikan. Hal ini sepertinya menimbulkan
terus tumbuh juga akan membantu para operator dampak resiko kepada para insan telekomunikasi
telekomunikasi untuk mendapatkan pendapatan baik langsung maupun tidak langsung. Pada era
yang lebih. Dari beberapa riset yang dilakukan, sebelumnya untuk pelayanan voice dan SMS
pendapatan Domestik Bruto (PDB) dari suatu mendominasi, sehingga revenue operator relatif
negara mempunyai kaitan yang erat dengan besar. Karena pada era tersebut operator
peningkatan jumlah pelanggan telepon, dengan telekomunikasi mendapatkan revenue dari dua
catatan, negara tersebut masih tergolong dalam hal utama yaitu jaringan dan layanan (services).
Salah satu hal yang dapat merubah pola penyedia jaringan dan penyedia layanan
adalah teknologi. Contohnya dengan teknologi Namun di era data, peran operator
teknologi ini, konsumen tidak banyak lagi “monopoli” walau masih mendominasi. Memang
Organizational Risk Management – A Case Study in Companies that have won the
Brazilian Quatity Award Prize
Luiz Carlos Di Serio1, Luciel Henrique de Oliveira2, Luiz Marcelo Siegert Schuch3
Abstract
Supply chain optimization, company interdependency and the establishment of global operating
networks have all made companies more susceptible to uncertainty and risk. Literature on the subject
lacks analysis of how companies have implemented these systems and what the results have been.
This paper describes the implementation of Enterprise Risk Management (ERM) in three Brazilian
world-class companies and evaluates the hindrances and facilitating factors. It also considers the
results achieved in performance and company culture. Finally, we propose a model associating the
benefits of risk management to the level of organizational transformation.
Keywords: Enterprise risk management (ERM); risk management; organizational
transformation; operating risks, ruptures in the supply chain.
1. Introduction
In the organizational field, risk management and integrated management systems and enables a
has only recently featured in executives’ agendas, more comprehensive evaluation of the factors
changing the perception in the process that this proposed by this study.
discipline is restricted to insurance experts This study is based on the following research
(CAVINATO, 2004). The optimization of problems: How do companies that are considered
supply chains, more company interdependency as examples of world-class management handle
prompted by the evolution of lean manufacturing, their organizational risk? How does risk
and the establishment of global supply networks management affect the culture and results of these
have increased companies’ exposure to different organizations?
types of uncertainties and consequently, to greater
risk (HARLAND et al, 2003). According to the 2. Theoretical References
Global Risks 2008 report, published by the World From an individual perspective, companies have
Economic Forum, the main current risks stem ack- nowledged risk for a while and there is a
from supply chains, the financial system, food vast literature on the subject in the areas of
safety, and issues related to energy availability economics, finances, strate- gy and international
and use. management (JÜTNER et al, 2003). Also, the
This work aims at finding ways to reduce the author points out that the term risk is somehow
gap in the practical implementation of risk confusing, because it is perceived as a
management systems in organizations. A multiple multidimensional concept. On the one hand it can be
case study was conducted with three companies attributed to internal or external events that reduce the
chosen from a list of winners and fina- lists of predictability of results (e.g. political, environmental
the PNQ National Quality Award. Winning the and market risks). On the other, the term risk can
PNQ award was a prerequisite for the companies refer to the potential consequen- ces of an event (e.g.
chosen, as one of the requirements of the EFQM operating, personal and service risks). The
Management Ex- cellence Model is the Brazilian National Quality Foundation
identification, classification, analysis and handling (FNQ, 2010) Excellence Model includes the need
of more significant corporate risks. The fact that to identify organizational risks and defines risk as
these are award-winning companies is a sign of a combination between the probability of an
public recognition of their maturity, development occurrence and the consequence(s) of an
undesired event. It also defines corporate risk as more on risk management. Thus, it is not
a risk to the achievement of an organization’s surprising that ERM models that provide a
goals in the light of market uncertainties, the structure for risk analysis and measurement
organization’s area of operation, the have been so widely embraced by executives
macroeconomic scenario and the organization’s (GATES and HEXTER, 2006).
own processes.
