
AN ANALYSIS OF ENTERPRISE RISK MANAGEMENT AND IT EFFECTIVENESS CONSTRUCTS

by

Errol Waithe

ALAN CHMURA, PhD, Faculty Mentor and Chair

MARY ROBINSON LIND, PhD, Committee Member

SHARON GAGNON, PhD, Committee Member

Rhonda Capron, EdD, Dean

School of Business and Technology

A Dissertation Presented in Partial Fulfillment

of the Requirements for the Degree

Doctor of Philosophy

Capella University

November 2016




ProQuest Number: 10250536

Published by ProQuest LLC (2016). Copyright of the Dissertation is held by the Author.
© Errol Stephen Waithe, 2016

Abstract

One major problem many organizations are facing is balancing the risk-management practices of the organization with overall information technology (IT) effectiveness. The purpose of this non-experimental quantitative correlational study was to assess the constructs and correlations associated with enterprise risk management and IT effectiveness. The researcher used simple random sampling and a Web-based cross-sectional survey to collect data from Fortune 1000 companies in 12 different industry sectors. The researcher used multiple and simple regression analysis to assess the extent of the relationship between risk management and IT effectiveness constructs. The researcher conducted an independent sample t-test on each independent construct and IT effectiveness, split into high and low levels, to compare the groups. The researcher used analysis of variance (ANOVA) to gauge industry sector IT effectiveness levels. Overall, the multiple regression model produced R² = .615, indicating that 61.5% of the variance in IT effectiveness was explained by risk management constructs. The results also highlighted the significance of (a) response to risk (RTR), (b) monitoring risk (MR), and (c) assessed risk (AR) as predictors of IT effectiveness, while frame risk (FR) only contributed marginally. The linear regression results emphasized the significance of RTR (R² = .587) as a predictor of IT effectiveness. The analysis also revealed the significant influence of MR on ITE (R² = .574), AR on ITE (R² = .562), and FR on ITE (R² = .494). The t-test results revealed that both high and low groupings were significant (p < .05), meaning that IT effectiveness levels differ between groups, and that organizations with high levels of risk management have greater levels of IT effectiveness. The ANOVA results revealed no statistically significant difference in IT effectiveness amongst industries and highlighted how many organizations believed the response to a risk should be addressed first. The study provides researchers a starting point to conduct comparative studies and enables organizations to gain a better understanding of the risk-management constructs that contribute the most to IT effectiveness.

Acknowledgements

I would like to thank Dr. Chmura, my Faculty Mentor and Chair, and my dissertation committee members Dr. Gagnon and Dr. Robinson Lind for their timely feedback, support, and guidance throughout this dissertation process. Their insight gave me focus and kept me on track throughout this journey.

To the woman in my life, Shurunda Butler, I want to express my special and deep appreciation for your support and endless patience. You were always there for me when I felt I needed a word of encouragement. Your strength and reassurance have been my compass and inspiration from day one of this journey.

To my good friends and colleagues Dr. Darrell Bratton, Dr. Stephanie Burg, Dr. Charles Bogan, Dr. Cartmell Warington, Rodney Martin, Trenton Neal, Dr. Clifford Pope, Richard Jones, Renita Watts, and Crystal Jacques, thanks for being supportive and encouraging throughout this whole dissertation process and thanks for being there when I needed someone to talk to.

To my family, thank you for your unending support and constant encouragement even through trying times. Finally, I want to thank God for giving me the strength, health, and patience necessary to make this dream a reality.

Table of Contents

Acknowledgements .......... iii
List of Tables .......... viii
List of Figures .......... xi

CHAPTER 1. INTRODUCTION .......... 1
Introduction to the Problem .......... 1
Background of the Study .......... 3
Statement of the Problem .......... 5
Purpose of the Study .......... 6
Rationale .......... 6
Research Questions .......... 7
Significance of the Study .......... 10
Definition of Terms .......... 11
Assumptions and Limitations .......... 14
Conceptual Framework .......... 15
Organization of the Remainder of the Study .......... 17

CHAPTER 2. LITERATURE REVIEW .......... 18
Enterprise Risk Management .......... 18
Traditional Risk Management Versus ERM .......... 19
Traditional Risk Management .......... 20
ERM .......... 21
An Overview of TRM and ERM .......... 22
Two Approaches to Risk Management .......... 23
The Risk-Analysis Approach .......... 24
The Best-Practices Approach .......... 25
The Origins of ERM .......... 26
Common Frameworks, Approaches, and Standards of ERM .......... 29
Influences for ERM .......... 38
Benefits of ERM .......... 40
IT Effectiveness .......... 42
Summary .......... 45

CHAPTER 3. METHODOLOGY .......... 47
Theoretical Foundation .......... 47
Research Design .......... 49
Conceptual Model .......... 50
Operational Definition of Variables .......... 51
Research Questions and Hypotheses .......... 53
Sample Population .......... 56
Instrumentation/Measures .......... 57
Data Collection .......... 59
Data Analysis .......... 60
Validity and Reliability .......... 61
Ethical Considerations .......... 62

CHAPTER 4. RESULTS .......... 64
Chapter Overview .......... 64
Respondent Characteristics .......... 65
Collected Data Descriptions .......... 67
Assessment of Scale Validity and Reliability .......... 74
The Testing of Hypothesis Using Multiple Regression Analysis .......... 75
The Testing of Hypotheses Using Simple Regression Analysis .......... 81
Testing Linear Regression Analysis Assumptions .......... 82
The Testing of Hypotheses Using T-Test .......... 90
The Testing of Hypothesis Using Analysis of Variance .......... 101
Data Analysis Summary .......... 104

CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS .......... 106
Overview .......... 106
Results, Discussion, and Summary .......... 110
Conclusions .......... 113
Limitations .......... 114
Implications .......... 115
Recommendations .......... 116
Final Remarks .......... 117

REFERENCES .......... 121
APPENDIX A. STATEMENT OF ORIGINAL WORK .......... 143
APPENDIX B. FREQUENCIES OF RISK MANAGEMENT CONSTRUCTS .......... 145
APPENDIX C. ASSUMPTIONS OF MULTIPLE REGRESSION ANALYSIS .......... 148
APPENDIX D. ASSUMPTIONS OF SIMPLE REGRESSION ANALYSIS .......... 150
APPENDIX E. ASSUMPTIONS OF INDEPENDENT SAMPLE T-TEST ANALYSIS .......... 157
APPENDIX F. CONSTRUCT OVERVIEW .......... 161

List of Tables

Table 1. Evolution of Risk Management .......... 29
Table 2. Measurement Scales, Constructs, Survey Item Numbers, and Sections .......... 59
Table 3. Sample Characteristics .......... 66
Table 4. Distribution of Mean Scores of Internal Environment Controls .......... 68
Table 5. Distribution of Mean Scores on Objective Settings .......... 69
Table 6. Distribution of Mean Scores on Control Activities .......... 70
Table 7. Distribution of Mean Scores on Risk Assessment Practices .......... 71
Table 8. Distribution of Mean Scores on Risk Response Practices .......... 72
Table 9. Distribution of Mean Scores on Monitoring Practices .......... 73
Table 10. Distribution of Mean Scores on IT Effectiveness .......... 73
Table 11. Variable Reliability .......... 75
Table 12. Research Question 1 and Hypothesis Statements .......... 76
Table 13. Model Summary for RM Constructs of Regression on Organizational IT Effectiveness .......... 79
Table 14. ANOVA for Regression of RM Constructs on Organizational IT Effectiveness .......... 79
Table 15. Coefficients for Regression Model ITE on Organizational IT Effectiveness .......... 80
Table 16. Summary Statistics of Multiple Regression Analysis, Results, and Correlations .......... 81
Table 17. Research Questions 2 to 5 and Hypotheses Statements .......... 81
Table 18. Model Summary for Regression on IT Effectiveness on Frame Risk .......... 84
Table 19. ANOVA for Regression of IT Effectiveness on Frame Risk .......... 84
Table 20. Regression Model Coefficients of IT Effectiveness on Frame Risk .......... 85
Table 21. Model Summary for Regression on IT Effectiveness on Assessed Risk .......... 85
Table 22. ANOVA for Regression of IT Effectiveness on Assessed Risk .......... 86
Table 23. Regression Model Coefficients of IT Effectiveness on Assessed Risk .......... 86
Table 24. Model Summary for Regression on IT Effectiveness on Response to Risk .......... 87
Table 25. ANOVA for Regression of IT Effectiveness on Response to Risk .......... 87
Table 26. Regression Model Coefficients of IT Effectiveness on Response to Risk .......... 88
Table 27. Model Summary for Regression on IT Effectiveness on Monitoring Risk .......... 88
Table 28. ANOVA for Regression of IT Effectiveness on Monitoring Risk .......... 89
Table 29. Regression Model Coefficients of IT Effectiveness on Monitoring Risk .......... 89
Table 30. Simple Linear Regression Analyses Results, Correlations, and Summary Statistics .......... 90
Table 31. High and Low Grouping Per Construct .......... 91
Table 32. Research Questions 2.1 to 5.1 and Hypotheses Statements .......... 92
Table 33. Levene's Test for Equality of Variance .......... 94
Table 34. Group Statistics for LL-Group (n = 23) and HL-Group (n = 77). Total Frame Risk Scores for 20 Items .......... 95
Table 35. Independent Samples t-Test. Total Frame Risk Scores for 20 Items .......... 95
Table 36. Group Statistics for LL-Group (n = 33) and HL-Group (n = 67). Total Assessed Risk Scores for 20 Items .......... 97
Table 37. Independent Samples t-Test. Total Assessed Risk Scores for 20 Items .......... 97
Table 38. Group Statistics for LL-Group (n = 31) and HL-Group (n = 69). Total Response to Risk Scores for 20 Items .......... 98
Table 39. Independent Samples t-Test. Total Response to Risk Scores for 20 Items .......... 99
Table 40. Group Statistics for LL-Group (n = 36) and HL-Group (n = 64). Total Monitoring Risk Scores for 20 Items .......... 100
Table 41. Independent Samples t-Test. Total Monitoring Risk Scores for 20 Items .......... 100
Table 42. Summary of Independent Sample T-Test Results .......... 101
Table 43. Research Question 6 and Null Hypothesis .......... 102
Table 44. Industry Sectors and IT Effectiveness Descriptive Statistics .......... 103
Table 45. Industry Sectors on IT Effectiveness Homogeneity of Variances Assumption Test .......... 103
Table 46. Industry Sectors on IT Effectiveness ANOVA Test for Differences .......... 104

List of Figures

Figure 1. Conceptual model of constructs and the primary elements used to measure enterprise risk management .......... 16
Figure 2. Extended conceptual model of constructs and the primary elements used to measure enterprise risk management .......... 51
Figure 3. G*Power 3 Power analysis to determine required sample size .......... 57

CHAPTER 1. INTRODUCTION

Introduction to the Problem

Because of various corporate financial scandals and the fall of several leading organizations, many organizational stakeholders have become interested in new ways to address enterprise risk and to safeguard and reinforce stakeholder value. Ahmed and Manab (2016a) mentioned that various regulatory reforms are drastically extending public policies to make corporate governance and risk management more efficient. The rapid change in regulatory policy alone justifies the need for risk management processes that adapt and expand to changes as they arise. In short, risk management has been integrated into the enterprise environment as a means to increase organizational productivity, operational efficiencies, and competitive advantage. Integrating risk management into the organizational framework makes risk management an important part of an organization's business process (Walker, 2013).

Traditional risk management is effective in addressing risk in the enterprise environment, but it has also added other issues of concern for many organizations. Issues regarding the lack of knowledge that a risk exists or inadequate integration of stakeholders into risk management are the most common issues of interest for many organizational entities. The issues mentioned lead to a specific problem regarding the declining success rate of risk management projects and its impact on effectiveness within enterprise environments. KPMG (2013) noted that risk management is an important topic amongst the companies assessed, but only 66% of surveyed organizations had implemented risk management as a strategic process. AON (2015) stated that about 49% of respondents had indicated a loss of income due to risk in the last 12 months. In 2014, cyber attacks alone cost organizations an estimated $56.5 million in damages (AFP, 2015). The mentioned issues are addressed by approaches that provide greater event identification, reduce earnings volatility, and help sustain competitive advantage. Thus, many organizations have looked towards enterprise risk management (ERM) as a potential remedy for organizational risk issues.

Enterprise risk management offers organizations the ability to manage risk across all dimensions of the organization and improves the amalgamation of operational and financial risk management (Anquillare, 2010). ERM uses a holistic approach which allows organizations to create options to transfer, finance, mitigate, evaluate, and identify risk. Recent researchers studying ERM have often addressed the subject matter from a general perspective, addressing topics such as (a) firm value, (b) lessened earning volatility, (c) accurate risk adjustment, (d) risk and return, (e) competitive advantage, and (f) shareholder's value (Jalal-Karim, 2013). It is not clear, however, if organizations that have adopted an ERM program are better off in overall IT effectiveness. In short, the literature reviewed revealed there currently exists a lack of empirical evidence addressing the relationship between ERM and IT effectiveness within enterprise environments (Grace, Leverty, Phillips, & Shimpi, 2015; Mafrolla, Matozza, & D'Amico, 2016; Steinhoff, Price, Comello, & Cocozza, 2016).

The purpose of this dissertation study was to assess the constructs and correlations of enterprise risk management and IT effectiveness. The overall objective of this non-experimental quantitative correlational study was to evaluate the relationship between the four independent variables of frame risk, assessed risk, response risk, and monitor risk, and the dependent variable of IT effectiveness within the enterprise environment (i.e., Fortune 1000 companies). The researcher addressed risk management in this study from a holistic perspective, acknowledging both the strategic and tactical initiative, to ensure that risk-based decision making is assessed from all aspects of the enterprise environment. Lundqvist (2015) and Đapić, Popović, Lukić, and Mitrović (2012) stated that due to the increasing concern for modern risk management practices, organizations have been pressured to manage risk holistically. The researcher deemed that a holistic perspective to risk management is the most successful, because the holistic view treats both positive and negative risk with equal importance. Furthermore, the correlational aspects of the study allow organizations to gain an understanding of what association exists between the strategic and tactical levels.

Background of the Study

Enterprise risk management has emerged as a powerful approach for managing risk from a wide variety of sources. Numerous scholars have described the ways in which ERM offers organizations increased firm value (Ahmed & Manab, 2016a; Ahmed & Manab, 2016b; McNeil, Frey, & Embrechts, 2015). Others have described the ways in which ERM helps regarding compliance requirements (Arnold, Benford, Canada, & Sutton, 2011; Marchetti, 2012; Ramakrishna, 2015). Through a review of 200 journal articles, scholars have revealed that many ERM-related articles provide information regarding organizational benefits of ERM, but provide limited information on IT effectiveness after implementation (Driscoll, 2014; Hoyt & Liebenberg, 2015; Wallig, 2012). Kline (2014) noted that organizations are often intrigued by the benefits offered by ERM, but forget about the potential performance risk involved in transitioning from a traditional risk management approach. When an organization does not consider the potential risk associated with an initiative, the organization is then more likely to be less (a) secure, (b) strategically aligned, and (c) effective (Bradley et al., 2012; Gillespie, 2014). In essence, the organization is potentially exposed to new sets of risk.

Many of the issues associated with ERM performance being ineffective are often related to issues such as inadequate knowledge or insufficient incorporation of risk owners into the risk-management activities. Fadun (2013) stated that organizations implementing ERM face various challenges because the process is often complex and not easily understood. Arnold et al. (2011) also mentioned that as executive management and boards begin to evaluate ERM, they usually have more questions than answers. One of the main issues with ERM is that many corporations have difficulty producing ERM value to support enforcement cost. ERM differs from conventional asset expenditures that are assessed using routine metrics addressing reward and risks such as return on assets (ROA) and return on equity (ROE; Wheeler, 2011). Value drivers for ERM are less formal and rigid. In addition, ERM is often voluntary, resulting in a value proposal void of regulatory encouragement and compliance language. To establish ERM value, costs, and risk, an organization must address ERM from a traditional perspective, using four categories: (a) shareholder value added, (b) avoided risk, (c) hard dollar savings, and (d) improved risk transparency (Yazid, Razali, & Hussin, 2012).

Stakeholder buy-in has become the most significant barrier associated with the adoption of ERM, followed by tolerance for poor standards, poor internal communication, and a culture focused on the organization's priorities to the detriment of key risk. AICPA (2015) stated that in a 2015 survey addressing ERM adoption practices and priorities, more than 47% of the participants indicated that their organizations have yet to implement an enterprise-wide risk management process. While many of the respondents could not indicate more than one impediment, the most common response was that they believed that risks were monitored in other ways. In today's business environment, the management of risk is imperative due to new regulation and compliance requests. For many organizations, a violation of data security is often a problem that must be addressed, because of the potential impact it could have on the functionality of the organization (Malik & Holt, 2013). Not only do data security issues present confidentiality issues for an organization, but they could also represent legal and ethical issues as well. In addition, from an IT perspective, an organization must consider how the ERM program or processes affect overall IT effectiveness.

Statement of the Problem

The problem that the researcher addressed in this research study was the lack of information available regarding the relationship between ERM and IT effectiveness (Kiselitsa & Shilova, 2016; Lukianchuk, 2015; Mafrolla et al., 2016; Paape & Speklé, 2012). ERM has become a key issue of interest for many IT professionals and organizations worldwide, due to recent events concerning IS breaches. Bitglass (2015) noted that 90% of the 1,000 surveyed IT security practitioners were either moderately or very concerned about security. Researchers performing studies regarding ERM have often addressed the subject matter from a general perspective, addressing topics such as (a) firm value, (b) reduced earning volatility, (c) accurate risk adjustment, (d) risk and return, (e) competitive advantage, and (f) shareholder's value (Jalal-Karim, 2013). It is not currently clear how organizations that have adopted ERM are better off concerning overall IT effectiveness. Kutsch, Browning, and Hall (2014) noted that ERM solutions should be studied extensively, to help raise awareness of existing safety and efficiency issues. A review of 200 journal articles and 60 trade journals revealed a lack of empirical evidence addressing the relationship between ERM and IT effectiveness (Hoyt & Liebenberg, 2011; Lam, 2014; Louisot & Ketcham, 2014). In conclusion, the information presented in this non-experimental quantitative correlational study helps provide insight into the relationship mentioned and adds scholarly knowledge associated with ERM as it applies to IT effectiveness in the enterprise environment.

Purpose of the Study

The purpose of this non-experimental quantitative correlational study was to assess the constructs and correlations associated with enterprise risk management and IT effectiveness. The researcher utilized information flow theory, catastrophe theory, and the risk-management framework together to examine how various risk management factors affect overall IT effectiveness. This study's results would contribute to ERM literature, IS security practitioners, and chief information officers (CIO) by providing an integrated perspective on how ERM influences IT effectiveness. Furthermore, the answers to the research question would identify the key risk management construct that affects IT effectiveness. The findings from the study may prove to be useful to organizations seeking to make informed decisions addressing risk within their organization.

Rationale

The rationale and justification for this quantitative study were to determine the influence of the four risk management constructs of frame risk, assessed risk, response to risk, and monitoring risk on IT effectiveness. Currently, no researchers have addressed the relationship between an organization's risk management practices and their effect on IT effectiveness. According to Murphy and Murphy (2013), it does not matter what software implementation is undertaken; governance and security must guide and lead all organizational implementations. Determining the constructs that have the greatest correlation to IT effectiveness could allow organizational risk managers and CIOs to sustain risk effectively and achieve optimal IT effectiveness levels.

Information technology effectiveness based on risk management constructs has not previously been correlated within the same regression model. Furthermore, no empirical studies exist that address how ERM constructs affect an organization's IT effectiveness. The researcher designed this quantitative study to fill that gap; the current study is the first to provide empirical evidence of what risk management constructs affect IT effectiveness. The findings from the study would help organizations, regardless of size or type, make better decisions regarding what risk management constructs to address based on their significance to IT effectiveness. In addition, the findings from this empirical study also extend the current body of knowledge concerning risk management practices and IT effectiveness.

Research Questions

The researcher designed this quantitative correlational study to assess the constructs and correlations associated with enterprise risk management and IT effectiveness. The dependent variable was IT effectiveness, and the independent variables were frame risk, assessed risk, response to risk, and monitoring risk. The omnibus research question (i.e., RQ1) and the main and sub-research questions and hypotheses were as follows:

RQ1: What is the nature of the relationship between risk management constructs and IT effectiveness?

H1₀: There is no significant relationship between risk management constructs and IT effectiveness.

H1ₐ: There is a significant relationship between risk management constructs and IT effectiveness.

RQ2: What is the nature of the relationship between frame risk and IT effectiveness?

H2₀: There is no significant relationship between frame risk and IT effectiveness.

H2ₐ: There is a significant relationship between frame risk and IT effectiveness.

RQ2.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of frame risk and those that have low levels of frame risk?

H2₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of frame risk and those that have low levels of frame risk.

H2ₐ.1: There is a significant difference in the level of IT effectiveness between firms that have high levels of frame risk and those that have low levels of frame risk.

RQ3: What is the nature of the relationship between assessed risk and IT effectiveness?

H3₀: There is no significant relationship between assessed risk and IT effectiveness.

H3ₐ: There is a significant relationship between assessed risk and IT effectiveness.

RQ3.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of assessed risk and those that have low levels of assessed risk?

H3₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of assessed risk and those that have low levels of assessed risk.

H3ₐ.1: There is a significant difference in the level of IT effectiveness between firms that have high levels of assessed risk and those that have low levels of assessed risk.

RQ4: What is the nature of the relationship between response to risk and IT effectiveness?

H4₀: There is no significant relationship between response to risk and IT effectiveness.

H4ₐ: There is a significant relationship between response to risk and IT effectiveness.

RQ4.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of response to risk and those that have low levels of response to risk?

H4₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of response to risk and those that have low levels of response to risk.

H4ₐ.1: There is a significant difference in the level of IT effectiveness between firms that have high levels of response to risk and those that have low levels of response to risk.

RQ5: What is the nature of the relationship between monitoring risk and IT effectiveness?

H5₀: There is no significant relationship between monitoring risk and IT effectiveness.

H5ₐ: There is a significant relationship between monitoring risk and IT effectiveness.

RQ5.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of monitoring risk and those that have low levels of monitoring risk?

H5₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of monitoring risk and those that have low levels of monitoring risk.

H5ₐ.1: There is a significant difference in the level of IT effectiveness between firms that have high levels of monitoring risk and those that have low levels of monitoring risk.

RQ6: Is there a difference in the level of IT effectiveness among industry sectors?

H6₀: There is no significant difference in the level of IT effectiveness among industry sectors.

H6ₐ: There is a significant difference in the level of IT effectiveness among industry sectors.

Significance of the Study

The results of the current non-experimental quantitative correlational study add to the scholarly knowledge associated with enterprise risk management and IT effectiveness. The study contributes to the body of knowledge of IT professionals, researchers, and businesses seeking to determine the overall value of IT effectiveness in light of the organization's risk-management practices. The researcher anticipated that the information presented in the study would assist organizations in determining the degree to which risk management practices contribute real organizational value. An organization that does not consider the constructs addressed by this study risks inadequate security, technical, and business analysis. Samani, Honan, Reavis, and Jirasek (2015) noted that IT effectiveness can provide enormous efficiency gains to an organization, but that failing to address security, and the resulting loss of confidentiality, will significantly affect the customer. Furthermore, an organization that does not evaluate risk management by its contribution to IT effectiveness risks a wasted IT investment, or an implementation that provides no significant value.

Definition of Terms

In this research study, the researcher focused on the following constructs: frame risk, assessed risk, response to risk, monitoring risk, and IT effectiveness. The researcher presents a brief overview of those constructs and of other concepts and terminology used throughout the study.

Assessment of risk: Assessment of risk addresses whether an organization has identified threats to its operations and assets, internal and external vulnerabilities, and the potential harm that could occur. Andreea (2014) noted that risk assessment is necessary for determining an organization's development priorities and action strategies and helps in allocating resources. The results of the risk assessment assist an organization in choosing approaches for the removal, reduction, and avoidance of risk.

Committee of Sponsoring Organizations of the Treadway Commission: The Committee of

Sponsoring Organizations of the Treadway Commission consists of five private organizations,

dedicated to providing guidance on critical aspects of organizational governance and business

(COSO, 2004).

Cryptography: Cryptography is the use of mathematical and programming algorithms to keep communications confidential from unauthorized audiences. Cryptography also provides digital signatures, which a sender applies so that receivers can verify that a communication is authentic and relevant to them (Otieno & Biko, 2015).

Enterprise risk management: Enterprise risk management is the implementation of the

management of risk to every aspect of the enterprise (Fadun, 2013).

Frame risk: The risk frame is the established foundation for managing risk and the delineated boundaries for risk-based decisions. The risk frame concept covers the organization's current (a) risk assumptions, (b) risk constraints, (c) risk tolerance, and (d) priorities and trade-offs. NIST (2010) stated that the risk frame sets the foundation for the risk-management strategy, which addresses how an organization intends to assess, respond to, and monitor risk.

Identity management: Identity management is the management of identities outside the applications and organizational borders that use them. Its purpose is to ensure that mechanisms are in place for accessing identity and management interfaces (Jøsang et al., 2014).

Insider attack: An insider attack is an attack by a malicious insider who is associated with the organization and has root access to the organization's host server (Greitzer & Hohimer, 2011).

International Organization for Standardization (ISO): The International Organization for

Standardization is an international standard-setting body composed of representatives from

various national standards organizations (Bahtit & Regragui, 2013).

IT effectiveness: Varying definitions of IT effectiveness exist; the researcher adopted the definition used by Ness (2005), which defines IT effectiveness as the delivery of services.

Key management: Key management relates to the encryption process and concerns the management of the user keys that allow a user to decrypt the data the data owner has authorized (Nabeel & Bertino, 2014).

National Institute of Standards and Technology: The National Institute of Standards and Technology is a U.S. federal government agency responsible for technology and computer science activities within the federal government (NIST, 2010).

Pure risk: Pure risk is risk that results either in a loss or in no loss. Common examples are (a) home ownership, (b) premature death, and (c) identity theft (Crockford, 1982; Dionne, 2013; Eick, 2003).

Response to risk: Response to risk refers to how well an organization is prepared to

respond to risk once the risk has been determined. Response to risk also considers whether an

organization has developed alternative courses of action and has implemented risk responses

based on those courses of action. Marchetti (2012) asserted that an organization’s risk

management action plan should represent the related factors and circumstances associated with

each risk as well as actual responses.

Risk IT: Risk IT is a framework developed by the Information Systems Audit and Control Association (ISACA) to complement the Control Objectives for Information and Related Technology (COBIT; ISACA, 2009).

Risk management: Risk management is a perceived way to reduce consequences and

uncertainty. Risk management is the overall process that integrates the analysis and identification

of risk that an organization is exposed to (Bojanc & Jerman-Blažič, 2013).

Risk monitoring: Risk monitoring refers to the measures an organization has in place to monitor risk on an ongoing basis. Belinskaja and Velickiene (2015) stated that both the internal and the external environment should be monitored for changes that could cause a risk event to occur.

Standard of Good Practice for Information Security: The Standard of Good Practice for Information Security was created by the Information Security Forum to provide resources to national and international organizations committed to addressing organizational risk (ISF, 2014).

Virtualization: Virtualization refers to the imaging or versioning of network resources,

storage devices, operating systems, or servers on multiple machines at the same time (Bologa &

Bologa, 2011).

Assumptions and Limitations

The assumptions of this study were that IT directors, CIOs, and IT security program managers had knowledge of the risk-management procedures within their organizations. The researcher also assumed that the IT population identified to satisfy the study's criterion was representative of the population that acknowledges and addresses risk management procedures. The researcher further assumed that the Qualtrics expert panel would be representative of Fortune 1000 companies, that participants would answer the survey questions based on their technical abilities in IT, and, lastly, that participants would answer all survey questions.

The research study was limited to IT professionals who had specific knowledge of organizational risk management practices, which could have led to results that cannot be generalized beyond an IT perspective. The sample population consisted only of U.S.-based organizations, which could also lead to results that cannot be generalized internationally. In addition, the results represent varying business sectors, so the findings cannot be generalized to any specific business size, type, or sector.

Conceptual Framework

Figure 1 displays frame risk, assessed risk, response to risk, and monitoring risk as having a direct relationship to IT effectiveness, and displays the mutual relationships among frame risk, assessed risk, response to risk, and monitoring risk. The purpose of this non-experimental quantitative correlational study was to assess the constructs and correlations associated with enterprise risk management and IT effectiveness. The researcher intended to help organizations determine which risk constructs, (a) organizational risk frame, (b) risk assessment processes, (c) risk response procedures, and (d) monitoring procedures, affected IT effectiveness. The information presented is also beneficial for internal auditing because it provides insight into which internal risk management processes are crucial for many organizations. Harris, Kinkela, and Hayes (2011) noted that effective internal control starts with the design of an ERM system that runs side by side with the strategic management system. The information from the study could help organizations determine what potential issues exist within their infrastructure regarding IT effectiveness and general risk management.

Figure 1. Conceptual model of constructs and the primary elements used to measure enterprise
risk management.

The strategy of inquiry for the study was non-experimental survey research, and the design was quantitative correlational. The researcher chose the cross-sectional survey strategy for its ability to provide numeric descriptions of the opinions, attitudes, and trends of a population through a sample taken at a single point in time (Qingfeng, 2013). The researcher selected the survey approach as a means of asking IT professionals about their current risk management process and how that process affected overall IT effectiveness. Because the study sought to discover the extent of relationships between two or more variables, the researcher selected a correlational design.

Organization of the Remainder of the Study

Chapter 2 contains a detailed analysis of existing literature regarding enterprise risk

management, common standards and frameworks of enterprise risk management, and IT

effectiveness. All articles cited are peer-reviewed articles from technology and scientific

journals. All chapter sections are divided based on the constructs and concepts being addressed

in the study.

Chapter 3 contains the conceptual model and methodological approach for this study. In

this chapter, the researcher presents the research questions, hypotheses, measurements of the

constructs, and variables. The researcher also outlines the observed variables, data collection

plan, sample population, survey instrument, data analysis techniques, validity and reliability,

assumptions and limitations, and ethical considerations.

Chapter 4 contains the findings and analysis performed on the survey data collected. In

this chapter, the researcher provides a summary of the respondents’ characteristics and collected

data descriptions. The researcher introduces a comprehensive presentation on the results of the

six hypotheses in detail, and presents an assessment of reliability, validity, and scales.

In Chapter 5, the researcher provides an overview of the entire study and analyzes how the findings apply to the hypotheses and research questions. In this chapter, the researcher addresses the implications of the research study for U.S.-based organizations. Finally, the researcher presents recommendations for further research to expand the body of knowledge on IT effectiveness and risk management.

CHAPTER 2. LITERATURE REVIEW

Enterprise Risk Management

In current academic literature, researchers have described enterprise risk management (ERM) as the application of risk management to every aspect of the enterprise. Over the years, researchers have referred to ERM using various terms and acronyms, including (a) enterprise-wide risk management, (b) corporate risk management, (c) strategic risk management, (d) business risk management, (e) holistic risk management, and (f) integrated risk management (Fadun, 2013; Liebenberg & Hoyt, 2003; Tahir & Razali, 2011). Although varying definitions of ERM exist, in recent years ERM has been used worldwide to describe an approach to anticipating and managing business risk before problems occur. Jalal-Karim (2013) stated that ERM increases an organization's value by stabilizing earnings and capital and by reducing the expected cost of external capital and regulatory scrutiny. ERM enables organizations to align business risk with business strategies and objectives for the purpose of creating business value.

Enterprise risk management affects an organization at both the macro level (i.e., organization-wide) and the micro level (i.e., business unit). From a macro perspective, ERM equips management with the ability to govern and quantify the risk-return trade-offs that affect the organization as a whole (Baxter, Bedard, Hoitash, & Yezegel, 2013). In essence, the macro level helps the organization maintain access to the resources and capital markets that enable it to implement its business plan and strategy. At the micro level, ERM becomes more of a lifestyle for employees and managers at every level of the organization (Mensah, 2015). All risks are owned, and the risk-return trade-off associated with each individual risk is internalized. According to Tohidi (2011), spreading risk ownership throughout an organization has become a critical concept in ERM; it associates each risk with the individuals who are closest to it and in the best position to assess it.

From an IT perspective, an effective ERM process focuses on an efficient IT security program. This focus does not mean the main goal is to protect IT assets alone, but to safeguard the organization's ability to perform its business. According to Stroie and Rusu (2011), the risk management (RM) process must not be regarded as just a technological function implemented entirely by IT professionals, but should be considered an executive function as well. In essence, ERM should enable management to identify what controls are needed to maintain the IT factors that increase the probability of success and decrease the uncertainty of achieving objectives. For an organization to implement an ERM program effectively, it must first understand the difference between traditional RM and ERM.

Traditional Risk Management Versus ERM

Organizations perceive risk management as a way to reduce consequences and uncertainty. RM is applied to all aspects of business, including finance, safety, health, planning, and project risk management (Nehari-Talet, 2014). According to Bojanc and Jerman-Blažič (2013), RM is the overall process that integrates the analysis and identification of the risks to which an organization is exposed. Even though RM is recognized as a standard practice in many organizations, there are distinguishing differences between the traditional approach and the holistic ERM approach to risk management.

Traditional Risk Management

Traditional risk management (TRM) primarily focuses on risk specific to a given function or job within an organization. TRM manages risk from a siloed, fragmented perspective, whereby RM is not integrated across the organization as a whole and little consideration is given to risks that could impede the organization's objectives (Hardy, 2014). Under TRM, organizations infrequently compare their risks to determine how they interrelate or to assess their cumulative effect on the organization. TRM has the specific objective of protecting the organization from financial losses and tends to create excessive cost for the organization. Furthermore, TRM does not provide a comprehensive, clear view of RM. Mensah (2015) noted that managing risks separately results in inefficiency due to the lack of coordination between divisions. If an organization integrates the decision-making process across all risk types, it has the potential to avoid risk expenditures and financial distress.

When it comes to shareholder value, TRM does not treat the organization's responsibility to investors as a consideration in decision making. Individual RM activities can reduce earnings volatility by decreasing the possibility of catastrophic losses (Liebenberg & Hoyt, 2003; Hoyt & Liebenberg, 2011). Paul and Vignno-Davillier (2014) asserted that TRM addresses risk assessment by identifying information assets and detecting and evaluating risks to those assets. These risk assessment approaches often limit their focus to managing uncertainties around physical and financial asset loss prevention rather than value. Researchers and practitioners in various fields of study have stated that, in today's business environment, TRM practices are no longer adequate to deal with today's threats. Anquillare (2010) asserted that as the economy becomes more global and companies become more complex, risk managers must remain vigilant of the ever-changing environment. Nehari-Talet (2014) also noted that organizations face several types of risk every day because changes in the world environment can introduce new risk. In today's business environment, risk refers to all actions, incidents, and events that could prevent an organization from realizing its goals, plans, and ambitions. Moving from the TRM approach to a more advanced one requires embedding RM activities within the business processes of the enterprise and establishing an RM repository. Some organizations are beginning to acknowledge that TRM procedures need to be broadened given the effects of several key wide-scale disasters and today's business conditions. Golshan and Rasid (2012) agreed, stating that in the current business environment organizations were becoming more risk-aware due to corporate governance scandals, improper financials, and terrorist threats. Organizations that expand their focus beyond conventional concepts to include political factors can gain significant growth potential (O'Donnell, 2005). Current events have established that a systematic, high-level approach to RM is needed that extends beyond the traditional scope of individual risk.

ERM

ERM should be viewed as a composition of TRM and risk governance, each contributing important elements. Enforcing risk governance in RM is often considered a transitional step beyond TRM. According to Lundqvist (2015), risk governance provides the structure of the RM system as well as the procedures and rules for making decisions regarding RM. Lam (2014) noted that ERM is a prominent discipline gaining acceptance as both a sound management approach and a governance best practice. ERM takes a more comprehensive approach to RM by aligning with the organization's business strategy while incorporating the organization's personnel. The comprehensive approach provides a means for dealing with risk, identifies and assesses the risks an organization may encounter, and examines potential control measures. Brustbauer (2016) pointed out that the current trend in RM is moving toward an all-encompassing risk perspective that is constantly evolving. RM under ERM is handled differently from the TRM approach of managing risks individually, which can be ineffective due to the lack of communication between departments and individuals.

According to Mensah (2015), ERM implemented institution-wide supports decision making across all risk types, and organizations can potentially avoid risk expenditure by exploiting natural hedges. The holistic approach of ERM contributes to reducing volatility by addressing risk across the organization's different entities, whereas TRM reduces volatility only from specific sources. The ERM approach also requires a more organization-wide support system for (a) assessing, (b) identifying, and (c) managing risk. Yazid et al. (2011) noted that when an organization adopts ERM into its business process, ERM helps identify all probable incidents that could affect the organization and helps determine its current risk appetite. Organizations that understand the importance of ERM consider it an integrated component of the organization's business strategy, whereas organizations using TRM view it as a separate component designed to protect the organization from financial loss. ERM also treats shareholder value as a responsibility to investors.

An Overview of TRM and ERM

The main difference between TRM and ERM lies in how each is applied. TRM addresses RM and its processes from a more isolated perspective in which the focus is on reducing the potential threat. Many organizations are implementing ERM processes to increase the effectiveness of their TRM activities (Berry-Stölzle, Altuntas, & Hoyt, 2011). ERM applies RM from a holistic perspective by applying it to all aspects of the organization (Liu, 2011; Paape & Speklé, 2012). Taylor (2014) asserted that ERM widens the TRM concept of threat reduction into managed risk acceptance aimed at increasing overall value. This concept allows ERM to apply risk-based decision making to all aspects that contribute to the objectives of an organization, such as (a) improved quality, (b) increased return, and (c) enhanced growth. ERM also requires that risk be recognized as both a threat and an opportunity.

Even though ERM encompasses TRM in all its forms within an organization, like TRM it still requires that ownership be assigned for each risk. ERM does not regard the ERM team as the sole owner responsible for all areas requiring RM, but views ERM as a task managed by everyone within the organization (Liu, 2011; Taylor, 2014). In ERM, the ERM team acts more as the guardian of the overall program. The program is then challenged through internal audits for assurance that the ERM team is operating it with the intention of providing the best value to the organization.

Two Approaches to Risk Management

Various methods exist for (a) identifying, (b) analyzing, (c) evaluating, and (d) monitoring and controlling risk across the different RM methodologies, but the goal of RM is the same: to maximize overall output while minimizing the chance of unexpected outcomes. Some organizations start small and take an incremental, step-by-step approach to identifying and implementing key practices to obtain immediate results. For other organizations, it makes more sense to first identify the major risks that can be handled and then expand from there (Curtis & Carey, 2012). It is also possible for an organization to implement a risk model differently across various areas; for example, one risk area could be addressed from a sound-practices approach and another from a risk-analysis perspective. Regardless of which approach is used, the decisive success factor is to focus on a governable collection of principal risks and then implement the lessons learned across the enterprise (COSO, 2011). Both the risk-analysis and best-practices approaches have been used and credited with helping organizations achieve RM success.

The Risk-Analysis Approach

The risk-analysis approach has various methods associated with it, which are frequently grouped as (a) standard, (b) professional, or (c) research methods. According to Saleh (2012), the risk-analysis approach addresses RM through the systematic identification and valuation of assets. The impact of many risk events is hard to estimate precisely, because one risk often triggers another and eventually causes a chain reaction, making measurement difficult (Kenett & Raphaeli, 2008). The risk-analysis approach addresses the threats and vulnerabilities to assets and uses various risk-analysis techniques to calculate a risk value. Louisot and Ketcham (2014) asserted that the probability of a risk occurring must be defined, and the impact that the particular risk would have on the project if it happened must be assessed. The result of the analysis is used to evaluate the identified risks or risk exposures and to justify methods of combating those risks. The main outputs of the risk-analysis approach are accurate results, effective protection measures, detailed documentation, and a risk matrix that indicates the position of each risk.
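As an added worked example (not part of the dissertation or of the cited works), the following Python script carries out the risk-analysis steps just described on a small constructed data set: it values each asset, scores each identified risk as likelihood times impact weighted by the affected asset's value, ranks the risks, and places them in a likelihood/impact matrix of the kind the approach produces. The asset register, the four risks, the three-point ordinal scales, and the response threshold are all assumptions made for illustration, not values from the study or from Saleh (2012), Kenett and Raphaeli (2008), or Louisot and Ketcham (2014).

```python
"""Qualitative risk-analysis worked example (added illustration, not from the dissertation).

Each risk is scored as likelihood x impact x asset value and then placed in a
likelihood/impact matrix so the highest-exposure items are visible at a glance.
All asset values, likelihood levels and impact levels below are constructed sample data.
"""
from dataclasses import dataclass

# Assumed 3-point ordinal scales for likelihood and impact (1 = lowest).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    rid: str          # identifier used in the risk register
    asset: str        # key into the asset register
    threat: str       # threat/vulnerability pairing being analysed
    likelihood: str   # key of LEVELS
    impact: str       # key of LEVELS


# Constructed asset register: asset -> relative value (1 = lowest, 5 = highest).
ASSETS = {"customer-db": 5, "build-server": 3, "wiki": 1}

# Constructed risk register produced by the identification step.
RISKS = [
    Risk("R1", "customer-db", "SQL injection via web app", "medium", "high"),
    Risk("R2", "build-server", "compromised CI dependency", "medium", "medium"),
    Risk("R3", "wiki", "page defacement", "high", "low"),
    Risk("R4", "customer-db", "insider bulk data export", "low", "high"),
]


def risk_score(risk: Risk, assets=ASSETS) -> int:
    """Risk value = likelihood x impact x value of the affected asset.

    Refusing to score a risk against an unregistered asset keeps the
    valuation step honest: every risk must map to something that was valued.
    """
    if risk.asset not in assets:
        raise ValueError(f"unregistered asset: {risk.asset}")
    return LEVELS[risk.likelihood] * LEVELS[risk.impact] * assets[risk.asset]


def risk_matrix(risks):
    """Return {(likelihood, impact): [risk ids]} covering every cell of the matrix."""
    matrix = {(lk, im): [] for lk in LEVELS for im in LEVELS}
    for r in risks:
        matrix[(r.likelihood, r.impact)].append(r.rid)
    return matrix


def rank(risks, assets=ASSETS):
    """Risks ordered by descending score; ties broken by id so output is deterministic."""
    return sorted(risks, key=lambda r: (-risk_score(r, assets), r.rid))


def treatment(score: int, threshold: int = 12) -> str:
    """Assumed policy: scores at or above the threshold need an explicit risk response."""
    return "respond" if score >= threshold else "accept/monitor"


if __name__ == "__main__":
    for r in rank(RISKS):
        s = risk_score(r)
        print(f"{r.rid} {r.asset:<13} {r.threat:<28} score={s:<3} {treatment(s)}")
    for cell, ids in risk_matrix(RISKS).items():
        if ids:
            print(f"likelihood={cell[0]:<7} impact={cell[1]:<7} -> {ids}")
```

Running the script ranks the customer-database risks first even though the insider-export risk has a low likelihood, which is the point of weighting by asset value: the matrix position (likelihood, impact) shows where a risk sits, while the score decides which ones cross the response threshold.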

The Best-Practices Approach

The best-practices approach was developed to address the issues associated with applying risk-analysis based methodologies. Best-practice organizations incorporate ERM into their overall business and strategic processes, which raises the importance and visibility of ERM in the organization. The best-practices approach uses various RM methods to achieve a particular RM goal. Saleh (2012) noted that various recommended security best-practice documents and security standards address ERM from different perspectives. The best-practices approach uses these documents to standardize security controls and quickly establish a baseline across the enterprise, working through a checklist to achieve its objectives (Wheeler, 2011). Yeo, Rolland, Ulmer, and Patterson (2014) posited that the checklist approach at times falls short because workflows and threats change over time. The best-practices approach is also heavily dependent on certification and compliance processes when addressing existing protection controls. Best-practice organizations often invest more heavily in tools and infrastructure than risk-analysis organizations do (Marchetti, 2012). This approach to RM provides increased transparency and broad employee usage, and it is often characterized by its (a) ease of use, (b) reduced cost, and (c) quick results.

The two RM approaches described above address RM differently, using distinct tools and techniques, but they share the goal of protecting enterprise resources by creating and defining security controls. The approaches also differ in their level of detail: some are high-level and provide only guidelines, while others are detailed and concentrate on better risk analysis. According to Wheeler (2011), an organization should not apply the best-practices approach aimlessly across all facets of the business, but should also use risk-analysis techniques to identify critical focus areas. In sum, each RM approach has strengths and weaknesses that need to be addressed during the RM transformation process, but both can be used within the RM program to create a very effective RM process.

The Origins of ERM

To truly appreciate what ERM brings to an organization, its roots must be acknowledged. The earliest form of RM as an organizational decision process can be traced back to the late 1940s and early 1950s (Crockford, 1982; Dickinson, 2001). RM at the time focused on pure risk, risk in which there is either a loss or no loss (Crockford, 1982; Dionne, 2013; Eick, 2003). Common examples of pure risk are (a) home ownership, (b) premature death, and (c) identity theft. The risk managers of the time worked and taught in the insurance field and were often tasked with administering the organization's insurance portfolio (Verbano & Venturini, 2011). The main focus of the pure risk approach was insurable risk, and the rationale for the approach was that hazards were considered the greatest short-term threats to an organization's financial position. Fires at that time were known to put a company out of business. Ferrer and Mallari (2011) noted that equipment, machinery, improvements, and buildings exposed to electrical disturbances and fires remain the greatest risk exposures because, even though the typical factory building is constructed of concrete, many such buildings are now more than 30 years old. Minimizing damage was the best contingency plan to keep the organization going, and organizations often found ways to reduce the occurrence of such events. At the time, there were few means to address other risk types. Risk managers figured out ways to quantify risk and created methods of evaluation and standardization, and from these efforts they developed an extensive terminology for managing risk.

In the 1970s, RM shifted from an insurance focus to the treatment of risk from a financial perspective, and financial risk came to be seen as a source of uncertainty to organizations. Dickinson (2001) stated that the shift was brought about by new financial derivatives, such as options, swaps, and financial futures, that were created to hedge financial risk. New tools were developed to handle financial risk, and these instruments allowed organizations to manage financial risk in the same manner as pure risk. The concern for financial risk arose from concern about (a) foreign exchange volatility, (b) interest rates, and (c) prices (Young & Tippins, 2000). Financial RM was developed by financial organizations to determine how much investment risk should be retained by the organization and how much should be offset through external arrangements (Malz, 2011). In essence, financial institutions began to consider carefully (a) how risk could be financed internally, (b) how to price risk, and (c) how to value the additional services of investment banks. In addition, organizations began to realize that financial risk and insurable risk should be managed together, because purchasing derivatives and purchasing insurance to hedge risk performed the same role.

Even though financial risk was a significant source of uncertainty to organizations, many organizations in the 1980s still did not consider applying RM techniques or tools to it. Merna and Al-Thani (2011) stated that the 1980s were the starting point for the first applications of system dynamics. Hopkin (2014) also acknowledged that the 1980s were a time when organizations were developing RM tools and techniques for market and credit risk. One reason for the lack of consideration for RM tools and techniques was that risk managers at the time regarded their skill set as a specialty, since it focused primarily on pure risk. When a new RM focus emerged, risk managers did not incorporate it into their domain (Dickinson, 2001). The failure to incorporate new risk focuses was costly to many organizations and to the RM field, and the refusal to expand into other areas of RM delayed the transition from traditional risk management (TRM) to ERM by some decades. In the end, the birth of ERM forced traditional risk managers into a broader form of risk analysis, one that incorporated all other forms of risk analysis.

The 1990s ushered in the first integrated frameworks; before then, RM was performed separately for each activity (i.e., a silo-based approach), with no interaction between activities. One reason frameworks were being created was rationalization in light of the prevailing economic perspective (Fraser, Simkins, & Narvaez, 2015). Carrel (2010) noted that the emergence of new economies under the North American Free Trade Agreement, in Central Europe, in Asia, and with China's entry into the World Trade Organization required RM to be addressed from a global perspective. Organizations began to notice changes in the competitive environment in terms of complexity and turbulence (Ballantyne, 2013). These concerns were due to the types of risk that organizations were taking into account, such as outsourcing and organized stakeholder groups that often placed the spotlight on social and environmental issues. In addition, the increased individualization of behavior, the global interconnectivity of organizations, and the financial and business scandals of the 1990s and 2000s made the risk society visible at the corporate level.

These events led to new regulations and codes of practice, such as the Sarbanes-Oxley Act, that expanded RM beyond the financial sphere and linked an organization's internal controls to RM (Dionne, 2013). Arena, Arnaboldi, and Azzone (2010) and Mehta (2010) argued that the new holistic approach to RM gave organizations a means of addressing broader ranges of risk during the analysis phase. RM was no longer addressed from just a financial perspective but was viewed as a corporate governance requirement because of its relation to internal control. The relationship between internal control and RM made the concept of RM broader and more systematic in its approach, and this all-encompassing approach helped usher in various standards and frameworks to address RM. Table 1 displays the evolution of RM from its traditional silo approach to the holistic strategic approach used currently.

Table 1

Evolution of Risk Management

Transactional (1940-1960): Traditional Risk Management
  Purchase insurance to cover risks
  Claims management handled
  Hazard-based risk identification
  Compliance issues addressed separately
  "Silo" approach; RM is not integrated across the institution

Integrated (1970-1980): Advanced Risk Management
  Greater use of alternative risk financing techniques
  More proactive about preventing and reducing risk
  Integrates safety, claims, emergency management, and contracts review into the RM process
  Cost allocation used for education and accountability
  More collaboration between departments

Strategic (1990-Current): Enterprise-Wide Risk Management
  A wide range of risks are discussed, reviewed, and evaluated
  Aligns RM with the organizational strategy
  Helps in the management and growth of the RM program
  Risks are owned by all and mitigated at the department level
  Many risk mitigation and analytical tools are available

Note: Data are adapted from Gallagher (2009).

Common Frameworks, Approaches, and Standards of ERM

For an organization's RM system to function effectively, it has to be able to coordinate with the various entities responsible for risks. In many organizations, corporate RM is regarded as the highest level of RM, which needs to be addressed from a holistic perspective (Mensah, 2015). It is important to point out that ERM can vary in its level of embeddedness, cultural significance, and calculative practices. Arena et al. (2010) and Brown (2013) noted that for ERM to be efficient, organizations have to create an RM culture that permeates current practices and the behavior of management. It is through collaborative effort that risk is defined to include any action that could prevent an organization from achieving its objectives, that risk practices are reinforced with employees, and that risk is managed in an enterprise-wide fashion. Over the years, various frameworks and standards have been created to address ERM and IT resources. These standards and frameworks share many similarities regarding the identification, assessment, and management of risk. Because of limitations in space, only an overview of some of the most common standards and frameworks is given here: the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, the International Organization for Standardization (ISO) 27000 series, Risk IT, the ISF Standard of Good Practice for Information Security (The Standard), and the National Institute of Standards and Technology (NIST) 800 series (Ahmad & Mohammad, 2012).

COSO

Researchers have often credited the COSO ERM framework, released in 2004, with starting the holistic approach to RM. The framework was created in response to organizational needs for a structured approach to managing the uncertainty surrounding three objectives: (a) effectiveness and efficiency of operations, (b) compliance with laws and regulations, and (c) reliability of financial reporting (Arena et al., 2010). The COSO framework describes ERM as a process effected by an organization's board, management, and other personnel and applied in strategy setting across the whole enterprise. The COSO framework depicts ERM from a managerial perspective and defines specific normative elements. COSO provides precise design and implementation guidance and is represented by a three-dimensional matrix (the COSO cube) relating eight components deemed necessary for achieving strategic, operational, reporting, and compliance objectives (Arena et al., 2010).

The ISO 27000 Series

The ISO 27000 series (e.g., ISO 27001 and ISO 27005) is a set of standards published by the International Organization for Standardization that focuses on information security. The ISO 27001 standard addresses the information security management system (ISMS). Mataracioglu and Ozkan (2011) noted that the objective of ISO 27001 is to specify the requirements for (a) establishing, (b) implementing, (c) operating, (d) monitoring, (e) reviewing, (f) maintaining, and (g) improving an ISMS within an organization. The standard was designed to ensure that security controls are sufficient and balanced to guard information assets (Bahtit & Regragui, 2013). Watkins and Calder (2015) stated that ISO 27001 forms the basis for an assessment of the ISMS of the whole or part of an organization, because it is the recognized standard dedicated to IS management.

According to Ahmad and Mohammad (2012), ISO 27001 uses a model for establishing, implementing, monitoring, and improving the overall effectiveness of an organization's ISMS. Organizations that adopt ISO 27001 as a means of achieving an effective ISMS often overlook the fact that the standard is meant to be applied at a high level. The ISO 27002 code of practice provides controls that an organization could adopt to address IS risk. Because ISO 27002 contains only guidelines rather than certifiable criteria, organizations are often advised to implement additional controls or suites of IS controls to accommodate their needs. Watkins and Calder (2015) noted that ISO 27002 provides an international best-practice framework that gives guidance on implementing controls. ISO 27002 is often viewed as a companion or extension to ISO 27001, because many organizations that adopt ISO 27001 also adopt ISO 27002.

ISO 27005 was designed to fill gaps that existed in ISO 27001 and ISO 27002. It addresses information security risk management (ISRM) by supporting the ISMS requirements, but it does not provide any specific methodology (Everett, 2011). Faris, Hasnaoui, Medromi, Iguer, and Sayouti (2014) also noted that ISO 27005 does not define or recommend any particular risk analysis method, although it specifies that a rigorous, systematic, and structured process should be used. ISO 27005 applies to all organizations and describes the management of risk in detail without prescribing a given methodology. The standard also contains six annexes that are informative only (Faris et al., 2014). With proper customization, the annexes together with the body of ISO 27005 can be used as a methodology for assessing security risks. ISO 27005 helps IT administrators and managers apply a common approach to risk, which makes it easier to agree on how risk should be addressed.

Risk IT Framework

ISACA (the Information Systems Audit and Control Association) created the Risk IT framework (TRITF) after recognizing that a comprehensive IT risk framework was needed to complement COBIT. COBIT focused on developing and defining IT control objectives that set good practice for RM; TRITF sets good practice by providing a framework for organizations to identify, govern, and manage IT risk (ISACA, 2009). Ahmad and Mohammad (2012) noted that TRITF is built on a set of principles derived from commonly accepted ERM practices applied to the IT domain. TRITF applies these principles through an all-inclusive approach and process model to RM that addresses all risks related to the use of IT, from organizational culture to operational issues (Nishani, 2014). Key activities are grouped within the process model into a number of processes, which are associated with the three domains of (a) risk governance, (b) risk evaluation, and (c) risk response.

The Standard of Good Practice for Information Security

The ISF (2014) created the Standard of Good Practice for Information Security (The Standard), aimed at major international and national organizations, as a resource for organizations committed to addressing organizational risk (Tofan, 2011). ISF (2014) stated that The Standard addresses all aspects of IS across the four main categories of security governance, security requirements, control framework, and security monitoring and improvement, and is split into six areas: (a) security management, (b) critical business applications, (c) computer installations, (d) networks, (e) system development, and (f) the end-user environment. The Standard acts as a complete, up-to-date reference for creating original organizational security measures as situations within the organization change. It also provides comprehensive coverage of controls included in other frameworks and standards (e.g., ISO 27001, COBIT, NIST) and enables compliance with them (Tofan, 2011). The Standard also covers current topics not covered by other standards and frameworks, such as cybercrime attacks, mobile devices, and data privacy.

The NIST 800 Series

NIST, an agency of the U.S. federal government, is responsible for measurement science, standards, and technology, including computer security guidance for federal information systems. The agency publishes standards and guidance that address various technology-related issues across industry. The 800 series grew out of extensive analysis of cost-effective, practical approaches for optimizing the security of IT systems. The suite of publications that NIST provides to address ISRM is often considered best practice for specific objectives in the computer security domain (Stoneburner, Goguen, & Feringa, 2002). The publications cover NIST-recommended measures and criteria for assessing and documenting the vulnerabilities and threats related to risk events.

SP 800-30 is a guide for conducting risk assessments; it specifies the fundamentals of RM and describes how organizations can perform risk assessments. Its guidelines are meant to point IT security personnel toward proper risk assessment. The risk assessment model considers all relevant threats and risks during an assessment. SP 800-30 covers three ways of measuring risk in an assessment, (a) quantitative, (b) qualitative, and (c) semi-quantitative, and three analysis approaches: threat-oriented, asset/impact-oriented, and vulnerability-oriented. The publication provides an integrated view of information security risk that can be applied across an enterprise. Stoneburner et al. (2002) noted that, depending on the size of the organization or the scope of the assessment, the measurement technique can be changed to suit organizational needs, and that this flexibility makes it easier to develop a new, customized risk assessment program based on the NIST framework.

SP 800-37 contains guidance on applying the NIST Risk Management Framework and security controls to federal information systems. NIST (2010) described SP 800-37 as addressing security categorization, security control selection, implementation, security control assessment, information system authorization, and security control monitoring. The guidelines in SP 800-37 help ensure that the management of security risk is consistent with the organization's mission and risk strategy (NIST, 2010). SP 800-37 also helps organizations ensure that security requirements are integrated into the system development life cycle and the organization's architecture.

SP 800-39 covers the components of and approaches to RM and is supported by other NIST publications. Das (2015) described SP 800-39 as a guide for integrating an organization-wide program for managing information security risk with organizational operations. The guidelines were developed broadly, from a technical perspective, and can be applied to any entity. According to Ross, Katzke, Johnson, Swanson, and Stoneburner (2008), SP 800-39 is complementary to a more comprehensive ERM program. SP 800-39 addresses RM in terms of four components: (a) framing risk, (b) assessing risk, (c) responding to risk, and (d) monitoring risk.

Comparison and Contrast

The frameworks and standards mentioned share the premise that enterprise risk must be identified, assessed, and managed (Yeo et al., 2014). Each framework and standard has strengths and weaknesses, and each defaults to a generic approach that could be carried out more or less as a checklist. According to Yeo et al. (2014), the administration of risk is frequently based on a decision about which risks to accept and which to transfer. Risk is mitigated by placing one or more controls at specific steps in the business process. Often, the control mechanism put in place is a specific technology, such as logical access control, or a procedure, such as management oversight. It is important to note that the controls put in place under a given standard or framework have varying degrees of reliability in detecting and preventing fraudulent information moving through the organization (Yeo et al., 2014).

Both the COSO and NIST frameworks are known and implemented throughout the IS industry, but in many cases a particular model is selected for various reasons. The NIST framework is often referred to as a federally oriented framework and is viewed as an IS-risk-inclined framework (Stoneburner et al., 2002). The NIST framework addresses the risk that could occur if an organization's information systems were compromised and takes account of the organization's structure, procedures, and processes. The COSO framework is often viewed as better suited to addressing corporate risk than the NIST framework. Das (2015) stated that COSO gained the trust of corporations because it was created by five private-sector accounting and auditing organizations, whereas the NIST framework was created by a federal agency. Furthermore, the COSO framework is considered more flexible because it can be applied to organizations of varying sizes. Both frameworks have similar components but differ in the nature of those components (Das, 2015). For example, NIST, within its information-system scope, has a "respond" component, whereas COSO has "information and communication." The RM process within the NIST framework is a procedure, whereas in COSO it is a set of reference points consisting of operational and strategic objectives (O'Donnell, 2005). Paape and Speklé (2012) asserted that COSO provides only broad guidance, suggesting fundamental principles and concepts and leaving the details of adoption to the organization. In addition, the NIST framework is more modular because of its separate publications, whereas COSO is designed more generically for organizations with large financial operations.

When comparing the NIST framework to the ISO 27000 series, Risk IT, and The Standard, it is important to reiterate that the NIST framework was geared toward government agencies. This narrower audience leaves the NIST framework's approach to RM less holistic than that of the other three. NIST, the ISO 27000 series, and The Standard focus on supporting security risk assessments, whereas Risk IT operates at a wider IT RM scope (ISACA, 2009; Stoneburner et al., 2002; Wieczorek-Kosmala, 2014). Because of its association with COBIT, Risk IT is considered to be aligned with the ISO 27000 series (ISACA, 2009a). In addition, The Standard is derived from the ISO 27000 series and COBIT and is updated annually, whereas the other approaches are updated as needed (ISF, 2014; Tofan, 2011).

Every framework and standard has strengths and weaknesses that affect whether an organization will adopt it. Wheeler (2011) acknowledged that organizations could implement a given risk model differently across functional areas based on those strengths and weaknesses. Before an organization can succeed in adopting and implementing a particular framework or standard, it should first understand its current enterprise requirements and objectives and take into consideration the overall purpose and function of the standards and frameworks mentioned. Vladimirov, Gavrilenko, and Mikhailovsky (2010) noted that an organization would have difficulty transferring, retaining, or reducing risk without a prior professional evaluation of its needs and goals. If an organization does not conduct a proper assessment of its current RM needs, it could end up adopting an implementation that works in some cases but not in others. Ahmad and Mohammad (2012) also noted that an RM implementation should not be considered a one-size-fits-all solution: what works for one organization may not work in, or have the same effect in, another, because it is difficult to write a document that applies to all organizations. In many cases, organizations use a customized approach in which more than one standard or framework is implemented. A customized approach builds on the expertise and experience of the organization's personnel in a way that best fits its enterprise requirements (Ahmad & Mohammad, 2012). In sum, an organization does not have to use the controls prescribed by a standard or framework but can build its own controls to address the threats and vulnerabilities specific to its type of business. The added benefit of such an approach is that it allows the organization's RM practices to evolve and mature while maintaining alignment with organizational needs.

Influences for ERM

The factors contributing to the adoption of ERM are both internal and external. Some of the external influences that have driven many organizations to address RM from a broader, holistic perspective are (a) globalization, (b) industry consolidation, (c) increased regulatory attention, (d) deregulation, (e) corporate governance, and (f) technical advances in analysis and quantification (Caldarelli, Fiondella, Maffei, Spanò, & Zagaria, 2012; Liebenberg & Hoyt, 2003). The internal factors relate to increasing shareholder wealth, market expectations, internal audits, and bring-your-own-device policies (Mensah, 2015). In addition, the lack of transparency about how enterprise risk is managed has become a factor as well. In sum, the increased interest in ERM is driven by an organization's goal of managing risk effectively to achieve business objectives and sustain operations.

According to Liebenberg and Hoyt (2003) and Beasley, Clune, and Hermanson (2005), increased regulatory compliance and governance is often regarded as the major external factor affecting the adoption of ERM. New regulations regarding internal controls in the U.S., Canada, the United Kingdom, and Germany, such as anti-money-laundering regulations, the Gramm-Leach-Bliley Act, the KonTraG legislation, the Basel Capital Accord, and the Combined Code, have forced many organizations to embrace ERM as the best approach to regulatory compliance (Liebenberg & Hoyt, 2003). Even though there are no specific regulatory mandates requiring ERM, COSO (2004) noted that regulatory developments regarding uncertainty have created a climate in which ERM can facilitate compliance through an infrastructure and process that strengthens the enterprise's focus on enhancing and protecting enterprise value. In sum, increased community demand for more methodical disclosure and institutional shareholders' RM policies have placed significant pressure on organizations to adopt ERM.

Other factors that contribute to ERM adoption are environmental uncertainty (EU) and firm size. Malik and Holt (2013) described EU as the external forces that affect an organization's overall performance with regard to (a) organizational structure, (b) customer and supplier relationships, and (c) operations. EU is difficult for many organizations to deal with because of the increased volatility of future events affecting the organization. The risks associated with an organization, and the proper reaction to those risks, will likely vary depending on the EU confronting it. Hoyt and Liebenberg (2011) considered an organization's size and organizational structure to be positively related to the adoption of ERM. Organizations with expansion prospects often face more uncertainty and require improved RM practices to guide expansion in the best direction, given the increased number of potential opportunities (Beasley et al., 2005). COSO (2004) also endorsed the significance of organizational size when designing an ERM system. In essence, many organizations associate their size with the need to apply holistic RM approaches such as ERM.

Benefits of ERM

The main advantage that ERM offers an organization is the capability to manage risk across the enterprise and to improve the linkage between financial RM and operational RM. According to Anquillare (2010), this approach to RM creates options for identifying, evaluating, mitigating, financing, and transferring risk. In essence, ERM improves corporate governance through the delivery of risk assurance. Another benefit to an organization implementing an ERM program is reduced volatility: ERM stabilizes earnings by lessening losses related to the interdependencies of traditional risk classes (Liebenberg & Hoyt, 2003). In sum, ERM reduces risk exposure in major areas that were once difficult to manage. Another benefit to many organizations is better capital allocation, through reduced costs associated with risk-shifting and asset-substitution problems. Lastly, ERM helps organizations increase their stock price by providing a competitive advantage to organizations that demonstrate strong ERM discipline and capability (Farrell & Gallagher, 2015; Grace et al., 2015).

Regarding corporate governance, ERM helps improve the relationship between the board and RM, because the board becomes more involved in the risk-management process, and organization-wide guidelines for RM are often implemented as a result. Organizations have also noticed improvements in business processes. Tao and Hutchinson (2013) posited that the board of directors should be acknowledged as a crucial component of corporate governance, on the assertion that the characteristics of board members determine the board's ability to monitor compliance with applicable regulations and laws. A risk-aware board of directors can contribute to increased enterprise awareness of outdated risks among operational RM personnel. Malik and Holt (2013) agreed that enterprise controls today are considerably influenced by public policy debates on RM and corporate governance issues. Furthermore, Carden, Boyd, and Valenti (2015) considered RM and oversight to be a subset of overall corporate governance.

Risk managers have benefited from ERM through improved decision-making procedures regarding corporate strategy. Anquillare (2010) noted that ERM gives risk managers a new sense of responsibility for providing information to senior officers, the board, or committees of the board. For risk managers, the traditional (i.e., silo) approach to risk assessment has always been the major focus, but under ERM critical risk includes all risks, not just those in a given area. Lundqvist (2014a) acknowledged that the popularity of ERM has been significantly affected by regulatory frameworks. An ERM approach to compliance can dramatically reduce control maintenance and compliance testing and reduce external audit fees. Arnold et al. (2011) addressed how an ERM approach to compliance can create a strong system of internal controls that establishes procedures early for addressing newly mandated regulatory changes. The compliance benefit of ERM arises because, in many organizations, SOX compliance in IT is handled by one group and internal controls in the financial division by another, without direct communication between them. Through ERM, the separate functions are addressed together, which in many cases reduces work (Segal, 2011). Lastly, organizations often realize greater operational efficiency and profitability because ERM helps remove redundancy and overlap between IT and SOX business controls.

IT Effectiveness

Kurien, Rahman, and Purusottam (2004) defined IT effectiveness (ITE) as a measure of how well an organization's IT function develops appropriate technology or business solutions so that the organization can grow and operate according to its plans and business strategy, working within its constraints and behaving in its own style. Sevgi, Murat, and Semih (2008) defined ITE as the overall extent to which a given information process contributes value to an organization. Tallon (2011) described ITE as the ability to apply IT successfully to deliver, enhance, and support the organization's business strategy by adding tangible value. Even though different definitions exist, the basic premise of ITE is that it directly affects an organization's performance and productivity (Byrd & Davidson, 2006). ITE is usually viewed as a gauge for examining and measuring an organization's IT flexibility and IT-business strategic alignment in enabling the delivery of business solutions to the organization. Tallon, Kraemer, and Gurbaxani (2000) asserted that many organizations use ITE and efficiency to improve productivity and performance and to reduce cost. González-Benito (2007) found that IT investment and ITE are related to an organization's strategic integration with the business and to its performance. Current researchers have shown that organizations that spend more on IT upgrades have improved value and performance over time.

A current review of the literature on ITE reveals only four distinct research streams: (a) justification research, (b) criteria-relationship research, (c) measurement research, and (d) statistical-antecedent ITE research (Grover, Jeong, & Segars, 1996). Justification researchers address ITE from the standpoint of criteria drawn from other disciplines and theories regarding (a) economics (i.e., cost and benefit), (b) methodologies, (c) profit, (d) return on assets, and (e) firm performance (Grover et al., 1996). Many researchers have used criteria-relationship research to evaluate various criteria associated with ITE. For example, Ives, Olson, and Baroudi (1983) investigated system usage and information satisfaction through a survey of 200 production managers; Ein-Dor, Segev, and Steinfield (1980) studied the relationship between primary information system criteria and system success; and Robey (1979) evaluated the value of rewards received as a result of information system performance. Statistical-antecedent ITE research focuses specifically on the determinants of ITE, observing from a statistical perspective the independent variables that could affect effectiveness rather than a given criterion, where the antecedents can be organizational or individual in nature. Researchers have used measurement research to explain the attitudes, beliefs, and perceptions associated with ITE characteristics. Finally, a considerable amount of ITE research has been based on measurement research because of its ability to produce valid and reliable instruments that can be used to measure complex patterns (Grover et al., 1996).

43
Research on ITE, in general, is non-cumulative and fragmented; the only true way to measure the ITE of an organization is to take into account the business goals of that organization. Various studies across varying fields of business have attempted to measure ITE through some criterion. One of the best-known attempts to measure ITE was conducted by Delone and McLean (1992), by way of defining a dependent variable that measured IS success or MIS effectiveness. Delone and McLean proposed a six-dimension multidimensional taxonomy that identified effectiveness, with dimensions including (a) personal impact, (b) organizational impact, (c) user satisfaction, (d) system quality, and (e) information quality. Each dimension is independent yet interrelated, and together they form the model's components to create an instrument that serves to measure ITE. Other researchers have utilized other criteria to gauge ITE. For example, IS usage was the criterion utilized by Ein-Dor and Segev (1978) to identify the organizational variables influencing the failure and success of MIS. IS usage was also utilized by Raymond (1990), using organizational context variables selected on the basis of the theoretical framework presented by Ein-Dor and Segev (1978), which focused on IS sophistication in terms of time frame, resources, maturity, and size. User information satisfaction was the criterion utilized by Baroudi and Orlikowski (1988) to create a framework to detect and diagnose problems with user satisfaction. King and Rodriguez (1978) utilized the quality of decision-making criterion to develop a process through which IS systems could be evaluated. Franzl and Robey (1986) used system quality to investigate organizational factors linked to perceived system practicality and user participation in information system development. The research studies mentioned above showed that ITE research had provided a solid foundation for evaluating ITE based on system characteristics derived from individual responses, but provided no true theoretical framework for placing the measure within the greater context of overall ITE.

The lack of a true ITE framework has caused some researchers to question the overall scope of performance measurements of ITE; that is, whether ITE should be judged by criteria other than the ITE criterion itself. Cooper and Quinn (1993) mentioned that there is a gap in the literature regarding ITE because there is no clear ITE theory. Melone (1990) noted that there appears to be no theoretical model or explanation addressing ITE. Kanungo, Duda, and Srinivas (1999) also asserted that IS research lacks an accepted model to assess ITE. Even though no clear-cut model exists for ITE, several researchers have attempted to develop frameworks to address the issue. For example, the IS success model by Delone and McLean (1992) has been instrumental in structuring the concept of ITE. The research conducted by Cooper and Quinn (1993) helped develop a framework for ITE that links IS characteristics to organizational effectiveness. Pitt, Watson, and Kavan (1995) developed a logical model that illustrated the determinants of IT service quality expectation. Finally, Kanungo et al. (1999) developed a comprehensive ITE evaluation framework that resolved many of the dilemmas of traditional evaluation approaches.

Summary

Organizations expend a considerable amount of capital and resources on their information systems to provide a sustainable competitive advantage. One approach to efficient use of IT investment is through increased value to stakeholders. The overall challenge of risk management is determining what risk the organization is prepared to address while enhancing stakeholder value (Liu, 2011). Through ERM, researchers can address organizational risks from a holistic perspective and take into consideration the scopes, processes, and people within the organization (Anquillare, 2010). The ERM method of addressing risk offers a more comprehensive approach to minimizing hazard and risk and, in turn, increases shareholder value.

In order for ERM to be effective, an organization requires coordination and interaction amongst risk owners across the whole organization. Also, ERM requires that risk owners be capable of detecting potential issues as they occur and preventing risk (Babu, Babu, & Sekhar, 2013). In essence, operational-level risk owners must have considerable authority, control, communication, and knowledge of the systems they manage. ERM can be a powerful enhancement to the organization if the organization implements an integrated RM strategy that analyzes risks at the component levels of the enterprise environment and focuses on organizational priorities and impacts (Shad & Lai, 2015). Organizations must evaluate or measure RM on various criteria; one of the most important is the specific contribution that RM provides to organizational effectiveness. If RM is not deemed effective, it could lead to invalid performance criteria, which would result in misguided decisions regarding the delivery of IT services (Ballantyne, 2013).

CHAPTER 3. METHODOLOGY

The purpose of this non-experimental quantitative correlational study was to assess the constructs and correlations associated with enterprise risk management and IT effectiveness. Using information flow theory, catastrophe theory, and the risk management framework, the researcher examined how four risk management constructs affect overall IT effectiveness. The results contribute to the enterprise risk management literature and inform IS security practitioners and chief information officers (CIOs) by providing an integrated perspective on how enterprise risk management influences IT effectiveness. Furthermore, the research questions identified the key enterprise risk management constructs that affect IT effectiveness. The findings from the study are useful to organizations seeking to make informed decisions addressing risk management within their organization.

Theoretical Foundation

Two different theories and a risk framework helped form the base of the non-experimental quantitative correlational study. Both theories and the framework address various aspects of enterprise risk management but correlate with each other when addressing risk management as a whole. A normative approach to risk management is utilized in the research study because it is the most useful approach for tackling risk management issues. Bayraktarli (2009) acknowledged that risk is an analytic and prescriptive concept, and the normative approach is designed to address risk assessment and evaluation. The researcher describes the two theories and the framework utilized below.

The information flow theory (IFT) developed by Barwise and Seligman (1997) provides a mathematical framework that models the laws governing information flow in distributed systems. IFT is based on the concept that information flow is attributed to distributed system regularities, and some components contain information about other components (Liang, 2013). In essence, the more regularities a given system has, the more information flows; the more random the system, the less information flows. Information flow security is concerned with how information is permitted to flow through a computer system without security violations. IFT is a crucial component of the research study because it is essential to consider the flow of information when addressing any aspect of risk management. According to Winter, Zhao, and Aier (2010), current IS models require that information from higher security levels be prevented from leaking into lower security areas. The controlling of information flow is the central element of any risk management strategy.
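The rule that information must never leak from a higher security level into a lower one can be checked mechanically with a label lattice: every data item carries a label, a derived value carries the join of its sources' labels, and a flow is permitted only when the destination label dominates the source label. The following is an added Python example written for this page; it is not code from the dissertation or from the authors it cites, and the level names, compartment names, data-store names and assignments are constructed for illustration.

```python
"""Added example: a lattice-based information flow check.

Each data item carries a label (level, compartments). Information may flow from a
source to a destination only when the destination label dominates the source label,
so nothing classified higher can reach a lower-labelled sink. The labels, store
names and assignments below are constructed for illustration.
"""
from typing import Dict, FrozenSet, List, Sequence, Tuple

Label = Tuple[int, FrozenSet[str]]  # (ordered sensitivity level, need-to-know compartments)

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def label(level: str, *compartments: str) -> Label:
    """Build a label from a level name and zero or more compartment names."""
    return (LEVELS[level], frozenset(compartments))


def can_flow(src: Label, dst: Label) -> bool:
    """Flow is permitted only if dst dominates src: level not lower, compartments a superset."""
    return src[0] <= dst[0] and src[1] <= dst[1]


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the label any value derived from both a and b must carry."""
    return (max(a[0], b[0]), a[1] | b[1])


def check_flows(declared: Dict[str, Label],
                assignments: Sequence[Tuple[str, Sequence[str]]]) -> List[str]:
    """Describe every assignment dst <- sources whose derived label may not flow into dst."""
    violations = []
    for dst, sources in assignments:
        derived = label("public")  # bottom of the lattice
        for name in sources:
            derived = join(derived, declared[name])
        if not can_flow(derived, declared[dst]):
            violations.append(f"{dst} <- {' + '.join(sources)}")
    return violations


# Constructed sample: declared labels for a few data stores and the data movements between them.
SAMPLE_LABELS = {
    "hr_salary": label("confidential", "hr"),
    "finance_total": label("confidential", "finance"),
    "exec_dashboard": label("secret", "hr", "finance"),
    "internal_memo": label("internal"),
    "public_report": label("public"),
}
SAMPLE_ASSIGNMENTS = [
    ("exec_dashboard", ["hr_salary", "finance_total"]),  # up the lattice: allowed
    ("internal_memo", ["public_report"]),               # public -> internal: allowed
    ("public_report", ["internal_memo"]),               # internal -> public: leak downward
    ("finance_total", ["hr_salary"]),                   # same level, wrong compartment: leak sideways
]


def demo() -> List[str]:
    """Run the check over the constructed sample and return the violations found."""
    return check_flows(SAMPLE_LABELS, SAMPLE_ASSIGNMENTS)


if __name__ == "__main__":
    for v in demo():
        print("flow violation:", v)
```

The compartment check matters as much as the level check: two stores at the same level but with different need-to-know sets still must not feed each other, which is why the sample flags the sideways move as well as the downward one.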

Catastrophe theory, created by French scientist René Thom (1972), addresses concepts and rules about the steady and discontinuous states of an item. Wang et al. (2014) noted that the catastrophe model can model interrupted and irreversible changes reliably by looking at responses produced by drastic, sudden changes from one equilibrium state to another. In the research study, catastrophe theory is most applicable when assessing the risk construct and the monitoring construct. In risk management, risk is regarded in terms of risk levels; in catastrophe theory, catastrophe membership values help to determine risk levels. Potential changes to the current state of operation caused by changes of circumstances are addressed in both the research study and catastrophe theory.

The risk management framework (RMF) created by the National Institute of Standards and Technology (NIST) provides the basis for the non-experimental quantitative correlational study. RMF addresses the four crucial components of a successful risk management program: (a) frame risk, (b) assessed risk, (c) response to risk, and (d) monitoring risk. In the research study, the researcher addressed the four components mentioned as key constructs that approach risk management from the perspective of it being an activity that requires the involvement of the entire organization. In conclusion, the information flow theory, catastrophe theory, and RMF measure which key enterprise risk management constructs are affecting an organization's IT effectiveness.

Research Design

The researcher utilized a non-experimental, survey-based, correlational approach in the current study. The researcher selected a correlational research approach because it (a) enabled data to be collected from a large number of potential participants who meet a specific requirement, (b) provided a method for describing complex data, and (c) allowed inferences of a statistical nature to be made about a population based on observations (Bulmer, Gibbs, & Hyman, 2010). When generalizing to a large population by utilizing a sizable sample of data to determine associations between two or more variables, the correlational cross-sectional survey approach is often deemed applicable (Markovitz et al., 2012). Moreover, a recent literature review revealed various studies utilizing the same approach and similar strategies of inquiry to evaluate other hypotheses (Cook, 2011).

The researcher utilized the correlational approach to determine the relationships between the frame risk, assessed risk, response to risk, and monitoring risk constructs of enterprise risk management and IT effectiveness. The researcher gathered data using a survey approach centered on correlation-level examinations involving the constructs mentioned above. The results from the research study provided information regarding which enterprise risk management construct contributes most significantly to IT effectiveness. Additionally, an analysis of the quantitative data revealed the correlational relationships among the risk management constructs as well. The researcher utilized an online survey instrument to collect respondent information. The researcher followed quality indicators regarding collecting data, population sampling, and instrument design (Creswell, 2009). The researcher selected the sample from the study population using an adequate sampling frame. The research instrument utilized in the study included only closed-ended questions.

Conceptual Model

The extended conceptual model of the study is shown in Figure 2 below. It displays the relationships of the hypothesis statements that the researcher addressed.

Figure 2. Extended conceptual model of constructs and the primary elements used to measure enterprise risk management.

Operational Definition of Variables

To evaluate the constructs of frame risk, assessed risk, response to risk, monitoring risk, and IT effectiveness, the researcher describes below the elements from preceding research that the researcher utilized.

Frame risk (FR): The frame risk variable addresses the current extent of the risk management context being dealt with by an organization. Frame risk is associated with the risk frame construct and acknowledges the components that support and sustain risk management throughout an organization. The focus of the frame risk variable is on whether or not the organization has established foundations and organizational arrangements to address the organization's enterprise risk. The components which make up the frame risk variable address policies and procedures, accountability, security awareness, security organization, and executive management support. The primary elements that the researcher used to assess the risk frame construct are related to the frame variable and were taken from preceding research by Lundqvist (2014a), which was used to evaluate an organization's integral ERM components. The research questions, questions one through six, assessing risk management strategy were represented by ordinal data and utilized a 4-point Likert-type scale. In this non-experimental quantitative correlational study, the researcher utilized the same method of approach to measure the FR variable.

Assessed risk (AR): The assessed risk variable regards whether an organization has assessed the potential risk-related issues within the organization. Assessed risk is associated with the assessment of risk construct and focuses on whether an organization has assessed enterprise risk and set risk levels for those risks. The components that make up assessed risk address (a) whether the organization maintains an inventory of systems, (b) whether a current risk assessment exists for systems, (c) whether information owners understand the risk associated with systems under their control, and (d) whether risk levels have been set to address enterprise risk. The primary elements that the researcher used to measure the assessed risk construct were taken from prior research by Lundqvist, which the researcher used to evaluate ERM practices (Lundqvist, 2015; Lundqvist, 2014a; Lundqvist, 2014b). The research questions used by Lundqvist were represented by ordinal data and utilized a 4-point Likert-type scale. The specific questions to assess the assessed risk construct were appropriately suited for the study.

Response to risk (RTR): The response to risk variable addresses the extent of the organization's response to risk. The response to risk variable is associated with the response to risk construct and contains components that acknowledge an organization's (a) development of alternative courses of action, (b) implementation of risk responses, (c) disaster recovery, and (d) incident handling. The primary elements that the researcher used to measure the response to risk construct were taken from prior research by Lundqvist and were represented by ordinal data and utilized a 4-point Likert-type scale. The specific questions to assess the response to risk construct were appropriately suited for the study.

Monitoring risk (MR): The monitoring risk variable assesses whether an organization can monitor risk over time. The monitoring risk variable is associated with the monitoring risk construct and contains components that acknowledge an organization's (a) periodic review process for risk processes, (b) independent evaluation, (c) remedial activities, and (d) security controls testing. The primary elements that the researcher used were taken from Lundqvist and were represented by ordinal data and utilized a 4-point Likert-type scale. The specific questions to assess the monitoring risk construct were appropriately suited for the study.

IT effectiveness (ITE): The IT effectiveness variable addresses whether enterprise risk management has enhanced IT capabilities. The IT effectiveness variable is associated with the IT effectiveness construct and contains components regarding (a) overall quality of service, (b) users' satisfaction, and (c) the helpfulness of the IT staff. The ITE definition is associated with the IT effectiveness construct and is acquired from a previous study by Tallon et al. (2000), which was used to evaluate the business value of information technology. The Tallon et al. (2000) study addressed constructs related to user satisfaction, the overall service quality of IT, and IT staff helpfulness. The specific research questions to assess IT effectiveness were all represented by ordinal data and utilized a 7-point Likert-type scale (Tallon et al., 2000).

To maintain the same reliability and validity results as the earlier investigative methods and instrumentation by Lundqvist (2014a) and Tallon et al. (2000), 4-point and 7-point Likert scales were utilized in the study to represent data values ordinally. Likert scales are frequently used to evaluate attitudes, provided a range of responses is utilized and values fall within the ordinal level of measurement (Shing-On, 2011).

Research Questions and Hypotheses

The researcher retrieved the four independent variables in the non-experimental quantitative correlational study from the NIST (2010) publication regarding the managing of IS risk. The publication guided managing security risk in unison with organizational operations and focused on four constructs of risk management. The dependent variable, IT effectiveness, was derived from the Tallon et al. (2000) instrument, which evaluated the business value of information technology. The omnibus research question (i.e., RQ1) and the main and sub-research questions and hypotheses are stated as follows:

RQ1: What is the nature of the relationship between risk management constructs and IT effectiveness?

H1₀: There is no significant relationship between risk management constructs and IT effectiveness.

H1ₐ: There is a significant relationship between risk management constructs and IT effectiveness.

RQ2: What is the nature of the relationship between frame risk and IT effectiveness?

H2₀: There is no significant relationship between frame risk and IT effectiveness.

H2ₐ: There is a significant relationship between frame risk and IT effectiveness.

RQ2.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of frame risk versus those that have low levels of frame risk?

H2₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of frame risk versus those that have low levels of frame risk.

H2ₐ.1: There is a significant difference in the level of IT effectiveness between firms that have high levels of frame risk versus those that have low levels of frame risk.

RQ3: What is the nature of the relationship between assessed risk and IT effectiveness?

H3₀: There is no significant relationship between assessed risk and IT effectiveness.

H3ₐ: There is a significant relationship between assessed risk and IT effectiveness.

RQ3.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of assessed risk versus those that have low levels of assessed risk?

H3₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of assessed risk versus those that have low levels of assessed risk.

H3ₐ.1: There is a significant difference in the level of IT effectiveness between firms that have high levels of assessed risk versus those that have low levels of assessed risk.

RQ4: What is the nature of the relationship between response to risk and IT effectiveness?

H4₀: There is no significant relationship between response to risk and IT effectiveness.

H4ₐ: There is a significant relationship between response to risk and IT effectiveness.

RQ4.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of response to risk versus those that have low levels of response to risk?

H4₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of response to risk versus those that have low levels of response to risk.

H4ₐ.1: There is a significant difference in the level of IT effectiveness between firms that have high levels of response to risk versus those that have low levels of response to risk.

RQ5: What is the nature of the relationship between monitoring risk and IT effectiveness?

H5₀: There is no significant relationship between monitoring risk and IT effectiveness.

H5ₐ: There is a significant relationship between monitoring risk and IT effectiveness.

RQ5.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of monitoring risk versus those that have low levels of monitoring risk?

H5₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of monitoring risk versus those that have low levels of monitoring risk.

H5ₐ.1: There is a significant difference in the level of IT effectiveness between firms that have high levels of monitoring risk versus those that have low levels of monitoring risk.

RQ6: Is there a difference in the level of IT effectiveness among industry sectors?

H6₀: There is no significant difference in the level of IT effectiveness among industry sectors.

H6ₐ: There is a significant difference in the level of IT effectiveness among industry sectors.

Sample Population

The population that the researcher targeted for the research study included individuals with knowledge regarding IT and its relationship to the organization, who play a critical role in the decision process for determining how IT-related risks are addressed and have knowledge of the organization's risk management strategies. The researcher identified senior IT managers (i.e., CIOs, IT security program managers) as the population satisfying this criterion. The sampling frame source was Qualtrics, using Qualtrics expert panels. The sampling approach was simple random sampling, focused on organizations that have implemented some form of risk management strategy. The minimum sample size determined for the study was 85 completed surveys (see Figure 3). Utilizing the G*Power 3 software, the researcher calculated the minimum sample size using power analysis, applying a medium effect size of .15, a power of .80, and a significance (alpha) level of .05 (Cohen, 1998; Faul, Erdfelder, Lang, & Buchner, 2007).

Figure 3. G*Power 3 power analysis to determine required sample size.

Instrumentation/Measures

The survey instrument that the researcher utilized in this non-experimental quantitative correlational study was a questionnaire to determine an organization's risk management dimension. To get a perspective of risk management relevancy, the researcher reviewed the NIST risk management framework as a reference point (NIST, 2011). Due to a lack of credible academic research on the risk management dimension, no single research report or framework provides questions unique to risk management and IT effectiveness. The questionnaire contains questions taken from the Lundqvist (2014a) and Tallon et al. (2000) instruments, which addressed information system security, risk management, and business value of information technology. The researcher made no modifications to the instruments.

The researcher used the questionnaire instrument with the intention to address risk management and IT effectiveness. The researcher retrieved the questions regarding enterprise risk management from The Journal of Accounting, Auditing & Finance, created by Lundqvist (2014a). The researcher retrieved the survey questions on IT effectiveness from The Journal of Management Information Systems, created by Tallon et al. (2000) and later used by other researchers to address IT flexibility, strategic alignment, and IT effectiveness (Burke, 2011; Chebrolu, 2010; Chebrolu & Ness, 2013; Eichman, 2013; Ness, 2005). In regard to the conceptual model (Figure 1), the researcher took the primary elements of (a) internal environment, (b) objective settings, (c) control activities, (d) assessed risk, (e) response to risk, and (f) monitoring risk that were used to measure the constructs of (a) frame risk, (b) assessed risk, (c) response to risk, and (d) monitoring risk from prior research by Lundqvist (2014a). The researcher obtained permission (see Appendix E) to use the templates from the authors mentioned above. Table 2 displays the measurement scales, constructs, survey item numbers, and sections of the instruments.

Table 2

Measurement Scales, Constructs, Survey Item Numbers, and Sections

Construct          Survey Section         Survey Item   Measurement Scale
-----------------  ---------------------  ------------  --------------------------------------
                   General Information    1.1           Categorical, Nominal (single-response)
                   General Information    2.1           Categorical, Nominal (single-response)
                   General Information    3.1           Categorical, Nominal (single-response)
Frame Risk         Internal Environment   4.1 – 4.5     Continuous Interval (single-responses)
Frame Risk         Objective Settings     5.1 – 5.3     Continuous Interval (single-responses)
Frame Risk         Control Activities     6.1 – 6.3     Continuous Interval (single-responses)
Assessed Risk      Risk Assessment        7.1 – 7.8     Continuous Interval (single-responses)
Response to Risk   Risk Response          8.1 – 8.4     Continuous Interval (single-responses)
Monitoring Risk    Monitoring Practices   9.1 – 9.6     Continuous Interval (single-responses)
IT Effectiveness   IT Effectiveness       10.1 – 10.3   Continuous Interval (single-responses)

Data Collection

The researcher obtained the participants for this study from Qualtrics expert panels, which are developed by Qualtrics. The set unit from which the researcher drew the sample included individuals registered within the Qualtrics database of respondents who met the following characteristics: (a) currently employed in a Fortune 1000 company, (b) had knowledge pertaining to IT and its relationship to the organization, and (c) played a critical role in the decision process for determining how IT-related risks are addressed. Participants who did not meet the above characteristics did not participate in the study. Furthermore, the company has procedures in place to ensure that everyone in the population has an equal possibility of being chosen. The researcher made the online survey available to the participants once they gave their consent on the consent form in the first section of the survey. Qualtrics protected the confidentiality and privacy of the respondents and did not share any personal information with the researcher. Potential participants could contact the researcher by way of e-mail to address any questions or concerns regarding the study.

Data Analysis

The researcher first exported the raw ordinal survey data from Excel 2013 into SPSS. The researcher generated compute and "if" statements for transforming and recoding variable data. No cases were missing data, so the researcher did not utilize the techniques of (a) list-wise deletion, (b) pair-wise deletion, or (c) replacement of missing data. The sample was large enough to be statistically significant, and the researcher evaluated the data to determine if the regression approach being used in the research study was appropriate, given the ratio of cases to independent variables. Additionally, the researcher evaluated the data for outliers, linearity, normality, independence of residuals, and homoscedasticity using scattergrams. The researcher conducted a multicollinearity test to determine whether frame risk, assessed risk, response to risk, and monitoring risk are independent variables.

The researcher conducted independent sample t-tests on each independent variable and IT effectiveness based on high and low levels to explore group comparison associations between groups. The researcher based the simple linear regression procedures on one target variable, IT effectiveness (Y), and each of the predictor variables: (a) frame risk (X₁), (b) assessed risk (X₂), (c) response to risk (X₃), and (d) monitoring risk (X₄). The researcher based the multiple linear regression procedures on one target variable, IT effectiveness (Y), and the predictor variables frame risk (X₁), assessed risk (X₂), response to risk (X₃), monitoring risk (X₄), and their interaction term (X₁X₂X₃X₄). The researcher evaluated the overall strength of the relationship between frame risk, assessed risk, response to risk, and monitoring risk based on statistical significance levels and correlation coefficients. Chatterjee and Simonoff (2013) mentioned that the true regression function represents the expected relationship between the target and predictor variables and is unknown. The researcher utilized one-way ANOVA procedures to examine the differences in the mean scores of various industry sectors (i.e., education, public utility, financial institutions, public service, public health care) regarding risk management constructs and IT effectiveness. George and Mallery (2011) mentioned that ANOVA procedures are reliable for measuring (a) strength of association between variables, (b) means for each level, (c) standard errors, and (d) confidence limits.
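The steps just described (multiple regression of IT effectiveness on the four constructs, the multicollinearity check, the interaction term, and the high-versus-low group comparison) can be reproduced outside SPSS. The block below is an added Python example written for this page, not code or data from the study; the construct scores it fits are generated from an assumed linear relationship with constructed coefficients (TRUE_BETA), so the reader can see the procedure recover what was put in. It uses the variance inflation factor as the multicollinearity test and a Welch t statistic for the median-split comparison; both are assumptions, since the dissertation names neither statistic.

```python
"""Added example: OLS regression, VIF multicollinearity check and median-split t-test
on constructed Likert construct scores (frame, assessed, response, monitoring -> ITE)."""
import random
import statistics
from typing import List, Sequence, Tuple

# Assumed generating model for the constructed sample: intercept, X1..X4 coefficients.
TRUE_BETA = [1.0, 0.5, 0.25, -0.1, 0.3]


def make_sample(n: int = 60, noise_sd: float = 0.5, seed: int = 7) -> Tuple[List[List[float]], List[float]]:
    """Constructed respondents: four 4-point construct scores and a noisy ITE score."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n):
        row = [float(rng.randint(1, 4)) for _ in range(4)]
        ite = TRUE_BETA[0] + sum(b * v for b, v in zip(TRUE_BETA[1:], row))
        X.append(row)
        y.append(ite + rng.gauss(0.0, noise_sd))
    return X, y


def _solve(A: List[List[float]], b: List[float]) -> List[float]:
    """Gauss-Jordan elimination with partial pivoting for the normal equations."""
    n = len(A)
    M = [A[i][:] + [b[i]] for i in range(n)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[pivot] = M[pivot], M[col]
        if abs(M[col][col]) < 1e-12:
            raise ValueError("singular design matrix (perfect multicollinearity)")
        p = M[col][col]
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0.0:
                f = M[r][col]
                M[r] = [rv - f * cv for rv, cv in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def ols_fit(X: Sequence[Sequence[float]], y: Sequence[float]) -> Tuple[List[float], float]:
    """Ordinary least squares with an intercept; returns (coefficients, R-squared)."""
    rows = [[1.0, *r] for r in X]
    p = len(rows[0])
    XtX = [[sum(r[a] * r[b] for r in rows) for b in range(p)] for a in range(p)]
    Xty = [sum(r[a] * yi for r, yi in zip(rows, y)) for a in range(p)]
    beta = _solve(XtX, Xty)
    y_hat = [sum(b * v for b, v in zip(beta, r)) for r in rows]
    y_bar = sum(y) / len(y)
    ss_res = sum((yi - yh) ** 2 for yi, yh in zip(y, y_hat))
    ss_tot = sum((yi - y_bar) ** 2 for yi in y)
    return beta, (1.0 - ss_res / ss_tot if ss_tot else 0.0)


def vif(X: Sequence[Sequence[float]]) -> List[float]:
    """Variance inflation factor per predictor: 1 / (1 - R^2 of X_j regressed on the others)."""
    k = len(X[0])
    out = []
    for j in range(k):
        others = [[r[i] for i in range(k) if i != j] for r in X]
        _, r2 = ols_fit(others, [r[j] for r in X])
        out.append(float("inf") if r2 >= 1.0 else 1.0 / (1.0 - r2))
    return out


def with_interaction(X: Sequence[Sequence[float]]) -> List[List[float]]:
    """Append the X1*X2*X3*X4 interaction term as a fifth predictor."""
    return [[*r, r[0] * r[1] * r[2] * r[3]] for r in X]


def median_split_t(x: Sequence[float], y: Sequence[float]) -> float:
    """Welch t statistic for Y between respondents above vs at/below the median of x."""
    cut = statistics.median(x)
    high = [yi for xi, yi in zip(x, y) if xi > cut]
    low = [yi for xi, yi in zip(x, y) if xi <= cut]
    if len(high) < 2 or len(low) < 2:
        raise ValueError("median split left a group too small to compare")
    se = (statistics.variance(high) / len(high) + statistics.variance(low) / len(low)) ** 0.5
    return (statistics.mean(high) - statistics.mean(low)) / se


if __name__ == "__main__":
    X, y = make_sample()
    beta, r2 = ols_fit(X, y)
    print("coefficients", [round(b, 3) for b in beta], "R2", round(r2, 3))
    print("VIF, main effects only", [round(v, 2) for v in vif(X)])
    print("VIF with X1X2X3X4 term", [round(v, 2) for v in vif(with_interaction(X))])
    print("t, high vs low frame risk", round(median_split_t([r[0] for r in X], y), 2))
```

Running it with the interaction column shows why that term deserves a separate multicollinearity check: a product of the four main effects is strongly correlated with each of them, so its VIF, and theirs, rises well above the values seen for the main effects alone.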

Validity and Reliability

Lundqvist's (2014a) instrument is a tool which Lundqvist designed to evaluate an organization's integral ERM components. The current researcher utilized this instrument to address the constructs of frame risk, assessed risk, response to risk, and monitoring risk by providing questions acknowledging an organization's ability to address risk. The instrument utilizes a 4-point Likert scale to examine distinct aspects of the operationalization. The reliability and validity of the instrument were verified through (a) prescreening, (b) pretesting, (c) EFA, and (d) CFA. The results from the EFA showed that a four-factor model, using the Bentler Comparative Fit Index (CFI), was best suited for the study, with a value of 0.93. The CFA results confirmed the reliability and construct validity of the instrument using the ERM by EFA5 model with a value of 0.96, which exceeds the 0.80 baseline as well (Lundqvist, 2015; 2014a; 2014b; 2014c).

The instrument that Tallon et al. (2000) created to evaluate the business value of information technology appeared closely aligned operationally with the IT effectiveness construct and seemed to be the best source of measurement. Furthermore, the instrument has been utilized in various other research studies regarding IT effectiveness (Bani, 2011; Burke, 2011; Chebrolu, 2010; Ness, 2005; Pierce, 2002). This instrument's reliability and validity were verified through the use of CFA and Cronbach's alpha. The Cronbach's alpha results were greater than 0.70, and the CFA showed a high degree of reliability with a value of 0.95, which exceeded the baseline of acceptability of 0.80 suggested by Werts, Linn, and Joreskog (1974) (Tallon, 1999; Tallon et al., 2000). The instrument utilizes a 7-point Likert scale to examine various aspects of strategic alignment, business usefulness, and IT flexibility.

The researcher maintained the outline and format of the preceding survey questionnaires

for added reliability and validity. All questions maintained their original Likert-type scale

standardized format for assessment, and as stated above, the researcher made no modifications to

the instruments.

Ethical Considerations

The researcher addressed ethical considerations in the non-experimental quantitative

correlational study based upon the Belmont Report established by the National Commission for

the Protection of Human Subjects (1979). The Belmont Report established guidelines and

principles that are designed to protect human participants of research, and addressed topics such

as (a) the respect for persons, (b) beneficence, and (c) justice. The topics mentioned are

applicable for (a) assessment of benefits and risk, (b) informed consent, and (c) subject selection.

In this non-experimental quantitative correlational study, the researcher addressed these topics

mentioned by first inviting participants to enter the study voluntarily. The researcher treated all

individuals equally by sending them the same cover memo and questionnaire. The researcher

treated all potential responses as anonymous, and in strict confidence; the researcher held all data

to ensure minimal harm and risk. The electronic informed consent forms received from

participants contained the correct definition of the intention and reasoning of the research study,

as well as the measures and constructs being addressed. The researcher also assured the

participants that the data retrieved in the survey would be treated with respect and remain

completely anonymous.

CHAPTER 4. RESULTS

Chapter Overview

As stated in Chapter 3, the purpose of this non-experimental quantitative correlational

study was to assess the constructs and correlations associated with enterprise risk management

and IT effectiveness. The overall objective of this non-experimental quantitative correlational

study was to evaluate the relationship between the four constructs of frame risk (FR), assessed

risk (AR), response to risk (RTR), monitoring risk (MR), and the dependent variable of IT

effectiveness (ITE) within the enterprise environment. The researcher addressed risk

management from a holistic perspective acknowledging both the strategic and tactical level of

the initiative, in order to ensure that risk-based decision making is assessed from all aspects of

the environment. Lundqvist (2014a) and Đapić et al. (2012) stated that due to the increasing

concern for modern risk management practices, organizations have been pressured to manage

risk holistically.

In Chapter 4, the researcher will provide a summary of the respondents’ characteristics

and collected data descriptions. The researcher will introduce a comprehensive presentation on

the results of the six hypotheses. The researcher will address Hypothesis H1 first, and will

describe the results of the multiple linear regression to assess the association amongst risk

management constructs and IT effectiveness. In the next section, the researcher will address

hypotheses H2 to H5, in which the researcher performed simple linear regression analysis to

identify the level of association with the dependent variable IT effectiveness and each

independent risk construct. In addition, the researcher utilized independent sample t-tests for

H2.1 to H5.1 to determine the difference in the level of IT effectiveness between firms that have

high levels versus those that have low levels for each independent construct. Lastly, to identify

the level of IT effectiveness of the various industry sectors, the researcher conducted an analysis

of variance (ANOVA) to address hypothesis H6. The researcher conducted an analysis of the

fundamental assumptions before each hypothesis test to determine whether the data information

appropriately fits the proposed statistical analysis model.

Respondent Characteristics

Twelve industry sectors took part in the quantitative correlational study: (a) advertising

and marketing, (b) airlines, (c) automotive, (d) construction, (e) entertainment, (f) information

technology, (g) healthcare and pharmaceuticals, (h) food and beverage, (i) financial services, (j)

insurance, (k) nonprofit, (l) retail, (m) utilities, and (n) others. The industry sectors were from

Fortune 1000 companies within the United States.

Out of the 100 respondents invited to participate in the research study, 100 completed the

survey, representing a 100% response rate. None of the responses were incomplete and needed

to be removed. Out of the 100 that completed the survey 4.0% of the respondents were from

advertising and marketing, 1.0% were from airlines, 1.0% were from automotive, 17% were

from construction, 2.0% were from entertainment, 25% were from information technology,

6.0% were from healthcare and pharmaceuticals, 7.0% were from food and beverage, 4.0% were

from financial services, 2% were from insurance, 4.0% were from nonprofit, 24.0% were from

retail, and 3.0% were from utilities. Table 3 illustrates the distribution.

Table 3

Sample Characteristics

Respondents Frequency Percentage (%)


Industry Sector
Advertising, Marketing 4 4.0
Airlines, Aerospace, Defense 1 1.0
Automotive 1 1.0
Construction 17 17.0
Entertainment 2 2.0
Information Technology 25 25.0
Health Care, Pharmaceuticals 6 6.0
Food, Beverage 7 7.0
Financial Services 4 4.0
Insurance 2 2.0
Nonprofit 4 4.0
Retail, Consumer, Electronics 24 24.0
Utilities, Energy 3 3.0

Job Title/ Function


IT Specialists (Managers) 20 20.0
Business or Line Managers 22 22.0
Chief Information Officers (CIO) 16 16.0
Chief Information Security Officer (CISO) 3 3.0
Chief Executive Officers (CEO) 39 39.0

Experience (Years)
1-5 12 12.0
6-10 29 29.0
11-15 22 22.0
16-20 15 15.0
Over 20 22 22.0
Note. N = 100

The largest group of respondents (39 in total or 39.0%) who took part in the study

were Chief Executive Officers with the duty of running an organization. Twenty-two

respondents (representing 22%) were Business or Line Managers. Twenty respondents

(representing 20%) were IT Specialists. Sixteen Chief Information Officers (representing 16%)

and three Chief Information Security Officers (representing 3.0%) also participated in the study.

Regarding the years worked in their current position, 12% had 1-5 years, 29% had 6-10 years,

22% had 11-15 years, 15% had 16-20 years, and 22.0% had 20 years or more.

Collected Data Descriptions

In the following section, the researcher presents each measured construct’s frequency

distributions and overall statistics (standard deviations and mean).

Internal Environment

The survey respondents answered 5-item Likert-type statements regarding the

organization’s current internal environment. The researcher designed these statements to

measure an organization’s current level of effectiveness regarding governance, structure, culture,

philosophy of risk management, and risk appetite. The internal environment statements were a

subset of the frame risk (FR) construct and were characterized by a mean score on a 4-point scale

where 3 (Robustly Implemented) designates the highest score of the scale, and 0 (Non-Existent)

designates the lowest score. Survey respondents answered specific questions regarding

(a) formally defined audit committee responsibilities, (b) the executive management

responsibilities, (c) the remuneration policies of executive management, (d) remuneration

procedures designed to associate the concerns of managers and shareholders, and (e) employee

training in ethical values (see Table B1).

Table 4 provides an illustration regarding the overall level of the internal environment,

showing it as being strongly implemented with a mean score of 2.01 (SD = 1.03). Twenty-seven

point eight percent rated their organization’s internal environment (i.e., risk governance

practices) as being low, indicated by non-existent (13.2%), or existent (14.6%).

Furthermore, 29.8% of participants indicated that internal environment controls were moderately

implemented in the organization. Lastly, 42.4% indicated that internal environment controls were

robustly implemented throughout the organization.

Table 4

Distribution of Mean Scores of Internal Environment Controls

Percentage (%)
Scale NE E MI RI Mean SD
Internal Environment 13.2 14.6 29.8 42.4 2.01 1.03
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100

Objective Settings

Survey respondents evaluated their organization's current objective settings. The

participants addressed questions related to the strategic intentions of the organizations'

operations, and compliance and reporting activities. The objective settings statements are also a

subset of the frame risk (FR) construct and were characterized by a mean score on a 4-point scale

where 3 (Robustly Implemented) designates the highest score of the scale, and 0 (Non-Existent)

designates the lowest score. The participants responded to 3-item Likert-type statements

acknowledging (a) organizational performance goal achievement, (b) formal business plan in

place to execute the strategy, and (c) the organization's formal mission statement (see Table B2).

The participants' responses to the three items had a mean score of 2.19 (SD = .998; Table 5). The

respondents rated their objective setting as non-existent (9.33%); existent (14.0%); moderately

implemented (24.6%), and robustly implemented (52.0%).

Table 5

Distribution of Mean Scores on Objective Settings

Percentage (%)
Scale NE E MI RI Mean SD
Objective Settings 9.33 14.0 24.6 52.0 2.19 .998
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100

Control Activities

On a 4-point Likert-type scale, the respondents rated their organizational control

activities, ranging from 0 (Not-Implemented) to 4 (Implemented). Survey respondents evaluated

the current risk response procedures policies within their organization. Survey respondents

acknowledged (a) that procedure and policy verification procedures exist, (b) that authorization

processes are in accordance so that designated individuals can critique the use of procedures and

policies, and (c) that there is a procedure in place to guarantee that the processes and policies in

place are functioning effectively and in the best interest of the organization's objective.

The control activities statements are also a subset of the frame risk (FR) construct (Table B3).

Table 6 outlines the distribution of mean scores on the 3-item scale. Most of the

participants stated that their control activities were robustly implemented (37.3%). Thirty-five

percent of the participants indicated that their control activities were moderately implemented,

15.3% reported their control activities were existent, and less than 13% reported their control

activities as non-existent. In general, control activities had a mean score of 1.97 (SD = 1.00).

Table 6

Distribution of Mean Scores on Control Activities

Percentage (%)
Scale NE E MI RI Mean SD
Control Activities 12.3 15.3 35.0 37.3 1.97 1.00
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100

Risk Assessment Practices

Survey respondents then assessed eight items addressing organizational risk assessment

practices ranging from 0 (Not-Implemented) to 3 (Robustly Implemented) on a 4-point Likert-

type scale. Risk assessment practices are related to the assessed risk (AR) construct that

addresses whether an organization has identified any possible policy issues related to operations

and assets, vulnerabilities internal and external, and potential harm that could occur.

Respondents rated the level of their organization's risk assessment practices. Respondents ranked

the level of implementation regarding (a) the possibility that financial events influence the

organization's capability of achieving its goals, (b) the level to which the organization makes

acknowledgement of probable consequences that economic events will have an effect on

objective achievement, (c) the level of implementation regarding the potential probability that

critical risk occurrences will affect organizational objective achievement, (d) the level of

implementation regarding the potential probability that compliance events will affect the

organization's objective achievement, and (e) the level of implementation regarding the

implementation's economic events affecting organizational objective achievement (see Table

B4).

Table 7 shows that 14.8% of the participants ranked their risk assessment practices as

being non-existent; 17.8% of the participants ranked their risk assessment practices as being

existent; 30% of the participants ranked their risk assessment practices as being moderately

implemented, and 36.7% rated their risk assessment practices as being robustly implemented. The

mean score on the risk assessment practices scale was 1.89 (SD = 1.06). On the whole, the

risk assessment practices were robustly implemented.

Table 7

Distribution of Mean Scores on Risk Assessment Practices

Percentage (%)
Scale NE E MI RI Mean SD
Risk Assessment Practices 14.8 17.8 30.5 36.7 1.89 1.06
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100

Risk Response Practices

Survey respondents answered four items on a 4-point Likert-type scale regarding their

organization's risk response practices, ranging from 0 (Not-Implemented) to 3 (Robustly

Implemented). The risk response practices statements are related to the response to risk construct

(RTR) that gauges whether an organization has developed any response to risk protocols in

accordance with the risk frame. Participants rated the level to which formal policies were being

created on how risk should be managed. Participants rated (a) the level to which the organization

has identified all relevant events in the risk response plan, (b) the level of substitute risk

responses for each critical situation; and (c) the risk tolerances of the organization (see Table

B5).

Generally, participants rated their risk response practices as strongly implemented (mean

= 1.88; SD = 1.05). Fifteen point two percent of the participants assessed their risk response

practices as being non-existent. Table 8 illustrates that 16.5% of the participants assessed their

risk response practices as being existent, 33.0% of the participants assessed their risk response

practices as being moderately implemented, and 35.2% assessed their risk response practices as

being robustly implemented.

Table 8

Distribution of Mean Scores on Risk Response Practices

Percentage (%)
Scale NE E MI RI Mean SD
Risk Response Practices 15.2 16.5 33.0 35.2 1.88 1.05
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100

Monitoring Practices

Survey respondents addressed six items on a 4-point Likert-type scale regarding their

organization's risk monitoring practices, ranging from 0 (Not-Implemented) to 3 (Robustly

Implemented). The monitoring practice statements are related to the monitoring risk (MR)

construct that addresses the current risk monitoring measures in place. Specifically, respondents

ranked the level of monitoring of the organization's control activities, processes, and internal

environment. Participants rated (a) the emerging risk indicators, (b) the monitoring evaluation of

the organization's risk management practices completed by third party vendors, (c) the structured

and frequent updates of risk-related information, (d) the level to which an in-house risk

assessment team is granted the authority to gauge the progressing efficiency of the organization's

risk management practices, and (e) the level to which assigned risk owners have primary

authority for governing risk within their specific areas (see Table B6).

The participant responses indicated that monitoring practices in their organization were

strongly implemented (mean = 1.85; SD = 1.04; Table 9). Fourteen point five percent of the

respondents rated their monitoring practices non-existent, 19.3% of the respondents rated their

monitoring practices as existent, 32.5% of the respondents rated their monitoring practices as

moderately implemented, and 33.6% rated their monitoring practices as robustly implemented.

Table 9

Distribution of Mean Scores on Monitoring Practices

Percentage (%)
Scale NE E MI RI Mean SD
Monitoring Practices 14.5 19.3 32.5 33.6 1.85 1.04
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100

Information Technology Effectiveness

Survey respondents addressed three items on a 7-point Likert-type scale dealing with

their organization's IT effectiveness, ranging from 1 (Weak) to 7 (Strong). The IT

effectiveness statements are related to the IT effectiveness construct that acknowledges IT

effectiveness from a context of actual performance, by way of addressing how risk management

concerns affect IT effectiveness. Specifically, participants rated the organization’s overall

quality of service, current user satisfaction with IT, and helpfulness of IT staff to users (see Table

B7).

The responses indicated that IT effectiveness for many organizations was between six

and seven (mean = 5.51, SD = 1.52; Table 10). Responses were classified as negative (Weak),

neutral (Average), and positive (Strong). The respondents rated their organization's IT

effectiveness as weak (5.33%); neutral (35.3%); and positive (59.3%).

Table 10

Distribution of Mean Scores on IT Effectiveness

Percentage (%)
Scale 1 2 3 4 5 6 7 Mean SD
IT Effectiveness 5.00 0.33 2.33 13.3 19.6 29.0 30.3 5.51 1.52
Note. 1-2 = Weak; 3-5 = Average; 6-7 = Strong; N = 100

Assessment of Scale Validity and Reliability

There are three common types of validity: construct validity, criterion validity, and

content validity. According to Swanson and Holton (2005), construct validity cannot be directly

perceived or measured; a construct can be measured statistically and quantitatively, which was

what the researcher incorporated in this study. Cooper and Schindler (2008) mentioned that in

order for a measure to be reliable it must be dependable. Reliability is not a requirement for

validity but is an essential contributor to validity. When repeating a study's procedures reproduces

its results, a level of reliability exists. The ability to repeat the study over

time with the same degree of precision and accuracy is an important element of instrumentation

and research design (Ness, 2005). For this study, the researcher used prior research as the basis

for instrumentation, measures, and construct elements to ensure construct validity and reliability.

Using Cronbach's Alpha and CFA analysis, Tallon (2000) measured reliability and validity;

Cronbach's alpha results were greater than 0.70, and CFA analysis results had a value of 0.95.

Using EFA analysis and CFA analysis, Lundqvist (2014a) measured reliability and validity; EFA

analysis results had a value of 0.93, and CFA results had a value of 0.96. All of the results

mentioned exceed measurement baselines.

Through G*Power 3 power analysis, the researcher verified that 85 completed surveys

were adequate to obtain the statistical power needed for this research analysis with a power score

of .80. The sample collected by Qualtrics totaled 100. The researcher ran a post hoc analysis to

compute achieved power using G*Power 3, applying a medium effect of .15, a sample size of

100, and a significance (alpha) of .05. The results revealed that the additional responses

increased the power score to .87. Moreover, the researcher calculated an overall Cronbach's

Alpha score of 0.984 from standardized items, which helped to validate the internal consistency

of the research study. According to Nunnally (1978), a Cronbach's Alpha of 0.70 (or higher) is

required to validate the reliability of a study's measures. The statistical tests utilized helped to provide

evidence that the measures used in the study are both reliable and valid. Table 11 displays the

reliability coefficients of the measures. All measures were above the threshold mentioned.

Table 11

Variable Reliability

Variables Reliability*
Frame Risk (FR) .959
Assessed Risk (AR) .971
Response to Risk (RTR) .929
Monitoring Risk (MR) .945
IT Effectiveness (ITE) .933
Note. * Cronbach's Alpha Reliability Statistic

The Testing of Hypothesis Using Multiple Regression Analysis

In response to Research Question 1, the researcher analyzed the degree of association

amongst risk management constructs and IT effectiveness. This hypothesis (Table 12) argued

that risk management constructs namely frame risk (FR), assessed risk (AR), response to risk

(RTR), and monitoring risk (MR) are not positively related to IT effectiveness (ITE). When

testing the hypothesis, the predictor variables were the constructs FR, AR, RTR, and MR, and the

construct ITE was assigned as the dependent variable.

Table 12

Research Question 1 and Hypothesis Statements

What is the nature of the relationship between risk management constructs and IT effectiveness?
H1₀: There is no significant relationship between risk management constructs and IT effectiveness.
H1ₐ: There is a significant relationship between risk management constructs and IT effectiveness.

The researcher used multiple regression analysis to address hypothesis 1. The regression model

tested is as follows:

ITE = β0 + β1 FR + β2 AR + β3 RTR + β4 MR + ε

ITE represents the dependent variable; FR, AR, RTR, and MR are the independent variables; β0 is

the constant or the ITE-intercept; β1 to β4 represent regression coefficients; and ε is the residual

error.

Testing Assumptions of Multiple Regression Analysis

Given that the researcher sought to generalize the regression model to the populace from

which the sample was obtained, it was important to address the assumptions associated with the

regression model. It is important to address these assumptions because violations can lead to

unreliable results; a vital part of any regression analysis is to examine the assumptions using

various diagnostics, tests, and plots (Chatterjee & Simonoff, 2013). In Chapter 3, the researcher

observed and described the assumption of independence of observation through the use of

random sampling. The researcher addressed the normal distribution assumption through the

inspection of P-P plots, normal probability, and histograms. In addition, the researcher verified

the assumption of linearity utilizing scatter plots, and confirmed the assumption of
homoscedasticity by visual inspection of the plots of regression standardized predicted values

against standardized residuals.

Test of normality. According to Berry (1993), the normality assumption is required to

justify statistical tests. Appendix B shows the histogram of standardized regression residuals for

the ITE construct. The histogram of standardized regression residuals reveals that the distribution

was roughly normal for ITE (see Figure C1). When regarding normality, it is also recommended

that P-P Plots be utilized to help in the decision, whether data is normal or not (Norusis, 2008).

The P-P plots verify that the data are normally distributed if the points align along the diagonal line.

The P-P Plots showed that the majority of the points align close to the straight line for ITE (see

Figure C2). The P-P Plots confirmed that the regression assumption of normality was met and

the normal distribution of the regression standardized residuals.

Test of linearity and homoscedasticity. The researcher tested the assumption of

linearity in a multiple regression to determine whether a linear association exists both

independently and collectively between the dependent and independent variables. In addition,

because the points in the plot of regression standardized predicted values against standardized

residuals were evenly and randomly dispersed within the zone, the homoscedasticity assumption was met

(Field, 2009). Also, the association amongst the independent variables FR, AR, RTR, and MR

and dependent variable ITE appeared to be linear in the regression model (see Figure C3).

The information presented indicates that the assumption of linearity for all pairs of the

dependent and independent variables was achieved. Furthermore, the homoscedasticity

assumption was not violated, because the points on the figures were spread evenly and randomly

throughout the plot. The researcher considered plot points as being linear between the dependent

and independent variables on the scatter plots.

Testing of Hypothesis 1

H1₀: There is no significant relationship between risk management constructs and

IT effectiveness. To identify the IT effectiveness variation percentage that may possibly be

accounted for by the constructs of frame risk, assessed risk, response to risk, and monitoring risk,

the researcher performed a multiple regression analysis. The descriptive statistics showed the

standard deviation and mean for each construct: IT effectiveness (N = 100; M = 16.5; SD = 4.29);

frame risk (N = 100; M = 22.5; SD = 9.47); assessed risk (N = 100; M = 15.13; SD = 7.79);

response to risk (N = 100; M = 7.53; SD = 3.84), and monitoring risk (N = 100; M = 11.1; SD =

5.56).

To identify which independent variable (i.e., FR, AR, RTR, and MR) individually

correlate with the dependent variable ITE, the researcher performed an initial Pearson's analysis

to determine relationship strength amongst variable pairs. The researcher used the mentioned

variables to uncover the percentage of variation in the dependent variable described by the

chosen independent variables and provide a precise prediction (i.e., relationship) of the

dependent variable (ITE). The results disclosed that the dependent variable ITE independently

correlated with all of the independent variables, that is, FR (r = .703, p < 0.01), AR (r =.749 p <

0.01), RTR (r = .769, p < 0.01), and MR (r = .757, p < 0.01).

Table 13 illustrates the multiple regression model summary. The data showed that 61.5%

of the variance in IT effectiveness was accounted for by frame risk, assessed risk, response to

risk, and monitoring risk. According to the test statistic shown in Table 14, the null hypothesis

was not supported and would be rejected because results were significant (F (4, 95) = 37.947; p

< 0.001). The multiple regression results show that the four variables do influence information

technology effectiveness (ITE) at the stated level of significance (i.e., p < 0.001).

Table 13

Model Summary for RM Constructs of Regression on Organizational IT Effectiveness

Model Summary b
Model R R Square Adjusted R Square Std. Error of the Estimate
1 .784 .615 .599 2.721

a. Predictors: (Constant), FR, AR, RTR, MTR


b. Dependent Variable: ITE

Table 14

ANOVA for Regression of RM Constructs on Organizational IT Effectiveness

ANOVAa
Model Sum of Squares df Mean Square F Sig.
1 Regression 1123.678 4 280.920 37.947 .000b
Residuals 703.282 95 7.403
Total 1826.960 95

a. Predictors: (Constant), FR, AR, RTR, MTR


b. Dependent Variable: ITE

The coefficient estimates (B in Table 15), ordered by absolute value from largest to smallest, were as

follows: RTR (b = .375, t = 1.786, p = 0.07), MR (b = .181, t = 1.307, p= .195), AR (b = .081, t =

.821, p = 0.414), and FR (b = .044, t = .756, p = .451).

Table 15

Coefficients for Regression Model ITE on Organizational IT Effectiveness

Unstandardized Standardized
Coefficients Coefficients
Model B Std. Error Beta t Sig.
1 (Constant) 9.453 .712 13.285 .836
FR .044 .059 .098 .756 .451
AR .081 .099 .147 .821 .414
RTR .375 .210 .336 1.786 .077
MR .181 .138 .234 1.307 .194

a. Dependent Variable: ITE

The researcher proposed that the independent variables describing the largest measure of

variation in ITE are in order of predictive value: response to risk, monitoring risk, assessed risk,

and frame risk. The coefficient of the regression model showed that response to risk contributed

to the model the most, while frame risk contributed the least.

Summary of Hypothesis 1

Through Research Question 1, the researcher attempted to verify the association between

risk management constructs and IT effectiveness. The null hypotheses stated that there is no

significant relationship between risk management constructs and IT effectiveness. The

hypothesis was not supported, and the researcher rejected the null hypothesis. Table 16

summarizes the multiple regression analysis results and test statistics.

Table 16

Summary Statistics of Multiple Regression Analysis, Results, and Correlations

                                 Correlation with          Regression Weights
Variables   Mean    SD    Dependent Variable    R2      B      Beta      t      Sig.
H1
ITE 16.5 4.29 .615
FR 22.5 9.47 .703 .044 .098 .756 .451
AR 15.13 7.79 .749 .081 .147 .821 .414
RTR 7.53 3.84 .769 .375 .336 1.786 .077
MR 11.1 5.56 .757 .181 .234 1.307 .194
Note. t= test statistical value
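As an added worked example (not part of the dissertation), the Python below recomputes the derived statistics of Tables 13 to 16 from the sums of squares, degrees of freedom, coefficients and standard deviations printed there, so a reader can confirm that the reported tables agree with one another. All input values are the ones reported on this page; the check that the total degrees of freedom equal N - 1 is an assumption added here.

```python
"""Consistency checks over the multiple-regression tables reported above.

Inputs are copied from Tables 14, 15 and 16 of the page; every derived
quantity (R^2, adjusted R^2, MS, F, standard error of the estimate,
standardized Beta, t) is recomputed from first principles.
"""
from math import sqrt

# Sums of squares and degrees of freedom exactly as printed in Table 14.
SS_REGRESSION = 1123.678
SS_RESIDUAL = 703.282
DF_REGRESSION = 4      # four predictors: FR, AR, RTR, MR
DF_RESIDUAL = 95       # N - k - 1 = 100 - 4 - 1
SAMPLE_SIZE = 100      # N reported for the sample
SD_ITE = 4.29          # SD of the dependent variable ITE (Table 16)

# (B, std. error of B, SD of the predictor) per construct, Tables 15 and 16.
COEFFICIENTS = {
    "FR":  (0.044, 0.059, 9.47),
    "AR":  (0.081, 0.099, 7.79),
    "RTR": (0.375, 0.210, 3.84),
    "MR":  (0.181, 0.138, 5.56),
}


def model_summary(ss_reg, ss_res, df_reg, df_res):
    """Recompute the Table 13 / Table 14 summary statistics.

    R^2 = SS_reg / SS_total, adjusted R^2 penalises the predictor count,
    F = MS_reg / MS_res and the standard error of the estimate is sqrt(MS_res).
    """
    ss_total = ss_reg + ss_res
    df_total = df_reg + df_res        # should equal N - 1 (added check)
    r_square = ss_reg / ss_total
    adj_r_square = 1 - (1 - r_square) * df_total / df_res
    ms_reg = ss_reg / df_reg
    ms_res = ss_res / df_res
    return {
        "ss_total": ss_total,
        "df_total": df_total,
        "r_square": r_square,
        "adj_r_square": adj_r_square,
        "ms_regression": ms_reg,
        "ms_residual": ms_res,
        "f": ms_reg / ms_res,
        "std_error_estimate": sqrt(ms_res),
    }


def standardized_beta(b, sd_x, sd_y):
    """Convert an unstandardized slope B into the standardized Beta."""
    return b * sd_x / sd_y


def t_ratio(b, se_b):
    """t statistic for a coefficient as SPSS reports it: B / SE(B)."""
    return b / se_b


def check_coefficient_table(coeffs, sd_y):
    """Recompute Beta and t for each construct for comparison with Table 15.

    Because B and SE(B) are printed to three decimals, the recomputed t
    values match the table only to about +/- 0.02.
    """
    return {
        name: {"beta": standardized_beta(b, sd_x, sd_y), "t": t_ratio(b, se)}
        for name, (b, se, sd_x) in coeffs.items()
    }


def rank_by_abs_b(coeffs):
    """Constructs ordered by |B|, largest first (the ordering the text reports)."""
    return sorted(coeffs, key=lambda name: abs(coeffs[name][0]), reverse=True)


if __name__ == "__main__":
    summary = model_summary(SS_REGRESSION, SS_RESIDUAL, DF_REGRESSION, DF_RESIDUAL)
    for key, value in summary.items():
        print(f"{key:>20}: {value:.3f}")
    print("df_total matches N - 1:", summary["df_total"] == SAMPLE_SIZE - 1)
    for name, vals in check_coefficient_table(COEFFICIENTS, SD_ITE).items():
        print(f"{name:>4}: Beta = {vals['beta']:.3f}, t = {vals['t']:.3f}")
    print("ordered by |B|:", rank_by_abs_b(COEFFICIENTS))
```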

The Testing of Hypotheses Using Simple Regression Analysis

In Research Questions 2 through 5, the researcher evaluated the degree of correlation

between risk management constructs and IT effectiveness. The four hypotheses groups under the

four research questions (see Table 17) argued that risk management constructs are not positively

related to IT effectiveness (ITE). The researcher tested the four hypotheses (H2 to H5) by way of

assigning the predictor variable to the constructs FR, AR, RTR, and MR, and assigning the

dependent variable to the construct ITE.

Table 17

Research Questions 2 to 5 and Hypotheses Statements

RQ2 What is the nature of the relationship between H2 0 There is no significant relationship between
frame risk and IT effectiveness? frame risk and IT effectiveness
RQ3 What is the nature of the relationship between H3 0 There is no significant relationship between
assessed risk and IT effectiveness? assessed risk and IT effectiveness.
RQ4 What is the nature of the relationship between H4 0 There is no significant relationship between
response to risk and IT effectiveness? response to risk and IT effectiveness.
RQ5 What is the nature of the relationship between H5 0 There is no significant relationship between
monitoring risk and IT effectiveness? monitoring risk and IT effectiveness.

The researcher tested the four null hypotheses (H2 to H5) using simple regression analysis. The

regression models utilized to test the null hypotheses are as follows:

ITE = β0 FR + β1 (H2)

ITE = β0 AR + β1 (H3)

ITE = β0 RTR + β1 (H4)

ITE = β0 MR + β1 (H5)

Testing Linear Regression Analysis Assumptions

The researcher had to verify the fundamental assumptions of linear regression before

executing the regression analyses. The researcher validated the assumption of homoscedasticity by

visual inspection of the plots of regression standardized predicted values against standardized residuals.

The researcher verified the assumption of linearity using the scatter plots of residuals. The

researcher used an examination of P-P plots, normal probability plots, and histograms to validate

the normal distribution assumption. Furthermore, the independence of observations assumption

was addressed through samples that were randomly selected.

Test of normality. Berry (1993) stated that the normality assumption provides the justification for a particular statistical test. Appendix D shows the histograms of standardized regression residuals for the FR, AR, RTR, MR, and ITE constructs. The histograms show approximately normal distributions of the residuals for FR, AR, RTR, and MR (see Figures D1, D4, D7, and D10). In addition, the researcher created P-P plots to determine how closely the points fall to a straight line. Nearly all points fell along a straight line in the P-P plots for FR, AR, RTR, and MR (see Figures D2, D5, D8, and D11), which indicates that the normality assumption is met and that the standardized residuals are approximately normally distributed.

Test of linearity and homoscedasticity. The researcher tested the linearity assumption to determine whether a linear association exists between the dependent variable and each independent variable. Following Field (2009), the dependent variable is plotted against the independent variable, and the assumption holds when the points cluster around a straight line. The scatter plots showed mostly linear relationships for FR on ITE, AR on ITE, RTR on ITE, and MR on ITE (see Figures D3, D6, D9, and D12). The homoscedasticity assumption is met when the points in the plot of standardized residuals against standardized predicted values are spread evenly across the range (Field, 2009); the plots showed points spread evenly and randomly, so this assumption was not violated.

Testing of Hypothesis 2

H2₀: There is no significant relationship between frame risk and IT effectiveness. To estimate the proportion of variation in IT effectiveness associated with frame risk, the researcher ran a simple regression. IT effectiveness had a mean score of 16.5 (N = 100; SD = 4.29) and frame risk a mean score of 22.5 (N = 100; SD = 9.47). Tables 18, 19, and 20 summarize the results. Frame risk accounted for 49.4% of the variation in IT effectiveness (R² = .494; Table 18), and the model was significant (F(1, 98) = 95.852; p < .001; Table 19). Frame risk therefore has a positive and significant association with IT effectiveness, and the researcher rejected the null hypothesis.

Table 18

Model Summary for Regression of IT Effectiveness on Frame Risk

Model Summaryᵇ
Model  R      R Square  Adjusted R Square  Std. Error of the Estimate
1      .703ᵃ  .494      .489               3.070
a. Predictors: (Constant), FR
b. Dependent Variable: ITE

Table 19

ANOVA for Regression of IT Effectiveness on Frame Risk

ANOVAᵇ
Model         Sum of Squares  df  Mean Square  F       Sig.
1 Regression  903.356         1   903.356      95.852  .000ᵃ
  Residual    923.604         98  9.425
  Total       1826.960        99
a. Predictors: (Constant), FR
b. Dependent Variable: ITE

Table 20 shows that higher frame risk scores are associated with higher IT effectiveness (t(98) = 9.790; p < .001), so FR makes a significant contribution to the model. The fitted regression equation is

ITE = .319 × FR + 9.321

that is, each one-point increase in the frame risk score is associated with a .319-point increase in IT effectiveness (b = .319).

Table 20

Regression Model Coefficients of IT Effectiveness on Frame Risk

Coefficientsᵃ
Model         B      Std. Error  Beta  t       Sig.
1 (Constant)  9.321  .797              11.699  .000
  FR          .319   .033        .703  9.790   .000
a. Dependent Variable: ITE
Note. B and Std. Error are unstandardized coefficients; Beta is the standardized coefficient.

Testing of Hypothesis 3

H3₀: There is no significant relationship between assessed risk and IT effectiveness. To estimate the proportion of variation in IT effectiveness associated with assessed risk, the researcher ran a simple regression. Assessed risk had a mean score of 15.1 (N = 100; SD = 7.79) and IT effectiveness a mean score of 16.5 (N = 100; SD = 4.29). Assessed risk (AR) accounted for 56.2% of the variation in IT effectiveness (R² = .562; Table 21), and the model was significant (F(1, 98) = 125.522; p < .001; Table 22), indicating a positive and significant association between assessed risk and IT effectiveness. The researcher rejected the null hypothesis.

Table 21

Model Summary for Regression of IT Effectiveness on Assessed Risk

Model Summaryᵇ
Model  R      R Square  Adjusted R Square  Std. Error of the Estimate
1      .749ᵃ  .562      .557               2.859
a. Predictors: (Constant), AR
b. Dependent Variable: ITE

Table 22

ANOVA for Regression of IT Effectiveness on Assessed Risk

ANOVAᵇ
Model         Sum of Squares  df  Mean Square  F        Sig.
1 Regression  1025.957        1   1025.957     125.522  .000ᵃ
  Residual    801.003         98  8.174
  Total       1826.960        99
a. Predictors: (Constant), AR
b. Dependent Variable: ITE

Table 23 shows that higher assessed risk scores are associated with higher IT effectiveness (t(98) = 11.204; p < .001), so AR makes a significant contribution to the model. The fitted regression equation is

ITE = .413 × AR + 10.272

that is, each one-point increase in the assessed risk score is associated with a .413-point increase in IT effectiveness (b = .413).

Table 23

Regression Model Coefficients of IT Effectiveness on Assessed Risk

Coefficientsᵃ
Model         B       Std. Error  Beta  t       Sig.
1 (Constant)  10.272  .627              16.389  .000
  AR          .413    .037        .749  11.204  .000
a. Dependent Variable: ITE
Note. B and Std. Error are unstandardized coefficients; Beta is the standardized coefficient.

Testing of Hypothesis 4

H4₀: There is no significant relationship between response to risk and IT effectiveness. To estimate the proportion of variation in IT effectiveness associated with response to risk, the researcher ran a simple regression. Response to risk had a mean score of 7.53 (N = 100; SD = 3.84) and IT effectiveness a mean score of 16.5 (N = 100; SD = 4.29). Response to risk (RTR) accounted for 59.1% of the variation in IT effectiveness (R² = .591; Table 24), and the model was significant (F(1, 98) = 141.565; p < .001; Table 25), indicating a positive and significant association between response to risk and IT effectiveness. The researcher rejected the null hypothesis.

Table 24

Model Summary for Regression of IT Effectiveness on Response to Risk

Model Summaryᵇ
Model  R      R Square  Adjusted R Square  Std. Error of the Estimate
1      .769ᵃ  .591      .587               2.762
a. Predictors: (Constant), RTR
b. Dependent Variable: ITE

Table 25

ANOVA for Regression of IT Effectiveness on Response to Risk

ANOVAᵇ
Model         Sum of Squares  df  Mean Square  F        Sig.
1 Regression  1079.597        1   1079.597     141.565  .000ᵃ
  Residual    747.363         98  7.626
  Total       1826.960        99
a. Predictors: (Constant), RTR
b. Dependent Variable: ITE

Table 26 shows that higher response to risk scores are associated with higher IT effectiveness (t(98) = 11.898; p < .001), so RTR makes a significant contribution to the model. The fitted regression equation is

ITE = .858 × RTR + 10.060

that is, each one-point increase in the response to risk score is associated with a .858-point increase in IT effectiveness (b = .858).

Table 26

Regression Model Coefficients of IT Effectiveness on Response to Risk

Coefficientsᵃ
Model         B       Std. Error  Beta  t       Sig.
1 (Constant)  10.060  .609              16.516  .000
  RTR         .858    .072        .769  11.898  .000
a. Dependent Variable: ITE
Note. B and Std. Error are unstandardized coefficients; Beta is the standardized coefficient.

Testing of Hypothesis 5

H5₀: There is no significant relationship between monitoring risk and IT effectiveness. To estimate the proportion of variation in IT effectiveness associated with monitoring risk, the researcher ran a simple regression. Monitoring risk had a mean score of 11.12 (N = 100; SD = 5.56) and IT effectiveness a mean score of 16.5 (N = 100; SD = 4.29). Monitoring risk (MR) accounted for 57.4% of the variation in IT effectiveness (R² = .574; Table 27), and the model was significant (F(1, 98) = 131.929; p < .001; Table 28), indicating a positive and significant association between monitoring risk and IT effectiveness. The researcher rejected the null hypothesis.

Table 27

Model Summary for Regression of IT Effectiveness on Monitoring Risk

Model Summaryᵇ
Model  R      R Square  Adjusted R Square  Std. Error of the Estimate
1      .757ᵃ  .574      .569               2.819
a. Predictors: (Constant), MR
b. Dependent Variable: ITE

Table 28

ANOVA for Regression of IT Effectiveness on Monitoring Risk

ANOVAᵇ
Model         Sum of Squares  df  Mean Square  F        Sig.
1 Regression  1048.275        1   1048.275     131.929  .000ᵃ
  Residual    778.685         98  7.946
  Total       1826.960        99
a. Predictors: (Constant), MR
b. Dependent Variable: ITE

Table 29 shows that higher monitoring risk scores are associated with higher IT effectiveness (t(98) = 11.486; p < .001), so MR makes a significant contribution to the model. The fitted regression equation is

ITE = .585 × MR + 10.014

that is, each one-point increase in the monitoring risk score is associated with a .585-point increase in IT effectiveness (b = .585).

Table 29

Regression Model Coefficients of IT Effectiveness on Monitoring Risk

Coefficientsᵃ
Model         B       Std. Error  Beta  t       Sig.
1 (Constant)  10.014  .633              15.828  .000
  MR          .585    .051        .757  11.486  .000
a. Dependent Variable: ITE
Note. B and Std. Error are unstandardized coefficients; Beta is the standardized coefficient.

Summary of the Linear Regression Analysis Hypotheses

Through this group of hypotheses (H2 to H5), the researcher established the relationship between each risk management construct (FR, AR, RTR, MR) and information technology effectiveness (ITE). The null hypotheses stated that the risk management constructs are not related to IT effectiveness. Table 30 summarizes the test statistics and regression results. The associations between ITE and each of FR, AR, RTR, and MR were positive, linear, and statistically significant, and the researcher rejected all four null hypotheses. Response to risk was the strongest single predictor of IT effectiveness (R² = .591), followed by MR (R² = .574), AR (R² = .562), and FR (R² = .494).

Table 30

Simple Linear Regression Analyses Results, Correlations, and Summary Statistics

Hypothesis  IV   Mean  SD    DV   Mean  SD    R     R²    B     Beta  t       Sig.
H2          FR   22.5  9.47  ITE  16.5  4.29  .703  .494  .319  .703  9.790   .000
H3          AR   15.1  7.79  ITE  16.5  4.29  .749  .562  .413  .749  11.204  .000
H4          RTR  7.53  3.84  ITE  16.5  4.29  .769  .591  .858  .769  11.898  .000
H5          MR   11.1  5.56  ITE  16.5  4.29  .757  .574  .585  .757  11.486  .000
Note. t = test statistic; DV = dependent variable; IV = independent variable; R = correlation of the IV with the DV; B = unstandardized regression weight; Beta = standardized regression weight
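Because each of the four models above is a simple regression with one predictor, every statistic in Tables 18 to 30 can be re-derived from a few summary values: the slope is r·SD_y/SD_x, the intercept is the mean of ITE minus the slope times the predictor mean, R² is SS_regression/SS_total, F is MS_regression/MS_residual with (1, N − 2) degrees of freedom, and the slope's t is √F. The following Python script, added here as a worked check and not part of the original dissertation or its SPSS output, recomputes those quantities from the reported means, standard deviations, correlations and sums of squares; the function names and tolerances are this example's own choices.

```python
"""Re-derive the simple-regression statistics reported for H2 to H5 from
summary values, so a reader can check that a model summary, its ANOVA table
and its coefficient table agree with one another.

Added example, not part of the dissertation. The numbers below are the
page's reported values (Tables 18 to 30); function names are this
example's own.
"""
import math

N = 100                       # respondents
ITE_MEAN, ITE_SD = 16.5, 4.29  # dependent variable, IT effectiveness

# Per construct: (mean_x, sd_x, r, ss_regression, ss_residual)
REPORTED = {
    "FR":  (22.5, 9.47, 0.703, 903.356, 923.604),
    "AR":  (15.1, 7.79, 0.749, 1025.957, 801.003),
    "RTR": (7.53, 3.84, 0.769, 1079.597, 747.363),
    "MR":  (11.1, 5.56, 0.757, 1048.275, 778.685),
}


def simple_regression_stats(mean_x, sd_x, r, ss_reg, ss_res, n=N,
                            mean_y=ITE_MEAN, sd_y=ITE_SD):
    """Return the statistics a one-predictor regression report contains.

    slope b = r * sd_y / sd_x; intercept = mean_y - b * mean_x;
    R^2 = SS_reg / SS_total; adjusted R^2 = 1 - (1 - R^2)(n - 1)/(n - 2);
    F = MS_reg / MS_res on (1, n - 2) df; slope t = sqrt(F);
    standard error of the estimate = sqrt(MS_res); standardized slope = r.
    """
    df_res = n - 2
    ss_tot = ss_reg + ss_res
    r_sq = ss_reg / ss_tot
    ms_res = ss_res / df_res
    f_stat = ss_reg / ms_res
    b = r * sd_y / sd_x
    return {
        "b": b,
        "intercept": mean_y - b * mean_x,
        "beta": r,
        "r_squared": r_sq,
        "adj_r_squared": 1 - (1 - r_sq) * (n - 1) / df_res,
        "std_error_estimate": math.sqrt(ms_res),
        "F": f_stat,
        "t_slope": math.sqrt(f_stat),
        "df": (1, df_res),
    }


def check_consistency(name, reported_r_sq, reported_f, tol=0.01):
    """True when the re-derived R^2 and F match the printed values within
    an absolute (R^2) and relative (F) tolerance of 1%."""
    stats = simple_regression_stats(*REPORTED[name])
    return (abs(stats["r_squared"] - reported_r_sq) < tol
            and abs(stats["F"] - reported_f) / reported_f < tol)


if __name__ == "__main__":
    for name, vals in REPORTED.items():
        s = simple_regression_stats(*vals)
        print(f"{name}: ITE = {s['b']:.3f} * {name} + {s['intercept']:.3f}; "
              f"R^2 = {s['r_squared']:.3f}, adj R^2 = {s['adj_r_squared']:.3f}, "
              f"F(1, {s['df'][1]}) = {s['F']:.3f}, t = {s['t_slope']:.3f}, "
              f"SE est = {s['std_error_estimate']:.3f}")
```

Running the script reproduces the four fitted equations to within rounding of the published means and correlations, and check_consistency flags any model whose printed R² or F disagrees with its own sums of squares by more than 1%, a quick sanity check when re-reading statistical output.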

The Testing of Hypotheses Using T-Test

The researcher ran an independent-samples t-test for each risk management construct, comparing the mean IT effectiveness of firms with high and low levels of that construct. An independent-samples t-test evaluates whether the means of two groups differ by more than sampling variation would explain. To form the groups, the researcher summed each construct's survey items, each scored from 0 (Not Implemented) to 3 (Robustly Implemented), and split respondents at the midpoint of the maximum possible total (Table 31). The researcher then compared the two groups in SPSS using the independent-samples t-test with unequal variances assumed.

The four hypotheses under the four research questions (see Table 32) stated that there is no statistically significant difference in the level of IT effectiveness between firms with high and low levels of risk management, specifically of frame risk (FR), assessed risk (AR), response to risk (RTR), and monitoring risk (MR). For all four hypotheses (H2.1 to H5.1), the dependent variable was the construct ITE, and the high and low groups of each construct (FR, AR, RTR, and MR) served as the grouping variable, named CONSTRUCT_LEVEL.

Table 31

High and Low Grouping Per Construct

Construct  No. of Survey Questions  Maximum Total Points  Low-Level Group  High-Level Group
FR         11                       33                    0-16             17-33
AR         8                        24                    0-12             13-24
RTR        4                        12                    0-6              7-12
MR         6                        18                    0-9              10-18

Table 32

Research Questions 2.1 to 5.1 and Hypotheses Statements

RQ2.1  Is there a statistically significant difference in the level of IT effectiveness between firms that have high levels of frame risk versus those that have low levels of frame risk?
       H2₀.1  There is no significant difference in the level of IT effectiveness between firms that have high levels of frame risk versus those that have low levels of frame risk.
RQ3.1  Is there a statistically significant difference in the level of IT effectiveness between firms that have high levels of assessed risk versus those that have low levels of assessed risk?
       H3₀.1  There is no significant difference in the level of IT effectiveness between firms that have high levels of assessed risk versus those that have low levels of assessed risk.
RQ4.1  Is there a statistically significant difference in the level of IT effectiveness between firms that have high levels of response to risk versus those that have low levels of response to risk?
       H4₀.1  There is no significant difference in the level of IT effectiveness between firms that have high levels of response to risk versus those that have low levels of response to risk.
RQ5.1  Is there a statistically significant difference in the level of IT effectiveness between firms that have high levels of monitoring risk versus those that have low levels of monitoring risk?
       H5₀.1  There is no significant difference in the level of IT effectiveness between firms that have high levels of monitoring risk versus those that have low levels of monitoring risk.

Testing Assumptions of T-Test Analysis

Because this part of the study uses a t-test to determine whether the mean of the dependent variable differs between two independent groups, the assumptions of the independent-samples t-test must be checked; if they are not checked, or are violated, the results may be unreliable. The two assumptions evaluated were normality within each group and homogeneity (equality) of variance between the groups. The normality assumption was assessed by inspecting Q-Q plots, since the sample size exceeded 50. The homogeneity of variance assumption was assessed with Levene's test.

Test of normality. Researchers often use Q-Q plots to assess normality graphically (Marden, 2004); points that fall along the diagonal reference line indicate an approximately normal distribution. In the current study, most points fell close to the line for both groups of FR (see Figure E1 of Appendix E), AR (Figure E2), RTR (Figure E3), and MR (Figure E4). The Q-Q plots therefore support the normality assumption for all groupings.

Test of homogeneity of variances. The researcher used Levene's test to assess whether the two independent groups defined by the CONSTRUCT_LEVEL variable have equal variances for each construct (FR, AR, RTR, and MR). Levene's test evaluates the equality of p population variances, is robust to departures from normality, and does not require equal group sizes. At α = .05, Levene's test (Table 33) was significant for every construct: FR (p = .002), AR (p < .001), RTR (p < .001), and MR (p < .001). The variances of the HL-Group and LL-Group therefore differ significantly, and the homogeneity assumption is violated. To account for this, the researcher used the unequal-variances form of the t-test (the "equal variances not assumed" row of the SPSS output, Welch's t-test) for each construct.

Table 33

Levene's Test for Equality of Variances

Hypothesis  Construct  Variable              F       Sig.
H2.1        FR         FR_CONSTRUCT_LEVEL    9.673   .002
H3.1        AR         AR_CONSTRUCT_LEVEL    23.827  .000
H4.1        RTR        RTR_CONSTRUCT_LEVEL   23.441  .000
H5.1        MR         MR_CONSTRUCT_LEVEL    23.262  .000

Testing of Hypothesis 2.1

H2₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of frame risk versus those that have low levels of frame risk. To compare mean IT effectiveness between the two independent frame risk groups, LL-Group (n = 23) and HL-Group (n = 77), the researcher performed an independent-samples t-test. Tables 34 and 35 display the results. The effect size (ES) was large by Cohen's convention (d of .2 small, .5 medium, .8 large), computed as the difference between the group means divided by the root mean square of the two group standard deviations:

d = |M_LL - M_HL| / √((SD_LL² + SD_HL²) / 2) = |12.17 - 17.82| / √((5.271² + 2.928²) / 2) = 1.325

The unequal-variances test gave t(26.18) = -4.914, p < .001. IT effectiveness was higher in organizations with high levels of FR (M = 17.82, SD = 2.93) than in organizations with low levels of FR (M = 12.17, SD = 5.27). The mean difference (LL-Group minus HL-Group) was -5.64, with a 95% confidence interval of -8.00 to -3.28; that is, if the sampling were repeated, 95% of such intervals would contain the true difference in mean IT effectiveness between low- and high-level FR firms. In sum, a statistically significant difference exists between groups with low and high levels of FR (M_diff = -5.64, 95% CI [-8.00, -3.28], t(26.18) = -4.91, p < .001, d = 1.33); the researcher rejected the null hypothesis and accepted the alternate hypothesis that the level of IT effectiveness differs significantly between firms with high and low levels of frame risk.

Table 34

Group Statistics: IT Effectiveness Scores by Frame Risk Level, LL-Group (n = 23) and HL-Group (n = 77)

Group     N   Mean   Std. Deviation  Std. Error Mean
LL-Group  23  12.17  5.271           1.099
HL-Group  77  17.82  2.928           .334
Note. N = number of subjects

Table 35

Independent-Samples t-Test: IT Effectiveness by Frame Risk Level

                             t       df      Sig. (2-tailed)  Mean Difference  Std. Error Difference  95% CI Lower  95% CI Upper
Equal variances assumed      -6.617  98      .000             -5.644           .853                   -7.337        -3.952
Equal variances not assumed  -4.914  26.177  .000             -5.644           1.149                  -8.005        -3.284
Note. t = test statistic; df = degrees of freedom; Sig. = p value (two-tailed); CI = confidence interval of the difference

Testing of Hypothesis 3.1

H3₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of assessed risk versus those that have low levels of assessed risk. To compare mean IT effectiveness between the two independent assessed risk groups, LL-Group (n = 33) and HL-Group (n = 67), the researcher performed an independent-samples t-test. Tables 36 and 37 display the results. The effect size was large (d of .2 small, .5 medium, .8 large):

d = |13.21 - 18.15| / √((5.325² + 2.401²) / 2) = 1.195

The unequal-variances test gave t(38.54) = -5.078, p < .001. IT effectiveness was higher in organizations with high levels of AR (M = 18.15, SD = 2.40) than in organizations with low levels of AR (M = 13.21, SD = 5.33). The mean difference (LL-Group minus HL-Group) was -4.94, with a 95% confidence interval of -6.90 to -2.97 for the true difference in mean IT effectiveness between the two groups. In sum, a statistically significant difference exists between groups with high and low levels of AR (M_diff = -4.94, 95% CI [-6.90, -2.97], t(38.54) = -5.078, p < .001, d = 1.20); the researcher rejected the null hypothesis and accepted the alternate hypothesis that the level of IT effectiveness differs significantly between firms with high and low levels of assessed risk.

Table 36

Group Statistics: IT Effectiveness Scores by Assessed Risk Level, LL-Group (n = 33) and HL-Group (n = 67)

Group     N   Mean   Std. Deviation  Std. Error Mean
LL-Group  33  13.21  5.325           .927
HL-Group  67  18.15  2.401           .293
Note. N = number of subjects

Table 37

Independent-Samples t-Test: IT Effectiveness by Assessed Risk Level

                             t       df      Sig. (2-tailed)  Mean Difference  Std. Error Difference  95% CI Lower  95% CI Upper
Equal variances assumed      -6.404  98      .000             -4.937           .771                   -6.467        -3.407
Equal variances not assumed  -5.078  38.542  .000             -4.937           .972                   -6.905        -2.970
Note. t = test statistic; df = degrees of freedom; Sig. = p value (two-tailed); CI = confidence interval of the difference

Testing of Hypothesis 4.1

H4₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of response to risk versus those that have low levels of response to risk. To compare mean IT effectiveness between the two independent response to risk groups, LL-Group (n = 31) and HL-Group (n = 69), the researcher performed an independent-samples t-test. Tables 38 and 39 display the results. The effect size was large (d of .2 small, .5 medium, .8 large):

d = |12.61 - 18.28| / √((5.175² + 2.229²) / 2) = 1.423

The unequal-variances test gave t(35.10) = -5.853, p < .001. IT effectiveness was higher in organizations with high levels of RTR (M = 18.28, SD = 2.23) than in organizations with low levels of RTR (M = 12.61, SD = 5.18). The mean difference (LL-Group minus HL-Group) was -5.66, with a 95% confidence interval of -7.63 to -3.70 for the true difference in mean IT effectiveness between the two groups. In sum, a statistically significant difference exists between groups with high and low levels of RTR (M_diff = -5.66, 95% CI [-7.63, -3.70], t(35.10) = -5.853, p < .001, d = 1.42); the researcher rejected the null hypothesis and accepted the alternate hypothesis that the level of IT effectiveness differs significantly between firms with high and low levels of response to risk.

Table 38

Group Statistics: IT Effectiveness Scores by Response to Risk Level, LL-Group (n = 31) and HL-Group (n = 69)

Group     N   Mean   Std. Deviation  Std. Error Mean
LL-Group  31  12.61  5.175           .929
HL-Group  69  18.28  2.229           .268
Note. N = number of subjects

Table 39

Independent-Samples t-Test: IT Effectiveness by Response to Risk Level

                             t       df      Sig. (2-tailed)  Mean Difference  Std. Error Difference  95% CI Lower  95% CI Upper
Equal variances assumed      -7.675  98      .000             -5.662           .738                   -7.127        -4.198
Equal variances not assumed  -5.853  35.101  .000             -5.662           .967                   -7.626        -3.699
Note. t = test statistic; df = degrees of freedom; Sig. = p value (two-tailed); CI = confidence interval of the difference

Testing of Hypothesis 5.1

H5₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of monitoring risk versus those that have low levels of monitoring risk. To compare mean IT effectiveness between the two independent monitoring risk groups, LL-Group (n = 36) and HL-Group (n = 64), the researcher performed an independent-samples t-test. Tables 40 and 41 display the results. The effect size was large (d of .2 small, .5 medium, .8 large):

d = |13.19 - 18.39| / √((5.059² + 2.216²) / 2) = 1.331

The unequal-variances test gave t(42.68) = -5.855, p < .001. IT effectiveness was higher in organizations with high levels of MR (M = 18.39, SD = 2.22) than in organizations with low levels of MR (M = 13.19, SD = 5.06). The mean difference (LL-Group minus HL-Group) was -5.20, with a 95% confidence interval of -6.99 to -3.41 for the true difference in mean IT effectiveness between the two groups. In sum, a statistically significant difference exists between groups with high and low levels of MR (M_diff = -5.20, 95% CI [-6.99, -3.41], t(42.68) = -5.855, p < .001, d = 1.33); the researcher rejected the null hypothesis and accepted the alternate hypothesis that the level of IT effectiveness differs significantly between firms with high and low levels of monitoring risk.

Table 40

Group Statistics: IT Effectiveness Scores by Monitoring Risk Level, LL-Group (n = 36) and HL-Group (n = 64)

Group     N   Mean   Std. Deviation  Std. Error Mean
LL-Group  36  13.19  5.059           .843
HL-Group  64  18.39  2.216           .277
Note. N = number of subjects

Table 41

Independent-Samples t-Test: IT Effectiveness by Monitoring Risk Level

                             t       df      Sig. (2-tailed)  Mean Difference  Std. Error Difference  95% CI Lower  95% CI Upper
Equal variances assumed      -7.113  98      .000             -5.196           .730                   -6.646        -3.747
Equal variances not assumed  -5.855  42.684  .000             -5.196           .887                   -6.986        -3.406
Note. t = test statistic; df = degrees of freedom; Sig. = p value (two-tailed); CI = confidence interval of the difference

Summary of T-Test Hypotheses

This group of hypotheses (H2.1 to H5.1) compared information technology effectiveness (ITE) between the high- and low-level groups of each risk management construct (FR, AR, RTR, MR). The null hypotheses stated that IT effectiveness does not differ between firms with high and low levels of each construct. Table 42 summarizes the t-test results for all four hypotheses. The researcher rejected all four null hypotheses: the differences between the high and low groups were statistically significant (p < .05) for FR (t(26.17) = -4.914; p < .001), AR (t(38.54) = -5.078; p < .001), RTR (t(35.10) = -5.853; p < .001), and MR (t(42.68) = -5.855; p < .001).

Table 42

Summary of Independent-Samples T-Test Results

Hypothesis  Risk Management Factor  t       df      Sig. (2-tailed)  Mean Difference  Std. Error Difference  95% CI Lower  95% CI Upper
H2.1        FR                      -4.914  26.177  .000             -5.644           1.149                  -8.005        -3.284
H3.1        AR                      -5.078  38.544  .000             -4.937           .972                   -6.905        -2.970
H4.1        RTR                     -5.853  35.101  .000             -5.662           .967                   -7.626        -3.699
H5.1        MR                      -5.855  42.684  .000             -5.196           .887                   -6.986        -3.406
Note. t = test statistic; df = degrees of freedom; Sig. = p value (two-tailed); CI = confidence interval of the difference
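The grouping rule of Table 31 and the unequal-variances t statistic, Welch degrees of freedom, standard error and effect size reported in Tables 34 to 42 can all be reproduced from the group sizes, means and standard deviations alone. The following Python script, added here as a worked example and not part of the original dissertation or its SPSS output, does so. The group statistics are the page's reported values; the item responses passed to construct_level are constructed for illustration; the function names are this example's own. Cohen's d is computed as in the text, as the mean difference divided by the root mean square of the two group standard deviations, and the equal-variances (pooled) statistic is included so both rows of the SPSS output can be checked.

```python
"""Reproduce the two-group comparison used for H2.1 to H5.1 from summary
statistics, and the high/low split of Table 31 from item scores.

Added example, not part of the dissertation. Group sizes, means and SDs are
the page's reported values (Tables 34 to 41); the respondent item scores in
__main__ are constructed for illustration.
"""
import math

# Survey items per construct (Table 31); each item scored 0 (Not
# Implemented) to 3 (Robustly Implemented).
ITEMS_PER_CONSTRUCT = {"FR": 11, "AR": 8, "RTR": 4, "MR": 6}

# Reported IT effectiveness statistics: (n, mean, SD) for LL-Group, HL-Group.
GROUPS = {
    "FR":  ((23, 12.17, 5.271), (77, 17.82, 2.928)),
    "AR":  ((33, 13.21, 5.325), (67, 18.15, 2.401)),
    "RTR": ((31, 12.61, 5.175), (69, 18.28, 2.229)),
    "MR":  ((36, 13.19, 5.059), (64, 18.39, 2.216)),
}


def construct_level(construct, item_scores):
    """Sum one respondent's item scores and assign the LL/HL group.

    The cut is the midpoint of the maximum total (3 * items): totals up to
    floor(max / 2) are low-level, anything above is high-level. For FR this
    yields 0-16 vs 17-33, for RTR 0-6 vs 7-12, as in Table 31.
    """
    n_items = ITEMS_PER_CONSTRUCT[construct]
    if len(item_scores) != n_items or any(s not in (0, 1, 2, 3) for s in item_scores):
        raise ValueError(f"{construct} expects {n_items} item scores, each 0..3")
    total = sum(item_scores)
    return total, ("LL" if total <= (3 * n_items) // 2 else "HL")


def welch_t_test(n1, m1, s1, n2, m2, s2):
    """Independent-samples t-test, unequal variances (SPSS 'equal variances
    not assumed'). Returns the LL-minus-HL mean difference, its standard
    error, t, and the Welch-Satterthwaite degrees of freedom."""
    v1, v2 = s1 ** 2 / n1, s2 ** 2 / n2
    se = math.sqrt(v1 + v2)
    df = (v1 + v2) ** 2 / (v1 ** 2 / (n1 - 1) + v2 ** 2 / (n2 - 1))
    return {"mean_diff": m1 - m2, "se": se, "t": (m1 - m2) / se, "df": df}


def pooled_t_test(n1, m1, s1, n2, m2, s2):
    """Student's t-test assuming equal variances (SPSS 'equal variances
    assumed'), with n1 + n2 - 2 degrees of freedom."""
    pooled_var = ((n1 - 1) * s1 ** 2 + (n2 - 1) * s2 ** 2) / (n1 + n2 - 2)
    se = math.sqrt(pooled_var * (1 / n1 + 1 / n2))
    return {"mean_diff": m1 - m2, "se": se, "t": (m1 - m2) / se, "df": n1 + n2 - 2}


def cohens_d(m1, s1, m2, s2):
    """Effect size as the text computes it: absolute mean difference over
    the root mean square of the two group standard deviations."""
    return abs(m1 - m2) / math.sqrt((s1 ** 2 + s2 ** 2) / 2)


if __name__ == "__main__":
    # Constructed respondent: 11 FR items, mostly partially implemented.
    print("FR respondent:", construct_level("FR", [1, 2, 1, 2, 1, 1, 2, 1, 1, 2, 1]))
    for name, (ll, hl) in GROUPS.items():
        w, p = welch_t_test(*ll, *hl), pooled_t_test(*ll, *hl)
        print(f"{name}: diff = {w['mean_diff']:.3f}; Welch t({w['df']:.2f}) = {w['t']:.3f}, "
              f"SE = {w['se']:.3f}; pooled t({p['df']}) = {p['t']:.3f}; "
              f"d = {cohens_d(ll[1], ll[2], hl[1], hl[2]):.3f}")
```

The 95% confidence interval of the difference is not reproduced because it needs a Student t quantile at fractional degrees of freedom, which the standard library does not provide; with SciPy, scipy.stats.t.ppf(0.975, df) times the standard error gives the half-width. Small differences from the printed t values arise because the published means are rounded to two decimals.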

The Testing of Hypothesis Using Analysis of Variance

Research Question 6 asked whether industry sectors differ significantly in IT effectiveness. The researcher performed a one-way ANOVA to evaluate the null hypothesis (Table 43) that IT effectiveness levels do not differ among industry sectors. The researcher first computed descriptive statistics (mean, standard deviation, and 95% confidence interval) for the dependent variable IT effectiveness within each level of the independent variable industry sector (advertising and marketing, airlines, automotive, construction, entertainment, information technology, healthcare and pharmaceuticals, food and beverage, financial services, insurance, nonprofit, retail, utilities, and others). The following sections present the ANOVA results.

Table 43

Research Question 6 and Null Hypothesis

RQ6  Is there a difference in the level of IT effectiveness among industry sectors?
     H6₀  There is no significant difference in the level of IT effectiveness among industry sectors.
     H6ₐ  There is a significant difference in the level of IT effectiveness among industry sectors.

IT Effectiveness and Industry Sectors

H6₀: There is no significant difference in the level of IT effectiveness among industry sectors. Hypothesis 6 states that the level of IT effectiveness is the same across industry sectors. The researcher ran a one-way ANOVA to assess it. Table 44 displays the mean IT effectiveness score by sector: advertising and marketing 15.25 (N = 4; SD = 4.64); airlines 17.0 (N = 1; SD undefined); automotive 20.0 (N = 1; SD undefined); construction 16.29 (N = 17; SD = 4.56); entertainment 9.50 (N = 2; SD = 9.19); financial services 15.25 (N = 4; SD = 8.34); food and beverage 14.57 (N = 7; SD = 5.62); healthcare and pharmaceuticals 18.17 (N = 6; SD = 3.31); information technology 16.84 (N = 25; SD = 4.06); insurance 19.5 (N = 2; SD = 2.12); nonprofit 16.75 (N = 4; SD = 2.63); retail 16.88 (N = 24; SD = 3.34); and utilities 18.0 (N = 3; SD = 2.64).

One assumption of a one-way ANOVA is homogeneity of variance: the population variance should be similar within each group. The researcher tested this with Levene's test (Table 45). The Levene statistic was 1.263 with p = .264, so the group variances do not differ significantly and the assumption was met.

Table 44

Industry Sectors and IT Effectiveness Descriptive Statistics

Sector                        N    Mean   Std. Deviation  Std. Error  95% CI Lower  95% CI Upper  Min  Max
Advertising & Marketing       4    15.25  4.646           2.323       7.86          22.64         9    20
Airlines                      1    17.00  -               -           -             -             17   17
Automotive                    1    20.00  -               -           -             -             20   20
Construction                  17   16.29  4.566           1.500       13.11         19.47         3    21
Entertainment                 2    9.50   9.192           6.500       -73.09        92.09         3    16
Financial Services            4    15.25  8.342           4.171       1.98          28.52         3    21
Food & Beverage               7    14.57  5.623           2.125       9.37          19.77         3    19
Healthcare & Pharmaceuticals  6    18.17  3.312           1.352       14.69         21.65         12   21
Information Technology        25   16.84  4.069           .814        15.16         18.52         3    21
Insurance                     2    19.50  2.121           1.500       .44           38.56         18   21
Non-Profit                    4    16.75  2.630           1.315       12.57         20.93         13   19
Retail                        24   16.88  3.340           .682        15.46         18.29         11   21
Utilities                     3    18.00  2.646           1.528       11.43         24.57         15   20
Total                         100  16.52  4.296           .430        15.67         17.37         3    21
Note. N = 100. CI = confidence interval for the mean (mean ± t × standard error). No standard deviation or interval is defined for sectors with a single respondent.

Table 45

Industry Sectors on IT Effectiveness Homogeneity of Variances Assumption Test

Levene Statistic  df1  df2  Sig.
1.263             10   87   .264

The ANOVA data presented in Table 47 illustrate whether the 13 industry sectors have statistically significant differences within and between groups. The results demonstrated that there are no statistically significant differences in the level of IT effectiveness amongst the industry sectors (N = 100; F(12, 87) = .879; p = .570). Due to these findings, the researcher failed to reject the null hypothesis.

Table 46

Industry Sectors on IT Effectiveness ANOVA Test for Differences

                 Sum of Squares  df  Mean Square  F     Sig.
Between Groups   197.648         12  16.471       .879  .570
Within Groups    1629.312        87  18.728
Total            1826.960        99
Note. df = degrees of freedom
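The computation behind the ANOVA table can be reproduced from the per-sector summary statistics alone, which is a useful check whenever only a published table is available. The following Python script is an added example, not the dissertation's own analysis or its SPSS output: it takes the N, mean and SD of each sector as printed in Table 44, computes the between- and within-group sums of squares, degrees of freedom, mean squares and F of a one-way ANOVA, and derives the p-value from the F distribution through a regularized incomplete beta function implemented with the standard library. Small discrepancies from the printed values come from the rounding of the means and standard deviations in the table.

```python
# Added example (not the dissertation's own analysis or SPSS output):
# reproduce the one-way ANOVA of Tables 44-46 from per-sector N, mean and SD.
# Standard library only; the p-value uses a regularized incomplete beta
# function (continued-fraction form) implemented below.
import math

# N, mean, SD per sector, transcribed from Table 44 (rounded as printed).
SECTORS = {
    "Advertising & Marketing": (4, 15.25, 4.646),
    "Airlines": (1, 17.00, 0.0),
    "Automotive": (1, 20.00, 0.0),
    "Construction": (17, 16.29, 4.566),
    "Entertainment": (2, 9.50, 9.192),
    "Financial Services": (4, 15.25, 8.342),
    "Food & Beverage": (7, 14.57, 5.623),
    "Healthcare & Pharmaceuticals": (6, 18.17, 3.312),
    "Information Technology": (25, 16.84, 4.069),
    "Insurance": (2, 19.50, 2.121),
    "Non-Profit": (4, 16.75, 2.630),
    "Retail": (24, 16.88, 3.340),
    "Utilities": (3, 18.00, 2.646),
}


def _betacf(a, b, x, max_iter=1000, eps=1e-14):
    """Continued fraction for the incomplete beta function (modified Lentz)."""
    tiny = 1e-300
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c = 1.0
    d = 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) >= tiny else tiny)
    h = d
    for m in range(1, max_iter + 1):
        m2 = 2 * m
        aa = m * (b - m) * x / ((qam + m2) * (a + m2))
        d = 1.0 + aa * d
        d = 1.0 / (d if abs(d) >= tiny else tiny)
        c = 1.0 + aa / c
        c = c if abs(c) >= tiny else tiny
        h *= d * c
        aa = -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))
        d = 1.0 + aa * d
        d = 1.0 / (d if abs(d) >= tiny else tiny)
        c = 1.0 + aa / c
        c = c if abs(c) >= tiny else tiny
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < eps:
            break
    return h


def betainc(a, b, x):
    """Regularized incomplete beta function I_x(a, b)."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    log_front = (math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
                 + a * math.log(x) + b * math.log(1.0 - x))
    front = math.exp(log_front)
    # Use the continued fraction directly where it converges fastest,
    # otherwise apply the symmetry I_x(a, b) = 1 - I_{1-x}(b, a).
    if x < (a + 1.0) / (a + b + 2.0):
        return front * _betacf(a, b, x) / a
    return 1.0 - front * _betacf(b, a, 1.0 - x) / b


def f_sf(f, df1, df2):
    """Upper-tail probability P(F > f) of the F(df1, df2) distribution."""
    if f <= 0.0:
        return 1.0
    return betainc(df2 / 2.0, df1 / 2.0, df2 / (df2 + df1 * f))


def one_way_anova(groups):
    """One-way ANOVA from (n, mean, sd) per group; returns the ANOVA-table quantities."""
    k = len(groups)
    n_total = sum(n for n, _, _ in groups.values())
    grand_mean = sum(n * m for n, m, _ in groups.values()) / n_total
    # Between-groups SS: each group mean's squared distance from the grand
    # mean, weighted by group size.
    ss_between = sum(n * (m - grand_mean) ** 2 for n, m, _ in groups.values())
    # Within-groups SS: (n - 1) * variance per group; n = 1 groups add nothing.
    ss_within = sum((n - 1) * sd ** 2 for n, _, sd in groups.values())
    df_between, df_within = k - 1, n_total - k
    ms_between, ms_within = ss_between / df_between, ss_within / df_within
    f_stat = ms_between / ms_within
    return {
        "N": n_total, "grand_mean": grand_mean,
        "ss_between": ss_between, "ss_within": ss_within,
        "df_between": df_between, "df_within": df_within,
        "ms_between": ms_between, "ms_within": ms_within,
        "F": f_stat, "p": f_sf(f_stat, df_between, df_within),
    }


if __name__ == "__main__":
    r = one_way_anova(SECTORS)
    print(f"Between groups  SS={r['ss_between']:.3f}  df={r['df_between']}  MS={r['ms_between']:.3f}")
    print(f"Within groups   SS={r['ss_within']:.3f}  df={r['df_within']}  MS={r['ms_within']:.3f}")
    print(f"F({r['df_between']}, {r['df_within']}) = {r['F']:.3f}, p = {r['p']:.3f}")
```

Running the script prints the reconstructed ANOVA table: F lands within 0.01 of the .879 reported and p in the region of .57, consistent with failing to reject H6₀. Note that the two singleton sectors (airlines, automotive) contribute nothing to the within-groups sum of squares but still count toward the degrees of freedom, which is why df1 in Levene's test (10) differs from the between-groups df in the ANOVA (12). The same function applies to any one-way design reported only as group summary statistics.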

Summary for Hypothesis 6

Hypothesis 6 assessed whether the level of IT effectiveness among industry sectors was significantly different. The null hypothesis stated that the level of IT effectiveness was the same amongst industry sectors. The researcher did not reject this hypothesis. The results and test statistics (N = 100; F(12, 87) = .879; p = .570) from the ANOVA indicated that IT effectiveness does not vary significantly amongst industry sectors.

Data Analysis Summary

Through the various statistical analyses utilized in the study, the researcher assessed the relationship between risk management constructs and IT effectiveness. To address the research problem, the researcher proposed six main research questions and four sub-questions. Through Research Question 1, the researcher sought to establish the relationships between risk management constructs and IT effectiveness. According to the results of the multiple regression analysis, there is a statistically significant relationship between FR, AR, RTR, MR, and ITE. The results emphasized the consistent value of FR, AR, RTR, and MR as predictors of IT effectiveness. Overall, risk management constructs contributed 61.5% toward IT effectiveness.

Through Research Questions 2 to 5, the researcher sought to determine the relationship between the individual risk management constructs (i.e., FR, AR, RTR, and MR) and IT effectiveness. The regression results showed that there is a statistically significant relationship between each of FR, AR, RTR, and MR and ITE. The results emphasized the consistent value of RTR (R2 = .587) as a predictor of ITE. The results also showed that MR to ITE (R2 = .574), AR to ITE (R2 = .562), and FR to ITE (R2 = .494) provided significant contributions. Research Questions 2.1 to 5.1 assessed comparisons between groups based on the high and low levels of each independent variable. The independent sample t-test results revealed FR (p < .001), AR (p < .001), RTR (p < .001), and MR (p < .001) to be statistically significant (i.e., p < .05).

Through Research Question 6, the researcher analyzed whether there were any distinctions amongst industry sectors in regard to IT effectiveness. In total, the researcher evaluated 13 industry sectors with regard to IT effectiveness. The results from the ANOVA revealed that there were no significant differences amongst industry sectors regarding IT effectiveness.

105
CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS

Overview

The global financial crisis introduced a wave of regulatory developments for many large organizations. The new regulatory landscape has placed significant demands on organizations in such areas as risk culture, information systems and technology data, operational risk, stress tests, capital adequacy, risk appetite, and corporate governance. In addition, cyber attacks on corporations have increased dramatically, requiring organizations to reinforce the protections for customer data and information systems. Organizations must not only comply with new regulatory priorities and specifications; they also need the flexibility to anticipate the next round of regulatory requirements. According to a survey conducted by Deloitte (2014), 85% of surveyed organizations noted that their board of directors presently devotes more time to addressing risk than it did years ago. Deloitte also mentioned that it has become a regulatory expectation for organizations to have an ERM program in place; 92% of participants said their institution either was in the process of implementing one or had an ERM program in place, an increase from 83% in 2012 and 59% in 2008.

Despite the increased level of risk management adoption, many organizations, enterprises, and individual users still have not implemented a risk management strategy. In present-day literature, issues related to trust, privacy, and security are at the top of the list of concerns for many potential users. In many cases, organizational management teams view governance programs and risk assessments as optional, and it is not unusual for organizations to endorse a new implementation without first exercising a formal risk evaluation. Without a formal risk evaluation, the implementation could contain threats or vulnerabilities that could be disastrous to the organization. This situation shows that it is important to explore risk management solutions comprehensively to address these concerns. It is essential to raise awareness of how organizational risk management practices affect IT effectiveness and increase the overall performance of the organization.

The rationale for this quantitative research study was to determine the level of influence of enterprise risk management constructs on organizational IT effectiveness. The information contained within the study helps to fill a gap by addressing how an organization's risk management practices and procedures affect the organization's ability to provide adequate IT effectiveness. In essence, the study is the first of its kind to provide empirical evidence of which enterprise risk management constructs affect the organization's IT effectiveness the most. The results from the study help organizations, regardless of size or type, make better judgments regarding risk-management practices from the perspective of their level of significance to the organization's IT effectiveness. The findings from this study are founded on survey feedback received from 100 IT professionals from U.S.-based firms listed as Fortune 1000 companies.

The researcher designed this quantitative correlational study to research the degree to which enterprise risk management constructs affect an organization's overall IT effectiveness. The dependent variable was IT effectiveness, and the independent variables were frame risk, assessed risk, response to risk, and monitoring risk. The omnibus research question (i.e., RQ1) and the main and sub-research questions and hypotheses were as follows:

RQ1: What is the nature of the relationship between risk management constructs and IT effectiveness?

H1₀: There is no significant relationship between risk management constructs and IT effectiveness.

H1ₐ: There is a significant relationship between risk management constructs and IT effectiveness.

RQ2: What is the nature of the relationship between frame risk and IT effectiveness?

H2₀: There is no significant relationship between frame risk and IT effectiveness.

H2ₐ: There is a significant relationship between frame risk and IT effectiveness.

RQ2.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of frame risk versus those that have low levels of frame risk?

H2₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of frame risk versus those that have low levels of frame risk.

H2ₐ.1: There is a significant difference in the level of IT effectiveness between firms that have high levels of frame risk versus those that have low levels of frame risk.

RQ3: What is the nature of the relationship between assessed risk and IT effectiveness?

H3₀: There is no significant relationship between assessed risk and IT effectiveness.

H3ₐ: There is a significant relationship between assessed risk and IT effectiveness.

RQ3.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of assessed risk versus those that have low levels of assessed risk?

H3₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of assessed risk versus those that have low levels of assessed risk.

H3ₐ.1: There is a significant difference in the level of IT effectiveness between firms that have high levels of assessed risk versus those that have low levels of assessed risk.

RQ4: What is the nature of the relationship between response to risk and IT effectiveness?

H4₀: There is no significant relationship between response to risk and IT effectiveness.

H4ₐ: There is a significant relationship between response to risk and IT effectiveness.

RQ4.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of response to risk versus those that have low levels of response to risk?

H4₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of response to risk versus those that have low levels of response to risk.

H4ₐ.1: There is a significant difference in the level of IT effectiveness between firms that have high levels of response to risk versus those that have low levels of response to risk.

RQ5: What is the nature of the relationship between monitoring risk and IT effectiveness?

H5₀: There is no significant relationship between monitoring risk and IT effectiveness.

H5ₐ: There is a significant relationship between monitoring risk and IT effectiveness.

RQ5.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of monitoring risk versus those that have low levels of monitoring risk?

H5₀.1: There is no significant difference in the level of IT effectiveness between firms that have high levels of monitoring risk versus those that have low levels of monitoring risk.

H5ₐ.1: There is a significant difference in the level of IT effectiveness between firms that have high levels of monitoring risk versus those that have low levels of monitoring risk.

RQ6: Is there a difference in the level of IT effectiveness among industry sectors?

H6₀: There is no significant difference in the level of IT effectiveness among industry sectors.

Results, Discussion, and Summary

Discussion and Summary of the Multiple Regression Analysis

Through the multiple regression analysis employed for Research Question 1, the researcher sought to establish the relationship between risk management constructs and IT effectiveness. The null hypothesis stated that there is no significant relationship between risk management constructs and IT effectiveness. The null hypothesis was not supported and was therefore rejected. The results showed that there is a statistically significant relationship between the risk-management constructs (FR, AR, RTR, and MR) and IT effectiveness. The results indicate that many organizations believe that the response to risk (i.e., RTR) should be addressed first, and then MR, AR, and FR can be implemented. This result could be associated with the complexity of risk management implementation and the level of uncertainty about the proper risk management procedures to put in place. In addition, organizations may view the response to risk as a priority, because the risk itself could have a huge impact on the financial prospects of the organization.

Discussion and Summary of the Simple Linear Regression Analysis

Through the linear regression analyses employed for Research Questions 2 to 5, the researcher attempted to establish the relationship between IT effectiveness and the risk-management constructs of frame risk, assessed risk, response to risk, and monitoring risk. The null hypotheses stated that there is no significant relationship between each risk management factor and IT effectiveness. All of the null hypotheses (i.e., 2 to 5) were not supported and were rejected. An assessment is provided below regarding the associations amongst the constructs, their significance, and their accordance with previous studies. The analyses revealed a statistically significant positive relationship between IT effectiveness and each risk-management construct: frame risk (R2 = .494), assessed risk (R2 = .562), response to risk (R2 = .587), and monitoring risk (R2 = .574). The results provided evidence that risk management constructs are effective predictors of IT effectiveness, and imply that efficient risk management practices greatly improve an organization's IT effectiveness.

The results presented supported the research conducted by Nair, Rustambekov, McShane, and Fainshmidt (2014), which found that ERM capability is positively associated with firm profitability. The information presented is also in agreement with earlier studies that have shown a favorable association between firm value and risk management (McShane, Nair, & Rustambekov, 2011); firm performance and ERM (Nickmanesh, Zohoori, Happy, & Akbari, 2013; Ping & Muthuveloo, 2015); ERM and program quality (Baxter et al., 2013); and ERM and business performance (Fadun, 2013). In essence, the results showed that the correlation between risk management and IT effectiveness is associated with the organization's current procedures and processes that enable the organization to address risks before they occur. In summary, an organization's current policies and procedures regarding its risk frame, ability to assess risk, response to risk, and monitoring capabilities help increase its overall effectiveness.

Discussion and Summary of the T-Test Analysis

The research hypotheses group (i.e., 2.1 to 5.1) assessed the high- and low-level grouping between each risk management factor (i.e., FR, AR, RTR, MR) and information technology effectiveness (ITE). The null hypotheses stated that, regarding risk management constructs, no significant differences existed between high and low levels. The researcher ran an independent sample t-test to assess whether distinctions existed. All of the null hypotheses (i.e., 2.1 to 5.1) were not supported and were rejected. The high and low groupings of FR (t(26.17) = -4.91, p < .001, d = 1.32); AR (t(38.54) = -5.078, p < .001, d = 1.22); RTR (t(35.10) = -5.853, p < .001, d = 1.42); and MR (t(42.68) = -5.855, p < .001, d = 1.33) were statistically significant (p < .05). The information presented shows that IT effectiveness levels do differ between groups. Moreover, the results show that organizations that have high levels of risk management have greater levels of IT effectiveness. As an organization increases the implementation of risk management processes and practices, the organization's overall effectiveness increases.
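The group comparison described above, as an added example that is not part of the dissertation's analysis or data: the script splits constructed records into low and high groups on one construct, then computes Welch's t statistic, its Welch-Satterthwaite degrees of freedom, and Cohen's d. Two assumptions are labelled as such in the code: the dissertation does not state how its high and low groups were formed, so a median split on the construct score is assumed, and the unequal-variance (Welch) form of the test is assumed because the fractional degrees of freedom reported (e.g., t(26.17)) are characteristic of it. The records are made up for illustration.

```python
# Added example (not the dissertation's data or code): independent-samples
# t-test of IT effectiveness between low and high groups of one risk
# construct, using Welch's unequal-variance form and Cohen's d.
# Assumptions labelled here: the high/low grouping rule is a median split
# (the study does not state its rule), and Welch's form is used because
# the fractional degrees of freedom reported (e.g. t(26.17)) imply it.
import math
import statistics

# Constructed sample: (frame-risk construct score, IT effectiveness score).
# These are made-up records for illustration, not survey responses.
RECORDS = [
    (5, 9), (6, 11), (7, 12), (8, 13), (6, 10), (7, 14), (5, 12), (8, 11),
    (12, 17), (13, 19), (14, 18), (15, 21), (13, 20), (14, 18), (12, 19), (15, 20),
]


def split_high_low(records):
    """Return (low, high) lists of the dependent scores, split at the
    median of the construct score (assumed grouping rule)."""
    cutoff = statistics.median([construct for construct, _ in records])
    low = [ite for construct, ite in records if construct <= cutoff]
    high = [ite for construct, ite in records if construct > cutoff]
    return low, high


def welch_t_test(group_a, group_b):
    """Welch's t, Welch-Satterthwaite df, and Cohen's d (pooled SD) for two
    independent samples; t and d are negative when group_a has the lower mean."""
    n1, n2 = len(group_a), len(group_b)
    m1, m2 = statistics.mean(group_a), statistics.mean(group_b)
    v1, v2 = statistics.variance(group_a), statistics.variance(group_b)
    se1, se2 = v1 / n1, v2 / n2            # squared standard errors of each mean
    t = (m1 - m2) / math.sqrt(se1 + se2)
    # Welch-Satterthwaite approximation: fractional df, as in the reported t(26.17).
    df = (se1 + se2) ** 2 / (se1 ** 2 / (n1 - 1) + se2 ** 2 / (n2 - 1))
    pooled_sd = math.sqrt(((n1 - 1) * v1 + (n2 - 1) * v2) / (n1 + n2 - 2))
    d = (m1 - m2) / pooled_sd
    return t, df, d


def describe_effect(d):
    """Label |d| with Cohen's conventional small/medium/large cut-offs (0.2/0.5/0.8)."""
    size = abs(d)
    if size >= 0.8:
        return "large"
    if size >= 0.5:
        return "medium"
    if size >= 0.2:
        return "small"
    return "negligible"


if __name__ == "__main__":
    low, high = split_high_low(RECORDS)
    t, df, d = welch_t_test(low, high)
    print(f"low n={len(low)} mean={statistics.mean(low):.2f}; "
          f"high n={len(high)} mean={statistics.mean(high):.2f}")
    print(f"t({df:.2f}) = {t:.3f}, d = {d:.2f} ({describe_effect(d)} effect)")
```

The negative sign of t matches the convention in the reported statistics: the low group is passed first, so its lower mean yields a negative t. The dissertation reports d as a magnitude, whereas the function keeps the sign of the mean difference; take the absolute value to compare. A two-tailed p-value needs the t distribution with the fractional df (for instance `scipy.stats.t.sf(abs(t), df) * 2` where SciPy is installed); with |t| above 10 on roughly 13 df the result is far below .001.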

Discussion and Summary of the Analysis of Variance

Through the ANOVA employed for Research Question 6, the researcher sought to discover whether industry sector influences the level of IT effectiveness. The null hypothesis stated that the level of IT effectiveness amongst industry sectors did not differ. The researcher rated 12 industry sectors—advertising and marketing, airlines, automotive, construction, entertainment, information technology, healthcare and pharmaceuticals, food and beverage, financial services, insurance, nonprofit, retail, utilities, and energy—based on IT effectiveness in each sector. The analysis showed that the null hypothesis was not rejected, which suggests that industry sector IT effectiveness does not differ significantly. In sum, there is no significant difference between the industry sectors regarding the level of IT effectiveness, meaning that IT effectiveness should not be gauged by industry sector for each organization; in each industry sector, organizational leaders address IT effectiveness differently.

Conclusions

There exists a considerable amount of research in which scholars have explored the constructs of risk management and the overall effectiveness of its implementation from a single- and paired-factor perspective. Mensah (2015) studied the factors associated with the effective implementation of holistic approaches to risk management. Parry (2014) investigated IT alignment, risk management, portfolio control, and the relationship of these factors to IT governance. Salifou (2016) explored the efficiency of COSO's ERM model in obtaining enhanced value, competitive advantage, and organizational strategy. The current study differs from those studies by filling an information gap in the literature through its focus on risk management as it pertains to IT effectiveness. Because the current research study is unique in acknowledging how an organization's risk management practices affect the organization's IT effectiveness, scholars and practitioners can draw the following conclusions.

From a practitioner's perspective, IT personnel need to address the risk-management constructs (i.e., FR, AR, RTR, and MR) that affect the strategic objectives of the organization by first ensuring IT effectiveness and business assurance, and then addressing the factors that have less impact on the business process. Regarding IT effectiveness, many IT executives in various industries agreed that an organization's response to risk is critically important to IT effectiveness. According to the survey data collected, this opinion is shared by many IT executives in various U.S. industries. The regression results emphasized the significance of RTR (R2 = .587) as a predictor of ITE when compared to the other constructs. Strengthening an organization's response to risk, therefore, is critical to improving its IT effectiveness. In addition, when an organization has appropriate monitoring practices in place, it can improve its IT effectiveness as well once risk has been addressed. Moreover, the multiple regression results in Table 14 show that all four constructs influence IT effectiveness at the level of significance (p < 0.001).

From a scholarly perspective, no empirical studies exist in the literature in which scholars have assessed the construct correlations regarding frame risk, assessed risk, response to risk, monitoring risk, and IT effectiveness. This study helps to fill that particular gap. The study's findings have provided a significant contribution to the study of IT effectiveness and risk management and could be utilized by researchers, IT executives, and other stakeholders in order to sustain and achieve greater IT effectiveness within their organizations.

Limitations

The purpose of this non-experimental quantitative correlational study was to assess the constructs and correlations associated with enterprise risk management and IT effectiveness. One of the study's limitations lies in its focus on only U.S.-based organizations. By focusing on U.S.-based organizations, the researcher could not make any assumptions about obtaining the same results for organizations in other countries. Another limitation was that participants were only individuals in IT who had experience with the organization's risk-management practices. The study's results cannot be generalized to organizations that do not have risk-management practices in place. In addition, the study was limited by addressing only four constructs; it would be beneficial if future scholars expanded the study scope to address the governance procedures throughout the organization, since governance has a significant impact on an organization's IT effectiveness as well.

Implications

Practical Implications

The results from this non-experimental quantitative correlational study have implications for IS practitioners, managers, and academia in an area of study that has not been thoroughly investigated. This research study helps to fill some of the existing gaps between practice and theory regarding risk management. The information contained within the research study could be used as a starting point for developing new theory-based guidelines to govern the enterprise risk management issues associated with IT effectiveness. Furthermore, the research information could aid in developing, maintaining, and improving risk management strategies once an organization has an understanding of how the organizational context and IT effectiveness affect overall performance. Empirical insight into the risk constructs that could influence IT effectiveness success or failure is another implication of the information presented in the study.

The study also presents a potential point of reference for developing new theory-based principles for security practitioners regarding information flow and the discontinuity of information within organizations. Due to the growing number of reported security breaches in the past few years, contemporary approaches to security management need to be addressed from a more holistic perspective (Broom, 2009; Taylor, 2014). IS professionals could use the results from the research study as a starting point for determining what areas of their current risk-management program may need to be addressed.

Theoretical Implications

Developing enterprise risk management strategies requires that an organization take a holistic approach to security. Applying IT effectiveness to the development of enterprise risk management strategies is an important theoretical contribution of the research study. Often, security issues are associated with protective mechanisms rather than with the organization's risk management practices (Kiselitsa & Shilova, 2016; Wu, Olson, & Dolgui, 2015). The findings presented in the current research study could provide empirical evidence that a direct correlation exists between organizational enterprise risk management practices and IT effectiveness. Furthermore, the researcher discovered evidence that the RMF could be expanded to serve as a useful framework to assess IT effectiveness as well. The research results are consistent with prior research on risk management regarding enterprise risk management having a relationship with IT effectiveness (Hopkin, 2014; Zwikael & Ahn, 2011).

Recommendations

Recommendations for Practice

The information presented in this study provides new empirical evidence that risk-management constructs have a positive correlation with IT effectiveness. The findings presented are consistent with other studies on risk management that have shown correlations between an organization's effectiveness and its risk management strategies (Mensah, 2015; Parry, 2014; Spicer, 2006). In addition, the results of this study provide additional evidence that an organization's risk management constructs, combined, are correlated with IT effectiveness. The recommendation offered by the study is that organizations should attempt to understand the risk-related constructs that affect the deployment of an integrated risk management system and consider the influence of the organizational structure when evaluating the efficiency of the system.

Recommendations for Further Research

This researcher recommends that this study be expanded to acknowledge security governance factors as well as risk management constructs concerning IT effectiveness. By expanding the research study to address governance practices, scholars could provide insight into how issues such as SOX compliance affect IT effectiveness, since both risk-management constructs and governance factors affect internal controls. The researcher also recommends that scholars carry out such future studies from a qualitative perspective to explore the dynamic experiences of the study's participants. The information provided could offer additional verification that risk management constructs have a relationship to IT effectiveness.

The researcher recommends that further research be conducted to assess how organizational hierarchy impacts risk management practices. The information presented could provide insight into how an organization's chain of command affects implementation and effectiveness. In addition, future researchers could investigate whether additional factors such as (a) organizational risk culture, (b) growth rate, (c) firm size, and (d) board independence impact IT effectiveness. Lastly, future scholars could evaluate value creation through risk management and IT effectiveness. The results from such a study could provide insight into how a collaborative approach to risk management influences stakeholder value creation.

Final Remarks

The purpose of this non-experimental quantitative correlational study was to assess the constructs and correlations of enterprise risk management and IT effectiveness. The researcher intended to provide organizations with significant data on the risk-management constructs that influence their organization's IT effectiveness the most. The researcher also intended to help organizations determine which individual risk construct regarding the (a) organizational risk frame, (b) risk assessment processes, (c) risk response procedures, and (d) monitoring procedures was affecting IT effectiveness. In addition, the information presented is also beneficial to risk auditors in helping them decide what risk management processes are crucial for many organizations. The research comprised question formulation, hypothesis testing, and data analysis that addressed risk management relationships and the degree to which those relationships could contribute real organizational value. Two different theoretical ideas and a risk framework formed the base of this non-experimental quantitative correlational study.

The information flow theory (IFT) developed by Barwise and Seligman (1997) provided a mathematical framework that models the laws governing information flow in distributed systems. The catastrophe theory created by French scientist Thom (1972) addressed concepts and rules about the steady and discontinuous states of an item. Also, the risk management framework (RMF) created by the National Institute of Standards and Technology (NIST) provides the basis for the non-experimental quantitative correlational study by addressing the four crucial components of a successful risk management program: (a) frame risk, (b) assessed risk, (c) response to risk, and (d) monitoring risk.

The findings from the data analysis allowed conclusions to be drawn about the four risk management constructs as factors influencing IT effectiveness. The results can be used as a foundation for future research on risk management or any study on IT effectiveness. The researcher fully answered the following research questions:

RQ1: What is the nature of the relationship between risk management constructs and IT effectiveness? The researcher determined that a statistically significant relationship exists between risk management constructs and IT effectiveness.

RQ2: What is the nature of the relationship between frame risk and IT effectiveness? In response to this question, the researcher determined that there is a positive relationship between frame risk and IT effectiveness.

RQ2.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of frame risk versus those that have low levels of frame risk? In response to this question, the researcher determined that there is a statistically significant difference in the level of IT effectiveness between firms that have high levels of frame risk versus those that have low levels of frame risk.

RQ3: What is the nature of the relationship between assessed risk and IT effectiveness? In response to this question, the researcher found that there is a positive relationship between assessed risk and IT effectiveness.

RQ3.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of assessed risk versus those that have low levels of assessed risk? The researcher found that there is a statistically significant difference in the level of IT effectiveness between firms that have high levels of assessed risk versus those that have low levels of assessed risk.

RQ4: What is the nature of the relationship between response to risk and IT effectiveness? In response to this question, the researcher found a positive relationship between response to risk and IT effectiveness.

RQ4.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of response to risk versus those that have low levels of response to risk? In response to this question, the researcher determined that there is a statistically significant difference in the level of IT effectiveness between firms that have high levels of response to risk versus those that have low levels of response to risk.

RQ5: What is the nature of the relationship between monitoring risk and IT effectiveness? The researcher found a positive relationship between monitoring risk and IT effectiveness.

RQ5.1: Is there a significant statistical difference in the level of IT effectiveness between firms that have high levels of monitoring risk versus those that have low levels of monitoring risk? The researcher determined that there is a statistically significant difference in the level of IT effectiveness between firms that have high levels of monitoring risk versus those that have low levels of monitoring risk.

RQ6: Is there a difference in the level of IT effectiveness among industry sectors? The researcher found that there is no difference in the level of IT effectiveness among industry sectors.

REFERENCES

AFP. (2015). 2015 AFP risk survey report of survey results. Retrieved from

http://www.oliverwyman.com

Ahmed, I., & Manab, N. A. (2016a). Influence of enterprise risk management success factors on

firm financial and non-financial performance: A proposed model. International Journal

of Economics and Financial Issues, 6(3), 830-836. Retrieved from

http://www.econjournals.com/

Ahmed, I., & Manab, N. A. (2016b). Moderating role of board equity ownership on the

relationship between enterprise risk management implementation and firms performance:

A proposed model. International Journal of Management Research and Reviews, 6(1),

21-28. http://www.ijmrr.com

Ahmad, W. A., & Mohammad, B. (2012). Can a single security framework address information

security risks adequately? International Journal of Digital Information and Wireless

Communications, 2(3), 222-230. Retrieved from http://sdiwc.net/ijdiwc/

AICPA. (2015). 2015 report on the current state of enterprise risk oversight: Updates on trends

and opportunities. Retrieved from https://www.aicpa.org

Andreea, A. (2014). Risk assessment at enterprise level. Analele Universităţii Constantin

Brâncuşi Din Târgu Jiu : Seria Economie, 1(6), 107-109. Retrieved from

http://www.utgjiu.ro/

Anquillare, M. (2010). ERM helps risk managers cross barriers within, outside company.

National Underwriter P & C, 114(15), 22-29. Retrieved from

http://www.propertycasualty360.com/National-Underwriter-Property-Casualty/

121
AON. (2015). Global risk management report. Retrieved from http://www.aon.com

Arena, M., Arnaboldi, M., & Azzone, G. (2010). The organizational dynamics of enterprise risk management. Accounting, Organizations and Society, 35(7), 659-675. doi:10.1016/j.aos.2010.07.003

Arnold, V., Benford, T., Canada, J., & Sutton, S. G. (2011). The role of strategic enterprise risk management and organizational flexibility in easing new regulatory compliance. International Journal of Accounting Information Systems, 12(3), 171-188. doi:10.1016/j.accinf.2011.02.002

Babu, M. S., Babu, A. M., & Sekhar, M. C. (2013). Enterprise risk management integrated framework for cloud computing. International Journal of Advanced Networking and Applications, 5(3), 1939-1950. Retrieved from http://www.ijana.in/

Bahtit, H., & Regragui, B. (2013). Risk management for ISO 27005 decision support. International Journal of Innovative Research in Science, Engineering and Technology, 2(3), 530-538. Retrieved from http://www.ijirst.org/

Ballantyne, R. (2013). An empirical investigation into the association between enterprise risk management and firm financial performance (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3557261)

Bani, J. (2011). Assessing the relationships among information technology flexibility, IT-business strategic alignment, and information technology effectiveness: An investigation of business intelligence implementation (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3443310)

Baroudi, J. J., & Orlikowski, W. J. (1988). A short-form measure of user information satisfaction: A psychometric evaluation and notes on use. Journal of Management Information Systems, 4(4), 44-59. doi:10.1080/07421222.1988.11517807

Barwise, J., & Seligman, J. (1997). Information flow: The logic of distributed systems. New York, NY: Cambridge University Press.

Baxter, R., Bedard, J. C., Hoitash, R., & Yezegel, A. (2013). Enterprise risk management program quality: Determinants, value relevance, and the financial crisis. Contemporary Accounting Research, 30(4), 1264-1295. doi:10.1111/j.1911-3846.2012.01194.x

Bayraktarli, Y. Y. (2009). Construction and application of Bayesian probabilistic networks for earthquake risk (Doctoral dissertation, University of Karlsruhe). Retrieved from http://e-collection.library.ethz.ch/eserv/eth:969/eth-969-02.pdf

Beasley, M. S., Clune, R., & Hermanson, D. R. (2005). Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy, 24(6), 521-531. doi:10.1016/j.jaccpubpol.2005.10.001

Belinskaja, L., & Velickiene, M. (2015). Business risk management: Features and problems in small and medium-sized trading and manufacturing enterprises. European Scientific Journal, 2(30), 30-58. Retrieved from http://eujournal.org/

Berry, W. D. (1993). Understanding regression assumptions. Newbury Park, CA: Sage Publications.

Berry-Stölzle, T. R., Altuntas, M., & Hoyt, R. E. (2011). Implementation of enterprise risk management: Evidence from the German property-liability insurance industry. The Geneva Papers on Risk and Insurance: Issues and Practice, 36(3), 414-439. doi:10.1057/gpp.2011.11

Bitglass. (2015). Bitglass cloud adoption report. Retrieved from http://www.bitglass.com

Bojanc, R., & Jerman-Blažič, B. (2013). A quantitative model for information-security risk management. Engineering Management Journal, 25(2), 25-37. doi:10.1080/10429247.2013.11431972

Bologa, A., & Bologa, R. (2011). A perspective on the benefits of data virtualization technology. Informatica Economica, 15(4), 110-118. Retrieved from http://revistaie.ase.ro/

Bradley, R. V., Pratt, R. M. E., Byrd, T. A., Outlay, C. N., & Wynn, D. E., Jr. (2012). Enterprise architecture, IT effectiveness and the mediating role of IT alignment in US hospitals. Information Systems Journal, 22(2), 97-127. doi:10.1111/j.1365-2575.2011.00379.x

Broom, A. (2009). Security consolidation and optimisation: Gaining the most from your IT assets. Computer Fraud & Security, 2009(5), 15-17. doi:10.1016/S1361-3723(09)70061

Brown, J. (2013). Creating an ERM culture requires people. Financial Executives International, 29(3), 61-63. Retrieved from http://www.financialexecutives.org

Brustbauer, J. (2016). Enterprise risk management in SMEs: Towards a structural model. International Small Business Journal, 34(1), 70-85. doi:10.1177/0266242614542853

Bulmer, M., Gibbs, J., & Hyman, L. (2010). Social measurement through social surveys: An applied approach. Burlington, VT: Ashgate.

Burke, M. F. (2011). IT effectiveness and flexibility versus strategic alignment: Assessing the correlative effects in higher education (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3426510)

Byrd, T. A., & Davidson, N. W. (2006). An empirical examination of a process-oriented IT business success model. Information Technology and Management, 7(2), 55-69. doi:10.1007/s10799-006-8100-z

Caldarelli, A., Fiondella, C., Maffei, M., Spanò, R., & Zagaria, C. (2012). Towards an ethical enterprise risk management: The case of an Italian mutual credit cooperative bank. Retrieved from https://www.iris.unina.it

Carden, L. L., Boyd, R. O., & Valenti, A. (2015). Risk management and corporate governance: Safety and health work model. Southern Journal of Business and Ethics, 7(1), 137-148. Retrieved from http://www.salsb.org/sjbe/

Carrel, P. (2010). The handbook of risk management: Implementing a post crisis corporate culture. Hoboken, NJ: Wiley.

Chatterjee, S., & Simonoff, J. S. (2013). Handbook of regression analysis. Hoboken, NJ: Wiley.

Chebrolu, S. B. (2010). Assessing the relationships among cloud adoption, strategic alignment and information technology effectiveness (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3426510)

Chebrolu, S. B., & Ness, L. (2013). How does alignment of business and IT strategies impact aspects of IT effectiveness? International Journal of Applied Management and Technology, 12(1), 1-15. Retrieved from http://scholarworks.waldenu.edu/ijamt/

Cohen, J. (1988). Statistical power analysis for the behavioral sciences (2nd ed.). Hillsdale, NJ: Lawrence Erlbaum.

Cook, L. A. (2011). Assessing the relationship of virtualization, strategic alignment, and information technology effectiveness (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3487528)

Cooper, D. R., & Schindler, P. S. (2008). Business research methods (10th ed.). Boston, MA: McGraw-Hill.

Cooper, R. B., & Quinn, R. E. (1993). Implications of the competing values framework for management information systems. Human Resource Management, 32(1), 175-201. doi:10.1002/hrm.3930320109

COSO. (2004). Enterprise risk management: Integrated framework. Retrieved from http://www.erm.coso.org

COSO. (2011). Embracing enterprise risk management: Practical approaches for getting started. Retrieved from http://www.erm.coso.org

Creswell, J. W. (2009). Research design: Qualitative, quantitative, and mixed methods approaches (3rd ed.). Thousand Oaks, CA: Sage.

Crockford, G. N. (1982). The bibliography and history of risk management: Some preliminary observations. Geneva Papers on Risk and Insurance, 7(2), 169-179. doi:10.1057/gpp.1982.10

Curtis, P., & Carey, M. (2012). Risk assessment in practice. Retrieved from http://www2.deloitte.com/content/dam/...Risk.../dttl-grc-riskassessmentinpractice.pdf

Đapić, M., Popović, P., Lukić, Lj., & Mitrović, R. (2012). Risk assessment concept in the new approach directives and its integration in the enterprise risk management (ERM). Industrija, 40(1), 3-38. Retrieved from http://scindeks.ceon.rs/journaldetails.aspx?issn=0350-0373&lang=en

Das, B. S. (2015). NIST frameworks vs COSO risk management framework. Retrieved from https://www.researchgate.net/publication/272886636_NIST_Framework_vs_COSO_framework

Deloitte. (2014). Global risk management survey. Retrieved from http://www2.deloitte.com

DeLone, W. H., & McLean, E. R. (1992). Information systems success: The quest for the dependent variable. Information Systems Research, 3(1), 60-95. doi:10.1287/isre.3.1.60

Dickinson, G. (2001). Enterprise risk management: Its origins and conceptual foundation. The Geneva Papers on Risk and Insurance: Issues and Practice, 26(3), 360-366. doi:10.1111/1468-0440.00121

Dionne, G. (2013). Risk management: History, definition, and critique. Risk Management and Insurance Review, 16(2), 147-166. doi:10.1111/rmir.12016

Driscoll, M. (2014). Enterprise risk management: Seven imperatives for process excellence. Corporate Finance Review, 19(3), 13-19. Retrieved from https://www.apqc.org/knowledge-base/documents/enterprise-risk-management-seven-imperatives-process-excellence-infographic

Eichman, B. W. (2013). An examination of the correlative effects of IT outsourcing with IT agility, IT strategic alignment and IT effectiveness (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3602871)

Eick, C. L. M. (2003). Factors that promote effective risk management at universities classified by the Carnegie system as Doctoral/Research universities - extensive (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3095782)

Ein-Dor, P., & Segev, E. (1978). Organizational context and the success of management information systems. Management Science, 24(10), 1064-1077. doi:10.1287/mnsc.24.10.1064

Ein-Dor, P., Segev, E., & Steinfeld, A. (1980). Use of management information systems: An empirical study. Proceedings of the International Conference on Information Systems, 2, 215-228. Retrieved from http://aisel.aisnet.org/icis1981/1

Everett, C. (2011). A risky business: ISO 31000 and 27005 unwrapped. Computer Fraud & Security, 2011(2), 5-7. doi:10.1016/S1361-3723(11)70015-X

Fadun, O. S. (2013). Risk management and risk management failure: Lessons for business enterprises. International Journal of Academic Research in Business and Social Sciences, 3(2), 225-239. Retrieved from http://hrmars.com/index.php/pages/detail/IJARBSS

Faris, S., Hasnaoui, S. E., Medromi, H., Iguer, H., & Sayouti, A. (2014). Toward an effective information security risk management of universities' information systems using multi agent systems, ITIL, ISO 27002, ISO 27005. International Journal of Advanced Computer Science and Applications, 5(6), 114-118. doi:10.14569/IJACSA.2014.050617

Farrell, M., & Gallagher, R. (2015). The valuation implications of enterprise risk management maturity. Journal of Risk and Insurance, 82(3), 625-657. doi:10.1111/jori.12035

Faul, F., Erdfelder, E., Lang, A.-G., & Buchner, A. (2007). G*Power 3: A flexible statistical power analysis program for the social, behavioral, and biomedical sciences. Behavior Research Methods, 39(2), 175-191. doi:10.3758/BF03193146

Ferrer, R. C., & Mallari, N. C. (2011). Speculative and pure risks: Their impact on firms' earnings per share. Journal of International Business Research, 10(S1), 115-136. Retrieved from http://www.iabe.org/

Field, A. (2009). Discovering statistics using SPSS (3rd ed.). London, UK: Sage.

Franz, C. R., & Robey, D. (1986). Organizational context, user involvement, and the usefulness of information systems. Decision Sciences, 17(3), 329-356. doi:10.1111/j.1540-5915.1986.tb00230.x

Fraser, J. R. S., Simkins, B. J., & Narvaez, K. (2015). Implementing enterprise risk management: Case studies and best practices. Hoboken, NJ: Wiley.

Gallagher, A. (2009). Road to implementation: Enterprise risk management for colleges and universities. Retrieved from http://www.ajg.com/media/850674/Road-to-Implementation-ERM-for-Colleges.pdf

George, D., & Mallery, P. (2011). SPSS for Windows step by step: A simple guide and reference (11th ed.). Boston, MA: Pearson.

Gillespie, S. J. (2014). Correlational study of risk management and information technology project success technology (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3610813)

Golshan, N. M., & Rasid, S. Z. A. (2012). Determinants of enterprise risk management adoption: An empirical analysis of Malaysian public listed firms. Proceedings of World Academy of Science, Engineering and Technology, Malaysia, 62.

González-Benito, J. (2007). Information technology investment and operational performance in purchasing: The mediating role of supply chain management practices and strategic integration of purchasing. Industrial Management & Data Systems, 107(2), 201-228. doi:10.1108/02635570710723813

Grace, M. F., Leverty, J. T., Phillips, R. D., & Shimpi, P. (2015). The value of investing in enterprise risk management. Journal of Risk and Insurance, 82(2), 289-316. doi:10.1111/jori.12022

Greitzer, F. L., & Hohimer, R. E. (2011). Modeling human behavior to anticipate insider attacks. Journal of Strategic Security, 4(2), 25-48. doi:10.5038/1944-0472.4.2.2

Grover, V., Jeong, S. R., & Segars, A. H. (1996). Information systems effectiveness: The construct space and patterns of application. Information & Management, 31(4), 177-191. doi:10.1016/S0378-7206(96)01079-8

Hardy, K. (2014). Enterprise risk management: A guide for government professionals. San Francisco, CA: Jossey-Bass.

Harris, P., Kinkela, K., & Hayes, N. T. (2011). Internal auditing developments: COSO studies key risk assessment as a component of enterprise risk management. Internal Auditing, 26(5), 11-15. Retrieved from http://store.tax.thomsonreuters.com/accounting/Finance/Internal-Auditing/p/100201298

Hopkin, P. (2014). Fundamentals of risk management: Understanding, evaluating and implementing effective risk management (3rd ed.). Philadelphia, PA: Kogan Page.

Hoyt, R. E., & Liebenberg, A. P. (2011). The value of enterprise risk management. The Journal of Risk and Insurance, 78(4), 795-822. doi:10.1111/j.1539-6975.2011.01413.x

Hoyt, R. E., & Liebenberg, A. P. (2015). Evidence of the value of enterprise risk management. Journal of Applied Corporate Finance, 27(1), 41-47. doi:10.1111/jacf.12103

ISACA. (2009). The Risk IT framework. Retrieved from http://www.isaca.org

ISF. (2014). Standard of good practice for information security: The definitive guide to enable information security compliance. Retrieved from http://www.securityforum.org

Ives, B., Olson, M. H., & Baroudi, J. J. (1983). The measurement of user information satisfaction. Communications of the ACM, 26(10), 785-793. doi:10.1145/358413.358430

Jalal-Karim, A. (2013). Leveraging enterprise risk management (ERM) for boosting competitive business advantages in Bahrain. World Journal of Entrepreneurship, Management and Sustainable Development, 9(1), 65-75. doi:10.1108/20425961311315728

Jøsang, A., Rosenberger, C., Miralabé, L., Klevjer, H., Varmedal, K. A., Daveau, J., . . . Taugbøl, P. (2015). Local user-centric identity management. Journal of Trust Management, 2(1), 1. doi:10.1186/s40493-014-0009-6

Kanungo, S., Duda, S., & Srinivas, Y. (1999). A structured model for evaluating information systems effectiveness. Systems Research and Behavioral Science, 16(6), 495-518. doi:10.1002/(SICI)1099-1743(199911/12)16:6<495::AID-SRES238>3.0.CO;2-R

Kenett, R. S., & Raphaeli, O. (2008). Multivariate methods in enterprise system implementation, risk management, and change management. International Journal of Risk Assessment and Management, 9(3), 258-276. doi:10.1504/ijram.2008.019744

King, W. R., & Rodriguez, J. I. (1978). Evaluating management information systems. MIS Quarterly, 2(3), 43-51. doi:10.2307/249177

Kiselitsa, E. P., & Shilova, N. N. (2016). Economic technology of enterprise risk management based on information support for their activity. Journal of Internet Banking and Commerce, 21(1), 1-14. Retrieved from http://www.icommercecentral.com/

Kline, M. M. (2014). The benefits of implementing an enterprise risk management approach into an organization (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 1564395)

KPMG. (2013). Expectations of risk management outpacing capabilities: It's time for action. Retrieved from https://nacm.org

Kurien, P., Rahman, W., & Purusottam, V. S. (2004). The case for re-examining IT effectiveness. Journal of Business Strategy, 25(2), 29-36. doi:10.1108/02756660410525380

Kutsch, E., Browning, T. R., & Hall, M. (2014). Bridging the risk gap: The failure of risk management in information systems projects. Research Technology Management, 57(2), 26. Retrieved from http://www.iriweb.org/rtm

Lam, J. (2014). Enterprise risk management: From incentives to controls (2nd ed.). Hoboken, NJ: Wiley.

Liang, X. (2013). The Liang-Kleeman information flow: Theory and applications. Entropy, 15(1), 327-360. doi:10.3390/e15010327

Liebenberg, A. P., & Hoyt, R. E. (2003). The determinants of enterprise risk management: Evidence from the appointment of chief risk officers. Risk Management and Insurance Review, 6(1), 37-52. doi:10.1111/1098-1616.00019

Liu, X. (2011). A holistic perspective of enterprise risk management (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3495808)

Louisot, J., & Ketcham, C. (2014). ERM, enterprise risk management: Issues and cases. Chichester, UK: Wiley.

Lukianchuk, G. (2015). The impact of enterprise risk management on firm performance of small and medium enterprises. European Scientific Journal, 11(13), 408-427. Retrieved from http://www.eujournal.org

Lundqvist, S. A. (2014a). An exploratory study of enterprise risk management: Pillars of ERM. Journal of Accounting, Auditing & Finance, 29(3), 393-429. doi:10.1177/0148558X14535780

Lundqvist, S. A. (2014b). Abandoning silos for integration. Retrieved from http://lup.lub.lu.se/record/4689913/file/4689917.pdf

Lundqvist, S. A. (2015). Why firms implement risk governance: Stepping beyond traditional risk management to enterprise risk management. Journal of Accounting and Public Policy, 34(5), 441-466. doi:10.1016/j.jaccpubpol.2015.05.002

Mafrolla, E., Matozza, F., & D'Amico, E. (2016). Enterprise risk management in private firms: Does ownership structure matter? Journal of Applied Business Research, 32(2), 671. doi:10.19030/jabr.v32i2.9603

Malik, S. A., & Holt, B. (2013). Factors that affect the adoption of enterprise risk management (ERM). OR Insight, 26(4), 253-269. doi:10.1057/ori.2013.7

Malz, A. M. (2011). Financial risk management: Models, history, and institutions. Hoboken, NJ: Wiley.

Marchetti, A. M. (2012). Enterprise risk management best practices: From assessment to ongoing compliance. Hoboken, NJ: Wiley.

Marden, J. I. (2004). Positions and QQ plots. Statistical Science, 19(4), 606-614. Retrieved from http://www.imstat.org/sts/

Markovitz, A. R., Goldstick, J. E., Levy, K., Cevallos, W., Mukherjee, B., Trostle, J. A., & Eisenberg, J. N. S. (2012). Where science meets policy: Comparing longitudinal and cross-sectional designs to address diarrhoeal disease burden in the developing world. International Journal of Epidemiology, 41(2), 504-513. doi:10.1093/ije/dyr194

Mataracioglu, T., & Ozkan, S. (2011). Governing information security in conjunction with COBIT and ISO 27001. International Journal of Network Security & Its Applications, 3(4), 111-116. doi:10.5121/ijcsit.2011.3321

McNeil, A. J., Frey, R., & Embrechts, P. (2015). Quantitative risk management: Concepts, techniques and tools. Princeton, NJ: Princeton University Press.

McShane, M. K., Nair, A., & Rustambekov, E. (2011). Does enterprise risk management increase firm value? Journal of Accounting, Auditing & Finance, 26(4), 641-658. doi:10.1177/0148558X11409160

Mehta, S. (2010). It's time for ERM. Financial Executives International, 26(9), 34-38. Retrieved from http://www.financialexecutives.org

Melone, N. P. (1990). A theoretical assessment of the user-satisfaction construct in information systems research. Management Science, 36(1), 76-91. doi:10.1287/mnsc.36.1.76

Mensah, G. K. (2015). Enterprise risk management: Factors associated with effective implementation (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3745481)

Merna, T., & Al-Thani, F. F. (2011). Corporate risk management. Hoboken, NJ: Wiley.

Murphy, D., & Murphy, R. (2013). Teaching cybersecurity: Protecting the business environment. Proceedings of the Information Security Curriculum Development Conference, USA, 88-93. doi:10.1145/2528908.2528913

Nabeel, M., & Bertino, E. (2014). Attribute based group key management. Transactions on Data Privacy, 7(3), 309-336. doi:10.1145/1542207.1542227

Nair, A., Rustambekov, E., McShane, M., & Fainshmidt, S. (2014). Enterprise risk management as a dynamic capability: A test of its effectiveness during a crisis. Managerial and Decision Economics, 35(8), 555-566. doi:10.1002/mde.2641

National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. (1979, April 18). The Belmont report: Ethical principles and guidelines for the protection of human subjects of research. Washington, DC: U.S. Department of Health, Education, and Welfare.

Nehari-Talet, A. (2014). Risk management and information technology projects. International Journal of Digital Information and Wireless Communications, 4(1), 1-9. doi:10.17781/P001078

Ness, L. R. (2005). Assessing the relationships among information technology flexibility, strategic alignment, and information technology effectiveness (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3178531)

Nickmanesh, S., Zohoori, M., Happy, A. M. M., & Akbari, A. (2013). Enterprise risk management and performance in Malaysia. Interdisciplinary Journal of Contemporary Research in Business, 5(1), 670-707. Retrieved from http://www.ijcrb.com/

Nishani, E. V. (2014). Maturity of IT risk management practices and reporting structure: An IT manager perspective (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3691822)

NIST. (2010). Guide for applying the risk management framework to federal information systems: A security life cycle approach (NIST Special Publication 800-37, Rev. 1). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37.pdf

Norusis, M. J. (2008). SPSS 16.0 statistical procedures companion. Upper Saddle River, NJ: Prentice Hall.

Nunnally, J. C. (1978). Psychometric theory (2nd ed.). New York, NY: McGraw-Hill.

O'Donnell, E. (2005). Enterprise risk management: A systems-thinking framework for the event identification phase. International Journal of Accounting Information Systems, 6(3), 177-195. doi:10.1016/j.accinf.2005.05.002

Otieno, O. C., & Biko, M. S. (2015). Security and cryptography on world wide web. International Journal of Computer Science and Information Security, 13(9), 136. Retrieved from https://sites.google.com/site/ijcsis/

Paape, L., & Speklé, R. F. (2012). The adoption and design of enterprise risk management practices: An empirical study. European Accounting Review, 21(3), 533-564. doi:10.1080/09638180.2012.661937

Parry, V. A. (2014). The relationship between effective information technology governance and project portfolio control, risk management, and business/information technology alignment in an organization (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3630588)

Paul, S., & Vignon-Davillier, R. (2014). Unifying traditional risk assessment approaches with attack trees. Journal of Information Security and Applications, 19(3), 165-181. doi:10.1016/j.jisa.2014.03.006

Pierce, A. C. (2002). The effect of business and information technology strategic alignment on information technology investment returns and corporate performance (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3058558)

Ping, T. A., & Muthuveloo, R. (2015). The impact of enterprise risk management on firm performance: Evidence from Malaysia. Asian Social Science, 11(22), 149-159. doi:10.5539/ass.v11n22p149

Pitt, L. F., Watson, R. T., & Kavan, C. B. (1995). Service quality: A measure of information systems effectiveness. MIS Quarterly, 19(2), 173-187. doi:10.2307/249687

Qingfeng, L. (2013). Gaining longitudinal insights from repeated cross-sectional survey data: With simulation-based validation and application (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3578791)

Ramakrishna, S. P. (2015). Enterprise compliance risk management: An essential toolkit for banks and financial services. Hoboken, NJ: Wiley.

Raymond, L. (1990). Organizational context and information systems success: A contingency approach. Journal of Management Information Systems, 6(4), 5-20. doi:10.1080/07421222.1990.11517869

Robey, D. (1979). User attitudes and management information system use. Academy of Management Journal, 22(3), 527-538. doi:10.2307/255742

Ross, R., Katzke, S., Johnson, A., Swanson, M., & Stoneburner, G. (2008). Managing risk from information systems: An organizational perspective (NIST Special Publication 800-39). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39.pdf

Saleh, M. S. M. (2012). Analysis of information security risks and protection management requirements for enterprise networks (Doctoral dissertation, University of Bradford). Retrieved from http://bradscholars.brad.ac.uk:8080/bitstream/handle/10454/5414/PhDMohamed%20S%20Saleh.pdf?sequence=1&isAllowed=y

Salifou, D. A. (2016). Analysis of the effectiveness of COSO's ERM model on organization strategy, competitive advantage, and value: A qualitative study (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 10002584)

Samani, R., Honan, B., & Reavis, J. (2015). CSA guide to cloud computing: Implementing cloud privacy and security. Waltham, MA: Syngress.

Segal, S. (2011). Corporate value of enterprise risk management: The next step in business management. Hoboken, NJ: Wiley.

Sevgi, O., Murat, C., & Semih, B. (2008). A maturity based qualitative information systems effectiveness evaluation of a public organization in Turkey. Journal of Cases on Information Technology, 10(3), 58-71. doi:10.4018/jcit.2008070106

Shad, M. K., & Lai, F. (2015). A conceptual framework for enterprise risk management performance measure through economic value added. Global Business and Management Research, 7(2), 1-11. Retrieved from http://www.gbmr.ioksp.com/

Shing-On, L. (2011). A comparison of psychometric properties and normality in 4-, 5-, 6-, and 11-point Likert scales. Journal of Social Service Research, 37(4), 412-421. doi:10.1080/01488376.2011.580697

Spicer, R. L. (2006). Enterprise risk management and Sarbanes-Oxley compliance: A model of convergence in accounting audit practice (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 3234980)

Steinhoff, J. C., Price, L. A., Comello, T. J., & Cocozza, T. A. (2016). Ten steps to sustainable enterprise risk management. The Journal of Government Financial Management, 65(2), 12-18. Retrieved from http://www.kpmg-institutes.com/institutes/government-institute/articles/2016/06/ten-steps-to-sustainable-enterprise-risk-management.html

Stoneburner, G., Goguen, A. Y., & Feringa, A. (2002). Risk management guide for information technology systems (NIST Special Publication 800-30). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/SP800-30.pdf

Stroie, E. R., & Rusu, A. C. (2011). Security risk management: Approaches and methodology. Informatica Economica Journal, 15(1), 228-240. Retrieved from http://revistaie.ase.ro/

Swanson, R. A., & Holton, E. F., III (Eds.). (2005). Research in organizations: Foundations and methods of inquiry. San Francisco, CA: Berrett-Koehler.

Tahir, I. M., & Razali, A. R. (2011). The relationship between enterprise risk management (ERM) and firm value: Evidence from Malaysian public listed companies. International Journal of Economics and Management Sciences, 1(2), 32-41. Retrieved from http://www.omicsonline.com/open-access/economics-and-management-sciences.php

Tallon, P. P. (1999). A process-oriented assessment of the alignment of information systems and business strategy: Implications for IT business value (Doctoral dissertation). Available from ProQuest Dissertations and Theses database. (UMI No. 9974164)

Tallon, P. P. (2011). Value chain linkages and the spillover effects of strategic information technology alignment: A process-level view. Journal of Management Information Systems, 28(3), 9-44. doi:10.2753/MIS0742-1222280301

Tallon, P. P., Kraemer, K. L., & Gurbaxani, V. (2000). Executives' perceptions of the business value of information technology: A process-oriented approach. Journal of Management Information Systems, 16(4), 145-173.

Tao, N. B., & Hutchinson, M. (2013). Corporate governance and risk management: The role of risk management and compensation committees. Journal of Contemporary Accounting & Economics, 9(1), 83-99. doi:10.1016/j.jcae.2013.03.003

Taylor, L. (2014). Practical enterprise risk management: How to optimize business strategies through managed risk taking. Philadelphia, PA: Kogan Page.

Thom, R. (1972). Structural stability and morphogenesis. New York, NY: W. A. Benjamin.

Tofan, D. C. (2011). Information security standards. Journal of Mobile, Embedded and Distributed Systems, 3(3), 128-135. Retrieved from http://www.jmeds.eu

Tohidi, H. (2011). The role of risk management in IT systems of organizations. Procedia Computer Science, 3, 881-887. doi:10.1016/j.procs.2010.12.144

Verbano, C., & Venturini, K. (2011). Development paths of risk management: Approaches, methods and fields of application. Journal of Risk Research, 14(5), 519-550. doi:10.1080/13669877.2010.541562

Vladimirov, A. A., Gavrilenko, K. V., & Mikhailovsky, A. A. (2010). Assessing information security: Strategies, tactics, logic and framework. Ely, UK: IT Governance Publishing.

Walker, R. (2013). Winning with risk management. Hackensack, NJ: World Scientific.

Wallig, G. (2012). Expanding the 'enterprise' in enterprise risk management. The Journal of Government Financial Management, 61(1), 33-36. Retrieved from https://www.highbeam.com/doc/1P3-2640146271.html

Wang, X., Zhang, J., Tong, X., Shamsuddin, S., He, R., & Xia, X. (2014). Mechanism and comprehensive countermeasure for drought management from the view of catastrophe theory. Natural Hazards, 71(1), 823-835. doi:10.1007/s11069-013-0915-4

Watkins, S., & Calder, A. (2015). IT governance: An international guide to data security and ISO 27001/ISO 27002. London, UK: Kogan Page.

Werts, C. E., Linn, R. L., & Jöreskog, K. G. (1974). Intraclass reliability estimates: Testing structural assumptions. Educational and Psychological Measurement, 34(1), 25-33. doi:10.1177/001316447403400104

Wheeler, E. (2011). Security risk management: Building an information security risk

management program from the ground up. Amsterdam, Holland: Syngress.

Wieczorek-Kosmala, M. (2014). Risk management practices from risk maturity models

perspective. Journal for East European Management Studies, 19(2), 133-159. Retrieved

from http://www.hampp-verlag.de/hampp_e-journals_JEMS.htm

Winter, R., Zhao, J. L., & Aier, S. (2010). Global perspectives on design science research.

Heidelberg, Germany: Springer

Wu, D., Olson, D. L., Dolgui, A. (2015). Decision making in enterprise risk management: A

review and introduction to special issue. Omega, 57(1), 1-4.

doi:10.1016/j.omega.2015.04.011

Yazid, A. S., Razali, A. R., & Hussin, M. R. (2012). Determinants of enterprise risk management

(ERM): A proposed framework for malaysian public listed companies. International

Business Research, 5(1), 80-86. doi:10.5539/ibr.v5n1p80

Yeo, M. L., Rolland, E., Ulmer, J. R., & Patterson, R. A. (2014). Risk mitigation decisions for IT

security. ACM Transactions on Management Information Systems, 5(1), 1-21.

doi:10.1145/2576757

Young, P. C., & Tippins, S. C. (2000). Managing business risk : An organization-wide approach

to risk management. New York, NY: AMACOM.

Zwikael, O., & Ahn, M. (2011). The effectiveness of risk management: An analysis of project

risk planning across industries and countries. Risk Analysis, 31(1), 25-37.

doi:10.1111/j.1539-6924.2010.01470.x

APPENDIX A. STATEMENT OF ORIGINAL WORK

Academic Honesty Policy

Capella University’s Academic Honesty Policy (3.01.01) holds learners accountable for the
integrity of work they submit, which includes but is not limited to discussion postings,
assignments, comprehensive exams, and the dissertation or capstone project.
Established in the Policy are the expectations for original work, rationale for the policy,
definition of terms that pertain to academic honesty and original work, and disciplinary
consequences of academic dishonesty. Also stated in the Policy is the expectation that learners
will follow APA rules for citing another person’s ideas or works.
The following standards for original work and definition of plagiarism are discussed in the
Policy:
Learners are expected to be the sole authors of their work and to acknowledge the
authorship of others’ work through proper citation and reference. Use of another person’s
ideas, including another learner’s, without proper reference or citation constitutes
plagiarism and academic dishonesty and is prohibited conduct. (p. 1)
Plagiarism is one example of academic dishonesty. Plagiarism is presenting someone
else’s ideas or work as your own. Plagiarism also includes copying verbatim or
rephrasing ideas without properly acknowledging the source by author, date, and
publication medium. (p. 2)
Capella University’s Research Misconduct Policy (3.03.06) holds learners accountable for research
integrity. What constitutes research misconduct is discussed in the Policy:
Research misconduct includes but is not limited to falsification, fabrication, plagiarism,
misappropriation, or other practices that seriously deviate from those that are commonly
accepted within the academic community for proposing, conducting, or reviewing
research, or in reporting research results. (p. 1)
Learners failing to abide by these policies are subject to consequences, including but not limited to
dismissal or revocation of the degree.

Statement of Original Work and Signature

I have read, understood, and abided by Capella University’s Academic Honesty Policy (3.01.01)
and Research Misconduct Policy (3.03.06), including Policy Statements, Rationale, and
Definitions.
I attest that this dissertation or capstone project is my own work. Where I have used the ideas or
words of others, I have paraphrased, summarized, or used direct quotes following the guidelines
set forth in the APA Publication Manual.

APPENDIX B. FREQUENCIES OF RISK MANAGEMENT CONSTRUCTS

Table B1. Frequencies of Frame Risk Measures – Internal Environment

Code | Items | NE (%) | E (%) | MI (%) | RI (%) | Mean | SD
FRIE1 | Training in ethical values for employees of all levels | 11.0 | 12.0 | 32.0 | 45.0 | 2.11 | 1.00
FRIE2 | Compensation policies intended to align the interests of managers and shareholders (i.e., balance short- and long-term) | 17.0 | 18.0 | 30.0 | 35.0 | 1.83 | 1.09
FRIE3 | Formally defined remuneration policies of executive management | 16.0 | 16.0 | 28.0 | 40.0 | 1.92 | 1.09
FRIE4 | Formally defined responsibilities for executive management (authority and accountability) | 8.0 | 12.0 | 34.0 | 46.0 | 2.18 | .936
FRIE5 | Formally defined audit committee responsibilities | 14.0 | 15.0 | 25.0 | 46.0 | 2.03 | 1.08
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100

Table B2. Frequencies of Frame Risk Measures – Objective Settings

Code | Items | NE (%) | E (%) | MI (%) | RI (%) | Mean | SD
FROS1 | Formal mission (vision/purpose) statement | 10.0 | 15.0 | 22.0 | 53.0 | 2.18 | 1.02
FROS2 | Formal business objectives/plan in place to execute the strategy | 8.0 | 14.0 | 24.0 | 54.0 | 2.24 | .976
FROS3 | Performance goals set to assess whether the firm is achieving its objectives/plan | 10.0 | 13.0 | 28.0 | 49.0 | 2.16 | 1.00
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100

Table B3. Frequencies of Frame Risk – Control Activities

Code | Items | NE (%) | E (%) | MI (%) | RI (%) | Mean | SD
FRCA1 | System to ensure that policies and procedures that are in place to manage the achievement of the firm's objectives/plan are functioning and effective | 11.0 | 11.0 | 41.0 | 37.0 | 2.04 | .963
FRCA2 | Authorization procedures in place to ensure appropriate individuals review the use of policies and procedures | 12.0 | 13.0 | 32.0 | 43.0 | 2.06 | 1.02
FRCA3 | Independent verification procedures to ensure the use of policies and procedures | 14.0 | 22.0 | 32.0 | 32.0 | 1.82 | 1.03
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100

Table B4. Frequencies of Assessment Risk

Code | Items | NE (%) | E (%) | MI (%) | RI (%) | Mean | SD
AR1 | Consideration of the likelihood that financial events will affect the firm's ability to achieve its objectives | 14.0 | 15.0 | 33.0 | 38.0 | 1.95 | 1.04
AR2 | Consideration of the potential impact that financial events will have on the firm's ability to achieve its objectives | 16.0 | 21.0 | 23.0 | 40.0 | 1.87 | 1.11
AR3 | Consideration of the likelihood that strategic risk events will affect the firm's ability to achieve its objectives | 15.0 | 16.0 | 35.0 | 34.0 | 1.88 | 1.04
AR4 | Consideration of the potential impact that strategic risk events will have on the firm's ability to achieve its objectives | 15.0 | 18.0 | 31.0 | 36.0 | 1.88 | 1.06
AR5 | Consideration of the likelihood that compliance events will affect the firm's ability to achieve its objectives | 15.0 | 18.0 | 30.0 | 37.0 | 1.89 | 1.07
AR6 | Consideration of the potential impact that compliance events will have on the firm's ability to achieve its objectives | 17.0 | 19.0 | 29.0 | 35.0 | 1.82 | 1.09
AR7 | Consideration of the likelihood that technology events will affect the firm's ability to achieve its objectives | 13.0 | 18.0 | 35.0 | 34.0 | 1.90 | 1.02
AR8 | Consideration of the potential impact that economic events will have on the firm's ability to achieve its objectives | 14.0 | 18.0 | 28.0 | 40.0 | 1.94 | 1.07
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100

Table B5. Frequencies of Response to Risk

Code | Items | NE (%) | E (%) | MI (%) | RI (%) | Mean | SD
RTR1 | Formal policies about how risk should be managed | 16.0 | 12.0 | 33.0 | 39.0 | 1.95 | 1.07
RTR2 | Risk response plan for all of the significant events the firm has identified | 15.0 | 15.0 | 36.0 | 34.0 | 1.89 | 1.04
RTR3 | Alternative risk responses for each significant event | 14.0 | 25.0 | 28.0 | 33.0 | 1.80 | 1.05
RTR4 | Risk tolerances (formal guidelines or measures used at appropriate levels to assess whether the firm will accept risk) | 16.0 | 14.0 | 35.0 | 35.0 | 1.89 | 1.06
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100

Table B6. Frequencies of Monitoring Risk

Code | Items | NE (%) | E (%) | MI (%) | RI (%) | Mean | SD
MR1 | Monitoring of the firm's internal environment, processes, and control activities | 13.0 | 19.0 | 30.0 | 38.0 | 1.93 | 1.04
MR2 | Key risk indicators or indicators aimed at emerging risks (not historical performance) | 14.0 | 19.0 | 35.0 | 32.0 | 1.85 | 1.02
MR3 | Monitoring assessment of the firm's risk management function done by an independent/external party | 17.0 | 18.0 | 36.0 | 29.0 | 1.77 | 1.05
MR4 | Frequent and structured updates of risk-related information | 14.0 | 21.0 | 28.0 | 37.0 | 1.88 | 1.06
MR5 | Internal risk assessment group or internal audit function given the responsibility to evaluate the ongoing effectiveness of the firm's risk management practices | 14.0 | 22.0 | 28.0 | 36.0 | 1.86 | 1.06
MR6 | Allocated risk owners who have primary responsibility and accountability for managing risk within their respective areas | 15.0 | 17.0 | 38.0 | 30.0 | 1.83 | 1.02
Note. NE - Non-Existent; E - Existent; MI - Moderately Implemented; RI - Robustly Implemented; N = 100

Table B7. Frequencies of IT Effectiveness

Code | Items | 1 (%) | 2 (%) | 3 (%) | 4 (%) | 5 (%) | 6 (%) | 7 (%) | Mean | SD
ITE1 | Overall quality of service | 5.0 | 1.0 | 2.0 | 12.0 | 24.0 | 25.0 | 31.0 | 5.48 | 1.54
ITE2 | User's satisfaction with IT | 5.0 | 0.0 | 2.0 | 14.0 | 20.0 | 27.0 | 32.0 | 5.53 | 1.52
ITE3 | Helpfulness of IT staff to users | 5.0 | 0.0 | 3.0 | 14.0 | 15.0 | 35.0 | 28.0 | 5.51 | 1.51
Note. 1-2 - Weak; 3-5 - Average; 6-7 - Strong; N = 100
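The means and standard deviations in Tables B1 through B7 can be reproduced from the percentage columns alone. The following Python check is an added example, not part of the dissertation; it assumes the response coding NE=0, E=1, MI=2, RI=3 for the four-point ERM items and 1 through 7 for the IT-effectiveness items, and it shows that the reported SDs match only the sample (n-1) formula, not the population formula.

```python
import math

# Assumed response coding (not stated numerically in the appendix):
# NE=0, E=1, MI=2, RI=3 for the ERM items; 1..7 for the ITE items.
ERM_CODES = (0, 1, 2, 3)
ITE_CODES = (1, 2, 3, 4, 5, 6, 7)


def likert_stats(percentages, codes, n=100, sample=True):
    """Mean and SD of a Likert item given the % of the n respondents per code.

    sample=True uses the n-1 denominator (what the tables report);
    sample=False gives the population SD for comparison.
    """
    if abs(sum(percentages) - 100.0) > 1e-9:
        raise ValueError("percentages must sum to 100")
    counts = [p * n / 100.0 for p in percentages]          # respondents per code
    mean = sum(c * k for c, k in zip(counts, codes)) / n
    ss = sum(c * (k - mean) ** 2 for c, k in zip(counts, codes))
    sd = math.sqrt(ss / (n - 1 if sample else n))
    return mean, sd


# Rows copied from Tables B1, B2 and B7:
# (item code, response codes, percentages, reported mean, reported SD)
ROWS = [
    ("FRIE1", ERM_CODES, (11, 12, 32, 45), 2.11, 1.00),
    ("FRIE4", ERM_CODES, (8, 12, 34, 46), 2.18, 0.936),
    ("FROS2", ERM_CODES, (8, 14, 24, 54), 2.24, 0.976),
    ("ITE1", ITE_CODES, (5, 1, 2, 12, 24, 25, 31), 5.48, 1.54),
]


def check_rows(rows=ROWS, sample=True):
    """Return the item codes whose reported mean/SD differ from the recomputed values."""
    mismatches = []
    for item, codes, pct, rep_mean, rep_sd in rows:
        mean, sd = likert_stats(pct, codes, sample=sample)
        sd_places = 3 if rep_sd < 1 else 2       # tables print .936 but 1.00
        if round(mean, 2) != rep_mean or round(sd, sd_places) != rep_sd:
            mismatches.append(item)
    return mismatches


if __name__ == "__main__":
    for item, codes, pct, *_ in ROWS:
        print(item, "mean=%.2f sd=%.3f" % likert_stats(pct, codes))
    print("mismatches (sample SD):", check_rows())
    print("mismatches (population SD):", check_rows(sample=False))
```

Extending ROWS with the remaining items of Appendix B lets the same check cover every table.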

APPENDIX C. ASSUMPTIONS OF MULTIPLE REGRESSION ANALYSIS

Hypothesis H1: $ITE = \beta_0 + \beta_1\,FR + \beta_2\,AR + \beta_3\,RTR + \beta_4\,MR + \varepsilon$

Figure C1. Histogram of regression standardized residuals of ITE (n = 100)

Figure C2. P-P plot of regression standardized residuals of ITE (n = 100)

Figure C3. Scatter plot of regression standardized residual for ITE (n = 100)

APPENDIX D. ASSUMPTIONS OF SIMPLE REGRESSION ANALYSIS

Hypothesis H2: $ITE = \beta_0\,FR + \beta_1$

Figure D1. Histogram of regression standardized residuals for ITE on FR (n = 100)

Figure D2. P-P plot of regression standardized residuals for ITE on FR (n = 100)

Figure D3. Scatter plot of regression standardized residual for ITE on FR (n = 100)

Hypothesis H3: $ITE = \beta_0\,AR + \beta_1$

Figure D4. Histogram of regression standardized residuals for ITE on AR (n = 100)

Figure D5. P-P plot of regression standardized residuals for ITE on AR (n = 100)

Figure D6. Scatter plot of regression standardized residual for ITE on AR (n = 100)

Hypothesis H4: $ITE = \beta_0\,RTR + \beta_1$

Figure D7. Histogram of regression standardized residuals for ITE on RTR (n = 100)

Figure D8. P-P plot of regression standardized residuals for ITE on RTR (n = 100)

Figure D9. Scatter plot of regression standardized residual for ITE on RTR (n = 100)

Hypothesis H5: $ITE = \beta_0\,MR + \beta_1$

Figure D10. Histogram of regression standardized residuals for ITE on MR (n = 100)

Figure D11. P-P plot of regression standardized residuals for ITE on MR (n = 100)

Figure D12. Scatter plot of regression standardized residual for ITE on MR (n = 100)

APPENDIX E. ASSUMPTIONS OF INDEPENDENT SAMPLE T-TEST ANALYSIS

Hypothesis H2.1: $\mu(\text{FR low-level group}) = \mu(\text{FR high-level group})$

Figure E1. Normal Q-Q Plots for FR low-level group and FR high-level group

Hypothesis H3.1: $\mu(\text{AR low-level group}) = \mu(\text{AR high-level group})$

Figure E2. Normal Q-Q Plots for AR low-level group and AR high-level group

Hypothesis H3.1: $\mu(\text{RTR low-level group}) = \mu(\text{RTR high-level group})$

Figure E3. Normal Q-Q Plots for RTR low-level group and RTR high-level group

Hypothesis H4.1: $\mu(\text{MR low-level group}) = \mu(\text{MR high-level group})$

Figure E4. Normal Q-Q Plots for MR low-level group and MR high-level group

APPENDIX F. CONSTRUCT OVERVIEW

Construct | Construct Source/Citation | Variable | Instrument Source/Citation | Scale | Data Type | Instrument Name
Frame Risk | NIST (2010) | Frame Risk (FR) | Lundqvist (2015) | 4-point Likert scale | Interval | ERM Dimension Instrument
Assessed Risk | NIST (2010) | Assessed Risk (AR) | Lundqvist (2015) | 4-point Likert scale | Interval | ERM Dimension Instrument
Response to Risk | NIST (2010) | Response to Risk (RTR) | Lundqvist (2015) | 4-point Likert scale | Interval | ERM Dimension Instrument
Monitoring Risk | NIST (2010) | Monitoring Risk (MR) | Lundqvist (2015) | 4-point Likert scale | Interval | ERM Dimension Instrument
IT Effectiveness | Ness (2005), Tallon (1999), Tallon, Kraemer and Gurbaxani (2000) | IT Effectiveness (ITE) | Ness (2005), Tallon, Kraemer and Gurbaxani (2000) | 7-point Likert scale | Interval | IT Effectiveness Instrument
