. International Journal of Economics and Financial Issues ISSN: 2146-4138 available at http: www.econjournals.com International Journal of Economics and Financial Issues, 2017, 7(1), 6-13. International Journal of Economics and Financial Issues | Vol 7 • Issue 1 • 20176 Effects of Corporate Governance Structures on Enterprise Risk Management Practices in Malaysia Zuraidah Mohd-Sanusi1*, Shayan Motjaba-Nia2, Nurul A. Roosle3, Ria N. Sari4, Agus Harjitok5 1Accounting Research Institute, Universiti Teknologi MARA, Malaysia, 2Accounting Research Institute, Universiti Teknologi MARA, Malaysia, 3Department of Accounting, Kolej Matrikulasi Melaka, Malaysia, 4Department of Accounting, Faculty of Economics, Universitas Riau, Indonesia, 5Department of Management, Faculty of Economics, Universitas Islam Indonesia, Indonesia. *Email: zuraidahms@salam.uitm.edu.my ABSTRACT The risk management requirement, as part of best corporate governance practices has become compulsory for the public listed companies (PLCs) in Malaysia. This study examines on the existing governance structures including establishment of Risk Management Committee (RMC), board independence, auditor quality and institutional ownerships would influence the extent of enterprise risk management (ERM) practices. The study derived the aggregate ERM scores in measuring the relevant control and risk management practices of PLCs. For the purpose of the study, governance structure is proxied by RMC, board independence, auditor quality and institutional ownerships. Using a sample of large companies, data were regressed using regression analysis, based on three regression models. The study found that the establishment of RMC provided greater awareness of ERM within particular organization. However, the other governance variables have made less contribution to the risk management awareness and practices within a particular organization. Keywords: Enterprise Risk Management, Corporate Governance, Bursa Listing Requirement, Monitoring Mechanism, Risk Management Committee JEL Classifications: G3, G31 1. INTRODUCTION The companies’ failures together with others high profile corporate scandals have led to an issue concerning the efficiency and role of corporate governance nowadays. Firms that face financial difficulties were normally involved in many fundamental mistakes. As pointed out by Stulz (2009), these fundamental mistakes involved relying on past data, focusing on narrow measures of risk, overlooking knowable risks, overlooking concealed risks, failing to communicate risk and managing risks in real time. The lessons learnt from the crisis should lead to more involvement by companies in enterprise risk management (ERM). Companies that move beyond traditional risk management to implement a more comprehensive approach to their control environment will be better placed to prevent, minimize, or recover from losses in shareholder value (Deloitte, 2013). Risk management has attracted an increasing interest among corporations, practitioners, regulators and academicians, more commonly, term as ERM (Desender, 2009; Lam, 2001; Liebenberg and Hoyt, 2003; Manab et al., 2007; Miccolis and Shah, 2000). Many executives strongly believe that ERM is of primary importance to business enterprise. The challenge is how to ensure risk management is applied effectively. Many acknowledged there is a wide spectrum of ERM practices out there even in developed countries. In Malaysia, the implementation is at low level in particular among public listed firms. As discussed by Ping and Muthuveloo (2015), the extent of risk management practices are far beyond satisfaction through the disclosure of risk policies and management as per Committee for Sponsoring Organizations (COSO)-ERM guidelines. They argued that companies need to disclose more information pertaining to risks as this would help investors in better decision making relating to achievement of firms objectives. Malaysian firms would benefit from COSO-ERM framework in evaluating their risk weaknesses. The effectiveness of ERM program requires a lot of resources which ultimately need for the Board’s approval. The role of board of directors could be considered as crucial factor that influences the Mohd-Sanusi, et al.: Effects of Corporate Governance Structures on Enterprise Risk Management Practices in Malaysia International Journal of Economics and Financial Issues | Vol 7 • Issue 1 • 2017 7 extent of ERM (Kleffner et al., 2003). In the context of Malaysian setting, risk management has been cited as a key responsibility of the board of directors. The risk management requirement, as part of best corporate governance practices has become compulsory for the public listed companies (PLCs) which is part of the Malaysian Code on Corporate Governance (MCCG) (“the Code”) and Bursa Malaysia Listing Requirements (Securities Commission, 2012). The increasing roles of the board are the basis element that drives the other seven components in COSO-ERM (2004) framework which requires discipline and structure. While directors’ role significantly and increasingly affected by “the Code” an issue that constitutes the effectiveness of board of directors has become increasingly important nowadays. As role of the board in influencing ERM is heightened, it is argued that the effectiveness of board’s monitoring role is through its independence, given the mixed empirical findings on board independence (Dionne and Triki, 2004). The objective of the study is to examine the influence of corporate governance mechanisms that are establishment of a risk management committee (RMC), board independence, institutional ownership and auditor quality on the extent of firms’ ERM practices. This study contributes to the empirical evidence of risk management, commonly known as ERM and corporate governance literature. The study not only explores the factors associated with the extent of firms’ ERM practices but also provides insight into ERM practices adopted by Malaysian listed firms. A continuous effort to improve corporate governance through risk management initiatives is needed to create more awareness, interest and focus among public listed firms (PLCs) to adopt and implemented ERM. Such understanding would provide usefulness to the regulators, standard setters, investors, and professional bodies in particular and stakeholder in general. 