Abstract
The integration of risk into management control has recently received increased attention in the management accounting and control literature. Much of this research has focused on the organizational and individual actor level. However, some studies suggest that the integration of risk into the organizational control package may equally be influenced by forces operating at other levels of analysis– including the economic and political level and the organizational field level. In this guest editorial for the special issue on “Courageous Risk Governance: Enabling Resilience, Autonomy, and New Thinking,” I therefore discuss how our collective understanding of the integration of risk into management control could be enhanced by research at multiple levels of analysis. The papers included in this special issue show that when this integration is successfully managed, organizations can achieve valuable outcomes, such as increased resilience. For both practitioners and academics, future research on such integration therefore seems fruitful and necessary. This article provides ideas for particularly relevant questions about this integration and for theories that can guide such research.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
1 Risk and management control systems
During the past few years, management accounting and control scholars have increasingly started to study risk management, risk governance, and their integration with other management control systems. For instance, in a recent review, Braumann et al. (2024) have analyzed research on enterprise risk management (ERM), an approach to study organization-wide risks holistically, from a management control perspective. They identified 69 articles in this domain, of which the vast majority has been published after 2010. At the organizational level, Braumann et al. (2024) found that there are various connections between risk management and other control systems and they suggest a complementarity perspective to further analyze the role of risk management as part of the organizational control package. If such integration is successful, organizations may gain increased risk awareness and other risk-related outcomes (Braumann, 2018), but may also benefit from improved resilience, autonomy, and new thinking. The latter was the focus of our call for papers that led to this special issue of the Journal of Management Control. Besides this focus on far-reaching organizational outcomes of forward-looking risk management and risk governance approaches, the special issue sought to investigate, in particular, the integration of risk into management control for reaching such outcomes.
The increased interest in the management accounting and control literature in risk management, risk governance and other forms of steering risk is often attributed to the financial crisis of 2008 and its aftermath (e.g., Braumann et al., 2024; Huber & Scheytt, 2013; Soin & Collier, 2013; van der Stede, 2011). This aftermath includes various new forms of regulation, professional frameworks and research paradigms that aim to modernize traditional approaches to risk management and make them more strategic and better intertwined with other business operations (e.g., Committee of Sponsoring Organizations of the Treadway Commission 2017; Prewett & Terry, 2018; Stein & Wiedemann, 2016). Although the impact of such frameworks and paradigms remains in debate (e.g., Arena et al., 2017; Crawford & Jabbour, 2024; Huber & Scheytt, 2013; Kaplan & Mikes, 2016; Power, 2009), most commentators agree that these frameworks have had an impact on how contemporary organizations perceive and try to handle risk (Hayne & Free, 2014; Viscelli et al., 2016).
In line with a more holistic view towards risk as proposed by ERM proponents such as COSO (2017), recent studies have presented evidence that risk is increasingly integrated into and affects the functioning of management control systems (Bracci et al., 2022; Braumann, 2018; Braumann et al., 2020; Posch, 2020; Rana et al., 2019b). While these studies have documented the fact that risk management and management control increasingly converge in many organizations, this cannot be observed in the same way in all organizations and, consequently, there is considerable variance between organizations in how such (non-)integration may play out (Mikes, 2009). Mikes and Kaplan (2013) have therefore advocated a contingency theory of risk management that may help to disentangle the factors driving the implementation of risk management and its integration with other control systems.
However, as shown in the recent review by Braumann et al. (2024), it still seems a long way before we arrive at a full understanding of why organizations deal with risk the way they do, and how they consequently integrate risk with their management control systems. Likewise, we still have limited knowledge of what organizations might gain from specific approaches of dealing with risk and their interplay with other management control systems (Braumann et al., 2024). While Braumann et al. (2024) primarily proposed to look at the organization-level complementarity between risk management and other management accounting and control systems, studies such as Hayne and Free (2014) suggest that the current prominence of risk management frameworks such as COSO can also be attributed to skillful institutional work that is performed beyond individual organizations and at the organizational field level or the more general political and economic level. In addition, there is evidence that such institutional work does not lead to the same outcomes in all countries. Regulation of risk management, which also affects its integration into management control, shows considerable variance between countries (e.g., Bledow et al., 2019; Maffei, 2021; Maffei & Spanò, 2021). How risk management is performed and integrated into management control is thus not a choice that is purely organizational or driven by individual actors but is considerably affected by the larger political and economic environment. In this guest editorial, I thus propose that future research on the integration of risk into management control systems should not only look at the organizational level and the individual level (although these continue to be important), but should also increasingly incorporate other levels of analysis, including: the economic and political level, the organizational-field level, and the more micro level of multiple actors.
In Sect. 2, I detail how future research could make use of these various levels of analysis to deepen our collective understanding of the integration of risk into management control systems. In Sect. 3, I then discuss how the articles included in this special issue contribute to such understanding. Section 4 concludes this guest editorial with its most important implications.
2 Towards a deeper understanding across multiple levels of analysis
There are various classifications of how different levels of analysis can be classified in organizational research and psychology (e.g., Coleman, 2000; Dansereau et al., 1984; Dionne et al., 2014; Hofstede et al., 1993). Many of these classifications primarily look at the organizational level as the macro level of analysis, and sub-organizational levels, such as teams and individuals, as micro levels of analysis (e.g., Foss et al., 2010; Yammarino et al., 2005). For this article, I adopt the idea that there are sub-organizational levels, which are important to understand how risk management is integrated into management control. As indicated by prior research, individual actors, such as risk experts or controllers, may indeed be highly influential in this regard (Braumann et al., 2024; Hall et al., 2015; Tillema et al., 2022). At the same time, interactions between groups of actors– for instance, between risk managers and management accountants (Giovannoni et al., 2016), or between risk managers and operational managers (Hall et al., 2015; Mikes, 2009)– may also contribute to explaining how risk is (not) integrated into management control, and why there are variations of such integration not just between, but also within, large organizations. For sub-organizational levels of analysis, I therefore distinguish between the level of individual actors and the level of multiple actors (see Fig. 1).
