SciELO - Scientific Electronic Library Online

vol.26 issue1Exponential smoothing for intermittent demand with demand basis updated more frequently than seasonality factorsThe complexity of new products: a dynamic model for productivity loss analysis within productive systems author indexsubject indexarticles search
Home Pagealphabetic serial listing  

Services on Demand




Related links


Gestão & Produção

Print version ISSN 0104-530XOn-line version ISSN 1806-9649

Gest. Prod. vol.26 no.1 São Carlos  2019  Epub Mar 18, 2019 

Original Article

The influence of contingencies factors strategy and structure in the enterprise risk management in a hospital

Influência dos fatores contingenciais estratégia e estrutura na gestão de riscos corporativos em um hospital

Marcia Zanievicz Silva1

Francisco Carlos Fernandes2

1 Programa de Pós-graduação em Ciências Contábeis – PPGCC, Universidade Regional de Blumenau – FURB, Rua Antônio da Veiga, 140, CEP 89012-900, Blumenau, SC, Brasil, e-mail:

2 Escola Paulista de Política, Economia e Negócios – EPPEN, Universidade Federal de São Paulo – UNIFESP, Rua Angélica, 100, CEP 06110-295, São Paulo, SP, Brasil, e-mail:


Founded on the premise that Enterprise Risk Management (ERM) as a Management Control System (MCS) and according to contingency theory, the design and the use of MCS tends to vary according to the organizational context. The aim of this paper is to describe how the contingency factor strategy and structure are interrelated with the control and presence and processes of ERM in a health organization. The methodology has a qualitative approach and, as a research procedure, the study of the case. Two theoretical propositions are presented to data analysis. Data were collected through interviews, observations, and documents. The theoretical propositions are: i) the kind of strategy adopted by the organization, typified according to Miles and Snow´s adaptive cycles interfering in the processes and in the controls of ERM; ii) the organization structure interfere in the processes and in the controls of ERM. The investigated hospital is a philanthropic entity distinguished as the general hospital of high complexity that is related to the Brazilian Sistema Único de Saúde (Unified Helth System). The main conclusions found in the study were: health area managers have bigger expertise regarding the use of controls and processes of ERM when compared to the administrative area managers; the strategy is the contingency factor that guides the way the organization is positioned against the risk management. The risk management supported in health certification systems revealed useful to minimize problem inherent to professional bureaucracy. In this case, the risk management helped to control inner characteristics related to the hospital professional structure, as well as, the organizational structure, defined by the formalization degree of tasks, contributing to the risk management.

Keywords:  Enterprise risk management; Contingency theory; Strategy; Structure


Apoiado na premissa de que o Enterprise Risk Management (ERM) é um Sistema de Controle Gerencial (SCG) e que, de acordo com a teoria de contingência, o design e o uso do SCG tende a variar de acordo com o contexto das organizações. O objetivo deste artigo é descrever como os fatores contingenciais estratégia e estrutura se inter-relacionam com a presença de controles e processos de ERM em uma organização de saúde. A metodologia possui abordagem qualitativa e adota-se o estudo de caso como procedimento de pesquisa. Duas proposições teóricas foram formuladas para análise dos dados. Por sua vez, os dados foram coletados por meio de entrevistas, observações e documentos. As proposições teóricas são: i) o tipo de estratégia adotada pela organização, tipificada de acordo com os ciclos adaptativos de Miles e Snow interferem nos processos e controles do ERM; ii) a estrutura organizacional interfere nos processos e nos controles do ERM. O hospital investigado é uma entidade filantrópica, classificada como hospital geral de alta complexidade e é conveniada com o Sistema Único de Saúde (SUS). As principais conclusões encontradas no estudo foram: os gestores da área de saúde possuem maior expertise quanto ao uso de controles e processos do ERM, quando comparados aos gerentes da área administrativa; a estratégia é o fator contingencial que orienta a maneira como a organização se posiciona sobre a gestão de riscos. A gestão de riscos, apoiada em sistemas de certificação de saúde, revelou-se útil para minimizar problemas inerentes à burocracia profissional, neste caso, a gestão de riscos contribui para a controlar características internas relacionadas à estrutura profissional dos hospitais, bem como, a estrutura organizacional, definida pelo elevado grau de formalização das tarefas, contribuindo para a gestão de riscos.

Palavras-chave:  Gerenciamento de riscos corporativos; Teoria da contingência; Estratégia; Estrutura

1 Introduction

The organizational risk management was initially conceived as a process to eliminate, transfer, mitigate or accept specific risks ( Soin & Collier, 2013 ). At the moment, it also assumes a corporate scope that, when evaluating jointly the various risks that affect an organization, it optimizes solutions and maximizes the obtainable benefits with the integrated risk management.

Risk management in an integrated manner is referred to in the international literature as Enterprise Risk Management (ERM) and, in Brazilian literature, with some variations, such as Gestão de Riscos Corporativos (GRC). In the academic world, it began to be investigated in the late 1990s and has attracted the attention of organizational researchers such as Beasley et al. (2005) , Collier et al. (2007) , Paulo et al. (2007) , Woods (2009) , Berry et al. (2009) , Bhimani (2009) , Collier & Woods (2011) , Kaplan & Mikes (2012) , Soin & Collier (2013) , Hayne & Free (2014) and Etges & Souza (2015) .

The studies on Enterprise Risk Management seek, among other aspects, the understanding of how it operates in practice, what are the mechanisms that guarantee its effectiveness and how it contributes to the improvement of the organizational performance. It is also verified that different theories have been adopted to investigate it. Contingency theory was used by authors such as Henschel (2008) , Woods (2009) and Collier & Woods (2011) , which is the theoretical basis for the present study.

The adoption of contingency theory is based on the following assumptions: (i) the success of an organization depends on how it understands its environment ( Ewusi-Mensah, 1981 ); (ii) Management Control Systems (MCSs) can become more efficient when designed to respond to environmental variables ( Govindarajan & Gupta, 1985 ); and (iii) for the reason that environmental attributes are constantly changing, their implications for MCSs require continuous evaluation ( Chenhall, 2003 ).

For Donaldson (2001) , the essence of the contingency theory paradigm is that organizational effectiveness results from an adjustment between organizational characteristics such as structure and strategy. The strategy refers to the way the company positions itself in the market ( Porter, 1994 ). Considering that the strategic posture of an organization can influence its Management Control Systems ( Ferreira & Otley, 2009 ; Gosselin, 2011 ), it is necessary to understand how it interacts with the ERM system. As for the organizational structure, according to Chenhall (2003) , it represents the arrangements that influence the efficiency and effectiveness of work, the motivation of the individuals, the information flows and the control system. In this condition, it must have an interrelation with the ERM system.

Hence, if on one hand, ERM is a way of reducing uncertainties or avoiding undesirable results, on the other, the success of its adoption depends on how it conforms to the contingency factors advocated by contingency theory. To study it in context of specific organizations can contribute to understand how it works in practice ( Chenhall, 2003 ). Among the various types of organizations seen as a fertile field for investigating the interrelationship between contingency factors and ERM, hospitals represent a promising sector. This assumption is based on the premise that hospitals, besides being complex organizations ( Pizzini, 2006 ; Tanaka & Tamaki, 2012 ), are exposed to specific risks, which extend those traditionally addressed in the literature.

Another factor that indicates that hospital organizations can represent a propitious sector for the study of ERM systems is that, regarding the contingency factors strategy and structure, these organizations operate in a highly regulated sector, whose managers have low control of basic functions like price, offer and mix of services. The organizational structure is comprised of different lines of authority and the sector presents constant technological development ( Pizzini, 2006 ; Dallora & Forster, 2008 ).

