<?xml version="1.0" encoding="UTF-8"?><?xml-model type="application/xml-dtd" href="http://jats.nlm.nih.gov/publishing/1.1d3/JATS-journalpublishing1.dtd"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.1d3 20150301//EN" "http://jats.nlm.nih.gov/publishing/1.1d3/JATS-journalpublishing1.dtd">
<article xmlns:ali="http://www.niso.org/schemas/ali/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:mml="http://www.w3.org/1998/Math/MathML" dtd-version="1.1d3" specific-use="1.2" article-type="research-article" xml:lang="en">
<front>
<journal-meta>
<journal-id journal-id-type="pmc">3836</journal-id>
<journal-title-group>
<journal-title specific-use="original" xml:lang="es">Cuadernos de Contabilidad</journal-title>
<abbrev-journal-title abbrev-type="publisher" xml:lang="es">Cuad. Contab.</abbrev-journal-title>
</journal-title-group>
<issn pub-type="ppub">0123-1472</issn>
<issn pub-type="epub">2500-6045</issn>
<publisher>
<publisher-name>Pontificia Universidad Javeriana</publisher-name>
<publisher-loc>
<country>Colombia</country>
<email>cuadernosdecontabilidad@javeriana.edu.co</email>
</publisher-loc>
</publisher>
</journal-meta>
<article-meta>
<article-id pub-id-type="art-access-id" specific-use="pmc">383667957013</article-id>
<article-id pub-id-type="doi">https://doi.org/10.11144/Javeriana.cc22.rmcs</article-id>
<article-categories>
<subj-group subj-group-type="heading">
<subject>Artículos</subject>
</subj-group>
</article-categories>
<title-group>
<article-title xml:lang="en"><bold>Risk management. A case study of a Colombian public sector company<xref ref-type="fn" rid="fn1">*</xref></bold></article-title>
<trans-title-group>
<trans-title xml:lang="es"><bold>Gestión del riesgo. Caso de una entidad del sector público colombiano</bold></trans-title>
</trans-title-group>
<trans-title-group>
<trans-title xml:lang="pt"><bold>Gestão de risco. Caso de entidade do setor público colombiano</bold></trans-title>
</trans-title-group>
</title-group>
<contrib-group>
<contrib contrib-type="author" corresp="yes">
<contrib-id contrib-id-type="orcid">https://orcid.org/0000-0001-6666-6444</contrib-id>
<name name-style="western">
<surname>Jurado-Zambrano</surname>
<given-names>Diego</given-names>
</name>
<xref ref-type="corresp" rid="corresp1"><sup>a</sup></xref>
<xref ref-type="aff" rid="aff1"/>
<email>diego.jurado@esap.edu.co</email>
</contrib>
<contrib contrib-type="author" corresp="no">
<contrib-id contrib-id-type="orcid">https://orcid.org/0000-0003-4545-4025</contrib-id>
<name name-style="western">
<surname>Villanueva</surname>
<given-names>Eduart</given-names>
</name>
<xref ref-type="aff" rid="aff2"/>
</contrib>
</contrib-group>
<aff id="aff1">
<institution content-type="original">Escuela Superior de Administración Pública (ESAP), Territorial Antioquia</institution>
<institution content-type="orgname">Escuela Superior de Administración Pública</institution>
<country country="CO">Colombia</country>
</aff>
<aff id="aff2">
<institution content-type="original">Universidad Eafit, Medellín</institution>
<institution content-type="orgname">Universidad Eafit</institution>
<country country="CO">Colombia</country>
</aff>
<author-notes>
<corresp id="corresp1"><sup>a</sup> Corresponding author. E-mail address: <email>diego.jurado@esap.edu.co</email>
</corresp>
</author-notes>
<pub-date pub-type="epub-ppub">
<season>Enero-Diciembre</season>
<year>2021</year>
</pub-date>
<volume>22</volume>
<history>
<date date-type="received" publication-format="dd mes yyyy">
<day>14</day>
<month>07</month>
<year>2020</year>
</date>
<date date-type="accepted" publication-format="dd mes yyyy">
<day>20</day>
<month>07</month>
<year>2021</year>
</date>
</history>
<permissions>
<ali:free_to_read/>
<license xlink:href="https://creativecommons.org/licenses/by/4.0/">
<ali:license_ref>https://creativecommons.org/licenses/by/4.0/</ali:license_ref>
<license-p>Esta obra está bajo una Licencia Creative Commons Atribución 4.0 Internacional.</license-p>
</license>
</permissions>
<abstract xml:lang="en">
<title>Abstract</title>
<p>The objective of this research is to analyze, in a Colombian public sector company, the key success factors for the implementation of a ERM initiative. To comply with the objective, an investigation with a qualitative approach and descriptive scope is developed. As instruments for collecting information, the following are used: The focus group technique; the documentary review specifically of the strategic plan, the operating policies, the risks previously identified, as well as the internal and external audit reports. The results show the existence of some key success factors, such as: Senior management leadership, resource allocation, methodological integration for risk management; which enabled the successful implementation of integrated risk management. Likewise, the main stages adopted in the implementation exercise are presented, which were based on the ISO 31000: 2018 standard.</p>
<p><bold>JEL Codes:</bold> D73, H83, M19.</p>
</abstract>
<trans-abstract xml:lang="es">
<title>Resumen</title>
<p>El objetivo de la investigación es analizar los factores clave de éxito para la implementación de una iniciativa de gestión integral del riesgo en una empresa del sector público de Colombia. Para dar cumplimiento al objetivo se desarrolla una investigación con enfoque cualitativo y de alcance descriptivo. Como instrumentos de recolección de información se emplean la técnica de grupo focal, la revisión documental específicamente del plan estratégico, las políticas de operación, los riesgos previamente identificados, así como los informes de auditoría interna y externa. Los resultados evidencian la existencia de algunos factores clave de éxito, tales como: el liderazgo de la alta dirección, la asignación de recursos, la integración metodológica para gestión de los riesgos; los cuales habilitaron la implementación exitosa de la gestión integrada de riesgos. De igual forma, se exponen las principales etapas adoptadas en el ejercicio de implementación las cuales se basaron en el estándar ISO 31000: 2018.</p>
<p><bold>Códigos JEL:</bold> D73, H83, M19.</p>
</trans-abstract>
<trans-abstract xml:lang="pt">
<title>Resumo</title>
<p>O objetivo da pesquisa é analisar os fatores-chave de sucesso para a implementação de uma iniciativa de gestão integral do risco em uma empresa do setor público na Colômbia. Para cumprir o objetivo, é desenvolvida uma pesquisa com abordagem qualitativa e âmbito descritivo. Como instrumentos de coleta de informações, utilizam-se a técnica de grupo focal, a revisão documental especificamente do plano estratégico, das políticas operacionais, dos riscos previamente identificados, bem como dos relatórios de auditoria interna e externa. Os resultados mostram a existência de alguns fatores-chave de sucesso, tais como: liderança da alta administração, alocação de recursos, integração metodológica para gestão de riscos; os quais permitiram a implementação bem-sucedida da gestão integrada de riscos. Da mesma forma, são expostas as principais etapas adotadas no exercício de implementação, as quais foram baseadas na norma ISO 31000: 2018.</p>
<p><bold>Códigos JEL:</bold> D73, H83, M19.</p>
</trans-abstract>
<kwd-group xml:lang="en">
<title>Keywords</title>
<kwd>Enterprise Risk Management</kwd>
<kwd>case study</kwd>
<kwd>ISO 31000</kwd>
<kwd>key success factors</kwd>
<kwd>public sector</kwd>
</kwd-group>
<kwd-group xml:lang="es">
<title>Palabras clave</title>
<kwd>Gestión integrada de riesgos</kwd>
<kwd>estudio de caso</kwd>
<kwd>ISO 31000</kwd>
<kwd>factores clave de éxito</kwd>
<kwd>sector público</kwd>
</kwd-group>
<kwd-group xml:lang="pt">
<title>Palavras-chave</title>
<kwd>Gestão integrada de risco</kwd>
<kwd>estudo de caso</kwd>
<kwd>ISO 31000</kwd>
<kwd>fatores-chave de sucesso</kwd>
<kwd>setor público</kwd>
</kwd-group>
<counts>
<fig-count count="1"/>
<table-count count="6"/>
<equation-count count="0"/>
<ref-count count="61"/>
</counts>
<custom-meta-group>
<custom-meta>
<meta-name>Cited as</meta-name>
<meta-value>Jurado-Zambrano, D., &amp; Villanueva, E. (2021). Risk management. A case study of a Colombian public sector company. <italic>Cuadernos de Contabilidad, 22</italic>. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.11144/Javeriana.cc22.rmcs">https://doi.org/10.11144/Javeriana.cc22.rmcs</ext-link>
</meta-value>
</custom-meta>
</custom-meta-group>
</article-meta>
</front>
<body>
<sec sec-type="intro">
<title><bold>Introduction</bold></title>
<p>The global financial crisis has turned the notion of risk as a central issue in the management of public and private organizations <xref ref-type="bibr" rid="ref52">(Rana, Wickramasinghe, &amp; Bracci, 2019)</xref>, risk management allows the identification of events that impact the organization's ability to create value and compliance with the strategy <xref ref-type="bibr" rid="ref23">(Giraldo &amp; Nunez, 2020)</xref>, in addition to providing information to improve the decision-making process in uncertain contexts <xref ref-type="bibr" rid="ref5">(Blanco-Mesa, Rivera-Rubiano, Patino-Hernandez et al., 2019)</xref>, being a focal point for executives and professionals <xref ref-type="bibr" rid="ref46">(Oliveira, Méxas, Meiriño et al., 2019)</xref>; ERM has been found to have a positive relationship with company performance <xref ref-type="bibr" rid="ref54">(Saeidi, Saeidi, Gutierrez et al., 2021)</xref>. Risk management has become an emerging key element of the New Public Management <xref ref-type="bibr" rid="ref40">(Lapsley, 2009)</xref>. In the Colombian public sector, guidelines around the subject are contained in the Integrated Planning and Management Model (MIPG for its translation into Spanish), which is regulated under Decree 1499 of 2017.</p>
<p>Enterprise Risk Management (ERM) has been used as a methodology to assess risks in achieving the objectives of an organization <xref ref-type="bibr" rid="ref17">(de Freitas Alves, Neto, Coli et al., 2017)</xref>. Given that there is a lack of studies on risk management in the public sector <xref ref-type="bibr" rid="ref17">(de Freitas Alves et al., 2017</xref>; <xref ref-type="bibr" rid="ref52">Rana et al., 2019</xref>; <xref ref-type="bibr" rid="ref59">Tabares, Jaramillo, Arias et al., 2017)</xref>, the objective of this paper was to analyze, the key factors for successful implementation of a risk management initiative in a Colombian public sector organization. For this case study, focus groups were developed with key employees of each entity process and internal and external audit reports over matrices were consulted.</p>
<p>The most relevant results of the study showed that 59% of risks were located in a high or extreme zone, which documented 30 action plans. Action plans in large percentage, focused on developing or updating operating policies and on training and educating employees in implementation. This is consistent with the distribution of risk, as 56% of the total identified were categorized as operational. Finally, we highlighted some of present key factors in the implementation such as the allocation of resources, participation of senior management, and the articulation of initial work agreements for the methodology of managing risk.</p>
</sec>
<sec>
<title><bold>Theoretical framework</bold></title>
<sec>
<title><bold>Risk management</bold></title>
<p>Risk is defined as a combination of the probability or frequency of an event and its consequences, which are generally negative<xref ref-type="bibr" rid="ref19"> (Elahi, 2013)</xref> or contain uncertainty about the objectives<xref ref-type="bibr" rid="ref31"> (International Organization for Standardization 31000, 2018)</xref>. Risk involves an element of unpredictability and an undesirable result such as a loss <xref ref-type="bibr" rid="ref57">(Soltanizadeh, Abdul, Mottaghi et al., 2016)</xref>. One can have unwanted operations, strategy, competitiveness, finance, reputation and compliance obligations with adverse impact <xref ref-type="bibr" rid="ref32">(Jalal-Karim, 2013)</xref>.</p>
<p>Because the business environment is complex as a result of deregulation, globalization, downsizing and technological advancement <xref ref-type="bibr" rid="ref53">(Rasid, Isa, &amp; Ismail, 2014),</xref> companies face a wide range of risks that must be managed holistically; and thus, there is growing interest in ERM<xref ref-type="bibr" rid="ref4"> (Beasley, Clune, &amp; Hermanson, 2005)</xref>. Unlike traditional approaches to risk management, ERM is a holistic approach to risk management that involves a joint review of the risk that is assessed, quantified, funded and managed at the enterprise-level<xref ref-type="bibr" rid="ref26"> (Grace, Leverty, Phillips et al., 2015)</xref>. ERM is also implemented at all levels of a company and applied in a configuration strategy so as to ensure the achievement of corporate goals<xref ref-type="bibr" rid="ref61"> (Zhao, Hwang, &amp; Low, 2015).</xref> However, the successful implementation of ERM depends on several factors. A table 1 is presented to summarize several of them.</p>
<p>
<table-wrap id="gt4">
<label>Table 1</label>
<caption>
<title>Several factors for ERM</title>
</caption>
<alt-text>Table 1 Several factors for ERM</alt-text>
<graphic xlink:href="383667957013_gt5.png" position="anchor" orientation="portrait"/>
<attrib>Source: Own elaboration</attrib>
</table-wrap>
</p>
<p>For example, there is a correlation between participative leadership style that allows employees to participate in the success of ERM <xref ref-type="bibr" rid="ref55">(Sax &amp; Torp, 2015)</xref>. Other example can be the establishment of the ERM function being headed by a senior person, such as a Chief Risk Officer or Risk Director <xref ref-type="bibr" rid="ref4">(Beasley et al., 2005</xref>; <xref ref-type="bibr" rid="ref46">Oliveira et al., 2019)</xref>. This person should be responsible for establishing and communicating policies regarding ERM, training current employees, and hiring ERM functional staff with professional experience in ERM <xref ref-type="bibr" rid="ref34">(Kerstin, Simone, &amp; Nicole, 2014)</xref>.</p>
<p>In addition, it is important to have the corporate culture, values, beliefs, knowledge, attitudes and understanding of the risks shared by a group of individuals, teams and workgroups in order to boost ERM initiatives<xref ref-type="bibr" rid="ref1"> (Agarwal &amp; Ansell, 2016</xref>; <xref ref-type="bibr" rid="ref45">Oliva, 2016)</xref>. These aspects contribute to the overall risk culture which has shown to be of great influence in facilitating ERM practices<xref ref-type="bibr" rid="ref46"> (Oliveira et al., 2019)</xref>.</p>
<p>On the other hand, resource availability is a determining factor in advancing ERM efforts <xref ref-type="bibr" rid="ref27">(Hallowell et al., 2013)</xref>, such as estimates of qualified staff, experience and time, in addition to improving the risk management processes based on the participation of people and the proper allocation of resources, tools and techniques<xref ref-type="bibr" rid="ref22"> (Gibson &amp; Young, 2012)</xref>.</p>