As indicated in Sect. 1, risk management phenomena are often driven by factors that lie beyond individual organizations, but are determined in organizational fields or at the economic and political level. This notion is not uncommon for accounting phenomena as they are often driven by law and regulation (Dennis, 2013). To better understand how accounting phenomena are framed at such macro levels, and how they may affect and are affected by organizational fields and individual organizations, Dillard et al. (2004) proposed a three-level model consisting of the economic-political level, the organizational-field level, and the organizational level. For structuring the following discussion, I therefore additionally include these three levels of analysis.
The resulting five levels of analysis are shown in Fig. 1. Importantly, these five levels of analysis do not work in isolation but, as explained in detail by Dillard et al. (2004), do affect each other (see the arrows between levels in Fig. 1). Additionally, the effects from one level to the other are not necessarily hierarchically cascading as depicted in Fig. 1. For instance, the institutions at the economic and political level may not only be influenced by organizational fields, but could also be affected by individual organizations, group of actors or individual actors. Relatedly, while the following discussion is structured along the five levels of analysis, research does not need to be strictly focused on one level of analysis, but may focus on multi-level or cross-level effects (Yammarino et al., 2005). The following potential topics for future research and theories to address such topics are illustrative only but shall now be detailed to showcase their potential influence on how risk is integrated into management control.
Future research on the integration of risk into management control across multiple levels of analysis
3 Economic and political level
The most macro level considered here, the economic and political level, is focused on the overarching political, economic, and social issues in a given society. Norms and values that are shaped and changed at this level can be expected to influence the members of the given society (Dillard et al., 2004). Viewed from an institutional-theory perspective, norms and values represent institutions that can more broadly be defined as taken-for-granted assumptions that guide our everyday behavior (Harmon, 2019). However, those institutions do not develop out of “thin air,” but are influenced and changed by organizational fields, individual organizations, and actors inhabiting a society (Barley & Tolbert, 1997; Englund & Gerdin, 2018; Hiebl, 2018).
Applied to the study of risk management, risk governance, and management control, we can expect that laws or regulations that call for greater integration of risk into management control are shaped by certain actors at the economic and political level. For instance, in its most recent edition, the ERM framework by Committee of Sponsoring Organizations of the Treadway Commission (2017) more prominently stresses the integration of risk management, strategy work, and performance, clearly pointing to greater integration of risk into traditional management control practices, such as strategic planning and performance management (Balakrishnan et al., 2019; Bracci et al., 2022). However, not all countries have equally adopted such integration principles into their national laws and regulations (Bledow et al., 2019; Maffei & Spanò, 2021). For instance, Rana et al. (2019a) analyze the case of regulatory reform in Australia that aimed to better integrate risk and performance into public sector entities. They conclude that an overly strong focus on compliance and regulatory accountability hindered closer integration of risk into performance management practices. The case study by Rana et al. (2019a) can thus be read as showcasing how national regulation affects the integration of risk into management control. Given clear variation in risk management laws and regulations between countries (Bledow et al., 2019; Maffei & Spanò, 2021), it would be interesting to understand how such variation has emerged, and thus better recognize potential differences between countries in terms of the integration of risk into management control. Such research could also pave the way for regulators and policymakers to better understand what steps might be needed to achieve increased integration of risk into management control, if so desired.
For such research, various strands of institutional theory might be suitable theoretical lenses. For instance, institutional work perspectives (Canning & O’Dwyer, 2016; Lawrence et al., 2009, 2011; Modell, 2022) could be useful to analyze how various actors try to push risk-related law and regulation towards their desired direction and what tactics they apply in this endeavor. Likewise, institutional logics perspectives (Thornton et al., 2012; Thornton & Ocasio, 2008) could be used to analyze how the prevalence of certain logics in a society change over time and how this affects the making and changing of law and regulation on risk and its integration into organizational control systems.
3.1 Organizational field level
The organizational field level is primarily concerned with the context in which individual organizations and actors are embedded, such as industries, markets, or professional associations (Dillard et al., 2004; Quinn & Hiebl, 2018). As argued by Barley & Tolbert, 1997, p. 93), individual actors and organizations are “suspended in a web of values, norms, rules, beliefs, and taken-for-granted assumptions, that are at least partially of their own making.”
A prime example of institutions that have been created at the organizational field level is the ERM framework by the Committee of Sponsoring Organizations of the Treadway Commission (2017). This committee– now regularly known as COSO– was formed in 1985 and is supported by five US professional associations, including the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA). The COSO board is comprised of board members from each of these five associations, and a chairperson (Hayne & Free, 2014; Landsittel & Rittenberg, 2010). Amongst other activities, COSO is active in the organizational field of risk managers and, most famously, has issued ERM frameworks that have much influenced field-level actors and individual organizations (Jemaa, 2022).
Drawing on an institutional work perspective, Hayne and Free(2014) provide a detailed account of how the initial COSO ERM framework published in 2004 gained influence and popularity over time. As indicated above, the latest and revamped edition of this framework was published in 2017, long afterHayne and Free(2014) finished their data collection in 2012. Since this latest edition of the framework has stronger links to organizational operations, strategy, and performance–and thus management control (Balakrishnan et al., 2019)– it would be interesting to study how these changes have been developed at the organizational field level and why a stronger integration of risk and management control is now purported by COSO. Likewise, such research could also illuminate reasons why this and other international (e.g., the ISO 31,000 “Risk Management Guidelines”) and national risk management frameworks have gained varying popularity in individual countries (Bledow et al., 2019; Hunziker & Durrer 2021; Maffei & Spanò, 2021). From such research, we could gain a better understanding of why, across countries or fields, risk management frameworks have varying influence on the integration of risk into management control.
