
Qualitative Analysis of Enterprise Risk Management Systems in the Largest European Electric Power Companies

Faculty of Economics and Business, University of Zagreb, J.F. Kennedy Sq. 6, 10000 Zagreb, Croatia
Faculty of Organisation and Informatics, University of Zagreb, Pavlinska 2, 42000 Varaždin, Croatia
Author to whom correspondence should be addressed.
Energies 2022, 15(15), 5328;
Received: 21 June 2022 / Revised: 17 July 2022 / Accepted: 19 July 2022 / Published: 22 July 2022
(This article belongs to the Special Issue Risk Management in the Energy Sector)


Enterprise risk management (ERM) is an important element of an efficient and comprehensive corporate governance system. It represents a combination of activities that minimise the negative impacts of risk exposures on the company’s value and long-term corporate sustainability. Recently, there has been a growing awareness of the role and importance of the risk management function. Such trends are driven partly by the consequences of the last economic and financial crisis and partly by legal and regulatory requirements. The economic downturn caused by the COVID-19 pandemic, volatility in the energy markets and the increased uncertainty expected in the upcoming period reiterate the importance of timely risk management practices, because organisations with developed risk management systems are more resilient in a crisis. This paper analyses the organisation and level of development of ERM systems in the ten largest European electric power companies. The companies’ data on risk management practices are collected from annual reports and analysed by applying Content Analysis (CA), searching for 29 characteristics of a developed ERM system. The results reveal that ERM in the largest EU electric power companies can be considered advanced, as it applies the five dimensions of the COSO 2017 framework. The analysis confirms the existence of 27 out of the 29 characteristics of a developed ERM system, showing that these characteristics are rooted not only in the relevant ERM theory, but also in the practice of large and successful electric power companies.

1. Introduction

Enterprise Risk Management (ERM) is a key element of a mature corporate governance system. It enables the identification, evaluation and management of key business risks by applying its strategies and tactics [1]. One of its key features is comprehensiveness in terms of managing all risk types, i.e., strategic, operational and financial, as well as analysing their interconnection. ERM is a new paradigm of risk management that came to prominence in the period following the global financial crisis, the consequences of which led to the realisation that the traditional approach to risk management (TRM), based on corporate silos, is not suitable for combating business uncertainties, as it does not consider the portfolio of all risks and their interdependencies [2]. The global financial crisis and the risks arising from the COVID-19 pandemic, combined with high volatility and a sharp rise in energy and other raw material prices, therefore provide a strong incentive for a growing number of companies to build robust ERM systems. ERM supports the achievement of strategic goals and ensures the preservation and creation of new value for the owners of invested capital [3,4,5]. However, ERM not only has a positive impact on the company’s value, but a significantly broader impact on long-term corporate sustainability. According to [6], practising a holistic approach to risk management reduces the likelihood of bankruptcy and financial difficulties, thus providing benefits to company stakeholders, such as creditors or employees.
Considering the current negative economic outlook and trends, the volatility in the energy markets and the increased uncertainty expected in the upcoming period, robust ERM systems that are firmly linked to the company’s strategy will be crucial to building the company’s resilience and increasing its success. An effective ERM system implies not only protection against the negative consequences of risk, but also a strategic approach to taking the desired amount of risk that enables the achievement of business goals and the creation of new value. The main challenge is to build an ERM system that provides protection against the negative aspects of risk, but is also proactive and focused on taking advantage of the opportunities arising from the business challenges and risks that companies face. When implementing ERM systems, organisations may use standardised frameworks, the most widely used being COSO 2004 [7]. The framework was amended in 2017, and its revised version, COSO 2017 [8], views the ERM system as a strategic tool that helps companies achieve their strategic goals. Standardised frameworks provide only guidelines and not specific instructions on how to implement ERM in companies [9], so in practice ERM is implemented in different ways. It has therefore been emphasised that future ERM research should be directed towards effective implementation in organisations, and in this context it is important to understand the characteristics of ERM systems that contribute to overall corporate governance and corporate culture [10].
Following this direction for prospective ERM research, the motive for this paper stems from the need to conduct exploratory research of ERM practices in large companies operating in the energy sector, which is highly regulated and exposed to numerous business risks. These companies are therefore expected to have highly developed and efficient ERM systems, and we examine whether this expectation holds in practice. The main aims of this paper are to: (1) present a conceptual measure constructed by Dvorski Lacković et al. [1] which reflects the characteristics of a developed ERM system following the COSO (2017) framework, and (2) explore how these characteristics are implemented in the practice of the EU electric power industry by analysing the ERM systems of the ten largest European electric power companies. These aims are met by using content analysis (CA), due to its flexibility and the many analytical techniques it offers for generating research results [11]. According to [12], CA is an objective and systematic document analysis and, as such, it is used in this paper for the content analysis of the annual reports of the ten largest companies in the electric power industry. The main contribution of this paper stems from a comprehensive analysis of the ERM practices of the largest companies in the EU electric power sector. Another important contribution is the confirmation of the existence of 27 out of the 29 characteristics of a developed ERM system covered by the conceptual measure. This finding serves as evidence that these characteristics are rooted not only in the relevant ERM theory, but also in the practice of large and successful electric power companies, thus confirming in practice the theoretical model developed by [1].

2. Literature Review

The results of the existing research on the impact of ERM on a company’s performance are not consistent, mainly due to unclear evidence and expert opinion on the key features of a developed ERM system and the way they are implemented in organisations [9,13]. According to [14], an additional problem in defining the key features of ERM systems stems from the fact that ERM implementation in non-financial companies is not legally prescribed, but depends on the supervisory board’s incentives and on top management’s motivation and support. Management is therefore often faced with numerous doubts related to ERM system design and its implementation in the company [15]. On the other hand, it is exactly this flexibility in the creation and implementation of ERM systems that allows every company to adapt it to its own needs and use it as a strategic tool for better corporate governance, and not just as a checkbox to meet regulatory requirements.
Recognizing this gap in the literature, Miloš Sprčić [16] and Dvorski Lacković et al. [1] explored the existing ERM literature in search of the characteristics of a developed ERM system. They identified variables that have been proven significant for ERM system development and sought to cover as much of the complexity of ERM as possible, to ensure a better understanding of the dimensions of ERM and of how it is implemented in corporate practice. The exploratory study by Miloš Sprčić [16] identifies 40 relevant ERM characteristics in the literature, built around the COSO (2004) framework. Although conceptual in nature, this research provided a solid basis for further empirical research into ERM development, owing to its comprehensive analysis of existing ERM studies. Given the COSO (2017) revision, which strongly emphasises the link between ERM and strategic management, Dvorski Lacković et al. [1] used the research by Miloš Sprčić [16] as a starting point for identifying the research variables, then revised them and updated the list of ERM characteristics with the findings of recent research. Dvorski Lacković et al. [1] formed a list of 29 variables (Table 1) that represent the characteristics of a developed ERM system. In Table 1, we connect each of these ERM characteristics to the COSO (2017) framework. Namely, COSO (2017) consists of five components: (1) governance and culture; (2) strategy and objective-setting; (3) performance; (4) review and revision; and (5) information, communication and reporting. Each ERM characteristic is related to a specific COSO (2017) component, so the list serves as a conceptual measure for exploring how, and to what extent, the different ERM characteristics and COSO (2017) components are implemented in practice by European electric power companies.
The 29 characteristics of a developed ERM system were tested in [1] using exploratory factor analysis (EFA) with the aim of a deeper understanding of ERM implementation, which resulted in a three-factor ERM model based on strategic, operational and oversight factors. That study found that although COSO (2017) [8] consists of five components, compared with the initial COSO (2004) [7], which had eight, the analysed companies use a simplified approach based on only three components. Corporate practice thus speaks in favour of simplifying the risk management process itself, which makes it easier to implement. These results imply that, although ERM is comprehensive and should be implemented throughout the organisation, its implementation does not have to be overly complex. It is more important that it is understandable and logical to the employees who practise ERM activities, because only then will the ERM system truly be alive and meaningfully used throughout the company. This paper therefore seeks to determine whether the analysed companies in the electric power industry use more complex ERM systems that correspond to the theoretical structure of the COSO (2017) framework, or are closer to the simplified ERM systems identified in the analysis conducted by [1].
An important impetus for researching risk management practices and the application of ERM systems in electric power companies is the lack of such research in the existing literature. The only comparable study is that of Jonek-Kowalska (2019) [41], which evaluates the effectiveness of implementing a comprehensive ERM system in the energy and fuel industry in Poland. Its results showed that all surveyed companies implemented an ERM system primarily because of the industry’s high exposure to numerous external risks, above all market risk, but that the implementation of the ERM system itself did not result in the stabilisation of the companies’ financial results and value.

