A Model of Risk Management in Globalizing Companies

Jukka Ojasalo, Ph.D., Professor, Laurea University of Applied Sciences, Espoo, Finland ABSTRACT The literature dealing with risk management includes surprisingly little knowledge of risks related to globalization of companies. The literature on globalization of firms, on the other hand, includes some knowledge of risks of globalization, however the systematic management of these risks has received very little attention. Clearly, there is a need to increase the knowledge and develop new approaches for risk management in globalizing companies. This article contributes by developing a model for systematic risk management in globalizing companies. The model integrates the essential elements of risk management process and risks of globalizing firms. The model attempts, both to contribute to the scientific literature, as well as respond to the needs of practitioners. The article is based on comprehensive literature analysis. First, it analyzes the literature on risk management and focuses on the relevant aspects of risk management process. Next, it analyzes the literature on risks of globalizing firms. Then, it proposes a model of risk management in globalizing companies. After that, the final conclusions are drawn. RISK MANAGEMENT Risk Risk refers to an exposure or probability of losses (Larson and Kusiak, 1996; Remenyi and Heafield, 1996; Chapman and Ward, 1997; Jaafari, 2001). The term risk generally has implications of negative or adverse results from an uncertain event (Ansell and Wharton, 1992). Thus, according to Williams, (1995), a bad event as such cannot be called risk, but instead, the two aspects have to have to be present in the context of risk:
uncertainty adverseness of the effect

Thus, risk can be characterized by its likelihood and impact. However, uncertainty may have different variations: we know the odds, we do not know the odds (but perhaps some the main parameters), and we do not know what we do not know (Wynne, 1992; Williams et al., 1995). Thus, likelihood and impact may not be quantifiable or known. Consequently, in addition to likelihood and impact, predictability also relates to the concept of risk (Charette, 1989). In more predictable cases, it is possible to quantify the likelihood and effect of each event more precisely. The case of low predictability occurs particularly when there is little historical evidence on which to base the prediction (c.f. Williams, 1995). Risk management process Risk management aims to provide decision makers with a systematic approach to coping with risk and uncertainty (Williams et al., 2006). The following four examples of a risk management process illustrate typical phases and activities involved with risk management (Table 1). The process is not necessarily straightforward, but often includes iteration. The model by Hollman and Forrest (1991; see also Hollman and Mohammad-Zahed, 1984) includes the phases of discovery of loss exposure, evaluation of loss exposures, selection of techniques, implementation of strategy, and monitoring. Hollman and Forrest (1991, p. 49) argue that The risk management process is universal in its application. The process is board enough to encompass individuals as well as business entities of all types service organisations as well as manufacturers. ASIS General Security Risk Assessment Guideline (2003) proposes an approach for risk management involving seven phases. The firs phase relates to understanding the organization and identifying the people and assets at risk, which includes assets, people, property, core business, networks, and information. The other phases relate to specifying loss risk events and vulnerabilities, establishing the probability of loss risk and frequency of events, determining the impact of the events, developing options to mitigate risks, studying the feasibility of implementation of options, and performing a cost/benefit analysis.

The Business Review, Cambridge * Vol. 13 * Num. 1 * Summer * 2009

200

Table 1. Examples of risk management process models

Hollman and Mohammad-Zahed (1984); Hollman and Forrest (1991) 1. Discovery of loss exposure - Checklist of possible exposures - Accounts and records - Flowchart of operation - Surveys - Personal inspection 2. Evaluation of loss exposures - Objectives - Operational techniques - Avoidance - Loss control - Loss prevention - Loss reduction - Separation - Combination - Non-insurance transfers - Financing techniques - Non-insurance transfers - Insurance - Retention 3. Selection of techniques - Type of business - Objectives - Performance dimensions - Insurance method - Essential - Desirable - Available - Minimum expected loss method - Probability formulas - Financial analysis - Forecasting 4. Implementation of strategy 5. Monitoring - Organizing information flows - Contract making - Inspections - Record keeping - Negotiating for insurance - Settling losses - Safety programmes - Investigating accidents ASIS General Security Risk Assessment Guideline (2003) 1. Understand the organization and identify the people and assets at risk - Assets - People - Property - Core business - Networks - Information 2. Specify loss risk events / vulnerabilities 3. Establish the probability of loss risk and frequency of events 4. Determine the impact of the events 5. Develop options to mitigate risks 6. Study the feasibility of implementation of options 7. Perform a cost/benefit analysis Standards Australia and Standards New Zealand (2004) 1. Risk recognition - Establish the context - Identify risks 2. Risk prioritization - Analyse risks - Likelihood - Consequence - Level of risk - Evaluate risks 3. Risk management - Decision whether or not to accept the risks? - Treat risks The following elements are involved in all above phases: - Communicate and consult - Monitor and review European Foundation for Quality Management, (2005) 1. Policy - Risk policy - Stakeholder liaison 2. Planning - Annual plan /strategy - Resource allocation - Multi-year development program 3. Implementation - Risk identification analysis - Risk transfer/finance - Control measures - Knowledge management - Process improvement - Event management 4. Monitoring - Monitoring procedures - Risk register/software design - Internal and external audit 5. Review - Review procedures - External reporting Ahmed, Kayis and Amornsawadwatana (2007) 1. Context establishment - Risk model and query mechanism 2. Risk identification - Prior risk knowledge (repository) 3. Risk analysis - Qualitative and quantitative measures 4. Risk evaluation - Decision support systems 5. Treat risks - Risk mitigation planning The following elements are involved in all above phases: - Interactive and collaborative interfaces - Risk focused project team