As suggested by Hayne and Free (2014), the institutional work perspective (Lawrence et al., 2009, 2011) again seems a useful theoretical lens to make sense of empirical material from specific organizational fields. Likewise, approaches rooted in structuration theory (Englund et al., 2011; Englund & Gerdin, 2008; Giddens, 1984) and the paradox of embedded agency (Englund & Gerdin, 2018; Hiebl, 2018) might also help to uncover how field actors that are influenced by institutionalized risk management frameworks may nevertheless engage in changing these very frameworks. Anyhow, given the considerable impact of COSO and field-level associations on the practice of risk management and, at the same time, little research effort targeted at the political and economic level and the organizational field level so far, there is much room to contribute to a better understanding of how the integration of risk into management control gets promoted and potentially institutionalized at these macro levels of analysis.
3.2 Organizational level
The organizational level of analysis, as understood in this article, is concerned with comparisons between organizations that consider these organizations as a whole. Organization-level studies thus do not address finer differences between sub-organizational units or actors. Typical organization-level studies in management accounting, management control or risk management research compare organizations in terms of implemented practices and analyze why these practices are in place, and what these organizations might gain (or lose) from such practices. This may include questions regarding why and how certain risk management and other management control practices complement or substitute each other at the corporate level, and what effects from such complementarity or substitution the organization as a whole might face (Braumann et al., 2024).
Thus far, the organizational level of analysis is probably the most researched in terms of why and how risk is integrated into management control or not, and existing research sheds light on a series of antecedents of such integration, and its outcomes and associated mediators or moderators (Braumann et al., 2024). However, many of these works have delivered insights on this integration more or less in passing and it was not the prime focus of their research efforts. For instance, many qualitative research studies offer a plethora of insights into how risk management is performed and how it interacts with other practices, and thereby also offer some insights into its integration with other management control devices (e.g., Arena et al., 2010; Arena et al., 2017; Hall et al., 2015; Mikes, 2009).
For more focused efforts on researching the integration of risk into organizational control packages, Braumann et al. (2024) advocate complementarity theory as a useful lens to study the interplay between risk management and other control devices and its outcomes. As the paper by Braumann et al. (2024) is fairly recent, there is no need to echo their recommendations here. But apart from complementarity approaches, contingency approaches as suggested by Mikes and Kaplan (2013) might also be useful to study the fit between organizational antecedents and risk and control practices, and the outcomes of such fit. While these complementarity and contingency approaches are mostly geared towards quantitative research, other theoretical lenses might also be useful to study the integration of risk into management control at the organizational level. For instance, the institutional logics perspective (Thornton & Ocasio, 2008; Thornton et al., 2012) cannot only be applied at the economic and political level, but also might be useful to tease out differences between organizations in terms of the integration of risk into management control. This perspective has already been applied recently in accounting studies of risk management (Metwally & Diab, 2021; Murr & Carrera, 2022) and, from the evidence presented there, it can be assumed that varying levels of integration of risk into management control across organizations could be rooted in different emphases of organizations on institutional logics, such as compliance or performance logics. Institutional logics may also compete with each other in specific organizations (Besharov & Smith, 2014; Pache & Santos, 2013), and may thus hinder or foster the integration of risk into management control. As this example of institutional logics should illustrate, organization-level studies of the integration of risk into management control not only offer much room for further quantitative research, but also for qualitative research.
3.3 Multiple actors’ level
This level of analysis is often referred to in organizational research and psychology as the team or group level of analysis (e.g., Chan, 2019; Yammarino et al., 2005). However, for the purpose of this article, the more general term “multiple actors’ level” is used, since the integration of risk into management control systems is likely to not only occur within a strictly defined team or group, but also across organizational departments, such as risk management and management accounting units (Giovannoni et al., 2016). So, the multiple actors’ level of analysis refers to the study of phenomena that arise through the interplay of multiple individual actors within an organization.
The integration of risk into the organizational control package seems generally possible through three different routes (Braumann et al., 2024):
1. the combined use of separate risk management (e.g., tone from the top) and management control practices (e.g., interactive use of budgets) that collectively secure the adequate integration of risk into management control (cf. Braumann et al., 2020);
2. one or several integrative tools that merge elements from risk management and management control in a single tool, such as risk-based forecasting and planning (Ittner & Michels, 2017), or a balanced scorecard with included risk measures (Cheng et al., 2018);
3. a combination of routes 1 and 2.
As indicated in prior research on specific practices that integrate risk into management control (Jordan et al., 2013; Themsen & Skærbæk, 2018), it seems likely that several actors are involved in the implementation and use of such practices. This interaction between multiple actors may run smoothly, but may also lead to challenges– for instance, due to the incompatibility between actors and practices (Tillema et al., 2022) or diverging political interests between the involved actors (Giovannoni et al., 2016). Another challenge could be the limited top management visibility of approaches that integrate risk and management control (Viscelli et al., 2017). Several available studies stress that such visibility is important for top management attention on the integration of risk into management control (Arena et al., 2017; Meidell & Kaarbøe, 2017; Mikes, 2009). However, such visibility may also be contested if risk managers and management accountants compete for top management access (Giovannoni et al., 2016). From all these findings from the present literature, it is apparent that the smooth interplay between several individual actors seems to be an important condition for a successful integration of risk into management control. While some existing studies offer insights on this interplay (Giovannoni et al., 2016; Arena et al., 2010), their numbers are still small, often focused on risk experts and less so on other actors, and suggest that the interplay is very much context-bound. Further studies are thus needed to shed more light on how the interaction between multiple actors enables the adequate integration of risk into management control in other contexts, and should not only focus on risk managers, but include the interaction between other types of actors, such as controllers, internal auditors, operational managers, and top managers.
