Introduction of a Corporate Security Risk Management System: The Experience of Poland

: To ensure the economic security of companies, it is necessary to introduce a risk management system based on the use of various tools, especially ﬁnancial ones. The purpose of the article is to scientiﬁcally substantiate the paradigm of integration of the risk management mechanism into the system of economic security in companies on the basis of risk-oriented management. The main study method was an online survey of 50 Polish companies in January–April 2021 using a developed questionnaire consisting of 40 questions. According to the results of the expert survey, it is determined that regardless of the type of economic activity of the enterprise, the main goal of introducing risk-oriented management is to preserve assets and increase the efﬁciency of ﬁnancial and economic processes. The introduction of risk-oriented management is perceived as a tool to increase the value of the company and ensure the achievement of strategic goals. Fraud is a signiﬁcant risk to the state of economic security for modern enterprises. To prevent the fact of fraud, taking into account the speciﬁcs of the operation of companies, it is suggested to conduct an annual examination. As a result, the suggested procedure should include an audit (audit of ﬁnancial statements, forensics, transition to international ﬁnancial reporting standards, audit of systems and processes), assessment (assessment for audit and reporting in accordance with international ﬁnancial reporting standards, risk management assessment in accordance with international standards, assessment of the effectiveness of economic security), tax analytics (identiﬁcation of tax risks, analysis of compliance with tax legislation, tax audit), and a due diligence procedure for investment objects.


Introduction
Modernization of the process of economic security management in enterprises should become a priority of top management to ensure effective counteraction to threats and risks of internal and external environments of its operation.The development of the information economy and the globalization of business confirm the effectiveness of riskbased approaches in ensuring the economic security of enterprises.
Globalization and integration can lead to an increase in domestic and international competition, and the accuracy of assessing existing and potential risks will require taking into account an increasing number of indicators, and therefore the tools of diagnostics of the economic condition of economic entities tested by experience of the developed countries do not give exact forecasts any more.Given this, for the development of the economy there is an urgent need to create at the macro, micro, and meso levels effective mechanisms for ensuring economic security of enterprises in the strategic and short-term perspectives.
Risk-based management in the system of economic security of the enterprise is designed to reduce the level of negative consequences of threats that are present in all business processes of an entity of any kind of economic activity.(Khanyile et al. 2019).In addition, risk-based management is aimed at maximizing the possible positive effects in the case when the company's directors and its management make management decisions to take risks in a particular economic situation (Kähkönen et al. 2018).
The problem of ensuring the stability of the economic security system in conditions of uncertainty of different kinds of environments is similar to ensuring the stability of quality management, financial stability, which is increasingly becoming a management problem.Modern ideas about the role of entrepreneurship in the economy and its development are quite contradictory due to the huge number of different methods and approaches to assessment of the target function of the socio-economic process, in which uncertainty and risk are leading, namely, to assessment of the state of the economic security system of the economic entity (Lai and Wong 2020).To select effective methods, ways, and techniques for managing risks, threats, and dangers, it is first necessary to clearly determine the destabilizing factors of the company's economic security system (Dixit 2021).
Thus, the application of risk-based management practices, provided there is a proper theoretical and methodological basis for their application adapted to the crisis realities of economic activity, can have double benefits for the company and its stakeholders-both in countering risks to economic security and ensuring the maximum level of satisfaction of economic interests of owners and other interested parties.
The aim is to scientifically substantiate the paradigm of integration of the risk management mechanism into the system of economic security of companies on the basis of risk-oriented management.
In accordance with the defined goal, the study set and solved the following tasks: to specify the impact of risks, dangers, and threats on the state of the economic security system of companies; to substantiate the role of the process of risk-based management in the system of economic security of companies; and to diagnose risks and threats to the economic security of companies.

Analysis of the Concept of Risk-Oriented Company Management
The condition of uncertainty that exists for any manufacturing enterprise is due to the fact that the system of economic security in the process of its operation is dependent on a number of reasons that can be systematized (Fan and Stevenson 2018).It is from the interpretation and understanding of the concept of uncertainty that the ways and methods of minimizing the impact of risks, dangers, and threats follow, which is one of the priority goals of the economic security system of any enterprise (Kumar and Jha 2018).
In the study of destabilizing factors of the economic security of an economic entity, it is advisable to identify several such factors: risk as the probability of occurrence of circumstances that may cause danger (Kong and Castella 2021), danger as a real possibility of harm or damage (Kim and Chance 2018), and threat as a real intention to cause harm (Corbett and Smodis 2018).
The focus of risk management is shifted towards risk-based management of the entire company, rather than management of certain risks or separate management of the economic security system (DuHadway et al. 2019).Integrating risk management into the company's management system itself is an objective necessity.
Currently, the biggest problems in global risk management are the lack of sound theories and technologies of risk management in many areas, especially operational risk management (Chaudhuri et al. 2018).There are almost no effective quantitative methods for assessing the most important of the risks-the human factor, mechanisms for diversification, and hedging of operational risks; methods of assessing reputational risks are at the initial stage.
Note the characteristics of risk-based management in the system of economic security that distinguish it from "classical risk management."In classical risk management, the object of management is the risk with which management manipulations are carried out in order to avoid it, minimize it, or use it to the benefit of the enterprise (Liu and Jensen 2018).
In risk-based management in the system of economic security, the object is also risksnot general and specific to the entire enterprise and its economic activities, but those that are inherent in each asset and operation of the economic entity, and the negative impact of which reduces the level of economic security and harms its system (Villanueva et al. 2022).The subject of management is traditionally a risk manager.However, in the system of economic security, a professional in financial and economic security joins him or plays his role (Tarei et al. 2020).
Management functions also differ.In risk management, these are planning losses from the negative manifestation of risk, organizing the risk management process, motivating personnel involved in risk management processes to perform their duties conscientiously, and monitoring the results of risk management measures (Hinna et al. 2018).
In risk-based management in the economic security system, the functions of management are to plan security measures through risk management mechanisms, risk identification, and their analysis and evaluation, establishing their level of maturity and selecting one of many management solutions to avoid, minimize, compensate for, or diversify a risk (Karamouz and Heydari 2020).In this case, the function of motivation is to encourage the entire staff to comply with the rules of good conduct and professional performance of their duties, as staff in the economic security of the enterprise is both an asset in need of protection and a source of personnel risks (Kwak et al. 2018).
It is possible to say about the different influences of risks, dangers, and threats on the functioning of the system of economic security of enterprises and corresponding different responses of the system to these negative factors.Effective risk management within the economic security system is able to eliminate the negative manifestations of risks and will take advantage of their positive consequences (Azim and Nahar 2021).At the same time, the impact of dangers and threats on the state of the economic security system is completely negative, because the very fact of their existence in the external and internal environment of the enterprise is the reason for spending resources of economic security to counter them and prevent their negative effects.
Risk minimization means the selection of such management decisions to influence the risk, which can either limit the likelihood of its occurrence, or reduce its negative consequences for corporate resources and economic interests of the company (Tullo 2020).
The priority for modern founders and researchers of security science in this regard should be the development of a theoretical and methodological basis for the formation of an information base for risk-based management in the organization and implementation of business processes in the enterprise, and especially in its system of economic security and in its management.
The main differences between risk-oriented management and "classical risk management" in the economic security of a company are as follows.
Companies should focus their actions on integrating risk analysis into key business processes, rather than on risk assessment measures.Risks should not be the subject of analysis, and risk analysis should not be a result but a decision-making tool (Tai et al. 2020).
Different types of risks require different approaches.Different risk assessment methods are needed to integrate risk management into different business processes.This approach differs significantly from the common practice of implementing ERM (enterprise risk management) (Hsu et al. 2021).
Therefore, it can be argued that you should not use a single approach to risk management.Each process and each type of decision may have its own risk assessment methods, with its own criteria and tools.The priority task in risk-oriented management should be the development of competencies for risk assessment in employees of enterprises, which is the task of a risk manager (Joshi 2018).
The above confirms again that risk is the central object of study for the economic security system of a company.The company's security is faced with the task of integrating risk management into all business processes.There arises a need for a comprehensive study of risks as a tool for risk-oriented management (Mazumder and Hossain 2018).To conduct a detailed risk analysis in Polish companies, it is necessary to study all the parameters of this phenomenon.
The scientific problem of the study is to ensure the economic security of the enterprise in conditions of growth and increasing variability of business risks through the use of risk-oriented management based on the development of conceptual, methodological, and practical components.
It should be noted that for the authors' study there are other concepts at the micro level of the economy, in addition to the basic concept of risk management.The number of these concepts is large enough, and they are the subject of a review article.In this scientific article, we focused on the concept that is directly related to the risks of corporate culture.

