Corporate Governance: The international journal of business in society

Strategic risk: am I doing ok?

Terry Kendrick,
Article information:
To cite this document:
Terry Kendrick, (2004) "Strategic risk: am I doing ok?", Corporate Governance: The international journal of business in society, Vol. 4
Issue: 4, pp.69-77, https://doi.org/10.1108/14720700410558899
Permanent link to this document:
https://doi.org/10.1108/14720700410558899
Downloaded on: 10 November 2017, At: 19:47 (PT)
References: this document contains references to 57 other documents.
To copy this document: permissions@emeraldinsight.com
The fulltext of this document has been downloaded 2963 times since 2006*
Users who downloaded this article also downloaded:
Downloaded by UNIVERSITY OF INDONESIA At 19:47 10 November 2017 (PT)

(2015),"A leaders guide to strategic risk management", Strategy &amp; Leadership, Vol. 43 Iss 1 pp. 26-35 <a href="https://
doi.org/10.1108/SL-11-2014-0082">https://doi.org/10.1108/SL-11-2014-0082</a>
(2014),"An art and science approach to strategic risk management", Strategic Direction, Vol. 30 Iss 4 pp. 28-30 <a href="https://
doi.org/10.1108/SD-04-2014-0056">https://doi.org/10.1108/SD-04-2014-0056</a>

Access to this document was granted through an Emerald subscription provided by emerald-srm:602779 []
For Authors
If you would like to write for this, or any other Emerald publication, then please use our Emerald for Authors service information about
how to choose which publication to write for and submission guidelines are available for all. Please visit www.emeraldinsight.com/
authors for more information.
About Emerald www.emeraldinsight.com
Emerald is a global publisher linking research and practice to the benefit of society. The company manages a portfolio of more than
290 journals and over 2,350 books and book series volumes, as well as providing an extensive range of online products and additional
customer resources and services.
Emerald is both COUNTER 4 and TRANSFER compliant. The organization is a partner of the Committee on Publication Ethics (COPE)
and also works with Portico and the LOCKSS initiative for digital archive preservation.

*Related content and download information correct at time of download.

 Strategic risk: am I doing ok?
Terry Kendrick
Downloaded by UNIVERSITY OF INDONESIA At 19:47 10 November 2017 (PT)
Terry is currently undertaking PhD
studies at the University of East
Anglia in the application of risk
management tools and techniques
to strategic marketing planning. In
addition he is a strategic planning
and strategic marketing planning
consultant having undertaken
projects for over 50 large
organizations in 17 different
countries.
DOI 10.1108/14720700410558899
Abstract This article outlines a practical set of four challenges to senior management who wish
to quickly self assess the ``tness'' of their organization to manage risk. These four challenges
arise from the business and project risk environment in the context of organizational and
personal attitudes to risk: Do we understand the shareholder value risks of our strategy choices?
Do we understand the risks that our structure and processes pose for implementation of
chosen strategies? Is the risk appetite of the organization consistent with the risk appetite of our
staff? Are we condent that our staff are effective and efcient in reacting to, and dealing with,
risk? The four challenges offered in this paper will enable senior managers to broadly self-
assess an organization's ability to manage risk as both a value-creating opportunity as well as a
value-protecting activity.
Keywords Risk management, Corporate governance, Uncertainty management
T
his paper offers a simple challenge for those keen to broadly check their current
awareness of, and response to, strategic risk. Reection on how risk issues impact
on the creation or destruction of shareholder value is implicit in effective corporate
governance.
Good risk management has also been shown to have signicant effects, not just on corporate
governance compliance, but also on the perceived success of projects within organizations
(Elkington and Smallman, 2002) including key sources of future shareholder value such as new
product development (Di Benedetto, 1999). It is, therefore, useful to have a broad checklist to
identify the strategic response to risk at an enterprise level from which to diagnose key risk
management areas for immediate attention.
After outlining the importance of risk management in protecting and developing shareholder
value I offer four key challenges to self assess risk-awareness and risk-response. These four key
challenges are based upon the risk attitude of an organization and its people, and the risk
environment both external and in terms of the internal processes of effective management.
Having posed these four challenges I then discuss some of the key issues within them.
Satisfactory responses to these four key challenges will enable the board and senior managers
to focus their attention on appropriate key areas of practical and tactical risk management in
pursuit of not simply compliance, but also, importantly, the protection and development of
shareholder value.
VOL. 4 NO. 4 2004, pp. 69-77, Emerald Group Publishing Limited, ISSN 1472-0701
| CORPORATE GOVERNANCE
| PAGE 69
 Where self assessment reveals a broadly unsatisfactory response this will be a clear indication
of an area for more detailed assessment. Best practice risk management is much wider than
simple nancial or operational risk and these four challenges take account of the wider context
for risk. Phrases such as ``strategic risk management,'' ``integrated risk management'' and
``enterprise risk management'' (Kleffner et al., 2003; Liebenberg and Hoyt, 2003; Meulbroek,
2002) now describe the wider application of such thinking, tools and techniques.