The market offers models aimed at directing
Bernstain (1996) suggests that the an organization’s risk management. COSO’s
understanding of risk management methods (Committee of Sponsoring Organizations of the
requires prior knowledge of their history. The Treadway Commission) introduces an ERM
author argues that it is almost unbelievable that model that takes into consideration strategic
theories about probabilities have taken so long and operating aspects associated to risk
to be developed. This delay is attributed to the management. This model has been embraced by
combination of two factors that had to be agencies and by the US government as a
present in order to enable the development of means to control organizational risks and meet
theories about risk: a more developed the requirements of the Sarbanes-Oxley Law.
numeration system and greater liberty for
people to question the future.
N local
performance
To enhance IT capabilities in order - To focus on business processes
INTERNAL
to - To compare with best-in-class
INTEGRATION
create an organization with a higher
degree of integration and
interconnectivity
REDESIGNING To redesign key processes in order to - To draw up proactive processes
THE develop future capabilities and not just - Challenges bigger than
BUSINESS correct existing faults. mere
PROCESS technology selection
REDESIGNING To draw up a strategic logic aimed - To implement a strategic
BUSINESS at vision
NETWORKS strengthening the various links based for the value chain
on IT functionality, learning, -To redefine the
coordination, performance
and control with partners criteria
REDEFINING - To implement a business view
THE To redefine the business’ scope through interrelated internal and
BUSINESS’ external activities
SCOPE
Table 1: Characteristics of the Transformation Levels/ Source: Venkatraman (1994).
The implementation of a risk management system is management”, even if it was still being structured.
a long-term, dynamic, interactive process that must be This premise enabled a preliminary glimpse of the
continuously improved and integrated to the results obtained through the implementation of the
organization’s strategic planning, Brazilian Corporate risk management system.
Governance Institute (IBGC, 2007). Three of the companies we contacted agreed to
VENKATRAMAN(1994) presented a framework share information and experiences. In many cases
with possible ways to implement Information risk management involves the organization’s strategic
Technology within an organization. This framework questions, thus hindering access to some information
(Table 1) has different stages of organizational and, in some cases even preventing the company’s
transformation and their respective impacts, and it is participation in the study. This problem was dealt
the company’s job to determine which type of with through a confidentiality agreement stating that
transformation it wants to introduce. The choice of a the participants’ names remain undisclosed, and
specific level of transformation depends on the costs through prior submission of the data collection
incurred and on estimated benefits. process and of the research protocol containing the
2. Methodological Procedures main themes discussed during the interviews. Our
The research used the multiple-case study model main interest was in risk management
proposed by YIN (2005). Selection of the cases was implementation and results, so despite limiting the
followed by the development of research research’s scope, the lack of access to each company’s
proposals and protocol. Each case is described in specific risks did not prevent the execution of the
detail. We first contacted the latest winners and study.
finalists of the PNQ award and identified the After consulting the literature on the subject, we
companies that adopt risk management systems. drew up the following research protocol for the
Initial contact was made with the company’s interviews and analyses of the results:
representative on the FNQ (National Quality (1) Risk management implementation –factors
Foundation) data bank, who then referred us to that facilitate and hinder risk management in the
the person in charge of risk management. One of company.
the prerequisites for involvement in the study was (2) Current stage of the risk management system
for the company to work with the subject of ‘risk – risk management governance; risk identification
and analysis; risk monitoring and crisis covered the entire scope established in the script.
management, the use of technology and In each question the interviewees were asked to
integration, and how and whether risks were explain the company’s experience. At the end of
communicated to stakeholders. questions with previously-established factors, it was
(3) Impacts of risk management – the requested that the interviewee grade the degree of
organizational culture’s approach to risk and agreement with this practice and the degree to which
decision-making and the impact on organizational it has been implemented. The interview was not
results. restricted to the suggested factors, so the
The following proposals were withdrawn from interviewees were free to propose new ones. This
theoretical references and used to direct the research approach aimed at obtaining a minimum group of
and as the object of analysis of this study: factors for future comparison between companies.