3. Materials and Methods

In this paper, ERM practices are analysed on the basis of the ten largest European electric power companies, measured by market capitalisation in 2019, according to S&P Global Market Intelligence [42]. The analysed companies and their business activities, retrieved from Reuters [43], are shown in Table 2.
To evaluate ERM implementation in these companies, content analysis (CA) was conducted on their annual reports for 2020. CA is a research method that allows valid conclusions to be drawn from texts using analytical constructs, i.e., rules of inference, to answer research questions or to test research hypotheses [44]. Analytical constructs emerge from known theories, experts’ experience or knowledge, and existing research. CA results are usually placed within the relevant theoretical paradigm [11], in this case ERM theory. The analysed data should meet two criteria to be valid for CA: (1) they must provide evidence for hypothesis testing or for answering the research questions, and (2) they must transmit a message from a sender to a recipient [45].
While conducting the CA, we followed the procedure suggested by [11]. We first established the research hypothesis. H1: The largest European electric power companies implement state-of-the-art ERM systems following the five components of the COSO (2017) framework, proxied by the ERM measure constructed by Dvorski Lacković et al. [1]. Next, we identified the appropriate data source required to test the hypothesis, which served as the communicative material for the CA. Data were retrieved from the annual reports of the selected companies, collected from their official web pages or from the web pages of the stock exchanges on which the companies are listed. The next step was to determine an appropriate sample for generalising the findings to the population, which is a major objective of social science research. We collected data on risk management activities in the 10 largest European electric power companies, which should serve as a benchmark for other companies in the EU electric power industry and globally in terms of corporate governance and risk governance practices. As for the units of analysis, we analysed the annual reports of the selected companies in detail, searching for the sections in which risk governance practices are presented. We later discussed the CA results with independent researchers to minimise bias [46]. Establishing a coding scheme that allows for hypothesis testing is an important step and is done before coding begins. Coding categories are usually selected inductively in social science, but when quantitative CA is employed a deductive approach is recommended, which implies defining the categories from the literature review [47].
The 29 ERM characteristics built around the COSO (2017) components serve as the coding scheme in this research. The goal was to critically evaluate the different dimensions of risk management in order to reach indicative conclusions about the level of ERM development in the leading companies of the electric power industry. CA does not necessarily require the development of a new coding scheme; the schemes of other researchers may be used. The last step in the process is coding the data. Even when an existing scheme is used, here in the form of the ERM characteristics presented in Table 1, text encoding is not an easy task, so careful iterative reading of the text is necessary [11]. After coding, the coded data are analysed so that they are understandable and can be applied to hypothesis testing. The focus was put primarily on the COSO (2017) ERM framework [8], which emphasises five risk management components: (1) governance and culture; (2) strategy and objective-setting; (3) performance; (4) review and revision; and (5) information, communication and reporting. For greater clarity, the similarities and differences in the risk management practices of the analysed companies are presented separately for each component.

4. Results

4.1. Governance and Culture

According to COSO (2017), ERM is not a function or a department, but a combination of culture, skills and practices that organisations integrate with their strategy with the aim of managing risk in the process of creating and preserving value [48]. This emphasises the strategic importance of ERM for companies. One of the most important elements in reaching ERM maturity and efficiency is top management’s active support, because its attitude and approach towards the ERM process are reflected in the organisation’s overall culture and governance [18]. For ERM to be embraced at the level of the whole company, top management’s ERM philosophy should be spread down to the lower managerial levels and to all employees equally.
As can be seen from the annual reports, top management’s active support of and dedication to ERM applies to all of the analysed companies, and it appears to have been common practice in the electric power industry for a long time [49]. The same can be concluded by screening previous years’ reports. Risk management plays an important role in all aspects of doing business, from the strategic and organisational to the operational level, where all employees are continuously involved in the risk management process. SSE PLC [50] (p. 6) reports this as the most important principle of risk management: “Within SSE, we apply the fundamental principle that everyone who works for us is responsible for the management of risk”. Iberdrola’s report likewise emphasises that the ERM process provides a comprehensive view of the efficient and coordinated action of different parts of the organisation, thus increasing the effectiveness of internal control and of the management of significant risks [51] (p. 80). This confirms that the companies recognise the importance of interdisciplinary effort and encourage cooperation between corporate units and the integration of information and knowledge, which leads to a broader business perspective [48].
Some of these companies have gone a step further: beyond establishing a supporting philosophy and ERM culture, they have added a bottom-up approach that encourages the escalation of risk issues and mitigation proposals from middle to top management. This is best described in ENDESA’s report [52] (p. 60), which emphasises the importance of the participation of employees at all levels in improving the complex process of comprehensive business risk identification and internal risk control. ENDESA has introduced a mailbox through which employees can report risks they have identified and propose measures to mitigate them, complementing the formal top-down risk management and control system.
The high level of top management support and the integration of ERM into corporate governance are also visible in the companies’ organisational structures. Only two of the analysed companies report having appointed a Chief Risk Officer (CRO), Energias de Portugal and Fortum Oyj, as far as can be determined from their reports. In their organisational structures, the Risk Management Department/Corporate Risk Management (headed by the CRO) sits under strategy as a corporate function [53] (p. 53), [54] (p. 27), which is one of the most important elements of an effective and mature ERM system. Although we expected most of these companies to have an appointed CRO, the other analysed companies do not report one; each of them, however, has a formal body representing the risk management function, an audit and/or risk committee, which, as pointed out in [23] (p. 232), serves as a substitute for a CRO. These committees oversee the risk management process and are positioned near or directly under the board, where risk management outputs, such as reviews of and suggestions on principal risks, measurements and corrective measures, are used by the board in strategic planning and decision making. More importantly, in all of the analysed companies these committees were appointed by the board of directors as a sign of its support for the risk management process. They report directly to the board [53] (p. 182) and assist it in selected business areas [55] (p. 58).
The analysed companies create a formal written risk management policy that establishes the basic principles and the risk management framework bearing on the execution of the strategy and the business as a whole. The aim of this policy is to ensure that risks are systematically identified and evaluated, and effectively managed within the established levels of risk control [52] (p. 133). This implies a predefined risk appetite, i.e., the amount of risk the company is prepared to accept in order to achieve its strategic goals [48]; [50] (p. 6). Enel [56] (p. 79) reports that it is adopting a Risk Appetite Framework to ensure effective management, for each risk and for the risk portfolio, as well as risk metrics and modelling. At SSE PLC, there is a guide to risk management practices called The Risk Blueprint, which is available to all employees within the group. This document is updated annually in accordance with the group’s risk management and internal control policy [50] (p. 6).
The established frameworks and written procedures set by top management are not merely a facade projecting a positive image of the ERM process to stakeholders without its implementation in operating processes, a concern raised in [1]. This is evidenced by the development of several distinct risk management policies that provide methodologies and guidelines for the identification and evaluation of key risks. These include documents such as “the Enterprise Risk Management Policy, the Risk Appetite Framework Policy, the Limits Structure of the Energy Management Business Unit, the Financial Management Policy, the Counterparty Policy, the Insurable Risk Management Policy, the Occupational Health and Safety Policy, the Information Security Policy, and the Principles, Structure, and Procedures for Crisis Management and Business Continuity” [53] (p. 58). The purpose of these documents is to enable business continuity under different economic and environmental conditions, as emphasised in [19].
A very important aspect of ERM implementation is the establishment of the so-called Three Lines of Defence. It provides for the effective and coordinated interaction of different parts of the organisation, increasing the efficiency of the management of significant risks and of internal control processes [51] (p. 80). This is achieved through the separation of management and control functions, as well as their complementarity and independence [56] (p. 77). For every line of defence, specific risk-responsibility bodies with formally established assignments are designated. According to the CA results for the selected annual reports, Enel Group, ENDESA, Fortum Oyj, Iberdrola, Terna, Electricité de France and Energias de Portugal have implemented the Three Lines of Defence/control risk management framework. The first line of defence can be regarded as the operational level of risk management, responsible for the day-to-day proactive management of business risks. ENDESA [52] (p. 51) assigns responsibility for the first line of defence to business line managers, staff and the service functions. As stated in the Energias de Portugal report [53] (p. 181), they are responsible for the risks pertaining to their business activities, which they should manage in accordance with their delegated function, knowledge and expertise. Fortum Oyj [57] (p. 12) additionally emphasises their responsibility for setting up and implementing operational processes and the related controls, including monitoring. Finally, according to Terna [58] (p. 89), the aim of the first line of defence is to provide corrective actions that ensure the work is performed properly.
The second line of defence is carried out by various organisational areas and committees [52] (p. 51), whose responsibility is to support the first line of defence by proposing guidelines and procedures for the risk management process. These cover risk identification, valuation, mitigation and monitoring, as well as the screening of potential risks. They monitor not only changes in the environment, but also changes in corporate governance and risk management practices, to ensure that the best solutions are implemented in the organisation [58] (p. 89). Finally, the second line of defence monitors the implementation of these procedures by the first line of defence and reports on it to the governing bodies [59] (p. 98), in coordination with the audit and compliance committee [52] (p. 51).
The third line of defence is the responsibility of internal audit or the group risk committee, which should proactively ensure the proper functioning of the first two lines of defence. Owing to their high degree of organisational, hierarchical and functional independence, they provide an independent assessment of internal control compliance, assuring that all practices are “fit for purpose” [57] (p. 12); [58] (p. 89).
These three lines of defence are complemented by external assurance or audit and by regulation/supervision, regarded as an external fourth line of defence [51] (p. 80); [53] (p. 52); [54] (p. 13). Although it does not use this terminology, SSE PLC appears to follow a similar risk management framework. It reports a Group Risk Management and Internal Control Policy, responsible for the evaluation of the System of Internal Control (comparable to the third line of defence). SSE’s group executive committee and the relevant sub-committees are responsible for supervising the group’s main risks and revising risk management procedures [50] (p. 6), while the managing directors of SSE’s business units are in charge of tailoring operational risk management: they assess the associated risks and also evaluate and suggest improvements to risk controls and assurance arrangements. This procedure corresponds largely to the first line of defence.
Energias de Portugal [53] (p. 52) emphasises some of the main benefits of the three lines of defence model, such as avoiding duplicated effort and gaps in the risk management process, fostering cooperation and collaboration between business areas, and facilitating communication on the most important sources of risk and on mitigation procedures. The model also provides for adequate actions to minimise risks, which in turn maintains stakeholders’ confidence and improves the company’s competitiveness [53] (p. 52). It is very important to adopt a dynamic and flexible risk management framework that ensures a quick and proactive response to changes in the environment or to internal problems, so that strategic goals are achieved to the fullest.

