Critical Success Factors for Dynamic Enterprise Risk Management in Responsive Organisations: A Factor Analysis Approach

Globalisation and technology advancements have disrupted the organisational landscape and, with the proliferation of new technology, risk management is fundamental to transforming the business, especially considering the dynamic nature of the digital society organisations now exist in. However, the challenge faced by the enterprise risk management (ERM) function operating in such a dynamic and transformative environment is the capability to continuously innovate, evolve and transform its risk management processes to meet the needs of the organisation. Questionnaire survey research examined the relative importance of 18 critical success factors for dynamic ERM. Factor analysis revealed that the appropriate groupings of the 18 critical success factors (CSFs) are ERM charter, ERM processes, and ERM business alignment. These findings should empower organisations to identify risk management processes influencing agility in the risk management practice applied.


Introduction
Globalisation and technology advancements have disrupted the organisational landscape. In a time of extraordinary economy and market disturbances, as well as changing market conditions, organisations are faced with the challenge of being competitive and having to meet customer requirements [1]. Organisational flexibility is defined in terms of an organisation's response to change, as well as the ability to judge environmental change and respond readily [2]. Therefore, organisations are required to be fast moving, rapidly creating new products through the use of different exponential technologies and methods, while possessing the capabilities to respond to aggressive competitors, quickly navigate volatile markets and successfully penetrate new markets [3]. The ability of an organisation to be responsive to changing conditions requires that it addresses ambiguity which may be generated through innovative initiatives and market change [4]. The reliance on risk management practices to aid in these decision-making processes and in addressing ambiguity is therefore vital, taking into account uncertainty and its effect on achieving the organisation's objectives [5].
Although attempts have been made to solve this more dynamic risk management capability problem by suggesting the integration of the risk management processes with the agile development processes, the proposed integration model lacked guidelines on how to actually conduct risk management in a dynamic and responsive environment [6]. Therefore, in order to guide such responsive organisations towards more dynamic risk management, this research study considers the following research question: what is the relative importance of critical success factors that will enable dynamic ERM in responsive organisations? We will reflect on this research question by considering ERM in general, the nature of responsive organisations and the role of CSFs towards more dynamic risk management.
The remainder of the paper is structured as follows: in section 2 we provide the background to the study, presenting an overview of risk management, as well as risk management principles, processes and models. The approach to this study is discussed in section 3, whereafter we provide an overview of quantitative findings in section 4. In section 5 we present the CSFs for dynamic risk management in responsive organisations and conclude in section 6.

Background
In a progressively digital world, organisations are faced with challenges to sustain or establish a competitive advantage in the market and stay ahead of competitors [7], [8]. Responsive organisations are designed, structured and operate differently from traditional organisations. Dynamic, exponential and disruptive thinking have been introduced in these organisational environments with goals of experiencing exponential growth [9]. How an organisation is structured and operates informs the organisation's ERM practices. Therefore, to perform effective risk management, constant alignment should exist between the organisation and the enterprise risk function [3,10], with ERM integrated into the organisation's decision-making processes. As a decision-making tool, ERM should be aligned to the organisation with specific focus on the organisation's processes, in order to assist in the active and effective management of risk across the business [11]. ERM defines a "process that combines the organisation's entire risk management activities in one integrated, holistic framework to achieve a comprehensive corporate perspective" [12: 4, 13].
Several existing ERM frameworks are used by organisations. The Committee of Sponsoring Organisations of the Treadway Commission (COSO) [14] and ISO 31000 [11] are well-known risk frameworks. COSO addresses the need for organisations to improve their approach to managing risk to meet the demands of an evolving business environment. With the adoption of COSO, organisations should be able to understand risk impacting the outcome of the business strategy and objectives. ISO 31000 is currently best practice for risk management frameworks and incorporates best practice from COSO [13]. It provides a generic guideline for risk management, not intending to impose uniformity of risk management practices. ISO 31000 includes a detailed list of the suggested principles for risk management, and has an open system model to fit multiple needs and contexts. Both COSO and ISO consider the important influences that culture and biases carry in decision-making and risk management practices, but no guideline is given on how responsive organisations operating in dynamic and changing environments can implement more dynamic risk management practices [12,13].
Furthermore, adequate risk management capabilities are needed when operating in an environment of uncertainty [9,15]. This is opposed to the current systematic and linear risk management approach applied [16], which is in line with the organisational structure of the traditional organisation, which is linear in nature [17,18]. Responsive attributes will guide organisations towards implementing essential components for managing risk.
In the next sections we present a high level synopsis of ERM and responsive organisations, as well as an overview of CSFs in the context of ERM.

