ENTERPRISE RISK MANAGEMENT IN PORTUGAL

The present chapter tries to assess the state of art of Enterprise Risk Management (ERM) among Portuguese non-financial companies regarding two main aspects: the ERM background in Portugal and the level of disclosure of ERM practices by non-financial listed companies. Since the analysis of disclosures is useful to understand the level of evolution and adoption of ERM framework we tried to assess the ERM practices disclosed by 26 Portuguese non-financial listed companies at the Euronext Lisbon Stock Exchange regulated market, during the period of 2006-2016. Main findings indicate that regulation on ERM in Portugal emanates from three main Codes (The Portuguese Companies Code, The Stock Exchange Code, and The Corporate Governance Code). The ERM professionalization in Portugal is its infancy and has been promoted mainly by the Institute of Portuguese Internal Auditors. Moreover, research on topics such as risk reporting and risk management/ERM is very scarce. Overall, findings of prior literature are consistent with results from our exploratory study. We conclude that Portuguese non-financial listed companies still disclose very little information on ERM activities. However, over the period of analysis, the disclosure practices evolved positively. Findings show that ERM disclosure can still be extensively improved in the future.


INTRODUCTION
In this chapter, we try to explore the status quo of Enterprise Risk Management (ERM) in Portugal.We focus on non-financial listed companies ate the Euronext Lisbon Stock Exchange regulated market, basically because listed companies are scrutinized closely by its investors and therefore subject to higher level of compliance with regulations regarding corporate governance structures, internal control and risk management systems, and risk reporting.
We start exploring the ERM background in Portugal regarding the institutional conditions that influence the adoption/alignment of Portuguese non-financial companies with the ERM framework: the economic environment, the regulatory framework, the level of research and its implications in the further implementation of ERM, and the level of development of the professionalization of ERM in Portugal.Afterwards, since the level of disclosure is a crucial element to better understand the stat of art of ERM in Portugal, we examine the disclosure level on ERM practices of Portuguese non-financial listed companies, during the period of 2006-2016.We finalize with a discussion on the main conclusions.

PORTUGAL´S ECONOMIC HIGHLIGHTS
Portugal is a country on the Iberian Peninsula in Southwestern Europe with approximately 10.3 million people.It is a developed country with a high-income advanced economy and a high living standard.It is the 5 th most peaceful country in the world, maintaining a unitary semi-presidential republican form of government (Banco de Portugal, 2019).Portugal is a member state of the European Union since 1986.
This has contributed to a stable economic growth and development, largely through increased trade ties and an inflow of European funds to improve the country's infrastructure in such a way that currently, Portugal is home to a number of notable leading companies with worldwide reputations, such as: the Navigator Company, a major world player in the international paper market; Sonae Indústria, the largest producer of wood-based panels in the world; Amorim, the world leader in cork production; Conservas Ramirez, the oldest canned food producer; Cimpor, on the world's 10 th largest producers of cement; EDP Renováveis, the 3 rd largest producer of wind energy in the world; Jerónimo Martins, consumer products manufacturer and retail market leader in Portugal, Polonia and Colombia; TAP Air Portugal, highly regarded for its safety record and one of the leading airlines linking Europe with Africa and Latin America.
From a macroeconomic perspective, However, Portugal has a high dependence on trade.The great majority of international trade is done within Europe (representing 72.8% of Portuguese exports and 76.5% of imports).Other regional trade partners equally significant are the NAFTA, the PALOP, the MAGREB and the MERCOSUL (Banco de Portugal, 2019).
Moreover, the last Global Financial Crisis (2007)(2008) impacted negatively on the Portuguese Sovereign Debt, that as lead Portugal (as well as other European countries such as Spain, Greece, and Italy) to a sovereign debt crisis between 2010-2013.It was the Portuguese economy's most severe recession since the 1970s and it was the culmination of continuous (since 1974-2010) over-expenditure governmental policies and investments bubbles through unclear public-private partnerships (PPPs), triggered by four main events: a) the financial collapse of the bank "Banco Português de Negócios (BPN)"; b) the bankruptcy of the bank "Banco Privado Português (BPP)"; c) the budgetary slippage with PPPs; and d) the Swaps contracted by State-owned companies with potential losses higher than 3,000 million euros (Banco de Portugal, 2019).
In Another interesting aspect is that the Portuguese companies' institutional environment in terms of its legal, corporate governance and financial systems is considered less developed than other European Union member states.The ownership structure of Portuguese companies is highly concentrated in a few larger shareholders.They are frequently family controlled (Lopes and Rodrigues, 2007;Oliveira et al., 2011aOliveira et al., , 2018)), and the majority of Portuguese listed companies have political connections and some politicians are connected to several companies (Bianchi et al., 2019).Portugal is a bank-oriented country, in which the banking system is strongly concentrated in a few financial groups and with very small influence of foreign banks (Lopes and Rodrigues, 2007).Portugal is considered a Code Law country (La Porta et al., 1997) and therefore follows a "stakeholder" governance model oriented towards "legal compliance", with low disclosure, alignment between financial and tax accounting, and weaker investor protection (Meek and Thomas, 2004;García-Castro et al., 2008;Oliveira et al., 2018).establishes the basic principles and rules of management and control of all kind of legal forms of companies (either listed or non-listed).In 2006, the governance model of Portuguese companies was updated in order to make them more competitive.Currently, all Portuguese companies have to adopt one of the following three models:

