
Rheneas Dururu - N01310089T

The document evaluates the adoption and maturity level of enterprise risk management of Zimbabwean life and non-life insurance companies. It reveals that over 80 frameworks can guide ERM implementation and COSO 2004 is most used. The study found the current ERM maturity level is at stage two, and recommendations are made for companies to achieve stage five to benefit most from ERM.

Uploaded by

Arnold Shanji

NATIONAL UNIVERSITY OF SCIENCE AND TECHNOLOGY

AN EVALUATION OF THE LEVEL OF ENTERPRISE RISK MANAGEMENT
ADOPTION AND MATURITY OF THE ZIMBABWEAN LIFE AND NON-LIFE
INSURANCE COMPANIES.

DURURU RHENEAS

N01310089T

Bachelor of Commerce Honours Degree in Risk Management and Insurance.

2017
AN EVALUATION OF THE LEVEL OF ENTERPRISE RISK MANAGEMENT
ADOPTION AND MATURITY OF THE ZIMBABWEAN LIFE AND NON-LIFE
INSURANCE COMPANIES.

By

DURURU RHENEAS

N01310089T

Dissertation submitted in partial fulfilment of the requirements for the degree of
Bachelor of Commerce Honours Degree in Risk Management and Insurance

Department of Insurance and Actuarial Sciences

National University of Science and Technology (NUST)

Supervisor: Mr BW Mazviona

2017

Declaration

I, Rheneas Dururu, do hereby declare that this dissertation is the result of my investigation and
research and that this has not been submitted in part or full for any degree or for any other
degree to any other University.

___________________ _________________

R. Dururu Date

Dedication

To my family for their unwavering support and sacrifices.

Acknowledgements

Academic writing, especially in the domain of research, can make exacting demands on the
researcher. My accolades are attributed to various individuals and professionals, for they
exceeded the level of commitment and enthusiasm towards the success of this research. Firstly,
my gratitude goes to God The Almighty; without his grace this endeavor would have been a
failure. Surely the Lord has brought me this far.

In the same vein, the initiative by my supervisor, Mr BW Mazviona to guide and direct this
project remains illustrious and is accorded due acknowledgment. His unwavering guidance was
my pillar of strength during the course of the whole project. May he continue to guide all those
who will pass through his mentoring hands. I am also pleased to express my deep appreciation
to the NUST staff for their various contributions to this work, as this will go a long way in
fostering my career.

Lastly, recognition is extended to my family for their contributions for rendering their moral
support.

I thank you all!

Abstract

The increased level of risk complexity in the Zimbabwean insurance industry has in many instances
shown that there is a need to manage risks in a holistic manner. In a bid to stay awake in the
prolonged survival mode, some insurers shifted from the art of managing risks in silos to the
process of Enterprise Risk Management (ERM). This study, therefore, evaluates the adoption
and maturity level of ERM of the Zimbabwean life and non-life companies registered by the
Insurance and Pension Commission as at 30 September 2016. Ninety-nine questionnaires were
distributed to thirty-three insurance companies and the responses analysed in SPSS v 21 using
descriptive statistics and correlation analysis before making sound conclusions. The research
reveals that there are more than eighty frameworks from which insurers can choose freely as a
guideline in ERM implementation. The findings from the research study established that the
COSO: 2004 framework is the most used guideline as a benchmark for ERM implementation.
The study found that enterprise risk management maturity level in the Zimbabwean insurance
industry is at level two (poor). Recommendations were made to insurance companies to strive
for level five (optimised), at which companies will benefit most from the advantages associated
with ERM. Lack of understanding of ERM benefits, ambiguity in roles and responsibilities in risk
management, lack of embodiment of ERM in organizational culture, time and cost required in
developing ERM, inadequate information to make risk-based decisions and lack of managerial
support and clear ERM guideline, in that order, were found to be the main
challenges that Zimbabwean insurers are facing in implementing ERM. It was also found
that board and top management commitment, building a strong risk culture within the
organization, building a dedicated ERM function, appointment of a chief risk officer and
developing a risk appetite statement are among the strategies that can be employed towards a
robust ERM structure and therefore the attainment of the ERM optimized stage.

Table of contents
Dedication
Acknowledgements
Abstract
List of tables
List of figures
List of abbreviations and acronyms
1. CHAPTER ONE: INTRODUCTION
1.1 Introduction
1.2 Background of the study
1.3 Problem Statement
1.4 Objectives of the study Primary Objective.
1.5 Secondary objectives.
1.6 Research questions
1.7 Assumption of study
1.8 Significance of the study
1.8.1 The Researcher
1.8.2 The University
1.8.3 Insurance companies
1.9 Delimitation of the study
1.10 Limitations of the study
1.11 Organization of study
1.12 Chapter summary
2. CHAPTER TWO - LITERATURE REVIEW
2.1 Introduction
2.2 Risk and the risk environment.
2.3 Development of Enterprise Risk Management
2.3.1 The TRM approach
2.3.2 The ERM Approach
2.4 ERM Approach defined
2.4.1 The ERM Process
2.5 ERM Frameworks
2.5.1 COSO: 1992, 2004 and 2013 ERM – Integrated Approach
COSO ERM Framework Deficiencies
2.5.2 ISO 31000:2009
ISO 31000 Framework deficiencies
2.5.3 BS 31100: 2008, Code of Practice for RM
2.5.4 OCEG Red Book 2.0:2009. A GRC model
2.6. Levels of ERM Maturity
2.6.1 ERM Maturity Level 1- Very Poor
2.6.2 ERM Maturity Level 2- Poor
2.6.3 ERM Maturity Level 3- Mid
2.6.4 ERM Maturity Level 4- Good
2.6.5 ERM Maturity Level 5- Optimised
2.7 Review of Empirical Research
2.7.1 Empirical Research Studies analysis
2.7.2 Empirical research conclusions
2.7.3 Research gap
2.8 Challenges in Implementation of ERM
2.8.1 Challenges in general
2.8.2 Ambiguity in roles and responsibilities in RM
2.8.3 Lack of embodiment of ERM in organizational culture
2.8.4 Inadequate information to make risk-based decisions
2.8.5 Lack of managerial support and clear ERM guideline
2.8.6 Time and cost required in developing ERM
2.8.7 Lack of understanding of ERM benefits
2.9 Strategies in Implementing of Enterprise Risk Management
2.9.1 Build a strong risk culture within the organization
2.9.2 Board of Directors and top management commitment
2.9.3 Appointment of a CRO
2.9.4 Building a dedicated ERM function or department
2.9.5 Developing a risk appetite statement
2.10 Chapter Summary
3. CHAPTER THREE- RESEARCH METHODOLOGY
3.1 Introduction
3.2 Research philosophy
3.3.1 Positivism
3.1.2 Phenomenology
3.2 Research Design
3.2.1 Descriptive Research
3.2.2 Justification
3.3 Research approach
3.3.1 Qualitative
3.3.2 Quantitative
3.4 Sampling Frame
3.4.1 Population
3.4.2 Sample Size
Justification of the Sample Size
3.5 Sampling Technique
3.5.1 Purposive sampling
3.5.2 Convenience sampling
3.6 Sources of Data
3.6.1 Primary data collection method
3.6.2 Questionnaire construction
Justifications for the use of a survey questionnaire
3.6.3 Secondary data collection methods
3.7 Data Collection Procedure
3.7.1 Primary Data- questionnaire administration
3.7.2 Secondary data
3.8 Pilot Study
3.9 Data Presentation and Analysis Procedures
3.10 Validity and reliability of research instruments
3.11.1 Cronbach’s Alpha
3.11.2 Data normality
3.12 Limitations
3.13 Elimination bias
3.14 Ethical considerations
3.15 Chapter Summary
4. CHAPTER FOUR: RESULTS, DISCUSSION AND INTERPRETATION OF FINDINGS
4.1 Introduction
4.2 Response rate
4.3. Questionnaires sent and responded
4.3.1 Demographic Characteristics
Gender
Position
4.4 Reliability and data normality analysis
4.5.1 ERM adoption
4.6 ERM frameworks used as guidelines.
4.6.1 Correlation between ERM maturity and types of ERM frameworks
4.7 ERM maturity levels
4.7.1 Zimbabwean insurance industry overall ERM Maturity Level
4.7.2 Contributions of each dimension to the overall score
Level 1- Very weak
Level 2- Poor
Level 3- Mid
Level 4- Good
Level 5- Optimised
4.7.3 Components radar chart
4.7.4 Bivariate correlation analysis
4.7.5 Strength/ weaknesses analysis
4.8 Challenges that the Zimbabwean insurers are facing towards ERM implementation.
4.8.1 Ambiguity in roles and responsibility in RM
4.8.2 Lack of embodiment of ERM in organizational culture
4.8.3 Inadequate information to make risk based decisions
4.8.4 Lack of managerial support and clear ERM guideline
4.8.5 Time and cost required in developing ERM
4.8.6 Lack of understanding of ERM benefits
4.8.7 Factor analysis
4.8.8 One sample T test
4.9 Strategies to be employed towards robust ERM program
4.9.1 Build a strong risk culture within the organization
4.9.2 Board of directors and top management commitment
4.9.3 Appointment of a CRO
4.9.4 Developing a risk appetite statement
4.9.5 Building a dedicated ERM function or department
One sample T test
4.10 Chapter summary
5. CHAPTER FIVE: CONCLUSIONS AND RECOMMENDATIONS
5.1 Introduction
5.2 Summary of findings
5.2 Findings from the literature review
5.2.1 ERM frameworks in place
5.2.2 ERM maturity levels
5.2.3 Challenges insurance firms face towards a robust ERM structure
5.2.4 Strategies
5.3 Findings from the primary research
5.3.1 ERM frameworks
5.3.2 ERM maturity level
5.3.3 Challenges
5.3.4 Strategies
5.4 Conclusions
5.4.1 ERM framework
5.4.2 ERM maturity level
5.4.3 Challenges faced by Zimbabwean insurers towards ERM development
5.4.4 Strategies that Zimbabwean insurers might use towards ERM development
5.5 Recommendations
5.5.1 ERM Frameworks Recommendation
5.5.2 Maturity level Recommendation
5.5.3 Recommendation on the challenges faced
5.5.4 Recommendations on Strategies in the development of ERM
5.5.4 The regulator and the insurance industry
5.6 Areas of further study
5.7 Summary
References
List of appendices
Appendix one: Questionnaire survey
Appendix two

List of tables

Table 3.1: Sample size
Table 4.2: Response rate
Table 4.3: Gender
Table 4.4: Position
Table 4.5: Reliability statistics
Table 4.6: Tests for normality
Table 4.7: ERM adoption
Table 4.8: ERM frameworks
Table 4.9: Correlations
Table 4.10: Correlations
Table 4.11: Descriptive Statistics for challenges analysis
Table 4.12: Descriptive analysis
Table 4.13: Descriptive statistics
Table 4.14: Descriptive statistics
Table 4.15: Descriptive statistics
Table 4.16: Descriptive analysis
Table 4.17: Descriptive analysis
Table 4.18: KMO and Bartlett's Test
Table 4.19: Rotated Component Matrix
Table 4.20: Total Variance Explained
Table 4.21: One-Sample Test
Table 4.22: Descriptive Statistics on strategies towards a robust ERM
Table 4.23: Descriptive statistics
Table 4.24: Descriptive statistics
Table 4.25: Descriptive statistics
Table 4.26: Descriptive statistics
Table 4.27: Descriptive statistics
Table 4.28: One-Sample Test
Table 29 ERM maturity computations

List of figures

Figure 2.1: COSO ERM Evolution
Figure 2.2: The ISO 31000:2009 Framework.
Figure 2.3: A GRC model
Figure 2.4: ERM components
Figure 2.5: ERM Maturity scale
Figure 2.6: Current ERM status
Figure 2.7: Risk appetite process.
Figure 4.1: ERM maturity level
Figure 4.2: The maturity level analysis using dimension contributions
Figure 4.3: ERM components radar
Figure 4.4: Dimension effect analysis
Figure 4.5: Strength/ weaknesses analysis

List of abbreviations and acronyms

BS British Standard
COSO Committee of Sponsoring Organizations
CRO Chief Risk Officer
D1 Dimension 1- Internal environment
D2 Dimension 2- Objective setting
D3 Dimension 3- Event identification
D4 Dimension 4- Risk assessment
D5 Dimension 5- Risk response
D6 Dimension 6- Control activities
D7 Dimension 7- Information and communication
D8 Dimension 8- Monitoring
ERM Enterprise Risk Management
ERMMM Enterprise Risk Management Maturity Model
ERMM Enterprise Risk Management Maturity
GRC Governance, Risk and Compliance
ISO International Standard Organization
IPEC Insurance and Pension Commission
S&P Standard and Poor
RM Risk Management
TRM Traditional Risk Management
NYSE New York Stock Exchange
KRI Key risk indicators

1. CHAPTER ONE: INTRODUCTION

1.1 Introduction

Organizations exist to secure opportunities based on taking calculated risks. No business is
profitable without controlled risk taking and its effective management (Acharyya & Mutenga,
2013). Amelia (2013) noted that it is of paramount importance that these pertinent risks are
properly and timely identified, measured, reported, integrated, analysed, monitored,
communicated and managed by an entity to facilitate management in making the appropriate
risk management decisions. It is therefore of supreme importance for insurers to adopt ERM,
as it would at the very least cut down losses and at best maximise shareholder value.

ERM development in the Zimbabwean insurance industry is congruent with stakeholder
demands for improved RM practices following the increased rate of business failure, failure of
insurers to compete in the international market and the jockeying for the paltry gross premium
per year. However, knowledge is scant about ERM development taking into consideration its
adoption and maturity level despite the global emphasis given to RM practices and its
disclosure. Thus, it is timely to have a study that precisely focuses on evaluating ERM adoption
and maturity in the Zimbabwean insurance industry.

1.2 Background of the study

As business leaders strive to manage the ever-changing micro and macro-environment, they
face an exponentially increasing range of uncertainties that creates a highly complex portfolio
of potential risks that, if unmanaged, can cripple an entity's business model and brand (Beasley
et al., 2016). As an emerging requisite for the dynamics of the market, ERM, which is a
paradigm shift from the traditional approach to managing risks holistically, has become a
priority as a panacea for all business risks. This is evidenced by the statistic that 46% of Asia
Pacific CEOs strongly agree that the adoption of ERM practice is a top priority
(Mottaghi et al., 2012). Regrettably, the adoption of the ERM framework is still a voluntary
concept.

ERM first began to emerge in the early 1990s, when standardized frameworks and best
practices were developed, and since then its benefits have been increasingly publicized and
organizations have sought to implement it (Locklear, 2012). This is being driven by the
global pressure on RM issues. Since the year 2000, much has been done to induce all financial
institutions to adopt ERM. In 2004, COSO released the ERM integrated approach to
managing risks holistically. During the very same year, the NYSE issued a corporate
governance procedure requiring audit committees of listed firms to be involved in risk
oversight. Since 2007, ERM has been targeted by many organizations, with rating
agencies taking part in its development; for example, Standard and Poor's (S&P)
developed an RM rating system which functions as a key factor in the overall rating of insurers.

This was followed by several efforts regarding the management of risks, including the Troubled
Asset Relief Program (TARP) in October 2008, which stemmed from the Emergency
Economic Stabilization Act (EESA), for the purpose of helping troubled financial institutions.
During the very same year, Ciorciari & Blattner (2008) developed an ERM maturity model in
an endeavour to evaluate the level of ERM practices in place. The maturity model consists of
26 topics, 123 elements and 8 components which were remodelled from the COSO ERM 2004.
Zhao & Low (2013) also developed an ERMMM consisting of 16 important ERM maturity
criteria and presented 66 applicable best practices under these criteria; this can be applied
in companies to measure maturity and identify areas of improvement. This helps insurers to
measure their risk standpoint. Several efforts were made in 2009, including the ISO 31000:2009
RM framework and the Shareholder Bill of Rights, with the aim of encouraging firms to
create stand-alone risk committees. These developments are said to promote increased risk
awareness and risk culture and a move towards ERM adoption, which facilitates better
operational and strategic decision making.

However, despite the growth and evolution of ERM during the past two decades, the program
has been pragmatic across financial institutions (Danijela et al., 2015). According to the COSO
ERM Frameworks study, ERM has already been an accepted approach; however, the stage of
most ERM systems is still immature. Beasley et al. (2016) also examined the global state of risk
oversight and found that there was an increased development of ERM from 9% in 2009
through 2012, with a levelling off at 25% for the subsequent three years, in the
organizations that claim they have a complete formal ERM process in place.

In a survey of the current state and development of ERM, it was observed that only 41% of
the companies in Europe, North America, and Asia have adopted some form of ERM (Danijela
et al., 2015). Danijela et al. (2015) also indicated very low levels of ERM development in Croatia,
evidenced by only 2% of the companies having a developed ERM system and 77% having an
underdeveloped ERM system or corporate RM in general, with the remainder having no
elements of ERM systems and not managing corporate risks at all. Their findings also
concluded that the ERM system is underdeveloped in Croatia.

Drawing closer to home, the Central Bank of Nigeria (2012) maintains that RM is still at a
rudimentary stage and is bedevilled by some challenges. Chisasa and Young (2013) examined
the implementation and the status quo of operational RM in developing markets and indicated
that there is a lack of knowledge in the assembly of risk data and implementation models. This
indicated an underdeveloped ERM system and relatively immature ERM practices in
developing countries, Africa being the subject. The above statistics reveal that a large number of
corporates are still not satisfied with their process of risk assessment and need further guidance
in implementing ERM (Beasley et al., 2010).

Furthermore, many researchers blamed poor ERM practices as the immediate cause of some
or all of the ills of the 2008-2009 Global Financial Crisis. The International Association of
Insurance Supervisors (IAIS) responded to the G20 heads of state's call for major
improvements in RM practices by promulgating an Insurance Core Principle paper on ERM
requiring insurance regulators to promote ERM practice and self-assessment of solvency needs
by insurers globally (IAIS, 2005). As such, IPEC acted by issuing a directive on governance
and RM to ensure that underwriters have in place systems for identifying, assessing and
monitoring the risks that affect their ability to meet their obligations to policyholders (Huni, 2016).

In view of the ever-evolving nature of the Zimbabwean micro and macro-economic
environment, the need for regular and periodic evaluation of the effectiveness of the company's
ERM process cannot be overemphasized (Duru, 2013). Several stakeholders have decided to
face the economic and financial complexity by shifting from the traditional silo approach to a
robust ERM (Bertinetti et al., 2013). This paper, therefore, provides an evaluation of the level
of ERM adoption and maturity in the Zimbabwean insurance industry by evaluating ERM
maturity and the challenges faced during the implementation process, and finally provides an
insight into the available strategies to counter the challenges.

1.3 Problem Statement

With the emergence of the global economic crisis in 2008, which demonstrated the importance
of a robust ERM structure, the development of ERM has come under scrutiny and been questioned.
Prior to this global financial crisis, Zimbabwe had for almost ten years experienced a turbulent
hyperinflationary economic environment, characterized by the drying up of foreign investment
and shortages of much-needed foreign currency, which resulted in low industrial capitalization.
As if this was not enough, the emergence of dollarization in 2009 relentlessly continued to
cripple the progress of many sectors, resulting in even lower capitalization of businesses,
evidenced by high levels of deregulation of insurers (Chikomba et al., 2013).

In the wake of the current Zimbabwean economic crisis, some insurers have cut down
tremendously on the number of staff, branches and divisions, and some were deregistered. Moreover, in
terms of overall performance, the short-term insurance industry experienced a decline in
the volume of business generated, witnessed by a 4.97% decrease in total gross premium written
during the half year ended June 2016, though the life assurance industry showed a slight growth
momentum (IPEC, 2016). The aftermath of these events has brought to the surface, in many
instances, a lack of preparedness or effective responses and hence placed the ERM issue at the
forefront.

In light of the increased attention to ERM, most studies have been conducted in the
Zimbabwean financial market mainly covering the banking sector and only a few in the
insurance sector, with researchers focusing on the value implications of ERM and key drivers
towards ERM employment. Lindberg and Seifert (2011) revealed that the banking industry was
among the first to adopt ERM, but many bankers did not implement it properly. However, the
ERMM level has not been evaluated or investigated in the studies that measured the value of
ERM adoption in the Zimbabwean insurance industry. It would follow then that stakeholders
are interested to know the level of maturity of their ERM programs and strategies to improve
ERM so that the companies can derive value from it. It is in that regard that the researcher
evaluated the level of ERM adoption and maturity as a panacea to the pertinent risks. Hence,
this study addresses this knowledge and management gap as there is a direct link between ERM
maturity and value derived from it.

1.4 Objectives of the study

Primary Objective.

The main objective of this research was to evaluate the level of ERM adoption and maturity
in the Zimbabwean life and non-life insurance industry as at 30 September 2016. To ensure
that the primary objective of this research project was met, the researcher
developed the secondary objectives listed below:

1.5 Secondary objectives.

1. To assess the ERM frameworks used by Zimbabwean insurers as guidelines in the
implementation of ERM.
2. To assess the ERM maturity level within the Zimbabwean insurance industry.
3. To assess the challenges faced by Zimbabwean insurers in developing ERM.
4. To provide an insight into the available strategies to the challenges faced by
Zimbabwean insurers when implementing ERM.

1.6 Research questions

The persistence of the research problem has engendered several investigative questions. It is
of paramount importance that effective responses to the questions be established if a
long-lasting solution is to be identified. The research questions below were generated to furnish
sound research.

1. Which ERM frameworks have been used as guidelines in the implementation process
by Zimbabwean insurance companies?
2. At what levels of maturity are the ERM processes in the Zimbabwean insurance
industry?
3. What are the challenges that Zimbabwean insurers are facing in ERM implementation?
4. What strategies can Zimbabwean insurers put in place to achieve the necessary level
of ERM maturity?

1.7 Assumption of study

To make this investigation a success, the researchers assumed that:

• The Bulawayo insurance market is a good reflection of the whole Zimbabwean
insurance market.
• The result from the sample size from which the data was gathered is a reflection of the
Zimbabwean insurance sector.
• Insurers have a risk appetite, are rational and always want to maximize return on the investor’s
investments.
• Respondents will provide the data timeously and give truthful responses that will facilitate
reasonable inferences and deductions.
• The Zimbabwean insurance industry refers to life and non-life insurers.

1.8 Significance of the study

The primary objective of this research was to evaluate the level of ERM adoption and maturity
in the Zimbabwean insurance industry. As such, the subject under study is very useful to
many industry stakeholders, as the issue of RM forms the foundation of the insurance industry.
The researcher gathered a lot of literature from various markets, together with primary data, to
create a valid research study rich in facts and opinions and therefore to make valid conclusions. The
study will be very useful to:

1.8.1 The Researcher

The research is carried out in partial fulfilment of the requirements for the Bachelor of
Commerce Honours Degree in Risk Management and Insurance at the National University of
Science and Technology. The investigation will give the researcher the platform to integrate
the theoretical fundamentals mastered during his studies with the practical aspects of the
industry.

1.8.2 The University

This investigation will provide other students with a platform for further study areas. Moreover, it
will aid students to have a deeper understanding of the components of ERM. The objectives
of this study will become a foundation for students to further develop the research on the
development of ERM in the Zimbabwean insurance industry and other industry sectors.

1.8.3 Insurance companies

The findings will demonstrate the adequacy or lack of effective and robust internal measures,
which will prompt senior management to take corrective measures in addressing the gaps
identified. The research will aid and drive the organization towards implementing a robust ERM
to ensure that it can manage all types of risks in a holistic manner. This will ensure efficient
business management of the entities and therefore guarantee the going concern of businesses.

1.8.4 Shareholders

This group of stakeholders, who inject their funds into the business, will visualize their industry's
current standpoint in managing its risks, which might guarantee their return on investment.
Most investors are risk averse, so the level of ERM will reveal the issues pertaining to risk
tolerance and the risks assumed, and therefore aid in highlighting areas of high risk for the balance
sheet of an entity.

1.8.5 The Government and IPEC

The research will reveal to the regulatory board the current RM practices. This will disclose
the security of the policyholders' and shareholders’ funds and also the business continuity of
entities. This follows from the fact that the board is responsible for regulation and performance
monitoring. Moreover, the government as a key stakeholder needs assurance that all business risks
are under control and that insurers continue to play a part in contributing to the country’s gross
domestic product.

1.9 Delimitation of the study

The research was limited to the development of ERM in the insurance industry. The research
was also extended to incorporate the challenges that Zimbabwean insurers are facing in
the development of ERM. Moreover, some insights on strategies that can be employed by
Zimbabwean insurers were suggested to ensure a robust ERM structure is in place. The research,
however, was centred on the Zimbabwean life and non-life insurance companies registered by
IPEC as at 30 September 2016. Special reference was made to other big firms across other
industries and nations where ERM is viable.

1.10 Limitations of the study

There are very few insurance companies which are employing a robust ERM. This might lead
to data mining and sample selection errors which are linked to the research sample size.
However, the researcher gathered as much information as possible that represents the true sample size
of the insurance target population. Financial constraints, that is, inadequacy of financial resources,
might impede the researcher from carrying out an in-depth investigation. However, to ensure that the
study succeeded, the researcher optimized the available resources and channelled them efficiently.
Issues of information confidentiality due to increased competition also deter the researcher
from getting solid information about insurers' RM practices. However, the researcher used the
relationships developed during the industrial attachment phase to overcome this limitation.

1.11 Organization of study


Chapter one – This chapter gave the introductory phase of the research study. Included in this
chapter are the background of the study, the problem statement, research objectives and the
research questions. Other subheadings were included to ensure that the primary objective was
achieved.

Chapter two – This chapter includes the review of the existing literature on the concepts and
applications of ERM. Moreover, the gaps in the literature were highlighted and efforts were
made to channel the research towards filling the gap.

Chapter three – This chapter described the research methodology that the researcher used
towards attaining the research objectives. The researcher used questionnaires to gather data for
this research. The research philosophy and design adopted were explained in detail.
Furthermore, the justification of the sample size and research methodology adopted was
explained.

Chapter four – The data was gathered and analysed using computerized programs such as
Excel and SPSS. Graphs and tables were used to present the data, followed by in-depth analysis
of the significance of the results presented.

Chapter five – The researcher gave a review of the objectives of the research against the results
obtained in chapter three, analysed and presented in chapter four, and provided conclusions
and recommendations. Further aspects of future investigations were unveiled.

1.12 Chapter summary

The complexity of the risk environment has increased over the past years. This has therefore
forced insurance players to take a fresh look at how they manage risks. Thus the practice of
managing risks in a holistic manner has grown in importance. A robust ERM structure
systematically addresses the business risks surrounding an organization’s activities. ERM must
be wholly integrated into the culture of the organization to help organizations achieve their
objectives through effective RM. The next chapter analyses the contributions to the literature
pertaining to the subject under study.

2. CHAPTER TWO - LITERATURE REVIEW

2.1 Introduction

The purpose of this chapter was to synthesize and contextualize information. It also
encompasses the review of previous literature on ERM development, specifically focusing on
RM frameworks used as a guideline in implementation, levels of ERM maturity, challenges in
implementation and strategies used to counter these challenges. For the purpose of this study,
it is, therefore, vital to start by defining risk and analysing the risk environment.

2.2 Risk and the risk environment.

Risk is defined as the “effect of uncertainty on objectives” (ISO 31000, 2009). Several
definitions of risk have emerged, but the general idea is that risk remains an intrinsic element of
both operational activities and strategic decision making in all business and policy matters
(Acharyya & Mutenga, 2013). This, therefore, requires a deeper analysis of both internal and
external environments to ensure a sound decision-making process. It follows that risk has
become the most important factor that influences the attainment of organizational goals (Liu,
2012).

Traditionally, risks were visualized as the product of a hazard without considering the associated
opportunities and the vulnerability to that hazard (Chikomba et al., 2013). This idea came with an
acceptance that certain objects cannot be completely protected (Nyberg et al., 2014). Thus, risk
cannot be fully avoided; however, knowing and assessing it in time is a way to gain a
sustainable competitive edge (Thalita et al., 2014). As a result, how to deal with risks and how
to understand their nature has nowadays become every corporate’s first priority.

Although risks have always been integral to business operations in the last centuries, companies
have had to face several large-scale events that were once thought unlikely, such as credit and
liquidity risks and major developments in technology (Marika et al., 2013:51). Beasley et al.
(2016) concurred with this view in that the volume and complexity of risks faced by firms
today continue to evolve at a rapid pace, creating huge challenges for management and boards
in risk oversight.

The existing literature reveals that all business entities are challenged with risk in their
operations globally (Azende, 2012). Furthermore, being set to take a risk is necessary if
business growth is to occur, but what is necessary to succeed is the ability to circumvent as
much misfortune as possible through a sound ERM structure (Gwangwava et al., 2014). This is
the prime cause for the development of ERM across all sectors.

2.3 Development of Enterprise Risk Management

RM is a systematic, integrated and unceasing process composed of specific steps that can
serve as management tools for obtaining an in-depth understanding of relevant risks and effects
and for facilitating decision making (Alidoosti et al., 2012). It is worth noting that risks were
managed in silos; the process, however, developed into the management of risks in a holistic
manner. The evolution and development of the silo approach into ERM shows that the view
of enterprise risk has become a crucial component of contemporary corporate governance
reforms (Kaplan & Mikes, 2012).

2.3.1 The TRM approach

Mazviona et al. (2014) defined a silo structure as an organizational set-up whereby each
operational activity is undertaken independently and frequently so too are the risks generated
by the firm's activities. They noted that managing risks from this perspective creates
inefficiencies due to lack of coordination between the various risk departments. Furthermore,
they assert that it is a weak strategy, as it tends to focus more on the downside (risks), leaving the
upside (opportunities) out of decision making and strategy setting.

Mazviona et al. (2014) also noted that these inefficiencies drove the popularity and
hence the development of ERM. Hoyt and Liebenberg (2011) shared the same view as
Mazviona et al. (2014) in their study and cited that most companies are moving on from
TRM, where risks were managed on an individual basis without considering the correlations,
towards ERM, where a holistic view of risks is taken and overall risk exposure is assessed.

2.3.2 The ERM Approach

ERM is a relatively modern business paradigm and, as such, a number of articles, books and
journals have been published with insights and definitions of the process. The subsection below
analyses many contributions in the literature pertaining to the definitions of the ERM
approach.

2.4 ERM Approach defined

ERM is an RM philosophy which accentuates a strategic and integrated approach to managing risk
and the uncertainties from which they emerge (Baxter et al., 2012). This concern with holism is
highlighted by many theorists, including Baxter et al. (2012), Hoyt and Liebenberg (2011),
Kaplan and Mikes (2012) and McShane (2011), who defined and differentiated ERM from the
‘silo-based’ approach.

The core principle of ERM is to provide an enterprise-wide, strategically-aligned portfolio view
of an entity’s challenges that provides improved insight about how to more effectively prioritize
and manage risks to mission delivery (CFO, 2016:6). It is a common framework which is
applied by business management and other personnel to identify potential events that may
affect the enterprise, manage the associated risks and opportunities and provide reasonable
assurance that the objectives of a firm are achieved (Johnson & Johnson, 2013:8). In line with
previous definitions, MAS (2013:3) viewed ERM as the process of identifying, assessing,
measuring, monitoring, controlling and mitigating risks in respect of an enterprise as a whole.

The above definitions reflect certain fundamental concepts which involve systematic
assessments of all reasonably foreseeable and material risks that an insurer faces, including
longer-term business goals, strategies, and capital needs. Chipulu et al. (2014:2), however,
noted that in light of the prominence of COSO as a thought leader in ERM, it is of utmost
importance to define the paradigm as per COSO 2004. ERM is a process, effected by an entity’s
board of directors, management and other personnel, applied in strategy setting and across
the enterprise, designed to identify potential events that may affect the entity, and manage risk
to be within its risk appetite, to provide reasonable assurance regarding the achievement of
entity objectives (COSO, 2004).

The definition above captures key fundamental concepts on how companies and other
organizations manage risk and provides the basis for application across organizations and
industries. In summary, ERM:
• Is a continuous practice and therefore calls for monitoring and consistent review.
• Is effected by people at every level of an organization. Thus each employee is responsible
for RM, with the greater responsibility laid on the top management.
• Must be applied in strategy setting. This implies that an entity's strategic plan must clearly
outline objectives and RM solutions considering the firm's risk appetite.
• Is applied across the organization, at every level and unit, and comprises taking an entity
level portfolio view of risk.
• Is designed to identify potential events that, if they occur, will affect the entity.
• Must be able to provide reasonable assurance to an enterprise's management and the board.
• Is geared towards achievement of objectives in one or more separate but overlapping
categories (COSO, 2004) and (Marchett, 2012:26).
Furthermore, the process involves a pro-active, holistic, enterprise-wide view of all risks and
uncertainties and their related risk appetite and tolerances to ensure that they are fully aligned
with the firm's objectives and strategies.

2.4.1 The ERM Process

RIMS (2011) established an external and internal RM for evaluating risk which includes the
steps below:
• Identify where, when, why and how the business model, market, events, and operations
associated with business changes might prevent, degrade or support goals.
• Assess risks through consistent, objective and pervasive evaluation criteria of impact and
likelihood to quantify the risk level.
• Evaluate risk tolerance to define acceptable risk and opportunity levels and consider the
balance between potential benefits and drawbacks.
• Mitigate risk and exploit opportunities.
• Monitor the timeliness and effectiveness of mitigation activities by the appropriate risk
owners (RIMS, 2011).

This process, however, functions well with the support of an ERM function which might be
implemented with the guide of ERM frameworks.

2.5 ERM Frameworks

Quite a number of ERM frameworks were developed to guide entities in their implementation
and development processes. Worldwide, there are more than eighty RM frameworks from
which insurers can choose. However, some of the prominent and frequently mentioned
frameworks include the COSO ERM Integrated Framework, the Joint Australia/New
Zealand 4360 2004 Standards, ISO 31000-2009, the Casualty Actuarial Society Framework and
the International Association of Insurance Supervisors Framework (Lundqvist, 2014).

Frigo and Anderson (2014) observed that, of the most frequently mentioned and prominent
ones, the two most widely recognized frameworks are the COSO 2004 ERM Integrated Framework and
the ISO 31000:2009 RM Principles and Guidelines. The authors also stated that the wide
acceptance was caused by the fact that both were developed by internationally recognized
thought leadership (COSO) and standards setting (ISO) bodies and that, during development, each
received significant input and vetting from a wide range of RM experts and professionals.

However, even with all these bodies and experts, there is still no best practice as to what ERM is. RIMS
(2011) postulated that all the standards and frameworks are similar in that they all require the
adoption of an enterprise approach with defined accountabilities, the documentation of risks in
the analysis and monitoring treatment plans.

2.5.1 COSO: 1992, 2004 and 2013 ERM – Integrated Approach

The COSO ERM framework gained wide recognition but, to some extent unfortunately, it was
published at the same time as the Sarbanes-Oxley Act of 2002 (SOX); as such, most companies
were overwhelmed with the SOX implementation and, due to limited resources, very little
attention was paid to the COSO ERM framework (Goran et al., 2013). Despite the facts
stated by the scholar above, the COSO 2004 ERM framework is one of the most cited and
debated frameworks (Beasley et al., 2010). It happens to be the most used internal control
framework (FERMA/ECIIA, 2010:15). Beasley (2010), however, postulated that the
framework is often used but not necessarily understood by most leading ERM users and in
most cases is considered an overly theoretical framework.

The ERM Framework (2004) is clearly dissimilar from the Internal Control Framework (1992)
and is visualized as a more robust conceptualization of the risk approach than its predecessor, as it
encompasses the strategic as a fourth ERM objective (Keith, 2014). For that reason, much
emphasis and discussion will be placed on the 2004 framework. The COSO (2004) framework
provides a three-faced cube showing how ERM is to be integrated into the organization. The
framework is geared to achieve organizational objectives set forth in four categories,
represented across the top face of the visual cube, which are:

• Strategic – high-level goals, aligned with and supporting its mission
• Operations – effective and efficient use of its resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and regulations (COSO, 2004).

The above classification of a firm's objectives allows a focus on separate aspects of ERM.
The objectives are distinct; however, the categories overlap. Nevertheless, this
categorization allows distinctions between what can be expected from each category of
objectives and hence provides reasonable assurance that the board, in its risk oversight role, is
made aware, in a timely manner, of the degree to which the entity is moving towards the
achievement of the objectives.

On the front face of the cube are the eight interrelated ERM components, which are expanded into
twenty-six related topics and 123 elements which all work together to maximize
shareholder value. The COSO (2004) components were translated into relevant basic ERM
elements (Ciorciari & Blattner, 2008), which are:
• Internal environment- This component encompasses the RM philosophy, corporate
governance, risk, responsibility, competence, integrity and ethical values.
• Objective setting- Objectives must align with the company's mission, and be consistent
with the firm’s risk appetite and tolerance. It also encompasses strategy
formulation, strategy implementation, and strategy effectiveness.
• Event identification- This involves the external and internal events that affect the
achievement of the company’s objectives and the business.
• Risk assessment- This main topic is translated into the event characteristics,
assessment metrics, and the assessment mode in order to determine how risks can be
analysed.
• Risk response- It relates to risk mitigation strategies, which include avoiding,
accepting, reducing, or sharing risk and the assessment of residual risk.
• Control activities- This involves control basis, controls over objectives, controls over
processes and controls over information processing.
• Information and communication- Relevant information on objectives must be
identified, captured and communicated to the entity to ensure the best information
quality and information management.
• Monitoring- Risks must be monitored, and responses modified accordingly.

The right face of the visual cube contains the Subsidiary, Business Unit, Division, and Entity
Level, demonstrating the need for all levels of an entity to be a part of the program. This calls
for the demolition of silos in favour of managing risks in a holistic manner; for example, in the insurance
industry, this means taking the risks from the underwriting, claims, marketing and
finance functions together and then managing the residual risks.

Leech (2012), however, notes that the COSO 2004 framework does have some deficiencies, as
it did not treat communicating objectives as part of an integrated control framework.
Consequently, in 2013, in a continued spirit of improvement, the committee released
an updated version aimed at improving the original framework and ensuring its continued
relevance to the modern industry. It developed principles within each of the five fundamental
components (control environment, risk assessment, control activities, information and
communication, and monitoring activities) to diagnose issues more quickly and efficiently,
assert effectiveness regarding internal controls and help to avoid material weaknesses across
an entity (Mcnally, 2013). Fig 2.1 below shows how the COSO Framework
has changed over the past years (evolution of the COSO ERM “Rubik” cube, 1992–2004–2013).

Figure 2.1: COSO ERM Evolution

Source: (COSO, 1992, 2004, 2013)

Bonisch (2012) asserts that the 2013 COSO Framework signifies idealistic assumptions about
the depth of insight that experts and academics seek.

COSO ERM Framework Deficiencies

Bonisch (2012) noted that, notwithstanding its successive revisions, questions have continued to
be raised as to its methodological robustness and whether it rests on an outdated linear
representation of control. One of its alleged material weaknesses is that it fails to address the
blend of various attributes that operate simultaneously (The Internal Auditor, 2013). This led
to the prominence of its main competitor, ISO 31000:2009.

2.5.2 ISO 31000:2009

One of the main ERM frameworks competing with the widely recognized COSO ERM
Framework is ISO 31000:2009, which offers a set of standard operating principles and
implementation guidelines. The ISO is one of the world's largest developers of standards and
its ISO 31000 of 2009 framework can be classified as principle-based rather than prescriptive
(Keith, 2014). However, many critics claim that it is a state-of-the-art framework that
incorporates all the best principles contained in COSO, Project Management Institute (PMI),
the Australian and New Zealand Standard (AS/NZS 4360:2004), and all the other leading
international standards (Shortreed, 2010:99). Njagi (2015) notes that the standard puts the
emphasis squarely on RM as a strategic discipline for making risk-adjusted decisions, rather
than a compliance-based function. RIMS (2011) notes that ISO 31000 is a universal standard
that can be tailored to the specific needs and structures of an entity. This means that the standard
is not specific to any industry or entity.

The concept of ISO 31000:2009 is that RM is well integrated into the corporate decision-making
process (Shortreed, 2010). This architecture comprises a set of RM principles and
guidelines for the establishment of the risk framework, and finally for guiding the establishment
of the RM process (Njagi, 2015). ISO (2009) postulated that the principles provide a pragmatic
conceptual foundation for the rest of the standard. The latter argues that the approach to RM
ought to be an integral part of an entity's processes, particularly the business decision-making
process, and should be tailored to its environment to create and protect shareholder value.
All corporates can relate to the principles set out in Fig 2.2 below, but in most cases they must be
tailored to meet the unique needs of the entity before implementation.

Figure 2.2: The ISO 31000:2009 Framework.

Source: (Shortreed, 2010).


Fig 2.2 above depicts that the approach should not only be structured, systematic and iterative; it
should also be dynamic, responsive and inclusive to deal with uncertainties that threaten the
organization's success (ISO 31000, 2009). Furthermore, ISO (2009) postulated that the RM
process starts by establishing the firm's internal and external setting, followed by carrying out
the risk assessment process, which involves risk identification, risk analysis and risk evaluation,
and then implementing risk treatment plans. The risk treatment phase determines how potential
opportunities and negative risk consequences are handled. The results and plans implemented
must also be monitored, reviewed and communicated, and wherever the need arises consultations
must be made with various RM stakeholders to maximise shareholder value.

ISO 31000 Framework deficiencies

ISO 31000 fails to stress the need to start risk assessments with clear and well-defined
objectives, and moreover to maintain a dynamic alignment of the identified risks with the
objectives in line with the company's risk appetite (Leech, 2012). As it stands, ISO 31000:2009
lacks a clear connection with the firm's set objectives and hence fails to address the impact of
unclear objectives (Keith, 2014). In practice, this constitutes a fundamental flaw of ERM
and means that risks indicated on the risk registers and reported to the top management and the
board of directors may not be directly linked to specific objectives (Leech, 2012).

The COSO (2004) and ISO 31000 (2009) demonstrate certain similarities in enterprise-wide
consistency and a rejection of the one-size-fits-all silo approach, but the generic attributes of
the ISO framework can be challenging to entities, because defining a specific ERM framework
may require a sizable investment in both time and money (Keith, 2014). However, unlike the
COSO framework, ISO 31000:2009 provides a detailed framework and hence is tailored to
provide the information that businesses need to develop an ERM program (ISO 31000, 2009).
Similar to other frameworks discussed below, the frameworks require proper RM efforts to
acquire higher benefits.

2.5.3 BS 31100: 2008, Code of Practice for RM

This practice provides the basis for understanding, developing, implementing and monitoring
proportionate and effective RM issues throughout an organization, in order to enhance the
probability of achieving objectives (BS, 2008). It establishes the principles and terminology
for RM and gives references for implementation and development which are derived from
experience and good practice. It is applicable to any entity at any level, limited to the risk oversight
role; however, organizations must tailor it to meet their particular needs (Njagi, 2015).

2.5.4 OCEG Red Book 2.0:2009. A GRC model

The model provides a guide for implementing and managing a GRC system or an aspect of that
system (Racz et al., 2011). These principles or guides can be applied to a range of situations,
from small insurers to big industry trendsetters. Njagi (2015) noted that the Red Book has
been upgraded to four components, which are learning about the organizational context, culture,
and key stakeholders to inform objectives, strategy, and actions, and aligning strategy with
objectives. Njagi (2015) also asserted that the upgrade enhances an effective decision-making
approach that reports the values, opportunities, threats and requirements to ensure that
organizational objectives are met.

Figure 2.3: A GRC model

Source: (Moeller, 2011)

The model above helps entities to grow in the best possible way, and these principles need to
be integrated into one another. Notably, as noted, the model was upgraded to contain four
basic principles, which are Strategy, Processes, People and Technology. These components are
necessary for the framework to work, but need to be integrated into one another.
Furthermore, to build an efficient ERM program through the GRC model, five architectural
principles, which are simplicity, effectiveness, alignment, accountability and consistency, must
be adhered to (Caldwell, 2012).

Kerstin et al. (2014) asserted that only a third of firms managed to integrate the strategy
into their GRC framework, leaving only 37% of all organisations researched to have
understood the value and service of the GRC model and implemented it. Furthermore, the
authors revealed that many organizations are not capable of employing an integrated framework
and still handle the three silos separately.

In light of the above frameworks, which can be used as a guide for ERM implementation and
development, ERM maturity can be categorized in phases or levels depending on the best
current practices employed by an entity (Ciorciari & Blattner, 2008). The subsection below
describes in detail the levels of ERM maturity.

2.6. Levels of ERM Maturity

ERM is a complex process and hence COSO 2004 developed a five-stage ERMMM to be
used by entities in benchmarking their progress in ERM development. Maturity models offer
organizations a simple but effective method to measure the quality of their program (Wendler,
2012). In the context of risk, there are a number of ERMMMs which act as useful tools for
gaining knowledge about the business's current RM practices and therefore provide room for
further improvements.

Bearing in mind the importance of an organization's ERMM assessment, several studies
pertinent to the development of the program have been carried out (Budi et al., 2014). These
maturity models provide specific benchmarking guidance on identifying the weakest maturity
points by rating the ERM components and/or major principles of an entity. Organizations
wishing to implement a robust ERM, or to develop the existing one, need a better operational
framework to appreciate the nature of risk and the requisite capability maturity, and against which
to benchmark their current practices (Ren et al., 2014). Several conceptual frameworks have
been developed as guidelines for evaluating the level of ERM adoption and maturity. The
subsection below discusses the framework that was used as a guide in this research study.

2.6.1 The ERMMM- Conceptual framework

Theories are formulated to explicate, and are used by researchers to understand, a given
phenomenon and, in many circumstances, to extend existing knowledge within the limits of
the critical boundaries provided. A conceptual framework is an analytical tool with various
variations and contexts. In other words, it is a structure that can hold or support a theory of the
research under study. Ciorciari and Blattner (2008) developed a maturity model to
evaluate the current RM standpoint of an entity using the COSO 2004 ERM components. Each of
the above eight components contributes equally to the overall ERM maturity level. The
components were later subdivided into twenty-six topics and expanded to one hundred and
twenty-three elements, which result in the categorization of risk maturity levels.

Figure 2.4: ERM components (evaluation principles and evaluation topics)

Source: (Ciorciari & Blattner, 2008).


The COSO 2004 ERM framework components provided in Fig 2.4 were explained in detail earlier
in this research. In summary, the components are integrated and evaluated, and finally used to
categorise the maturity level of an entity or an industry. Fig 2.5 below presents in summary
the ERM maturity levels suggested in the literature.

Figure 2.5: ERM Maturity scale

Source: (Ciorciari & Blattner, 2008).

The above maturity scale summarizes the practices of an entity's ERM structure, bearing in
mind the nature of all eight components. In order, level 1, which is very
weak, marks the introductory phase and therefore shares similarities with a silo approach, and
level 5, which is the optimised stage, marks the highest level of maturity. The subsections
below analyse the specifications of each ERM maturity level, taking into consideration
other contributions from the literature.

2.6.1 ERM Maturity Level 1- Very Poor

Level 1 in this study refers to a very poor state, reflecting the lowest level of ERM maturity.
Ciorciari & Blattner (2008) noted that this level is associated with very low formalization,
no available documentation and no communication. Hillson (2002) concurs with
the view of Maria in that at level 1 there is no risk awareness, no upper management
involvement and there is resistance or reluctance to change. Budi et al. (2014) shared the same
view as the previous researchers, but used a set of dimensions encompassing
objective setting, risk identification, risk assessment and risk response experiences, and
noted that there are lower levels of RM process institutionalization within the larger business
processes. Budi et al. (2014) analysed all the dimensions, including monitoring and control
activities, and concluded that at this level there is no structured application, no dedicated
resources, no RM tools in use and no risk analysis performed.

The Internal Auditor (2013) developed an RM Maturity Assessment Toolkit, which is based on
the principles and guidelines from several ERM frameworks, and named this level inconsistent.
They share the view of the previous researchers that there is no or minimal
awareness of the importance of RM and there are no processes in place across the entity. RM
issues are usually left to the individual and performed on an ad hoc basis. They concluded that
RM is more reactive than proactive, representing a silo-based approach.

From the above researchers it can be deduced that at this level there are no documented ERM
processes and policies, and the firm attempts to manage risks on a silo-based approach. This
further requires massive efforts from the internal personnel to develop the structure to realise
ERM benefits. However, an improvement in these practices might result in the firm being rated
or categorized in level two.

2.6.2 ERM Maturity Level 2- Poor

Ciorciari & Blattner (2008) asserted that this level is characterised by informally regulated
ERM practices which are defined, while no ERM training and no communication is carried out, and
named it poor. The Audit Office (2013) observed and agreed with some researchers in that at
this level there is organisational awareness of the importance of RM and some formal
processes will be in place, but only for a few risks and inconsistently across each business unit,
representing a limited standardisation of RM processes.

Hillson (2002) stated that at this level the ERM process may be viewed as additional overhead
with variable benefits, and the board and top management encourage but do not require the use
of RM. There will still be an element of the one-size-fits-all silo approach. Hillson (2002) also
observed that the process dimension, which includes objective setting, event identification,
assessment and response, lacks generic formal processes, although some specific formal
methods may be applicable.

From the above, it can be deduced that at this level there is inconsistent application of resources
and qualitative risk analysis. Further, the ERM program in place might have been defined but
lacks the risk culture and risk philosophy across the organization, caused by poor training
and communication. At this level, an entity might not fully experience the benefits of ERM, as
some features of a silo approach still exist.

2.6.3 ERM Maturity Level 3- Mid

Ciorciari & Blattner (2008) indicated that at this level the ERM practices are standardized,
principles are defined and documented and basic training is carried out to aid proper RM culture
and communication. The Audit Office (2013) concurred with Maria's views, as they noted that
at this level the ERM framework exists covering all major risks, standardised RM
principles are defined and documented and basic training is conducted. Hillson (2002) named
this level Risk Normalised and noted that there is an accepted policy for RM philosophy, ERM
benefits are recognized and expected, top or senior management requires risk reporting, there
are dedicated resources for RM, and finally there is a common RM language. Moreover, the
generic processes are applied to most business units, formal RM processes are incorporated
into a quality system, and active allocation and management of risk budgets take place at all levels.

This level represents a better or improved ERM process. Moreover, consistent RM processes
with communication and accountability exist throughout the business, but not all processes
have been fully implemented. This implies that the organization is expected to have an in-house
core of expertise, formally trained in basic ERM skills and in the development and use of specific
processes and monitoring and risk control tools. Most organizations' ERM falls in this level.

2.6.4 ERM Maturity Level 4- Good

Ciorciari & Blattner (2008) indicated that at this level RM practices are supervised, there is
regular evaluation and refining of the process, the RM monitoring and control activities are
used with consistent feedback for improvement, and principles are carried out and their observance is
verified and regularly improved. At this level, ERM is fully implemented across the business,
consistently applied and used in decision making (The Internal Auditor, 2013).

Hillson (2002), however, in view of the improved practices, named this level Risk Natural and
indicated that there is a top-down commitment to RM, upper management uses risk information
in decision making and proactive RM is encouraged and rewarded. The author also indicated
that there is learning from experience as part of the process, and training is done regularly to
enhance skills and RM culture for better performance. In summary, RM processes at this level
are measured, evaluated and fed back into continuous improvement, which implies a proactive
approach to managing risks.

2.6.5 ERM Maturity Level 5- Optimised

Ciorciari & Blattner (2008) proposed that this is the highest maturity level, which implies that
the process is optimized, that is, the RM principles and processes are integrated with the
management process. The Audit Office (2013) also named this level optimised and concurred
with Maria's views in that RM is fully addressed and embedded into day-to-day management.
The authors believed that at this level RM is used as a key value driver supporting decision
making and the pursuit of opportunities, risks are proactively identified and monitored through
KRIs, and predictive risk analytics processes are used for all major risk types.

At this level, there is an alignment between project and business objectives, and the board and
top management ensure that business risks and objectives are seriously considered and
understood by employees at all levels (Ren et al., 2014). Moreover, there is a comprehensive
RM plan with both qualitative and quantitative measures for event identification, risk
assessment and response (Ren et al., 2014). The above literature implies that opportunities and
risks are well understood across the organization and employees take responsibility for the risks
that fall within their risk limits.

RIMS (2011) noted that most entities still have a distance to go before their ERM programs
are fully optimized. In their study, very few respondents characterized their programs as fully
mature, with more than half of the respondents saying their programs were at initial stages.
Several firms have been rated across the globe; however, few or no studies have been
conducted in the Zimbabwean insurance industry to assess the ERM maturity level.

2.7 Review of Empirical Research

This subsection assesses the empirical findings on the current state of ERM maturity as
evidenced by a survey of academic research. Much emphasis was placed on the insurance
industry. Furthermore, due to the limited research conducted in the insurance industry,
the review was extended to incorporate the financial services sector. Moreover, references were
made to industries on a global scale and to some specific countries where ERM is said to be
developed.

2.7.1 Empirical Research Studies analysis

Saudah (2014) used a questionnaire survey targeting 300 listed companies on the Australian
Securities Exchange and noted that despite the recent emphasis given to RM by the Australian
Securities Exchange (ASX), there is scant empirical evidence on ERM implementation across
the continent. In a bid to fill this gap, some studies were conducted on an international scale.
Beasley et al. (2016), in their series of surveys from 2009 on the state of risk oversight, found
that only 24% of their study respondents (covering main parts of Europe) have an ERM
process in place. However, only 12% without ERM processes indicated that they are currently
investigating the concept, but have made no decisions to implement the approach.

Figure 2.6: Current ERM status

Source: (Beasley et al., 2016)

Beasley et al. (2016) postulated that there is an increase in the implementation and adoption of
ERM, represented by an increase from 2009 through 2012 with a levelling off for the subsequent
three years in the percentage (25%) of entities that claim they have a mature ERM process in
place. The authors believe that there continues to be a noteworthy opportunity for ERM
development in most corporates, given the lower percentage of implementation. However, the
study mainly focused on whether firms had implemented ERM or not, without taking into
consideration the level of maturity among the organizations that claim to have ERM in place.

Njagi (2015) also conducted a survey to evaluate the level of ERM adoption and maturity in
Kenya with a descriptive research study. She conducted a survey of the 49 insurance companies
with a sample of 196 respondents from a population of 245 respondents to encapsulate the
ERM frameworks in use and the level of maturity. From the study, it was concluded that the
current level of ERM is at level 3, Risk Normalised or mid. However, the recommended level
of ERM practices is Level 5, where the practices are said to be optimized.

Similar studies were conducted in Zimbabwe to assess the current RM practices. Mazviona et
al. (2014) carried out a study to examine the current RM practices in the short-term insurance
industry by investigating the RM culture, risk control, and extreme event management. The
authors used a closed questionnaire survey structured on a five-point Likert scale and
distributed eighty-six questionnaires to the industry. The findings from their study revealed that
there is poor RM culture and the RM practices are not adequate. From the above studies, it can
be deduced that the ERM practices are still weak in the industry, though the participants are
jockeying and manoeuvring for the paltry industry stake.

Gwangwava et al. (2014) also conducted exploratory and descriptive research to assess the
level of RM practices in Zimbabwe. They used both open-ended and closed questionnaires.
The findings from their study revealed that 90% of enterprises, including the small to medium
enterprises, have a poor knowledge of RM. They concluded that the majority of entities have
no RM strategies in place to address RM issues.

2.7.2 Empirical research conclusions

Despite the increasing importance of ERM as a panacea for all corporate risk and its core
benefit of enhancing and preserving shareholder value, research on the ERM maturity level
has drawn little attention. The findings from the empirical research revealed that the
current ERM maturity level is still rudimentary, ranging from very poor to mid, with the
Zimbabwean industry's level of maturity unknown. This is due to the fact that the ERM efforts
are hindered by several challenges following the economic challenges that the nation is facing.
The following subsection presents the gaps in the literature.

2.7.3 Research gap

The academic literature on ERM has mainly focused on the analysis of the drivers of ERM adoption
and its effects on firm performance. Until now, no studies have been conducted in the
Zimbabwean insurance industry to evaluate the maturity of ERM programs. The aim of this
study, therefore, is to fill this gap in the literature. The researcher reviewed some
recommendations which were made globally on the evaluation of the ERM maturity scale. Ghosh
(2015) conducted an empirical investigation of ERM in India and further asserts that future
research must focus on developing a maturity model and on assessing the level of ERM
implementation in companies. However, few studies have been carried out to assess the level
of maturity using different ERM maturity models in the developed world and some parts of
Africa, Kenya and Nigeria to mention a few. This is caused by several challenges that insurers
are facing globally.

2.8 Challenges in Implementation of ERM

The challenges associated with both ERM implementation and development have gradually
become one of the most significant and commonly researched aspects of the ERM arena.
Bharatany and McShane (2014) noted that many firms are attempting to implement ERM, and
some are in the process of developing it, as the new holistic organizing principle to deal with
enterprise risks resulting from a vigorous risk environment characterized by complex issues
such as rapid changes in information technologies and the explosion of globalization. This
subsection discusses the challenges that insurers face in a bid to implement and develop ERM.

2.8.1 Challenges in general

The major decision, and hence challenge, that many insurers face is the selection of an
appropriate risk framework and its implementation in the organisation. Every framework has
its own advantages and deficiencies, as suggested by the literature, but blending
and implanting the process efficiently maximizes the benefits of ERM. Related to the challenge
above, technology is important as well. Several RM packages use a
methodology that is not specifically based on the framework, which causes deficiencies that can
lead to difficulties (Kerstin et al., 2014). Technology should be built around the methodology
and used in several ways. Another challenge is related to the integration of the personnel into
the ERM system (Deloitte, 2012). If personnel are not well trained and motivated, the entire
implementation exercise could fail. Further detailed challenges faced by insurers are
explained below.

2.8.2 Ambiguity in roles and responsibilities in RM

Establishing lines of responsibility for risk and defining the necessary structures to support
those responsibilities is a challenging task (Deloitte, 2012). Employees are expected to know their
risk limits and set responsibilities in an organization. However, in most instances,
employees are unaware of what they are supposed to do concerning risk; hence the lack of
clarity of risk roles remains the prime cause of the ambiguities (Deloitte, 2012).

The role of the board in ERM oversight has become increasingly challenging as anticipations
for board engagement are at all times high (COSO, 2004). It is of paramount importance to
note that failure of the board to effectively define the lines of responsibility can nurture RM
failure. COSO (2004) postulates that an entity's board of directors plays a critical role in controlling
an ERM process. This implies that the top management, with help from the board, must
draw the lines of risk limits to avoid ambiguities in roles and responsibilities.

2.8.3 Lack of embodiment of ERM in organizational culture

A risk-aware culture is essential to ensure that the ERM process becomes long-standing
within the organization (Kerstin et al., 2014). The HBR (2011) report stated that most entities still
have a long way to go to embed a truly successful ERM culture that focuses on achieving
sustainable and profitable business growth. In their survey, just one-third of all respondents felt
they were doing well at any of the six RM capabilities which are listed as those critical to
organizational performance, including: linking risk information to strategic decision making,
that is, matching the firm's risk appetite with the set objectives; embedding a risk-aware culture
at all levels; embedding RM practices and responsibilities within strategy and operations;
ensuring that all decisions remain within the organization's risk tolerance; and driving risk
mitigation activities.

Deloitte (2012), in their survey, also found that the misalignment of the risk and business
operating models, the lack of vision to focus on the most critical risks and weakness in risk
culture bring about challenges to effective ERM implementation and development.
Organizations which lack a strong risk culture may find themselves operating against their own
developed policies, resulting in the inability to reach their goals and (IRM, 2012). ERM culture
shows a lack of strength when decisions are not set with the alignment of organizational
policies and the desired risk profile (Brooks, 2010).

This implies that competing interests in an organization can ruin the consistency needed for
developing a sustainable risk culture. Many organizations suffer as a result of the greed of
management, who, rather than placing the needs of the shareholders or policyholders at the
forefront, focus on their private benefits (Sweeting, 2011). Therefore, the embodiment of the risk
management culture will reduce the level of the agency problem and hence place the focus on
maximising shareholder value.

2.8.4 Inadequate information to make risk-based decisions

Paape and Speklè (2012) postulated that in configuring ERM systems, organizations need to
face numerous design choices. Kerstin et al. (2014) believe that selecting an appropriate ERM
framework, and the tools and technology used in the implementation and development, poses a big
challenge. Management must decide the best fit for their entities from a list of the frameworks.
Furthermore, the process from event identification to monitoring all corporate risks presents many
challenges (Kerstin et al., 2014). Paape and Speklè (2012) concurred with these views and
indicated that organizations need to address the question of the frequency of risk
identification and analysis, as it poses major challenges, and therefore need to determine the
number of management levels to include in the risk appraisal exercise, that is, whether to
centralise risk assessment at the senior management level or to include the middle management
level.

COSO (2004) reported that among the most critical management challenges is the
determination of the risk appetite and risk tolerance as it strives to maximise shareholder
value. This duty requires risk information, coordination among all departments and managerial
support to ensure that the standard risk appetite statement is drawn (Mottaghi et al., 2012).
From the above, it can be deduced that obtaining information to make informed risk decisions poses a
major challenge for ERM development.

2.8.5 Lack of managerial support and clear ERM guideline

Several studies have indicated that managerial support and the appointment of a CRO are the
most significant aspects affecting the implementation and development of ERM. Desender
(2007), however, offers a different perspective in that the board of directors and the
separation of the CEO and chairman roles are important in determining the characteristics of
ERM. This automatically calls for unity between the board and the top management in RM
issues to support all the departments on the floor.

It is a critical aspect of managerial responsibility to ensure that the risk appetite statement is
drawn and limits are set as it can impose destructive impacts on business performance (Pagach
& Warr, 2011). For that cause, strong governance and managerial support are very important
aspects of ERM sustainability. Furthermore the management is directly involved in the crafting
of budgets and strategy formulation, so the support from the management enables the flexibility
in RM resources.

2.8.6 Time and cost required in developing ERM

Bharatany and McShane (2014) articulated that firms attempting to implement ERM are
struggling to make changes in their RM philosophy. This implies that an organization must
understand the impact of determining higher and lower risk tolerance levels for certain set
objectives and as such all employees must understand their risk limits. This means that there is
a need for a proper RM philosophy, communication, and training for all employees to ensure
an effective ERM program. However, finding the right approach to drawing up a risk appetite
statement, training all employees and setting up an ERM system is a challenging task.

COSO (2004) also indicated that the ERM approach is the task of every single employee within
an organization, as such it requires the development of a risk framework, enterprise value
model and strategic planning, the embodiment of RM in organizational culture, internal audit
and ERM function, the evolving role of a CRO and senior management buy-in and sponsorship
of the integrated ethical RM from the CEO (Elena & Patrick, 2010). This implies that there
will be a huge capital base required.

From the above, it can be concluded that the process of ERM is very expensive and time-
consuming and in most instances it is very likely that large firms are associated with ERM
implementation. Furthermore bearing in mind the Zimbabwean case, the aftermath of the
effects of the post dollarization era has in many instances undercapitalised the insurance
industry and other players in the financial service sector. Therefore large corporates with excess
capacity and financial muscle to employ or outsource ERM experts are likely to employ ERM.

2.8.7 Lack of understanding of ERM benefits

Because the concept of ERM is relatively new to the Zimbabwean insurance
industry, it is perhaps natural that it has no universal and widely accepted definition. An array
of numerous definitions of ERM may cause some level of confusion as to what it means in
practice (Njagi, 2015). Each definition is related to a particular set of objectives, strategies and
implementation plans. Organizations struggle to understand ERM and its benefits, yet this
understanding is the starting point for implementation. This inadequate level of understanding
of the right definition of ERM and of how to implement it successfully in order to sustain its
benefits in the long term is one of the first challenges facing financial organizations (Locklear, 2012).

Grobstein (2010:3) noted that "the task is not to get it right but to get it less wrong, not to
disprove existing understandings but to recognize their context-dependence, not to discover
what is, but to construct from conflicting understandings previously unconceived alternative
understandings." It, therefore, suffices to note that organizations across the industry lack the
knowledge about the ERM program. However, the process of finding the solutions or the
strategies to counter these challenges cannot be overemphasized. The subsection below
assesses the proposed strategies to ensure an effective, robust ERM program.

2.9 Strategies in Implementing Enterprise Risk Management

As the risk environment became more complex, the global downturn has further underlined the
importance of efficient ERM implementation and development and, above all, of overcoming the
challenges associated with the process (Keith, 2014). The development of ERM processes is
highly sophisticated and requires certain strategies as it involves configuring company ERM
systems (Kerstin et al., 2014). In general, firms need to focus their efforts on appreciating more
of the value of existing ERM elements, prioritizing the RM role and driving it further into a
holistic system (Elena & Patrick, 2010). Below are some of the strategies which might be used to
ensure a robust framework.

2.9.1 Build a strong risk culture within the organization

Risk culture involves the values, norms, and behaviours shared by staff, which govern how
they conduct daily operations in relation to the enterprise risks (Abrahim et al., 2012). It, therefore,
influences many aspects which include the execution of the goals, the risk management
philosophy, and the risk language. COSO (2004) emphasized the importance of culture
by considering the internal environment as the basis for a correct functioning of the control
system. Organizations which have a poor risk culture may operate against their own policies,
resulting in the inability to reach their objectives (IRM, 2012). A proper risk culture
may be attained by having consistency in risk decision making, the existing policies and the
desired risk profile.

Arthur (2013) claims that ERM is not a discrete area of business management that can be
packaged mainly into a single role as it requires a risk-aware culture and the ability of all
employees to understand and proactively manage business risks in their day to day work.
Further, this requires employee engagement in the implementation stage to develop the
common risk language. Strong risk culture also involves the ability to analyse and redesign the
performance management system; compensation, benefits and rewards system; organizational
structure and the leadership system (Harold, 2014). The systems highlighted above shape the
corporate culture by having standard practices, for example, in penalizing or rewarding
employees.

Mazviona et al. (2014) also noted that the absence of a supportive risk management culture
will undermine even the most sophisticated ERM structure. Therefore it is worth noting that all
personnel at every level should be aware of and have a knowledge of risk management practices.
This ensures the development of a common risk language and therefore makes it easy
to set clear roles and responsibilities in an entity because each and every one will know
what is expected from them. From the above discussions, it can be deduced that management
must ensure that a common risk language is created across the organization to ensure a strong
risk culture.

2.9.2 Board of Directors and top management commitment

Most ERM researchers have proved that ERM is the answer for all the corporate risks;
however, successful implementation and development requires the commitment of the top
management and board and training for all employees at all levels (Shenkir & Walker, 2011).
Moreover, responsibility for guaranteeing that RM is embedded into all processes and activities
rests firmly with the Board with the support of the top management (AIRMIC, ALARM, and
IRM, 2010).

The need to improve RM practices is universal and there have to be notable improvements in
the ERM process, such as a significant increase in the amount of time allocated to
discussions of risk management issues in Board sessions and the establishment of specialized Risk
Committees to aid the efficient flow of information and risk oversight (IIF, 2009). This implies
that the Board must demand focused reports on risk issues from the top management to ensure
clear articulation of firms’ risk appetites and engage in monitoring and control activities.
Ensuring the reliability of these monitoring and control systems requires that the board
instigate appropriate systems of oversight and also specify the lines of responsibility and
accountability for risk (OCEG, 2009). This requires high levels of commitment from the top
management and the board of directors as it requires some strategic decisions to be made.

COSO (2004) indicated that employees have some responsibility for ERM but the chief
executive officer or the CRO is ultimately responsible for the program. In summary, the success
of an ERM program rests on the shoulders of the board and the top management; however,
the CRO is ultimately responsible for the program.

2.9.3 Appointment of a CRO

The presence of a CRO is the most common practice that reflects a mature and more optimised
ERM function. Kleffner, Lee and McGannon (2003) asserted that 61% of companies surveyed
mentioned the influence of the CRO as a key factor for driving and facilitating an efficient ERM
process. In addition, the employment of a CRO proves a formal ERM program and therefore
provides quality and skills to promote ERM (Hussin & Yazid, 2010). However, some
researchers do not show a positive relationship between ERM benefits and hiring a CRO.

The CRO is ultimately responsible for the risk oversight and the coordination of ERM
activities. The appointment of a CRO is a valuable way of making sure that RM is suitably
integrated into the business strategy and generates as well as preserves the real value of an
organization (Harold, 2014). However, the effectiveness of the CRO is dependent on the power
granted to the position to contribute to and influence both strategic and operational decisions
(Deloitte, 2012). Responsibilities of the CRO function are divided into an advisory role,
involving the facilitation of the process and recommendations, and approval, with priority in
the area of facilitation and recommendation (Elena & Patrick, 2010). However, it is of
paramount importance to establish an effective reporting line for the CROs to ensure
effective governance of ERM. This also requires a separate ERM function to ensure an
effective flow of information.

2.9.4 Building a dedicated ERM function or department

Beasley et al. (2016) asserted that an emerging good practice for an efficient ERM function is
the creation of a multidisciplinary risk committee and a dedicated risk function which can be
located at the top of the ERM function and be led by the CRO. This, however, does not depend
on whether risk is centralized or decentralized, which in turn depends on the organizational
structure of the company.

Leadership is needed to ensure that risks are identified, assessed and monitored consistently
across the organization. Management must be central in shaping the managerial usefulness of
ERM (Michela & Irvine, 2014). This requires a separate function to ensure that supervision at
all levels is carried out. Vladimir (2012) believes that a strong ERM function reduces the
likelihood of the following key failures in ERM: failure to identify strategic risk; failure to
properly assess risk frequency and severity; failure to evaluate the ability and cost of
mitigation; and, most importantly, failure to act.

An ERM function will govern how risks are to be assessed frequently in order to prioritize risks
in accordance with the frequency and severity for senior executive and board oversight. This
move will therefore ensure the management of risks in a holistic manner and therefore the
breakdown of silos. This requires the development of a risk appetite statement to identify
certain risk limits and tolerance.

2.9.5 Developing a risk appetite statement

Risk appetite is the amount of risk an entity is willing to take entirely and is a reflection of the
entity's RM (COSO, 2004). Risk tolerance and risk appetite have in many instances been used
interchangeably; however, they mean two totally different things. Rittenberg and Martens
(2012) defined the risk appetite as an effective way to communicate, across a firm, a sense of
acceptable risks, and it provides a basis for evaluating and monitoring the quantity of risk an
organization faces. Developing a risk appetite statement is the starting point of an
organization's commitment to an effective ERM program (Rittenberg & Martens, 2012).
Notably, as alluded to before, there is no standard risk appetite that applies to all organizations,
for all firms set different objectives and as such risk appetite is diversified.

Kerstin et al. (2014) noted that there are three different approaches to coming up with
effective risk appetite statements, which are to:
• Create an overall risk appetite statement which is broad, and descriptive enough for
organizational units to manage their risks within.
• Communicate risk appetite for each material class of corporate objectives.
• Review the statement continuously as the environment is always dynamic.

Notably, as alluded to above, the risk appetite needs to be reviewed continuously as the
environment is dynamic to some extent. The whole process of creating, evaluating and
monitoring is summarised diagrammatically below:

Figure 2.7: Risk appetite process.

Source: (Rittenberg & Martens, 2012).

From the above subsection it can be deduced that the process of developing a firm risk appetite
statement calls for other main elements of a proper ERM structure which includes the proper
risk management culture and information and communication. Furthermore it suffices to note,
therefore, that a risk appetite and tolerance statement should be set to ensure that the objectives
are set in line with the corporate risk limits.

2.10 Chapter Summary

The objective of this chapter was to gain insight into the ERM frameworks in use, the
ERM maturity level, the challenges faced and strategies for effective ERM implementation.
Previous studies have indicated that ERM is relatively immature though there are plenty of
frameworks which might be used as guidelines for implementation, with the level of maturity
ranging from poor to mid across the globe. However, little is known about the ERM maturity
level in the Zimbabwean insurance industry. The evidence reviewed shows that there are many
challenges which the industry is facing and hence there is a need for proper strategies to ensure
a robust ERM function. The review of the literature provided a background for the
establishment of the next chapter on research methodology.

3. CHAPTER THREE- RESEARCH METHODOLOGY

3.1 Introduction

Embracing an appropriate research methodology aids in the gathering of data from the
respective population sets. Thus, identifying the appropriate methodology is of vital
importance not only to guarantee that the research objectives are met but also to establish a
comprehensive study. This chapter therefore describes and justifies the research methodology
adopted to explore the research questions addressed in chapter one. The population size and
sample size defined within boundaries and the methodologies used have been discussed.
Further, the data analysis methods are presented and the conclusion is drawn in the last section.

3.2 Research philosophy

Having scrutinized numerous theoretical contributions to the literature, this sub-section
discusses the research philosophy. Research philosophy relates to the development of
knowledge, the nature of that knowledge and contains important assumptions about the way in
which researchers view the business world (Mugenda, 2008). The concept of research
philosophy is subdivided into two paradigms which are essential to social science researchers,
namely positivism and phenomenology. These paradigms, however, differ in ontology and
epistemology.

Hatch and Cunliffe (2006) researched the concept of ontology and concluded that individuals
define reality in different ways depending on experience, in ways that are either subjective or
objective. Research based on positivism is defined from an objective perspective.
Consequently, reality is built upon the values of reason, truth and validity gathered through
direct observation and experiments and measured using mainly quantitative methods (Saunders
et al., 2007). On the other hand, epistemology is the theory of knowledge, reflecting views of
what the researchers can know about the business world and how they can know it (Easterby
et al., 2012). According to Bhattacherjee (2012), epistemology, which is derived from the quest
to create knowledge, refers to the assumption that the best way to study the world is either to
use an objective or a subjective approach. Hatch and Cunliffe (2006) summarise the concept as
knowing how one can know and focus on discovering how knowledge is generated.

In summary, ontology is defined as the nature of reality and epistemology is the relationship
between the researcher and the reality. There are two dominant ontological and epistemological
ideologies, namely positivism and phenomenology. The subsection below describes these two
dominant ideologies and their applicability to this research study.

3.3.1 Positivism

Positivism adheres to the view that only factual knowledge is gained through observations.
This implies that the role of the researcher is limited to data collection and interpretation
through the objective approach and the research findings are usually observable and
quantifiable. The researcher applied this approach as some data gathering instruments implied
quantifiable methods. It follows that the approach depends on quantifiable observations that
lead to statistical analysis. Furthermore, the researcher applied the phenomenology approach in
this study.

3.1.2 Phenomenology

Phenomenology studies focus on experiences, events, and occurrences with minimum regard
for the external and physical reality. Accordingly, phenomenology ideas are generated from a
rich amount of information by means of induction and human interests. Phenomenology,
however, is a variation of interpretivism. Gummesson (2003) argues that all research is
interpretive and more researchers contended that every researcher battles with the problem of
risk perception while considering objective versus subjective viewpoints, only to favour the
subjective perspective as more balanced. Interpretivists believe that the topic of research can
be largely understood through subjective interpretation, which helps to gain the real insight
into and understanding of the subject (Easterby et al., 2012).

Bhattacherjee (2012) in his studies employed qualitative methods such as unstructured
interviews and questionnaires and rejected positivism for its association with quantitative
research methods such as experiments. Cohen et al. (2007) moreover explain that positivism
cannot be applied to the study of human behaviour, where the immense complexity of human
nature and the elusive and intangible quality of social phenomena contrast with the order and
regularity of the natural world. This is more related to the field of RM where risks can be
viewed from a human judgmental perspective.

Considering the nature of ERM, the researcher chose a mixed (both positivism and
phenomenology) approach as it encompasses all dimensions in ensuring that the research is
done properly. The justification associated with the use of phenomenology includes its ability
to understand the meanings attached by people and its contribution to the development of new
theories. However, it is associated with difficulties in the analysis and interpretation of data,
usually with lower levels of validity and reliability compared to positivism, so the positivism
approach will fill that gap. In that regard, phenomenology will take priority over
positivism as the researcher does not set out to test a single pre-existing theory, nor does the
researcher intend to generate new theory or hypothesis.

3.2 Research Design

A research design is sometimes defined as a road map which links the empirical data to the
research questions and eventually to the research findings. It constitutes the blueprint for
collection, measurement, and analysis of the data (Cooper & Schindler, 2011). The general
understanding of the above definitions is that a research design provides a logical fashion in
which data is collected, blended and analysed to address research objectives in the most
efficient style.

The research was conducted on a mixed approach. Data was collected from all the short term
insurance companies and long-term insurers. The study took a survey approach, which sought
to identify the frameworks used, the maturity level and the challenges which insurers are
facing. Moreover, the study was conducted using a descriptive research design which was
considered to be appropriate in describing and evaluating the current state of ERM.

3.2.1 Descriptive Research

Orodho (2005) defined a descriptive survey as a method of collecting information by
interviewing or administering a questionnaire to a sample of individuals. Kombo and Tromp
(2006) further assert that descriptive studies are not only restricted to fact findings, but may
often result in the formulation of important principles of knowledge and solutions to significant
problems. In that way, it does not fit neatly into the definition of either qualitative or
quantitative but rather utilizes the elements of both within the same study.

Considering the views propounded above, a descriptive research design best suits this investigation
in that it will avail the present condition of ERM practices in the industry, thus its immediate
status and the facts about what is causing the underdevelopment of ERM, for example as
suggested by the literature. Furthermore, the analysis of the challenges that Zimbabwean
insurers are facing, and therefore the analysis of the suggested strategies, best suits the format of a
descriptive research design.

3.2.2 Justification
Briefly explained below are some justifications for choosing a descriptive research design.
• Sekaran (2010) noted that descriptive studies provide information for the future course of
action and hence suit this study as there is room for future action in mapping the multi-
period review of poor dimensions.
• The method is also flexible enough to provide an opportunity for considering different
aspects of a problem under study (Kothari, 2009).
• Cooper and Schindler (2011) suggested that using descriptive research enables an in-depth
study of phenomena or characteristics associated with a subject population, such as the who,
what, when, where, and how of a topic. This is more relevant to the investigation of ERM
development in that a number of entities which implement ERM and the framework that
was used as a guideline will be reviewed.

The above validations furnish the information on why the researcher chose a descriptive
approach. This design will be used for all the life and non-life insurance companies registered
by IPEC as at 30 September 2016 to ensure comprehensive research. The subsection below
therefore discusses the research approach adopted, which best suits the descriptive design
adopted.

3.3 Research approach

Ranging from a purely positivistic to purely phenomenological standpoint are seven main
research strategies that are: experiments, surveys, case studies, action research, grounded
theory, ethnography and archival research (Keith, 2014). This research was conducted using a
combined research strategy with a survey approach, taking priority over a case strategy. This
will enable the researcher to carry out deep investigations about the ERM adoption level and
the maturity standpoint. Moreover, the questionnaire, therefore, followed this form to provide
reliable and valid data. In the same manner given above, there are three research choices: mono
methods, mixed methods, and multi-methods. Each of the research choices assumes the
adoption of either a single research method (mono methods) or combined qualitative and
quantitative methods (mixed methods). The below subsection will discuss the research method
that was used for the purpose of this research.

3.3.1 Qualitative

The qualitative research employs symbols and words to indicate the presence or absence of a
phenomenon (Matveev, 2002). The aim of this method is to study individuals and phenomena
in their natural settings and gain a better understanding. Administering qualitative research
provided the author with an opportunity to be directly involved in the field, through
the administering of questionnaires, where people's beliefs, behaviour, and the related environment
exist. It, therefore, provides flexibility in data gathering and hence provided an insight into the
RM practices in place through observations. Therefore the participative role in carrying out a
qualitative research was a key determining factor for the researcher in choosing this approach
and further due to its flexibility.

The researcher considers both qualitative and quantitative methods. Creswell (2007) supported
the use of mixed methods and highlighted that the use of mixed strategies can lead to a more
comprehensive and a better understanding of the research problem. This follows that the
concept of ERM is both qualitative and quantitative.

3.3.2 Quantitative

Quantitative methods in this research were used to complement the use of the qualitative
research described above. It provided a full picture of the research after having qualitative
research. The quantitative research employs numerical indicators to ascertain the relative size
of a particular phenomenon under study by involving the counting and measuring of events
and performing the statistical analysis of a body of numerical data (Matveev, 2002). This
implies that it assumes that there is an objective truth existing in the world that can be measured
and explained scientifically. This minimised the researcher's own bias and subjective favourites
as it is based on what emanates from the qualitative research and not based on the individual's
perspective. For these reasons, this study will embrace some form of quantitative elements to
complement the qualitative study.

3.4 Sampling Frame

Kothari (2009) defined a sampling frame as a complete and representative list of all the items
of a population. Such a list should be comprehensive, correct, reliable and appropriate. This
study targeted 33 insurance companies registered by IPEC as at September 2016. It also
targeted the middle to top management level with some help from the chief risk officers, heads
directors of risk, and internal auditors.

3.4.1 Population

Sekaran (2010) noted that population refers to the entire group of people, events or things of
interest that a researcher wishes to investigate. Cooper and Schindler (2011), however, noted
that a population is the total collection of elements about which the researcher wishes to make
some inferences. For the purpose of this study, all the insurance companies registered by IPEC
as at 30 September 2016 form the basis of the population of study. There are 33 licensed
insurance companies in Zimbabwe (22 offering general insurance and 11 offering life
insurance) as at 30 September 2016 (IPEC, 2016). The insurance companies are categorized
further into those offering general insurance and life insurance. In this study, the categories of
the sector, thus life and non-life, were not relevant as the component elements of a mature ERM
framework are expected to be present across all the companies.

3.4.2 Sample Size

According to Saunders et al. (2007), the sample size is the number of people to be surveyed.
The researcher sent questionnaires to both life and non-life insurance companies
to furnish a proper research study. Furthermore, it is worth noting that the researcher
computed the sample size using a judgemental method, bearing in mind the number of players
in each sector and the target respondents. Table 3.1 below presents the sample size
that was used.

Table 3.1: Sample size

SECTOR        NUMBER OF ENTITIES    TOTAL NUMBER OF PARTICIPANTS
Short Term    22                    66
Life          11                    33
Total         33                    99

Justification of the Sample Size

The sample size was determined by reaching the point of data saturation, which is where no
new themes were appearing from the data. This was reached after issuing questionnaires to
ninety-nine informants, representing at least three questionnaires per company. Sixty-six were
from twenty-two short-term insurers and thirty-three were from eleven life insurance
companies as at 30 September 2016. Past researchers, in identifying informants, judged that the
top management within the insurance companies are the very people that are in a position to
know more about the ERM process (Danijela et al., 2015). Contact with the CEO or the CRO
was difficult; as such, the target also included the internal auditors and any top employee in the
risk management department down to middle management. These personnel were chosen because
they are more likely to be abreast of the major issues relating to ERM.

3.5 Sampling Technique

Sampling is the process of choosing a few characters from a bigger set to become the basis for
estimating the prevalence of an unknown piece of information, situation, or outcome regarding
a bigger group (Kumar, 2005). Sampling comprises the intentional inclusion or exclusion
criteria for certain elements of a population, determined by the discretion of the researcher.
Moreover, from the 33 insurers, the researcher came up with a sample to carry out the study. It
follows that every unit under observation carries imitation traits of the population.

3.5.1 Purposive sampling

The purposive sampling technique, a non-probabilistic method also called judgment
sampling, is the deliberate choice of a variable due to its qualities. It is a non-random technique
that does not need underlying theories or a set number of variables. The researcher decides
what needs to be known and sets out to find people who can and are willing to provide such
information by virtue of knowledge or experience (Lewis & Sheppard, 2006). Personnel in
charge of the RM or in the managerial role were selected purposefully as they have the required
knowledge with regards to ERM. Moreover, the researcher used a convenience sampling
technique in the selection of the right personnel to fill in the questionnaire survey.

3.5.2 Convenience sampling

The research also took the form of convenience sampling as it selected employees from the
population that were conveniently available to complete the questionnaire. This technique is a
non-probability method that aims at obtaining a sample of convenient elements by selecting
the more readily available people for a study. It is, therefore, the best way of getting some basic
information quickly and efficiently. However, the researcher managed to gather as much
information as he could from the right targeted personnel.

3.6 Sources of Data


The research made use of both primary data and secondary data. The below subsection
describes the methods that were used in the collection of data. Furthermore the discussion was
extended to include the justification for the method used.

3.6.1 Primary data collection method

Cateora and Graham (2002) defined primary data as data collected specifically for the
particular research project. It was gathered through questionnaires that were distributed to the
top management. The researcher used this data because it is the most up to date data and close
to the truth as it is directly gathered from the people who understand the topic. Moreover, the
concept of ERM maturity is highly technical for it requires information from the employees
who are responsible for day to day operations of the business. So this required primary data to
get the process and practices in place.

3.6.2 Questionnaire construction

A questionnaire is a form given to people to fill out to obtain demographic information and
views and interests of the questioned (Kuter & Tilmaz, 2001). In other words, it is a method of
collecting information. Many researchers hold the opinion that using questionnaires is the best
way of collecting data, especially where factual information is required. Primary data was
collected using a 5-scale Likert-based survey questionnaire to transform the qualitative nature
of the subject into quantitative form for easier computation of the maturity level.

The researcher drafted a type of a questionnaire that included both open and closed ended
questions. Open-ended questions were to give respondents the liberty to express their ideas
clearly and freely without any limit. Closed questions were also used; these types of questions
were used to make it easy for respondents to answer the questions since the responses were
straight to the point.

The first part of the questionnaire comprises the general information required for the
respondent to furnish sound decisions. This covers question one to question four. Question
five was framed as a yes or no question to find whether the company already had an
ERM structure in place, and was extended to provide room for those which are in the process
of implementing one. Questions six, eight and nine of the questionnaire were developed from the
various variables identified in the literature review, taking into consideration the most
used suggested frameworks, challenges and strategies to ensure an optimised ERM structure.
Question seven of the survey questionnaire was specifically adopted from the ERMMM
developed by COSO (2004), Ciorciari & Blattner (2008) and Zhao & Low (2013). This part
of the questionnaire consists of 26 important ERM maturity topics and presents 123 applicable
best practices (elements) for risk mature companies. The questionnaire was modified to map
out all the ERM maturity dimensions. The questionnaire was helpful in fully understanding the
current status, maturity, and issues of ERM to facilitate the analysis and identification of
improvement opportunities or strategies.

Justifications for the use of a survey questionnaire

Kothari (2009) pointed out the merits of using questionnaires to collect data such as; low cost
when the universe is large, the instrument is free from bias of the interviewer, respondents have
adequate time to give well-thought answers and large samples can be reached. Respondents
had more time to give well-thought and researched answers since they were given time to
complete the questionnaires. This enhanced the quality of data collected and increased the
validity of the conclusions and recommendations made. These respondents were easily and
conveniently reachable with the use of questionnaires.

3.6.3 Secondary data collection methods

Secondary data is any information that complements and overcomes the subjectivity of primary
data. It is secondary in the sense that the data refer to materials published previously.
It comprises the information that was gathered from the internet, textbooks, publications and
academic journals. For easy access, the researcher used the library resources and the internet.
This type of data was used because of its vast merits, which include lower cost, reliability,
authenticity and wide acceptance in academic circles.

3.7 Data Collection Procedure


This section presented the means and ways the data was administered. These include the
administration of the primary and secondary data.

3.7.1 Primary Data- questionnaire administration


The researcher personally delivered the questionnaires to the targeted individuals. Most
respondents requested that they answer the questionnaires overnight, hence the researcher allowed
such arrangements, allowing the respondents to complete the questionnaire under no pressure.
However, the researcher adhered to the agreed collection times to avoid the risk of respondents
misplacing the questionnaires in their busy offices. This gave respondents ample time to provide
factual information.

The researcher reported to the receptionist or the information desk to seek formal
introductions. The questionnaires were self-administered to the top management; however, in
some companies the questionnaires were passed on to the audit and RM section. The
questionnaire was also emailed, together with a cover letter, to the respondents, especially in
Harare and some branches across the country. To increase the response rate, follow-up was
done by sending email reminders and making follow-up calls. The cover letter was designed in a
way which assured the respondent of confidentiality.

3.7.2 Secondary data

Cooper and Schindler (2011) alluded that secondary sources are an interpretation of primary
data. For the purpose of this study, the information was collected from library resources,
textbooks, the internet, newspapers, academic journals, Government documents and
publications, magazines, research findings, IPEC reports and lecture notes.

3.8 Pilot Study

A pilot study was carried out from the 21st of February to the 29th of February to test the content
validity of the research questionnaire, its understandability, the willingness to respond and the time
taken to respond to the questionnaire. Two of the respondents were risk managers from two
different life insurance companies in Harare, reached by email, and another two were from the short term
insurance sector in Bulawayo. Generally, a representative sample for the pilot test was picked using
convenience sampling with the aid of the relations built during industrial attachment. Cooper
and Schindler (2011) pointed out that in piloting, the selection of respondents need not be statistically
assessed. Therefore, both qualitative and quantitative feedback from the respective
respondents was accommodated and revisions were done to ensure that the instrument is
error free.

3.9 Data Presentation and Analysis Procedures

Data collected from primary and secondary research methods was compiled and edited for
accuracy, completeness, relevance, reliability and consistency through the use of computer
generated programs such as Microsoft Excel, SPSS and Microsoft Word for computing
summations, graphs, percentages and tables that will be necessary for clear data analysis and
presentation. Among the above, SPSS will be used mostly in data analysis. It is a Windows
based program that is used to perform data entry and analysis and to create tables and graphs.

Schehr (2007) says the advantages of using SPSS include data labelling options, the ability to
produce multiple tables in a few steps, recorded output and powerful statistical options, while those of
Excel include easy data entry, wide availability of the software, quick and easy pivot tables and nice
and flexible charting options. Hence the researcher chose these tools because they are
appropriate for the study's data analysis and presentation.

The data was quantitative in nature; therefore, descriptive statistics, frequencies, percentages
and ERM rank were used to analyse the data. The overall ERMM score for the industry will be
obtained by aggregating the scores of the dimensions using a simple averaging method. Each
individual dimension score was computed with the same procedure from the scores of its corresponding
sub-dimensions. The mean scores will then be ranked to see which of the ERM maturity factors
is the most prominent and to find the average industry ERMM level. Data analysis results will be
presented in tables.

Descriptive statistics were used in the analysis of challenges and strategies towards a robust
ERM. Furthermore, the challenges that insurers are facing towards the development of ERM
were analysed using factor analysis on SPSS v 21 to determine the constructs for the set of
measured variables. Furthermore, a factor analysis was conducted on the challenges to group
them accordingly. One-sample t-tests were conducted for both challenges and strategies to find
the significance of the variables.

3.10 Validity and reliability of research instruments

Validity usually measures the relevance of data to the subject topic or investigation and
reliability measures the consistency in the measurement of an instrument (Chikomba et al.,
2013). In other words, reliability deals with the accuracy of both the primary and secondary
research instruments used. It follows that if other researchers were to evaluate the level of
ERM adoption and maturity in the insurance industry, the results must be similar
to the ones obtained. In this study, the processes by which data was collected varied, but
mainly involved the administering of a survey questionnaire. In order to ensure validity and
reliability the researcher:
• Tailor-made the research questions to meet the specific requirements for ERM maturity
level evaluation and, more so, defined uncommon terms used in the questionnaire.
• Directed the questionnaire to specific informants, so that a defined sample
that represented the whole population was developed.

3.11.1 Cronbach’s Alpha


The researcher used Cronbach’s Alpha to test the reliability of the data and of the research
instrument. That is, each element or section in the questionnaire was tested for reliability. These
include the section on evaluating the maturity level of ERM, the section on the challenges that
Zimbabwean insurers are facing towards the development of ERM and finally the section on strategies
that can be employed. The literature suggested that an alpha of above 0.75 is accepted.
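
The reliability check described here and the simple-averaging roll-up described in section 3.9 can be sketched as follows. This is an added example, not the study's SPSS procedure: the respondent data and topic names are constructed, and banding a score by its integer part is an assumption inferred from the study labelling an overall score of 2.95 as 'Poor'.

```python
"""Added example: reliability check and maturity roll-up for a Likert questionnaire.

All respondent data and topic names below are constructed for illustration.
"""
from statistics import mean, variance

# Maturity levels 1..5 as named in the study.
LEVELS = ["Very weak", "Poor", "Mid", "Good", "Optimised"]


def cronbach_alpha(rows):
    """Cronbach's alpha for one questionnaire section.

    rows: one list of item scores per respondent, all of the same length.
    alpha = k/(k-1) * (1 - sum(item variances) / variance(respondent totals))
    """
    if len(rows) < 2:
        raise ValueError("need at least two respondents")
    k = len(rows[0])
    if k < 2 or any(len(r) != k for r in rows):
        raise ValueError("need at least two items and equal-length rows")
    item_vars = [variance([r[i] for r in rows]) for i in range(k)]
    total_var = variance([sum(r) for r in rows])
    if total_var == 0:
        raise ValueError("identical totals for all respondents; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def judge_alpha(alpha):
    """Apply the thresholds quoted in the study: 0.75 to accept, > 0.90 as a redundancy hint."""
    if alpha < 0.75:
        return "low"
    if alpha > 0.90:
        return "acceptable, check for redundant items"
    return "acceptable"


def dimension_scores(answers):
    """Average element scores into topic scores, then topic scores into dimension scores."""
    return {
        dim: mean([mean(elements) for elements in topics.values()])
        for dim, topics in answers.items()
    }


def overall_score(answers):
    """Overall ERM maturity score: simple average of the dimension scores."""
    return mean(list(dimension_scores(answers).values()))


def maturity_level(score):
    """Map a 1..5 score to a level name by its integer part (assumed banding)."""
    if not 1 <= score <= 5:
        raise ValueError("score must lie between 1 and 5")
    return LEVELS[min(int(score), 5) - 1]


# Constructed data: five respondents answering a four-item section (1..5 Likert).
SECTION_ROWS = [
    [2, 3, 2, 3],
    [3, 3, 3, 4],
    [4, 4, 3, 4],
    [2, 2, 2, 3],
    [4, 5, 4, 5],
]

# Constructed data: element scores grouped by dimension and topic.
# Only three of the eight dimensions are filled in to keep the sample short;
# the topic names are hypothetical.
SAMPLE_ANSWERS = {
    "Internal environment": {"Risk philosophy": [3, 2, 3], "Risk appetite": [2, 2]},
    "Risk assessment": {"Likelihood and impact": [3, 3, 2, 4]},
    "Monitoring": {"Ongoing monitoring": [4, 3], "Separate evaluations": [3, 3, 3]},
}

if __name__ == "__main__":
    alpha = cronbach_alpha(SECTION_ROWS)
    print(f"alpha = {alpha:.3f} ({judge_alpha(alpha)})")
    for name, score in dimension_scores(SAMPLE_ANSWERS).items():
        print(f"{name}: {score:.2f} ({maturity_level(score)})")
    total = overall_score(SAMPLE_ANSWERS)
    print(f"Overall: {total:.2f} ({maturity_level(total)})")
```
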

3.11.2 Data normality

The normality of data was tested using the Shapiro-Wilk test. Each section of the
questionnaire was tested for normality. These areas include the data on ERM maturity, the
challenges that Zimbabwean insurers are facing and finally the strategies that insurers can
employ towards a robust ERM structure. A p value > 0.05 indicated that the data follows
a normal distribution. This gave the basis for further analysis of data including the correlation
analysis, factor analysis, and significance tests.

3.12 Limitations

This subsection highlights the limitations that were faced by the researcher in the collection and
administration of data. The study area was highly sensitive; as such, some managers were
unwilling to furnish such information. However, the researcher used the relations developed
during industrial attachment to ensure a robust study. Furthermore, the research
questionnaire was too long, as it included all the elements of ERM, that is the 8 ERM
dimensions, 26 ERM topics and the 123 ERM elements. To overcome this limitation the
researcher tailor-made the questionnaire to suit the requirements of an undergraduate without
losing the meaning and structure of the components.

3.13 Elimination of bias

Researcher bias is inherent in both research methods and participants. However, the researcher
took the necessary steps to ensure that bias was eliminated in the research study. These steps
include:
• Gender neutral words were used. This research accommodated both women and
men, taking into consideration the level of understanding of the research under study.
• A quantitative approach was also used to prevent bias in gathering and presenting research
data. This was made possible through the construction of more closed-ended questions;
however, room for further explanations was provided through the inclusion of some
open-ended questions.
• The researcher also self-administered the research questionnaires to ensure convenience
and to guard against bias.
• Moreover, the researcher avoided the use of language that proposes an evaluation of certain
categories. This ensured that the study will remain relevant to the industry as a whole.
Taking into consideration the above measures in ensuring that research bias was minimised or
eliminated, the researcher was guided by some ethical considerations.

3.14 Ethical considerations

Most definitions of ethics in some shape or form describe ethics as being about what is right
and wrong. The student abided by good ethical behaviour after noting that there is an
implied higher standard of behaviour attached to ethics and integrity as opposed to the
requirements of the law. Below are some of the ethical considerations which were taken into
consideration.
• The researcher chose top management to be part of the respondents in data gathering.
This followed from the fact that the top management is ultimately responsible for ERM issues and
for that reason they are aware of the nature and details of the research being conducted
and have the capacity to understand the aspects of ERM.
• Throughout the study, the identity of all the participants was protected. This was made
possible through the construction of a questionnaire without a section for the company
or the name of the respondent.
• All questionnaires sent were completed after express permission from the respondents.
• Integrity, which is a combination of honesty, good values, fairness, adherence to the
facts and sincerity, was practised at high levels.
• Moreover, all the information gathered from the questionnaire survey was treated with
utmost confidentiality. This was done by aggregating the results from the findings, that
is, results were not presented individually.
The ethical considerations stated above were practised during the course of the research study
to ensure that the researcher does not breach the mutual trust between the parties, which is a
quotient of integrity and ethical conduct.

3.15 Chapter Summary

This chapter has described and justified the design of the study. This survey used descriptive
research to evaluate the frameworks which insurance companies have adopted in the
implementation of ERM, and then to assess the maturity, challenges, and strategies in the
implementation of these programs. A questionnaire survey was conducted for a census of 33
insurance companies. The results from the survey will be analysed and subjected to descriptive
statistics and rankings to draw conclusions on the research questions. The next chapter presents
the findings from the field study.

4. CHAPTER FOUR: RESULTS, DISCUSSION AND INTERPRETATION OF FINDINGS
4.1 Introduction
This chapter was built on the premise of the presentation and interpretation of findings obtained
from the descriptive survey. The researcher presented the findings using various types of
graphs and tables. The main goal of the study was to evaluate the level of ERM maturity. This
was accomplished through the justification of data that was collected and analysed.

4.2 Response rate

The response rate shows the magnitude of responses from the data collection methods used.
The response rate was considerably resounding, as above average responses were attained, as
shown below. The review of literature suggests that a response rate of at least 50 percent is
considered adequate for research, 60 percent is generally good and 70 percent is very good
(Groves, 2006). Furthermore, a response rate of 60% or more is desirable for academic
research; however, a response rate of greater than 65% is required when the sample size
has exceeded a population of approximately 500 (Duncan, 2008). Findings are summarised
below.

Table 4.2: Response rate


Respondents          Questionnaires sent    Questionnaires responded to    No responses    Response rate %
Life insurers        33                     26                             7               78.79
Non-life insurers    66                     55                             11              83.33
Total                99                     81                             18              81.82
Source: Primary data

4.3. Questionnaires sent and responded

Ninety-nine survey questionnaires were distributed by email, and some were hand
delivered by the researcher using a pick and drop later method. As depicted above, from the
thirty three (33) questionnaires that were distributed to life insurance companies, twenty six
(26) were responded to, which gave a response rate of 78.79%. The non-response rate of
21.21% was inflated by a high number of insurers who do not have an ERM process in place.
Short term insurance companies recorded a higher response rate of 83.82% compared to the life
sector. The overall response rate was arrived at using the average method, which gave an
average of 81.82%. The researcher did a good follow up to obtain the maximum response rate.

4.3.1 Demographic Characteristics


The subsection below presents the summary of findings from the demographic features which
aid the furnishing of the research study. These include gender and position of the respondent.

Gender

The researcher included a section in the questionnaire survey for the respondents to indicate
whether they are male or female. The findings are presented below.

Table 4.3: Gender


          Frequency    Valid percent %
Male      38           46.9
Female    43           53.1
Total     81           100
Source: Primary data

A greater percentage of 53.1% was found from female respondents as compared to males, who
accounted for 46.9%, justified by a greater percentage of females holding managerial positions
in the insurance industry. The findings were aggregated and presented without revealing any
gender issues for ethical considerations.

Position

All respondents were asked to specify their positions in the company. A higher share of respondents,
43.2%, were in mid-level management, 29.6% were in operations, including the risk
management department, claims and underwriting, and 27.2% were from the top management.

Table 4.4: Position


                         Frequency    Percent %
Top level management     22           27.2
Mid-level management     33           43.2
Operations               24           29.6
Total                    81           100
Source: Primary data


The questionnaire survey was targeted at the top level management using a judgmental
sampling technique targeting the CRO, CEO and head of the RM department, which only resulted
in a lower response rate of 27.2% due to the challenges of getting hold of them. Furthermore,
mid-level management was also targeted using the same approach, targeting the heads of the
departments, which reaped a higher rate of 43.2%. This higher rate helped in getting the quality of
information required for the subject under study.

4.4 Reliability and data normality analysis

There exist many views on the acceptable values of Cronbach’s alpha. Generally an alpha
of .75 is acceptable (Mohsen & Reg, 2011). A low value of alpha of less than .75 may be due
to poor inter-relatedness between items or heterogeneous constructs (Mazviona et al., 2014).
Furthermore, a low alpha appears if the set assumptions are not met and, on the other hand, a high
value of alpha (> 0.90) may suggest redundancies and show that the test length should be
shortened (Mohsen & Reg, 2011). The findings are summarised below.

Table 4. 5 Reliability statistics


                      Cronbach's Alpha    Number of items
ERM maturity level    .815                123
Challenges            .798                6
Strategies            .815                5
Source: Primary data

The above reliability statistics came to .815, .798 and .815 for testing maturity, evaluating ERM
challenges and strategies respectively. The reliability coefficients for the different categories
and the entire survey instrument have a value of greater than 0.75. Therefore, the survey
instrument is generally good and acceptable. After observing that the data was generally good
and acceptable, the researcher checked for the normality of data using the Shapiro-Wilk test.

4.4.1 Data normality

The tests for normality were conducted using the Shapiro-Wilk test on SPSS v 21. It is
recommended that the tests be conducted only for a sample size of less than 50 (Ghasemi,
2012). Since the sample size was less than 50, the researcher used the Shapiro-Wilk test to test
the normality of the data. A significance value of the Shapiro-Wilk test of greater than
0.05 reveals that the data is normal (Graeme & Wiknson, 2015). The following
hypotheses were used.

H0: The sample data is not significantly different from a normal population
H1: The sample data is significantly different from a normal population
Set conditions: do not reject the null hypothesis when p value > 0.05

The analysis below was done on each individual section, that is the ERM maturity analysis, the challenges
that Zimbabwean insurers are facing towards the development of ERM and finally the
strategies that can be employed by insurers for enterprise wide risk management. The results
are presented below.

Table 4.6: Tests for normality


                      Shapiro-Wilk
                      Statistic    Df    Sig.
ERM maturity level    .980         81    .349
Challenges            .972         81    .078
Strategies            .957         81    .051

*. This is a lower bound of the true significance.
a. Lilliefors Significance Correction
Source: Primary data

For the ERM maturity analysis, it is possible to conclude that the data is from a normal distribution,
justified by a p value of 0.349, which is > 0.05. The leading conclusion is that we do not reject
the null hypothesis (Ghasemi, 2012). Furthermore, the p value is resounding, as there is a
wide margin above the generally accepted p value of 0.05. The challenge analysis presented
above revealed that the data is from a normal population, justified by a p value of 0.78 > 0.05,
which gave the basis for non-rejection of the null hypothesis. The tests of the strategies that
insurers can employ towards a robust ERM structure also indicated a normal population
distribution. This was justified by a p value of 0.51 > 0.05, just above the required level. For
that reason the null hypothesis was not rejected. It is clear that all the cases have a p-value
greater than 0.05, which indicates a normal distribution of data that is therefore fit for further
analysis (Ghasemi, 2012).

4.5.1 ERM adoption
Beasley (2017) noted that the adoption level of ERM has increased over the years; however,
there appears to be a levelling off with 25% from 2015 and an increase by 3% in 2016. The researcher
also evaluated the adoption level of ERM in the Zimbabwean insurance industry. The majority
of insurers, about 46.9%, indicated that they are still implementing or researching the
program. Suria et al., (2015) also concurred with these views as they noted that many
corporates around the globe are still implementing ERM and concluded that 51% of Malaysian
companies are still in this phase. The findings also revealed that only 38.3% claimed to have a
formal ERM program. Furthermore, 14.8% indicated that they don’t have a formal ERM
program in place. The findings are summarised below.

Table 4.7: ERM adoption


                          Frequency    Valid percent
A robust ERM program      30           37.10 %
Still implementing ERM    38           46.90 %
No ERM program            13           16.00 %
Total                     81           100 %
Source: Primary data

The results above indicated that the Zimbabwean insurance industry is accepting the ERM
program as a tool in managing all corporate risks represented by a higher number of insurers
participating in implementing with a few percentages lagging behind. Beasley et al., (2016)
concurred with these views when they noted that the concept of ERM has been accepted in
most listed companies. Researches in Zimbabwe were limited to the banking sector and a few
in the insurance industry. Kanhai et al., (2014) also noted that Zimbabwean banks have fully
implemented ERM in their corporate culture. Further analysis was carried out on the ERM
maturity level to find the actual adoption level.

4.6 ERM frameworks used as guidelines.

The research was also aimed at finding the ERM frameworks that were used as guidelines by
Zimbabwean insurers in implementing ERM. The results from the study indicated that the
COSO ERM framework is the most used, reflected by 38.3%. ISO 31000:2009 took the
second position with 33.3%. BS 31000: 2008 and the Red book had 6% and 3% respectively.
Mohd et al., (2014) and Racz et al., (2011) also reported the same findings as above, as they
noted that the COSO: 2004 and ISO: 2009 frameworks are mostly used by organisations. A
relatively higher percentage of 14% indicated that they don’t have a framework in place, as
many insurers are still implementing. The table below presents a summary of the findings.

Table 4.8: ERM frameworks


                                                       Frequency    Percent %
COSO, 2004 ERM framework                               31           38.3%
ISO 31000: 2009, RM - Principles and Guidelines        27           33.3%
BS 31100: 2008, Code of Practice for RM                6            7.4%
OCEG Red Book 2.0: 2009 - A GRC Capability Model       3            3.7%
Missing and not sure                                   14           17.3%
Total                                                  81           100%
Source: Primary data
Lindquist (2014) suggested that the most frequently used frameworks are the ones listed in Table
4.8 above. The researcher observed that, of the four frequently used, the COSO: 2004 and
ISO: 2009 are the ones that are mostly used by the Zimbabwean insurance industry. Frigo and
Anderson (2014) shared the same notion and noted that the most used ERM frameworks are
the COSO: 2004 ERM and ISO 31000:2009. However, Kerstin et al., (2014) held a different
notion as they concluded that the COSO and GRC are the most used frameworks. It is possible
to conclude that the results obtained from the primary research are in consensus with the
literature, as the COSO and ISO frameworks are paving the way with 38.3% and 33.3%
respectively.

4.6.1 Correlation between ERM maturity and types of ERM frameworks


With the recognition of the widely used frameworks, the researcher conducted a Pearson
correlation analysis to find whether there is a link between the overall ERM maturity and the type of
ERM framework used as a guideline during the implementation. Tests were conducted
using the following hypotheses.
Key: H0 = There is no relationship between the variables
H1= There is the relationship between the variables
Set conditions: When the P Value is greater than .05, we reject the null hypothesis

The table presents a summary of the findings from the primary research. The data on the
ERM frameworks indicated by the Zimbabwean insurers to be the most used was
transformed and computed using SPSS v 21. The findings are summarised below.
Table 4.9: Correlations
                                        ERM maturity    ERM framework
ERM maturity      Pearson Correlation   1
                  Sig. (2-tailed)
ERM frameworks    Pearson Correlation   -.173           1
                  Sig. (2-tailed)       .161
Source: Primary data


The correlation results revealed that there is no relationship between the variables, justified by
the p value of 0.161 > 0.05, and therefore the null hypothesis was not rejected. This revealed
that the framework used does not influence the level of maturity of the process in place. Njagi
(2015) also concurred with these views and concluded that the RM framework adopted does not
determine the level of ERM maturity. Further to the results obtained above, the researcher
combined the results from the industry, that is the ERM status regardless of the framework used,
since there is no relation between maturity and the framework adopted.

4.7 ERM maturity levels

The study was also aimed at finding the level of ERM maturity of the short term and life assurers
in Zimbabwe. A risk mature entity has implemented an ERM process that contains all elements
laid down in the ERM framework and guidelines (Zhao & Low, 2013). Subject to the current
state of ERM employment, the program can be categorised in five levels, which are Very weak,
Poor, Mid, Good or Optimised (Ciorciari & Blattner, 2008). Eight dimensions, namely internal
environment, objective setting, event identification, risk assessment, risk response, control
activities, information and communication, and monitoring, were used to evaluate the maturity
level.

4.7.1 Zimbabwean insurance industry overall ERM Maturity Level

The primary objective of this research was to find the level of maturity of ERM processes in
the Zimbabwean insurance industry. The excellent level that can be attained is level 5,
which is characterised by a more mature ERM system (Ciorciari & Blattner, 2008). The ERM
maturity level was computed using SPSS v 21 with some aid from Microsoft Excel. Appendix
two presents the case summaries for each dimension. Fig 4.8 below presents the maturity
level of the Zimbabwean insurance industry.

Figure 4.1: ERM maturity level
(Bar chart of maturity level by dimension; scale: Very weak, Poor, Mid, Good, Optimised)

Dimension                        Maturity level
Internal environment             2.97
Objective setting                3.01
Event identification             2.91
Risk assessment                  2.89
Risk response                    3.07
Control activities               2.90
Information & communication      2.80
Monitoring                       3.14
ERM                              2.95
Source: Primary data

The results from the study indicated that most insurance firms were in level 2 ‘Poor’, with some
few having characteristics of level 3 ‘Mid’, with an overall risk maturity level of 2.95 ‘Poor’.
The computations are attached in appendix two. This level of ERM maturity is associated with
informally regulated ERM processes and a defined ERM program, but with little or
no training done to ensure a robust ERM structure (Njagi, 2015). Moreover, due to the lack of
training to equip all staff, risk language and culture lag behind.

The findings are not very different from the few research findings which were carried out across
the globe. Njagi (2015) did the very same survey in the Kenyan insurance industry and found
that the ERM adoption and maturity level is still at the Mid-level, with the tier having an average
of 69.9%. Moreover, Beasley et al., (2016) revealed that the global overall ERM level ranges
from poor to mid, with most companies still investigating ERM practices and therefore
implementing. Furthermore, Mazviona et al., (2014), in a survey of the RM practices in the
non-life insurance sector in Bulawayo, alluded that the RM practices are still poor in Zimbabwe,
signifying low levels of ERM maturity.

The results above revealed a poor level of ERM maturity. Lindberg and Seifert (2011) and
Kanhai et al., (2014) were also in consensus with the statistics above, as they noted that the
financial service sector is in the process of employing ERM, with the banking sector paving the
way. The results can be justified by the turbulent and dynamic Zimbabwean
economy, which does not support investment in risk management efforts (Chikomba et al.,
2013). Furthermore, Danijela (2015) also noted that, despite the growth and evolution of ERM
during the past two decades, the program has been pragmatic across financial institutions. This
revealed that ERM has been an accepted approach; however, the level of ERMM is immature.

4.7.2 Contributions of each dimension to the overall score

Further analysis was conducted to evaluate the contributions of each dimension to each level
using the descriptive analysis. Fig 4.9 presented a summary of findings.

Figure 4.2: The maturity level analysis using dimension contributions
(Stacked bar chart: percentage contribution, 0% to 100%, of each dimension to each maturity
level: Very weak, Poor, Mid, Good, Optimised)
Legend: D1 - Internal environment; D2 - Objective setting; D3 - Event identification;
D4 - Risk assessment; D5 - Risk response; D6 - Control activities;
D7 - Information & communication; D8 - Monitoring
Source: Primary data

Level 1 - Very weak

The internal environment dimension contributed a higher percentage of weak elements,
contributing almost 26% to the level. This indicated a poor RM philosophy in all organisations,
followed by a poor risk basis from which risk and control measures are viewed by all employees
in the industry. Budi et al., (2014) also concurred with these views, in that at this level there is
a poor risk management culture. Moreover, the event identification, risk assessment, control
activities and monitoring activities shared almost equal contributions with 10%, 12%, 11%,
and 11% respectively. This indicated poor risk identification and measurement procedures, with
the poorest risk response measures of 18%. Information and communication and objective
setting contributed a lower percentage of 7% and 5% respectively.

The above statistics revealed very low formalisation and documentation (Ciorciari & Blattner,
2008). The Internal Auditor (2013) also concurred with the above findings and noted
that at this level there is no or minimal awareness of the importance of RM and there are no
processes in place across the entity. This is justified by a higher percentage contribution of 26%
from the internal environment dimension.

Level 2 - Poor

The internal environment contributed a higher percentage of 21%, reflecting poor risk
philosophy and culture. The two dimensions of risk assessment and information and
communication shared higher percentages of 18% and 17% respectively. The above statistics
supported the notion of Ciorciari and Blattner (2008), who stated that there is no
communication and hence an undefined ERM structure. Further, an average of 11% was
shared by the monitoring, control and event identification, representing poor risk measures in
place. Moreover, the objective setting and risk response shared a lower value of 6%.

The statistics above presented the element of a one size fits all silo approach. Several authors,
including Hillson (2002) and Budi et al., (2014), also observed that the process dimension, which
includes the objective setting, event identification, assessment and response, lacks generic
formal processes, although some specific formal methods may be applicable. This is in
consensus with the findings from the study, as there is a higher contribution from the internal
environment and the information and communication.

Level 3 - Mid

The internal environment contributed a higher percentage of 21%, representing standardised principles in place. The risk assessment dimension also contributed a higher level of 17%, revealing moderate levels of managing risks. The other dimensions, which are monitoring, information and communication and event identification, shared moderate percentages of 11%, 13% and 11%, slightly above and below the average percentage contribution of 12.5%. The objective setting and the control activities were marked the least with 9% and 10% respectively. The Audit Office (2013) also found similar results, as they concluded that at this stage the process exists covering all major risks, standardised RM principles are defined and documented, and basic training is conducted, evidenced by an improved 11% contribution from the event identification and 13% from the information and communication.

Level 4 - Good

At this level the RM philosophy and culture is good, represented by the industry's higher percentage of 26%. The dimensions of information and communication and risk assessment shared an above average percentage of 14% per dimension, representing good RM practices and procedures to assess risk. The other dimensions are not yet mature, as presented by percentages below the average of 12.5%. The statistics above were in consensus with the findings of Hillson (2002), who noted that at this stage there is top-down commitment to RM, upper management uses risk information in decision making and proactive RM is encouraged and rewarded. This is evidenced by several dimensions with less than 12.5% contribution to the overall maturity level dimension analysis.

Level 5 - Optimised

The internal environment, risk assessment and event identification dimensions are matured, as presented by contributions above the average of 12.5% per dimension. The other dimensions were closer to maturity, except for monitoring activities lagging behind with only 3%. This may be a result of capital constraints on putting proper RM monitoring activities in place. The literature suggested that at this level both qualitative and quantitative measures for event identification, risk assessment and response are improved (Ren et al., 2014). On the same note, these dimensions accounted for only 3%, justifying the underdevelopment of the ERM practices in the Zimbabwean insurance industry. Beasley et al. (2010) also concurred with these views in that organisations need further guidance, as there is a long way to go in attaining this level. The researcher furthered the analysis to indicate the degree of maturity for each component. This was done with the aid of a radar chart.

4.7.3 Components radar chart


The radar chart below provided an overview of the maturity level degree for each of the ERM maturity components. All twenty six ERM elements are still immature, with monitoring activities leading the way with a mean of 3.5. The other elements are still far from maturity, with the information and communication dimension lagging behind with an average of 2.80. ERM is optimized when all the components reach a score of 5, i.e. the radar is all shaded (Ciorciari & Blattner, 2008). The diagram below presented the elements' maturity level.

Figure 4.3: ERM components radar

[Radar chart "ERM elements radar": mean maturity score of each ERM element on a radial scale from 0 to 3.5. Elements, clockwise: Risk management philosophy; Corporate governance; Responsibility; Competence; Integrity and ethical values; Strategy formulation; Strategy implementation; Strategy effectiveness; External factors driving events; Internal factors driving events; Events affecting business and…; Event characteristics; Assessment metrics; Assessment mode; Risk mitigation strategies; Residual risk; Control basis; Control over objectives; Control over processes; Control over information…; Information over objectives; Information quality; Information management; Communication; Monitoring activities; Monitoring corrective actions.]

Source: Primary data


The findings by RIMS (2011) are in consensus with the research findings on the component maturity, as they noted that there is a long way to go before their ERM programs are fully optimized. This was possible to conclude as the components are still poor. Since these components contribute less to the final maturity scale, it is vital to test the relationship between the maturity and the various components. Ciorciari and Blattner (2008) postulated that there exists a positive relationship between ERM maturity and some different dimensions. Therefore, before analysing further the effects of each dimension on the overall score, it is vital to conduct a bivariate analysis to reveal whether there exists a relationship between the ERM maturity and the eight dimensions used.

4.7.4 Bivariate correlation analysis


Pearson's correlation coefficient is an extremely important and widely used analytical tool in statistical data analysis in cases of linear relationships (Zheng, 2010). The key outputs, the Pearson r and the p-value, were computed using SPSS v 21. The table below presented the correlations between the ERM dimensions and the maturity level.

Table 4.10: Correlations

                           ERMM    D1      D2      D3      D4      D5      D6      D7      D8
ERMM  Pearson Correlation  1       .802**  .782**  .816**  .806**  .628**  .837**  .868**  .532**
      Sig. (2-tailed)              .000    .000    .000    .000    .000    .000    .000    .000
D-1   Pearson Correlation  .802**  1       .788**  .789**  .723**  .536**  .744**  .823**  .085
      Sig. (2-tailed)      .000            .000    .000    .000    .000    .000    .000    .489
D-2   Pearson Correlation  .782**  .788**  1       .864**  .621**  .628**  .777**  .754**  .120
      Sig. (2-tailed)      .000    .000            .000    .000    .000    .000    .000    .328
D-3   Pearson Correlation  .816**  .789**  .864**  1       .781**  .647**  .830**  .801**  .098
      Sig. (2-tailed)      .000    .000    .000            .000    .000    .000    .000    .425
D-4   Pearson Correlation  .806**  .723**  .621**  .781**  1       .594**  .842**  .861**  .129
      Sig. (2-tailed)      .000    .000    .000    .000            .000    .000    .000    .290
D-5   Pearson Correlation  .628**  .536**  .628**  .647**  .594**  1       .718**  .715**  .018
      Sig. (2-tailed)      .000    .000    .000    .000    .000            .000    .000    .881
D-6   Pearson Correlation  .837**  .744**  .777**  .830**  .842**  .718**  1       .852**  .137
      Sig. (2-tailed)      .000    .000    .000    .000    .000    .000            .000    .261
D-7   Pearson Correlation  .868**  .823**  .754**  .801**  .861**  .715**  .852**  1       .160
      Sig. (2-tailed)      .000    .000    .000    .000    .000    .000    .000            .189
D-8   Pearson Correlation  .545**  .085    .120    .098    .129    .018    .137    .160    1
      Sig. (2-tailed)      .000    .489    .328    .425    .290    .881    .261    .189

**. Correlation is significant at the 0.01 level (2-tailed).

Source: Primary data

Key: H0 = There is no relationship between the variables
H1 = There is a relationship between the variables
Set conditions: When the P Value is greater than .05, reject the null hypothesis (Zheng, 2010).

A Pearson correlation was conducted using SPSS to establish whether there exists a link between the overall ERM maturity and each dimension. The results indicated that the p values of all the eight dimensions are less than 0.05, which justified the rejection of the null hypothesis H0, which purported that there is no relationship between ERM maturity and the cited dimensions. The r values were greater than 0.5 for all the variables, indicating a positive correlation in all the cases. Furthermore, the presence of stars on each component indicates that the dimensions are significant. This reveals that any positive change in each dimension results in an improved ERM maturity level (Ciorciari & Blattner, 2008). Tran (2011) purported that a positive r value implies a positive association whereas a negative number implies the inverse association.

On average there is a strong uphill linear relationship, justified by an average r value of greater than 0.7. Furthermore, the internal environment, event identification, risk assessment, control activities and the information and control presented a stronger positive correlation of more than .80, with the monitoring and risk response attaining just above 0.50. Ciorciari & Blattner (2008) also held the same notion on the positive link between the maturity level and the. Having noted that these dimensions presented variations of correlations towards the ERM maturity score, a dimension effect analysis is of vital importance to reveal the effect of each component on the maturity score (Ciorciari & Blattner, 2008).

Dimension effect analysis

After establishing the link or relationship between each dimension and the overall maturity score, the researcher went further to find the effect of each dimension on the overall score. This was done to find the components which negatively or positively impacted the overall score, since there exists a relationship between the variables. Furthermore, this follows from the view that ERM ought to be an integral part of an entity's process, particularly in the business decision making process, and should be tailored to its environment to create and protect shareholder value (Shortreed, 2010). The findings from the primary research are presented below.

Figure 4.4: Dimension effect analysis

[Horizontal bar chart "Dimension effect analysis": effect of each dimension on the overall maturity score, on an axis from -0.2 to 0.2. Bars, top to bottom: Monitoring activities; Information and communication; Control activities; Risk response; Risk assessment; Event identification; Objective setting; Internal environment.]

Source: Primary data

The above chart reflected that the monitoring activities, risk response and objective setting positively impacted the overall score, with the first one leading with 0.18. The remaining components negatively impacted the overall score, with the information and communication having the least value of -0.15. Beasley et al. (2016) in their study concurred with these views, as they noted that there is a need for information and communication to improve the RM culture. The information computed above paves the way to determine the strengths or weaknesses associated with each dimension and therefore provides the basis for recommendations for a robust ERM maturity by prioritizing.

4.7.5 Strength/ weaknesses analysis

After computation and analysis of each dimension, the researcher went on to find the strengths and weaknesses of each component. This aided the researcher in ranking each component and therefore prioritizing the management efforts on each dimension as high, medium or low. The high priority measures derive from components that have a very weak or poor maturity level degree, the medium priority measures derive from components that were evaluated with a mid maturity level degree, and the low priority measures derive from components that were evaluated with a good maturity level degree (Ciorciari & Blattner, 2008). The summary of findings is presented below.

Figure 4.5: Strength/ weaknesses analysis

[Stacked horizontal bar chart "Strength/ weaknesses analysis" on an axis from 0% to 100%; the data labels on the bars are tabulated below.]

Dimension                         High priority   Medium priority   Low priority
D8- Monitoring                         22               11               12
D7- Information & communication        35               13               25
D6- Control activities                 22               10               22
D5- Risk response                      11                7               19
D4- Risk assessment                    30               17               30
D3- Event identification               21               11               23
D2- Objective setting                  13                9               18
D1- Internal environment               47               21               54

Source: Primary data

The monitoring, information and communication and internal environment dimensions require relatively high priority, evidenced by slightly above 38% each, towards the achievement of a robust ERM structure, compared to the others, comprising risk response and objective setting, which marked an average of just above 10%. This prioritization requires further analysis of the challenges that Zimbabwean insurers are facing in a bid to develop ERM before suggesting the strategies that can be employed.

4.8 Challenges that the Zimbabwean insurers are facing towards ERM implementation.

The six challenges which were selected from the literature review analyses were included in the questionnaire survey to find the views of the industry pertaining to these challenges. The data was analysed using SPSS v 21. All challenges were analysed separately after ranking them using the descending means and standard deviation analysis. This aided in finding the challenge that the industry perceives most. The findings from the primary research are presented below.

Table 4.11: Descriptive Statistics for challenges analysis

Challenges                                               Mean     Standard Deviation
Lack of understanding of ERM benefits                    3.2222   1.12916
Ambiguity in roles and responsibilities in RM            3.1111   1.19373
Lack of embodiment of ERM in organizational culture      3.0617   1.17628
Time and cost required in developing                     3.0494   1.10568
Inadequate information to make risk based decisions      2.9506   1.10568
Lack of managerial support and clear ERM guideline       2.8395   1.18803

Source: Primary data

Key.
Mean scores ranging from 1.0 ≤ M < 1.8: Very low importance
Mean scores ranging from 1.8 ≤ M < 2.6: Low importance
Mean scores ranging from 2.6 ≤ M ≤ 3.4: Neutral
Mean scores ranging from 3.4 < M ≤ 4.2: High importance
Mean scores ranging from 4.2 < M ≤ 5.0: Very high importance (Mazviona et al., 2014)

A survey of the 33 insurance companies indicated that most insurers do have knowledge of the benefits of implementing the program, represented by the highest mean of 3.22, though the challenges seem to be equally important, with the inadequacy of information to make risk based decisions and the lack of managerial support and clear ERM guideline lagging behind. Beasley et al. (2016) and Kerstin et al. (2014) also concurred with these views, as they noted that there exists a gap in the industry pertaining to the functionality of ERM. In summary, the industry's views on the challenges they are facing in a bid to employ a robust ERM program were relatively neutral, ranging from 2.4 to 3.22. Moreover, the standard deviations of all the challenges are slightly greater than one, ranging from 1.10 to 1.90, which indicates that the individual responses on average were a little over one point away from the overall mean.

4.8.1 Ambiguity in roles and responsibility in RM

The findings from the research are summarised in Table 4.12 below, showing a high degree of 32.1% who agreed that there was ambiguity in roles and responsibilities in risk management in Zimbabwe. Similarly, the same percentage of 32.1% were in a neutral position regarding the challenge. Those who strongly agreed with the statement were 9.9% of the respondents, while 11.1% disagreed and finally 14.8% strongly disagreed on whether there was ambiguity in roles and responsibilities in ERM. Results are presented below.

Table 4.12: Descriptive analysis

                           Frequency   Percent   Valid %   Cumulative %
Valid  Strongly disagree      12        14.8      14.8        14.8
       Disagree                9        11.1      11.1        25.9
       Neutral                26        32.1      32.1        58.0
       Agree                  26        32.1      32.1        90.1
       Strongly agree          8         9.9       9.9       100.0
       Total                  81       100.0     100.0

Source: Primary data

The results presented above indicated a huge agreement of the industry on the ambiguity in roles and responsibility. Beasley et al. (2010) also concurred with these views, as they noted that the ambiguity in roles and responsibility is the major challenge in the development of ERM. The literature suggested that employees in most cases are unaware of their responsibilities, hence posing a huge challenge to the development of a robust ERM structure (Deloitte, 2012). This, however, creates backlogs and room for errors, as there might be difficulties in setting up risk limits.

4.8.2 Lack of embodiment of ERM in organizational culture

The findings from the research study indicated that the industry is facing the lack of embodiment of ERM in organizational culture, with a higher percentage of 18.5%, 28.4% and 12.3% who are at a neutral position, who agree and who strongly agree respectively. However, a higher percentage of 34.6% and 6.2% who disagree and strongly disagree were inflated by the fact that most insurance companies are still implementing ERM, so the knowledge of the risk culture is still limited. The summary of findings is presented below.

Table 4.13: Descriptive statistics

                           Frequency   Percent   Valid %   Cumulative %
Valid  Strongly disagree       5         6.2       6.2         6.2
       Disagree               28        34.6      34.6        40.7
       Neutral                15        18.5      18.5        59.3
       Agree                  23        28.4      28.4        87.7
       Strongly agree         10        12.3      12.3       100.0
       Total                  81       100.0     100.0

Source: Primary data

The findings of HBR (2011) also indicated that organizations have a long way to go to successfully embed ERM into the risk culture. Kerstin et al. (2014) and Mazviona et al. (2014) were also in consensus with the research findings, as they noted that risk culture remains a weakness or challenge in the development of ERM. Further to this analysis, the researcher observed that there is no common risk language in the Zimbabwean insurance industry, which implies that there is a huge gap towards the attainment of a proper ERM culture.

4.8.3 Inadequate information to make risk based decisions

The findings from the research revealed that a higher percentage of 34% disagreed that inadequate information to make risk-based decisions was a challenge in the industry. This is in consensus with the views of Bofinger and Bearman (2015) and Kerstin et al. (2014), who noted that obtaining risk based information is extremely demanding and therefore remains a challenge. A closer percentage of 32.1% agreed, 5% strongly agreed and 19.8% were at a neutral position, though almost 6% strongly disagreed. The table below presented a summary of findings.

Table 4.14: Descriptive statistics

                           Frequency   Percent   Valid %   Cumulative %
Valid  Strongly disagree       6         7.4       7.4         7.4
       Disagree               28        34.6      34.6        42.0
       Neutral                16        19.8      19.8        61.7
       Agree                  26        32.1      32.1        93.8
       Strongly agree          5         6.2       6.2       100.0
       Total                  81       100.0     100.0

Source: Primary data

Several researchers and organisations have agreed on this view of inadequate information to make risk based decisions, including COSO (2004). This indicated that the industry overall is affected by this challenge.

4.8.4 Lack of managerial support and clear ERM guideline

The other challenge noted by the researcher was the lack of managerial support and clear ERM guideline in the Zimbabwean insurance industry. The industry still holds a neutral position regarding the issue of managerial support and clear ERM guideline, supported by 17.3%, 2.4% and 7.4% who were neutral, who agreed and who strongly agreed respectively. However, 34.6% and 12.3% disagreed and strongly disagreed respectively, indicating that almost half of the management team is in support of ERM development. Beasley et al. (2017) and ISO 31000 (2009) concurred with these views when they noted that management support and clear guideline is a major challenge in ERM development.

Table 4.15: Descriptive statistics

                           Frequency   Percent   Valid %   Cumulative %
Valid  Strongly disagree      10        12.3      12.3        12.3
       Disagree               28        34.6      34.6        46.9
       Neutral                14        17.3      17.3        64.2
       Agree                  23        28.4      28.4        92.6
       Strongly agree          6         7.4       7.4       100.0
       Total                  81       100.0     100.0

Source: Primary data

The results tabulated above indicated a neutral position pertaining to the lack of managerial support and clear ERM guideline. Kerstin et al. (2014) and Grobstein (2010) also supported the findings, as they noted that a structure that is appropriate in supporting the development of ERM remains a challenge.

4.8.5 Time and cost required in developing ERM

The other challenge noted by the researcher is the lack of time and resources to furnish a robust ERM structure. Most respondents did not agree that the time and cost of developing ERM is a major challenge, indicated by 37% of respondents who disagreed and 2.5% who strongly disagreed, though 19.8% and 13.6% agreed and strongly agreed respectively. Further, 27.2% were in a neutral position, representing a slight agreement that the industry is indeed facing a challenge of time and cost required in developing ERM. These findings were also in consensus with the findings of Beasley et al. (2017) and ISO (2009), as they revealed that the concept of ERM requires vast resources. The findings are summarised below.

Table 4.16: Descriptive analysis

                           Frequency   Percent   Valid %   Cumulative %
Valid  Strongly disagree       2         2.5       2.5         2.5
       Disagree               30        37.0      37.0        39.5
       Neutral                22        27.2      27.2        66.7
       Agree                  16        19.8      19.8        86.4
       Strongly agree         11        13.6      13.6       100.0
       Total                  81       100.0     100.0

Source: Primary data

Similar results were observed by Elena and Patrick (2010) and Chikomba et al. (2013), who noted that all firms which are trying to implement ERM are struggling to raise the capital for the development of ERM. This is more prevalent in our economy, where most insurance firms are struggling to maintain the balance sheet values required by IPEC and are facing a nose dive in writing new business. This was evidenced by a relatively high percentage of 14.8% of firms that do not have an ERM structure in place.

4.8.6 Lack of understanding of ERM benefits

The other challenge worth noting is the lack of understanding of ERM benefits. The results from the survey are summarised in Table 4.17 below.

Table 4.17: Descriptive analysis

                           Frequency   Percent   Valid %   Cumulative %
Valid  Strongly disagree       2         2.5       2.5         2.5
       Disagree               24        29.6      29.6        32.1
       Neutral                23        28.4      28.4        60.5
       Agree                  18        22.2      22.2        82.7
       Strongly agree         14        17.3      17.3       100.0
       Total                  81       100.0     100.0

Source: Primary data

The results above indicated that there is a lack of understanding of ERM benefits and, in general, of the concept of ERM in the Zimbabwean insurance industry. The results from the study indicated that 22% and 17.3% agree and strongly agree respectively, while 29.6% and 2.5% disagree and strongly disagree respectively. Locklear (2012) and Njagi (2015) also observed the same results and concluded that the industry lacks knowledge of ERM. Moreover, a relatively high percentage of 28.4% were at a neutral position. In summary, the results indicated that there is indeed a lack of ERM understanding in the Zimbabwean insurance industry. This is consistent with the findings of Beasley et al. (2010). Further, the researcher conducted a factor analysis to explain the correlation between the challenges.
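
The means and standard deviations in Table 4.11 can be recomputed from the six frequency tables (Tables 4.12 to 4.17), which is a quick way to catch transcription errors in either place. The Python check below is an added example, not part of the original dissertation or its SPSS output; it assumes responses are scored 1 (strongly disagree) to 5 (strongly agree) and that the standard deviation is the sample (n - 1) form.

```python
from math import sqrt

EXPECTED_N = 81  # "Total" row of every frequency table

# Frequencies transcribed from Tables 4.12-4.17, ordered from
# "Strongly disagree" (assumed score 1) to "Strongly agree" (assumed score 5).
FREQUENCIES = {
    "Ambiguity in roles and responsibilities in RM": [12, 9, 26, 26, 8],
    "Lack of embodiment of ERM in organizational culture": [5, 28, 15, 23, 10],
    "Inadequate information to make risk based decisions": [6, 28, 16, 26, 5],
    "Lack of managerial support and clear ERM guideline": [10, 28, 14, 23, 6],
    "Time and cost required in developing": [2, 30, 22, 16, 11],
    "Lack of understanding of ERM benefits": [2, 24, 23, 18, 14],
}

# (mean, standard deviation) as reported in Table 4.11.
REPORTED = {
    "Ambiguity in roles and responsibilities in RM": (3.1111, 1.19373),
    "Lack of embodiment of ERM in organizational culture": (3.0617, 1.17628),
    "Inadequate information to make risk based decisions": (2.9506, 1.10568),
    "Lack of managerial support and clear ERM guideline": (2.8395, 1.18803),
    "Time and cost required in developing": (3.0494, 1.10568),
    "Lack of understanding of ERM benefits": (3.2222, 1.12916),
}


def likert_stats(freqs):
    """Return (n, mean, sample SD) for response counts of scores 1..len(freqs)."""
    n = sum(freqs)
    if n < 2:
        raise ValueError("need at least two responses")
    scored = list(enumerate(freqs, start=1))
    mean = sum(score * f for score, f in scored) / n
    squares = sum(f * (score - mean) ** 2 for score, f in scored)
    return n, mean, sqrt(squares / (n - 1))


def importance_band(mean):
    """Map a mean score to the band given in the key under Table 4.11."""
    if not 1.0 <= mean <= 5.0:
        raise ValueError("mean outside the 1-5 scale")
    if mean < 1.8:
        return "Very low importance"
    if mean < 2.6:
        return "Low importance"
    if mean <= 3.4:
        return "Neutral"
    if mean <= 4.2:
        return "High importance"
    return "Very high importance"


def cross_check():
    """Recompute each challenge's statistics and compare with Table 4.11."""
    rows = []
    for name, freqs in FREQUENCIES.items():
        n, mean, sd = likert_stats(freqs)
        rep_mean, rep_sd = REPORTED[name]
        rows.append({
            "challenge": name,
            "n": n,
            "mean": round(mean, 4),
            "sd": round(sd, 5),
            "band": importance_band(mean),
            # Consistent only if the counts add up to the stated total and
            # both statistics match the reported values after rounding.
            "consistent": (n == EXPECTED_N
                           and round(mean, 4) == rep_mean
                           and round(sd, 5) == rep_sd),
        })
    return sorted(rows, key=lambda row: row["mean"], reverse=True)


if __name__ == "__main__":
    for row in cross_check():
        print(f'{row["challenge"]:<55} n={row["n"]} mean={row["mean"]:.4f} '
              f'sd={row["sd"]:.5f} {row["band"]} consistent={row["consistent"]}')
```
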

4.8.7 Factor analysis

The researcher conducted a factor analysis using SPSS v 21 wherein the factors were extracted using Principal Component Analysis and the Varimax rotation method with Kaiser Normalization. Two principal components with eigenvalues greater than 1 were identified in the original six challenges that the insurers are facing in embracing an optimised level of ERM. This follows the notion of Fong (2014) and Kaiser (1974), as they noted that only factors with eigenvalues of 1 should be considered significant.

4.8.7.1 Test measures

The Kaiser-Meyer-Olkin and Bartlett's test of sphericity were conducted to check the appropriateness of the principal component analysis, and the results are tabulated below.

Table 4.18: KMO and Bartlett's Test

Kaiser-Meyer-Olkin Measure of Sampling Adequacy          .685
Bartlett's Test of Sphericity    Approx. Chi-Square      141.742
                                 Df                      15
                                 Sig.                    .000

Source: Primary data

The test results from the analysis must be greater than .50 or at least have a minimum of .50 (Fong, 2014; Ngari, 2014). Kaiser (1974) gave the following evaluation for the levels of factorial simplicity: > .90 represents marvellous, the range of .80 meritorious, .70 middling, .60 mediocre, .50 miserable, and below .50 is considered unacceptable. A value of .685 was obtained, which is in the range of mediocre. The principal component analysis is appropriate, which is justified by a Bartlett test p value of 0.00 < 0.001.

Rotated factors

Further analysis was conducted to suppress the information and hence find the significant challenges that insurers are facing in Zimbabwe. The table below presented a summary of the findings from SPSS.

Table 4.19: Rotated Component Matrix (a)

                                                               Component
                                                               1       2
Ambiguity in roles and responsibilities in risk management     .892
Lack of embodiment of ERM in organizational culture            .617
Inadequate information to make risk-based decisions                    .615
Lack of managerial support and clear ERM guideline                     .733
Time and cost required in developing                                   .811
Lack of understanding of ERM benefits.                                 .845

Extraction Method: Principal Component Analysis. Rotation Method: Varimax with Kaiser Normalization.
a. Rotation converged in 3 iterations.

Source: Primary data

The results above indicated that all the six challenges have a high positive loading, greater than the .5 minimum required. The first component combines issues to do with the risk management philosophy and culture and was labelled risk management culture, with significant loadings ranging from 0.617 to 0.892. The second component is made up of four factors with issues concerning the resources to be employed towards a robust ERM process and was termed resources, also with highly significant values ranging from .615 to .845.

Principal component results interpretations

The table below presented the summary of findings.

Table 4.20: Total Variance Explained

            Initial Eigenvalues                      Extraction Sums of Squared Loadings      Rotation Sums of Squared Loadings
Challenges  Total   % of Variance   Cumulative %     Total   % of Variance   Cumulative %     Total   % of Variance   Cumulative %
1           2.841   47.356          47.356           2.841   47.356          47.356           2.487   41.446          41.446
2           1.086   18.100          65.456           1.086   18.100          65.456           1.441   24.009          65.456
3           .777    12.952          78.407
4           .651    10.849          89.256
5           .365    6.081           95.337
6           .280    4.663           100.000

Source: Primary data

The results above revealed that the ambiguity in roles and responsibilities is a major challenge, supported by an eigenvalue of 2.487 with a corresponding percentage of 41.446% as indicated above. Sweeting (2011) also supports the findings above, noting that a lack of risk management culture hinders the development of ERM. Mazviona et al. (2014) on the same note concluded that there is a poor risk management culture in Zimbabwe which hinders their implementation efforts.

PCA also indicated that the resources are hindering the efforts of insurers to adopt or develop ERM, as represented by an eigenvalue of 1.441 accounting for 24.009% of the total variance. These factors include the time and cost required, inadequate information to make risk based decisions and the lack of understanding of ERM benefits. The lack of understanding of ERM benefits can be linked to few or no trainings conducted to aid improved expertise on this subject. Groblein (2010) and Kerstin et al. (2014) also had the same view on the lack of ERM understanding and concluded that the industry lacks know-how of the process of ERM and its related benefits.

4.8.8 One sample T test

A one-sample t-test was conducted using SPSS to test whether the respective means of the two challenges that Zimbabwean insurers are facing, as measured by the industry's views, are the same as the mean of the population. Results are presented below.

Table 4.21: One-Sample Test

Test Value = 0
                                                                               95% Confidence Interval of the Difference
                           t        df    Sig. (2-tailed)   Mean Difference    Lower      Upper
Risk management culture    28.614   80    .000              6.17284            5.7435     6.6022
Resources                  30.694   80    .000              12.06173           11.2797    12.8438

Source: Primary data

Both variables have a p < 0.05. Therefore, it suffices to note that each of the two challenges has a significant relationship with the adoption and development of ERM. Kanhai et al. (2014) also concurred with the view that p values of less than 0.05 indicate that the variables are significant. This is consistent with the views of Beasley et al. (2016) and Chikomba et al. (2013), who acknowledged that the volume and complexity of risks and challenges faced by firms today continue to evolve at a rapid pace, creating huge challenges for the development of ERM. Further, the research was directed to provide an insight into the strategies that can be employed towards a robust ERM structure.

4.9 Strategies to be employed towards robust ERM program

There are many strategies that insurance companies can embrace towards employing a robust ERM structure. A few strategies were selected from the literature review to find the view of the industry towards these strategies.

Table 4.22: Descriptive Statistics on strategies towards a robust ERM

Strategies                                             Mean     Standard Deviation
Board and top management commitment                    4.0741   1.00968
Build a strong risk culture within the organization    4.0123   .96817
Build a dedicated ERM function or department           3.9877   1.03070
Appointment of a CRO                                   3.9259   1.04616
Develop a risk appetite statement                      3.7160   .97768

Source: Primary data
Key.
Mean scores ranging from 1.0 ≤ M < 1.8: Very low importance
Mean scores ranging from 1.8 ≤ M < 2.6: Low importance
Mean scores ranging from 2.6 ≤ M ≤ 3.4: Neutral
Mean scores ranging from 3.4 < M ≤ 4.2: High importance
Mean scores ranging from 4.2 < M ≤ 5.0: Very high importance (Mazviona et al., 2014)

The industry perceived that the board of directors and top management commitment is the major key towards a robust ERM structure. Beasley et al. (2010) and Keith (2014) observed the same findings, as they noted that these strategies are the core strategies towards a robust ERM. However, the results showed that, among the four strategies, developing a risk appetite is the lowest ranked strategy. Further to the use of descending means, an analysis of the mean scores using the score key, to ascertain how important these strategies are, was found to be useful and was therefore used.

The results indicated an average score of 3.94, representing a high importance placed on ERM strategies. The respondents considered all the strategies to be useful towards a robust ERM program, ranging from 3.71 to 4.07. The standard deviations of these strategies were around one, which indicated that the responses for each item do not differ greatly from each other, with only a few, namely board and top management commitment, build a dedicated ERM function or department and the appointment of a CRO, slightly greater than one, which indicated that the individual responses on average were a little over one point away from the mean. Furthermore, the researcher analysed these strategies separately.

4.9.1 Build a strong risk culture within the organization

Risk management culture remains a key to a successful ERM structure. The findings from the primary research are summarised below.

Table 4.23: Descriptive statistics

                           Frequency   Percent   Valid %   Cumulative %
Valid  Disagree               10        12.3      12.3        12.3
       Neutral                 7         8.6       8.6        21.0
       Agree                  36        44.4      44.4        65.4
       Strongly agree         28        34.6      34.6       100.0
       Total                  81       100.0     100.0

Source: Primary data

The findings from the research study indicated that the majority of respondents agreed that building a strong risk culture will help achieve a mature ERM structure, with 44.4%, followed by 34.6% who strongly agree. This is consistent with the findings of Ndudzo (2017) and Beasley et al. (2016), as they noted that the development of ERM is hugely dependent on organizational culture. Further, 8.6% were neutral and 12.3% disagreed, with zero percent who strongly disagree. The results are indicative of the results from the literature review, where much emphasis was placed by COSO (2004) on consistency in business operations and a common RM philosophy in an organization.

4.9.2 Board of directors and top management commitment

The other challenge that the industry perceives most is board of directors and top
management commitment. The results are summarised below.
Table 4.24: Descriptive statistics
Response            Frequency   Percent   Valid %   Cumulative %
Disagree            10          12.3      12.3      12.3
Neutral             8           9.9       9.9       22.2
Agree               29          35.8      35.8      58.0
Strongly agree      34          42.0      42.0      100.0
Total               81          100.0     100.0
Source: Primary data
This was evidenced by a high agreement level: 35.8% agree, 42% strongly agree and 9.9% took
a neutral position. This is consistent with the views of Brodeur et al., (2010) and COSO (2004),
who noted that the board plays a major role in overseeing risk management issues. However,
only 12.3% disagreed, with zero percent who strongly disagree. Several studies have been
conducted on the importance of board and top management commitment. Sheinker and Walker
(2011) also observed that successful implementation of an ERM structure requires board and
top management commitment.

4.9.3 Appointment of a CRO

The other strategy worth noting is the appointment of a CRO. The industry placed a high
importance on the appointment of a CRO, with 37% of the respondents who strongly agree,
30.9% who agree and 21% at a neutral position. Pagach and Warr (2011), Harold (2014) and
Deloitte (2012) also observed that the hiring of a CRO is the starting point for the development
of ERM. However, only 9.9% and 1.2% disagree and strongly disagree respectively. The
findings are summarised below.
Table 4.25: Descriptive statistics
Response            Frequency   Percent   Valid %   Cumulative %
Strongly disagree   1           1.2       1.2       1.2
Disagree            8           9.9       9.9       11.1
Neutral             17          21.0      21.0      32.1
Agree               25          30.9      30.9      63.0
Strongly agree      30          37.0      37.0      100.0
Total               81          100.0     100.0
Source: Primary data
The results indicated a high importance placed on employing a CRO to oversee the RM process
in an organization. McGannon and Kleffner (2011) also found the same results, where 61%
of the respondents in their survey indicated the importance of a CRO towards the development
of a robust ERM structure.

4.9.4 Developing a risk appetite statement


The other strategy worth noting is the development of a risk appetite statement. The results
from the findings are summarised below:
Table 4.26: Descriptive statistics
Response            Frequency   Percent   Valid %   Cumulative %
Strongly disagree   3           3.7       3.7       3.7
Disagree            5           6.2       6.2       9.9
Neutral             20          24.7      24.7      34.6
Agree               37          45.7      45.7      80.2
Strongly agree      16          19.8      19.8      100.0
Total               81          100.0     100.0
Source: Primary data

The majority of the respondents agreed with the view that developing a risk appetite statement
is of paramount importance, evidenced by 45.7% and 19.8% who agreed and strongly agreed
respectively. The office of the controller of currency (2016) and Kerstin et al., (2014) also
concur with these views, noting that the risk appetite statement enables the firm to achieve
strategic objectives and therefore remains the preeminent strategy. Further, 24.7% were at a
neutral position. Fewer respondents, 6.2% and 3.7%, disagreed and strongly disagreed
respectively. Rittenberg and Martens (2012) on that note indicated that the development of a
risk appetite is the starting point towards the development of ERM. The view above indicated
that without a risk appetite statement there is no development of an ERM program.

4.9.5 Building a dedicated ERM function or department

The results are summarised below.


Table 4.27: Descriptive statistics
Response            Frequency   Percent   Valid %   Cumulative %
Strongly disagree   3           3.7       3.7       3.7
Disagree            3           3.7       3.7       7.4
Neutral             16          19.8      19.8      27.2
Agree               29          35.8      35.8      63.0
Strongly agree      30          37.0      37.0      100.0
Total               81          100.0     100.0
Source: Primary data

The findings from the research study revealed that building a dedicated ERM function is of
paramount importance. The majority of respondents agreed with this notion, with 37% and
35.8% who strongly agree and agree respectively. Vladimir (2012) also concurs with these
views, noting that a dedicated risk function reduces failures in the coordination of
responsibilities. Further, 19.8% were neutral, and disagree and strongly disagree each
accounted for 3.7%. These results are supported in the literature by Beasley et al. (2016),
who asserted that an emerging good practice for an efficient ERM function is the
creation of a multidisciplinary risk committee and a dedicated risk function.

One sample T test

The researcher also conducted a one sample t-test to find the significance of the data on the
strategies. A null hypothesis was assumed that there will be a difference in the mean of the
results at the 95% confidence interval.

Table 4.28: One-Sample Test (Test Value = 0)
Strategy                                               t        df   Sig. (2-tailed)
Build a strong risk culture within the organization    37.298   80   .000
Board of directors and top management commitment       36.315   80   .000
Appointment of a CRO                                   33.774   80   .000
Developing a risk appetite statement                   34.208   80   .000
Building a dedicated ERM function or department        34.820   80   .000
Source: Primary data

All the variables have p < 0.005. Therefore, it suffices to note that the strategies
have a significant relationship with the development of ERM. Moreover, the range
of the p values justifies the rejection of the null hypothesis, which assumed that there will
be a difference in the means at the 95% confidence interval.
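
The t values in Table 4.28 can be reproduced from the frequency counts in Tables 4.23 to 4.27. The Python code below is an added example, not part of the dissertation's SPSS analysis; it assumes the responses were coded 1 (strongly disagree) to 5 (strongly agree) and takes the strongly agree count in Table 4.24 as 34, the value consistent with its 42.0% share of 81 responses.

```python
"""Recompute the one-sample t statistics of Table 4.28 from the frequency tables."""
import math

# Assumed coding (not stated in this section): 1 = Strongly disagree ... 5 = Strongly agree.
LIKERT = {
    "Strongly disagree": 1,
    "Disagree": 2,
    "Neutral": 3,
    "Agree": 4,
    "Strongly agree": 5,
}

# Frequencies copied from Tables 4.23 to 4.27 (81 respondents each).
# Table 4.24: "Strongly agree" is taken as 34, which matches 42.0% of 81.
TABLES = {
    "Build a strong risk culture within the organization":
        {"Disagree": 10, "Neutral": 7, "Agree": 36, "Strongly agree": 28},
    "Board of directors and top management commitment":
        {"Disagree": 10, "Neutral": 8, "Agree": 29, "Strongly agree": 34},
    "Appointment of a CRO":
        {"Strongly disagree": 1, "Disagree": 8, "Neutral": 17,
         "Agree": 25, "Strongly agree": 30},
    "Developing a risk appetite statement":
        {"Strongly disagree": 3, "Disagree": 5, "Neutral": 20,
         "Agree": 37, "Strongly agree": 16},
    "Building a dedicated ERM function or department":
        {"Strongly disagree": 3, "Disagree": 3, "Neutral": 16,
         "Agree": 29, "Strongly agree": 30},
}

# t values as reported in Table 4.28 (Test Value = 0, df = 80).
REPORTED_T = {
    "Build a strong risk culture within the organization": 37.298,
    "Board of directors and top management commitment": 36.315,
    "Appointment of a CRO": 33.774,
    "Developing a risk appetite statement": 34.208,
    "Building a dedicated ERM function or department": 34.820,
}


def one_sample_t(freqs, test_value=0.0):
    """Return n, mean, sample sd, t and df for grouped Likert frequencies."""
    n = sum(freqs.values())
    mean = sum(LIKERT[label] * count for label, count in freqs.items()) / n
    # Sample variance with the n - 1 denominator, as SPSS reports it.
    ss = sum(count * (LIKERT[label] - mean) ** 2 for label, count in freqs.items())
    sd = math.sqrt(ss / (n - 1))
    standard_error = sd / math.sqrt(n)
    t = (mean - test_value) / standard_error
    return {"n": n, "mean": mean, "sd": sd, "t": t, "df": n - 1}


def compare_with_reported(tolerance=0.01):
    """Recompute each strategy's t and flag whether it matches Table 4.28."""
    rows = []
    for name, freqs in TABLES.items():
        result = one_sample_t(freqs)
        matches = abs(result["t"] - REPORTED_T[name]) <= tolerance
        rows.append((name, result["mean"], result["sd"], result["t"], matches))
    return rows


def overall_mean():
    """Average of the five strategy means (the section reports 3.94)."""
    means = [one_sample_t(freqs)["mean"] for freqs in TABLES.values()]
    return sum(means) / len(means)


if __name__ == "__main__":
    for name, mean, sd, t, matches in compare_with_reported():
        print(f"{name:55s} mean={mean:.2f} sd={sd:.3f} t={t:.3f} match={matches}")
    print(f"Overall mean of the five strategies: {overall_mean():.2f}")
```

Passing a different `test_value` to `one_sample_t` tests the same data against another reference point; the values in Table 4.28 correspond to the default of 0.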

4.10 Chapter summary

From the gathered data, it is evident that the ERM maturity level is still poor. Moreover, most
insurers are still in the process of implementing ERM or are in the process of investigating the
concept. The next chapter summarises the findings from this chapter and paves the way
for recommendations and suggestions for future research.

5. CHAPTER FIVE: CONCLUSIONS AND RECOMMENDATIONS

5.1 Introduction
The primary objective of this research was to evaluate the ERM maturity (ERMM) level in the
Zimbabwean insurance industry. Further, as outlined in chapter one, secondary objectives were
established to furnish a sound research study, which include:
• To assess the frameworks that Zimbabwean insurers are using as guidelines in
implementing the process.
• To assess the ERM maturity level within the Zimbabwean insurance industry.
• To assess the challenges faced by Zimbabwean insurers in developing ERM.
• To provide an insight into the available strategies to the challenges faced by
Zimbabwean insurers when implementing ERM.
The above objectives were attained through carrying out a robust study. The intention of this
chapter, therefore, is to present the research findings and conclusions for the data that was
collected and analysed. Recommendations to the insurance sector and on regulatory policy are
given. Suggestions for future study are also made in the last section of this paper.

5.2 Summary of findings

The subsection below presents the findings from the literature review and from the
primary research. The last part of this subsection presents the conclusion from the findings
and highlights some gaps and areas of consensus and conflict between the review of
the literature and the study findings.

5.2 Findings from the literature review

The increased level of risk complexity proved beyond reasonable doubt that there is a need to
manage risks in a holistic manner, especially in the Zimbabwean financial system, which is
crippled by the aftermath of the hyperinflationary era in 2008 (Chikomba et al., 2013). The
summary of the findings from the review of literature is subdivided according to the research
objectives.

5.2.1 ERM frameworks in place

Worldwide, there are more than 80 risk management frameworks which insurers can use as a
guideline in implementation. However, among the 80 frameworks, the literature review
suggested that the most frequently used ones are the COSO ERM Integrated Framework, the
Joint Australia/New Zealand 4360:2004 Standards, ISO 31000-2009, the Casualty Actuarial
Society Framework and the International Association of Insurance Supervisors Framework
(Lundqvist, 2014).

The COSO: 2004 ERM framework and the ISO: 2009 gained much recognition among the five
frequently used frameworks, as the frameworks are said to originate from ERM experts and
frameworks, though the COSO framework and the Sarbanes-Oxley Act of 2002 were published
in the same year. That said, some authors, including Beasley et al. (2016), postulated that
these frameworks are used by many corporates that lack an understanding of them, and hence
they are considered theoretical frameworks.

The study also revealed that the COSO: 2004 and ISO 31000:2009 demonstrate certain
similarities in enterprise-wide consistency and a rejection of the one-size-fits-all silo approach,
but the generic attributes of the ISO framework can be challenging to entities, because defining
a specific ERM framework may require a sizable investment in both time and money (Keith,
2014). This remains the biggest challenge towards ERM development. In a nutshell, there is
a need to tailor these frameworks to meet organizational needs.

5.2.2 ERM maturity levels

The study revealed that there are five levels of ERM maturity, which are very weak, poor, mid,
good and optimised (Ciorciari & Blattner, 2008). The general logic is that a firm passes through
these levels as it develops, with very weak marking the introductory phase of the
development process and optimised denoting a robust ERM structure. Ciorciari & Blattner
(2008) and Zhao and Low (2013) suggested that level 1 (very weak) is characterised by very
low formalisation with no risk management culture and communication. On that note, very few
corporates are still at this stage, as the concept of ERM was widely accepted due to the increased
level of the risk environment (Beasley et al., 2017). Beasley et al., (2010) concurred with these
views, as their study revealed an increase in the adoption level of ERM since 2009.
Ciorciari & Blattner (2008) also postulated that level two (poor) is characterised by an informal
regulated structure which is defined but lacks proper training and communication
flow. Considering the nature of the Zimbabwean economy in relation to the capital budgets and
expertise that ERM requires, it was evident that most insurers are still at this stage,
though no study was carried out to reveal this. Mazviona et al., (2014) on the same note
concluded that the Zimbabwean short term insurance sector is characterised by a poor risk
management culture, which falls under this category. This view is in consensus with the
observable results, though there exists a gap in the literature to justify the notion.

At level 3 (mid) the ERM structure is standardised, principles are defined and the information
is documented, but only basic training is carried out. Njagi (2015) conducted similar
research and concluded that the Kenyan insurance sector falls in this category, with a few
companies lagging behind. Level four (good) and level five (optimised) are characterised by a
mature ERM structure, with level four having a supervised structure lacking the integration of
the strategy into the risk management process (Ciorciari & Blattner, 2008). Moreover, several
researchers including Danijela et al., (2015) and Beasley et al., (2017) observed that very few
companies are at these stages, Africa in particular, with the exception of the first world
countries.

5.2.3 Challenges insurance firms face towards a robust ERM structure.

The vigorous risk environment, characterized by complex issues such as rapid changes in
information technologies and the explosion of globalization, is hindering the success of
enterprise-wide risk management. There are countless challenges that
Zimbabwean insurers are facing towards a robust ERM structure, considering the prevailing
nature of the financial system they are operating in. Several authors including Kerstin et al.,
(2014), Deloitte (2012) and COSO (2004) suggested that the most prominent challenges are
ambiguities in roles and responsibilities in risk management, lack of embodiment of ERM in
organizational culture, inadequate information to make risk-based decisions, lack of
managerial support and clear ERM guideline, time and cost required in developing, and lack
of understanding of ERM benefits.

In view of the challenges cited above, several authors including Mazviona et al., (2014) and
Gwangwava et al., (2014) are also in consensus that there is a lack of risk management culture
in the industry, which helps to explain the underdevelopment of the ERM process.
Furthermore, the effects of the inflationary gap during the 2008 era and the emergence of
dollarization in 2009 relentlessly continued to cripple the progress of many sectors, resulting
in even lower capitalization of businesses, evidenced by high levels of deregulation of insurers
(Chikomba et al., 2013). This gave birth to some of the challenges cited above, including
time, as some insurers are in a prolonged survival strategy mode; resources; lack of
understanding of ERM benefits as a result of lack of training; and the lack of information
to make risk-based decisions, as experts such as actuaries are leaving for greener pastures.

5.2.4 Strategies

The development of ERM processes is highly sophisticated and requires certain strategies, as it
involves configuring company ERM systems (Kerstin et al., 2014). Considering the countless
challenges, there are many strategies that can be employed by insurers towards a
robust ERM system. Several authors including Beasley et al., (2016) and Brodeur et al., (2010)
revealed that building a strong risk culture within the organization, board of directors and top
management commitment, appointment of a CRO, developing a risk appetite statement and
building a dedicated ERM function or department are among the major strategies that can be
employed by insurers towards the development of ERM. It suffices to note, however, that all
these strategies are important and are aimed at the attainment of the highest level of ERM.

5.3 Findings from the primary research

The research was conducted using both primary and secondary data and various statistical
tools, which include SPSS and Excel. Thirty-three insurance companies registered by IPEC as
at September 2016 were targeted, with a population of 99 respondents, which gave a resounding
81.32% response rate. The findings are summarised below.

5.3.1 ERM frameworks

Insurers can choose from a variety of frameworks in their implementation process. However, the
study indicated that the COSO: 2004 is the most used framework, followed by the ISO: 2009
risk management framework. Insurers recognized the existence of the BS 31100: 2008, Code of
practice and the OCEG Red book respectively; however, only a few companies have
adopted them. A relatively high percentage were not sure, as indicated by gaps provided. This
high figure was inflated by lower levels of ERM development, justified by poor practices
prevailing in the industry. The study was also extended to examine whether a link exists between
ERM maturity and the adopted framework. The findings revealed that the framework used does
not influence the level of ERM maturity.

5.3.2 ERM maturity level

This objective formed the basis of this research study. The results indicated that the insurance
industry in Zimbabwe is at level 2 (Poor). At level 2 there is an informal regulated structure
which is defined but lacks proper training and information and communication. The
overall mean score of 2.94 is, however, close to level three, marked at an average of 3.00, where
the principles are defined, reflecting greater opportunities for risk experts.

Furthermore, it suffices to note that the poor level was attributed to the lower mean scores of
the dimensions, for there exists a strong positive correlation between the variables. This is
evidenced by only three dimensions having a positive impact, which are monitoring activities,
risk response and objective setting, with the remaining five dimensions having a negative effect
on the overall maturity level. This is a true reflection of a silo-based approach, where only the
downside risk is taken into consideration, by putting in place actions that reduce the potential
impact while ignoring other dimensions, for example information and communication,
which accounted for the worst negative impact.

5.3.3 Challenges

The industry indicated that it is facing all six challenges, denoted by high levels of
means. Furthermore, a descriptive analysis was conducted and the industry perceived the
challenges in the following order: lack of understanding of ERM benefits,
ambiguity in roles and responsibilities in RM, lack of embodiment of ERM in organizational
culture, time and cost required in developing, inadequate information to make risk-based
decisions and lack of managerial support and clear ERM guideline.

The researcher also conducted a factor analysis of the challenges faced. Two challenges were
identified and hence were grouped into risk management culture and resources. A one
sample t-test was conducted to find the significance of the results. It was possible to conclude
that there exists a strong relationship between these challenges and the development of ERM.
It, therefore, suffices to conclude that these challenges are hindering the development of ERM.

5.3.4 Strategies

A descriptive statistics analysis was conducted to rank the strategies according to their
importance. The results from the study revealed that all the strategies must be given priority,
justified by means falling within the range of high importance. The order of the
strategies was also presented, with board and top management commitment leading,
followed by building a strong risk culture within the organization, building a dedicated ERM
function or department, the appointment of a CRO and developing a risk appetite statement
respectively.

A one sample t-test was conducted for all five strategies to establish the significance of
these strategies. A null hypothesis was assumed that there will be no difference between the
means of the results. In all cases, it was possible not to reject the null hypothesis, signified by
the results falling within the range.

5.4 Conclusions

This subsection provides the conclusion to bridge the gap between the literature and the
research findings. Areas of consensus and conflict are highlighted to furnish better
conclusions. The conclusions are divided as per each objective.

5.4.1 ERM framework

The results from the review of the literature and the findings were in consensus, as the COSO:
2004 and the ISO: 2009 frameworks are the most used guidelines, with the COSO
framework leading. These were the same findings as those of Njagi (2015) and Lundqvist
(2014). Zimbabwean insurers, however, can choose and tailor the framework they want
from among the many which suit their desired needs. Moreover, the research findings revealed
that the framework used does not influence the level of ERM maturity, which was also found by
Njagi (2015).

5.4.2 ERM maturity level

Moreover, there existed a gap in the literature review on the level of ERM maturity in the
Zimbabwean insurance industry, and this study aimed at filling that gap. The findings
revealed that the ERM maturity level is at level two (poor), justified by several studies
of risk management practices in the insurance industry. The studies by Deloitte
(2012), Zhao and Low (2013), Mazviona et al., (2014) and Beasley et al., (2017) focused
on the adoption and other issues pertaining to the development of ERM but did not test the
maturity level. Thus the main purpose of this research was to fill this gap in the literature.

5.4.3 Challenges faced by Zimbabwean insurers towards ERM development

The review of the literature suggests that there are many challenges that Zimbabwean insurers
are facing, taking into account the nature of the risk environment and the financial service
sector. Furthermore, the results were in consensus with the findings of Beasley et al., (2017) and
Gwangwava et al., (2014), who concluded that the development of ERM is still bedevilled by
many challenges, including resources and management commitment. The results presented
an above average mean, reflecting close to high importance on the challenges. The research was
also extended to give an insight into the strategies that Zimbabwean insurers can employ towards
a robust ERM structure.

5.4.4 Strategies that Zimbabwean insurers might use towards ERM development

The research findings concurred with the views in the literature. The findings by
Abrahim et al., (2012), IRM (2012) and Arthur (2013) revealed that the employment of these
strategies helps the organization in the achievement of its objectives. The industry also
held the same view, justified by the high importance level placed on the strategies. Similar
results were found by Beasley et al., (2017) on strategies, as the industry perceived high
importance or priority to be placed on these challenges towards a robust ERM structure. Several
authors also suggest the same view, as these are perceived to be the foremost strategies to be
employed.

5.5 Recommendations

There are poor risk management practices in the Zimbabwean insurance industry. The following
subsection provides recommendations to Zimbabwean insurers from the findings of the
research conducted.

5.5.1 ERM Frameworks Recommendation

Among the various frameworks that insurers might adopt, the researcher recommends that
Zimbabwean insurers adopt the ISO 31000: 2009 framework, as it provides guidance on the
nature of the RM process and how to implement it holistically and methodologically.
Furthermore, the ISO: 2009 framework incorporates all the best principles contained in COSO,
Project Management Institute (PMI), the Australian and New Zealand Standard (AS/NZS
4360:2004), and all the other leading international standards. The COSO framework and
several other frameworks, on the other hand, provide an evaluation benchmark and the basis for
evaluating ERM maturity. It follows that, although the COSO framework underwent a series
of successive revisions, it lacks methodological robustness and hence remains a
theoretical framework (Bonisch, 2012).

5.5.2 Maturity level Recommendation

The researcher recommends that insurance companies strive for the optimised stage (level 5). It
is only at this level that ERM starts to significantly contribute to shareholder wealth
maximisation (Zhao & Low, 2013). The Zimbabwean insurance industry maturity level is still
at level 2. Much has to be done in the information and communication dimension, risk
assessment and control, as they had a massive negative impact on the overall maturity level.

5.5.3 Recommendation on the challenges faced

The Zimbabwean insurance industry has to invest much towards building a risk management
culture. However, this requires resources for conducting training of all employees and
acquiring experts, in order to have a common risk language within the industry. This will help
overcome the most faced challenge, which is the lack of knowledge of ERM benefits
(Beasley et al., 2010). This specifically means that employees do not know what ERM is, which
is justified by the high negative impact of the information and communication dimension on the
overall maturity.

5.5.4 Recommendations on Strategies in the development of ERM

The Zimbabwean insurance industry should aim at maximising board and top level
management commitment in the process of ERM, as evidenced by the highest mean from the
findings. This will ensure an embedding of the corporate risk management culture in the
organisation, strategic planning within the corporate risk limits and finally the flexibility of
budgets towards risk management issues (Beasley et al., 2017). This in turn improves
the level of the firm's risk maturity.

5.5.4 The regulator and the insurance industry

The research findings revealed that there are poor risk management practices in the industry.
Having noted that, the researcher recommends that the regulator (IPEC) tighten its directive
to Zimbabwean insurance companies to adopt ERM. Furthermore, it was noted that there is a lack
of ERM expertise in the industry. The researcher therefore recommends that insurers employ or
outsource ERM professionals, as this will benefit the company most.

5.6 Areas of further study

The study recommends that further studies be done to investigate the
development of ERM in the Zimbabwean insurance industry in relation to the benefits of each
stage. The research must aim at providing the benefits of ERM maturity, as there exists a lack
of understanding of ERM.

5.7 Summary
Insurers are in the business of pooling risks, that is, underwriting risks from corporate and
personal lines. Though they rely on the concept of spreading the risk, for example through
reinsurance and insurance securitisation, the benefits of ERM cannot be overemphasized.
Insurers need to have a robust ERM structure, at level five (optimised), for growth
opportunities. Thus the emergence of enterprise-wide risk management as a panacea to the
dynamic risk environment should be accepted by all insurers.

References

Abrahim, Henry, & Keith. (2012, April 18). ERM culture alignment to enhance competitive advantage.
ERM Symposium. Retrieved November 14, 2016, from: [Link]
s/Other-Monographs/2012/April/[Link]

Acharyya, M., & Mutenga, S. (2013). The Benefits of Implementing Enterprise Risk Management:
Evidence from the U.S. Non-Life Insurance Industry,. International Association, Society of, 26.
Retrieved December 14, 2016, from [Link]
Monographs/2013/April/[Link]

Ahmad, S. (2014). ERM Implementation: some empirical evidence from large Australian Companies.
Retrieved December 3, 2016, from: [Link]
2814059643

AIRMIC, ALARM, and IRM. (2010). Risk management and the requirements of ISO 31000. A structured
approach to enterprise risk. Retrieved December 28, 2016, from
[Link]

Alidoosti, A., Mohamad, M., & Fouladgar, H. (2012, February). Risk assessment of critical asset using
fuzzy inference system, 14(1), 77-91. Retrieved January 25, 2017, from
[Link]

Althonayan, A. &. (2010). Aligning business and technology strategy within the airline industry.
International Journal of Business Information Systems, 6(1), 79-94.

Amelia, H. (2013, April 22). Integration and Use of Enterprise Risk Management (ERM) Information.
5-17. Retrieved December 14, 2016, from [Link]
[Link]

Amelia. (2013, April). Integration and Use of Enterprise Risk Management (ERM) Information.

Arthur, W. (2013). Theory of economic growth. London: Taylor and Francis., 1(1). Retrieved September
14, 2016, from [Link]
[Link]

Azende, T. (2012). International Journal of finance and Accounting,. Risk Management and Insurance
of Small and Medium Scale Enterprises (SMEs) in Nigeria., 1(1), 8-17. Retrieved December 13,
2016, from [Link]

Baxter, Bedard, Hoitash, & Yezegel. (2012). Enterprise risk management program quality.
Determinants, value relevance, and the financial crisis, 30(4), 164-1295. Retrieved September
5, 2016, from [Link]

Beasley, M., Branson, B., & Hancock, B. (2016, April). (P. C. management, Ed.) The state of enterprise
risk management, An overview of enterprise risk management, 1(1), 9-25. Retrieved January
5, 2017, from [Link]
ces/ERM/DownloadableDocuments/AICPA_ERM_Research_Study_2016.pdf

Beasley, M., Branson , & Hancock. (2010, September). Developing key risk indicators to strengthen
enterprise risk management. Committee of Sponsoring Organizations of the Treadway
Commission., 2(1), 10-12. Retrieved December 4, 2016, from
[Link]

Beasley, M., Branson, B., & Hancock, B. (2017). The state of risk oversight. An overview of enterprise risk
management practices, 8, 1-41. Retrieved May 23, 2017, from
[Link]
pdf

Bertinetti, Cavezzali, & Gardenal. (2013, May). The effect of the enterprise risk management
implementation on the firm value of European companies., 1(1). Retrieved January 2, 2017,
from [Link]
20enterprise%20risk%20management%20implementation%20on%20the%20firm%20value%
20of%20European%20companies%20(2).pdf

Bharatany, & Mcshane. (2014). Engineering Management Journal. Applying a systems model to
enterprise risk management, 26(4), 38-46.
[Link]

Bhattacherjee. (2012). Social Science Research; Principles, method and Practices. Florida: Creative
Commons Attribution-Non Commercial-Share Alike, 1(1). Retrieved December 15, 2016, from
[Link]

Bofinger, H., & Bearman, V. (2015). OHS risk and decision-making. In Safety Institute of Australia. The
Core Body of Knowledge for Generalist OHS Professionals, 1(1), 2-64. Retrieved March 20,
2017, from [Link]

Bonisch. (2012, April 18). We need to talk about COSO. Retrieved November 17, 2016, from
[Link]
of-evidence/

Brodeur, A., Buehler, K., & Pegler, M. (2010). A board perspective on enterprise risk management.
(McKinsey, Ed.) Retrieved February 19, 2017, from
[Link]
rs/18_a_board_perspective_on_enterprise_risk_management.ashx

Brooks, D. W. (2010). Creating a risk-aware culture. In J. Fraser & B. J. Simpkins. Enterprise risk
management - today's leading research and best practices for tomorrow's executives. Hoboken:
John Wiley & Sons., 87-95. [Link]/doi/10.1002/9781118267080.ch6/pdf

BS. (2008). BS 31100 - Risk management. Code of Practice and Guidance for the Implementation of BS
ISO 31000., 1. Retrieved September 14, 2016, from
[Link]

Budi, Deo Wijaya, W., & Arini. (2014). International Journal of Managing Projects in Business. An
empirically verified project risk maturity model., 7(2), 263-284. Retrieved December 1, 2016,
from [Link]

Caldwell. (2012). 5 principles for effective GRC., 1(1). Retrieved September 14, 2016, from
[Link]

Ciorciari , M., & Blattner , P. (2008). Enterprise Risk Management Maturity-Level Assessment Tool, 1(1),
1-28. Retrieved November 2, 2016, from [Link]
monographs/2008/april/[Link]

Carson (2001). Qualitative Marketing Research, Sage Publications London.

Cateora, P., & Grahanam, J. (2002). International Marketing, series in marketing, Irwin McGraw Hill.
Retrieved December 19, 2016, from
[Link]

CFO. (2016:6). Enterprise Risk Management for the U.S Federal Government. Memorandum from the
Chief Financial Officer. Finance. U. S. A: Chief Financial Officer. Retrieved September 26, 2016,
from [Link]

Chikomba, C., Dube, M., & Tsekea, S. (2013, February). An investigation into the effectiveness of risk
management employed on credit finance to SMEs, A case study of SEDCO Zimbabwe, Bindura
Batellite Branch, Zimbabwe. Business and Management Research Journal , 2(1), 9-28.
Retrieved November 14, 2016, from [Link]
issue8/Version-6/[Link]

Chipulu, M., Yue, L. W., Udechukwu, O., & Alasdair, M. (2014:2). Enterprise risk management and
firm value within China's insurance industry. Retrieved September 14, 2016, from
[Link]

Chisasa, & Young. (2013). International Business & Economics Research Journal. Implementing a Risk
Management Framework In Developing Markets, 12(6), 603-612. Retrieved November 4,
2016

Cohen, Manion , & Morrison . (2007). Research Methods in Education. (6th Ed.).London. Routledge
Group., 6(1). Retrieved December 14, 2016, from
[Link]

Controller of the currency. (2016, April). Enterprise risk appetite statement. 1(1). Retrieved May 20,
2017, from [Link]
publications-reports/[Link]

Cooper, & Schindler . (2011). Business Research Methods. New York: McGraw-Hill. Retrieved
December 15, 2016, from [Link]

COSO. (1992,2004,2013). Enterprise risk management framework. Retrieved December 23, 2016,
from [Link]

COSO. (2004). Enterprise Risk Management – Integrated Framework Executive Summary. Retrieved
September 15, 2016, from [Link]
c9b46e385241/

COSO. (2004). Enterprise Risk Management – Integrated Framework – Executive Summary. COSO.
Retrieved November 7, 2016, from [Link]
4f59-84f9-c9b46e385241/

Creswell. (2007). Qualitative Inquiry and Research Design: Choosing Among Five Approaches. 2nd edn.
London, UK: Sage Publications Ltd. Retrieved December 15, 2016, from
[Link]
_2007_

Danijela, M., Sprcia, A., & Kozula, P. (2015). State and perspectives of Enterprise risk management
system development - the case of Croatian companies, 1, 5-25. doi:
[Link]

Deloitte. (2012). Enterprise risk management survey report of 2012, where do you stand. Nairobi:
Deloitte Publication. Retrieved December 14, 2016, from
[Link]

Desender. (2007). The influence of board composition on ERM implementation. Retrieved November
24, 2016, from [Link]

Duncan, N. (2008). The adequacy of response rates to online and paper surveys. Assessment &
Evaluation in Higher Education, 33(3), 301-324. Retrieved February 19, 2017, from
[Link]

Duru, N. (2013). STI adopts enterprise risk management framework. Retrieved December 21, 2016,
from [Link]
managementframework/139330/
Easterby, S., Thorpe, & Jackson. (2012). Management Research. 4th edn. London: Sage Publications
Ltd. Retrieved December 14, 2016, from [Link]
Mark-Easterby-Smith/dp/0857021176

Elena, & Patrick. (2010). The ethics of enterprise risk management as a key component of corporate
governance. International Journal of Social Economics, 37(10), 802 – 815. Retrieved December 14, 2016,
from [Link]

Eriksson, P. and Kovalainen. (2008). Qualitative Methods in Business Research. 1st edn. London: Sage
Publications Ltd.

FERMA/ECIIA. (2010:15). Federation of European Risk Management Association. Europe: Guidance
for boards and audit committees. Retrieved October 15, 2016, from
[Link]
%20FERMA%20%20Guidance%20on%208th%20EUcompany%20law%20directive%20Sept%2
[Link]

Fong, W. (2014, May). Examining the Dimensions of Enterprise Risk Management Implementation
Framework. Journal of economics business management, 2(2). Retrieved February 16, 2017,
from [Link]

Fraser & Simkins. (2010). Enterprise risk management: Today's leading research and best practices for
tomorrow's executives. New York: John Wiley & Sons.

Frigo, & Anderson. (2014). Strategic Finance Journal. Risk management frameworks: Adapt don't
adopt., 96(1), 47-52. Retrieved November 14, 2016, from [Link]
content/uploads/sfarchive/2014/01/[Link]

Ghasemi. (2012). Normality Tests for Statistical Analysis: A Guide for Non-Statisticians. 486,489.

Ghosh, A. (2015). An empirical investigation into enterprise risk management in India, Indian Institute
of Management Calcutta, 722. Retrieved September 14, 2016, from
[Link]

Goran, Lidskog, R., & Sundqvist. (2013, February 18). Sociology in risk - Essential of risk theory, 3(1),
75-105. Retrieved November 15, 2016, from [Link]

Graeme, R., & Wilkinson, D. (2015). Advice on testing the null hypothesis that a sample is drawn from
a normal distribution. 1(1). Retrieved February 15, 2017, from
[Link]

Grobstein. (2010). Education in the evolving systems context. Retrieved December 14, 2016, from
[Link]

Grobstein. (2010:3). Education in the evolving systems context., 1(1). Retrieved December 14, 2016,
from [Link]

Groves, R. M. (2006). NONRESPONSE RATES AND NONRESPONSE. 70(5), 646-675. Retrieved February
19, 2017, from [Link]

Gummesson. (2003). All research is interpretive! Journal of Business & Industrial Marketing, 18(6),
482-492. Retrieved December 24, 2016, from
[Link]

Gwangwava, E., Faitira, M., Gutu, K., Chinoda, T., & Frank, R. (2014, August). An Assessment of Risk
Management Practices in Smes in Zimbabwe: A Review and Synthesis. IOSR Journal Of
Humanities And Social Science, 19(8), 6-14. Retrieved January 3, 2017, from
[Link]

Harold, S. (2014). An art and science approach to strategic risk management. Strategic Direction,
30(4), 28-30. Retrieved September 15, 2016, from
[Link]
trategic_risk_management

Hatch, & Cunliffe. (2006). Organization Theory. 2nd edn. Oxford: Oxford University Press. Retrieved
December 14, 2016, from [Link]

HBR. (2011). Risk Management in a Time of Global Uncertainty. Harvard Business. Retrieved December
14, 2016, from [Link]
[Link]

Hillson, D. (2002). Towards a risk maturity model. International Journal of Project Management, 1(1),
33-45. Retrieved November 17, 2016, from [Link]

Hoyt, & Liebenberg. (2011). Journal of Risk and Insurance. The Value of Enterprise Risk Management.,
78(4), 795-822. Retrieved September 5, 2016, from
[Link]
[Link]?AWSAccessKeyId=AKIAJF7V7KNV2KKY2NUQ&Expires=1490108408&Signature=
n4qfT53WTE%2BAvP230t3thHgoLn4%3D

Huni, S. (2016, November 14). IPEC issues directive on risk management. The Herald, p. 1. Retrieved
February 14, 2017, from [Link]
management/

Hussin, D., & Yazid. (2010). The effect of Chief Risk Officer (CRO) on Enterprise Risk Management
Practices: Evidence from Malaysia. International Business & Economics Research Journal.

IAIS. (2005). International Association of Insurance Supervisors. Towards a common structure and
common standards for the assessment of insurer solvency, 25-50. Retrieved December 14,
2016, from [Link]

IIF. (2009). Reform in the financial services industry: Strengthening practices for a more stable system.
Risk culture. The Institute of International Finance, 59. Retrieved December 14, 2016, from
[Link]

IPEC. (2016). Reports for life and non-life insurers for the half year ended 30 June 2016. Harare: IPEC.

IRM. (2012). Risk culture. Under the microscope guidance for Board. The Institute of Risk Management.
Retrieved December 29, 2016, from [Link]
WEB15_Oct_2012.pdf

Ishaya John (2015:3). Current State of Enterprise Risk Management Practices in the Nigerian banking
industry Issu. 17(6).

ISO 31000. (2009). Risk management principles and guidelines. Australia: International Organization
for Standardization. Retrieved November 14, 2016, from
[Link]
t_FA3_23082010_0.pdf

Jabbour, M. (2013). Investigation of risk management changes in insurance companies.

Johnson & Johnson. (2013:8). Framework for Enterprise Risk Management. Retrieved September 14,
2016, from [Link]
[Link]

Kaiser. (1974). An index of factorial simplicity. 1(1), 31-36. Retrieved March 2, 2017, from
[Link]

Kanhai, Muhwandavaka, & Ganesh, L. (2014, March). An investigation of the extent of adoption of
enterprise risk management by banks in Zimbabwe. International Journal of Business and
Commerce, 3(7), 19-33. Retrieved May 1, 2017, from [Link]
[Link]

Kaplan, & Mikes. (2012, June). Harvard Business. Managing risks: A new framework, 90(6), 48–56.
Retrieved December 14, 2016, from [Link]
49

Keith, J. L. (2014). Journal of insurance and risk management. Enterprise risk management: developing
a strategic ERM alignment framework - finance sectorUniversity, 46-95. Retrieved December
15, 2016, from [Link]

Kerstin, Simone, & Nicole. (2014). ACRN Journal of Finance and Risk Perspectives. Challenges in
implementing enterprise risk management., 3(3), 1-14. Retrieved November 14, 2016, from
[Link]

Kombo, & Tromp. (2006). Proposal and Thesis Writing, an Introduction. Retrieved December 14, 2016,
from [Link]

Kothari. (2009). Research methodology. Methods and Techniques, Second revised, new international.,
2. Retrieved December 14, 2016, from [Link]

Kumar. (2005). Research Methodology: A Step by Step Guide for Beginners (second ed.). Sage.
Retrieved December 17, 2016, from [Link]
oads/2014/06/Ranjit_KumarResearch_Methodology_A_Step-by-Step_G.pdf

Kuter, & Tilmaz. (2001). Survey Methods: Questionnaires and Interviews. Retrieved December 18,
2016, from [Link]
ey_Methods_Questionnaires_and_Interviews/links/5489a6ca0cf225bf669c6e2c/Survey-
[Link]

Leech. (2012). The High Cost of “ERM Herd Mentality”. Calgary, Canada: Risk Oversight, 95-100.
Retrieved November 17, 2016, from [Link]
011/03/Risk_OversightThe_High_Cost_of_ERM_Herd_Mentality_March_2012_Final.pdf

Lewis, & Sheppard. (2006). Culture and communication: Landscape and Urban Planning, 77, 291-313.
doi:[Link]

Liu, J. (2012:289, September). The Enterprise Risk Management and the Risk Oriented Internal Audit,
6(1). doi:[Link]

Locklear. (2012, April 18). (S. o. International Association, Ed.) Toward a theory of everything?
Exploring at the edges of the ERM construct. Enterprise Risk Management Symposium, 2-23.
Retrieved December 14, 2016, from [Link]
Monographs/2012/April/[Link]

Lundqvist. (2014). An Exploratory study of enterprise risk management: Pillars of ERM. Journal of
Accounting, Auditing & Finance, 29(3), 393-429. Retrieved December 15, 2016, from
[Link]
[Link]?AWSAccessKeyId=AKIAJF7V7KNV2KKY2NUQ&Expires=1490108408&Signature=
n4qfT53WTE%2BAvP230t3thHgoLn4%3D

Marchett, A. (2012:26). Enterprise Risk Management Best Practices: From Assessment to Ongoing
Compliance, 5-30. Retrieved September 15, 2016, from
[Link]

Marika, A., Giovanni, A., Enrico, C., Gianclaudio, F., Enrico, P., & Amerigo. (2013:51, February).
Integrated Risk Management through dynamic capabilities within project-based
organizations:, 15(1), 50-77. Retrieved January 14, 2017, from
[Link]

Mark Beasley, Bruce Branson, Bonnie Hancock. (2016:6). The state of risk oversight: an overview of
enterprise risk management practices.

Martens, & Rittenberg. (2012). Understanding and Communicating Risk Appetite.

MAS. (2013:3). Enterprise Risk Management for Insurers. Monetary Authority of Singapore. Singapore.
Retrieved November 14, 2016, from
[Link]
02013%20Enterprise%20Risk%20Management%20for%[Link]

Matveev. (2002). The advantages of employing questionnaire and qualitative method in intercultural
research. Research Methods. Retrieved December 18, 2016, from
[Link]
[Link]

Mazviona, W., Chiranga, & Zhanje. (2014, June 5). The Perception of ERM in the Zimbabwe’s Short
Term Insurance Industry: A Case for Bulawayo Metropolitan City. British Journal of Economics,
Management & Trade, 4(10), 2-11. Retrieved October 5, 2016, from
[Link]
JEMT10242_1.pdf

McGannon, & Kleffner, L. (2003). The effect of corporate governance on the use of enterprise risk
management: evidence from Canada. Risk Management and Insurance.
doi:[Link]

Mcnally. (2013). The 2013 COSO Framework and SOX Compliance, 1(1). Retrieved November 17, 2016,
from [Link]
[Link]

McShane, Nair, & Rustambekov. (2011). Journal of Accounting, Auditing & Finance. Does Enterprise risk
management increase firm value, 26(4), 15-25. Retrieved November 14, 2016, from
[Link]
nterprise_Risk_Management_Increase_Firm_Value/links/55a971ef08aea3d086803f9b/Does
-[Link]?origin=publication_detail

Michela, & Irvine. (2014). Enterprise-wide risk management and organizational fit: a comparative
study. Journal of Organizational Effectiveness: People and Performance, 1(4), 365-377.
Retrieved September 29, 2016, from
[Link]
[Link]

Moeller. (2011). COSO Enterprise Risk Management: Establishing Effective Governance, Risk, and
Compliance (GRC) Processes, 2, 384. Retrieved December 14, 2016

Mohd, S., Norhayati, Z., & Azira, A. (2014). A Framework for Risk Management Practices. 3(2), 1-11.
Retrieved May 2, 2017, from
[Link]

Mohsen, T., & Reg, D. (2011). Making sense of Cronbach’s alpha. International Journal of Medical
Education, 2(1), 53-55. Retrieved February 11, 2017, from
[Link]

Mottaghi, N., Golshan, S., Zaleha, A., & Nargress, M. (2012). Determinants of Enterprise Risk
Management Adoption: An Empirical Analysis of Malaysian Public Listed Firms. 1(1), 453-490.
Retrieved January 14, 2017, from
[Link]

Mugenda. (2008). Social Science Research: Theory and Principles, Nairobi: Applied Research and
Training Services, 4(1), 22-30. Retrieved December 15, 2016, from
[Link]

Ndzudzo, D. (2017, January). Enterprise Risk Management in ODL, the imperatives and lessons from
the Zimbabwean Open University. Journal of business and management, 19(1), 24-28.
Retrieved March 25, 2017, from [Link]
issue1/Version-3/[Link]

Ngari, D. (2014, June 23). A STATISTICAL METHOD FOR ANALYZING DATA FROM NATIONAL. 1(1).
Retrieved February 19, 2017, from
[Link]
Ngari_Project_I56_80521_2012.pdf

Nigeria, C. B. (2012, July 31). Central Bank of Nigeria. Exposure Draft CODE for Banks in Nigeria., 1, 5-
34. Retrieved November 14, 2016, from
[Link]
0Governance%20Code%20&%20Whistle%20Blowing%[Link]

Njagi, C. (2015). Evaluation of the level of enterprise risk management adoption and maturity of
insurance companies in Kenya, United States International University Africa, 15-110. Retrieved
October 15, 2016, from
[Link]
0of%20Enterprise%20Risk%20Management%20Adoption%20and%20Maturity%20of%20Ins
urance%20Companies%20in%[Link]?sequence=

Nyberg, L., Mariele, E., & Magnus, J. (2014, January 12). Using innovative university didactics for flood
risk reduction and transfer of risk knowledge, 5-13. Retrieved November 25, 2016, from
[Link]
20al.,%202014.%20Using%20innovative%20university%20didactics%20for%20flood%20risk
%20reduction%20and%20transfer%20of%20risk%20knowledge%[Link]

OCEG. (2009). A governance, risk and compliance (GRC) capability model. Retrieved December 29,
2016, from [Link]
[Link]

Orodho. (2005). Techniques of writing research proposals and reports in education and social sciences.
Second Edition, Nairobi, Kanezja HP enterprises, 2. Retrieved December 14, 2016, from
[Link]

Paape and Speklè. (2012). The adoption and design of enterprise risk management practices: an
empirical study. European Accounting Review, 8(2), 279-289. Retrieved December 14, 2016,
from [Link]
dAccess=true

Pagach, & Warr. (2011). The characteristics of firms that hire chief risk officers. Journal of Risk and
Insurance, 78(1), 185-211.

Racz, Weippl, & Bonazzi. (2011). IT governance, risk & compliance (GRC) status quo and integration:
An explorative industry case study, 429-436. Retrieved December 29, 2016, from
[Link]

Ren, Yeo, & Yingju. (2014). Journal of Engineering, Project, and Production Management. Risk
management capability maturity and performance of complex product and system projects
with an Asian perspective., 4(2), 81-98. Retrieved December 14, 2016, from
[Link]

RIMS. (2006 & 2011, November 27). Risk Management Society. RIMS risk maturity model for enterprise
risk management, 1(1), 7-10. Retrieved November 15, 2016, from
[Link]

Rittenberg, & Martens. (2012). Understanding and Communicating Risk Appetite., 1(1). Retrieved
September 29, 2016, from [Link]
[Link]

Saunders, Lewis, & Thornhill. (2007). Research Method for Business Students. 4th edn. Harlow:
Pearson Educational Ltd., 5(1). Retrieved December 14, 2016, from
[Link]
%20(5th%20Edition)/Cover%20&%20Table%20of%20Contents%20%20Research%20Method
s%20for%20Business%20Students%20(5th%20Edition).pdf

Schehr. (2007). Data Analysis Using Excel and SPSS, Director of Institutional Research. Retrieved
January 10, 2017, from [Link]
research/documents/workshops/[Link]?la=en

Seifert, L., Lindberg, & Seifert. (2011). Enterprise risk management can assist insurers in complying
with the Dodd-Frank Act. Journal of Insurance Regulation, 4(1), 320-337. Retrieved December
15, 2016, from [Link]
[Link]?AWSAccessKeyId=AKIAJF7V7KNV2KKY2NUQ&Expires=14901084
08&Signature=n4qfT53WTE%2BAvP230t3thHgoLn4%3D

Sekaran. (2010). Research Methods for Business, a Skill Building Approach, (Vol. 4). United States of
America. Retrieved December 14, 2016, from
[Link]

Shenkir, & Walker. (2011). Enterprise risk management: Frameworks, elements and integration.
Montvale, NJ: Institute of Management Accountant (IMA), 57, 1(1). Retrieved October 29,
2016, from [Link]
se_risk_management_frameworks.pdf

Shortreed. (2010). ERM Frameworks. In: J. FRASER AND B. J. SIMKINS, ed, Enterprise Risk Management:
Today´s leading research and best practices for tomorrow´s executives., 97-111. Retrieved
September 16, 2016, from [Link]
resources/enterprise_risk_management_2010.pdf

Paul Sweeting. (2011). Financial enterprise risk management, University of Kent, Canterbury.
Retrieved March 16, 2017, from [Link]/statistics

Suria, Z., Salinah, T., & Che, R. (2015). ERM ADOPTION IN MALAYSIA: A DISCLOSURE. Journal of
Developing Areas, 1(1), 1-11. Retrieved February 11, 2017, from
[Link]
[Link]

Thalita, M., Yuh, C., & Hong, C. (2014, July 1). Journal of Management Research. Enterprise Risk
Management Good Practices and Proposal of Conceptual Framework, 6(3). Retrieved
September 15, 2016, from
[Link]

The Internal Auditor. (2013). A Reflection of the Times. Retrieved November 14, 2016, from
[Link]

Tran. (2011). Robustness of the two formulas to correct Pearson correlation. Retrieved May 1, 2017,
from [Link]

Vladimir. (2012). Enterprise risk management for non-financial companies: From risk control and
compliance to creating shareholder value. Retrieved December 14, 2016, from
[Link]
[Link]

Walker, & Shenkir &. (2011). Enterprise risk management: Frameworks,.

Wendler, R. (2012). The maturity of maturity model research: A systematic mapping study. Journal of
Information and Software Technology, 54(12), 1317-1339. Retrieved September 14, 2016,
from [Link]

Zhao, H., & Low. (2013). Developing fuzzy enterprise risk management maturity model for
construction firms. Journal of Construction Engineering and Management, 139(9), 1179-
1189. Retrieved November 2, 2016, from
[Link]

Zheng. (2010). Generalized Measures of Correlation, 1

List of appendices

Appendix one: Questionnaire survey

Date………/………/2017

Dear Sir / Madam:

Ref: Request for Information for a research

My name is Rheneas Dururu (Student Number N01310089T), a bona fide student at the
National University of Science and Technology (NUST). In partial fulfilment of the Bachelor
of Commerce Honours degree in Risk Management and Insurance, I am carrying out a study
to investigate the development of Enterprise Risk Management (hereinafter referred to as
ERM) in the Zimbabwean life and non-life insurance industry by assessing the ERM maturity
level, challenges and strategies in the implementation and development of the program.

The findings from this study will be relevant to you as you build capacity in ERM. The results
will be used only for research purposes and be presented only in aggregate without being
revealed individually. The information provided will be treated with utmost confidentiality.

If you have any concerns, please contact the undersigned

Email Address. rdururu@[Link]


Cell. +263 779 202 976

Thank you for your assistance.

PART A: GENERAL INFORMATION

Kindly answer all questions either by ticking in the ovals or boxes or writing in the spaces
provided.

1. Type of business: Life Insurance ( ) Non-Life Insurance ( )
2. Gender of the respondent: Male ( ) Female ( )
3. Position: Top Management ( ) Top Management ( ) Mid Management ( ) Operations ( )
4. Work experience: Less than 1 Year ( ) 2-3 Years ( ) 4-5 Years ( ) 6 Years and above ( )

PART B: Questions on Enterprise Risk Management


5. Has the ERM process been implemented in the company? Yes ( )
Not yet but we're implementing it ( ) No ( )
6. What ERM framework has been used as a benchmark in the implementation process? (tick as
appropriate)

COSO: 2004, Enterprise Risk Management - Integrated Framework
ISO 31000: 2009, Risk Management - Principles and Guidelines
BS 31100: 2008, Code of Practice for Risk Management
OCEG Red Book 2009, A Governance, Risk and Compliance Capability Model

ENTERPRISE RISK MANAGEMENT MATURITY


7. An ERM mature organization has implemented an ERM process that contains all elements
laid down in ERM frameworks and guidelines. Depending on the current state of ERM
implementation, the ERM process or program in your company can be classified as being
at a Very Weak, Poor, Mid, Good or Optimised stage. Eight dimensions (D1 to D8)
comprising eight ERM elements (COSO, 2004) with 26 topics and 123 elements are
used to assess each level of ERM maturity. Use the key below to indicate how effective
your organization is on the statements below.

KEY
VW = Very Weak, P = Poor, M = Mid, G = Good, O = Optimised

Please indicate the current state of ERM practices by ticking in the appropriate box

# ERM maturity criteria and best practices VW P M G O

D1 INTERNAL ENVIRONMENT
1.1 Risk Management Philosophy
An ERM policy is approved by the board and made known to all employees.
Risk related decisions and practices are fully consistent with the ERM policy.
ERM plan is developed and tailored to the corporate objectives and context
Early risk discussions related to long-range initiatives are done among high level
leadership
Risk appetite is made known to all the staff in the organization
Risk appetite is formally and clearly defined according to the corporate strategy
Risk tolerance for each risk is formally and clearly defined according to
objectives
Risk taking is aligned with its core competencies and risk appetite
1.2 Corporate governance
Consequences are applied evenly to employees who breach set controls
A disciplinary team, reward system and recruiting policies are in place.
The body and senior management actively take part in ERM
Risk-aware culture is incorporated into the corporate culture
A risk-aware culture is created throughout the company at all levels
1.3 Responsibility
A devoted senior executive and a standalone unit take charge of risk oversight.
All risk owners have adequate authority to oversee any risk-related action and
accept clearly defined responsibilities.
Each category of critical risk has a risk owner who fully understands the limits.
ERM is incorporated into the employees' performance review.
1.4 Competence
Sufficient qualified staff with skills is available to develop ERM.
Well trained staff from different units are available for risk assessment.
Regular training is done to maintain the acquired knowledge and skills.
Training enables staff to learn from successes and failures from prior and current
projects
Experienced staff in ERM share their knowledge during training programs
External consultants are engaged to reinforce and complement existing internal
knowledge.

1.5 Integrity and Ethical Values
A climate of trust is built up within the firm
Staff adhere to standard behaviour that considers integrity
All employees adhere to standard behaviour that considers ethical values
Expected behaviour is explicitly expressed to sustain a strong risk culture
Corporate values are made known to all employees

D2 Objective setting
2.1 Strategy formulation
A situational analysis is conducted before formulating the business strategy to
identify the strengths, weaknesses, opportunities and threats
Possible strategies are defined for which risks and opportunities are identified
ERM is continual and is not interrupted by changes in the board or management.
ERM is fully integrated into all business processes and strategy formulation.
2.2 Strategy implementation
Objectives have performance measures and are understood by all employees
Strategic objectives are accompanied by operations, reporting and compliance
related objectives
Objectives are dynamically adjusted and aligned with the entity’s strategy
2.3 Strategy effectiveness
The objectives’ achievement degree and client’s satisfaction are monitored
The results among peers are compared to identify improved opportunities.
A strengths, weaknesses, opportunities and threats (SWOT) analysis is conducted
to identify strategy choices
Deviations from plans are assessed against the entity and project objectives

D3 Event identification
3.1 External factors driving events
External factors which affect the achievement of objectives are analysed
There is a formal and defined process to identify and review potential risks.
The organization registers all external risks that materialise.
The process is performed on an ongoing basis at all levels of the entity
3.2 Internal factors driving Events
The internal process is performed on an ongoing basis at every level of entity
Internal factors which affect the achievement of objectives are analysed
The organization registers all the internal risks that materialise.
3.3 Events affecting business and strategies
The company has a formalized and standardized ERM process
The risk information on objectives collected is always relevant and reliable
Qualitative and quantitative ERM tools and techniques are constantly used
The firm comprehensively identifies sources of risk and potential impacts
Opportunities are regularly identified, explored and channelled back to the
objective and strategy setting process.
Diverse risk information sources are considered during risk identification and
negative events are assessed and actions are taken.

D4 Risk assessment
4.1 Event characteristics
Emphasis is placed on searching for root causes of risks and their effects
Risk response is designed to deal with critical risks at their sources
Management considers both expected and unexpected losses in risk assessment
The relationship of different risks is considered and assessed.
4.2 Assessment Metrics
The frequency and severity of risks identified are analysed in order to identify
the risk rank and management priority
A full set of metrics is consistently applied to measure ERM performance
Risk identified is repeatable and scalable
4.3 Assessment Mode
New and emerging risks are always identified in a timely and proactive manner.
Existing controls are standard and assessed for good design and effectiveness
A composite assessment of risks across the entity is performed.
Risk identification, analysis, and response activities are done continuously
Best practice assessment techniques are used.
Differences between risk tolerance and actual risks are regularly assessed
Expected effects of risk response strategies are assessed against risk tolerance
Opportunities are regularly assessed by weighing the expected benefits and
relevant likelihood against the potential losses and their likelihood
Opportunities for the likely growth of the firm are actively pursued through ERM
The organization has access to and uses external support for risk analysis
Risk maps are completed at department or campus level
Risks are integrated with a scorecard or corporate performance measurement
criteria

D5 Risk response
5.1 Risk mitigation strategies
The appropriate risk response strategy is identified through considering the risk
significance, appetite, tolerance, resource availability, cost-benefit comparison
Alternative risk mitigation strategies for the identified risks are developed
The selected strategy is accompanied by an implementation plan
Risk responses have clear accountability and are implemented in good time
An exhaustive and comprehensive analysis of risk management options is
performed to find the best response strategy
5.2 Residual Risk
Residual risk measures are fully assessed and mitigated
The residual risk is aligned with the risk appetite
There is a portfolio view of residual risks by entity at all levels

D6 Control Activities
6.1 Control Basis
Control policies and procedures are established and made known to all staff
The risk control processes are documented and assure a segregation of duties
The Key Risk Indicators (KRIs) are identified for all the critical risks
6.2 Control Over Objectives
Control activities over strategic operations, reporting and compliance objectives
are established and executed
Unexpected results are investigated and corrective actions are applied
Actual performance versus forecasts and prior periods are reviewed using a
balanced scorecard
There is a performance management (vision and strategy)
6.3 Control over processes
Risk limits are observed, prices and models are appropriate and new products are
managed
Resources are allocated to risk response based on risk analysis and risk priority
Resources are continuously invested in improving the ERM process

6.4 Control over information processing
Control activities over information systems vis-à-vis data validity are established
Employee relationships, external, process, and systems views are considered
The information technology programs are always available, smart and secure.

D7 Information and Communication


7.1 Information over objectives
Information over strategic, operations, reporting and compliance objectives is
delivered in a timely manner to enable ERM related business activities
Information over objectives is collected and updated regularly
Reporting on corporate objectives is regularly done
7.2 Information quality
Quality information is provided in terms of depth, timeliness, availability,
accuracy and accessibility.
ERM process is clearly recorded to make it convenient to review and improve
The risk language clearly explains the risk management terminologies and
methodologies used
7.3 Information management
A Risk Management Information System (RMIS) serves for risk communication
and reporting, records ERM activities, risk identification and analysis
The functions of the RMIS are fully used in ERM practices
Risk information, risk response strategies, tolerance and appetite are considered in
all decision making activities
Stress testing is done
Risk modelling is done
7.4 Communication
Risk information is regularly communicated and shared across departments
Critical risk information (severity or urgency) is reported to the board and top
management in a periodic or immediate manner
Clear communication lines are established to ensure that all managers are
promptly notified of critical information and decisions from senior management
Individual comments and views of internal or external experts are encouraged
There are open communication channels with all stakeholders
The risk language is used consistently in all the communications within a firm
There is an upward channel to encourage the reporting of relevant information.

In partnership with the Audit and Advisory services the staff produces a
newsletter (risk business)
D8 Monitoring
8.1 Monitoring Activities
Deviations from plans are assessed and weaknesses are identified to take
corrective measures
Automated systems reporting on key compliance areas are in place e.g. Effort
reporting and effort commitment tracking systems, on-line ledger review.
There is a risk oversight committee involvement and review
There is a risk dashboard providing periodic reporting, comprised of metrics
aligned with key exposures
KRIs are identified for all the critical risks that the company faces
The KRIs are always reviewed, updated, monitored and analysed by risk owners
Incidents and loss events are continuously identified, recorded, updated,
monitored and analysed
8.2 Monitoring Corrective Actions
The ERM framework, policy and plans are consistently reviewed to ensure that
they are still relevant to the external and internal context
The ERM framework, policy and plan are improved based on results of monitoring and
reviews.
The implementation levels of the ERM best practices are periodically assessed to
identify gaps and improve ERM practices
The firm reports all deficiencies on actions in place to take necessary actions
The changes in process, strategies, structure and system are monitored
The evaluation process is based on clear and documented methodologies

8. To what extent is your company faced with the following challenges in ERM
implementation? Use the key below
SD= Strongly Disagree, D= Disagree, N= Neutral, A= Agree, SA= Strongly Agree

CHALLENGES ON ERM DEVELOPMENT SD D N A SA


Ambiguity in roles and responsibilities in risk management
Lack of embodiment of ERM in organizational culture
Inadequate information to make risk-based decisions
Lack of managerial support and clear ERM guideline
Time and cost required in developing
Lack of understanding of ERM benefits.
9. To overcome the challenges faced in ERM development, what do you suggest needs to be
done? Kindly indicate your level of agreement.

STRATEGIES OF ERM IMPLEMENTATION (development) SD D N A SA


Build a strong risk culture within the organization
Board of Directors and top management commitment
Appointment of a Chief Risk Officer (CRO)
Developing a risk appetite statement
Building a dedicated ERM function or department

Thank You!

Appendix two

Table 29 ERM maturity computations

| Dimensions | Overall Mean | Number of elements | Actual Mean |
|---|---|---|---|
| Internal environment | 83.1449 | 28 | 2.97 |
| Objective setting | 33.0725 | 11 | 3.01 |
| Event identification | 37.7826 | 13 | 2.91 |
| Risk assessment | 54.8841 | 19 | 2.89 |
| Risk response | 24.5942 | 8 | 3.07 |
| Control activities | 37.7536 | 13 | 2.90 |
| Information and communication | 53.2319 | 19 | 2.80 |
| Monitoring | 37.6812 | 12 | 3.14 |
| ERM Maturity | 362.1449 | 123 | 2.95 |