Analysis of the Theory of Bureaucracy in the System of Risk Management of Corporations
Sociological theories of bureaucracy consider bureaucracy both as an organization and as a social stratum, but not as a group of individual actors.Consequently, bureaucracy is distinguished by its solidity in sociological theories.This feature can acquire both positive (rational bureaucracy of M. Weber and T. Parsons) and negative (parasite bureaucracy of K. Marx) connotations.
Bureaucracy is considered a management system of society and its separate areas, emerging as society develops.This way of management has both strong (hierarchy, rationality, activity regulation, etc.) and weak (red tape, conformity, special status) sides (Pivoras and Kaselis 2019).
In patrimonial systems, management is carried out arbitrarily, and the management apparatus is personally subordinate to the head of the company (Drechsler 2020).Loyalty is a key professional requirement for bureaucrats.
A rational bureaucracy is a management system that maintains legal dominance based on impersonal order and legally established procedures (Reinsberg et al. 2019).This type of bureaucracy is characterized by a hierarchical organization, clearly defined responsibilities and rights, and professionalism.
The bureaucracy of professionalism implies (Bakker 2019) that a bureaucrat must have certain competencies to hold his position; if the qualification requirements are met, he has the right to career growth and he receives a salary established by the procedure for the fulfillment of his responsibilities.
As a result of bureaucracy, an employee spends time going to the instances (managers, responsible persons from related functional units) to obtain approvals (including electronic) and "waiting in line" for a decision (Kim et al. 2021).
Sometimes this time is useful and adequate, and sometimes it is excessive, leading to increased expenses.We distinguish between "healthy" and "unhealthy" bureaucracy.
By "healthy" or sound bureaucracy we mean a bureaucracy that is objectively necessary for documenting records under the requirements of the external environment (compliance with the terms of contracts with partners, compliance with labor and tax laws) (Bianco and Gamba 2019).In addition, you can consider "healthy" bureaucracy the minimum necessary to maintain the process at the proper professional level in a particular organization.
Bureaucracy is considered "unhealthy" when it is excessive and leads to increased time expenditure for employees, without changing the level of quality of the process or the degree of risk of the company and its shareholders (Kuo et al. 2021).
Here are the main reasons for "unhealthy" bureaucracy.
One is when managers have a low level of self-awareness and personal responsibility.This is the desire to be on the safe side, to play for time in case "you don't have to make a decision at all" (Christopher and Sarens 2018).In this case, the big question is about the compliance of managers with their positions.
Managers who try to change the behavior of subordinates often face persistent resistance to change, which cannot be explained reasonably (Gu and Yuan 2022).They see that separate units of the organization prefer war against each other.They face such communication problems and such misunderstandings between members of different groups that it would seem that "reasonable" people should not have them.
Second is criteria for the evaluation of decisions by superiors changing during the activity and inconsistency of the first party.It is probably the worst thing that can happen and generates not only "unhealthy" bureaucracy in the company (Shatnawi et al. 2019).The historical reevaluation of the decisions of subordinates according to the "new" criteria that arise suddenly and the very fact of unilateral change of these criteria (process regulations) give rise to mutual irresponsibility and demotivation in decision-making.
Third is a low degree of mutual trust of colleagues, the presence of precedents when the demand is "wrong", and the other employees not standing up for the fairness of the decision made by a colleague.Such mutual behavior of employees, as well as the selection of people, is an omission in the work of not only of the CEO, but in many respects of the HR service as well.
Fourth is excessive complexity of procedures in their original design.This is characteristic of large companies where the processes of coordination of decisions are built iteratively, often when changing the persons responsible for the regulations of the processes themselves.For example, an analyst from the head office building a procedure for remote departments may simply not understand the essence of the local process (Busru et al. 2020).On the ground, the proposed regulations of this or that coordination are considered a certain fact sent down from above by "smart people".When you look at this situation from the side, it is sad that clever people here and there lose company time due to simple miscommunication (lack of time, or unwillingness to go into detail/escalate for subjective reasons).
As a result of unhealthy bureaucracy, costs increase (and often disproportionately).The risk of unhealthy bureaucracy against the background of such an example is much higher, as it affects not only the development of the company's employees, but also its business reputation, "adequacy", and speed of response in the eyes of suppliers and customers (Jiang and Feng 2021).
The discussion about bureaucracy has a clear negative connotation, but initially we wanted to remain impartial to it.After all, there are a number of advantages (guarantees) that cannot be discounted.
Firstly, bureaucracy is already a sign of the process (Larasati and Asrori 2020).Whether this process is effective or not does not matter in this case.The main thing that can be stated is its actual presence, which is far from obvious for many companies.Secondly, bureaucracy largely insures against outright theft and overt sabotage of the employees (Cassano 2019).Thirdly, it somehow guarantees decision-making, despite being time-consuming (Hao and Kang 2019).Fourthly, it frees up top management's time, eliminating the need for "manual control" (Liu et al. 2019).In summary, bureaucracy, albeit "unhealthy," is much better than chaos.
All the above reasons for "unhealthy" bureaucracy are directly related to the degree of development of corporate culture.
Last is the mutual responsibility of managers, the so-called sense of "90% personal responsibility" for the "common" task, and self-awareness of the personality of a manager (Eriandani and Wijaya 2021).It is both a result and a sign of the presence of a corporate culture in the company.
Both corporate culture and bureaucracy evolve as power is centralized and expanded, as well as in connection with the emergence of new management tasks.Both of these phenomena, one way or another, ensure the controllability of the process in the absence of the first part.
The ideal environment does not exist, and people with their uniqueness make adjustments to any process.Both bureaucratic corporate cultures are present to varying degrees in any company.Studying in practice and trying to combine these concepts in a simple model, we came to the conclusion that they fill the same space, being mutually displaced, opposite in content, and not subject to diffusion.Any company can be characterized by the ratio of "corporate culture/unhealthy bureaucracy".