Adding to Berkowitz's (2001) report, which states that there is a disconnection between the risk management tools and the organizational strategy. The study has as research problem: how are the contingency factors strategy and structure interrelated with Enterprise Risk Management in a hospital organization? As a result of the research problem, the aim of this paper is to describe how the contingency factors strategy and structure are interrelated with the presence of controls and processes of Enterprise Risk Management in a hospital.

The research responds to the call of several researchers who, with a view to contingency theory, continue to suggest their adoption for the development of studies in the accounting area ( Chenhall, 2003 ; Tillema, 2005 ; Gerdin, 2005 ; Abdel-Kader & Luther, 2008 ). In the case of MCSs, the study is justified by a deeper understanding of the organizational factors that explain the use of sophisticated control systems ( Tillema, 2005 ) and the need to expand ERM studies ( Ferreira & Otley, 2009 ; Bhimani, 2009 ; Soin & Collier, 2013 ).

Among the several MCSs adopted by organizations, the Enterprise Risk Management system, despite receiving increasing attention from organizational researchers, still has several research gaps. According to Liebenberg & Hoyt (2003) , little is known about how risk management helps to create value for the company, what are the determining factors for its application and the methods used. Beasley et aal. (2005) suggest exploring the motives that lead some organizations to adopt ERM. Mikes (2009) suggests investigating what kind of benefit ERM generates for organizations. Bhimani (2009) proposes to broaden the understanding of how ERM occurs in the context of specific organizations. Subramaniam et al. (2011) point out the need to explore the drivers of formalization of risk management and how formal approaches to risk management interact with existing managerial controls by investigating how the effects of technology and regulation put pressure on management of risks.

Specifically in the context of the health sector, the study is justified by contributing to the theoretical propositions of Liebenberg & Hoyt (2003) and Beasley et al. (2005) related to the need to understand what factors are determinant for managers to adopt ERM and what methods are used by organizations for their management. It responds to Mikes’ (2009) proposition, which reports the need to improve the understanding of the benefits that ERM generates for organizations, in addition to being in line with the recommendations of Subramaniam et al. (2011) regarding the need to analyze how formal approaches to risk management interact (or not) with existing managerial controls in organizations.

2 Theoretical foundation

The risk management process, in which risks are identified, assessed, monitored and reported, was initially studied in isolation and in specific areas of knowledge, focusing on different topics such as insurance, hedge, occupational health and safety. From 1990 on, more intensively, researchers began to develop an integrated approach to risk management and to consider the risk management process as belonging to the set of Management Control Systems ( Woods, 2009 ; Gordon et al., 2009 ; Subramaniam et al., 2011 ).

The concept of risk management adopted in this study is similar to that established by authors such as Renn (1992) and Berkowitz (2001) who consider risk management as a process by which the organization develops a broad and formal plan to identify, analyze, evaluate, manage or mitigate and monitor risks. Regarding the ERM concept, the Committee of Sponsoring Organizations of the Tro- thadway Commission ( COSO, 2004 ) is adopted, which defines it as a process conducted by the Board of Directors, executive board and other employees, that is applied in the strategies establishing to identify potential events that could affect the organization, manage risks to keep them compatible with pre-established levels, and provide reasonable assurance of compliance with the entity's objectives. The vision of integrated risk management is to maximize the value of the company, shaping it to the established risk profile.

2.1 Contingency factors strategy and structure

The strategy refers to how a company positions itself in the market considering to its competitors. According to the review studies of Langfield-Smith (2007) and Ferreira & Otley (2009) , several models of strategic typologies have been proposed over the years, such as Miles & Snow (1978) , Porter (1994) , Miller & Friesen (1986) and Govindarajan & Gupta (1985) .

According to Langfield-Smith (2007) , in studies that examine strategy and MCSs, there should be an adequacy between the strategic typology adopted and the purpose of the study. For the author, the Adaptive Cycle Typology ( Miles & Snow, 1978 ) has a broad scope, whereas the competitive positioning of cost versus differentiation leadership ( Porter, 1994 ) is narrower; in turn the entrepreneurial versus conservative classification ( Miller & Friesen, 1986 ) focuses on the degree of product innovation, while the build strategy in relation to harvest ( Govindarajan & Gupta, 1985 ) is related to the business unit objective. In the study, the typology of Miles & Snow (1978) was adopted, because its greater scope.

The strategic typology described by Miles & Snow (1978) , according to Conant et al. (1990) , is based on the assumption that firms establish relatively long-lasting strategic behavior patterns, which align the organization to its environment in a process called Adaptive Cycle typified as defenders, analyzers, prospectors and reactors, that involves alignment to the strategic components: (i) market problems; (ii) production technology problems; (iii) administrative problems.

In line with Gosselin (2011) , defenders operate within a narrow product and market domain characterized by high production volume and low product diversity. Their competitive advantage translates into cost, process and quality controls, which leads them to rely on MCS with a greater focus on financial measures, price, deviations or variations in work rate and efficiency ( Gosselin, 2011 ).

Prospectors gain competitive advantage primarily through innovation and do not prioritize cost control. They tend to emphasize the use of non-financial measures such as quantity or time-to-market of new products. Organizations with strategy typified as prospector have more complex processes than organizations whose strategy is typified as defenders. As they operate within a broad product domain, they need to quickly respond to the first signs of new opportunities ( Gosselin, 2011 ).

As for the analyzers, for Miles et al. (1978) , they are a unique combination of defender and prospector types and represent a viable alternative to these two strategies. An analyzer organization tries to minimize risk and maximize profit opportunity, that is, it combines the strengths of the two typologies into a single system.

A fourth type of organization is known as reactor. It presents a pattern of adaptation to its environment, which is inconsistent and unstable. This type does not have a set of response mechanisms that can be put into practice when faced with a changing environment. For Miles et al. (1978) , the reactor typology is characterized as a residual strategy, which arises when one of the others were incorrectly adopted.

Smallman’s (1996) study theorizes that risk management structures must have variations between the archetypes typified by Miles & Snow (1978) . For example, there should be a difference in the type of definition of limits (formal or informal), in the centralization or absence of risk management and also in the way risks are perceived. In this direction, McLarem et al. (2004) found the presence of risk management control systems only in companies classified as defender and analyzer, while Henschel (2008) related a set of characteristics and specific risk management practices for each one of the strategic typologies described by Miles & Snow (1978) .

Considering that the four typologies established by Miles & Snow (1978) are differentiated by the way companies respond to the problems, which make up the adaptive cycle and that the risk management structure can vary between each strategic typology ( Smallman, 1996 ; Henschel, 2008 ), it is theoretically assumed that the type of strategy adopted by the organization, typified in accordance with the Miles and Snow Adaptive Cycles, interferes with the processes and controls of Enterprise Risk Management.

According to Chenhall (2003) , the contingency factor structure is related to the formal distribution of roles and tasks among the members of the organization and considered as one of the organizational arrangements that influence the work efficiency, the motivation of the individuals, the flows and control systems. Dalton et al. (1980) , in describing the organizational structure, subdivided it into physical and functional. The physical structure focuses on the verticalization and horizontalization of the organization chart, on the size and levels of control. The functional structure is related to the organizational policies that prescribe or restrict the behavior of its members and are concerned whit the degree of Specialization, Formalization and Centralization of tasks ( Dalton et al., 1980 ).