4.2. Strategy and Objective-Setting

The integration of ERM into organisational culture and corporate governance, as described above, has enabled the companies to use ERM as a strategic tool. This is confirmed by the fact that risk management output is included in strategic planning, strategic decision-making and the capital allocation process. We found the following evidence for this argument. According to the SSE PLC report [50] (p. 3), the successful achievement of its strategic business goals depends on the identification, understanding, evaluation and management of principal risks. Management has therefore established a risk management framework and an internal control system to support decision-making, value creation and the achievement of the company’s strategic goals. SSE’s management states that it will remain “focused on risk management as an essential means of fulfilling its strategic goal of creating value for shareholders and society” [50] (p. 23). A similar use of ERM output is reported by ENDESA [52] (p. 134), which states that its key business aims are the maximisation of profitability, the preservation and growth of capital for the owners, and ensuring a given level of goal achievement. To achieve these aims, it is crucial to recognise and prevent the negative impact of uncertain future events that may jeopardise the business, its sustainability, resilience or reputation, thereby protecting the interests of both owners and other stakeholders. The importance and inseparability of risk and strategy is also reflected in the reporting of these two corporate functions together in annual reports under the same heading (for example, the “Strategy and Risk Management” part of Enel’s report, [56] (p. 24)). Enel further reports Risk Management as an important element of the value chain or value creation process, in which Strategy and Risk Management act together and are inseparable. It also notes that the board of directors directs and coordinates risk management activities, which enables informed strategic decision-making that takes into account not only important business risks but also opportunities in the context of long-term business sustainability [56] (p. 79).
To stay competitive in a rapidly changing and complex world, companies must continuously and thoroughly analyse the macroeconomic environment, the industry and the main competitive forces. As published in the SSE PLC report [50] (p. 3), analysis of the macroeconomic and industry environment is the basis for identifying the main risk groups, which in turn shape the board’s approach to setting strategic goals and making informed strategic decisions. Management also conducts SWOT analyses to identify the company’s strengths, weaknesses, opportunities and threats, as reported by Ørsted [55] (p. 71), which states that it analyses and manages climate-related risks and opportunities as an important part of its green vision and strategy. In doing so, it seeks to exploit climate-related opportunities through research and development and through investment in renewable energy sources, while actively working to mitigate the associated risks. Energias de Portugal [53] (p. 56) reports that, in addition to in-depth monitoring of key business risks, the company analyses key environmental trends, identifies threats and opportunities on that basis, and proactively develops strategies for managing and mitigating the negative consequences of risk.
The annual reports of the analysed companies contain substantial sections devoted to an overview of macroeconomic and industry forces, with reflection on the anticipated impact of these factors on the company’s prospects and performance. The companies report that they define their goals in accordance with environmental trends and global targets for energy systems and the ecological transition. These objectives are clearly communicated in the annual reports, with strictly defined timeframes for achieving them. For example, the Italian electric power company Terna states that the goal of its 2021–2025 Industrial Plan, “Driving Energy”, is to reaffirm and strengthen Terna’s central role in managing Italy’s energy system and enabling the environmental transition as a major driver of the country’s efforts to achieve the goals of the European Green Deal and Italy’s Integrated National Plan for Energy and Climate, primarily by reducing CO2 emissions by 55% by 2030 as the first step towards zero emissions by 2050 [58] (p. 65). Moreover, the company precisely defines its business objectives and links measures of business success to potential risks: Terna’s report [58] (p. 90) states that the framework of business objectives allows management to identify risk events that may jeopardise the achievement of those objectives.
Most of the companies report three main drivers of future electricity markets: climate and environment, politics and regulation, and technology development. They emphasise the ongoing transition towards a decarbonized world, in which they need to take on an active and progressive role to stay competitive. Fortum Oyj [60] (p. 6) confirms this by reporting on the development of their business strategies using a scenario method that anticipated the expected development of the regulatory environment and its impact on existing and potential businesses and markets. They are aware that the complexity of regulatory changes in different markets in which they operate is an important risk factor, so they use an anticipatory approach in identifying and managing these changes. This confirms there is an adequate understanding of the impact of environmental changes for a company’s operations in the short and long term, once again confirming the utilisation of ERM as a strategic tool.