Materials and Methods
The online survey followed the logic of traditional survey methodology.The task of the mass survey is to determine the relationship between different variables (for example, between socio-economic status and political preferences).It is a survey of a group of people based on a formed sample: a subgroup of a given population, which allows relatively reasonable conclusions to be made about the population as a whole.As a rule, in the analysis of the obtained data, various methods of quantitative measurements are used: correlation analysis, regression analysis, etc. (Omar and Javaria 2019).In terms of technology and organization, the newest online survey is closest to the oldest scheme of mass surveys-mail surveys, a method that has more than a century of history.
Among the main characteristics of the online survey one can note the completion of the web questionnaire by the participants themselves, the availability of precise instructions, and the opportunity to demonstrate numerous incentives for respondents.The online survey allows for testing photo, video, and audio materials.In general, the tools of the online survey are more varied and provide a large number of different opportunities, such as click-tests, eye-tracking techniques, 3D modeling of goods, visual scales for measuring emotions, etc. (Shakya et al. 2020).
Surveys on the Internet have advantages over other indirect methods, in particular telephone surveys, in terms of a higher level of respondents' willingness to participate in the survey and a cheaper cost per interview (Embi and Shafii 2018).Online surveys also increase participants' involvement through the inclusion of visual, audio, and textual perceptions.These surveys give the opportunity to select a convenient time and place of participation and can be completed at any time convenient for the respondent.
In general, one can highlight the following benefits of online surveys (Lee and Lee 2018): saving resources (not only money, but also time and labor costs), large sample size, speed of the survey (the possibility to interview several thousand people in a short time); the possibility to respond quickly (for example, change tools); breadth of coverage (crossing borders and distances, access to various social groups and communities); reachability (opportunity to interview those who are not accessible in real life, such as marginalized groups); focus (the possibility to build a specific sample); relevance (independence) of communication, that is, a lower level of influence of the interviewer on the respondent and the possibility to give more detailed answers; high level of trust (due to the anonymity of the online environment); the breadth of subject fields (opportunity to study topics that are delicate and closed for public discussion); organizational flexibility (a respondent chooses the time and place of participation); strict logic of the survey (special software eliminates traditional errors in filling out the questionnaire); and operating control over the completion of the questionnaire (for example, detection of logical inconsistencies in the answers and their correction).
Moreover, a survey via the Internet provides additional opportunities (apart from the opportunity to select the channel of influence).These are the opportunities of subsequent communication with respondents, automatic collection of additional information, and automatic recording of data and processing of questionnaires (Jepson et al. 2020).
The main disadvantage of online surveys is related to the problems of ensuring the representativeness of the sample.Firstly is the lack of a sampling frame.One can successfully solve this problem in the studies of organizations with wide network bases, and also when building a sample with the results of an offline survey (Shatnawi and Eldaia 2020).Secondly is the problem of coverage, which is the inability of the sampling procedure used to cover the real population (i.e., to set a known non-zero probability of being included in the sample for each population unit) (Girangwa et al. 2020).Thirdly are non-responses or refusals to participate (Yeargin et al. 2021).Usually, the first two problems are successfully solved.
The main disadvantages and limitations of online surveys include the following (Elmsalmi et al. 2021): lack of representativeness (population structure does not coincide with user structure), spontaneity of the sample ("self-selection method"), audience coverage possibly not being relevant to the target audience (e.g., limited to visitors to a single site), mobility and variability of social space on the Internet (for example, high "mortality" of the panel), repeated participation in the survey (especially in the case of an anonymous survey), lack of data on the general population (for example, on the audience structure of the portal or forum), intentional distortion of data, the possibility of hostile actions ("hacking" software), limited length of the questionnaire (in practice no more than 20-25 questions), limited control over the completion time and the number of corrections in the answers (important when using some techniques), communication problems (incorrect interpretation of the questionnaire, errors in transitions, filling in tables, etc.), and individual system parameters (influence of software installed on the respondent's computer).
Some of these disadvantages may be eliminated in the near or distant future.For some surveys, these limitations are critical, in other surveys they can be ignored.
Within the authors' study, directional sampling was used in the online survey.
Panel or directional sampling is based on databases (lists) of potential respondents using socio-demographic data for surveying homogeneous audiences; the sample includes mainly those objects that have typical values of the studied characteristics for the general sample as a whole.
If the internal validity (the degree of certainty with which one can judge the assumed causal relationship between variables) and the randomization of experimental conditions (by pairwise or other non-random distribution of observation objects by groups) is more important than the randomly selected external validity (the possibility of distributing the results of a selective study to the general sample), an online study is carried out not according to a selective, but rather experimental and quasi-experimental plans.Our study did not require a selective assessment of the distribution of characteristics of the general sample, but was aimed at studying causal relationships between variables.Here, finding an effect in the general sample was the primary task in relation to estimating the scale of this effect.
In 2021, the authors conducted a study.The main areas of the study were as follows: the portrait of a modern risk management unit, assessment of the current level of risk management, the key problems related to the development of risk-based management in non-financial companies, and prospects for further development of risk-based management of certain types of risks.The authors conducted a survey of various Polish companies for assessment of existing risk management practices to ensure economic security, prospects for the development of risk-based management in the system of economic security of enterprises, and to identify key business risks.
The expert survey was conducted over four months (January-April 2021).The study involved 50 Polish companies representing various sectors of the economy.For example, 17% of respondents represented agriculture, hunting, and forestry; 14% of respondents represented trade, repair of motor vehicles, household products, and articles for personal use; 11% of respondents represented industry; 10% of respondents represented transport and communications; and 7% of respondents represented IT technologies, etc.
When developing the questionnaire, the following methodical aspects were taken into account: (1) Questions should not contain explicit or implicit prompts; (2) The meaning of a question should be unambiguous for all respondents and interviewers; (3) Questions should not contain terms and concepts that are unclear to a respondent; (4) When formulating evaluative questions, it is necessary to monitor the balance of positive and negative judgments; (5) If a question is difficult, instructions are required after its formulation; (6) All questions must correspond to the study task; (7) A questionnaire should correspond to the capabilities of a respondent as a source of information.
The operation of control and approbation of the questionnaire included three stages: (1) Logical control over the compliance of the questionnaire questions with quality criteria; (2) Clarification of the compliance of the questionnaire with methodical requirements; (3) Approbation of the questionnaire (conducting a pilot survey).
The target audience of the study was risk managers, enterprise directors, CFOs, CEOs, heads of security services, and specialists from leading departments who were asked to complete the questionnaire of 40 questions, which was developed by the authors (Appendix A).The respondents answered questions about risk management practices to ensure enterprise economic security.

