Descriptive Method
The findings highlighted in this chapter were generated after analyzing the views of the research participants using the SPSS technique. This software package offers researchers different types of data analysis frameworks, such as bivariate statistics, prediction of numerical outcomes, group identification, geospatial analysis, GUI (R extension), and descriptive statistics, to analyze data. The researcher used the descriptive method to perform an independent analysis of the research variables to understand how they influenced the risk governance framework of the organization. This method only highlights the basic features of the data set. Based on the descriptive nature of the data collection method, the findings presented in this research will be simple summaries of the respondent’s views. The goal of employing this data analysis technique is to assess the quantitative descriptions of the research variables in a manageable way.
The researcher collected the information that was subject to review using the survey method. The review focused on 148 variables, including control variables such as job level, experience, education, age, gender, and nationality. The respondents gave their views using a questionnaire as the main data collection instrument. The survey had four main sections. The first one sought to find out the respondents’ opinions about the determinants of the risk governance framework. The second part of the analysis included a survey of the research participants’ views about the influence of risk-based audit processes on the success of organizational projects, while the third part of the investigation sought to find out the impact of negative events on project success. The last part of the analysis involved an examination of internal audit functions in risk management. The first determinant analyzed in this paper, in terms of its ability to influence risk governance, was the strategy. The findings appear below.
Strategy (S)
“Strategy” was the first determinant examined in relation to how it influenced the risk governance framework. During the investigation, the researcher asked the respondents to state whether their organizations had a process to align risks with objectives, an identification process for potential risks, a process for alignment of risk profile with business and capital management plans, and a procedure for integrating the risk management into the organization’s strategic decision-making plan. Additionally, the research participants had to give their views regarding the existence of a risk oversight body, a mechanism for understanding and enforcement of risk practices, a process for compliance with regulatory requirements, an internal audit process to implement a formal risk management program, and a financial crisis impact drive to implement risk management programs in their organizations.
A majority of the respondents sampled said that “strategy” was “likely” a key part of their organizations’ risk management processes. The mean percentage of respondents who held this view was 37%. A significant number of respondents also held “neutral” views about the likelihood of the above strategy existing in their organizations’ processes. Broadly, this group of respondents amounted to 26% of the total sample. Comparatively, a significant percentage of respondents said “strategy” “unlikely” existed in their organizations or “very likely” existed in their workplaces. The mean percentage of respondents who held these views was 16% and 18%, respectively. Generally, a majority of the respondents said that the variables associated with strategy likely existed in their workplaces.
Risk Appraisal and Insight (RAI)
The second determinant analyzed in the survey was risk appraisal and insight. The researcher analyzed ten variables in this investigation. The first five involved an analysis of whether organizations had risk identification mechanisms, mechanisms for risk repository, qualitative risk assessment criteria, quantitative risk assessment criteria, and mixed risk assessment criteria (both qualitative and quantitative). The presence of a mechanism for updating risk assessment frameworks, a process for regular quantification and aggregation of risks, guidelines for prioritization of risk management and control, a control framework calibrated in line with risk appetite, and the existence of guidelines for quantified tolerance for loss or negative events were the last five variables investigated. Most of the respondents sampled said that these risk appraisal and insight techniques existed in their organizations. For example, the least percentage of respondents who said these variables likely existed in their organizations was 46% and they were referring to the existence of guidelines for quantified tolerance for loss or negative events. The rest of the variables had higher percentages of respondents who believed that the risk appraisal methods queried existed in their organizations. Coupled with the number of respondents who said that these methods “very likely” existed in their organizations, it is safe to conclude that a majority of the participants sampled believed that the aforementioned variables of risk appraisal and insight existed in their organizations.