The risk management process of Standards Australia and Standards New Zealand (2004; in Williams et al., 2006) includes the phases of recognition, risk prioritization, and risk management. The risk recognition phase has two parts: context establishment and risk identification. Context establishment defines what is at risk. Risk identification covers their identification within the established context of uncertain events that could cause harm or benefit, their associated causes and their potential consequences. The second phase is to understand and analyze the nature and level of the risks, so they can be managed in an appropriate manner. The risk prioritization phase consists of risk analysis and risk evaluation. Risk analysis is based on likelihood and consequence. Likelihood depends on the probability of occurrence and the frequency of activity. The consequence can be expressed in several ways, such as effects on results or on the enablers of results. Once risks are analyzed, risk evaluation may take place. Risks are

The Business Review, Cambridge * Vol. 13 * Num. 1 * Summer * 2009

201

evaluated against an appropriate risk-acceptance criterion to rank them, for example as low, medium, or high. Based on this, the risk profile of the company can be determined, showing the scale and complexity of risks faced. Based on this, the organization can decide the amount of risk it is willing to take. The third phase of this model is the management of the risks identified and prioritized. According to Williams et al. (2006), this can be done in a simple way with the four Ts of European Foundation of Quality Management (2005), which are terminate, treat, tolerate, and transfer. Terminating means ceasing activities related to the risk, in other words avoiding or eliminating the loss exposure. Treating refers to adding control measures or contingency plans to manage the likelihood and consequence of events. Tolerating means accepting the level of risk. Transferring refers to moving the impact of risks to another party, for example in terms of insurance or non-insurance. Communicating and consulting as well as monitoring and reviewing are involved with all the above phases. The model of European Foundation for Quality Management (2005), includes the following phases: policy, planning, implementation, monitoring, and review. Policy states why risk management is being carried out and what will be achieved. Planning develops the strategy for achieving the success. Implementation involves all activities for managing risks. Based on monitoring, the whole system is reviewed and improved. The model by Ahmed et al. (2007), consists of context establishment, risk identification, risk analysis, risk evaluation, and risk treatment. To a large extent, the above models resemble each other, even though the names of the phases and activities are somewhat different. Establishing the context for risk management According to Williams et al. (2006), context establishment defines what is at risk. According to Ahmed et al. (2007), context establishment in the risk management process involves representation of project units (functional, process, data, etc.) and their inter-relationships. Various project modelling tools and techniques can be used for context establishment in risk management. This enables in representing status in several forms such as resource usage, equipment requirements, budget availability, stakeholder involvement, contract deliverables, strategic goals and schedule, depending on the desirable aspect of the project that is important for any particular purpose. Identifying risks Risk identification relates to studying what can go wrong (Ahmed et. al., 2007). Sources of risk and potential consequences need to be identified, before they can managed. Risk identification, according to Tchankova (2002), includes the following basic questions: How can the organisational resources be threatened?, What adverse effect can prevent the organization from achieving it goals?, and What favourable possibility can be revealed?. Missing a good positive possibility that an organization seeks is a problem equal to bearing losses (Dickson and Hastings, 1989). Risk identification covers sources of risks, hazard factors, perils, and exposures to risks (Tchankova, 2002; Williams et al., 1998). Sources of risk are elements of the organizational environment that can bring negative or positive outcomes. General sources of risks include physical, social political, operational, economic, legal, and cognitive environment. For example, in the case of nuclear power plant, the physical environment is a source of risk. Hazard is a condition or circumstance that increases the chance of losses or gains and their severity. For example, human error can be hazard in nuclear power plant. Peril is something that is close to the risk and it has negative results. Peril is the cause of the losses. It can happen at any time and cause unknown, unpredictable losses. Peril does not include a positive meaning, it always causes losses. In a nuclear power plant, an example of peril is radioactive leakage. Resources exposed to risk are objects facing possible losses or gain. They are affected if the risk event occurs. Resources exposed to risk are physical, human, and financial ones. In the case of nuclear power plant, resources exposed to risk would be the people and local environment. According to Hollman and Forrest (1991; see also Hollman and Mohammad-Zahed, 1984), discovering and classifying the sources from which losses may arise should include both direct and indirect losses. Several techniques are available for risk identification. According to Ahmed et. al., (2007), they include checklists, influence diagrams, cause-and-effect diagrams, failure mode and effect analysis, hazard and operability studies, fault trees, and event trees (see also Birolini, 1993; Clemen and Reilly, 2001; Dhillon, 1982; Duncan, 1996; Kletz, 1985; Kumamoto and Henley, 1996; Lawley, 1974; Risk Management Standard AS/NZS 4360, 1999; Roach and Lees, 1981; Russell and Taylor, 2000; Webb, 1994). Checklists express pre-determined crucial points for symptoms of potential risk situation. Influence diagram refers to a graphical representation of the structure of the decision context involving decisions, uncertain events, consequences and their interrelationships. Cause-and-effect diagram or a fish bone diagram is a graphical representation of root causes of problems, where major causes of the ultimate problem are grouped and broken down into detailed sources. Failure mode and effect analysis provides a structure for determining causes, effects and relationships in a technical system. It is used to determine failures and