As the organizational structure interferes with the organization's ability to collect and process information ( Gul & Chia, 1994 ), it is likely to affect MCSs. In this sense, studies indicate that there is a negative relationship between centralization and sophistication of MCSs, that is, the less centralized the organization, the greater the sophistication of MCSs ( Abdel-Kader & Luther, 2008 ). Specifically on the occurrence of a relationship between risk management and organizational structure, Smallman (1996) conjectures that centralized organizations can delegate to a specific sector the risk management process, unlike decentralized organizations, and assumes that the type of organizational structure should impact on the level of formalization of the limits established by the ERM process. Kleffner et al. (2003) find that one of the main impediments to the implementation of risk management is the organizational structure. In turn, the organizational structure of hospitals is considered by Mintzberg (1995) as a professional bureaucracy that has a differentiated vertical and horizontal structure, where power is concentrated in the operational center and professionals are subordinated to values, ethics and professional codes to the detriment of those established by internal hierarchies, which is why it is theoretically assumed that the organization structure interferes with ERM processes and controls.

Thus, the two theoretical propositions formulated (namely: P1 – the type of strategy adopted by the organization, typified according to the Adaptive Cycles of Miles and Snow, interferes in the processes and controls of Enterprise Risk Management; P2 – of the structure organization interferes with ERM processes and controls) guide the conduct of the case study. In agreement with Baxter & Jack (2008) , the theoretical propositions, in case studies, determine the meaning and scope of the research and form the conceptual basis that guides the data collection and the discussion of the results.

3 Methodology and research procedure

Contingency theory is contained in the functionalist tradition ( Burrel & Morgan, 1979 ). Enterprise Risk Management, although it may have different concepts ( Miller, 2009 ) and be analyzed from the perspective of different paradigms, in the present context, such as contingency theory, is contained in the functionalist paradigm, because it is conceived as “Systemic and continuous identification process of exposure, measurement, analysis, control, prevention, reduction and risk assessment and financing” ( Marshall, 2002 , p. 23).

Due to the nature of the research problem, a predominantly qualitative approach was adopted (see Denzin & Lincoln, 2006 ). As far as the research strategy was concerned, the case study was adopted. The operational models used to manage the risks described in the study by Collier et al. (2007) were used to operationalize the case study, regarding controls and risk management processes. Conant et al. (1990) and Gosselin (2011) , were investigated from the Adaptive Cycles typology of Miles & Snow (1978) , and to assess its interrelationship with risk management, a framework developed based on the study by Henschel (2008) was used. The contingency factor structure, which is based on the studies of Gordon & Narayanan (1984) , Schminke et al. (2002) and Gosselin (2011) , was investigated through the physical dimension and the functional dimension.

The choice of a hospital organization derives from the inherent complexity of such organizations, since, as regards contingency factors, strategy and structure, its managers have low control of basic functions, as well as double authority, and tend to have a large number of employees. Such factors should imply greater exposure to risks and the need for risk management processes capable of operating in complex organizations ( Mintzberg, 1995 ).

As to the quality assurance study, based on Yin (2005) , it is briefly noted that procedures were adopted that favored: the validity of the construct; triangulation; external validity; reliability and case selection based on their relevance. The validity of the construct was obtained by using multiple sources of evidence and by reviewing the study report by one of the key members of the organization ( Yin, 2005 ). Triangulation occurred through the use of multiple sources of data: interviews, documents, field notes, corporate website and information provided by the Ministry of Health. According to Yin (2005) , the case studies are based on analytical generalization. In the research, we sought to generalize a particular set of results for the two theoretical propositions established on the basis of contingency theory. The adoption of theoretical propositions in the study also follows Rowley (2002) , because, according to the author, descriptive and explanatory qualitative studies need propositions that, when formulated on the basis of literature or previous evidence it, allows the comparability of results. In this sense, data collection and analysis were structured to support or refute the research propositions.

As regards reliability, as proposed by Yin (2005) and Flick (2009) , a research protocol was elaborated, field notes were made and a database was created to store the records collected in the field. And, regarding the selection of the case, Moll et al. (2006) affirm that the choice of the case in organizational studies must be justified by its relevance. They cite, for example, organizations that stand out for their economic importance, their ability to offer new techniques and their size. In this direction, this study used as a criterion for the selection of the case the hospitals certified by the Organização Nacional de Acreditação –ONA (2012) (National Accreditation Organization), which have accreditation in Level 3 (Accreditation with Excellence). The investigated hospital is nominated in the study as Hospital Accreditation with Excellence (HACE).

The selected hospital is a non-profit institution, characterized as a high complexity general hospital. It has approximately 340 beds, 50 ICU beds, about 700 accredited doctors and 150 staff and 1,500 employees. In relation to the organizational structure, it has a statutory board of directors and an executive board. The criterion for the selection of the interviewees was that they should have managerial position or equivalent in function of staff. From this, 22 people met the criterion and 12 managers were interviewed, six of the administrative area and six of the assistance.

As data collection procedures, based on Yin (2005) , interviews, questionnaires, observation (recorded in a field diary) and documents were used. For the operationalization of data collection through interviews, an interview script was adopted. The order of the questions contained in the interview script followed the construct and the theoretical propositions. The interviews were carried out in the work area of the managers, recorded with the consent of the participants and later transcripted.

For the analysis of the data, the study used theoretical propositions and used techniques of content analysis, documentary analysis, observation and descriptive statistics. The transcripted interviews were transferred to the Nvivo® software, which favored the categorization process. This software generated a report containing the excerpts from the interviews, which were coded in each of the categories used. After the categorization process, the analysis itself was promoted. Table 1 describes the research construct.

Table 1 Research construct. 

Theoretical Proposition Dimensions of analysis Categories analyzed Collection instrument Previous studies that guided the collection and analysis
P1 and P2 - Controls and processes risk management Identification of risks Operational Models Interview
Collier et al. (2007) , COSO (2004) , Arena et al. (2010) .
Risk assessment Operational Models Interview
Risk response Accept
Communication of risks Means of Communication Interview
P1 - The type of strategy adopted by the organization, typified according to the Adaptive Cycles of Miles and Snow, interfere in the processes and controls of the Enterprise Risk Management. Entrepreneurial, Engineering, and Administrative Marketplace
Engineering range
Dominant Cotation
Shortell & Zajac (1990) , Conant et al. (1990) , Jokipii (2010) , Henschel (2008) , Gosselin (2011) .
P2 - The structure of the organization interferes with ERM processes and controls. Physical
Gordon & Narayanan (1984) , Miller & Dröge (1986) , Schminke et al. (2002) , Gosselin (2011) .

Source: Prepared by the authors.

In order to respond to the research objective, in terms of controls and risk management processes, four dimensions were established according to COSO (2004) , Collier et al. (2007) and Arena et al. (2010) . In the dimension of risk identification, interviewees were initially asked to indicate which of the 11 presented tools they knew and used. In the dimension of risk assessment, the interviewees indicated, among 22 useful tools to assess risks, which ones they knew and which they used. The risk response and risk communication dimensions questioned under what circumstances the responses were intended to avoid, reduce, share or accept risks. In order to collect data on the risk communication process, it was decided to check the regular reports to the board and other interested parties to report on the organization's risk policies and to monitor the effectiveness of these risks. policies.

According to Shortell & Zajac (1990) , Conant et al. (1990) , Jokipii (2010) and Gosselin (2011) , adopting the Adaptive Cycles of Miles and Snow (defenders, analyzers, prospectors and reactors), whose dimensions are Entrepreneurial, Engineering and Administrative. Henschel (2008) , when investigating the relationship between strategy and risk management practices in German companies, found that risk management practices differ between the strategic typologies of Miles & Snow (1978) . Based on the results of this study, a script was developed to compare the findings of Henschel (2008) with those found here. Table 2 , described in section 4, summarizes the results and contributes to the analysis of the data.

Table 2 Checklist of risk management practices in analytical companies. 