Enterprise Risk Management
Organisations of all forms, types and sizes face a range of risks that can affect the achievement of the organisation's objectives. These organisational objectives can relate to a range of organisational activities, such as operations and processes reflected in terms of strategic, operational, financial and reputational outcomes and impacts [19]. An enterprise-wide approach to risk management draws together these impacts to provide a structured approach to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services [20]. Stakeholders, both external and internal to the organisation, are now much more concerned with risk [20], understanding that adequate risk management capabilities are needed when operating in an environment of uncertainty [15].
Before an organisation selects the most effective strategy or decision, it needs to understand the risks being taken when seeking to achieve objectives and it needs to assess the organisation's exposure, risk profile, financial position and acceptable risk and reward trade-off [13]. Therefore, for ERM to be effective, it must be directly connected to company strategy, and designed to recognise events that could have an impact on organisational performance as defined by its strategic objectives [19]. A successful ERM initiative can affect the likelihood and consequences of risks materializing, as well as deliver benefits related to better informed strategic decisions, successful delivery of change and increased operational efficiency [4,19]. Other benefits include reduced cost of capital, more accurate financial reporting, competitive advantage, improved perception of the organisation, better marketplace presence and enhanced informed decision-making ability [19,21].
As organisations attempt to gain maximum benefit from ERM in the current dynamic organisational environments, we consider the nature of responsive organisations in the next section.

The Nature of Responsive Organisations
The development of new technology influences the design of organisations and their ways of work [22]. For organisations to thrive in an environment of continuous and often unanticipated change, they are required to quickly adapt by reshaping the culture of the organisation, reforming business practices to cater for more collaborative and robust management, provide for the increased use of iterative practices and consider rigorous change management [1,23,24]. The shift in organisational design principles from old to new distinguishes speed, flexibility, integration and innovation as key success factors [22]. Therefore, organisational attributes that provide for flexibility are needed in an environment that is continuously changing [3,25].
To consider the nature of responsive organisations, we reviewed various definitions of responsiveness from the literature in order to identify the essential attributes embedded within those definitions, as shown in Table 1. For each responsive organisation attribute, we provide a brief description, as well as the references for the particular attribute. The purpose of Table 1 is to guide the CSF identification towards responsiveness.

Table 1. Attributes of responsive organisations
Responsive Organisation Attribute and References: Description
Slimmer, flatter and adaptable organisational structure [26,27]: Employing organisational structures that are lean and foster flexibility; an organisation with fewer layers of management (flat) is able to respond more flexibly to business challenges.
Robust learning, knowledge and adaptation processes [26,27]: Ability to integrate working and learning, focus on life-long learning and learn and work effectively both as individuals and in teams.
Disposal of non-core activities [26]: Outsourcing, separation from core business or selling off of non-core activities.
Delegation and decentralisation [26]: Assignment of decision making to the customer interface, with few management layers between customers and decision points, utilising more lateral communication.
Fast moving and nonlinear eco-system [28,29]: Risk management in a dynamic and rapidly growing organisation must be differently defined and executed.
Measurement of output [2,26]: Assessment and remuneration based on output rather than position in the organisation, as well as measurement of organisational agility.
Responsive to various stakeholders [25,30,31,32]: Customising engagement to the individual customer, suppliers and community.
Access to skill [26,30]: Skills capacity planning and acquisition of skills to enable response to diverse customer needs.
Cohesion and high degree of readiness [33,34]: React purposefully and within an appropriate timescale to significant events, opportunities or threats (especially from the external environment) to bring about or maintain competitive advantage; handle disturbances in an organic fashion.
Diversity of employees [26]: Extent to which resources contrast in their competence and attitudes, market value, and their work, life style and learning preferences.
Culture of trust [3,34]: Create a collaborative environment where failure is not feared.