Risk and shareholder value

Risk and its management have always been implicit in good business practice. Corporate
governance, globalization, making strategic alliances work, increasingly competitive markets
requiring more risk to be taken to win business, political unrest and terrorism are some of many
risk factors in the business environment. Uncertainty, ambiguity and risk are everywhere.
When considering business risk we are looking at, amongst others:
J business risk (risks in the business environment that could stop corporate objectives being
met);
J nancial risks (risks to the ability of our initiatives to deliver prot);
Downloaded by UNIVERSITY OF INDONESIA At 19:47 10 November 2017 (PT)

J project and operational risk (risks in the implementation of strategy);

J reputation risks (risks to our reputation which may follow from our activities); and
J compliance risks (risks of non-compliance with good corporate governance practices,
legislation and regulations).

The traditional approach to protecting and developing shareholder value has been based
upon nancial risk as dened by economic theory. However, in recent times, a wider view of risk
has recognized that economic models of risk and shareholder value need to be moderated
by less probabilistic, but nonetheless impactful, factors such as reputation. Other factors
which inuence risk and shareholder value include: industry characteristics, characteristics of
the organization's decision makers, the process of achieving the organization's goals and the
organization's resource base (Palmer and Wiseman, 1999).

The project risk and operational risk dimension is, arguably, as important as more general
business risk. Once the board and senior management team make a decision on strategy they
must take some responsibility for convincing the shareholders not just that it is a good idea, but
that it will happen. In other words, the project and operational risks must be understood and
addressed.

A model to assess the quality of strategic response to risk

Given that risk management can contribute to the protection and development of shareholder
value, how can an organization tell if it is asking the right questions about its strategic response
to risk?
There are well established stages to a risk management process essentially: risk identication;
risk analysis, estimation, evaluation; risk response, risk monitoring: risk reporting and com-
munication (see e.g. Baird and Thomas, 1985; Bandyopadhyay et al., 1999; Boehm, 1991; Eloff
et al., 1993; Epich and Persson, 1994; Fairley, 1994; Lightle and Sprohge, 1992; Loch et al.,
1992; Rainer et al., 1991; Tummala and Leung, 1999; Vitale, 1986).
However, what are the underlying key strategic questions an organization must ask itself if it is
to not just manage risk well on a day to day basis but also have a conceptual understanding of
the risk background and its current management competence in these areas?

Two key dimensions to understanding risk in an organization

There are two key dimensions to the strategic understanding of risk within an organization. On
the one hand there is the issue of understanding the organizational and personal attitudes to risk

PAGE 70
| CORPORATE GOVERNANCE
| VOL. 4 NO. 4 2004
 which will provide an ``attitude and behavior'' dimension while, on the other hand, there are the
business risk and project risk issues which will provide an ``external and internal environment''
dimension.
Combining these two dimensions will reveal four very important strategic challenges which,
when accepted and satisfactorily met, will give an indication of how well a company is aware of
real risk issues and the quality of its responses to those risks. The answers to these challenges
will inform the subsequent development of an existing, or new, practical risk management
process. Experience suggests that many companies have introduced an off-the-shelf risk
management process without subjecting themselves to such strategic challenges.
It is clear that risk is a very complex subject both from attitudinal and environmental dimensions.
(Mukherji and Wright, 2002; Palmer and Wiseman, 1999). However, the board cannot wait for
the concepts of risk and its management to be fully disentangled and totally understood before
making its response to risk (Figure 1).

Challenge 1: Do we understand the shareholder value risks of our strategy choices?

