Including risk in the balanced scorecard: Adoption rate and implementation methods of Johannesburg Stock Exchange listed organisations

7It has been suggested in previous research that it might be worthwhile to include risk measures in the balanced scorecard (BSC) or to rework it in order to manage risk. The literature review in this study indicated that some conceptual and case study research has been done to investigate how an organisation could go about accomplishing this. A number of researchers noted that including risk measures on the face of the scorecard might lead to a problem of over-complexity. Using content analysis as the method of inquiry, this study explored how organisations are currently adding risk to their scorecards. The key fi nding of the study was that organisations that have reported adding risk measures to their BSCs are predominantly adding risk measures to the face of their scorecards. This fi nding is interesting because it would indicate that the previously reported and conceptualised problem of complexity does not seem to have such a great impact as previously thought. 8

has been suggested in previous research that it might be worthwhile to include risk measures in the balanced scorecard (BSC) or to rework it in order to manage risk. The literature review in this study indicated that some conceptual and case study research has been done to investigate how an organisation could go about accomplishing this. A number of researchers noted that including risk measures on the face of the scorecard might lead to a problem of over-complexity. Using content analysis as the method of inquiry, this study explored how organisations are currently adding risk to their scorecards. The key fi nding of the study was that organisations that have reported adding risk measures to their BSCs are predominantly adding risk measures to the face of their scorecards. This fi nding is interesting because it would indicate that the previously reported and conceptualised problem of complexity does not seem to have such a great impact as previously thought. 8K ey words: balanced scorecard, risk management, enterprise risk management, performance management, risk scorecard, risk perspective 1P erformance management is an age-old practice, whether through accounting methods, simple anecdotal evidence or, more recently, non-financial measures. The rationale for measurement is quite logical. Without measurement of some sort, a benchmark to improve upon would not be present and it would therefore be problematic to compare present against past performance or to determine whether the objectives have been met.
2Th e BSC provided a new approach to performance measurement by adding non-financial indicators and four insightful perspectives through which to view Mr P.N. Kotze is a lecturer in Finance, Risk Management and Banking, University of South Africa. Prof FNS Vermaak is an associate professor and Ms E Kirsten is a lecturer in Financial Management, University of Pretoria. E-mail: kotzepn@ unisa.ac.za; frans.vermaak@up.ac.za; elize.kirsten@up.ac.za an organisation as opposed to the traditional approach of measurement. The framework advocates four perspectives, namely financial performance, customer knowledge, internal organisational processes and learning and growth. These four perspectives allow the measurement of performance from the perspectives of all stakeholders (Kaplan, 2009(Kaplan, :1262. The BSC also facilitates the implementation of an organisation's strategy through its four perspectives and measurement framework. By using a top-down approach, strategic goals and objectives are filtered down through the organisation. This is achieved by starting with overall objectives and then breaking them down into smaller goals that are set in lower hierarchies of the organisation (Cronje & Maritz, 2007:171). The BSC, however, is not without critique. The framework has been criticised, amongst other things, for not taking risk into consideration (Nørreklit, 2003:617). 3O ver the past two decades, risk management has risen to prominence as an organised function (Woods, 2008(Woods, :1074. When formalised, the risk function considers a large number of possible threats to business. However, in order to monitor a large spectrum of threats throughout an organisation, the risk function would need to be integrated throughout the whole organisation. The rise of strategic risk management led to embedded risk management in formal strategic planning processes. Possible risks to successful strategy implementation can be anticipated and actions planned to mitigate the impact on the strategy (Mitchell & Jones, 2007:30). Enterprise risk management (ERM) formalises this concept further by advocating that risk management should be included in strategy setting and communicated downwards to all levels of the organisation (Woods, 2008(Woods, :1077. 4Bo th the BSC and ERM frameworks are top down in nature and have their starting points in strategy setting. Communicating the strategy of the organisation is a key feature of the BSC (Cobbold & Lawrie, 2004:632;De Geuser, Mooraj & Oyon, 2009:114). Previous papers have argued that it is a tool also suited to implementing strategic risk management or ERM. These papers, however, suggest differing methods of achieving this because of perceived difficulties faced when integrating risk management into the BSC (Palermo, 2011:3, Calandro & Lane, 2006. This paper further explores the difficulties and different methods used to achieve integration. The objective of the study was to determine the inclusion of risk in the BSC and the method, if any, used for implementation. This research provides novel evidence pertaining to the methods used to integrate risk management and the BSC as well as the adoption rates for both frameworks among Johannesburg Stock Exchange (JSE) listed organisations.

