Strengthening Enterprise Risk Management Independence: A Conceptual Oversight Framework
DOI: https://doi.org/10.64229/smt92a97
Keywords: Enterprise Risk Management, Corporate Governance, Independence, Reporting Structure, Agency Theory, Chief Risk Officer, Board of Directors
Abstract
In the rapidly evolving and increasingly volatile global business landscape, robust governance mechanisms are no longer a matter of best practice but are essential for organizational sustainability, resilience, and long-term value creation. At the heart of effective enterprise risk management (ERM) lies not only the sophistication of risk identification and mitigation processes but also, critically, the unfettered structural independence of the risk management function. This conceptual paper examines the structural and behavioral impediments to ERM independence under prevailing corporate governance models. It analyzes three common reporting structures for the ERM function: reporting to senior management, reporting to the Chief Executive Officer (CEO), and a hybrid model of reporting to the Board of Directors with a “dotted line” to the CEO. Drawing on agency theory and corporate governance principles, this study contends that each paradigm harbors intrinsic conflicts of interest that undermine the impartiality, authority, and overall efficacy of ERM. The CEO's influence over performance evaluations and compensation, even in a dotted-line relationship, is identified as a substantial threat to behavioral independence. Consequently, this paper develops a conceptual framework for an optimal reporting structure. It posits that true independence is only achievable when the ERM function reports directly and exclusively to the Board of Directors or a dedicated Board Risk Committee. Furthermore, the framework asserts that the remuneration, budget, and resources of the ERM function must be determined at the Board level, completely insulated from management’s influence. This proposed model, termed the “Unfettered Guardian” framework, is designed to align the ERM function with the Board’s oversight duty, ensuring it serves its primary purpose as an objective guardian of shareholder value and long-term organizational sustainability.
License
Copyright (c) 2025 Shaharin Abdul Samad (Author)

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.