<p>Because of its proactive nature of decision-making, ERM requires strong leadership, a substantial commitment of resources, timely reports, and real-time data insight <xref ref-type="bibr" rid="ref44">(Moshesh, Niemann, &amp; Kotzé, 2018)</xref>. The absence or lack of these requirements could lead to implementation challenges that impact on the success of ERM. When managers perceive that other control systems and risk management are satisfactory, ERM initiatives may struggle to find a space and to sell its value added to owners <xref ref-type="bibr" rid="ref3">(Arnaboldi &amp; Lapsley, 2014)</xref>.</p>
<p>Because of its integration of risk management practices and its holistic and different and simultaneous types of risk management, ERM has several benefits for organizations <xref ref-type="bibr" rid="ref35">(Khan, Hussain, &amp; Mehmood, 2016)</xref>. It enables a consistent treatment of risk; it encourages a view of the longer-term risk while allowing accurate resource allocation and improved and faster reaction to the emerging risk identified. All of this can lead to increased profitability <xref ref-type="bibr" rid="ref44">(Moshesh et al., 2018)</xref>. It has also been shown that companies that have ERM systems in place have a higher market value <xref ref-type="bibr" rid="ref28">(Hoyt &amp; Liebenberg, 2011)</xref>.</p>
<p>It is important to consider that these benefits are within the business as long as its context is associated with competition within the industry, company size, complexity of the company and its board of directors<xref ref-type="bibr" rid="ref24"> (Gordon, Loeb, &amp; Tseng, 2009)</xref>. Another benefits include the integration of decision-making across different risks within the business, the duplication of management risk fees are avoided, and a better understanding of aggregate risk in different commercial activities is obtained <xref ref-type="bibr" rid="ref28">(Hoyt &amp; Liebenberg, 2011)</xref>. Through its approach to identification, assessment, treatment, monitoring and communication of risks, ERM can have a positive impact on the promotion of competitive business advantage <xref ref-type="bibr" rid="ref32">(Jalal-Karim, 2013)</xref>, and has even been found to allow for better management of organizational reputation <xref ref-type="bibr" rid="ref49">(Pérez-Cornejo, de Quevedo-Puente, &amp; Delgado-García, 2019)</xref>.</p>
<p>In the Colombian public sector, risk management is established as a guideline in Decree 1499 of 2017 in which, among other elements, it is defined as the MIPG. The MIPG is structured in different dimensions and policies, with respect to the issue of risk management. It is referred to as Internal Control, and is contemplated within the dimension in the politics of the same name. The basis for implementing this internal control policy is the Standard Model of Internal Control, which adopted the structure of the 2013 Committee of Sponsoring Organizations of the Treadway Commission <xref ref-type="bibr" rid="ref9">(COSO)</xref> Integrated Framework, which includes the component of risk assessment <xref ref-type="bibr" rid="ref9">(Committee of Sponsoring Organizations of the Treadway Commission, 2013).</xref> Another factor to take into account within the internal control dimension is the model of the three lines of defense, which facilitates communication of the different roles regarding risk management and control in order to determine the different roles that must be completed; in this model the first line of defense refers to the monitoring of risks to be performed by management, the second line encompasses the various supervisory functions determined by the respective administrative and financial controls, security, risk management, and quality, among others; while the third line of defense is the internal audit <xref ref-type="bibr" rid="ref29">(Institute of Internal Auditors, 2020)</xref>.</p>
<p>The International Organization for Standardization (ISO) 31000 risk management standard was developed by professionals around the world, and used by all types of companies, this has made it the leading global guide for risk management practices <xref ref-type="bibr" rid="ref25">(Govender, 2019)</xref>. There is a lack of integrated approaches that consider the different types of risks, and the different sources of information to identify the risks, for this the use of ISO 31000 has been recommended as an adequate basis <xref ref-type="bibr" rid="ref48">(Parviainen, Goerlandt, Helle et al., 2021)</xref>. The aforementioned standard, recognized as a worldwide standard, allows organizations to implement the risk management process following key factors for successful implementation and contribute to performance <xref ref-type="bibr" rid="ref51">(Rampini, Takia, &amp; Berssaneti, 2019)</xref>. Additionally, it integrates a set of systematic techniques for the different stages of risk management, which allows excellent adaptability to companies in different sectors <xref ref-type="bibr" rid="ref2">(Antonionia &amp; Moreno, 2019)</xref>.</p>
<p>To implement risk management the following steps must be followed: Establish the context, assess risk, address the risk, communicate and consult, review and monitor, and record and report <xref ref-type="bibr" rid="ref31">(International Organization for Standardization 31000, 2018)</xref>.</p>
</sec>
<sec>
<title><bold>Context</bold></title>
<p>Companies must look within the organization in order to determine the cultural level of risk management that permeates both existing practices as well as individual behavior. It should also analyze the specific nature of the context of each company in order to determine if there are significant variations in the ERM practices, including companies that are in the same industry <xref ref-type="bibr" rid="ref8">(Caldarelli, Fiondella, Maffei et al., 2016)</xref>. Thus, risk management also includes another internal factors such as its own goals and activities of the company. It is important to consider that organizational factors could generate risks, hence the importance of conducting a thorough review of the internal context <xref ref-type="bibr" rid="ref31">(International Organization for Standardization 31000, 2018)</xref>.</p>
<p>The external context of the organizations must also be established since the exogenous factors create risks that must be managed with the implementation of the ERM<xref ref-type="bibr" rid="ref24"> (Gordon et al., 2009)</xref>. Therefore, external variables must be detailed that may affect the objectives and results of the organization; once the context of the company is defined, the scope of risk management can already be defined <xref ref-type="bibr" rid="ref31">(International Organization for Standardization 31000, 2018)</xref>. With this defined context, the entire portfolio of risks that could be presented can also be analyzed, controlled and monitored <xref ref-type="bibr" rid="ref20">(Farrell &amp; Gallagher, 2015)</xref></p>
</sec>
<sec>
<title><bold>Risk assessment</bold></title>
<p>This stage includes the identification of risks which must determine the events that may affect the achievement of objectives, including the causes and effects of each risk <xref ref-type="bibr" rid="ref41">(Mejía, 2006)</xref>; after this, the valuation of each risk based on the probability of the occurrence of each event and the magnitude of the consequences of these risks is determined<xref ref-type="bibr" rid="ref31"> (International Organization for Standardization 31000, 2018)</xref>; subsequently the risks are ranked in order to set up the priority of events that must be treated <xref ref-type="bibr" rid="ref6">(Brustbauer, 2016)</xref>.</p>
</sec>
<sec>
<title><bold>Risk treatment</bold></title>
<p>At this stage, companies determine how to respond to risks, with actions that reduce their frequency and / or impact, or establish the source of resources that will cover the losses generated by an event such as insurance or the company’s own financial funds <xref ref-type="bibr" rid="ref10">(Committee of Sponsoring Organizations of the Treadway Commission, 2017</xref>; <xref ref-type="bibr" rid="ref41">Mejía, 2006)</xref>. Thus, there are a variety of ways to mitigate significant risks that must be analyzed according to each context <xref ref-type="bibr" rid="ref7">(Calandro, 2015)</xref>. Allowing such treatment measures to respond to different risks and improve organizational management, increases opportunities and reduce threats <xref ref-type="bibr" rid="ref33">(Jaraba, Nuñez, &amp; Villanueva, 2018)</xref></p>
</sec>
<sec>
<title><bold>Monitoring and review</bold></title>
<p>It is essential to conduct a periodic review of risk behavior over time, and this stage must be carried out in a planned manner, with responsibilities defined by the company <xref ref-type="bibr" rid="ref31">(International Organization for Standardization 31000, 2018)</xref>. This is why the relationship of the ERM system and organizational performance depends largely on adequate monitoring of risks <xref ref-type="bibr" rid="ref24">(Gordon et al., 2009)</xref>. The dynamism of the environment leads to new risks which arise, that are becoming more complex, and that may affect organizations. This monitoring should be done in a nonlinear manner that integrates different natural sciences, both technical and social<xref ref-type="bibr" rid="ref38"> (Kravchenko, 2018)</xref>.</p>
</sec>
<sec>
<title><bold>Communication and consultation</bold></title>
<p>This step facilitates interaction with different stakeholders through accessible channels, so that they can be informed about the decisions that the organization must make regarding risk management and disagreements leading to these decisions; Similarly, it also allows for feedback from stakeholders to adjust the guidelines regarding how to act in the face of risks <xref ref-type="bibr" rid="ref31">(International Organization for Standardization 31000, 2018)</xref>. If an effective communication and consultation process is carried out, it will facilitate the generation of awareness in the company regarding the importance of risk management for decision-makers <xref ref-type="bibr" rid="ref61">(Zhao et al., 2015)</xref>.</p>
</sec>
<sec>
<title><bold>Recording and reporting</bold></title>
<p>This step is intended to document the entire risk management process in an official or formal consultation text, documenting the activities carried out and the results obtained, which support decision making. It is recommended that this report and all related quality data be presented and shared at all relevant levels within the organization, formally recording and sharing all actions taken, contributing to the overall risk management initiative<xref ref-type="bibr" rid="ref56"> (Shi, Wong, Li et al., 2018)</xref>.</p>
</sec>
</sec>
<sec sec-type="methods">
<title><bold>Methodology</bold></title>
<p>This document describes the results of the incorporation of a risk management initiative in a public sector Colombian company during the year 2019 by describing the processes and good practices followed by the company. This work was developed utilizing a qualitative research approach, because this type of research is defined primarily by its emphasis on the qualities, essences or categories of the study phenomenon, and its results are presented by using descriptive analysis and not through statistical models <xref ref-type="bibr" rid="ref43">(Morrow &amp; Smith, 2000)</xref>. In the qualitative approach, the researcher often makes knowledge claims based primarily on constructivist perspectives <xref ref-type="bibr" rid="ref13">(Creswell, 2003)</xref>, a characteristic that complies with this present study, because it was implemented by following the process of managing the risk outlined in the ISO 31000 standard. Thus, the product obtained adds value to management.</p>
<p>This qualitative study encompasses many approaches, among which is the case study <xref ref-type="bibr" rid="ref43">(Morrow &amp; Smith, 2000)</xref>. Case studies are a common way of doing qualitative research and in these studies the researcher explores in-depth, a program, an event, an activity, a process or one or more persons <xref ref-type="bibr" rid="ref58">(Stake, 1994)</xref>. <xref ref-type="bibr" rid="ref14">Creswell (2007)</xref> argues that a case study is the investigation of a “bounded system,” be it an individual, a group or an institution. This is why this present work is defined as an intrinsic case study, because it was developed based on a single institution <xref ref-type="bibr" rid="ref58">(Stake, 1994</xref>;<xref ref-type="bibr" rid="ref15"> Creswell et al., 2007)</xref>. The study was conducted at the <italic>Instituto Social de Vivienda y Habitat de Medellín</italic>, which is an entity dedicated to managing social housing plans that ensure the right to an adequate habitat and fair housing for its citizens. In this regard, the importance of researching risk management within this entity is of paramount importance, given that it is one of the pillars of social development for the city and on which a large portion of public financial resources are allocated. For the year 2019, the entity administered an income budget of around USD 24 million. Regarding its organizational structure, the entity had seven departments from where missionary, strategic, support and evaluation processes were developed, which in turn are supported by around 50 employees assigned to the fixed plant of positions and around of 200 employees under other contracting modalities.</p>
<p>Case study research builds a deep and contextual understanding of the case, based on multiple data sources<xref ref-type="bibr" rid="ref60"> (Yin, 1981)</xref>, using qualitative or quantitative evidence, from a variety of data collection procedures over an extended period of time <xref ref-type="bibr" rid="ref58">(Stake , 1994)</xref>, such as verbal reports and observations <xref ref-type="bibr" rid="ref60">(Yin, 1981</xref>; <xref ref-type="bibr" rid="ref15">Creswell et al., 2007</xref>; <xref ref-type="bibr" rid="ref12">Corbin &amp; Strauss 1990)</xref>; fieldwork and records<xref ref-type="bibr" rid="ref60"> (Yin, 1981)</xref>; interviews <xref ref-type="bibr" rid="ref12">(Corbin &amp; Strauss 1990</xref>; <xref ref-type="bibr" rid="ref15">Creswell et al., 2007)</xref>; audiovisual material <xref ref-type="bibr" rid="ref15">(Creswell et al., 2007)</xref>; government documents, video tapes, newspapers and books <xref ref-type="bibr" rid="ref12">(Corbin &amp; Strauss, 1990)</xref>, or any combination thereof <xref ref-type="bibr" rid="ref60">(Yin, 1981)</xref>, which can shed light on the questions under study<xref ref-type="bibr" rid="ref12"> (Corbin &amp; Strauss, 1990)</xref>.</p>
