-
1
ENHANCING STRATEGIC FLEXIBILITY AND PERFORMANCE THROUGH RISK
MANAGEMENT: THE ENABLING ROLE OF IT INTEGRATION
Vicky Arnold University of Central Florida
University of Melbourne
Tanya Benford University of Central Florida
Joseph Canada University of Central Florida
Steve G. Sutton University of Central Florida
University of Melbourne
October 2008
Preliminary Draft Please do not quote without permission.
* This research was funded by the Institute of Internal Auditors
Research Foundation. The authors wish to thank the IIARF for their
generous funding and support of our research. We thank Raj
Echambadi and Clark Hampton for their advice and feedback during
the development of this paper as well as participants in workshops
at the University of Auckland and University of Central Florida for
their valuable feedback on earlier versions of this manuscript. We
also thank Randy Kuhn for his research assistance.
-
2
ENHANCING STRATEGIC FLEXIBILITY AND PERFORMANCE THROUGH RISK
MANAGEMENT: THE ENABLING ROLE OF IT INTEGRATION
Abstract
Since the passage of the Sarbanes-Oxley Act in the U.S., the
business press has consistently reported on companies and business
consortiums proclamations of the negative effect of new internal
control requirements on supply chain performance. Early studies on
organizations experience with SOX control compliance efforts have
been contradictory; some organizations have experienced significant
deleterious effects while other organizations have continued to
prosper. In this study, theory on capability-building for
entrepreneurial action (Sambamurthy et al. 2003) is used as a basis
for understanding the observed phenomenon. In our research model,
which operationalizes the theory, enterprise risk management (ERM)
forms the primary organizational driver for enhanced IT
integration, maintaining organizational strategic flexibility, and
facilitating supply chain performance. Based on responses from 155
Chief Audit Executives, the results provide strong support for both
the underlying theory and its applicability to understanding the
varied effects of SOX 404 compliance on organizations.
The results indicate that ERM leads to higher levels of IT
integration across two dimensions: IT compatibility and IT
connectivity. The results also highlight the fundamental importance
of high levels of IT integration to strategic opportunities within
the firm as it is shown that IT integration fully mediates the
relationship between ERM and strategic flexibility and partially
mediates the relationship between ERM and supply chain performance.
Additionally, the previously reported relationship between IT
integration and supply chain performance is partially mediated by
the level of organizational strategic flexibility. Overall, there
is strong support for the theory and additional clarity is provided
to the practice environment on the effective implementation of ERM
processes and its use for facilitating competitive action.
Key words: Enterprise risk management, IT competence, IT
integration, IT flexibility, strategic flexibility, organizational
flexibility, supply chain performance, IT-enabled business
processes.
-
3
ENHANCING STRATEGIC FLEXIBILITY AND PERFORMANCE THROUGH RISK
MANAGEMENT: THE ENABLING ROLE OF IT INTEGRATION
1. INTRODUCTION
Substantial efforts by information systems (IS) researchers have
been invested in
attempts to better understand how and when value is created by
IT investments (Kohli and
Devaraj 2003; Melville et al. 2004). However, the documented
results from the multitude of
studies are inconsistent; increasingly researchers are
recognizing that value is generally driven by
other organizational factors, thus a different way of measuring
IT value may be preferable (Kohli
and Devaraj 2003). The recent perspective has evolved toward a
real options theory that views IT
investment as a means of building a platform to facilitate both
current and future IT-enabled
functionalities (Sambamurthy and Zmud 2000). A critical part of
developing this platform is the
integration of disparate information sources across the
organization to facilitate process
integration. Absent such IT integration, business processes are
often fragmented leading to poor
customer responsiveness and missed opportunities for innovation
(Rai and Sambamurthy 2006).
The theory of capability-building for entrepreneurial action
integrates these alternative views
into a more strategic, management-oriented perspective on
creating value from IT (Sambamurthy
et al. 2003).
This study applies the theory of capability-building for
entrepreneurial action as the basis
for interpreting the various experiences reported by companies
during their efforts to comply
with new regulatory mandates for effective managerial control
and risk management. These
regulatory mandates came about with the passage of the
Sarbanes-Oxley Act of 2002 (SOX)
which radically changed the way organizations view corporate
governance. One dimension of
this change is an increased focus on enterprise risk management
(ERM) processes, a much
broader strategic view of organizational control than a more
traditional, accounting-oriented
-
4
view on internal control. While SOX regulation focused on
financial controls, the impact was to
extend the documentation and review of control systems to an
enterprise level view that included
strategic, operational, reputational, regulatory, and
information risks (Katz 2003; Banham 2003,
Sutton et al. 2008).1
The variances in experiences reported by companies during the
SOX compliance process
have raised questions about the efficiency of control
implementation in many organizations
(Arnold et al. 2007). Many organizations implemented heavily
manual-oriented processes to
achieve control objective requirements and these manual-oriented
controls appear to have often
slowed down organizations business processing, reduced
organizations strategic flexibility, and
hampered supply chain activities. On the other hand,
organizations that took a strategic focus to
implementing comprehensive ERM processes and used more
automation in their control
processes appeared to be less impacted in terms of flexibility,
supply chain performance, and
overall organizational competitiveness (Arnold et al. 2007).
Still, the business press generally
focuses on the less successful implementations, frequently
reporting on the negative
consequences of SOX compliance on organizations performance, and
questioning SOX
compliant companies ability to maintain competitiveness in the
marketplace (Banham 2003;
Katz 2003; Reason 2006).2
1Thispushtoanenterpriselevelfocusalsomeantthattheresponsibilityformanagingandreviewing
controlstructuressimilarlyrosetofallingundertheauspicesofClevelmanagement(e.g.CEOs,CFOs,CIOs,CAEs)(Beasleyetal.2005;Suttonetal.2008).InsomeorganizationstheChiefInformationOfficer(CIO)ledtheSOXinternalcontrolcomplianceeffortwhileinmostorganizationstheCIOwasacriticalmemberofthecomplianceplanningandimplementationteams(Arnoldetal.2007;SuttonandArnold2005).