Risk Decision and Process Implementation (RD)
The third determinant affecting risk governance that the researcher investigated in the study was the risk decision and process implementation. This determinant of risk performance had four variables. They included the presence of a procedure for grounding of risk in all business decisions, the existence of a mechanism for embedding risk optimization in strategic decisions, the presence of procedures for executing core business processes and operations based on risk consideration, and the existence of a simple risk model as support business tools for decision-making. Most of the respondents sampled said that decision and process implementation tools “likely” existed in their organizations. Those who were “neutral” about the existence of the same tools formed the second-biggest percentage of respondents, followed by those who thought these systems were “unlikely” to exist in their organizations. The least percentage of respondents said it was “very unlikely” that the risk decision and process implementation procedures existed in their organization. The mean percentage of those who thought this way was 6%. The average percentage of respondents who said such procedures “likely” existed in their organizations (the majority group) was 34%. Based on an evaluation of these percentages, it is correct to conclude that a majority of the respondents said the highlighted risk decision and process implementation processes existed in their organizations.
Risk Management and Governance (RMG)
The existence of risk management and governance processes in organizations was the fourth determinant of risk governance investigated in the research. Cumulatively, there were 19 variables associated with this determinant. The first four included the existence of risk management policies and procedures, the presence of support and sponsorship of the risk management process by the board and executive, and the existence of regulatory requirements to adopt risk management practices. Other variables investigated included the existence of a CRO position in their organizations, the presence of a formalized approach to address risks, the availability of guidelines to define the roles and responsibilities of risk staff, the availability of a risk communication mechanism, the existence of a whistle-blowing mechanism and the existence of ethics and code of conduct policies. Other variables analyzed included the existence of guidelines for internal audit, the existence of a risk function, the availability of risk treatment plans, the presence of a process for risk identification, the presence of a process for identifying and monitoring key risk indicators, and the availability of a regular risk communication framework supported by the board and senior management. The existence of a formal risk oversight authority, guidelines for risk internal control, guidelines for the definition of risk accountability and ownership, and procedures for fraud risk assessment were the last variables analyzed in this segment of the analysis.
A general overview of the respondents’ views on this determinant showed that a majority of them believed that risk decisions and process implementation processes “likely” existed in their organizations. The average percentage of respondents who supported this view was 34%. The lowest number of respondents sampled said it was “very unlikely” that risk decision and process implementation processes existed in their organizations. An average of 20% of the respondents held “neutral” views about this subject, while a mean percentage of 16% of the respondents said that such processes “very likely” existed in their organizations. Therefore, a comprehensive review of the findings shows that a majority of the respondents believed that risk decision and process implementation processes existed in their workplaces.
Review Risk Development and Decision (RRD)
Another determinant investigated in the research involved a review of risk development and decision processes in organizations. The variables investigated involved an evaluation of whether the respondents believed their organizations had an internal audit assurance framework for risk management, a process for the ongoing update of risk assessment, a mechanism for independent assurance by a third party, guidelines for board/audit committee oversight processes, and a process for monitoring and reviewing the risk management framework. The respondents were are also asked to state if they believed their organizations had guidelines for revision and reconstruction of risk management, a framework for periodic reporting on risk, a process for escalating and notifying risks to the relevant authority, a process for management and monitoring of risk exposures, and a documentation process supporting the same. A majority of the respondents (45.9%) said their organizations had a documentation process. However, an analysis of the general opinions of the participants reveals that most of them believed their organizations “likely” practiced periodic reviews of risk development and included them in their decision-making processes. Only an average of 7% of the respondents believed that it was “very unlikely” that such processes did not exist in their organizations. This percentage shows that most organizations review their risk development processes and reflect the same findings in their decision-making processes.
Risk Communication (RC)
In the questionnaire, the researcher also analyzed risk communication as a determinant of risk governance. Relative to this investigation, a majority of the respondents said their organizations had a risk communication framework. In fact, most of them said their workplaces had guidelines outlining how to coordinate risk management activities as well as provisions for appointing risk champions from business units. In both of these variables, a mean percentage of 39.5 of the respondents said the processes “likely” existed in their organizations. No other variable attracted a similar percentage of views. This response rate referred to the perception of the research participants about 12 variables highlighted in the study. The variables explored the possibility of an existence of a process for risk communication, a process for promoting transparency in the organization, guidelines for coordinating risk management activities, rules for appointing risk champions from the business unit, a risk awareness initiative, and procedures for internal communication of amount, and type of risk to accept and manage. The researchers were also asked to state whether their organizations had processes for external communication to promote transparency and accountability, guidelines for monitoring and reporting of performance against risks, a risk register, a risk heat map (or dashboard indicating risk portfolio), key risk indicators report and an aggregated quantitative risk exposure report. Broadly, a majority of the respondents said these risk communication covariates “likely” existed in their organizations.