<p>To develop the risk management process <xref ref-type="bibr" rid="ref31">(International Organization for Standardization 31000, 2018)</xref>, documents and reports <xref ref-type="bibr" rid="ref15">(Creswell et al., 2007)</xref> were used as sources of information, such as: The strategic plan; the process map and the characterization of each of them; the internal audit reports from the internal control office and from the quality management system audit exercises; the external audit reports focused on financial and public procurement matters, as well as regulations from control and regulatory bodies of the public sector and the existing risk matrices.</p>
<p>Focus groups are a form of group interview that capitalizes on communication between research participants. Group processes can help people to explore and clarify their views in a way that would be less accessible in an individual interview<xref ref-type="bibr" rid="ref37"> (Kitzinger, 1995)</xref>.</p>
<p>The number of times a focus group meets may vary from one meeting to several <xref ref-type="bibr" rid="ref47">(Onwuegbuzie, Dickinson, Leech et al., 2009)</xref>. As such, it was planned to develop four focus group sessions with a subset of employees from each of the 12 processes within the organization. The number of focus group sessions proposed was planned to try to cover relevant information from each of the risk management stages described in the theoretical framework of this document. In the focus groups, employees from the managerial, operational and auxiliary level participated, this because it was intended to cover the greatest number of activities that were developed in each process. The development of the focus groups was based on open questions so that participants could express their views <xref ref-type="bibr" rid="ref13">(Creswell, 2003)</xref>. During the development of the focus groups, participants explain their experiences with their peers, with whom they shared something in common. Since they were members of the process and knew the process in depth, this allowed them to share their views with each other<xref ref-type="bibr" rid="ref36"> (Kidd &amp; Parshall, 2000)</xref>.</p>
<p>For purposes of organizing the information resulting from focus groups, the transcription technique was used, which is an integral process in the qualitative analysis of language data <xref ref-type="bibr" rid="ref39">(Lapadat &amp; Lindsay, 1999)</xref>. It is used, in speech studies to resubmit the speech as written text <xref ref-type="bibr" rid="ref42">(Mishler, 1991)</xref>, selectively <xref ref-type="bibr" rid="ref16">(Davidson, 2009)</xref>. Although within the development of the multiple focus groups multiple discussions were generated, in order to consolidate the results, the agreed upon information from the members of the groups resumed. The transcription of each of the focus group sessions allowed, subsequently, to identify repetitive themes that were frequently mentioned by the participants, with which it was possible to build categories of analysis that shaped the results of the present investigation. An example of this is the information presented in <xref ref-type="table" rid="gt6">table 2</xref>.</p>
</sec>
<sec sec-type="results">
<title><bold>Results</bold></title>
<p>The development of the implementation of the risk management initiative was carried out based on the stages outlined in the ISO 31000: 2018, as follows: Establishing the context; assessment of the risk, which consists of identifying, analyzing and assessing the risk; and the treatment, monitoring, review, recording and reporting of risk<xref ref-type="bibr" rid="ref31"> (International Organization for Standardization 31000, 2018)</xref>. This is appropriate as the ISO 31000 standard has been formally adopted by many States <xref ref-type="bibr" rid="ref50">(Purdy, 2010)</xref>
</p>
<sec>
<title><bold>Context</bold></title>
<p>The establishment for the development of each of the 12 processes (see table 2) within the entity, where internal and external factors were identified, was based on the risk management guide (Departamento Administrativo de la Función Pública, 2018), established for the public sector in Colombia. As a result of this stage, common variables were found in in the exercises developed within each process. For each variable, its positive or negative incidence was determined, and the effect, positive or negative, for the same process was described. An example of the analysis performed for one of the identified variables is presented in <xref ref-type="table" rid="gt6">table 2</xref>
</p>
<p>
<table-wrap id="gt6">
<label>Table 2</label>
<caption>
<title>Example of the way to obtain a unified variable</title>
</caption>
<alt-text>Table 2 Example of the way to obtain a unified variable</alt-text>
<graphic xlink:href="383667957013_gt6.png" position="anchor" orientation="portrait"/>
<attrib>Source: Own elaboration.</attrib>
</table-wrap>
</p>
<p>Once the analysis was carried out, resorting to the crossing of information from each of the context identification exercises in the processes, the following was obtained: The variable with the greatest recurrence mentioned in the processes was the shortcomings in the organizational structure, which was identified in 92% of them. In the following way, the 83% of the processes owners agreed that the weakness of the information systems constituted a negative variable, which could be a cause of risks. Similarly, a comprehensive analysis of the information resulting from this phase was carried out, and the following recurrent variables were additionally identified: (67%), decrease in resource allocation (67%), inadequate physical work environment (58%) and shortcomings institutional planning (58%).</p>
</sec>
<sec>
<title><bold>Risk assessment</bold></title>
<p>Based on the information obtained in the context setting phase, and taking into account: The strategic plan; the process map and the characterization of each of them; the internal audit reports from the internal control office and from the quality management system audit exercises; the external audit reports focused on financial and public procurement matters, as well as regulations from control and regulatory bodies of the public sector and the existing risk matrices, 79 risks were identified, based on the knowledge and review of the objectives for each process.</p>
<p>The results are presented in <xref ref-type="table" rid="gt7">table 3</xref>. In this regard, the results presented in <xref ref-type="table" rid="gt7">table 3</xref> were obtained. To help understand the results, it is important to take into account two aspects: First, the 79 risks classified according to the typologies proposed by the Departamento Administrativo de la Función Pública (2018) are presented in its guide to managing risks, that is, it mentions whether they are strategic, operational, corruption, technological, compliance and financial. Second, as shown in<xref ref-type="fig" rid="gf1"> figure 1</xref>, an example of risk assessment is presented, for some risks of the Social Management process, in which the probability and impact tables presented in the appendix of this article were used (see <xref ref-type="table" rid="gt1">table A1</xref> and <xref ref-type="table" rid="gt2">table A2).</xref></p>
<p>With the initial evaluation, the inherent risk was identified, that is, the evaluation without considering the control measures already established in the process. Subsequently, the residual risk was identified, which is the one that remains once the impact of the controls on the causes that generate the risk has been analyzed. In the example presented in<xref ref-type="fig" rid="gf1"> figure 1</xref>, it is observed that risks R1, R2 and R4 had a considerable change in terms of their risk zone, from extreme to low and moderate. For R3, although it had a decrease in its probability of occurrence, the impact remained the same.</p>
<p>
<table-wrap id="gt7">
<label>Table 3</label>
<caption>
<title>Results of the risk evaluation</title>
</caption>
<alt-text>Table 3 Results of the risk evaluation</alt-text>
<graphic xlink:href="383667957013_gt7.png" position="anchor" orientation="portrait"/>
<attrib>Source: Own elaboration.</attrib>
</table-wrap>
</p>
<p>
<fig id="gf1">
<label>Figure 1</label>
<caption>
<title>Example of inherent and residual risk by Social Management process</title>
</caption>
<alt-text>Figure 1 Example of inherent and residual risk by Social Management process</alt-text>
<graphic xlink:href="383667957013_gf2.png" position="anchor" orientation="portrait"/>
<attrib>Source: Own elaboration.</attrib>
</fig>
</p>
<p>As can be seen in <xref ref-type="table" rid="gt7">Table 3</xref>, among relevant results, 57% of the risks were classified as operational, that is, they are events that can be caused by failures or inadequacy of processes, people or external events <xref ref-type="bibr" rid="ref11">(Committee on Banking Supervision Basel, 2003)</xref>. On the other hand, 13% of the risks associated with strategic situations, that is, they are the most important events for the organization to achieve its objectives, build and protect value <xref ref-type="bibr" rid="ref21">(Frigo &amp; Anderson, 2009)</xref>. Risks related to legal matters or compliance matters accounted for 11% of the total. The risk of corruption accounted for 10% of the total, which is a type typical of the public sector in Colombia, which began work on the issues after the issuance of Law 1474 of 2011.</p>
<p>Subsequently, as the analysis of the identified risks developed, it was necessary to determine the probability of their occurrence and impact. In this phase, the controls for each of the causes associated with risks were also identified. Controls were rigorously analyzed, determining for each one: Frequency, responsibility for the individual in charge, evidence of application and its nature (corrective or preventive). In those cases, in which the cause had no established controls, it was indicated so that the treatment step risk actions permitted that the development or strengthening would be documented.</p>
<p>The assessment of the residual risk, taking into account the incidence of controls, yielded the results shown in <xref ref-type="table" rid="gt7">table 3</xref>, where it is highlighted that 37% of the risks were located in the extreme zone and 25% in high zone, with the data indicating that corrective action should be taken immediately for the treatment of risks. For risks located in moderate and low zone, which correspond to 16% and 22%, respectively, actions should continue to be taken in implementing and or maintaining controls to manage these areas.</p>
</sec>
<sec>
<title><bold>Risk treatments</bold></title>
<p>The purpose of the risk treatment plan is to specify the manner in which the options chosen to mitigate the risks will be implemented, so that those involved understand the provisions, and that progress can be monitored regarding the planned actions <xref ref-type="bibr" rid="ref31">(International Organization for Standardization 31000, 2018)</xref>. The risk treatment indicated that 27% would be accepted, given that: They were located in lower zone, because the treatment actions were sufficient, or because the causes depended on external generating agents, for which there was no higher incidence.</p>
<p>On the other hand, 73% of the risk would be reduced through treatment actions. In this regard, the entity formulated 34 treatment actions in order to avoid the materializing of the risks. The formulation of the actions was carried out by the individual responsible for each process. In this regard, a documented action in a given process could impact others, so it was only formalized once and proceeded to socialize with the other processes on which some kind of effect would be presented.</p>
<p>It is highlighted that of the actions taken, 53% focused on updating or designing operating policies and 26% on raising awareness on existing training. The previous data are consistent with the risk distribution <xref ref-type="table" rid="gt7">(see table 3)</xref>, as 57% of them were classified as operational, so issues related to possible process failures and human failures had to be adjusted.</p>
</sec>
<sec>
<title><bold>Monitoring and review</bold></title>
<p>The purpose of monitoring and review is to ensure and improve the quality and effectiveness of the design, implementation and results of the process<xref ref-type="bibr" rid="ref31"> ( International Organization for Standardization 31000, 2018)</xref>. Given the definition of the risk criteria, a preliminary evaluation of the risk is defined, formalized and carried out according to the Risk Management Policy, where the monitoring and review processes are established based on the three lines of defense model <xref ref-type="bibr" rid="ref29">(Institute of Internal Auditors, 2020)</xref>. This was adopted by the National Government through the issuance of Decree 1499 of 2017, with specifically-developed operating manuals for implementation. As such, department head leaders would be responsible as the first line of defense through the ongoing supervision and monitoring of day-to-day activities.</p>
<p>This review process was carried out in three stages, as follows: First, although process leaders were charged with continuous monitoring of risks, it was also established that activities would be consolidated into quarterly reports, which were forwarded to the Corporate Planning area entity. Secondly, based on information from the first step, the Corporate Planning area proceeded with validating the consolidated quarterly reports with regular frequency. This allowed for the identification of possible improvement actions, in a focused and targeted manner for each process, with a transversal character for the entire risk management system. These activities configured the role of the second line of defense.</p>
<p>This corporate level risk report, consolidated by corporate planning, is integrated into the work of the Institutional Coordinating Committee for Internal Control for the organizational entity. This Committee is comprised of senior management, and operates as the highest monitoring and decision-making body in terms of control for the organization. As such, those decisions that could affect the operation in terms of risk management are taken by this committee since it has, as one of its main functions, the establishment and review of the risk management criteria, among which is the policy for risk management. Given this structure, the responsibility for strategic direction is established in the MIPG of the Consejo para la Gestión y Desempeño Institucional, and as such, is structured by the Institutional Committee Coordinator for Internal Control, an advisory and decision-making body on internal control for the overall senior management entity (Departamento Administrativo de la Función Pública, 2015).</p>