2. LITERATURE REVIEW 2.1. Malaysian Corporate Governance Environment The Bursa Malaysia Listing Requirement formerly known as the KLSE listing requirements revamped in 2001 mandated all listed firms to disclose their compliance with the MCCG in the annual report. In other words, public listed firms have to state their corporate governance compliance or non-compliance in their annual reports in accordance with the recommendations set out in the MCCG. The implication of these is greater obligations for public listed firms in enhancing corporate governance regime. The MCCG also recommends appointment of Remuneration and Nomination Committees by the board of directors apart from the Mandated Audit Committee since 1993. The Code also recommended establishment of a RMC and Corporate Governance Committee but less frequently set up by PLCs. Risk elements can be identified in the corporate governance definition. The MCCG also states as principle that the board of directors should maintain a sound system of internal control. This led to the issuance by the exchange of ‘‘A Guidance on Statement of Internal Control’’ in May 2000. This guideline explains the key areas that directors must pay attention to before they make a statement of internal control in their companies’ annual reports. The guideline emphasizes the need for proper risk management which is a critical element of a sound system of internal control. In making the internal control statement, a listed firm is required to address issues related to internal controls as recommended by the principle and best practices in the MCCG. This includes that the board of directors should (a) Maintain a sound system of internal control to safeguard shareholders’ investment and the firm’s assets, (b) identify principal risks and ensure the implementation of appropriate system to manage risk, and (c) review adequacy and the integrity of the firm’s internal control systems. 2.2. Background of ERM “The decline of many Asian corporations could be directly tied to a failure in corporate governance with respect to risk management and control” (Harvey and Roper, 1999). For example, during Malaysian economic crisis in 1997/1998 Tenaga Nasional Berhad and Malaysia Airline System suffered huge foreign exchange losses due to failure in managing risk. ERM is a more advanced and sophisticated approach to risk management emerged in the 1990s (Simkins and Ramirez, 2008). The framework incorporates and extends the broadly established “Internal Control – Integrated Framework” of 1992 with the target to satisfy both, the need for internal control and the implementation of a risk management process. The ERM framework has been released in September 2004 and defines a new standard for a comprehensive risk management. A common risk framework for its widely known definition by most corporations is the one proposed by the COSO of the Treadway Commission through its 2004 ERM – Integrated Framework which defined as: “A process, affected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” This framework is set up with established key concepts, principles and techniques intended for corporations to better control their activities in moving toward achievement of their established objectives (Committee of the Sponsoring Organizations of the Treadway Commission, 2004). In its new, integrated ERM framework, COSO envisions ERM as a continuous process that is overseen by senior executives and boards, and as the responsibility of everyone in the organization. Committee of the Sponsoring Organizations of the Treadway Commission (2004), identifies components of ERM and makes a direct relationship between these and organizational objectives, including strategy, operations, reporting, and compliance. Additionally, the new Integrated COSO Framework 2013 is a very broad one that includes both strategic risk management and corporate governance. The COSO Board believes internal control is an integral part of ERM but that ERM is broader in scope (McNally, 2013). The role of risk management has been changed dramatically in corporations, previously often denoted with the corporate insurance Mohd-Sanusi, et al.: Effects of Corporate Governance Structures on Enterprise Risk Management Practices in Malaysia International Journal of Economics and Financial Issues | Vol 7 • Issue 1 • 20178 demand and hedging. More and more are started to pay much attention to additional types of risk such as operational, reputation and strategic risks. Traditional risk management was rather seen more into financial discipline. The ERM functions are directed by a senior executive commonly known as Chief Risk Officer (CRO) and the role of the board in monitoring risk measures and setting limits for these measures has increased at many corporations (Beasley et al., 2005; Kleffner et al., 2003; Liebenberg