Results
The authors' study proved that regardless of the type of economic activity of the enterprise, the main goal of introducing risk-based management is to preserve assets and increase efficiency.This emphasizes that companies use corporate risk management systems as a tool not only for strategic management but also operational management (Figure 1).The participation of the risk manager in the process of agreeing on key management decisions provides an independent approach to alternative opportunities and contributes to a more open discussion of risks.Practice proves the existence of the problem of reporting and perception of negative information, which is typical for many companies.This is primarily due to the specifics of thinking-the so-called mental traps.These traps may, for example, manifest in excessive optimism about decisions in which the employee is personally interested, in the general risk culture of society, and the Polish mentality.
At the same time, there are companies that create an open environment in which the employees have the opportunity to freely express their fears or doubts, both at the level of personal interaction and through, for example, a hotline (implementation at the level of IT systems), to report potential risks.The combination of these measures contributes to the formation of the necessary corporate risk culture and risk-based management in general, within which top management is an example to follow.
One of the key organizational questions that were asked of the respondents concerned the existence of a separate structural division responsible for the coordination of risk management.The existence of such a division is one of the conditions for ensuring If one ranks the objectives of introducing risk-based management in a company, then rank 1-preserving assets and improving efficiency (25%), rank 2-increasing corporate rating (22%), rank 3-guaranteeing the achievement of strategic goals (18%), rank 4-increasing the value of a company (17%), rank 5-compliance with regulatory requirements (12%), and rank 6-access to IPO (6%).
It should also be noted that the introduction of risk-based management is perceived as a tool to increase the value of a company and ensure the achievement of strategic goals.The first three positions of the respondents' answers with the highest percentages allowed for a conclusion to be drawn that corporate risk management systems can be an effective tool for creating business value in both the short-and long-term perspectives.
The participation of the risk manager in the process of agreeing on key management decisions provides an independent approach to alternative opportunities and contributes to a more open discussion of risks.Practice proves the existence of the problem of reporting and perception of negative information, which is typical for many companies.This is primarily due to the specifics of thinking-the so-called mental traps.These traps may, for example, manifest in excessive optimism about decisions in which the employee is personally interested, in the general risk culture of society, and the Polish mentality.
At the same time, there are companies that create an open environment in which the employees have the opportunity to freely express their fears or doubts, both at the level of personal interaction and through, for example, a hotline (implementation at the level of IT systems), to report potential risks.The combination of these measures contributes to the formation of the necessary corporate risk culture and risk-based management in general, within which top management is an example to follow.
One of the key organizational questions that were asked of the respondents concerned the existence of a separate structural division responsible for the coordination of risk management.The existence of such a division is one of the conditions for ensuring the independence of the risk management function.
At the time of the survey, 36% of the surveyed companies had a separate structural division responsible for coordination of risk management processes, with 21% of the companies saying that they plan to create such a structural division in the near future.These results indicate the readiness of Polish companies to introduce risk-based management in the economic security system.
The absence of a separate risk management division does not indicate the absence of risk management practices in the company.Therefore, in the absence of such a division, respondents answered the question "Who is responsible for coordination of risk management processes in the absence of a separate structural division?"According to the data (Figure 2), in 40% of the companies the internal control/audit department is responsible for coordination of risk management processes and in 35% of the companies CFO is responsible for it.Usually, the enterprises see the implementation of force, information, personnel, or other functions in the security department, and 20% of the enterprises assign the function of risk management coordination to the security department.
This situation illustrates where the risk management process has historically originated in a company.Generally, it is due to advanced risk management practices and access to larger volumes of information compared to the other functional divisions.
The share of Polish companies that have a separate risk management division in their structure is characterized by a decentralized approach when risk management is entrusted to risk owners appointed from employees of functional divisions.It should be noted that in 37% of the companies the existing risk management divisions are accountable to the CFO, in 17% of the companies to the audit committee, and in 13% of the companies to the security service (Figure 3).Usually, the enterprises see the implementation of force, information, personnel, or other functions in the security department, and 20% of the enterprises assign the function of risk management coordination to the security department.
This situation illustrates where the risk management process has historically originated in a company.Generally, it is due to advanced risk management practices and access to larger volumes of information compared to the other functional divisions.
The share of Polish companies that have a separate risk management division in their structure is characterized by a decentralized approach when risk management is entrusted to risk owners appointed from employees of functional divisions.It should be noted that in 37% of the companies the existing risk management divisions are accountable to the CFO, in 17% of the companies to the audit committee, and in 13% of the companies to the security service (Figure 3).separate structural division in 50 Polish companies.Source: authors' study.
Usually, the enterprises see the implementation of force, information, personnel, or other functions in the security department, and 20% of the enterprises assign the function of risk management coordination to the security department.
This situation illustrates where the risk management process has historically originated in a company.Generally, it is due to advanced risk management practices and access to larger volumes of information compared to the other functional divisions.
The share of Polish companies that have a separate risk management division in their structure is characterized by a decentralized approach when risk management is entrusted to risk owners appointed from employees of functional divisions.It should be noted that in 37% of the companies the existing risk management divisions are accountable to the CFO, in 17% of the companies to the audit committee, and in 13% of the companies to the security service (Figure 3).The peculiarity of the accountability of the structural division responsible for dealing with risks is the specificity of such activities.At an industrial enterprise such a structural division is often accountable to the CEO, and in the transport or telecommunications sector to the CFO.Based on international practice, the head of the division responsible for the introduction of risk-based management is directly accountable to the CEO.This makes it possible to ensure a sufficient level of authority and to avoid conflicts of interest, which may be associated with a combination of responsibilities for managing one of the functional areas of the enterprise and introducing risk management approaches in all processes.Thus, as shown in Figure 3, the Polish practice is quite different from worldwide ones because of the rather low culture of risk management.It should be noted that in the industrial sector the CEO or another top manager is usually the initiator of the creation of a structural division for risk management.In contrast to this, in public-sector enterprises, in the sectors of education, health, and social protection middle managers usually introduce risk-based management.
Analyzing the study data on the average time of risk management activities in the enterprise, which is mostly up to five years, one can conclude that most of the surveyed companies have passed the stage of development of basic knowledge and skills in risk management.At present, the issues of implementation of adopted procedures and effective integration of risk management in the decision-making process come to the fore.It should also be noted that in 33% of respondents' answers the lack of corporate culture of risk management is an obstacle to effective risk management.Within the development of corporate risk culture, companies need to pay significant attention to the development of employee skills in risk management.According to the data of the authors' study, 59% of the surveyed Polish companies conduct regular training of employees, 46% of the companies conduct seminars for top management, and 40% of the companies have an internal portal and a form for discussion of risk management issues.Quite a small percentage, namely, 19% of the respondents, had passed a certification in risk management.
More than 60% of the surveyed Polish companies have detected fraudulent transactions.A total of 40% of the companies have faced theft of assets and fictitious expenses.A total of 20% of the companies estimated their losses in the range from EUR 100,000 to EUR 5 million per year.A total of 38.2% of fraud cases were detected from unofficial internal sources.
The most frequent cases of fraud were recorded in the sectors of industrial production, trade, the food industry, and agriculture.This situation is in line with global trends according to the ACFE report (Association of Certified Fraud Examiners) on a global study of fraud in organizations (Occupational Fraud 2022, a report to the nations).Industrial production is among the top five sectors prone to fraudulent schemes.As in Poland, asset theft is the most common type of fraud in the world; as evidenced by the ACFE study (Occupational Fraud 2022, a report to the nations), it is recorded in 83% of all cases of fraud.As is known, fraud risks are most common in companies in Eastern Europe, and Poland is no exception.This statement is confirmed by the data of international reports on fraud (Figure 4).According to the ACFE report for 2021, the fact of professional fraud was detected in 40% of reported crimes, in 23% of internal audit results, and in 16% of management checks (Figure 5).Thus, for the countries of Eastern Europe, corruption is the most typical type of fraud (Figure 4), which accounts for 20% of all professional fraud schemes.The second place (18%) is occupied by fraudulent actions with non-cash payments.Almost in equal parts, these are followed by falsification, fraud with compensation payments, theft of cash, and fraud with financial statements and cash on hand (Occupational Fraud 2022, a report to the nations).
According to the ACFE report for 2021, the fact of professional fraud was detected in 40% of reported crimes, in 23% of internal audit results, and in 16% of management checks (Figure 5).According to the ACFE report for 2021, the fact of professional fraud was detected in 40% of reported crimes, in 23% of internal audit results, and in 16% of management checks (Figure 5).One should pay attention to the occasional identification of fraud, as it is as much as 7%, and therefore may lead to significant losses for the company or not be detected at all.Occasional cases of detection indicate unsystematic and uncontrolled processes of risk management in the enterprise, which could be as low as possible or completely leveled under the condition of effective risk management.
Given the shift in focus from cost to value, relationships with third parties have begun to be viewed in terms of the strategic opportunity that such third parties can offer organizations.Thus, according to the study, there are five key areas that need improvement in most organizations: dependency and vulnerability, relationship management, corporate governance and risk management processes, technology platforms, and new models of providing products and services.One should pay attention to the occasional identification of fraud, as it is as much as 7%, and therefore may lead to significant losses for the company or not be detected at all.Occasional cases of detection indicate unsystematic and uncontrolled processes of risk management in the enterprise, which could be as low as possible or completely leveled under the condition of effective risk management.
Given the shift in focus from cost to value, relationships with third parties have begun to be viewed in terms of the strategic opportunity that such third parties can offer organizations.Thus, according to the study, there are five key areas that need improvement in most organizations: dependency and vulnerability, relationship management, corporate governance and risk management processes, technology platforms, and new models of providing products and services.
Among the key risks that may adversely affect the activities of enterprises, respondents noted the following: strategic risks involving changes in macroeconomic parameters and market conditions, operational risks related to the implementation of investment projects, regulatory risks related to tax legislation, and financial or price risks.
According to the study of Polish companies, an important element of the organization of the risk management function is its documentation.The existence of a full set of quality regulations and methodological documents contributes to the overall institutionalization of the process, awareness of all participants, improvement of the culture of risk management, and strict implementation of the corresponding procedures (Figure 6).
