Next Article in Journal
Disentangling Director Attributes: Human Capital versus Social Capital of Directors
Next Article in Special Issue
Modeling the Risks of the Global Customs Space
Previous Article in Journal
Co-Jumps, Co-Jump Tests, and Volatility Forecasting: Monte Carlo and Empirical Evidence
Previous Article in Special Issue
Banking Risks in the Asset and Liability Management System
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
JRFM
Volume 15
Issue 8
10.3390/jrfm15080335
jrfm-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles thumb_up
...
Endorse textsms
...
Comment
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Introduction of a Corporate Security Risk Management System: The Experience of Poland

by
Iryna Kalina
1,*,
Viktoriia Khurdei
2,
Vira Shevchuk
3,
Tetiana Vlasiuk
4 and
Ihor Leonidov
5
1
Department of Marketing, Interregional Academy of Personnel Management, 03039 Kiev, Ukraine
2
Department of Marketing, University of Customs and Finance, 49105 Dnipro, Ukraine
3
Department of Accounting and Audit, Ivan Franko National University of Lviv, 79007 Lviv, Ukraine
4
Department of Smart Economics, Kyiv National University of Technologies and Design, 02019 Kiev, Ukraine
5
Department of International Economy, Political Economy and Governance, National Metallurgical Academy of Ukraine, 49015 Dnipro, Ukraine
*
Author to whom correspondence should be addressed.
J. Risk Financial Manag. 2022, 15(8), 335; https://doi.org/10.3390/jrfm15080335
Submission received: 5 June 2022 / Revised: 24 July 2022 / Accepted: 25 July 2022 / Published: 29 July 2022
(This article belongs to the Special Issue Social, Economic, Legal and Educational Challenges of Network Economics)
Browse Figures
Versions Notes

Abstract

:
To ensure the economic security of companies, it is necessary to introduce a risk management system based on the use of various tools, especially financial ones. The purpose of the article is to scientifically substantiate the paradigm of integration of the risk management mechanism into the system of economic security in companies on the basis of risk-oriented management. The main study method was an online survey of 50 Polish companies in January–April 2021 using a developed questionnaire consisting of 40 questions. According to the results of the expert survey, it is determined that regardless of the type of economic activity of the enterprise, the main goal of introducing risk-oriented management is to preserve assets and increase the efficiency of financial and economic processes. The introduction of risk-oriented management is perceived as a tool to increase the value of the company and ensure the achievement of strategic goals. Fraud is a significant risk to the state of economic security for modern enterprises. To prevent the fact of fraud, taking into account the specifics of the operation of companies, it is suggested to conduct an annual examination. As a result, the suggested procedure should include an audit (audit of financial statements, forensics, transition to international financial reporting standards, audit of systems and processes), assessment (assessment for audit and reporting in accordance with international financial reporting standards, risk management assessment in accordance with international standards, assessment of the effectiveness of economic security), tax analytics (identification of tax risks, analysis of compliance with tax legislation, tax audit), and a due diligence procedure for investment objects.

1. Introduction

Modernization of the process of economic security management in enterprises should become a priority of top management to ensure effective counteraction to threats and risks of internal and external environments of its operation. The development of the information economy and the globalization of business confirm the effectiveness of risk-based approaches in ensuring the economic security of enterprises.
Globalization and integration can lead to an increase in domestic and international competition, and the accuracy of assessing existing and potential risks will require taking into account an increasing number of indicators, and therefore the tools of diagnostics of the economic condition of economic entities tested by experience of the developed countries do not give exact forecasts any more. Given this, for the development of the economy there is an urgent need to create at the macro, micro, and meso levels effective mechanisms for ensuring economic security of enterprises in the strategic and short-term perspectives.
Risk-based management in the system of economic security of the enterprise is designed to reduce the level of negative consequences of threats that are present in all business processes of an entity of any kind of economic activity. (Khanyile et al. 2019). In addition, risk-based management is aimed at maximizing the possible positive effects in the case when the company’s directors and its management make management decisions to take risks in a particular economic situation (Kähkönen et al. 2018).
The problem of ensuring the stability of the economic security system in conditions of uncertainty of different kinds of environments is similar to ensuring the stability of quality management, financial stability, which is increasingly becoming a management problem. Modern ideas about the role of entrepreneurship in the economy and its development are quite contradictory due to the huge number of different methods and approaches to assessment of the target function of the socio-economic process, in which uncertainty and risk are leading, namely, to assessment of the state of the economic security system of the economic entity (Lai and Wong 2020). To select effective methods, ways, and techniques for managing risks, threats, and dangers, it is first necessary to clearly determine the destabilizing factors of the company’s economic security system (Dixit 2021).
Thus, the application of risk-based management practices, provided there is a proper theoretical and methodological basis for their application adapted to the crisis realities of economic activity, can have double benefits for the company and its stakeholders—both in countering risks to economic security and ensuring the maximum level of satisfaction of economic interests of owners and other interested parties.
The aim is to scientifically substantiate the paradigm of integration of the risk management mechanism into the system of economic security of companies on the basis of risk-oriented management.
In accordance with the defined goal, the study set and solved the following tasks: to specify the impact of risks, dangers, and threats on the state of the economic security system of companies; to substantiate the role of the process of risk-based management in the system of economic security of companies; and to diagnose risks and threats to the economic security of companies.

2. Literature Review

2.1. Analysis of the Concept of Risk-Oriented Company Management

The condition of uncertainty that exists for any manufacturing enterprise is due to the fact that the system of economic security in the process of its operation is dependent on a number of reasons that can be systematized (Fan and Stevenson 2018). It is from the interpretation and understanding of the concept of uncertainty that the ways and methods of minimizing the impact of risks, dangers, and threats follow, which is one of the priority goals of the economic security system of any enterprise (Kumar and Jha 2018).
In the study of destabilizing factors of the economic security of an economic entity, it is advisable to identify several such factors: risk as the probability of occurrence of circumstances that may cause danger (Kong and Castella 2021), danger as a real possibility of harm or damage (Kim and Chance 2018), and threat as a real intention to cause harm (Corbett and Smodis 2018).
The focus of risk management is shifted towards risk-based management of the entire company, rather than management of certain risks or separate management of the economic security system (DuHadway et al. 2019). Integrating risk management into the company’s management system itself is an objective necessity.
Currently, the biggest problems in global risk management are the lack of sound theories and technologies of risk management in many areas, especially operational risk management (Chaudhuri et al. 2018). There are almost no effective quantitative methods for assessing the most important of the risks—the human factor, mechanisms for diversification, and hedging of operational risks; methods of assessing reputational risks are at the initial stage.
Note the characteristics of risk-based management in the system of economic security that distinguish it from “classical risk management.” In classical risk management, the object of management is the risk with which management manipulations are carried out in order to avoid it, minimize it, or use it to the benefit of the enterprise (Liu and Jensen 2018).
In risk-based management in the system of economic security, the object is also risks—not general and specific to the entire enterprise and its economic activities, but those that are inherent in each asset and operation of the economic entity, and the negative impact of which reduces the level of economic security and harms its system (Villanueva et al. 2022). The subject of management is traditionally a risk manager. However, in the system of economic security, a professional in financial and economic security joins him or plays his role (Tarei et al. 2020).
Management functions also differ. In risk management, these are planning losses from the negative manifestation of risk, organizing the risk management process, motivating personnel involved in risk management processes to perform their duties conscientiously, and monitoring the results of risk management measures (Hinna et al. 2018).
In risk-based management in the economic security system, the functions of management are to plan security measures through risk management mechanisms, risk identification, and their analysis and evaluation, establishing their level of maturity and selecting one of many management solutions to avoid, minimize, compensate for, or diversify a risk (Karamouz and Heydari 2020). In this case, the function of motivation is to encourage the entire staff to comply with the rules of good conduct and professional performance of their duties, as staff in the economic security of the enterprise is both an asset in need of protection and a source of personnel risks (Kwak et al. 2018).
It is possible to say about the different influences of risks, dangers, and threats on the functioning of the system of economic security of enterprises and corresponding different responses of the system to these negative factors. Effective risk management within the economic security system is able to eliminate the negative manifestations of risks and will take advantage of their positive consequences (Azim and Nahar 2021). At the same time, the impact of dangers and threats on the state of the economic security system is completely negative, because the very fact of their existence in the external and internal environment of the enterprise is the reason for spending resources of economic security to counter them and prevent their negative effects.
Risk minimization means the selection of such management decisions to influence the risk, which can either limit the likelihood of its occurrence, or reduce its negative consequences for corporate resources and economic interests of the company (Tullo 2020).
The priority for modern founders and researchers of security science in this regard should be the development of a theoretical and methodological basis for the formation of an information base for risk-based management in the organization and implementation of business processes in the enterprise, and especially in its system of economic security and in its management.
The main differences between risk-oriented management and “classical risk management” in the economic security of a company are as follows.
Companies should focus their actions on integrating risk analysis into key business processes, rather than on risk assessment measures. Risks should not be the subject of analysis, and risk analysis should not be a result but a decision-making tool (Tai et al. 2020).
Different types of risks require different approaches. Different risk assessment methods are needed to integrate risk management into different business processes. This approach differs significantly from the common practice of implementing ERM (enterprise risk management) (Hsu et al. 2021).
Therefore, it can be argued that you should not use a single approach to risk management. Each process and each type of decision may have its own risk assessment methods, with its own criteria and tools. The priority task in risk-oriented management should be the development of competencies for risk assessment in employees of enterprises, which is the task of a risk manager (Joshi 2018).
The above confirms again that risk is the central object of study for the economic security system of a company. The company’s security is faced with the task of integrating risk management into all business processes. There arises a need for a comprehensive study of risks as a tool for risk-oriented management (Mazumder and Hossain 2018). To conduct a detailed risk analysis in Polish companies, it is necessary to study all the parameters of this phenomenon.
The scientific problem of the study is to ensure the economic security of the enterprise in conditions of growth and increasing variability of business risks through the use of risk-oriented management based on the development of conceptual, methodological, and practical components.
It should be noted that for the authors’ study there are other concepts at the micro level of the economy, in addition to the basic concept of risk management. The number of these concepts is large enough, and they are the subject of a review article. In this scientific article, we focused on the concept that is directly related to the risks of corporate culture.

