Enterprise Risk Management (ERM) Practices among Malaysian SMEs: The Three Steps Process to Identify Adopters and Non-Adopters of ERM for SMEs

World Bank research involving SMEs from 104 developing countries has found that small firms have the largest shares of job creation and the highest sales growth and employment growth compared to large firms. However, large firms are more productive. Similarly, SMEs in Malaysia contribute significantly to economic development, especially in creating new job opportunities. SMEs' involvement in business exposes them to risks. Hence, SMEs need risk management. The current literature has focused on the adoption of ERM among large firms, while studies examining ERM adoption among SMEs are still lacking. More importantly, the identification of adopters and non-adopters is based on large-firm ERM indicators such as a Chief Risk Officer (CRO) or COSO (2004), whereas SMEs, with their different characteristics, need a suitable process for identifying adopters and non-adopters. Thus, the main objective of this paper is to propose a simple and systematic process for identifying adopters and non-adopters of ERM for SMEs.


Introduction
Small and Medium Enterprises (SMEs) play a vital role in most countries, especially developing countries. Based on the World Bank Enterprise Surveys (ES) database, a study of 49,370 firms in 104 countries revealed that SMEs have the largest shares of job creation and the highest sales growth and employment growth compared to large firms (Ayyagari, Demirguc-Kunt, & Maksimovic, 2011). In Malaysia, SMEs account for 98.5 percent of total business or 907,065 establishments, and for 36.3 percent of GDP, 65.5 percent of employment and 17.6 percent of exports (SME Corporation Malaysia, 2016). According to SME Corp, SMEs in Malaysia are defined as: i) manufacturing sectors with annual sales turnover not exceeding RM 50 million or full-time employees not exceeding 200 workers (previously less than 25 million annual sales turnover and less than 150 workers); and ii) services and other sectors with sales turnover not exceeding RM 20 million or full-time employees not exceeding 75 workers (previously less than 5 million annual sales turnover and less than 50 workers). SMEs in Malaysia have low productivity compared to large firms (SME Corporation  and SMEs in other developed countries. SME productivity per worker averaged RM 47,000, which is about one-third the productivity of large establishments. Likewise, SMEs in the United States and Singapore are seven and four times more productive, respectively, than Malaysian SMEs (SME Corporation . Productivity issues are similar for most SMEs in developing countries (Ayyagari et al., 2011). Low productivity is one of the symptoms of SME failure or crisis (Ropega, 2011) and is part of risk. In general, SMEs face risks externally and internally. Externally, business is changing quickly and generating a great deal of uncertainty, such as changing customer tastes, new product development and technology. Internally, SMEs face risks such as human error, fraud, system failure, the disruption of production and so on (Dickinson, 2001).
This environment forces firms, especially SMEs, to be innovative and to constantly review their processes and practices in order to survive (Bahri, St-Pierre, et al., 2011). Therefore, in order to manage risks, Enterprise Risk Management (ERM) could be a solution for SMEs. Given the size and managerial structure of SMEs, the process of establishing and using ERM is relatively simple because of the close relationship between owners, managers and operators of the enterprise (Yolande Smit, 2012). The main objective of this paper is to propose a simple and systematic approach to identify adopters and non-adopters of ERM for SMEs in Malaysia using a 3-step process derived from previous literature, namely Application of Risk Management in Small Business (Alliance, 2005), Enterprise Wide Risk Components (Lam, 2014) and the COSO (2004) ERM Framework.