Literature review
The BSC 1The aim of the BSC framework is to facilitate the implementation and monitoring of strategy by taking long-term strategic goals and breaking them down into shorterterm goals through scorecards (Cronje & Maritz, 2007:260). 2W hen formulating strategy, an organisation would set out a mission and vision statement. This statement would then be translated into specific goals and objectives. These goals are based on four perspectives. Each perspective represents the view that a certain stakeholder group would have of the organisation. The financial, customer, internal business process and learning and growth perspectives comprise the perspectives used in the BSC and include the main stakeholder groups of an organisation. 3Ea ch perspective is a collection of performance indicators that should reflect the organisation's performance from that specific perspective. Indicators can be performance drivers that influence future performance or measures that track past performance, referred to as leading and lagging indicators. According to Ahn (2001:442), there should be a balance between leading and lagging indicators in the four perspectives. 4Th e inclusion of leading and lagging measures is a critical feature of the BSC and the mechanism used to identify and manage causal relationships. It is argued that the financial perspective is the starting point of formulating strategy as this perspective also forms the basis of all the goals and measurements set in other perspectives. The rest of the methodology is mainly aimed at increasing the financial performance of the organisation (Albright & Davis, 2004:137). 5Th e customers of an organisation are essentially its revenue stream for business, and without satisfying customers or retaining the business of its customers, the organisation would lose out on income (Kaplan & Norton, 1996:64). It is therefore argued that increases in customer-related measures should lead to an increase in financial performance. Where the measures in the financial perspective are usually objective in nature, the measures in the customer perspective may commonly be more subjective. While it is easy to objectively quantify a desired profit margin, say, 10%, it is less clear to define and measure customer satisfaction for instance (Kaplan & Norton, 1996:70). This is where the subjective nature of measures in the BSC is introduced. Through the use of subjective measures it may be possible for management to identify possible relationships across the four perspectives that they believe are leading and lagging measures. The effectiveness of these relationships, and therefore by proxy, the real influence a leading measure may have on a lagging measure, could then be tested. This also allows for testing the validity of a subjective measure as the performance data becomes available. This may allow management to determine whether an improvement in a certain goal in a lower part of the hierarchy does indeed influence a higher goal in the hierarchy (Bukh & Malmi, 2005:10). 6C ustomer perspective measures are subsequently argued to influence measures in the financial perspective. This hierarchy of influences is then further extended as the measures in the customer perspective are deemed to be influenced by the measures in the internal business process perspective (Denton, 2006:35). 7Th e internal business process perspective deals with the business processes that are most critical for achieving strategic objectives and the related goals set to achieve them. Kaplan and Norton (1996:97) advocate a methodology of forming measures for processes throughout the value chain, from innovation, to operations, to postsales service. 8Th e order of development is dictated by cause and effect relationships. These relationships would hold that, at the top, strategy is dictated by financial measures. An organisation's customers are then key to achieving these financial goals because they are the source of revenue and thus the basis for a business. The internal business processes that follow in the chain of development are the actual work that has to be done and measured to enable the organisation to increase its scores on the customer and financial perspectives (Epstein & Wisner, 2001: 2;Cronje & Maritz, 2007:281). 9M easures in the learning and growth perspective would be used to form an overview of how well the firm is managing its human capital as well as the underlying systems the workforce need to do their work more efficiently. The learning and growth perspective is related to the internal business process perspective specifically through the relationship formed when new processes and process improvements are set as goals. In order to achieve set goals, the workforce of the organisation would need training to perform new tasks or do current tasks more efficiently. The underlying systems the organisation needs for growth, efficiency or the achievement of the set process goals would also need to be implemented (Kaplan & Norton, 1996:126). 1 0 The BSC advocates an organisation-wide strategy diffusion and measurement regime. Implementing a successful BSC has been shown to lead to a higher rate of acceptance and participation in strategy development (Cobbold & Lawrie, 2004:632;De Geuser et al., 2009:114). Despite the purported benefits of implementing the BSC, the concept is not without possible flaws or critique.