2.2. Analysis of the Theory of Bureaucracy in the System of Risk Management of Corporations

Sociological theories of bureaucracy consider bureaucracy both as an organization and as a social stratum, but not as a group of individual actors. Consequently, bureaucracy is distinguished by its solidity in sociological theories. This feature can acquire both positive (rational bureaucracy of M. Weber and T. Parsons) and negative (parasite bureaucracy of K. Marx) connotations.
Bureaucracy is considered a management system of society and its separate areas, emerging as society develops. This way of management has both strong (hierarchy, rationality, activity regulation, etc.) and weak (red tape, conformity, special status) sides (Pivoras and Kaselis 2019).
In patrimonial systems, management is carried out arbitrarily, and the management apparatus is personally subordinate to the head of the company (Drechsler 2020). Loyalty is a key professional requirement for bureaucrats.
A rational bureaucracy is a management system that maintains legal dominance based on impersonal order and legally established procedures (Reinsberg et al. 2019). This type of bureaucracy is characterized by a hierarchical organization, clearly defined responsibilities and rights, and professionalism.
The bureaucracy of professionalism implies (Bakker 2019) that a bureaucrat must have certain competencies to hold his position; if the qualification requirements are met, he has the right to career growth and he receives a salary established by the procedure for the fulfillment of his responsibilities.
As a result of bureaucracy, an employee spends time going to the instances (managers, responsible persons from related functional units) to obtain approvals (including electronic) and “waiting in line” for a decision (Kim et al. 2021).
Sometimes this time is useful and adequate, and sometimes it is excessive, leading to increased expenses. We distinguish between “healthy” and “unhealthy” bureaucracy.
By “healthy” or sound bureaucracy we mean a bureaucracy that is objectively necessary for documenting records under the requirements of the external environment (compliance with the terms of contracts with partners, compliance with labor and tax laws) (Bianco and Gamba 2019). In addition, you can consider “healthy” bureaucracy the minimum necessary to maintain the process at the proper professional level in a particular organization.
Bureaucracy is considered “unhealthy” when it is excessive and leads to increased time expenditure for employees, without changing the level of quality of the process or the degree of risk of the company and its shareholders (Kuo et al. 2021).
Here are the main reasons for “unhealthy” bureaucracy.
One is when managers have a low level of self-awareness and personal responsibility. This is the desire to be on the safe side, to play for time in case “you don’t have to make a decision at all” (Christopher and Sarens 2018). In this case, the big question is about the compliance of managers with their positions.
Managers who try to change the behavior of subordinates often face persistent resistance to change, which cannot be explained reasonably (Gu and Yuan 2022). They see that separate units of the organization prefer war against each other. They face such communication problems and such misunderstandings between members of different groups that it would seem that “reasonable” people should not have them.
Second is criteria for the evaluation of decisions by superiors changing during the activity and inconsistency of the first party. It is probably the worst thing that can happen and generates not only “unhealthy” bureaucracy in the company (Shatnawi et al. 2019). The historical reevaluation of the decisions of subordinates according to the “new” criteria that arise suddenly and the very fact of unilateral change of these criteria (process regulations) give rise to mutual irresponsibility and demotivation in decision-making.
Third is a low degree of mutual trust of colleagues, the presence of precedents when the demand is “wrong,” and the other employees not standing up for the fairness of the decision made by a colleague. Such mutual behavior of employees, as well as the selection of people, is an omission in the work of not only of the CEO, but in many respects of the HR service as well.
Fourth is excessive complexity of procedures in their original design. This is characteristic of large companies where the processes of coordination of decisions are built iteratively, often when changing the persons responsible for the regulations of the processes themselves. For example, an analyst from the head office building a procedure for remote departments may simply not understand the essence of the local process (Busru et al. 2020). On the ground, the proposed regulations of this or that coordination are considered a certain fact sent down from above by “smart people.” When you look at this situation from the side, it is sad that clever people here and there lose company time due to simple miscommunication (lack of time, or unwillingness to go into detail/escalate for subjective reasons).
As a result of unhealthy bureaucracy, costs increase (and often disproportionately). The risk of unhealthy bureaucracy against the background of such an example is much higher, as it affects not only the development of the company’s employees, but also its business reputation, “adequacy,” and speed of response in the eyes of suppliers and customers (Jiang and Feng 2021).
The discussion about bureaucracy has a clear negative connotation, but initially we wanted to remain impartial to it. After all, there are a number of advantages (guarantees) that cannot be discounted.
Firstly, bureaucracy is already a sign of the process (Larasati and Asrori 2020). Whether this process is effective or not does not matter in this case. The main thing that can be stated is its actual presence, which is far from obvious for many companies. Secondly, bureaucracy largely insures against outright theft and overt sabotage of the employees (Cassano 2019). Thirdly, it somehow guarantees decision-making, despite being time-consuming (Hao and Kang 2019). Fourthly, it frees up top management’s time, eliminating the need for “manual control” (Liu et al. 2019). In summary, bureaucracy, albeit “unhealthy,” is much better than chaos.
All the above reasons for “unhealthy” bureaucracy are directly related to the degree of development of corporate culture.
Last is the mutual responsibility of managers, the so-called sense of “90% personal responsibility” for the “common” task, and self-awareness of the personality of a manager (Eriandani and Wijaya 2021). It is both a result and a sign of the presence of a corporate culture in the company.
Both corporate culture and bureaucracy evolve as power is centralized and expanded, as well as in connection with the emergence of new management tasks. Both of these phenomena, one way or another, ensure the controllability of the process in the absence of the first part.
The ideal environment does not exist, and people with their uniqueness make adjustments to any process. Both bureaucratic corporate cultures are present to varying degrees in any company. Studying in practice and trying to combine these concepts in a simple model, we came to the conclusion that they fill the same space, being mutually displaced, opposite in content, and not subject to diffusion. Any company can be characterized by the ratio of “corporate culture/unhealthy bureaucracy.”

