Understanding the Ecosystem of Enterprise Risk Governance

Approaches to risk governance are not homogeneous across organizations. Some organizations invest heavily in building formal and strategically focused enterprise-wide risk governance processes whereas others exhibit reduced formality and focus, allowing risk governance to be less structured. We argue that risk governance may best be described as a service dependent upon a network (or ecosystem) of participants who include users of risk information and providers who design and implement risk governance processes. Using a survey sample of 2,380 observations from 2011 to 2016, we find that external calls for enhanced risk governance are positively associated with risk governance processes having greater formality and strategic focus. We find this relationship is partially mediated by internal demands for enhanced risk governance. Further, we find that the positive association between internal demands and enhanced risk governance is reduced by resource constraints and that a risk-seeking attitude is negatively associated with enhanced risk governance.