ARM Tutorials
Week 1
How to review the seminar papers
- Read abstract
- Read introduction: now pause and reflect and try to get the ‘Big Picture’ of the paper
o Seek out research objectives / research questions
o Now have some idea of the paper’s contribution
- Read the discussion / conclusion: now you know the paper’s essence
- Review the theory used in the paper broadly
- Proceed to enter and slowly read the main body or story of the paper in the
findings/case analysis / case narrative
- Simplify the key concepts / theory used to explain the findings
- Aim for a broad overview
Qualitative research method
- Field / case studies our focus
Way of researching specific phenomenon, change, etc. Focus not on generalizing on large set
of data but understand in depth a single case or limited number of cases to understand
concept.
- In-depth interviews
o Experiences by people, perceptions, opinions, feelings, knowledge
o Data: verbatim quotations
- Observation
o Activities, behaviors, actions, conversations, interpersonal interactions
o Data: field notes
- Documents
Making ‘sense’ of processes as they unfold over time
- Answer ‘how’ and ‘why’ questions
- Provide insights into the framing of practice in context
- Depth of analysis versus breadth of analysis
- Sensitise academics to the realities of practitioners
- Aim for theoretical, not statistical generalization
Theory in qualitative research
- Role of ‘theory’ varies
o Contextualize, understand or explain phenomenon
- Provides a framework within which social phenomena can be understood and
research findings can be interpreted
Bryman
Important ‘tool-kit’ that you can draw upon as required to support your reading,
understanding and analysis of seminar and lecture papers.
Not going to be tested
,Spira & Page (2003)
Drawing on this paper, critically discuss the following statement:
“Risk is a fixed concept. Its fixed nature has ensured that internal control and risk
management have remained completely separate activities.”
Summary
- A conceptual, exploratory paper
- No new empirical insights, but claimed new insights
- Offers an analysis that frames our focus on accountability and risk management
- Seeks to explain: how internal control (and internal audit) came to be closely aligned
with risk management
Storyline of the paper
- Risk has become central to corporate governance
o CG: how a company is getting, who manages a company and for who’s
benefit, what are the rules etc following this interaction needed so that a
company can achieve its goal and objective
- Corporate governance has evolved to embrace a broader range of risks
- Risk is now managed through accountability mechanisms
o Internal control and audit: the company makes sure that the list with which
they might face are properly managed
- Internal control is now explicitly linked to risk management
- Notions of risk are liable to change and continually evolve
- The nature of risk and responses to risk continually evolve
- This is evident in the way that:
o Risk management has become closely aligned with internal control
Risk management as a form of accountability
- Form of accountability
o Part of the accountability process
o Aimed at demonstrating accountability
But:
- Focus is on blame avoidance as opposed to enhancing accountability
o When something goes bad in a company, the system has failed
- Previously, risk management was the focus of accountability
o Focus of internal control was to manage the risk in a company
o A response to risk through risk management systems
- Risk management is now part of the accountability process
o Internal controls are central to that process
This paper has no theory!
3 phases of historical development of risk
Pre-modern phase
- No risk management: risk is not manageable
, - Risk was associated with acts of God
o Misfortune that is beyond human influence
- Acceptance: make amends for ‘sin’ committed
- Blame placing
More modern type of societies:
- Risk concept:
o Risk became associated with unanticipated outcomes of human actions
o Techniques for prediction and calculation of risk evolved – risk was made
calculable (measurable)
- Risk concept:
o Focus on blame remained – but focus now on blame prevention or avoidance
A company has set in place some procedures if something goes
wrong, they blame the procedures, not the person
o Not as easy to blame external parties as risk now deemed avoidable
- Accountability for risk:
o Move from blame placing to offering compensation for risk avoidance and
protection (due to measurement) take somebody else to make sure that
risk does not happen to us (insurance company)
The ‘risk society’ phase
- Risk is now deemed manageable – risk management offers comfort
o Advances in science and technology offered risk protection but also created
new risks
o You have idea that can set system idea that offers comfort that risk will never
happen again
- Response to adverse consequences of risk:
o Blame the system not individuals given increasing complexity
o Paradox: currently we have all of this systems in place to manage risk,
(quantifiable, identifiable manageable) we have systems in place to prevent
that risk from occurring when risk system fails, we don’t have anybody to
blame, the only response is public relation types of responses ‘oh sorry’,
because they cannot do anything about it we know more about risk, but if
it occurs, the system is not helping us much
o Risk responses are planned in advance – as are PR responses
Ex: Facebook data leak nobody got the blame for it “it will never
happen again, we take measures, we are going to proceed the
criminal’
o Seek blame avoidance – protect individuals from blame for adverse
consequences
o Does not protect organizations from the consequences of risk
- Accountability through amending the system
o Risk management reduces accountability by hiding responsibility for adverse
consequences
When risk happens, we actually cannot do much about this.
