Risk governance and cybercrime
According to the Institute of Risk Management [22], digital technologies, devices, and media have brought us great benefits as well as enormous opportunities, but their use also exposes us to significant risks. The incidence of cyber-attacks has continued to increase, which has made the security and resilience of IT systems, and their governance and management, something that boards and top management of businesses must improve [7]. It is therefore imperative that those charged with risk management within a business organization fully understand the nature of its risk exposure, including the available practical tools and techniques that can be deployed to mitigate those risks. The risk exposures of a business cannot be divorced from the strategies evolved by senior management and the robustness of its information technology (IT), but cyber risk, as asserted by IRM [22], is not purely a matter for the IT team. Cybersecurity and cyberspace are considered a virtual world since they are abstract in nature, and this has led to an increase in cybercrime activities [23]. Risk governance comprises the effective protective measures that can be applied in an increasingly complex cybercrime landscape [24].
Risk governance advocates the use of a preventive mechanism in safeguarding the vulnerable assets of an organization. Robinson [24] noted that policy guided by the principle of risk management could be employed to help prevent security breaches and minimize losses from attacks that do get through. Klinke and Renn [4] opined that risk governance combines the institutional structure and corporate policies that help organizations mitigate and reduce risk problems, especially cyber risks. IRGC [25] believed that risk governance plays a major role in the reduction of cybercrimes in today’s risk environment. Therefore, it is imperative to examine the link between risk governance and cybercrime in today’s financial landscape.
Risk governance determinants
Chief risk officer centrality
Liebenberg and Hoyt [26] stated that a key function of the Chief Risk Officer (CRO) is to communicate risk management objectives and strategies to investors, thereby ensuring greater value for firms having opaque financial health. Erin et al. [21] argued that the supervising role of a CRO ensures an effective risk governance structure. According to Erin et al. [21], all financial institutions are statutorily required to hire a CRO who will be saddled with the responsibility of overseeing risk management affairs within the organization. The study carried out by Dickinson [27] found that riskier financial institutions that have a Chief Risk Officer are more likely to form a risk management committee. Also, it is believed that the role of the Chief Financial Officer (CFO) is in no way superior to that of the CRO and that the position of CRO should not be undermined in any way [28].
Enterprise risk management
Enterprise risk management (ERM) has emerged as a construct that ostensibly overcomes the limitations of silo-based traditional risk management (TRM) [9, 29]. The emergence of ERM in recent times has resulted in a new paradigm for managing the portfolio of risks that face organizations, thereby making policymakers focus on mechanisms that help to improve corporate governance and risk management [27, 30]. McShane et al. [29] posited that the purpose of ERM is to gain a systematic understanding of the interdependencies and correlations among risks aggregated into portfolios, then hedging the residual risk, which is more efficient and value maximizing than dealing with each risk independently. The study used five categories of the Standard and Poor’s (S&P) [31] ERM insurance rating to assess the impact of management activities on firm value for a dataset of 82 worldwide insurance companies. They found the existence of a positive relationship between an increasing level of risk management and firm value, while a change from traditional risk management to ERM does not lead to an increase in shareholder value. Risk management function and technique are largely examined using a measure called the Risk Management Index (RMI).
The study of Nocco and Stulz [32] described ERM at both the macro- and micro-level, stating that it enables senior management to identify, measure, and limit to acceptable levels the net exposures faced by the firm while ensuring that all material risks are “owned,” and risk-return trade-offs carefully evaluated, by operating managers and employees throughout the firm. ERM gives the board and senior management the capacity to effectively implement a risk management framework [21]. Arumona et al. [33] emphasized in their study that the board and relevant committees should work with management to promote and actively cultivate a corporate culture and environment that understands and implements enterprise-wide risk management, while recommending that risk management should be tailored to a specific company. The findings of Yong [34] showed that the successful implementation of ERM relies on corporate governance, especially periodic monitoring.
Board risk committee size
The board is charged with the overall responsibility for the oversight function of risk and risk management [33]. Going by the recent trends in corporate governance and risk management, companies have increased the proportion of independent directors and the diversity of those directors in order to enhance board performance [35]. This underscores the need to institute an independent committee within the board that will be responsible for risk management policies and framework. Financial companies covered by the Dodd-Frank Act must have dedicated risk management committees. The risk appetite and governance structure of an entity will assist in the composition of the risk committee. PwC [5] noted that risk committees provide a good way to improve board oversight of risk but are not the only way to respond to the challenges.
Board risk committee activism
Board activism is the extent of involvement of a company’s board of directors in the affairs of an organization, and it measures the scope of a board’s activities [30]. Activism promotes boardroom independence [36], and board activism increases as the proportion of outside board members increases [30]. By implication, it can be argued that board risk committee activism is enhanced by the proportion of independent board members in the committee. In the same vein, Boholm et al. [37] opined that board risk committee activism is intensified by the number of times the board meets in a year or quarter to discuss risk-related issues. Consistent with this view, studies [14, 37] revealed that board risk committee activism is indispensable in order to strengthen risk institution and governance.
Chief risk officer presence
Several studies have discussed the importance of the chief risk officer [26, 35, 36], ranging from the appointment of a CRO as a part of an ERM program to the influence of the risk manager in driving and facilitating the ERM process in companies. Hoyt and Liebenberg [38] developed an analysis that evaluated the effects of Chief Risk Officer presence and the board on the performance and risk of banks during the financial crisis, with a specific focus on the European banks. Findings from the study showed that the sole presence of the CRO is not sufficient to reduce the riskiness of the bank but seems to increase risk. However, findings from the studies of [13, 30] did not indicate any financial benefit for the shareholders in those companies that hired a CRO.