Some useful theoretical approaches to analyze the integration of risk into management control at the level of multiple actors include various strands of institutional theory, such as organizational rules and routines (Burns & Scapens, 2000; Quinn, 2011, 2014; Quinn & Hiebl, 2018). After their implementation, practices that integrate risk and management control may be repeated, eventually routinized and institutionalized (Burns & Scapens, 2000; Quinn, 2011). While this theoretical possibility is probably widely accepted, it remains an open question how this process may unfold and how potentially diverging interests between the involved actors (e.g., controllers, risk managers, internal auditors, operational managers, top managers) can be dissolved. The detailed frameworks for analyzing such routinization processes in the management accounting literature (Burns & Scapens, 2000; Quinn, 2011; Quinn & Hiebl, 2018; ter Bogt, Henk & Scapens, 2019) offer rich guidance on what factors and dynamics are most important to assess and understand in this regard.
Likewise, if research is not focused on a single integrative tool combining risk and management control, but on the interplay between separate risk management and management control practices, the routines literature can offer valuable theoretical guidance. For instance, Kremser and Schreyögg (2016) have introduced the idea of routine clusters and offer a framework to analyze under what conditions interrelated routines– such as risk management and management control routines (Nguyen et al., 2023; Pentland, 2016)– may offer beneficial outcomes.
3.4 Individual actors’ level
The last level of analysis considered in this article is the level of individual actors, which focuses on and compares individuals in organizational roles, such as leaders or subordinates (Yammarino et al., 2005). Indeed, several articles in the accounting literature on risk management have focused on individual actors, such as risk managers, risk experts, risk owners, chief financial officers (CFOs) or controllers (e.g., Hall et al., 2015; Ittner & Oyon, 2020; Tillema et al., 2022), and several more offer some information about these individual actors’ roles “in passing” (for an overview, see Braumann et al., 2024).
As reported in this literature, it seems far from easy for individual actors to successfully engage in the integration of risk into management control. For instance, based on a case study of a large European bank, Tillema et al. (2022) report the challenges experienced by management accountants when assigned to progressive roles in risk management. In this case, the respective management accountants experienced considerable ambiguity in their new roles, and eventually moved back to their incumbent, less progressive roles. How the role of management accountants, controllers or other actors can be successfully enhanced with risk management duties, so that the integration of risk into management control can be driven by these actors, remains an open question. At the same time, this question seems very important, given that, in many organizations, risk management and management accounting and control increasingly converge.
Similar to Tillema et al. (2022), future research along these lines could be based on role theory (e.g., Katz & Kahn, 1978) and the long-standing and rich literature on controllers’ (changing) roles and identities (for a review of this literature, see Wolf et al., 2020). Likewise, future research might draw on approaches rooted in practice theory (e.g., Schatzki, 2002). Such approaches could be used to better understand the actual “set of doings and sayings linked by practical understandings” (Schatzki, 2002, p. 87) of actors mandated with a closer integration of risk into management control. For a recent application of this approach to analyzing risk management, see Moschella et al. (2023).
4 Contributions in this special issue
Research on issues related to the steering of risk, such as suggested in Sect. 2, have long been the focus of the annual conferences on risk governance at the University of Siegen, Germany. The associated special issues emanating from these conferences have, for instance, looked at how specific actors and their organizational roles shape risk governance (Hiebl et al., 2018), how sustainability reporting and risk governance interact (Bischof et al., 2022), how risk management and risk governance change over time (Hiebl, 2022), and how research on risk governance can evolve from theoretical framing to empirical testing (Hiebl, 2019). The 2022 edition of this conference featured the general theme “Courageous Risk Governance: Enabling Resilience, Autonomy, and New Thinking” and the associated special issue in the Journal of Management Control invited researchers to specifically look into how such forward-looking risk governance might interact with management accounting and control systems. After a scrutinous review process, five papers could be selected for inclusion in this special issue. They all contribute to a better understanding of how risk management and risk governance can facilitate resilience, autonomy, and new thinking, and shed light on how the integration of risk into management accounting and control systems can help in this endeavor.
The first paper by Eichholz et al. (2024) is based on a survey of German medium-sized and large firms that was conducted in 2021 and thus in the midst of the COVID-19 crisis. The paper looks at the effect of general risk management orientation on the planning function of budgeting in explaining the level of organizational resilience. Among other findings, Eichholz et al. (2024) report that a generally stronger risk management orientation is related to higher levels of adaptive capabilities in times of crisis, and in turn, competitive advantage. While Eichholz et al. (2024) also find a positive association between risk management orientation and a focus on planning, planning did not emerge as being significantly related to competitive advantage. The paper thereby delivers further insights on the interplay between risk management aspects and management control devices, and reinforces the idea that risk management can be an important factor in developing organizational resilience in times of crisis.
Also focused on the interplay between risk management and management control is the paper by Monazzam and Crawford (2024). This paper is based on a case study of a Swedish iron ore producer and illustrates how a firm moved from a rather traditional approach to risk management that was little integrated with other management control devices, to an ERM approach that was more closely aligned with other management controls systems. Monazzam and Crawford (2024) stress the pivotal role of individual actors, such as the firm’s CFO and the chief risk officer (CRO), that pushed for closer consideration of risk in strategic planning, supplier selection, and investment decisions, and thus a stronger integration of risk into the organizational control package. In turn, such integration facilitated the development of resilience resources and capabilities over time, highlighting the potential benefits of this integration.