and Hoyt, 2003). The top level management is responsible for putting in place a well-defined risk governance framework and formulating the appropriate risk strategies. At the operational level, the roles of the business units are to ensure that key risks are appropriately identified, assessed and mitigated. Kleffner et al. (2003) cited that ERM requires an enterprise-wide top down approach of managing risk holistically across the enterprise. There are different guidelines for ERM frameworks in existence, each of them describe how a firm should practically approach risks within the internal and external environment faced by the organization. The COSO “ERM – Integrated Framework” (2004) however, is by far the most widely accepted and used framework as the standard for complying with regulated and legislated internal control, risk management and reporting requirements. These are derived from the way management runs the enterprise and are integrated with management process. ERM consists of eight interrelated components with much influence of the firms’ specific characteristics i.e., size, industry, maturity, management style, etc. The process is not strictly a serial one, but multidirectional and an ongoing process (Committee of the Sponsoring Organizations of the Treadway Commission, 2004; 2013). These factors reflect the role of corporate governance in ERM which is desired by external and internal constituencies. Furthermore, most of the literature on ERM has focused solely on developed countries. Evidence shows that the ERM concept is still not widely practiced in Malaysia despite having received much attention over the past years (Wan Daud and Yazid, 2009). It is important to note that the development and application of ERM, as a new concept of managing risks holistically, is rather limited in practice. This study will examine the impact of corporate governance factors on ERM practices. It is asserted that characteristics of corporate governance encourage firms to increase its ERM practice, which is beneficial to shareholders. 2.3. Hypotheses Development It is expected that the disclosure of control and risk management practices, which is still voluntary, indicates that the firm is very sensitive to the need to identify and manage those risks (Desender, 2009). This is further supported by Ponnu (2008) whom found improvement in disclosure of risk management and internal control among Malaysia listed companies in providing empirical evidence on the extent of corporate governance practices and firm performance. Liebenberg and Hoyt (2003) cited that the trend towards the adoption of ERM programs is usually attributed to a combination of internal and external factors. The author cited that overall the major external factors that have driven firms to approach risk management in a more holistic manner are a broader scope of risks arising from factors such as globalization, industry consolidation, and deregulation; increased regulatory attention to corporate governance; and technological progress that enables better risk quantification and analysis (Liebenberg and Hoyt, 2003). This is in line with Malaysia government initiatives of openness and transparency for the better of public investments. 2.3.1. RMC and ERM Past literatures have recognized the extent of ERM implementation through the existence of CRO or RMC (Hoyt et al., 2006; Liebenberg et al., 2003). Some study even recommended on establishment of separate risk management function drawn from a variety of disciplines rather than a combined with audit committee for risk management effectiveness (Fraser and Henry, 2007). In Malaysia, the board of banking institutions is required to establish a RMC as stipulated in Appendix 2 of BNM Guidelines GP 1: Guidelines on directorship in the Banking Institutions (BNM). Indeed larger listed companies also have generally established a RMC headed by the CEO or senior management member. It is expected the role of board to oversee the establishment and implementation of risk management system can be delegated through the RMC. While firms are mandated to set up an audit committee, no similar requirements are imposed concerning the establishment of other board committees such as RMC (Subramaniam et al., 2009; Yatim, 2010). A board committee is an efficient mechanism for focusing the company on appropriate risk oversight, risk management and internal control and that an appropriate board committee may be the RMC or other relevant committee, although ultimate responsibility for risk management would still rest with the full board (ASX, 2007, p.33 as cited in Subramaniam et al., 2009). Establishment of sub-board committees such as a RMC is recognized as one of an ERM governance structures (Deloitte, 2013; Standard and Poor, 2005). A firm that establishes ones demonstrates a greater awareness of the importance of risk management and control (COSO, 2004). The AICPA-CIMA research series by Beasley et al. (2010) reported movement of firms to strengthen enterprise risk oversight through separate risk committee. A conceptual study by Cernaukas et al. (2009) cited that such creation would be able to reduce the future risk management failure coincides with current global financial crisis. Such establishment should enhance the activities of risk management within particular organization. The above arguments suggest the following hypothesis in an alternative form: H1: The extent of firms’ risk management practices is positively related to establishment of a RMC. 2.3.2. Board independence and ERM Prior studies generally posit that board independence