According to the study, the application of risk management documents such as policies for the management of certain types of risks, methods of risk identification, assessment and management, risk management policies, and so on were the most popular among the companies that participated in the survey.A significant gap among the documents of a strategic nature was found in the low level of the document on risk appetite and strategy for the development of a risk management system.Therefore, in order to reduce the risk of fraud, documentary deficiencies should be taken into account and risk management should be diagnosed and self-assessed.This will not only ensure the continuity of the system's development and eliminate its shortcomings, but will also be the basis for providing objective information to stakeholders.The lack of risk management policy was noted by enterprises in the industrial, transport, and telecommunications sectors, as well as those enterprises with no more than 100 employees.At the same time, companies that have a risk management policy build their goals, objectives, and basic principles in accordance with international standards.
rameters and market conditions, operational risks related to the implementation of investment projects, regulatory risks related to tax legislation, and financial or price risks.
According to the study of Polish companies, an important element of the organization of the risk management function is its documentation.The existence of a full set of quality regulations and methodological documents contributes to the overall institutionalization of the process, awareness of all participants, improvement of the culture of risk management, and strict implementation of the corresponding procedures (Figure 6).According to the study, the application of risk management documents such as policies for the management of certain types of risks, methods of risk identification, assessment and management, risk management policies, and so on were the most popular among the companies that participated in the survey.A significant gap among the documents of a strategic nature was found in the low level of the document on risk appetite and strategy for the development of a risk management system.Therefore, in order to reduce the risk of fraud, documentary deficiencies should be taken into account and risk management should be diagnosed and self-assessed.This will not only ensure the continuity of the system's development and eliminate its shortcomings, but will also be the basis for providing objective information to stakeholders.The lack of risk management policy was noted by enterprises in the industrial, transport, and telecommunications sectors, as well as those enterprises with no more than 100 employees.At the same time, companies that have a risk management policy build their goals, objectives, and basic principles in accordance with international standards.
According to the study, the average level of risk management maturity is present in the companies of almost 42% of respondents, which indicates a significant potential for According to the study, the average level of risk management maturity is present in the companies of almost 42% of respondents, which indicates a significant potential for further development and improvement of risk management.Enterprises with more than 1000 employees have a high level of risk management maturity.
A total of 34% of respondents mentioned risk appetite statement at the enterprise, whereas 31% plan to define and document it in the near future.In 39% of the companies, risk information is taken into account in the process of investment planning/project management.The fact that 34% of the companies have no risk appetite statement indicates an insufficient level of maturity.Risk appetite was stated mainly in large companies, as well as in energy companies.In the sectors of industrial production and agriculture they mostly did not have a risk-appetite statement but planned to have one the near future.
Effective operation of the economic security system when using risk-based management requires integration with all business processes.To achieve the declared goals, top management must take into account information about the risks in business processes, especially when building an enterprise strategy.In 49% of the companies, risk information is taken into account in the processes of internal checks/audits, which suggests the development of risk-based management in the system of internal audit, during which the system is required in matters of internal communication and interaction of stakeholders.A significant part of the representatives of large and medium-sized businesses, which was 68% of respondents, reported that the risks related to the main business processes of the company are identified and assessed quarterly, semi-annually, or annually.
Representatives of industrial enterprises stated that risk management is fully integrated into the main operational processes, and that risks are analyzed not at regular intervals, but on a regular basis (in the process of operational activities)-twice as often as in other sectors.The processes of integrating risk-based management into the management system are more effective in small companies with no more than 100 employees.Disclosure of information on the integration of risk-based management into key enterprise processes and decision-making, as well as information on the management of separate risks in the company's annual reports or on the corporate website, is a positive sign for partners, regulators, investors, and customers.This not only increases the investment attractiveness of the enterprise, but also gives financial results and allows for saving on the cost of insurance and borrowed capital.
For most Polish companies, the results of risk analysis are related to the achievement of strategic goals and budget planning and are taken into account by top management for goal setting/budgeting.Risk analysis in the process of strategic and budget planning is one of the key elements of defective risk management.For example, 39% of the respondents take into account information on risks during the investment planning/project management process, 57% of the respondents during the strategic/business planning process, 49% of the respondents during the processes of internal checks/audits, and 38% of the respondents during the budgeting process/cash flow forecasting.Within the framework of budgeting, it is important not only to identify risks that may affect the goals in order to assess the feasibility of achieving them, but also to take into account in the budget the costs related to risk management in priority areas.Enterprises with a high level of risk management maturity successfully complement this approach using quantitative assessment of the impact of risks on key financial and economic indicators, which provides a relationship with motivation management, and, accordingly, fully implements risk-based management in the context of planning/budgeting.Integration of risk management in cash flow forecasting processes is more typical for enterprises with less than 100 employees.
One of the applied tools of risk-based management is maintaining a risk register.According to the study, most Polish companies (31%) plan to create a risk register in the near future and 50% already have one (Figure 7).No, but it is planned to create one in the near future No, but it isn't planned to create one in the near future The effectiveness of working with a risk register depends on the quality of analysis of both the internal and external environment of the enterprise.At the same time, excessive detail, as well as insufficiency, can significantly reduce the result of the implementation of this document.The average level of detail of risks is offered, namely, from 30 to 80 risks that will give the chance to analyze them more qualitatively and to consider in further work.In this case, it is optimal to create an extended register to reflect the entire field of risk, but detailed analysis and processing should be carried out with a small number of key risks.
When forming a risk register, which is becoming increasingly popular in enterprises, it is important to establish and delineate responsibilities.The risk owner is responsible for its management, timely identification, monitoring, analysis, evaluation, and prevention.The majority of enterprises, namely, 43% of the respondents, confirmed that the risk owners are identified in their organization.In 38% of the enterprises the risk owners are identified but not for all risks, and only 19% of the respondents answered in the neg- The effectiveness of working with a risk register depends on the quality of analysis of both the internal and external environment of the enterprise.At the same time, excessive detail, as well as insufficiency, can significantly reduce the result of the implementation of this document.The average level of detail of risks is offered, namely, from 30 to 80 risks that will give the chance to analyze them more qualitatively and to consider in further work.In this case, it is optimal to create an extended register to reflect the entire field of risk, but detailed analysis and processing should be carried out with a small number of key risks.
When forming a risk register, which is becoming increasingly popular in enterprises, it is important to establish and delineate responsibilities.The risk owner is responsible for its management, timely identification, monitoring, analysis, evaluation, and prevention.The majority of enterprises, namely, 43% of the respondents, confirmed that the risk owners are identified in their organization.In 38% of the enterprises the risk owners are identified but not for all risks, and only 19% of the respondents answered in the negative about the existence of risk owners.Analysis of economic feasibility is a necessary condition for the implementation of effective allocation of resources within risk-based management in the system of economic security of the enterprise.Usually, the analysis of economic feasibility accompanies the decision on key risks or those risks where the conclusions on the feasibility of implementing certain measures are not clear.For example, the majority of respondents, 61% of the companies, conduct cost-benefit analysis when implementing new risk management measures.
Analytical data clearly illustrated the barriers to effective risk management in the respondent companies.The most significant obstacles (20%) were the lack of interconnection between functional structures in terms of management and (19%) the lack of corporate culture of risk management.As a result, cultural and communicative tasks come first (Figure 8).Specialists in risk management must have good psychological skills, the ability to avoid mental traps in decision-making, and a high level of industry knowledge.This may require additional qualifications and competencies to train employees.A total of 59% of the respondents conduct regular training of employees, 46% of the respondents conduct seminars for top management, 40% of the respondents use an internal portal and forum to discuss risk management, and 19% of the respondents conduct certification in the field of risk management.It is important to note that training should not be focused on risk identification, assessment, and management, but on risk-based business management.The lack of competencies required for quantitative risk assessment is one of the main problems in the development of risk management.The low quality of information provided to top management for decision-making, irregularity, and the outdated format used by most respondents are all key reasons for the low level of development of risk management in Polish companies.
The system of regulatory internal control to prevent fraud by staff at various levels is perceived as the most effective mechanism.Unlike in Poland, in global practice an external audit of financial statements is the most effective mechanism to prevent fraud.Specialists in risk management must have good psychological skills, the ability to avoid mental traps in decision-making, and a high level of industry knowledge.This may require additional qualifications and competencies to train employees.A total of 59% of the respondents conduct regular training of employees, 46% of the respondents conduct seminars for top management, 40% of the respondents use an internal portal and forum to discuss risk management, and 19% of the respondents conduct certification in the field of risk management.It is important to note that training should not be focused on risk identification, assessment, and management, but on risk-based business management.The lack of competencies required for quantitative risk assessment is one of the main problems in the development of risk management.The low quality of information provided to top management for decision-making, irregularity, and the outdated format used by most respondents are all key reasons for the low level of development of risk management in Polish companies.
The system of regulatory internal control to prevent fraud by staff at various levels is perceived as the most effective mechanism.Unlike in Poland, in global practice an external audit of financial statements is the most effective mechanism to prevent fraud.According to the ACFE study (Occupational Fraud 2022, a report to the nations), 82% of companies regularly use this tool.At the same time, regular external audits are positively correlated with lower financial losses as a result of fraud and faster detection of negative factors.
Examining the issue of recording the facts of fraud, it should be noted that more than 60% of the respondents have encountered facts of fraud in the company, although most often such offenses are found in the following sectors: industrial production, trade, the food industry, and agriculture.In large enterprises, facts of fraud are recorded more often.This is primarily due to the fact that large companies have a wider range of opportunities to implement fraudulent schemes.More than half (60%) of Polish companies have faced fraud and estimated the average financial loss from such actions as EUR 100,000 for the year, and in 20% of companies, losses ranged from EUR 100,000 to EUR 5 million.
For example, in order to prevent the fact of fraud, taking into account the specifics of the operation of Polish companies, it is suggested to conduct an annual examination.The suggested procedure should include an audit (audit of financial statements, transition to international financial reporting standards (IFRS), forensics, audit of processes and systems), assessment (assessment for audit and reporting according to IFRS, risk management assessment according to international standards, economic security assessment), tax analytics (identification of tax risks, analysis of compliance with tax legislation, tax audit), and a due diligence procedure for investment objects.