Risk Culture (RCU)
Risk culture was also investigated as another key determinant of risk governance. The respondents were asked to state whether their organizations had set guidelines for promoting accountability, a risk awareness program, guidelines for internal audit, procedures for risk management training, a process for risk culture audit, a program for talent development, a framework for fostering risk understanding, and formal training processes for risk awareness and fraud. The biggest percentage of the respondents acknowledged the presence of guidelines for promoting sustainability. The mean percentage of those who felt this way was 37.7%. No other variable had such a high approval rate. Most of the respondents also acknowledged some type of risk culture in their organizations, because a majority of them said the variables highlighted above “likely” existed in their workplaces. An average of 13% of the respondents had a strong conviction that a risk culture existed in their organizations because they said most of the variables highlighted in the organization “very likely” existed in their workplaces. Therefore, it is possible to deduce the fact that a majority of the respondents either believed a risk culture “likely” or “very likely” existed in their organizations. Nonetheless, the percentage of respondents who said the processes “likely” existed was larger.
Financial and Technical Capacity (F)
The researcher also sampled the respondents’ views regarding the financial and technical capacity of their organizations. Five variables were analyzed to explore how this determinant influenced risk governance. They included an evaluation of the presence of a mechanism for allocating adequate capital to manage risk, a framework for acquiring skills and management capability, the existence of human skills, financial resources, and risk technology. A majority of the respondents sampled acknowledged the existence of a strong financial and technical capacity in their organizations. Within the majority, most of them said their organizations had adequate human skills. The least number of respondents sampled said it was “very unlikely” that their organizations had a strong financial and technical capacity. A mean of 15% of the respondents also answered in the affirmative because they said their organizations “very likely” had the financial and technical strategies discussed.
Risk Appetite (RA)
Another determinant investigated in the study was risk appetite. The respondents were asked to state whether different variables associated with the risk appetite were present in their organizations. The variables analyzed sought to establish whether a risk appetite framework, a risk appetite statement, an understanding of the current risk capacity, a periodic review of risk appetite limit, frequent reviews of risk appetite, and asynchrony of the risk appetite between the management board existed in the respondents’ organizations. The investigation also spread out further to establish whether organizational functions, a framework for communicating risk appetite tolerance, a reporting process that indicates when risk thresholds are reached, and a framework for integrating risk management into the organization’s performance framework also existed in their workplaces.
Most of the respondents sampled said that their organizations frequently changed their risk appetites depending on changes in organizational processes. Nonetheless, broadly, a majority of them said most of the risk appetite processes mentioned in the paper existed in their organizations. Averagely, 33% of the respondents felt this way. A significant percentage of the respondents (25%) also held “neutral” views about the existence of such risk appetite processes in their organizations. The least percentage of respondents said it was “very likely” that their organizations had the specific risk appetite processes questioned in their organizations. This finding was different from most of the other determinants investigated in this paper because the least percentage of respondents so far sampled believed the risk determinants “very unlikely” existed in their organizations. However, in this determinant, the least percentage of respondents were in the category of respondents who said it “very likely” existed in their organizations.
Ownership
When the respondents were asked to give their views about the presence of risk ownership processes in their organizations, a majority of them said such ownership processes “likely” existed in their organizations. This finding was similar to other responses given in this study when investigating the presence of other risk determinants because those who said they “likely” existed in the organization where the majority (again). The mean percentage of respondents who held the same view about the risk ownership process was 37%. The least percentage of respondents sampled said the risk ownership processes questioned “very unlikely” existed in their organizations. This finding means that most of the organizations where the respondents came from “likely” had a risk ownership process. Nonetheless, an interesting finding seen from this analysis is the high number of respondents who were almost evenly spread across all the response options when answering about the existence of a third-party service provider for risk management activities. In other words, the number of participants who said this variable “existed” and “did not exist” in their organizations was almost equal. Generally, compared to other determinants sampled in the study, the risk ownership determinant had the highest distribution of responses.