from management provides the most effective monitoring and control of firms’ activities (Fama and Jensen, 1983). Many scholars and corporate governance codes stress the important role of board of directors. The board of directors is usually considered as one of the most important mechanisms used under agency theory. The principal role of a board of directors is to represent the interests of the firm’s shareholders. Agency literature suggests that board independence provides the most effective monitoring and controlling of firm activities in reducing opportunistic managerial Mohd-Sanusi, et al.: Effects of Corporate Governance Structures on Enterprise Risk Management Practices in Malaysia International Journal of Economics and Financial Issues | Vol 7 • Issue 1 • 2017 9 behaviors and expropriation of firm resources (Yatim, 2010). In the Malaysian context, the KLSE listing requirements amendments released January 2001 require at least one third of the board to comprise of independent directors (Bursa Malaysia, 2001). Thus it is expected that the board of directors with higher proportion of outside directors is more likely to provide oversight of a firm’s risk management activities. In this sense, Borokhovich et al. (2004) reports a positive relation between the number of outside directors on the board and the quantity of interest rate hedging held by the firm. It is concluded that unrelated directors play an active role in the decision making of risk management policy. Companies with greater non-executives representation are expected to favor more extensive risk management and (internal or external) auditing in order to complement their own monitoring responsibilities. The following hypothesis is proposed in the alternative form: H2: The extent of firms’ risk management practices is positively related to board independence. 2.3.3. Institutional ownership and ERM Inclusion of institutional investors regards as importance to corporate governance in acting of monitoring control such as board independence. Institutional investors who have greater ability to influence firm risk management policy are more likely to be responsible for this external pressure to install control associated with ERM (Liebenberg and Hoyt, 2003). It is regarded as a monitoring agent (Abdul-Wahab et al., 2008). Fama and Jensen (1983) argued that outside directors have strong reputational incentives to effectively monitor CEOs and management. Shleifer and Vishny (1997) argue that large “outside” ownership can help reduce agency conflicts because they have the power and incentive to prevent expropriation by insiders. In this regard, large outside ownership plays a monitoring role and can be expected to put more pressure on management to disclose additional information. Likewise Hoyt et al. (2006) find ERM usage to be positively related to institutional ownership. These support the contention that pressure from institutional investors is an important determinant of ERM adoption. It is measured as the percentage of the firm’s stock held by institutional ownership above five percent outstanding shares. The implication that should be highlighted is that corporate governance plays an important role in assessing risk management’s value through quality governance in terms of strong internal and external corporate governance. H3: The extent of firms’ risk management practices is positively related to institutional ownership. 3. METHODOLOGY 3.1. Data Collection The population comprises of the Bursa Malaysia PLCs which annual reports are available as at December 31, 2013. The period chosen for the study is to reflect the revision of MCCG (the Code) in 2012. This study excludes from the sample those firms related to the financial industries such as banks and insurance companies due to different compliance and regulatory environment, and therefore need to be studied independently (Yatim, 2010; Linsley and Shrives, 2006). One firm is eliminated from the sample in absence of the accounting data. A sample of 87 companies was chosen randomly to eliminate bias in the selection process. The sample comprising a wide cross-section of industries such as industrial products, consumer products, technology, construction, trade and services, properties, plantations, and infrastructure companies. 3.2. Model of Study The study test the extent of the firms’ ERM practices against risk management committee (RMC), board independence (BOD-IND), institutional ownership (INST_OWN), auditor quality (BIG 4), firm size (LN_TA), leverage (LEV) and profitability (EPS). The model is based on Desender (2009), Beasley et al. (2005) and Beasley et al. (2008). The following regression equation is estimated in the study: ERM = α + β1RMC + β2BOD_IND + β3INST_OWN + β4BIG4 + β5LN_SIZE + Β6LEV + β7PROFIT + ε 3.3. Development of ERM Score The aggregate ERM scoring sheet to measure the relevant control and risk management practices based on prior work developed by Desender (2009) derived from the COSO-ERM framework. The list is composed of 87 items, scoring 1 or 0. An assessment of the state of internal control is checked upon the Internal Control Guidelines (ICGs) issued by the Institute of Internal Auditors Malaysia (IIAM) (Institute of Internal Auditors Malaysia, 2000) while measurement of risk management effort upon the COSO-ERM 2004 framework (Committee of the Sponsoring Organizations of the Treadway Commission, 2004). Table 1 shows the definition and measurement of the variables in the study. Thus information about firms’ specific types of control and risk and related ERM practices are evaluated