Introduction

Risk management becomes an act, or proof, of strong corporate governance in a more focused setting such as a business organization, where it enhances organizational practices, reputation, accountability, and responsibility toward stakeholders (Zainuddin et al. 2020a, 2020b). Because of a preoccupation with this rationale, organizational actors such as employees and executives who are assigned as risk owners, management control owners, and risk champions in the risk management structure are more likely to comply with risk management practices without any intention or interest in inquiring about the implications for themselves (Koval 2021). Many previous studies focus on the benefits of adopting an operational risk management system (Kwak et al. 2018; Callahan and Soileau 2017; Munir et al. 2020; Hopkin 2018). However, no study gives attention to the real reason for implementing and complying with risk management adoption, which is what allows a risk management system to emerge in an organization. Hence, this study aims to reveal the process of risk management practice in the organization, which may open the black box of the epistemic process of risk management discipline in the organization and its implications for organizational actors.

The operational risk management system has become a hot topic among corporations, particularly those that manage public money, such as pension institutions and institutions that aid employees with substantial holdings. Such organizations are also affected by the capitalist economy and industrialization, since they have been corporatized to become more mature and efficient in handling the funds they hold. In Malaysia, numerous institutions hold substantial funds, such as EPF, KWAP, and Tabung Haji. These companies must maintain their image, responsibility, and legitimacy because they will always be scrutinized by the public and government stakeholders. Companies of this nature cannot avoid the burden of demonstrating their ability to manage public monies. One technique is implementing an effective operational risk management system capable of lowering risks that could harm the organization. The implementation of operational risk management systems receives a great deal of attention, and the country’s senior management frequently underlines the advantages of implementing it. During national management-related debates in parliament and the people’s house, for instance, representatives of the people frequently raise questions regarding the adoption of risk management systems for government projects involving firms that handle government funds. Everyone is persuaded that implementing operational risk management can provide a high level of assurance for the success of projects and corporate management.

However, some businesses deploy an operational risk management system due to external pressure and not because of the system’s utility and benefits to the business. Because they feel pressed and compelled, these businesses cannot determine the optimal function and benefits an operational risk management system can provide for their operations. Instead of utilizing a risk management system that was adopted with a specific level of investment, they use it only to portray a positive image to stakeholders. Even though many researchers from various fields and backgrounds have conducted numerous studies on risk management systems (see American Diabetes Association 2018; Wang et al. 2020; Szymański 2017; Burtonshaw-Gunn 2017; Leo et al. 2019; Greuning and Brajovic-Bratanovic 2022), one question remains unanswered: why do many companies that implement operational risk management systems, at a cost of money, time, and energy, still fail to manage the risks in their operations, and why do some businesses fail and cannot withstand the risk of continuing to survive, especially when a global economic crisis strikes the world?

Although organizations must adopt risk management as part of strategic planning, there is a lack of studies focusing on the side effects of its adoption on employees. This results in unfair treatment of employees (Rachidi et al. 2022). In addition, there is a lack of studies focusing on the phenomenon that causes unnecessary fear among employees. A lack of knowledge and understanding about the real function of risk management is a cause of chaos (Patwary et al. 2022a; Rodrigues et al. 2020; Sharif et al. 2022; Wang et al. 2022; Wu et al. 2022). This phenomenology-based study aims to determine how the company’s risk management system comes to be deemed an effective and valuable strategy for managing the company’s operational risk. The main contributions of this study are: i) in practice, employees and risk management officers gain a better understanding of the main function of risk management, which helps to reduce their feeling of fear; ii) from a theoretical perspective, the governmentality framework demonstrates the elements of the epistemic process of risk management discipline in the case company; iii) empirically, this study highlights how the macro- and micro-organizational elements are connected to assist the evolution of risk management in the case company.

In the subsequent sections, this paper presents a literature review that covers relevant past studies on risk management and governmentality that contributed to the development of this study. Next, the methodology is presented. Then, the case study findings and discussion are presented. Lastly, the paper ends with a conclusion.