• Proposal 1: organizations consider risk Although the selected companies did not authorize
management as an important initiative for the disclosure of their names nor of details that
carrying out their strategies and obtaining enabled their identification, they are loosely
sustainable results; described in Table 2.
•Proposal 2: organizations include formal risk
analyses in their decision-making processes;
• Proposal 3: the identification, analysis and
handling of financial risks is more developed
than in the case of operating risks;
• Proposal 4: the adoption of a structured
organizational risk management system has a
positive impact on performance;
We chose to conduct semi-structured interviews
with a prepared questionnaire containing specific
sections to help map out the implementation process,
the current stage of the risk management system,
and the results obtained. For each case analyzed we
conducted interviews with the executive in charge of
the organization’s risk management. The interviews
were based on a prepared script and were conducted
in the company’s facilities during scheduled
meetings. They lasted an average of 3 hours and
Company A – Brazilian industrial company and a traditional player in its segment. One of the
country’s most profitable private business conglomerates, it combines family control, high
performance professional management, and partnerships with the capital market. Its trajectory
has been marked by a capacity for innovation, risk taking and the adoption of bold new
business models and products for the achievement of value solutions for the organization and
society as a whole.
Company B – A holding company that operates through subsidiaries in the production,
distribution and commercial sectors. It is Brazil’s largest company in its segment. It has great
experience and knowledge of its activities, acquired from significant expertise and tradition.
Company C – A diversified global industrial company that supplies products and services to
clients worldwide. It is Brazil’s main producer and supplier of its products. Through a
combinationTable 2: Characteristics
of the strength and ofexpertise
the companies analyzed/
acquired as a Source:
global Written
company,by the authors.
it has become a
Both the interviews and the data collection were ca- subject, annual reports, and documents available to the
rried out by the authors. In addition to the interviews, market (such as documentation sent to the Securities
we used information from the companies’ sites, Exchange Commission - SEC – corroborating
minutes of meetings, internal presentations about the compliance with the Sarbanes-Oxley Law).
4 Results and Discussion the requisites of the Sarbanes-Oxley Law. A working
4.1. COMPANY A group was created containing members of the
4.1.1. The implementation of risk controllership, information technology, and auditing
management areas of the two companies and which was led by
The company’s risk management system was Investor Relations Management. Observation of the
implemen- ted in 2005, during the selection of a results showed that the leadership’s support and that
consultancy firm as part of the formalization of the implementation through a multifunctional team were
risk analysis process. Some specific areas in the facilitating factors. The leadership’s support was crucial
company already had a risk- identification and for mobilizing people, as it placed the subject firmly in
handling system, although there was no standardized the executives’ agenda. This was made evident with
structure and methodology. Demand for the structuring the inclusion of the subject in the Chief Executive
of a risk management system came from the holding Officer and Chief Financial Officer’s (leaders of the
company and majority shareholder. It was deter- implementation pro- cess) variable remuneration plan
mined that two subsidiaries were to develop a and with the definition of a specific action plan for the
common system that could, as a secondary goal, meet Financial Area within strategic planning. An interesting
point is that the interviewees did not consider as proposals item scored low on the inter- viewees’
relevant the use of a specialized consultancy firm to evaluation, although all the interviewees re-
support the implementation process. Previous ex- cognized the item as being a very important factor.
perience with the implementation of management The factor that generated the greatest difficulty,
systems was not considered a facilitating factor, according to the interviewees, was the executives’
although the firm had already implemented several relative lack of knowledge about risk assessment.