4.3. Performance

A very important aspect of the ERM framework is its connection to performance. According to COSO (2017), Performance is related to the identification of risks, the assessment of their severity, the prioritisation of risks, the implementation of risk responses and the development of a portfolio view. Based on the environment screening, the management identifies and assesses the key or principal risks, which are most influential in achieving strategic plans and objectives. This covers all risk groups: strategic, financial and operational, which are then scaled according to their impact and probability, i.e., visualised via a risk map and other qualitative and quantitative tools. The operationalisation of the established framework consists of standardised phases of the risk management process, as reported in most annual reports. Namely, four stages of the risk management process are recognised: identification, valuation/assessment, treatment/mitigation and monitoring. These phases are repeatedly executed and periodically revised and updated (at least annually for Fortum Oyj [57] (p. 12); during the third quarter of the year for SSE PLC [50] (p. 2), etc.). For example, Terna [58] (p. 90) reports that their risk management is spread and embedded within the organisation, where the defined process involves systematic and iterated risk identification, estimation, treatment and monitoring; Verbund [61] (p. 110) states that they structured their risk management system on a framework established on uniform principles of the group, so as to provide extensive and holistic coverage of both key and potential risks and opportunities and to treat them in a standardised way across all members of the group; Enel [56] (p. 79) states that their internal control and risk management system (the ICRMS) is made up of rules, procedures and organisational structures that enable the aforementioned phases of the risk management process to manage the group’s principal risks properly.
The identification process includes the recognition of risks whose materialisation could cause serious material financial consequences and lead to non-compliance [57] (p. 12). All the analysed companies have a wide range of different risk categories, both existing and emerging. Table 3 provides a brief overview of the different risk categories reported by each company. It can be concluded that most of the companies identify similar risk types but categorise them under similar or somewhat different names. However, it can be recognised that the most common risk types identified by the electric power companies are strategic, financial, operational, compliance/regulatory, environmental, IT/cyber and market risk. ENDESA [52] (p. 60) best describes the purpose of the first phase of risk management, i.e., risk identification. Namely, the aim is to provide a list of risks which could disrupt the achievement of the set goals. For this reason, identification must consolidate risks that originate both inside and outside of the organisation, i.e., risks within and outside the control of the company.
Each risk event is assessed based on the combination of two dimensions: the probability of risk occurrence and the significance or impact that it may have on the achievement of business objectives. Electricité de France [59] (p. 99) describes the stages of the risk mapping process, starting from risk identification and typology (internal vs. external; operational, strategic, etc.), continuing with the assessment of the impact and probability of occurrence of each risk, setting the mitigation measures and action plans for dealing with identified risks, and finally reviewing the effectiveness of the adopted measures. Ørsted [55] (p. 70) reports they have a systematic approach to the risk management process, as suggested by the Three lines of defence model they adopted. Namely, the first line of defence, i.e., business units and selected staff functions, is responsible for the identification and prioritisation of different risks. The risks are then assessed based on their potential impact on the company’s objectives and the time duration of impact and/or occurrence (short-, medium-, long-term or recurring). Further on, they report the use of scenario analysis that serves as a projection of the impact on value and credit metrics for risks with a probability above 10%. After the group members have assessed all the risks, they are consolidated and evaluated at the group level. Similarly, ENDESA [52] (p. 60) reports the use of different methodologies suitable for risk assessment according to their characteristics, such as scenario analysis and sensitivity analysis.
Many other companies also report using the above techniques as an important practical tool in risk management. Ørsted [55] (p. 73) reports they conduct these studies through research, interviews and workshops across business units, but also through attending and participating in risk management related forums across the energy sector, where they gather relevant and up-to-date experiences. Fortum Oyj [54] (p. 15) recognises the importance of assessing different future market and regulation scenarios and including such projections in strategy development. SSE PLC [50] (p. 6) also confirms the usage of scenarios to estimate the interconnectedness and relations of different risks. Namely, based on real-life events on both local and global markets, they conduct stress tests of the scenarios that are estimated to have the greatest adverse impact on SSE’s goals. Moreover, in addition to their individual impact, they also estimate the cumulative impact of the different scenarios that are most relevant for the achievement of business objectives.
Once the principal or key risks have been identified, evaluated and classified as a risk or opportunity, possible mitigation measures and strategies are designed for each of them. The feature that most distinguishes ERM from TRM (traditional risk management) is the development of a portfolio view on risks. Namely, in TRM, risks are managed in isolation, by practising the so-called silo-based approach. This means that every business unit managed the risks it was exposed to in isolation, without assessing how these risks are connected to other risks at the level of the company [6], thus leading to missed opportunities in risk exploitation and impact on the company’s performance. The analysed companies implement a portfolio view by analysing the interdependence between identified risks and their impact on performance, as discussed throughout this section, by implementing various analyses of how diverse risks may impact a company’s goals in financial and non-financial terms. Examples of this approach are visible in their annual reports (for example: Verbund [61] (pp. 110–113); Energias de Portugal [53] (p. 56); SSE PLC [50] (p. 3); Enel [56] (pp. 77–104)). Moreover, companies report that they regularly revise the mitigation measures and adjust them in accordance with the new risks that arise and the interdependencies of these risks with the already existing risks and the company’s performance. For example, Energias de Portugal [53] (p. 56) states that they map key local and global trends identified as potential threats and opportunities, for which they proactively develop adequate risk management strategies. Ørsted [55] (p. 71) emphasises the importance of reassessing the risk level and further initiating corrective measures to achieve the appropriate and desired level in accordance with their risk appetite.

4.4. Review and Revision

All companies report the establishment of an audit and/or risk committee, an internal body whose main responsibility is to ensure the appropriate functioning of the risk management system. According to ENDESA [52] (p. 40), it provides support for a culture in which risk management is incorporated in decision making at all levels of the company, including the participation of senior management in strategic risk control and decision-making. Electricité de France [59] (p. 99) reports that the executive board meets at least twice a year as the risk committee. At thematic meetings, special focus is put on ranking and mapping the risks to which the group is exposed, analysing internal control and audit activities, as well as analysing annual results and the achievement of goals. The tasks of the risk committee are to identify priority risks for Electricité de France, to design and implement a risk mitigation strategy and to appoint the executive board members who are its sponsors.
Audit and/or risk committees are usually integrated into a company’s organisational structure directly under the board of directors and report directly to them, assisting them in making viable strategic decisions by providing important risk management outputs. For example, Energias de Portugal [53] (p. 184) reports that the main objective of the EDP group risk committee is to support the executive board of directors in decision making by providing important information about risks. Namely, the risk committee has some important tasks, such as assisting the board in the identification of principal and potential risks and establishing the group’s risk appetite through the review of risk-relevant information; participating in discussions of the results obtained through risk analysis and evaluations of corporate units and departments; performing an advisory role in developing risk management strategies; and monitoring the evolution and trends of significant risks. Similarly, ENDESA [52] (p. 63) lists some of the most important assignments of the risk committee, such as active participation in the development of the risk management strategy; ensuring the proper functioning of risk management and control systems through the identification, assessment and management of risks that significantly affect the company; ensuring adequate risk mitigation by the internal control and risk management system (ICFR); providing reports to the board of directors on current and potential risk exposure; promoting a culture in which employees at all levels incorporate risks in their decisions, etc. In short, Terna [58] (p. 89) concludes that the role of the audit and/or risk committee is the independent assessment of the efficiency of the internal control and risk management system.
SSE PLC [50] (p. 28) reports in detail on the risk management process, confirming the regular implementation of an extremely important process of continuous review and evaluation of the ongoing risk management strategy, as well as the identification of various internal and external risk factors to which the company is exposed. The group’s executive board and its sub-committees oversee SSE’s key risks. The SSE oversights committee evaluates the risks with the greatest impact on the business during the third quarter of each financial year. Their estimation includes comments on changes in risk significance during the year. Emerging risks are also considered in terms of their potential to become key risks, as well as in terms of the time when this could happen. The members of the oversights committee consolidate their opinions into reports and present them to the committees. These reports also include interim viability test results, analysis of relevant management information and crucial information regarding business unit principal risks and controls. Therefore, they present the basis for a reasoned committee discussion and confirmation of risk trends, as well as an assessment of the overall success of the risk control and monitoring process, including comments on required control improvements. This process is iterative and inclusive, and as such provides objective and robust assessments of key risks that are further presented to the group’s executive board for a complete audit.
Electricité de France [59] (p. 100) reports that their entities have several documents and tools at their disposal that provide support to the risk management process. The first is SIGR—the risk management information system—which provides a methodology for risk analysis and software for risk mapping, while the second is the internal control information system—a guide for the internal control approach with a detailed framework for self-assessment and a platform for summarising and sharing self-assessment outputs. Based on these reports, the EDF group’s risk department provides the management and governance bodies with a consolidated and updated overview that includes a map of key risks and an overall assessment of the internal control process. Finally, after these reports are verified by the risk committee and examined by the audit committee, they are presented to the board of directors.
These committees meet frequently, at least 2–3 times a year. According to the reports, in 2020 these committees met as follows: three times (Verbund [61] (p. 37)), four times (Energias de Portugal [53] (p. 141)), eight times (Ørsted [55] (p. 64)), around ten times per year (Fortum Oyj [57] (p. 8)) and even twelve times per year (ENEL Group [56] (p. 38)).