THE PORTUGUESE CORPORATE GOVERNANCE LEGAL FRAMEWORK
1) The Latin model: this comprises two sub-models.First, there is the simple Latin model (where companies have a board of directors and a supervisory board or statutory auditor).Second, there is the Latin enhanced model (where companies have a board of directors, supervisory board, and an auditor who cannot be a number of the supervisory board).The later structure separates the supervision function of the supervisory board from the auditing function of the auditor; 2) Dual model: there is an executive board of directors, a general and supervisory board, and a statutory auditor; 3) New Anglo-Saxon model: there is a board of directors, an audit committee, and a statutory auditor -all elected at the annual general meeting.The audit committee, composed exclusively of non-executive directors, has oversight duties.At least one member of the audit committee is required to have sound knowledge of accounting and auditing (Companies Code, article 278º).
In Portugal, the existing regulations regarding internal control and risk management are based on the provisions and recommendations of the SOX Act.The Companies Code requires that all companies must include in their Management Report a risk management report section, but specifically related to financial risks.In its article 65º states that "the company's financial risk management objectives and policies, including the hedging policies of each main categories of expected transactions for which hedge accounting is used and the company's exposure to price, credit, liquidity and cash flow risks, when materially relevant for the valuation of assets and liabilities, financial position and results in relation to the use of financial instruments".Since 2017, all companies are also required to include a non-financial statement related to environmental, social, human resources, and corruption issues, including main risks exposures and how they were mitigated (article 66º-B).
On the other hand the Stock Exchange Code requires that listed companies disclose in a specific section of the annual report information on the main elements of their internal control and risk management system implemented that helps assuring the financial information disclosure (article 245º).
Regarding company's internal control and risk management systems, the Corporate Governance Code states that the board of directors of listed companies has the duty to discuss and approve the strategic plan and company's risk policy, which includes a definition of risk levels considered acceptable.Based on its risk policy, they establish a risk management system capable of identifying the main risk exposures, the probability of occurrence and its impact, the instruments and measures taken to mitigate them, the monitoring procedures implemented and the surveillance mechanisms in place.
The supervisory boards or auditing committees have other kind of duties.They must assess the effectiveness of the company's internal control, risk management and internal auditing systems, either in listed companies (Law n.º 148/2015, article n.º 3) or in non-listed companies (Companies Code, articles 420.º -A, 423.º -F, and 441.º).
Finally, the Corporate Governance Code states that the board of directors of listed companies shall assess the degree of internal compliance and the risk management performance as well as a perspective of change of the risk framework previously defined.However, the Portuguese Corporate Governance Code does not recommend any specific risk management framework companies should follow.Therefore, it is expected that companies do not disclose which risk management framework they follow.However, since ERM has become the dominant risk management model in North America and beyond (Moeller, 2011;Hayne & Free, 2014), this raises the following question: in which way the Portuguese non-finance listed companies are aligned with the ERM framework?