through their publicly available annual report. By making reference to the work of Desender (2009) it is expected that the disclosure of control and risk management practices indicates Table 1: Definition and measurement of variables Variables (acronym) Measurement Predicted significance Dependent variable ERM Aggregate scores of ERM item practices disclosed based on Desender (2009) Independent variable RMC RMC established and disclosed in annual report + BOD_IND Independence non-executive directors + Auditor quality Big 4=1; Non-Big 4=0 + INST_OWN The percentage of the firm’s stock held by institutional ownership above five percent outstanding shares. + Control variable Size Log of total asset (LN_ SIZE) + Leverage LEV=TotalDebt/TotAsset + Profitability EPS + EPS: Earnings per share, ERM: Enterprise risk management, RMC: Risk Management Committee Mohd-Sanusi, et al.: Effects of Corporate Governance Structures on Enterprise Risk Management Practices in Malaysia International Journal of Economics and Financial Issues | Vol 7 • Issue 1 • 201710 that the firm is very sensitive to the need of identifying and managing those risks. The items of dependent variables are numerically scored on a dichotomous basis (Haniffa and Cooke, 2002). Disclosure index were employed in this study when a partial form of content analysis where the studied items are specified ex ante (Beattie et al., 2004). When no significance is given to any specific user groups, the usage of unweighted index is considered the most appropriate (Cooke, 1989). According to the unweighted disclosure index, a firm is scored “1” if the information related to an item disclosed in the specific sections of the narratives of annual report and “0” if it is undisclosed. The total score is then computed as the aggregate scores of ERM item practices disclosed by each sample firm. 3.4. Measurement of Variables The measurement of ERM is based on the aggregate scores of ERM item practices disclosed by each firm adapted from Desender (2009). In addition to the four explanatory variables, this study also includes three firm-specific characteristics identified in prior research as determinants of ERM practices. These variables consist of size, leverage and profitability. The inclusion of profitability variable is based on its most common financial proxy to control the level of risk within an organization (Table 1). 4. ANALYSIS OF RESULTS 4.1. Descriptive Analysis Table 2 report descriptive statistics for sample firms. It highlights all the variables used in the test of association between independent variables and the extent of firms’ ERM practices. The main objective of describing all the variables is to identify the distribution of the data. 4.2. Correlation Analysis Table 3 shows the correlation between all independent variables and dependent variables. The establishment of a RMC, auditor quality and institutional ownership are strongly correlated with ERM practices at significant level of 0.01 and 0.10 respectively. It failed to find any significant correlation of other corporate governance mechanism that is board independence with ERM. In terms of control variables, size and also profit are strongly correlated with ERM at significant level of 0.01. These findings support the empirical evidence in previous literature on the importance of firm-characteristics in determining the level of ERM (Beasley et al., 2005; Desender, 2009; Liebenberg and Hoyt, 2003; Beasley et al., 2008). Since agency costs are expected to be higher in larger organizations, it is contended that large firm need greater monitoring and thus the need for comprehensive risk management. 4.3. Results of Regression Analysis This study performed all variables using an ordinary least square analysis, the results of which are presented in Table 4. The regression is an extension of the correlation analysis done as above. Model 1 is based on the full regression model that was developed in the methodology section. In Model 2 and 3, separate analyses are done on the effect of independent variables after controlling for the RMC sample and non RMC sample. As shown in the Table 4, Model 1 has better R2 among all the models. The fits of the full model (i.e., Model 1) in explaining ERM practices with R2 of 0.34, is statistically significant since the significance = 0.011 (P < 0.01). These suggest that a significant percentage of variation in ERM practices can be explained by 34% of the variance in the four independent variables, after controlling the control variables. The strongest unique contribution of corporate governance mechanism on ERM practices is an establishment of a RMC. The largest beta value is 0.24, evidence through a significant value of 0.017. This suggests that firms with an establishment of a RMC will provide greater awareness in risk management and control, and enhance risk management practices within particular organization. The next strongest governance Table 2: Descriptive statistics (N = 87) Variable Minimum Maximum Mean ± SD Skewness Kurtosis ERM 25.0 62.0 37.4138 ± 6.24 1.026 2.116 INST_OWN 0.00 29.53 6.3433 ± 7.93 1.250 0.821 BOD_IND 0.200 0.833 0.4381 ± 0.12 0.979 0.858 RMC 0.00 1.00 0.5287 ± 0.50 −0.117 −2.084 BIG 4 0.00 1.00 0.66 ± 0.48 −0.664 −1.596 LN_SIZE 10.76 17.38 13.4169 ± 1.37 0.857 0.405 LEV 0.000 0.747 0.2435 ± 0.18 0.633 −0.011 PROFIT 0.00 1.50 1.4943 ± 0.28 0.023 −2.047 ERM: Enterprise risk management, RMC: Risk Management Committee Table 3: Summary of the correlation results ERM RMC BOD_IND INST_OWN BIG4 LN_SIZE LEV EPS ERM - RMC 0.352*** - BOD_IND −0.070 0.128 - INST_OWN 0.166* 