According to Table 1, responsive organisations represent flexible organisational structures with few levels of management that enable clear accountability and decision-making. Responsive organisations operate with a high degree of readiness to purposefully address any business or external environment changes, grounded in a culture of trust. Employees are highly skilled with a strong focus on continuous learning and are assessed on output. These findings are confirmed by the all-encompassing definition presented by Dove [27: 4]: "an effective integration of response ability and knowledge management in order to rapidly, efficiently and accurately adapt to any unexpected (or unpredictable) change in both proactive and reactive business / customer needs and opportunities without compromising with the cost or the quality of the product / process".
For responsive organisations, the challenge now faced by the ERM function is the question of linearity, where risk management processes are planned, and methodically and systematically applied [17]. Risk management agility within organisations is not easily attained due to organisation-wide functions and processes still functioning and operating in a linear manner [17,35]. Traditionally, risk management has always followed a more linear approach to the identification, assessing, managing and monitoring of risks, providing drawn-out projections of emerging risks and tracking current risks within the control environment over a stretched period of time [25]. Therefore, adequate risk management capabilities are needed when operating in an environment of uncertainty and risk management should be the product of both responsiveness and capability [15]. In order to identify CSFs for dynamic ERM in responsive organisations, we consider ERM CSF categories in the next section.

Risk Management Critical Success Factors
CSFs refer to a limited number of characteristics, conditions, or variables that have a direct and significant impact on the effectiveness, efficiency, and viability of an organisation [21]. Activities associated with CSFs must be performed at the highest possible level of excellence to achieve the intended overall objectives [36]. The main principle of ERM is that it delivers value to the organisation [13]. In order for an organisation to understand the characteristics of ERM and what it is to deliver on, ERM practices operate on a set of principles [2]. Such principles define the essential features of ERM, describing what ERM should be in practice, while including information on what ERM should deliver on [13]. Furthermore, such principles point to a systematic process that involves activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting of risk [11,20].

Table 2. Critical success factors for Enterprise Risk Management in Responsive Organisations
By considering the factors identified in the sections above and the literature, we extracted 18 relevant CSFs depicted in Table 2. Key decisions in an organisation are informed by a range of possible outcomes, and these outcomes are rarely binary. The CSFs depicted in Table 2 point to a well-developed capability to identify, measure, manage and monitor risks across the organisation, e.g. adequate internal reporting, risk indicator tracking, timeous communication to and involvement of all stakeholders, as well as a structured approach. Furthermore, the dynamic nature and the ability to adapt to changing risks and varying business cycles are reflected in CSFs such as effectiveness agility, responsive to change and accommodation of a changing organisation. Explicit consideration of risk and risk management are supported by value creation, the identification of new risks using internal and external information and ultimately moving from prevention of risks to exploiting risk. In addition, these CSFs should also accommodate emerging risks and other non-quantifiable risks as a result of extreme internal or external organisational events [21].

Research Approach
Our overall objective in this paper was to provide CSFs for dynamic ERM in responsive organisations. These CSFs empower organisations to identify risk management processes influencing agility in the risk management practice applied. Eighteen CSFs as identified from the literature are given in Table 2. However, it is necessary to investigate these factors with respect to relative importance and underlying groupings: Are these CSFs equally important? Can these CSFs be reduced to fewer essential factors?
In order to answer these questions, we chose quantitative research, namely factor analysis, to determine the underlying patterns amongst these CSFs. We utilised survey research as a research strategy with the selection of a large sample of participants from a pre-determined population of interest [44]. Choosing a survey as the research strategy allowed us to obtain the same kind of data from a large group of people, in a standardised manner [45]. We utilised an on-line questionnaire for data collection, as a questionnaire enabled the collection of a large data set over a short period of time [46]. The attributes of responsive organisations (Table 1) and the CSFs defined (Table 2) were included in the design of the on-line questionnaire. After the online questionnaire was pilot tested to ensure that all items were clear and meaningful, respondents had to provide data on their role and years of experience. They also had to rate the 18 CSF statements using a 5-point Likert rating scale.
Specific criteria and rationale were used in identifying the research participants for the online questionnaire, i.e. risk practitioners working in a risk function, professionals working in a business function that engages with the risk fraternity, and professionals with a business strategy understanding. Convenience sampling was used, where research participants are members of the target population that meet certain practical criteria, such as easy accessibility, geographical proximity, availability at a given time, or the willingness to participate [47]. A web link to the questionnaire was emailed to the identified target audience, which comprised 319 research participants representing various organisational structures and business sectors. The total number of respondents (refer to the profile in Table 3) for the questionnaire was 183, yielding a response rate of 57%.