1 1 It has been argued that the BSC is not reactive to external developing situations that could pose a risk to the successful implementation of a strategy (Nørreklit, 2003:617). In response to this criticism, it has been suggested that the strategy should be revised on a monthly or quarterly basis, depending on the situation and geographical location of the organisation's units, or as needed in ad hoc strategy meetings (Kaplan & Norton, 2008:233). While this seems to be a reasonable critique of the concept, the use of ad hoc strategy meetings may not necessarily be flexible and reactive enough, taking into consideration the amazing speed at which new situations and threats can materialise. This is one of the key considerations for including risk in the BSC as it could at least help to create risk awareness throughout the organisation. 12In ternally, criticism has been levelled atthe performance measurement of people or employees (Maltz, Reilly & Shenhar, 2003:190). The argument that the BSC does not take certain internal performance factors into consideration may stem from a common top-down approach in implementing the BSC. In such instances, objectives passed on to managers or employees may not be the best possible measure to gauge performance in their business unit or department for achieving strategic goals (Berry, Coad, Harris, Otley & Stringer, 2009:6). The issue in terms of ensuring credible measures may lie in testing, revisiting and retesting current measures for effectiveness. 13O wing to the complex nature of business, with each organisation, to a certain extent, being unique because it comprises a collection of people, ideas and resources, a unique business strategy is required to keep a specific business aligned. The BSC, as described by Kaplan and Norton (1996: 300), does seem to have a certain element of vagueness as emphasised in previous research (Bourguignon, Malleret & Nørreklit, 2004:116). The vagueness of the concept could be seen as both a drawback to implementation as well as a boon to organisations wishing to customise their scorecards. Withstanding the criticism of the concept, the proven role of the BSC in diffusing strategy was regarded as the main focus area of this study and the addition of risk as the main phenomenon explored because of the perceived benefits of using a current framework to implement risk management throughout an organisation.
Risk 1Risk can be defined as certain perils that an organisation faces in its normal business operations. These perils can be described as non-financial risks, that is, risk unrelated to the financial risk taking that comes with doing business. Such risks could be human-made, natural or economic (Drake & Fabozzi, 2009:557). These risks need to be managed to ensure the ongoing operations and success of an organisation. 2Th ese risks can be identified and then measured using indicators. When risks are identified and measured it thus follows that they are to some extent at least accepted as a potential threat to the organisation's operations. Tracking the risks through indicators allows an organisation to manage such accepted risks by taking action to mitigate, avoid or absorb the effects thereof. This would also allow an organisation to adjust operations to minimise the impact of the risk. 3A trend in risk management in the recent past has been that business has moved away from traditional risk management. Traditionally, the process entailed a more financial and operational approach and was based mostly on hedging risks with insurance and financial instruments. Organisations are now moving towards a broader view of risk management, which has been linked to strategy and corporate governance (Woods, 2008(Woods, :1075. 4St rategy is focused on internal competencies as well as the external environment. Hence the inclusion of risk in strategy would entail taking into consideration internal and external risk factors. Incorporating risk into strategy means that there would be an element of constant risk monitoring, measurement and correction diffused throughout the organisation. This would also be the case in performance strategy. This could address risks that may threaten the strategy and performance by monitoring them constantly, instead of only at strategy review meetings. Integrating risk into strategic planning and implementation could thus enhance strategy execution and address some of the criticism against the strategy implementation facet of the BSC (Nørreklit, 2003:617). 