2TheseconcernswerefurtherhighlightedwiththereleaseoftheSchumerBloombergMcKinsey(2007)reportontheU.S.SenatefloorwithitsfocusonthedecreasedcompetitivenessofU.S.stockexchangesinthefaceofSOXregulationandrelatedconcernsovertheflowofavailablecapitaltosupportgrowthandinnovation.
-
5
This studys examination of ERM implementation effects on
organizational performance
uses an operational model based on Sambamurthy et al.s (2003)
theory of capability-building
for entrepreneurial action. ERM becomes the focal point, as ERM
is a process that can be used to
facilitate entrepreneurial alertness. ERM is both a critical
element of an organizations ability to
monitor internal and external activities in order to effectively
react to changes in the
marketplace; and, in the form of COSOs ERM Framework (COSO
2004), ERM was also the
most prevalent strategy used by firms to meet SOX compliance
requirements3 (Beasley et al.
2005).
The purpose of this study is to examine the relationship between
firms effectiveness of
ERM integration and the two issues of primary concern in
critiques of SOX compliance
mandatesmaintaining strategic organizational flexibility and
strengthening supply chain
performance. ERM is evaluated as a top down strategy driven by
C-level management of the
firm. Accordingly, ERM is viewed as offensive and strategic as
opposed to a more traditional
control orientation with a defensive posture (Liebenberg and
Hoyt 2003). Central to our research
is a focus on the role of information technology (IT)
integration in facilitating the
interrelationships between ERM, strategic organizational
flexibility and supply chain
performance (Sambamurthy et al. 2003). IT integration is viewed
as a key enabler of effective
ERM integration (COSO 2004) and case research provides
preliminary evidence indicating IT
3ThefocusonenterpriselevelgovernanceandcontrolwasreinforcedbytheCommitteeofSponsoring
OrganizationsoftheTreadwayCommission(COSO)revisionoftheir1992internalcontrolframework(COSO1992)toencompassthissamebroadenterpriseriskmanagement(ERM)perspective(COSO2004).TheNewYorkStockExchange(NYSE)alsoaltereditsCorporateGovernanceRulestoexplicitlymandateBoardsauditcommitteestoassumespecificresponsibilitieswithrespecttoriskassessmentandriskmanagementattheenterpriselevel(Beasleyetal.2005).Accordingly,mostorganizationsfallingunderSOXsection404reportingrequirementsoninternalcontrolsadoptedCOSOs(2004)ERMFrameworkasthebasisfordocumenting,evaluating,andassessingtheviabilityofcontrolstructures(Beasleyetal.2005).
-
6
integration may be a key construct to understanding the variable
impact of SOX compliance
efforts on organizational performance (Arnold et al. 2007).
This research contributes to the information systems literature
at two distinct levels. First,
the research demonstrates the joint effects of ERM, IT
integration, and strategic flexibility on
supply chain performance, thereby providing support for
Sambamurthy et al.s (2003) theory. In
this vein, the research also demonstrates how these
relationships can be captured and modeled.
Second, this study helps broaden the perspectives on governance
in the IS literature from a focus
on IT governance as a means for controlling the use of IT
resources (e.g. Sambamurthy and
Zmud 1999; Xue et al. 2008) to instead viewing IT as an enabler
of a broader governance
structure. Sambamurthy and Zmud (1999) note that IT governance
is difficult to study in
isolation as overall organizational governance efforts influence
how IT governance takes shape.
In contemporary ERM-driven business environments, we view IT as
the enabler of ERM and IT
integration is driven by the needs of the organization as ERM
strategies are expanded across and
beyond the enterprise.
This research is also important to practice as it examines the
nature of ERM and explains
why some organizations have seen improved performance under new
governance structures
while other organizations perceive a loss of flexibility and a
deleterious effect on supply chain
performance (Robey and Boudreau 1999). The results of the
research show that effective ERM
integration is associated with improved organizational strategic
flexibility and higher levels of
supply chain performance. Further, the results show the critical
role of broad IT integration in
facilitating and enabling these relationships.
The remainder of the paper is organized into four sections. In
Section 2, the underlying
theoretical basis for the hypotheses is presented and the
research model is developed. This is
-
7
followed by the research methods section and the results
section. The fifth and final section
provides a summary of the research findings, a review of the
limitations of the study, and a
discussion of the implications of the research findings.
2. THEORETICAL DEVELOPMENT & HYPOTHESES
The intent of Sambamurthy et al.s (2003) theory on
capability-building and
entrepreneurial action is to broaden the understanding of the
strategic role of IT through an
improved understanding of the interrelationships that create
value from IT investments. There
has been a lack of clarity on the impact of IT at the
organizational level as prior studies provide
contradictory evidence on the benefits of similar IT systems
implemented in different
organizations (Robey and Boudreau 1999). Similarly,
contradictory evidence has been prevalent
when examining firms experiences with SOX control compliance and
ERM implementation
some firms show controls impeding flexibility and
competitiveness while other firms do not
experience hindrances and oftentimes see improvement (Arnold et
al. 2007).
Sambamurthy et al.s (2003) theory provides a basis for
interpreting these contradictory
results in the case of both IT investment and ERM
implementation. The theory focuses on the
interactive nature of organizational structures and IT
competencies in supporting competitive
actions. These interactions are coevolutionary in that
entrepreneurial alertness drives the
leveraging of IT competencies, encourages the maintenance of
organizational agility, and
influences the interaction between the two (see Figure 1). In
addition learning takes place as
organizations gather experience through competitive actions and
gain an understanding of how
existing utilization of IT competencies and organizational
agility facilitate successful action. As
organizations learn, their entrepreneurial alertness drives
further utilization of IT competencies
and enhances the organizations agility.