<p>Finally, there is the role of the third line of defense, which is responsible for implementing the risk-based audit plan, <xref ref-type="bibr" rid="ref30">(Institute of Internal Auditors, 2017)</xref> an exercise which makes it possible to independently evaluate the effectiveness and efficiency of the controls for the established risks. This third line also serves as an information provider for the risk update exercise, as it generates reporting that identifies risks that become inputs for updating the overall process for the entity’s risk matrices.</p>
</sec>
<sec>
<title><bold>Communication and consultation</bold></title>
<p>Preliminarily to the development of the focus groups, as well as the theoretical explanation of the concepts, the importance and stages necessary to develop the risk management process were carried out so that members involved in the processes were made aware of the importance of the exercise. This served to facilitate knowledge seeking and the transfer of the methodological development for the application and implementation stages in the risk management process. These processes and procedures were developed so that any interested party within the management entity could be consulted and engaged.</p>
<p>Additionally, the selection of participants for focus groups for each process was made taking into account the need to have different training profiles, roles and responsibilities in order to promote discussion and feedback from a variety of viewpoints.</p>
</sec>
<sec>
<title><bold>Recording and reporting</bold></title>
<p>The results of the focus group’s working sessions were consolidated into a risk matrix process, which later would serve as the official consultation document. In establishing the criteria for risk management, it was determined by the Corporate Planning entity that progress reports would be consolidated and that implementation results for overall risk management would be disseminated to the Institutional Internal Control Committee Coordinator. This committee was composed of leaders from each of the processes as well as the legal representative. Similarly, in each of their own departmental meetings, the risks are monitored, emphasizing the existing controls, as well as the actions established for the treatment of the risks. As well, the assessment of the residual risks resulted in them being categorized as being in either high or extreme areas, as well as being classified as corruption (as required by the sector). The dissemination of information in these aforementioned areas is aimed at reviewing aspects that may be useful for updating risk the matrices.</p>
</sec>
</sec>
<sec sec-type="discussion">
<title><bold>Discussion and conclusions</bold></title>
<p>The research results reveal some key factors for successful implementation.</p>
<p>
	<list list-type="simple">
		<list-item>
			<p>(I) Resource availability, which allowed the company to hire a professional to methodologically guide the development of building exercises as well as train members regarding the processes, and finally advising on the design for guidelines for risk management. This observation is in line with previous studies that evidenced the importance of having qualified personnel, tools, techniques and resources for successful ERM implementation <xref ref-type="bibr" rid="ref22">(Gibson &amp; Young, 2012</xref>;<xref ref-type="bibr" rid="ref27"> Hallowell et al., 2013)</xref>.</p>
		</list-item>
		<list-item>
			<p>(II) The integration of methodologies, as there were different guidelines for managing specific risks for differing types of regulations for the public sector, with the importance of having a single consolidated procedure. This is a study finding that had not been highlighted in previous studies.</p>
		</list-item>
		<list-item>
			<p>(III) Participative leadership support from top management in the development and tracking of implementation exercises that addressed risks. These findings support earlier research <xref ref-type="bibr" rid="ref44">(Moshesh et al., 2018</xref>; <xref ref-type="bibr" rid="ref55">Sax &amp; Torp, 2015)</xref>.</p>
		</list-item>
		<list-item>
			<p>(IV) Support of senior management to conduct and carry out risk management in the organization as it creates greater commitment from the members of the organization, which corroborates the previous findings in the literature <xref ref-type="bibr" rid="ref46">(Oliveira et al., 2019)</xref>.</p>
		</list-item>
		<list-item>
			<p>(V) and finally, as an emerging category, the importance of articulating and auditing risk management in ensuring that this work becomes inputted to update the risk matrices.</p>
		</list-item>
	</list>
</p>
<p>Further, the results allowed us to observe that the implementation of ERM strengthened the identification of several types of risks within the entity, including strategic risks. Another benefit was also evidenced by improving the way in which treatment measures were designed and carried out to respond to risks. For example, the materialization of risks was reduced by maintaining updated policies within the institution, which helped to reduce one of the main risks associated with operational issues. These results are in line with previous studies that observed the benefits granted by this practice in supporting decision-making in the face of differing types of risks that may arise in companies <xref ref-type="bibr" rid="ref28">(Hoyt &amp; Liebenberg, 2011)</xref>.</p>
<p>Also evidenced in the studied company was an improved framework for managing risk, where the organizational structure was revised to provide support for these risk initiatives, which clarified the roles and responsibilities of those involved in this exercise. These results are consistent with previous findings in the literature, where it was observed that Latin American companies strengthen their management structure risks by creating specific areas of responsibility for this function (Mejia et al., 2017). With guideline revisions within the institution, it was also possible to improve the characterization of the population within the scope of entity, as this was another highlighted benefit of implementing the risk management initiative.</p>
<p>The results confirm the importance of carrying out a comprehensive risk management program that allows for the administration of several types of risks under the same methodology, and thus facilitate the implementation of one system of ERM within differing areas within the organization. This evidence presents similarities to the issues raised in another study where the benefits of such holistic management were found <xref ref-type="bibr" rid="ref35">(Khan et al., 2016)</xref>.</p>
<sec>
<title><bold>Theoretical and practical implications</bold></title>
<p>This research has theoretical implications to the literature because it contributes to the literature on the key success factors in implementing risk management. Theoretical knowledge is also strengthened on the importance of adapting flexible risk management frameworks adjusted to the organization's environment and not only using rigid and standardized frameworks to implement ERM.</p>
<p>On the other hand, other practical implications could be taken into account: The implementation of the process of managing risk within the organization sought to integrate practices based on a holistic management approach, so the methodology used articulated regulatory requirements which Colombian legislation has issued to respond to risk management. This helped to avoid reprocesses, confusion and duplication efforts. Another key aspect was the active participation of the different roles of the organization, an aspect that is recommended in the deployment of initiatives of similar contexts, highlighting that of management, as this enabled the empowerment of employees at all levels within the organization. Finally, the rigor in the design and qualification of the controls for the risk causes was a key point in undertaking the execution of pertinent action plans.</p>
<p>The practical implications could be useful to be considered in the areas in charge of comprehensive risk management, specifically from the role of chief risk officer. In the organizational context, it could also be of interest to senior management roles, from where the conditions for effective integrated risk management must be ensured. From the point of view of the public sector in general, the contributions of this research are useful to be taken into account by other organizations obliged to implement the ERM, as well as by entities in charge of providing guidelines on the matter.</p>
</sec>
<sec>
<title><bold>Limitations and future research</bold></title>
<p>A limitation of this current study is to have a single entity and, therefore, no comparisons are made that would allow for observing different behaviors of managing risk within different contexts. It is important to note, that for this reason, this study is not intended to generalize the results which are exposed in the research. Future studies could expand the sample, allowing for the ability to carry out comparative analyzes. For example, it would be interesting to conduct a similar study in small and medium-sized companies, which, having different characteristics, may reflect different realities regarding the implementation of risk management.</p>
<p>On the other hand, while the current research included aspects of leadership style and its relationship to ERM, it is suggested that further research could deepen the professional experience of the members of the board of directors, and how they are associated with the ERM system, given that they are responsible for monitoring the performance of the company and are responsible for the value of the company.</p>
<p>In this same sense, this present research inquired about the benefits received when implementing ERM in regard to the opinion of the people who participated in the exercise. Future research could also include how benefit is perceived from different exogenous interest groups within the entity, to broaden the implications in managing risks.</p>
<p>Another limitation is the use of the qualitative approach to observe the factors driving risk management in the company. It would be interesting to use, in future research, a quantitative study with structural equations that could help to identify factors associated with the development of such management in public companies, and to include a representative sample for the population, so that the results could be generalized. This could also make a theoretical contribution by raising possible factors supported by more robust samples.</p>
<p>The study focused on observing the stage of ERM implementation in a public entity, the process followed, the benefits achieved and the difficulties encountered. Although it is an interesting contribution from the case study perspective, it would, on the other hand, be interesting to carry out future research to analyze important aspects in the design, in the framework and in the principles of risk management (International Organization for Standardization, 2018), and, to include a quantitative study to relate variables associated with the characteristics of the company (size, structure, sector, trajectory), and the impact on the planning stage.</p>
</sec>
</sec>
<sec>
<title><bold>Ethical considerations</bold></title>
<p>The investigation requested authorization from the entity to carry out the investigation and it was mentioned that the use of data would be anonymous. No ethical endorsement was required.</p>
</sec>
<sec>
<title><bold>Authors’ contributions statement</bold></title>
<p>Professor Diego Jurado-Zambrano participated in the elaboration of the article in the thematic role. Professor Eduart Villanueva participated in the preparation of the article in the methodological role.</p>
</sec>
<sec>
<title><bold>Financing</bold></title>
<p>There was no funding for the preparation of the article.</p>
</sec>
<sec>
<title><bold>Interest conflicts</bold></title>
<p>The authors declare that there is no conflict of interest in the preparation of the article.</p>
</sec>
</body>
<back>
<ref-list>
<title><bold>References</bold></title>
<ref id="ref1">
<mixed-citation>Agarwal, R., &amp; Ansell, J. (2016). Strategic Governance Lessons from History for West. <italic>Strategic Change: Briefings in Entrepreneurial Finance, 25</italic>(4), 427–439. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1002/jsc">https://doi.org/10.1002/jsc</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Agarwal</surname>
<given-names>R.</given-names>
</name>
<name>
<surname>Ansell</surname>
<given-names>J.</given-names>
</name>
</person-group>
<article-title>Strategic Governance Lessons from History for West</article-title>
<source>Strategic Change: Briefings in Entrepreneurial Finance</source>
<year>2016</year>
<volume>25</volume>
<issue>4</issue>
<fpage>427</fpage>
<lpage>439</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1002/jsc">https://doi.org/10.1002/jsc</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1002/jsc</pub-id>
</element-citation>
</ref>
<ref id="ref2">
<mixed-citation>Antonionia, G., &amp; Moreno, V. C. (2019). A procedure for emergency planning for SMEs under Seveso III directive in the ISO 31000 framework. <italic>Chemical Engineering, 77</italic>.</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Antonionia</surname>
<given-names>G.</given-names>
</name>
<name>
<surname>Moreno</surname>
<given-names>V. C.</given-names>
</name>
</person-group>
<article-title>A procedure for emergency planning for SMEs under Seveso III directive in the ISO 31000 framework</article-title>
<source>Chemical Engineering</source>
<year>2019</year>
<volume>77</volume>
</element-citation>
</ref>
<ref id="ref3">
<mixed-citation>Arnaboldi, M., &amp; Lapsley, I. (2014). Enterprise-wide risk management and organizational fit: A comparative study. <italic>Journal of Organizational Effectiveness, 1</italic>(4), 365–377. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/JOEPP-09-2014-0056">https://doi.org/10.1108/JOEPP-09-2014-0056</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Arnaboldi</surname>
<given-names>M.</given-names>
</name>
<name>
<surname>Lapsley</surname>
<given-names>I.</given-names>
</name>
</person-group>
<article-title>Enterprise-wide risk management and organizational fit: A comparative study</article-title>
<source>Journal of Organizational Effectiveness</source>
<year>2014</year>
<volume>1</volume>
<issue>4</issue>
<fpage>365</fpage>
<lpage>377</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/JOEPP-09-2014-0056">https://doi.org/10.1108/JOEPP-09-2014-0056</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1108/JOEPP-09-2014-0056</pub-id>
</element-citation>
</ref>
<ref id="ref4">
<mixed-citation>Beasley, M., Clune, R., &amp; Hermanson, D. (2005). Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. <italic>Journal of Accounting and Public Policy, 24</italic>(6), 521–531. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/j.jaccpubpol.2005.10.001">https://doi.org/10.1016/j.jaccpubpol.2005.10.001</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Beasley</surname>