IMPACT OF ACADEMIC RESEARCH ON ERM PRACTICES
In Portugal the implementation of ERM systems is not well developed so far due basically to two main issues: a) the non-existence of ERM courses promoted by Universities or Executive Education; and b) the scarce research in the field.Currently, Portuguese Universities do not have contemplated any course on ERM in their curricula.Frequently, they only include some topics on Corporate Governance in the syllabus of some courses provided, either at a Business Master or Executive Education programs.On the other hand, research on ERM is very scarce and it comprises studies on: a) risk reporting among nonfinancial (Oliveira et al., 2018(Oliveira et al., , 2011a) and financial companies (Oliveira et al., 2013(Oliveira et al., , 2011b(Oliveira et al., , 2011c)); b) on the role of internal auditing in ERM (Castanheira et al., 2009); and c) on the determinants of ERM disclosures (Pinto, 2019).
Research on risk reporting indicates that disclosures are generic, qualitative and backwardlooking.Companies' public visibility and agency costs associated with leveraged companies are relevant in promoting risk reporting.This is particularly intensified in periods of financial distress among countries with weaker legal environments, basically to manage strategic legitimacy and reputation by spending more time in the contextualization of their negative outcomes.Corporate governance mechanisms (such as the presence os independent directors, board meetings and the unitary board leadership structures) play a crucial role in improving risk reporting (Oliveira et al., 2018(Oliveira et al., , 2011a)).
Pinto ( 2019) examined the determinants of ERM disclosures of Portuguese and UK non-finance companies during 2006-2016 and found out that UK companies are more aligned with an ERM framework than Portuguese companies do.The number of independent directors, the number of board meetings, the management compensation, and the quality of external auditing help improving this level of alignment with an ERM framework.However, gender diversity, the existence of a risk committee and the ownership structure do not drive ERM disclosures.
Castanheira et al. ( 2009) through a questionnaire sent in 2006 to 96 chief internal auditors who were members of the Institute of Portuguese Internal Auditors found that half of them have implemented a formal ERM process or were doing so.In about 60 percent of the respondents, internal auditing performed a dynamic role in the implementation of ERM, and there is a tendency for internal auditing assuming a proactive role in ERM in smaller organizations.
However, data extracted from the content analysis of Pinto (2019) and Oliveira et al. (2018Oliveira et al. ( , 2011a) ) is not consistent with these findings.Portuguese non-finance listed companies do not disclose which risk management framework they follow.It is very hard to conclude through the usual disclosure channels (such as annual reports, corporate governance reports) if they implemented an ERM system.
ERM is distinguished from traditional risk management by simultaneously managing strategic, operational, reporting and compliance risks (Liebenberg and Hoyt, 2003;COSO, 2004;Beasley et al., 2005;Razali and Tahir, 2011;Golshan and Rasid, 2012;Paape and Speklé, 2012;Bertinetti et al., 2013;Bromiley et al., 2015).And ERM has as its fundamental purpose the protection and maximization of stakeholder value (COSO, 2004;2017).At an international level, current literature has supported these arguments and has been highlighting some future research avenues (Fatemi and Glaum, 2000;Dia and Zéghal, 2008;Schneider et al., 2009;Haron et al., 2010).Schneider et al. (2009) report that more robust internal control systems are associated with better corporate governance practices and more qualified management teams.In addition, Haron et al. (2010) point out that internal control systems improve the quality of financial reporting, reduce governance problems and that shareholders use internal control systems as a mechanism to protect their interests.Dia and Zéghal (2008) point out that the main obstacle to decision making is finding a way to convert the information disclosed by organizations, in order to risk management practices be easily understood.However, risk information is generally qualitative and with inaccurate nature, making analysis and decision making difficult.On the other hand, Fatemi and Glaum (2000) highlight the need for studies that analyze and evaluate risk management practices by organizations in order to broaden the literature on this subject.
On this regard, findings have not been conclusive.Some studies have concluded on the positive impact ERM has on firm value (Gordon et al., 2009;Hoyt and Liebenberg, 2011;McShane et al., 2011;Callahan and Soilleau, 2017), but others have found opposite results (Pagach and Warr, 2010;Quon et al., 2012).
Some of these conflicting results are due to different methodologies used to represent what an ERM firm is.Therefore, further research is needed to achieve thorough and robust conclusion that potentially can inform companies on the true ERM benefits and, consequently promote its implementation worldwide.