3. Materials and Methods

The online survey followed the logic of traditional survey methodology. The task of the mass survey is to determine the relationship between different variables (for example, between socio-economic status and political preferences). It is a survey of a group of people based on a formed sample: a subgroup of a given population, which allows relatively reasonable conclusions to be made about the population as a whole. As a rule, in the analysis of the obtained data, various methods of quantitative measurements are used: correlation analysis, regression analysis, etc. (Omar and Javaria 2019). In terms of technology and organization, the newest online survey is closest to the oldest scheme of mass surveys—mail surveys, a method that has more than a century of history.
Among the main characteristics of the online survey one can note the completion of the web questionnaire by the participants themselves, the availability of precise instructions, and the opportunity to demonstrate numerous incentives for respondents. The online survey allows for testing photo, video, and audio materials. In general, the tools of the online survey are more varied and provide a large number of different opportunities, such as click-tests, eye-tracking techniques, 3D modeling of goods, visual scales for measuring emotions, etc. (Shakya et al. 2020).
Surveys on the Internet have advantages over other indirect methods, in particular telephone surveys, in terms of a higher level of respondents’ willingness to participate in the survey and a cheaper cost per interview (Embi and Shafii 2018). Online surveys also increase participants’ involvement through the inclusion of visual, audio, and textual perceptions. These surveys give the opportunity to select a convenient time and place of participation and can be completed at any time convenient for the respondent.
In general, one can highlight the following benefits of online surveys (Lee and Lee 2018): saving resources (not only money, but also time and labor costs), large sample size, speed of the survey (the possibility to interview several thousand people in a short time); the possibility to respond quickly (for example, change tools); breadth of coverage (crossing borders and distances, access to various social groups and communities); reachability (opportunity to interview those who are not accessible in real life, such as marginalized groups); focus (the possibility to build a specific sample); relevance (independence) of communication, that is, a lower level of influence of the interviewer on the respondent and the possibility to give more detailed answers; high level of trust (due to the anonymity of the online environment); the breadth of subject fields (opportunity to study topics that are delicate and closed for public discussion); organizational flexibility (a respondent chooses the time and place of participation); strict logic of the survey (special software eliminates traditional errors in filling out the questionnaire); and operating control over the completion of the questionnaire (for example, detection of logical inconsistencies in the answers and their correction).
Moreover, a survey via the Internet provides additional opportunities (apart from the opportunity to select the channel of influence). These are the opportunities of subsequent communication with respondents, automatic collection of additional information, and automatic recording of data and processing of questionnaires (Jepson et al. 2020).
The main disadvantage of online surveys is related to the problems of ensuring the representativeness of the sample. Firstly is the lack of a sampling frame. One can successfully solve this problem in the studies of organizations with wide network bases, and also when building a sample with the results of an offline survey (Shatnawi and Eldaia 2020). Secondly is the problem of coverage, which is the inability of the sampling procedure used to cover the real population (i.e., to set a known non-zero probability of being included in the sample for each population unit) (Girangwa et al. 2020). Thirdly are non-responses or refusals to participate (Yeargin et al. 2021). Usually, the first two problems are successfully solved.
The main disadvantages and limitations of online surveys include the following (Elmsalmi et al. 2021): lack of representativeness (population structure does not coincide with user structure), spontaneity of the sample (“self-selection method”), audience coverage possibly not being relevant to the target audience (e.g., limited to visitors to a single site), mobility and variability of social space on the Internet (for example, high “mortality” of the panel), repeated participation in the survey (especially in the case of an anonymous survey), lack of data on the general population (for example, on the audience structure of the portal or forum), intentional distortion of data, the possibility of hostile actions (“hacking” software), limited length of the questionnaire (in practice no more than 20–25 questions), limited control over the completion time and the number of corrections in the answers (important when using some techniques), communication problems (incorrect interpretation of the questionnaire, errors in transitions, filling in tables, etc.), and individual system parameters (influence of software installed on the respondent’s computer).
Some of these disadvantages may be eliminated in the near or distant future. For some surveys, these limitations are critical, in other surveys they can be ignored.
Within the authors’ study, directional sampling was used in the online survey.
Panel or directional sampling is based on databases (lists) of potential respondents using socio-demographic data for surveying homogeneous audiences; the sample includes mainly those objects that have typical values of the studied characteristics for the general sample as a whole.
If the internal validity (the degree of certainty with which one can judge the assumed causal relationship between variables) and the randomization of experimental conditions (by pairwise or other non-random distribution of observation objects by groups) is more important than the randomly selected external validity (the possibility of distributing the results of a selective study to the general sample), an online study is carried out not according to a selective, but rather experimental and quasi-experimental plans. Our study did not require a selective assessment of the distribution of characteristics of the general sample, but was aimed at studying causal relationships between variables. Here, finding an effect in the general sample was the primary task in relation to estimating the scale of this effect.
In 2021, the authors conducted a study. The main areas of the study were as follows: the portrait of a modern risk management unit, assessment of the current level of risk management, the key problems related to the development of risk-based management in non-financial companies, and prospects for further development of risk-based management of certain types of risks. The authors conducted a survey of various Polish companies for assessment of existing risk management practices to ensure economic security, prospects for the development of risk-based management in the system of economic security of enterprises, and to identify key business risks.
The expert survey was conducted over four months (January–April 2021). The study involved 50 Polish companies representing various sectors of the economy. For example, 17% of respondents represented agriculture, hunting, and forestry; 14% of respondents represented trade, repair of motor vehicles, household products, and articles for personal use; 11% of respondents represented industry; 10% of respondents represented transport and communications; and 7% of respondents represented IT technologies, etc.
When developing the questionnaire, the following methodical aspects were taken into account:
(1)
Questions should not contain explicit or implicit prompts;
(2)
The meaning of a question should be unambiguous for all respondents and interviewers;
(3)
Questions should not contain terms and concepts that are unclear to a respondent;
(4)
When formulating evaluative questions, it is necessary to monitor the balance of positive and negative judgments;
(5)
If a question is difficult, instructions are required after its formulation;
(6)
All questions must correspond to the study task;
(7)
A questionnaire should correspond to the capabilities of a respondent as a source of information.
The operation of control and approbation of the questionnaire included three stages:
(1)
Logical control over the compliance of the questionnaire questions with quality criteria;
(2)
Clarification of the compliance of the questionnaire with methodical requirements;
(3)
Approbation of the questionnaire (conducting a pilot survey).
The target audience of the study was risk managers, enterprise directors, CFOs, CEOs, heads of security services, and specialists from leading departments who were asked to complete the questionnaire of 40 questions, which was developed by the authors (Appendix A). The respondents answered questions about risk management practices to ensure enterprise economic security.