5Th e strategic management of risk is referred to as strategic risk management (SRM). This concept can best be described as the process whereby strategic risks are identified, analysed and managed in order to minimise the impact of risk on the organisation's strategy. The implementation of SRM could be described as the process of identifying possible scenarios which could have an impact on the strategy of an organisation and the action of devising mitigating plans to deal with the identified scenarios (Frigo, 2009:7). SRM is a vital part of ERM. 6ER M refers to a holistic framework to manage the risk a business faces, and it is thus a strategic view of risk management. ERM provides a structured framework within which the organisation and its related business units would need to operate, in order to satisfy its strategic goals that have been set. This framework is usually implemented by determining the risk appetite of an organisation at a top level and then cascading down to lower management and operational levels. Here the specific processes or actions would need to fall into acceptable risk tolerances based on the cascaded risk appetite. In order to execute such a risk strategy and to realise this cascading effect, it has to be implemented throughout the organisation (Woods, 2008(Woods, :1076. The aim of ERM is therefore to align the whole organisation with a specific risk management strategy. 7W hereas the BSC relies on key performance indicators, risk management can rely on key risk indicators. This similarity is of importance in establishing a link between the two concepts and provides a practical method for the inclusion of risk in the BSC. The BSC's focus on business processes can be compared to risk mapping, where key risk indicators are mapped to processes (Scandizzo, 2005:232). Risk measures can also be classified as being either leading, current or lagging (Davies, Finlay, McLenaghen & Wilson, 2006:9). This important classification highlights the similarity between the measures used in risk management and the performance indicators used in the BSC. 8In trinsic commonalities also exist between performance and risk measures. In certain cases, a risk measure could also be a performance measure. Where the risk function of an organisation is of high importance, for example, a risk measure could directly measure the performance of a specific function or performance of a process. Conversely, a performance indicator can also be a risk indicator under certain circumstances. Specific variances in a performance measure may indicate underlying problems that can relate to risk management (Barnaby & Nagumo, 2006:22). 9Th e common attributes and relationships between performance and risk measures form the basis for integrating performance and risk management. Sharing of information between these two areas could sensibly be achieved because of these common features. The capacity to implement strategy through the use of both types of measures is underlined by the similarity between the measures used in the BSC and risk management.
Adding risk management to the BSC (previous research) 1A dding risk measures to the BSC has been suggested in different ways. Because the BSC is process driven, early proposed methods focused on adding risk to the framework in the same way as performance measures would be added. This entails choosing risk measures that could impact on critical processes (Beasly, Nunez & Wright, 2006:53;Barnaby & Nagumo, 2006:27). 2I t is argued that adding risk measures to the face of the scorecard may lead to an overly complex scorecard. The BSC is meant to present a meaningful overview of the performance information of an organisation at a single glance and should therefore not convey too much information (Palermo, 2011:5). In order to overcome this apparent problem of complexity, Calandro and Lane (2006:37) advocate the use of two separate scorecards: a BSC for strategy and performance management and an enterprise risk scorecard for risk management purposes. Palermo (2011:5), however, argues that less complex organisations might well be able to add risk measures to the face of the scorecard without introducing the problem of complexity. 3Sc holey (2005:35) supports the idea of adding a single aggregated risk measure to the internal business process perspective to overcome the problem of complexity. This approach may have the advantage of keeping the face of the scorecard cleaner and less complex than it would be if an organisation were merely to add risk measures to the face of the BSC. In some cases, especially where risks are more complex on the operational side, this approach could enable an organisation to include it in a concise manner. 4A survey on the inclusion of risk in the BSCs of major global financial organisations indicated that 20% of these organisations added risk measures to their BSCs. The survey also found that almost 50% of the organisations intended to implement risk management in their BSC's in the future (Ittner & Larcker, 2008:1246. 5O verall, the research on risk in the BSC has focused mainly on the implementation and theoretical aspects of the phenomenon. There are a few organisation case studies that focus on how risk is implemented in the BSC. Others consider how complexity is handled as well as how ERM is integrated into the BSC. Kaplan (2009Kaplan ( :1267 argued that more work needs to be done on how risk can be integrated into the BSC and mentioned that he expected advances in the areas during the period 2009 to 2014.