ERM: PORTUGUESE PROFESSIONAL BODIES/ASSOCIATIONS
In We choose this time period because the literature has shown that throughout this period there has been a closer proximity between internal audit and ERM (Gramling & Myers, 2006;Castanheira et al., 2009).The definition of this time period will therefore serve to assess whether this alignment has evolved among the Portuguese companies.In addition, since the last global financial crisis of 2007/2008, several endeavors have been made to improve the internal control systems and robustness of corporate governance mechanisms, which helps promoting market transparency (Wilson, 2013).
The financial companies were not selected due to issues associated with different business models, and therefore different risk management practices.We also excluded those companies that went through any kind of restructuring, mergers or acquisitions processes during 2006-2016.Finally, we excluded those companies that between the periods of analysis were no longer their stocks admitted to trading at the Euronext Lisbon Stock Exchange regulated market.
The final balanced sample comprises a total of 26 non-financial companies and 286 companyyears observations.

Data
The consolidated annual reports and corporate governance reports were extracted from companies' web sites and then content analyzed in order to extract the information on ERM practices disclosed by Portuguese listed companies.
To perform the content analysis, an ERM disclosure index was constructed based on the conceptual framework "Enterprise Risk Management -Integrated Framework" of COSO (2004).The COSO ERM ( 2004) is not intended to be a tool for defining internal control processes and procedures.
Rather, it aims to meet the needs of internal control itself by directing it towards a more complete risk management process (COSO, 2004).In this sense, ERM would provide a significant improvement in corporate governance (COSO, 2004) and be an asset in terms of corporate management (COSO, 2013).
This framework presents ERM as an integrated set of eight interrelated components that are an integral part of an organization's management process (COSO, 2004): Internal Environment, encompassing information regarding the structure and organizational culture of the company, defining its philosophy and form of action, its integrity and ethical values, and its human resources;

II.
Objectives Setting, to occur at an early stage to the identification of potential events that may affect their achievement.ERM ensures that the organization puts in place a goal setting process that is aligned with the organization's mission and consistent with its risk profile;

III.
Events Identification, which may affect the achievement of objectives by distinguishing between risks and / or opportunities.In addition, identified opportunities should be channeled back to redefining the organization's strategy and goals; IV.
Risk Assessment, where the risk management structure is assessed, and the risks are analyzed and identified from a residual perspective, considering the probability of occurrence and impact in order to define their management mode; V.
Risk Response, in which the organization selects the risk response (avoid, reduce, share or accept), developing a series of actions in order to frame the risks according to the tolerance level and the risk profile of the organization;

VI.
Control activities, where ERM provides for the implementation of policies and procedures to ensure that the risk response is effectively conducted;

VII.
Information and Communication of relevant information and its communication, which should be performed in a top-down and bottom-up approach, allowing accountability;

VIII.
Monitoring, the ERM should be subject to continuous evaluation in terms of efficiency and effectiveness and, if necessary, subject to modification and / or restructuring.
Thus, it is possible to understand ERM not as a sequential business risk management process, where one component affects only the next component, but rather as a multidirectional and interactive process, where any component influences and is influenced by the others (COSO, 2004).Throughout the eight interrelated components of ERM we built a list of disclosure items that comprises 103 items (Appendix 1): internal environment (19 items); objectives setting (5 items); events identification (5 items); risk assessment (48 items); risk response (4 items); control activities (7 items); information and communication (10 items); and monitoring (5 items).The unweighted index was constructed as follows: where ERMD jt means the percentage of information on ERM disclosed by company j in the year t, n jt is the maximum of items for the company j in the year t (n jt = 103), and x ij assumes the value 1 if the item is disclosed, and 0 otherwise.