Literature review

Risk management

In an organizational context, risks are classified according to the nature of the firm. Risk management studies within an organizational context have discovered various risk categories such as operational risk (Alvarez-Alvarado and Jayaweera 2020), financial risk (Yagli 2020; Hashim et al. 2022; Patwary 2022), strategic risk (Zadeh et al. 2021), supply risk (Iqbal et al. 2020), regulatory risk (Weatherburn et al. 2020), etc. In managing these risks, every employee in the company is held accountable, particularly in recognizing, identifying, reporting, and controlling the risks. These employees are assigned risk management roles, jobs, and designations whose descriptions can be found in risk management guidelines or standards (see ISO 2009a, 2009b, 2018, 2019). To maintain consistent and successful risk management practices, the company must be fully aware of its internal and external environments (Hopkin 2018). Getting a good understanding of the surrounding environment may quickly address some risks, which improves the firm’s control and monitoring mechanism (Poteat et al. 2020).

Various organizational characteristics influence organizational actors' attitudes toward risk management practice (Fadzil et al. 2017), which is also known as risk attitude. The nature of the firm (Brunsson and Olsen 2018), top management influence (Wijethilake and Lama 2019), government impact (Patwary et al. 2022b; York et al. 2018), organizational actors’ knowledge and competence (Zhou et al. 2018), and cost of risk management implementation are all factors to consider. In other words, the pressure from the abovementioned elements influences the conduct of organizational actors such as employees responsible for implementing risk management systems. On the other hand, the organization looks at risk management as a way of persuading organizational actors, such as employees, to behave in a certain way as approved by the risk management practice (Hillson and Murray-Webster 2017).

Governmentality

In 1979, Foucault developed the term governmentality. According to Foucault, government is the "conduct of conduct". Foucault’s concept of government and governmentality applies not only to the administration of the state and its citizens but also to government in the sense of self-control, the management of a family, of children, of men and women, and of souls. Thus, Foucault’s meaning of government is wide ranging, from governing the self to governing others. In brief, government means conducting others and oneself, and governmentality is about how to govern.

Moreover, the concept of government involves the strategies, agendas, plans, aspirations, dreams, missions, visions, tactics, techniques, programs, and blueprints of authorities that shape the beliefs, confidence, trust, and conduct of the population (Nettleton 1991, p. 99). Hence, government is an activity that aims to shape or affect people’s conduct (Gordon 1991; Holmes and Gastaldo 2002).

Nowadays, governmentality can be achieved through applying knowledge as technology in an institution.

Accordingly, this study adopts Maran et al.’s (2016) governmentality framework, as shown in Fig. 1. The framework suggests that the application of governmentality is divided into two dimensions with a reciprocal connection. The first dimension represents the macro-organizational level. At the macro-level, the discursive dimension of governmentality is highlighted. In this dimension, discourse, rhetoric, and language are used to promote the government’s ideology in political discourses. Here, political discourse is divided into high and operational discourse. In high political discourse, the political rationalities discuss the specific ideology/agenda. In operational political discourse, the ideology/agenda has been operationalized into government programs. The second dimension represents the micro-organizational level. At the micro-level, the organization uses government technology to operationalize the agenda promoted at the macro-organizational level. Here, the knowledge and government apparatus that have been institutionalized provide support to, and receive support from, the first dimension. Figure 1 depicts that the macro- and micro-levels (in both dimensions) learn from each other. Finally, the two-way arrows show that each part communicates with the others (Maran et al. 2016; Patwary et al. 2022c; Aziz et al. 2019).

Fig. 1: Governmentality framework. Source: adapted from Maran et al. (2016).

The governmentality framework adapted and used in this study explains the forces that contribute to the epistemic process of risk management emergence in organizations. Both governmentality dimensions (discursive dimension of governmentality and technologies of government) provide context that generates five epistemic processes that support the adoption and development of a risk management system within an organization.

Methodology

Research design

This research uses a post-positivistic accounting paradigm, because a positivistic accounting approach is unable to explain dynamic phenomena in an organization. Under the post-positivistic accounting paradigm, a qualitative method is the most appropriate option. To address the research challenges raised by Burawoy (1998), this study’s techniques and methodologies must assist the researcher in identifying and explaining the connections between the macro-political and micro-organizational components of risk management practice. As a result, an extended case study was used. An extended case study provides a more in-depth examination of a company’s risk management practices.

Within the field, a primary organization was chosen, referred to hereafter as the case company. To achieve the research objective, the case company’s employees and risk management officers were selected as the unit of analysis and were interviewed. This is because, based on risk management standards, all of the case company’s employees and risk management officers are responsible for identifying, managing, treating, and reporting risk through a structured process to the designated committee. The case company was chosen as it is the largest Malaysian organization, and one of the world’s oldest organizations of its sort, mandated to manage public funds. After going through security checks and proper procedures, the researcher was given 3 months of access as an employee to enter the company and conduct the study during the company’s business hours. All related employees encountered during the study period were interviewed and asked relevant questions to answer the research questions. The researcher was also given several opportunities to attend the case company’s meetings and workshops, during which the researcher took the opportunity to meet and interview as many employees and risk management officers as possible.