4. Results

The authors’ study proved that regardless of the type of economic activity of the enterprise, the main goal of introducing risk-based management is to preserve assets and increase efficiency. This emphasizes that companies use corporate risk management systems as a tool not only for strategic management but also operational management (Figure 1).
If one ranks the objectives of introducing risk-based management in a company, then rank 1—preserving assets and improving efficiency (25%), rank 2—increasing corporate rating (22%), rank 3—guaranteeing the achievement of strategic goals (18%), rank 4—increasing the value of a company (17%), rank 5—compliance with regulatory requirements (12%), and rank 6—access to IPO (6%).
It should also be noted that the introduction of risk-based management is perceived as a tool to increase the value of a company and ensure the achievement of strategic goals. The first three positions of the respondents’ answers with the highest percentages allowed for a conclusion to be drawn that corporate risk management systems can be an effective tool for creating business value in both the short- and long-term perspectives.
The participation of the risk manager in the process of agreeing on key management decisions provides an independent approach to alternative opportunities and contributes to a more open discussion of risks. Practice proves the existence of the problem of reporting and perception of negative information, which is typical for many companies. This is primarily due to the specifics of thinking—the so-called mental traps. These traps may, for example, manifest in excessive optimism about decisions in which the employee is personally interested, in the general risk culture of society, and the Polish mentality.
At the same time, there are companies that create an open environment in which the employees have the opportunity to freely express their fears or doubts, both at the level of personal interaction and through, for example, a hotline (implementation at the level of IT systems), to report potential risks. The combination of these measures contributes to the formation of the necessary corporate risk culture and risk-based management in general, within which top management is an example to follow.
One of the key organizational questions that were asked of the respondents concerned the existence of a separate structural division responsible for the coordination of risk management. The existence of such a division is one of the conditions for ensuring the independence of the risk management function.
At the time of the survey, 36% of the surveyed companies had a separate structural division responsible for coordination of risk management processes, with 21% of the companies saying that they plan to create such a structural division in the near future. These results indicate the readiness of Polish companies to introduce risk-based management in the economic security system.
The absence of a separate risk management division does not indicate the absence of risk management practices in the company. Therefore, in the absence of such a division, respondents answered the question “Who is responsible for coordination of risk management processes in the absence of a separate structural division?” According to the data (Figure 2), in 40% of the companies the internal control/audit department is responsible for coordination of risk management processes and in 35% of the companies CFO is responsible for it.
Usually, the enterprises see the implementation of force, information, personnel, or other functions in the security department, and 20% of the enterprises assign the function of risk management coordination to the security department.
This situation illustrates where the risk management process has historically originated in a company. Generally, it is due to advanced risk management practices and access to larger volumes of information compared to the other functional divisions.
The share of Polish companies that have a separate risk management division in their structure is characterized by a decentralized approach when risk management is entrusted to risk owners appointed from employees of functional divisions. It should be noted that in 37% of the companies the existing risk management divisions are accountable to the CFO, in 17% of the companies to the audit committee, and in 13% of the companies to the security service (Figure 3).
The peculiarity of the accountability of the structural division responsible for dealing with risks is the specificity of such activities. At an industrial enterprise such a structural division is often accountable to the CEO, and in the transport or telecommunications sector to the CFO. Based on international practice, the head of the division responsible for the introduction of risk-based management is directly accountable to the CEO. This makes it possible to ensure a sufficient level of authority and to avoid conflicts of interest, which may be associated with a combination of responsibilities for managing one of the functional areas of the enterprise and introducing risk management approaches in all processes. Thus, as shown in Figure 3, the Polish practice is quite different from worldwide ones because of the rather low culture of risk management. It should be noted that in the industrial sector the CEO or another top manager is usually the initiator of the creation of a structural division for risk management. In contrast to this, in public-sector enterprises, in the sectors of education, health, and social protection middle managers usually introduce risk-based management.
Analyzing the study data on the average time of risk management activities in the enterprise, which is mostly up to five years, one can conclude that most of the surveyed companies have passed the stage of development of basic knowledge and skills in risk management. At present, the issues of implementation of adopted procedures and effective integration of risk management in the decision-making process come to the fore. It should also be noted that in 33% of respondents’ answers the lack of corporate culture of risk management is an obstacle to effective risk management. Within the development of corporate risk culture, companies need to pay significant attention to the development of employee skills in risk management. According to the data of the authors’ study, 59% of the surveyed Polish companies conduct regular training of employees, 46% of the companies conduct seminars for top management, and 40% of the companies have an internal portal and a form for discussion of risk management issues. Quite a small percentage, namely, 19% of the respondents, had passed a certification in risk management.
More than 60% of the surveyed Polish companies have detected fraudulent transactions. A total of 40% of the companies have faced theft of assets and fictitious expenses. A total of 20% of the companies estimated their losses in the range from EUR 100,000 to EUR 5 million per year. A total of 38.2% of fraud cases were detected from unofficial internal sources.
The most frequent cases of fraud were recorded in the sectors of industrial production, trade, the food industry, and agriculture. This situation is in line with global trends according to the ACFE report (Association of Certified Fraud Examiners) on a global study of fraud in organizations (Occupational Fraud 2022, a report to the nations). Industrial production is among the top five sectors prone to fraudulent schemes. As in Poland, asset theft is the most common type of fraud in the world; as evidenced by the ACFE study (Occupational Fraud 2022, a report to the nations), it is recorded in 83% of all cases of fraud. As is known, fraud risks are most common in companies in Eastern Europe, and Poland is no exception. This statement is confirmed by the data of international reports on fraud (Figure 4).
Thus, for the countries of Eastern Europe, corruption is the most typical type of fraud (Figure 4), which accounts for 20% of all professional fraud schemes. The second place (18%) is occupied by fraudulent actions with non-cash payments. Almost in equal parts, these are followed by falsification, fraud with compensation payments, theft of cash, and fraud with financial statements and cash on hand (Occupational Fraud 2022, a report to the nations).
According to the ACFE report for 2021, the fact of professional fraud was detected in 40% of reported crimes, in 23% of internal audit results, and in 16% of management checks (Figure 5).
One should pay attention to the occasional identification of fraud, as it is as much as 7%, and therefore may lead to significant losses for the company or not be detected at all. Occasional cases of detection indicate unsystematic and uncontrolled processes of risk management in the enterprise, which could be as low as possible or completely leveled under the condition of effective risk management.
Given the shift in focus from cost to value, relationships with third parties have begun to be viewed in terms of the strategic opportunity that such third parties can offer organizations. Thus, according to the study, there are five key areas that need improvement in most organizations: dependency and vulnerability, relationship management, corporate governance and risk management processes, technology platforms, and new models of providing products and services.
Among the key risks that may adversely affect the activities of enterprises, respondents noted the following: strategic risks involving changes in macroeconomic parameters and market conditions, operational risks related to the implementation of investment projects, regulatory risks related to tax legislation, and financial or price risks.
According to the study of Polish companies, an important element of the organization of the risk management function is its documentation. The existence of a full set of quality regulations and methodological documents contributes to the overall institutionalization of the process, awareness of all participants, improvement of the culture of risk management, and strict implementation of the corresponding procedures (Figure 6).
According to the study, the application of risk management documents such as policies for the management of certain types of risks, methods of risk identification, assessment and management, risk management policies, and so on were the most popular among the companies that participated in the survey. A significant gap among the documents of a strategic nature was found in the low level of the document on risk appetite and strategy for the development of a risk management system. Therefore, in order to reduce the risk of fraud, documentary deficiencies should be taken into account and risk management should be diagnosed and self-assessed. This will not only ensure the continuity of the system’s development and eliminate its shortcomings, but will also be the basis for providing objective information to stakeholders. The lack of risk management policy was noted by enterprises in the industrial, transport, and telecommunications sectors, as well as those enterprises with no more than 100 employees. At the same time, companies that have a risk management policy build their goals, objectives, and basic principles in accordance with international standards.
According to the study, the average level of risk management maturity is present in the companies of almost 42% of respondents, which indicates a significant potential for further development and improvement of risk management. Enterprises with more than 1000 employees have a high level of risk management maturity.
A total of 34% of respondents mentioned risk appetite statement at the enterprise, whereas 31% plan to define and document it in the near future. In 39% of the companies, risk information is taken into account in the process of investment planning/project management. The fact that 34% of the companies have no risk appetite statement indicates an insufficient level of maturity. Risk appetite was stated mainly in large companies, as well as in energy companies. In the sectors of industrial production and agriculture they mostly did not have a risk-appetite statement but planned to have one the near future.
Effective operation of the economic security system when using risk-based management requires integration with all business processes. To achieve the declared goals, top management must take into account information about the risks in business processes, especially when building an enterprise strategy. In 49% of the companies, risk information is taken into account in the processes of internal checks/audits, which suggests the development of risk-based management in the system of internal audit, during which the system is required in matters of internal communication and interaction of stakeholders. A significant part of the representatives of large and medium-sized businesses, which was 68% of respondents, reported that the risks related to the main business processes of the company are identified and assessed quarterly, semi-annually, or annually.
Representatives of industrial enterprises stated that risk management is fully integrated into the main operational processes, and that risks are analyzed not at regular intervals, but on a regular basis (in the process of operational activities)—twice as often as in other sectors. The processes of integrating risk-based management into the management system are more effective in small companies with no more than 100 employees. Disclosure of information on the integration of risk-based management into key enterprise processes and decision-making, as well as information on the management of separate risks in the company’s annual reports or on the corporate website, is a positive sign for partners, regulators, investors, and customers. This not only increases the investment attractiveness of the enterprise, but also gives financial results and allows for saving on the cost of insurance and borrowed capital.
For most Polish companies, the results of risk analysis are related to the achievement of strategic goals and budget planning and are taken into account by top management for goal setting/budgeting. Risk analysis in the process of strategic and budget planning is one of the key elements of defective risk management. For example, 39% of the respondents take into account information on risks during the investment planning/project management process, 57% of the respondents during the strategic/business planning process, 49% of the respondents during the processes of internal checks/audits, and 38% of the respondents during the budgeting process/cash flow forecasting. Within the framework of budgeting, it is important not only to identify risks that may affect the goals in order to assess the feasibility of achieving them, but also to take into account in the budget the costs related to risk management in priority areas. Enterprises with a high level of risk management maturity successfully complement this approach using quantitative assessment of the impact of risks on key financial and economic indicators, which provides a relationship with motivation management, and, accordingly, fully implements risk-based management in the context of planning/budgeting. Integration of risk management in cash flow forecasting processes is more typical for enterprises with less than 100 employees.
One of the applied tools of risk-based management is maintaining a risk register. According to the study, most Polish companies (31%) plan to create a risk register in the near future and 50% already have one (Figure 7).
The effectiveness of working with a risk register depends on the quality of analysis of both the internal and external environment of the enterprise. At the same time, excessive detail, as well as insufficiency, can significantly reduce the result of the implementation of this document. The average level of detail of risks is offered, namely, from 30 to 80 risks that will give the chance to analyze them more qualitatively and to consider in further work. In this case, it is optimal to create an extended register to reflect the entire field of risk, but detailed analysis and processing should be carried out with a small number of key risks.
When forming a risk register, which is becoming increasingly popular in enterprises, it is important to establish and delineate responsibilities. The risk owner is responsible for its management, timely identification, monitoring, analysis, evaluation, and prevention. The majority of enterprises, namely, 43% of the respondents, confirmed that the risk owners are identified in their organization. In 38% of the enterprises the risk owners are identified but not for all risks, and only 19% of the respondents answered in the negative about the existence of risk owners. Analysis of economic feasibility is a necessary condition for the implementation of effective allocation of resources within risk-based management in the system of economic security of the enterprise. Usually, the analysis of economic feasibility accompanies the decision on key risks or those risks where the conclusions on the feasibility of implementing certain measures are not clear. For example, the majority of respondents, 61% of the companies, conduct cost-benefit analysis when implementing new risk management measures.
Analytical data clearly illustrated the barriers to effective risk management in the respondent companies. The most significant obstacles (20%) were the lack of interconnection between functional structures in terms of management and (19%) the lack of corporate culture of risk management. As a result, cultural and communicative tasks come first (Figure 8).
Specialists in risk management must have good psychological skills, the ability to avoid mental traps in decision-making, and a high level of industry knowledge. This may require additional qualifications and competencies to train employees. A total of 59% of the respondents conduct regular training of employees, 46% of the respondents conduct seminars for top management, 40% of the respondents use an internal portal and forum to discuss risk management, and 19% of the respondents conduct certification in the field of risk management. It is important to note that training should not be focused on risk identification, assessment, and management, but on risk-based business management. The lack of competencies required for quantitative risk assessment is one of the main problems in the development of risk management. The low quality of information provided to top management for decision-making, irregularity, and the outdated format used by most respondents are all key reasons for the low level of development of risk management in Polish companies.
The system of regulatory internal control to prevent fraud by staff at various levels is perceived as the most effective mechanism. Unlike in Poland, in global practice an external audit of financial statements is the most effective mechanism to prevent fraud. According to the ACFE study (Occupational Fraud 2022, a report to the nations), 82% of companies regularly use this tool. At the same time, regular external audits are positively correlated with lower financial losses as a result of fraud and faster detection of negative factors.
Examining the issue of recording the facts of fraud, it should be noted that more than 60% of the respondents have encountered facts of fraud in the company, although most often such offenses are found in the following sectors: industrial production, trade, the food industry, and agriculture. In large enterprises, facts of fraud are recorded more often. This is primarily due to the fact that large companies have a wider range of opportunities to implement fraudulent schemes. More than half (60%) of Polish companies have faced fraud and estimated the average financial loss from such actions as EUR 100,000 for the year, and in 20% of companies, losses ranged from EUR 100,000 to EUR 5 million.
For example, in order to prevent the fact of fraud, taking into account the specifics of the operation of Polish companies, it is suggested to conduct an annual examination. The suggested procedure should include an audit (audit of financial statements, transition to international financial reporting standards (IFRS), forensics, audit of processes and systems), assessment (assessment for audit and reporting according to IFRS, risk management assessment according to international standards, economic security assessment), tax analytics (identification of tax risks, analysis of compliance with tax legislation, tax audit), and a due diligence procedure for investment objects.