Similarly, but for much smaller firms, the cross-sectional field study by Riepl et al.(2024) examines how mid-sized family firms reacted to the COVID-19 crisis by developing their risk management approaches. Different from larger firms, the study shows that family firms often feature a mix of more formal and informal approaches to managing risk. Informal risk management may, for instance, occur via discussions in the controlling family over a meal, while more formal risk management was found to be closely related to other control practices, such as sales, liquidity, and investment planning (Riepl et al., 2024). According to the findings of Riepl et al. (2024), during the COVID-19 crises, both informal and formal approaches to risk management were strengthened, and functioned as complements in mastering the crisis and strengthening the studied family firms’ resilience. Given that the formal risk management practices studied by Riepl et al.(2024) were closely related to or part of traditional management accounting and control instruments, these findings can be viewed as another indication that integrated risk and management control practices help to increase organizational resilience.
Likewise, the study by Bruno et al. (2024) examines the (dis-)integration of performance management and risk management. Methodologically, it is based on a case study of an Italian regional government and draws on a series of official documents and interviews. While Bruno et al. (2024) find that on paper– that is, in the official documents and written governmental plans– performance management and risk management were indeed integrated, this integration was rather weak at the operational level as reported in the interviews conducted by the authors. In addition, Bruno et al. (2024) highlight several factors that favored or hindered the integration of performance management and risk management. Importantly, the paper thus shows that government officials may be cognizant of the importance of integrating risk in management control but may experience operational challenges in implementing such integration.
Finally, and zooming in on this integration, Röser (2024) conceptually develops an approach that should better account for risk in the analysis of product life-cycles. Life-cycle costing is a well-established management control practice that aims to assess the total costs that can be expected over the entire life-cycle of a product or a system (Rödger et al., 2018). However, as argued by Röser (2024), the existing approaches to such costing have not adequately accounted for risks that may occur over the life-cycle. Röser (2024) therefore develops such an approach and uses a simulation to illustrate the integration of risk factors in product life-cycle calculations. He shows that, with this approach, decision-makers can benefit from more detailed risk information and, in turn, improved risk assessments could also benefit risk reporting and, more generally, an organization’s resilience, due to more detailed and more robust risk information.
Collectively, all papers in this special contribute to furthering our understanding of integrating risk in management control, and the potential effects of such integration on organizational outcomes such as resilience. Similar to other available studies on integrating risk management and management control (see Sect. 2), the papers in this special issue are mostly situated at the organizational level and shed some light on the relevance of individual actors. The call for more research on other levels of analysis as voiced in Sect. 2 therefore can be upheld.
5 Conclusions
This guest editorial aimed to introduce the Journal of Management Control special issue on “Courageous Risk Governance: Enabling Resilience, Autonomy, and New Thinking” and provide some food for thought on how research on the integration of risk into management control may progress in the future across multiple levels of analysis. After a rigorous peer-review process, five excellent papers could be selected for inclusion in this special issue. They all contribute to our collective understanding of the integration of risk into management control and shed light on various contexts in which such integration may occur. Additionally, all papers highlight that there is much to be gained from such integration, including the strengthening of organizational resilience. Besides the important suggestions for future research provided in the five individual papers in this issue, I hope that fellow researchers will find the suggestions on future research across multiple levels of analysis interesting.
I would like to express my sincere thanks to all authors who submitted their work for consideration in this special issue and to the anonymous reviewers for their excellent and constructive feedback to the authors. My special thanks go to the Managing Editors of the Journal of Management Control, Thomas Günther and Frank Verbeeten, for featuring this special issue in the journal, for outstanding guidance in managing the peer review process, and for taking on large parts of the work in this process.
References
Arena, M., Arnaboldi, M., & Azzone, G. (2010). The organizational dynamics of Enterprise Risk Management. Accounting Organizations and Society, 35(7), 659–675. https://doi.org/10.1016/j.aos.2010.07.003.
Arena, M., Arnaboldi, M., & Palermo, T. (2017). The dynamics of (dis)integrated risk management: A comparative field study. Accounting Organizations and Society, 62, 65–81. https://doi.org/10.1016/j.aos.2017.08.006.
Balakrishnan, R., Matsumura, E. M., & Ramamoorti, S. (2019). Finding Common Ground: COSO’s control frameworks and the levers of Control. Journal of Management Accounting Research, 31(1), 63–83. https://doi.org/10.2308/jmar-51891.
Barley, S. R., & Tolbert, P. S. (1997). Institutionalization and structuration: Studying the links between Action and Institution. Organization Studies, 18(1), 93–117. https://doi.org/10.1177/017084069701800106.
Besharov, M. L., & Smith, W. K. (2014). Multiple institutional logics in Organizations: Explaining their varied nature and implications. Academy of Management Review, 39(3), 364–381. https://doi.org/10.5465/amr.2011.0431.
Bischof, J., Dutzi, A., & Gros, M. (2022). Sustainability reporting and risk governance. Journal of Business Economics, 92(3), 349–353. https://doi.org/10.1007/s11573-022-01096-7.
Bledow, N., Sassen, R., & Wei, S. O. S. (2019). Regulation of enterprise risk management: A comparative analysis of Australia, Germany and the USA. International Journal of Comparative Management, 2(2), 96. https://doi.org/10.1504/IJCM.2019.100856.
Bracci, E., Mouhcine, T., Rana, T., & Wickramasinghe, D. (2022). Risk management and management accounting control systems in public sector organizations: A systematic literature review. Public Money & Management, 42(6), 395–402. https://doi.org/10.1080/09540962.2021.1963071.
Braumann, E. C. (2018). Analyzing the role of risk awareness in Enterprise Risk Management. Journal of Management Accounting Research, 30(2), 241–268. https://doi.org/10.2308/jmar-52084.