0.046 −0.081 - BIG4 0.266*** 0.187** 0.069 −0.017 - LN_SIZE 0.482*** 0.260*** −0.091 0.352*** 0.319*** - LEV 0.020 −0.122 0.042 0.110 0.023 0.270*** - EPS 0.382*** 0.121 −0.026 0.235** 0.020 0.432*** −0.115 - ***Correlation is significant at the 0.01 level, **Correlation is significant at the 0.05 level, *Correlation is significant at the 0.10 level. ERM: Enterprise risk management, RMC: Risk Management Committee, EPS: Earnings per share Mohd-Sanusi, et al.: Effects of Corporate Governance Structures on Enterprise Risk Management Practices in Malaysia International Journal of Economics and Financial Issues | Vol 7 • Issue 1 • 2017 11 variables that contribute to ERM is auditor quality measured by Big Four audit firm, with coefficient of 0.137 but statistically insignificant with significance = 0.107; slightly far from the conventional level (P < 0.10). The other governance variables have lower beta values indicating those variables are made less contributions. It is interesting to note that for control variables, size and profitability (both at P < 0.05) are significantly associated with ERM. For leverage, the study failed to find any association between leverage and ERM practices. 4.4. Sensitivity Analysis Two sensitivity tests are performed to provide confidence in the robustness of results. First, as part of the sensitivity analysis, the results are repeated using 65 items. The list of ERM scoring sheet originally composed of 87 items which include mandatory and non-applicable items to Malaysian listed firms. All items were initially checked against the mandatory requirements in Malaysia in order to arrive at the checklist with items relevant to the Malaysian environment. These items were compared with the listing requirements for Bursa Malaysia, the Internal Control Guidance issued by the IIAM and the MCCG (“the Code”). Some items were excluded in this process. For example, information on board responsibility; audit committee responsibility; training, coaching and educational programs and compliance with recommendations of corporate governance were treated as mandatory information as per listing requirements for Bursa Malaysia and hence, excluded. The final checklist excluded another twelve items from the original list such as information on data management, computer systems, privacy information held on customers and software security, all of which sub-headed under technology risk for event identification, risk assessment and risk response components, due to the non-applicability of the items to all firms (more than 95% are not disclosing such items). The study finds this does not change the conclusion found in Table 4. The results presented in Table 5 indicate that the governance variable, that is an establishment of a RMC, is still positive and significant using 65 items. The study concluded that the direction of association between RMC towards the extent of firm’s ERM practices is significant and positive although slightly weaker than the original full sample. However for other governance variables that are board independence, institutional ownership and audit quality, the results do not affect firms’ ERM practices. For control variables, the effect remains the same. For a second part of the sensitivity test, the results are tested using the weighted ERM following Desender (2009). This study finds a slightly improve model compared to full sample as in Table 4. The result presented in Table 6 for the association between RMC and firms’ ERM are fully in line with the result in Table 4. Indeed the significant and positive association is much higher than the previous model (P < 0.01). Nonetheless, for the presence of Big Four audit firm the study find positive and significant association with the extent of ERM practices which support the findings found by Desender (2009) and Beasley et al. (2005). Concerning the control variables only size is significant while profit variable is statistically insignificant towards firms’ ERM practices. 5. CONCLUSIONS The study derived the aggregate ERM scores using prior work by Desender (2009) and the COSO-ERM eight components framework, in measuring the relevant control and risk management practices of PLCs. An assessment of control is based upon the Table 4: Summary of the regression analysis results Variables Model 1 Model 2 RMC=0 Model 3 RMC=1 Intercept 19.041** 24.629*** 15.489 RMC 0.240** - - Board independence −0.080 −0.014 −0.127 Institutional ownership 0.002 0.008 −0.038 Big four 0.137 0.184 0.149 Control independent variables Size 0.266** 0.250 0.335* Leverage 0.005 −0.248 0.129 EPS 0.233** 0.317* 0.283 R2 0.344 0.269 0.316 Adjusted R2 0.286 0.141 0.211 F value 5.921*** 2.090* 3.006** ***Significant at the 0.01 level, **Significant at the 0.05 level, *Significant at the 0.1 level. RMC: Risk Management Committee, EPS: Earnings per share Table 5: Summary of sensitivity analysis (1) result Variables Standardized coefficient t Significant (α) Intercept 13.009* 1.904 0.061 RMC 0.231** 2.329 0.022 Board independence −0.077 −0.814 0.418 Institutional ownership 0.000 −0.004 0.997 Big Four 0.108 1.078 0.284 Control independent variables Size 0.284** 2.236 0.028 Leverage 0.050 0.488 0.627 EPS 0.222* 2.065 0.042 R 0.579 R2 0.335 F 5.696*** ***Significant at the 0.01 level, **Significant at the 0.05 level, *Significant at the 0.10 level. RMC: Risk Management Committee, EPS: Earnings per share Table 6: Summary of sensitivity analysis (2) result Variables Standardized coefficient t Significant (α) Intercept 2.625*** 3.941 0.000 RMC 0.297*** 3.021 0.003 Board independence −0.071 −0.760 0.449 