Sampling and data collection

During the fieldwork, 39 risk officers, executives, and employees from various departments, including risk management, operations, investment, and top management appointed for managing risk, were successfully interviewed. During the 3 months of fieldwork, several employees were interviewed two or three times. Because employees could be met every day during working hours, the researcher was able to conduct many interviews. A total of 42 interviews were completed. The interview data were acquired and transcribed during and after the field activity.

Following transcription, each data point was double-checked against the interviews to ensure correct information. Thematic analysis was used to evaluate the transcribed data, allowing the researcher to categorize and frame the major themes related to the phenomenon using the governmentality framework. Thematic analysis identifies, analyzes, and interprets patterns, particularly those derived from qualitative data; it is a very valuable tool for qualitative studies and is employed extensively by researchers to gain a deeper knowledge of the data and to comprehend people’s experiences, opinions, and behaviors. In the context of this study, thematic analysis is used to obtain a deeper knowledge of the experience and viewpoint of employees and risk management officers pertaining to risk management practice.

Subsequently, the extended case study method developed by Burawoy (1998) is used for data analysis to explain the relationships among the themes found during the thematic analysis.

Data analysis and coding

In the data analysis process, the interview material is grouped and coded based on the researcher’s observations and interviews. A notebook was used during the fieldwork to document every action and occurrence within the organization linked to the project. The written notes and interview data are combined for the thematic analysis.

Reliability and validity

Qualitative research analysis is no less demanding than quantitative research analysis in terms of reliability and validity. When conducting quantitative research, instrument components and constructs are examined to determine their degree of reliability and validity (Hashim et al. 2020a). When conducting qualitative research, the correctness of the findings depends on the researcher’s description of the data and the verification carried out by the unit of analysis.

Because qualitative investigation is inherently subjective, qualitative research aims to achieve high levels of internal reliability. The study’s ability to deliver consistent and trustworthy results depends on the level of internal reliability achieved during the data coding step. In qualitative research, one method for evaluating the validity of the findings is respondent validation. Using this approach, initial results are reviewed with participants to establish whether they are accurate. After the researcher has gathered all of the data, they are delivered to the unit of analysis for verification.

Study limitations

Ten requests for qualitative research were sent to the ten most prominent organizations in Malaysia. For this qualitative inquiry, subjective semi-structured interviews were used. However, because of worries about maintaining participants’ anonymity, just one individual decided to participate in the study. Future research may be able to use alternative methodologies such as quantitative approaches or case studies with smaller organizations; such studies have been done before.

Regarding the internal and external elements of the organization mentioned above, other factors are more closely tied to the employees who execute risk management practices: attitude, subjective norms, and perceived behavioral control (Nik Hashim et al. 2019; Said et al. 2020). These considerations drive the decision to comply or not comply with the regulations that govern risk management practices. As a consequence, the theory used to guide the generation of the study findings also contributes to research outcomes that are both clearer and broader.

Case study findings and discussion

Figure 2 shows the detailed explanation and relationships within the case company’s epistemic process of risk management. The epistemic process refers to the process of constructing knowledge (i.e., risk management) in the organization (Roos and Von Krogh 2016; Choo 2016). Specifically, Fig. 2 shows how risk management knowledge is adopted from the macro-organizational level (through the discursive dimension of governmentality) and then constructed into an organizational discipline at the micro-organizational level by undergoing an epistemic process. Based on this governmentality framework, the study found that the case company has adopted risk management as one of the technologies of government in the organization to govern the mentality and behavior of organizational actors such as the case company’s employees. Certain factors in the organization, such as risk management implementation, shape employees’ mentality and behavior (Ashena et al. 2019; Shanker et al. 2017), which parallels what has been found in this study.

Fig. 2: Research framework.

The extended case study has revealed how risk management has evolved and transformed into an organizational discipline through five main elements: structural, processual, relational, cultural, and historical. These five processes demonstrate that macro- and micro-organizational factors may affect how an organization’s operational risk management discipline develops. This conclusion is similar to that of Shah et al. (2018), who discovered micro- and macro-organizational components that helped a firm better understand how stakeholders perceived the company’s flood risk management. Because of this greater understanding, the organization’s management can better manage risk and meet stakeholder expectations.