<given-names>M.</given-names>
</name>
<name>
<surname>Clune</surname>
<given-names>R.</given-names>
</name>
<name>
<surname>Hermanson</surname>
<given-names>D.</given-names>
</name>
</person-group>
<article-title>Enterprise risk management: An empirical analysis of factors associated with the extent of implementation</article-title>
<source>Journal of Accounting and Public Policy</source>
<year>2005</year>
<volume>24</volume>
<issue>6</issue>
<fpage>521</fpage>
<lpage>531</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/j.jaccpubpol.2005.10.001">https://doi.org/10.1016/j.jaccpubpol.2005.10.001</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1016/j.jaccpubpol.2005.10.001</pub-id>
</element-citation>
</ref>
<ref id="ref5">
<mixed-citation>Blanco-Mesa, F., Rivera-Rubiano, J., Patino-Hernandez, X., &amp; Martinez-Montana, M. (2019). The importance of enterprise risk management in large companies in Colombia. <italic>Technological and Economic Development of Economy, 25</italic>(4), 600-633. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.3846/tede.2019.9380">https://doi.org/10.3846/tede.2019.9380</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Blanco-Mesa</surname>
<given-names>F.</given-names>
</name>
<name>
<surname>Rivera-Rubiano</surname>
<given-names>J.</given-names>
</name>
<name>
<surname>Patino-Hernandez</surname>
<given-names>X.</given-names>
</name>
<name>
<surname>Martinez-Montana</surname>
<given-names>M.</given-names>
</name>
</person-group>
<article-title>The importance of enterprise risk management in large companies in Colombia</article-title>
<source>Technological and Economic Development of Economy</source>
<year>2019</year>
<volume>25</volume>
<issue>4</issue>
<fpage>600</fpage>
<lpage>633</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.3846/tede.2019.9380">https://doi.org/10.3846/tede.2019.9380</ext-link>
</comment>
<pub-id pub-id-type="doi">10.3846/tede.2019.9380</pub-id>
</element-citation>
</ref>
<ref id="ref6">
<mixed-citation>Brustbauer, J. (2016). Enterprise risk management in SMEs: Towards a structural model. <italic>International Small Business Journal, 34</italic>(1), 70–85. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1177/0266242614542853">https://doi.org/10.1177/0266242614542853</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Brustbauer</surname>
<given-names>J.</given-names>
</name>
</person-group>
<article-title>nterprise risk management in SMEs: Towards a structural model</article-title>
<source>International Small Business Journal</source>
<year>2016</year>
<volume>34</volume>
<issue>1</issue>
<fpage>70</fpage>
<lpage>85</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1177/0266242614542853">https://doi.org/10.1177/0266242614542853</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1177/0266242614542853</pub-id>
</element-citation>
</ref>
<ref id="ref7">
<mixed-citation>Calandro, J. (2015). A leader’s guide to strategic risk management. <italic>Strategy &amp; Leadership, 43</italic>(1), 26. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/SL-11-2014-0082">https://doi.org/10.1108/SL-11-2014-0082</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Calandro</surname>
<given-names>J.</given-names>
</name>
</person-group>
<article-title>leader’s guide to strategic risk management</article-title>
<source>Strategy &amp; Leadership</source>
<year>2015</year>
<volume>43</volume>
<issue>1</issue>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/SL-11-2014-0082">https://doi.org/10.1108/SL-11-2014-0082</ext-link>
</comment>
<comment>26</comment>
<pub-id pub-id-type="doi">10.1108/SL-11-2014-0082</pub-id>
</element-citation>
</ref>
<ref id="ref8">
<mixed-citation>Caldarelli, A., Fiondella, C., Maffei, M., &amp; Zagaria, C. (2016). Managing risk in credit cooperative banks: Lessons from a case study. <italic>Management Accounting Research, 32</italic>(July), 1–15. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/j.mar.2015.10.002">https://doi.org/10.1016/j.mar.2015.10.002</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Caldarelli</surname>
<given-names>A.</given-names>
</name>
<name>
<surname>Fiondella</surname>
<given-names>C.</given-names>
</name>
<name>
<surname>Maffei</surname>
<given-names>M.</given-names>
</name>
<name>
<surname>Zagaria</surname>
<given-names>C.</given-names>
</name>
</person-group>
<article-title>Managing risk in credit cooperative banks: Lessons from a case study</article-title>
<source>Management Accounting Research</source>
<year>2016</year>
<volume>32</volume>
<fpage>1</fpage>
<lpage>15</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/j.mar.2015.10.002">https://doi.org/10.1016/j.mar.2015.10.002</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1016/j.mar.2015.10.002</pub-id>
<issue-part>July</issue-part>
</element-citation>
</ref>
<ref id="ref9">
<mixed-citation>Committee of Sponsoring Organizations of the Treadway Commission (2013). Control Interno-Marco Integrado (COSO). <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1111/j.1559-1816.2000.tb02505.x">https://doi.org/10.1111/j.1559-1816.2000.tb02505.x</ext-link>
</mixed-citation>
<element-citation publication-type="webpage">
<person-group person-group-type="author">
<collab>Committee of Sponsoring Organizations of the Treadway Commission</collab>
</person-group>
<source>Control Interno-Marco Integrado (COSO)</source>
<year>2013</year>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1111/j.1559-1816.2000.tb02505.x">https://doi.org/10.1111/j.1559-1816.2000.tb02505.x</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1111/j.1559-1816.2000.tb02505.x</pub-id>
</element-citation>
</ref>
<ref id="ref10">
<mixed-citation>Committee of Sponsoring Organizations of the Treadway Commission (2017). Enterprise Risk Management—Integrating with Strategy and Performance. Committee of Sponsoring Organizations of the Treadway Commission.</mixed-citation>
<element-citation publication-type="book">
<person-group person-group-type="author">
<collab>Committee of Sponsoring Organizations of the Treadway Commission</collab>
</person-group>
<source>Enterprise Risk Management—Integrating with Strategy and Performance</source>
<year>2017</year>
<publisher-name>Committee of Sponsoring Organizations of the Treadway Commission</publisher-name>
</element-citation>
</ref>
<ref id="ref11">
<mixed-citation>Committee on Banking Supervision Basel (2003). Operacional risk transfer across financial sectors. <italic>Committee on Banking Supervision Basel</italic>. <ext-link ext-link-type="uri" xlink:href="https://www.bis.org/publ/joint06.pdf">https://www.bis.org/publ/joint06.pdf</ext-link>
</mixed-citation>
<element-citation publication-type="webpage">
<person-group person-group-type="author">
<collab>Committee on Banking Supervision Basel</collab>
</person-group>
<source>Committee on Banking Supervision Basel</source>
<year>2003</year>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://www.bis.org/publ/joint06.pdf">https://www.bis.org/publ/joint06.pdf</ext-link>
</comment>
</element-citation>
</ref>
<ref id="ref12">
<mixed-citation>Corbin, J., &amp; Strauss, A. (1990). Grounded Theory Methodology: Procedures, Canons, and Evaluative Criteria. <italic>Qualitative Sociology, 13</italic>(1), 3–21. <ext-link ext-link-type="uri" xlink:href="https://med-fom-familymed-research.sites.olt.ubc.ca/files/2012/03/W10-Corbin-and-Strauss-grounded-theory.pdf">https://med-fom-familymed-research.sites.olt.ubc.ca/files/2012/03/W10-Corbin-and-Strauss-grounded-theory.pdf</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Corbin</surname>
<given-names>J.</given-names>
</name>
<name>
<surname>Strauss</surname>
<given-names>A.</given-names>
</name>
</person-group>
<article-title>Grounded Theory Methodology: Procedures, Canons, and Evaluative Criteria</article-title>
<source>Qualitative Sociology</source>
<year>1990</year>
<volume>13</volume>
<issue>1</issue>
<fpage>3</fpage>
<lpage>21</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://med-fom-familymed-research.sites.olt.ubc.ca/files/2012/03/W10-Corbin-and-Strauss-grounded-theory.pdf">https://med-fom-familymed-research.sites.olt.ubc.ca/files/2012/03/W10-Corbin-and-Strauss-grounded-theory.pdf</ext-link>
</comment>
</element-citation>
</ref>
<ref id="ref13">
<mixed-citation>Creswell, J. (2003). <italic>Research design Qualitative, Quantitative, and Mixed Methods Approaches</italic>, 2<sup>nd</sup> ed. London: Sage Publications. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.3109/08941939.2012.723954">https://doi.org/10.3109/08941939.2012.723954</ext-link>
</mixed-citation>
<element-citation publication-type="book">
<person-group person-group-type="author">
<name>
<surname>Creswell</surname>
<given-names>J.</given-names>
</name>
</person-group>
<source>Research design Qualitative, Quantitative, and Mixed Methods Approaches</source>
<year>2003</year>
<publisher-loc>London</publisher-loc>
<publisher-name>Sage Publications</publisher-name>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.3109/08941939.2012.723954">https://doi.org/10.3109/08941939.2012.723954</ext-link>
</comment>
<edition>2nd</edition>
<pub-id pub-id-type="doi">10.3109/08941939.2012.723954</pub-id>
</element-citation>
</ref>
<ref id="ref14">
<mixed-citation>Creswell, J. (2007). <italic>Qualitative Inquiry &amp; Research Design: Choosing Among Five Approaches</italic>, 2<sup>nd</sup> ed. London: Sage Publications. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/S0022-3476(89)80781-4">https://doi.org/10.1016/S0022-3476(89)80781-4</ext-link>
</mixed-citation>
<element-citation publication-type="book">
<person-group person-group-type="author">
<name>
<surname>Creswell</surname>
<given-names>J.</given-names>
</name>
</person-group>
<source>Qualitative Inquiry &amp; Research Design: Choosing Among Five Approaches</source>
<year>2007</year>
<publisher-loc>London</publisher-loc>
<publisher-name>Sage Publications</publisher-name>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/S0022-3476(89)80781-4">https://doi.org/10.1016/S0022-3476(89)80781-4</ext-link>
</comment>
<edition>2nd</edition>
<pub-id pub-id-type="doi">10.1016/S0022-3476(89)80781-4</pub-id>
</element-citation>
</ref>
<ref id="ref15">
<mixed-citation>Creswell, J., Hanson, W., Clark, V., &amp; Morales, A. (2007). Qualitative Research Designs: Selection and Implementation. <italic>The Counseling Psychologist, 35</italic>(2), 236–264. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1177/0011000006287390">https://doi.org/10.1177/0011000006287390</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Creswell</surname>
<given-names>J.</given-names>
</name>
<name>
<surname>Hanson</surname>
<given-names>W.</given-names>
</name>
<name>
<surname>Clark</surname>
<given-names>V.</given-names>
</name>
<name>
<surname>Morales</surname>
<given-names>A.</given-names>
</name>
</person-group>
<article-title>Qualitative Research Designs: Selection and Implementation</article-title>
<source>The Counseling Psychologist</source>
<year>2007</year>
<volume>35</volume>
<issue>2</issue>
<fpage>236</fpage>
<lpage>264</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1177/0011000006287390">https://doi.org/10.1177/0011000006287390</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1177/0011000006287390</pub-id>
</element-citation>
</ref>
<ref id="ref16">
<mixed-citation>Davidson, C. (2009). Transcription: Imperatives for Qualitative Research. <italic>International Journal of Qualitative Methods, 8</italic>(2), 35–52. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1177/160940690900800206">https://doi.org/10.1177/160940690900800206</ext-link>
</mixed-citation>
<element-citation publication-type="book">
<person-group person-group-type="author">
<name>
<surname>Davidson</surname>
<given-names>C.</given-names>
</name>
</person-group>
<article-title>Transcription: Imperatives for Qualitative Research</article-title>
<source>International Journal of Qualitative Methods</source>
<year>2009</year>
<volume>8</volume>
<issue>2</issue>
<fpage>35</fpage>
<lpage>52</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1177/160940690900800206">https://doi.org/10.1177/160940690900800206</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1177/160940690900800206</pub-id>
</element-citation>
</ref>
<ref id="ref17">
<mixed-citation>de Freitas Alves, G., Neto, W., Coli, M., de Souza, P., Sant’Ana, T., &amp; Salgado, E. (2017). Perception of Enterprise Risk Management in Brazilian Higher Education Institutions. In European, Mediterranean, and Middle Eastern Conference on Information Systems (pp. 506-512). Springer, Cham.</mixed-citation>
<element-citation publication-type="book">
<person-group person-group-type="author">
<name>
<surname>de Freitas Alves</surname>
<given-names>G.</given-names>
</name>
<name>
<surname>Neto</surname>
<given-names>W.</given-names>
</name>
<name>
<surname>Coli</surname>
<given-names>M.</given-names>
</name>
<name>
<surname>de Souza,</surname>
<given-names>P.</given-names>
</name>
<name>
<surname>Sant’Ana</surname>
<given-names>T.</given-names>
</name>
<name>
<surname>Salgado</surname>
<given-names>E.</given-names>
</name>
</person-group>
<source>In European, Mediterranean, and Middle Eastern Conference on Information Systems</source>
<year>2017</year>
<fpage>506</fpage>
<lpage>512</lpage>
<publisher-name>Springer, Cham</publisher-name>
<chapter-title>Perception of Enterprise Risk Management in Brazilian Higher Education Institutions</chapter-title>
</element-citation>
</ref>
<ref id="ref18">
<mixed-citation>Departamento Administrativo de la Función Pública (2018). Guía para la administración del riesgo y el diseño de controles en entidades públicas: riesgos de gestión, corrupción y seguridad digital. <ext-link ext-link-type="uri" xlink:href="http://www.funcionpublica.gov.co/documents/418548/34150781/Guía+para+la+administración+del+riesgo+y+el+diseño+de+controles+en+entidades+públicas+-+Riesgos+de+gestión%2C+corrupción+y+seguridad+digital+-+Versión+4+-+Octubre+de+2018.pdf/68d324dd-55c5-11e0-9f">http://www.funcionpublica.gov.co/documents/418548/34150781/Guía+para+la+administración+del+riesgo+y+el+diseño+de+controles+en+entidades+públicas+-+Riesgos+de+gestión%2C+corrupción+y+seguridad+digital+-+Versión+4+-+Octubre+de+2018.pdf/68d324dd-55c5-11e0-9f</ext-link>
</mixed-citation>
<element-citation publication-type="webpage">
<person-group person-group-type="author">
<collab>Departamento Administrativo de la Función Pública</collab>
</person-group>
<source>Guía para la administración del riesgo y el diseño de controles en entidades públicas: riesgos de gestión, corrupción y seguridad digital</source>
<year>2018</year>
<comment>
<ext-link ext-link-type="uri" xlink:href="http://www.funcionpublica.gov.co/documents/418548/34150781/Guía+para+la+administración+del+riesgo+y+el+diseño+de+controles+en+entidades+públicas+-+Riesgos+de+gestión%2C+corrupción+y+seguridad+digital+-+Versión+4+-+Octubre+de+2018.pdf/68d324dd-55c5-11e0-9f">http://www.funcionpublica.gov.co/documents/418548/34150781/Guía+para+la+administración+del+riesgo+y+el+diseño+de+controles+en+entidades+públicas+-+Riesgos+de+gestión%2C+corrupción+y+seguridad+digital+-+Versión+4+-+Octubre+de+2018.pdf/68d324dd-55c5-11e0-9f</ext-link>