other systems (ISO9001, ISO14001, According to them, this difficulty was attenuated
OHSAS18001, MEG, SAP, among others). by a request for each exe- cutive to identify the
The answers did not suggest that any of the factors that made them “lose sleep”. Afterwards,
proposed factors had a significant impact on the the risks were detailed and analyzed.
implementation of the risk management system. 4.1.2 The current stage of the risk
In COMPANY A, the support of the leadership management system
was considered effective and as a result the
The process’ Governance is carried out by the Risk analysis exclusively cover the company and are not
Sub- Committee – the body responsible for risk extended to its supply chain. Risk management is
management. Since 2005, company A has used the associated with strategic planning. Risk identification
COSO methodology to deal with corporate risk. takes place at least once a year through the analysis of
This methodology includes a process of scenarios (external and internal environments) as part
identification, measurement, definition of responses, of one of the stages in the strategic planning cycle. There
and control of potential events that might have a negative are preventive plans to reduce or eliminate the
effect on the company and its strategies. The Risk Sub- identified risks, while more significant risks are
Committee is directly linked to the Strategy handled through a contingency plan drawn up in
Committee, which receives frequent reports about the accordance to the risk’s priority. Risk prioritization
progress made in risk identification, evaluation, and is determined in accordance with the factors
monitoring and about the materialization of described in Table 3.
previously identified risks. Risk identification and
Credit and market financial risks are a subgroup of SAP parameterization, including control of the degree
Corporate Risks covered by the COSO methodology of approval for certain operations (credit, refunds,
and monitored by the Risk Committee. Thus, payments, etc). Although the entire process of risk
financial risk management in COMPANY A is at a identification and analysis is considered a restricted
more mature stage than operating risk management. activity that is subject to the signing of a
The factor identified by the interviewees as less confidentiality agreement by the parties involved, the
developed is executive training. The risk management company has adopted the practice of disclosing its main
system’s most fragile spot is, according to the risks in its sustainability report.
interviewees, the auditing of internal controls employed
to manage identified risks. According to one of the 4.1.3 The impacts of risk management
interviews, this process occurs in several cases but its
results have not yet been reported to the Risk management culture in Company A is still under
subcommittee and therefore corrective action has not de- velopment. According to the interviewees, risk
been taken. Although the company uses credit manage- ment is still “confined” to the risk management
management (SAP) and market risk management Subcom- mittee and consequently, only a small number of
software, there is no indication of an operating risk executives have taken part in the full process - from
management system. The company adopts criteria for identification to the drawing up of contingency plans
risk control that are part of for certain risks.
Risk analysis is already part of the executives’ routine the main risks to which the company is subject are
and the biggest change brought by the adoption of also disclosed to the investment market.
the risk management system is the formalization of
the process and the creation of a single referential 4.2 COMPANY B
(classification, terminology, templates). The process
is quite effective for those involved in assessing 4.2.1. The implementation of risk
risks and in drawing up plans of action. According management
to the interviewees, there is not yet proactivity in
risk identification and assessment, as with few Risk management as a structured process dates back
exceptions these activities are undertaken upon to 2005, when the company started to comply with the
demand from the Subcommittee. An important Sarba- nes-Oxley Law following its listing on the New
determining factor for the introduction of this York Stock Exchange. At the time the process was led
culture was the implementation by the CEO of the by the Corpo- rate Governance area, which is directly
No Surprise Policy, which is frequently mentioned linked to the CEO. The Corporate Governance area
in his periodic statements to the company’s was created in 2002, with the initial purpose of
employees (which are called “A Chat with the adapting the company to the BOVESPA’s Novo
CEO”). The financial department also plans Mercado corporate governance level.