The Business Review, Cambridge * Vol. 13 * Num. 1 * Summer * 2009

202

malfunctions through exploration of failure modes, consequences of a system component failure so that solutions for rectifying these problems can be visualized. Hazard and operability study is an extension of failure mode and effect analysis. In this approach, check words are applied to process parameters in order to identify safety and operational problems, usually in new systems. Check words create other perspectives to the overall process and focus attention on unforeseen areas in the process, such as budget and strategy, to identify risk situations. Fault tree analysis is a visual technique for breaking down failure in the system into source events. A fault tree uses event and gate symbols to structure cause and effect relationships of a failure, and thus helps in reflecting on logical sequences that lead to failure. Event tree analysis is a graphical representation of potential consequences arising from a failure where possible consequences are generated and broken down from an initial event. Analyzing Risks Risk probability and consequence of risk event are the basic parameters used in risk analysis (Chapman and Ward, 1997; Ward, 1999; Boehm and DeMarco, 1997; Conroy and Soltan, 1998; Duncan, 1996; Baccarini and Archer, 2001; Patterson and Neailey, 2002; Pyra and Trask, 2002). Probability and consequenc can be expressed numerically (e.g. likelihood 0..100%) and by using qualitative verbalized categories (e.g. the total monetary cost of the loss). In the following, is an example of qualitative categorization by ASIS General Security Risk Assessment Guideline (2003):
Probability:
Virtually certain: Given no changes, the even will occur. Highly probable: The likelihood of occurrence is much greater than that of nonoccurence. Moderate probable: The event is more likely to occur than not to occur. Less probable: The event is less likely to occur than not to occur. Probably unknown: Insufficient data are available for an evaluation.

Impact of a loss event:

Fatal: The loss would result in total recapitalization or abandonment or long-term discontinuation of the enterprise. Very serious: The loss would require a major change in investment policy and would have a major impact on the balance sheet assets. Moderately serious: The loss would have noticeable impact on earnings as reflected in the operating statement and would require attention from the senior executive management. Relatively unimportant: The loss would be charged to normal operating expenses for the period in which sustained. Seriousness unknown: Before priorities are established, this provisional rating is to be replaced by a firm rating from one of the first four classes.

In addition to these, Hollman and Forrest (1991) bring forward the longitudinal time aspect by referring to the potential variation in losses that will actually occur during the exposure period. According to Ahmed et. al. (2007), probability and impact grids, estimation of system reliability, fault tree analysis, and event tree analysis are applicable techniques for risk analysis (see also Birolini, 1993; Chapman and Ward, 1997; Clemen and Reilly, 2001; Dhillon, 1982; Duncan, 1996; Henley and Kumamoto, 1991; Kletz, 1985; Kumamoto and Henley, 1996; Lawley, 1974; Pyra and Trask, 2002; Risk Management Standard AS/NZS 4360, 1999; Roach and Lees, 1981; Royer, 2000; Russell and Taylor, 2000; Stewart and Melchers, 1997; Ward, 1999; Webb, 1994). In probability and impact grids, risk events are represented on a grid consisting of probability on one axis and impacts on another. The grid defines threshold regions, which represent high risk events based on past experience or organizational procedures. Estimation of system reliability is a technique of determining chance of a system element such that it is functioning without a failure in a specified time period. System elements are integrated together as having either a serial or a parallel relationship and traditional reliability calculations are then used to determine the overall reliability of the system. Fault tree analysis as well as event tree analysis, which were referred to in the context of risk identification, can also be used in analyzing risks. Evaluating Risks Risk evaluation relates to the prioritization of risks (Williams et al., 2006). According to Ahmed et. al. (2007), risk evaluation is the function of risk management where risk events need to be prioritized so that risk mitigation plans are determined based on past experience, lessons learnt, best practices, organizational knowledge, industry benchmarks, and standard practices. In this context, different aspects of the operation, such as strategy, budget or schedule, may be considered in light of a risk event to determine risk mitigation options and incorporate the most suitable option into a mitigation plan. The risk exposure of the organization is represented. This ideally equates to the risk capacity, i.e. the maximum resource that the organisation is willing to put at risk, and risk appetite, i.e. the amount of risk the organisation is willing to take (Williams et al., 2006). Ahmed et. al. (2007) suggest decision tree analysis, portfolio management, and multiple criteria decision making method as usable