Group / Characteristics Presence in HACE
Control management:
The BSC takes a predominant position with a trend towards a more formal and continuous application. Y
2) Companies have ISO certification. Y
3) Make use of value-based management tools. Y
4) Increased use of external advisors for business strategy and business management issues * . X
5) The identified risks are also directly integrated into the business plan, which is facilitated by well-developed planning. Y
6) Have a contingency plan for the production and electronic processing of data. Y
7) There are clear replacement rules for superior management (rules of succession). F
Communication of risks
Information on observed risks is reported to senior management levels through a stream of routine reports in large companies through specific reports. Y
Risk management is formally documented. Y
Documentation is often part of the quality management manual. Y
Risk management processes
Management tools, based on value, are considered in risk management. Y
Identify a greater number of risk management fields*. F
Consider, on average, six risk areas. Y
Math and statistical distribution functions are found here. X
More effort is made to identify qualitative risks. Y
In terms of the frequency of risk identification, short-term risks predominate. Y
As a general rule, risks are checked quarterly or monthly. Y
The horizon of risk monitoring is focused on a period of up to two years. F
Analyzers aspire to a risk portfolio to estimate the company's risk position, although they have not yet implemented it. Y
The responsibility to identify and monitor risks is shared among a larger number of people. Y
Managers and employees of other units are heavily involved in risk management. X
There is a reduction in cases where higher levels of management are solely responsible for risk management and greater involvement of the controller and the unit managers for risk management. X
Risk identification involves a more formal * process, with questionnaires and checklists. Y
To a certain extent, workshops are carried out involving the staff of several units under the coordination of a manager (who has a managerial role). Y
Spreadsheets are used for risk assessment, with verbal descriptions for likelihood of occurrence and exposure to risk. X
Project Risk Management Processes
They employ classic project management techniques. Y
They prepare an operational project plan, a profit plan and cash flow. Y
Project risks are taken into account for most individual projects. Y
The types of project risk identification include business process risks, risk design and planning, credit risk, quality risks, and legal risks. Y
The identification of risks occurs during the bidding and planning phase. Y
More formal procedures are implemented for risk identification and assessment *, and use of the methods Failure Mode and Effect Analysis Method predominates. F
Documentation on project risks is done more comprehensively*. F
On average, several sources of documentation are combined (proposal, contracts, costing). F
To a certain extent, simple projects are consolidated in terms of risk aspects. X

Legend: (Y) There is evidence that indicates occurrence in HACE; (X) Evidence indicates that it does not occur in HACE or occurs in part; (-) No evidential data were collected that allow the analysis;

*Compared to other strategic typologies.

In order to analyze the second theoretical proposition that relates the contingency factor structure to the risk management practices, the studies of Gordon & Narayanan (1984) , Miller & Dröge (1986) , Schminke et al. (2002) and Gosselin (2011) , who investigated the structure in its physical and functional dimension. The physical dimension focused on the verticalization (organizational levels) and horizontalization (number of departments) of the organizational structure, while the functional dimension focused on aspects related to the level of specialization of teams, segregation of functions, formalization of rules and procedures and centralization of decision-making. For data collection, interviews, observation and documents were used. In the interviews, managers were questioned whether, in their area of ​​responsibility, the organizational structure had an impact on the way they attribute importance to Enterprise Risk Management; whether the organizational structure helped or hindered Enterprise Risk Management; and whether the organizational structure of their area of ​​responsibility was the same as the other areas of the hospital.

Regarding the ethical procedures adopted in conducting the research, the following stand out: approval of the project by the Ethics Committee of the investigated hospital; validation of texts transcripted by the interviewees; submission of the final study for approval by the institution. The confidentiality in this study covers the organization and the interviewees, which is why their names have been replaced by random codes initiated by GAdm for managers in the administrative area and GAssis for managers of the care area.

4 Analysis of results

In order to meet the established theoretical propositions, we initially sought to know about the controls and risk management processes in HACE. At that stage, the managers received a list containing the names of tools to identify and evaluate the risks and were asked to indicate the ones they knew and which they used. The collected data indicate that hospital members have mastered different risk management techniques, are familiar with and use tools to identify and analyze risks, and have formal risk communication mechanisms. It is noticed that the managers of the care area know and use a greater variety of methods of identification and evaluation of risks compared to the administrative area. In a comparative analysis between the data collected, regarding the adoption of methods of identification and evaluation of risks and those established by the literature ( COSO, 2004 ; ISO, 2008 ), it is inferred that the hospital does not adopt a management methodology risks, although silos are known for having its own expertise.

4.1 Risk management and contingency strategy

The first part of the analysis consisted in typifying the hospital in one of the archetypes described by Miles & Snow (1978) . With the use of the data collection procedure described in the methodology, based on the data collected, the study typifies HACE as an analyzer.

The managers were then charged with the purpose of investigating whether, in their view, the strategic position of the hospital exposed them to risks. As a summary, of the six managers in the administrative area, three considered that the strategic position of the hospital exposes them to risk, two considered that it does not and did not respond. In the group of managers of the area of ​​care, five considered that the strategic position of the hospital does not expose them to risk and one considered that yes. This indicates that there is disagreement about the perceptions between the areas. In the responses of managers in the administrative area, the issue of innovation is present, as justification, in four of the five data units: [GAdm 1] “It tends to be more innovative.”; [GAdm 2] “ For an innovative vein.”; [GAdm 3] “I think you have an innovative stance.”; [GAdm 5] “One of the things is that the hospital is always very innovative.” It should be noted that, of the four reports, three refer to the innovative posture, present in the entrepreneurial dimension of the adaptive cycles of Miles & Snow (1978) as a possible risk generator. In the group of health care managers, the only manager who considered that the hospital strategy exposes him to risk attributed this to the growth strategy.

Based on the collected data, it can be deduced that there are differences between the perceptions regarding the contingency strategy factor and the risk management processes between the administrative and healthcare areas. Perhaps because care managers know and use a larger set of risk identification and risk assessment techniques, they associate such practices with less exposure to the risks that HACE's strategic posture can run. It also emerged from the interviews of a care manager that the Balanced Scorecard (BSC) contributes to ensuring that HACE's entrepreneurial posture develops so as not to

[…] increase our legal, civil, criminal and labor risk component without increase our financial risks, our indebtedness indicators, of current liabilities, are all within the [standard] market [GAssis 2].

After identifying that the HACE has a analyzer strategic typology type and to verify that the perception regarding the strategic posture and the controls and processes of risk management are perceived differently by the two managerial areas, attention is focused on the inference of the first theoretical assumption: the type of strategy adopted by the organization, typified in accordance with the Adaptive Cycles of Miles & Snow (1978) , interferes in the processes and controls of Enterprise Risk Management.

Considering that Smallman (1996) describes that the analyzers have as characteristic the need to evaluate the environment, besides aversion to the risk and the instability, tends to suppose that the practices of risk management present in the HACE exist, partly, as a response to its strategic stance.

In a study of risk management practices in small and medium-sized German companies, Henschel (2008) found that risk management practices differ because of the strategic typology advocated by Miles & Snow (1978) . The author has identified, in an analytical way, a set of risk management practices that tends to be adopted by each of the strategic typologies of Miles & Snow (1978) - reactors, defenders, prospectors and analyzers. Based on the analytical description of Henschel (2008) , a checklist was prepared containing 34 risk management practices that are typical of organizations that fall into the category of analyzers. The first column of Table 2 describes the risk management practices of analyst companies, according to Henschel (2008) , and the second column records whether such practices are present in HACE: S indicates presence; X indicates absence; F indicates that the practice, for being outside the scope of the study, was not analyzed.