implementation and has established the need “to
perfect risk management”. A process was established whereby there is annual
evaluation of the controls for each of the accounts in
Among the benefits of organizational risk the company’s financial statements. The process
management, four were reported as being the most consists of identifying the interface areas and the
important: an increase in shareholders’ trust in the existing controls for each line in the financial
company; the prevention of events that could lead statement. Based on this there is a self-assessment of
to an interruption in the operations; an improvement the controls’ effectiveness, followed by a series of
in operating results; and better identification of field tests and verifications aimed at proving control
opportunities and threats. Shareholders’ trust was efficiency. The company has four main risk areas that
highlighted as a positive factor. In the case in point, are the object of more detailed analysis
this is also due to the No Surprise Policy between - in the form of pilot projects. The risk
the CEO and the Board of Directors, which is implementation project foresees the gradual
also supported by the risk management system. It inclusion of new risks combined with the
was also reported that risk management practices and maturing and internal consolidation of the
methodology. The adoption of a risk management factors, the same importance was granted to
system was not prompted by one factor alone. previous experience with a management system
Although it started with adjustments to the (the company has certifications from ISO9001,
Sarbanes-Oxley Law, it was also the result of a ISO14001, SA8000 and OHSAS 18001), to the
natural evolution of the organization’s existence of a team dedicated to
management system, which was expected to have a implementation and to the creation of a
positive impact on the organization’s results. multifunctional team. A factor considered to be of
great importance by the interviewee was the clear
The facilitating factor considered most relevant definition of roles during the drawing-up of the
was support from the organization’s leadership, implementation project. The main complicating
especially the CEO and Board of Directors. factors mentioned were a lack of understanding
This support was manifested through a frequent regarding risk assessment, and the long duration
(weekly) monitoring of risk management of the still-ongoing implementation as the plan
implementation and through the allocation of foresees a gradual inclusion of risks in the
resources, both in terms of staff (through the methodology’s scope. This tends to turn
creation of a department) and financial (approval of implementation into a very bureaucratic process,
a budget to hire a consultancy firm to help whose limited scope prevents actual benefits from
implementation). Still on the subject of facilitating becoming immediately apparent.
Risk management is implemented by the Risk acknowledge risks in the supply chain (upstream and
Management Department, which reports directly to downstream). The company has adopted the COSO
the CEO. The department has four analysts in methodology from September 2004 as a reference point
addition to its Chief Risk Officer. Effectively the office for the development of risk management. It includes
has a supporting role and is in charge of establishing an ERM model that considers strategic and operating
the rules and standardizing the organization’s risk aspects associated to risk management. This reference
management process. Identification of specific risks is point is also considered by risk taxonomy, which
done by the business areas under the Risk Management includes an additional category called regulatory risks
Department. given the importance of this issue for a company that
operates in a strongly regulated market.
In company B the unit for the analysis of risk identification
limits itself to the company itself and it does not If we consider the origins of the risk management
process in the organization (adjustment to the operating risks is more spread-out and dealt with by
Sarbanes-Oxley Law and the active management of several forums as part of the certified management
regulatory risks), then the identification and handling systems related to quality (ISO 9001), environment
of reporting (related to the reliability of the (ISO 14001), health and safety (OHSAS 18001) and
company’s reports) and compliance (compliance with social responsibility (SA 8000). The company’s 2007
legislation and applicable regulation) are more annual report contains the way in which some of its main
developed than the identification and handling of risks were handled, as summarized in Table 4.
strategic and operating risks. The identification of
SCOPE FACTOR
Risks related to the exchange rate and interest on other
liabilities
Exchange rate on financial liabilities
Interest rate
Financial Financial Covenants
Credit
Planning on the (...) Purchasing Market
Private pension plan
Environment
Operating Hydrologic risks
Irregular consumption
Information technology security
Regulatory -
Table 4 – COMPANY B’s main risks/ Source: Company B’s internal documentation.