The Business Review, Cambridge * Vol. 13 * Num. 1 * Summer * 2009

203

techniques for risk evaluation (see also Clarke and Varma, 1999; Clemen, 1996; Clemen and Reilly, 2001; DeMaio et. al., 1994; Dickinson et al., 2001; Duncan, 1996; Remenyi and Heafield, 1996; Russell and Taylor, 2000; Taha, 1997; Webb, 1994). Decision tree analysis is used to structure a decision process and evaluate outcomes from uncertain events. In a decision tree, decision nodes and chance nodes are represented graphically and expected monetary values (EMV) are attached to the nodes. EMV is then used to calculate expected returns from decisions and select the decisions that generate the maximum returns. In portfolio management multiple projects are compared in terms of their risk in investment and potential returns. Alternatives being evaluated are positioned in a matrix of risk and return, which enables decisions to be derived for corporate governance, based on the company strategy and the maximum portfolio value. Multiple criteria decision-making approach considers different attributes of an alternative being evaluated including the negative and the positive factors of a decision. Attributes are weighted according to the predefined criteria. Once the weighted scores for attributes are defined, the total weighted score for an alternative can be calculated, and if it is positive the alternative should be selected. Mitigating and Treating Risks Once the risks have been identified and prioritized, they can be treated. This is often called risk mitigation or risk management. According to Williams et al. (2006), there is a wide range of possibilities ranging from do nothing at all to attempting to nullify the effect of each and every identified risk. Managing risks involves minimizing, controlling and sharing of risks, and the methods often used include retention, transfer, mitigation, and prevention or any combination thereof (Kartam and Kartam, 2001). Treating risks refers to adding control measures and contingency plans to manage the likelihood and consequence of the event (European Foundation for Quality Management, 2005). Risk mitigation attempts to make sure that all controllable events have an action plan or a risk mitigation plan (Ahmed et. al. 2007). The distinction between preventive and mitigative action can be made (Kartam and Kartam, 2001). Preventive actions are those used to avoid or reduce the risk, and mitigative are those used to minimize the effects of risk. Very similar to this, Ahmed et al. (2007) refers to reactive and proactive approaches. A reactive approach or a feed back approach refers to risk mitigation actions initiated after risk events eventuate. They can be seen as initiation of contingency plans. A pro-active approach or a feed forward approach refers to actions initiated based on chance of a risk event occurring. The following approaches for treating risks are brought forward by Hollman and Forrest (1991):
Avoiding. Avoidance aims at restricting the possibility of loss to zero. This happens by terminating or evading the exposure to the risk. Yet, avoidance is not always a realistic method. Some risks are simply unavoidable. Also, avoiding some risks may introduce others. Avoiding approach is also called termination (European Foundation for Quality Management, 2005). Loss control techniques are designed to reduce but not entirely eliminate losses. Loss control techniques include three alternatives: loss prevention, loss reduction, and separation. Loss prevention focuses on reducing the frequency of adverse occurrences by eliminating or reducing the factors that may cause losses. Loss reduction techniques aim at lessen the severity of losses that occur when loss prevention efforts are not fully effective. With separation techniques the loss exposure is minimized by physical dimension, i.e. there is a dispersal of exposure units. A loss to one unit of personal property in an area where there is a high concentration of such items may subject many items to loss in a single occurrence. If the items are separated, an occurrence will not jeopardise the entire operation. Combination involves the accumulation of operating units to reduce the possibility or severity of losses through grouping. For example, police officers often patrol in pairs rather than singly in order to reduce their vulnerability to danger. Transferring risks includes insurances and non-insurances (European Foundation for Quality Management, 2005). Hollman and Forrest (ibid.) distinguish between operational and financing-type of non-insurances. Insurance method is an insurance-based approach in which the company designs an insurance programme on the assumption that the loss exposures can be insured. The types of insurance are classified into three groups: essential, desirable, and available. Essential insurance includes those coverages which are required by law, contract, or are necessary to ensure continuity of the operation. Purchasing desirable insurance is not crucial. However, it provides protection against losses that would significantly frustrate continuity of the operation, though the losses would not be likely to impair subsequent cash flow and profits beyond the tolerance of the company. Available insurance covers less severe losses which do not pose serious financial problems. In the case of operational non-insurance transfer the risk is transferred to persons or entities other than commercial insurers. The legal or financial burden is shifted to another party, for example by transferring the ownership. This is not an avoidance of risk through abandonment, but merely a contractual shift of ownership to someone else. Thus, the responsibility for any subsequent litigation, for example, is also shifted to someone else. Financing techniques do not alter the loss exposure itself, but provide funds for the losses that do occur despite loss control efforts. These funds for recovery may come from within the organization or from without. Financing-type of non-insurance transfers differ from operational type of non-insurance transfers in that the financial consequence of the loss exposure is transferred to some other party (e.g. supplier or customer), but the exposure itself is not eliminated. This resembles insurance since potential financial impact is transferred to another party. Yet, it differs from insurance because the risk is not transferred to a legal insurance company. Insurance allows the insured to transfer contractually the potential financial consequences of a loss exposure to an insurer. It serves as a buffer against large loss potential and helps to regulate income, promote budget stability, and assure financial integrity. In the case of financial retention, the company assumes the risk of loss. This is suitable when the severity of a potential loss is low and the losses are predictable. Finds used to restore losses come from within the firm, e.g. retained earnings, funded loss reserves, borrowing, or additional capital infusion.

The Business Review, Cambridge * Vol. 13 * Num. 1 * Summer * 2009

204

Combination of different methods. Often, several approaches are applied in the risk mitigation. Suitable combination of approaches can be selected with help of minimum expected loss method. This involves selecting the technique or combination of techniques that will minimize expected loss over the long run. Loss is defined in a holistic sense to include expenditures for insurance premiums, costs of safety programs and other loss exposure treatments, nonproductive downtime following an accident, out-ofpocket loss payments, the worry factor, etc. Feasibility studies, mathematical probability formulas, financial analyses, statistical techniques, simulations, and forecasting procedures, for example, can be used here.