The rst challenge is based upon the organizational attitude to risk in the context of the general
business risk environment. Is prot to be made from low risk or high risk ventures? Is our chosen
Downloaded by UNIVERSITY OF INDONESIA At 19:47 10 November 2017 (PT)

approach, or portfolio of approaches, consistent with the reality of the market? Will shareholder
value be developed or destroyed?
Our business choices are likely to increase or decrease shareholder value, so risk managing
those choices is very important to protect the expected value and to deect or out maneuver
the inevitable uncertainties, ambiguities and risks which will occur as the business plan rolls out.
In the past, companies have tried to organize in such a way as to buffer themselves from
uncertainty, but modern thinking suggests that uncertainty is the norm, should be expected and
managed accordingly with new forms of organization (Child and McGrath, 2001).
Risk management is not an option. It naturally occurs as part of the strategic planning process
(e.g. in more advanced applications of SWOT and PEST analyses) so the question is not
whether or not it occurs, but how well it is understood and undertaken.

Figure 1 Four challenges to strategic risk management thinking in an organization

Attitude and Behaviour

Organisational Personal
attitude to risk attitude to risk

Challenge 1 Challenge 3
External and Internal Environment

Do we understand the Is the risk appetite of

Business risk
shareholder value the organisation
environment
risks of our strategy consistent with the risk
choices? appetite of our staff?

Challenge 2 Challenge 4
Project risk Do we understand the
Are we confident that
environment risks that our structure
our staff are effective
and processes pose
and efficient in reacting
for implementation of
to and dealing with risks
chosen strategies?

VOL. 4 NO. 4 2004

| CORPORATE GOVERNANCE
| PAGE 71
 Strategic planning will often explicitly, or implicitly, use well established models for product-
market strategies (Ansoff, 1957) and implicit risk management of the competitive arena (Porter,
1980). Particularly important here are risks associated with choice of product and market
combinations in which to compete: clearly a market penetration strategy is potentially less risky
than a diversication strategy provided that there is still a market to penetrate. Competitive
response will be moderated by the relative impact of buyer power, supplier power, new players,
new approaches to meeting the values provided by the market area, and the general push and
shove of the usual suspects in the marketplace.

Customer portfolio issues are also important in the process of achieving marketing objectives
(Bloemer et al., 2003). The most appropriate customer protability measure (though still with
aws) approach is economic value (Ryals, 2002). This is clearly a risk and return equation. The
higher the risk (volatility) associated with a customer the higher return required by the company
to create value for its shareholders. There is a need to manage the risk of the overall customer
portfolio as well as the returns. One marketing strategy would be to aim to reduce the risk of
customers, particularly those who earn less than the cost of capital. Another would be to identify
low risk customers who are value creating rather than value destroying. Customer risks can be
either the risk of losing the customer or the risk of making losses on the relationship.
Downloaded by UNIVERSITY OF INDONESIA At 19:47 10 November 2017 (PT)

Branding is a high prole risk area at present. A failed brand extension, for instance, can
undermine the customer's relationship with the whole brand not just the extension (Piercy,
2002). Recent negative experiences for Royal Mail (formerly Consignia) and British Airways
(change of logo) emphasize the risks of branding strategy.

In recent years we have witnessed reputations (for example WorldCom and Enron) falling
overnight. Risk to reputation is high on the agenda of both organizations (Webley, 2003) and
researchers (Banks et al., 2002).

Good ethical practice is one of a company's greatest assets, if not, indeed, its greatest asset
(Francis and Armstrong, 2003). Reputation also sometimes suffers from the rhetoric-reality gap
(Waddock and Smith, 2000). One of our greatest challenges is to manage ethics and rhetoric,
sometimes in combination.

It is clear that there are a number of sources of risk to reputation. For instance, there are a
number of threats from stakeholder groups that pose risks to reputation: from customers (the
threat of misunderstanding); from investors (the threat to value); from partners (the threat of
defection); from regulators (the threat of legal action); from activists (the threat of boycott); from
the community (the threat of illegitimacy); from the media (the threat of exposure) (Fombrun
et al., 2000).