4.5. Information, Communication and Reporting

For the risk management process to work properly, a reporting loop is a must. It is important to have a highly efficient risk reporting system that keeps management informed regarding actual and emerging risks, and to enable corrective and mitigation actions in response to risks [56] (p. 77). As stated before, one of the most important tasks of the risk committee is to question the existing risk management process/framework and to continuously improve it. At least once a year, the committee submits a formal report to the board of directors for a full review. For example, Iberdrola [51] (p. 23) states that they provide the board of directors with annual reports on risk management and control systems, as well as quarterly and semi-annual reports on risk analysis. To supply the board of directors with relevant and purposeful reports, the participation of all levels of management and all employees is necessary. First, the organisational structure of the firm and the risk management framework should support the timely exchange of information. This is to the greatest extent achieved through the Three lines of defence system and the establishment of a risk committee that ensures the exchange of risk-related information between middle and top management. Although risk management strategies are developed and procedures for risk management standardised, as reported in Review and revision, all of this is subject to revision, at least on an annual basis.
Risk owners meet regularly to discuss existing and emerging risks and ways to improve their risk management strategies and practices. For example, Energias de Portugal [53] (p. 58) reports that these meetings are used to establish methods for periodically reporting on the most influential risks, allowing them to monitor current and potential risk trends and assess whether exposure to different risks is consistent with established limits. Similarly, ENDESA [52] (p. 64) makes risk owners responsible for the preparation of Follow-up Reports for the Audit and Compliance Committee (“CAC”), in which they present the compliance of risks in their scope of responsibility with the defined limits, as well as an assessment of the mitigation measures’ effectiveness. Moreover, Energias de Portugal [53] (p. 102) reports on the development of risk officers’ meetings through workshops with the EDP group’s network of risk officers as an important development in 2020, ranked high as a priority for 2021. The aim of these workshops and meetings is to share and exchange best practices in the risk management process. Something similar is reported in Verbund’s report [61] (p. 133), which gives the number of workshops held through the year, where the focus was put on the crucial recent trends and developments in the energy market, such as decentralisation, digitalisation, decarbonisation, etc.
Enel group [56] (p. 50) also reports forming working groups and panels of experts of various profiles essential for the appropriate analysis of important topics, as one of the phases of the strategic dialogue process. They also prepare specialised workshops dedicated to discussing strategic options. This process allows for the identification of business opportunities and threats related to any operational, economic or financial impact they may have, as well as a roadmap for implementing the necessary initiatives. Results of the workshops are then discussed by top management in special meetings. Ørsted [55] (pp. 71–73) similarly mentions workshops organised across business units dedicated to the assessment of cyber and climate-related risks, as well as regular attendance at various energy sector forums where they accumulate new and innovative ideas but also contribute with their experience and expertise.

5. Discussion

By performing detailed CA of the annual reports of the 10 largest European electric power companies, we collected enough data to test and confirm the research hypothesis that the largest European electric power companies implement state-of-the-art Enterprise Risk Management systems following the five components of the COSO ERM 2017 framework, proxied by the ERM measure constructed by Dvorski Lacković et al. [1].
Regarding the first ERM dimension, Governance and culture, as can be seen from the content of the annual reports, there is active support for risk management systems from the top management levels in all analysed companies, and it plays an important role in the strategic and operational management of company resources. The analysed ERM practices indicate comprehensive and coordinated actions of different parts of the organisation, which increases the effectiveness of the process of internal control and management of significant risks. Most of the analysed companies have implemented a risk management framework called the Three lines of defence, which ensures effective and coordinated interaction of different parts of the organisation and increases the efficiency of the process of significant risk management and internal controls. These three lines of defence are complemented by external audit and supervision, which are considered the fourth line of defence. This result confirms that top management recognises the importance of interdisciplinary efforts and encourages cooperation between corporate silos and the integration of information and knowledge, which is clear evidence of advanced risk management systems. Each of the analysed companies has a formal body that represents the risk management function, such as an audit and/or risk committee. These committees oversee the risk management process and are positioned near or immediately below the management board, thus ensuring timely communication with decision-makers about risk exposures and the inclusion of risk information in strategic planning and management. The analysis also found clear evidence that all electric power companies create a formal written risk management policy to ensure systematic and timely risk identification and assessment, as well as effective management within the established levels of risk control.
The integration of ERM into organisational culture and corporate governance described above has enabled the analysed companies to use ERM as a strategic tool, which is also evidence of the advanced ERM systems in line with the second dimension of the COSO (2017) framework called Strategy and objective-setting. Moreover, all companies conduct a constant and thorough analysis of the macroeconomic environment, industry and main competitive forces with reference to the expected impact of different external factors on the prospects and performance of the company. In that context, most companies report three main drivers of future electricity markets: climate and environment, policy and regulation, and technology development.
In the context of the third ERM dimension Performance, a detailed analysis of the business environment and business operations of the company allows management to identify and assess the key risks with the greatest impact on the achievement of strategic plans and goals. The analysis covers strategic, financial and operational risks, which are evaluated according to their impact and probability, i.e., they are visualised through the risk map and other qualitative and quantitative tools. The risk management model according to the three lines of defence avoids possible omissions in risk management procedures and activities and encourages cooperation and better communication within the organisation. The analysis of the report found evidence of the use of various methodologies suitable for risk quantification, such as scenario analysis and sensitivity analysis. Scenarios are also used to assess the interrelationships and correlations between different risks. Once the key risks have been identified, assessed and classified as a risk or opportunity, mitigation measures and strategies are created for each of them, all of which are presented to the public in annual reports.
The fourth ERM dimension Review and revision is reflected in the companies’ reports through the establishment of the audit and/or risk committee, an internal body whose main responsibility is to ensure the proper functioning of the risk management system. In the reports of the analysed companies, evidence was found that the mentioned committees meet often, at least 2–3 times a year. The tasks of the audit and/or risk committee are to identify priority risks, to design and implement a risk mitigation strategy and to appoint managers who are its sponsors. The ERM processes described in the reports confirm regular implementation of an extremely important process of continuous monitoring and evaluation of the existing risk management strategy, as well as identification of new internal and external risk factors that have not been previously addressed. Ongoing assessment also includes the analysis of the risks’ significant changes during a business year. Emerging risks are also considered in terms of their potential to become key risks, as well as in terms of the time when this could happen.
For the risk management process to function properly, the fifth dimension of the ERM process Information, communication, and reporting is unavoidable. Based on the conducted analysis, it can be confirmed that all analysed companies have an effective risk reporting system through which management is informed about existing and potential risks as well as methods and strategies for their management. Given the detail of the publicly announced annual reports, it can be concluded that the communication with external parties is quite extensive and transparent. There are significant parts of the report dedicated to emerging risks and risks that the company is exposed to, together with all the metrics of their possible impact on the company’s performance, as well as mitigation techniques. Organisational structure, policies and risk management frameworks in the analysed companies support the timely exchange of information. We also found evidence that risk owners meet regularly in workshops to discuss existing as well as new risks and to improve risk management strategies and practices.