Table 3. Profile of questionnaire respondents
Based on the specific criteria used to identify potential research participants, 35.6% of respondents are risk practitioners as shown in Table 1, 45.8% are professionals in business functions engaging with the risk function and 18.6% are professionals in business functions that, in addition, engage specifically with business strategy in their roles. In terms of research participants' roles, 31.5% are in senior and executive management, 34.7% are in management, 27.5% indicated that they are general staff members and 6.2% indicated specialists. With reference to tenure, participants with between 11 and 30 years account for 67.4% of the research participants, highlighting extensive industry experience. 5.1% of research participants have a tenure of between 31 and 40 years and 0.6% have a tenure of more than 40 years.
In the next section, we discuss the quantitative analysis of the data collected in order to derive CSF groupings for dynamic risk management in responsive organisations.

Data Analysis and Findings
The relative importance of the CSFs (Table 4) identified from the literature was explored by means of Likert rating scale (1 = strongly disagree, 5 = strongly agree) questions in a questionnaire instrument. Statistical analysis undertaken with SPSS v25 included descriptive analysis, reliability tests using Cronbach's alpha, one-way analysis of variance and factor analysis. The Cronbach's alpha reliability for the factors is 0.914, suggesting that the 18 CSFs have excellent internal reliability [40,48]. This implies that the factors are closely correlated with each other.
Factor analysis is used to identify a relatively small number of factor groupings that can be used to represent relationships among sets of many interrelated variables [39,49]. This technique was applied to the questionnaire data to explore the groupings that might exist among the CSFs enabling dynamic ERM. The Varimax rotation method was used to produce factor loadings that minimize the number of variables with high loadings, either positive or negative, for each factor [50]. For the CSFs extracted from the literature, the factor analysis shows that the 18 CSFs can be grouped into 3 principal factors depicted in Table 4. After the Varimax rotation, factor grouping 1 (ERM charter) accounts for 27.14% of the total variances between CSFs, while factor grouping 2 (ERM processes) accounts for 23.93% of variances between CSFs. Factor grouping 3 (ERM business alignment) accounts for 19.16% of the total variances between CSFs. In the next section we present individual statistics and discuss each factor grouping in detail.

