CONSTRUCTS
by
Errol Waithe
Doctor of Philosophy
Capella University
November 2016
ProQuest Number: 10250536
Published by ProQuest LLC (2016). Copyright of the Dissertation is held by the Author.
© Errol Stephen Waithe, 2016
Abstract
One major problem many organizations are facing is balancing the risk-management practices of
the organization with overall information technology (IT) effectiveness. The purpose of this
non-experimental quantitative correlational study was to assess the constructs and correlations
associated with enterprise risk management and IT effectiveness. The researcher used simple-
random sampling and a Web-based cross-sectional survey to collect data from Fortune 1000
companies in 12 different industry sectors. The researcher used multiple and simple regression
analysis to assess the extent of the relationship between risk management and IT effectiveness
constructs. The researcher conducted an independent sample t-test on each independent construct
and IT effectiveness based on high and low levels to explore group comparisons associations
between groups. The researcher used analyses of variance (ANOVA) to gauge industry sector IT
effectiveness levels. Overall, the multiple regression model produced R2 = .615, indicating that
61.5% of the variance in IT effectiveness was explained by risk management constructs. The
results also highlighted the significance of (a) response to risk (RTR), (b) monitoring risk (MR),
and (c) assessed risk (AR) as predictors of IT effectiveness, while frame risk (FR) only
contributed marginally. The linear regression results emphasized the significance of RTR (R2 =
.587) as a predictor of IT effectiveness. The analysis data also revealed the significant influence
of MR to ITE (R2 = .574), AR to ITE (R2 = .562), and FR to ITE (R2 = .494). The t-test results
revealed that both high and low groupings were significant (p < .05), meaning that IT
effectiveness levels differ between groups, and that organizations with high levels of risk
management have greater levels of IT effectiveness. The ANOVA results revealed no
statistically significant difference in IT effectiveness amongst industries and highlighted how many
organizations believed the response to a risk should be addressed first. The study provides
researchers a starting point to conduct comparative studies and enables organizations to gain a
effectiveness.
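The analysis pipeline the abstract describes, multiple and simple OLS regression reporting R², followed by a high/low split on each construct compared with an independent samples t-test, worked through on a small constructed data set. This is an added example, not the dissertation's data or analysis scripts: the firm scores are made up, the median split and Welch's t statistic are assumptions about how the groups and test were formed, and p-values are omitted because the Python standard library has no t distribution.

```python
"""Added example: OLS regression with R^2 and a high/low group t-test, in plain Python."""
from math import sqrt
from statistics import mean, median, variance

# Constructed sample, one row per firm: scores on frame risk (FR), assessed risk (AR),
# response to risk (RTR), monitoring risk (MR) and IT effectiveness (ITE).
# These numbers are made up for illustration; they are not survey results.
FIRMS = [
    # FR,  AR,  RTR, MR,  ITE
    (2.0, 3.0, 2.5, 2.0, 2.4),
    (3.5, 3.0, 4.0, 3.0, 3.8),
    (4.0, 4.5, 4.5, 4.0, 4.6),
    (1.5, 2.0, 1.0, 1.5, 1.3),
    (3.0, 2.5, 3.5, 3.5, 3.4),
    (4.5, 4.0, 4.0, 4.5, 4.2),
    (2.5, 2.0, 2.0, 2.5, 2.1),
    (3.0, 3.5, 3.0, 2.0, 3.1),
    (4.0, 3.5, 4.5, 4.0, 4.4),
    (1.0, 1.5, 1.5, 1.0, 1.1),
]
CONSTRUCTS = {"FR": 0, "AR": 1, "RTR": 2, "MR": 3}
ITE = 4


def column(index):
    """Extract one column of FIRMS as a list."""
    return [row[index] for row in FIRMS]


def solve(a, b):
    """Solve the square system a.x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(a)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [rc - f * cc for rc, cc in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_ols(x_cols, y):
    """Ordinary least squares with an intercept via the normal equations.
    Returns (coefficients, R^2); coefficients[0] is the intercept.
    R^2 = 1 - SS_res / SS_tot is the share of variance in y the model explains
    (the abstract's 61.5% is this quantity for the dissertation's own data)."""
    rows = [[1.0] + [col[i] for col in x_cols] for i in range(len(y))]
    p = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(p)] for i in range(p)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(p)]
    beta = solve(xtx, xty)
    fitted = [sum(b * xi for b, xi in zip(beta, r)) for r in rows]
    ybar = mean(y)
    ss_res = sum((yi - fi) ** 2 for yi, fi in zip(y, fitted))
    ss_tot = sum((yi - ybar) ** 2 for yi in y)
    return beta, 1.0 - ss_res / ss_tot


def split_high_low(scores, outcome):
    """Median split (assumed grouping rule): firms at or above the median on a construct
    form the high-level (HL) group, the rest the low-level (LL) group.
    Returns the outcome values as (LL, HL)."""
    cut = median(scores)
    ll = [o for s, o in zip(scores, outcome) if s < cut]
    hl = [o for s, o in zip(scores, outcome) if s >= cut]
    return ll, hl


def welch_t(low, high):
    """Welch's independent-samples t statistic (high minus low) and its
    Welch-Satterthwaite degrees of freedom. Turning t into a p-value needs a
    t distribution (e.g. scipy.stats.t.sf), deliberately left out here."""
    v_lo, v_hi = variance(low), variance(high)
    n_lo, n_hi = len(low), len(high)
    se2 = v_lo / n_lo + v_hi / n_hi
    t = (mean(high) - mean(low)) / sqrt(se2)
    df = se2 ** 2 / ((v_lo / n_lo) ** 2 / (n_lo - 1) + (v_hi / n_hi) ** 2 / (n_hi - 1))
    return t, df


def run_analysis():
    """Multiple regression of ITE on all four constructs, one simple regression per
    construct, and a Welch t-test of ITE between HL and LL groups for each construct."""
    y = column(ITE)
    _, multiple_r2 = fit_ols([column(i) for i in CONSTRUCTS.values()], y)
    simple_r2 = {name: fit_ols([column(i)], y)[1] for name, i in CONSTRUCTS.items()}
    t_tests = {name: welch_t(*split_high_low(column(i), y)) for name, i in CONSTRUCTS.items()}
    return {"multiple_r2": multiple_r2, "simple_r2": simple_r2, "t_tests": t_tests}


if __name__ == "__main__":
    result = run_analysis()
    print(f"multiple regression R^2 = {result['multiple_r2']:.3f}")
    for name in CONSTRUCTS:
        t, df = result["t_tests"][name]
        print(f"{name}: simple R^2 = {result['simple_r2'][name]:.3f}, "
              f"Welch t = {t:.2f} (df = {df:.1f})")
```

Because each simple regression is nested inside the four-predictor model, its R² can never exceed the multiple regression R²; the test below checks that property rather than any particular value, since the numbers depend entirely on the constructed sample.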
Acknowledgements
I would like to thank Dr. Chmura, my Faculty Mentor, and Chair and my dissertation
committee members Dr. Gagnon and Dr. Robinson Lind for their timely feedback, support, and
guidance throughout this dissertation process. Their insight gave me focus and kept me on track
To the woman in my life, Shurunda Butler, I want to express my special and deep
appreciation for your support and endless patience. You were always there for me when I felt I
needed a word of encouragement. Her strength and reassurance have been my compass and
To my good friends and colleagues Dr. Darrell Bratton, Dr. Stephanie Burg, Dr. Charles
Bogan, Dr. Cartmell Warington, Rodney Martin, Trenton Neal, Dr. Clifford Pope, Richard Jones,
Renita Watts, and Crystal Jacques thanks for being supportive and encouraging throughout this
whole dissertation process and thanks for being there when I needed someone to talk to.
To my family, thank you for your unending support and constant encouragement even
through trying times. Finally, I want to thank God for giving me the strength, health, and
Table of Contents
Rationale ..............................................................................................................................6
Definition of Terms............................................................................................................11
ERM ...................................................................................................................................21
Two Approaches to Risk Management ..............................................................................23
IT Effectiveness .................................................................................................................42
Summary ............................................................................................................................45
Research Design.................................................................................................................49
Instrumentation/Measures ..................................................................................................57
Chapter Overview ..............................................................................................................64
Overview ..........................................................................................................................106
Conclusions ......................................................................................................................113
Limitations .......................................................................................................................114
Implications......................................................................................................................115
Recommendations ............................................................................................................116
REFERENCES ............................................................................................................................121
APPENDIX D. ASSUMPTIONS OF SIMPLE REGRESSION ANALYSIS ............................150
List of Tables
Table 2. Measurement Scales, Constructs, Survey Item Numbers, and Sections ..............59
Table 18. Model Summary for Regression on IT Effectiveness on Frame Risk ...............84
Table 20. Regression Model Coefficients of IT Effectiveness on Frame Risk .................85
Table 21. Model Summary for Regression on IT Effectiveness on Assessed Risk ...........85
Table 24. Model Summary for Regression on IT Effectiveness on Response to Risk ......87
Table 27. Model Summary for Regression on IT Effectiveness on Monitoring Risk .......88
Table 30. Simple Linear Regression Analyses Results, Correlations, and Summary
Statistics ................................................................................................................90
Table 32. Research Questions 2.1 to 5.1 and Hypotheses Statements ...............................92
Table 34. Group Statistics for LL-Group (n = 23) and HL-Group (n = 77).
Total Frame Risk Scores for 20 Items ...................................................................95
Table 35. Independent Samples t-Test. Total Frame Risk Scores for 20 Items.................95
Table 36. Group Statistics for LL-Group (n = 33) and HL-Group (n = 67).
Total Assessed Risk Scores for 20 Items ...............................................................97
Table 37. Independent Samples t-Test. Total Assessed Risk Scores for 20 Items ............97
Table 38. Group Statistics for LL-Group (n = 31) and HL-Group (n = 69).
Total Response to Risk Scores for 20 Items ..........................................................98
Table 39. Independent Samples t-Test. Total Response to Risk Scores for 20 Items .......99
Table 40. Group Statistics for LL-Group (n = 36) and HL-Group (n = 64).
Total Monitoring Risk Scores for 20 Items .........................................................100
Table 41. Independent Samples t-Test. Total Monitoring Risk Scores for 20 Items.......100
Table 46. Industry Sectors on IT Effectiveness ANOVA Test for Differences ..............104
List of Figures
Figure 2. Extended conceptual model of constructs and the primary elements used to
measure enterprise risk management ................................................................................51
CHAPTER 1. INTRODUCTION
Because of various corporate financial scandals and the fall of several leading
organizations, many organizational stakeholders have become interested in new ways to address
enterprise risk and to safeguard and reinforce stakeholder value. Ahmed and Manab (2016a)
mentioned that various regulatory reforms are drastically extending public policies to make
corporate governance and risk management more efficient. The rapid change in regulatory policy
alone justifies the need for risk management processes that adapt and expand to changes as they
arise. In short, risk management has been integrated into the enterprise environment as a means
Integrating risk management into the organizational framework makes risk management an
but it has also added other issues of concern for many organizations. Issues regarding the lack of
knowledge that a risk exists or inadequate integration of stakeholders into risk management are
the most common issues of interest for many organizational entities. The issues mentioned lead
to a specific problem regarding the declining success rate of risk management projects, and its
impact on effectiveness within enterprise environments. KPMG (2013) noted that risk
management is an important topic amongst companies assessed, but only 66% of surveyed
organizations had implemented risk management as a strategic process. AON (2015) stated that
about 49% of respondents had indicated a loss of income due to risk in the last 12 months. In
2014, cyber attacks alone cost organizations an estimated $56.5 million in damages (AFP, 2015).
The mentioned issues are addressed by approaches that provide greater event identification,
reduce earnings' volatility, and help sustain competitive advantage. Thus, many organizations
have looked towards enterprise risk management (ERM) as a potential remedy for organizational
risk issues.
Enterprise risk management offers organizations the ability to manage risk across all
dimensions of the organization and improves the amalgamation of operational and financial risk
management (Anquillare, 2010). ERM uses a holistic approach which allows organizations to
create options to transfer, finance, mitigate, evaluate, and identify risk. Recent researchers
studying ERM have often addressed the subject matter from a general perspective addressing
topics such as (a) firm value, (b) lessened earning volatility, (c) accurate risk adjustment, (d) risk
and return, (e) competitive advantage, and (f) shareholder's value (Jalal-Karim, 2013). It is not
clear, however, if organizations that have adopted an ERM program are better-off in overall IT
effectiveness. In short, the literature reviewed revealed there currently exists a lack of empirical
evidence addressing the relationship between ERM and IT effectiveness within enterprise
environments (Grace, Leverty, Phillips, & Shimpi, 2015; Mafrolla, Matozza, & D'Amico, 2016;
The purpose of this dissertation study was to assess the constructs and correlations of
enterprise risk management and IT effectiveness. The overall objective of this non-experimental
quantitative correlational study was to evaluate the relationship between the four independent
variables of frame risk, assessed risk, response risk, monitor risk, and the dependent variable of
IT effectiveness within the enterprise environment (i.e., Fortune 1000 companies). The
researcher addressed risk management in this study from a holistic perspective, acknowledging
both the strategic and tactical initiative, to ensure that risk-based decision making is assessed
from all aspects of the enterprise environment. Lundqvist (2015) and Đapić, Popović, Lukić, and
Mitrović (2012) stated that due to the increasing concern for modern risk management practices,
organizations have been pressured to manage risk holistically. The researcher deemed that a
holistic perspective to risk management is the most successful, because the holistic view treats
both positive and negative risk with equal importance. Furthermore, the correlational aspects of
the study allow organizations to gain an understanding of what association exists between the
Enterprise risk management has emerged as a powerful approach for managing risk from
a wide variety of sources. Numerous scholars have described the ways in which ERM offers
organizations increased firm value (Ahmed & Manab, 2016a; Ahmed & Manab 2016b; McNeil,
Frey, & Embrechts, 2015). Others have described the ways in which ERM helps regarding
compliance requirements (Arnold, Benford, Canada, & Sutton, 2011; Marchetti, 2012;
Ramakrishna, 2015). Through a review of 200 journal articles, scholars have revealed that many
ERM-related articles provide information regarding organizational benefits of ERM, but provide
Liebenberg, 2015; Wallig, 2012). Kline (2014) noted that organizations are often intrigued by the
benefits offered by ERM, but forget about the potential performance risk involved in
transitioning from a traditional risk management approach. When an organization does not
consider the potential risk associated with an initiative, the organization is then more likely to be
less (a) secure, (b) strategically aligned, and (c) effective (Bradley et al., 2012; Gillespie, 2014).
Many of the issues associated with ERM performance being ineffective are often related
to issues such as inadequate knowledge or insufficient incorporation of risk owners into the risk-
management activities. Fadun (2013) stated that organizations implementing ERM face various
challenges because the process is complex and often not easily understood. Arnold et al. (2011)
also mentioned that as executive management and boards begin to evaluate ERM, they usually
have more questions than answers. One of the main issues with ERM is that many corporations
have difficulty producing ERM value to support enforcement cost. ERM differs from
conventional asset expenditures that are assessed using routine metrics addressing reward and
risks such as return on assets (ROA) and return on equity (ROE; Wheeler, 2011). Value drivers
for ERM are less formal and rigid. In addition, ERM is often voluntary, resulting in a value
proposal void of regulatory encouragement and compliance language. To establish ERM value,
costs, and risk an organization must address ERM from a traditional perspective, using four
categories (a) shareholder value added, (b) avoided risk, (c) hard dollar savings, and (d)
Stakeholder buy-in has become the most significant barrier associated with the adoption
of ERM, followed by tolerance for poor standards, poor internal communication, and a culture
focused on the organization's priorities to the detriment of key risk. AICPA (2015) stated that in
a 2015 survey addressing ERM adoption practices and priorities, more than 47% of the
participants indicated that their organizations have yet to implement an enterprise-wide risk
management process. While many of the respondents could not indicate more than one
impediment, the most common response was that they believed that risks were monitored in
other ways. In today's business environment, the management of risk is imperative due to new
regulation and compliance requests. For many organizations, a violation of data security is often a
problem that must be addressed, because of the potential impact it could have on the
functionality of the organization (Malik & Holt, 2013). Not only do data security issues present
confidentiality issues for an organization, but they could also represent legal and ethical
issues as well. In addition, from an IT perspective, an organization must consider how the ERM
The problem that the researcher addressed in this research study was the lack of
information available regarding the relationship between ERM and IT effectiveness (Kiselitsa &
Shilova, 2016; Lukianchuk, 2015; Mafrolla et al., 2016; Paape & Speklé, 2012). ERM has
become a key issue of interest for many IT professionals and organizations worldwide, due to
recent events concerning IS breaches. Bitglass (2015) noted that 90% of the 1,000 surveyed IT
security practitioners were either moderately or very concerned about security. Researchers
performing studies regarding ERM have often addressed the subject matter from a general
perspective addressing topics such as (a) firm value, (b) reduced earning volatility, (c) accurate
risk adjustment, (d) risk and return, (e) competitive advantage, and (f) shareholder's value (Jalal-
Karim, 2013). It is not currently clear how organizations that have adopted ERM are better off
concerning overall IT effectiveness. Kutsch, Browning, and Hall (2014) noted that ERM
solutions should be studied extensively, to help raise awareness of existing safety and efficiency
issues. A review of 200 journal articles and 60 trade journals revealed a lack of empirical
evidence addressing the relationship between ERM, and IT effectiveness (Hoyt & Liebenberg,
2011; Lam, 2014; Louisot & Ketcham, 2014). In conclusion, the information presented in the
non-experimental quantitative correlational study helps provide insight into the relationship
mentioned and add scholarly knowledge associated with ERM as it applies to IT effectiveness in
The purpose of this non-experimental quantitative correlational study was to assess the
constructs and correlations associated with enterprise risk management and IT effectiveness. The
researcher utilized information flow theory, catastrophe theory, and the risk-management
framework together to examine how various risk management factors affect the overall IT
effectiveness. This study’s results would contribute to ERM literature, IS security practitioners,
and chief information officers (CIO) by providing an integrated perspective on how ERM
influences IT effectiveness. Furthermore, the answers to the research question would identify the
key risk management construct that affects IT effectiveness. The findings from the study may
prove to be useful to organizations seeking to make informed decisions addressing risk within
their organization.
Rationale
The rationale and justification for this quantitative study were to determine the influence
of the four risk management constructs of frame risk, assessed risk, response to risk, and
According to Murphy and Murphy (2013), it does not matter what software implementation is
implemented; governance and security must guide and lead all organizational implementations.
Determining the constructs that have the greatest correlation to IT effectiveness could allow
organizational risk managers and CIOs to sustain risk effectively and achieve optimal IT
effectiveness levels.
previously been correlated within the same regression model. Furthermore, no empirical studies
exist that address how ERM constructs affect an organization's IT effectiveness. The researcher
designed this quantitative study to fill that gap; the current study is the first to provide empirical
evidence of what risk management constructs affect IT effectiveness. The findings from the
study would help organizations, regardless of size or type, make better decisions regarding what
the findings from this empirical study also extend the current body of knowledge concerning risk
Research Questions
The researcher designed this quantitative correlational study to assess the constructs and
correlations associated with enterprise risk management and IT effectiveness. The dependent
variable was IT effectiveness; and the independent variables were frame risk, assessed risk,
response to risk, and monitoring risk. The omnibus research question (i.e., RQ1) and the main
RQ1: What is the nature of the relationship between risk management constructs and IT
effectiveness?
H1₀: There is no significant relationship between risk management constructs and IT
effectiveness.
effectiveness.
RQ2: What is the nature of the relationship between frame risk and IT effectiveness?
firms that have high levels of frame risk versus those that have low levels of frame risk?
that have high levels of frame risk versus those that have low levels of frame risk.
H2ₐ.1: There is a significant difference in the level of IT effectiveness between firms that
have high levels of frame risk versus those that have low levels of frame risk.
RQ3: What is the nature of the relationship between assessed risk and IT effectiveness?
firms that have high levels of assessed risk versus those that have low levels of assessed risk?
that have high levels of assessed risk versus those that have low levels of assessed risk.
H3ₐ.1: There is a significant difference in the level of IT effectiveness between firms that
have high levels of assessed risk versus those that have low levels of assessed risk.
RQ4: What is the nature of the relationship between response to risk and IT
effectiveness?
firms that have high levels of response to risk versus those that have low levels of response to
risk?
that have high levels of response to risk versus those that have low levels of response to risk.
H4ₐ.1: There is a significant difference in the level of IT effectiveness between firms that
have high levels of response to risk versus those that have low levels of response to risk.
RQ5: What is the nature of the relationship between monitoring risk and IT
effectiveness?
firms that have high levels of monitoring risk versus those that have low levels of monitoring
risk?
that have high levels of monitoring risk versus those that have low levels of monitoring risk.
H5ₐ.1: There is a significant difference in the level of IT effectiveness between firms that
have high levels of monitoring risk versus those that have low levels of monitoring risk.
RQ6: Is there a difference in the level of IT effectiveness among industry sectors?
sectors?
sectors?
The results of the current non-experimental quantitative correlational study add to the
scholarly knowledge associated with enterprise risk management and IT effectiveness. The
research study will contribute to the body of knowledge of IT professionals, researchers, and
businesses seeking to determine the overall value of IT effectiveness while regarding the
presented in the study will assist organizations in determining the degree to which risk
correlational study could lead to an organization having inadequate security, technical and
business analysis. Samani, Honan, Reavis, and Jirasek (2015) noted that IT effectiveness could
provide enormous efficiency gains to an organization, but the need to address security and the
loss of confidentiality will impact the customer significantly. Furthermore, an organization not
Definition of Terms
In this research study, the researcher focused on the following constructs: frame risk,
assessed risk, response to risk, monitoring risk and IT effectiveness. The researcher will present
a brief overview of those constructs and other concepts and terminologies used throughout the
study.
any possible issues related to threats to operations and assets, vulnerabilities internal and
external, and potential harm that could occur. Andreea (2014) noted that risk assessment is
necessary for determining development priorities and action strategies for an organization and
helps regarding the allocating of resources. The results from the assessment of risk assist an
organization with approaches for the removal, reduction, and avoidance of risk.
(COSO, 2004).
programming algorithms to achieve its objective of hiding communications from unauthorized
audiences. Cryptography utilizes digital signatures that a user implements to inform the receivers
Frame risk: The risk frame is the established foundation for managing risk, and the
delineated boundaries for risk-based decisions. The risk frame concept is related to current (a)
risk assumptions, (b) risk constraints, (c) risk tolerance, and (d) priorities and trade-offs within
the organization. NIST (2010) mentioned that risk frames set the foundation for the risk-
management strategy that addresses how an organization intends to monitor, assess, and respond
to risk.
applications and organizational borders that utilize them. The purpose of identity management is
to ensure that certain mechanisms are in place for accessing identity and management interfaces
Insider attack: An insider attack is an attack from a malicious insider associated with the
organization that has root access to the organization's host server (Greitzer & Hohimer, 2011).
incorporated the definition used by Ness (2005) defining IT effectiveness as delivery of services.
Key management: Key management is related to the encryption process and regards the
management of user keys that help the user decrypt the authorized data from the data owner
National Institute of Standards and Technology: This is a U.S. Federal Governmental
agency responsible for technology activities and computer science activities within the Federal
Pure risk: Pure risks are risks whose outcome is either a loss or no loss. Common examples
are (a) home ownership, (b) premature death, and (c) identity theft (Crockford, 1982; Dionne,
respond to risk once the risk has been determined. Response to risk also considers whether an
organization has developed alternative courses of action and has implemented risk responses
based on those courses of action. Marchetti (2012) asserted that an organization’s risk
management action plan should represent the related factors and circumstances associated with
Risk IT: Risk IT describes a framework created by the Information Systems Audit and
Control Association to complement the Control Objectives for Information and Related Technology
uncertainty. Risk management is the overall process that integrates the analysis and identification
Risk monitoring: Risk monitoring is defined as the risk monitoring measures in place in
an organization. Belinskaja and Velickiene (2015) stated that both the internal and external
environment should be monitored for changes that could make a risk event occur.
Standard of Good Practice for Information Security: The standard of good practice for
information security was created by the Information Security Forum to provide resources to
international and national organizations that are committed to addressing organizational risk
(ISF, 2014).
storage devices, operating systems, or servers on multiple machines at the same time (Bologa &
Bologa, 2011).
The assumptions of this study were that IT directors, CIOs, and IT security program
managers had knowledge of the risk-management procedures within the organization. The
researcher also assumed that the IT population identified as the population to satisfy the study’s
criterion was representative of the population acknowledging and addressing risk management
procedures. The researcher assumed that Qualtrics' expert panel would be representative of
Fortune 1000 companies. The researcher assumed that participants would answer the survey
questions based on their technical abilities in IT. Lastly, the researcher assumed that participants
The limitation of the research study was that it was limited particularly to IT
professionals that had specific knowledge of organizational risk management practices. The
mentioned limitation could have led to results that cannot be generalized beyond an IT
perspective. The sample population was only U.S.-based organizations, which could also lead to
results that cannot be generalized from an international perspective. In addition, the results
would represent varying business sectors so the finding could not be generalized for any specific
Conceptual Framework
Figure 1 displays frame risk, assessed risk, response to risk, and monitoring risk having a
direct relationship to IT effectiveness and displays mutual relationships between frame risk,
assessed risk, response to risk, and monitoring risk. The purpose of this non-experimental
quantitative correlational study was to assess the constructs and correlations associated with
enterprise risk management and IT effectiveness. The researcher intended to help organizations
determine which risk constructs (a) organizational risk frame, (b) risk assessment processes, (c)
risk response procedures, and (d) monitoring procedures were affecting IT effectiveness. The
information presented is also beneficial for internal auditing because it provides insight into what
risk management internal processes are crucial for many organizations. Harris, Kinkela, and
Hayes (2011) mentioned that effective internal control starts with the design of an ERM system
that runs side by side with the strategic management system. The information from the study
could help organizations determine what potential issues exist within the infrastructure regarding
Figure 1. Conceptual model of constructs and the primary elements used to measure enterprise
risk management.
The strategy of inquiry for the study was non-experimental survey research, and the
design was quantitative correlational. The researcher chose the cross-sectional survey strategy
for its ability to provide numerical descriptions of the opinions, attitudes, and trends of a
population through a sample isolated to a point in time (Qingfeng, 2013). The researcher selected
the survey approach as a means of asking IT professionals about their current risk management
process and how that process affected IT overall effectiveness. Due to the statistical nature of
the study with discovering the extent of relationships between two or more variables, the
Organization of the Remainder of the Study
effectiveness. All articles cited are peer-reviewed articles from technology and scientific
journals. All chapter sections are divided based on the constructs and concepts being addressed
in the study.
Chapter 3 contains the conceptual model and methodological approach for this study. In
this chapter, the researcher presents the research questions, hypotheses, measurements of the
constructs, and variables. The researcher also outlines the observed variables, data collection
plan, sample population, survey instrument, data analysis techniques, validity and reliability,
Chapter 4 contains the findings and analysis performed on the survey data collected. In
this chapter, the researcher provides a summary of the respondents’ characteristics and collected
data descriptions. The researcher introduces a comprehensive presentation on the results of the
six hypotheses in detail, and presents an assessment of reliability, validity, and scales.
In Chapter 5, the researcher provides an overview of the entire study and provides an
analysis on how the findings apply to the hypotheses and research questions. In this chapter, the
addressed. Finally, the researcher presents recommendations for further research to expand the
CHAPTER 2. LITERATURE REVIEW
(ERM) as the implementation of the management of risk to every aspect of the enterprise.
Throughout the years, researchers have addressed ERM using various terms and acronyms,
including: (a) enterprise-wide risk management, (b) corporate risk management, (c) strategic risk
management, (d) business risk management, (e) holistic risk management, and (f) integrated risk
management (Fadun, 2013; Liebenberg & Hoyt, 2003; Tahir & Razali, 2011). Although varying
definitions of ERM exist, in recent years ERM has been used worldwide to describe an approach
to anticipating and managing business risk before problems occur. Jalal-Karim (2013) stated
that ERM boosted the organization's significance by stabilizing earnings, capital, and reducing
expected cost of external capital and regulatory scrutiny. ERM enables organizations to align
business risk to business strategies and objectives with the purpose of creating business value.
Enterprise risk management affects an organization from both a macro (i.e., organization-
wide level) and micro level (i.e., business level). From a macro perspective, ERM equips
management with the ability to govern and quantify risk-return trade-offs that affect the
organization as a whole (Baxter, Bedard, Hoitash, & Yezegel, 2013). In essence, the macro
level helps the organization maintain access to resources and capital markets that enable it to
implement its business plan and strategy. ERM from the micro level becomes more of a lifestyle
for employees and managers at every level in the organization (Mensah, 2015). All risks are
owned, and the risk-return tradeoff associated with each individual risk is internalized. According to
Tohidi (2011), the spreading of risk ownership throughout an organization has become a critical
concept in ERM. The spreading of risk concept allows risk to have an association with the
individuals who are the closest and in the best position to assess the risk.
security program. The focus mentioned does not mean the main goal is to protect IT assets alone
but to safeguard the organization's ability to perform its business. According to Stroie and Rusu
(2011), the risk management (RM) process must not be regarded as just a technological function,
as well. In essence, ERM should enable management to identify what controls are needed to
maintain IT factors that increase the probability of success and decrease the uncertainty of
organization must first gain an understanding of the difference that exists between traditional
RM and ERM.
uncertainty. RM is applied to all aspects of business, including finance, safety, health, and
planning and project risk management (Nehari-Talet, 2014). According to Bojanc and Jerman-
Blažič (2013), RM is the overall process that integrates the analysis and identification of risk that
an organization is exposed to. Even though RM is recognized as a standard practice for many
organizations, there are distinguishing differences between the traditional method of approach
Traditional Risk Management
Traditional risk management (TRM) primarily focuses on risk specific to a given function
whereby RM is not integrated across the organization as a whole, and little consideration is given
to risk that could impede the organization's objectives (Hardy, 2014). Through TRM,
organizations infrequently make relative comparisons among their risks to determine how they
interrelate with one another or to assess their cumulative effect on the organization. TRM has a
specific objective to protect the organization from financial losses and has a tendency to create
an excessive cost to the organization. Furthermore, TRM does not provide a comprehensive,
clear view of RM. Mensah (2015) noted that managing of risk separately results in inefficiency
due to the lack of coordination between divisions. If an organization integrates the decision-
making process across all risk types, it has the potential to avoid risk expenditures and financial
distress.
When it comes to shareholder value, TRM makes no consideration for the shareholder’s
responsibility to investors regarding making decisions. The individual RM activities can reduce
earnings volatility by decreasing the possibility of catastrophic losses (Liebenberg & Hoyt, 2003;
Hoyt & Liebenberg, 2011). Paul and Vignno-Davillier (2014) asserted that TRM addresses RM
risk assessment by identifying information assets and detecting and evaluating risks on assets.
These risk assessment approaches often limit the focus to managing uncertainties around
physical and financial asset loss prevention instead of value. Researchers and practitioners,
within various fields of study, have stated that in today’s business environment, TRM practices
are no longer adequate to deal with today's threats. Anquillare (2010) asserted that as we move
into a more global economy and companies become more complex, risk managers must remain
organizations were faced with several types of risk every day due to changes in the world
environment that might introduce new risk. In fact, in today's business environment, risk refers to
all actions, incidences, and events that could prevent an organization from realizing goals, plans,
and ambitions. Moving from the TRM approach to a more advanced one requires embedding
RM activities within the business processes of the enterprise and establishing an RM repository.
Some organizations are beginning to acknowledge that TRM procedures need to be broadened
given the effects of some key wide-scale disasters and today's business conditions. Golshan and
Rasid (2012) agreed with this statement and noted that in the current business
scandals, improper financials, and terrorist threats. Organizations that can expand their focus
beyond conventional concepts to include political factors can gain significant growth potential
(O'Donnell, 2005). Current events have established that a systematic, high-level approach to RM
is needed that expands further than the traditional scope of individual risk.
ERM
ERM should be viewed as a composition of TRM and risk governance, with both having
transitional step for TRM. According to Lundqvist (2015), risk governance provides the structure
of the RM system as well as the procedures and rules for making decisions regarding RM. Lam
(2014) noted that ERM is a prominent discipline that is gaining popularity as both a sound
management approach and a governance best practice. ERM takes a more comprehensive
approach to RM by aligning with the organization’s business strategy while incorporating the
organization's personnel. The comprehensive approach provides a means for dealing with risk,
identifies and assesses risk an organization may encounter and examines potential control
measures. Brustbauer (2016) pointed out how the current trend of RM is moving towards an all
than the TRM approach of managing risk individually, which often can be ineffective due to its
decision making across all risk types, and organizations can potentially avoid risk expenditure by
exploiting natural hedges. The holistic approach of ERM contributes to reducing volatility by
preventing risk across the organization's different entities, whereas, TRM reduces volatility only
from specific sources. The ERM approach also requires a more organizational-wide support
system for (a) assessing, (b) identifying, and (c) managing risk. Yazid et al. (2011) mentioned
that when an organization adopts ERM into its business process, it helps identify all probable
incidents that could influence the organization, and helps determine current risk appetite.
separate component designed to protect the organization from financial loss. Also, ERM
The main difference between TRM and ERM is associated with how each is applied.
TRM addresses RM and its processes from a more isolated perspective whereby the focus is on
reducing the potential threat. Many organizations are implementing ERM processes to increase
the effectiveness of their TRM activities (Berry-Stölzle, Altuntas, & Hoyt, 2011). ERM applies
RM from a holistic perspective by applying it to all aspects of the organization (Liu, 2011; Paape
& Spekleé, 2012). Taylor (2014) asserted that ERM widens the TRM concept of threat reduction
to a managed risk embracement for increasing overall value. The concept mentioned allows
ERM to utilize risk-based decision making to all aspects that contribute to the objectives of an
organization such as (a) improved quality, (b) increased return, and (c) enhanced growth. ERM
Even though ERM emphasizes TRM in all its forms within an organization, similar to TRM, it still
requires that a level of ownership be assigned for each risk. ERM does not regard the ERM team
as the sole proprietors responsible for all areas requiring RM but views ERM as a task that
is managed by everyone within the organization (Liu, 2011; Taylor, 2014). In ERM, the ERM
team serves more as the guardian of the overall program. The program is then challenged through
internal audits for assurance that ERM is being operated by the ERM team with the intentions of
Even though there exist various methods for (a) identifying, (b) analyzing, (c) evaluating,
and (d) monitoring and controlling among the varying RM methodologies, the goal of RM is
to maximize overall output while minimizing the possible chance for unexpected outcomes.
Some organizations will start out small and slowly take an incremental, step-by-step approach to
identifying and implementing key practices to obtain immediate results. For other organizations,
it makes more sense to identify first the major risks that can be handled and then expand from
there (Curtis & Carey, 2012). In addition, it is also possible for an organization to implement a
risk model differently across various areas. For example, one risk area could be addressed from a
sound practices approach, and another could be addressed from a risk perspective. Regardless of
which risk approach is used, the decisive success factor is to focus on a governable collection of
principal risks and then implement the lessons learned across the enterprise (COSO, 2011). Both
the risk-analysis and best-practices approach have been utilized and credited for helping
The risk-analysis approach has various methods associated with it, which are frequently
structured under one of the following groups (a) standard, (b) professional, and (c) research.
identification and valuation of assets perspective. The impact of many risk events makes it hard
to estimate precisely the assessment of those assets since one risk often triggers another and
eventually causes a chain reaction making measurement difficult (Kenett & Raphaeli, 2008). The
risk-analysis approach addresses the threats and vulnerabilities to assets and utilizes various
risk-analysis techniques to calculate a risk value. Louisot and Ketcham (2014) asserted that
the probability of the risk occurrence must be defined, and the impact that the
particular risk will have on the project if it happens has to be assessed. The result obtained from
the analysis is utilized to evaluate the identified risks or risk exposures and provide justified
methods of approach to combat those risks. The main takeaway from the risk-analysis approach
is accurate results, effective protection measures, detailed documentation, and the creation of a
The Best-Practices Approach
The best-practices approach was developed to address the issues associated with the
into their overall business and strategic process, which, in essence, raises ERM importance and
achieve a particular RM goal. Saleh (2012) mentioned that there are various recommended
security best-practice documents and security standards to address ERM from different
perspectives. The best-practices approach utilizes best-practice documents to help standardize
the security controls and quickly achieve a basic level within the enterprise. The approach uses a
checklist approach to achieve its objectives (Wheeler, 2011). Yeo, Rolland, Ulmer, and Patterson
(2014) posited that the checklist approach at times falls short due to workflow and threat changes
over time. The best-practices approach is also disturbingly dependent on the certification and
often invest more heavily into tools and infrastructure than do risk-analysis organizations
(Marchetti, 2012). This approach to RM provides increased transparency and broad employee
usage. The best-practices approach is often characterized by its (a) ease of use, (b) reduced cost,
distinct tools and techniques. Both approaches have the same goal of protecting enterprise
resources, by creating and defining security controls. Both approaches have different levels of
importance where some are high-level just for providing guidelines while others are detailed and
concentrated on better risk analysis. According to Wheeler (2011), it is best for an organization
not to apply the best-practices approach aimlessly across all facets of business, but to seek
risk analysis techniques as well to identify critical focus areas. In sum, each RM approach has its
strengths and weaknesses that need to be addressed during the RM transformation process, but
both can be utilized within the RM program creating a very effective RM process.
acknowledgment of its roots. The earliest form of an organizational decision process RM can be
traced back to the late 1940s and early 1950s (Crockford, 1982; Dickinson, 2001). RM at the
time focused on pure risk, that is, risk in which there is either a loss or no loss (Crockford, 1982; Dionne,
2013; Eick, 2003). Some common examples of pure risk are (a) home ownership, (b) premature
death, and (c) identity theft. The risk managers of the time worked and taught in the insurance
field, and were often tasked with administering the organization's insurance portfolio (Verbano
& Venturini, 2011). The main focus of the pure risk approach was insurable risk. Furthermore,
the rationale for the approach stemmed from hazards being considered the greatest short-term
threats to an organization’s financial position. Fires at that time were known to put a company
out of business. Ferrer and Mallari (2011) mentioned that risk exposures of equipment,
machinery, improvements and buildings subjected to electrical disturbances and fires are the
greatest risk exposures because even though the typical factory building is constructed from
concrete materials, they were built more than 30 years ago. The minimizing of damage was
the best contingency plan to keep the organization going, and organizations often found ways to
reduce the occurrence. In addition, at the time, there were few means to address other risk types.
The risk managers figured out ways to quantify risk, and created methods of evaluation and
standardization. From the issues mentioned, risk managers created an extensive terminology for
managing risk.
In the 1970s, RM shifted from an insurance focus to the treatment of risk from a financial
perspective. The RM shift meant that financial risk was then seen as a source of uncertainty to
organizations. Dickinson (2001) stated that the shift was brought about by new financial
derivatives such as options, swaps and financial futures that were created to hedge financial risk.
Due to this shift, new tools were developed to handle financial risk; the new instruments allowed
organizations to manage financial risk in the same manner as pure risk. The concern for financial
risk was brought on by a concern for (a) foreign exchange volatility, (b) interest rates, and (c)
prices (Young & Tippins, 2000). The focus of financial RM was created by financial
organizations to determine how much of the risk of investment should be retained by the
organization and how much should be offset to external arrangements (Malz, 2011). In essence,
financial institutions started considering carefully how (a) risk could be financed internally, (b)
to price risk, and (c) to determine the value of additional investment bank services. In addition, the
organizations began to realize that financial risk and insurable risk should be managed together
because the purchase of derivatives and insurance to hedge financial risk performed the same role.
organizations in the 1980s still did not consider applying RM techniques or tools. Merna and Al-
Thani (2011) stated that the 1980s were the starting point for the first applications of system
dynamics. Hopkin (2014) also acknowledged the 1980s was a time when organizations were
developing RM tools and techniques for market or credit risk. One reason for the lack of
consideration for RM tools and techniques was that risk managers at the time determined that the
skill-set should be a specialty since it primarily focused on pure risk. When a new RM focus
emerged, risk managers did not incorporate it into their domain (Dickinson, 2001). The failure to
incorporate new risk focuses was costly to many organizations and the RM field. The refusal to
expand into other areas of RM delayed the transition of TRM to ERM by some decades. In the
end, the birth of ERM forced traditional risk managers into other areas of risk analysis one in
The 1990s ushered in the first integrated frameworks for RM; before, RM was performed
separately for each activity (i.e., a silo-based approach), with no interaction between activities.
One reason why frameworks were being created was due to rationalization with the current
economic perspective (Fraser, Simkins, & Narvaez, 2015). Carrel (2010) mentioned that the
emergence of new economies of the North American Free Trade Agreement, Central Europe,
Asia, and China in the World Trade Organization required RM to be addressed from a global
complexity and turbulence (Ballantyne, 2013). Undoubtedly, the concerns mentioned were due
to the types of risk that organizations were taking into account, such as outsourcing and
organized stakeholder groups that often placed the spotlight on social and environmental issues.
organizations along with the financial business scandals between the 1990s and 2000s made the
Due to the events mentioned new regulations and codes of practice, such as the Sarbanes-
Oxley Act, were created that expanded RM past the financial sphere and linked an organization's
internal controls to RM (Dionne, 2013). Arena, Arnaboldi, and Azzone (2010) and Mehta (2010)
argued that the new holistic approach to RM provided a means for organizations to address
broader ranges of risk during the analysis phase. RM would be no longer addressed from just a
financial perspective, but would be viewed as a corporate governance requirement, due to its
relation to internal control. The relationship of internal control and RM made the concept of RM
broader and more systematic in its approach. The all-encompassing approach to RM helped to
usher in various standards and frameworks to address RM. Table 1 displays the evolution
process of RM from its traditional silo approach to the holistic strategic approach utilized
currently.
Table 1
with the various entities responsible for risks. In many organizations, corporate RM is regarded
as the highest level of RM, which needs to be addressed from a holistic perspective (Mensah,
2015). It is important to point out that ERM can vary in its level of embeddedness, cultural
significance, and calculative practices. Arena et al. (2010) and Brown (2013) noted that for ERM
to be efficient, organizations have to create an RM culture that permeates current practices and
the behavior of management. It is through collaborative efforts that risk is defined to include any
action that could prevent an organization from achieving its objectives, and reinforces risk
practices with employees and manages risk in an enterprise-wide fashion. Throughout the years,
various frameworks and standards have been created to address ERM and IT resources. These
standards and frameworks share many similarities regarding the identification, assessment, and
management of risk. Due to limitations in space, only an overview of some of the most common
standards and frameworks is covered: the Committee of Sponsoring Organizations
(COSO), the International Organization for Standardization (ISO) 27000 series, Risk IT, the ISF
Standard of Good Practice for Information Security (The Standard), and the National Institute of
Standards and Technology (NIST) 800 series (Ahmad & Mohammad, 2012).
COSO
Researchers have often credited the COSO framework, released in 2004, for starting the
holistic approach to RM. Researchers created this framework in response to organizational needs
for a structured approach to managing the uncertainty of three objectives (a) effectiveness and
efficiency of operations, (b) law and regulation compliance, and (c) reliability of financial
reporting (Arena et al., 2010). The COSO framework outlines ERM as a practice that is affected
applied in a strategic setting across the whole enterprise. The COSO framework depicts ERM
from a managerial perspective whereby it specifically defines normative elements. COSO
provides a precise implementation and design guide and is represented by a three-dimensional
matrix representing eight elements deemed necessary for achieving reporting
The ISO 27000 series (i.e., ISO 27001 and ISO 27005) is a set of standards owned by
the International Organization for Standardization that focus on IT-related matters. The ISO 27001
standard addresses the information security management system (ISMS). Mataracioglu and
Ozkan (2011) noted that the objective of the ISO 27001 standard was to acknowledge and
specify the requirements for (a) improving, (b) maintaining, (c) reviewing, (d) monitoring, (e)
operating, (f) implementing, and (g) establishing an ISMS within an organization. The ISO 27001
standard was designed to ensure that security controls are sufficient and balanced to
guard information assets (Bahtit & Regragui, 2013). Watkins and Calder (2015) stated that the
ISO 27001 standard forms the basis for an assessment of the ISMS of the whole or part of an
organization. The basis mentioned is due to the ISO 27001 standard being recognized as a
According to Ahmad and Mohammad (2012), the ISO 27001 standard utilizes a model
that attempts to improve, monitor, establish and implement the overall efficiency of an
organization's ISMS. Organizations that adopt the ISO 27001 standard as a means of achieving
effective ISMS often overlook the fact that the standard was only geared to be utilized at a high
level. The ISO 27002 standard codes of practice provide controls that could be adopted by an
organization to address IS risk. Because the ISO 27002 standard only contains guidelines rather
than any certifiable criteria, organizations are often advised to implement and adopt other
controls or suites of IS controls to accommodate their needs. Watkins and Calder (2015) noted
that the ISO 27002 standard provides an international best practices framework that provides
guidance on implementing controls. The ISO 27002 standard is often viewed as a companion or
extension to the ISO 27000 standard because many organizations that adopt ISO 27000 also
The ISO 27005 standard was designed to fill gaps that
existed in ISO 27001 and ISO 27002. The ISO 27005 standard addresses information security
risk management (ISRM) by supporting the requirements of ISMS, but does not provide any
specific methodology (Everett, 2011). Faris, Hasnaoui, Medromi, Iguer, and Sayouti (2014) also
mentioned that the ISO 27005 standard does not define or recommend any particular risk
analysis method, although it specifies that one should utilize a rigorous, systematic, and
structured process. The ISO 27005 standard applies to all organizations and specifies in great
detail the management of risk without identifying any given methodology or specifics. The ISO
27005 standard also contains six annexes that are for informative purposes (Faris et al., 2014).
With proper customization, the annexes along with the ISO 27005 standard can be utilized as a
methodology for the assessment of security risks. The ISO 27005 standard helps IT
administrators and managers utilize a common approach to risk, which helps with agreements to
Risk IT Framework
The Information Systems Audit and Control Association (ISACA) created the Risk IT
framework (TRITF) after realizing that a comprehensive IT risk framework was needed to
complement COBIT. COBIT focused on developing and defining IT control objectives for
setting good practices for RM. TRITF sets good practices by way of providing a framework for
organizations to manage, identify and govern IT risks (ISACA, 2009). Ahmad and Mohammad
(2012) noted that TRITF was built on seven principles that are derived from commonly accepted
ERM practices utilized in the IT domain. TRITF takes the seven principles mentioned and
utilizes an all-inclusive approach and process model to RM by addressing all risks related to the
utilization of IT, from the organizational culture to operational issues (Nishani, 2014). Key
activities are grouped in the comprehensive process model into a number of processes, which are
associated with the three domains of (a) risk response, (b) evaluation, and (c) risk governance.
ISF (2014) created the Standard of Good Practice for Information Security (The
Standard), which was aimed at major international and national organizations for providing
resources to organizations that are committed to addressing organizational risk (Tofan, 2011).
ISF (2014) stated that The Standard addresses all aspects of IS across the four main categories
of security monitoring and improvement, control framework, security requirements, and security
governance, and is split into six areas: (a) critical business applications, (b) security management,
(c) networks, (d) computer installation, (e) system development, and (f) the end user. The
Standard acts as a complete, up-to-date reference for creating original organizational safety
measures as situations within the organization change. The Standard also provides
comprehensive coverage of controls included in various other frameworks and standards (i.e.,
ISO 27001, COBIT, NIST) and enables compliance with these frameworks and standards
(Tofan, 2011). The Standard also covers current topics that are not covered by other standards
and frameworks such as cybercrime attacks, mobile devices, and data privacy.
NIST, which is a U.S. federal government agency, is responsible for
technology activities and computer science activities within the Federal Government. The
organization often creates publications and standards to address various industry-related issues
related to technology. The 800 series was developed out of an extensive analysis of cost-
effective, practical approaches for optimizing the security of IT systems. The suites of standards
provided by NIST to address ISRM are often considered as best practices for specific objectives
in the computer security domain (Stoneburner, Goguen, & Feringa, 2002). The publications
cover all NIST-recommended measures and criteria for assessing and documenting
The SP800-30 publication is a guide to performing risk assessment, and specifies the
guidelines addressed by the publication are meant to point IT security personnel in the right
direction toward proper risk assessment. The risk assessment model considers all possible threats
and risks while doing a risk assessment. SP800-30 covers three ways of measuring a risk
assessment—(a) quantitative, (b) qualitative, and (c) semi-qualitative—and addresses three areas
publication provides an integrated view of information security that could be applied across an
enterprise. Stoneburner et al. (2002) mentioned that depending on the size of the organization or
scope of the assessment, the measuring techniques can be switched to suit the organizational
needs. Stoneburner et al. (2002) believed that this approach to risk evaluation and risk analysis
provides greater flexibility and provides greater ease with developing a new customized risk
framework and security controls to federal information systems. NIST (2010) mentioned that the
SP800-37 addressed information system approval, security control assessment, security control
monitoring, implementation and security control selection, and security categorization. The
guidelines presented in SP800-37 help with ensuring that the management of security risk is
consistent with the organization’s mission and risk strategy (NIST, 2010). SP800-37 also helps
organizations with ensuring that security requirements are integrated into the system
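The risk-analysis approach described earlier (define the probability and impact of each risk, derive a risk value, and cope with one risk triggering another) and the three SP800-30 measurement modes, as an added Python example that is not part of the dissertation or of NIST's guidance. The level names, scores, thresholds, register entries and trigger probabilities are constructed, and the qualitative and semi-quantitative combination rules are assumptions, not SP 800-30's own tables (the page's "semi-qualitative" mode is what SP 800-30 calls semi-quantitative).

```python
"""Constructed risk-register example (added here; not from the dissertation or NIST).

Scores four risks in the three measurement modes SP 800-30 names: quantitative
(expected annual loss in currency), qualitative (ordinal levels only) and
semi-quantitative (ordinal levels mapped to numeric scores). It also shows why
a risk that triggers another risk (a "chain reaction") inflates the quantitative
estimate. Level names, scores, thresholds and register entries are constructed.
"""
from dataclasses import dataclass, field

LEVELS = ["very_low", "low", "moderate", "high", "very_high"]
# Constructed semi-quantitative scores for the five ordinal levels.
SEMI_SCORE = {"very_low": 0, "low": 2, "moderate": 5, "high": 8, "very_high": 10}
# Constructed thresholds for binning a 0..100 product score back to a level.
SEMI_BINS = ((80, "very_high"), (40, "high"), (15, "moderate"), (4, "low"))


@dataclass
class Risk:
    name: str
    asset_value: float       # replacement value of the affected asset (currency)
    exposure_factor: float   # fraction of the asset value lost per event, 0..1
    annual_rate: float       # expected number of events per year
    likelihood: str          # qualitative level, one of LEVELS
    impact: str              # qualitative level, one of LEVELS
    # risks this one sets off, as (risk name, probability that it follows)
    triggers: list = field(default_factory=list)


def single_loss(r: Risk) -> float:
    """Loss from one occurrence: asset value times exposure factor (SLE)."""
    return r.asset_value * r.exposure_factor


def chain_loss(r: Risk, register: dict, seen: frozenset = frozenset()) -> float:
    """Expected loss per occurrence of r, including the risks it triggers.

    Each triggered risk contributes its own chain loss weighted by the
    probability of the trigger; the `seen` set stops cycles (A -> B -> A).
    """
    seen = seen | {r.name}
    total = single_loss(r)
    for child_name, p in r.triggers:
        if child_name in seen:
            continue  # already counted on this chain
        total += p * chain_loss(register[child_name], register, seen)
    return total


def quantitative(r: Risk, register: dict) -> float:
    """Annualized loss expectancy (ALE = SLE x annual rate), the standard
    quantitative measure, computed over the whole trigger chain."""
    return r.annual_rate * chain_loss(r, register)


def qualitative(r: Risk) -> str:
    """Ordinal combination with no numbers: the ceiling of the mean of the
    two level indices (a constructed rule, not SP 800-30's tables)."""
    li, ii = LEVELS.index(r.likelihood), LEVELS.index(r.impact)
    return LEVELS[(li + ii + 1) // 2]


def semi_quantitative(r: Risk) -> tuple:
    """Product of the two semi-quantitative scores (0..100), binned to a level.

    Note the weakness of a multiplicative score: a very_low likelihood (0)
    erases the impact entirely, so a rare catastrophe scores very_low.
    """
    score = SEMI_SCORE[r.likelihood] * SEMI_SCORE[r.impact]
    for threshold, level in SEMI_BINS:
        if score >= threshold:
            return score, level
    return score, "very_low"


def rank_by_ale(register: dict) -> list:
    """Risk names ordered from largest to smallest annualized loss."""
    return sorted(register, key=lambda n: quantitative(register[n], register), reverse=True)


# Constructed register: four risks, two of which trigger others.
REGISTER = {r.name: r for r in [
    Risk("phish_credential_theft", 200_000, 0.10, 4.0, "high", "moderate",
         triggers=[("data_breach", 0.25)]),
    Risk("data_breach", 2_000_000, 0.40, 0.2, "low", "very_high",
         triggers=[("regulatory_fine", 0.5)]),
    Risk("regulatory_fine", 1_000_000, 1.00, 0.05, "very_low", "high"),
    Risk("datacenter_fire", 5_000_000, 0.60, 0.02, "very_low", "very_high"),
]}

if __name__ == "__main__":
    for name in rank_by_ale(REGISTER):
        r = REGISTER[name]
        print(f"{name:24} ALE={quantitative(r, REGISTER):>12,.0f} "
              f"qual={qualitative(r):10} semi={semi_quantitative(r)}")
```

The three modes rank the same register differently: the credential-theft risk tops the quantitative list only because of the breach it can trigger, while the product score rates the rare fire as very_low, which is the kind of disagreement that makes switching techniques to suit the organization a real decision rather than a formality.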
The SP800-39 publication covers the approaches and components to RM and is supported
by other NIST publications. Das (2015) described the SP800-39 publication as a guide for
The guidelines of the publication were broadly developed from a technical perspective and can
be applied to any entity. The SP800-39 publication, according to Ross, Katzke, Johnson,
SP800-39 addresses RM from the perspective of (a) frame the risk, (b) assessing the risk, (c)
The frameworks and standards mentioned share many similarities regarding the fact that
ERM risk must be managed, assessed, and identified (Yeo et al., 2014). Each framework and
standard has strengths and weaknesses, and each defaults to a general, arbitrary approach that could
be carried out more or less as a checklist. According to Yeo et al. (2014), the administering of
risk is frequently accomplished or based on the conclusion of what risk to embrace or transfer.
The mitigation of risk is achieved by placing one or more controls at specific steps in the
business process. Often, the control mechanisms put into place might be a specific technology,
like logical access controls, or a procedure such as management oversight. It is important to note
that the controls put in place within the given standard or framework have varying degrees of
reliability regarding the detecting and prevention of fraudulent information moving through the
Both the COSO and NIST framework models are known and implemented throughout the
IS industry, but in many cases, a particular model is selected for various reasons. The NIST
inclined framework (Stoneburner et al., 2002). The NIST framework addresses the risk that
organization's structure, procedures, and process. The COSO framework is often viewed as being
better suited to address corporate risk than the NIST framework. Das (2015) stated that COSO
gained the trust of corporations because it was invented by five private financial auditing
entities, whereas, the NIST framework was invented by federal entities. Furthermore, the COSO
framework is considered more flexible, because it can be applied to organizations with varying
sizes. Both frameworks have similar components but differ in the nature of the components (Das,
2015). For example, NIST, regarding its information system scope, has “respond,” whereas
COSO has “information and communication.” The RM process within the NIST framework is a
procedure while in COSO, it is reference points that are sets of operational and strategic
objectives (O'Donnell, 2005). Paape and Speklé (2012) asserted that COSO only provides broad
guidance by way of suggesting fundamental principles and concepts leaving the details of the
adoption to the organization. In addition, the NIST framework is more modular due to its
various publications whereas, COSO is more generically designed for organizations with huge
financial operations.
When comparing the NIST framework to the ISO 27000 series, Risk IT, and The
Standard, it is important to reiterate that the NIST framework was geared toward governmental
agencies. The lack of diversity leaves NIST framework’s approach to RM to be less holistic in
nature than the other three. NIST, and the ISO 27000 standard, and The Standard focus on
(ISACA, 2009; Stoneburner et al., 2002; Wieczorek-Kosmala, 2014). Due to Risk IT’s
association with COBIT, it is considered to be aligned with the ISO 27000 series (ISACA,
2009a). In addition, The Standard is derived from the ISO 27000 series and COBIT standards
and is updated annually, whereas, other approaches are updated as needed (ISF, 2014; Tofan,
2011).
Every framework and standard has many strengths and weaknesses that affect whether it
will be adopted by an organization or not. In addition, Wheeler (2011) acknowledged the fact
that organizations could implement a risk model differently across functional areas
based on those strengths and weaknesses. Before an organization can be successful at implementing
and adopting a particular framework or standard, the organization should first gain an
understanding of its current enterprise requirements and objectives and take into consideration
37
the overall purpose and function of the standards and frameworks mentioned. Vladimirov,
Gavrilenko, and Mikhailovsky (2010) noted that an organization would have difficulty
transferring, retaining, or reducing risk without a prior professional risk evaluation of its needs
and goals. If an organization does not conduct a proper assessment of its current RM needs, the
organization could end up adopting an implementation that may work in some cases, but not in
others. Ahmad and Mohammad (2012) also mentioned that an RM implementation should not be
considered a one size fits all situations. In essence, what may work for one organization may not
work in another or have the same effect, for it is difficult to develop a document that applies to
all organizations. In many cases, organizations often utilize a customized approach whereby
more than one standard or framework is implemented. A customized approach builds on the
expertise and experience of the personnel in the organization in a way that best fits the
does not have to utilize the prescribed controls defined by the standard or framework but could
build its own controls for addressing threats and vulnerabilities related to its specific business
type. The added benefit of such an approach is that it allows the organization’s RM practices to
The factors contributing to the adoption of ERM are both internal and external in nature.
Some of the external influences that have driven many organizations to address RM from a
broader, holistic perspective are (a) globalization, (b) consolidation of industry, (c) increased
regulatory attention, (d) deregulation, (e) corporate governance, and (f) technical advancement
regarding analysis and quantification (Caldarelli, Fiondella, Maffei, Spanò, & Zagaria, 2012;
Liebenberg & Hoyt, 2003). The internal factors are related to increasing shareholders’ wealth,
market expectations, internal audits, and bring-your-own-device practices (Mensah, 2015). In addition, the
lack of transparency about how enterprise risk is managed has become a factor as well. In
sum, the increased interest in ERM is driven by an organization's goal of managing risk
According to Liebenberg and Hoyt (2003) and Beasley, Clune, and Hermanson (2005),
increased regulatory compliance and governance are often regarded as the major external factors
affecting the adoption of ERM. The creation of new regulations regarding internal controls in the
U.S., Canada, and the United Kingdom, such as anti-money-laundering regulations, the Gramm-
Leach-Bliley Act, the KonTraG legislation, the Basel Capital Accord, and the Combined Code,
has forced many organizations to embrace ERM as the best approach to regulatory compliance
(Liebenberg & Hoyt, 2003). Even though there are no specific regulatory mandates,
COSO (2004) noted that regulatory developments regarding uncertainty had created a
climate in which ERM can facilitate compliance through an infrastructure and process that
strengthens enterprises’ focus on enhancing and protecting enterprise value. In sum, the
increased community demand for more methodical disclosure and institutional shareholder RM
Other factors that contribute to ERM adoption are environmental uncertainty (EU) and
firm size. Malik and Holt (2013) described EU as the external forces that affect an organization's
overall performance in regard to (a) organizational structure, (b) customer and supplier
relationships, and (c) operations. EU is difficult for many organizations due to the increased
volatility of future events affecting the organization. The risks associated with an organization,
and the proper reaction to such risks, may vary depending on the EU confronting the
organization. The relationship between an organization's size and organizational structure has
been considered by Hoyt and Liebenberg (2011) to be positively related to the adoption of ERM.
Organizations with expansion prospects often face more uncertainty and require improved RM
practices to guide expansion in the best direction, due to the increased potential opportunities
(Beasley et al., 2005). COSO (2004) also endorsed the significance of organizational size when
designing an ERM system. In essence, many organizations attribute their organizational size with
Benefits of ERM
The main advantage that ERM offers an organization is the capability to manage risk
across the enterprise, which helps improve
the linkage between financial risk and operational RM. According to Anquillare (2010), this
transferring risk. In essence, ERM improves corporate governance through risk assurance
volatility. The reduction of volatility is attributed to the fact that ERM stabilizes earnings by
lessening losses that are related to the interdependencies of traditional risk classes (Liebenberg &
Hoyt, 2003). In sum, ERM reduces risk exposure in the major areas that were once difficult to
manage. Another benefit to many organizations is better capital allocation, by way of
reduced costs associated with established risk-shifting and asset-substitution problems. Lastly,
organizations that demonstrate a strong ERM discipline and capability (Farrell & Gallagher, 2015;
Regarding corporate governance, ERM helps to improve the relationship between the
board and RM, for the board becomes more involved in the risk-management process, whereby
organization-wide guidelines for RM are often implemented. Organizations have also noticed
an improvement in business processes. Tao and Hutchinson (2013) posited that the board of
the assertion that the characteristics of the board members determine the board’s ability to
monitor compliance with appropriate regulations and laws. A risk-aware board of directors can
Malik and Holt (2013) agreed that enterprise controls are today considerably influenced by
public policy debates on RM and corporate governance issues. Furthermore, Carden, Boyd, and
Valenti (2015) considered RM and oversight to be a subset of overall corporate governance.
Risk managers have benefited from ERM through improved decision-
making procedures regarding corporate strategy. Anquillare (2010) noted how ERM grants risk
officers, the board, or committees of the board. For risk managers, the traditional (i.e.,
silo) approach to risk assessment has always been a major focus, but in ERM critical risk includes all risks,
not just those in a given area. Lundqvist (2014a) acknowledged that ERM popularity has been
dramatically reduce control maintenance and compliance testing, and reduce external audit fees.
Arnold et al. (2011) addressed how an ERM approach to compliance could create a
strong system of internal controls that establishes procedures very early for addressing newly
mandated regulatory changes. The compliance benefit of ERM arises because, in many
organizations, SOX compliance in IT is handled by one group and the internal controls in the
financial division by another, without any direct communication between them. Through
ERM, the separate entities are addressed together, which in many cases reduces work (Segal,
2011). Lastly, organizations often realize greater operational efficiency and profitability,
because ERM helps remove redundancy and overlap between IT and SOX business
controls.
IT Effectiveness
measure of how well the organization's IT develops appropriate technology or business solutions
so that the organization can grow and operate according to its plans and business strategy,
whereby it works within its given constraints and behaves in its own style. Sevgi, Murat, and
Semih (2008) defined ITE as the overall extent to which a given information process contributes
value to an organization. Tallon (2011) described ITE as the ability to apply IT
successfully to deliver, enhance, and support the organization's business strategy by adding
tangible value. Even though different definitions exist, the basic premise of IT effectiveness is
the understanding that it directly affects an organization's performance and productivity (Byrd &
Davidson, 2006). ITE is usually viewed as a gauge for examining and measuring an
business solutions to the organization. Tallon, Kraemer, and Gurbaxani (2000) asserted that
many organizations are utilizing ITE and efficiency to improve productivity and performance and to
reduce cost. González-Benito (2007) found that IT investment and ITE are related to an
organization's strategic integration with business and its performance. Current researchers have
shown that organizations that spend more on IT upgrades have improved value and performance
over time.
A current review of the literature regarding ITE has revealed that there are only four
distinct research streams: (a) justification research, (b) criteria relationship research, (c)
measurement research, and (d) statistical antecedents ITE research (Grover, Jeong, & Segars,
1996). Justification researchers seek to address ITE from the standpoint of criteria drawn from
other disciplines and theories regarding (a) economics (i.e., cost and benefit), (b) methodologies,
(c) profit, (d) return on assets, and (e) firm performance (Grover et al., 1996). Many researchers
have used criteria relationship research to evaluate various criteria associated with ITE. For
example, Ives, Olson, and Baroudi (1983) investigated system usage and information satisfaction
through a survey of 200 production managers. Ein-Dor, Segev, and Steinfield (1980) studied the
relationship between the primary criterion information systems and system success. Robey
Statistical antecedents ITE research focuses specifically on the determinants of ITE, from a
statistical perspective, observing the independent variables that could affect effectiveness instead
of the given criterion; the antecedents can be organizational or individual in
nature. Researchers have used measurement research to explain the attitudes, beliefs, and
perceptions associated with ITE characteristics. Finally, a considerable amount of ITE research
has been based on measurement research due to its ability to create valid and reliable instruments
43
Research on ITE, in general, is non-cumulative and fragmented; the only true way to
measure the ITE of an organization is to take into account the business goals of that
organization. Various studies across varying fields of business have
attempted to measure ITE through some criteria. One of the best-known attempts to measure ITE
was conducted by DeLone and McLean (1992), by way of defining a dependent variable that
dimensions including (a) personal impact, (b) organizational impact, (c) user satisfaction, (d)
system quality, and (e) information quality. Each dimension is independent yet interrelated, and
together they form the model's components to create an instrument that serves to measure ITE. Other
researchers have utilized other criteria to gauge ITE. For example, IS usage was the criterion
utilized by Ein-Dor and Segev (1978) to identify the organizational variables associated
with the failure and success of MIS. IS usage was also utilized by Raymond (1990), using
organizational-context variables selected on the basis of the theoretical framework presented by Ein-
Dor and Segev (1978), which focused on IS sophistication addressing time frame, resources,
maturity, and size. User information satisfaction was the criterion utilized by Baroudi and
Orlikowski (1988) to create a framework to detect and diagnose problems with user satisfaction.
King and Rodriguez (1978) utilized the decision-making quality criterion to develop a process
through which IS systems could be evaluated. Franz and Robey (1986) used system quality to
investigate organizational factors linked to perceived system practicality and user participation in
information system development. The research studies mentioned above showed that ITE
research has provided a solid foundation for evaluating ITE based on system characteristics
derived from individual responses, but provided no true theoretical framework for placing the
The lack of a true ITE framework has caused some researchers to question the overall
scope of performance measurements of ITE, that is, whether ITE imposes a criterion other
than the ITE criterion itself. Cooper and Quinn (1993) noted that there is a gap in the
literature regarding ITE because there is no clear ITE theory. Melone (1990) noted that there
appears to be no theoretical model or explanation addressing ITE. Kanungo, Duda, and Srinivas
(1999) also asserted that IS research lacks a model to assess ITE. Even though
no clear-cut model exists for ITE, several researchers have attempted to develop frameworks to
address the issue. For example, the IS success model by DeLone and McLean (1992) has been
instrumental in structuring the concept of ITE. The research conducted by Cooper and Quinn
(1993) helped develop a framework for ITE that links IS characteristics to organizational
effectiveness. Pitt, Watson, and Kavan (1995) developed a logical model that illustrated the
comprehensive ITE evaluation framework that resolved many of the dilemmas of traditional
evaluation approaches.
Summary
efficient use of IT investment is through increased value to stakeholders. The overall challenge
of risk management is in determining what risk the organization is prepared to address while
enhancing stakeholders' value (Liu, 2011). Through ERM, researchers can address organizational
risks from a holistic perspective and take into consideration the scopes, processes, and people
within the organization (Anquillare, 2010). The ERM method of addressing risk offers a more
comprehensive approach to minimizing hazard and risk, and in turn increases shareholders'
value.
amongst risk owners across the whole organization. Also, ERM requires that risk owners be
capable of detecting potential issues as they occur and preventing risk (Babu, Babu, & Sekhar, 2013).
In essence, operational-level risk owners must have considerable authority, control,
communication, and knowledge of the systems they manage. ERM can be a powerful
analyzes risks at the component levels of the enterprise environment and focuses on organizational
priorities and impacts (Shad & Lai, 2015). Organizations must evaluate or measure RM on
various criteria; one of the most important is the specific contribution that is provided to
criteria, which would result in misguided decisions regarding the delivery of IT services
(Ballantyne, 2013).
CHAPTER 3. METHODOLOGY
The purpose of this non-experimental quantitative correlational study was to assess the
constructs and correlations associated with enterprise risk management and IT effectiveness.
Using information flow theory, catastrophe theory, and the risk-management framework, the
researcher examined how four risk management constructs affect overall IT effectiveness. The
results contributed to enterprise risk management literature, IS security practitioners, and chief
management influences IT effectiveness. Furthermore, the research questions identified the key
enterprise risk management constructs that affect IT effectiveness. The findings from the study
are useful to organizations seeking to make informed decisions addressing risk management
Theoretical Foundation
Two different theoretical ideas and a risk framework helped form the basis of the non-
experimental quantitative correlational study. Both theories and the framework
address various aspects of enterprise risk management but correlate with each other when
the research study because it is the most useful approach for tackling risk management issues.
Bayraktarli (2009) acknowledged that risk is an analytic and prescriptive concept, and the
normative approach is designed to address risk assessment and evaluation. The researcher
The information flow theory (IFT) developed by Barwise and Seligman (1997) provides a
mathematical framework that models the laws governing information flow in distributed
systems. IFT is based on the concept that information flow is attributed to regularities in a distributed
system, and some components contain information about other components (Liang, 2013). In
essence, the more regularities a given system has, the more information flows; the more random
the system, the less information flows. Information flow security is concerned with how
information is permitted to flow through a computer system without security violations. IFT is a
crucial component of the research study, because it is essential to consider the flow of information
when addressing any aspect of risk management. According to Winter, Zhao, and Aier (2010),
current IS models require that information from higher security levels be prevented from leaking
into lower security areas. The control of information flow is the central element of any risk-
management strategy.
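The requirement just quoted, that information from higher security levels must not leak into lower security areas, is the kind of rule an information flow policy makes checkable. The following is an added example, not from the dissertation and not an implementation of Barwise and Seligman's theory: a lattice-based flow check in Python in which a flow is permitted only when the destination label dominates the source label. The level names, compartments, component names and the sample flows are constructed for the illustration.

```python
"""Lattice-based information flow check: a flow from a source label to a
destination label is allowed only if the destination dominates the source,
so nothing flows from a higher level (or a different compartment) downward.

Added example with constructed labels and flows; not the dissertation's material.
"""
from typing import FrozenSet, List, NamedTuple

# Clearance levels in increasing order. Compartments add a need-to-know
# dimension, so labels form a lattice rather than a single chain.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


class Label(NamedTuple):
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if information labelled `other` may flow into something labelled `self`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the label a value derived from both inputs must carry."""
        top = self if LEVELS[self.level] >= LEVELS[other.level] else other
        return Label(top.level, self.compartments | other.compartments)


class Flow(NamedTuple):
    component: str      # hypothetical system component performing the transfer
    source: Label
    destination: Label


def flow_allowed(src: Label, dst: Label) -> bool:
    """A flow is permitted only when the destination dominates the source."""
    return dst.dominates(src)


def audit_flows(flows: List[Flow]) -> List[str]:
    """Return one finding per flow that would move information to a label that
    does not dominate its source (a downward or cross-compartment leak)."""
    findings = []
    for f in flows:
        if not flow_allowed(f.source, f.destination):
            findings.append(
                f"{f.component}: {f.source.level}/{sorted(f.source.compartments)} -> "
                f"{f.destination.level}/{sorted(f.destination.compartments)} violates policy")
    return findings


def derived_label(inputs: List[Label]) -> Label:
    """Label of a value computed from several inputs: the join of all input labels."""
    result = inputs[0]
    for lab in inputs[1:]:
        result = result.join(lab)
    return result


# Constructed sample flows for a hypothetical risk-reporting pipeline.
SAMPLE_FLOWS = [
    Flow("risk-register-import", Label("internal"),
         Label("confidential", frozenset({"risk"}))),                      # upward: allowed
    Flow("board-report-export", Label("confidential", frozenset({"risk"})),
         Label("internal")),                                               # downward: leak
    Flow("audit-log-archive", Label("confidential", frozenset({"risk"})),
         Label("secret", frozenset({"risk", "audit"}))),                   # upward: allowed
    Flow("hr-to-risk-copy", Label("confidential", frozenset({"hr"})),
         Label("confidential", frozenset({"risk"}))),                      # cross-compartment: leak
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

The join operation is what keeps the check sound across derived data: a report built from a confidential/risk record and an internal record must itself be labelled confidential/risk, so a later export to an internal destination is caught by the same dominance test.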
The catastrophe theory created by French scientist René Thom (1972) addresses concepts
and rules about the steady and discontinuous states of an item. Wang et al. (2014) noted that the
catastrophe model can reliably model interrupted and irreversible changes by looking at
responses produced by drastic, sudden changes from one equilibrium state to another. In the
research study, catastrophe theory is most applicable when assessing the risk construct and the
monitoring construct. In risk management, risk is regarded in terms of risk levels; in
catastrophe theory, catastrophe membership values help to determine risk levels. Potential
changes to the current state of operation caused by changes of circumstances are addressed in
The risk management framework (RMF) created by the National Institute of Standards and
Technology (NIST) provides the basis for the non-experimental quantitative correlational study.
RMF addresses the four crucial components of a successful risk management program: (a) frame
risk, (b) assessed risk, (c) response to risk, and (d) monitoring risk. In the research study, the
researcher addressed the four components mentioned as key constructs that approach risk
management from the perspective of it being an activity that requires the involvement of the
entire organization. In conclusion, the information flow theory, catastrophe theory, and RMF
measure what key enterprise risk management constructs are affecting an organization's IT
effectiveness.
Research Design
current study. The researcher selected a correlational research approach because it (a) enabled
data to be collected from a large number of potential participants who met a specific
requirement, (b) provided a method for describing complex data, and (c) allowed inferences
of a statistical nature to be made about a population based on observations (Bulmer, Gibbs, &
Hyman, 2010). When generalizing to a large population utilizing a sizable sample of data to
determine associations between two or more variables, the correlational cross-sectional survey
approach is often deemed applicable (Markovitz et al., 2012). Moreover, a recent literature
review revealed various studies utilizing the same approach and similar strategies of inquiry to
The researcher utilized the correlational approach to determine the relationships between
the frame risk, assessed risk, response to risk, and monitoring risk constructs of enterprise risk
management and IT effectiveness. The researcher gathered data using a survey approach
centered on correlation-level examinations involving the constructs mentioned above. The results
from the research study provided information regarding which enterprise risk management
constructs contribute most significantly to IT effectiveness. Additionally, an analysis of the
quantitative data revealed the correlational relationships among the risk-management constructs
as well. The researcher utilized an online survey instrument to collect respondent information.
The researcher followed quality indicators regarding data collection, population sampling, and
instrument design (Creswell, 2009). The researcher selected the sample from the study
population using an adequate sampling frame. The research instrument utilized in
Conceptual Model
The extended conceptual model of the study is shown in Figure 2 below. It displays the
Figure 2. Extended conceptual model of constructs and the primary elements used to measure
enterprise risk management.
To evaluate the constructs of frame risk, assessed risk, response to risk, monitoring risk,
and IT effectiveness, the researcher will describe the elements from preceding research that the
Frame risk (FR): The frame risk variable addresses the current extent of the risk
management context being dealt with by an organization. Frame risk is associated with the risk
frame construct and acknowledges the components that support and sustain risk management
throughout an organization. The focus of the frame risk variable is on whether or not the
organization's enterprise risk. The components that make up the frame risk variable address
policies and procedures, accountability, security awareness, security organization, and executive
management support. The primary elements that the researcher used to assess the risk frame
construct are related to the frame variable and were taken from preceding research by Lundqvist
(2014a), which the researcher used to evaluate an organization’s integral ERM components. The
research questions assessing risk management strategy, questions one through six, were
represented by ordinal data and utilized a 4-point Likert-type scale. In this non-experimental
quantitative correlational study, the researcher utilized the same approach to measure
the FR variable.
Assessed risk (AR): The assessed risk variable regards whether an organization has
assessed the potential risk-related issues within the organization. Assessed risk is associated with
the assessment of risk construct and focuses on whether an organization has assessed enterprise
risk and set risk levels for those risks. The components that make up assessed risk address (a)
whether the organization maintains an inventory of systems, (b) whether a current risk assessment
exists for systems, (c) whether information owners understand the risk associated with systems
under their control, and (d) whether risk levels have been set to address enterprise risk. The primary
elements that the researcher used to measure the assessed risk construct were taken from prior
research by Lundqvist, which the researcher used to evaluate ERM practices (Lundqvist, 2015;
Lundqvist, 2014a; Lundqvist, 2014b). The research questions used by Lundqvist were represented
by ordinal data and utilized a 4-point Likert-type scale. The specific questions to assess the
Response to risk (RTR): The response to risk variable addresses the extent of the
organization's response to risk. The response to risk variable is associated with the response to
risk construct and contains components that acknowledge an organization’s (a) development of
alternative courses of action, (b) implementation of risk responses, (c) disaster recovery, and (d)
incident handling. The primary elements that the researcher used to measure the response to risk
construct were taken from prior research by Lundqvist and were represented by ordinal data and
utilized a 4-point Likert-type scale. The specific questions to assess the response to risk construct
Monitoring risk (MR): The monitoring risk variable assesses whether an organization can
monitor risk over time. The monitoring risk variable is associated with the monitoring risk construct
and contains components that acknowledge an organization’s (a) periodic review process for risk
processes, (b) independent evaluation, (c) remedial activities, and (d) security controls testing.
The primary elements that the researcher used were taken from Lundqvist and were represented by
ordinal data and utilized a 4-point Likert-type scale. The specific questions to assess the
management, has enhanced IT capabilities. The IT effectiveness variable is associated with the
IT effectiveness construct and contains components regarding (a) overall quality of service, (b)
users’ satisfaction, and (c) the helpfulness of the IT staff. The ITE definition is associated with
the IT effectiveness construct and is acquired from a previous study by Tallon et al. (2000),
which was used to evaluate the business value of information technology. The Tallon et al. (2000)
study addressed constructs related to user satisfaction, the overall service quality of IT, and IT
staff helpfulness. The specific research questions to assess IT effectiveness were all represented
by ordinal data and utilized a 7-point Likert-type scale (Tallon et al., 2000).
To maintain the same reliability and validity results from earlier investigative methods
and instrumentation by Lundqvist (2014a) and Tallon et al. (2000), 4-point and 7-point Likert
scales were utilized in the study to represent data values ordinally. Likert scales are frequently
used to evaluate attitudes provided a range of responses are utilized, and values fall within the
quantitative correlational study from the NIST (2010) publication regarding the managing of IS
risk. The publication guided managing security risk in unison with organizational operations and
focused on four constructs of risk management. The dependent variable, IT effectiveness, was
derived from the Tallon et al. (2000) instrument which evaluated business value of information
technology. The omnibus research question (i.e., RQ1) and the main and sub-research questions
RQ1: What is the nature of the relationship between risk management constructs and IT
effectiveness?
effectiveness.
effectiveness.
RQ2: What is the nature of the relationship between frame risk and IT effectiveness?
firms that have high levels of frame risk versus those that have low levels of frame risk?
that have high levels of frame risk versus those that have low levels of frame risk.
H2a.1: There is a significant difference in the level of IT effectiveness between firms that
have high levels of frame risk versus those that have low levels of frame risk.
RQ3: What is the nature of the relationship between assessed risk and IT effectiveness?
H3a: There is a significant relationship between assessed risk and IT effectiveness.
firms that have high levels of assessed risk versus those that have low levels of assessed risk?
that have high levels of assessed risk versus those that have low levels of assessed risk.
H3a.1: There is a significant difference in the level of IT effectiveness between firms that
have high levels of assessed risk versus those that have low levels of assessed risk.
RQ4: What is the nature of the relationship between response to risk and IT
effectiveness?
firms that have high levels of response to risk versus those that have low levels of response to
risk?
that have high levels of response to risk versus those that have low levels of response to risk.
H4a.1: There is a significant difference in the level of IT effectiveness between firms that
have high levels of response to risk versus those that have low levels of response to risk.
RQ5: What is the nature of the relationship between monitoring risk and IT
effectiveness?
RQ5.1: Is there a significant statistical difference in the level of IT effectiveness between
firms that have high levels of monitoring risk versus those that have low levels of monitoring
risk?
that have high levels of monitoring risk versus those that have low levels of monitoring risk.
H5a.1: There is a significant difference in the level of IT effectiveness between firms that
have high levels of monitoring risk versus those that have low levels of monitoring risk.
sectors?
sectors?
Sample Population
The population that the researcher targeted for the research study included individuals
with knowledge regarding IT and its relationship to the organization, who play a critical role in
the decision process determining how IT-related risks are addressed and have knowledge of
the organization's risk management strategies. The researcher identified senior IT managers (i.e.,
CIOs, IT security program managers) as the population satisfying this criterion. The sampling
frame source was Qualtrics, using Qualtrics expert panels. The sampling approach was simple
random sampling, focused on organizations that have implemented some form of risk
management strategy. The minimal sample size determined for the study was 85 completed
surveys (see Figure 3). Utilizing the G*Power 3 software, the researcher calculated the minimum
sample size using power analysis, applying a medium effect size of .15, a power of .80, and a
significance (alpha) level of .05 (Cohen, 1998; Faul, Erdfelder, Lang, & Buchner, 2007).
Instrumentation/Measures
The survey instrument that the researcher utilized in this non-experimental quantitative
dimension. To get a perspective of risk management relevancy, the researcher reviewed the
NIST risk management framework as a reference point (NIST, 2011). Due to a lack of credible
providing questions unique to risk management and IT effectiveness. The questionnaire contains
questions taken from the Lundqvist (2014a), and Tallon et al. (2000) instruments that addressed
information system security, risk management, and business value of information technology.
The researcher used the questionnaire instrument with the intention to address risk
management and IT effectiveness. The researcher retrieved the questions regarding enterprise
risk management from The Journal of Accounting, Auditing & Finance, created by Lundqvist
(2014a). The researcher retrieved the survey questions on IT effectiveness from The Journal of
Management Information Systems, created by Tallon et al. (2000) and later used by other
Chebrolu, 2010; Chebrolu & Ness, 2013; Eichman, 2013; Ness, 2005). In regard to the
conceptual model (Figure 1), the researcher took the primary elements of (a) internal
environment, (b) objective setting, (c) control activities, (d) assessed risk, (e) response to risk,
and (f) monitoring risk that were used to measure the constructs of (a) frame risk, (b) assessed
risk, (c) response to risk, and (d) monitoring risk from prior research by Lundqvist (2014a). The
researcher obtained permission (see Appendix E) to use the templates from the authors
mentioned above. Table 2 displays the measurement scales, constructs, survey item numbers, and
Table 2
Data Collection
The researcher obtained the participants for this study from Qualtrics expert panels,
which are developed by Qualtrics. The set unit from which the researcher drew the sample
included individuals registered within the Qualtrics database of respondents who met the
following characteristics: (a) were currently employed in a Fortune 1000 company, (b) had knowledge
pertaining to IT and its relationship to the organization, and (c) played a critical role in the decision
process determining how IT-related risks are addressed. Participants who did not meet the
above characteristics did not participate in the study. Furthermore, the company has procedures
in place to ensure that everyone in the population has an equal possibility of being chosen. The
researcher made the online survey available to the participants once they gave their consent on
the consent form in the first section of the survey. Qualtrics protected the confidentiality and
privacy of the respondents and did not share any personal information with the researcher.
Potential participants could contact the researcher by way of e-mail to address any questions or
Data Analysis
The researcher first exported the raw ordinal survey data from Excel 2013 into SPSS. The
researcher generated compute and “if” statements for transforming and recoding variable data.
No cases were missing data, so the researcher did not utilize the techniques of (a) list-wise
deletion, (b) pair-wise deletion, or (c) replacement of missing data. The sample was large
enough to be statistically significant, and the researcher evaluated the data to determine whether the
regression approach used in the research study was appropriate, given the ratio of cases
to independent variables. Additionally, the researcher evaluated the data for
assessed risk, response to risk, and monitoring risk are independent variables.
The researcher conducted independent sample t-tests on each independent variable and IT
effectiveness based on high and low levels to explore group comparisons associations between
groups. The researcher based the simple linear regression procedures on one target variable of IT
effectiveness (Y), and each of the predictor variables, (a) frame risk (X1), (b) assessed risk (X2),
(c) response to risk (X3), and (d) monitoring risk (X4). The researcher based the multiple linear
regression procedures utilized on one target variable, IT effectiveness (Y), and predictor variables
of frame risk (X1), assessed risk (X2), response to risk (X3), monitoring risk (X4), and their
interaction term (X1X2X3X4). The researcher evaluated the overall strength of the relationship
between frame risk, assessed risk, response to risk, and monitoring risk based on statistical
significance levels and correlation coefficients. Chatterjee and Simonoff (2013) noted that
the true regression function, which is unknown, represents the expected relationship between the
target and predictor variables. The researcher utilized one-way ANOVA procedures to examine the
differences in the mean scores of various industry sectors (i.e., education, public utility, financial
inst, public service, public health care) regarding risk management constructs and IT
effectiveness. George and Mallery (2011) mentioned that ANOVA procedures were reliable for
measuring (a) strength of association between variables, (b) means for each level, (c) standard
organization’s integral ERM components. The current researcher utilized this instrument to
address the constructs of frame risk, assessed risk, response to risk, and monitoring risk by
utilizes a 4-point Likert scale to examine distinct aspects of the operationalization. The
researcher verified the reliability and validity of the instrument through (a) prescreening, (b)
pretesting, (c) EFA, and (d) CFA. The results from the EFA analysis showed that a four-factor
model, using the Bentler Comparative Fit Index (CFI) was more suited for the study with a value
of 0.93. The CFA results confirmed the reliability and construct validity of the instrument using
the ERM by EFA5 model with a value 0.96 which exceeds the 0.80 baseline as well (Lundqvist,
The instrument that Tallon et al. (2000) created was designed to evaluate the business value
construct and appeared to be the best available source of measurement. Furthermore, the instrument has
been utilized in various other research studies regarding IT effectiveness (Bani, 2011; Burke,
2011; Chebrolu, 2010; Ness, 2005; Pierce, 2002). The researcher verified this instrument’s
reliability and validity through the use of CFA and Cronbach’s alpha. The results from the
Cronbach's alpha were greater than 0.70, and the CFA analysis showed a high degree of
reliability with a value of 0.95, which exceeded the baseline of acceptability suggested by Werts,
Linn, and Joreskog (1974) of 0.80 (Tallon, 1999; Tallon et al., 2000). The instrument utilizes a 7-
point Likert scale to examine various aspects of strategic alignment, business usefulness, and IT
flexibility.
The researcher maintained the outline and format of the preceding survey questionnaires
for added reliability and validity. All questions maintained their original Likert-type scale
standardized format for assessment, and as stated above, the researcher made no modifications to
the instruments.
Ethical Considerations
correlational study based upon the Belmont Report established by the National Commission for
the Protection of Human Subjects (1979). The Belmont Report established guidelines and
principles designed to protect human research participants, and addressed topics such
as (a) respect for persons, (b) beneficence, and (c) justice. The topics mentioned are
applicable for (a) assessment of benefits and risk, (b) informed consent, and (c) subject selection.
In this non-experimental quantitative correlational study, the researcher addressed these topics
mentioned by first inviting participants to enter the study voluntarily. The researcher treated all
individuals equally by sending them the same cover memo and questionnaire. The researcher
treated all potential responses as anonymous, and in strict confidence; the researcher held all data
to ensure minimal harm and risk. The electronic informed consent forms received from
participants contained the correct definition of the intention and reasoning of the research study,
as well as the measures and constructs being addressed. The researcher also assured the
participants that the data retrieved in the survey would be treated with respect and remain
completely anonymous.
CHAPTER 4. RESULTS
Chapter Overview
The purpose of this study was to assess the constructs and correlations associated with enterprise
risk management and IT effectiveness; specifically, the study evaluated the relationship between the four constructs of frame risk (FR), assessed
risk (AR), response to risk (RTR), monitoring risk (MR), and the dependent variable of IT
effectiveness (ITE) within the enterprise environment. The researcher addressed risk
management from a holistic perspective acknowledging both the strategic and tactical level of
the initiative, in order to ensure that risk-based decision making is assessed from all aspects of
the environment. Lundqvist (2014a) and Đapić et al. (2012) stated that due to the increasing
concern for modern risk management practices, organizations have been pressured to manage
risk holistically.
and collected data descriptions. The researcher will introduce a comprehensive presentation on
the results of the six hypotheses. The researcher will address Hypothesis H1 first, and will
describe the results of the multiple linear regression to assess the association amongst risk
management constructs and IT effectiveness. In the next section, the researcher will address
hypotheses H2 to H5, in which the researcher performed simple linear regression analysis to
identify the level of association with the dependent variable IT effectiveness and each
independent risk construct. In addition, the researcher utilized independent sample t-tests for
H2.1 to H5.1 to determine the difference in the level of IT effectiveness between firms that have
high levels versus those that have low levels for each independent construct. Lastly, to identify
the level of IT effectiveness of the various industry sectors, the researcher conducted an analysis
of variance (ANOVA) to address hypothesis H6. The researcher conducted an analysis of the
fundamental assumptions before each hypothesis test to determine whether the data information
Respondent Characteristics
Twelve industry sectors took part in the quantitative correlational study: (a) advertising
and marketing, (b) airlines, (c) automotive, (d) construction, (e) entertainment, (f) information
technology, (g) healthcare and pharmaceuticals, (h) food and beverage, (i) financial services, (j)
insurance, (k) nonprofit, (l) retail, (m) utilities, and (n) others. The industry sectors were from
Out of the 100 respondents invited to participate in the research study, 100 completed the
survey, representing a 100% response rate. None of the responses were incomplete and needed
to be removed. Out of the 100 that completed the survey 4.0% of the respondents were from
advertising and marketing, 1.0% were from airlines, 1.0% were from automotive, 17% were
from construction, 2.0% were from entertainment, 25% were from information technology,
6.0% were from healthcare and pharmaceuticals, 7.0% were from food and beverage, 4.0% were
from financial services, 2% were from insurance, 4.0% were from nonprofit, 24.0% were from
Table 3
Sample Characteristics
Experience (Years) n %
1-5 12 12.0
6-10 29 29.0
11-15 22 22.0
16-20 15 15.0
Over 20 22 22.0
Note. N = 100
The largest group of respondents (39 in total, or 39.0%) who took part in the study
were Chief Executive Officers responsible for running an organization. Twenty-two
(representing 20%) were IT Specialists. Sixteen Chief Information Officers (16%)
and three Chief Information Security Officers (3.0%) also participated in the study.
Regarding years worked in their current position, 12% had 1-5 years, 29% had 6-10 years,
22% had 11-15 years, 15% had 16-20 years, and 22.0% had 20 years or more.
In the following section, the researcher presents each measured construct’s frequency
Internal Environment
philosophy of risk management, and risk appetite. The internal environment statements were a
subset of the frame risk (FR) construct and were characterized by a mean score on a 4-point scale
where 3 (Robustly Implemented) designates the highest score of the scale, and 0 (Non-Existent)
designates the lowest score. Survey respondents answered specific questions regarding
(a) formally defined audit committee responsibilities, (b) the executive management
procedures designed to associate the concerns of managers and shareholders, and (e) employee
Table 4 provides an illustration of the overall level of the internal environment, which
respondents reported as well implemented, with a mean score of 2.01 (SD = 1.03) on the 0-3 scale.
Twenty-seven point eight percent rated their organization's internal environment (i.e., risk governance
practices) as low, indicated by non-existent (13.2%) or existent (14.6%).
Furthermore, 29.8% of participants indicated that internal environment controls were moderately
implemented in the organization. Lastly, 42.4% indicated that internal environment controls were
Table 4
Percentage (%)
Scale NE E MI RI Mean SD
Internal Environment 13.2 14.6 29.8 42.4 2.01 1.03
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100
Objective Settings
operations, and compliance and reporting activities. The objective settings statements are also a
subset of the frame risk (FR) construct and were characterized by a mean score on a 4-point scale
where 3 (Robustly Implemented) designates the highest score of the scale, and 0 (Non-Existent)
designates the lowest score. The participants responded to three Likert-type statements
acknowledging (a) organizational performance goal achievement, (b) a formal business plan in
place to execute the strategy, and (c) the organization's formal mission statement (see Table B2).
The participants' responses to the three items had a mean score of 2.19 (SD = .998; Table 5). The
respondents rated their objective setting as non-existent (9.33%); existent (14.0%); moderately
Table 5
Percentage (%)
Scale NE E MI RI Mean SD
Objective Settings 9.33 14.0 24.6 52.0 2.19 .998
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100
Control Activities
the current risk response procedures policies within their organization. Survey respondents
acknowledged (a) that procedure and policy verification procedures exist, (b) that authorization
processes are in accordance so that designated individuals can critique the use of procedures and
policies, and (c) that there is a procedure in place to guarantee that the processes and policies in
place are functioning effectively and in the best interest of the organization's objective.
The control activities statements are also a subset of the frame risk (FR) construct (Table B3).
Table 6 outlines the distribution of responses on the 3-item scale. The largest share of
participants (37.3%) stated that their control activities were robustly implemented. Thirty-five
percent of the participants indicated that their control activities were moderately implemented,
15.3% reported their control activities as existent, and 12.3% reported their control
activities as non-existent. Overall, control activities had a mean score of 1.97 (SD = 1.00).
Table 6
Percentage (%)
Scale NE E MI RI Mean SD
Control Activities 12.3 15.3 35.0 37.3 1.97 1.00
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100
Survey respondents then assessed eight items addressing organizational risk assessment
type scale. Risk assessment practices are related to the assessed risk (AR) construct that
addresses whether an organization has identified any possible policy issues related to operations
and assets, vulnerabilities internal and external, and potential harm that could occur.
Respondents rated the level of their organization's risk assessment practices. Respondents ranked
the level of implementation regarding (a) the possibility that financial events influence the
organization's capability of achieving its goals, (b) the level to which the organization makes
objective achievement, (c) the level of implementation regarding the potential probability that
critical risk occurrences will affect organizational objective achievement, (d) the level of
implementation regarding the potential probability that compliance events will affect the
organization's objective achievement, and (e) the level of implementation regarding the
B4).
Table 7 shows that 14.8% of the participants ranked their risk assessment practices as
being non-existent; 17.8% of the participants ranked their risk assessment practices as being
existent; 30% of the participants ranked their risk assessment practices as being moderately
implemented, and 36.7% rated their risk assessment practices as being robustly implemented. The
mean score on the risk assessment practices scale was 1.89 (SD = 1.06). On the whole score, the
Table 7
Percentage (%)
Scale NE E MI RI Mean SD
Risk Assessment Practices 14.8 17.8 30.5 36.7 1.89 1.06
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100
Survey respondents answered four items on a 4-point Likert-type scale regarding their
Implemented). The risk response practices statements are related to the response to risk construct
(RTR) that gauges whether an organization has developed any response to risk protocols in
accordance with the risk frame. Participants rated the level to which formal policies were being
created on how risk should be managed. Participants rated (a) the level of which the organization
has identified all relevant events in the risk response plan, (b) the level of substitute risk
responses for each critical situation; and (c) the risk tolerances of the organization (see Table
B5).
Generally, participants rated their risk response practices as moderately implemented overall
(mean = 1.88; SD = 1.05 on the 0-3 scale, where 2 = Moderately Implemented). Fifteen point two
percent of the participants assessed their risk response practices as being non-existent. Table 8
illustrates that 16.5% of the participants assessed their
risk response practices as being existent, 33.0% of the participants assessed their risk response
practices as being moderately implemented, and 35.2% assessed their risk response practices as
Table 8
Percentage (%)
Scale NE E MI RI Mean SD
Risk Response Practices 15.2 16.5 33.0 35.2 1.88 1.05
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100
Monitoring Practices
Survey respondents addressed six items on a 4-point Likert-type scale regarding their
Implemented). The monitoring practice statements are related to the monitoring risk (MR)
construct that addresses the current risk monitoring measures in place. Specifically, respondents
ranked the level of monitoring of the organization's control activities, processes, and internal
environment. Participants rated (a) the emerging risk indicators, (b) the monitoring evaluation of
the organization's risk management practices completed by third party vendors, (c) the structured
and frequent updates of risk-related information, (d) the level to which an in-house risk
assessment team is granted the authority to gauge the progressing efficiency of the organization's
risk management practices, and (e) the level of which assigned risk owners have primary
authority for governing risk within their specific areas (see Table B6).
The participant responses indicated that monitoring practices in their organizations were
moderately implemented overall (mean = 1.85; SD = 1.04 on the 0-3 scale; Table 9). Fourteen point
five percent of the respondents rated their monitoring practices as non-existent, 19.3% of the
respondents rated their
monitoring practices as existent, 32.5% of the respondents rated their monitoring practices as
moderately implemented, and 33.6% rated their monitoring practices as robustly implemented.
Table 9
Percentage (%)
Scale NE E MI RI Mean SD
Monitoring Practices 14.5 19.3 32.5 33.6 1.85 1.04
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100
Survey respondents addressed three items on a 7-point Likert-type scale dealing with
their organization's IT effectiveness, ranging from 1 (Weak) to 7 (Strong). The IT
effectiveness from a context of actual performance, by way of addressing how risk management
quality of service, current user satisfaction with IT, and helpfulness of IT staff to users (see Table
B7).
The responses indicated that most organizations rated their IT effectiveness at six or
seven (59.3% combined; mean = 5.51, SD = 1.52; Table 10). Responses were classified as negative
(Weak, 1-2), neutral (Average, 3-5), and positive (Strong, 6-7). The respondents rated their organization's IT
Table 10
Percentage (%)
Scale 1 2 3 4 5 6 7 Mean SD
IT Effectiveness 5.00 0.33 2.33 13.3 19.6 29.0 30.3 5.51 1.52
Note. 1-2 = Weak; 3-5 = Average; 6-7 = Strong; N = 100
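As an added consistency check (example code, not part of the dissertation), the following Python recomputes the scale mean, the SD and the "low" share from the percentage rows of Tables 4 and 10. The percentage rows are copied from those tables; the category scores (0 to 3 and 1 to 7) follow the text. Population SD is assumed, since the page does not state which SD convention was applied, so the SD may differ slightly from the reported value.

```python
# Added example (not from the dissertation): recompute the scale mean, SD and
# the "low" (NE + E) share of a descriptive table from its percentage row, so
# the reported statistics can be checked for internal consistency.
# The percentage rows are copied from Tables 4 and 10; the 0-3 and 1-7 scoring
# follows the text. Population SD is an assumption (the page does not say
# which SD convention SPSS applied), so small differences are expected.
import math

# 4-point scale: 0 = Non-Existent, 1 = Existent, 2 = Moderately, 3 = Robustly
FOUR_POINT = [0, 1, 2, 3]
# 7-point IT effectiveness scale: 1 (Weak) .. 7 (Strong)
SEVEN_POINT = [1, 2, 3, 4, 5, 6, 7]

TABLE_4_INTERNAL_ENVIRONMENT = [13.2, 14.6, 29.8, 42.4]
TABLE_10_IT_EFFECTIVENESS = [5.00, 0.33, 2.33, 13.3, 19.6, 29.0, 30.3]


def scale_summary(scores, percentages, low_cutoff):
    """Return (mean, sd, pct_low, pct_high) for a response distribution.

    scores:      the numeric value of each response category
    percentages: percentage of respondents in each category (need not sum to
                 exactly 100 because of rounding; they are renormalised)
    low_cutoff:  categories with score <= low_cutoff count as "low"
    """
    if len(scores) != len(percentages):
        raise ValueError("scores and percentages must align")
    total = sum(percentages)
    weights = [p / total for p in percentages]
    mean = sum(s * w for s, w in zip(scores, weights))
    var = sum(w * (s - mean) ** 2 for s, w in zip(scores, weights))
    pct_low = 100.0 * sum(w for s, w in zip(scores, weights) if s <= low_cutoff)
    return mean, math.sqrt(var), pct_low, 100.0 - pct_low


if __name__ == "__main__":
    m, sd, low, high = scale_summary(FOUR_POINT, TABLE_4_INTERNAL_ENVIRONMENT, 1)
    print(f"Internal environment: mean={m:.2f} sd={sd:.2f} low={low:.1f}% high={high:.1f}%")
    m, sd, low, high = scale_summary(SEVEN_POINT, TABLE_10_IT_EFFECTIVENESS, 2)
    print(f"IT effectiveness:     mean={m:.2f} sd={sd:.2f} weak={low:.1f}% avg/strong={high:.1f}%")
```

The recomputed means (2.01 and 5.51) match the tables, and the 27.8% "low" share for the internal environment is the sum of the NE and E columns, which is the grouping the text uses. The same function applies unchanged to Tables 5 through 9.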
Assessment of Scale Validity and Reliability
There are three common types of validity: construct validity, criterion validity, and
content validity. According to Swanson and Holton (2005), a construct cannot be directly
observed; it can, however, be measured statistically and quantitatively, which is the approach
the researcher used in this study. Cooper and Schindler (2008) noted that in
order for a measure to be reliable it must be dependable. Reliability is necessary but not
sufficient for validity. When repeating a study's procedures reproduces its results, a level of
reliability exists. The ability to repeat the study over
time with the same degree of precision and accuracy is an important element of instrumentation
and research design (Ness, 2005). For this study, the researcher used prior research as the basis
for instrumentation, measures, and construct elements to ensure construct validity and reliability.
Using Cronbach's Alpha and CFA analysis, Tallon (2000) measured reliability and validity;
Cronbach's alpha results were greater than 0.70, and CFA analysis results had a value of 0.95.
Using EFA analysis and CFA analysis, Lundqvist (2014a) measured reliability and validity; EFA
analysis results had a value of 0.93, and CFA results had a value of 0.96. All of the results
Through a G*Power 3 power analysis, the researcher verified that 85 completed surveys
were adequate to obtain the statistical power needed for this analysis at a power of .80.
The sample collected by Qualtrics totaled 100. The researcher ran a post hoc analysis to
compute achieved power using G*Power 3, applying a medium effect size (f² = .15), a sample size of
100, and a significance level (alpha) of .05. The results revealed that the additional responses
increased the power to .87. Moreover, the researcher calculated an overall Cronbach's
alpha of 0.984 from standardized items, which supports the internal consistency
of the study's measures. According to Nunnally (1978), a Cronbach's alpha of 0.70 or higher is
required for a study's measures to be considered reliable. The statistical tests provided
evidence that the measures used in the study are both reliable and valid. Table 11 displays the
reliability coefficients of the measures. All measures were above the threshold mentioned.
Table 11
Variable Reliability
Variables Reliability*
Frame Risk (FR) .959
Assessed Risk (AR) .971
Response to Risk (RTR) .929
Monitoring Risk (MR) .945
IT Effectiveness (ITE) .933
Note. * Cronbach's Alpha Reliability Statistic
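An added example of the computation behind Table 11 (not from the dissertation; SAMPLE is a constructed response matrix, not study data): Cronbach's alpha in its raw covariance form and in the standardized-items form that the 0.984 figure refers to, in pure Python.

```python
# Added example (not from the dissertation): Cronbach's alpha for a set of
# Likert items, both the raw (covariance) form and the "standardized items"
# form the text refers to. SAMPLE is a constructed 5-respondent x 3-item
# response matrix on the 0-3 scale used by the ERM instrument; it is
# illustrative only and is not survey data from the study.
import math

SAMPLE = [
    [3, 3, 2],
    [2, 2, 2],
    [1, 0, 1],
    [0, 1, 0],
    [3, 2, 3],
]


def _mean(xs):
    return sum(xs) / len(xs)


def _var(xs):
    """Sample variance (n - 1 denominator); alpha is unchanged as long as the
    same denominator is used for the items and for the total score."""
    m = _mean(xs)
    return sum((x - m) ** 2 for x in xs) / (len(xs) - 1)


def pearson(xs, ys):
    """Pearson correlation between two equally long item columns."""
    mx, my = _mean(xs), _mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) - 1)
    return cov / math.sqrt(_var(xs) * _var(ys))


def cronbach_alpha(rows):
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total score))."""
    k = len(rows[0])
    if k < 2 or any(len(r) != k for r in rows):
        raise ValueError("need at least two items and a rectangular matrix")
    items = [[r[j] for r in rows] for j in range(k)]
    totals = [sum(r) for r in rows]
    return k / (k - 1) * (1 - sum(_var(it) for it in items) / _var(totals))


def standardized_alpha(rows):
    """Alpha based on standardized items: k*rbar / (1 + (k-1)*rbar), where
    rbar is the mean inter-item Pearson correlation."""
    k = len(rows[0])
    items = [[r[j] for r in rows] for j in range(k)]
    corrs = [pearson(items[a], items[b]) for a in range(k) for b in range(a + 1, k)]
    rbar = _mean(corrs)
    return k * rbar / (1 + (k - 1) * rbar)


if __name__ == "__main__":
    print(f"raw alpha          = {cronbach_alpha(SAMPLE):.3f}")
    print(f"standardized alpha = {standardized_alpha(SAMPLE):.3f}")
```

With the constructed rows the raw alpha is about 0.914 and the standardized alpha about 0.913; the two agree closely when item variances are similar and diverge when one item has a much larger variance than the others. Alpha also rises with the number of items, so a value as high as 0.984 across all items of a long instrument can reflect item redundancy as well as internal consistency.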
amongst risk management constructs and IT effectiveness. This hypothesis (Table 12) argued
that risk management constructs namely frame risk (FR), assessed risk (AR), response to risk
(RTR), and monitoring risk (MR) are not positively related to IT effectiveness (ITE). When
testing the hypothesis, the predictor variables were the constructs FR, AR, RTR, and MR the
Table 12
RQ1: What is the nature of the relationship between risk management constructs and IT effectiveness?
H1₀: There is no significant relationship between risk management constructs and IT effectiveness.
H1ₐ: There is a significant relationship between risk management constructs and IT effectiveness.
The researcher used multiple regression analysis to address hypothesis 1. The regression model
tested is as follows:
ITE = β0 + β1 FR + β2 AR + β3 RTR + β4 MR + ε
ITE represents the dependent variable; FR, AR, RTR, and MR are the independent variables; β0 is
the constant or ITE-intercept; β1 to β4 are the regression coefficients; and ε is the residual
error.
Given that the researcher sought to generalize the regression model to the populace from
which the sample was obtained, it was important to address the assumptions associated with the
regression model. It is important to address these assumptions because violations can lead to
unreliable results; a vital part of any regression analysis is to examine the assumptions using
various diagnostics, tests, and plots (Chatterjee & Simonoff, 2013). In Chapter 3, the researcher
observed and described the assumption of independence of observation through the use of
random sampling. The researcher addressed the normal distribution assumption through the
inspection of P-P plots, normal probability, and histograms. In addition, the researcher verified
the assumption of linearity utilizing scatter plots, and confirmed the assumption of
homoscedasticity by visual inspection of the plot of regression standardized predicted values against standardized residuals.
justify statistical tests. Appendix B shows the histogram of standardized regression residuals for
the ITE construct. The histogram of standardized regression residuals reveals that the distribution
was roughly normal for ITE (see Figure C1). For assessing normality, it is also recommended
that P-P plots be used to help decide whether the data are normal (Norusis, 2008).
A P-P plot indicates that the data are normally distributed when the points fall along the diagonal line.
The P-P plots showed that the majority of the points lie close to the straight line for ITE (see
Figure C2). The P-P plots confirmed that the regression assumption of normality was met and
independently and collectively between the dependent and independent variables. In addition,
because in the plot of regression standardized predicted values against standardized residuals
the points were evenly and randomly dispersed around zero, the homoscedasticity assumption was met
(Field, 2009). Also, the association between the independent variables FR, AR, RTR, and MR
and the dependent variable ITE appeared to be linear in the regression model (see Figure C3).
The information presented indicates that the assumption of linearity for all joins of the
assumption was not violated, because the points on the figures were spread evenly and randomly
throughout the plot. The researcher considered plot points as being linear between the dependent
Testing of Hypothesis 1
accounted for by the constructs of frame risk, assessed risk, response to risk, and monitoring risk,
the researcher performed a multiple regression analysis. The descriptive statistics showed the
standard deviation and mean for each construct: IT effectiveness (N = 100; M = 16.5; SD = 4.29);
frame risk (N = 100; M = 22.5; SD = 9.47); assessed risk (N = 100; M = 15.13; SD = 7.79);
response to risk (N = 100; M = 7.53; SD = 3.84), and monitoring risk (N = 100; M = 11.1; SD =
5.56).
To identify which independent variables (i.e., FR, AR, RTR, and MR) individually
correlate with the dependent variable ITE, the researcher first performed a Pearson's correlation
analysis to determine the strength of the relationship between each pair of variables. The
researcher then used these variables to determine the percentage of variation in the dependent
variable explained by the chosen independent variables and to predict the dependent variable
(ITE). The results disclosed that the dependent variable ITE was independently
correlated with all of the independent variables, that is, FR (r = .703, p < 0.01), AR (r = .749, p <
Table 13 illustrates the multiple regression model summary. The data showed that 61.5%
of the variance in IT effectiveness was accounted for by frame risk, assessed risk, response to
risk, and monitoring risk. According to the test statistic shown in Table 14, the null hypothesis
was rejected because the overall model was significant (F(4, 95) = 37.947; p
< 0.001). The multiple regression results show that the four variables jointly predict information
Table 13
Model Summary b
Model R R Square Adjusted R Square Std. Error of the Estimate
1 .784 .615 .599 2.721
Table 14
ANOVAa
Model Sum of Squares df Mean Square F Sig.
1 Regression 1123.678 4 280.920 37.947 .000b
Residuals 703.282 95 7.403
Total 1826.960 99
The standardized estimate (i.e., b) absolute values from largest to smallest (Table 15) were as
Table 15
Unstandardized Standardized
Coefficients Coefficients
Model B Std. Error Beta t Sig.
1 (Constant) 9.453 .712 13.285 .000
FR .044 .059 .098 .756 .451
AR .081 .099 .147 .821 .414
RTR .375 .210 .336 1.786 .077
MR .181 .138 .234 1.307 .194
The standardized coefficients ranked the independent variables, in order of predictive weight in
the model, as response to risk, monitoring risk, assessed risk, and frame risk: response to risk
contributed the most to the model and frame risk the least. Note, however, that none of the four
individual coefficients reached significance at p < .05 (Table 15) even though the overall model
was significant; the ranking therefore reflects relative standardized weights within the joint
model, not individually significant contributions. Each construct's own association with ITE is
examined separately under Hypotheses 2 to 5.
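The quantities in Tables 13 through 15 can be reproduced from raw data with ordinary least squares. The following is an added example (not the study's SPSS output or data) that implements OLS through the normal equations in pure Python and returns R², adjusted R², F, the unstandardized and standardized coefficients, standard errors and t values; it also includes two helpers that recover F and adjusted R² from a reported R², k predictors and n cases, so a published model summary can be cross-checked without the raw data. Both datasets in the block are constructed for illustration.

```python
# Added example (not from the dissertation): ordinary least squares fitted by
# the normal equations, returning the same quantities SPSS reports in the
# model summary, ANOVA and coefficient tables (R^2, adjusted R^2, F, B, SE,
# standardized Beta, t), plus two helpers that recover F and adjusted R^2
# from a reported R^2 so a published model summary can be cross-checked.
# The datasets below are constructed for illustration, not survey data.
import math


def _invert(a):
    """Gauss-Jordan inverse with partial pivoting; raises on a singular
    (perfectly collinear) design."""
    n = len(a)
    m = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(a)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(m[r][c]))
        if abs(m[piv][c]) < 1e-12:
            raise ValueError("singular design matrix (collinear predictors)")
        m[c], m[piv] = m[piv], m[c]
        f = m[c][c]
        m[c] = [v / f for v in m[c]]
        for r in range(n):
            if r != c and m[r][c] != 0.0:
                g = m[r][c]
                m[r] = [rv - g * cv for rv, cv in zip(m[r], m[c])]
    return [row[n:] for row in m]


def _sd(xs):
    mu = sum(xs) / len(xs)
    return math.sqrt(sum((x - mu) ** 2 for x in xs) / (len(xs) - 1))


def adjusted_r2(r2, k, n):
    """Adjusted R^2 for k predictors and n cases."""
    return 1 - (1 - r2) * (n - 1) / (n - k - 1)


def f_from_r2(r2, k, n):
    """F(k, n-k-1) implied by a reported R^2 with k predictors and n cases."""
    return (r2 / k) / ((1 - r2) / (n - k - 1))


def ols(x_rows, y):
    """Fit y = b0 + b1*x1 + ... + bk*xk. x_rows is a list of predictor rows."""
    n, k = len(y), len(x_rows[0])
    X = [[1.0] + [float(v) for v in r] for r in x_rows]   # prepend intercept
    p = k + 1
    xtx = [[sum(X[i][a] * X[i][b] for i in range(n)) for b in range(p)] for a in range(p)]
    xty = [sum(X[i][a] * y[i] for i in range(n)) for a in range(p)]
    inv = _invert(xtx)
    beta = [sum(inv[a][b] * xty[b] for b in range(p)) for a in range(p)]
    fitted = [sum(X[i][a] * beta[a] for a in range(p)) for i in range(n)]
    ybar = sum(y) / n
    sst = sum((v - ybar) ** 2 for v in y)
    sse = sum((v - f) ** 2 for v, f in zip(y, fitted))
    ssr = sst - sse
    df_res = n - p
    mse = sse / df_res
    se = [math.sqrt(mse * inv[a][a]) for a in range(p)]        # SE of each B
    t = [b / s if s > 0 else float("inf") for b, s in zip(beta, se)]
    sd_y = _sd(y)
    std_beta = [beta[j + 1] * _sd([r[j] for r in x_rows]) / sd_y for j in range(k)]
    return {
        "B": beta, "SE": se, "t": t, "Beta": std_beta,
        "R2": ssr / sst, "adjR2": adjusted_r2(ssr / sst, k, n),
        "F": (ssr / k) / mse if mse > 0 else float("inf"),
        "df": (k, df_res), "SSR": ssr, "SSE": sse, "SST": sst,
    }


# Constructed simple-regression data (the textbook x = 1..5 example).
SIMPLE_X = [[1], [2], [3], [4], [5]]
SIMPLE_Y = [2, 4, 5, 4, 5]

# Constructed exact multiple-regression data: y = 1 + 2*x1 + 3*x2, no noise.
MULTI_X = [[1, 2], [2, 1], [3, 4], [4, 3], [5, 6], [6, 5]]
MULTI_Y = [1 + 2 * a + 3 * b for a, b in MULTI_X]

if __name__ == "__main__":
    fit = ols(SIMPLE_X, SIMPLE_Y)
    print("simple: B=%s R2=%.3f F(%d,%d)=%.3f" % (fit["B"], fit["R2"], *fit["df"], fit["F"]))
    print("implied F for R2=.615, k=4, n=100: %.3f" % f_from_r2(0.615, 4, 100))
```

Applied to Table 13's R² = .615 with k = 4 and n = 100, f_from_r2 returns 37.9, matching the F in Table 14, and adjusted_r2 returns .599; the same check on Table 18 (R² = .494, k = 1) gives .489. The singular-matrix check in _invert is the guard that matters in practice: near-collinear predictors do not fail the fit but inflate the standard errors, one cause of a significant overall F with no individually significant coefficient.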
Summary of Hypothesis 1
Through Research Question 1, the researcher attempted to verify the association between
risk management constructs and IT effectiveness. The null hypotheses stated that there is no
hypothesis was not supported, and the researcher rejected the null hypothesis. Table 16
Table 16
Correlation with Regression Weights
Variable Mean SD r with ITE R2 B Beta t Sig.
H1
ITE 16.5 4.29 .615
FR 22.5 9.47 .703 .044 .098 .756 .451
AR 15.13 7.79 .749 .081 .147 .821 .414
RTR 7.53 3.84 .769 .375 .336 1.786 .077
MR 11.1 5.56 .757 .181 .234 1.307 .194
Note. r = Pearson correlation with ITE (predictor rows); R2 = variance in ITE explained by the full model (ITE row); t = test statistic value
between risk management constructs and IT effectiveness. The four hypotheses groups under the
four research questions (see Table 17) argued that risk management constructs are not positively
related to IT effectiveness (ITE). The researcher tested the four hypotheses (H2 to H5) by way of
assigning the predictor variable to the constructs FR, AR, RTR, and MR, and assigning the
Table 17
RQ2: What is the nature of the relationship between frame risk and IT effectiveness?
H2₀: There is no significant relationship between frame risk and IT effectiveness.
RQ3: What is the nature of the relationship between assessed risk and IT effectiveness?
H3₀: There is no significant relationship between assessed risk and IT effectiveness.
RQ4: What is the nature of the relationship between response to risk and IT effectiveness?
H4₀: There is no significant relationship between response to risk and IT effectiveness.
RQ5: What is the nature of the relationship between monitoring risk and IT effectiveness?
H5₀: There is no significant relationship between monitoring risk and IT effectiveness.
The researcher tested the four null hypotheses (H2 to H5) using simple regression analysis. The
regression models tested are as follows:
ITE = β0 + β1 FR + ε ... H2
ITE = β0 + β1 AR + ε ... H3
ITE = β0 + β1 RTR + ε ... H4
ITE = β0 + β1 MR + ε ... H5
The researcher had to verify the fundamental assumptions of linear regression before
visual inspection of the plots of regression standardized predicted values against standardized residuals.
The researcher verified the assumption of linearity using the scatter plots of residuals. The
researcher used an examination of P-P plots, normal probability plots, and histograms to validate
Test of normality. Berry (1993) stated that the normality assumption provided
justification for a particular statistical test. Appendix C shows the histograms of standardized
regression residuals for FR, AR, RTR, MR and ITE constructs. The histograms of standardized
regression residuals display the distributions as being nearly normal for FR, AR, RTR, and MR
(see Figures D1, D4, D7, and D10). In addition, the researcher created P-P plots to determine
how close to a straight line, points fall. Nearly all plot points fell along a straight line on the P-P
plots of the constructs FR, AR, RTR, and MR (see Figures D2, D5, D8, and D11); this suggested
that the fundamental normality regression assumption is met and verifies the regression
Test of linearity and homoscedasticity. The researcher tested the linearity assumption
associated with linear regression to identify if a linear association amongst the dependent
variable and each independent variable exists. The assumption holds when the dependent variable is
plotted against the independent variable and the points cluster around a straight line (Field,
2009). The scatter plots indicated that the points were mostly linear for FR on ITE, AR on ITE,
RTR on ITE, and MR on ITE, affirming linear relationships between the independent variables and
the dependent variable (see Figures D3, D6, D9, and D12). Furthermore, the homoscedasticity
assumption is met when the points in the plot of regression standardized predicted values against
standardized residuals are dispersed evenly around zero (Field, 2009). The homoscedasticity
assumption was not violated because the points were spread evenly and randomly within the plot.
Testing of Hypothesis 2
verify the percentage of variation in IT effectiveness that is associated with frame risk, the
researcher ran a regression analysis. IT effectiveness had a mean score of 16.5 (N = 100; SD = 4.29)
and frame risk had a mean score of 22.5 (N = 100; SD = 9.47). Tables 18, 19, and 20 display the
regression analysis summary results. The information presented reveals that 49.4% (R2 = .494) of
the variation in IT effectiveness (ITE) was accounted for by frame risk (Table 18), and the model
was significant (F(1, 98) = 95.852; p < 0.001). The test statistic shows that frame risk is
positively and significantly associated with IT effectiveness (see Table 19). In sum, the researcher
Table 18
Model Summary b
Model R R Square Adjusted R Square Std. Error of the Estimate
1 .703a .494 .489 3.070
a. Predictors: (Constant), FR
b. Dependent Variable: ITE
Table 19
ANOVAb
Model Sum of Squares df Mean Square F Sig.
1 Regression 903.356 1 903.356 95.852 .000a
Residuals 923.604 98 9.425
Total 1826.960 99
a. Predictors: (Constant), FR
b. Dependent Variable: ITE
Table 20 illustrates that higher levels of frame risk are associated with higher IT
effectiveness (t(98) = 9.790; p < .001), which indicates that FR makes a significant contribution
to the model of IT effectiveness. In essence, the regression model may be stated as
follows:
ITE = 9.321 + 0.319 FR
The information shows that a one-unit increase in frame risk is associated with an increase in IT
effectiveness of .319 (i.e., b = .319).
84
Table 20
Coefficientsa
Model B (unstandardized) Std. Error Beta (standardized) t Sig.
1 (Constant) 9.321 .797 11.699 .000
FR .319 .033 .703 9.790 .000
Testing of Hypothesis 3
To verify the percentage of variation in IT effectiveness that is associated with assessed risk, the
researcher ran a regression analysis. Assessed risk had a mean score of 15.1 (N = 100; SD = 7.79) and
IT effectiveness had a mean score of 16.5 (N = 100; SD = 4.296). The data revealed that 56.2% (R2 =
.562) of the variation in IT effectiveness (ITE) was accounted for by assessed risk (AR) (see
Table 21). The test statistic (F(1, 98) = 125.522; p < 0.001) in Table 22 indicates that assessed
risk positively and significantly influences IT effectiveness. In sum, the researcher
Table 21
Model Summary b
Model R R Square Adjusted R Square Std. Error of the Estimate
1 .749a .562 .557 2.859
a. Predictors: (Constant), AR
b. Dependent Variable: ITE
Table 22
ANOVAb
Model Sum of Squares df Mean Square F Sig.
1 Regression 1025.957 1 1025.957 125.522 .000a
Residuals 801.003 98 8.174
Total 1826.960 99
a. Predictors: (Constant), AR
b. Dependent Variable: ITE
Table 23 reveals that the higher the level of assessed risk, the greater the IT effectiveness
(t(98) = 11.204; p < .001), which suggests that AR makes a significant contribution to the model
(IT effectiveness). The regression model could be stated as follows:
The information shows that a unit increase in assessed risk raises IT effectiveness by .413 (i.e.,
b = .413).
Table 23
Coefficientsa
Model B (unstandardized) Std. Error Beta (standardized) t Sig.
1 (Constant) 10.272 .627 16.389 .000
AR .413 .037 .749 11.204 .000
Testing of Hypothesis 4
response to risk, the researcher performed regression analysis. Response to risk had a score of
7.53 (N = 100; SD = 3.84) and IT effectiveness had a mean score of 16.5 (N = 100; SD = 4.29). The
data revealed that 59.1% (R2 = .591) of the variation in IT effectiveness (ITE) was accounted for
by response to risk (RTR) (see Table 24). The test statistic (F(1, 98) = 141.565; p < 0.001) in
Table 25 indicates that response to risk positively and significantly influences IT
Table 24
Model Summary b
Model R R Square Adjusted R Square Std. Error of the Estimate
1 .769a .591 .587 2.762
a. Predictors: (Constant), RTR
b. Dependent Variable: ITE
Table 25
ANOVAa
Model Sum of Squares df Mean Square F Sig.
1 Regression 1079.597 1 1079.597 141.565 .000b
Residuals 747.363 98 7.626
Total 1826.960 99
a. Predictors: (Constant), RTR
b. Dependent Variable: ITE
Table 26 illustrates that the higher the level of response to risk, the greater the IT effectiveness
(t(98) = 11.898; p < .001), which suggests that RTR adds a significant
The information shows that a unit increase in assessed risk raises IT effectiveness by .858 (i.e.,
b=.858).
Table 26
Coefficientsa
Model B (unstandardized) Std. Error Beta (standardized) t Sig.
1 (Constant) 10.060 .609 16.516 .000
RTR .858 .072 .769 11.898 .000
Testing of Hypothesis 5
monitoring risk, the researcher performed a regression analysis. Monitoring risk had a mean score of
11.12 (N = 100; SD = 5.56) and IT effectiveness had a mean score of 16.5 (N = 100; SD = 4.29). The
data revealed that 57.4% (R2 = .574) of the variation in IT effectiveness (ITE) was accounted for
by monitoring risk (MR) (see Table 27). The test statistic (F(1, 98) = 131.929; p < 0.001) in
Table 28 indicates that monitoring risk positively and significantly influences IT
Table 27
Model Summary b
Model R R Square Adjusted R Square Std. Error of the Estimate
1 .757a .574 .569 2.819
a. Predictors: (Constant), MR
b. Dependent Variable: ITE
Table 28
ANOVAb
Model Sum of Squares df Mean Square F Sig.
1 Regression 1048.275 1 1048.275 131.929 .000b
Residuals 778.685 98 7.946
Total 1826.960 99
a. Predictors: (Constant), MR
b. Dependent Variable: ITE
In Table 29, the information presented reveals that the higher the level of monitoring risk,
the greater the IT effectiveness (t(98) = 11.486; p < .001), which suggests that MR makes a
significant contribution to the model (IT effectiveness). The regression model is as
follows:
The information shows that a unit increase in monitoring risk raises IT effectiveness by .585
(i.e., b = .585).
Table 29
Coefficientsa
Model B (unstandardized) Std. Error Beta (standardized) t Sig.
1 (Constant) 10.014 .633 15.828 .000
MR .585 .051 .757 11.486 .000
a. Dependent Variable: ITE
Through this group of research hypotheses (i.e., 2 to 5), the researcher established the
relationship between individual risk management constructs (i.e., FR, AR, RTR, MR) and
information technology effectiveness (ITE). The null hypotheses stated that risk management
constructs are not positively related to IT effectiveness. Table 30 summarizes the test statistics
and regression analysis results. The researcher found that the associations between ITE and FR,
AR, RTR, and MR are positively linear and statistically significant. The researcher rejected all
four null hypotheses. The results emphasized the significance of response to risk (R2 = .587) as a
predictor of IT effectiveness. The analysis data also revealed the significant influence of MR on
ITE (R2 = .574), AR on ITE (R2 = .562), and FR on ITE (R2 = .494).
Table 30
Hypothesis  Variable (DV/IV)  Mean  SD    Correlation with DV (R)  R2    B     Beta  t       Sig.
H2          FR                22.5  9.47                           .494
            ITE               16.5  4.29  .703                           .319  .703  9.790   .000
H3          AR                15.1  7.79                           .562
            ITE               16.5  4.29  .749                           .413  .749  11.204  .000
H4          RTR               7.53  3.84                           .587
            ITE               16.5  4.29  .769                           .858  .769  11.898  .000
H5          MR                11.1  5.56                           .574
            ITE               16.5  4.29  .757                           .585  .757  11.486  .000
Note. B, Beta, t and Sig. are the regression weights; t = test statistical value; DV is dependent variable; IV is independent variable
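As an added worked example (not from the dissertation), the following Python reconstructs every figure in the Model Summary, ANOVA and Coefficients tables of a one-predictor regression from the five summary numbers Table 30 reports: n, the correlation r, and the means and standard deviations of the predictor and of ITE. It uses the ITE SD of 4.296 given in the Hypothesis 3 paragraph and assumes SPSS-style sample SDs (n - 1 denominator); the function names and the CONSTRUCTS dictionary are my own. Running it gives b = .319, intercept 9.32, R2 = .494, t(98) of about 9.79 and F of about 95.8 for FR, and the fitted equation for each of the four constructs, which is a quick way to check a published regression table for internal consistency.

```python
"""Reconstructing a one-predictor regression table from summary statistics.

Added worked example (not from the dissertation). For a bivariate OLS fit
y = a + b*x, every quantity in the Model Summary, ANOVA and Coefficients
tables follows from five numbers: n, the Pearson correlation r, and the
means and standard deviations of x and y. The inputs below are the values
the dissertation reports for each construct (Table 30); the function itself
is generic and works for any bivariate fit.
"""
import math


def regression_from_summary(n, r, mean_x, sd_x, mean_y, sd_y):
    """Return the OLS summary statistics implied by n, r, the means and SDs.

    Assumes sd_x and sd_y are sample SDs (n-1 denominator), as SPSS reports.
    """
    if n < 3:
        raise ValueError("need at least three observations")
    if not -1.0 < r < 1.0:
        raise ValueError("r must lie strictly inside (-1, 1)")
    r2 = r * r
    df_res = n - 2
    b = r * sd_y / sd_x                      # unstandardized slope
    a = mean_y - b * mean_x                  # the line passes through the two means
    ss_total = (n - 1) * sd_y ** 2
    ss_reg = r2 * ss_total
    ss_res = ss_total - ss_reg
    ms_res = ss_res / df_res
    t = r * math.sqrt(df_res / (1.0 - r2))   # t-statistic for the slope (and for r)
    return {
        "b": b,
        "a": a,
        "beta": r,                           # standardized slope equals r with one predictor
        "r2": r2,
        "adj_r2": 1.0 - (1.0 - r2) * (n - 1) / df_res,
        "se_b": math.sqrt(ms_res / ((n - 1) * sd_x ** 2)),
        "t": t,
        "F": t * t,                          # one predictor: F(1, n-2) = t^2
        "ss_reg": ss_reg,
        "ss_res": ss_res,
        "ss_total": ss_total,
        "see": math.sqrt(ms_res),            # std. error of the estimate
        "df_res": df_res,
    }


# Means, SDs and correlations with ITE as reported in Table 30 (ITE: mean 16.5, SD 4.296).
CONSTRUCTS = {
    "FR":  dict(r=0.703, mean_x=22.5,  sd_x=9.47),
    "AR":  dict(r=0.749, mean_x=15.1,  sd_x=7.79),
    "RTR": dict(r=0.769, mean_x=7.53,  sd_x=3.84),
    "MR":  dict(r=0.757, mean_x=11.12, sd_x=5.56),
}


def fitted_equations(n=100, mean_y=16.5, sd_y=4.296):
    """Map each construct to its reconstructed (intercept, slope, R^2, t)."""
    out = {}
    for name, s in CONSTRUCTS.items():
        fit = regression_from_summary(n, s["r"], s["mean_x"], s["sd_x"], mean_y, sd_y)
        out[name] = (fit["a"], fit["b"], fit["r2"], fit["t"])
    return out


if __name__ == "__main__":
    for name, (a, b, r2, t) in fitted_equations().items():
        print(f"ITE = {a:.3f} + {b:.3f} * {name}   R^2 = {r2:.3f}   t(98) = {t:.3f}")
```

With one predictor, Beta equals r and F equals t squared, so the ANOVA and Coefficients tables carry the same test. The adjusted R2 the code returns for RTR is .587, the value Table 24 lists as Adjusted R Square (its R Square is .591).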
The researcher ran independent samples t-tests on each independent variable, and tested
the dependent variable IT effectiveness based on high and low levels to explore comparisons
between groups. In terms of statistical analysis, the t-test is the ideal
mechanism to evaluate data from two groups, highlighting any deviations or differences between
the two. The researcher added the risk-management construct questions scaled from 0 (Not-
determine high and low groups (Table 31). The researcher then analyzed the groups
through tools built into the SPSS software for t-test calculations between the two groups,
The four hypotheses under the four research questions (see Table 32) argued that no
statistically significant distinction exists in the degree of IT effectiveness between firms
that have high or low levels of risk management, particularly frame risk (FR), assessed risk (AR),
response to risk (RTR), and monitoring risk (MR). When testing all four hypothesis statements
(i.e., H2.1 to H5.1), the researcher assigned the dependent variable to the construct ITE, and the
high and low groups of each variable (i.e., FR, AR, RTR, and MR) were the predictor variables
Table 31
Table 32
RQ2.1 Is there a statistically significant difference in the level of IT effectiveness between firms that have high levels of frame risk versus those that have low levels of frame risk?
H2₀.1 There is no significant difference in the level of IT effectiveness between firms that have high levels of frame risk versus those that have low levels of frame risk.
RQ3.1 Is there a statistically significant difference in the level of IT effectiveness between firms that have high levels of assessed risk versus those that have low levels of assessed risk?
H3₀.1 There is no significant difference in the level of IT effectiveness between firms that have high levels of assessed risk versus those that have low levels of assessed risk.
RQ4.1 Is there a statistically significant difference in the level of IT effectiveness between firms that have high levels of response to risk versus those that have low levels of response to risk?
H4₀.1 There is no significant difference in the level of IT effectiveness between firms that have high levels of response to risk versus those that have low levels of response to risk.
RQ5.1 Is there a statistically significant difference in the level of IT effectiveness between firms that have high levels of monitoring risk versus those that have low levels of monitoring risk?
H5₀.1 There is no significant difference in the level of IT effectiveness between firms that have high levels of monitoring risk versus those that have low levels of monitoring risk.
Given that this area of the study seeks to perform a t-test to identify whether differences
exist between the means of the dependent variable and two independent groups, the assumptions
associated with an independent samples t-test must be addressed and not violated. If the
assumptions are not assessed, or are violated, the results could be considered unreliable. The
normality and homogeneity (homoscedasticity) of variance assumptions are evaluated for statistical
significance testing and for testing the equality of variance in each group. The normal distribution
assumption was addressed through inspection of Q-Q plots, because the sample size was greater
than 50. The homogeneity of variance assumption was assessed with Levene's test for homogeneity
of variance.
Test of normality. When assessing normality graphically, researchers often use Q-Q plots
(Marden, 2004). A Q-Q plot indicates that the data are normally distributed when the points
align along the diagonal line. The Q-Q plots in the current study showed that most of the points
fall close to the straight line for FR in both groups (see Figure E1 of Appendix E); AR in both
groups (see Figure E2 of Appendix E); RTR in both groups (see Figure E3 of Appendix E); and MR
in both groups (see Figure E4 of Appendix E). The Q-Q plots confirmed that the assumption of
normality was met for all groupings.
of variance to determine equality in each group. The researcher utilized the Levene’s test for
homogeneity of variance to assess the equality of variances for the two independent group
samples according to the CONSTRUCT_LEVEL variable for each construct (i.e., FR, AR, RTR,
and MR). Levene's test can be used to study the equality of p population variances; it is
robust against departures from normality and does not require equal sample sizes.
Levene's test (significance threshold p = .05; Table 33) gave the following results for the two
independent group samples (i.e., HL-Group and LL-Group) for each construct: FR (p = .002); AR
(p < .001); RTR (p < .001); and MR (p < .001). The results show that the variances of the two
samples differ significantly; therefore, the assumption of homogeneity was violated. To correct
for the violation, the researcher used the unequal-variances results of the t-test for each
construct.
Table 33
Levene's Test for Equality of Variances
Hypothesis Construct Variable F Sig.
H2.1 FR FR_CONSTRUCT_LEVEL 9.673 .002
H3.1 AR AR_CONSTRUCT_LEVEL 23.827 .000
H4.1 RTR RTR_CONSTRUCT_LEVEL 23.441 .000
H5.1 MR MR_CONSTRUCT_LEVEL 23.262 .000
firms that have high levels of frame risk versus those that have low levels of frame risk. To
evaluate the means of the frame risk component for two independent sample groups—LL-Group
(n = 23) and HL-Group (n = 77)—the researcher performed an independent samples t-test. The
data analysis results are displayed in Tables 34 and 35 and the effect size (ES) or strength
between the two means was large based on Cohen’s d (i.e., .8-large, .5-medium, .2-small), and is
The results also show the observed level of significance of p < .001, t = -4.914 with df = 26.1.
The results revealed that FR is more effective in organizations that have high levels of FR (M
= 17.82, SD = 2.98) than in organizations that have low levels of FR (M = 12.17, SD = 5.27). In
addition, the mean difference in FR_CONSTRUCT_LEVEL score was -5.64, and the 95% confidence
interval is between -8.00 and -3.28. This result indicates that if the researcher collected a large
sample of high-level and low-level FR participants, the researcher might estimate that 95% of the
scores for FR would fall between -8.00 and -3.48, and a mean difference of -5.64 would exist for
the FR HL-Group and LL-Group. In sum, a statistically significant difference exists between
groups that have low and high levels of FR (M = -5.64, 95% CI [-8.00, -3.24], t(26.17) = -4.91, p
< .001, d = 1.32); therefore, the researcher accepted the alternate hypothesis that there is a
significant difference in the level of IT effectiveness between firms that have high levels of
frame risk versus those that have low levels of frame risk.
Table 34
Group Statistics for LL-Group (n = 23) and HL-Group (n = 77). Total Frame Risk Scores for 20 Items
Group     N   Mean   Std. Deviation  Std. Error Mean
LL-Group  23  12.17  5.271           1.099
HL-Group  77  17.82  2.928           .334
Note. N = number of subjects
Table 35
                             t       df      Sig. (2-tailed)  Mean Difference  Std. Error Difference  95% CI Lower  95% CI Upper
Equal variances assumed      -6.617  98      .000             -5.644           .853                   -7.337        -3.952
Equal variances not assumed  -4.914  26.177  .000             -5.644           1.149                  -8.005        -3.284
Note. t = test statistical value; df = degrees of freedom; p value (two-tailed)
firms that have high levels of assessed risk versus those that have low levels of assessed
risk. To evaluate the means of the assessed risk component for two independent sample groups,
LL-Group (n = 33) and HL-Group (n = 67), the researcher performed an independent samples t-test.
The data analysis results are displayed in Tables 36 and 37. The ES or strength between the
two means was large (i.e., .8-large, .5-medium, .2-small), which is expressed in the following
calculation:
The results also show the observed level of significance of p < .001, t = -5.078 with df =
38.54. The results illustrate that AR is more effective in organizations that have high levels of
5.32). In addition, the mean difference in AR_CONSTRUCT_LEVEL score was -4.93, and the
95% confidence interval is between -6.90 and -2.97. This result indicates that if the researcher
collected a large sample of high-level and low-level AR participants, the researcher might
estimate that 95% of the scores for AR would fall between -6.90 and -2.97, and the mean difference
score would be around -4.93 for the AR HL-Group and LL-Group. In sum, a statistically significant
difference exists between groups that have high and low levels of AR (M = -4.93, 95% CI [-6.90,
-2.97], t(38.54) = -5.078, p < .001, d = 1.22); therefore, the researcher accepted the alternate
hypothesis that there is a significant difference in the level of IT
effectiveness between firms that have high levels of assessed risk versus those that have low
Table 36
Group Statistics for LL-Group (n = 33) and HL-Group (n = 67). Total Assessed Risk Scores for 20 Items
Group     N   Mean   Std. Deviation  Std. Error Mean
LL-Group  33  13.21  5.325           .927
Table 37
                             t       df      Sig. (2-tailed)  Mean Difference  Std. Error Difference  95% CI Lower  95% CI Upper
Equal variances assumed      -6.404  98      .000             -4.937           .771                   -6.467        -3.407
Equal variances not assumed  -5.078  38.542  .000             -4.937           .972                   -6.905        -2.970
Note. t = test statistical value; df = degrees of freedom; p value (two-tailed)
firms that have high levels of response to risk versus those that have low levels of response
to risk. To evaluate the means of the response to risk component for two independent sample
samples t-test. The data analysis results are displayed in Tables 38 and 39 and the ES or strength
between the two means was large (i.e., .8-large, .5-medium, .2-small), and is expressed in the
following calculation:
35.10. The results also revealed that RTR is more effective with organizations that have high
levels of RTR (M = 18.28, SD = 2.22) than organizations that have low levels of RTR (M =
5.56, and the 95% confidence interval is between -7.62 and -3.69. This result indicates that if the
researcher collected a large sample of high-level and low-level RTR participants, the
researcher might estimate that 95% of the scores for RTR would fall between -7.62 and -3.69, and a
mean score difference of -5.66 would exist for the RTR HL-Group and LL-Group. In sum, a
statistically significant difference exists between groups that have high and low levels of RTR
(M = -5.66, 95% CI [-7.62, -3.69], t(35.10) = -5.853, p < .001, d = 1.42); therefore, the researcher
accepted the alternate hypothesis that there is a significant difference in the level
of IT effectiveness between firms that have high levels of response to risk versus those that have
Table 38
Group Statistics for LL-Group (n = 31) and HL-Group (n = 69). Total Response to Risk Scores for 20 Items
Group     N   Mean   Std. Deviation  Std. Error Mean
LL-Group  31  12.61  5.175           .929
Table 39
                             t       df      Sig. (2-tailed)  Mean Difference  Std. Error Difference  95% CI Lower  95% CI Upper
Equal variances assumed      -7.675  98      .000             -5.662           .738                   -7.127        -4.198
Equal variances not assumed  -5.853  35.101  .000             -5.662           .967                   -7.626        -3.699
Note. t = test statistical value; df = degrees of freedom; p value (two-tailed)
firms that have high levels of monitoring risk versus those that have low levels of
monitoring risk. To evaluate the means of the monitoring risk component for two independent
independent samples t-test. The data analysis results are displayed in Tables 40 and 41 and the
ES or strength between the two means was large (i.e., .8-large, .5-medium, .2-small), and is
The results revealed the observed level of significance of p < .001, t = -5.855 with df =
42.68. The results also revealed that MR is more effective in organizations that have high
levels of MR (M = 18.39, SD = 2.21) than in organizations that have low levels of MR (M = 13.19,
SD = 5.05). Also, the mean difference in MR_CONSTRUCT_LEVEL score was -5.19, and the
95% confidence interval is between -6.98 and -3.40. This result indicates that if the researcher
collected a large sample of high-level and low-level MR participants, the researcher might
estimate that 95% of the scores for MR would fall between -6.98 and -3.40, and a mean score
difference of around -5.19 would exist for the MR HL-Group and LL-Group. In sum, a statistically
significant difference exists between groups that have high and low levels of FR (M = -5.19, 95%
CI [-6.98, -3.40], t(42.68) = -5.855, p < .001, d = 1.33); therefore, the researcher accepted the
alternate hypothesis that there is a significant difference in the level of IT
effectiveness between firms that have high levels of monitoring risk versus those that have low
Table 40
Group Statistics for LL-Group (n = 36) and HL-Group (n = 64). Total Monitoring Risk Scores for 20 Items
Group     N   Mean   Std. Deviation  Std. Error Mean
LL-Group  36  13.19  5.059           .843
Table 41
                             t       df      Sig. (2-tailed)  Mean Difference  Std. Error Difference  95% CI Lower  95% CI Upper
Equal variances assumed      -7.113  98      .000             -5.196           .730                   -6.646        -3.747
Equal variances not assumed  -5.855  42.684  .000             -5.196           .887                   -6.986        -3.406
Note. t = test statistical value; df = degrees of freedom; p value (two-tailed)
The research hypotheses group (i.e., 2.1 to 5.1) assessed the high- and low-level grouping
between each individual risk management factor (i.e., FR, AR, RTR, MR) and information
technology effectiveness (ITE). The null hypotheses stated that regarding risk management
constructs, there was no significant difference between high and low levels. Table 42
summarizes the t-test results for all hypothesis statements. The researcher rejected all of the
hypotheses (i.e., 2.1 to 5.1). The high and low groupings of FR (t(26.17) = -4.91; p < .001); AR
(t(38.54) = -5.078; p < .001); RTR (t(35.10) = -5.853; p < .001); and MR (t(42.68) = -5.855; p
Table 42
Hypothesis  Risk Management Factor  t       df      Sig. (2-tailed)  Mean Difference  Std. Error Difference  95% CI Lower  95% CI Upper
H2.1        FR                      -4.914  26.177  .000             -5.644           1.149                  -8.005        -3.284
H3.1        AR                      -5.078  38.544  .000             -4.937           .972                   -6.905        -2.970
H4.1        RTR                     -5.853  35.101  .000             -5.662           .967                   -7.626        -3.699
H5.1        MR                      -5.855  42.684  .000             -5.196           .887                   -6.986        -3.406
Note. t = test statistical value; df = degrees of freedom; p value (two-tailed)
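As an added worked example (not from the dissertation), the following Python recomputes the "Equal variances not assumed" row of Tables 35, 39 and 41 from nothing more than each group's n, mean and SD in Tables 34, 38 and 40: that row is Welch's t-test with Welch-Satterthwaite degrees of freedom, which is what SPSS reports there. It then computes Cohen's d two ways. The function names and the GROUPS dictionary are my own; the group values are the page's, and AR is left out because only its LL-Group row appears in Table 36. The d values the text reports (1.32, 1.42, 1.33) are reproduced when the standardizer is the root mean square of the two group SDs, Cohen's original definition; the df-weighted pooled SD that most software uses gives noticeably larger values (about 1.57 for FR) because the low-level groups are both smaller and more dispersed, so the code returns both.

```python
"""Welch's t-test and Cohen's d from group summary statistics.

Added worked example (not from the dissertation). SPSS's "Equal variances not
assumed" row is Welch's t-test; it needs only each group's n, mean and SD, so
the rows of Tables 34, 38 and 40 are enough to reproduce Table 42. The group
values below are the ones reported there.
"""
import math


def welch_t(n1, m1, s1, n2, m2, s2):
    """Welch's t, Welch-Satterthwaite df, and the std. error of the difference.

    Group 1 is the LL-Group and group 2 the HL-Group, so t is negative when
    the high-level group scores higher. Assumes sample SDs (n-1 denominator).
    """
    v1, v2 = s1 ** 2 / n1, s2 ** 2 / n2       # variances of the two group means
    se = math.sqrt(v1 + v2)
    t = (m1 - m2) / se
    df = (v1 + v2) ** 2 / (v1 ** 2 / (n1 - 1) + v2 ** 2 / (n2 - 1))
    return t, df, se


def cohens_d(n1, m1, s1, n2, m2, s2, pooled=False):
    """Standardized mean difference |m1 - m2| / s.

    pooled=False uses Cohen's original standardizer, the root mean square of
    the two SDs; pooled=True weights each variance by its degrees of freedom,
    as most modern software does. With unequal group sizes and unequal SDs
    the two can differ noticeably.
    """
    if pooled:
        s = math.sqrt(((n1 - 1) * s1 ** 2 + (n2 - 1) * s2 ** 2) / (n1 + n2 - 2))
    else:
        s = math.sqrt((s1 ** 2 + s2 ** 2) / 2.0)
    return abs(m1 - m2) / s


# (n, mean, SD) for LL-Group and HL-Group, from Tables 34, 38 and 40.
GROUPS = {
    "FR":  ((23, 12.17, 5.271), (77, 17.82, 2.928)),
    "RTR": ((31, 12.61, 5.175), (69, 18.28, 2.220)),
    "MR":  ((36, 13.19, 5.059), (64, 18.39, 2.210)),
}


def group_comparison(name):
    """Return (t, df, se, d_rms, d_pooled) for one construct in GROUPS."""
    (n1, m1, s1), (n2, m2, s2) = GROUPS[name]
    t, df, se = welch_t(n1, m1, s1, n2, m2, s2)
    return (t, df, se,
            cohens_d(n1, m1, s1, n2, m2, s2),
            cohens_d(n1, m1, s1, n2, m2, s2, pooled=True))


if __name__ == "__main__":
    for name in GROUPS:
        t, df, se, d_rms, d_pooled = group_comparison(name)
        print(f"{name}: t({df:.2f}) = {t:.3f}, SE = {se:.3f}, "
              f"d = {d_rms:.2f} (rms SD) / {d_pooled:.2f} (pooled SD)")
```

The small differences from the tables (for example t = -4.919 against -4.914 for FR) come from the group means and SDs being rounded to two or three decimals in the tables. The confidence-interval columns need a Student t quantile at the Welch df, which the standard library does not provide, so they are not reproduced here.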
differences that are significant with regard to IT effectiveness. The researcher performed an
ANOVA to evaluate the null hypothesis statement (Table 44), which asserted that industry sector IT
effectiveness levels do not differ. To obtain the mean, standard deviation, and 95% confidence
intervals, the researcher first conducted a descriptive statistics analysis for the independent
variable industry sector (i.e., advertising and marketing, airlines, automotive, construction,
financial services, insurance, nonprofit, retail, utilities, and others) and the dependent variable IT
effectiveness. In the following sections, the researcher presents the results of the ANOVA
analysis.
Table 43
industry sectors. Hypothesis 6 suggested that the level of IT effectiveness is identical amongst
industry sectors. The researcher ran a one-way ANOVA to assess this hypothesis. Table 45
displays the mean IT effectiveness score in each sector: advertising and marketing 15.25 (N = 4; SD =
4.64); airlines 17.0 (N = 1; SD = 0); automotive 20.0 (N = 1; SD = 0); construction
16.29 (N = 17; SD = 4.56); entertainment 9.50 (N = 2; SD = 9.19); financial services
15.25 (N = 4; SD = 8.342); food and beverage 14.57 (N = 7; SD = 5.62); healthcare and
4.06); insurance was 19.5 (N = 2; SD = 2.12); nonprofit was 16.75 (N = 4; SD = 2.63); retail was
that states that population variance within each group should be comparable. The researcher
performed a test for similar variances; Table 46 illustrates the results of the Levene's test. The
results show that the homogeneity of variances assumption was met, because the test statistic had
Table 44
Table 45
The ANOVA data presented in Table 47 illustrate whether the 13 industry
sectors have statistically significant differences within and between groups. The results
demonstrated that there are no statistically significant differences in the level of IT
effectiveness amongst the industry sectors (N = 100; F(12, 87) = .879; p = .570). Due to these
Table 46
Hypothesis 6 assessed whether the level of IT effectiveness among industry sectors was
significantly different. The null hypothesis argued that the level of IT effectiveness was the same
amongst industry sectors. The researcher did not reject this hypothesis statement. The results and
test statistics (N = 100; F(12, 87) = .879; p = .570) from the ANOVA analysis indicated that IT
Through the various statistical analyses utilized in the study, the researcher assessed the
relationship between risk management constructs and IT effectiveness. To address the research
problem, the researcher proposed six main research questions and four sub-questions. Through
Research Question 1, the researcher sought to establish the relationships between risk
management constructs and IT effectiveness. According to the results of the multiple regression
analysis, there is a statistically significant relationship between FR, AR, RTR, MR and ITE. The
results emphasized the consistent value of FR, AR, RTR and MR as predictors of IT
between individual risk management constructs (i.e., FR, AR, RTR, and MR) and IT
effectiveness. The regression analysis results showed that there is a statistically significant
relationship between each of FR, AR, RTR, and MR and ITE. The results emphasized the consistent
value of RTR (R2 = .587) as a predictor of ITE. The results also showed that MR to ITE (R2 =
.574), AR to ITE (R2 = .562), and FR to ITE (R2 = .494) also provided significant contributions.
Research Questions 2.1 to 5.1 assessed comparisons between groups based on the high
and low levels of each independent variable. The independent samples t-test results revealed FR
(p < .001), AR (p < .001), RTR (p < .001), and MR (p < .001) to be statistically significant (i.e.,
p < .05).
Through Research Question 6, the researcher analyzed whether there were any
evaluated 13 industry sectors with regard to IT effectiveness. The results from the ANOVA
analysis revealed that there were no differences amongst industry sectors regarding IT
effectiveness.
CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS
Overview
The global financial crisis introduced a wave of regulatory developments for many large
organizations. The new regulatory landscape has placed significant demands on organizations in
such areas as risk culture, information systems and technology data, operational risk, stress tests,
capital adequacy, risk appetite, and corporate governance. In addition, cyber attacks on
corporations have increased dramatically, requiring organizations to reinforce the protections for
customer data and information systems. Organizations must not only comply with new
regulatory priorities and specifications, they also need the variability to acknowledge the next
surveyed organizations noted that their board of directors presently devote more time to
addressing risk than they did years ago. Deloitte also mentioned that it has become a regulatory
expectation for organizations to have an ERM program in place; 92% of participants said
their institution either was in the process of implementing one or had an ERM program in place,
Despite the increased level of risk management adoption, many organizations,
enterprises, and individual users still have not implemented a risk management strategy. In
present-day literature, issues related to trust, privacy, and security are at the top of the list of
issues for many potential users. In many cases, organizational management teams view
governance programs and risk assessments as optional, and it is not unusual for
evaluation first. Without a formal risk evaluation, the implementation could contain threats or
vulnerabilities that could be disastrous to the organization. The situation mentioned shows that it
The rationale for this quantitative research study was to determine the level of influence
contained within the study helps to fill a gap by addressing how an organization's risk
management practices and procedures affect the organization's ability to provide adequate IT
effectiveness. In essence, the study is the first of its kind to provide empirical evidence of which
enterprise risk management constructs affect the organization's IT effectiveness the most. The
results from the study help organizations, regardless of size or type, make better judgments
regarding risk-management practices from the perspective of their level of significance to the
organization's IT effectiveness. The findings from this study are founded on the survey
feedback received from 100 IT professionals from U.S.-based firms listed as Fortune
1000 companies.
The researcher designed this quantitative correlational study to research the degree to
The dependent variable was IT effectiveness; and the independent variables were frame risk,
assessed risk, response to risk, and monitoring risk. The omnibus research question (i.e., RQ1)
and the main and sub-research questions and hypotheses were as follows:
RQ1: What is the nature of the relationship between risk management constructs and IT
effectiveness?
H1₀: There is no significant relationship between risk management constructs and IT
effectiveness.
effectiveness.
RQ2: What is the nature of the relationship between frame risk and IT effectiveness?
firms that have high levels of frame risk versus those that have low levels of frame risk?
that have high levels of frame risk versus those that have low levels of frame risk.
H2ₐ.1: There is a significant difference in the level of IT effectiveness between firms that
have high levels of frame risk versus those that have low levels of frame risk.
RQ3: What is the nature of the relationship between assessed risk and IT effectiveness?
firms that have high levels of assessed risk versus those that have low levels of assessed risk?
that have high levels of assessed risk versus those that have low levels of assessed risk.
H3ₐ.1: There is a significant difference in the level of IT effectiveness between firms that
have high levels of assessed risk versus those that have low levels of assessed risk.
RQ4: What is the nature of the relationship between response to risk and IT
effectiveness?
firms that have high levels of response to risk versus those that have low levels of response to
risk?
that have high levels of response to risk versus those that have low levels of response to risk.
H4ₐ.1: There is a significant difference in the level of IT effectiveness between firms that
have high levels of response to risk versus those that have low levels of response to risk.
RQ5: What is the nature of the relationship between monitoring risk and IT
effectiveness?
firms that have high levels of monitoring risk versus those that have low levels of monitoring
risk?
that have high levels of monitoring risk versus those that have low levels of monitoring risk.
H5ₐ.1: There is a significant difference in the level of IT effectiveness between firms that
have high levels of monitoring risk versus those that have low levels of monitoring risk.
RQ6: Is there a difference in the level of IT effectiveness among industry sectors?
sectors?
Through the multiple regression analysis employed for Research Question 1, the
researcher sought to establish the relationship between risk management constructs and IT
effectiveness. The null hypothesis stated that there is no significant relationship between risk
management constructs and IT effectiveness. The null hypothesis was not supported and was
therefore rejected. The results showed that there is a statistically significant relationship between
the risk-management constructs FR, AR, RTR, and MR and IT effectiveness. The results indicate
that many organizations believe that the responses to risk (i.e., RTR) should be addressed first,
and then MR, AR, and FR can be implemented. This result could be associated with the
complexity of risk management implementation and the level of uncertainty in regard to the
proper risk management procedures to put into place. In addition, organizations may view the
response to the risk as being a priority, because the risk itself could have a huge impact on the
Through the linear regression analyses employed for the Research Questions 2 to 5, the
researcher attempted to establish the relationship between IT effectiveness and the risk-
management constructs of frame risk, assessed risk, response to risk, and monitoring risk. The
null hypotheses stated that there is no significant relationship between each risk management
factor and IT effectiveness. None of the null hypotheses (i.e., 2 to 5) was supported, and all
were rejected. An assessment is provided below of the associations amongst the constructs, their
significance, and their accordance with previous studies. It was revealed that there is a statistically
frame risk (R2 = .494), assessed risk (R2 = .562), response to risk (R2 = .587), and monitoring risk
(R2 = .574). The results provided evidence that risk management constructs are effective
predictors of IT effectiveness, and imply that efficient risk management practices greatly
The results presented supported the research conducted by Nair, Rustambekov, McShane,
and Fainshmidt (2014), which found that ERM capability is associated positively with firm
profitability. The information presented is also in agreement with earlier studies that have shown
favorable association between firm value and risk management (McShane, Nair, &
Rustambekov, 2011); firm performance and ERM (Nickmanesh, Zohoori, Happy & Akbari,
2013; Ping & Muthuveloo, 2015); ERM and program quality (Baxter et al., 2013); and ERM and
business performance (Fadun, 2013). In essence, the results showed that the correlation between
risk management and IT effectiveness is associated with the organization’s current procedures
and processes in place that enable the organization to address risks before they occur. In
summary, an organization's current policies and procedures regarding its risk frame, ability to
assess risk, response to risk, and monitoring capabilities help increase its overall effectiveness.
Discussion and Summary of the T-Test Analysis
The research hypotheses group (i.e., 2.1 to 5.1) assessed the high- and low-level grouping
between each risk management factor (i.e., FR, AR, RTR, MR) and information technology
effectiveness (ITE). The null hypotheses stated that regarding risk management constructs, no
significant differences existed between high and low levels. The researcher ran an independent
sample t-test to assess whether distinctions existed. All of the null hypotheses (i.e., 2.1 to 5.1)
were not supported and were rejected. The high and low groupings of FR (t(26.17) = -4.91, p < .001,
d = 1.32), AR (t(38.54) = -5.078, p < .001, d = 1.22), RTR (t(35.10) = -5.853, p < .001,
d = 1.42), and MR (t(42.68) = -5.855, p < .001, d = 1.33) were statistically significant (p < .05).
The information presented shows that between groups, IT effectiveness levels do differ.
Moreover, the results show that organizations that have high levels of risk management have
Through the ANOVA analysis employed for Research Question 6, the researcher sought
to discover if industry sectors influence their level of IT effectiveness. The null hypothesis stated
that the level of IT effectiveness among industry sectors did not differ. The researcher rated 12
information technology, healthcare and pharmaceuticals, food and beverage, financial services,
insurance, nonprofit, retail, utilities, and energy—based on IT effectiveness in each sector. The
analysis showed that the null hypothesis was not rejected, suggesting that industry sector IT
effectiveness does not differ significantly. In sum, there is no significant difference between the
industry sectors regarding the level of IT effectiveness, meaning that IT effectiveness should not
be gauged by industry sector for each organization; in each industry sector, organizational
Conclusions
There exists a considerable amount of research in which scholars have explored the
constructs of risk management and the overall effectiveness of its implementation from a single
and paired factor perspective. Mensah (2015) studied the factors associated with the effective
alignment, risk management, portfolio control, and the relationship of these factors to IT
governance. Salifou (2016) explored the efficiency of the COSO’s ERM model in obtaining
enhanced value, competitive advantage, and organizational strategy. The current study differs
from those studies by filling an information gap in the literature by focusing on risk management
constructs (i.e., FR, AR, RTR, and MR) that affect the strategic objectives of the organization, by
way of first ensuring IT effectiveness and business assurance, then addressing the factors that have
less impact on the business process. Regarding IT effectiveness, many IT executives in various
According to the survey data collected, the opinion mentioned is shared by many IT executives
in various U.S. industries. The regression results emphasized the significance of RTR (R2 = .587)
as a predictor of ITE when compared to the other constructs. Strengthening an organization's
organization has appropriate monitoring practices in place, it can improve the organization's IT
effectiveness as well once risk has been addressed. Moreover, the multiple regression results in
Table 14 show that all four constructs influence IT effectiveness at the same level of significance (p <
0.001).
From a scholarly perspective, no empirical studies exist in the literature in which scholars have
assessed the construct correlations regarding frame risk, assessed risk, response to risk,
monitoring risk, and IT effectiveness. This study helps to fill that particular gap. The study's
findings have provided a significant contribution to the study of IT effectiveness and risk
management and could be utilized by researchers, IT executives, and other stakeholders in order
Limitations
The purpose of this non-experimental quantitative correlational study was to assess the
constructs and correlations associated with enterprise risk management and IT effectiveness. One
of the study's limitations lies in its focus on only U.S.-based organizations. By focusing on U.S.-
based organizations, the researcher could not make any assumptions about obtaining the same
results for organizations in other countries. Another limitation was that participants were only
individuals in IT that had experience with the organization's risk-management practices. The
study's results cannot be generalized to organizations that do not have risk-management practices
in place. In addition, the study was limited by only addressing four constructs; it would be
beneficial if future scholars expanded the study scope to address the governance procedures
throughout the organization, since governance has a significant impact on an organization's IT
effectiveness as well.
Implications
Practical Implications
The results from this non-experimental quantitative correlational study have implications
for IS practitioners, managers, and academia in an area of study that has not been thoroughly
investigated. This research study helps to fill some of the existing gaps between practice and
theory regarding risk management. The information contained within the research study could be
used as a starting point for developing new theory-based guidelines to govern the enterprise risk
could be an aid for developing, maintaining, and improving risk management strategies once an
organization has an understanding of how the organizational context and IT effectiveness affect
overall performance. Empirical insight into the risk constructs that could influence IT
effectiveness success or failure is another implication from the information presented in the
study.
organizations is presented. Due to the growing number of reported security breaches in the past
few years, contemporary approaches to security management need to be addressed from a more
holistic perspective (Broom, 2009; Taylor, 2014). IS professionals could use the results from the
research study as a starting point for determining what areas of their current risk-management
Theoretical Implications
Often, security issues are associated with topics regarding protective mechanisms, rather than the
organizations’ risk management practices (Kiselitsa & Shilova, 2016; Wu, Olson, & Dolgui,
2015). The findings presented in the current research study could provide empirical evidence that
there exists a direct correlation between organizational enterprise risk management practices and
IT effectiveness. Furthermore, the researcher discovered evidence that RMF could be expanded
to serve as a useful framework to assess IT effectiveness as well. The research results are
consistent with prior research on risk management regarding enterprise risk management having
Recommendations
The information presented in this study provides new empirical evidence that risk-
management constructs have a positive correlation with IT effectiveness. The findings presented
are consistent with other studies on risk management that have shown correlations between an
organization’s effectiveness and its risk management strategies (Mensah, 2015; Parry, 2014;
Spicer, 2006). In addition, the results of this study provide additional evidence that an
organization's risk management constructs combined have correlation with IT effectiveness. The
recommendation offered by the study is that organizations should attempt to understand the
risk-related constructs that affect the deployment of an integrated risk management system and
consider the influence of the organizational structure when considering the efficiency of the
system.
expanding the research study to address governance practices, scholars could provide insight into
how issues such as SOX compliance affect IT effectiveness since both risk-management
constructs and governance factors affect internal controls. The researcher also recommends that
scholars carry such future studies out from a qualitative perspective to explore the dynamic
experiences of the study's participants. The information provided could provide additional
organizational hierarchy impacts risk management practices. The information presented could
provide insight into how an organization's chain of command affects implementation and
effectiveness. In addition, future researchers could investigate whether additional factors such as
(a) organization risk culture, (b) growth rate, (c) firm size, and (d) board independence impact IT
effectiveness. Lastly, future scholars could evaluate value creation through risk management and
IT effectiveness. The results from the study could provide comprehension into how a
Final Remarks
The purpose of this non-experimental quantitative correlational study was to assess the
constructs and correlations of enterprise risk management and IT effectiveness. The researcher
intended to provide organizations with significant data on the risk-management constructs that
influence their organization's IT effectiveness the most. The researcher also intended to help
organizations determine which individual risk construct regarding the (a) organizational risk
frame, (b) risk assessment processes, (c) risk response procedures, and (d) monitoring procedures
were affecting IT effectiveness. In addition, the information presented is also beneficial to risk
auditors in deciding which risk management processes are crucial for many
organizations. The research comprised question formulation, hypothesis testing, and data
analysis that addressed risk management relationships and the degree to which those
relationships could contribute real organizational value. Two different theoretical ideas and a risk
The information flow theory (IFT) developed by Barwise and Seligman (1997) provided a
mathematical framework that models the laws governing information flow in distributed
systems. The catastrophe theory created by French scientist Thom (1972) addressed concepts
and rules about the steady and discontinuous state of an item. Also, the risk management
framework (RMF) created by the National Institute of Standards and Technology (NIST)
provides the basis for the non-experimental quantitative correlational study by addressing the
four crucial components to a successful risk management program: (a) frame risk, (b) assessed
The findings from the data analysis allowed conclusions to be made about the four risk
foundations for future research on risk management or any study on IT effectiveness. The
RQ1: What is the nature of the relationship between risk management constructs and IT
effectiveness? The researcher determined that a statistically significant relationship exists between
RQ2: What is the nature of the relationship between frame risk and IT effectiveness? In
response to this question, the researcher determined that there is a positive relationship between
firms that have high levels of frame risk versus those that have low levels of frame risk? In
response to this question, the researcher determined that there is a statistically significant
difference in the level of IT effectiveness between firms that have high levels of frame risk
RQ3: What is the nature of the relationship between assessed risk and IT effectiveness?
In response to this question, the researcher found that there is a positive relationship between
firms that have high levels of assessed risk versus those that have low levels of assessed risk?
The researcher found that there is a statistically significant difference in the level of IT
effectiveness between firms that have high levels of assessed risk versus those that have low
RQ4: What is the nature of the relationship between response to risk and IT
effectiveness? In response to this question, the researcher found a positive relationship between
firms that have high levels of response to risk versus those that have low levels of response to
risk? In response to this question, the researcher determined that there is a statistically significant
difference in the level of IT effectiveness between firms that have high levels of response to risk
RQ5: What is the nature of the relationship between monitoring risk and IT
effectiveness? The researcher found a positive relationship between monitoring risk and IT
effectiveness.
firms that have high levels of monitoring risk versus those that have low levels of monitoring
risk? The researcher determined that there is a statistically significant difference in the level of
IT effectiveness between firms that have high levels of monitoring risk versus those that have
RQ6: Is there a difference in the level of IT effectiveness among industry sectors? The
researcher found that there is no difference in the level of IT effectiveness among industry
sectors.
REFERENCES
AFP. (2015). 2015 AFP risk survey report of survey results. Retrieved from
http://www.oliverwyman.com
Ahmed, I., & Manab, N. A. (2016a). Influence of enterprise risk management success factors on
http://www.econjournals.com/
Ahmed, I., & Manab, N. A. (2016b). Moderating role of board equity ownership on the
21-28. http://www.ijmrr.com
Ahmad, W. A., & Mohammad, B. (2012). Can a single security framework address information
AICPA. (2015). 2015 report on the current state of enterprise risk oversight: Updates on trends
Brâncuşi Din Târgu Jiu : Seria Economie, 1(6), 107-109. Retrieved from
http://www.utgjiu.ro/
Anquillare, M. (2010). ERM helps risk managers cross barriers within, outside company.
http://www.propertycasualty360.com/National-Underwriter-Property-Casualty/
AON. (2015). Global risk management report. Retrieved from http://www.aon.com
Arena, M., Arnaboldi, M., & Azzone, G. (2010). The organizational dynamics of enterprise risk
doi:10.1016/j.aos.2010.07.003
Arnold, V., Benford, T., Canada, J., & Sutton, S. G. (2011). The role of strategic enterprise risk
doi:10.1016/j.accinf.2011.02.002
Babu, M. S., Babu, A. M., & Sekhar, M. C. (2013). Enterprise risk management integrated
Bahtit, H., & Regragui, B. (2013). Risk Management for ISO 27005 decision support.
Ballantyne, R. (2013). An empirical investigation into the association between enterprise risk
Bani, J. (2011). Assessing the relationships among information technology flexibility, IT-business
Baroudi, J. J., & Orlikowski, W. J. (1988). A short-form measure of user information
Barwise, J., & Seligman, J. (1997). Information flow: the logic of distributed systems. New York,
Baxter, R., Bedard, J. C., Hoitash, R., & Yezegel, A. (2013). Enterprise risk management
program quality: Determinants, value relevance, and the financial crisis. Contemporary
collection.library.ethz.ch/eserv/eth:969/eth-969-02.pdf
Beasley, M. S., Clune, R., & Hermanson, D. R. (2005). Enterprise risk management: An
Belinskaja, L., & Velickiene, M. (2015). Business risk management: Features and problems in
Publications.
Berry-Stölzle, T. R., Altuntas, M., & Hoyt, R. E. (2011). Implementation of enterprise risk
Bitglass. (2015). Bitglass cloud adoption report. Retrieved from http://www.bitglass.com
Bojanc, R., & Jerman-Blažič, B. (2013). A quantitative model for information-security risk
doi:10.1080/10429247.2013.11431972
Bologa, A., & Bologa, R. (2011). A perspective on the benefits of data virtualization technology.
Bradley, R. V., Pratt, R. M. E., Byrd, T. A., Outlay, C. N., & Wynn, D. E., Jr. (2012).
2575.2011.00379.x
Broom, A. (2009). Security consolidation and optimisation: Gaining the most from your IT
Brown, J. (2013). Creating an ERM culture requires people. Financial Executives International,
Bulmer, M., Gibbs, J., & Hyman, L. (2010). Social measurement through social surveys: An
Burke, M. F. (2011). It effectiveness and flexibility versus strategic alignment: Assessing the
Byrd, T. A., & Davidson, N. W. (2006). An empirical examination of a process-oriented IT
doi:10.1007/s10799-006-8100-z
Caldarelli, A., Fiondella, C., Maffei, M., Spanò, R., & Zagaria, C. (2012). Towards an ethical
enterprise risk management: The case of an Italian mutual credit cooperative bank.
Carden, L. L., Boyd, R. O., & Valenti, A. (2015). Risk management and corporate governance:
Safety and health work model. Southern Journal of Business and Ethics, 7(1), 137-148.
Carrel, P. (2010). The handbook of risk management: Implementing a post crisis corporate
Wiley.
Available from ProQuest Dissertations and Theses database. (UMI No. 3426510)
Chebrolu, S. B., & Ness, L. (2013). How does alignment of business and IT strategies impact
Cohen, J. (1998). Statistical power analysis for the behavioral sciences (2nd ed.). Hillsdale, NJ:
Lawrence Erlbaum.
Cook, L. A. (2011). Assessing the relationship of virtualization, strategic alignment, and
Cooper, C. R., & Schindler, P. S. (2008). Business research methods (10th ed.). Boston, MA:
McGraw-Hill.
Cooper, R. B., & Quinn, R. E. (1993). Implications of the competing values framework for
doi:10.1002/hrm.3930320109
COSO. (2004). Enterprise risk management framework: Integrated framework. Retrieved from
www.erm.coso.org.
COSO. (2011). Embracing enterprise risk management: Practical approaches for getting
Crockford, G. N. (1982). The bibliography and history of risk management: Some preliminary
doi:10.1057/gpp.1982.10
Curtis, P., & Carey, M. (2012). Risk assessment in practice. Retrieved from
http://www2.deloitte.com/content/dam/...Risk.../dttl-grc-riskassessmentinpractice.pdf
Đapić, M., Popović, P., Lukić, Lj., & Mitrović, R. (2012). Risk assessment
concept in the new approach directives and its integration in the enterprise risk
http://scindeks.ceon.rs/journaldetails.aspx?issn=0350-0373&lang=en
Das, B. S. (2015). NIST frameworks vs COSO risk management framework. Retrieved from
https://www.researchgate.net/publication/272886636_NIST_Framework_vs_COSO_framework
Deloitte. (2014). Global risk management survey. Retrieved from http://www2.deloitte.com
Delone, W. H., & McLean, E. R. (1992). Information system success: The quest for the
Dickinson, G. (2001). Enterprise risk management: Its origins and conceptual foundation. The
Geneva Papers on Risk and Insurance: Issues and Practice, 26(3), 360-366.
doi:10.1111/1468-0440.00121
Dionne, G. (2013). Risk management: History, definition, and critique. Risk Management and
Driscoll, M. (2014). Enterprise risk management: Seven imperatives for process excellence.
https://www.apqc.org/knowledge-base/documents/enterprise-risk-management-seven-imperatives-process-excellence-infographic
Eick, C. L. M. (2003). Factors that promote effective risk management at universities classified
dissertation). Available from ProQuest Dissertations and Theses database. (UMI No.
3095782)
Ein-Dor, P., & Segev, E. (1978). Organizational context and the success of management
Ein-Dor, P., Segev, E., & Steinfeld, A. (1980). Use of management information systems: An
Everett, C. (2011). A risky business: ISO 31000 and 27005 unwrapped. Computer Fraud &
Fadun, O. S. (2013). Risk management and risk management failure: Lessons for business
Faris, S., Hasnaoui, S. E., Medromi, H., Iguer, H., & Sayouti, A. (2014). Toward an effective
agent systems, ITIL, ISO 27002, ISO 27005. International Journal of Advanced
Farrell, M., & Gallagher, R. (2015). The valuation implications of enterprise risk management
Faul, F., Erdfelder, E., Lang, A. G., & Buchner, A. (2007). G* power 3: A flexible statistical
power analysis program for the social, behavioral, and biomedical sciences. Behavior
Research Methods, 39(2), 175-191. Retrieved from
http://www.springer.com/psychology/cognitive+psychology/journal/13428
Ferrer, R. C., & Mallari, N. C. (2011). Speculative and pure risks: Their impact on firms'
Field, A. (2009). Discovering statistics using SPSS (3rd ed.). New Jersey, NJ: Sage.
Franz, C. R., & Robey, D. (1986). Organizational context, user involvement, and the usefulness
doi:10.1111/j.1540-5915.1986.tb00230.x
Fraser, J. R. S., Simkins, B. J., & Narvaez, K. (2015). Implementing enterprise risk management:
ERM-for-Colleges.pdf
George, D., & Mallery, P. (2011). SPSS for Windows step by step: A simple guide and
Golshan, N. M., & Rasid, S. Z. A. (2012). Determinants of enterprise risk management adoption:
González-Benito, J. (2007). Information technology investment and operational performance in
purchasing: The mediating role of supply chain management practices and strategic
doi:10.1108/02635570710723813
Grace, M. F., Leverty, J. T., Phillips, R. D., & Shimpi, P. (2015). The value of investing in
doi:10.1111/jori.12022
Greitzer, F. L., & Hohimer, R. E. (2011). Modeling human behavior to anticipate insider attacks.
Grover, V., Jeong, S. R., & Segars, A. H. (1996). Information systems effectiveness: The
construct space and patterns of application. Information & Management, 31(4), 177-191.
doi:10.1016/S0378-7206(96)01079-8
Hardy, K. (2014). Enterprise risk management: A guide for government professionals. San
Harris, P., Kinkela, K., & Hayes, N. T. (2011). Internal auditing developments: COSO studies
http://store.tax.thomsonreuters.com/accounting/Finance/Internal-Auditing/p/100201298
implementing effective risk management (3rd ed.). Philadelphia, PA: Kogan Page.
Hoyt, R. E., & Liebenberg, A. P. (2015). Evidence of the value of enterprise risk management.
Hoyt, R. E., & Liebenberg, A. P. (2011). The value of enterprise risk management. The Journal
ISF. (2014). Standard of good practice for information security: The definitive guide to enable
Ives, B., Olson, M., & Baroudi, J. (1983). The measurement of user information satisfaction.
Jalal-Karim, A. (2013). Leveraging enterprise risk management (ERM) for boosting competitive
Jøsang, A., Rosenberger, C., Miralabé, L., Klevjer, H., Varmedal, K. A., Daveau, J., . . .
Kanungo, S., Duda, S., & Srinivas, Y. (1999). A structured model for evaluating information
doi:10.1002/(sici)1099-1743(199911/12)16:6<495::aid-sres238>3.0.co;2-r
Kenett, R. S., & Raphaeli, O. (2008). Multivariate methods in enterprise system implementation,
risk management, and change management. International Journal of Risk Assessment and
Kiselitsa, E. P., & Shilova, N. N. (2016). Economic technology of enterprise risk management
based on information support for their activity. Journal of Internet Banking and
Kline, M. M. (2014). The benefits of implementing an enterprise risk management approach into
KPMG. (2013). Expectations of risk management outpacing capabilities: It’s time for action.
Kurien, P., Rahman, W., & Purusottam, V. S. (2004). The case for re-examining IT
doi:10.1108/02756660410525380
Kutsch, E., Browning, T. R., & Hall, M. (2014). Bridging the risk gap: The failure of risk
Lam, J. (2014). Enterprise risk management: From incentives to controls (2nd ed.). Hoboken,
NJ: Wiley.
Liang, X. (2013). The Liang-Kleeman information flow: Theory and applications. Entropy,
Liebenberg, A. P., & Hoyt, R. E. (2003). The determinants of enterprise risk management:
Evidence from the appointment of chief risk officers. Risk Management and Insurance
Liu, X. (2011). A holistic perspective of enterprise risk management (Doctoral dissertation).
Available from ProQuest Dissertations and Theses database. (UMI No. 3495808)
Louisot, J., & Ketcham, C. (2014). ERM, enterprise risk management: Issues and cases.
Lukianchuk, G. (2015). The impact of enterprise risk management on firm performance of small
and medium enterprises. European Scientific Journal, 11(13), 408-427. Retrieved from
http://www.eujournal.org
Lundqvist, S. A. (2015). Why firms implement risk governance: Stepping beyond traditional risk
doi:10.1177/0148558X14535780
lup.lub.lu.se/record/4689913/file/4689917.pdf
doi:10.1177/0148558X14535780
Mafrolla, E., Matozza, F., & D'Amico, E. (2016). Enterprise risk management in private firms:
Does ownership structure matter? Journal of Applied Business Research, 32(2), 671.
doi:10.19030/jabr.v32i2.9603
Malik, S. A., & Holt, B. (2013). Factors that affect the adoption of enterprise risk management
Malz, A. M. (2011). Financial risk management: Models, history, and institutions. Hoboken, NJ:
Wiley.
Marden, J. I. (2004). Positions and QQ plots. Statistical Science, 19(4), 606-614. Retrieved from
http://www.imstat.org/sts/
Markovitz, A. R., Goldstick, J. E., Levy, K., Cevallos, W., Mukherjee, B., Trostle, J. A., &
Mataracioglu, T., & Ozkan, S. (2011). Governing information security in conjunction with
COBIT and ISO 27001. International Journal of Network Security & Its Applications,
McNeil, A. J., Frey, R., & Embrechts, P. (2015). Quantitative risk management: Concepts,
McShane, M. K., Nair, A., & Rustambekov, E. (2011). Does enterprise risk management
increase firm value? Journal of Accounting, Auditing & Finance, 26(4), 641-658.
doi:10.1177/0148558X11409160
Mehta, S. (2010). It's time for ERM. Financial Executives International, 26(9), 34-38. Retrieved
from http://www.financialexecutives.org
Melone, N. P. (1990). A theoretical assessment of the user-satisfaction construct. Management
Merna, T., & Al-Thani, F. F. (2011). Corporate risk management. Hoboken, NJ: Wiley.
Murphy, D., & Murphy, R. (2013). Teaching cybersecurity: Protecting the business environment.
93. doi:10.1145/2528908.2528913
Nabeel, M., & Bertino, E. (2014). Attribute based group key management. Transactions on Data
Nair, A., Rustambekov, E., McShane, M., & Fainshmidt, S. (2014). Enterprise risk management
National Commission for the Protection of Human Subjects. (1979, April 18). Belmont
report: Ethical principles and guidelines for the protection of human subjects of
doi:10.17781/P001078
Ness, L. R. (2005). Assessing the relationships among information technology flexibility,
Nickmanesh, S., Zohoori, M., Happy, A. M. M., & Akbari, A. (2013). Enterprise risk
NIST. (2010). Guide for applying the risk management framework to federal information
http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37.pdf
Norusis, M. J. (2008). SPSS 16.0 statistical procedures companion. New Jersey, NJ: Prentice
Hall.
Nunnally, J. (1978). Psychometric theory (2nd ed.). New York, NY: McGraw-Hill.
O'Donnell, E. (2005). Enterprise risk management: A systems-thinking framework for the event
195. doi:10.1016/j.accinf.2005.05.002
Otieno, O. C., & Biko, M. S. (2015). Security and cryptography on world wide web.
Paape, L., & Speklé, R. F. (2012). The adoption and design of enterprise risk management
doi:10.1080/09638180.2012.661937
Parry, V. A. (2014). The relationship between effective information technology governance and
Paul, S., & Vignon-Davillier, R. (2014). Unifying traditional risk assessment approaches with
doi:10.1016/j.jisa.2014.03.006
Ping, T. A., & Muthuveloo, R. (2015). The impact of enterprise risk management on firm
doi:10.5539/ass.v11n22p149
Pitt, L. F., Watson, R. T., & Kavan, C. B. (1995). Service quality: A measure of information
Qingfeng, L. (2013). Gaining longitudinal insights from repeated cross-sectional survey data:
Ramakrishna, S. P. (2015). Enterprise compliance risk management: An essential toolkit for
doi:10.1080/07421222.1990.11517869
Robey, D. (1979). User attitudes and management information system use. Academy of
Ross, R., Katzke, S., Johnson, A., Swanson, M., & Stoneburner, G. (2008). Managing risk from
Retrieved from
http://bradscholars.brad.ac.uk:8080/bitstream/handle/10454/5414/PhDMohamed%20S%20Saleh.pdf?sequence=1&isAllowed=y
Samani, R., Honan, B., Reavis, J., In Jirasek, V., & CSA (Organization). (2015). CSA guide to
cloud computing: Implementing cloud privacy and security. Waltham, MA: Syngress.
Segal, S. (2011). Corporate value of enterprise risk management: The next step in business
Sevgi, O., Murat, C., & Semih, B. (2008). A maturity based qualitative information systems
Shad, M. K., & Lai, F. (2015). A conceptual framework for enterprise risk management
performance measure through economic value added. Global Business and Management
Shing-On, L. (2011). A comparison of psychometric properties and normality in 4-,5-,6-, and 11-
doi:10.1080/01488376.2011.580697
Steinhoff, J. C., Price, L. A., Comello, T. J., & Cocozza, T. A. (2016). Ten steps to sustainable
institute/articles/2016/06/ten-steps-to-sustainable-enterprise-risk-management.html
Stoneburner, G., Goguen, A. Y., & Feringa, A. (2002). Risk management guide for information
http://csrc.nist.gov/publications/nistpubs/800-30/SP800-30.pdf
Stroie, E. R., & Rusu, A. C. (2011). Security risk management: Approaches and methodology.
Swanson, R. A., & Holton, E. F., III (Eds). (2005). Research in organizations: Foundations and
Tahir, I. M., & Razali, A. R. (2011). The relationship between enterprise risk management
(ERM) and firm value: Evidence from Malaysian public listed companies. International
http://www.omicsonline.com/open-access/economics-and-management-sciences.php
Tallon, P. P. (2011). Value chain linkages and the spillover effects of strategic information
Tallon, P. P., Kraemer, K. L., & Gurbaxani, V. (2000). Executives’ perceptions of the
doi:10.1287/isre.11.2.159.11779
Tao, N. B., & Hutchinson, M. (2013). Corporate governance and risk management: The role of
Taylor, L. (2014). Practical enterprise risk management: How to optimize business strategies
Thom, R. (1972). Structural stability and morphogenesis. New York, NY: W. A. Benjamin.
Tofan, D. C. (2011). Information security standards. Journal of Mobile, Embedded and
security: Strategies, tactics, logic and framework. Ely, UK: IT Governance Pub.
Verbano, C., & Venturini, K. (2011). Development paths of risk management: Approaches,
doi:10.1080/13669877.2010.541562
Wallig, G. (2012). Expanding the 'enterprise' in enterprise risk management. The Journal of
https://www.highbeam.com/doc/1P3-2640146271.html
Walker, R. (2013). Winning with risk management. Hackensack, NJ: World Scientific.
Wang, X., Zhang, J., Tong, X., Shamsuddin, S., He, R., & Xia, X. (2014). Mechanism and
Watkins, S., & Calder, A. (2015). IT governance: An international guide to data security and
Werts, C. E., Linn, R., & Joreskog, K. (1974). Intraclass reliability estimates: Testing structural
doi:10.1177/001316447403400104
Wheeler, E. (2011). Security risk management: Building an information security risk
perspective. Journal for East European Management Studies, 19(2), 133-159. Retrieved
from http://www.hampp-verlag.de/hampp_e-journals_JEMS.htm
Winter, R., Zhao, J. L., & Aier, S. (2010). Global perspectives on design science research.
Wu, D., Olson, D. L., & Dolgui, A. (2015). Decision making in enterprise risk management: A
doi:10.1016/j.omega.2015.04.011
Yazid, A. S., Razali, A. R., & Hussin, M. R. (2012). Determinants of enterprise risk management
Yeo, M. L., Rolland, E., Ulmer, J. R., & Patterson, R. A. (2014). Risk mitigation decisions for IT
doi:10.1145/2576757
Young, P. C., & Tippins, S. C. (2000). Managing business risk: An organization-wide approach
Zwikael, O., & Ahn, M. (2011). The effectiveness of risk management: An analysis of project
risk planning across industries and countries. Risk Analysis, 31(1), 25-37.
doi:10.1111/j.1539-6924.2010.01470.x
APPENDIX A. STATEMENT OF ORIGINAL WORK
Capella University’s Academic Honesty Policy (3.01.01) holds learners accountable for the
integrity of work they submit, which includes but is not limited to discussion postings,
assignments, comprehensive exams, and the dissertation or capstone project.
Established in the Policy are the expectations for original work, rationale for the policy,
definition of terms that pertain to academic honesty and original work, and disciplinary
consequences of academic dishonesty. Also stated in the Policy is the expectation that learners
will follow APA rules for citing another person’s ideas or works.
The following standards for original work and definition of plagiarism are discussed in the
Policy:
Learners are expected to be the sole authors of their work and to acknowledge the
authorship of others’ work through proper citation and reference. Use of another person’s
ideas, including another learner’s, without proper reference or citation constitutes
plagiarism and academic dishonesty and is prohibited conduct. (p. 1)
Plagiarism is one example of academic dishonesty. Plagiarism is presenting someone
else’s ideas or work as your own. Plagiarism also includes copying verbatim or
rephrasing ideas without properly acknowledging the source by author, date, and
publication medium. (p. 2)
Capella University’s Research Misconduct Policy (3.03.06) holds learners accountable for research
integrity. What constitutes research misconduct is discussed in the Policy:
Research misconduct includes but is not limited to falsification, fabrication, plagiarism,
misappropriation, or other practices that seriously deviate from those that are commonly
accepted within the academic community for proposing, conducting, or reviewing
research, or in reporting research results. (p. 1)
Learners failing to abide by these policies are subject to consequences, including but not limited to
dismissal or revocation of the degree.
Statement of Original Work and Signature
I have read, understood, and abided by Capella University’s Academic Honesty Policy (3.01.01)
and Research Misconduct Policy (3.03.06), including Policy Statements, Rationale, and
Definitions.
I attest that this dissertation or capstone project is my own work. Where I have used the ideas or
words of others, I have paraphrased, summarized, or used direct quotes following the guidelines
set forth in the APA Publication Manual.
APPENDIX B. FREQUENCIES OF RISK MANAGEMENT CONSTRUCTS
Measures (%)
Code   NE    E     MI    RI    Mean  SD     Item
FRIE1  11.0  12.0  32.0  45.0  2.11  1.00   Training in ethical values for employees of all levels
FRIE2  17.0  18.0  30.0  35.0  1.83  1.09   Compensation policies intended to align the interests of managers and shareholders (i.e., balance short- and long-term)
FRIE3  16.0  16.0  28.0  40.0  1.92  1.09   Formally defined remuneration policies of executive management
FRIE4   8.0  12.0  34.0  46.0  2.18  .936   Formally defined responsibilities for executive management (authority and accountability)
FRIE5  14.0  15.0  25.0  46.0  2.03  1.08   Formally defined audit committee responsibilities
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100
Measures (%)
Code   NE    E     MI    RI    Mean  SD     Item
FROS1  10.0  15.0  22.0  53.0  2.18  1.02   Formal mission (vision/purpose) statement
FROS2   8.0  14.0  24.0  54.0  2.24  .976   Formal business objectives/plan in place to execute the strategy
FROS3  10.0  13.0  28.0  49.0  2.16  1.00   Performance goals set to assess whether the firm is achieving its objectives/plan
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100
Measures (%)
Code   NE    E     MI    RI    Mean  SD     Item
FRCA1  11.0  11.0  41.0  37.0  2.04  .963   System to ensure that policies and procedures that are in place to manage the achievement of the firm’s objectives/plan are functioning and effective
FRCA2  12.0  13.0  32.0  43.0  2.06  1.02   Authorization procedures in place to ensure appropriate individuals review the use of policies and procedures
FRCA3  14.0  22.0  32.0  32.0  1.82  1.03   Independent verification procedures to ensure the use of policies and procedures
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100
Table B4. Frequencies of Assessment Risk
Measures (%)
Code  NE    E     MI    RI    Mean  SD    Item
AR1   14.0  15.0  33.0  38.0  1.95  1.04  Consideration of the likelihood that financial events will affect the firm’s ability to achieve its objectives
AR2   16.0  21.0  23.0  40.0  1.87  1.11  Consideration of the potential impact that financial events will affect the firm’s ability to achieve its objectives
AR3   15.0  16.0  35.0  34.0  1.88  1.04  Consideration of the likelihood that strategic risk events will affect the firm’s ability to achieve its objectives
AR4   15.0  18.0  31.0  36.0  1.88  1.06  Consideration of the potential impact that strategic risk events will affect the firm’s ability to achieve its objectives
AR5   15.0  18.0  30.0  37.0  1.89  1.07  Consideration of the likelihood that compliance events will affect the firm’s ability to achieve its objectives
AR6   17.0  19.0  29.0  35.0  1.82  1.09  Consideration of the potential impact that compliance events will affect the firm’s ability to achieve its objectives
AR7   13.0  18.0  35.0  34.0  1.90  1.02  Consideration of the likelihood that technology events will affect the firm’s ability to achieve its objectives
AR8   14.0  18.0  28.0  40.0  1.94  1.07  Consideration of the potential impact that economical events will affect the firm’s ability to achieve its objectives
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100
Measures (%)
Code  NE    E     MI    RI    Mean  SD    Item
RTR1  16.0  12.0  33.0  39.0  1.95  1.07  Formal policies about how risk should be managed
RTR2  15.0  15.0  36.0  34.0  1.89  1.04  Risk response plan for all of the significant events the firm has identified
RTR3  14.0  25.0  28.0  33.0  1.80  1.05  Alternative risk responses for each significant event
RTR4  16.0  14.0  35.0  35.0  1.89  1.06  Risk tolerances (formal guidelines or measures used at appropriate levels to assess whether the firm will accept risk)
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100
Table B6. Frequencies of Monitoring Risk
Measures (%)
Code  NE    E     MI    RI    Mean  SD    Item
MR1   13.0  19.0  30.0  38.0  1.93  1.04  Monitoring of the firm’s internal environment, processes, and control activities
MR2   14.0  19.0  35.0  32.0  1.85  1.02  Key risk indicators or indicators aimed at emerging risks (not historical performance)
MR3   17.0  18.0  36.0  29.0  1.77  1.05  Monitoring assessment of the firm’s risk management function done by an independent/external party
MR4   14.0  21.0  28.0  37.0  1.88  1.06  Frequent and structured updates of risk-related information
MR5   14.0  22.0  28.0  36.0  1.86  1.06  Internal risk assessment group or internal audit function given the responsibility to evaluate the ongoing effectiveness of the firm’s risk management practices
MR6   15.0  17.0  38.0  30.0  1.83  1.02  Allocated risk owners who have primary responsibility and accountability for managing risk within their respective areas
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100
Measures (%)
Code  1    2    3    4     5     6     7     Mean  SD    Item
ITE1  5.0  1.0  2.0  12.0  24.0  25.0  31.0  5.48  1.54  Overall quality of service
ITE2  5.0  0.0  2.0  14.0  20.0  27.0  32.0  5.53  1.52  User’s satisfaction with IT
ITE3  5.0  0.0  3.0  14.0  15.0  35.0  28.0  5.51  1.51  Helpfulness of IT staff to users
Note. Columns 1-7 are the points of the 7-point Likert scale; N = 100
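The tables above report only percentages, a mean and an SD per item, so a reader cannot tell how the response categories were coded or whether the SD is a population or a sample statistic. The following Python check is an added example, not code from the dissertation: it transcribes the Appendix B rows, recomputes each item's mean and sample (n - 1) standard deviation from its percentage distribution (with N = 100 a percentage is also a count), and reports any row that disagrees with the tabled value. The coding NE = 0, E = 1, MI = 2, RI = 3 is an assumption not stated on the page; it is used because it reproduces every tabled mean exactly, and under it every tabled SD matches the sample SD to within 0.01.

```python
"""Consistency check for the Appendix B frequency tables.

Recomputes each item's mean and sample standard deviation from the reported
response percentages and compares them with the tabled values. With N = 100
every percentage is also a raw count of respondents.
"""
import math

# Assumed response coding for the 4-point ERM items: NE=0, E=1, MI=2, RI=3.
# The page does not state the coding; it is inferred here because it
# reproduces every tabled mean exactly. ITE items are coded 1..7 as printed.
ERM_CODES = (0, 1, 2, 3)
ITE_CODES = (1, 2, 3, 4, 5, 6, 7)

# (item, counts per response category, tabled mean, tabled SD), transcribed
# from the Appendix B tables.
ERM_ROWS = [
    ("FRIE1", (11, 12, 32, 45), 2.11, 1.00),
    ("FRIE2", (17, 18, 30, 35), 1.83, 1.09),
    ("FRIE3", (16, 16, 28, 40), 1.92, 1.09),
    ("FRIE4", (8, 12, 34, 46), 2.18, 0.936),
    ("FRIE5", (14, 15, 25, 46), 2.03, 1.08),
    ("FROS1", (10, 15, 22, 53), 2.18, 1.02),
    ("FROS2", (8, 14, 24, 54), 2.24, 0.976),
    ("FROS3", (10, 13, 28, 49), 2.16, 1.00),
    ("FRCA1", (11, 11, 41, 37), 2.04, 0.963),
    ("FRCA2", (12, 13, 32, 43), 2.06, 1.02),
    ("FRCA3", (14, 22, 32, 32), 1.82, 1.03),
    ("AR1", (14, 15, 33, 38), 1.95, 1.04),
    ("AR2", (16, 21, 23, 40), 1.87, 1.11),
    ("AR3", (15, 16, 35, 34), 1.88, 1.04),
    ("AR4", (15, 18, 31, 36), 1.88, 1.06),
    ("AR5", (15, 18, 30, 37), 1.89, 1.07),
    ("AR6", (17, 19, 29, 35), 1.82, 1.09),
    ("AR7", (13, 18, 35, 34), 1.90, 1.02),
    ("AR8", (14, 18, 28, 40), 1.94, 1.07),
    ("RTR1", (16, 12, 33, 39), 1.95, 1.07),
    ("RTR2", (15, 15, 36, 34), 1.89, 1.04),
    ("RTR3", (14, 25, 28, 33), 1.80, 1.05),
    ("RTR4", (16, 14, 35, 35), 1.89, 1.06),
    ("MR1", (13, 19, 30, 38), 1.93, 1.04),
    ("MR2", (14, 19, 35, 32), 1.85, 1.02),
    ("MR3", (17, 18, 36, 29), 1.77, 1.05),
    ("MR4", (14, 21, 28, 37), 1.88, 1.06),
    ("MR5", (14, 22, 28, 36), 1.86, 1.06),
    ("MR6", (15, 17, 38, 30), 1.83, 1.02),
]
ITE_ROWS = [
    ("ITE1", (5, 1, 2, 12, 24, 25, 31), 5.48, 1.54),
    ("ITE2", (5, 0, 2, 14, 20, 27, 32), 5.53, 1.52),
    ("ITE3", (5, 0, 3, 14, 15, 35, 28), 5.51, 1.51),
]


def descriptives(counts, codes):
    """Mean and sample SD (n - 1 denominator) of a coded frequency table."""
    if len(counts) != len(codes):
        raise ValueError("one code per response category is required")
    n = sum(counts)
    if n < 2:
        raise ValueError("at least two responses are needed for an SD")
    mean = sum(c * x for c, x in zip(counts, codes)) / n
    ss = sum(c * (x - mean) ** 2 for c, x in zip(counts, codes))
    return mean, math.sqrt(ss / (n - 1))


def check_rows(rows, codes, expected_n=100, mean_tol=0.005, sd_tol=0.01):
    """Return (item, problem) pairs for rows whose percentages do not sum to
    expected_n or whose recomputed mean/SD is further than the tolerance from
    the tabled value. An empty list means the table is internally consistent."""
    problems = []
    for item, counts, tabled_mean, tabled_sd in rows:
        if sum(counts) != expected_n:
            problems.append((item, f"percentages sum to {sum(counts)}, not {expected_n}"))
            continue
        mean, sd = descriptives(counts, codes)
        if abs(mean - tabled_mean) > mean_tol:
            problems.append((item, f"mean {mean:.3f} vs tabled {tabled_mean}"))
        if abs(sd - tabled_sd) > sd_tol:
            problems.append((item, f"SD {sd:.3f} vs tabled {tabled_sd}"))
    return problems


if __name__ == "__main__":
    for label, rows, codes in (("ERM items", ERM_ROWS, ERM_CODES),
                               ("ITE items", ITE_ROWS, ITE_CODES)):
        print(label, "mismatches:", check_rows(rows, codes) or "none")
```

Run as a script it reports no mismatches for either table. Tightening sd_tol to 0.005 flags several items whose SD is tabled to two decimals (for example AR1, where the recomputed sample SD is 1.048), which is rounding in the table rather than a transcription error; coding the ERM items 1 to 4 instead of 0 to 3 shifts every recomputed mean by exactly 1 and flags all 29 items, which is how the coding assumption was settled.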
APPENDIX C. ASSUMPTIONS OF MULTIPLE REGRESSION ANALYSIS
Figure C3. Scatter plot of regression standardized residual for ITE (n = 100)
APPENDIX D. ASSUMPTIONS OF SIMPLE REGRESSION ANALYSIS
Figure D1. Histogram of regression standardized residuals for ITE on FR (n= 100)
Figure D2. P-P plot of regression standardized residuals for ITE on FR (n = 100)
Figure D3. Scatter plot of regression standardized residual for ITE on FR (n = 100)
Hypothesis H3: ITE = β0 AR + β1
Figure D5. P-P plot of regression standardized residuals for ITE on AR (n = 100)
Figure D6. Scatter plot of regression standardized residual for ITE on AR (n = 100)
Hypothesis H4: ITE = β0 RTR + β1
Figure D7. Histogram of regression standardized residuals for ITE on RTR (n = 100)
Figure D8. P-P plot of regression standardized residuals for ITE on RTR (n = 100)
Figure D9. Scatter plot of regression standardized residual for ITE on RTR (n = 100)
Figure D11. P-P plot of regression standardized residuals for ITE on MR (n = 100)
Figure D12. Scatter plot of regression standardized residual for ITE on MR (n = 100)
APPENDIX E. ASSUMPTIONS OF INDEPENDENT SAMPLE T-TEST ANALYSIS
Figure E1. Normal Q-Q Plots for FR low-level group and FR high-level group
Hypothesis H3.1: µ(AR low-level group) = µ(AR high-level group)
Figure E2. Normal Q-Q Plots for AR low-level group and AR high-level group
Hypothesis H3.1: µ(RTR low-level group) = µ(RTR high-level group)
Figure E3. Normal Q-Q Plots for RTR low-level group and RTR high-level group
Hypothesis H4.1: µ(MR low-level group) = µ(MR high-level group)
Figure E4. Normal Q-Q Plots for MR low-level group and MR high-level group
APPENDIX F. CONSTRUCT OVERVIEW
Construct: Frame Risk
  Source/Citation: NIST (2010)
  Variable: Frame Risk (FR)
  Instrument Source/Citation: Lundqvist (2015)
  Scale: 4-point Likert scale
  Data Type: Interval
  Instrument Name: ERM Dimension Instrument

Construct: Assessed Risk
  Source/Citation: NIST (2010)
  Variable: Assessed Risk (AR)
  Instrument Source/Citation: Lundqvist (2015)
  Scale: 4-point Likert scale
  Data Type: Interval
  Instrument Name: ERM Dimension Instrument

Construct: Response to Risk
  Source/Citation: NIST (2010)
  Variable: Response to Risk (RTR)
  Instrument Source/Citation: Lundqvist (2015)
  Scale: 4-point Likert scale
  Data Type: Interval
  Instrument Name: ERM Dimension Instrument

Construct: Monitoring Risk
  Source/Citation: NIST (2010)
  Variable: Monitoring Risk (MR)
  Instrument Source/Citation: Lundqvist (2015)
  Scale: 4-point Likert scale
  Data Type: Interval
  Instrument Name: ERM Dimension Instrument

Construct: IT Effectiveness
  Source/Citation: Ness (2005); Tallon (1999); Tallon, Kraemer and Gurbaxani (2000)
  Variable: IT Effectiveness (ITE)
  Instrument Source/Citation: Ness (2005); Tallon, Kraemer and Gurbaxani (2000)
  Scale: 7-point Likert scale
  Data Type: Interval
  Instrument Name: IT Effectiveness Instrument