Risk Governance and Project Success
The second part of the investigation (Part B) involved an analysis of the contribution of risk audit processes to the realization of organizational project objectives. The respondents were asked to give their views regarding different aspects of this risk determinant. Comprehensively, they gave their views about how risk audit processes influenced their organizations’ strategic objectives, project time and budget, understanding of key risks, identification of project risks, reporting of risk patterns, risk-sharing across multiple departments, redirection of management’s focus on the important issues, led to fewer surprises and risk crises, and led to the efficiency of their organizations. Coupled with other variables, the research participants collectively responded to 28 variables.
The biggest percentage of respondents sampled said it was “likely” that risk-based audit processes contributed to their organization’s project objectives. The mean percentage of respondents who answered this way was 43%. Within this majority, there was a greater consensus among the respondents that the risk audit process led to an improved ability to execute operational plans. About 52% of the respondents (within the majority group) felt this way. The percentage of respondents who held neutral views about the influence of the risk determinant on the realization of their operational goals was almost equal to the percentage of respondents who said it was “very likely” the audit process helped in the realization of their organizational strategic objectives. The difference in mean percentage between both sets of respondents was 2%. Nonetheless, comprehensively, this determinant (audit process) also followed the same pattern of responses as that observed in other determinants of risk governance because the biggest percentage of respondents fell in the “likely” group (similar to how they responded to the other determinants).
Impact of Negative Events
The third part of the questionnaire sought to understand the respondents’ views about the impact of varied negative events on their organizations. Several adverse events were investigated. They included an experience of schedule delays, an experience of cost over-runs, a lack of control over project phases, an experience of project failure, an inability of the governance model to manage key projects, and the experience of unresolved issues and disputes. The lack of independent monitoring and progress, the failure to report to the management board and executives, the failure of an organization to achieve business objectives, and the lost opportunity cost of doing the wrong project are other variables investigated in the study. The biggest group of respondents sampled said the variables were “unlikely” to affect their organizations. The mean percentage of respondents who held this view was 32%. The second-largest group of respondents said the variables sampled “likely” affected their organizations. The mean percentage was 27. The third-largest group of respondents held “neutral” views about the research statements and their mean percentage was 26. Those who held extreme views about the research issue (“very likely” and “very unlikely”) formed the smallest percentage of respondents.
Internal Audit Functions (IAF)
The fourth part of the survey sought to find out the respondents’ views about the role of internal audit functions in their organizations. In line with this subject matter, they were asked to rate how specific aspects of their internal audit functions influenced their risk management processes. The internal audit functions investigated included the provision of independent assessments on risk management processes, the establishment of a formal risk management program, support for the implementation of a risk management program, and the provision of consultancy and advice on risk management processes. The interference of internal audit processes on risk management processes, assurance of how risk management processes will be handled, the provision of assurance through written audit reports about the entity-wide risk management process, and participation in setting the organization’s risk appetite, are other variables that were also investigated in this section.
The largest group of respondents sampled said that the internal audit functions mentioned above were “important” to their risk management functions. About 36% of the respondents felt this way. The second-largest group of research participants said that the internal audit processes were “very important” to their risk management processes. The mean percentage of respondents who thought this way was 34. The lowest percentage of respondents said the internal audit process was “very unimportant” to their organizations. This percentage of respondents was the lowest in the study (4%). Furthermore, in two variables sampled, none of the respondents said that internal audit processes were “unimportant” to their risk management process. The two variables were the provision of consultancy and risk advice practices and the provision of assurances through written reports covering how key risks are managed. Generally, a majority of the respondents sampled said that the internal audit process was instrumental in the proper functioning of their risk management processes.