As well as the wide set of legal risks associated with corporate governance and employee
law, business is potentially in conict with a whole range of regulatory and public policy issues.
Recent issues include potential conicts between ecommerce and antitrust (Foer, 2001) and
issues for public policy in Internet marketing business models (Stewart and Zhao, 2000). As a
further example, the wider area of marketing and public policy is of current interest with perhaps
ten areas for research activity: warning messages, risk perception, children, disadvantaged
consumers, media inuence, privacy, impact of laws and regulations on international com-
petition, advertising deception, corporate decision making and social marketing (Mazis, 1997).

Traditionally, risk has been associated with hazard or threat: dictionary denitions still uphold
this approach. However, modern risk management is moving towards recognizing that
risky choices are as much about increasing shareholder value as they are about protecting
such value. There is often the opportunity to make risk responses which recognize inherent
opportunities as well as inherent threats. Taking four generic strategies in response to risk
we can have upside as well as downside responses: while considering avoiding risk we should
be looking to exploit risk; while seeking to transfer risk look for opportunities to share risk;
mitigation may, in certain circumstances, be replaced by enhancement: and acceptance in the
baseline may be replaced, in certain circumstances, by simply ignoring the risk in the baseline
(Hillson, 1999; Hillson, 2001).

PAGE 72
| CORPORATE GOVERNANCE
| VOL. 4 NO. 4 2004
 The important practical implication here for managing risk within the business is to challenge
whether chosen strategies are effective given the risk prole of the marketplaces. Have we
managed risks to protect shareholder value and exploited those risks which offer potential
development of such value?

Challenge 2: Do we understand the risks that our structure and processes pose for
implementation of chosen strategies?
We may understand the strategic risk to shareholder value of our business choices but a new
challenge immediately arises. Is our approach to strategy implementation likely to support our
strategic risk-aware choices, or will it adversely affect value creation and protection by the
business? Hence, the second challenge is based upon the ability of the project risk environment
to implement, support and complement the organizational attitude to risk.
Intuitively, the achievement of objectives will not stand or fall on one risk factor. Superb risk
management in new product choices for instance will not be sufcient to ensure overall
marketing success. It will, in this instance, be necessary to have diverse project risk manage-
ment skills in place (Lewis et al., 2002) to ensure full and effective implementation of new
product decisions. In addition, the structure and process of the organization should facilitate
Downloaded by UNIVERSITY OF INDONESIA At 19:47 10 November 2017 (PT)

interdependencies between marketing and manufacturing, R&D, physical distribution and after
sales service (Hutt and Speth, 1984).
Two alternative strategic approaches to dealing with turbulence are proposed (Bettis and Hitt,
1995): robustness (designing organizations to make performance immune to uncontrollable
environmental uctuations) and exibility (the ability to rapidly sense the change in the environ-
ment, conceptualize a response to that change and recongure resources to execute that
change). Other researchers offer related concepts robustness and governability (Floricel and
Miller, 2001).
A number of risk management maturity models exist. Such matrices suggest processes which,
if followed, are likely to result in specic degrees of risk management maturity. INCOSE (2002),
for instance, presents ve attributes (denition, culture, process, experience, application) which
can exhibit four levels of maturity (ad hoc, initial, repeatable, managed). Seven criteria have
been identied for effective application of risk management tools and techniques: appropriate
level of response, affordable, actionable, achievable, assessed, agreed, allocated and accepted
(Hillson, 1999).
The important practical implication here for managing risk within the business is that
organizational structures and processes are key to effective risk response.

Challenge 3: Is the risk appetite of our business consistent with the risk appetite of
our staff?
The third challenge is to reect upon the risk attitude of the organization in its environment and
whether this is reected in the risk attitudes of its staff. A poor match will result in confusion at
best and destructive tensions accompanied by high levels of stress at worst.
Risk appetite is not a static concept within individuals. Risk will be perceived as either positive
or negative depending upon the circumstances of the decision to be taken. Relationship to a
strategic reference point SRP (Shoham and Fiegenbaum, 2002) will have resonance for the
organization, while individual staff will have their own internal SRPs.
The propensity of managers to take risk and the importance of cultural approval is well studied
in the literature (MacCrimmon and Wehrung, 1990; March and Shapira, 1987). However, again,
although these are important factors they are by no means the only factors and it is perhaps
over simplistic to describe managers as risk takers or risk averters.
Both gender (Blais and Weber, 2001) and ethnicity (Palmer et al., 2001) have been found
to inuence risk perception and decision making under risk. Other factors to include in any
analysis of managerial risk taking include framing (Tversky and Kahneman, 1981), mood factors
(Wright and Bower, 1992), dispersion of effects (Gioffre et al., 1992), and moral and ethical