Braumann, E. C., Grabner, I., & Posch, A. (2020). Tone from the top in risk management: A complementarity perspective on how control systems influence risk awareness. Accounting Organizations and Society, 84, 101128. https://doi.org/10.1016/j.aos.2020.101128.
Braumann, E. C., Hiebl, M. R. W., & Posch, A. (2024). Enterprise Risk Management as Part of the Organizational Control Package: Review and implications for Management Accounting Research. Journal of Management Accounting Research, 1–23. https://doi.org/10.2308/JMAR-2021-071.
Bruno, A., Bracci, E., D’Amore, G., & Ievoli, R. (2024). The integration of performance management and risk management in the public sector: An empirical case. Journal of Management Control.
Burns, J., & Scapens, R. W. (2000). Conceptualizing management accounting change: An institutional framework. Management Accounting Research, 11(1), 3–25.
Canning, M., & O’Dwyer, B. (2016). Institutional work and regulatory change in the accounting profession. Accounting Organizations and Society, 54, 1–21. https://doi.org/10.1016/j.aos.2016.08.001.
Chan, D. (2019). Team-Level constructs. Annual Review of Organizational Psychology and Organizational Behavior, 6(1), 325–348. https://doi.org/10.1146/annurev-orgpsych-012218-015117.
Cheng, M. M., Humphreys, K. A., & Zhang, Y. Y. (2018). The interplay between strategic risk profiles and presentation format on managers’ strategic judgments using the balanced scorecard. Accounting Organizations and Society, 70, 92–105. https://doi.org/10.1016/j.aos.2018.05.009.
Coleman, J. S. (2000). Foundations of social theory (3rd ed.). Belknap Press of Harvard Univ.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2017). Enterprise Risk Management Integrating with Strategy and Performance. https://www.coso.org/guidance-erm.
Crawford, J., & Jabbour, M. (2024). The relationship between enterprise risk management and managerial judgement in decision-making: A systematic literature review. International Journal of Management Reviews, 26(1), 110–136.
Dansereau, F., Alutto, J. A., & Yammarino, F. J. (1984). Theory testing in organizational behavior: The varient approach. Prentice Hall.
Dennis, I. (2013). The Nature of Accounting Regulation. Routledge.
Dillard, J. F., Rigsby, J. T., & Goodman, C. (2004). The making and remaking of organization context: Duality and the institutionalization process. Accounting Auditing & Accountability Journal, 17(4), 506–542. https://doi.org/10.1108/09513570410554542.
Dionne, S. D., Gupta, A., Sotak, K. L., Shirreffs, K. A., Serban, A., Hao, C., et al. (2014). A 25-year perspective on levels of analysis in leadership research. The Leadership Quarterly, 25(1), 6–35. https://doi.org/10.1016/j.leaqua.2013.11.002.
Eichholz, J., Hoffmann, N., & Schwering, A. (2024). The role of Risk Management Orientation and the planning function of budgeting in enhancing Organizational Resilience and its Effect on competitive advantages during times of crises. Journal of Management Control.
Englund, H., & Gerdin, J. (2008). Structuration theory and mediating concepts: Pitfalls and implications for management accounting research. Critical Perspectives on Accounting, 19(8), 1122–1134. https://doi.org/10.1016/j.cpa.2007.06.004.
Englund, H., & Gerdin, J. (2018). Management accounting and the paradox of embedded agency: A framework for analyzing sources of structural change. Management Accounting Research, 38, 1–11. https://doi.org/10.1016/j.mar.2017.12.001.
Englund, H., Gerdin, J., & Burns, J. (2011). 25 years of Giddens in accounting research: Achievements, limitations and the future. Accounting Organizations and Society, 36(8), 494–513. https://doi.org/10.1016/j.aos.2011.10.001.
Foss, N. J., Husted, K., & Michailova, S. (2010). Governing knowledge sharing in Organizations: Levels of analysis, governance mechanisms, and research directions. Journal of Management Studies, 47(3), 455–482. https://doi.org/10.1111/j.1467-6486.2009.00870.x.
Giddens, A. (1984). The Constitution of society: Outline of the theory of Structuration. University of California Press.
Giovannoni, E., Quarchioni, S., & Riccaboni, A. (2016). The role of roles in Risk Management Change: The case of an Italian Bank. European Accounting Review, 25(1), 109–129. https://doi.org/10.1080/09638180.2014.990475.
Hall, M., Mikes, A., & Millo, Y. (2015). How do risk managers become influential? A field study of toolmaking in two financial institutions. Management Accounting Research, 26, 3–22. https://doi.org/10.1016/j.mar.2014.12.001.
Harmon, D. J. (2019). When the Fed speaks: Arguments, emotions, and the microfoundations of Institutions. Administrative Science Quarterly, 64(3), 542–575. https://doi.org/10.1177/0001839218777475.
Hayne, C., & Free, C. (2014). Hybridized professional groups and institutional work: COSO and the rise of enterprise risk management. Accounting Organizations and Society, 39(5), 309–330. https://doi.org/10.1016/j.aos.2014.05.002.
Hiebl, M. R. (2018). Management accounting as a political resource for enabling embedded agency. Management Accounting Research, 38, 22–38. https://doi.org/10.1016/j.mar.2017.03.003.
Hiebl, M. (2019). Guest editorial: From theoretical framing to empirical testing in risk governance research: Moving the field forward. Management Research Review, 42(11), 1217–1223. https://doi.org/10.1108/MRR-11-2019-495.
Hiebl, M. R. (2022). Risk governance and risk management in change: A guest editorial. Journal of Accounting & Organizational Change, 18(1), 1–11. https://doi.org/10.1108/JAOC-02-2022-212.