-
8
[Insert Figure 1 about here]
Within the theory, entrepreneurial alertness is defined as the
capability of a firm to
explore its marketplace, detect areas of marketplace ignorance,
and determine opportunities for
action (p. 250). This includes both strategic foresight (i.e.
the ability to foresee risks and
opportunities) and systemic insight (i.e. the ability to use
foresight to shape competitive actions
that provide advantage). This entrepreneurial alertness can be
encoded in many organizations
through ERM processes that are designed to aid organizations in
identifying potential events that
may affect the organizations ability to manage identified risks
(COSO 2004, p. 2) and enable it
to respond strategically to both risks and opportunities
(Liebenberg and Hoyt 2003).
Accordingly, our operationalization of the theory focuses on ERM
as an entrepreneurial strategy
for broadly influencing the various componentsleveraging IT
capabilities, enhancing
organizational agility, and enabling competitive actions.
Sambamurthy et al. (2003) view the leveraging of IT competencies
as evolving from the
(1) IT resources and capabilities that have been developed
within the organization (IT
competence) and (2) the digital options which are the way in
which management views that
existing IT competencies can be leveraged to facilitate agility
and performance. To support ERM
activities, leveraging IT competencies becomes critical across
two dimensions: IT compatibility
(i.e. the ability to share information across systems and
business processes in order to facilitate
necessary information flow) and IT connectivity which forms the
linkages to internal and
external information necessary for assessing risks and
opportunities (Byrd and Turner 2000).
These two dimensions, which represent IT integration, help
facilitate the flow of both internal
and external information needed to assess changes in and react
to the marketplace (McAfee
-
9
2002; Cotteleer and Bendoly 2006; Swafford et al. 2006). The
model within the current study
operationalizes IT competence and digital options through IT
integration.
Agility is defined as the ability to detect opportunities for
innovation and seize those
competitive market opportunities by assembling requisite assets,
knowledge and relationships
with speed and surprise (Sambamurthy et al. 2003, p. 245).
Agility is often thought of as
flexibility with the differentiating dimension being speed. The
interest in this study is not on
speed but is on the organizations ability to be flexible at the
customer and operational levels in
order to bring products to market more strategically. Thus, the
emphasis is more on
organizational strategic flexibility than on the speed and
surprise.
From an outcome perspective, the competitive actions of interest
in this study revolve
around the ability to achieve high levels of performance in
supply chain activities in a well-
controlled environment that comes with ERM. As such, we focus on
supply chain performance
as the competitive actions of interest.
This forms the basis for our conceptual model, which is
developed in the following
sections, as shown in Figure 2. A significant distinction
between our operationalization and
Sambamurthy et als. (2003) theory is the types of relationships
between entrepreneurial
alertness/ERM and the other firm competencies. Sambamurthy et
al. 2003 theorizes that
entrepreneurial alertness enhances the relationships between the
aforementioned firm
competencies, while our study models and observes more direct
effects upon the firm
competencies themselves. Before proceeding to the specific
hypotheses generation, the following
sub-section focuses on elaboration of ERM processes from a
practical and applied perspective to
clarify further the entrepreneurial alertness that is inherently
derived through ERM.
[Insert Figure 2 about here]
-
10
2.1 Entrepreneurial Alertness and ERM
COSO initiated its ERM framework in 2001 amidst the aftermath of
a series of high
profile business scandals and in the face of calls for enhanced
corporate governance and risk
management specifically to address legal, regulatory and
compliance concerns (COSO 2004).
ERM is designed to enable an organizations management to address
uncertainty and the
associated risks and opportunities in order to build value (COSO
2004). COSO (p. 2) defines
ERM as:
a process, effected by an entitys board of directors, management
and other personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may affect
the entity, and manage risk to be within its risk appetite, to
provide reasonable assurance regarding the achievement of entity
objects.
In reflecting upon this definition, COSO (2004) goes on to note
several embedded, fundamental
concepts that are of particular concern here. First, because
information must be shared across the
organization, ERM is affected by people at every level of an
organization,. Second, ERM is
fundamentally applied in a strategy setting (COSO 2004, p. 2).
This is consistent with the
Canadian Governments position on ERM as articulated by the
Treasury Board (2001). In
particular, the Treasury Board defines ERM as being about making
strategic decisions that
contribute to the achievement of an organizations overall
corporate objectives (p. 10).
While everyone in the organization has some responsibility for
ERM, an organizations
Board of Directors has overall responsibility for ensuring risks
are managed while in practice the
management team is generally delegated with the responsibility
(Institute of Internal Auditors
2004). This means the CEO is ultimately responsible and should
take ownership while also
involving other key C-level executives such as the CFO, CIO and
CAE (COSO, p. 6). As such,
ERM integrates risk management activities while elevating its
status as a key component of the
-
11
firms overall strategy thus enabling the company to respond
strategically to both risks and
opportunities (Liebenberg and Hoyt 2003).
In building an organizations risk profile, information and
knowledge must be aggregated
across the strategic and operational levels to assist managers
in understanding the range of risks
faced (internally and externally) and the related opportunities
(Treasury Board 2001, p. 15). To
facilitate the aggregation of information and knowledge across
the organization, the Treasury
Board recognizes the need to consider potential technological
solutions to support the on-going
activities including technologies such as the Internet and
organizational Intranets that can
facilitate risk awareness and management through information
sharing both internally and
externally (Treasury Board 2001, p. 31). Similarly, COSO
recognizes the need for information
and communication processes that assure relevant information is
identified, captured, and
communicated in a timely manner to facilitate management
responsiveness. Such information
communication must occur in a broad sense, flowing down, across,
and up the entity (p. 4). In
essence, the IT systems must be designed in a manner that
facilitates information sharing across
the organization and connectedness among the organizations
management at both strategic and
operational levels.