Organizational actors (micro-level) and society at the political and economic levels (macro-level) both learn from one another through the epistemic process. Society and actors at all levels are adapting and learning new ways of thinking, acting, and making decisions based on a certain method presented as the best practice for greater performance and improvement. The learning loop between the two dimensions is depicted in Fig. 2. Furthermore, at the macro-level, governmentality emphasizes how government technology facilitates the acceptance of knowledge as a best practice, resulting in organizational actors being disciplined to implement and apply knowledge as an organizational discipline. The two-way arrow in Fig. 2 shows the distribution of tasks and powers and the risk management system communication. The thematic analysis results are used to describe the research framework better. The following are the five themes that have been developed.

Theme 1: the structural element

The organizational structure is the backbone of an organization’s epistemic process of risk management discipline (Braumann et al. 2020; Wijethilake and Lama 2019). The structural element explains the structure, hierarchy, bureaucracy, and accountability within risk management practice in the organization. This is because the influence of people with specific positions and their hegemonic power can enhance risk management implementation in the case company with less resistance or rejection from the people who work on the implementation. The clarity in the position a person holds will also clarify his/her motivation, along with the objectives that he/she wishes to achieve for the organization. The senior risk management officer mentioned:

“…we have a very good structure in risk management implementation. At the top level, we have a risk management board committee; at the bottom level, every head of department and spokes are appointed as risk champions, followed by the management team, who are then appointed as risk owners and management control owners...”

Structural elements concern not only a person’s position in the organizational hierarchy but also whether the structures are formal or informal (Osman 2017; Diefenbach and Sillince 2011). The formal hierarchy may be laid out in black and white in the company’s handbooks, policies, and procedures, while informal frameworks include the mutual understanding among risk officers, executives, and employees about conveying any risk-related problems to one another.

Theme 2: the processual element

A consistent and well-managed process is necessary for risk management practice (Willumsen et al. 2019). The processual element refers to the formal organizational processes employed by the case company in order to manage risk. The processual element is another way the case company distributes powers and tasks among organizational actors. Examples of formal organizational processes are scheduled meetings, prompt meetings, site inspections, and paper presentations. The scheduled and prompt meetings are conducted in order to discuss issues related to risk management practice. Senior operational risk management officers 1, 4, and 6 mentioned:

“…in our scheduled meetings, the top management level attends together; for example, our CEO, as part of his task to monitor the progress and issues regarding risk management practice in every business unit…”

From the meetings, discussions, and presentations, the actors then undergo more specific processes in risk management, such as risk identification, analysis, evaluation, treatment, monitoring, and review.

Theme 3: the relational element

The relational element explains the relationships of the risk management system (RMS) and practices with other systems, departments and branches, and employees, also called an integrated system. The integrated system involves integration in governance and operating activities (Gordon et al. 2009; Anam et al. 2022). Moreover, the integration of the RMS with other systems and business units is a fundamental principle in establishing good communication and support (Florio and Leoni 2017; Farrell and Gallagher 2015). Beyond merely working together with other units, for the RMS to function effectively, it needs to be embedded into the other systems, departments, and branches, and attached to employees’ tasks. Senior analytic risk management officers 1 and 2 mentioned:

“…RMD is regarded as the second line of defence. The front offices, such as branches and departments, are regarded as the first line of defence, while an internal audit is the third line of defence in facing risks and uncertainty. The three lines of defence demonstrate the strong relationship between the RMS and the rest of the business units….”

The RMS is not a system that can function independently. It is integrated into the systems already in place and links the performance of workers, departments, and the organization with risk management practices. Each report created is entered into a system that links employees’ performance to their compliance with their responsibilities. This ensures that the risks associated with their responsibilities are well managed, and also guarantees that other systems, including performance management systems, are not adversely impacted.

Theme 4: the cultural element

The researcher’s observation of the case company’s culture is that risk management implementation is not seen merely as part of the employees’ tasks. It is nurtured as an organizational culture (Chen et al. 2019; Wressell et al. 2018), constructed and developed from risk thinking and risk action. Risk thinking and risk action refer to the way employees behave in dealing with a risky situation (e.g., handling confidential information): they become more alert to their surroundings so as not to leak the information by mistake. Employees talk about risk in almost every space. For example, during lunch hour and company events, employees always discuss how they should and should not behave to avoid risky actions.