5. Discussion and Conclusions

Disclosure of risk management information to stakeholders is one of the most important measures to reduce fraud in an enterprise. Stakeholders expect detailed information on the risk management system of a company and the key risks to which a particular business is exposed (Yang et al. 2018). Such information is primarily needed to ensure that risk-based management is integrated into all business processes of the enterprise, as well as able to identify and respond to new risks, dangers, and threats in a timely manner.
The strengthening and growth of business reputation is facilitated by the disclosure of information on the most important risks and data that confirm the ongoing work of a company on risk management and prevention (Renault et al. 2018).
Rarely used methods of detecting facts of professional fraud are as follows: rewards for informants, job rotation, and active monitoring. At the same time, for companies operating in Western Europe, a code of conduct (93%) is the most popular method of combating fraud (Catanzaro and Teyssier 2021). It is suggested to include some elements of such a code in the “Concept of risk management in the enterprise” as the main document governing risk management in a company. The management of the certification of financial reporting and an external audit of financial statements (88% each) have proven to have a highly preventive effect in Western Europe (El Baz and Ruel 2021).
The main problem they face when generating risk statistics is the lack of reliable information. Under such conditions, specialists spend from 70% to 80% of working time collecting quality data, and the remaining time is spent on analytics (Singh 2020). For enterprises planning to build a statistical database on risks for the first time, it is necessary to establish and formalize the process of data selection in a single format using IT systems that reduce time and labor costs (Vincent et al. 2019). In this case, you only need to format the processes and build requirements for analysts on the quality of the source data.
According to the authors’ study, the key elements of building an effective risk management system in the enterprise are the development and implementation of a risk management policy/concept (31%), the implementation of a risk management process in all functional units of the enterprise (44%), and active support from the executive management (41%). Thus, the priority for the introduction of risk-based management in the economic security of the enterprise is the development and implementation of a basic document that would regulate the processes of coordination of risk management along with practical actions to implement this approach in all functional units of the enterprise. In this process, Polish companies pay special attention to the support from top management.
We believe that Polish companies, when forming an effective system of corporate risk management, should take into account the modern methods of increasing confidence in accounting–analytical support of management information—blockchain technology. For example, among its possibilities, blockchain technology promises the following advantages: decreasing the number of errors—when data gets into the blockchain intelligent contracts carry out many accounting functions, automatically reducing the likelihood of human error; cost reduction—the blockchain will increase the efficiency of the accountant’s work and reduce the number of errors, which will help reduce the cost of accounting and check for correctness in the medium term; reducing the likelihood of fraud—to change a record in the blockchain, you must make the same change for all copies of the distributed network at the same time, which is almost impossible; and reduction of audit time—with the help of intelligent contracts you can automate many audit functions, which will reduce the time required by the auditor to view records.
According to the study, for the development of risk-based management in an enterprise priority is given to the following: accounting of information on risks in decision-making on enterprise management, accounting of risks in strategic and business planning, budgeting/risk-based planning, quantitative methods and models of risk assessment, etc.
Data from surveys of top management of Polish companies signal the lack of risk management culture and the lack of understanding of the importance of this aspect in the processes of operational and strategic financial and economic activities of business structures.
First of all, the prospects for further studies involve increasing the base of respondents—the number of Polish companies. It is appropriate to increase the number of surveyed companies to 150. This is necessary because, according to the authors’ study, Polish companies with less than 100 employees have no risk management policy. In addition, increasing the number of respondents will allow for additional statistical verification and export of relative conclusions related to the answers about the characteristics of the sample (for example, the economic sector, number of employees, etc.).
Without state intervention and assistance in advisory and regulatory activities, this situation will be difficult to change. Given that macro-level threats and risks are complemented by internal threats, the introduction of risk-based management in economic security systems in enterprises is an urgent task for modern management.

Author Contributions

Conceptualization, I.K. and V.K.; methodology, V.K.; software, V.S.; validation, T.V.; formal analysis, I.L.; investigation, I.K.; resources, V.S.; data curation, T.V.; writing—original draft preparation, I.L.; writing—review and editing, V.K.; visualization, V.S.; supervision, I.L.; project administration, I.K.; funding acquisition, I.L. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