Problem Statement
In Malaysia, ERM practices are still at an early stage. Current practices include the government initiative to introduce the Malaysian Code of Corporate Governance 2012, which requires the board of a public listed company on Bursa Malaysia to identify principal risks and ensure the implementation of appropriate internal controls and mitigation measures (Securities Commission . Despite the regulation requiring public listed companies in Malaysia to implement risk management, the adoption rate is still relatively low compared to other developed countries (Togok, 2016; Yazid, Hussin, & Daud, 2011a). Risk-related events have a more severe effect on SMEs than on large firms (Kiew & Angeline, 2016). Risk management is a major issue for SMEs (Brustbauer, 2016). Although ERM is an effective proactive risk prevention tool for SMEs (Vadiveloo & Aguirre, 2013), ERM practices among Malaysian SMEs are still questionable. For example, fraud is a risk issue in business organizations in Malaysia, but they tend to put the matter aside (Shanmugam, Ali, Hassan, & Haat, 2012). Furthermore, only a small number of SMEs in Malaysia are expanding into larger establishments. SMEs are afraid of taking risks and facing uncertainties when they become large corporations (Salleh & Ibrahim, 2011). Besides growing in size, SMEs need to face challenges such as vulnerability in financial markets, political instability, rising energy costs and frequent natural disasters that would directly affect the future direction and growth of SMEs. Therefore, it is crucial for SMEs to implement ERM to reduce exposure to business loss (Kiew & Angeline, 2016). Hence, it is important to study ERM in the context of SMEs in order to understand the practice of ERM, to encourage adoption of ERM among non-adopters and to extend the use of ERM to its full potential.
Even though the study of ERM practices among SMEs has been increasing recently, it is still limited (Amalina, Abdullah, Zakuan, Khayon, & Ariff, 2012; Ekwere, 2016; , 2011). SME risk management has not received the desired attention in the literature (Gorzeń-Mitka, 2013; Yusuf & Dansu, 2013). Furthermore, the majority of studies examined SMEs in developed European countries (Falkner & Hiebl, 2015), and studies in the Asian region are still limited (Togok, 2016). Although current research stated that 80% of respondents from 214 SMEs in Malaysia are clear about the importance of risk management to achieve long-term organizational sustainability (Kiew & Angeline, 2016), there is still a need to study the adoption of ERM among non-adopters and the extension factors among adopters, to ease the extension of, and future research on, ERM practices among SMEs. However, the more critical issue arising from such study is how to identify adopters and non-adopters among SMEs. Most research has focused on large firms, public listed companies and government-linked companies that are capable of employing a chief risk officer (CRO) and forming a management team to handle risk issues, whereas SMEs, with limited financial and human resources, are unable to adopt ERM in a way that the same indicators would detect. Therefore, the way ERM adoption is identified for SMEs should be reconsidered to make it more practical. This paper aims to propose a simple and systematic three-step process to identify and determine adopters and non-adopters, to help researchers studying ERM for SMEs. Hence this study will fill the gap in the literature.

Literature Review
In the literature, the name ERM is sometimes replaced by synonyms like Enterprise-Wide Risk Management, Holistic Risk Management, Integrated Risk Management and Strategic Risk Management. Enterprise Risk Management (ERM) has emerged as a new risk management technique aimed at managing the portfolio of risks facing an organization in an integrated, enterprise-wide manner. Unlike traditional risk management, where individual risk categories are managed from a silo-based perspective, ERM involves a holistic view of risks, allowing a business to take into account correlations across all risk classes (Monda & Giorgino, 2013). In general, ERM is known as a systematically integrated and disciplined approach to managing risks within organizations to ensure firms achieve their objective, which is to maximize and create value for their stakeholders. Many organizations are implementing ERM processes to increase the effectiveness of their risk management activities, with the prime goal of increasing stakeholder value (Beasley, Clune, & Hermanson, 2005a). In the SME context, according to Vadiveloo & Aguirre (2013), ERM is a form of micro risk management, a comprehensive approach addressing risk in all functional areas, and an effective proactive risk prevention tool for SMEs. Therefore, for the purpose of this study, ERM for SMEs is defined as follows: ERM for SMEs is micro risk management consisting of culture, capabilities and practices that use a comprehensive approach to addressing and managing risks proactively in all functional areas within the organization, with the ultimate goal of maximizing stakeholder value.

The Identification Process of Adopters and Non-adopters of ERM
From the very beginning of this study, the researcher found it difficult to distinguish between adopters and non-adopters among SMEs, especially in Malaysia. As mentioned by Hoyt, Moore, & Liebenberg (2008), a major obstacle to empirical research in ERM is the difficulty in identifying firms engaging in ERM. Moreover, most firms have implemented either a complete or a partial ERM framework (Abdul Rasid & Abdul Rahman, 2009). Lundqvist (2014), in a study of the dimensions used to determine ERM implementation in a firm, found that most of the available studies have used inconsistent dimensions. Most previous researchers identify and measure ERM implementation using certain proxies such as a chief risk officer or senior risk officer (Beasley, Clune, & Hermanson, 2005b; Hoyt et al., 2008; Lam, n.d.; Pagach & Warr, 2008; Yazid, Razali, & Hussin, 2011). Moreover, most of the studies related to ERM were mainly US-based, and research in the Malaysian environment is scarce (Shanmugam et al., 2012). However, several research findings from the Malaysian context on public listed companies (PLCs) (Togok, 2016; Wan Daud, Yazid, & Hussin, 2010) and Government-Linked Companies (GLCs) (Yazid, Hussin, & Daud, 2011b) have also shown that the CRO is one of the indicators used to differentiate between adopters and non-adopters. However, using a CRO would identify too few firms as ERM adopters (Lundqvist, 2014). Hence, this research proposes a 3-step process to identify the adopters and non-adopters of ERM among SMEs. See figure 1.2.