Discussion and Conclusions
Disclosure of risk management information to stakeholders is one of the most important measures to reduce fraud in an enterprise.Stakeholders expect detailed information on the risk management system of a company and the key risks to which a particular business is exposed (Yang et al. 2018).Such information is primarily needed to ensure that risk-based management is integrated into all business processes of the enterprise, as well as able to identify and respond to new risks, dangers, and threats in a timely manner.
The strengthening and growth of business reputation is facilitated by the disclosure of information on the most important risks and data that confirm the ongoing work of a company on risk management and prevention (Renault et al. 2018).
Rarely used methods of detecting facts of professional fraud are as follows: rewards for informants, job rotation, and active monitoring.At the same time, for companies operating in Western Europe, a code of conduct (93%) is the most popular method of combating fraud (Catanzaro and Teyssier 2021).It is suggested to include some elements of such a code in the "Concept of risk management in the enterprise" as the main document governing risk management in a company.The management of the certification of financial reporting and an external audit of financial statements (88% each) have proven to have a highly preventive effect in Western Europe (El Baz and Ruel 2021).
The main problem they face when generating risk statistics is the lack of reliable information.Under such conditions, specialists spend from 70% to 80% of working time collecting quality data, and the remaining time is spent on analytics (Singh 2020).For enterprises planning to build a statistical database on risks for the first time, it is necessary to establish and formalize the process of data selection in a single format using IT systems that reduce time and labor costs (Vincent et al. 2019).In this case, you only need to format the processes and build requirements for analysts on the quality of the source data.
According to the authors' study, the key elements of building an effective risk management system in the enterprise are the development and implementation of a risk management policy/concept (31%), the implementation of a risk management process in all functional units of the enterprise (44%), and active support from the executive management (41%).Thus, the priority for the introduction of risk-based management in the economic security of the enterprise is the development and implementation of a basic document that would regulate the processes of coordination of risk management along with practical actions to implement this approach in all functional units of the enterprise.In this process, Polish companies pay special attention to the support from top management.
We believe that Polish companies, when forming an effective system of corporate risk management, should take into account the modern methods of increasing confidence in accounting-analytical support of management information-blockchain technology.For example, among its possibilities, blockchain technology promises the following advantages: decreasing the number of errors-when data gets into the blockchain intelligent contracts carry out many accounting functions, automatically reducing the likelihood of human error; cost reduction-the blockchain will increase the efficiency of the accountant's work and reduce the number of errors, which will help reduce the cost of accounting and check for correctness in the medium term; reducing the likelihood of fraud-to change a record in the blockchain, you must make the same change for all copies of the distributed network at the same time, which is almost impossible; and reduction of audit time-with the help of intelligent contracts you can automate many audit functions, which will reduce the time required by the auditor to view records.
According to the study, for the development of risk-based management in an enterprise priority is given to the following: accounting of information on risks in decisionmaking on enterprise management, accounting of risks in strategic and business planning, budgeting/risk-based planning, quantitative methods and models of risk assessment, etc.
Data from surveys of top management of Polish companies signal the lack of risk management culture and the lack of understanding of the importance of this aspect in the processes of operational and strategic financial and economic activities of business structures.
First of all, the prospects for further studies involve increasing the base of respondentsthe number of Polish companies.It is appropriate to increase the number of surveyed companies to 150.This is necessary because, according to the authors' study, Polish companies with less than 100 employees have no risk management policy.In addition, increasing the number of respondents will allow for additional statistical verification and export of relative conclusions related to the answers about the characteristics of the sample (for example, the economic sector, number of employees, etc.).
Without state intervention and assistance in advisory and regulatory activities, this situation will be difficult to change.Given that macro-level threats and risks are complemented by internal threats, the introduction of risk-based management in economic security systems in enterprises is an urgent task for modern management.The following questions apply to the case when your company works on risk management.Therefore, if you answered "Yes" to the above question, you can go to questions 23-42, 23.How long has your been engaged in risk management activities?We diversify products, activities, etc.
We have a reserve fund (financial resources, stocks of raw materials, finished products, etc.) for contingencies We have developed a strategic plan Others (specify) No answer 29.In your opinion, has risk management been effective for your company?(For example, it has made it possible to cancel unpromising projects or implement risky but successful projects.Or vice versa, it did not prevent erroneous decisions, did not improve the state of the enterprise in the market, etc.) No, but it is planned to do so in the near future