Board risk committee independence
The independence of the risk committee is pivotal to the risk management activities of any organization [39]. It is expected that the risk governance process is founded on sound corporate governance principles. The studies of [12, 13] argued that the inclusion of independent persons in the risk committee will further strengthen the risk culture, risk architecture, and risk disclosure. Also, the study of Peters et al. [40] revealed that independent directors who are knowledgeable in risk and financial matters are skilled in using financial models to evaluate projects that have a positive and significant impact on the organization.
Other factors
Corporate governance determinants
Board of directors independence
Board independence is a central issue in risk governance practice. Board independence is to ensure that the board is objective enough to act in the best interests of the company’s stakeholders [41]. It is the responsibility of the board to provide an oversight function regarding risk strategy, risk implementation, risk compliance, and risk disclosure [30]. However, boards of directors in many organizations are unaware of their responsibility in developing and providing management guidance regarding risk management strategy within the organization. Decker and Galer [42] revealed that the independence of the board of directors is a crucial factor in risk governance in any organization. The independence of the board should be clearly distinct from the management’s responsibility of implementing the risk strategies developed by the board of directors. The study of Beasley et al. [30] found that the independence of the board of directors positively influenced ERM implementation among firms.
Board size
The size of the board is one of the major determining factors in corporate governance principles [43]. Similarly, Rochette [44] argued that firms with larger boards have a greater tendency to adopt a holistic risk management system and follow the risk governance process. Also, Pagach and Warr [13] revealed that board size is a determining factor in risk governance, risk implementation, and risk disclosure. Consistent with the view of Rochette [44], Beasley et al. [30] found that most financial institutions with diverse board members are likely to adopt a holistic approach in tackling the issue of cybercrimes and ensure a strict risk governance process.
Firm characteristics determinants
Firm age
The subject of firm age appears in most empirical research in finance. It is mostly used as a control variable in studies on firm performance [45], corporate diversification [46], ownership structure [47], and risk management research [13]. Firm age is viewed as the number of years since incorporation [48], even though some authors argued that firm age starts when the firm is listed [29]. The subject of firm age is contentious in research; however, studies opined that the age of a firm is a key determinant of the firm’s sustainability, performance, and survival [49, 50, 51].
Firm size
It is believed that when an organization’s size increases, it is bound to experience different threatening events (risks) that could affect the sustainability of the business. Beasley et al. [30] found that larger firms are more likely to commit greater resources to their risk management activities. The study of Ilaboya and Ohiokha [48] found that larger firms are more likely to take the issue of risk governance more seriously than smaller firms. In tandem with this view, [7] revealed that larger firms have higher risk exposure and greater financial distress and, as a result, are more likely to implement integrated risk management and pay more attention to the risk governance process. Previous studies [30, 52] found a positive correlation between firm size and risk management activities. It thus means that larger firms are more willing to allocate more resources to tackle the issue of risks affecting their business operations.
Based on the above issues, the following hypothesis is developed:
H0: Risk governance has no significant impact on cybercrime of firms operating in the Nigerian financial sector.
Conceptual model
The conceptual model depicts the various variables or factors that affect cybercrime (Fig. 1).
The conceptual framework forms the basis on which this study is anchored and is linked to the research hypothesis.
Literature gaps
Previous research has been limited in empirically showing the relevance of risk management in financial institutions in Nigeria [6, 9, 49, 53, 54, 55]. The research gap identified is that these previous studies only examined risk management from the perspective of firm performance and firm value without holistically considering the impact of risk governance on cybercrime. Also, previous studies have been limited to the banking sector without researching the financial sector as a whole. Against this backdrop, this study seeks to extend the frontier of knowledge by filling the identified gap.
Theoretical consideration
The theory of legitimacy has been a popular theory in the field of management and accounting in recent times. It is important due to its ability to analyze the relationship between companies and their environment. Dowling and Pfeffer [56] opined that legitimation is a process where the organization has the right to transform, import, and export information within the organizational context. Legitimacy theory is derived from organizational legitimacy, which means a firm’s value system is congruent with the larger social system of which the firm is a part. Deegan [57] considered the legitimacy theory as a social contract between the organization and the society in which it operates. They argued that values and norms within the society are not fixed but continuously changing over time. These continuously changing societal values have heightened social expectations; therefore, for the organization to be successful, it has to be attentive to societal (environmental, human, and social) needs. Risk management and governance are considered a legitimate function the organization has to fulfill in order to create value for its stakeholders [58, 59]. Many researchers argued that risk management and governance must meet societal needs in order to be considered relevant and successful, especially in mitigating cybercrimes [30, 60, 61].
Most studies viewed legitimacy theory with respect to organizational dynamics and value creation in determining the risk governance process [6, 62]. These authors argued that societal pressure was heightened after the corporate scandals experienced in recent times. These corporate failures increased regulatory and stakeholders’ pressure on the need for organizations to adopt more rigorous corporate governance and risk management frameworks in creating value and performance. Some studies revealed that it is legitimate for the organization to adopt a risk process that will facilitate the firm’s performance and growth and reduce cybercrimes. Mikes and Kaplan [63] considered legitimacy as an important resource on which an organization depends for its survival. Their study claimed that legitimacy as a resource can be achieved through disclosure strategies. Also, Bromiley et al. [12] and Shima et al. [64] explained that in recent times, corporate legitimation strategies have increased focus on risk management practices with regard to the firm’s reputation. Reputation risk studies emphasized the importance of legitimacy theory for the financial growth of the organization. It is considered a good resource for future profit, which invariably affects the firm’s long-term sustainability.