Based on the risk management system’s level of for the bottom-up certification of controls related to
maturi- ty regarding risk quantification and handling compliance with the Sarbanes-Oxley Law. This system
and on the marks assigned by the interviewees, we includes a bottom-up approval process for control
concluded that the organization does not have a unified efficiency starting at the operating level and moving
risk handling and report system. The process is still up to the CEO and board of directors – both of which
under implementation and currently only some of the grant final approval based on information from the
risks are submitted to standardization (pilot- lower levels. Regarding risk communication, a
projects). As regards the use of technology and description of the organization’s main risks can be found
integration, the company has adopted a system for in its Annual Report. Disclosure of more detailed
the management of regulatory aspects and another information about risks and control strategies is
confidential and restricted to the company’s executives. US, as risk management is an attribution of the vice CEO
4.2.3. The impact of risk management responsible for the corporate management system. In
As regards culture and decision-making, the company Brazil the initia- tive to implement risk management is
has not developed a corporate culture for risk recent, starting in May 2008 with a workshop in the
management. According to the interviewee, the process industrial plant aimed at identifying the unit’s main
is still strongly linked to the strategic planning period risks. This company’s case is different from the others,
during which SWOT analyses are carried out for each as it shows risk assessment in one production unit
type of business. As risk management is still under belonging to a global corporation. For this reason, the
implementation, there have been no evident cultural local risks are identified and handled almost exclusively at
changes, as risk identification and handling have not the operating area. Financial and strategic risks are dealt
simultaneously occurred in all areas of the company. with on a corporate level and so are all the processes
In the case of the controls listed by the Sarbanes- related to the Sarbanes¬-Oxley Law.
Oxley Law’s certification process, there is already The facilitating factors considered most important for
more awareness about the need to identify potential the implementation of risk management were: support
risks during changes in procedures – a sign of from the leadership, training on how assess risks, and
increased maturity in the company’s culture. the ac- tions of the multifunctional team. The interviews
showed that employees from all areas took part in a
In the interviewee’s opinion the benefits obtained from workshop held with members from headquarters and
risk management are still limited, as shown by received ini- tial training. As regards the complicating
the current stage of implementation. Among the factors, the in- terviewee said that none of those listed
benefits proposed there is a perception of actually hindered implementation or risk assessment. As
improvement in the operating results prompted by a the initiative came from headquarters, it received the
reduction in losses and in interruptions. At this stage, prompt adhesion and mobilization of all parties
it is not yet possible to associate risk management involved.
implementation with lower payments to insurers or to
fundraising in the market, although the AA+ rating 4.3.2 The current stage of risk management
assigned by Austin will positively affect market
confidence in the company. In the unit analyzed the process was
coordinated by the plant’s Chief Projects Officer and
4.3 COMPANY C there is no formal support structure to support risk
4.3.1 The implementation of risk management identification. Assessment is carried out annually
Corporate risk management in Company C started in through workshops held for that purpose and
2006. The process was centrally coordinated in the attended by employees from various areas. There is a
risk management structure that reports directly to a by all.
vice-president and the corporate model uses the 4.3.3. The impact of risk management
COSO methodology. A principal focus in 2008 was
to assess risks that could lead to an interruption in Although risk management is still at an initial stage, as
production (Business Continuity Management) and only one full cycle has been completed in the plant that
the corporate guideline was for the creation of a is being analyzed, there is evidence that risk-related
structure involving key areas in the company. issues have started to be included in the executive and
middle-management agenda. This is due to the constant
Risk identification at the plant (operating focus) is monitoring of risk mitigation action plans and their
based on corporate methodology. The process starts inclusion as a theme of discussion in managerial meetings
with a standard list of events that the units classify in several areas of the company.