VOL. 4 NO. 4 2004

| CORPORATE GOVERNANCE
| PAGE 73
 considerations based on heightened or reduced risk perceptions in consequential and non-
consequential evaluations of outcomes (Cherry and Fraedrich, 2002).
The experience of a previous risk situation and decision can be a particularly important factor
in an individual's perception of, and response to, risk (Osborn and Jackson, 1988; Thaler and
Johnson, 1990). ``While an expert mountaineer might see a certain climb as a relatively low-risk
proposition, an inexperienced person might consider it risky indeed'' (Morgan and Rao, 2000).
Risk propensity or perception needs to be understood in a wide context with multiple measures
(West and Shelton, 1998) taking account of the differences between organizational and
individual risk attitudes and behaviors (Wehrung et al., 1984).
To take an example: the risk appetite of the sales force in the context of the risk appetite of the
business. Given that, as noted above, personality is an input into personal risk attitude but only
an input, what messages are we giving to our sales team and are these consistent with the
amount of risk the business needs to take to stem losses and achieve gains in the quest to meet
or exceed strategic reference points?
There are potentially two conicting strategic reference points here. The organization, for
example, may have a benchmark reference point which requires the acquisition of large new
customers (``high risk'' in a sales representative's mind) to be able to achieve, or at least move
Downloaded by UNIVERSITY OF INDONESIA At 19:47 10 November 2017 (PT)

signicantly towards, the reference point. In such circumstances it is really important to ensure
that the sales culture reects this and that sales representatives are encouraged, enabled, and
empowered to undertake the long term customer development rather than simply focus on a
few quick wins.

The important practical implication here for managing risk within the business is that by
reecting upon this challenge there is the opportunity to ensure a consistent risk culture and
avoid destructive clashes between the risk appetite of the organization and its employees.
Furthermore, it is clear that risk appetite is extremely complex and context dependent.
Typecasting individuals as risk averse or risk seeking is very dangerous.

Challenge 4: Are we condent that our staff are effective and efcient in reacting to
and dealing with risks?
Understanding risk is important but responding to it is critical. We may have structure and
processes designed to identify, analyze, evaluate, respond to and monitor risk but are our
people willing and able to meet the challenges this brings? This is the fourth challenge.
Managerial decisions on allocation of resources are grounded in possible outcomes, likelihood
of each of these outcomes, and ambiguity in these payoffs and probabilities (Ho et al., 2002;
Kahn and Sarin, 1988). However, when making important decisions, managers rarely use
formal risk analysis (Jablonowoski, 2000). Risk management is often ad hoc dependent upon
the particular skills, experience and risk orientation of individual managers (Tah and Carr, 2000).
Furthermore, corporate risk strategy varies across an organization (Noy and Ellis, 2003) with the
consequence that an integrated approach to risk will need a watching brief company wide.
An important consideration for organizations is how risk is to be dealt with by staff. Do they need
a set of competencies or simply an awareness? Who needs what? Clearly, where the move to
enterprise wide risk management has begun the establishment of a chief risk ofcer is often
appropriate. Such risk managers will need to combine technical and analytical excellence with
an understanding of how risk measures relate to strategic and tactical business choices and
decisions.
The important practical implication here for managing risk within the business is the need to
ensure that even if we:
J understand the shareholder value implications of the risks we face (challenge one);
J have procedures to manage risk in our processes and structures (challenge two); and

PAGE 74
| CORPORATE GOVERNANCE
| VOL. 4 NO. 4 2004
 J have articulated our organizational risk attitude and set in place exible risk-aware expectations
of our staff (challenge three)
then we must complete the risk management challenge by ensuring that staff are trained to
understand the concept of risk and its implications for the organization. Where appropriate, staff
should be trained for competence in risk management tools and techniques.