Of the 34 items extracted from the Henschel (2008) study, seven were not assessable because they require comparison with other hospital organizations or because they are not part of the scope of analysis. Of the five characteristics indicated in the table as not occurring in HACE, the fourth, which deals with external consultants, is interpreted by the study as a consequence of the organizational culture. In line with the data collected, HACE develops its risk management team internally and acts with specific improvement groups for risk management, with the participation of managers (in accordance with the 24th item of the table). Another characteristic described by Henschel (2008) and not present in HACE is the use of quantitative models for risk management. As for the 22nd item, it is partially attended. There is a distribution of risk management assignments between areas, and the process is overseen by a staff area. What was observed was a disconnection between the controller and the process; however, it is not possible to conclude whether this stems from the prioritization of care risk management or, if there is the opposite, risk management in the administrative area is less developed due to a low participation of the controlling company in its process. Finally, regarding the 25th item, it was considered non-existent, since it is little explored in HACE. Even in risk management, several operational risks could be better monitored with the support of risk maps, for example.

With regard to the 22 items characterized by Henschel (2008) , which were considered present in the HACE, the most relevant ones are commented. Items one, three, five, and eleven, in a sense, interrelate. The BSC has been described in the literature as a tool capable of being integrated into the risk management system. Beasley et al. (2006) report that when the BSC is deployed, it provides a platform for the adoption of ERM. In addition, they say that a company can include aspects of risk management in the objectives and measurement components of the Balanced Scorecard. Woods (2009) , in a case study, notes that the company has developed a specific system to integrate the BSC into ERM for planning and control purposes, as it is also evidenced in HACE. The difference observed is that while in the study of Woods (2009) the ERM serves to identify and mitigate the potential threats to the strategic implementation directed by the BSC, in the HACE there is a reciprocity between the two systems, a feedback.

It is assumed that there is feedback between ERM and BSC because it is understood that at HACE, at the same time that ERM contributed to identify and mitigate threats to the implementation of the strategy - similar to Woods (2009) - the BSC incorporated guidelines to support ERM - similar to Beasley et al. (2006) - as one of the managers in the care area reports:

This is very monitored [management of philanthropy] by the tools and management model that the hospital adopts, [...] in the strategic plan, it has a specific perspective for this, he has a goal plan where he has goal indicators specifically for the service of philanthropy.

Because of the strategic need to monitor philanthropy, HACE has five strategic perspectives.

To this discussion, we add the second item in the table, which adds the certification utilization feature. At various points during the data collection, there were indications that both the BSC and the certification (Hospital Accreditation) that HACE possesses interact with the risk management process. He sought a better understanding of the issue with the care manager responsible for risk management. The following excerpt from the interview is described below.

Researcher: “[...] the stage of corporate management that you have, is it possible to link it to the BSC and accreditation tool’s? Interviewee: “Directly.” Researcher: Do [accreditation tools and BSC] influence quality, help minimize risk?” Interviewee: “The BSC is a generic management model, not specific to the area of health care as accreditation. But the BSC establishes, through the tool concept itself, this balance between the various strategies and the various stakeholders, so I establish this homogenous and balanced pattern, we take the fundamental concept of Kaplan, we take it well in the end, ... if I join this concept of management, with the concept of the tools of the fundamentals of accreditation systems, specific to the area [hospitals], these two models are fundamental so that much attention is paid to the risk and at the same time balance.

Based on the analyzed data, it is possible to observe the conscious use by HACE of multiple management tools, namely Risk Management, BSC and Quality Certification (Accreditation), as complementary mechanisms among them, being the fragility of one supported by others.

Regarding the 19th item, it is observed that, although HACE does not yet have a ERM in the models recommended by the literature, that is, risk management is strongly centered in the care area, the desire to expand the scope of risk management is evidenced by several managers, including the signaling of expectations regarding the use of ISO 31000.

Given the evidence collected and described in relation to the first theoretical assumption - the type of strategy adopted by the organization, typified according to the Adaptive Cycles of Miles & Snow (1978) , interferes with ERM processes and controls - in line with ( Gosselin, 2011 ), especially in the risk management framework ( Smallman, 1996 ), and based on the HACE framework in the classification proposed by Henschel (2008) , which assigns specific management practices risk analysis for companies categorized as analyzers, it is concluded that the current controls and risk management processes in HACE are at least partially part of their strategic typology. This analysis allows us to validate the first theoretical proposition.

4.2 The structure contingency factor and the process of risk management

Many of the characteristics of the organizational structure of hospitals, as defined by Mintzberg (1995) , are present in HACE. However, institutional movements were detected to minimize some critical points of this type of structure, such as: (i) the hiring of hospitalists; (ii) the incorporation of the structure model of the health care sectors organized into departments with delegation of medical heads; and (iii) the flexibility of the areas to organize their internal structures without, for what has been observed, to stop adopting a centralizing stance on what is strategic.

It has been shown that the organizational structure of HACE is dynamic. The following accounts contribute to this statement:

[...] perhaps until 2009. Our structure has always been more or less the same, the general superintendent, the executive superintendent [...]. We have just approved of the third organization chart in the third year because it has grown greatly (Genesis 2).

[...] our structure is always changing, now we are going to announce a new structure, precisely to give answers to these changes (GAssis 1).

The following account emphasizes the reason why organizational structure is so dynamic:

[...] we have had very rapid growth, in three years we have tripled the size of the network [...]. The accompaniment of the rearrangement of the structure, sometimes the mismatch of speed is great, but it is a structure that is in permanent revision and with proposition of adjustments to be able to give sustenance (GAdm 4).

It is believed that the ability of HACE to constantly reorganize its organizational structure (rearrangement) is a feature that can be explained by contingency theory, since, inferred, its structure tends to respond to strategy, as advocated by Chandler (1962) , Chenhall (2003) and Gerdin (2005) . This is positive and probably guarantees HACE an ability to constantly adjust to new environmental modifications.

Following the interviews, managers were asked if the structure of their area of ​​responsibility impacted on how they perceived the need for risk management. As an example, some of the answers are described:

Managers of the administrative area:

[1] Yes [...]. Researcher: In what way? Interviewee: Our area is segregated in sectors [...] and cells of action with coordinator and intermediate leaders, with well defined processes, with objectives and all the time evaluating [...].

[2] The structure does not. It is demand itself, not structure.

[3] Yes, we have the people, we set up our structure according to its importance.

[6] A lot, it impacts a lot. Researcher: Does it help or harm? Interviewee: Help. Researcher: It's already clear, the areas are different. Interviewee: They are different, the levels of exposure to risk are different and the management, the tools we use are different.

Assistants management:

[1] Very difficult, this question is very difficult to answer, if it were exclusively for the HACE I have no doubt, would be ideal, ideal, works with team, works by process, works matrix, for the whole network, not yet [...]. Researcher: And the greater the vertical and horizontal structure, [...], does it bring more stimulation to desire risk management? Interviewee: It's mandatory, it's mandatory.

[3] Researcher: Does the risk management process help or not make a difference? Interviewee: No, it makes a lot of difference - a lot of difference. Researcher: Would you have the same peace of mind if it did not exist, if you did not have [current risk management] that you have today? Interviewee: Not at all, not at all. [...] is a very large structure, a very big challenge, but it is also an institution that has a very well-developed management.

The reports indicate that managers converge on the understanding that the organizational structure that is under their control generates the need for risk management, which gives greater importance to this control system. Among the interviewees, only one manager, belonging to the administrative area, disagreed with the affirmative. It is understood, however, that there is a difference between the reasons that lead each of the groups to attach importance to the relationship between structure and risk management. In the case of managers in the administrative area, two of them refer to the use of the structure as a means of managing risk - work cells, team leaders, formalization of processes. Another report refers to a vision of the future, in which the manager declares that he does not practice risk management processes, but that there is a need to adapt his structure to do so. That is, the structure contributes to risk management.