Monitoring and Improving Monitoring risks and the whole risk management activity can be done by setting performance objectives, checking actual performance against the objectives, deciding what degree of noncompliance from established goals calls for correction, and taking corrective action where performance needs to be improved (Hollman and Forrest,1991; Hollman and Mohammad-Zahed, 1984). Risk management process should be a continuous process and aim at finding new risks (Tchankova, 2002; Williams et al., 1998). Risk management process is not a one-off activity which is carried out when the organization is established and the current risks are identified. Also, risk identification has to clarify virtual risks as well, which do not affect the organizational resources at the moment. The risk register should be reviewed on a regular basis, e.g. as part of the quarterly performance review, to monitor progress made on actions required. On an annual basis, the score allocated to each risk should also be reassessed to refocus the attention of management on new risks, which may be expected with changing economic conditions (Campbell, 2008). RISKS OF A GLOBALIZING FIRM Several studies have examined internationalization of companies (Johanson and Wiedersheim-Paul, 1975; Bilkey and Tesar, 1977; Cavusgil, 1980; Reid, 1981; Czinkota, 1982; Johansson and Vahlne, 1990; Eriksson et al. 1997) and the traditional paradigm suggests that the internationalization of a company follows a sequence of stages through which the international involvement increases. Widely referred stages in the internationalization process are: no regular export activities, export via independent representatives (agents), establishment of an overseas subsidiary, and overseas production/manufacturing units (Johanson and Wiedersheim-Paul, 1975; see Andersen, 1993).
Table 2. Uncertainties in international business (Miller, 1992) General environmental uncertainties Industry uncertainties Firm uncertainties Political uncertainties - War - Revolution - Coup d'etat - Democratic changes in government - Other political turmoil Government policy uncertainties - Fiscal and monetary reforms - Price controls - Trade restrictions - Nationalization - Government regulation - Barriers to earnings repatriation - Inadequate provision of public services Macro economic uncertainties - Inflation - Changes in relative prices - Foreign exchange rates - Interest rates - Terms of trade Social uncertainties - Changing social concerns - Social unrest - Riots - Demonstrations - Small-scale terrorist movements Natural uncertainties - Variations in rainfall - Hurricanes - Earthquakes - Other natural disasters Input market uncertainties - Quality uncertainty - Shifts in market supply - Changes in the quantity used by other buyers Product market uncertainties - Changes in consumer tastes - Availability of substitute goods - Scarcity of complementary goods Competitive uncertainties - Rivalry among existing competitors - New entrants - Technological uncertainty - Product innovations - Process innovations Operating uncertainties - Labor uncertainties - Labor unrest - Employee safety - Input supply uncertainties - Raw materials shortages - Quality changes - Spare parts restrictions - Production uncertainties - Machine failure - Other random production factors Liability uncertainties - Product liability - Emission of pollutants R&d uncertainty - Uncertain results from research and development activities Credit uncertainty - Problems with collectibles Behavioral uncertainty - Managerial or employee selfinterested behavior

The Business Review, Cambridge * Vol. 13 * Num. 1 * Summer * 2009

205

The concepts of born global or international new ventures suggest that firms may become international almost immediately, from inception, instead of going through incremental path of several stages (Oviatt and McDougall, 1994; Gleason and Wiggenhorn, 2007). In their study, Harveston et al. (2000) found that managers of born global firms had significantly higher risk tolerance than managers of gradually globalizing companies. Network perspective to internationalization focuses on non-hierarchical systems where firms invest to strengthen and monitor their position in international networks (Johanson and Mattson, 1988; Sharma, 1992). Compared with incremental stage models, the network perspective is characterized by more multilateral element to internationalization (Johanson and Vahlne, 1992; Coviello and McAuley, 1993). Globalizing companies may face several risks and uncertainties. A number of reports deal with the various aspects of this issue, such as political risks, foreign exchange risks, country risks, macroeconomic risks, and risks of born global strategies (Haendel et al., 1975; Bunn and Mustafaoglu, 1978; Mascarenhas, 1982; Fitzpatrick, 1983; Herring, 1983; Shubik, 1983; Vernon, 1983; Agmon, 1985; Oxelheim and Wihlborg, 1987; Ting, 1988; Shrader et al., 2000; Gleason et al., 2006). Miller (1992; see also Miller, 1993) classified uncertainties related to international business. His comprehensive classification is a classic one and widely referred in the context risk management in international business (e.g. Werner et al., 1996). Miller classified the uncertainties into three groups: general environmental uncertainties, industry uncertainties, and firm-specific uncertainties (Table 2). General environmental uncertainties include political, government policy, macro economic, social uncertainties, and natural uncertainties. Industry uncertainties cover input market, product market, and competitive uncertainties. Firm uncertainties entail operating, liability, R&D, credit, and behavioral uncertainties. MODEL OF RISK MANAGEMENT IN GLOBALIZING COMPANIES Next, based on the above literature analysis, a model of risk management in globalizing companies is proposed. The present model includes the phases of context establishment, risk identification, risk analysis, risk mitigation, and monitoring and improving (Figure 1). The first step, context establishment, relates to understanding the company and its globalization process, and what is at risk in this context. Here, it is relevant to define the nature and objectives of international operation. It also important to define how slow or rapid the internationalization development is. Also, it should be defined, whether the operation in the target country or area is project-based or continuous. Also, it is relevant to understand the pattern of development in the internationalization process, which may be incremental, network based, or born global. Moreover, the degree of international involvement should be defined; is it question of export via independent agents, or establishment of an overseas sales subsidiary, or manufacturing, service, or R&D units. Furthermore, it is relevant to define the resources, budget availability, stakeholder involvement, and schedule of the internationalization. The second step is about identifying risks in the established context. General environmental uncertainties, industry uncertainties, and firm uncertainties should be examined in detail to identify relevant risks. General environment involves political, government policy, macro economic, social, and natural uncertainties. Industry uncertainties entail those of input market, product market, and competition. Firm uncertainties include operating, liability and behavioral uncertainties. The identified risks are analyzed in the third step. The likelihood of each risk should be defined. This may be conducted quantitatively and/or qualitatively. In quantitative definition, the likelihood is expressed numerically, e.g. 0..100%. In qualitative approach the likelihood is expressed in terms of verbalized categories, e.g. virtually certain, highly probable, moderate probable, and less probable. Also, the consequences, if the risk event occurs, are carefully analyzed. Similarly, this may be conducted quantitatively and/or qualitatively. The consequence of a risk event, if expressed quantitatively, may be for example the financial impact: less than 5.000$, 5.000..50.000$, 50.000..500.000$, and more than 500.000$. Or, if expressed qualitatively, the consequence may be, e.g. relatively unimportant, moderately serious, very serious, or fatal. The fourth step is risk evaluation. This includes prioritization of risks. Risks of different decision making alternatives are defined. Techniques, such as decision tree analysis, portfolio management, and multiple criteria decision making may be helpful here. Based on the earlier analyses, a conscious decision should be made on the amount of risk the organisation is willing to take in their internationalization.