6. Conclusions

Based on the comprehensive analysis of ERM practices of the largest companies in the EU electric power sector, we can conclude that these companies, representing the energy industry, can serve as a benchmark to other companies and industries in terms of quality of risk governance. Research results confirm the existence of 27 out of 29 characteristics of the developed ERM systems. This finding serves as proof that these characteristics are rooted not only in the relevant ERM theory, but also in the practice of large and successful power companies, which confirms the tested theoretical model in practice. Research results also suggest that analysed companies use more complex ERM systems that correspond to the theoretical settings of the five components of the COSO (2017) framework rather than to the simplified three-factor model as shown in [1].
We could not find evidence for the following two characteristics of a developed ERM system: (1) C4 which measures the trust of employees that the real level of risk a company is exposed to is reflected in the boards’ decisions concerning future business activities, and (2) C27 reflecting the existence of continuous board reporting about problems in risk management or problems related to measures determined for treating identified and assessed risks. This problem stems from the limitations of our research. By relying on the publicly available information, it was not possible to collect all research data, as companies do not report every detail related to risk management systems and risk governance practices. An in-depth interview or a survey should be conducted to enable the collection of insider information.
Another limitation of this research, but also of ERM research in general, is the usage of different ERM measures. As there is no unique ERM measure in the literature, different authors have tried to develop proxies for its measurement. Apart from the three-factor ERM model developed by [1] that measures the strategic, operational and oversight dimensions of the ERM process, other authors have proxied ERM with measures such as: (1) a binary variable noting the existence of a chief risk officer [63,64], (2) the usage of ERM ratings developed externally by rating agencies [14,27] or (3) ERM indices developed on the basis of certain characteristics an ERM system is expected to have [2,4,9,13,23]. The main problem arising from these inconsistencies in ERM measurement is the inability to compare the results of different studies, especially in the segment analysing the influence of ERM on company performance. While some authors have investigated the impact of ERM on company value measured by Tobin’s Q [2,14,63,64], others have analysed the impact of ERM on company performance measured by financial indicators [4,5] or performance estimated by financial and non-financial measures [65]. The results are ambiguous and inconclusive and support the thesis that methodological advances and new empirical evidence are required in the field of ERM measurement and ERM performance analysis.
This paper opens the possibility for future research that should be conducted on a larger sample of companies as well as on other markets and industries, which would allow further verification of the presented theoretical ERM framework. We believe that future ERM research will use a predominantly qualitative methodology that allows an in-depth examination of the mechanisms through which ERM systems operate in practice and whose fundamental goal is to protect the existing value of the company, but also increase value for all stakeholders. Having in mind the growing complexity of the risk environment and all the information companies have to process and report related to risks, we believe that there are many venues for future research related to the usage of information and communications technology (ICT) in ERM.

Author Contributions

Conceptualization, D.M.S., E.P. and I.D.L.; methodology, D.M.S. and I.D.L.; validation, D.M.S.; formal analysis, E.P. and D.M.S.; investigation, E.P. and D.M.S.; resources, E.P., D.M.S. and I.D.L.; data curation, E.P. and D.M.S.; writing—original draft preparation, E.P., D.M.S. and I.D.L.; writing—review and editing, D.M.S., E.P and I.D.L.; visualisation, D.M.S., E.P. and I.D.L.; supervision, D.M.S. All authors have read and agreed to the published version of the manuscript.
Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