Hiebl, M. R., Baule, R., Dutzi, A., Stein, V., & Wiedemann, A. (2018). Roles and actors in risk governance: Guest editorial. The Journal of Risk Finance, 19(4), 318–326. https://doi.org/10.1108/JRF-08-2018-194.
Hofstede, G., Bond, M. H., & Luk, C. (1993). Individual Perceptions of Organizational Cultures: A methodological treatise on levels of analysis. Organization Studies, 14(4), 483–503. https://doi.org/10.1177/017084069301400402.
Huber, C., & Scheytt, T. (2013). The dispositif of risk management: Reconstructing risk management after the financial crisis. Management Accounting Research, 24(2), 88–99. https://doi.org/10.1016/j.mar.2013.04.006.
Hunziker, S., & Durrer, M. (2021). Enterprise Risk Management in Switzerland. In (pp. 227–242).
Ittner, C. D., & Michels, J. (2017). Risk-based forecasting and planning and management earnings forecasts. Review of Accounting Studies, 22(3), 1005–1047. https://doi.org/10.1007/s11142-017-9396-0.
Ittner, C. D., & Oyon, D. F. (2020). Risk ownership, ERM Practices, and the role of the finance function. Journal of Management Accounting Research, 32(2), 159–182. https://doi.org/10.2308/jmar-52549.
Jemaa, F. (2022). Recoupling work beyond COSO: A longitudinal case study of Enterprise-wide risk management. Accounting Organizations and Society, 103, 101369. https://doi.org/10.1016/j.aos.2022.101369.
Jordan, S., Jørgensen, L., & Mitterhofer, H. (2013). Performing risk and the project: Risk maps as mediating instruments. Management Accounting Research, 24(2), 156–174. https://doi.org/10.1016/j.mar.2013.04.009.
Kaplan, R. S., & Mikes, A. (2016). Risk Management—the revealing hand. Journal of Applied Corporate Finance, 28(1), 8–18. https://doi.org/10.1111/jacf.12155.
Katz, D., & Kahn, R. L. (1978). The social psychology of organizations (2nd ed.). Wiley.
Kremser, W., & Schreyögg, G. (2016). The dynamics of interrelated routines: Introducing the Cluster Level. Organization Science, 27(3), 698–721. https://doi.org/10.1287/orsc.2015.1042.
Landsittel, D. L., & Rittenberg, L. E. (2010). COSO: Working with the Academic Community. Accounting Horizons, 24(3), 455–469. https://doi.org/10.2308/acch.2010.24.3.455.
Lawrence, T. B., Suddaby, R., & Leca, B. (Eds.). (2009). Institutional work: Actors and agency in institutional studies of organizations. Cambridge University Press.
Lawrence, T., Suddaby, R., & Leca, B. (2011). Institutional work: Refocusing Institutional studies of Organization. Journal of Management Inquiry, 20(1), 52–58. https://doi.org/10.1177/1056492610387222.
Maffei, M. (2021). Introduction. In M. Maffei (Ed.), Enterprise risk management in Europe (pp. 1–5). Emerald Publishing.
Maffei, M., & Spanò, R. (2021). Enterprise Risk Management Across Europe. In M. Maffei (Ed.), Enterprise risk management in Europe (pp. 279–303). Emerald Publishing.
Meidell, A., & Kaarbøe, K. (2017). How the enterprise risk management function influences decision-making in the organization– a field study of a large, global oil and gas company. The British Accounting Review, 49(1), 39–55. https://doi.org/10.1016/j.bar.2016.10.005.
Metwally, A. B. M., & Diab, A. (2021). Risk-based management control resistance in a context of institutional complexity: Evidence from an emerging economy. Journal of Accounting & Organizational Change, 17(3), 416–435. https://doi.org/10.1108/JAOC-04-2020-0039.
Mikes, A. (2009). Risk management and calculative cultures. Management Accounting Research, 20(1), 18–40. https://doi.org/10.1016/j.mar.2008.10.005.
Mikes, A., & Kaplan, R. S. (2013). Managing risks: Towards a contingency theory of Enterprise Risk Management. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.2311293.
Modell, S. (2022). Accounting for institutional work: A critical review. European Accounting Review, 31(1), 33–58. https://doi.org/10.1080/09638180.2020.1820354.
Monazzam, A., & Crawford, J. (2024). The role of enterprise risk management in enabling organisational resilience: A case study of the Swedish mining industry. Journal of Management Control. https://doi.org/10.1007/s00187-024-00370-9.
Moschella, J., Boulianne, E., & Magnan, M. (2023). Risk Management in Small- and medium‐sized businesses and how accountants Contribute*. Contemporary Accounting Research, 40(1), 668–703. https://doi.org/10.1111/1911-3846.12819.
Murr, P., & Carrera, N. (2022). Institutional logics and risk management practices in government entities: Evidence from Saudi Arabia. Journal of Accounting & Organizational Change, 18(1), 12–32. https://doi.org/10.1108/JAOC-11-2020-0195.
Nguyen, D. H., Hiebl, M. R., & Quinn, M. (2023). Integrating a new management accounting routine into a routine cluster: The role of interactions between multiple management accounting routines. Qualitative Research in Accounting & Management, 20(4), 543–568. https://doi.org/10.1108/QRAM-03-2022-0049.
Pache, A. C., & Santos, F. (2013). Inside the Hybrid Organization: Selective coupling as a response to competing institutional logics. Academy of Management Journal, 56(4), 972–1001. https://doi.org/10.5465/amj.2011.0405.
Pentland, B. T. (2016). Risk and routine in the Digitized World. In M. Power (Ed.), Riskwork (pp. 193–210). Oxford University Press.