Reliability Analysis
The researcher used Cronbach alpha to measure the internal consistency of the variables and to conduct a reliability test. This technique was used in the study as the most convenient way of assessing the relationship between the coded variables. Here, it is important to point out that the measure of internal consistency was not merely done through a simple reliability test; the researcher measured the validity of the scales used using two techniques. The first one involved a substantive assessment of specific measures to establish their levels of accuracy and the second one involved the application of theoretical knowledge to determine the factuality of the information collected.
Table 1 below assesses the Cronbach alpha associated with each of the determinants of risk governance measured.
Table 1: Cronbach Alpha
As seen in the table above, all the variables highlighted are within acceptable limits and align with the study requirements. Indeed, most of them had Cronbach alpha indices that were closer to 1 as opposed to 0. Since the variables had high coefficients, it is correct to deduce that the items analyzed had shared covariance. From the same statistic, it could also be deduced that they were all measuring the same research issue. This statement stems from the fact that the general rule of thumb in analyzing the reliability of SPSS data states that the Cronbach alpha should be higher than 0.8. Conversely, many analysts consider scales that have less than 0.5 Cronbach alpha to be unacceptable. Based on the above findings, it is important to point out that all the values highlighted above showed relatively similar levels of co-efficiency.
Risk governance and project success emerged as having the highest Cronbach value of 0.986. This number means that it had the highest internal consistency out of all the variables sampled in the study. “Risk appetite” had the second-highest Cronbach alpha of 0.978, meaning that it had the second-highest internal consistency, followed by risk management and governance, risk appraisal and insight, risk development and decision, strategy, risk culture, risk decision, and process implementation, ownership, the impact of negative events, and financial and technical capacity, in that order. Collectively, the items complete a list of variables with an internal consistency higher than 0.9. Comparatively, the internal audit function had the lowest internal consistency of 0.834. This finding could mean that most of the respondents did not understand its role in the risk governance processes or their organizations, relative to how they comprehended the other variables investigated.
Lastly, since all the determinants of risk governance highlighted above have high internal consistency, it is correct to assume that there was no distortion of the measurement process and that there were consistent outcomes. However, this finding does not imply the lack of systematic errors in the study because the Cronbach alpha mostly focuses on the internal consistency of the variables and not necessarily on guaranteeing the non-existence of errors.
Summary
In this chapter, the findings of the survey are presented through a holistic assessment of 13 key determinants of risk governance. They included strategy, risk appraisal and insight, risk decision and process implementation, risk management, and governance, review risk development and decision, risk communication, risk culture, financial and technical capacity, risk appetite, ownership, risk governance and project success, the impact of negative events, and internal audit function. In all these 13 determinants of risk governance, the largest percentage of respondents said these covariates “likely” existed in their organizations or influenced their risk management processes. This finding means that most of the risk determinants were practiced in the respondents’ organizations and they influenced their risk management guidelines. However, an interesting finding that emerged in this study is the similarly high number of respondents who held “neutral” views about the research questions asked. In other words, they did not know whether the variables influenced their organizations’ risk management plans or were practiced in their workplaces in the first place. This large percentage of respondents who held “neutral” views about the issues investigated could have arisen because of their unfamiliarity with some aspects of their organizations’ risk management process.
Lastly, the findings deduced from this report are reliable because the items investigated have a high internal consistency. Evidence of this fact emerged from the reliability analysis report undertaken in this chapter, which showed that 12 variables had a Cronbach that was higher than 0.9. Conversely, only one variable had a Cronbach of less than this figure (0.8). Since all the indices are within acceptable limits, it is correct to assume that the research findings had a strong level of reliability. Therefore, all the variables highlighted are within acceptable limits and align with the study requirements. More importantly, most of them had Cronbach alpha indices that were closer to 1 as opposed to 0. Since these numbers are high coefficients, it is correct to assume that the items analyzed had shared covariance. From the same view, one could also assume that they were all measuring the same research issue. As highlighted in this chapter, these assumptions stem from the fact that the general principle in analyzing the reliability of SPSS data states that the Cronbach alpha should be higher than 0.8. Thus, if the research process had produced Cronbach alpha numbers of less than 0.5, they would be unacceptable. Based on the above findings, presumably, all the items sampled had similar levels of co-efficiency.