, How internal controls became risk management
1980s and 1990s – major change in internal control of companies
1) Growth of information technology
a. ERP systems and real time processing
2) Changes in audit methods
a. Business risk approaches – reduced systems and detailed testing
3) Compliance with policies and procedures replaced with rhetoric of risk
a. Business risk approach: they are coming to a company saying, these areas are
the areas with highest amount of risk focus on these areas company
tends to focus those areas are okay and downgrade others
b. Upper organizational levels focused on risk deemed to be important
c. They don’t do question check of list is this issue important, yes or no? Yes
we check it, otherwise not
d. Managers were in charge of managing these risks
e. Rhetoric of risk: focus was not so much of making sure every single system
comply with rules and stuff they had in place. They don’t go and manually
check every single system they only check those areas which are
considered to be more risky for the company: in this approach you might miss
some of the risk you previously considered
How internal control became risk management
- Emergence of COSO (1992)
- Definition of internal control:
o Linked internal control with effectiveness:
o “A process, effected by an entity’s board of directors, management, and other
personnel designed to provide reasonable assurance regarding the
achievement of objectives in the following categories
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations”
o Internal control was mostly concerned with financial risk, but now they are
also concerned with making sure that a company achieves its goals (goals can
be compliance goals, operational goals, not only moneywise) expanding
what they meant by integral controls
- The concept of internal control has gradually evolved over time to also include risk
management: they became very hard to distinguish.
o Not only look at financials of organizations and see if they correctly recorded,
but to see if they have done all the necessary steps to achieve a goal, and to
prevent a risk from taking place
- The scope of internal control was broadened
- Reporting requirements became less stringent
- IC as RM = links to strategy formulation and IC as support for enterprise
o Now the purpose of IC is to make sure the organization achieves its goals,
therefore, they have to also address the risk that the organization does not
achieve those goals that is why it is now also linked to risk management
o But: does anyone now know exactly what the IC system is?!
Scope is bigger but saying less
Week 1
How to review the seminar papers
- Read abstract
- Read introduction: now pause and reflect and try to get the ‘Big Picture’ of the paper
o Seek out research objectives / research questions
o Now have some idea of the paper’s contribution
- Read the discussion / conclusion: now you know the paper’s essence
- Review the theory used in the paper broadly
- Proceed to enter and slowly read the main body or story of the paper in the
findings/case analysis / case narrative
- Simplify the key concepts / theory used to explain the findings
- Aim for a broad overview
Qualitative research method
- Field / case studies our focus
Way of researching specific phenomenon, change, etc. Focus not on generalizing on large set
of data but understand in depth a single case or limited number of cases to understand
concept.
- In-depth interviews
o Experiences by people, perceptions, opinions, feelings, knowledge
o Data: verbatim quotations
- Observation
o Activities, behaviors, actions, conversations, interpersonal interactions
o Data: field notes
- Documents
Making ‘sense’ of processes as they unfold over time
- Answer ‘how’ and ‘why’ questions
- Provide insights into the framing of practice in context
- Depth of analysis versus breadth of analysis
- Sensitise academics to the realities of practitioners
- Aim for theoretical, not statistical generalization
Theory in qualitative research
- Role of ‘theory’ varies
o Contextualize, understand or explain phenomenon
- Provides a framework within which social phenomena can be understood and
research findings can be interpreted
Bryman
Important ‘tool-kit’ that you can draw upon as required to support your reading,
understanding and analysis of seminar and lecture papers.
Not going to be tested
,Spira & Page (2003)
Drawing on this paper, critically discuss the following statement:
“Risk is a fixed concept. Its fixed nature has ensured that internal control and risk
management have remained completely separate activities.”