6P revious research has focused on addressing this and proposing and exploring new methods to add risk to the scorecard. To this end, different methods have been identified, proposed or tested. Even though different methods have been proposed, their actual implementation has not been extensively researched as far as could be determined. The only other previous study found on this topic focused only on the adoption of the inclusion of risk in the BSC. The study did not consider the methods used to include risk in the BSC (Ittner & Larcker, 2008:1246. It is therefore envisaged that this study will add to the literature by providing evidence of the adoption rate of the different methods for the inclusion of risk in the BSC.

Methodology
1P ossible research designs that were considered included survey and content analysis research. These two options would both be suitable to the purpose as both would be expected to yield insights into the research problem. Survey research would involve sending out a questionnaire to possible respondents who would be likely to be involved in activities relating to the frameworks explored in this study.
2C ontent analysis involves a structured, methodological analysis of text documents, in this instance, annual reports (Duriau, Pfarrer & Reger, 2007:6). For each phenomenon to be investigated, a category would be created which would eventually contain the measurement of the phenomenon. The categories can be described as a column that is tallied to obtain a total. Each category would be assigned a measurement unit such as a keyword, key phrase or paragraph. This unit would either be recorded or noted as being present, which would then be tallied in the above-mentioned categories. The method used is deemed to be qualitative because the study did not only quantify textual data by counting the number of times a word was used. The method applied went further and inferred meaning from certain words, phrases and descriptions (Hsieh & Shannon, 2005:1284. 3C ontent analysis was chosen as the preferred design for this study because it affords one the opportunity to handle a huge amount of data while survey research has notoriously low response rates (Baruch & Holtom, 2008:1139. If the researcher had opted for survey research, surveys would have had to be sent to executives or other high-placed persons involved in strategy setting. This would have presented another obstacle to the response rate as these persons are often limited by time constraints. 4T wo distinct methods can be used to conduct content analysis, namely the directed and traditional methods. Conventional content analysis entails using the data at hand to form categories. In other words, the data is used to identify unidentified phenomena or patterns in existing literature. Directed content analysis uses categories that are usually predetermined by previous research (Hsieh & Shannon, 2005: 1279). In the current study, directed content analysis was decided upon as the literature indicated distinct categories which could be used to group the different methods for adding risk to the BSC.

Data collection
1Data was collected for Johannesburg Stock Exchange (JSE) listed organisations for the year 2012. Annual reports for the financial year ended 2012 were collected for most organisations. Where these were not available, the latest possible report was used up to a maximum of five years prior (2007). The McGregor BFA database was used to obtain the annual reports of all JSE main board listed organisations. While the reports were obtained from the database, they had not been processed by McGregor BFA. The annual reports contained in the database were merely collected and stored in the database and were in fact the original reports issued by the organisation. Where the statements could not be obtained from this database, the website of the organisation was searched for its annual reports. The annual reports in the database and on the websites of the organisations are identical.