In summary, the ERM movement from a practice perspective focuses
on the use of ERM
to identify risk and opportunities to facilitate organizational
strategic flexibilitythe
fundamental capabilities of interest in Sambamurthy et al.s
(2003) view of entrepreneurial
alertness. Likewise, ERM should allow the organization to
respond in a way that facilitates
improved performance both through effective risk management and
through maintenance of
organizational strategic flexibility.
-
12
2.2 ERM, IT Integration & Facilitating Flexibility
As noted in the discussion on ERM, the availability of
information from and sharing
knowledge across the organization is fundamental to supporting
ERM processes. The
information needs specified within COSO necessitate the
availability of IT systems that provide
a timely view of various risks spread across the organization
(Levine 2004). Lam (2003) notes
that one of the greatest challenges of implementing effective
ERM strategies is aggregating the
underlying data required to monitor diverse organizational
risks. This view is consistent with the
evolving stream of IT research that maintains that one of the
most critical roles of the IT function
is the support of on-going interactions among users to ensure
management is prepared to respond
to emerging business needs and opportunities (Clark et al. 1997;
Sambamurthy and Zmud 2000;
Rai and Sambamurthy 2006; Bharadwaj et al. 2007). This need
becomes even more significant as
organizations make decisions in increasingly turbulent
environments (Pavlou and El Sawy 2006).
One of the drivers of the enterprise systems movement was the
value of such systems in
facilitating coordination and alignment of manufacturing
production functions (OLeary 2000;
McAfee 2002; Gattiker and Goodhue 2005; Banker et al. 2006;
Cotteleer and Bendoly 2006).
The development of strong IT integration is not prevalent in
many organizations,
however, and Arnold et al. (2007) note this as an issue plaguing
the companies in their case
studies that were struggling with SOX control compliance. This
is consistent with Beasley et
al.s (2003) finding that many organizations have not initiated
ERM processes or have only put
in place rudimentary procedures. ERM is often hampered by the
lack of systems level integration
necessary to access information easily and to monitor risks
across the organization (Frie et al.
1999).
-
13
IT integration such as that required for effective ERM is more
likely to occur by design
than to be preexisting. This is consistent with the capability
building aspect of Sambamurthy et
al.s (2003, p. 250) theory where a key component of
entrepreneurial alertness is systemic
insightthe ability to visualize connections between digital
options, agility capabilities, and
emerging market opportunities in architecting competitive
actions. Firms with the strongest IT
integration tend to have established enterprise architecture
standards to enhance compatibility of
IT components and to facilitate application integration and data
sharing across the enterprise
(Boh and Yellin 2006-7). The existence of strong horizontal
integration and coordination across
the enterprise usually evolves in the presence of enterprise
architecture standards, which in turn
tend to be a product of effective IT governance (Brown 1999;
Peterson 2004). This is not IT
governance from a centralized/decentralized perspective, but
rather IT governance as a part of
the broader corporate governance structure and strategic
planning (Sambamurthy and Zmud
1999; 2000).
This focus on enterprise wide data sharing and coordination is
reflective of the need for
enterprise-wide systems to have strong IT compatibility and
integration to support ERM
processes. IT compatibility is the ability to share any type of
information across any type of
technology component (Byrd and Turner 2000). High IT
compatibility is indicative of ready
accessibility to critical data from anywhere within the
organization and suggests a transparency
of information. Such capability is viewed as arising from a
firms leveraging of its investments in
IT resources to build systems that leverage effectiveness,
efficiency and flexibility (Ross 2003).
This leveraging arises from the governance mechanisms adopted by
organizations to facilitate IT
integration and in turn support ERM processes. This leads to the
first hypothesis:
H1: Increases in enterprise risk management have a positive
impact on information technology integration.
-
14
There is a general assumption that effective organizations have
to cope with an
accelerating rate of change; and, in order to succeed in a given
business environment, the
organization needs flexibility to adapt to the environment
(Batra 2006). However, flexibility is
by design. Management must be concerned with the controllability
or changeability of the
organization which is dependent on creating effective processes
that foster flexibility (Batra
2006). The controllability aspect comes from effective ERM
processes, (Treasury Board 2001)
while the IT integration designed to facilitate these ERM
processes provides the monitoring to
ensure that the responses to the competitive environment are
aligned with overall enterprise
strategy. This is consistent with Batras (2006) definition of
flexibilitythe degree in which an
organization has the management capabilities to increase the
control capacity in a timely fashion
to react to risks and opportunities. Thus, organizational
strategic flexibility is reflective of an
ability to respond appropriately and timely to rapid changes in
the competitive environment and
is dependent on the managerial capabilities and the
organizational responsiveness (Volberda
1996). The continuous focus on timeliness is where the
importance of strong IT integration
becomes apparent. IT flexibility and integration are key to
facilitating a timely response to
changes in the environment. Without easy accessibility to
enterprise-wide data on performance
and capabilities, an organization has little opportunity to
respond to new product or service
opportunities that require high levels of organizational
strategic flexibility (Swafford et al. 2006).
The focus on information accessibility from across the
organization is consistent also
with the findings in the managerial control literature. First,
this literature highlights the role of
effective managerial control for maintenance of strategic
flexibility (Simon 1990; Davila 2000;
Chenhall 2003; Ditillo 2004; Naranjo-Gil and Hartman 2006).
Second, the managerial control
literature points to the importance of diverse, accessible
information. Broad-based information is
-
15
viewed as critical to strategically oriented firms (Bouwens and
Abernethy 2000) and is necessary
to support organizational flexibility (Abernethy and Lillis
1995). This leads to the second
hypotheses:
H2: Increases in information technology integration have a
positive impact on organizational strategic flexibility.
The use of this diverse information appears to be the source
driving enhanced
organizational strategic flexibility. As the Treasury Board
(2001) notes, risk management is the
systemic approach by which information is identified, assessed,
and communicated in the
presence of environmental uncertainty. For effective ERM, this
information flow and analysis
must be driven from an enterprise-wide view of easily accessible
data. Nonetheless research
suggests that this relationship between ERM and organizational
strategic flexibility is enhanced
through infrastructure standardization that facilitates the flow
of information (Gattiker and
Goodhue 2005; Bendoly et al. 2007). Effective infrastructures
both maintain routine control for
the organization and provide the means for adapting in the face
of major changes (Bendoly et al.