RESULTS
Table 1 presents data on the number of companies that disclose information on ERM practices.Overall, we can conclude that very few non-financial companies are aligned with ERM practices.However, throughout the years we can also see positive tendencies.
(insert table 1 here) Regarding the first element "Internal Environment" companies are improving disclosures on In a similar way, companies do not used to disclose on the third ERM element "Event Identification".In 2016, only 9 companies (2006=1) affirm that the organization's strategy incorporates the risk exposure degree; only 5 companies (2006=3) states that the risk assessment considers both expected and unexpected events, and only four companies (2006=1) declares that they perform a cost/benefit analysis.
In terms of the fourth ERM element "Risk Assessment", companies disclose very often information about the "structure, organization and procedures", "identification and risk assessment techniques", and "risk management policies".Basically, companies disclose information about the scope and objectives of risk management (2006=14; 2016=25), the risk management organizational structure Data from Table 1 shows that very few companies disclose information on the other four ERM elements: "risk response", "control activities", "information and communication", and "monitoring".
These findings allow us to conclude that the level of alignment with an ERM framework of the Portuguese non-financial listed companies is very limited.First of all, the organizational structures and cultural values do not seem to enable an effective ERM implementation.Moreover, it seems that management actions do not influence its implementation.In fact, management identifies the composition of the board of directors, the independent directors and their tasks, assume that they know their risk exposure degrees, but they do not describe their own tasks regarding ERM supervision.
Specifically, they present the scope and objectives of risk management and its organizational structure and assume that management is involved in risk management.Since these were the items with a higher level of consensus among companies, data seems to indicate that they only intend to simply comply with the self-regulatory (Corporate Governance Code) and legal (Companies Code and Stock Exchange Code) frameworks, similar to a tick-box exercise.These findings are not consistent with Castanheira et al. (2009).Portuguese non-financial listed companies do not follow the truly ERM concept: a holistic view of risk management, defined as an integrated set of risk management and management techniques (COSO, 2004).It seems that they look at risk management from the lenses of the traditional silo-based approach (Gordon et al., 2009), and therefore more focused on internal controls and procedures that effective risk management.
Only two companies declared the existence of a Chief Risk Officer.This corroborates Pinto (2019) findings, in which they found that the existence of risk committees do not influence ERM disclosures.
Previous literature indicate that Portuguese non-financial listed companies used risk reporting to manage stakeholder's perception on companies' reputation (Oliveira et al., 2018(Oliveira et al., , 2011a)).But, findings indicate that any company disclosed information on whether they monitor the effectiveness and efficiency of ERM systems.Somehow, this can be explained by the fact that, according to the Portuguese Companies Code this task is committed to supervisory boards and auditing committees, rather than management.Besides, there is no disclosure requirement regarding this information.
Table 2 shows the percentage of information on ERM practices disclosed per year by Portuguese listed companies.
(insert Table 2 here) On average, over the period of analysis, companies provide information about 21.85% of all the ERM elements.This highlights how far away the risk management structures and procedures of Portuguese listed companies are from the COSO ERM ( 2004) framework.However, data also shows that the alignment of their risk management structures and procedures with COSO ERM ( 2004) framework is evolving positively (2006=11.5%;2016=27.33%).
These results provide a better understanding of ERM practices adopted by Portuguese nonfinancial listed companies and allow us to conclude that the disclosure of this kind of information can still be extensively improved in the future.

