Factor analysis was employed to extract critical factors in the questionnaire that explain risk governance determinants. According to Jackson (2015), factor analysis applies in the design of a valid and reliable scale because it extracts the most significant factors from observed data that explain a construct of interest. In the analysis of observed data, factor analysis employed maximum likelihood as an extraction method. Denis (2016) expounds that maximum likelihood is expedient because it permits computation of varied indexes, determination of significance of factor loadings, and calculation of confidence intervals and correlations. Factor analysis was done on 10 scales in the questionnaire, namely, strategy (S), risk appraisal and insight (RAI), risk management and governance (RMG), review risk development and decision (RRD), risk communication (RC), risk culture (RCU), risk appetite (RA), risk-based audit and project success (RG), Impact of negative events (IN) and Internal audit function (IAF).
KMO, Bartlett’s, and Cronbach’s alpha tests were determined and tabulated in the following table (Table 9.1).
|Table 9.0: Tests for KMO, Bartlett, and Cronbach’s alpha|
KMO statistics for all variables are greater than 0.8, which means that the sample sizes are adequate for factor analysis. Field (2014) states that KMO values between 0.8 and 0.9 indicate a good sampling adequacy, whereas those greater than 0.9 exhibit an excellent sampling adequacy. Bartlett’s test indicates statistical significance, which means that the correlation matrix is dissimilar to the identity matrix (Pallant 2016). Cronbach’s alpha indicates that internal consistency of items is within a good level (0.8-0.9) and perfect level (above 0.9) for the reliability of the questionnaire to be robust (McCormick et al. 2017; Elliott & Woodward 2015). Thus, the following sections cover factor analysis of the ten scales in the questionnaire.
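The three checks described above (KMO, Bartlett's test, and Cronbach's alpha), worked through as an added example that is not part of the original study and does not use its data. The eight simulated Likert items, the seed, and all function names are assumptions; Bartlett's test is reported as its chi-square statistic and degrees of freedom only.

```python
import math
import random


def corr_matrix(items):
    """Pearson correlation matrix; `items` holds one list of scores per item."""
    n, p = len(items[0]), len(items)
    means = [sum(c) / n for c in items]
    dev = [[x - m for x in c] for c, m in zip(items, means)]
    ss = [sum(d * d for d in col) for col in dev]
    return [[sum(a * b for a, b in zip(dev[i], dev[j])) / math.sqrt(ss[i] * ss[j])
             for j in range(p)] for i in range(p)]


def invert(m):
    """Gauss-Jordan inverse and determinant, with partial pivoting."""
    p = len(m)
    a = [row[:] + [float(i == j) for j in range(p)] for i, row in enumerate(m)]
    det = 1.0
    for c in range(p):
        piv = max(range(c, p), key=lambda r: abs(a[r][c]))
        if abs(a[piv][c]) < 1e-12:
            raise ValueError("correlation matrix is singular")
        if piv != c:
            a[c], a[piv] = a[piv], a[c]
            det = -det
        det *= a[c][c]
        d = a[c][c]
        a[c] = [v / d for v in a[c]]
        for r in range(p):
            if r != c:
                f = a[r][c]
                a[r] = [v - f * w for v, w in zip(a[r], a[c])]
    return [row[p:] for row in a], det


def kmo(items):
    """Kaiser-Meyer-Olkin measure: squared correlations vs squared partial correlations."""
    r = corr_matrix(items)
    inv, _ = invert(r)
    r2 = q2 = 0.0
    for i in range(len(r)):
        for j in range(len(r)):
            if i != j:
                partial = -inv[i][j] / math.sqrt(inv[i][i] * inv[j][j])
                r2 += r[i][j] ** 2
                q2 += partial ** 2
    return r2 / (r2 + q2)


def bartlett_sphericity(items):
    """Chi-square statistic and degrees of freedom for H0: correlation matrix = identity."""
    n, p = len(items[0]), len(items)
    _, det = invert(corr_matrix(items))
    chi2 = -(n - 1 - (2 * p + 5) / 6) * math.log(det)
    return chi2, p * (p - 1) // 2


def cronbach_alpha(items):
    """alpha = k/(k-1) * (1 - sum of item variances / variance of the summed scale)."""
    def var(xs):
        m = sum(xs) / len(xs)
        return sum((x - m) ** 2 for x in xs) / (len(xs) - 1)
    k = len(items)
    totals = [sum(col[i] for col in items) for i in range(len(items[0]))]
    if var(totals) == 0:
        raise ValueError("summed scale has zero variance")
    return k / (k - 1) * (1 - sum(var(c) for c in items) / var(totals))


def band(value):
    """Bands cited in the text: 0.8-0.9 good, above 0.9 excellent."""
    return "excellent" if value > 0.9 else "good" if value >= 0.8 else "below 0.8"


def simulate_scale(n=200, seed=7):
    """Constructed data: 8 Likert items (1-5); items 0-3 and 4-7 each follow one latent factor."""
    rng = random.Random(seed)
    items = [[] for _ in range(8)]
    for _ in range(n):
        f = [rng.gauss(0, 1), rng.gauss(0, 1)]
        for k in range(8):
            raw = 3 + f[k // 4] + 0.5 * rng.gauss(0, 1)
            items[k].append(min(5, max(1, round(raw))))
    return items


def report(items, clusters=((0, 1, 2, 3), (4, 5, 6, 7))):
    """Scale-level adequacy plus one alpha per latent cluster (cluster split is assumed)."""
    chi2, df = bartlett_sphericity(items)
    return {
        "kmo": kmo(items),
        "kmo_band": band(kmo(items)),
        "bartlett_chi2": chi2,
        "bartlett_df": df,
        "alpha": [cronbach_alpha([items[i] for i in c]) for c in clusters],
    }


if __name__ == "__main__":
    for key, value in report(simulate_scale()).items():
        print(key, value)
```
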
Factor Analysis for Strategy (s)
|Table 9.1a: Total variance explained for strategy|
Factor analysis extracted the first, second, and third factors with eigenvalues of 5.862, 0.434, and 0.261, which explained 65.13%, 4.82%, and 2.90% of variances correspondingly. Figure 9.1 confirms that maximum likelihood extracted three factors as demonstrated by the inflection point of the scree plot.
Table 91.1c above shows how each item loaded onto different latent clusters of Strategy (S). Three items, S3, S9, and S4, loaded onto the first latent variable with loadings of 0.829, 0.685, and 0.661 respectively. Four items, S7, S8, S6, loaded onto the second new latent variable with loadings of 0.719, 0.694, 0.628, and 0.557 in that order. Item S1 loaded onto the third latent variable with a loading of 0.849 and will be shifted to the second new latent cluster.
|Table 9.1c: Pattern matrix for strategy with new codes|
Table 9.1c depicts two latent clusters of Strategy (S):
- Four items, S1, S3, S4, and S9, are highly reliable as they loaded on the first latent cluster with Cronbach’s alpha of 0.912.
- Four items, S5, S6, S7, and S8, are highly reliable for they loaded onto the second latent cluster with Cronbach’s alpha of 0.863.
In summary, Table 9.1d illustrates that four items that loaded onto the first latent cluster were coded as a new item (SG1), while the other four items that loaded onto the second latent cluster were coded as a new item (SG2).
The interpretation of the (2) new latent clusters is provided below:
Risk alignment process – SG1
Risk alignment process (SG1) is a new cluster derived from nine factors of strategy. It comprises two components of the strategy that explain 68.03% of its variance. The first component with three items accounts for 65.13% of the variance, whereas the second component with one item accounts for 2.9% of the variation. Collectively, the four items are highly reliable in predicting risk alignment process as an aspect of strategy in risk governance. Risk alignment involves synchronisation of operations and activities in an organisation to meet objectives, performance measures, and strategies employed by organisations in risk management. In their study in the banking industry, Sheedy and Griffin (2017) established that infrastructure, culture, and strategy are three factors, which require synchronisation for organisations to achieve optimal performance in risk management. Infrastructure offers a supportive foundation for risk managers to implement risk management operations and activities. Culture promotes synchronisation for it encourages risk managers to follow established procedures and practices in their roles and responsibilities while exercising risk governance. The strategy provides a framework for implementing risk management successfully in an organisation. Thus, alignment is critical in risk governance because it optimises interventions of risk management.
The examination of the questionnaire reveals that the risk alignment process entails the S1, S3, S4, and S9 items. The questionnaire shows that alignment of risks with strategic objective, risk profile with capital management, risk management with strategic decision-making, and financial crisis with risk management plan are the main strategies that organisations should utilize in risk governance. Smith (2016) argues that the inability to align risk interventions in organisations does not only reduce the capacity to manage risks but also increases the occurrence and impacts. Organisations without risk alignment do not achieve optimal performance of their operations and activities due to incoordination and confusion emanating from conflicting processes. Organisations with poor risk alignment processes are characterized by inefficiencies, incoordination, inflexibility, and disintegrated operations and activities. Sheedy and Griffin (2017) recommend that risk managers streamline their operations by creating a risk alignment process. Therefore, it is evident that organisations cannot forgo the risk alignment process in managing risks that threaten their objectives.
Risk oversight practices – SG2
Risk oversight practices (SG2) form a new cluster derived from nine items of strategy in risk governance framework. It constitutes a single component that explains 4.82% of the variation in strategy. The component comprises four factors that are highly reliable in predicting risk oversight practices in risk governance framework. Lyons (2015) defines risk oversight practices as interventions of enterprise risk management (ERM), which the board of directors undertakes in the management of risks. Oversight practices of risks entail identification, assessment of impacts, mitigation of occurrences and effects, and review of the efficacy of interventions. Lyons (2015) established five layers of defence in ERM, namely, the board, the executive management, the internal assurance, tactical oversight, and operational oversight, which help the board of directors to manage risks effectively. The inclusion of tactical and operational layers of defence into the conventional three-layered model of defence has enhanced the capacity of organisations to undertake risk oversight practices.
The examination of the questionnaire shows important themes that relate to risk oversight practices applied in the development of strategies in risk governance. The existence of oversight body, the mechanism for comprehending risk practices, the process for regulatory compliance, and the internal audit process are major factors that explain risk oversight practices. These factors are in line with the findings of Lyons (2015), which shows that risk oversight practices should occur in various layers of organisations ranging from the management level to operational level. Organisations with widespread oversight practices have enhanced the ability to manage and control risks. Vecchiato (2015) recommends that organisations define oversight responsibility of the board, improve risk intelligence, assess risk appetite, align risk identification with interventions, evaluate the capacity of risk governance, and inform stakeholders about risk process. These recommendations capture risk oversight practices that organisations have to adopt and implement for effective management of risks. Thus, risk oversight practices promote the capacity of organisations to overcome challenges that are dominant in turbulent environments.
Factor Analysis for Risk Appraisal and Insight
|Table 9.2a: Total variance explained for risk appraisal and insight|
Through the method of maximum likelihood, factor analysis extracted 1, 2, and 3 factors with eigenvalues of 7.267, 0.235, and 0.662, which explained 72.67%, 2.35%, and 6.62% respectively. Nevertheless, the scree plot shows extraction of two factors with a significant impact on risk appraisal and insight.
The pattern matrix (Table 9.2b) indicates that five items, RAI9, RAI8, RAI1, RAI2, and RAI10, loaded onto latent cluster 1 with 0.948, 0.689, 0.683, 0.646, and 0.562 loadings respectively. Two items, RAI4 and RAI5, loaded onto the second latent cluster with 1.001 and 0.477 loadings in that order. RAI6 is the only item that loaded onto the third latent cluster with a loading value of 0.977 and will be shifted to the second latent cluster.
|Table 9.2c: Pattern matrix for risk appraisal with new codes|
Table 9.2c depicts the two new latent clusters:
- Five items, RAI1, RAI2, RAI8, RAI9, and RAI10, are significantly reliable because they loaded onto the first latent cluster with Cronbach’s alpha of 0.937.
- Three items, RAI4, RAI5, and RAI6, are significantly reliable for they loaded onto the second latent cluster with Cronbach’s alpha of 0.936.
In recap, Table 9.2c shows that the five items in component one were coded as a new item (RAIG1), while the three items that loaded onto the second component were coded as a new item (RAIG2).
The interpretation of the (2) new latent clusters is provided below:
Risk Guidelines – RAIG1
Risk guideline (RAIG1) is a new cluster derived from 19 items of risk appraisal and insight. It explains 72.267% of the variation in risk appraisal and insight. Risk guidelines encompass five factors, namely, RAI1, RAI2, RAI8, RAI9, and RAI10, which are highly reliable for they loaded onto a single component. Risk guidelines are central to risk management for they provide framework, principles, and process for managing risk in diverse organisations. The nature of risk guidelines determines their effectiveness in the management of risks. Evidently, organisations with comprehensive risk guidelines manage their risks successfully. The International Organisation for Standardisation formulated ISO 31000, which stipulates risk guidelines aimed at boosting the capacity of organisations to manage risks (Cooper et al. 2014). The ISO guidelines provide a concise, simple, and clearer process for organisations to expedite their risk management regarding planning and decision-making. The ISO focuses on the principles of risk management, integration into all operations, iteration of risk management, and streamlining of processes.
Risk guidelines are essential in the management of risk for they provide framework, principles, and processes that are not only effective but also promote standardisation of operations and activities. Bergstrom and Frykmer (2016) employed complexity theory in asserting that an analytical framework comprising dimension, scope, and resolution systems form the basis of risk management guidelines. The integration of risk guidelines into the analytical framework offers a robust way of streamlining and synchronising operations and activities. According to ISO 31000, organisations ought to formulate empirical guidelines and feasible principles, which guide risk managers on how to manage diverse risks. The existence of clear and concise risk guidelines eliminates ambiguity and obscurity in the process of risk management. The absence of risk guidelines creates confusion and reduces synergy of auditors for they would perform uncoordinated tasks, which hinder effective management of risks. Thus, the cluster of risk guidelines is critical in the assessment of the capacity of organisations to undertake effective risk governance.
Risk assessment process – RAIG2
Risk assessment process (RAIG2) is a new second cluster derived from 19 items of risk appraisal and insight. It comprises two components explaining 2.348% and 6.616% of the variation in risk appraisal and insight. The first component has two factors, RAI14 and RAI15, whereas the second component has one factor, RAI16. These components collectively explain 8.964% of the variation in risk appraisal and insight. Risk assessment process is an established method of risk management that allows risk managers to identify risk and formulate effective mitigation measures. In risk assessment, risk managers should identify risks, recognise vulnerable project objectives, determine the potential occurrence, provide a comprehensive report, and offer a continual review (Aven 2016). Identification of risk is the primary role of risk managers for it enables them to comprehend the nature and magnitude of impending impacts. Since risks have huge impacts on certain project objectives considered as weak points in an organisation, recognition of these objectives improves preparedness. The determination of potential occurrence aids in evaluation of the magnitude of the impacts, and thus, forms the basis of developing effective mitigation measures. Given that risk assessment process provides important information about risks, organisations require a detailed report for risk managers to examine, develop mitigation measures, and undertake a constant review.
Normally, risk assessment process entails the quantitative and qualitative risk analysis. The quantitative risk analysis considers risks, which have considerable effects on project objectives, whereas the qualitative risk analysis considers all risks identified in a given project. In the quantitative risk analysis, risk managers employ scientific and mathematical models in predicting the occurrence and the impacts of risk on respective projects in organisations. In contrast, risk managers apply expert judgment in the qualitative risk analysis to determine the occurrence and impacts of risks. Due to the increasing importance of the risk assessment process, modern organisations have integrated enterprise risk management in their boards (Viscelli, Beasley & Hermanson 2016). Risk management boards with established risk assessment process are effective in risk governance.
Factor Analysis for Risk Management and Governance
|Table 9.3a: Total variance explained for risk management and governance|
In Table 9.3a, the extracted factors had eigenvalues of 12.828 and 0.868 for the first and second factors, which explained 67.51% and 4.57% of the variation in risk management and governance respectively. However, the scree plot (Figure 9.3) demonstrates that four factors provide a significant influence on the variation of data.
Table 9.3b depicts the new latent clusters:
- Twelve items, RMG1, RMG2, RMG5, RMG6, RMG9, RMG10, RMG11, RMG12, RMG13, RMG14, RMG15, and RMG16, are highly reliable for they loaded onto the first latent cluster with Cronbach’s alpha of 0.97.
- Seven items, RMG3, RMG4, RMG7, RMG8, RMG17, RMG18, and RMG19, are highly reliable for they have Cronbach’s alpha of 0.931.
In summary, the twelve items in the first latent cluster were coded into a new variable (RMGG1), whereas the seven items in the second latent cluster were coded into a new variable (RMGG2).
The interpretation of the (2) new latent clusters is provided below:
Risk Governance – RMGG1
Risk governance (RMGG1) is a new cluster emanating from 19 items in the questionnaire, which explains risk management and governance. It constitutes a single component with 12 factors, which are highly reliable in predicting the occurrence of risk governance in an organisation. Fundamentally, risk governance comprises regulations, rules, processes, conventions, and mechanisms that organisations employ in the management of risks. Stulz (2016) undertook a study in the banking industry and established that risk governance entails identification, measurement, aggregation, management, and monitoring of risks. The establishment indicates that risk governance is a process that requires proficient coordination of operations and activities in line with the prevailing management practices. Organisations grapple with the challenge of identification, measurement, and aggregation of risks for they operate in dynamic environments. Once they have assessed risks, risk managers design strategies and processes of preventing, eliminating, mitigating, and avoiding risks. For sustainable risk governance, organisations have to undertake a review of risks continuously.
The assessment of the items in the questionnaire reveals important themes in risk governance. The existence of a support system and formalised approach to risk governance enables organisations to manage risks appropriately. Moreover, the existence of stipulated rules and regulations and elaborate policies and code of conduct is essential for employees to perform their duties and roles diligently. As accountability is a management matter that determines ownership of responsibilities, risk managers have to ensure that there are relevant mechanisms and procedures for employees to adhere (Stulz 2016). The existence of the internal auditing mechanism strengthens the capacity of risk managers to undertake risk governance. The auditing mechanism enables risk managers to streamline and synchronise their operations and activities in tandem with the dominant practices. In their study, Escuder-Bueno and Halpin (2016) found out that risk identification, evaluation, and prioritisation are crucial pillars that support risk governance in various organisations. The implication is that organisations ought to establish risk management process as the foundation of risk governance.
SG2 – Risk Control – RMGG2
As a new cluster, risk control (RMGG2) emanates from 19 items of risk management and governance. It constitutes a single component with seven factors that explain 4.57% of the variation in risk management and governance. Risk control is an elaborate process that organisations employ in managing risks. It entails operations and activities that organisations undertake in implementing interventions, monitoring of progress, identifying new risks, and the assessment of risk process efficacy. Risk managers deploy various strategies in risk control, which include avoidance of risk, prevention of loss, reduction of loss, separation from risks, duplication of resources, and diversification of organisational functions (Aven 2016). The avoidance of risk is the most effective approach to risk control because it reduces the probability of a risk occurring to naught. The prevention and reduction of loss apply in instances where the occurrence of a risk is inevitable, and the only available option is to mitigate their occurrence and impacts. The separation and duplication is a strategy that allows managers to reduce risks and their impacts on organisations. Since risks have different impacts on various objectives or sections of organisations, diversification of projects minimises their impacts when they occur.
In the questionnaire, it is apparent that seven items highlight themes of risk control in risk governance framework. The existence of regulatory requirements is important in risk control for it provides a legal framework that supports interventions and practices of risk managers. Given that firms consist of stakeholders and the management teams, communication mechanisms are essential for they promote the effectiveness of the decision-making process. Whistleblowing mechanism and fraud risk assessment are interventions to risk control that help in preventing corruption and supporting accountability among employees in an organisation. The existence of a formal oversight authority such as the board of directors or risk management board ensures the implementation of strategies successfully (Lyons 2015). Risk control requires an oversight body to supervise and manage operations and activities involved in the management of risks. Brustbauer (2016) avers that risk control is a strategy that enables small- and medium-sized enterprises to control risks and become competitive in global markets. Hence, risk control is an integral predictor of risk management and governance in modern organisations.
Factor Analysis for Review Risk Development and Decision
|Table 9.4: Total variance explained for review risk development and decision|
The extracted factors (1, 2, and 3) had eigenvalues of 7.085, 0.391, and 0.319 explaining 70.85%, 3.91%, and 3.19% of the variation in review risk development and decision correspondingly. The scree plot (Figure 9.4) confirms that the three extracted factors explain significant variation in review risk development and decision.
The pattern matrix (Table 9.4b) depicts how different items load onto three latent clusters based on their loadings. Out of the 10 items in RRD scale, RRD6 and RRD5 loaded onto the first latent cluster, RRD1, RRD3, and RRD2, loaded onto the second latent cluster, and RRD9, RRD10, and RRD8 loaded onto the third latent cluster.
|Table 9.4c: Pattern matrix for review risk development and decision with new codes|
In Table 9.4c:
- The first latent cluster has two items, RRD6 and RRD5, exhibiting an excellent level of the reliability with a Cronbach’s alpha of 9.24.
- The second latent cluster has three items, RRD1, RRD3, and RRD2, depicting a high level of the reliability with Cronbach’s alpha of 0.857.
- The third latent cluster has three items, RRD9, RRD8, and RRD10, showing an excellent level of the reliability.
As a summary, the two items in the first latent cluster were coded into a new variable (RDG1). The three items in the second latent cluster were coded into a new variable (RDG2), whereas those in the third latent cluster were coded into a new variable (RDG3).
The interpretation of the (3) new latent clusters is provided below:
Risk monitoring guidelines – RDG1
Risk monitoring guidelines (RDG1) is a new cluster extracted from 10 factors of review risk development and decision. It comprises one component with two factors, which are highly reliable in explaining review risk development and decision. The two factors explain 70.85% of the variation in risk development and decision. Risk monitoring guidelines offer procedures, processes, and principles of analysing, evaluating, and tracking risks in an organisation. As risks vary over time, risk monitoring is necessary for real-time assessment and management. Scott et al. (2016) explain that the function of risk monitoring is to track the occurrence of risks and determine the efficacy of strategies that organisations deploy in risk management. According to Kaplan and Mikes (2016), risk monitoring guidelines direct risk managers to determine if risks have changed, interventions are still reliable, and previous assumptions apply. In risk monitoring, risk managers can undertake a continuous or re-assessment process to keep abreast with the dynamic nature of risks in organisations.
Since risk monitoring is an active process, it entails identification and evaluation of risks for effective implementation of interventions. Essentially, risk-monitoring guidelines stipulate how risk managers identify and evaluate risks in their respective organisations. When risk managers identify risks and draft action plan for managing them, they apply monitoring process in checking and tracking the implementation process of interventions to guarantee efficacy and success. The monitoring process permits the collection of data for risk managers to analyse and generate essential information employed in risk management. Once there is an elaborate risk management plan, risk-monitoring guidelines arise to ensure that there is a meticulous implementation of risk interventions. In a case analysis, Kaplan and Mikes (2016) found out that continuous monitoring of risk is an integral ingredient for effective management of risks. From the questionnaire, it is apparent that the two factors of risk monitoring entail the existence of the formal process of addressing risks and guidelines that define roles and responsibilities of risk managers. The formal process empowers risk managers to create action plans and manage risks effectively. Guidelines that define roles and responsibilities direct risk managers in their operations and activities aimed at handling risks meritoriously.
Risk effectiveness assurance – RDG2
Risk effectiveness assurance (RDG2) is the second novel cluster generated from ten items of review risk development and decision. It comprises three factors, which account for 3.91% of the variation in review risk development and decision. Risk effectiveness assurance is a method that allows risk managers to assess risks and determine the capacity of interventions to assure effectiveness. The ability of a response to be effective in the management of risks is dependent on the quality assurance standards established by organisations. Davis (2017) explains that effective quality assurance in risk management is the one that considers dynamic changes in organisations and updates in standards. The board of directors ought to identify gaps in risk management, determine the capacity of the present interventions, and provide recommendations in a detailed report. In essence, the effectiveness of quality assurance determines how organisations respond to diverse risks they encounter.
Risk effectiveness assurance is apparent in the questionnaire as different factors or items explain different themes, as exhibited in RRD1, RRD2, and RRD3. In the questionnaire, the apparent theme related to risk effectiveness assurance is the presence of the internal audit assurance. In assessing the role of audit committee, Haji and Anifowose (2016) found out that the internal assurance is significant to risk management, as it empowers organizations to monitor and control their risks because they cause huge impacts. Owing to the dynamic nature of risks, the questionnaire captures the essence of an ongoing update of risk assessment. Davis (2017) explains that continuous update of quality assurance standards is necessary to keep abreast with changing risks and interventions. Additionally, the external assurance is essential to complement the internal mechanism. An independent body should undertake the external assurance to avert biases, which would influence the assessment and management of risks. Therefore, risk effectiveness assurance is an indispensable element in risk governance for it promotes standards of quality assurance.
Monitoring of risk exposure – RDG3
As the third novel cluster derived from ten factors of RRDG, monitoring of risk exposure (RDG3) is a vital variable in risk governance. RDG3 has three items, RRD8, RRD9, RRD10, which account for 3.19% of the variation in review risk development and governance. Fundamentally, monitoring of risk exposure is a continuous process of risk management. The main purpose of monitoring of risk exposure is to track identified risks, evaluate the existence of residual risks, and establish new risks (Bernklau 2016). Risk monitoring is an active process throughout the lifetime of a project or organisations. Changes and the emergence of new forms of risks require risk managers to update processes and procedures utilized in risk management. In monitoring risk exposure, risk managers aim to determine if reviews of risks are up to date, there is compliance with risk management practices, and contingency reserves are adequate.
Risk monitoring entails numerous operations and activities involving risk management. Boubaker, Buchanan, and Nguyen (2016) categorise monitoring of risk exposure as identification, risk analysis, risk control, measurement, and communication. Since risks are dynamic, risk managers have a constant task of assessing and determining if new risks have emerged in various projects. The identified risks need analysis to ascertain the degree of potential impacts and provide appropriate management interventions. For effective management of risks, control mechanisms are crucial for the sustainability of the risk management process. The management has to measure all risks and align their impacts with available resources and interventions. Communication is an integral element in the monitoring of risk exposure for it enables risk managers to communicate their assessments and offer relevant mitigation measures. In the questionnaire, various themes of monitoring of risk exposure are apparent. The existence of escalating process, management process, and documentation allows the management to monitor risks reliably. Thus, monitoring of risk exposure provides real-time information, which helps the management to make informed decisions on when to implement contingency plans, take corrective actions, and change project objectives.
Factor Analysis for Risk Communication
|Table 9.5a: Total variance explained for risk communication|
Factor analysis extracted three factors with eigenvalues of 6.909, 1.091, and 0.970, which accounted for 57.58%, 9.10%, and 8.08% of the variation in risk communication. The scree plot affirms that the three extracted factors are significant predictors of risk communication.
The pattern matrix shows that the items load into three latent clusters with different loadings. Five items, RC2, RC5, RC6, RC7, and RC8, loaded onto the first latent cluster, while four items, RC9, RC10, RC11, and RC12, loaded onto the second latent cluster. Three items, RC1, RC3, and RC4, loaded onto the third latent cluster.
|Table 9.5c: Pattern matrix for risk communication with new codes|
In Table 9.5c:
- Five items, RC2, RC3, RC6, RC7, and RC8, are reliable because their Cronbach’s alpha is excellent in the first latent cluster (0.932).
- Four items, RC9, RC10, and RC12, are reliable for their Cronbach’s alpha is superb in the second latent cluster (0.903).
- Three items, RC1, RC3, and RC4, are reliable for their Cronbach’s alpha is excellent in the third latent cluster (0.908).
Therefore, factor analysis of risk communication indicates that the five items of the first latent cluster were coded into a new variable (RCG1), whereas the four variables of the second latent cluster were coded into a new variable (RCG2). The three variables of the third latent cluster were coded into a new variable (RCG3).
The interpretation of the (3) new latent clusters is provided below:
Risk Communication – RCG1
Risk communication (RCG) is a new cluster obtained from 10 items of risk communication. It forms a single component with five items that are highly reliable in predicting risk communication. Risk communication accounts for 57.58% of the explained variance by factor analysis. Risk communication entails sharing of information that is critical in the identification, assessment, and mitigation of risks. Since experts can identify, assess, and mitigate risks, they have to share information with various parties or stakeholders in organisations so that they can make informed choices regarding risk management strategies. The dynamic nature and the occurrence of risks require sustained communications to enhance the preparedness of parties involved in risk management. Eriksson (2016) holds that risk communication boosts strategies for monitoring hazards and improves the sustainability of risk management. When risk managers undertake an accurate assessment of risks and communicate appropriate information, they obtain optimum support from an organisation. Thus, risk communication is an indispensable aspect of risk management that allows organisations to undertake accurate monitoring of risks and intervention measures.
Risk communication encompasses different aspects of risk management as reflected in the questionnaire. Transparency is an important feature of risk communication, for it allows everyone in an organisation to access and utilise information in risk governance. Given that communication can occur haphazardly, risk communication should occur in a system where there are formal procedures that differentiate internal and external communication. Moreover, the communication channels ought to discriminate information depending on their uses in risk management. External communication is beneficial, for it boosts transparency and accountability in risk governance. In risk management, assessment, monitoring, and reporting of risk analyses require effective communication. Arvai (2014) contends that risk communication is not a means of enlightening but a mechanism that supports enriching dialogue, which enables risk managers to access and utilise information in risk management. Thus, risk communication comprises mechanisms and processes that management uses in conveying and processing information.
Risk documentation – RCG2
Risk documentation (RCG2) is the first cluster generated from 12 factors of risk communication in risk governance. It constitutes four factors that form a single component, and they explain 9.10% of the variation in risk communication. Since risk management entails identification, assessment, and review of risks, it requires documentation to allow storage and utilisation of information in risk management. For instance, a risk assessment document has detailed information about risks in organisations. Risk managers study the risk assessment document so that they can design appropriate interventions and mitigation measures. Risk documents act as sources of evidence for insurance companies, and courts use them in determining liability. Proper risk documentation enables an organisation to get favourable premium rates of insurance and prevent costly lawsuits of negligence. In a documentary analysis, Higgins et al. (2016) noted that organisations differed in the way they analyse risks, undertake risk-assessment procedures, and implement risk management strategies. Through risk documentation, reviewers can determine the efficacy of risk-assessment methods and interventions.
The analysis of items that represent risk documentation shows that the existence of a risk indicators report and an aggregated risk exposure report are dominant themes. Risk documentation ought to have key risk indicators, for they are essential in promoting monitoring and development of mitigation measures. In assessing project-based organisations, Khameneh, Taheri, and Erhadi (2016) concluded that risk reporting is one of the key performance indicators of risk management and performance. In essence, risk indicators reports show trends of risks over time, which have influenced the capacity of organisations to achieve their project objectives. By analysing risk indicators reports, risk managers can predict the occurrence and impacts of risks on project objectives. The assessment of risks generates an aggregated risk report, which qualifies and quantifies risks in an organisation. An aggregated report forms the basis for designing and implementing evidence-based risk management strategies. Therefore, risk documentation is central to risk governance because it accumulates information that risk managers require to analyse and construct relevant and effective mitigation measures.
Risk Coordination – RCG3
Another new cluster of risk communication is risk coordination (RCG3). It comprises three items, which explain 8.08% of the variation in risk communication. These factors are highly reliable in predicting the extent of risk communication that happens in organisations. Given that risk management involves different levels of management ranging from the board at the top to operational management at the bottom, there is a need to coordinate processes for effective management of risks in organisations. Lechner and Gudmundsson (2014) aver that risk coordination ensures synchronisation of operations and activities, resulting in optimised risk management. Risk management practices such as identification, assessment, and review of risks need well-organised coordination because they have concerted effects on risk management. According to Viscelli, Beasley, and Hermanson (2016), ERM is a system that allows organisations to coordinate risk management operations and activities, for the board of directors can prioritise risks and launch appropriate responses to mitigate them. Therefore, the board of directors has a major role in coordinating ERM practices for effective and reliable management of risks in their organisations.
The existence of systems of risk management exhibits risk coordination in an organisation. From the questionnaire, risk communication is one of the factors that influence risk coordination. Communication promotes risk management because it allows risk managers to share vital information and design effective mitigation measures of risk. The existence of an elaborate communication mechanism within an organisation promotes risk management because the board of directors, managers, and employees can share information effortlessly. Additionally, the existence of guidelines for coordinating operations and activities is a factor that reflects risk coordination in an organisation. In their study, Xu and Berry-Stolzle (2018) highlight that ERM is an efficient system of coordinating risks for it integrates numerous interventions and strategies. Through risk coordination, the management delegates their responsibilities to appointed risk managers who can implement strategies for risk management as outlined in risk guidelines.
Factor Analysis for Risk Culture
|Table 9.6a: Total variance explained for risk culture|
Factor analysis extracted three factors with eigenvalues greater than 0.5 from eight items that make up the scale of risk culture. The extracted factors, 1, 2, and 3, have eigenvalues of 3.646, 2.297, and 0.349, which accounted for 45.58%, 28.71%, and 4.37% of the variation in risk culture. The scree plot supports the extraction of the three factors for they have marked influence on the variation of risk culture.
The pattern matrix demonstrates that three factors, RCU1, RCU4, and RCU6, load onto the first latent cluster, while another three factors, RCU2, RCU3, and RCU8, load onto the second latent cluster. RCU5 loads onto the third factor with a very high loading value of 1.067 and will be shifted to the first latent cluster.
|Table 9.6c: Pattern matrix for risk culture with new codes|
In Table 9.6c:
- Four items, RCU1, RCU4, RCU5, and RCU6, are moderately reliable for they have Cronbach’s alpha of 0.880.
- Three items, RCU2, RCU3, and RCU8, are moderately reliable because they have Cronbach’s alpha of 0.891.
In summary, four items, RCU1, RCU4, RCU5, and RCU6, were coded into a new variable (RCUG1), while the three items, RCU2, RCU3, and RCU8, were coded into a new variable (RCUG2).
The interpretation of the (2) new latent clusters is provided below:
Risk culture development – RCUG1
Risk culture development (RCUG1) consists of the first and the third components derived from eight factors of risk culture. The first component comprises three factors, while the third component encompasses one component, which explains 45.58% and 4.37% of the variation in risk culture respectively. Like in organisational culture, shared values, beliefs, principles, attitudes, goals, and practices determine the formation and the development of risk culture in organisations. Risk culture plays a central role in risk management and governance because it shapes processes, procedures, principles, and values in organisations. Risk culture development involves the growth of a culture that supports risk management and governance. The Institute of Risk Management has elucidated risk culture as a product of interrelationship of personal ethics, behaviours, and organisational culture (Chapman 2014). For risk culture to develop, organisations ought to define their principles, guidelines, roles, and regulations employed in the management of risks. To attain commendable risk culture, risk managers must educate employees on the essence of developing risk culture in their organisations.
The scrutiny of items in the questionnaire that predict risk culture shows that several factors contribute to the development of risk culture. The existence of guidelines for promoting accountability in risk management is necessary. By following established guidelines and applying them in risk management continually, risk managers reinforce accountability and create a culture of compliance. The questionnaire also reveals that training of employees and the board of directors is essential for the robust and extensive development of risk culture. Training boosts dissemination of guidelines and creates synergy in the implementation of strategies and interventions deployed in risk management. Ring et al. (2014) observe that lessons derived from regulatory notices enable organisations to strengthen their risk culture and manage risks efficiently. The existence of audit process, empowering programs, and guidelines for fostering risk management are integral to the development of risk culture.
Risk culture awareness – RCU2
Risk culture awareness (RCU2) is the second component derived from eight factors that cover risk culture. It constitutes three factors, which account for 28.71% of the variation in risk culture. Risk culture awareness involves the understanding of roles, regulations, and guidelines that organisations employ in risk management. In the development of risk culture, the building of awareness is the first step. Risk managers cannot develop risk culture in their organisations without creating awareness among employees. Organisations create risk culture awareness through communication and training of employees to understand various guidelines and practices of risk management. Effective strategies for building awareness entail the delivery of risk communication, the definition of roles and responsibilities, the performance of risk management, and the review of risk guidelines (Arras 2016). Thus, risk culture awareness forms the basis of the development of risk culture.
The analysis of the questionnaire provides significant insights relating to risk culture awareness themes in organisations. The questionnaire notes the existence of an awareness program, for it aids in the development of risk awareness. Besides, the internal audit system should have guidelines, which stipulate how organisations acquire and develop risk culture. Risk guidelines aid in the creation of uniform interventions and strategies employed in risk management. Evidently, ERM provides a framework through which the management integrates various aspects of risk management such as identification, evaluation, and review of risks. The implementation of ERM improves risk awareness in organisations and boosts performance (Frigo 2018). As cases of fraud occur in organisations, employees should be aware of ethical guidelines for effective deterrence and prevention.
Factor Analysis for Risk Appetite
|Table 9.7a: Total variance explained for risk appetite|
Factor analysis extracted three factors with eigenvalues of 6.811, 0.880, and 0.229, which accounted for 75.68%, 9.78%, and 2.55% of the variation in risk appetite in that order. The scree plot below endorses that the three extracted factors have a significant influence on the risk appetite.
The pattern matrix (Table 9.7b) shows that four items, RA1, RA2, RA3, and RA4, loaded onto the first latent cluster with high loadings. A subsequent four items, RA5, RA6, RA7, and RA9, loaded onto the second latent cluster, whereas RA8 is the only factor that loaded onto the third factor with a significant loading value. Thus, the pattern matrix for the new codes included RA8 in the second latent cluster, as demonstrated in Table 9.7c.
|Table 9.7c: Pattern matrix for risk appetite with new codes|
In Table 9.7c:
- Four items, RA1, RA2, RA3, and RA4, loaded onto the first latent cluster with Cronbach’s alpha of 0.960 indicating an excellent reliability.
- Five items, RA5, RA6, RA7, RA8, and RA9, loaded onto the second latent cluster with Cronbach’s alpha of 0.967 also showing an excellent reliability.
Overall, the four items, RA1, RA2, RA3, and RA4, loaded onto the first latent cluster and created a new variable (RAG1), whereas the five items, RA5, RA6, RA7, RA8, and RA9, loaded onto the second latent cluster and formed a new variable (RAG2).
The interpretation of the (2) new latent clusters is provided below:
Risk Appetite – RAG1
Risk appetite (RAG1) is a novel cluster extracted from nine items of risk appetite in risk governance. It is the first component with four factors, which are not only reliable but also explain 75.68% of the variance in risk appetite. Risk appetite is a parameter that measures the capacity of an organisation to tolerate a certain level of risk without experiencing significant impacts on its objectives and goals. Organisations with a high level of risk appetite can overcome considerable impacts of risks, while organisations with low risk appetite cannot tolerate minor risks that they experience (Kaplan & Mikes 2016). Normally, organisations perform risk assessment and determine their ability to bear different forms of risks. Essentially, risk assessment report allows risk managers to design and implement strategies and interventions, which would boost risk appetite, and thus, cushion organisations from the effects of most risks.
The questionnaire supports the existence of risk appetite in risk governance. The risk appetite framework is the foundation of risk assessment because risk managers can utilise it in drafting guidelines and interventions employed in risk management. Moreover, the existence of a defined risk appetite statement aids in the establishment of a robust risk appetite framework, which is critical in the assessment of risk appetite (Baldan, Geretto & Zen 2016). The existence of a mechanism for comprehending the degree of risk is necessary in determining the risk appetite of an organisation. Due to the dynamic nature of risks, an elaborate review mechanism for periodic assessment of appetite limits is necessary. Thus, risk managers need guidelines for risk assessment and review to ascertain risk appetite in organisations.
Risk appetite alignment process – RAG2
Risk appetite alignment process (RAG2) is the cluster component generated from nine factors of risk appetite. It contains the second and the third components with four factors and one factor respectively. The first component and the second component account for 9.78% and 2.55% of the variances in risk appetite respectively. Risk appetite alignment is a novel approach that modern organisations have developed and perfected in risk management. It entails alignment of risk appetite with risks, strategies, interventions, and activities of risk management. Proper alignment of risk appetite is beneficial to organisations because it promotes the achievement of strategic goals and reduces residual risks. According to risk-based performance, organisations align their risk appetite by defining strategic goals, assessing appetite, identifying risks, reviewing appetite, conducting a risk assessment, and aligning appetite with established risks (Nahar, Jubb & Azim 2016). Hence, such a process of risk appetite alignment provides an opportunity for review of risks and reassessment of appetite.
The scrutiny of the questionnaire shows important patterns of themes, which describe the risk appetite process in risk governance. The questionnaire recognises that risks are dynamic, and thus, it suggests the existence of frequent reassessments of risk appetite to align with the prevailing changes of strategic goals of organisations. Since guidelines are drivers of risk management in an organisation, risk alignment should consider optimising the interactions of business activities and the management. An effective interaction creates a favourable environment for risk management and alignment of risk appetites with organisational goals and objectives (Nahar, Jubb & Azim 2016). Constant reporting of the degree of risk appetite enhances the responsive capacity of organisations by alerting and preparing them. The existence of established frameworks such as ERM and risk-based performance aids in the integration of risk appetite in performance.
Factor Analysis for Risk Based Audit and Project Success
|Table 9.8a: Total variance explained for risk governance|
The extracted factors, 1, 2, and 3, have eigenvalues of 20.017, 0.749, and 0.562, which accounted for 71.49%, 2.68%, and 2.01% of the variation in risk governance correspondingly. The scree plot demonstrates that the three factors extracted accounted for a significant variation in risk governance.
Pattern matrix demonstrates that RG10 has the highest loading value (0.816) while RG2 has the lowest loading value (0.471) in the first latent cluster with 11 items. In the second latent cluster with seven items, RG26 has the highest loading value (0.768), while RG27 has the lowest loading value (0.485). RG4 has the highest loading value of 0.866, whereas RG2 has the lowest loading value of 0.486.
|Table 9.8c: Pattern matrix for risk governance and project success with new codes|
In Table 9.8c:
- The 11 items, RG1, RG8, RG9, RG10, RG11, RG12, RG13, RG14, RG15, RG16, and RG18, loaded onto the first latent cluster with an excellent level of reliability (Cronbach’s alpha = 0.969).
- The seven items, RG20, RG21, RG22, RG24, RG25, RG26, and RG27, loaded on the second latent cluster with an excellent reliability index of 0.956.
- The five items, RG2, RG4, RG5, RG6, and RG23, have a superb reliability level for they have Cronbach’s alpha of 0.945.
In summary, the 11 items from the risk governance scale, RG1, RG8, RG9, RG10, RG11, RG12, RG13, RG14, RG15, RG16, and RG18, formed a new latent variable (RGP1). Likewise, the seven items, RG20, RG21, RG22, RG24, RG25, RG26, and RG27, formed a new latent variable (RGP2). The five items, RG2, RG4, RG5, RG6, and RG23, created a new latent variable (RGP3).
The interpretation of the (3) new latent clusters is provided below:
Efficient project delivery – RGP1
Efficient project delivery (RGP1) is a new cluster derived from 28 items of risk governance. It consists of 11 items that are highly reliable for they explain 71.49% of the variation in risk governance. Primarily, risk governance is the core of risk management for it involves institutions, policies, rules, regulations, practices, processes, and procedures that management utilises in making strategic decisions aimed at improving organizational performance and alleviating risks. Moreover, it constitutes frameworks, models, and systems that stipulate mechanism and define boundaries of organisational operations and activities. Viscelli, Beasley, and Hermanson (2016) place the responsibility of risk governance on the board for it can create, fund, and implement interventions of risks management. Risk governance enables organisations to assess risks, determine risk appetites, and align strategic operations to guarantee performance.
The conceptualisation of risk governance in relation to the successfulness of projects offers critical insights necessary for effective management of risks. The achievement of strategic objectives is an outstanding aspect of risk governance because risk managers focus on attaining expectations of projects. In their study, Stein and Wiedemann (2016) assert that risk governance acts as a bridge that links risk management and corporate governance to optimise outcomes. Evidently, risk governance is valuable to organisations because it boosts the efficiency of operations, prevents the occurrence of crises, saves costs in the delivery of projects, and streamlines processes.
Efficient risk monitoring – RGP2
This cluster is derived from 7 items of risk-based audit processes, that is, RG20, RG21, RG22, RG24, RG25, RG26, and RG27, and it is consistent with the literature on continuous risk monitoring, in which it is regarded as critical in addressing and auditing project risks. It explains 2.68% of the variance in risk-based audit and project success by factor analysis. Risk monitoring is the real-time assessment of an enterprise’s risk status using a set of key risk indicators to prioritise audit procedures.
Studies consider continuous risk monitoring a core element of a dynamic auditing process. For example, Bumgarner and Vasarhelyi (2014) consider it a systematic approach to risk evaluation and audit planning that supports the detection of shifts in an organisation’s risk profile for effective governance. They further highlight the significance of risk monitoring; it enables auditors to populate risk assessments and auditing with new data to support risk management. Given the changing nature of risks, auditors have to continually evaluate and monitor risks to relate them to risk auditing and management. From the questionnaire, risk monitoring captures different aspects and outcomes of a well-designed risk-based auditing process. The adoption of risk monitoring using KRIs would help uncover emerging risks in a real-time manner. In a study, Moon (2016) supports the principles of accountability, adequate identification of risk appetites, prudent financial resource utilization, better management of stakeholder expectations, and improved strategic plan execution at board level. A risk-based auditor evaluates and identifies areas of potential risk impacts through relevant KRIs to ensure timely mitigation. Thus, periodic audit processes may not be consistent with the principles of the risk-based auditing. It should be recursive and based on continuous risk monitoring to respond to changes in an entity’s risk status throughout a business cycle.
Effective project risk management – RGP3
This cluster was formed from five items, viz., RG2, RG4, RG5, RG6, and RG23, which predict the success of projects. Effective project risk management accounts for 2.01% of the explained variance through factor analysis. This research corroborates the findings of related studies on the influence of risk-based audit processes on project success. It is understood from the literature that risk-based auditing connects the internal audit function to the firm’s risk governance strategy, assuring the management that project risk management is aligned to the defined risk appetite (Moon 2016). Risk-based auditing assures the board – an organ bearing the ultimate responsibility for risk identification and management – that the risks are being managed effectively.
The specific components of effective risk management in projects, as identified in the questionnaire, include timely and on-budget delivery, board-level reporting of consolidated and key risks, and risk identification and sharing across departments. Raydugin (2016) holds that project management allows managers to “identify, assess, and control” key risks at corporate and project level, which tend to be similar across departments (p. 295). For this reason, organisations adopt integrated risk management frameworks, such as ERM, to strengthen their risk culture – identification, assessment, and management capabilities. Multiple reporting of project risks to the chief financial officer who sits at the board can help avoid the management of risks in silos and enhance the involvement of project managers in the planning and execution of risk management activities to mitigate risks and capitalize on opportunities (Raydugin 2016). At this point, the firm should utilise internal auditing to add value to the portfolio of project risk management. Thus, from the literature, effective project risk management supports strategic decisions through consolidated risk identification, reporting, and sharing across departments, and informed resource allocation.
Factor Analysis for Occurrence of Negative Events
|Table 9.9a: Total variance explained for impacts of negative events|
The extracted factors, 1, 2, and 3, have eigenvalues of 4.252, 1.830, and 1.068, which account for 42.52%, 18.30%, and 10.68% of the variation in impacts of negative events. However, the scree plot indicates that five factors significantly influence impacts of negative events on projects.
The pattern matrix shows that four items, IN3, IN5, IN7, and IN9, loaded onto the first latent cluster, whereas another four items, IN1, IN2, IN4, and IN6, loaded onto the second latent cluster. Two items, IN8 and IN10, loaded onto the third latent cluster with loadings of 0.973 and 0.492 respectively.
|Table 9.9c: Pattern matrix for impacts of negative events for new codes|
In Table 9.9c:
- Latent cluster 1 has five items, IN3, IN5, IN7, IN8, and IN9, with an excellent reliability because the Cronbach’s alpha is 0.919.
- Latent cluster 2 has five items, IN1, IN2, IN4, IN6, and IN10, with a high reliability index of 0.861.
In summary, factor analysis created two new latent variables from 10 items on impacts of negative events. The five items, IN3, IN5, IN7, IN8, and IN9, formed INP1 as a new latent variable, while the remaining five items, IN1, IN2, IN4, IN6, and IN10, created INP2 as a new latent variable.
The interpretation of the (2) new latent clusters is provided below:
Governance Failure – INP1
Governance failure is a new cluster derived from five questionnaire items, that is, IN3, IN5, IN7, IN8, and IN9, associated with negative project impact. This cluster explains 42.52% of the variance determined through factor analysis. This finding is supported by the literature, where it is established that risk management failures result in the omission of opportunities and inability to meet strategic objectives (Fadun 2013). Since risk permeates all organisations and departments, integrated risk management can enhance the predictability of risks and enable them to take advantage of opportunities. However, in most firms, traditional models of risk governance that categorises and manages risks as separate entities are common, increasing the likelihood of governance failure. The major downside of this model is its narrow focus on organisational risks, as opposed to a holistic view of uncertainties and possible opportunities.
Risk governance failure could stem from various pitfalls as reflected in the questionnaire. Precisely, deficient control over project phases, a deficient governance model, the absence of independent monitoring and board-level reporting, and inability to meet strategic objectives are linked to unsuccessful risk management. Fedun (2013) extends this list further by identifying three reasons why risk governance systems fail. First, agency risk, which describes the inadvertent or obstinate neglect of risk mitigation procedures of the firm by staff, can contribute to failure. Second, the dynamic nature of systematic risks related to the economic forces makes them inevitable in a business context. Third, flaws in risk management processes may accumulate over time and cause governance failure. In this view, there is a need to perform a regular review of an organisation’s risk management framework to recognise and address possible deficiencies on time.
Project failure – INP2
Project failure is the second new cluster created from five items (IN1, IN2, IN4, IN6, and IN10). It captures the adverse events occurring in organisations that impact negatively on projects. This cluster accounts for 18.30% of the variance in the occurrence of negative events. Project implementation often comes with the pressure to stay on budget and deliver within the expected timelines. From the questionnaire, delays in schedules, cost overrun, project failure history, unresolved disputes, and opportunity costs related to implementing wrong projects are the key factors contributing to failed projects. As Cagliano, Grimaldi, and Rafele (2015) note, the movement between project phases comes with a certain level of uncertainty. Therefore, the risk management approach should be flexible to accommodate unique threats inherent in each stage. In addition, the techniques selected must support corporate maturity towards the various threats that evolve during the project lifecycle.
Errors committed by the project manager or teams also contribute to project failure. Fedun (2013) states that individual or corporate “risk attitude, risk culture, and risk appetite” influence staff perception of risks and opportunities (p. 233). The management’s position on acceptable risks would depend on the organisation’s perception of threats. Thus, a poor risk attitude could adversely affect project objectives. In addition, the way people perceive or interpret risk determines how they will manage potential project risks. In essence, the factors identified in the questionnaire – schedule delays, cost overruns, failure history, etc. – reflect the risk culture of the organisation. The prevalent attitudes and values about threats would determine how managers and staff perceive and respond to risks. Additionally, the risk appetite would depend on how risk-taking behaviour is rewarded in the organization (Fedun 2013). Thus, project failure can be avoided by inculcating the right risk attitudes, culture, and appetite.
Factor Analysis for Internal Audit Function
|Table 9.10a: Total variance explained for the internal audit function|
The extracted factors, 1, 2, and 3, have eigenvalues of 3.301, 3.065, and 1.623, which explained 30.00%, 57.87%, and 14.76% of the variation in the internal audit function. The scree plot indicates that five items in the scale are significant in explaining the variation in the internal audit function.
The pattern matrix illustrates that four items, IAF1, IAF2, IAF3, and IAF4, loaded onto the first latent cluster with the highest eigenvalue being 0.966. Another four items, IAF5, IAF8, IAF10, and IAF11, loaded onto the second latent cluster with the highest eigenvalue being 0.964. Two factors, IAF7 and IAF6, loaded onto the third latent cluster with eigenvalues of 0.954 and 0.551 respectively.
|Table 9.10c: Pattern matrix for the internal audit function with new codes|
In Table 9.10c:
- Four items, IAF1, IAF2, IAF3, and IAF4, loaded onto the first latent cluster and have a superb reliability, for they have Cronbach’s alpha of 0.901.
- Four items, IAF8, IAF9, IAF10, and IAF11, loaded onto the second latent cluster with an excellent reliability index of 0.935.
- Two items, IAF7 and IAF6, loaded onto the third latent cluster with an excellent reliability index of 0.905.
In recap, factor analysis created three new latent variables, IAFR1, IAFR2, and IAFR3, from 11 items in the scale. The four items, IAF1, IAF2, IAF3, and IAF4, formed IAFR1 as a new latent code, whereas the other four items, IAF8, IAF9, IAF10, and IAF11, created IAFR2 as a new latent code. The two variables, IAF6 and IAF7, created IAFR3 as a new latent code.
The interpretation of the (3) new latent clusters is provided below:
Role of Internal Audit – IAFR1
This new cluster is derived from four items, that is, IAF1, IAF2, IAF3, and IAF4, of the internal audit function. It constitutes a fundamental aggregate component predicting the significance of auditing in risk management in organisations. The role of internal audit accounts for 30.01% of the variance as determined through factor analysis. In most firms, board directions on risk management are delivered via the audit committee – the unit around which all audit activities coalesce. Ravindran et al. (2015) outline three functions of internal auditing in risk management: assurance, consultative, and facilitative roles. This activity entails a systematic assessment and response to risk control issues to strengthen the risk governance process. It incorporates accounting controls that support financial reporting and accountability (Ravindran et al. 2015).
The roles investigated through the questionnaire are consistent with the tasks of internal auditing identified in the literature. The main purpose of this department is to give objective assurance to the board regarding the efficiency of the risk governance process, that is, that risks are well managed and internal controls are working (Florea & Florea 2016). Internal auditing can also act as a catalyst for the creation of a formal risk management program. The internal auditor, given his/her knowledge of risks, can champion enhanced ERM capabilities in the firm. Thus, he/she can give advice and consultancy services that can bolster the company’s risk management and control procedures (Florea & Florea 2016). However, resource availability and the level of risk maturity in the enterprise may limit the consulting role. Another critical obligation of internal auditors is facilitation. This role entails giving technical expertise, coordinating projects, and providing documentation controls to facilitate risk management.
Auditing of Risk Governance Function – IAFR2
This second cluster is created from five items, namely, IAF8, IAF9, IAF10, and IAF11. Auditing of the risk governance function can reliably predict audit functions involved in the management of risks in organisations. This cluster explains 27.86% of the variance obtained through factor analysis. The internal auditing function is primarily an assurance provider. Its independence and objectivity are ensured when it is not involved in the risk management process (Ravindran et al. 2015). However, from a business point of view, this unit may be integrated into formal risk management. Internal auditors may participate in setting the organisation’s risk appetite, developing the risk management policy and strategy, and implementing risk responses on behalf of the management. Therefore, linking internal auditing to risk management may create additional value for the organisation if there are adequate safeguards in place to preserve the objectivity of this function.
The auditing of risk governance activities requires collaborative practices to realize greater value for the firm. It entails tying audit plans to ERM to facilitate information sharing and avoid role duplication (Ravindran et al. 2015). Thus, the internal auditor, risk committee, and the team involved in the management of strategic risks and controls should collaborate in auditing the risk management framework. As Moon (2016) observes, in the current business environment, internal auditing primarily provides assurance that strengthens corporate governance. This function not only augments accounting management, but also assures the ERM process and supports the assessment of enterprise operations (Moon 2016). Therefore, internal auditing is a powerful tool for strengthening an organisation’s control environment and aligning audit objectives with risk management goals.
Provision of Audit Reports – IAFR3
This cluster is formed from two items, IAF6 and IAF7, that assess the internal audit function’s role in overseeing risk management. This cluster accounts for 14.76% of the explained variance in this factor. The findings of this research are consistent with those of other studies on this subject. Audit reports give information about risks for which assurance and consultancy were given through the auditing of the risk governance procedures and responses (Benli & Celayir 2014). Reporting also gives details of the effects of resource constraints and the uncovered risks. The questionnaire focused on the assurance function of auditing, such as audit reports on the management of key risks and the entity-wide risk management process. Reporting is required to reinforce the board’s ownership of risk governance. Audit findings help elicit a discussion on how management can assume responsibility for all threats included in the risk register (Pritchard 2015). Therefore, internal auditors would need to develop and deliver regular reports to the audit committee during a project lifecycle.
The findings may influence the conclusions on ERM efficacy and capacity to meet the organisation’s strategic objectives. The report should provide an opinion on the effectiveness of the current risk management process in the context of the firm’s strategic objectives. Ruse, Susmanschi, and Daneci-Patrau (2014) write that a continuous risk monitoring and assessment (CRMA) approach to auditing allows internal auditors to report to the audit committee and the management on enterprise-wide risks, which enables the prioritization of risk responses. In addition, significant business risks are identified in audit reports to support board decisions and remedial actions. The CRMA approach allows the management to understand and respond to the firm’s dynamic risks and determine the efficacy of the RM controls.
Preliminary analysis of the 10 scales in the questionnaire, namely, S, RAI, RMG, RRD, RC, RCU, RA, RG, IN, and IAF, shows that they have adequate samples, as the KMO statistics are greater than 0.8 and Bartlett’s test is significant (p = 0.000), showing dissimilarity with the identity matrix. Factor analysis of RRD (10 items), RC (12 items), RG (28 items), and IAF (11 items) extracted three latent clusters from each scale, which created three new latent variables with a high level of internal consistency. Comparatively, factor analysis of S (9 items), RAI (10 items), RCU (8 items), RA (9 items), and IN (10 items) extracted three latent clusters from each scale, but it created two new latent codes for each. Factor analysis of RMG (19 items) extracted two latent clusters and used them in creating two new latent codes.
References
Arras, M 2016, Corporate risk management in emerging markets, GRIN Publishing, Munich, Germany.
Arvai, J 2014, ‘The end of risk communication as we know it’, Journal of Risk Research, vol. 17, no. 10, pp. 1245-1249.
Aven, T 2016, ‘Risk assessment and risk management: review of recent advances on their foundation’, European Journal of Operational Research, vol. 253, no. 1, pp. 1-13.
Baldan, C, Geretto, E & Zen, F 2016, ‘A quantitative model to articulate the banking risk appetite framework’, Journal of Risk Management in Financial Institutions, vol. 9, no. 2, pp. 175-196.
Benli, F & Celayir, D 2014, ‘Risk based internal auditing and risk assessment process’, European Journal of Accounting, Auditing and Finance Research, vol. 2, no. 7, pp. 1-16.
Bergstrom, J & Frykmer, T 2016, ‘A complexity framework for studying disaster response management’, Journal of Contingencies and Crisis Management, vol. 24, no. 3, pp. 124-135.
Bernklau, P 2016, The possible impacts of a crisis on a company’s risk management and performance: a case study of BP plc and its Deepwater Horizon disaster, GRIN Verlag, Munich, Germany.
Boubaker, S, Buchanan, B & Nguyen, K 2016, Risk management in emerging markets: issues, framework, and modeling, Emerald Publishing Limited, Bingley, England.
Brustbauer, J 2016, ‘Enterprise risk management in SMEs: towards a structural model’, The International Small Business Journal, vol. 34, no. 1, pp. 70-85.
Bumgarner, N & Vasarhelyi, M 2014, ‘Continuous auditing: a new view’, in American Institute of Certified Public Accountants (ed), Audit analytics and continuous audit: looking toward the future, American Institute of Certified Public Accountants, New York, NY, pp. 3-39.
Cagliano, AC, Grimaldi, S & Rafele, C 2015, ‘Choosing project risk management techniques: a theoretical framework’, Journal of Risk Research, vol. 18, no. 2, pp. 232-248.
Chapman, R 2014, The rules of project risk management: implementation guidelines for major projects, Ashgate Publishing, New York, NY.
Cooper, D, Bosnich, M, Grey, J, Purdy, G, Raymond, A, Walker, R & Wood, M 2014, Project risk management guidelines: managing risk with ISO 31000 and IEC 62198, 2nd edn, Cengage Learning, New York, NY.
Davis, A 2017, ‘Managerialism and the risky business of quality assurance in universities’, Quality Assurance in Education, vol. 25, no. 3, pp. 317-328.
Denis, D 2016, Applied univariate, bivariate, and multivariate statistics, Wiley, Hoboken, NJ.
Elliott, C & Woodward, A 2015, IBM SPSS by example: a practical guide to statistical data, SAGE Publications, Thousand Oaks, CA.
Eriksson, L 2016, ‘Components and drivers of long-term risk communication: exploring the within-communicator, relational, and content dimensions in the Swedish forest context’, Organisation & Environment, vol. 30, no. 2, pp. 162-179.
Escuder-Bueno, I & Halpin, E 2016, ‘Overcoming failure in infrastructure risk governance implementation: large dams journey’, Journal of Risk Research, vol. 1, no. 1, pp. 1-18.
Fadun, OS 2013, ‘Risk management and risk management failure: lessons for business enterprises’, International Journal of Academic Research in Business and Social Sciences, vol. 3, no. 2, pp. 225-239.
Field, A 2014, Discovering statistics using IBM SPSS statistics, 4th edn, SAGE Publications, Los Angeles, CA.
Florea, R & Florea, R 2016, ‘Internal audit and risk management: ISO 31000 and ERM approaches’, Economy Transdisciplinarity Cognition, vol. 19, no. 1, pp. 72-77.
Frigo, L 2018, Strategic risk management: the new core competency, Wiley, Hoboken, NJ.
Haji, A & Anifowose, M 2016, ‘Audit committee and integrated reporting practice: does internal assurance matter?’, Managerial Auditing Journal, vol. 31, no. 9, pp. 915-948.
Higgins, A, Doyle, L, Morrisey, J, Downes, C, Gill, A & Bailey, S 2016, ‘Documentary analysis of risk-assessment and safety-planning policies and tools in a mental health context’, International Journal of Mental Nursing, vol. 24, no. 4, pp. 385-395.
Jackson, J 2015, Research methods and statistics: a critical thinking approach, 5th edn, Cengage Learning, Belmont, CA.
Kaplan, R & Mikes, A 2016, ‘Risk management: the revealing hand’, Journal of Applied Corporate Finance, vol. 28, no. 1, pp. 8-18.
Khameneh, A, Taheri, A & Erhadi, M 2016, ‘Offering a framework for evaluating the performance of project risk management system’, Procedia-Social and Behavioural, vol. 226, no. 1, pp. 82-90.
Lechner, C & Gudmundsson, V 2014, ‘Entrepreneurial orientation, firm strategy and small firm performance’, International Small Business Journal, vol. 32, no. 1, pp. 36-60.
Lyons, S 2015, ‘Enterprise risk management and the five lines of corporate defence’, The Journal of Enterprise Risk Management, vol. 1, no. 1, pp. 1-26.
McCormick, K, Salcedo, J, Peck, J, Wheeler, A & Verlen, J 2017, SPSS statistics for data analysis and visualisation, Wiley, Indianapolis, IN.
Moon, D 2016, ‘Continuous risk monitoring and assessment: CRMA’, PhD thesis, Rutgers, The State University of New Jersey, New Jersey.
Nahar, S, Jubb, C & Azim, M 2016, ‘Risk governance and performance: a developing country perspective’, Managerial Auditing Journal, vol. 31, no. 3, pp. 250-268.
Pallant, J 2016, SPSS survival manual: a step-by-step guide to data analysis using IBM SPSS, Allen & Unwin, Sydney.
Pritchard, L 2015, Risk management: concepts and guidance, 5th edn, CRC Press, Boca Raton, FL.
Ravindran, V, Ahmad, HI, Mohapatra, P & Choksy, S 2015, A UAE perspective on non-financial institutions, UAE Internal Audit Association, Dubai.
Raydugin, Y 2016, Handbook of research on leveraging risk and uncertainties for effective project management, IGI Global, Hershey, PA.
Ring, P, Bryce, C, McKinney, R & Webb, R 2014, ‘Taking notice of risk culture: the regulator’s approach’, Journal of Risk Research, vol. 19, no. 3, pp. 364-387.
Ruse, E, Susmanschi, G & Daneci-Patrau, D 2014, ‘Internal audit and risk management’, Practical Application Science, vol. 2, no. 1, pp. 525-531.
Scott, Z, Wooster, K, Few, R, Thomson, A & Tarazona, M 2016, ‘Monitoring and evaluating disaster risk management capacity’, Disaster Prevention and Management, vol. 25, no. 3, pp. 412-422.
Sheedy, R & Griffin, B 2017, ‘Risk governance, structures, culture, and behaviour: a view from the inside’, Corporate Governance: An International Review, vol. 26, no. 1, pp. 4-22.
Smith, B 2016, The art of integrating strategic planning, process metrics, risk mitigation, and auditing, ASQ Quality Press, Milwaukee, WI.
Stein, V & Wiedemann, A 2016, ‘Risk governance: conceptualization, tasks, and research agenda’, Journal of Business Economics, vol. 86, no. 8, pp. 813-836.
Stulz, R 2016, ‘Risk management, governance, culture, and risk taking in banks’, Economic Policy Review, vol. 1, no. 1, pp. 43-60.
Vecchiato, R 2015, ‘Strategic planning and organizational flexibility in turbulent environments’, Foresight, vol. 17, no. 3, pp. 257-273.
Viscelli, T, Beasley, M & Hermanson, D 2016, ‘Research insights about risk governance: implications from a review of ERM research’, SAGE Open, vol. 4, no. 6, pp. 1-17.
Xu, J & Berry-Stolzle, T 2018, ‘Enterprise risk management and the cost of capital’, The Journal of Risk and Insurance, vol. 85, no. 1, pp. 159-201.