1. Dvorski Lacković, I.; Kurnoga, N.; Sprčić, D.M. Three-factor model of enterprise risk management implementation: Exploratory study of non-financial companies. Risk Manag. 2022, 24, 101–122.
2. Miloš Sprčić, D.; Mešin Žagar, M.; Šević, Ž.; Marc, M. Does enterprise risk management influence market value—A long-term perspective. Risk Manag. 2016, 18, 65–88.
3. Lechner, P.; Gatzert, N. Determinants and Value of Enterprise Risk Management: Empirical Evidence from Germany. Eur. J. Financ. 2017, 24, 867–887.
4. Florio, C.; Leoni, G. Enterprise risk management and firm performance: The Italian case. Br. Account. Rev. 2017, 49, 56–74.
5. Callahan, C.; Soileau, J. Does Enterprise risk management enhance operating performance? Adv. Account. 2017, 37, 122–139.
6. Marc, M.; Miloš Sprčić, D.; Mešin Žagar, M. Is enterprise risk management a value added activity? Ekon. Manag. 2018, 21, 68–84.
7. Committee of Sponsoring Organizations of the Treadway Commission (COSO 2004). Enterprise Risk Management Framework; American Institute of Certified Public Accountants: New York, NY, USA, 2004.
8. Committee of Sponsoring Organizations of the Treadway Commission (COSO 2017). Enterprise Risk Management Integrating with Strategy and Performance; Executive Summary; American Institute of Certified Public Accountants: New York, NY, USA, 2017.
9. Lundqvist, S.A. An Exploratory Study of Enterprise Risk Management: Pillars of ERM. J. Account. Audit. Financ. 2014, 29, 393–429.
10. McShane, M.K. Enterprise risk management: History and a design science proposal. J. Risk Financ. 2018, 19, 137–153.
11. White, M.D.; Marsh, E.E. Content Analysis: A Flexible Methodology. Libr. Trends 2006, 55, 22–45.
12. Conley, C.; Tosti-Kharas, J. Crowdsourcing content analysis for managerial research. Manag. Decis. 2014, 52, 675–688.
13. Miloš Sprčić, D.; Kožul, A.; Pecina, E. Managers’ Support—A Key Driver behind Enterprise Risk Management Maturity. Zagreb Int. Rev. Econ. Bus. 2017, 20, 25–39.
14. Farrell, M.; Gallagher, R. The Valuation Implications of Enterprise Risk Management Maturity. J. Risk Insur. 2015, 82, 625–657.
15. Paape, L.; Spekle, R.F. The Adoption and Design of Enterprise Risk Management Practices: An Empirical Study. Eur. Account. Rev. 2012, 21, 533–564.
16. Miloš Sprčić, D. Determining Quality and Effectiveness of Enterprise Risk Management System. In Proceedings of the 33rd International Business Information Management Association Conference, Granada, Spain, 10–11 April 2019; pp. 902–913.
17. Herrinton, M. How Mature Is Your Risk Management? Harvard Business Review, 29 June 2012. Available online: (accessed on 5 July 2022).
18. Mikes, A.; Kaplan, R.S. Towards a Contingency Theory of Enterprise Risk Management; Working Paper; Harvard Business School: Brighton, MA, USA, 2014.
19. Power, M. The risk management of nothing. Account. Organ. Soc. 2009, 34, 849–855.
20. Grace, M.F.; Leverty, J.T.; Phillips, R.D.; Shimpi, P. The Value of Investing in Enterprise Risk Management. J. Risk Insur. 2015, 82, 289–316.
21. Ittner, C.D.; Michels, J. Risk-based forecasting and planning and management earnings forecasts. Rev. Account. Stud. 2017, 22, 1005–1047.
22. Aebi, V.; Sabato, G.; Schmid, M. Risk management, corporate governance and bank performance in the financial crisis. J. Bank. Financ. 2012, 36, 3213–3226.
23. Beasley, M.; Branson, B.; Pagach, D. An analysis of the maturity and strategic impact of investments in ERM. J. Account. Public Policy 2015, 34, 219–243.
24. Henschel, T. Risk Management Practices in the Main Industries of German Small to Medium-Sized Enterprises. An Empirical Investigation. Ph.D. Thesis, Napier University, Edinburgh, UK, 2007; pp. 1–301.
25. Monda, B.; Giorgino, M. An Enterprise Risk Management Maturity Model. MPRA Paper No. 45421. 2013. Available online: (accessed on 5 July 2022).
26. Thekdi, S.; Aven, T. An enhanced data-analytic framework for integrating risk management and performance management. Reliab. Eng. Syst. Saf. 2016, 156, 277–287.
27. Nair, A.; Rustambekov, E.; McShane, M.; Fainshmidt, S. Enterprise Risk Management as a Dynamic Capability: A test of its effectiveness during a crisis. Manag. Decis. Econ. 2014, 35, 555–566.
28. Nocco, B.W.; Stulz, R.M. Enterprise Risk Management: Theory and Practice. J. Appl. Corp. Financ. 2006, 18, 8–20.
29. Frigo, M.; Anderson, R.J. Strategic Risk Assessment: A first step for improving risk management and governance. Strateg. Financ. 2009, 12, 25–33.
  30. ERM Initiative Faculty. Five Basics to Managing Innovation Risk. 2014. Available online: (accessed on 5 July 2022).
  31. CGMA. Global State of Enterprise Risk Oversight, 2nd ed.; Analysis of the Challenges and Opportunities for Improvement; CGMA: New York, NY, USA, 2015. [Google Scholar]
  32. Woods, M. A contingency theory perspective on the risk management control system within Birmingham City Council. Manag. Account. Res. 2009, 20, 69–81. [Google Scholar] [CrossRef]
  33. Jordan, S.; Jørgensen, L.; Mitterhofer, H. Performing risk and the project: Risk maps as mediating instruments. Manag. Account. Res. 2013, 24, 156–174. [Google Scholar] [CrossRef]
  34. OECD. Risk Management and Corporate Governance; OECD Publishing: Paris, France, 2014. Available online: (accessed on 6 July 2022).
  35. Ittner, C.D.; Oyon, D.F. The Internal Organization of Enterprise Risk Management. 2014. Available online: (accessed on 6 July 2022).
  36. Fraser, J.R.; Simkins, B.J. The challenges of and solutions for implementing enterprise risk management. Bus. Horiz. 2016, 59, 689–698. [Google Scholar] [CrossRef]
  37. Beasley, M.; Branson, B.C.; Hancock, B.V. Developing Key Risk Indicators to Strengthen Enterprise Risk Management; ERM Initiative at North Carolina State University and the Committee of Sponsoring Organizations of the Treadway Commission: Raleigh, NC, USA, 2010. [Google Scholar]
  38. Zhao, X.; Hwang, B.G.; Low, S.P. Developing a fuzzy enterprise risk management maturity model for construction firms. J. Constr. Eng. Manag. 2013, 139, 1179–1189. [Google Scholar] [CrossRef]
  39. Arena, M.; Arnaboldi, M.; Azzone, G. Is enterprise risk management real? J. Risk Res. 2011, 14, 779–797. [Google Scholar] [CrossRef]
  40. Viscelli, T.R.; Hermanson, D.R.; Beasley, M.S. The Integration of ERM and Strategy: Implications for Corporate Governance. Account. Horiz. 2017, 31, 69–82. [Google Scholar] [CrossRef]
  41. Jonek-Kowalska, I. Efficiency of Enterprise Risk Management (ERM) systems. Comparative analysis in the fuel sector and energy sector on the basis of Central-European companies listed on the Warsaw Stock Exchange. Resour. Policy 2019, 62, 405–415. [Google Scholar] [CrossRef]
  42. S&P Global Market Intelligence. Available online: (accessed on 25 October 2021).
  43. Reuters. Available online: (accessed on 6 July 2022).
  44. Krippendorff, K. Content Analysis: An Introduction to Its Methodology, 2nd ed.; Sage: Thousand Oaks, CA, USA, 2004. [Google Scholar]
  45. Beaugrande, R.D.; Dressler, W.U. Einführung in Die Textlinguistik; Niemeyer: Tübingen, Germany, 1981. [Google Scholar]
  46. Linsley, P.M.; Shrives, P.J. Examining risk reporting in UK public companies. J. Risk Financ. 2005, 6, 292–305. [Google Scholar] [CrossRef]
  47. Baregheh, A.; Rowley, J.; Sambrook, S. Towards a multidisciplinary definition of innovation. Manag. Decis. 2009, 47, 1323–1339. [Google Scholar] [CrossRef]
  48. Miloš Sprčić, D. Enterprise risk management-value based approach to managing corporate risks holistically. In Enterprise Risk Management: Theory and Practice with Selected Case Studies of Multinational Companies; Miloš Sprčić, D., Ed.; Faculty of Economics and Business, University of Zagreb: Zagreb, Croatia, 2020; pp. 1–61. [Google Scholar]
  49. Radić, D.; Pecina, E.; Miloš Sprčić, D. Enterprise Risk Management in the Electric Power Industry. In Risk Management: Strategies for Economic Development and Challenges in the Financial System; Miloš Sprčić, D., Ed.; Nova Science Publishers: Hauppauge, NY, USA, 2014; pp. 303–318. [Google Scholar]
  50. SSE PLC. Annual Report 2020. 2021. Available online: (accessed on 21 November 2021).
  51. Iberdrola. Activities Report of the Board of Directors and of the Committees Thereof 2020. 2021. Available online: (accessed on 10 January 2022).
  52. Endesa, S.A.; Subsidiaries. Consolidated Annual Financial Report for the Year Ended 31 December 2020. 2021. Available online: (accessed on 12 November 2021).
  53. Energias de Portugal. Changing Tomorrow Now-Annual Report 2020. 2021. Available online: (accessed on 1 December 2021).
  54. Fortum Oyj. Financials 2020. 2021. Available online: (accessed on 5 December 2021).
  55. Ørsted. Annual Report 2020. 2021. Available online: (accessed on 15 January 2022).
  56. Enel. Integrated Annual Report 2020. 2021. Available online: (accessed on 18 January 2022).
  57. Fortum Oyj. Governance 2020. 2021. Available online: (accessed on 5 December 2021).
  58. Terna. 2020 Integrated Annual Report. 2021. Available online: (accessed on 8 November 2021).
  59. Electricité de France. Universal Registration Document 2020—Including the Annual Financial Report. 2021. Available online: (accessed on 10 December 2021).
  60. Fortum Oyj. CEO´s Business Review 2020. 2021. Available online: (accessed on 6 December 2021).
  61. Verbund. Integrated Annual Report 2020. 2021. Available online: (accessed on 1 November 2021).
  62. Endesa, S.A.; Subsidiaries. Corporate Governance Report 2020. 2021. Available online: (accessed on 13 November 2021).
  63. Hoyt, R.E.; Liebenberg, A.P. The Value of Enterprise Risk Management. J. Risk Insur. 2011, 78, 795–822. [Google Scholar] [CrossRef]
  64. Pagach, D.; Warr, R. The characteristics of firms that hire chief risk officers. J. Risk Insur. 2011, 78, 185–211. [Google Scholar] [CrossRef]
  65. Peljhan, D.; Miloš Sprčić, D.; Marc, M. Strategy and organizational performance: The Role of Risk Management System Development. In Performance Measurement and Management Control: The Relevance of Performance Measurement and Management Control Research; Emerald Group Publishing Limited: Binglay, UK, 2018. [Google Scholar]
Table 1. ERM characteristics built around the COSO (2017) components.