Institutional ownership 0.038 0.381 0.704 Big Four 0.198** 1.998 0.049 Control independent variables Size 0.212** 1.684 0.096 Leverage −0.001 −0.015 0.988 EPS 0.177 1.657 0.101 R 0.587 R2 0.345 F 5.944*** ***Significant at the 0.01 level, **Significant at the 0.05 level, *Significant at the 0.10 level. RMC: Risk Management Committee, EPS: Earnings per share Mohd-Sanusi, et al.: Effects of Corporate Governance Structures on Enterprise Risk Management Practices in Malaysia International Journal of Economics and Financial Issues | Vol 7 • Issue 1 • 201712 ICGs issued by Bursa Malaysia (2001) while measurement of risk management effort upon COSO-ERM framework. Information about firms’ specific types of control and risk and related ERM practices is evaluated through their publicly available annual report and the company website. The study explores the extent of firms’ ERM practices derived from the eight components of COSO- ERM framework (Committee of the Sponsoring Organizations of the Treadway Commission, 2004; 2013). Furthermore, the study examines how the existing governance structures including establishment of RMC influence the extent of ERM practices. Consistent with past studies, ERM program increases with an establishment of RMC (Yatim, 2010), board independence (Desender, 2009), institutional ownership (Liebenberg and Hoyt, 2003), and auditor type (Beasley et al., 2005). Firms that established a RMC, who acts like a representative on the board of directors, will provide better oversight on ERM. Firms with higher quality of board, measured through board independence are more likely to provide top support and encouragement to ERM effectiveness. While institutional investors have greater ability to influence firm risk management policy, audit quality measured through auditor type (i.e. Big Four audit firm) are well versed with its knowledge spill over in assisting firms on ERM. As such this study will examines whether these corporate governance will influence ERM practices of public listed firms in Malaysia. An examination of corporate governance mechanisms namely the board independence, institutional ownership, and audit quality including ERM governance structures that is RMC in emerging market such as Malaysia provides useful information to our regulators in enhancing and promoting more transparency and openness through corporate risk management practices. For firms, such findings should urge them to take an integrated approach to ERM which promulgates as the best practice by industry organizations. It is interesting to note that the MCCG added a new function of internal audit role on risk management which requires the internal auditors to assume primary responsibility for monitoring enterprise risk exposures. As highlighted by Manab et al. (2007) risk management should not be led by the internal audit division as this would contradicts their independent roles. In view of this, thus it is suggested that government should enhance risk management initiatives by making compulsory requirement of establishing a RMC on public listed firms in Malaysia. While this study provides some insights into firms’ ERM practices in Malaysia, it is subjected to a number of limitations. First, the study use publicly available data to proxy the extent of firms’ ERM practices. To the extent that annual report does not reflect the true state of control and risk management practices, the results are limited. Second, there may be other organizational governance characteristics of ERM deployments that were not reflected in this study. For example, board compositions such as board size, Chairman-CEO separation, board expertise, and ownership concentration are some variables not included in this study. Recent corporate governance scandals have significantly increased expectations about the roles of corporate governance participants including regulators and local and international investors. Some of these expectations relate to calls for expanded risk management activities. Research methods such as interviews and surveys may be complementary to the archival data method in order to provide more meaningful insights to findings of the study. There is a need for future research on the role of holistic risk management as it is relatively an unexplored field. Future empirical research should spawn on the issue of ERM effectiveness particularly on specific way that ERM enhances shareholder value. This may include ways to measure risks that is non-quantifiable in nature. 6. ACKNOWLEDGMENTS We would like to thank the Accounting Research Institute and the Research Management Institute, Universiti Teknologi MARA, in collaboration with the Ministry of Education of Malaysia, for providing support to this project. We are grateful for the grant, without which we would not be able to conduct this study. REFERENCES Abdul-Wahab, E.A., How, J., Verhoeven, P. (2008), Corporate governance and institutional investor: Evidence from Malaysia. Asian Academy of Malaysian Journal of Accounting and Finance, 4(2), 67-90. Beasley, M.S., Branson, B.C., Hancock, B.V. (2010), Enterprise Risk Oversight: A Global Analysis CIMA and AICPA Research Series. Raleigh: North Carolina University College of Management. Beasley, M.S., Clune, R., Hermanson, D.R. (2005), Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy, 24, 521-531. Beasley, M.S., Pagach, D., Warr, R. (2008), The information conveyed in hiring announcements of senior executives overseeing enterprise- wide risk management processes. Journal of Accounting, Auditing and Finance, 23(3), 313-331. Beattie, V., McInnes, W., Fearnley, S. (2004), A