Conclusions and discussion

Risk is complex, but is at the heart of the creation or destruction of shareholder value. An
organization cannot wait for risk to be fully understood before attempting to manage risks. This
paper offers four broad challenges to enable an organization to self-assess risk awareness and
response at a strategic level.
Risk management maturity models exist to benchmark performance against a broad com-
petency scale. These do not explicitly outline the strategic challenges for those eager to identify
how well they are doing. Such maturity models are often process based and, while useful, do
not fully take into account the psychological aspects of good risk management.
In this paper I have outlined four challenges based on environmental and attitudinal dimensions
Downloaded by UNIVERSITY OF INDONESIA At 19:47 10 November 2017 (PT)

of risk in organizations. Personal consultancy experience suggests that there are instances of
organizations buying in proprietary risk management products, which allow apparent com-
pliance with corporate governance requirements, but which do not strongly inuence the day to
day risk awareness, mitigation and exploitation of risk.
Such an approach to risk is at the same time both a potential waste of effort and positively
dangerous. In addition to adding cost for little benet over compliance, such an approach can
offer a chimera of risk awareness and management with the subsequent potential for over-
condence and negative surprises.
While nasty shocks cannot be completely avoided, for there are indeed some truly random
events, it is evident that in many instances it is possible to isolate a set of damaging risks which,
should they materialize, may derail the achievement of business objectives and compliance with
corporate governance imperatives. Most importantly, an alert approach to risk management
will nd opportunity in many of the risks which may initially appear to be negative. The four
challenges offered in this paper will enable senior managers to broadly assess an organization's
ability to manage risk, as both a value-creating opportunity, as well as a value-protecting activity.

References
Ansoff, H.I. (1957), ``Strategies for diversication'', Harvard Business Review, Vol. 35 No. 5, pp. 113-24.
Baird, I.S. and Thomas, H. (1985), ``Towards a contingency model of strategic risk taking``, Academy of
Management Review, Vol. 10 No. 2, pp. 230-43.
Bandyopadhyay, K. et al. (1999), ``A framework for integrated risk management in information technology'',
Management Decision, Vol. 37 No. 5, pp. 437-44.
Banks, D.T. et al. (2002), ``Reputation in marketing channels: repeated-transactions bargaining with two
sided uncertainty'', Marketing Science, Vol. 21 No. 3, pp. 251-72.
Bettis, R.A. and Hitt, M.A. (1995), ``The new competitive landscape'', Strategic Management Journal,
Vol. 16, Special issue, pp. 7-19.
Blais, A.-R. and Weber, E.U. (2001), ``Domain-specicity and gender differences in decision making'', Risk
Decision and Policy, Vol. 6 No. 1, pp. 47-69.
Bloemer, J.M.M. et al. (2003), ``Comparing complete and partial classication for identifying customers at
risk'', International Journal of Research in Marketing, Vol. 20 No. 2, pp. 117-31.
Boehm, B.W. (1991), ``Software risk management: principles and practices'', IEEE Software, Vol. 8,
pp. 32-41.
Cherry, J. and Fraedrich, J. (2002), ``Perceived risk, moral philosophy and marketing ethics: mediating
inuences on sales managers' ethical decision making'', Journal of Business Research, Vol. 55 No. 12,
pp. 951-62.

VOL. 4 NO. 4 2004

| CORPORATE GOVERNANCE
| PAGE 75
 Child, J. and McGrath, R.G. (2001), ``Organizations unfettered: organizational form in an information-
intensive economy'', Academy of Management Journal, Vol. 44 No. 6, pp. 1135-48.
Di Benedetto, C.A. (1999), ``Identifying the key success factors in new product launch'', Journal of Product
Innovation Management, Vol. 16 No. 6, pp. 530-44.
Elkington, P. and Smallman, P. (2002), ``Managing project risks: a case study from the utilities sector'',
International Journal of Project Management, Vol. 20 No. 1, pp. 49-57.
Eloff, J.H.P. et al. (1993), ``A comparative framework for risk analysis methods'', Computers and Security,
Vol. 12 No. 6, pp. 597-603.
Epich, R. and Persson, J. (1994), ``A re drill for business'', Information Strategy: the Executive's Journal,
pp. 44-7.
Fairley, R. (1994), ``Risk management for software projects'', IEEE Software, pp. 57-67.
Floricel, S. and Miller, R. (2001), ``Strategizing for anticipated risks and turbulence in large-scale engineering
projects'', International Journal of Project Management, Vol.19 No. 8, pp. 445-55.
Foer, A.A. (2001), ``E-commerce meets antitrust: a primer'', Journal of Public Policy and Marketing, Vol. 20
No. 1, pp. 51-63.
Fombrun, C.J. et al. (2000), ``Opportunity platforms and safety nets: corporate citizenship and reputational
Downloaded by UNIVERSITY OF INDONESIA At 19:47 10 November 2017 (PT)