| Code | ERM Characteristic | Literature Source for ERM Characteristic | COSO (2017) Component |
|---|---|---|---|
| C1 | Existence of a written document, i.e., a formal risk management policy | Herrinton [17]; Lundqvist [9] | (1) Governance and culture |
| C2 | The "tone at the top" and active support of risk management by the company's top management | Mikes and Kaplan [18]; Miloš Sprčić et al. [13] | (1) Governance and culture |
| C3 | Existence of a business continuity plan, i.e., a crisis management plan | Power [19] | (1) Governance and culture |
| C4 | Trust of employees that the real level of risk the company is exposed to is reflected in the board's decisions concerning future business activities | Grace et al. [20]; Ittner and Michels [21] | (1) Governance and culture |
| C5 | Establishment of a risk committee at the company level | Herrinton [17]; Aebi et al. [22]; Lundqvist [9]; Beasley et al. [23] | (1) Governance and culture |
| C6 | Clear identification of the company's goals and their connection to adequate measures of business success | Henschel [24]; Monda and Giorgino [25]; Thekdi and Aven [26] | (2) Strategy and objective-setting |
| C7 | Thorough understanding of the macroeconomic environment and the industry in which the company operates | Nair et al. [27] | (2) Strategy and objective-setting |
| C8 | Business objectives and the risks associated with these objectives are clearly communicated at all levels of the company | Monda and Giorgino [25] | (2) Strategy and objective-setting |
| C9 | The results of the risk management process and the person in charge of risk management are included in strategic decision making | Nocco and Stulz [28]; Frigo and Anderson [29]; ERM Initiative Faculty [30] | (2) Strategy and objective-setting |
| C10 | Existence of a standardised process and methodology for risk identification (explicit guidelines for risk identification) | CGMA [31] | (3) Performance |
| C11 | Identification of significant risk factors that may have negative impacts on the ability of the company to achieve its strategic plans and business goals | Lundqvist [9] | (3) Performance |
| C12 | Two-dimensional risk assessment (assessment of the probability of risk occurrence and of its significance for the company's business goals) | Woods [32]; Jordan et al. [33] | (3) Performance |
| C13 | Risk identification and risk evaluation are performed regularly, at minimum annually | OECD [34]; Paape and Spekle [15] | (3) Performance |
| C14 | Estimation of interdependencies between the different types of risks a company is exposed to | Nocco and Stulz [28]; Lundqvist [9]; Mikes and Kaplan [18] | (3) Performance |
| C15 | Use of quantitative techniques for risk assessment | Paape and Spekle [15]; Lundqvist [9] | (3) Performance |
| C16 | Quantification of the impact of risks on strategy and key risk indicators | Lundqvist [9] | (3) Performance |
| C17 | Determination of measures for treating identified and assessed risks with the aim of increasing risk management efficiency | Woods [32] | (3) Performance |
| C18 | Determination of risk owners responsible for carrying out the defined measures for treating risks | Lundqvist [9]; Mikes and Kaplan [18]; Ittner and Oyon [35] | (3) Performance |
| C19 | Existence of a risk register containing all risks, their owners and the measures for managing them | Nocco and Stulz [28]; Fraser and Simkins [36] | (3) Performance |
| C20 | Regular meetings of the risk committee, at least 2–3 times a year | Aebi et al. [22]; Lundqvist [9]; OECD [34] | (4) Review and revision |
| C21 | Continuous assessment and revision of the risk management strategy and of the exposure to internal and external risk factors | Beasley et al. [37] | (4) Review and revision |
| C22 | Active and continuous review of the risk management process | Beasley et al. [23] | (4) Review and revision |
| C23 | Continuity in risk monitoring is assured through internal audit or the risk committee and does not depend on personnel changes in internal audit or the risk committee | Zhao et al. [38] | (4) Review and revision |
| C24 | Continuous discussions regarding risk (for example, risk workshops) | Mikes and Kaplan [18] | (5) Information, communication and reporting |
| C25 | Existence of a formal risk report that is presented to the management board at minimum once a year | Aebi et al. [22]; Lundqvist [9] | (5) Information, communication and reporting |
| C26 | Exchange of information on risk exposure and risk management between the higher and middle management levels | Frigo and Anderson [29]; Grace et al. [20]; CGMA [31] | (5) Information, communication and reporting |
| C27 | Continuous board reporting on problems in risk management or problems related to the measures determined for treating identified and assessed risks | Paape and Spekle [15]; Lundqvist [9] | (5) Information, communication and reporting |
| C28 | Face-to-face discussions with the lower levels of management concerning relevant risk management issues | Arena et al. [39]; Miloš Sprčić et al. [13] | (5) Information, communication and reporting |
| C29 | Communication with external parties on risk management through formal reporting | Herrinton [17]; Lundqvist [9]; OECD [34]; Viscelli et al. [40] | (5) Information, communication and reporting |

Source: Based on Dvorski Lacković et al. [1].
Table 2. Ten largest EU electric power companies.

| Company | Country | Activities | Market Capitalisation as of 29 March 2019 (EUR billion) |
|---|---|---|---|
| Enel SpA | Italy | Production, distribution and supply of energy | 57.99 |
| Iberdrola SA | Spain | Production, transmission, distribution, wholesale and retail of electricity | 49.89 |
| Electricité de France SA | France | Generation, transmission, distribution, energy trading, energy sales and energy services | 36.65 |
| Ørsted A/S | Denmark | Procuring, producing, distributing and trading energy and related products | 28.38 |
| ENDESA, S.A. | Spain | Generation, distribution and sale of electricity | 24.08 |
| Fortum Oyj | Finland | Power generation, trading and optimisation | 16.19 |
| VERBUND AG | Austria | Generation, trading and transmission of electricity | 14.86 |
| SSE PLC | U.K. | Generation, trading and transmission of electricity | 14.31 |
| EDP—Energias de Portugal SA | Portugal | Electricity generation, distribution and supply | 12.74 |
| Terna—Rete Elettrica Nazionale Società per Azioni | Italy | Transmission of electricity | 11.35 |

Source: According to S&P Global Market Intelligence [42] and Reuters [43].
Table 3. A brief overview of the reported risk groups managed in the analysed companies.

| Firm (source) | Risk Categories |
|---|---|
| ENEL [56] (p. 77) | Strategic, financial, digital technology, operational, compliance |
| ENDESA [62] (p. 51) | Strategic, financial, digital technology, operational, compliance risk (including corruption and tax risks), culture and corporate governance risk |
| Fortum Oyj [54] (p. 28) | Strategic, sustainability, financial, operational |
| Iberdrola [51] (p. 23) | Risks arising from climate change, technological risks, cybersecurity risks, risks associated with the activities of the finance, control and resources division, reputational risks |
| Ørsted [55] (p. 72) | Currencies and commodity prices, inflation and interest rates, price pressures due to increased competition, US offshore development and construction, cybersecurity, legal compliance, climate-related risks |
| SSE PLC [50] (pp. 28–36) | Commodity prices, financial liabilities, large capital project quality, climate change, cybersecurity and resilience, energy affordability, energy infrastructure failure, politics, regulation and compliance, people and culture, safety and the environment, speed of change, emerging risk: joint venture and partner management |
| Electricité de France [59] (pp. 105–126) | Financial and market risks; market regulation, political and legal risks; group transformation and strategic risks; operational performance; specific risks related to nuclear activities |
| Energias de Portugal [53] (pp. 184–191) | Strategic, operational and financial risk |
| Verbund [61] (pp. 110–113) | Financial statements impact, price risk, volume risk, asset/infrastructure risk, legal risk, financial risk, operational risk, project risk, strategic risk, other (reputational) risks |
| Terna [58] (p. 90) | External/market risks, operational risks, legal/contractual risks, compliance risks, counterparty risks and natural/human-induced events |

Source: authors' compilation.
Share and Cite (MDPI and ACS style)

Pecina, E.; Miloš Sprčić, D.; Dvorski Lacković, I. Qualitative Analysis of Enterprise Risk Management Systems in the Largest European Electric Power Companies. Energies 2022, 15, 5328.