2007). While effective ERM seems to be a precursor to the
maintenance of organizational
strategic flexibility, the level of IT integration is the
catalyst that allows for effective ERM and in
turn high levels of flexibility. That leads to the third
hypothesis:
H3: Information technology integration mediates the impact of
enterprise risk management on organizational strategic
flexibility.
2.3 IT Integration, Flexibility & Supply Chain
Performance
A growing body of literature that addresses the link between
organizational strategic
flexibility and supply chain performance is currently emerging.
As Palanisamy (2005) notes,
organizations look for flexibility to cope with environmental
changes and thereby garner
competitive advantage. Flexibility does not necessarily imply
added operational complexity
-
16
(Bendoly et al. 2007). At the same time, effective IT
integration helps reduce this complexity
through easier and more timely access to information necessary
to assess and react to risks (Rai
et al. 2006; Swafford 2006). Thus, the investment in technology
is leveraged through the
existence of a flexible organization (Bendoly et al. 2007).
Alternatively, firms lacking good IT
integration have difficulty supporting coordinated activities
across the organization, which can
lead to inferior decision making (Bharadwaj et al. 2007). The
result is a need for both
organizational strategic flexibility and IT integration for
effective supply chain performance to
emerge.
Strategic flexibility allows the organization to respond to
opportunities as they are
presented, whether they are client relationships, new product
releases, or new partnering
relationships within supply chains (Swafford et al. 2006). Thus,
strategic flexibility in itself
facilitates organizational effectiveness; and, for those
companies integrated within supply chains,
this flexibility should enhance related performance (Batra
2006). High flexibility also allows an
organization to respond quickly to strategic moves by
competitors and likewise should allow the
organization to initiate its own strategic moves in order to
garner competitive advantage (Byrd
and Turner 2001; Swafford et al. 2006). In either case,
organizational strategic flexibility should
enable a firm to maintain stronger supply chain performance.
This leads to the fourth hypothesis:
H4: Increases in organizational strategic flexibility have a
positive impact on supply chain performance
Likewise, broad IT integration should also facilitate supply
chain performance (McAfee
2002; Cotteleer and Bendoly 2006). IT is rapidly becoming an
integral part of the supply chain
process and IT enhances supply chain logistics by providing
real-time information on product
capability for delivery and markets (Paulraj and Chen 2007). IT
is critical as information is
fundamental to decision making across the supply chain (Byrd and
Davidson 2003). However IT
-
17
integration itself doesnt drives the supply chain, but rather
the organizations ability to leverage
and use that information does (Rai et al. 2006)e.g.
organizational strategic flexibility. IT
integration at the enterprise-wide level is beneficial if that
information can be leveraged. That
leads to our fifth hypothesis:
H5: Organizational strategic flexibility mediates the impact of
information technology integration on supply chain performance.
2.4 ERM and Supply Chain Performance
Proponents of ERM argue that monitoring risk and opportunities
makes ERM a
significant source of competitive advantage (Beasley et al.
2003); but, ERM is only effective in
the presence of broad based information and knowledge that
allows an accurate and timely
picture of the risks and opportunities to be assessed
(Sambamurthy and Zmud 2000; Pavlou and
El Sawy 2006). Thus, IT integration would be expected to mediate
the relationship between
ERM and supply chain performance. That leads to the sixth and
final hypothesis:
H6: Information technology integration mediates the impact of
enterprise risk management on supply chain performance.
3.0 RESEARCH METHOD
The purpose of this study was to examine the roles of ERM, IT
integration and
organizational strategic flexibility in advancing supply chain
performance. Partial least squares
analysis (SmartPLS 2.0 2005) was used for construct validation,
data analysis, and path analysis
for the theoretical model hypothesized in the current study. The
remainder of this section
discusses participant characteristics, instrument development
and validation, data analysis, and
the study results.
-
18
Participants
The Institute of Internal Auditors Research Foundation hosted
the survey used in the
current study on their Global Audit Information Network (GAIN).
GAIN emailed invitations to
participate in the survey to 1,383 chief audit executives (CAEs)
and 251 members responded for
a total response rate of 18.1%. Of the 251 respondents, 7
respondents did not identify themselves
as audit executives or the equivalent and each reported less
than 5 years experience, and 5
respondents did not complete the survey. These 12 respondents
were excluded from further
analysis. The remaining data were examined to determine whether
there were patterns to any
missing responses. A test of overall randomness found all
missing responses were missing
completely at random (MCAR) (chi-square = 585.634 df = 609
p-value = 0.745) and the
expectation maximization algorithm (EM) (SPSS 15.0 2006) was
used to calculate replacement
values (Hair et al. 2006). Because the goal of this study was to
examine factors affecting
organizations supply chain performance, participants indicating
that more than 10% of the
survey measures were not applicable to their organization were
also excluded from further
analysis; all of the subsequent analyses pertain to the
remaining 155 participants.
Ninety of the participants in this study were employed at
organizations that had
completed one or more filings consistent with section 404 of SOX
and sixty-three were
employed at organizations that had not completed such a filing
at the time of the survey.
Demographic data, shown in Table 1, reveals that 84.52% (131) of
the participants had over ten
years of professional experience. The primary industries
represented were manufacturing
(18.71%), insurance (16.77%), financial services (14.19%), and
wholesale/retail (8.39%). One
hundred nine (70.3%) of the participants were male, 45 (29.0%)
were female and 1 respondent
chose not to respond to this question on the survey.