according to pertinence, severity and probability of
occurrence. An event to evaluate risks is held In the case of the evaluation of results obtained from risk
annually, with participation from several areas (IT, management, the principal implementation gains perceived
production, sales, supply, projects, etc). The main risks at the plant were improvements to opportunities, to
are classified and employees are appointed to threat identification and to corporate governance. When
draw up plans of action. asked about his perception of the corporate risk system,
the interviewee said improved investor confidence is
As the plant has no risk indicators, reports about imperceptible at plant level. There were no improvements
the monitoring of risk handling plans are presented regarding compliance with legal requirements or regarding
during the plant’s executive meetings. A budget for financial reports, as these obligations had been met prior
risk mitigation actions is established on an annual to the implementation of risk management.
basis and is also used as a basis for the executives’ 4.4. Comparative analysis and discussion
evaluation. Financial exposure to risks does not take
place at the plant, and there is no information In the three companies the implementation of risk
available about how this is done on a corporate management was prompted by demand from the
level. The analyzed plant has no risk management board of directors, usually in response to pressure for
system or portal and surveys are recorded on more transparency. The enactment of the Sarbanes-
spreadsheets using the corporation’s methodology. Oxley Law in 2002 in the US was evidently a major
The plant’s risk management leader does not have incentive for companies listed on the US market.
access to any corporate system and all risk handling
action plans are monitored by the group and the The three companies hold ISO 14001
actions’ progress and inter-relations can be viewed (Environmental Management Standards) and OHSAS
18001 (Occupational Health and Safety Management) environmental impact (ISO 14001) and health and
certification which require the identification of safety risks (OHSAS 18001). However, these
assessments are not part of the risk management of current risk management implementation, which
systems in any of the three companies. The is aimed at strategic and financial risks. Table 5
explanation given during the interviews was that risk summarizes empirical evidence common to all
assessment for these norms is very specific and three companies.
operations-oriented and therefore is not the focus
Table 5 – Summary of empirical evidence/ Source: Research results. Drawn up by the authors.
ORGANIZATIONAL TRANSFORMATION
REDEFINITION OF THE
BUSINESS SC#$E
DESIGNING OF BUSINESS
RE$%&U()%*+RY S(+GES NETWORKS
REDESIGNING OF THE
BUSINESS PROCESSES
INTERNAL
POTENTIAL BENEFITS
BENEFÍCIOS POTENCIAIS
Figure 1: Positioning of the cases in the transformation model proposed by Venkatraman (1994). Source:
REDEFINIÇÃO DO ESCOPO DE
Research results. NEGÓCIO
REDESENHO DOS
PROCESSOS DE NEGÓCIO
improvements, the companies might be more interested in
Based on figure 1 and the model proposed by Venkatra- legitimizing their processes and struc- tures than in
man (1994), analysis of the cases studied for this effectively improving their performances.
work suggests that companies A and B are more
aligned to the Internal Integration stage. In these Proposal 2: This proposal has been partially proven true.
two companies the efforts are mostly focused on risk The current state of risk management implementation in
consolidation and integration, although in both cases the companies has proved insufficient to have a signifi-
the processes were redesigned in accordance with cant effect on decision-making. Risk management remains
initial assessments. In cor- porate terms, company C strongly focused on the implementation team members
might be at a more advanced stage (transition to Stage and in some cases, on specific areas (Company A) or
4) as the firm, or more precisely its supply chain, is pilot-processes (Company B). The use of pilot-projects
more concerned with business networ- ks as shown in during implementation is recommended by the literature
the individual analysis of the case. Finally, it is on the subject (Enterprise Risk Management Framework,
important to highlight that the model aims towards 2007; KLEFFNER et al, 2003, COSO).
companies aligning their expectations and making more
conscious choices, as in practice they can end up at Proposal 3: This proposal was observed in all three com-
diffe- rent stages for each particular aspect. panies. In fact, operating risk management is at a lower
stage of development than for financial risk. All three
5. Conclusions companies are integrating operating risks to the financial
and strategic risks that had previously been handled. In
To guide the research we have made some initial pro-
posals based on the theoretical revision discussed herein
and in accordance with the empirical evidence.