risk'', Business and Society Review, Vol. 105 No. 1, pp. 85-106.
Francis, R. and Armstrong, A. (2003), ``Ethics as a risk management strategy: the Australian experience'',
Journal of Business Ethics, Vol. 45 No. 4, pp. 375-85.
Gioffre, K. et al. (1992), ``The effects of decision outcome dispersion upon organizational decision-making'',
Psychological Record, Vol. 42 No. 3, pp. 427-36.
Hillson, D. (1999), ``Developing effective risk responses,`` PMI, Philadelphia, PA.
Hillson, D. (2001), ``Effective strategies for exploiting opportunties,`` PMI, Nashville TN.
Ho, J.L.Y. et al. (2002), ``Effects of outcomes and probabilistic ambiguity on managerial choices'', Journal of
Risk and Uncertainty, Vol. 24 No. 1, pp. 47-74.
Hutt, M.D. and Speth, T.W. (1984), ``The marketing strategy centre: diagnosing the industrial marketer's
interdisciplinary role'', Journal of Marketing, Vol. 48 No. 4, pp. 53-61.
Jablonowoski, M. (2000), ``Why risk analyses fail'', CPCU Journal, Vol. 53 No. 4, pp. 223-30.
Kahn, B.E. and Sarin, R.K. (1988), ``Modeling ambiguity in decisions under uncertainty'', Journal of
Consumer Research, Vol. 15 No. 2, pp. 265-72.
Kleffner, A.E. et al. (2003), ``The effect of corporate governance on the use of enterprise risk management:
evidence from Canada'', Risk Management and Insurance Review, Vol. 6 No. 1, pp. 53-73.
Lewis, M. et al. (2002), ``Product development tensions: exploring contrasting styles of project
management'', Academy of Management Journal, Vol. 45 No. 3, pp. 546-64.
Liebenberg, A.P. and Hoyt, R.E. (2003), ``The determinants of enterprise risk management: evidence from
the appointment of chief risk ofcers'', Risk Management and Insurance Review, Vol. 6 No. 1, pp. 37-52.
Lightle, S. and Sprohge. H. (1992), ``Strategic information system risk'', Internal Auditing, pp. 31-6.
Loch, K.D. et al. (1992), ``Threats to information systems: today's reality, yesterday's understanding'', MIS
Quarterly, Vol. 16 No. 2, pp. 173-86.
MacCrimmon, K.R. and Wehrung, D.A. (1990), ``Characteristics of risk taking executives'', Management
Science, Vol. 36 No. 4, pp. 422-35.
March, J.G. and Shapira, Z. (1987), ``Managerial perspectives on risks and risk taking'', Management
Science, Vol. 33 No. 11, pp. 1404-18.
Mazis, M.B. (1997), ``Marketing and public policy: prospects for the future'', Journal of Public Policy and
Marketing, Vol. 16 No. 1, pp. 139-43.
Meulbroek, L. (2002), ``The promise and challenge of integrated risk management'', Risk Management and
Insurance Review, Vol. 5 No. 1, pp. 55-66.
Morgan, I. and Rao, J. (2000), ``How restaurant owners manage strategic risk'', Cornell Hotel and
Restaurant Administration Quarterly, December, pp. 64-74.