First step - Preliminary Identification:
SMEs need to answer 'Yes' or 'No' to show whether they have adopted or have not adopted ERM. The instrument used is as follows: However, Beasley, Clune, & Hermanson (2005c) propose a range of ERM adoption levels rather than just using 'Yes' or 'No' as an indicator of ERM adoption. Therefore, a second step was proposed.

Second step - Basic ERM implementation
To support the first answer, the adopters need to state the level of ERM involvement or adoption in their business areas, including business planning, human resource management, outsourcing, sales of products and services, emergency planning, financial management, and product and services development. All these areas are suggested in the application of enterprise risk management in SMEs (Alliance, 2005). In addition, these areas are important to include in the questionnaire since the risks faced by companies are highly interdependent: between financial risk and business risk, business risk and operational risk, and operational risk and financial risk (Lam, 2014). See figure 1.1. Figure 1.1 shows that enterprise-wide risk management, or enterprise risk management (ERM), is assumed to be practiced by SMEs by looking at three major organizational areas, namely business risk, finance risk and operational risk. The reason for using this second step as an indicator of ERM adoption for SMEs is the finding by Lundqvist (2014) that 73% of 143 respondents from large firms said that they use a definition of ERM other than COSO. Only a few companies can claim they have fully implemented ERM as defined by COSO (Proviti Inc., 2006). COSO (2004) is widely used in developed countries, while the Asia Pacific region is more familiar with AS/NZS 4360:2004 as a guide to ERM practices. Moreover, the Bursa Malaysia Guideline also adapted only three of the eight components of effective ERM, namely control activities, information and communication, and monitoring (Togok, 2016). Using an 11-point scale, the respondent needs to agree at level 3 and above for at least three ERM activities involved in their business to be considered an adopter. Leung (2016) suggests the 11-point scale as it increases sensitivity and is closer to interval-level scaling and normality. Details of the instrument are as follows:

Figure 1.1: Enterprise-Wide Risks
Please circle ONE answer only for the level of agreement (0 - very disagree to 10 - very agree) with the statement below. Your company's business activities as stated below have already used ERM.

Third step - Global ERM Framework Practices
The third step strengthens the second step: the adopters need to answer ERM questions based on the COSO (2004) framework. As mentioned before, COSO is more widely practiced in developed countries, since regulation on ERM is much more mature and advanced than in less developed countries (Togok, 2016). Since Malaysia aims to be a developed country, step 3 can give a better measure of the extent to which ERM is fully practiced by SMEs. This framework defines eight components of ERM: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring (Chandra Shekhar & Warrier, 2004). Again using an 11-point scale, the respondent needs to agree at level 3 and above for at least three COSO (2004) components involved in their business. Some components are sufficient to represent the existence of COSO in the implementation of ERM among SMEs (Kiew Heong Angeline & Saw Teng, 2016). Details of the instrument are given below: Please circle ONE answer only for the level of agreement (0 - very disagree to 10 - very agree) with the given statement. Your company has already implemented ERM for the following activities as stated below.

Table 1.4: Questions based on the Global ERM Framework COSO (2004)

Columns: Question; Level of agreement (Very disagree - Very agree: 0 1 2 3 4 5 6 7 8 9 10)

1) Objective Setting
a) Has aligned its business risks with its corporate-level and business-unit-level goals and objectives
b) Has established explicit, corporate-wide risk tolerance levels or limits for all major risk categories
c) Has clearly communicated its expectations for risk-taking to senior managers

2) Internal Environment
a) Has communicated a risk management mission statement, value proposition, and benefits statement to senior managers
b) Has incorporated responsibility for risk management into the position description of all managers
c) Board of directors or committee of the board is actively involved in the risk management process.

3) Information and Communication
a) Has a corporate-wide common language for communicating risk-type exposures, control activities, and monitoring efforts
b) Has regular briefs to the board and executive committee on risk management issues

4) Event Identification
a) Has established a comprehensive business risk inventory of the risks you expect your managers to manage

8) Control Activities
a) Policies and procedures were established and implemented to make sure an efficient risk response has been done
b) Control on sales aspect has been done
c) Control on emergency planning has been done
d) Control on routine check on control effectiveness has been done
e) Control on task segregation has been done
f) Control on authority to approve has been done
g) Control on document and record has been done
h) Control on the implementation process of ERM has been done

All these steps will then be used to conclude whether the respondents are adopters or non-adopters. Moreover, they can help the researcher understand the level of adoption.

Conclusions
Previous literature has discussed ERM and SMEs, yet there is a lack of studies on ERM practices among SMEs, especially in the Malaysian context. Based on the review of the literature, the process for identifying ERM adopters and non-adopters will give researchers a simple and systematic approach for developing more research on ERM and SMEs in the future. This study is very significant in enhancing understanding of ERM adoption among SMEs in general and specifically in Malaysia.