QUESTIONNAIRE
1. City and region:                               
2. What kind of economic activity is the main one for your enterprise? Select one variant:
Agriculture, hunting, forestry
Fishing, fish farming
Industry
Construction
Trade; repair of motor vehicles, household appliances, and articles for personal use
Hotels and restaurants
Transport and communications
Financial activities
Real estate, renting, engineering, and provision of business services
IT technologies
Governance
Education
Health care and social assistance
Provision of communal and individual services; activities in the field of culture and sports
3. How many years has your company existed?
Less than 5 years
From 5 to 10 years
More than 10 years
4. How many people are working at your company?
Up to 100 persons
From 101 to 250 persons
From 251 to 500 persons
From 501 to 1000 persons
More than 1000 persons
5. What is the annual gross income of your company?
Less than EUR 2 million
Less than EUR 10 million
Less than EUR 50 million
More than EUR 50 million
6. How would you assess the current economic condition of your company?
Bad
Satisfactory
Good
Difficult to answer
7. Indicate your experience in management positions in this company:
Less than 1 year
From 1 to 3 years
More than 3 years
8. Indicate your status in this company:
Owner
Director
CEO, president, deputy director, board member
Head of the security service
CFO
Chief accountant
Internal auditor
Specialist in one of the leading
departments/divisions
Other
9. Indicate the department of the enterprise where you are working:
Sales department
Procurement department
Production department
Executive/top management
Customer service department
Accounting department
Financial department
IT department
Marketing department
Other
10. Is the economic activity of your company related to making risky decisions?
No, it is not
Some economic decisions are related to risks
All economic decisions are risky
Difficult to answer
11. In your opinion, has the activity of your company become more risky compared to last year or over a 10-year period?
Risk decreased
Risk increased
Risk neither decreased nor increased
Difficult to answer
12. What economic risks were realized and negatively affected the economic life of your company?
Risks in the internal environment of the enterprise
Risks in the external environment of the enterprise
Risks in the internal and external environment of the enterprise
Difficult to answer
13. What internal environment risks were realized and negatively affected the economic life of your company? Check all that apply:
Violation of the main production activities of the company
Non-implementation of investment and innovation projects or plans
Failure in the area of product sales (termination of contracts, return of products, refusal to pay for shipped products, etc.)
Supply disruptions (disruption of supplies of raw materials, components, etc.)
Failures or violations in the management system of the company (failures of software and hardware, management errors, non-compliance with management decisions)
Personnel errors and violations of production discipline
Other risks (specify)
Difficult to answer
14. What external environment risks were realized and negatively affected the economic life of your company?
Change of economic legislation and other normative legal acts
Possible changes in the conditions of foreign economic activity
Actions of regional or local authorities in the economic sphere
Deterioration of the socio-economic situation in the region of the enterprise location
Emergence of technological, product, and other innovations from competitors
Deterioration of the environmental situation or change in environmental regulations
Other dangerous trends in the foreign economic environment of the enterprise (specify)
Difficult to answer
15. What do you think are the goals of introducing risk-based management in the enterprise?
To guarantee the achievement of strategic goals
To preserve assets and improve activity efficiency
To comply with regulatory requirements
To increase the value of the company
To improve corporate/credit rating
Access to IPO
Other
16. Does your company have a separate structural unit responsible for coordination of risk management?
Yes, it has
No, and it is not planned to create one in the near future
No, but it is planned to create one in the near future
17. Who is responsible for coordination of risk management processes in the absence of a separate structural unit?
Internal audit/control unit
Security service
CFO
Other
18. What do you think hindered the effective risk management of your company in the current year and may hinder it in the following year?
Lack of interconnection between functional units in terms of management
Low quality of risk information received
Lack of corporate culture of risk management
Impossibility to obtain an accurate assessment of enterprise risks
Insufficient support of the risk management process by the board of directors
Lack of necessary support from the executive management
Lack of necessary financial resources
Low efficiency of used tools and methods of risk detection, assessment, and management
Other
19. Which of these aspects, in your opinion, are key to building an effective risk management system in the enterprise?
Active support from the executive management
Accounting for information on risks when making decisions on risk management of the enterprise
Support of the risk management system by the board of directors
Implementation of the risk management process in all functional units of the enterprise
Commitment of all employees of the enterprise to risk management development
Organized and formalized process of risk identification and management
Effective risk-reporting system
Development and implementation of a risk management policy/concept
Accessibility of risk information for all interested users
Quantitative models of risk assessment
Automation of risk management system
Clearly defined level of risk appetite
Other
20. What areas of risk management development, in your opinion, are key for your company?
Accounting for information on risks in making management decisions
Risk accounting in strategic and business planning
Risk-based budgeting/planning
Quantitative methods and models of risk assessment
Automation of risk management system
Formalization of risk management processes
Personnel training
Determination of the level of risk appetite (level of acceptable risk)
Cost-benefit analysis
Creation of a risk register
Preparation/improvement of the insurance protection program
Other
21. What way of implementation/development of risk management in ensuring economic security do you consider the most effective for your company?
Involvement of external experts/consultants
Independent development
Combined
22. Does your company carry out risk management activities as an independent type of management activity? Select one variant:
Not conducted and not planned
Not conducted but planned
Conducted
Conducted as a different type of activity (specify)
Difficult to answer
The following questions apply to the case when your company works on risk management. Therefore, if you answered “Yes” to the above question, you can go to questions 23–42,
23. How long has your company been engaged in risk management activities?
Less than a year
From 1 to 5 years
More than 5 years
Difficult to answer
24. Which representative of your company’s top management is responsible for risk management?
Director
Deputy director
Head of one of the administrative services
Head of a specially created unit for risk management
Head of the security service of the enterprise
Other person (specify)
25. Which of the following documents related to risk management have been developed and implemented at your company?
Risk management policy
Methods of risk detection, assessment, and management
Regulations of risk management processes (including reporting forms)
Job descriptions of risk managers
Provisions of the structural division responsible for risk management
Provisions of the risk committee
Policy for management of certain risks
Risk management development strategy
Risk appetite document
Other
26. Who does the risk management work at your company?
Special risk management division
Professionals and specially appointed employees of the enterprise
Employees of the enterprise according to one-time
management orders
Our enterprise risk management is organized differently (specify)
27. Does your company attract external consultants for risk management?
We use our own employees
We attract consultants that work together with the company’s employees
We fully involve external consultants in risk management work
28. Which risk management methods were used in your company?
We avoid risky decisions
We use insurance of transactions
We share the responsibility between the partners
We diversify products, activities, etc.
We have a reserve fund (financial resources, stocks of raw materials, finished products, etc.) for contingencies
We have developed a strategic plan
Others (specify)
No answer
29. In your opinion, has risk management been effective for your company? (For example, it has made it possible to cancel unpromising projects or implement risky but successful projects. Or vice versa, it did not prevent erroneous decisions, did not improve the state of the enterprise in the market, etc.)
Risk management only led to losses at our company
Risk management gave no positive or negative results
Risk management was useful for the company
Difficult to answer/do not know
30. Which area of economic activity of your company, in your opinion, could risk management be most useful in?
In enterprise financial management
In strategic planning
In planning investment or innovation projects
In the operational economic activity of the enterprise
Risk management should cover all areas of the enterprise activities
Other (specify)
Risk management is not required for our company
Difficult to answer/do not know
31. What, in your opinion, could be an indicator of the success of risk management in your company?
Number of rejected dangerous (risky) projects
Number of accepted risky but successfully implemented projects
Reduction of the resources reserved for risk compensation
Improvement of the general economic indicators of the enterprise (increase in sales, gross income, profit growth, reduction of non-production costs, etc.)
Business expansion of the enterprise (new activities, new products, new markets, etc.)
Increase in dividends paid to shareholders
Strengthening the market position of the enterprise (expanding market share)
Other (specify)
Difficult to answer/do not know
32. In your opinion, what prevents your company from using risk management methods?
Risk management is useless for such enterprises as our company
We have no tradition of risk accounting in economic activity
We have no information on the positive results of risk management in other enterprises
We have no well-grounded and understandable methodological materials on risk management
This requires additional costs and organizational efforts
Nothing prevents us from it but we manage to do without risk management
Other (specify)
Difficult to answer/do not know
33. The structural unit of your company responsible for coordination of risk management processes is accountable to:
CFO
CEO/chairman of the board
Audit committee
Board of directors
Security service
Other
34. Which activities are carried out at your company to develop risk management skills in employees:
Regular training of employees
Seminars for top management
Internal portal and forum for discussion of risk management issues
Certification in the area of risk management
Other
35. Has a risk register been created in your company?
Yes
No
No, but it is planned to create one in the near future
36. Have risk owners been identified in your company?
Yes
Yes, but not for all risks
No
37. Does your company keep statistics on realized risks (database on realized risks)?
Yes
No
No, but it is planned to do so in the near future
38. Does your company carry out a cost-benefit analysis during the implementation of risk management measures?
Yes
No
39. Has a risk appetite been stated in your company?
Yes
No
No, but it is planned to do so in the near future
40. In what processes of your enterprise the information on risks is considered?
Investment planning/project management process
Strategic/business planning process
Administrative review/audit processes
Budgeting/cash flow forecasting process
Others