CONCLUSIONS
The purpose of this exploratory work is to highlight the state of art of ERM in Portugal assessing both the background of ERM integration in Portugal and the ERM disclosures of Portuguese non-financial listed companies at Euronext Lisbon Stock Exchange regulated market, during the period 2006-2016.
The analysis was conducted using their consolidated annual reports and corporate governance reports published during the period 2006-2016.
Main findings indicate that ERM integration exists only through regulation (Corporate Governance Code, Companies Code, and Stock Exchange Code).The professionalization of ERM is still in its infancy and Universities do not include in their curricula courses of ERM.This may explain the low level of alignement of Portuguese non-financial listed companies with an ERM framework.It seems that management continue to look at risk management through the lenses of traditional silo-based perspective, giving relevance to the existing structures in place and main tasks affected, rather than paying attention to the regular monitoring of the entire system and how its aligned with the organizational goals, strategy and culture.Disclosures on ERM seem to be a ticking-box exercise that needs to be done to demonstrate that companies comply with all regulatory requirements.
It is noteworthy that over the period analyzed, the level of information disclosure has increased over the years.This positive growth of disclosures over the period of analysis can be justified both by periods of economic and financial crisis, in which companies potentially tried to voluntarily disclose information to ensure its credibility with various stakeholders (Ntim et al., 2013;Abraham & Shrives, 2014), and by the growing trend and concern of European and international regulators to incorporate into organizations a consistent set of good corporate governance practices, processes and procedures within organizations so that they are able to demonstrate more effective internal control systems and more comprehensive and consistent risk management processes, properly aligned with organizational strategy.However, there are huge endeavors that need to be undertaken to achieve an effective ERM integration among Portuguese non finance companies.On this regard, Universities have an important  The organizational structure enables an effective ERM 0 0 0 0 0 0 0 0 0 0 0

Management perspective and way of acting
Management is a reflection of the values of the organization, influencing its culture and way of operating Existence and application of a code of conduct with regard to integrity and ethical values 6 9 9 9 10 12 12 14 15 14 14

Human Resources -policies and procedures
Adequacy of HR capabilities to the tasks to be developed Existence of an objectives scale Communication and understanding of the objectives from the bottom up to the top of the organization Measurement and evaluation of the objectives Reflection of strategic management choices in order to create stakeholder value 2 2 5 6 9 9 9 9 10 9 9

Event Identification
The risk assessment considers both expected and unexpected events 3 4 3 5 6 6 6 6 6 5 5 The organization's strategy incorporates the risk exposure degree 1 1 2 5 5 5 5 6 6 9 9 The risk exposure degree determines resources allocation Adequacy of risk exposure degree to the organization, to its processes, infrastructure and HR Cost-benefit analysis as well as new opportunities Implementation of an integrated information system 1 2 2 6 6 5 5 5 5 3 4 Development of an operational response plan to adverse events Recruitment and maintenance of qualified HR