Validity and limitations
1Content analysis can to some extent be subjective, especially where the analysis of text is involved. The qualitative analysis of the text involves a person reading the text and recording a certain word, phrase or theme as being present. A dummy value is then assigned to a specific category in order to keep track of the presence of the concept. Such a subjective identification of key terms raises some accuracy concerns. The use of computer software, however, would for the most part eliminate doubts about the validity of the method as words and phrases could be searched for and more exact matches located (Duriau et al., 2007:22). 2Th e coding categories and methods are standardised before the start of the analysis. For each coding category, predefined search terms are defined to ensure validity. Computer software is then used to search through each text according to these rules. This ensures consistency across the many annual reports to be analysed. In some cases, the predefined search term was recorded as being present where a description of the category was found to contain some of the search words and a highly accurate description of the category. However, it has been argued that this does not have an impact on the validity of the study because at least some of the keywords need to have been present and the description could place the keywords in context. 3A more subjective approach was used for a significant part of the study. The categories for risk in the BSC and the method of adding risk to it are subjective. To ensure validity for these sections, only where organisations explicitly described or mentioned adding risk to the BSC, was this recorded as such. The method of implementation would be recorded on the basis of the description of the BSC and would only be used for this section if there was a significant description from which the method could be ascertained.
4K ey limitations of this study included the use of different words or phrases in annual reports that differed from those obtained from the literature. This led to under-reporting of the use of the concepts involved. Owing to the nature of the frameworks investigated, the level of implementation could not be fully gauged, only the binary value describing whether a framework had been implemented or had not been determined. An extra category, chief risk officer (CRO) was added as a proxy to gauge the extent of ERM implementation. Previous research has determined that organisations with an appointed CRO are likely to be further along in terms of implementing ERM. This is ascribed to the presence of a person to advance the risk management agenda at senior management level (Beasly, Clune & Hermanson, 2005:529).

Data analysis
1An initial checklist was compiled against which the annual reports that had been collected were analysed. The name of each organisation was recorded as well as the industry in which the organisation operates. The literature did not suggest a more widespread implementation of the BSC with risk included in any specific industry, and the industry category was added in order to determine whether some industries may have been more inclined to do so. 2C ategories for each framework investigated were expressed as columns. In the initial analysis, the categories used were as follows: BSC used, ERM used, CRO appointed and Risk included in BSC. If one of the keywords identified in the literature review was present for a category, it was recorded as "Yes" on an Excel spreadsheet in the applicable column, while "No" was recorded, if not. 3A fter the initial analysis, organisations indicating that they include risk in their BSC were analysed again. This was done to determine which method of implementation, as categorised according to the literature, was used. The data at hand revealed that the categories identified from the literature would not encompass all of the methods used, as found in the analysis. Hence the coding categories were determined by the data at hand and the study became a hybrid between traditional content analysis and a directed analysis. 4Th e categories identified in the literature review were as follows: 5"F S" -Face of the scorecard. Here, risk measures are added to the face of the scorecard directly.
6" SR" -Separate risk scorecard. This is where a separate risk scorecard is constructed to manage risk in conjunction with the BSC.
7" AR" -Aggregated risk measure. An aggregated risk measure linked to detailed risk information is added to the face of the BSC. 1The additional category that was identified from the data at hand was as follows: 2"R P" -Risk perspective. Here, a separate risk perspective is added to the BSC's original four perspectives so that there are five perspectives in total.

Results
1The initial analysis consisted of four categories. These categories were used to gauge the adoption of frameworks such as the BSC, ERM, CRO appointment and whether risk is included in an organisation's BSC. The results of this analysis are interesting because they show the level of adoption of more than one framework as well as the integration of two different concepts. While the totals obtained may not be that large, the population used for the analysis was substantial, and this adds to the validity of the analysis.
Discussion on data collection 1Data was collected for 310 organisations. This represents all of the JSE main board listed organisations at the time of the study that had published annual reports in the preceding five years. Special investment vehicles were excluded from the study as these organisations do not hold meaningful operations, but are in fact indextracking equities.