The Business Review, Cambridge * Vol. 13 * Num. 1 * Summer * 2009

206

Context establishment Understand the globalizing organization. Identify the people and assets at risk related to internationalization. Understand the internationalization process. What is the nature and objectives of international operation? Slow or rapid internationalization? Project based or continuous presence in target area? Incremental internationalization, network approach, or born global? The degree of international involvement? - Export via independent agents - Establishment of an overseas sales subsidiary - Overseas manufacturing, service or r&d-units What are the resources, budget availability, stakeholder involvement, and schedule of international operation?

Risk identification General environmental uncertainties - Political uncertainties - Government policy uncertainties - Macro economic uncertainties - Social uncertainties - Natural uncertainties Industry uncertainties - Input market uncertainties - Product market uncertainties - Competitive uncertainties Firm uncertainties - Operating uncertainties - Liability uncertainties - Behavioral uncertainty

Risk analysis Likelihood of each risk - Quantitatively and/or qualitatively Consequence of each risk - Quantitatively and/or qualitatively

Risk evaluation Prioritize the risks Analyze the risk of different decision making alternatives - Decision tree analysis - Portfolio management - Multiple criteria decision making What is the amount of risk the organisation is willing to take?

Risk mitigation Avoiding Loss control - Loss prevention - Loss reduction - Separation Combination Insurance Operational noninsurance Financing-type of non-insurance Financial retention Optimal combination of different methods

Monitor & Improve Set performance objectives Compare actual performance against the objectives Decide what degree of noncompliance from established goals requires improvement Take the needed corrective action Make the risk management process continuous instead of one-off activity Search for new risks which do not affect the organizational resources at the moment

Figure 1. Model of risk management in globalizing companies

The next step involves risk mitigation. Various approaches are available for this purpose, such as avoiding, loss control, combination, insurance, operational and financing type-of non-insurance, and financial retention. The globalizing company should choose an optimal combination of different methods. The final step relates to monitoring and improving the operation. This is done by setting performance objectives, comparing actual performance against the objectives, deciding what degree of noncompliance from established goals requires correction, and taking corrective action where performance needs to be improved. Risk management process should be a continuous process, not a one-off activity. The risk register should be reviewed on a regular basis. Also, the risk identification should consider risks, which do not affect the organizational resources at the moment, but possibly in the future. CONCLUSIONS There is a need to increase the knowledge and develop new approaches for risk management in globalizing companies. This article contributed by developing a model for systematic risk management in globalizing companies. The model integrates the essential elements of risk management process and risks of a globalizing firm. The model includes the phases of context establishment, risk identification, risk analysis, risk mitigation, and monitoring and improving.

