Global risk concerns spurred a debate regarding empowering an organization's risk management system. Risk assessment, management, and planning are vital for running a firm, but they are not universal. This research investigates how operational risk management is institutionalized in an organization and reveals best practices from a Malaysian government-linked enterprise (GLC). This phenomenological study interviewed 39 risk management officers, executives, and employees. Data are thematically analyzed. Burawoy's Social Theory uses a case study to integrate micro- and macro-organizational elements. The case company's risk management officers, executives, and employees are involved in seven processual factors, according to the analysis. Strong leadership and external consultants, setting up the apparatus and assigning the task to the person in charge, risk framework, risk diagnostic, monitor and measure, developing and nurturing risk management culture, and consistent risk management enforcement and monitoring could explain the institutionalization process of risk management in the organization. Global and local entities have institutionalized risk management. This phenomenological study helps comprehend the role of risk management institutionalization in corporate risk management. This study contributes to a practical implication such as to the GLC. It suggests that top management support and a standard risk framework are necessary for risk management homogeneity. Leaders and frameworks must address organizational processes and capabilities to ensure risk management consistency. This study contributes to the literature on risk management practices in developing nations. The paper concludes with limitations and research recommendations.
* Title and MeSH Headings from MEDLINE®/PubMed®, a database of the U.S. National Library of Medicine.