The risk management culture is one of the main strategies employed in strengthening the implementation of pervasive risk management practices in the organization. EPF boards, line managers, and all employees in the organization have endeavored to nurture a risk management culture in performing their daily work. Operational risk management officer 8, who is in charge of staff risk management training, said:

“…each of us is talking about risk in many spaces. I mean, space here refers not to the location but more to occasions. We believe discussing and talking about risk will help us understand risk. It also helps form a culture that is alert to risk. I think that is how risk management can be easily understood and practised….”

When a topic is brought up in any setting, regardless of time or location, it eventually develops into a routine discourse, which becomes a habit for employees and, in turn, a culture inside the organization (Hashim et al. 2020b; Wales et al. 2020). When new employees join an organization, their first task is to familiarize themselves with the company’s traditions by observing how such traditions are practiced (Hashim et al. 2019; Lyon 2018). As a result, the organization’s risk management culture becomes more robust and contributes to forming a new identity for the company.

Theme 5: the historical element

The historical element explains how the history of risk management helps secure positive perceptions of risk management implementation among organizational actors. In some studies, historical elements refer to the level of risk management maturity in an organization (Alashwal et al. 2017; Chen et al. 2022; Omer 2019; Rahman et al. 2022). The history of risk management in the case company is proof that people believe in what is already established. Senior investment risk officer 3 said that the risk management structure was already there when she entered the department in 2009. She added:

“At the time that I entered the department, the credit risk section was not yet created and was a subset of the investment risk section. When the current head of the department entered the office in 2008, he thought he needed to grow the credit risk section because he thought that the credit function was more like an independent assessment. The head of the department emphasized that it is the best practice and how it is practiced in a bank, [and it should be] noted that the head of the department was from a banking background.”

Through these five fundamental parts of the epistemic process, risk management has been transformed and given disciplinary authority to govern the thinking and behavior of organizational actors. As a result, organizational actors can act only in certain ways, as defined by organizational discipline.

Limitations and future research directions

The study only focuses on one primary organization, the case company, which can be expanded in future research to focus on multiple case studies using other prominent organizations. In terms of methodology, this study adopts a qualitative approach. However, more interesting findings can be obtained by using a mixed-method approach.

Conclusion

At the micro-organizational level, the study discovered that all five elements (structural, processual, relational, cultural, and historical) occur in both dimensions of governmentality (the discursive dimension and the technology of government dimension). Some features, however, are regarded as critical in a specific dimension of governmentality. The most prominent factors in the discursive dimension are the historical and cultural ones. Both serve as a conduit for developing a risk management strategy. The influence of local culture, for example, which is what Malaysian employees want in creating a conducive and safe working environment, justified the adoption and implementation of risk management methods inside the case organization in the first place.

Later, in the second dimension of governmentality, the discipline manages many elements of organizational actors’ behavior by assigning roles and tasks. Processual, relational, and structural components are significant in the case company’s risk management establishment at this second level.

These five elements illustrate how risk management becomes an organizational discipline through an epistemic process. It is not a simple process; it requires all levels of management to work together and move in the same direction. Furthermore, this steady and consistent growth is the outcome of committed staff dedicated to the task at hand. Although at first glance it may appear that employees merely obey instructions, this is not the case: employee compliance is not a result of fear but a necessary component of the process, which requires total commitment and participation. Moreover, effective top-down and bottom-up communication is another relational feature that aids the implementation process.

From the internal aspect, each of the five elements is critical in forming a robust risk management strategy for a business. If one of these components is missing, the risk management process may fail to be implemented. From the external aspect, despite the many negative consequences of the Covid-19 outbreak, it has positively impacted the process. It puts pressure on organizational actors, for example, to change for better management and to accept and grasp the importance of having a risk management system to sustain and improve organizational performance. Therefore, the study accepts the assumption that elements from the macro- and micro-organizational levels influence and cause change in the risk management practice of the case company. This is because the case company, one of many organizations that implement and adopt risk management, now realizes there is a need for balance and a deep understanding of the consequences of risk management adoption for the organizational actors and the organization itself.

This study’s main contribution is that risk management officers and employees gain a better understanding of the primary purpose of risk management, which helps to lessen their fear, while from a theoretical perspective the governmentality framework illustrates the elements of the epistemic process of risk management discipline in the case company. Empirically, this study emphasizes how the macro- and micro-organizational elements interact to produce risk management discipline.