Al di là delle Ande, e oltre

The risk control actions are directly associated with the effect of failures in risk management; however, the use of KM processes in risk control is not clear. Bowling and Rieger (2005) present a concept they call the “Journey to Enterprise Risk Management.”

In this concept, they identify how a financial institution is moving from a level of

compliance to a second level of control, whereby the organisation uses the most common practices of review of actions and decisions. From these points, there is a need to move ahead to get a better understanding of risk management processes and to achieve ERM. Through these searches ERM is expected to develop a common language and orientation to perform risk reviews linked to the strategic decisions.

However, the journey supposes a learning curve and knowledge accumulation, but the ERM frameworks do not say anything about the proper use of the knowledge. The steps to get ERM include moving from the traditional risk control actions to something that has a holistic view. Thus in this study, the first point to review is what is happening with risk control and the KM variables. Or better, to identify if risk control is positively associated with KM variables such as collaboration, knowledge sharing and better people interactions.

Moreover, Matyjewicz and D‟Arcangelo (2004) wrote referring to the value of using the Sarbanes–Oxley framework: “Senior executives learned the importance of establishing objectives, identifying risks that will prevent them from meeting those objectives and establishing controls that will mitigate those risks” and they said that an ERM solution can take two or three years to implement. From these points, the reflection is that the performance evaluation of the whole organisation takes into consideration risk as a factor that can change the results. This means a control of risk across the organisation might be a good enabler of the organisation‟s results.

From the interest of analysing and understanding risk control, a variable identified as perceived quality of risk control (qrc) was constructed. The items included for the variable construction are based on sections 2.2.3, 2.2.4 and the Abrams et al. (2007) main points.

These points look for the optimization of the application of the policies in the organisation and search for the reduction of duplication of efforts. The variable perceived quality of risk control (qrc) was constructed based on the following 5 items:

• The risk mitigation tools are an essential piece of risk control. The section 2.2.3 introduced the RM processes and in addition to that literature, Pritchard (2001) refers to risk mitigation as the actions that reduce probabilities and the impact of risk, and this can

involve many people. Crouhy et al. (2001) introduces the concept of risk monitoring as an essential way to manage limits of exposure and to make less severe the risk events. The risk monitoring needs to be performed by people who are not involved in the transactions and need the capacity to explain to management what is happening. In addition to these authors, Mun (2006) presents in his integrated risk analysis framework the concept of real options analysis which includes several people and areas across the organisation for developing solutions to mitigate risk threats according to the business environment.

However, it is not clear how people perceive the risk mitigation actions in risk control.

Thus, the item used was: the risk mitigation tools are good.

• The risk assessment process provides a means to measure and evaluate risk.

This means the generation of risk control based on measurement and quantitative analytics capacity (Abrams et al., 2007) is identified as a priority. This is a movement from only qualitative level analysis to the quantitative approach. However, risk assessment is a combination of activities that includes value coming from qualitative and quantitative analysis. These actions are performed by people, and the organisation needs capacity to execute these actions regarding risk control. Thus, Lelyveld and Shilder (2003) analyse the financial conglomerates and compared silo or aggregated approaches to assess risk across the whole financial group. They showed the need for the involvement of many people and actions that are complementary to one another; in particular, risk assessment as a piece of risk control that requires people actions.

However, the perception of the risk assessment process is not clear across the organisation. Therefore, the item used was: the risk assessment process is good.

• The risk transfer process is part of the protection for most of the assets. In terms of risk control, the traditional RM practise used to control risk transferring risk to insurance companies. Given the business of the financial institutions, many of their operations and products were not possible to insure and derivatives and other hedging strategies appeared. In terms of this research, it is valuable to identify the perception of risk transfer in a risk control activity. In particular, risk transfer includes equally the organisation‟s people as was identified by Pritchard (2001) saying that risk transference is an action that involves many stakeholders. The user, internal and external, of the services can be affected by risk transfer or, in terms of this research, possibly the

knowledge of risk management people can affect risk transfer and then risk control.

Then, the item used was: the risk transfer process is good.

• Risk control appears in the processes that the financial institutions already have.

However, financial institutions have grown their basis of products offered to the market, increasing the number of products and developing new ways to offer services to the market. Financial products include a new risk exposure for the organisation once the product is in the market. Its evaluation is a way to protect the enterprise portfolio and to improve a risk control in a new area of risk exposure.

Products are created in order to provide solutions of credit, operations or investment to the customers, and in each field the product has risk to be calculated and to be aware of in order to protect the financial organisation of adverse events that can affect its final results. After Basel II and others of the frameworks (Section 2.2) the organisations were aware and oriented to avoid failures in the product releases. For example, a risk control action has to be developed to manage operational risk such as Panjer (2006) included in his review about operational risk. Panjer (2006) suggests the need of reviewing, analysing product standards, systems support and business disruption. All these points are associated with risk control. Thus, financial service products are connected by operations and technology and the control of them is the basis of the presence of the organisation in the market. There is not clarity enough about the perception of the risk of the products; therefore, the item used was: the risk product evaluation is good.

• Finally, risk control is evolving into the holistic view of risk and requires capacity to aggregate the analysis and the management options to act. The risk aggregation analysis represents the review of clusters of risk and exposure accumulation. Regarding this, Slywotzky and Drzik (2005) summarized the concept of strategic risk by indicating as a main point, the review of all the pieces of risk exposure under the same framework and organisation orientation. Nevertheless, the perception of the risk aggregation process is not clear. Then, the item used was: the risk aggregation analysis is good.