PAGE 76
| CORPORATE GOVERNANCE
| VOL. 4 NO. 4 2004
 Mukherji, A. and Wright, P. (2002), ``Reexamining the relationship between action preferences and
managerial risk behaviours'', Journal of Managerial Issues, Vol. 4 No. 3, pp. 314-30.
Noy, E. and Ellis, S. (2003), ``Corporate risk strategy: does it vary across business activities?'', European
Management Journal, Vol. 21 No. 1, pp. 119-28.
Osborn, R.N. and Jackson, D.H. (1988), ``Leaders, riverboat gamblers, or purposeful unintended
consequences in the management of complex dangerous technologies'', Academy of Management
Journal, Vol. 31 No. 4, pp. 942-47.
Palmer, C.G.S. et al. (2001), ``Risk perception and ethnicity'', Risk Decision and Policy, Vol. 6 No. 3,
pp. 187-206.
Palmer, T.B. and Wiseman, R.M. (1999), ``Decoupling risk taking from income stream uncertainty: a holistic
model of risk'', Strategic Management Journal, Vol. 20. No. 11, pp. 1037-62.
Piercy, N. (2002), Market Led Strategic Change, Butterworth Heinemann, Oxford.
Porter, M. (1980), Competitive Strategy: Techniques for Analyzing Industries and Competitors, Free Press,
New York, NY.
Rainer, R.K. et al. (1991), ``Risk analysis for information technology'', Journal of Management Information
Systems, Vol. 8 No. 1, pp. 129-47.
Downloaded by UNIVERSITY OF INDONESIA At 19:47 10 November 2017 (PT)

Ryals, L. (2002), ``Measuring risk and returns in the customer portfolio'', The Journal of Database Marketing,
Vol. 9 No. 3, pp. 219-27.
Shoham, A. and Fiegenbaum, A. (2002), ``Competitive determinants of organizational risk-taking attitude:
the role of strategic reference points'', Management Decision, Vol. 40 No. 2, pp. 127-41.
Stewart, D.W. and Zhao, Q. (2000), ``Internet marketing, business models and public policy'', Journal of
Public Policy and Marketing, Vol. 19 No. 2, pp. 287-96.
Tah, J. and Carr, V. (2000), ``Information modelling for a construction project risk management system'',
Engineering Construction and Architectural Management, Vol. 7 No. 2, pp. 107-19.
Thaler, R.H. and Johnson, E. (1990), ``Gambling with the house money and trying to break even: the effects
of prior outcomes on risky choice'', Management Science, Vol. 36 No. 6, pp. 643-60.
Tummala, V.M.R. and Leung, Y.H. (1999), ``Applying a risk management process (RMP) to manage
cost risk for a EHV transmission line project'', International Journal of Project Management, Vol. 17 No. 4,
pp. 223-35.
Tversky, A. and Kahneman, D. (1981), ``The framing of decisions and the psychology of choice'', Science,
Vol. 211, pp. 453-58.
Vitale, M.R. (1986), ``The growing risks of information systems success'', MIS Quarterly, Vol. 10 No. 4,
pp. 327-34.
Waddock, S. and Smith, N. (2000), ``Corporate responsibility audits: doing well by doing good'', Sloan
Management Review, Winter, pp. 75-83.
Webley, S. (2003), ``Risk reputation and trust'', Journal of Communication Management, Vol. 8 No. 1,
pp. 9-12.
Wehrung, D.A. et al. (1984), ``Utility assessment: domains, stability, and equivalence procedures'', INFOR,
Vol. 22, May, pp. 98-115.
West, D. and Shelton, D. (1998), ``Taking advertising risks: the case of Clerical Medical'', Journal of
Marketing Management, Vol. 14 No. 4/5, pp. 251-72.
Wright, W.F. and Bower, G.H. (1992), ``Mood effects on subjective probability assessment'', Organizational
Behavior and Human Decision Processes, Vol. 52 No. 2. pp. 276-91.

VOL. 4 NO. 4 2004

| CORPORATE GOVERNANCE
| PAGE 77
 This article has been cited by:

1. KhongmalaiOrapan, Orapan Khongmalai, DistanontAnyanitha, Anyanitha Distanont. 2017. Corporate governance model in
Thai state-owned enterprises: structural equation modelling approach. Corporate Governance: The international journal of
business in society 17:4, 613-628. [Abstract] [Full Text] [PDF]
2. Orapan Khongmalai, John C.S. Tang, Sununta Siengthai. 2010. Empirical evidence of corporate governance in Thai state
owned enterprises. Corporate Governance: The international journal of business in society 10:5, 617-634. [Abstract] [Full Text]
[PDF]
3. Stephen A. W. Drew, Terry Kendrick. 2005. Risk Management: The Five Pillars of Corporate Governance. Journal of General
Management 31:2, 19-36. [Crossref]
Downloaded by UNIVERSITY OF INDONESIA At 19:47 10 November 2017 (PT)