</comment>
</element-citation>
</ref>
<ref id="ref19">
<mixed-citation>Elahi, E. (2013). Risk management: The next source of competitive advantage. <italic>Foresight, 15</italic>(2), 117–131. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/14636681311321121">https://doi.org/10.1108/14636681311321121</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Elahi</surname>
<given-names>E.</given-names>
</name>
</person-group>
<article-title>Risk management: The next source of competitive advantage</article-title>
<source>Foresight</source>
<year>2013</year>
<volume>15</volume>
<issue>2</issue>
<fpage>117</fpage>
<lpage>131</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/14636681311321121">https://doi.org/10.1108/14636681311321121</ext-link>
</comment>
<pub-id pub-id-type="doi">/10.1108/14636681311321121</pub-id>
</element-citation>
</ref>
<ref id="ref20">
<mixed-citation>Farrell, M., &amp; Gallagher, R. (2015). The Valuation Implications of Enterprise Risk Management Maturity. <italic>Journal of Risk and Insurance, 82</italic>(3), 625–657. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1111/jori.12035">https://doi.org/10.1111/jori.12035</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Farrell</surname>
<given-names>M.</given-names>
</name>
<name>
<surname>Gallagher</surname>
<given-names>R.</given-names>
</name>
</person-group>
<article-title>The Valuation Implications of Enterprise Risk Management Maturity</article-title>
<source>Journal of Risk and Insurance</source>
<year>2015</year>
<volume>82</volume>
<issue>3</issue>
<fpage>625</fpage>
<lpage>657</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1111/jori.12035">https://doi.org/10.1111/jori.12035</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1111/jori.12035</pub-id>
</element-citation>
</ref>
<ref id="ref21">
<mixed-citation>Frigo, B., &amp; Anderson, R. (2009). Strategic Risk Assessment. <italic>Strategic Finance</italic>, 25–33.</mixed-citation>
<element-citation publication-type="book">
<person-group person-group-type="author">
<name>
<surname>Frigo</surname>
<given-names>B.</given-names>
</name>
<name>
<surname>Anderson</surname>
<given-names>R.</given-names>
</name>
</person-group>
<source>Strategic Finance</source>
<year>2009</year>
<fpage>25</fpage>
<lpage>33</lpage>
<chapter-title>Strategic Risk Assessment</chapter-title>
</element-citation>
</ref>
<ref id="ref22">
<mixed-citation>Gibson, M., &amp; Young, J. (2012). Critical success factors for the implementation of an operational risk management system. <italic>Corporate Ownership and Control</italic>. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.22495/cocv10i1art12">https://doi.org/10.22495/cocv10i1art12</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Gibson</surname>
<given-names>M.</given-names>
</name>
<name>
<surname>Young</surname>
<given-names>J.</given-names>
</name>
</person-group>
<article-title>Critical success factors for the implementation of an operational risk management system</article-title>
<source>Corporate Ownership and Control</source>
<year>2012</year>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.22495/cocv10i1art12">https://doi.org/10.22495/cocv10i1art12</ext-link>
</comment>
<pub-id pub-id-type="doi">10.22495/cocv10i1art12</pub-id>
</element-citation>
</ref>
<ref id="ref23">
<mixed-citation>Giraldo, A. &amp; Nunez, M. (2020). Administración del riesgo estratégico en algunas grandes empresas privadas de Colombia. <italic>AD-minister</italic>, (36), 67-96. <ext-link ext-link-type="uri" xlink:href="https://vlex.com.co/vid/administracion-riesgo-estrategico-grandes-852187552">https://vlex.com.co/vid/administracion-riesgo-estrategico-grandes-852187552</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Giraldo</surname>
<given-names>A.</given-names>
</name>
<name>
<surname>Nunez</surname>
<given-names>M.</given-names>
</name>
</person-group>
<article-title>Administración del riesgo estratégico en algunas grandes empresas privadas de Colombia</article-title>
<source>AD-minister</source>
<year>2020</year>
<issue>36</issue>
<fpage>67</fpage>
<lpage>96</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://vlex.com.co/vid/administracion-riesgo-estrategico-grandes-852187552">https://vlex.com.co/vid/administracion-riesgo-estrategico-grandes-852187552</ext-link>
</comment>
</element-citation>
</ref>
<ref id="ref24">
<mixed-citation>Gordon, L., Loeb, M., &amp; Tseng, C. (2009). Enterprise risk management and firm performance: A contingency perspective. <italic>Journal of Accounting and Public Policy, 28</italic>(4), 301–327. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/j.jaccpubpol.2009.06.006">https://doi.org/10.1016/j.jaccpubpol.2009.06.006</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Gordon</surname>
<given-names>L.</given-names>
</name>
<name>
<surname>Loeb</surname>
<given-names>M.</given-names>
</name>
<name>
<surname>Tseng</surname>
<given-names>C.</given-names>
</name>
</person-group>
<article-title>Enterprise risk management and firm performance: A contingency perspective</article-title>
<source>Journal of Accounting and Public Policy</source>
<year>2009</year>
<volume>28</volume>
<issue>4</issue>
<fpage>301</fpage>
<lpage>327</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/j.jaccpubpol.2009.06.006">https://doi.org/10.1016/j.jaccpubpol.2009.06.006</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1016/j.jaccpubpol.2009.06.006</pub-id>
</element-citation>
</ref>
<ref id="ref25">
<mixed-citation>Govender, D. (2019). The use of the risk management model ISO 31000 by private security companies in South Africa. <italic>Security Journal, 32</italic>(3), 218-235. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1057/s41284-018-0158-x">https://doi.org/10.1057/s41284-018-0158-x</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Govender</surname>
<given-names>D.</given-names>
</name>
</person-group>
<article-title>The use of the risk management model ISO 31000 by private security companies in South Africa</article-title>
<source>Security Journal</source>
<year>2019</year>
<volume>32</volume>
<issue>3</issue>
<fpage>218</fpage>
<lpage>235</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1057/s41284-018-0158-x">https://doi.org/10.1057/s41284-018-0158-x</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1057/s41284-018-0158-x</pub-id>
</element-citation>
</ref>
<ref id="ref26">
<mixed-citation>Grace, M., Leverty, J., Phillips, R., &amp; Shimpi, P. (2015). The value of investing in enterprise risk management. <italic>Journal of Risk and Insurance, 82</italic>(2), 289–316. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1111/jori.12022">https://doi.org/10.1111/jori.12022</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Grace</surname>
<given-names>M.</given-names>
</name>
<name>
<surname>Leverty</surname>
<given-names>J.</given-names>
</name>
<name>
<surname>Phillips</surname>
<given-names>R.</given-names>
</name>
<name>
<surname>Shimpi</surname>
<given-names>P.</given-names>
</name>
</person-group>
<article-title>The value of investing in enterprise risk management</article-title>
<source>Journal of Risk and Insurance</source>
<year>2015</year>
<volume>82</volume>
<issue>2</issue>
<fpage>289</fpage>
<lpage>316</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1111/jori.12022">https://doi.org/10.1111/jori.12022</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1111/jori.12022</pub-id>
</element-citation>
</ref>
<ref id="ref27">
<mixed-citation>Hallowell, M., Molenaar, K., &amp; Fortunato, B. (2013). Enterprise risk management strategies for state departments of transportation. <italic>Journal of Management in Engineering, 29</italic>(2), 114–121. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1061/(ASCE)ME.1943-5479.0000136">https://doi.org/10.1061/(ASCE)ME.1943-5479.0000136</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Hallowell</surname>
<given-names>M.</given-names>
</name>
<name>
<surname>Molenaar</surname>
<given-names>K.</given-names>
</name>
<name>
<surname>Fortunato</surname>
<given-names>B.</given-names>
</name>
</person-group>
<article-title>Enterprise risk management strategies for state departments of transportation</article-title>
<source>Journal of Management in Engineering</source>
<year>2013</year>
<volume>29</volume>
<issue>2</issue>
<fpage>114</fpage>
<lpage>121</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1061/(ASCE)ME.1943-5479.0000136">https://doi.org/10.1061/(ASCE)ME.1943-5479.0000136</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1061/(ASCE)ME.1943-5479.0000136</pub-id>
</element-citation>
</ref>
<ref id="ref28">
<mixed-citation>Hoyt, R. &amp; Liebenberg, A. (2011). The value of enterprise risk management. <italic>Journal of Risk and Insurance, 78</italic>(4), 795–822. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1111/j.1539-6975.2011.01413.x">https://doi.org/10.1111/j.1539-6975.2011.01413.x</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Hoyt</surname>
<given-names>R.</given-names>
</name>
<name>
<surname>Liebenberg</surname>
<given-names>A.</given-names>
</name>
</person-group>
<article-title>The value of enterprise risk management</article-title>
<source>Journal of Risk and Insurance</source>
<year>2011</year>
<volume>78</volume>
<issue>4</issue>
<fpage>795</fpage>
<lpage>822</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1111/j.1539-6975.2011.01413.x">https://doi.org/10.1111/j.1539-6975.2011.01413.x</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1111/j.1539-6975.2011.01413.x</pub-id>
</element-citation>
</ref>
<ref id="ref29">
<mixed-citation>Institute of Internal Auditors (2020). El modelo de las tres lineas del IIA 2020. Institute of Internal Auditors. <ext-link ext-link-type="uri" xlink:href="https://na.theiia.org/translations/PublicDocuments/Three-Lines-Model-Updated-Spanish.pdf">https://na.theiia.org/translations/PublicDocuments/Three-Lines-Model-Updated-Spanish.pdf</ext-link>
</mixed-citation>
<element-citation publication-type="webpage">
<person-group person-group-type="author">
<collab>Institute of Internal Auditors</collab>
</person-group>
<source>Institute of Internal Auditors</source>
<year>2020</year>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://na.theiia.org/translations/PublicDocuments/Three-Lines-Model-Updated-Spanish.pdf">https://na.theiia.org/translations/PublicDocuments/Three-Lines-Model-Updated-Spanish.pdf</ext-link>
</comment>
</element-citation>
</ref>
<ref id="ref30">
<mixed-citation>Institute of Internal Auditors (2017). Marco Internacional para la práctica profesional de la auditoría interna. <ext-link ext-link-type="uri" xlink:href="https://na.theiia.org/translations/PublicDocuments/IPPF-Standards-2017-Spanish.pdf">https://na.theiia.org/translations/PublicDocuments/IPPF-Standards-2017-Spanish.pdf</ext-link>
</mixed-citation>
<element-citation publication-type="webpage">
<person-group person-group-type="author">
<collab>Institute of Internal Auditors</collab>
</person-group>
<source>Marco Internacional para la práctica profesional de la auditoría interna</source>
<year>2017</year>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://na.theiia.org/translations/PublicDocuments/IPPF-Standards-2017-Spanish.pdf">https://na.theiia.org/translations/PublicDocuments/IPPF-Standards-2017-Spanish.pdf</ext-link>
</comment>
</element-citation>
</ref>
<ref id="ref31">
<mixed-citation>International Organization for Standardization 31000 (2018). Risk management-Guidelines (standard No. ISO 31000:2018). Washington, DC: International Organization for Standardization. <ext-link ext-link-type="uri" xlink:href="https://www.iso.org/obp/ui#iso:std:iso31000">https://www.iso.org/obp/ui#iso:std:iso31000</ext-link>
</mixed-citation>
<element-citation publication-type="confproc">
<person-group person-group-type="author">
<collab>International Organization for Standardization</collab>
</person-group>
<source>Risk management-Guidelines (standard No. ISO 31000:2018)</source>
<year>2018</year>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://www.iso.org/obp/ui#iso:std:iso31000">https://www.iso.org/obp/ui#iso:std:iso31000</ext-link>
</comment>
<comment>International Organization for Standardization</comment>
<conf-loc>Washington, DC</conf-loc>
</element-citation>
</ref>
<ref id="ref32">
<mixed-citation>Jalal-Karim, A. (2013). Leveraging enterprise risk management (ERM) for boosting competitive business advantages in Bahrain. <italic>World Journal of Entrepreneurship, Management and Sustainable Development, 9</italic>(1), 65–75. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/20425961311315728">https://doi.org/10.1108/20425961311315728</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Jalal-Karim</surname>
<given-names>A.</given-names>
</name>
</person-group>
<article-title>Leveraging enterprise risk management (ERM) for boosting competitive business advantages in Bahrain</article-title>
<source>World Journal of Entrepreneurship Management and Sustainable Development</source>
<year>2013</year>
<volume>9</volume>
<issue>1</issue>
<fpage>65</fpage>
<lpage>75</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/20425961311315728">https://doi.org/10.1108/20425961311315728</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1108/20425961311315728</pub-id>
</element-citation>
</ref>
<ref id="ref33">
<mixed-citation>Jaraba, I., Nuñez, M. A., &amp; Villanueva, E. (2018). Riesgos estratégicos. Un estudio de las medidas de tratamiento implementadas por las grandes empresas privadas de Antioquia, Colombia. <italic>Cuadernos de Contabilidad, 19</italic>(47), 171–181. <ext-link ext-link-type="uri" xlink:href="https://doi.org/https://doi.org/10.11144/Javeriana.cc19-47">https://doi.org/https://doi.org/10.11144/Javeriana.cc19-47</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Jaraba</surname>
<given-names>I.</given-names>
</name>
<name>
<surname>Nuñez</surname>
<given-names>M. A.</given-names>
</name>
<name>
<surname>Villanueva</surname>
<given-names>E.</given-names>
</name>
</person-group>
<article-title>Riesgos estratégicos. Un estudio de las medidas de tratamiento implementadas por las grandes empresas privadas de Antioquia, Colombia</article-title>
<source>Cuadernos de Contabilidad</source>
<year>2018</year>
<volume>19</volume>
<issue>47</issue>
<fpage>171</fpage>
<lpage>181</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/https://doi.org/10.11144/Javeriana.cc19-47">https://doi.org/https://doi.org/10.11144/Javeriana.cc19-47</ext-link>
</comment>
<pub-id pub-id-type="doi">10.11144/Javeriana.cc19-47</pub-id>
</element-citation>
</ref>
<ref id="ref34">