Posch, A. (2020). Integrating risk into control system design: The complementarity between risk-focused results controls and risk-focused information sharing. Accounting Organizations and Society, 86, 101126. https://doi.org/10.1016/j.aos.2020.101126.
Power, M. (2009). The risk management of nothing. Accounting Organizations and Society, 34(6–7), 849–855. https://doi.org/10.1016/j.aos.2009.06.001.
Prewett, K., & Terry, A. (2018). COSO’s updated Enterprise Risk Management Framework— A Quest for depth and clarity. Journal of Corporate Accounting & Finance, 29(3), 16–23. https://doi.org/10.1002/jcaf.22346.
Quinn, M. (2011). Routines in management accounting research: Further exploration. Journal of Accounting & Organizational Change, 7(4), 337–357.
Quinn, M. (2014). Stability and change in management accounting over time—A century or so of evidence from Guinness. Management Accounting Research, 25(1), 76–92. https://doi.org/10.1016/j.mar.2013.06.001.
Quinn, M., & Hiebl, M. R. (2018). Management accounting routines: A framework on their foundations. Qualitative Research in Accounting & Management, 15(4), 535–562. https://doi.org/10.1108/QRAM-05-2017-0042.
Rana, T., Hoque, Z., & Jacobs, K. (2019a). Public sector reform implications for performance measurement and risk management practice: Insights from Australia. Public Money & Management, 39(1), 37–45. https://doi.org/10.1080/09540962.2017.1407128.
Rana, T., Wickramasinghe, D., & Bracci, E. (2019b). New development: Integrating risk management in management control systems—lessons for public sector managers. Public Money & Management, 39(2), 148–151. https://doi.org/10.1080/09540962.2019.1580921.
Riepl, J., Mitter, C., & Kuttner, M. (2024). Risk management during the COVID-19 crisis: Insights from an exploratory case study of medium-sized family businesses. Journal of Management Control. https://doi.org/10.1007/s00187-023-00363-0.
Rödger, J. M., Kjær, L. L., & Pagoropoulos, A. (2018). Life Cycle Costing: An Introduction. In M. Z. Hauschild, R. K. Rosenbaum, & S. Irving Olsen (Eds.), Life cycle assessment: Theory and practice (pp. 373–399). Cham: Springer.
Röser, M. (2024). More certainty in uncertainty: A special life-cycle approach for management decisions in volatile markets. Journal of Management Control. https://doi.org/10.1007/s00187-023-00364-z.
Schatzki, T. R. (2002). The site of the social: A philosophical account of the constitution of social life and change. Pennsylvania State University Press.
Soin, K., & Collier, P. (2013). Risk and risk management in management accounting and control. Management Accounting Research, 24(2), 82–87. https://doi.org/10.1016/j.mar.2013.04.003.
Stein, V., & Wiedemann, A. (2016). Risk governance: Conceptualization, tasks, and research agenda. Journal of Business Economics, 86(8), 813–836. https://doi.org/10.1007/s11573-016-0826-4.
ter Bogt, Henk, J., & Scapens, R. W. (2019). Institutions, situated rationality and agency in management accounting. Accounting Auditing & Accountability Journal, 32(6), 1801–1825. https://doi.org/10.1108/AAAJ-05-2016-2578.
Themsen, T. N., & Skærbæk, P. (2018). The performativity of risk management frameworks and technologies: The translation of uncertainties into pure and impure risks. Accounting Organizations and Society, 67, 20–33. https://doi.org/10.1016/j.aos.2018.01.001.
Thornton, P. H., & Ocasio, W. (2008). Institutional logics. In R. Greenwood, C. Oliver, K. Sahlin, & R. Suddaby (Eds.), The SAGE handbook of organizational institutionalism (pp. 99–129). Sage.
Thornton, P. H., Ocasio, W., & Lounsbury, M. (2012). The Institutional Logics Perspective: A New Approach to Culture, structure and process. Oxford University Press.
Tillema, S., Trapp, R., & van Veen-Dirks, P. (2022). Business partnering in Risk Management: A resilience perspective on Management accountants’ responses to a role change. Contemporary Accounting Research, 39(3), 2058–2089. https://doi.org/10.1111/1911-3846.12774.
van der Stede, W. A. (2011). Management Accounting Research in the wake of the Crisis: Some reflections. European Accounting Review, 20(4), 605–623. https://doi.org/10.1080/09638180.2011.627678.
Viscelli, T. R., Beasley, M. S., & Hermanson, D. R. (2016). Research insights about Risk Governance. SAGE Open, 6(4), 215824401668023. https://doi.org/10.1177/2158244016680230.
Viscelli, T. R., Hermanson, D. R., & Beasley, M. S. (2017). The integration of ERM and Strategy: Implications for corporate governance. Accounting Horizons, 31(2), 69–82. https://doi.org/10.2308/acch-51692.
Wolf, T., Kuttner, M., Feldbauer-Durstmüller, B., & Mitter, C. (2020). What we know about management accountants’ changing identities and roles– a systematic literature review. Journal of Accounting & Organizational Change, 16(3), 311–347. https://doi.org/10.1108/JAOC-02-2019-0025.
Yammarino, F. J., Dionne, S. D., Chun, U., J., & Dansereau, F. (2005). Leadership and levels of analysis: A state-of-the-science review. The Leadership Quarterly, 16(6), 879–919. https://doi.org/10.1016/j.leaqua.2005.09.002.
Funding
Open access funding provided by Johannes Kepler University Linz.
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Hiebl, M.R. The integration of risk into management control systems: towards a deeper understanding across multiple levels of analysis. J Manag Control (2024). https://doi.org/10.1007/s00187-024-00373-6
Accepted:
Published:
DOI: https://doi.org/10.1007/s00187-024-00373-6