References

  1. Azim, Mohammad Istiaq, and Shamsun Nahar. 2021. Risk disclosure practices: Does institutional imperative matter? Public Money & Management 42: 388–394. [Google Scholar] [CrossRef]
  2. Bakker, John. 2019. Grounded theory methodology and grounded theory method: Introduction to the special issue. Sociological Focus 52: 91–106. [Google Scholar] [CrossRef]
  3. Bianco, Marco, and Andrea Gamba. 2019. Inventory and corporate risk management. Review of Corporate Finance Studies 8: 97–145. [Google Scholar] [CrossRef]
  4. Busru, Showkat Ahmad, G. Shanmugasundaram, and Shariq Ahmad Bhat. 2020. Corporate governance an imperative for stakeholders protection: Evidence from risk management of Indian listed firms. Business Perspectives and Research 8: 89–116. [Google Scholar] [CrossRef]
  5. Cassano, Raffaella. 2019. Corporate global responsibility and reputation risk management. Symphonya. Emerging Issues in Management 1: 129–42. [Google Scholar] [CrossRef] [Green Version]
  6. Catanzaro, Alexis, and Christine Teyssier. 2021. Export promotion programs, export capabilities, and risk management practices of internationalized SMEs. Small Business Economics 57: 1479–503. [Google Scholar] [CrossRef]
  7. Chaudhuri, Atanu, Harry Boer, and Yariv Taran. 2018. Supply chain integration, risk management and manufacturing flexibility. International Journal of Operations & Production Management 38: 690–712. [Google Scholar] [CrossRef] [Green Version]
  8. Christopher, Joe, and Gerrit Sarens. 2018. Diffusion of Corporate Risk-Management Characteristics: Perspectives of Chief Audit Executives through a Survey Approach. Australian Journal of Public Administration 77: 427–41. [Google Scholar] [CrossRef]
  9. Corbett, Timothy P., and Sebastjan Smodis. 2018. Buy-side liquidity risk management best practices. Journal of Risk Management in Financial Institutions 11: 207–17. [Google Scholar]
  10. Dixit, Saurav. 2021. Impact of management practices on construction productivity in Indian building construction projects: An empirical study. Organization, Technology & Management in Construction: An International Journal 13: 2383–90. [Google Scholar] [CrossRef]
  11. Drechsler, Wolfgang. 2020. Good bureaucracy: Max Weber and public administration today. Max Weber Studies 20: 219–24. [Google Scholar] [CrossRef]
  12. DuHadway, Scott, Steven Carnovale, and Benjamin Hazen. 2019. Understanding risk management for intentional supply chain disruptions: Risk detection, risk mitigation, and risk recovery. Annals of Operations Research 283: 179–98. [Google Scholar] [CrossRef]
  13. El Baz, Jamal, and Salomée Ruel. 2021. Can supply chain risk management practices mitigate the disruption impacts on supply chains’ resilience and robustness? Evidence from an empirical survey in a COVID-19 outbreak era. International Journal of Production Economics 233: 107972. [Google Scholar] [CrossRef]
  14. Elmsalmi, Manel, Wafik Hachicha, and Awad M. Aljuaid. 2021. Prioritization of the Best Sustainable Supply Chain Risk Management Practices Using a Structural Analysis Based-Approach. Sustainability 13: 4608. [Google Scholar] [CrossRef]
  15. Embi, Sabri, and Zurina Shafii. 2018. The impact of Shariah governance and corporate governance on the risk management practices: Evidence from local and foreign Islamic banks in Malaysia. The Journal of Muamalat and Islamic Finance Research 15: 1–20. [Google Scholar] [CrossRef]
  16. Eriandani, Rizky, and Liliana Inggrit Wijaya. 2021. Corporate Social Responsibility and Firm Risk: Controversial Versus Noncontroversial Industries. The Journal of Asian Finance, Economics and Business 8: 953–65. [Google Scholar] [CrossRef]
  17. Fan, Yiyi, and Mark Stevenson. 2018. A review of supply chain risk management: Definition, theory, and research agenda. International Journal of Physical Distribution & Logistics Management 48: 205–30. [Google Scholar] [CrossRef] [Green Version]
  18. Girangwa, Kakiya Grace, Lucy Rono, and Jared Mose. 2020. The influence of enterprise risk management practices on organizational performance: Evidence from Kenyan State Corporations. Journal of Accounting, Business and Finance Research 8: 11–20. [Google Scholar] [CrossRef] [Green Version]
  19. Gu, Yuqi, and Wenjuan Yuan. 2022. Sarbanes-Oxley Act (SOX) and Corporate Risk Management. Southern University College of Business E-Journal 12: 1. [Google Scholar]
  20. Hao, Jongyu Paula, and Fei Kang. 2019. Corporate environmental responsibilities and executive compensation: A risk management perspective. Business and Society Review 124: 145–79. [Google Scholar] [CrossRef] [Green Version]
  21. Hinna, Alessandro, Danila Scarozza, and Fabrizio Rotundi. 2018. Implementing risk management in the Italian public sector: Hybridization between old and new practices. International Journal of Public Administration 41: 110–28. [Google Scholar] [CrossRef]
  22. Hsu, Ming-Fu, Ying-Shao Hsin, and Fu-Jiing Shiue. 2021. Business analytics for corporate risk management and performance improvement. In Annals of Operations Research. Berlin and Heidelberg: Spinger, pp. 1–41. [Google Scholar] [CrossRef]
  23. Jepson, Jacqueline, Konstantinos Kirytopoulos, and Nicholas Chileshe. 2020. Isomorphism within risk-management practices of the Australian construction industry. International Journal of Construction Management 8: 1508–1524. [Google Scholar] [CrossRef]
  24. Jiang, Jiaqi, and Yun Feng. 2021. The interaction of risk management tools: Financial hedging, corporate diversification and liquidity. International Journal of Finance & Economics 26: 2396–413. [Google Scholar] [CrossRef]
  25. Joshi, Himanshu. 2018. Corporate risk management, firms’ characteristics and capital structure: Evidence from Bombay Stock Exchange (BSE) Sensex Companies. Vision 22: 395–404. [Google Scholar] [CrossRef]
  26. Kähkönen, Anni-Kaisa, Katrina Lintukangas, and Jukka Hallikas. 2018. Sustainable supply management practices: Making a difference in a firm’s sustainability performance. Supply Chain Management: An International Journal 23: 518–30. [Google Scholar] [CrossRef]
  27. Karamouz, Mohammad, and Zahra Heydari. 2020. Conceptual design framework for coastal flood best management practices. Journal of Water Resources Planning and Management 146: 04020041. [Google Scholar] [CrossRef]
  28. Khanyile, Nokulunga S. M., Innocent Musonda, and Justus Ngala Agumba. 2019. Evaluating the relationship between communication management practices and project outcomes: A case study of Eswatini (Swaziland) construction industry. Construction Economics and Building 19: 197–219. [Google Scholar] [CrossRef] [Green Version]
  29. Kim, Sol, Geul Lee, and Hyoung-Goo Kang. 2021. Risk management and corporate social responsibility. Strategic Management Journal 42: 202–30. [Google Scholar] [CrossRef]
  30. Kim, Sungjae F., and Don M. Chance. 2018. An empirical analysis of corporate currency risk management policies and practices. Pacific-Basin Finance Journal 47: 109–28. [Google Scholar] [CrossRef]
  31. Kong, Rada, and Jean-Christophe Castella. 2021. Farmers’ resource endowment and risk management affect agricultural practices and innovation capacity in the Northwestern uplands of Cambodia. Agricultural Systems 190: 103067. [Google Scholar] [CrossRef]
  32. Kumar, Nirmal, and Ajeya Jha. 2018. Quality risk management during pharmaceutical ‘good distribution practices’–A plausible solution. Bulletin of Faculty of Pharmacy, Cairo University 56: 18–25. [Google Scholar] [CrossRef]
  33. Kuo, Ya-Fen, Yi-Mien Lin, and Hsiu-Fang Chien. 2021. Corporate social responsibility, enterprise risk management, and real earnings management: Evidence from managerial confidence. Finance Research Letters 41: 101805. [Google Scholar] [CrossRef]
  34. Kwak, Dong-Wook, Young-Joon Seo, and Robert Mason. 2018. Investigating the relationship between supply chain innovation, risk management capabilities and competitive advantage in global supply chains. International Journal of Operations & Production Management 38: 2–21. [Google Scholar] [CrossRef]
  35. Lai, Ivan Ka Wai, and Jose Weng Chou Wong. 2020. Comparing crisis management practices in the hotel industry between initial and pandemic stages of COVID-19. International Journal of Contemporary Hospitality Management 32: 3135–56. [Google Scholar] [CrossRef]
