• RISK MANAGEMENT
• QUALITATIVE RESEARCH
• PERFORMANCE MANAGEMENT
• MANAGEMENT CONTROL SYSTEM
• INTEGRATION

Due to the financial crisis in 2007-2008, the awareness of the need to rethink the model of economic development in terms of sustainability arises. This sustainability, however, must not be seen as a “slogan”, but it must be understood as strategy of corporate development in the perspective of lasting economic balance, with the specific objective of creating value for all stakeholders, the environment, the social community and the company itself. To reach this objective, a new approach that integrates the performance management and the risk management is required. Indeed, such an integration could fulfil the important task of guaranteeing both the protection of the internal interests of the management and the employees, and the defence of the external interests expressed by the investors, the network in which the company operates, and the social community.
The financial cracks have, indeed, highlighted an element that represents a keystone for the success of the companies: the controls system. In the well-known cases of financial scandals, corporate governance was troubled, lacking, engaged in manipulation practices. This is why the legislative interventions aimed at increasing the stakeholders’ trust were compelling.
In this regard, the U.S. transposed the abovementioned necessity issuing the Sarbanes Oxley Act (SOX) in 2002. Along the same line, in Italy, laws and regulations were issued to highlight the importance of the internal control system. Such regulatory effort, combined with the increasing complexity of the environment and with the relevance of compliance activities, led to a proliferation of controls, to an expansion of the object of the controls and therefore to the birth of several control actors, delegated to the supervision of the whole control system.
This proliferation led to two different effects on companies’ control systems. On the one hand, there was a fragmentation of control activities, since actors were required to operate in accordance with specific laws with different demands. On the other, however, there was a spread of the control culture among all the stakeholders. Accordingly, it emerged the need for codifying the numerous types of controls in order to incorporate them into a system, since, by virtue of the systemic corporate order, an uncoordinated and not integrated set of the controls may generate negative consequences on the efficiency and effectiveness of the business activities.
It thus becomes relevant to study a systemic approach to corporate control activities by defining a balanced organizational structure and information flow able to improve the decision making process through an integration and coordination between the different control actors.
Therefore, this study finds its roots in the interest in understanding the relationships between management control, performance management and risk management systems. Specifically, the aim of the study is to analyse: 1) the evolution of the performance management systems as a part of a management control system; 2) the evolution of the risk management systems in the specific context of the management control system. Therefore, the ultimate purpose of the work is to interpret the possible configurations of the integration between performance management and risk management systems as a part of a management control systems. The project draws from the performance management, risk management and management control literature to develop an integrated framework.
Indeed, management control system expanded its boundaries, arriving to be more projected towards the interest of the different stakeholders, thus towards the corporate governance and the risk management. At the same time, risk management is extending its scope from the management of financial and compliance risks to the management of operational and strategic risks, moving beyond the traditional fields. Risk management has therefore moved from being a peripheral technical tool to representing an integrated process that involves the company in its entirety.
Recent research highlights the need for understanding this relationship, suggesting to incorporate and integrate risk management into the management control system.
The relationship between risk management and performance management (as part of a broader management control system) has been explicitly recognized and it has been defined as fundamental today for an effective creation of value. However, studies on how this integration can be configured are still in their infancy and the literature on the frameworks with which this integration can be implemented is still not very thorough.
Consistently with the aim of the study, and being aware of the necessity for supporting the experimental approach with the interpretation of the data and the understanding of the relations of concurrent cause and multiple effect between the elements considered, the definition of the framework was carried out following two main phases.
In the first phase, an in-depth literature review on the management control system, performance management system and risk management system is carried out. This phase is articulated into three chapters. More specifically, in Chapter 1, I explore the logical and historical evolution of the management control literature. Chapter 2 outlines the birth and the evolution of the performance management, highlighting the overlaps with the management control system and providing some original reflections on the topic. Chapter 3 focuses on the concept of risk management, its evolution towards an enterprise risk management and its current development. The second phase is based on the results and considerations that emerged from the literature review. Indeed, in Chapter 4, collecting the results of the previous phases, a first draft of a systematic framework that integrates the performance and the risk management system in a broader management framework is proposed. Finally, though an iterative process, the framework draft is reshaped in the light of interviews conducted in listed companies and a conclusive framework is proposed.
Being able to figure out an integration between different functions, we could benefit from a common base of data (and consequently of information) for different scopes, with clear advantages for the decision making process. Therefore, a framework that offers an integrated view of the performance-risk relationships inside the management control system could allow to fully exploit the opportunities of the big data. Moreover, an integrated approach could allow companies to overcome the “audit approach”, in favour of a more managerial approach also aimed at exploiting the emerging opportunities.
The identification of an evolutionary path that, from the expansion of the management control system, led to the development of the performance management helps in better understanding the company’s practices and organizational structure. Moreover, the identification of a definition of performance that does not create confusion with the management control system sets the stage for different conceptual frameworks developments.
The results of the empirical analyses give an extensive view of the integration between risk and performance management systems. Furthermore, the identification of the audit approach as a hinder factor in the evolutionary path towards an integration could lay the foundations for reflections both in the academic and practitioner realms.
The study has also practical implications of interest to companies, managers and professional associations. The empirical evidences offer practical indications to small-medium size companies and listed companies operating in sectors with characteristics similar to those examined, with reference to the subjects to be involved, to the reflections to put in place and to the directions of the different information flows. Indeed, in order to get an integration multiple levers can be used: a conscious management of inter-functional relationships and, more effectively, the organizational strengthening (i.e. the inclusion of risk mangers within the management control function and vice versa).