Figure 1 .
Figure 1.Objectives of introducing risk-based management in 50 Polish companies.Source: authors' study.

Figure 2 .
Figure 2. Responsibility for the coordination of risk management processes in the absence of a separate structural division in 50 Polish companies.Source: authors' study.

Figure 2 .
Figure 2. Responsibility for the coordination of risk management processes in the absence of a separate structural division in 50 Polish companies.Source: authors' study.

Figure 3 .
Figure 3. Accountability of the structural division responsible for the coordination of risk management in 50 Polish companies.Source: authors' study.

Figure 3 .
Figure 3. Accountability of the structural division responsible for the coordination of risk management in 50 Polish companies.Source: authors' study.

Figure 5 .
Figure 5. How is professional fraud discovered?Source: based on Occupational Fraud 2022, A report to the nations.

Figure 4 .
Figure 4. Most common professional fraud schemes in Eastern Europe and Western/Central Asia.Source: based on (Occupational Fraud 2022), a report to the nations.

Figure 4 .
Figure 4. Most common professional fraud schemes in Eastern Europe and Western/Central Asia.Source: based on Occupational Fraud 2022, a report to the nations.

Figure 5 .
Figure 5. How is professional fraud discovered?Source: based on (Occupational Fraud 2022), A report to the nation.

Figure 6 .
Figure 6.Risk management documents developed and introduced in 50 Polish companies.Source: authors' study.