Factor analysis of Critical Success Factors for Enterprise Risk Management in Responsive Organisations
Factor grouping 1, ERM charter, consists of 7 CSFs all reflecting high factor loading [49]. The factors with the strongest association (0.871 and 0.860 respectively) are "appropriate and timeous communication of framework modification" and "clear risk management framework development and implementation accountability". It is key that any changes to an ERM charter are communicated timeously to ensure that no accountability gaps, for charter development as well as charter implementation, are created through the modifications. The next 3 CSFs with a strong association (0.775, 0.750 and 0.745 respectively) call for a fit-for-purpose and appropriate ERM charter. Adequate internal reporting of framework effectiveness ensures that the ERM charter remains relevant for the organisation through measuring its effectiveness, as well as continuously checking the suitability of the risk management framework. This process of continuous optimization is achieved by consciously considering the internal and external organisational context. This comprehensive monitoring and alignment of the ERM charter relates to the next CSF with fairly strong association (0.722), as any changes in the internal or external environment, reporting, measurement or accountability will trigger a "regular review of the risk management policy and framework in response to changes". This CSF also points to the fact that an organisation must ensure that its ERM remains relevant and aligned in times of any change impacting the organisation. The last CSF in factor 1, also with the lowest association of 0.705, is "integration of risk management within overall risk management system". ERM involves establishing actions to respond to risk and implementing adequate internal controls with which to limit the possibility of occurrence or the consequences of risk, if it materialized. In order to ensure efficiency in achieving objectives, the process must be coherent and convergent, integrated to objectives, activities and operations carried out within the organization. The entire ERM system must be managed. An ERM charter update is required whenever the organisation changes its strategic objectives, or when the risk policy changes.
Factor grouping 2, ERM processes, consists of 7 CSFs, with "integral part of organisational processes" and "embedded in organisational decision making" depicting the highest association (0.817 and 0.800 respectively). A dynamic approach to ERM calls for preventing losses, as well as regarding risks as a source of competitive advantage. This approach requires that all organisational functions (human resources, sales, finance, procurement, information technology, legal, strategic development etc.) participate in the organisational risk management process. "Facilitation of continual improvement and enhancement of organisation" and "creates value for the organisation" both have a significant association of 0.775. The role of ERM is to enable an organisation to determine what level of risk it is prepared to accept to achieve its strategic objectives, add value to activities and achieve planned goals. This is achieved through a structured process to ensure that the outcome is coherent and that risk response measures are integrated. ERM can therefore guide the organisation to improve work according to the benefits of good risk management. Work improvement requires employees to obtain the necessary skills in order to monitor and control based on principles of efficiency and effectiveness. The next CSF in factor 2, "foster skills diversity and expertise" with an association of 0.724, points to the fact that employees, regardless of their hierarchical level in the organisation, should be aware of the importance of ERM to achieve planned results. The lowest associations of 0.543 and 0.508 respectively are associated with the CSFs "systematic, planned and structured approach" and "joint practitioner and business contingency planning". From the description of the other CSFs in factor 2, the structured approach and ERM knowledgeable employees are re-enforced and implied.
Factor grouping 3, ERM business alignment, consists of 4 CSFs, all with high loading. "Effectiveness agility and resilience dependent", with an association of 0.936, points to the key requirement that a dynamic approach to ERM should be based on an enhanced level of organisational agility. Furthermore, organisational resilience builds upon, and extends beyond, existing strategies for the management of unforeseen risk; it is based on a more organic capacity in the organisation. This CSF is a key mind set in terms of ERM principles. The following two CSFs with high loading (0.918 and 0.907 respectively) are "risk management practice should accommodate changing organisation" and "iterative and responsive to change". Risk assessment is an essential component of the organisation: as the employees change, regulations change, suppliers change, etc., the objectives must be reviewed or new ones established. This change mind set on the organisational risk profile informs the emergence of new risks and modification of existing risks. The last CSF in factor 3, "risk indicators tracking directly aligned to business performance indicators", has a high association (0.834) and points to the philosophy that risk management is integrated and aligned to business strategy. A more proactive focus is required to ensure that key performance indicators (and the resulting outcomes) are achieved, by proactively identifying risks associated with those key performance indicators and managing those risks.
The three factor groupings with their CSFs will have a direct impact on the effectiveness and efficiency of ERM. ERM is a powerful tool that enables the organisation to have a view of the risks affecting the achievement of strategic and operational objectives. At the same time, ERM provides the process of identification, analysis and assessment of risks, taking into account the events of and change in the organisation, which can take negative shape and are associated with risks or positive shape and are associated with opportunities.

Conclusion
In order to address the lack of guidelines on how to conduct risk management in a dynamic and responsive environment, this research identifies three factor groupings of 18 CSFs for effective ERM in responsive organisations. The three dimensions describe factors to consider in establishing and monitoring risk management policies and frameworks (ERM charter), defining risk management processes (ERM processes) and aligning risk management processes with business (ERM organisational alignment). These groupings give a holistic view of critical factors to take into account when responding to risk while transforming risk management practices to meet the dynamic needs of the organisation.
Although our starting point with identifying CSFs was related to responsive environments, one could argue that the CSF groupings identified are equally applicable to risk management in linear, traditional organisations.The existing risk management frameworks are not meant for dynamic, responsive organisations.Further research is therefore needed on how existing frameworks can be extended to be appropriate in continuously changing environments.

Table 4. Rotated factor matrix (loading) of critical success factors for ERM
The factor groupings in Table 4 are interpreted as follows:
• Factor grouping 1 represents enterprise risk management charter.
• Factor grouping 2 represents enterprise risk management processes.
• Factor grouping 3 represents enterprise risk management business alignment.