-
19
[Insert Table 1 about here]
3.1 Survey Instrument
The online survey, which was hosted by GAIN, was designed to
collect measures of the
latent variables as well as participant demographic data. As
shown in Figure 2, the theoretical
model employed in this study depicts the hypothesized
relationships between organizations
ERM processes, IT integration, organizational strategic
flexibility, and supply chain
performance. Each item was measured using a five point Likert
scale where 1 represented
strongly agree and 5 represented strongly disagree; 6 was used
to allow participants to
participants to respond N/A Dont Know. The items used to measure
these constructs and
descriptive statistics for each item are presented in Table
2.
[Insert Table 2 about here]
Organizations adopt ERM to facilitate the holistic
identification and assessments of risks
that can impact firm value. The COSO (2004) ERM Framework was
used to develop the five
ERM measures employed in the current study. In developing the
item measures for the construct,
discussions were conducted with six different organizations on
their ERM implementations,
success level with ERM, and impact on SOX compliance difficulty.
These discussions made it
clear that simply implementing the components of the COSO
framework was inadequate and that
effectiveness was derived from the integration of the components
and the flow of information to
top level management that could strategically address the risks
and opportunities identified. As a
result, the item measures were designed to focus more on
integrated objectives rather than
component parts with a desire for reflective measures rather
than a component based formative
measure.
-
20
The measures of the IT integration construct combine two
sub-components of Byrd and
Turners (2000) IT flexibility infrastructure and reflect the
firms ability to engage in intra-
organization sharing of information. Organizational strategic
flexibility is a measure of an
enterprises ability to manage the opportunities and challenges
inherent in a competitive
environment. This study employs measures of organizational
strategic flexibility consistent with
those previously validated by Cannon and St. John (2004). A
supply chain represents the
integration of key business processes from end-user through
original suppliers that provides
product, service, and information that add value for customers
and other stakeholders. (Lambert
1998, p.1). The measures of supply chain performance are output
measures, which were adapted
from Beamon (1999), and reflect the organizations ability to
meet or exceed its customer service
goals and objectives. Item measures for all of the constructs
are shown in Table 2.
3.2 Data Analysis
Because this study employed constructs that were both exogenous
and endogenous (IT
integration and organizational strategic flexibility) and one of
the latent variables (IT integration)
was formative rather than reflective, partial least squares
analysis (SmartPLS 2.0 2005) was used
to both assess the reliability of the measurement model and test
the structural model.
Initial data analysis revealed that four of the items shown in
Table 2 were deemed not
applicable by more than 10% of the participants.4 A review of
the industry demographics for this
study was consistent with non-applicability of these items;
therefore, these items were also
dropped from further analyses. The N/A Dont Know responses for
each of the remaining
4ThefirstitemwasOurorganizationconsistentlymeetsorexceedsourcorporategoalsforminimizingbackorders/stockouts;35.5%(55)selectednotapplicable.TheseconditemwasOurorganizationconsistentlymeetsorexceedsourcorporategoalsforminimizingshippingerror;32.3%(50)selectednotapplicable.ThethirditemwasDatareceivedbyourorganizationfromelectroniclinkswithoursupplychainpartnersarereliable;20%(31)selectednotapplicable.ThefourthitemwasNewlocationsoracquisitionsarequicklyassimilatedintoourITinfrastructure;10.3%(16)selectednotapplicable.
-
21
measures appear to be completely at random (chi-square = 708.295
df= 669 p-value =0.142) and
EM (SPSS 15.0 2006) was used for imputation of these data (Hair
et al. 2006).
3.3 Measurement Model Reliability and Validity
In this study, factor loadings, composite construct reliability
and average variance
extracted are employed to assess validity of the reflective
constructs. As shown in Table 3, each
of the item measures has a standardized factor loading greater
than 0.70. The related composite
construct reliability of each of the reflective constructs is
greater than the recommended 0.70,
and the related average variance extracted is greater than or
equal to 0.50 supporting the
convergent validity of the reflective constructs employed in
this study (Fornell and Larcker
1981).
[Insert Table 3 about here]
IT integration, a formative construct, combines measures of IT
connectivity and IT
compatibility adapted from Byrd and Turner (2000), thus these
measures represent different
facets of IT integration; the weights for the formative measures
of IT integration are presented in
Table 4. Because a formative construct is specified as a
multiple regression equation
(Diamantopoulos et al. 2008) it is important to rule out
multicollinearity. Variance inflation
factors were calculated for each of the 10 indicators of IT
integration, first using a measure of
organizational strategic flexibility and then using a measure of
supply chain performance. As
shown in Table 5, the maximum variance inflation factor was 2.7
which is below thethreshold of
3.3 and therefore all ten items were retained in the model
(Petter et al. 2007).5
[Insert Table 4 about here]
[Insert Table 5 about here]
5Hairetal.(2006)suggesttheVIFshouldbelessthan10.0,however,Petteretal.(2007)suggestamorestringentthresholdof3.3duetogreatermulticollinearityconcernswhenusingformativemeasures.
-
22
Construct discriminant validity provides evidence that the
latent variables in the
measurement model are unique and distinct (Hair et al. 2006). As
shown in Table 6, the average
variance extracted for each latent variable is greater than the
related squared inter-construct
correlations indicating discriminant validity (Hair et al.
2006). In addition, the maximum inter-
construct correlation of 0.68, shown in Table 7, is below the
standard threshold of 0.85, which
also supports construct discriminant validity (Kline 2005).
[Insert Table 6 about here]
[Insert Table 7 about here]
4. RESULTS
This study examines the relationships between organizations
effectiveness of ERM
integration, IT integration, strategic organizational
flexibility and the strengthening of supply
chain performance. The theoretical model proposed employs both
reflexive and formative
constructs necessitating the use of PLS, thus parametric testing
is not appropriate; bootstrapping
(500 samples with replacement) was used to calculate
t-statistics and standard errors
(Diamantopoulos and Winklhofer 2001). PLS path analysis results
(i.e. standardized beta
coefficients, t-values and construct R2) are presented in Figure
3.