The Business Review, Cambridge * Vol. 13 * Num. 1 * Summer * 2009

207

REFERENCES
Agmon, Tamir. 1985. Political economy and risk in world financial markets. Lexington, Mass.: Lexington Books. Ahmed, Ammar, Berman Kayis and Sataporn Amornsawadwatana (2007), A review of techniques for risk management in projects, Benchmarking: An International Journal, Vol. 14 No. 1, pp. 22-36. Andersen, Otto, 1993, On The Internationalization Process of Firms: A Critical Analysis, Journal of International Business Studies, Vol. 24 No. 2, pp. 209-231. Ansell, J. and F. Wharton (eds.) 1992. Risk: Analysis, Assessment and Management, Wiley, New York. ASIS General Security Risk Assessment Guideline, 2003. ASIS International, USA. Baccarini, D. and Archer, R. (2001), "The risk ranking of projects: a methodology", International Journal of Project Management, Vol. 19 No. 3, pp. 139-45. Bilkey, Warren J. and George Tesar, 1977, The export behavior of smaller Wisconsin manufacturing firms, Journal of International Business Studies, 9 (Spring/Summer), pp 93- 98. Birolini, A. (1993), Design for reliability, in Kusiak, A. (Ed.), Concurrent Engineering: Automation, Tools, and Techniques, Wiley, New York, NY, pp. 307-47. Boehm, B.W. and DeMarco, T. (1997), "Software risk management", IEEE Software, Vol. 14 No. 3, pp. 17-19. Bunn, D.W. & M.M. Mustafaoglu. 1978, Forecasting political risk, Management Science, Vol. 24, pp. 1557-67. Campbell, Teresa, 2008, Risk Management: Implementing an Effective System, Accountancy Ireland, Vol. 40 No. 6, pp. 54-57. Cavusgil, S. Tamer, 1980, On the internationalization process of firms, European Research, 8 Nov, pp. 273-81. Chapman, C.B. and Ward, S.C. (1997), Project Risk Management: Processes, Techniques and Insights, Wiley, Chichester. Charette, R., 1989. Software Engineering Risk Analysis and Management, McGraw-Hill, New York. Clarke, C.J. and Varma, S. (1999), Strategic risk management: the new competitive edge, Long Range Planning, Vol. 32 No. 4, pp. 414-24. Clemen, R.T. (1996), Making Hard Decisions: An Introduction to Decision Analysis, Druxbury Press, New York, NY. Clemen, R.T. and Reilly, T. (2001), Making Hard Decisions with Decision Tools, Druxbury Thomson Learning, Toronto. Conroy, G. and Soltan, H. (1998), "ConSERV, a project specific risk management concept", International Journal of Project Management, Vol. 16 No. 6, pp. 353-66. Coviello, Nicole E. and Andrew McAuley, 1993, Internationalisation and the Smaller Firm: A Review of Contemporary Empirical Research, Management International Review, Vol. 39, pp. 223-256. Czinkota, Michael R., 1982. Export development strategies: US promotion policies. New York: Praeger Publishers. DeMaio, A., Verganti, R. and Corso, M. (1994), A multi-project management framework for new product development, European Journal of Operational Research, Vol. 78 No. 2, pp. 178-91. Dhillon, B.S. (1982), Reliability Engineering in Systems Design and Operation, Van Nostrand Reinhold Company, New York, NY. Dickinson, M.W., Thornton, A.C. and Graves, S. (2001), Technology portfolio management: optimizing interdependent projects over multiple time periods, IEEE Transactions on Engineering Management, Vol. 48 No. 4, pp. 518-27. Dickson, G.C.A. and W.J. Hastings, 1989. Corporate Risk Management. Witherby Co., London. Duncan, W.R. (1996), A Guide to the Project Management Body of Knowledge, Project Management Institute, Newtown Square, PA, pp. 111-21. Eriksson, Kent, Jan Johansson, Anders Majkgrd, and D. Deo Sharma, 1997, Experiential Knowledge and Cost in the Internationalization Process, Journal of International Business Studies, Vol. 28 No. 2, pp. 337-360. European Foundation for Quality Management (2005), EFQM Framework for Risk Management, European Foundation for Quality Management, Brussels. Fitzpatrick, Mark. 1983, The definition and assessment of political risk in international business: A review of the literature; Academy of Management Review, Vol. 8, pp. 249-54. Gleason, K., Madura, J., & Wiggenhorn, J. (2006), Operating Characteristics, Risk, and Performance of Born-Global Firms, International Journal of Managerial Finance, Vol. 2, pp. 96-120. Gleason, Kimberly C. and Joan Wiggenhorn, 2007, Born Globals, The Coice of Globalization strategy, and Markets Perception of Performance, Journal of World Business, Vol. 42, pp. 322-335. Harveston, Paula D., Ben L. Kedia, and Peter S. Davis, 2000, Internationalization of Born Global and Gradual Globalizing Companies: The Impact of the Manager, Advances in Competitiveness Research, Vol. 8 No. 1, pp. 92- 99. Haendel, Dan, Gerald T. West, and Robert G. Meadow, 1975. Overseas investment and political risk Philadelphia. Foreign Policy Research Institute. Henley, E.J. and Kumamoto, H. (1991), Probabilistic Risk Assessment: Reliability Engineering, Design and Analysis, IEEE Press, New York, NY. Herring, Richard J., editor. 1983. Managing foreign exchange risk. New York: Cambridge University Press. Hollman, K.W. and Mohammad-Zahed, S. (1984), Risk Management in Small Business, Journal of Small Business Management, Vol. 22 No. 1, pp. 47-56. Hollman, Kenneth W. and Jack E. Forrest, 1991, Risk Management in a Service Business, International Journal of Service Industry Management, Vol. 2 No. 2, pp. 49-56. Jaafari, A. (2001), Management of risks, uncertainties and opportunities on projects: time for a fundamental shift, International Journal of Project Management, Vol. 19 No. 2, pp. 89-101. Johanson, J. and L.G. Mattson, 1988, Internationalisation in Industrial Systems a Network Approach, in Hood, N. and Vahlne, J.E. (eds.) Strategies in Global Competition, London, Croom Helm, pp. 287-314. Johanson, J. and J-E. Vahlne, 1992, Management of Foreign Market Entry, Scandinavian International Business Review, 1, 3, pp. 9-27. Johanson, Jan and Finn Wiedersheim-Paul, 1975, The internationalization of the firm- Four Swedish cases, Journal of Management Studies, Vol. 12 No. 3, pp. 305-22. Johanson, Jan and Jan-Erik Vahlne, 1990, The Mechanism of Internationalization, International Marketing Review, Vol. 7 No. 4, pp. 11-24. Kartam, N.A. and Kartam, S.A. (2001), Risk and its management in the Kuwaiti construction industry: contractors perspective, International Journal of Project Management, Vol. 19 No. 6, pp. 325-35. Kletz, T.A. (1985), Eliminating potential process hazards, Chemical Engineering, Vol. 92 No. 4, pp. 48-68. Kumamoto, H. and Henley, E.J. (1996), Probabilistic Risk Assessment and Management for Engineers and Scientists, IEEE Press, Piscataway, NJ.