Regarding the assistance group, two managers note that the increase (size) of HACE created a mismatch between the structure and the capacity to manage risks, while another report attributes to risk management processes a differentiated importance, given support to the management control of its area due to the number of sectors, functions and the volume of subordinate persons. That is, risk management contributes to control as a consequence of the type of structure. Therefore, although both groups of managers attach importance to the relationship between structure and risk management, it is inferred that the way of perceiving it is differentiated. One group tends to understand the structure as useful for managing risk (administrative area), while the other group understands it as useful in minimizing the risks inherent to its structure (care area). It should be noted that these have a more heterogeneous and complex organizational structure compared to those.

Then, the second theoretical proposition is analyzed - the organizational structure interferes in the processes and controls of Enterprise Risk Management.

The ERM literature based on contingency theory has little evidence regarding the relationship between the contingency factor structure and the ERM system. Smallman (1996) conjectures that decentralized organizations tend to shift responsibility for risk management to departments. In this sense, Hoyt & Hall (2003) observe that in hospitals, because of the heterogeneity of the teams, the decentralization of authority, the size of the physical structure and the technological diversity, it is unlikely that a person as Chief Risk Officer (CRO) is responsible for strategic, financial and operational risks.

In HACE, it is understood that there is an association between the organizational structure and the controls and processes of risk management. As advocated by Smallman (1996) and Hoyt & Hall (2003) , the organization does not have a CRO manager. Responsibility for risk management is distributed among different members of the organization and supported by multisectoral management committees. According to Mintzberg (1995) , hospitals have two distinct hierarchies: a professional, based on individual knowledge and autonomy of the teams, and a more autocratic one, with the power originated by the function performed. The autonomy of the care area, as described in the literature and corroborated by HACE managers, causes management problems. In this aspect, evidence collected in the organization indicates that one of the functions of risk management is the promotion of an alignment of professionals, whose leadership is based on knowledge ( Mintzberg, 1995 ), with the organizational guidelines.

Two reports from managers in the administrative area help support the inference that the risk management process can be a means used by HACE to reduce the negative reflexes of the professional bureaucracy advocated by Mintzberg (1995) . Report 1:

[...] has appeared by the contact insurance officials reporting: - Dr. So-and-so at the time of making certain procedure did not checkout, the surgery checklist safe. [...] as he is the authority, begins the surgery, she goes there and records, this is an operational issue, the technical director calls the professional, talk. [...] Thus, 30% of the records of the safe contact are of situations of non-observance of procedures, from simple procedures to more complex procedures (GAdm 1).

Report 2:

Today we have the conditions to say this way: - Look, if you do not comply with the protocol of prevention, you will not operate, you will operate in another place (GAdm 3).

It is noteworthy that the issue of professional autonomy emerges from the reports, and the two managers share a factor that is the non-observance by some professionals of the standards of health care established by the strategic guidelines. In this regard, risk management supported by the accreditation system seems to be cooperative. According to Mintzberg (1995 , p. 50-51), to contribute to the analysis:

Professional organizations give up much of the control over their choice of workers, as well as methods of work, to outside institutions that train and record them, and further establish standards that guide them in the conduct of work. As this control transfers fidelity, it turns out that professionals tend to identify more with their profession than with the organization within which it occurs.

By incorporating the managers' report, the citation of Mintzberg (1995) and the following comment:

[...] it was much easier for the group to assimilate the implementation and compliance by being a regulation of [accreditation] than by be a rule of sanitary surveillance” (GAdm 4)

it is possible to infer that in DOING accreditation contributes to leading professional groups to act within the risk management standards desired by the organization.

In short, it is understood that the controls and processes of risk management in HACE contribute to reduce the problems inherent to its structure, which in turn characterizes itself as professional bureaucracy. It is noted that managers deal with a large and diverse number of members, which can cause the administrator “not to be able to control the professionals directly”, but can, “[…] depending on the work in question, to be able to control it directly through its own procedures and rules” ( Mintzberg 1995 , p. 50). This leads to the deduction that the organizational structure interferes with the presence of ERM controls and processes, since, according to Dalton et al. (1980) , the structure is related to the organizational policies that prescribe and restrict the behavior of its members, which leads the study to validate the second theoretical proposition.

The HACE hospital accreditation system (which comes from profession-related entities) has a set of rules and standards specifically geared towards risk management. According to reports, the acceptance of certain risk management standards has improved since the justification was attributed to the requirements established by the accreditation body. Likewise, after the establishment of procedures recommended by the hospital accreditation standards, HACE managers feel supported to require that the professionals who work in patient care follow the standards of quality and safety recommended and desired by the institution.

Another aspect regarding the contingency factor structure is the fact that HACE routinely reorganizes its organizational structure to sustain (adjust) the constant growth, that is, the organizational structure of HACE remains constantly revised to meet the needs of growth which, in turn, are dimensioned by the organizational analyst strategy. It is seen that Miles et al. (1978) consider that one of the risks inherent in the analyzer strategy is that an organization lacks the ability to be efficient and effective in maintaining the necessary balance throughout its relationship between structure and strategy. From what is inferred in the case, HACE has promoted the organizational (re) adjustments needed to meet its strategy typology.

Figure 1 summarizes the interrelation between the two contingency factors studied and the effectiveness of the Enterprise Risk Management present in the hospital.

Figure 1 Interrelationship between contingency factors and risk management. 

The representation of the findings makes it possible to visualize the direct or indirect connections between the contingency factors that influence or are influenced by the controls and processes of risk management in HACE. It is observed that Figure 1 illustrates only the relationships considered by the research as more significant to explain the interrelationship between contingency factors and risk management. When comparing the results with the theoretical basis, it is verified that the contingency factors strategy and structure are determinant for the application and the current stage of ERM in the investigated hospital.

5 Final considerations

Based on the literature review, in particular Renn (1992) , it is understood that the type of risk exposure that prevails or demands greater demand for resources in its management may vary among the different organizational segments. Hospitals, banking institutions, insurance companies, petrochemical industries, public management entities all benefit from ERM, since, in general, any organization is exposed to operational, financial, legal and market risks, for example. Some organizations, however, have specific types of risks inherent in their activity. Such risks, if potentiated, can represent invaluable damage to the nature of the business. It is up to the administration, therefore, to promote actions to manage them.

Regarding the case analyzed, the findings indicate that the hospital's internal teams have several skills and abilities useful to operationalize Enterprise Risk Management. It can be seen that in HACE, the techniques used to identify and evaluate risks differ among the groups of managers, with a greater knowledge and use expertise among the care managers.

According to the managers' perceptions regarding the contingency factors strategy and structure, it is understood that the HACE has a strategy typified by Miles & Snow (1978) as analyzer, and it was evidenced, as a result of the strategy, that its organizational structure remains constant reformulation. When comparing the contingency factors with the risk management processes adopted by the two groups of managers - managers of the administrative area and managers of the care area -, it is concluded that the risk management practices are different and to some degree are a reflecting the contingency factors analyzed.

It is understood that one of the reasons for better risk management is the strategic orientation of the hospital, which prioritizes patient safety. However, in order for this to be feasible, given the nature of departmental interdependence required, several areas and different activities started to adopt risk management processes and controls.

Regarding the contingency factor structure and its relationship with risk management, there was a difference of perception between the areas. While managers in the administrative area tend to consider that the organizational structure contributes to management processes and controls, care managers understand that risk management contributes to the structure, which is larger and more complex in the case of group of managers in relation to their peers, since it incorporates a relatively large group of autonomous professionals and professions that have own directives to carry out their activities.