<mixed-citation>Kerstin, D., Simone, O., &amp; Nicole, Z. (2014). Challenges in implementing enterprise risk management. <italic>ACRN Journal of Finance and Risk Perspectives, 3</italic>(3), 1-14. <ext-link ext-link-type="uri" xlink:href="https://silo.tips/download/challenges-in-implementing-enterprise-risk-management">https://silo.tips/download/challenges-in-implementing-enterprise-risk-management</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Kerstin</surname>
<given-names>D.</given-names>
</name>
<name>
<surname>Simone</surname>
<given-names>O.</given-names>
</name>
<name>
<surname>Nicole</surname>
<given-names>Z.</given-names>
</name>
</person-group>
<article-title>Challenges in implementing enterprise risk managemen</article-title>
<source>ACRN Journal of Finance and Risk Perspectives</source>
<year>2014</year>
<volume>3</volume>
<issue>3</issue>
<fpage>1</fpage>
<lpage>14</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://silo.tips/download/challenges-in-implementing-enterprise-risk-management">https://silo.tips/download/challenges-in-implementing-enterprise-risk-management</ext-link>
</comment>
</element-citation>
</ref>
<ref id="ref35">
<mixed-citation>Khan, M., Hussain, D., &amp; Mehmood, W. (2016). Why do firms adopt enterprise risk management (ERM)? Empirical evidence from France. <italic>Management Decision, 54</italic>(8), 1886–1907. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/MD-09-2015-0400">https://doi.org/10.1108/MD-09-2015-0400</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Khan</surname>
<given-names>M.</given-names>
</name>
<name>
<surname>Hussain</surname>
<given-names>D.</given-names>
</name>
<name>
<surname>Mehmood</surname>
<given-names>W.</given-names>
</name>
</person-group>
<article-title>Why do firms adopt enterprise risk management (ERM)? Empirical evidence from France</article-title>
<source>Management Decision</source>
<year>2016</year>
<volume>54</volume>
<issue>8</issue>
<fpage>1886</fpage>
<lpage>1907</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/MD-09-2015-0400">https://doi.org/10.1108/MD-09-2015-0400</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1108/MD-09-2015-0400</pub-id>
</element-citation>
</ref>
<ref id="ref36">
<mixed-citation>Kidd, P., &amp; Parshall, M. (2000). Getting the focus and the group: Enhancing analytical rigor in focus group research. <italic>Qualitative Health Research, 10</italic>(3), 293–308. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1177/104973200129118453">https://doi.org/10.1177/104973200129118453</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Kidd</surname>
<given-names>P.</given-names>
</name>
<name>
<surname>Parshall</surname>
<given-names>M.</given-names>
</name>
</person-group>
<article-title>Getting the focus and the group: Enhancing analytical rigor in focus group research</article-title>
<source>Qualitative Health Research</source>
<year>2000</year>
<volume>10</volume>
<issue>3</issue>
<fpage>293</fpage>
<lpage>308</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1177/104973200129118453">https://doi.org/10.1177/104973200129118453</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1177/104973200129118453</pub-id>
</element-citation>
</ref>
<ref id="ref37">
<mixed-citation>Kitzinger, J. (1995). Qualitative Research: Introducing focus groups. <italic>Bmj, 311</italic>(7000), 299. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1136/bmj.311.7000.299">https://doi.org/10.1136/bmj.311.7000.299</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Kitzinger</surname>
<given-names>J.</given-names>
</name>
</person-group>
<article-title>Qualitative Research: Introducing focus groups</article-title>
<source>Bmj</source>
<year>1995</year>
<volume>311</volume>
<issue>7000</issue>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1136/bmj.311.7000.299">https://doi.org/10.1136/bmj.311.7000.299</ext-link>
</comment>
<comment>299</comment>
<pub-id pub-id-type="doi">10.1136/bmj.311.7000.299</pub-id>
</element-citation>
</ref>
<ref id="ref38">
<mixed-citation>Kravchenko, S. (2018). The development of non-linear knowledge: New risks, vulnerabilities, and hopes. <italic>RUDN Journal of Sociology, 18</italic>(2), 195–207. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.22363/2313-2272-2018-18-2-195-207">https://doi.org/10.22363/2313-2272-2018-18-2-195-207</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Kravchenko2</surname>
<given-names>S.</given-names>
</name>
</person-group>
<article-title>The development of non-linear knowledge: New risks, vulnerabilities, and hopes</article-title>
<source>RUDN Journal of Sociology</source>
<year>2018</year>
<volume>18</volume>
<issue>2</issue>
<fpage>195</fpage>
<lpage>207</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.22363/2313-2272-2018-18-2-195-207">https://doi.org/10.22363/2313-2272-2018-18-2-195-207</ext-link>
</comment>
<pub-id pub-id-type="doi">10.22363/2313-2272-2018-18-2-195-207</pub-id>
</element-citation>
</ref>
<ref id="ref39">
<mixed-citation>Lapadat, J., &amp; Lindsay, A. (1999). Transcription in research and practice: From standardization of technique to interpretive positionings. <italic>Qualitative Inquiry, 5</italic>(1), 64–86. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1177/107780049900500104">https://doi.org/10.1177/107780049900500104</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Lapadat</surname>
<given-names>J.</given-names>
</name>
<name>
<surname>Lindsay</surname>
<given-names>A.</given-names>
</name>
</person-group>
<article-title>Transcription in research and practice: From standardization of technique to interpretive positionings</article-title>
<source>Qualitative Inquiry</source>
<year>1999</year>
<volume>5</volume>
<issue>1</issue>
<fpage>64</fpage>
<lpage>86</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1177/107780049900500104">https://doi.org/10.1177/107780049900500104</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1177/107780049900500104</pub-id>
</element-citation>
</ref>
<ref id="ref40">
<mixed-citation>Lapsley, I. (2009). New public management: The cruellest invention of the human spirit? <italic>Abacus, 45</italic>(1), 1–21. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1111/j.1467-6281.2009.00275.x">https://doi.org/10.1111/j.1467-6281.2009.00275.x</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Lapsley</surname>
<given-names>I.</given-names>
</name>
</person-group>
<article-title>New public management: The cruellest invention of the human spirit?</article-title>
<source>Abacus</source>
<year>2009</year>
<volume>45</volume>
<issue>1</issue>
<fpage>1</fpage>
<lpage>21</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1111/j.1467-6281.2009.00275.x">https://doi.org/10.1111/j.1467-6281.2009.00275.x</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1111/j.1467-6281.2009.00275.x</pub-id>
</element-citation>
</ref>
<ref id="ref41">
<mixed-citation>Mejía, R. (2006). <italic>Administración de riesgos. Un enfoque empresarial</italic>. Medellín: Fondo Editorial Universidad EAFIT.</mixed-citation>
<element-citation publication-type="book">
<person-group person-group-type="author">
<name>
<surname>Mejía</surname>
<given-names>R.</given-names>
</name>
</person-group>
<source>Un enfoque empresarial</source>
<year>2006</year>
<publisher-loc>Medellín</publisher-loc>
<publisher-name>Fondo Editorial Universidad EAFIT</publisher-name>
<chapter-title>Administración de riesgos</chapter-title>
</element-citation>
</ref>
<ref id="ref42">
<mixed-citation>Mishler, E. (1991). Representing Discourse: The Rhetoric of Transcription. <italic>Journal of Narrative and Life History, 1</italic>(4), 255–280. <ext-link ext-link-type="uri" xlink:href="https://doi.org/https://doi.org/10.1075/jnlh.1.4.01rep">https://doi.org/https://doi.org/10.1075/jnlh.1.4.01rep</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Mishler</surname>
<given-names>E.</given-names>
</name>
</person-group>
<article-title>Representing Discourse: The Rhetoric of Transcription</article-title>
<source>Journal of Narrative and Life History</source>
<year>1991</year>
<volume>1</volume>
<issue>4</issue>
<fpage>255</fpage>
<lpage>280</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/https://doi.org/10.1075/jnlh.1.4.01rep">https://doi.org/https://doi.org/10.1075/jnlh.1.4.01rep</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1075/jnlh.1.4.01rep</pub-id>
</element-citation>
</ref>
<ref id="ref43">
<mixed-citation>Morrow, S., &amp; Smith, M. (2000). Qualitative Research for Counseling Psychology. In S. Brown &amp; R. Lent (Eds.),<italic> Hanbook of Counseling Psychology</italic> (3<sup>rd</sup> ed., pp. 199–230). New York: John Wiley.</mixed-citation>
<element-citation publication-type="book">
<person-group person-group-type="author">
<name>
<surname>Morrow</surname>
<given-names>S.</given-names>
</name>
<name>
<surname>Smith</surname>
<given-names>M.</given-names>
</name>
</person-group>
<person-group person-group-type="editor">
<name>
<surname>Brown</surname>
<given-names>S.</given-names>
</name>
<name>
<surname>Lent</surname>
<given-names>R</given-names>
</name>
</person-group>
<source>Hanbook of Counseling Psychology</source>
<year>2000</year>
<fpage>199</fpage>
<lpage>230</lpage>
<publisher-loc>New York</publisher-loc>
<publisher-name>John Wiley</publisher-name>
<chapter-title>Qualitative Research for Counseling Psychology.</chapter-title>
<edition>3rd</edition>
</element-citation>
</ref>
<ref id="ref44">
<mixed-citation>Moshesh, R., Niemann, W., &amp; Kotzé, T. (2018). Enterprise risk management implementation challenges: A case study in a petrochemical supply chain. South <italic>African Journal of Industrial Engineering</italic>, 29(4), 230-244. <ext-link ext-link-type="uri" xlink:href="https://dx.doi.org/10.7166/29-4-1782">https://dx.doi.org/10.7166/29-4-1782</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Moshesh</surname>
<given-names>R.</given-names>
</name>
<name>
<surname>Niemann</surname>
<given-names>W.</given-names>
</name>
<name>
<surname>Kotzé</surname>
<given-names>T.</given-names>
</name>
</person-group>
<article-title>Enterprise risk management implementation challenges: A case study in a petrochemical supply chain</article-title>
<source>South African Journal of Industrial Engineering</source>
<year>2018</year>
<volume>29</volume>
<issue>4</issue>
<fpage>230</fpage>
<lpage>244</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://dx.doi.org/10.7166/29-4-1782">https://dx.doi.org/10.7166/29-4-1782</ext-link>
</comment>
<pub-id pub-id-type="doi">10.7166/29-4-1782</pub-id>
</element-citation>
</ref>
<ref id="ref45">
<mixed-citation>Oliva, F. (2016). A maturity model for enterprise risk management. <italic>International Journal of Production Economics, 173</italic>, 66–79. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/j.ijpe.2015.12.007">https://doi.org/10.1016/j.ijpe.2015.12.007</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Oliva</surname>
<given-names>F.</given-names>
</name>
</person-group>
<article-title>A maturity model for enterprise risk management</article-title>
<source>International Journal of Production Economics</source>
<year>2016</year>
<volume>173</volume>
<fpage>66</fpage>
<lpage>79</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/j.ijpe.2015.12.007">https://doi.org/10.1016/j.ijpe.2015.12.007</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1016/j.ijpe.2015.12.007</pub-id>
</element-citation>
</ref>
<ref id="ref46">
<mixed-citation>Oliveira, K., Méxas, M., Meiriño, M., &amp; Drumond, G. (2019). Critical success factors associated with the implementation of enterprise risk management. <italic>Journal of Risk Research, 22</italic>(8), 1004–1019. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1080/13669877.2018.1437061">https://doi.org/10.1080/13669877.2018.1437061</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Oliveira</surname>
<given-names>K.</given-names>
</name>
<name>
<surname>Méxas</surname>
<given-names>M.</given-names>
</name>
<name>
<surname>Meiriño</surname>
<given-names>M.</given-names>
</name>
<name>
<surname>Drumond</surname>
<given-names>G.</given-names>
</name>
</person-group>
<article-title>Critical success factors associated with the implementation of enterprise risk management</article-title>
<source>Journal of Risk Research</source>
<year>2019</year>
<volume>22</volume>
<issue>8</issue>
<fpage>1004</fpage>
<lpage>1019</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1080/13669877.2018.1437061">https://doi.org/10.1080/13669877.2018.1437061</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1080/13669877.2018.1437061</pub-id>
</element-citation>
</ref>
<ref id="ref47">
<mixed-citation>Onwuegbuzie, A., Dickinson, W., Leech, N., &amp; Zoran, A. (2009). A Qualitative Framework for Collecting and Analyzing Data in Focus Group Research. <italic>International Journal of Qualitative Methods, 8</italic>(3), 1–21. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1177/160940690900800301">https://doi.org/10.1177/160940690900800301</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Onwuegbuzie</surname>
<given-names>A.</given-names>
</name>
<name>
<surname>Dickinson</surname>
<given-names>W.</given-names>
</name>
<name>
<surname>Leech</surname>
<given-names>N.</given-names>
</name>
<name>
<surname>Zoran</surname>
<given-names>A.</given-names>
</name>
</person-group>
<article-title>A Qualitative Framework for Collecting and Analyzing Data in Focus Group Research</article-title>
<source>International Journal of Qualitative Methods</source>
<year>2009</year>
<volume>8</volume>
<issue>3</issue>
<fpage>1</fpage>
<lpage>21</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1177/160940690900800301">https://doi.org/10.1177/160940690900800301</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1177/160940690900800301</pub-id>
</element-citation>
</ref>
<ref id="ref48">
<mixed-citation>Parviainen, T., Goerlandt, F., Helle, I., Haapasaari, P., &amp; Kuikka, S. (2021). Implementing Bayesian networks for ISO 31000: 2018-based maritime oil spill risk management: State-of-art, implementation benefits and challenges, and future research directions. <italic>Journal of Environmental Management</italic>, 278, 111520.</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Parviainen</surname>
<given-names>T.</given-names>
</name>
<name>
<surname>Goerlandt</surname>
<given-names>F.</given-names>
</name>
<name>
<surname>Helle</surname>
<given-names>I.</given-names>
</name>
<name>
<surname>Haapasaari</surname>
<given-names>P.</given-names>
</name>
<name>
<surname>Kuikka</surname>
<given-names>S.</given-names>
</name>
</person-group>
<article-title>Implementing Bayesian networks for ISO 31000: 2018-based maritime oil spill risk management: State-of-art, implementation benefits and challenges, and future research directions</article-title>
<source>Journal of Environmental Management</source>
<year>2021</year>
<volume>278</volume>
<elocation-id>111520</elocation-id>
</element-citation>
</ref>
<ref id="ref49">