Figure 6 .
Figure 6.Risk management documents developed and introduced in 50 Polish companies.Source: authors' study.

Figure 7 .
Figure 7. Presence of a risk register in 50 Polish companies.Source: authors' study.

Figure 7 .
Figure 7. Presence of a risk register in 50 Polish companies.Source: authors' study.

Figure 8 .
Figure 8. Obstacles to effective risk management in 50 Polish companies.Source: authors' study.
the economic activity of your company related to making risky decisions?No, it is not Some economic decisions are related to risks All economic decisions are risky Difficult to answer 11.In your opinion, has the activity of your company become more risky compared to last year or over a 10-year period?economic risks were realized and negatively affected the economic life of your company?Risks in the internal environment of the enterprise Risks in the external environment of the enterprise Risks in the internal and external environment of the enterprise Difficult to answer 13.What internal environment risks were realized and negatively affected the economic life of your company?Check all that apply: Violation of the main production activities of the company Non-implementation of investment and innovation projects or plans Failure in the area of sales (termination of contracts, return of products, refusal to pay for shipped products, etc.) Supply disruptions (disruption of supplies of raw materials, components, etc.) Failures or violations in the management system of the company (failures of software and hardware, management errors, non-compliance with management decisions) Personnel errors and violations of production discipline Other risks (specify) Difficult to answer 14.What external environment risks were realized and negatively affected the economic life of your company?Change of economic legislation and other normative legal acts Possible changes in the conditions of foreign economic activity Actions of regional or local authorities in the economic sphere Deterioration of the socio-economic situation in the region of the enterprise location Emergence of technological, product, and other innovations from competitors Deterioration of the environmental situation or change in environmental regulations Other dangerous trends in the foreign economic environment of the enterprise (specify) Difficult to answer 15.What do you think are the goals of introducing risk-based management in the enterprise?To guarantee the achievement of strategic goals To preserve assets and improve activity efficiency To comply with regulatory requirements To increase the value of the company To improve corporate/credit rating Access to IPO Other 16.Does your company have a separate structural unit responsible for coordination of risk management?Yes, it has No, and it is not planned to create one in the near future No, but it is planned to create one in the near future 17.Who is responsible for coordination of risk management processes in the absence of a separate structural unit?do you think hindered the effective risk management of your company in the current year and may hinder it in the following year?Lack of interconnection between functional units in terms of management Low quality of risk information received Lack of corporate culture of risk management Impossibility to obtain an accurate assessment of enterprise risks Insufficient support of the risk management process by the board of Lack of necessary support from the executive management Lack of necessary financial resources Low efficiency of used tools and methods of risk detection, assessment, and management Other 19.Which of these aspects, in your opinion, are key to building an effective risk management system in the enterprise?Active support from the executive management Accounting for information on risks when making decisions on risk management of the enterprise Support of the risk management system by the board of directors Implementation of the risk management process in all functional units of the enterprise Commitment of all employees of the enterprise to risk management development Organized and formalized process of risk identification and management Effective risk-reporting system Development and implementation of a risk management policy/concept Accessibility of risk information for all interested users Quantitative models of risk assessment Automation of risk management system Clearly defined level of risk appetite Other 20.What areas of risk management development, in your opinion, are key for your company?Accounting for information on risks in making management decisions Risk accounting in strategic and business planning Risk-based budgeting/planning Quantitative methods and models of risk assessment Automation of risk management system Formalization of risk management processes Personnel training Determination of the level of risk appetite (level of acceptable risk) Cost-benefit analysis Creation of a risk register Preparation/improvement of the insurance protection program Other 21.What way of implementation/development of risk management in ensuring economic security do you consider the most effective for your company?Involvement of external experts/consultants Independent development Combined 22.Does your company carry out risk management activities as an independent type of management activity?Select one variant: Not conducted and not planned Not conducted but planned Conducted Conducted as a different type of activity (specify) Difficult to answer representative of your company's top management is responsible for risk management?Director Deputy director Head of one of the administrative services Head of a specially created unit for risk management Head of the security service of the enterprise Other person (specify) 25.Which of the following documents related to risk management have been developed and implemented at your company?Risk management policy Methods of risk detection, assessment, and management Regulations of risk management processes (including reporting forms) Job descriptions of risk managers Provisions of the structural division responsible for risk management Provisions of the risk committee Policy for management of certain risks Risk management development strategy Risk appetite document Other 26.Who does the risk management work at your company?Special risk management division Professionals and specially appointed employees of the enterprise Employees of the enterprise according to one-time management orders Our enterprise risk management is organized differently (specify) 27.Does your company attract external consultants for risk management?We use our own employees We attract consultants that work together with the company's employees We fully involve external consultants in risk management work 28.Which risk management methods were used in your company?We avoid risky decisions We use insurance of transactions We share the responsibility between the partners Risk management only led to losses at our company Risk management gave no positive or negative results Risk management was useful for the company Difficult to answer/do not know 30.Which area of economic activity of your company, in your opinion, could risk management be most useful in?In enterprise financial management In strategic planning In planning investment or innovation projects In the operational economic activity of the enterprise Risk management should cover all areas of the enterprise activities Other (specify) Risk management is not required for our company Difficult to answer/do not know 31.What, in your opinion, could be an indicator of the success of risk management in your company?Number of rejected dangerous (risky) projects Number of accepted risky but successfully implemented projects Reduction of the resources reserved for risk compensation Improvement of the general economic indicators of the enterprise (increase in sales, gross income, profit growth, reduction of non-production costs, etc.) Business expansion of the enterprise (new activities, new products, new markets, etc.) Increase in dividends paid to shareholders Strengthening the market position of the enterprise (expanding market share) Other (specify) Difficult to answer/do not know 32.In your opinion, what prevents your company from using risk management methods?Risk management is useless for such enterprises as our company We have no tradition of risk accounting in economic activity We have no information on the positive results of risk management in other enterprises We have no well-grounded and understandable methodological materials on risk management This requires additional costs and organizational efforts Nothing prevents us from it but we manage to do without risk management Other (specify) Difficult to answer/do not know 33.The structural unit of your company responsible for coordination of risk management processes is accountable to: activities are carried out at your company to develop risk management skills in employees: Regular training of employees Seminars for top management Internal portal and forum for discussion of risk management issues Certification in the area of risk management Other 35.Has a risk register been created in your company?Yes No No, but it is planned to create one in the near future 36.Have risk owners been identified in your company?Yes Yes, but not for all risks No 37. Does your company keep statistics on realized risks (database on realized risks)?Yes No No, but it is planned to do so in the near future 38.Does your company carry out a cost-benefit analysis during the implementation of risk management measures?Yes No 39.Has a risk appetite been stated in your company?Yes No Obstacles to effective risk management in 50 Polish companies.Source: authors' study.