Regarding the first theoretical proposition investigated, in the context of the study, it is considered as valid the proposition that theoretically predicts that the type of strategy adopted by the organization, typified in accordance with the Adaptive Cycles of Miles & Snow (1978) , interferes in the processes and in Enterprise Risk Management controls. In this case, the current risk management processes and controls adopted are, to some extent, influenced by its strategic characteristic typified as an analyzer. By crossing the risk management practices present in the hospital with those recommended by Henschel (2008) as inherent to the organizations analyzers, it was observed that there is a relevant alignment. In this aspect, the study contributes to test the classification of Henschel (2008) in an organizational context different from the one originally developed.

As for the contingency factor structure, which serves as the basis for the second theoretical proposition, it is concluded that, in HACE, the current controls and risk management processes collaborate to reduce organizational problems characteristic of professional bureaucratic structures. Risk management, as it is structured, provides the hospital with the possibility of aligning its strategic priority in terms of risk management (care risks) with the specificities of the clinical staff's way of acting and, as mentioned by one of the interviewees, with the behavior of patients and companions, allowing the control of some of the actions of their stakeholders.

In summary, it is concluded that the contingency factors strategy and structure influence and are influenced by risk management processes and controls. The strategy proved to be the contingency factor that guides the way the organization positions itself in risk management - the analyst organization tends to pay attention to risk management. In the case of the structure, the organization's way of managing risks, supported by healthcare certification systems, has proved useful in reducing the problems inherent in professional bureaucracy. In this case, risk management is useful, since it contributes to minimize problems arising from characteristics of the contingency factor structure.

In addition, the existence of interaction between different MCSs and ERM emerged from the case, contributing to its realization (Balanced Scorecard - BSC, budget and quality systems) and also delimiting its scope of application (BSC). In the literature investigated, there is evidence that when the BSC is deployed, it provides a platform for ERM adoption ( Beasley et al., 2006 ) and that organizations can develop a specific system to integrate BSC with ERM for planning and control ( Woods, 2009 ). In the study, the difference observed is that there is reciprocity between some systems, a feedback. For example, while ERM contributed to identifying and mitigating threats to strategy implementation - similar to Woods (2009) - the BSC incorporated specific guidelines to support ERM - similar to Beasley et al. (2006) . Therefore, it is considered opportune that new studies should advance in the search for an understanding of how the interconnections between the MCSs occur, how they interact and how they contribute to the effectiveness of risk management.

Future research may continue to investigate the relationship between strategic typologies and risk management processes and controls. Here is an important point: if Henschel's (2008) findings regarding analytical and corroborated organizations in the study are pertinent, then to comprise why the contingency strategy factor affects the ERM component processes and controls and understand how optimal levels of control can be obtained in different strategic typologies seem to be relevant issues to be investigated. During the study, it was observed that national accreditation systems have evolved and increasingly incorporate risk management standards, as in the case of international certifications in the area. Research can explore this alignment, for example, by investigating the influence of accreditation on hospital risk management practices, including in light of other organizational theories.


I hereby declare that the academic paper was translated from Portuguese to English by Professor Luiz Henrique da Silva a certified translator, from FURB Idiomas – FURB University.

How to cite: Silva, M. Z., & Francisco, C. F. (2019). The influence of contingencies factors strategy and structure in the enterprise risk management in a hospital. Gestão & Produção, 26(1), e2315.

Financial support: This research, carried out with the support of the Coordination for the Improvement of Higher Education Personnel in Brazil (CAPES), Financing Code 001.


Abdel-Kader, M., & Luther, R. (2008). The impact of firm characteristics on management accounting practices: a UK-based empirical analysis. The British Accounting Review , 40(1), 2-27. [ Links ]

Arena, M., Arnaboldi, M., & Azzone, G. (2010). The organizational dynamics of Enterprise Risk Management. Accounting, Organizations and Society, 35(7), 659-675. [ Links ]

Baxter, P., & Jack, S. (2008). Qualitative case study methodology: study design and implementation for novice researchers. Qualitative Report, 13(4), 544-559. [ Links ]

Beasley, M., Chen, A., Nunez, K., & Wright, L. (2006). Working hand in hand: balanced scorecards and enterprise risk management. Strategic Finance, 87(9), 49-55. [ Links ]

Beasley, M., Clune, R., & Hermanson, D. R. (2005). Enterprise risk management: an empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy, 24(6), 521-531. [ Links ]

Berkowitz, S. L. (2001). Enterprise risk management and the healthcare risk management. Journal of Healthcare Risk Management, 21(1), 29-39. PMid:11507940. [ Links ]

Berry, A. J., Coad, A. F., Harris, E. P., Otley, D. T., & Stringer, C. (2009). Emerging themes in management control: a review of recent literature. The British Accounting Review , 41(1), 2-20. [ Links ]

Bhimani, A. (2009). Risk management, corporate governance and management accounting: emerging interdependencies. Management Accounting Research, 20(20), 2-5. [ Links ]

Burrel, G., & Morgan, G. (1979). Sociological paradigms and organizational analysis. London: Heinemann Educational Books. [ Links ]

Chandler, A. D. (1962). Strategy and structure, chapters in the history of the America industrial enterprise. Cambridge: MIT Press. [ Links ]

Chenhall, R. H. (2003). Management control systems design within its organizational context: findings from contingency-based research and directions for the future. Accounting, Organizations and Society, 28(2-3), 127-168. [ Links ]

Collier, P. M., Berry, A. J., & Burke, G. T. (2007). Risk and management accounting: best practice guidelines for enterprise-wide internal control procedures. CIMA , 2(11), 1-8. [ Links ]

Collier, P. M., & Woods, M. (2011). A comparison of the local authority adoption of risk management in england and australia. Australian Accounting Review, 57(21), 111-123. [ Links ]

Committee of Sponsoring Organizations of the Treadway Commission – COSO. (2004). Enterprise Risk Management: integrated framework. New York: AICPA. [ Links ]

Conant, J. S., Mokwa, M. P., & Varadarajan, P. R. (1990). Strategic types, distinctive marketing competencies and organizational performance: a multiple measures-based. Strategic Management Journal, 11(5), 365-383. [ Links ]

Dallora, M. E., & Forster, A. C. (2008). A importância da gestão de custos em hospitais de ensino: considerações teóricas. Medicina , 41(2), 135-142. PMid:18499962. [ Links ]

Dalton, D. R., Todor, W. D., Spendolini, M. J., Fielding, G. J., & Porter, W. (1980). Organization structure and performance: a critical review. Academy of Management Review , 1(1), 49-64. [ Links ]

Denzin, N. K., & Lincoln, Y. S. (2006). O planejamento da pesquisa qualitativa: teorias e abordagens (S. R. Netz, Trad.). Porto Alegre: Artmed. [ Links ]

Donaldson, L. (2001). The contingency theory of organizations. London: Sage. [ Links ]

Etges, A. P. B. S., & Souza, J. S. (2015). Estudo de campo sobre gestão de riscos corporativos em empresas participantes de um parque científico e tecnológico. International Journal of Knowledge Engineering and Management, 4(8), 23-42. [ Links ]

Ewusi-Mensah, K. (1981). The external organizational environment and its impact on managerial informations systems. Accounting, Organizations and Society, 6(4), 310-316. [ Links ]

Ferreira, A., & Otley, D. (2009). The design and use of performance management systems: an extended framework for analysis. Management Accounting Research , 20(4), 263-282. [ Links ]