The Business Review, Cambridge * Vol. 13 * Num. 1 * Summer * 2009

208

Larson, N. and Kusiak, A. (1996a), Managing design processes: a risk assessment approach, IEEE Transactions on System, Man and Cypernetics Part A: Systems and Humans, Vol. 26 No. 6, pp. 749-59. Lawley, H.G. (1974), Operability studies and hazard analysis, Chemical Engineering Progress, Vol. 70 No. 4, pp. 45-56. Miller, Kent D., 1992, A Framework for Integrated Risk Management in International Business, Journal of International Business Studies, Vol. 23 No. 2, pp. 311-331. Miller, Kent D., 1993, Industry and Country Effects on Managers Perceptions of Environmental Uncertainties, Journal of International Business Studies, Vol. 24 No. 4, pp. 693-714. Mascarenhas, Briance. 1982, Coping with uncertainty in international business, Journal of International Business Studies, Vol. 13 No.2, pp. 87-98. Oviatt, B. and P. McDougall, 1994, Toward a Theory if International New Ventures, Journal of International Business Studies, Vol. 25, pp. 4564. Oxelheim, Lars and Clas G. Wihlborg, 1987. Macroeconomic uncertainty: International risks and opportunities for the corporation. New York. Patterson, F.D. and Neailey, K. (2002), "A risk register database system to aid the management of project risk", International Journal of Project Management, Vol. 20 No. 5, pp. 365-74. Pyra, J. and Trask, J. (2002), "Risk management post analysis: gauging the success of a simple strategy in a complex project", Project Management Journal, Vol. 33 No. 2, pp. 41-8. Reid, Stan D., 1981, The decision-maker and export entry and expansion, Journal of International Business Studies, 12 (Fall), pp. 101-12. Remenyi, D. and Heafield, A. (1996), Business process re-engineering: some aspects of how to evaluate and manage the risk exposure, International Journal of Project Management, Vol. 14 No. 6, pp. 349-57. Risk Management Standard AS/NZS 4360 (1999) Risk Management Standard AS/NZS 4360, Standards Association of Australia, Sydney. Roach, J.R. and Lees, F.P. (1981), Some features of and activities in hazard and operability (Hazop) studies, The Chemical Engineer, October, pp. 456-62. Root, Franklin R. 1988, Environmental risks and the bargaining power of multinational corporations, International Trade Journal, Vol. 3 No. 1, pp. 111-24 Royer, P.S. (2000), Risk management: the undiscovered dimension of project management, Project Management Journal, Vol. 31 No. 1, pp. 613. Russell, R.S. and Taylor, B.W. III (2000), Operations Management, Prentice-Hall Inc., Upper Saddle River, NJ. Sharma, D., 1992, International Business Research: Issues and Trends, Scandinavian International Business Review, 1, 3, pp. 3-8. Shrader, R., Oviatt, B., & McDougall, P. (2000), How new ventures exploit trade-offs among international risk factors: Lessons for the accelerated internationalization of the 21st century, Academy of Management Journal, 43, pp. 12271247. Shubik, Martin. 1983, Political risk: Analysis. process and purpose, in Richard J. Herring. ed., Managing international risk, New York: Cambridge University Press, pp. 109-38 Standards Australia and Standards New Zealand (2004), Australia New Zealand Handbook: Risk Management Guidelines Companion to AS/NZS 4360, Standards Australia, Sydney/Standards New Zealand, Auckland. Stewart, M.G. and Melchers, R.E. (1997), Probabilistic Risk Assessment of Engineering Systems, Chapman & Hall, London. Taha, H.A. (1997), Operations Research: An Introduction, Prentice-Hall, Upper Saddle River, NJ. Tchankova, Lubka, 2002, Risk Identification Basic Stage in Risk Management, Environmental Management and Health, Vol. 13 No. 3, pp. 290-297. Ting, Wenlee. 1988. Multinational risk assessment and management. Westport, Conn.: Greenwood Press. Vernon, Raymond. 1983, Organizational and institutional responses to international risk, in Richard J. Herring (ed.) Managing international risk, New York: Cambridge University Press, pp. 191-216. Ward, S.C. (1999), "Assessing and managing important risks", International Journal of Project Management, Vol. 17 No. 6, pp. 331-6. Webb, A. (1994), Managing Innovative Projects, Chapman & Hall, London. Werner, Steve, Lance Eliot Brouthers, and Keith T. Brouthers, 1996, International Risk and Perceived Environmental Uncertainty: The Dimensionality and Internal Consistency, Journal of International Business Studies, Vol. 27 No. 3, pp. 571-587. Williams, Terry, 1995, A classified bibliography of recent research relating to risk management, European Journal of Operational Research, Vol. 85 No. 1, pp. 18-38. Willams, Roger, Boudewijn Bertsch, Barrie Dale, Ton van der Wiele, Jos van Iwaarden, Mark Smith, and Rolf Visser, 2006, Quality and Risk Management: What Are the Key Issues?, The TQM Magazine, Vol. 18 No. 1, pp. 67-86. Williams, C.A., M.I. Smith, and P.C. Young, 1998. Risk Management and Insurance. Irwin, McGraw-Hill. Wynne, B. (1992), "Science and social responsibility", in: J. Ansell and F. Wharton (eds.), Risk: Analysis, Assessment and Management, Wiley, New York, 137-152.

The Business Review, Cambridge * Vol. 13 * Num. 1 * Summer * 2009

209

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.