[Insert Figure 3 about here]
H1 posits that increases in ERM have a positive impact on IT
integration (Figure 2).
Analysis indicates that the standardized path coefficient of H1
(+0.682 t-value = 15.055) is
significant (p-value=0.01) and in the hypothesized direction,
providing support for H1.
H2 states that increases IT integration positively impact
organizational strategic
flexibility. The standardized path coefficient of H2 (+0. 656
t-value = 7.386) is also significant
(p-value=0.01) and in the hypothesized direction, providing
support for H2.
-
23
H3 states that IT integration mediates the impact of ERM on
organizational strategic
flexibility. Three conditions must be met to support a mediation
effect (Baron and Kenney 1986).
First, there must be a significant relationship between ERM and
IT integration; as noted
previously, H1 provides support for this condition. The next
condition requires a significant
relationship between IT integration and organizational strategic
flexibility; H2 provides support
for this condition. The third condition requires that when a
relationship between ERM and IT
integration is included in the model, a relationship between ERM
and organizational strategic
flexibility that was previously significant become less
significant. This condition is also satisfied
as shown in Figure 4. For IT integration to mediate the impact
of ERM on organizational
strategic flexibility, H1 and H2 should have significant path
coefficients while the coefficient for
H3 decreases. Figure 4 suggests that IT integration fully
mediates the effect of ERM on
organizational strategic flexibility (i.e. the H3 path
coefficient is not significant, t-value = 0.546).
Results of the Sobel test (z-value = 7.314466, p-value
=0.000001) confirm the full mediation
effect.
[Insert Figure 4 about here]
H4 posits that increases in organizational strategic flexibility
have a positive impact on
supply chain performance. Analysis indicates that the
standardized path coefficient of H4 (+0.377
t-value = 4.189) is significant (p-value=0.01) and in the
hypothesized direction, providing
support for H4.
H5 states that organizational strategic flexibility mediates the
impact of IT integration on
supply chain performance. As noted previously, there are the
three conditions necessary to
support a mediation effect (Baron and Kenney 1986). The first
condition requires a significant
relationship between IT integration and organizational strategic
flexibility; as shown in Figure 5,
-
24
H2 provides support for this condition. The second condition
requires a significant relationship
between organizational strategic flexibility and supply chain
performance; H4 provides support
for this condition. The third condition requires that a
significant relationship between IT
integration and supply chain performance become less significant
when a relationship between
IT integration and organizational flexibility is included in the
model. As shown in Figure 5, the t-
value decreases from 11.545 to 3.576 but the relationship
between IT integration is still
significant, This significant relationship suggest that
organizational strategic flexibility partially
mediates the impact of IT integration on supply chain
performance. Results of the Sobel test (z-
value = 3.936834, p-value =0.000083) confirm the partial
mediation effect.
[Insert Figure 5 about here]
H6 posits that IT integration mediates the impact of ERM on
supply chain performance.
Once again, the conditions necessary to support a mediation
effect are evaluated (Baron and
Kenney 1986).The first condition, which is that there must be a
significant relationship between
ERM and IT integration, is satisfied by H1. The second
condition, which requires a significant
relationship between IT integration and supply chain
performance, is satisfied by H5. The third
condition requires that the inclusion of a relationship between
ERM and IT integration causes the
previously significant relationship between ERM and supply chain
performance become less
significant. Figure 6 indicates that IT integration fully
mediates the effect of ERM on supply
chain performance; the H6 path t-value is reduced from 7.810 to
1.568. Results of Sobel test (z-
value = 5.638984, p-value =0.000001) confirm the full mediation
effect.
[Insert Figure 6 here]
Overall the model has strong explanatory power. As demonstrated
in Figure 3, ERM, IT
integration and organization strategic flexibility jointly
explain 43.5% of the variation in supply
-
25
chain performance. Furthermore, ERM and IT integration jointly
explain 41.9% of the variation
in organizational strategic flexibility, as shown by
organizational strategic flexibilitys R2 of
0.419; while IT integrations R2 of 0.465 displays ERM singularly
explaining 46.5% of the
variation in IT integration. The strong explanatory power of ERM
upon and through the other
firm competencies provides very strong support for the theory of
capability building and
entrepreneurial action.
5.0 SUMMARY AND DISCUSSION
The results of this study reveal the complex interrelationships
that tie ERM and
organizational strategic flexibility together to provide a
better understanding of their role in
supporting supply chain performance. The results show strong
effects supporting the underlying
theory on capability-building for entrepreneurial action with a
specific view towards ERM as a
positive factor in promoting both organizational strategic
flexibility and supply chain
performance. However, importantly, IT integration was
fundamental to all of the relationships in
the model. This indicates that strong IT integration and sharing
of data through enterprise-wide
systems is critical to maximizing the value of ERM activities on
both flexibility and
performance.
5.1 Limitations and Related Opportunities for Future
Research
Before reviewing the implications of the research findings, the
limitations of the research
that should be considered when weighing the results and
considering future related research are
briefly outlined in this subsection. First, the use of a single
informant to evaluate the various
dimensions of organizational structure and performance could be
subject to common method
bias. However, the testing of the underlying dimensions of the
various constructs should
minimize these concerns. Additionally, the access we were given
to a C-level executive (i.e. the
-
26
Chief Audit Executive) who has primary responsibility for
assessing, and in some cases
implementing, risk management procedures as well as assessing
the efficiency and effectiveness
of operations provides access to the individual in the best
position to assess the various
dimensions of the conceptual model.
Second, our measurement variables included constructs that were
developed specifically
for this research and had not been previously validated.
Additionally, our item measures for the
ERM construct adhere strictly to contemporary thinking on the
need for an enterprise risk focus
and the relative newness of this concept may lead to the need
for this particular construct to
evolve over time as ERM theory develops and further evolves.
However, each of the constructs
that were developed, including ERM, evolved from existing theory
on the underlying
components and characteristics of the constructs. Nonetheless,
future use of these constructs in
other research studies will help over time to assess the
robustness of the constructs both
temporally and across a variety of respondent types.