  36. Larasati, Desi, and Asrori. 2020. The Effect of Corporate Governance Mechanisms, Capital Structure and Firm Size on Risk Management Disclosure. Accounting Analysis Journal 9: 60–66. [Google Scholar] [CrossRef]
  37. Lee, Jongook, and Dong Kun Lee. 2018. Application of industrial risk management practices to control natural hazards, facilitating risk communication. International Journal of Geo-Information 7: 377. [Google Scholar] [CrossRef] [Green Version]
  38. Liu, Bo, Yingjie Niu, and Yuhua Zhang. 2019. Corporate liquidity and risk management with time-inconsistent preferences. Economic Modelling 81: 295–307. [Google Scholar] [CrossRef]
  39. Liu, Li, and Marina Bergen Jensen. 2018. Green infrastructure for sustainable urban water management: Practices of five forerunner cities. Cities 74: 126–33. [Google Scholar] [CrossRef]
  40. Mazumder, Mohammed Mehadi Masud, and Dewan Mahboob Hossain. 2018. Research on corporate risk reporting: Current trends and future avenues. The Journal of Asian Finance, Economics and Business 5: 29–41. [Google Scholar] [CrossRef]
  41. Occupational Fraud. 2022. Occupational Fraud 2022: A Report to the Nations. Available online: https://acfepublic.s3.us-west-2.amazonaws.com/2022+Report+to+the+Nations.pdf (accessed on 1 July 2022).
  42. Omar, Masood, and Kiran Javaria. 2019. Implementation of Enterprise Risk Management Practices in Organizations: An Empirical Analysis of Takaful Industry Financial Performance. Journal of Islamic Financial Studies 5: 17–27. [Google Scholar] [CrossRef]
  43. Pivoras, Saulius, and Mindaugas Kaselis. 2019. The impact of client status on street-level bureaucrats’ identity and informal accountability. Public Integrity 21: 182–94. [Google Scholar] [CrossRef]
  44. Reinsberg, Bernhard, Alexander Kentikelenis, Thomas Stubbs, and Lawrence King. 2019. The world system and the hollowing out of state capacity: How structural adjustment programs affect bureaucratic quality in developing countries. American Journal of Sociology 124: 1222–57. [Google Scholar] [CrossRef] [Green Version]
  45. Renault, Bérenger, Justus Agumba, and Nazeem Ansary. 2018. An exploratory factor analysis of risk management practices: A study among small and medium contractors in Gauteng. Acta Structilia 25: 1–39. [Google Scholar] [CrossRef] [Green Version]
  46. Shakya, Sujata, Sameer Ratna Bajracharya, and Anjay Kumar Mishra. 2020. Strategy Assessment in Risk Management Practices in Construction of Gautam Buddha International Airport. Journal of Business Risk Management 3: 42–56. [Google Scholar]
  47. Shatnawi, Saddam Ali, and Monther Eldaia. 2020. The Factors Influencing The Enterprise Risk Management Practices and Firm Performance in Jordan and Malaysia. International Journal of Recent Technology and Engineering 8: 2277–3878. Available online: https://ssrn.com/abstract=3568299 (accessed on 1 July 2022). [CrossRef]
  48. Shatnawi, Saddam, Mustafa Hanefah, and Monther Eldaia. 2019. Moderating effect of enterprise risk management on the relationship between board structures and corporate performance. International Journal of Entrepreneurship and Management Practices 2: 1–15. [Google Scholar] [CrossRef]
  49. Singh, Nitya P. 2020. Managing environmental uncertainty for improved firm financial performance: The moderating role of supply chain risk management practices on managerial decision making. International Journal of Logistics Research and Applications 23: 270–90. [Google Scholar] [CrossRef]
  50. Tai, Vivian W., Yi-Hsun Lai, and Tung-Hsiao Yang. 2020. The role of the board and the audit committee in corporate risk management. The North American Journal of Economics and Finance 54: 100879. [Google Scholar] [CrossRef]
  51. Tarei, Pradeep Kumar, Jitesh J. Thakkar, and Barnali Nag. 2020. Benchmarking the relationship between supply chain risk mitigation strategies and practices: An integrated approach. Benchmarking: An International Journal 27: 1683–715. [Google Scholar] [CrossRef]
  52. Tullo, Lois. 2020. COVID-19 triggers great nonfinancial risk crisis: Nonfinancial risk management best practices in Canada. Journal of Risk Management in Financial Institutions 14: 40–58. [Google Scholar]
  53. Villanueva, Eduart, Maria Antonia Nuñez, and Izaias Martins. 2022. Impact of Risk Governance, Associated Practices and Tools on Enterprise Risk Management: Some Evidence from Colombia. Revista Finanzas y Política Económica 14: 187–206. [Google Scholar] [CrossRef]
  54. Vincent, Nishani Edirisinghe, Julia L. Higgs, and Robert E. Pinsker. 2019. Board and management-level factors affecting the maturity of IT risk management practices. Journal of Information Systems 33: 117–35. [Google Scholar] [CrossRef]
  55. Yang, Songling, Muhammad Ishtiaq, and Muhammad Anwar. 2018. Enterprise risk management practices and firm performance, the mediating role of competitive advantage and the moderating role of financial literacy. Journal of Risk and Financial Management 11: 35. [Google Scholar] [CrossRef] [Green Version]
  56. Yeargin, Thomas A., Angela M. Fraser, and Kristen E. Gibson. 2021. Characterization of risk management practices among strawberry growers in the southeastern United States and the factors associated with implementation. Food Control 122: 107758. [Google Scholar] [CrossRef]
Jrfm 15 00335 g001 550
Figure 1. Objectives of introducing risk-based management in 50 Polish companies. Source: authors’ study.
Figure 1. Objectives of introducing risk-based management in 50 Polish companies. Source: authors’ study.
Jrfm 15 00335 g001
Jrfm 15 00335 g002 550
Figure 2. Responsibility for the coordination of risk management processes in the absence of a separate structural division in 50 Polish companies. Source: authors’ study.
Figure 2. Responsibility for the coordination of risk management processes in the absence of a separate structural division in 50 Polish companies. Source: authors’ study.
Jrfm 15 00335 g002
Jrfm 15 00335 g003 550
Figure 3. Accountability of the structural division responsible for the coordination of risk management in 50 Polish companies. Source: authors’ study.
Figure 3. Accountability of the structural division responsible for the coordination of risk management in 50 Polish companies. Source: authors’ study.
Jrfm 15 00335 g003
Jrfm 15 00335 g004 550
Figure 4. Most common professional fraud schemes in Eastern Europe and Western/Central Asia. Source: based on (Occupational Fraud 2022), a report to the nations.
Figure 4. Most common professional fraud schemes in Eastern Europe and Western/Central Asia. Source: based on (Occupational Fraud 2022), a report to the nations.
Jrfm 15 00335 g004
Jrfm 15 00335 g005 550
Figure 5. How is professional fraud discovered? Source: based on (Occupational Fraud 2022), A report to the nation.
Figure 5. How is professional fraud discovered? Source: based on (Occupational Fraud 2022), A report to the nation.
Jrfm 15 00335 g005
Jrfm 15 00335 g006 550
Figure 6. Risk management documents developed and introduced in 50 Polish companies. Source: authors’ study.
Figure 6. Risk management documents developed and introduced in 50 Polish companies. Source: authors’ study.
Jrfm 15 00335 g006
Jrfm 15 00335 g007 550
Figure 7. Presence of a risk register in 50 Polish companies. Source: authors’ study.
Figure 7. Presence of a risk register in 50 Polish companies. Source: authors’ study.
Jrfm 15 00335 g007
Jrfm 15 00335 g008 550
Figure 8. Obstacles to effective risk management in 50 Polish companies. Source: authors’ study.
Figure 8. Obstacles to effective risk management in 50 Polish companies. Source: authors’ study.
Jrfm 15 00335 g008
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Kalina, I.; Khurdei, V.; Shevchuk, V.; Vlasiuk, T.; Leonidov, I. Introduction of a Corporate Security Risk Management System: The Experience of Poland. J. Risk Financial Manag. 2022, 15, 335. https://doi.org/10.3390/jrfm15080335

AMA Style

Kalina I, Khurdei V, Shevchuk V, Vlasiuk T, Leonidov I. Introduction of a Corporate Security Risk Management System: The Experience of Poland. Journal of Risk and Financial Management. 2022; 15(8):335. https://doi.org/10.3390/jrfm15080335

Chicago/Turabian Style

Kalina, Iryna, Viktoriia Khurdei, Vira Shevchuk, Tetiana Vlasiuk, and Ihor Leonidov. 2022. "Introduction of a Corporate Security Risk Management System: The Experience of Poland" Journal of Risk and Financial Management 15, no. 8: 335. https://doi.org/10.3390/jrfm15080335

Article Metrics

Back to TopTop