Summary
- A conceptual, exploratory paper
- No new empirical insights, but claimed new insights
- Offers an analysis that frames our focus on accountability and risk management
- Seeks to explain: how internal control (and internal audit) came to be closely aligned
with risk management
Storyline of the paper
- Risk has become central to corporate governance
o CG: how a company is getting, who manages a company and for who’s
benefit, what are the rules etc following this interaction needed so that a
company can achieve its goal and objective
- Corporate governance has evolved to embrace a broader range of risks
- Risk is now managed through accountability mechanisms
o Internal control and audit: the company makes sure that the list with which
they might face are properly managed
- Internal control is now explicitly linked to risk management
- Notions of risk are liable to change and continually evolve
- The nature of risk and responses to risk continually evolve
- This is evident in the way that:
o Risk management has become closely aligned with internal control
Risk management as a form of accountability
- Form of accountability
o Part of the accountability process
o Aimed at demonstrating accountability
But:
- Focus is on blame avoidance as opposed to enhancing accountability
o When something goes bad in a company, the system has failed
- Previously, risk management was the focus of accountability
o Focus of internal control was to manage the risk in a company
o A response to risk through risk management systems
- Risk management is now part of the accountability process
o Internal controls are central to that process
This paper has no theory!
3 phases of historical development of risk
Pre-modern phase
- No risk management: risk is not manageable
, - Risk was associated with acts of God
o Misfortune that is beyond human influence
- Acceptance: make amends for ‘sin’ committed
- Blame placing
More modern type of societies:
- Risk concept:
o Risk became associated with unanticipated outcomes of human actions
o Techniques for prediction and calculation of risk evolved – risk was made
calculable (measurable)
- Risk concept:
o Focus on blame remained – but focus now on blame prevention or avoidance
A company has set in place some procedures if something goes
wrong, they blame the procedures, not the person
o Not as easy to blame external parties as risk now deemed avoidable
- Accountability for risk:
o Move from blame placing to offering compensation for risk avoidance and
protection (due to measurement) take somebody else to make sure that
risk does not happen to us (insurance company)
The ‘risk society’ phase
- Risk is now deemed manageable – risk management offers comfort
o Advances in science and technology offered risk protection but also created
new risks
o You have idea that can set system idea that offers comfort that risk will never
happen again
- Response to adverse consequences of risk:
o Blame the system not individuals given increasing complexity
o Paradox: currently we have all of this systems in place to manage risk,
(quantifiable, identifiable manageable) we have systems in place to prevent
that risk from occurring when risk system fails, we don’t have anybody to
blame, the only response is public relation types of responses ‘oh sorry’,
because they cannot do anything about it we know more about risk, but if
it occurs, the system is not helping us much
o Risk responses are planned in advance – as are PR responses
Ex: Facebook data leak nobody got the blame for it “it will never
happen again, we take measures, we are going to proceed the
criminal’
o Seek blame avoidance – protect individuals from blame for adverse
consequences
o Does not protect organizations from the consequences of risk
- Accountability through amending the system
o Risk management reduces accountability by hiding responsibility for adverse
consequences
When risk happens, we actually cannot do much about this.
, How internal controls became risk management
1980s and 1990s – major change in internal control of companies
1) Growth of information technology
a. ERP systems and real time processing
2) Changes in audit methods
a. Business risk approaches – reduced systems and detailed testing
3) Compliance with policies and procedures replaced with rhetoric of risk
a. Business risk approach: they are coming to a company saying, these areas are
the areas with highest amount of risk focus on these areas company
tends to focus those areas are okay and downgrade others
b. Upper organizational levels focused on risk deemed to be important
c. They don’t do question check of list is this issue important, yes or no? Yes
we check it, otherwise not
d. Managers were in charge of managing these risks
e. Rhetoric of risk: focus was not so much of making sure every single system
comply with rules and stuff they had in place. They don’t go and manually
check every single system they only check those areas which are
considered to be more risky for the company: in this approach you might miss
some of the risk you previously considered
How internal control became risk management
- Emergence of COSO (1992)
- Definition of internal control:
o Linked internal control with effectiveness:
o “A process, effected by an entity’s board of directors, management, and other
personnel designed to provide reasonable assurance regarding the
achievement of objectives in the following categories
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations”
o Internal control was mostly concerned with financial risk, but now they are
also concerned with making sure that a company achieves its goals (goals can
be compliance goals, operational goals, not only moneywise) expanding
what they meant by integral controls
- The concept of internal control has gradually evolved over time to also include risk
management: they became very hard to distinguish.
o Not only look at financials of organizations and see if they correctly recorded,
but to see if they have done all the necessary steps to achieve a goal, and to
prevent a risk from taking place
- The scope of internal control was broadened
- Reporting requirements became less stringent
- IC as RM = links to strategy formulation and IC as support for enterprise
o Now the purpose of IC is to make sure the organization achieves its goals,
therefore, they have to also address the risk that the organization does not
achieve those goals that is why it is now also linked to risk management
o But: does anyone now know exactly what the IC system is?!
Scope is bigger but saying less