Political Risk
Holding partnerships with local organizations Use of international banking syndicates to finance external operations Adoption of strategies that are sensitive to changes in political and economic conditions organizational structure, integrity and ethical values, and board of directors.More specifically, in terms of organizational structure, most companies inform on the definition of responsibility and accountability of key areas (2006=14; 2016=25), and the existence of specific reporting lines (2006=2; 2016=25).Regarding integrity and ethical values, 10 companies in 2016 disclosed information on how the organization's performance shows integrity and respect for ethical values (in 2006=7), and 14 companies in 2016 informed that they have and apply a code of conduct (in 2006=6).Finally, companies used to disclose information about the board of directors, mainly on: its composition (2006=22; 2016=26); the level of independence of the board of directors (2006=9; 2016=24); the tasks of the board of directors (2006=18; 2016=24); and that the board of directors knows and agrees with the level of risk exposure (2006=11; 2016=24).However, any company disclosed information about how the organizational structure enables an effective ERM, and in 2016 only one company informed on the board of directors tasks of ERM supervision.In the second element "Objectives" very few companies disclosed information.The items more often disclosed are the definition of strategic objectives that embody the mission/vision of the company (2006=3; 2016=10), and the reflection of strategic choices in order to create stakeholder value (2006=2; 2016=9).
role in transferring knowledge to companies on the benefits of ERM implementation through Master courses or even Executive Education.In Portugal the Institute of Portuguese Internal Auditors have also an important role in training internal auditors towards the development and professionalization of ERM.
Involvement of HR in risk identification and development of control systems April 2011, Portugal confirmed the receipt of a financial bailout from the International Monetary Fund and the European Union.The three-year EU aid programme ended in May 2014, marking the recovery of the Portuguese economy.Since the third quarter of 2014, the Portuguese economy has been steady and expanding continuously.This economic growth has been accompanied by a continuous fall in the unemployment rate (6.3% in the first quarter of 2019, compared with 17.7% in early 2013).The Government budget deficit has also been reduced from 11.2% of GDP in 2010 to 0.5% in 2018 (Banco de Portugal, 2019).
information flows, the functioning of corporate bodies and, in particular, to oversight to conflicts of interests and transactions with related parties, the role of independent directors, diversity (including gender) in the composition of corporate bodies, and risk management(PICG, 2018).The compliance with the Corporate Governance Code issued by the PICG is voluntary.However, Portuguese listed companies are required to align their practices to a specific Corporate Governance Code and they must indicate in their Corporate Governance Report which Corporate Governance Code they follow (Stock Exchange Code, article 245º-A).Another interesting aspect is that the Corporate Governance Code follows the "comply or explain" rule.But, there are some elements that companies are required to disclose on their Corporate Governance Report.One of these requirements are related to the main elements of the internal control and risk management systems in place (Stock Exchange Mobiliários -CMVM, 2018).This Code tries to promote the good corporate governance practices as an essential tool for economic efficiency, sustainable growth and financial stability, based on a selfregulatory sharing model.It is aligned with international trends and best practices, with emphasis on the increased attention to On the other hand, non-listed companies are not obliged to follow any Corporate Governance Code.For them, the adoption is purely voluntary.They only have to comply with the existing legal framework in force, either in terms of their corporate governance structures or risk management policies.The legal framework embraces the Companies Code (Código das Sociedades Comerciais), the Stock Exchange Code (Código de Valores Mobiliários) and relevant EU regulation.The Companies Code We analyzed the ERM disclosures in consolidated annual reports and corporate governance reports of Portuguese listed companies on the Euronext Lisbon Stock Exchange regulated market between 2006 and 2016.Due to the low level of dissemination of ERM in Portugal we focus on disclosure in order to understand the level of alignment of the risk management practices of Portuguese with the principles and guidelines of ERM framework.
Portugal, the professional bodies more closely related to issues of corporate reporting, corporate governance, assurance of internal control systems are the Order of Certified Accountants, the Order of the Public Chartered Accountants, and the Institute of Portuguese Internal Auditors.The Order of Certified Accountants and the Order of the Public Chartered Accountants are not involved on the professionalization of ERM activities.The Order of Certified Accountants regulates the Accounting profession.The Order of the Public Chartered Accountants regulates the Public Chartered Accountants profession, only.basically promoted by the Portuguese Institute of Corporate Governance.Therefore, we can conclude that the ERM professionalization in Portugal is its infancy.

Table 1 -
Number of companies that disclose information on ERM practices

Table 1 -
Number of companies that disclose information on ERM practices (cont.)

Table 1 -
Number of companies that disclose information on ERM practices (cont.)

Market Risk (includes interest rate risk and exchange rate risk)
Use of derivative instruments to hedge risks, in particular at the level of interest rate and exchange rate risk

Table 1 -
Number of companies that disclose information on ERM practices (cont.)

Table 1 -
Number of companies that disclose information on ERM practices (cont.)

Table 1 -
Number of companies that disclose information on ERM practices (cont.)

Table 2 -
ERM disclosure index of Portuguese listed companies