<mixed-citation>Pérez-Cornejo, C., de Quevedo-Puente, E., &amp; Delgado-García, J. B. (2019). How to manage corporate reputation? The effect of enterprise risk management systems and audit committees on corporate reputation. <italic>European Management Journal, 37</italic>(4), 505–515. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/j.emj.2019.01.005">https://doi.org/10.1016/j.emj.2019.01.005</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Pérez-Cornejo</surname>
<given-names>C.</given-names>
</name>
<name>
<surname>Quevedo-Puente</surname>
<given-names>E.</given-names>
</name>
<name>
<surname>Delgado-García</surname>
<given-names>J. B.</given-names>
</name>
</person-group>
<article-title>How to manage corporate reputation? The effect of enterprise risk management systems and audit committees on corporate reputation</article-title>
<source>European Management Journal</source>
<year>2019</year>
<volume>37</volume>
<issue>4</issue>
<fpage>505</fpage>
<lpage>515</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/j.emj.2019.01.005">https://doi.org/10.1016/j.emj.2019.01.005</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1016/j.emj.2019.01.005</pub-id>
</element-citation>
</ref>
<ref id="ref50">
<mixed-citation>Purdy, G. (2010). ISO 31000:2009 - Setting a new standard for risk management: Perspective. <italic>Risk Analysis, 30</italic>(6), 881–886. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1111/j.1539-6924.2010.01442.x">https://doi.org/10.1111/j.1539-6924.2010.01442.x</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Purdy</surname>
<given-names>G.</given-names>
</name>
</person-group>
<article-title>Setting a new standard for risk management: Perspective</article-title>
<source>Risk Analysis</source>
<year>2010</year>
<volume>30</volume>
<issue>6</issue>
<fpage>881</fpage>
<lpage>886</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1111/j.1539-6924.2010.01442.x">https://doi.org/10.1111/j.1539-6924.2010.01442.x</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1111/j.1539-6924.2010.01442.x</pub-id>
</element-citation>
</ref>
<ref id="ref51">
<mixed-citation>Rampini, G., Takia, H., &amp; Berssaneti, F. (2019). Critical success factors of risk management with the advent of ISO 31000 2018-Descriptive and content analyzes. <italic>Procedia Manufacturing, 39</italic>, 894-903. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/j.promfg.2020.01.400">https://doi.org/10.1016/j.promfg.2020.01.400</ext-link>
</mixed-citation>
<element-citation publication-type="webpage">
<person-group person-group-type="author">
<name>
<surname>Rampini</surname>
<given-names>G.</given-names>
</name>
<name>
<surname>Takia</surname>
<given-names>H.</given-names>
</name>
<name>
<surname>Berssaneti</surname>
<given-names>F.</given-names>
</name>
</person-group>
<article-title>Critical success factors of risk management with the advent of ISO 31000 2018-Descriptive and content analyzes</article-title>
<source>Procedia Manufacturing</source>
<year>2019</year>
<volume>39</volume>
<fpage>894</fpage>
<lpage>903</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/j.promfg.2020.01.400">https://doi.org/10.1016/j.promfg.2020.01.400</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1016/j.promfg.2020.01.400</pub-id>
</element-citation>
</ref>
<ref id="ref52">
<mixed-citation>Rana, T., Wickramasinghe, D., &amp; Bracci, E. (2019). New development: Integrating risk management in management control systems—lessons for public sector managers. <italic>Public Money and Management, 39</italic>(2), 148–151. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1080/09540962.2019.1580921">https://doi.org/10.1080/09540962.2019.1580921</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Rana</surname>
<given-names>T.</given-names>
</name>
<name>
<surname>Wickramasinghe</surname>
<given-names>D.</given-names>
</name>
<name>
<surname>Bracci</surname>
<given-names>E.</given-names>
</name>
</person-group>
<article-title>New development: Integrating risk management in management control systems—lessons for public sector managers</article-title>
<source>Public Money and Management</source>
<year>2019</year>
<volume>39</volume>
<issue>2</issue>
<fpage>148</fpage>
<lpage>151</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1080/09540962.2019.1580921">https://doi.org/10.1080/09540962.2019.1580921</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1080/09540962.2019.1580921</pub-id>
</element-citation>
</ref>
<ref id="ref53">
<mixed-citation>Rasid, S., Isa, C., &amp; Ismail, W. (2014). Management accounting systems, enterprise risk management and organizational performance in financial institutions. <italic>Asian Review of Accounting, 22</italic>(2), 128–144. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/ARA-03-2013-0022">https://doi.org/10.1108/ARA-03-2013-0022</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Rasid</surname>
<given-names>S.</given-names>
</name>
<name>
<surname>Isa</surname>
<given-names>C.</given-names>
</name>
<name>
<surname>Ismail</surname>
<given-names>W.</given-names>
</name>
</person-group>
<article-title>Management accounting systems, enterprise risk management and organizational performance in financial institutions</article-title>
<source>Asian Review of Accounting</source>
<year>2014</year>
<volume>22</volume>
<issue>2</issue>
<fpage>128</fpage>
<lpage>144</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/ARA-03-2013-0022">https://doi.org/10.1108/ARA-03-2013-0022</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1108/ARA-03-2013-0022</pub-id>
</element-citation>
</ref>
<ref id="ref54">
<mixed-citation>Saeidi, P., Saeidi, S., Gutierrez, L., Streimikiene, D., Alrasheedi, M., Saeidi, S., &amp; Mardani, A. (2021). The influence of enterprise risk management on firm performance with the moderating effect of intellectual capital dimensions. <italic>Economic Research-Ekonomska Istraživanja, 34</italic>(1), 122-151.</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Saeidi</surname>
<given-names>P.</given-names>
</name>
<name>
<surname>Saeidi</surname>
<given-names>S.</given-names>
</name>
<name>
<surname>Gutierrez</surname>
<given-names>L.</given-names>
</name>
<name>
<surname>Streimikiene</surname>
<given-names>D.</given-names>
</name>
<name>
<surname>Alrasheedi</surname>
<given-names>M.</given-names>
</name>
<name>
<surname>Saeidi</surname>
<given-names>S.</given-names>
</name>
<name>
<surname>Mardani</surname>
<given-names>A.</given-names>
</name>
</person-group>
<article-title>The influence of enterprise risk management on firm performance with the moderating effect of intellectual capital dimensions</article-title>
<source>Economic Research-Ekonomska Istraživanja</source>
<year>2021</year>
<volume>34</volume>
<issue>1</issue>
<fpage>122</fpage>
<lpage>151</lpage>
</element-citation>
</ref>
<ref id="ref55">
<mixed-citation>Sax, J., &amp; Torp, S. (2015). Speak up! enhancing risk performance with enterprise risk management, leadership style and employee voice. <italic>Management Decision, 53</italic>(7), 1452–1468. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/MD-10-2014-0625">https://doi.org/10.1108/MD-10-2014-0625</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Sax</surname>
<given-names>J.</given-names>
</name>
<name>
<surname>Torp</surname>
<given-names>S.</given-names>
</name>
</person-group>
<article-title>Speak up! enhancing risk performance with enterprise risk management, leadership style and employee voice</article-title>
<source>Management Decision</source>
<year>2015</year>
<volume>53</volume>
<issue>7</issue>
<fpage>1452</fpage>
<lpage>1468</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/MD-10-2014-0625">https://doi.org/10.1108/MD-10-2014-0625</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1108/MD-10-2014-0625</pub-id>
</element-citation>
</ref>
<ref id="ref56">
<mixed-citation>Shi, X., Wong, Y., Li, M., &amp; Chai, C. (2018). Key risk indicators for accident assessment conditioned on pre-crash vehicle trajectory. <italic>Accident Analysis and Prevention, 117</italic>(December 2017), 346–356. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/j.aap.2018.05.007">https://doi.org/10.1016/j.aap.2018.05.007</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Shi</surname>
<given-names>X.</given-names>
</name>
<name>
<surname>Wong</surname>
<given-names>Y.</given-names>
</name>
<name>
<surname>Li</surname>
<given-names>M.</given-names>
</name>
<name>
<surname>Chai</surname>
<given-names>C.</given-names>
</name>
</person-group>
<article-title>Key risk indicators for accident assessment conditioned on pre-crash vehicle trajectory</article-title>
<source>Accident Analysis and Prevention</source>
<year>2018</year>
<volume>117</volume>
<issue>December 2017</issue>
<fpage>346</fpage>
<lpage>356</lpage>
<pub-id pub-id-type="doi">10.1016/j.aap.2018.05.007</pub-id>
</element-citation>
</ref>
<ref id="ref57">
<mixed-citation>Soltanizadeh, S., Abdul, S., Mottaghi, N., &amp; Wan, W. (2016). Business strategy, enterprise risk management and organizational performance. <italic>Management Research Review, 39</italic>(9), 1016–1033. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/MRR-05-2015-0107">https://doi.org/10.1108/MRR-05-2015-0107</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Soltanizadeh</surname>
<given-names>S.</given-names>
</name>
<name>
<surname>Abdul</surname>
<given-names>S.</given-names>
</name>
<name>
<surname>Mottaghi</surname>
<given-names>N.</given-names>
</name>
<name>
<surname>Wan</surname>
<given-names>W.</given-names>
</name>
</person-group>
<article-title>Business strategy, enterprise risk management and organizational performance</article-title>
<source>Management Research Review</source>
<year>2016</year>
<volume>39</volume>
<issue>9</issue>
<fpage>1016</fpage>
<lpage>1033</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/MRR-05-2015-0107">https://doi.org/10.1108/MRR-05-2015-0107</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1108/MRR-05-2015-0107</pub-id>
</element-citation>
</ref>
<ref id="ref58">
<mixed-citation>Stake, R. (1994). Case Studies. In N. Denzin &amp; Y. Lincoln (Eds.), <italic>Handbook of Qualitative Research.</italic> London: SAGE publications.</mixed-citation>
<element-citation publication-type="book">
<person-group person-group-type="author">
<name>
<surname>Stake</surname>
<given-names>R.</given-names>
</name>
</person-group>
<person-group person-group-type="editor">
<name>
<surname>Denzin</surname>
<given-names>N</given-names>
</name>
<name>
<surname>Lincoln</surname>
<given-names>Y</given-names>
</name>
</person-group>
<source>Handbook of Qualitative Research London: SAGE publications</source>
<year>1994</year>
<publisher-loc>London</publisher-loc>
<publisher-name>SAGE publications</publisher-name>
<chapter-title>Case Studies</chapter-title>
</element-citation>
</ref>
<ref id="ref59">
<mixed-citation>Tabares, J., Jaramillo, J., Arias, M., &amp; Arias, A. (2017). Tendencias en la investigación sobre gestión del riesgo empresarial: un análisis bibliométrico. <italic>Revista Venezolana de Gerencia, 22</italic>(79), 506-524. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.37960/revista.v22i79.23036">https://doi.org/10.37960/revista.v22i79.23036</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Tabares</surname>
<given-names>J.</given-names>
</name>
<name>
<surname>Jaramillo</surname>
<given-names>J.</given-names>
</name>
<name>
<surname>Arias</surname>
<given-names>M.</given-names>
</name>
<name>
<surname>Arias</surname>
<given-names>A.</given-names>
</name>
</person-group>
<article-title>Tendencias en la investigación sobre gestión del riesgo empresarial: un análisis bibliométrico</article-title>
<source>Revista Venezolana de Gerencia</source>
<year>2017</year>
<volume>22</volume>
<issue>79</issue>
<fpage>506</fpage>
<lpage>524</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.37960/revista.v22i79.23036">https://doi.org/10.37960/revista.v22i79.23036</ext-link>
</comment>
<pub-id pub-id-type="doi">10.37960/revista.v22i79.23036</pub-id>
</element-citation>
</ref>
<ref id="ref60">
<mixed-citation>Yin, R. (1981). The case study crisis: Some answers. <italic>Administrative Science Quarterly, 26</italic>(1), 199–208. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1177/107554708100300106">https://doi.org/10.1177/107554708100300106</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Yin</surname>
<given-names>R.</given-names>
</name>
</person-group>
<article-title>Some answers</article-title>
<source>Administrative Science Quarterly</source>
<year>1981</year>
<volume>26</volume>
<issue>1</issue>
<fpage>199</fpage>
<lpage>208</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1177/107554708100300106">https://doi.org/10.1177/107554708100300106</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1177/107554708100300106</pub-id>
</element-citation>
</ref>
<ref id="ref61">
<mixed-citation>Zhao, X., Hwang, B., &amp; Low, S. (2015). Enterprise risk management in international construction firms: Drivers and hindrances. <italic>Engineering, Construction and Architectural Management, 22</italic>(3), 347–366. <ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/ECAM-09-2014-0117">https://doi.org/10.1108/ECAM-09-2014-0117</ext-link>
</mixed-citation>
<element-citation publication-type="journal">
<person-group person-group-type="author">
<name>
<surname>Zhao</surname>
<given-names>X.</given-names>
</name>
<name>
<surname>Hwang</surname>
<given-names>B.</given-names>
</name>
<name>
<surname>Low</surname>
<given-names>S.</given-names>
</name>
</person-group>
<article-title>Enterprise risk management in international construction firms: Drivers and hindrances</article-title>
<source>Engineering Construction and Architectural Management</source>
<year>2015</year>
<volume>22</volume>
<issue>3</issue>
<fpage>347</fpage>
<lpage>366</lpage>
<comment>
<ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1108/ECAM-09-2014-0117">https://doi.org/10.1108/ECAM-09-2014-0117</ext-link>
</comment>
<pub-id pub-id-type="doi">10.1108/ECAM-09-2014-0117</pub-id>
</element-citation>
</ref>
</ref-list>
<fn-group>
<title>Notes</title>
<fn id="fn1" fn-type="other">
<label>*</label>
<p>Research paper.</p>
</fn>
</fn-group>
<app-group>
<app id="app1">
<title>Appendix</title>
<sec>
<title/>
<p>
<table-wrap id="gt1">
<label>Table A1</label>
<caption>
<title>Likelihood scale</title>
</caption>
<alt-text>Table A1 Likelihood scale</alt-text>
<graphic xlink:href="383667957013_gt2.png" position="anchor" orientation="portrait"/>
<attrib>Source: Own elaboration</attrib>
</table-wrap>
</p>
</sec>
</app>
<app id="app2">
<title>Appendix</title>
<sec>
<title/>
<p>
<table-wrap id="gt2">
<label>Table A2</label>
<caption>
<title>Impact scale</title>
</caption>
<alt-text>Table A2 Impact scale</alt-text>
<graphic xlink:href="383667957013_gt3.png" position="anchor" orientation="portrait"/>
</table-wrap>
</p>
<p>
<table-wrap id="gt3">
<graphic xlink:href="383667957013_gt4.png" position="anchor" orientation="portrait"/>
<attrib>Source: Own elaboration.</attrib>
</table-wrap>
</p>
</sec>
</app>
</app-group>
</back>
</article>