methodology for analysing and evaluating narratives in annual reports: A comprehensive descriptive profile and metrics for disclosure quality attributes. Accounting Forum, 28(3), 205-236. Borokhovich, K.A., Brunarski, K.R., Crutchley, C.E., Simkins, B.J. (2004), Board composition and corporate investment in interest rate derivatives. Journal of Financial Research, 27(2), 199-216. Bursa Malaysia. (2001), Kuala Lumpur Stock Exchange (KLSE) Listing Requirements 2001. Kuala Lumpur: KLSE. Cernaukas, D.A., Sury, S.M., Tarantino, A.G. (2009), Risk Management in Finance: Six Sigma and other Next Generation Techniques. New Jersey: Wiley. Committee of the Sponsoring Organizations of the Treadway Commission. (2004), Enterprise Risk Management, Integrated Framework (COSO- ERM Report). New York: AICPA. Committee of the Sponsoring Organizations of the Treadway Commission. (2013), Internal Control - Integrated Framework (2013). Available from: http://www.coso.org/documents. [Last accessed on 2014 Nov 10]. Cooke, T.E. (1989), Voluntary disclosure by Swedish companies. Journal of International Financial Management and Accounting, 1(2), 171-195. Desender, K. (2009), On the determinants of enterprise risk management implementation (Working Paper). Available from: http://www.ssrn. com/abstract=1025982. [Last accessed on 2009 Dec 27]. Dionne, G., Triki, T. (2004), On risk management determinants: What Mohd-Sanusi, et al.: Effects of Corporate Governance Structures on Enterprise Risk Management Practices in Malaysia International Journal of Economics and Financial Issues | Vol 7 • Issue 1 • 2017 13 Really matters? (Working Paper, No.04-04). Canada Research Chair in Risk Management, HEC Montréal. Deloitte. (2013), Setting a higher bar. Global Risk Management Survey. 8th ed. Available from: https://www.www2.deloitte.com/content/ dam/Deloitte/global/Documents/Financial-Services/dttl-fsi-us-fsi- aers-global-risk-management-survey-8thed-072913.pdf. Fama, E.F., Jensen, M.C. (1983), Separation of ownership and control. Journal of Law and Economics, 26(2), 301-326. Fraser, I., Henry, W. (2007), Embedding risk management: Structures and approaches. Managerial Auditing Journal, 22(4), 392-409. Haniffa, R.M., Cooke, T.E. (2002), Culture, corporate governance and disclosure in Malaysian Corporations. Abacus, 38(3), 317-349. Harvey, C.R., Roper, A.H. (1999), The Asian bet. In: Harwood, A., Litan, R.E., Pomerleano, M., editors. Financial Markets and Development: The Crisis in Emerging Markets. Washington, USA: Brookings Institution Press. p29-116. Hoyt, R.E., Moore, D.L., Liebenberg, A.P. (2006), The Value of Enterprise Risk Management: Evidence from the U.S. Insurance Industry (Working Paper). Available from: http://www.aria.org/ meetings/2006papers/Hoyt_Liebenberg_ERM_070606.pdf. [Last accessed on 2010 Jan 10]. Institute of Internal Auditors Malaysia. (2012), Statement on Risk Management & Internal Control: Guidelines for Directors of Listed Issuers. Available from: http://www.iiam.com.my/wp-content/ uploads/2015/12/guideline-risk-management-new1.pdf. Kleffner, A., Lee, R., McGannon, B. (2003), The effect of corporate governance on the use of enterprise risk management: Evidence from Canada. Risk Management and Insurance Review, 6(1), 53-73. Lam, J. (2001), The CRO is here to stay. Risk Management, 48(4), 16-22. Liebenberg, A.P., Hoyt, R.E. (2003), The determinants of enterprise risk management: Evidence from the appointment of Chief Risk Officers. Risk Management and Insurance Review, 6(1), 37-52. Linsley, P.M., Shrives, P.J. (2006), Risk reporting: A study of risk disclosures in the annual reports of UK companies. The British Accounting Review, 38(4), 387-404. Manab, N.A., Kassim, I., Hussin, M.R. (2007), Enterprise-Wide Risk Management (EWRM) Practices: Between Corporate Governance Compliance and Value Creation (Working Paper). McNally, J.S. (2013), The 2013 COSO Framework and SOX compliance: One approach to an effective transition. Available from: http://www. coso.org/documents/COSO. Miccolis, J., Shah, S. (2000), Enterprise risk management: An analytic approach. Tillinghast - Towers Perrin. Available from: http://www. tillinghast.com. [Last accessed on 2009 Dec 07]. Ping, T.A., Muthuveloo, R. (2015), The impact of enterprise risk management on firm performance: Evidence from Malaysia. Asian Social Science, 11(22), 149-159. Ponnu, C. (2008), Corporate governance structures and the performance of Malaysian public listed companies. International Review of Business Research Papers, 4(2), 217-230. Securities Commission. (2012), The Malaysian Code on Corporate Governance. Available from: https://www.sc.com.my/wp-content/ uploads/eng/html/cg/cg2012.pdf. [Last accessed on 2013 Nov 10]. Shleifer, A., Vishny, R. (1997), A survey of Corporate Governance. Journal of Finance, 52, 737-775. Simkins, B., Ramirez, S.A. (2008), Enterprise-wide risk management and corporate governance. Loyola University Chicago Law Journal, 39, 571-584. Stulz, R.M. (2009), Ways companies mismanage risk. Harvard Business Review, 87(3), 86-94. Subramaniam, M., McManus, L., Zhang, J. (2009), Corporate governance, board characteristics and Risk Management Committee. Managerial Auditing Journal, 24(4), 316-339. Wan Daud, W.N., Yazid, A.S. (2009), A conceptual framework for the adoption of enterprise risk management in government linked companies. International Review of Business Research Papers, 5(5), 229-238. Yatim, P. (2010), Board structures and the establishment of a risk management committee by Malaysian listed firms. Journal of Managerial Governance, 14, 17-36.