Results of the initial analysis
1The results of the initial analysis are provided in Table 1. The total number of organisations indicating that they used the BSC was at about 8% of the sample. The adoption of ERM is much higher, at about 29% of the population. The appointment of a CRO is argued to indicate a more mature implementation of a risk management framework. Of the sample, 7.42% reported the appointment of a CRO. This was significantly lower than the number of organisations that reported implementing ERM. Only 2% of organisations listed on the JSE main board reported using a BSC with risk measures added or risk integrated in some form. This adoption rate is fairly low.  Table 2 show that 29% of organisations on the JSE that use the BSC have included risk in their scorecards. Of the BSC users, 42% have also implemented ERM. It is interesting to note that five organisations in the study had not integrated risk into their BSCs in spite of using both the scorecard and ERM. Two organisations also indicated including risk in their scorecards, but did not have ERM implementations. The results regarding the appointment of a CRO are used as a proxy to gauge the level of implementation of an organisation's risk management framework. The results indicated that only 13% of organisations that had implemented ERM and the BSC had also appointed a CRO. This might be due to the size and nature of operations of the organisations, but should, to a certain extent, give at least an indication of the level of implementation of the organisations in the sample. Results by sector 1In order to determine whether the level of implementation of any one of the frameworks considered had been adopted more in certain sectors, the results were grouped according to sector. The percentage was calculated by dividing the number of organisations adopting a specific framework in each sector according to the total amount of organisations in the sector. In Table 3 it is clear that there are indeed indications that some of the frameworks were implemented more widely in certain sectors than in others.  Table 3, the ICT sector was the only sector with a significantly higher number of organisations using the BSC, with the health sector having none. The implementation of ERM shows larger uptake in the health and ICT sectors which may be because of the risk environment in which these organisations function. Health organisations may face liabilities owing to negligence, for instance, while an example in ICT organisations would be intellectual property concerns. CRO appointments are highest in the ICT and financial sectors, possibly because of operational needs in these sectors. Risk in BSC implementations is found in only the resources, financial and industrials sectors. Implementation is the highest in resources and financials. A possible explanation for this could be the regulatory environment in which these two sectors operate, resulting in a greater need to measure and manage risk. the results of only the organisations that adopted the BSC are considered (Table 4), they show the highest level of adoption in the resources sector. It is also interesting to note that most of the organisations that have added risk to the BSC have also implemented ERM. Because the two frameworks are both largely encompassing, it is likely that to some extent the frameworks would be integrated in these organisations.

Results of the second analysis
1The methods used to add risk to the scorecard were analysed by scrutinising each of the descriptions given in the annual reports. Each description was then subjectively assigned to one of the categories as discussed in the methodology and design. The three categories identified in the literature were supplemented with a fourth category found in the actual study as outlined in the section on data analysis. 1 Figure 1: Methods used to incorporate risk measures in the BSC 1The SR category represents the creation of a separate risk-based BSC where the scorecard comprises risk measures instead of performance measures. One of the organisations in the sample reported using this method. 2Th e AR category represents the use of a scorecard with an aggregated risk measure added to the face of the BSC that provides summary information on the management of risk. None of the sampled organisations reported using a BSC incorporating an aggregated risk measure. 3Th e RP category represents the addition of a risk perspective in the BSC. Such a modified BSC would contain five perspectives, namely financial, customer, internal business processes, risk and learning and growth. One of the organisations in the sample reported using such a method.