Flick, U. (2009). Qualidade na pesquisa qualitativa (R. C. Costa, Trad.). Porto Alegre: Artmed. [ Links ]

Gerdin, J. (2005). Management accounting system design in manufacturing departments: an empirical investigation using a multiple contingencies approach. Accounting, Organizations and Society, 30(2), 99-126. [ Links ]

Gordon, L. A., Loeb, M. P., & Tseng, C. Y. (2009). Enterprise risk management and firm performance: a contingency perspective. Journal of Accounting and Public Policy, 28(4), 301-327. [ Links ]

Gordon, L. A., & Narayanan, V. K. (1984). Management accounting systems, perceived environmental uncertainty and organizations structure: an empirical investigation. Accounting, Organizations and Society, 9(1), 33-47. [ Links ]

Gosselin, M. (2011). Contextual factors affecting the deployment of innovative performance measurement systems. Journal of Applied Accounting, 12(3), 260-277. [ Links ]

Govindarajan, V., & Gupta, A. K. (1985). Linking control systems to business unit strategy: impact on performance. Accounting, Organizations and Society, 10(1), 51-66. [ Links ]

Gul, F., & Chia, Y. (1994). The effects of management accounting systems, perceived environmental uncertainty and decentalization on managerial performance: a test of a three-way interaction. Accounting, Organizations and Society, 5(4), 413-426. [ Links ]

Hayne, C., & Free, C. (2014). Hybridized professional groups and institutional work: COSO and the rise of enterprise risk management. Accounting, Organizations and Society, 39(5), 309-330. [ Links ]

Henschel, T. (2008). Risk management practices of smes: evaluating and implementing effective risk management system. Berlin: Erich Schmidt Verlag. [ Links ]

Hoyt, R. E., & Hall, E. W. (2003). Enterprise Risk Management: evidence shows changing roles of health care risk managers. Journal of Healthcare Risk Management , 23(2), 7-11. PMid:15825467. [ Links ]

International Organization for Standardization – ISO. (2008). ISO 31000: risk management: principles and guidelines on implementation. Genebra. [ Links ]

Jokipii, A. (2010). Determinants and consequences of internal control in firms: a contingency theory based analysis. The Journal of Management and Governance, 14(2), 115-144. [ Links ]

Kaplan, R. S., & Mikes, A. (2012). Managing risks: a new framework. Harvard Business Review, 6, 1-8. [ Links ]

Kleffner, A. E., Lee, R. B., & McGannon, B. (2003). The effect of corporate governance on the use of enterprise risk management: evidence from Canada. Risk Management & Insurance Review, 6(1), 53-73. [ Links ]

Langfield-Smith, K. (2007). A review of quantitative research in management control systems and strategy. In C. S. Chapman, A. G. Hopwood & M. D. Shields (Eds.), Handbook of management accounting research. Oxford: Elsevier. [ Links ]

Liebenberg, A. P., & Hoyt, R. E. (2003). The determinants of enterprise risk management: evidence from the appointment of chief risk officers. Risk Management & Insurance Review, 6(1), 37-52. [ Links ]

Marshall, C. (2002). Medindo e gerenciando riscos operacionais em instituições financeiras. Rio de Janeiro: Qualitymark. [ Links ]

McLarem, T., Head, M., & Yuan, Y. (2004). Strategic fit of supply chain management information systems: a measurement model. In Proceedings of the International Conference on Information Systems (ICIS) (pp. 596-606). Washington: AIS. [ Links ]

Mikes, A. (2009). Risk management and calculative cultures. Management Accounting Research, 20(1), 18-40. [ Links ]

Miles, R. E., & Snow, C. C. (1978). Organizational strategy: structure and process . New York: McGraw-Hill. [ Links ]

Miles, R. E., Snow, C. C., Meyer, A. D., & Coleman, H. J., Jr. (1978). Organizational strategy, structure, and process. Academy of Management Review, 3(3), 546-562. PMid:10238389. [ Links ]

Miller, D., & Dröge, C. (1986). Psychological and traditional determinants of structure. Administrative Science Quarterly, 31(4), 539-560. [ Links ]

Miller, D., & Friesen, P. H. (1986). Innovation in conservative and entrepreneurial firms: two models of strategic momentum. Strategic Management Journal , 3(1), 1-25. [ Links ]

Miller, K. D. (2009). Organizational risk after modernism. Organization Studies , 30(2-3), 157-180. [ Links ]

Mintzberg, H. (1995). Criando organizacoes eficazes: estruturas em cinco configurações . São Paulo: Atlas. [ Links ]

Moll, J., Major, M., & Hoque, Z. (2006). The qualitative research tradition. In Z. Hoque (Ed.), Methodological issues in accounting research: theories and methods . London: Spiramus Press. [ Links ]

Organização Nacional de Acreditação – ONA. (2012). Retrieved in 2012, December 20, from [ Links ]

Paulo, W. L., Fernandes, F. C., Rodrigues, L. G., & Eidit, J. (2007). Riscos e controles internos: uma metodologia de mensuração dos níveis de controle de riscos empresariais. Revista Contabilidade & Finanças , 43(43), 49-60. [ Links ]

Pizzini, M. J. (2006). The relation between cost-system design, managers evaluations of the relevance and usefulness of cost data, and financial performance: an empirical study of US hospitals. Accounting, Organizations and Society, 31(2), 179-210. [ Links ]

Porter, M. E. (1994). Estrategia competitiva:tecnicas para analise de industrias e da concorrencia (E. M. Braga, Trad., 8. ed.). Rio de Janeiro: Campus. [ Links ]

Renn, O. Concepts of risk: a classification. In S. Krimsky & D. Golding (Eds.), Social theories of risk (pp. 53-79). Westport: Praeger, 1992. [ Links ]

Rowley, J. (2002). Using case studies in research. Management Research News , 25(1), 16-27. [ Links ]

Schminke, M., Cropanzano, R., & Rupp, D. E. (2002). Organization structure and fairness perceptions: The moderating effects of organizational level. Organizational Behavior and Human Decision Processes, 89(1), 881-905. [ Links ]

Shortell, S. M., & Zajac, E. J. (1990). Perceptual and archival measures of Miles and Snow’s strategic types: a comprehensive assessment of reliability and validity. Academy of Management Journal, 33(4), 817-832. PMid:10108144. [ Links ]

Smallman, C. (1996). Risk and organizational behaviour: a research model. Disaster Prevention and Management, 5(2), 12-26. [ Links ]

Soin, K., & Collier, P. (2013). Risk and risk management in management accounting and control: editorial. Management Accounting Research, 24(2), 82-87. [ Links ]

Subramaniam, N., Collier, P., Phang, M., & Burke, G. (2011). The effects of perceived business uncertainty, external consultants and risk management on organisational outcomes. Journal of Accounting & Organizational Change, 7(2), 132-157. [ Links ]

Tanaka, O. Y., & Tamaki, E. M. (2012). O papel da avaliação para a tomada de decisão na gestão de serviços de saúde. Ciencia & Saude Coletiva, 17(4), 821-828. PMid:22534834. [ Links ]

Tillema, S. (2005). Towards an integrated contingency framework for MAS (management accounting systems) sophistication. Case studies on the scope of accounting instruments in Dutch power and gas companies. Management Accounting Research, 16(1), 101-129. [ Links ]

Woods, M. (2009). A contingency theory perspective on the risk management control systems within Birmingham city council. Management Accounting Research, 20(1), 69-81. [ Links ]

Yin, K. R. (2005). Estudo de caso: planejamento e métodos (3. ed.). Porto Alegre: Bookman. [ Links ]

Received: May 22, 2017; Accepted: February 08, 2018

Creative Commons License  This is an Open Access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.