Discussion and conclusion
1Out of the 310 organisations in the study, 24 (7.7%) reported using the BSC. This percentage in itself does not necessarily represent a large rate of adoption. It does, however, provide a meaningful sample of organisations, which meets the objective of the study, namely to determine whether organisations add risk to the BSC and what methods are used. Of the total population, only seven organisations reported using the BSC with risk added. This seems fairly low, but it could be attributed to the low adoption rate of the BSC that was evident. The inherent limitations of the study may also be a factor in the low adoption rate because the methodology used might have under-reported this rate. Subjective analysis of the text was limited so as to include only a clear description of the inclusion of risk in the BSC to ensure validity, and this may have led to under-reporting. The number of organisations adding risk to their balanced scorecards was found to be lower than that indicated in a previous international study on financial organisations, where an adoption rate of 20% was found in comparison to 2.25% in this study. When comparing only financial organisations, the adoption was 4% compared to 20%, which was still significantly lower (Ittner & Larcker, 2008:1246. 2I n this study, a significant number of organisations reported implementing ERM, namely 29%. The adoption of ERM was reported across all industries, which indicates that the formalisation of risk management does not only occur in a specific sector, but is being commonly adopted. The appointment of a CRO was measured at 7.42%. This is indicates that a significant number of organisations that have implemented ERM have not appointed a CRO. This may be an indication that these organisations that had appointed a CRO had more advanced ERM implementations than the remainder of the organisations. This measure provides some insight into the level of implementation that may have been achieved by the majority of ERM users. Most of these organisations would thus be likely to have less mature implementations. In the ICT and financial sectors, CRO appointment was found to be higher than in other industries, indicating that these industries could be more focused on risk or have more mature or developed risk management implementations. 3Th e other main focus of the study was to determine what methods organisations applied to add risk to their BSCs. The result of the study was that organisations predominantly add risk measures to the face of their scorecards, as proposed by Beasly et al. (2006:53) and Barnaby and Nagumo (2006:27). This could indicate that concerns relating to the increase in complexity might have been overstated or overestimated in previous studies (Calandro & Lane, 2006:37). It is also possible that the organisations in the study did not have complex enough operations to warrant an alternative approach to adding risk measures to the face of the scorecard, as postulated by Palermo (2011:5). 4U nderpinning this was the result that the use of a separate risk scorecard, as proposed by Calandro and Lane (2006: 37), was reported only once. The use of an aggregated risk measure as proposed by Scholey (2005: 35) was not found in the study. The addition of a separate risk perspective was also reported only once. Such a separate risk perspective option was not described in the literature that was reviewed for this study, and could therefore be a new method of implementation. 5This study found a significantly lower rate of implementation than that reported in previous literature. This could be ascribed to factors such as the size and apparent complexity of the organisations in South Africa when compared to their larger global counterparts. The predominant method for adding risk to the BSC was found to be through adding risk measures to the face of the scorecard. This was contrary to perceptions that this would not be ideal because of the increased complexity of the scorecard. A new method of adding risk to the BSC was also found, which had not been addressed in previous literature surveyed. 6I t is proposed that future research should be conducted in this area in a longitudinal manner to ascertain whether adding risk to the BSC is increasing or decreasing. Another area that might produce interesting results would be to find an organisation currently considering implementing a BSC or adding risk to it (one such organisation was found in the study) and to conduct case study research on the implementation of the concept. Lastly, the separate risk perspective found in the study could be of interest and warrant further investigation.

Implications for industry
1A clear implication relevant for industry can be drawn from this study, namely that risk can be added to an organisation's existing BSC. The BSC can be used to diffuse strategy throughout a business, and adding risk to this framework allows an organisation to make use of its strengths in order to implement a holistic risk management framework in the form of ERM. The study showed that some organisations are currently doing this, mainly by adding risk measures to the face of their scorecards. 2Th e inclusion of risk in the BSC by adding it to the face of the scorecard has previously been argued to increase the complexity of the scorecards too much for practical implementation. While this study found some implementations based on methods that reduce the apparent complexity, the majority of organisations added risk measures straight to the faces of their scorecards. The implication that can be drawn from this for industry is that in many organisations, the level of complexity or nature of risk in the organisations allows for the use of this method. Organisations already utilising a BSC can therefore make use of an enhanced scorecard to add risk measurement to performance measurement. This has the benefit of using an established system to implement and diffuse risk in an encompassing risk management framework such as ERM. Organisations that are currently using different frameworks for performance and risk management could also draw from this, namely that it is possible to combine both of these management aspects into one framework or system and that this has been successfully implemented in other South African organisations.