Third, our application of the theory on capability-building for
entrepreneurial action takes
a slightly narrower view than the more general theory. The use
of ERM as an operationalization
for entrepreneurial alertness is slightly narrower in scope.
Likewise, the use of organizational
strategic flexibility to operationalize agility focuses on the
reactive part of agility more than the
timeliness of reaction component. Finally, our focus on supply
chain performance as the
competitive action of interest is only one of many competitive
actions that will be of interest to
an organization. Further tests of Sambamurthy et al.s (2003)
theory should consider the
appropriate operationalization of variables, especially in
relation to the dependent variable (i.e.
competitive action) of interest.
-
27
5.2 Contributions and Implications for Theory
This study examined a theory of capability-building for
entrepreneurial action that views
processes designed to facilitate entrepreneurial alertness as
fundamental to the building on and
interrelationships between leveraging of IT capability,
organizational agility, and resulting
competitive actions (Sambamurthy et al. 2003). ERM was
introduced as a widely adopted
technique by many organizations for facilitating improved
entrepreneurial alertness. In the face
of relatively new compliance requirements instigated by the
passage of SOX and its related
requirements for compliance reporting on financial control
systems, most organizations have
focused on applying COSOs (2004) ERM framework as the foundation
for ensuring appropriate
compliance. Additionally, regulatory mandates at the stock
exchange level (e.g. New York Stock
Exchange) have further highlighted the risk management aspects
of control systems (Beasley et
al. 2005).
The results provide strong support for the underlying theory.
Stronger ERM processes
provide enhanced leveraging of enterprise-wide data sharing
capability, higher levels of strategic
flexibility, and higher levels of supply change performance. IT
integrations mediation effects
demonstrate the significance of a strong IT platform to future
strategic purposes. This is
consistent with the real options theoretical lens, which views
IT as a resource that should be
developed to provide future flexibility and competitive
advantage (Sambamurthy and Zmud
2000). The results related to organizational strategic
flexibility highlight a major component of
organizational agility and demonstrate the enhancing effects of
both ERM and IT integration on
agility. This result is consistent with findings in managerial
control research that suggests higher
levels of information availability are needed to maintain
flexibility in strategic-oriented
organizations (Bouwens and Abernethy 2000; Abernethy and Lillis
1995). Our study improves
-
28
the understanding of this relationship by using the theory of
capability-building and
entrepreneurial action to operationalize a model that
demonstrates IT integration as the mediating
construct between managerial control processes and
organizational strategic flexibility.
The study also focuses on one type of competitive action which
is improved supply chain
performancea significant competitive issue for most
organizations in todays interlinked
business world (e.g. Sutton et al. 2008). The results related to
supply chain performance
demonstrate both the interactive effect of ERM and IT
integration on supply chain performance
and the mediating effect of strategic flexibility on the
relationship between IT integration and
supply chain performance. The complexity of these
interrelationships highlights the richness of
the theory on capability-building for entrepreneurial action and
strongly supports the
theorizations on the relationships. Relatedly, both the theory
and our highly integrated model
operationalizing the theory highlight the complexity of
organizations and the need for more
complex research models in order to understand these
intra-organizational relationships.
5.3 Implications for Practice
From a practice standpoint, this research directly addresses
concerns that have been
widely voiced in the business press as to the deleterious effect
of SOX control compliance on
organizations flexibility and supply chain performance (e.g.
Banham 2003; Katz 2003; Reason
2006; Schumer-Bloomberg-McKinsey 2007). Our results extend the
preliminary case research
findings reported by Arnold et al. (2007) indicating that
organizations that struggled through the
compliance process often had poor ERM processes in place when
the compliance process started,
tended to react by implementing manual control processes that
could be achieved quicker that
through integration of automation through IT systems, and
ultimately suffered competitive
disadvantages from more rigid, restrictive processes coupled
with reduced response time within
-
29
supply chain activities. Alternatively, Arnold et al. (2007)
found that organizations that began
compliance with better risk management processes and automated
more of their control
processes did not experience such negative competitive effects.
As Robey and Boudreau (1999)
note, these contradictory experiences with organizations can be
confusing absent a good
theoretical understanding of the organizational structures that
surround these results. The
application of the theory of capability-building for
entrepreneurial action provides a basis for
understanding these contradictory effects. Our results based on
that theory add clarity to these
earlier findings by highlighting the interactive effects of
strong ERM processes and strong IT
integration on the facilitation of strategic flexibility and
ultimately on enhanced supply chain
performance.
Taken as a whole, the results of the research help explain the
differential experiences of
companies during the SOX compliance process. Companies that
effectively implemented ERM
processes, not just implementing the basic standalone processes
but also integrating them to
derive strong entrepreneurial alertness, experienced higher
levels of flexibility and higher levels
of competitive performance. But, this effect of ERM on
flexibility and performance was heavily
dependent on the level of IT integration (e.g. IT compatibility
and IT connectivity). This is
consistent with the case findings of Arnold et al. (2007), but
our research isolates the effects that
are driving the observed phenomena and provides a theoretical
basis for understanding the
inherent relationships.
For practice, our results add to the body of literature
suggesting that IT value often comes
from the future leveraging of those systems to facilitate
operational and strategic activities. From
a SOX perspective, our results suggest that effective ERM
processes represent one more type of
strategic management activity that is enabled by strong IT
integration; and, this synergy is
-
30
necessary to gain value from SOX compliance efforts. Our results
also reinforce the importance
of strong ERM processes to first identifying and monitoring both
internal and external risks and
opportunities, and second in facilitating an organizations
ability to take strategically appropriate
competitive action.
-
31
REFERENCES
Abernethy, M.A. and A.M. Lillis. 1995. The impact of
manufacturing flexibility on management control systems design.
Accounting Organizations and Society 20(4): 241-258.
Arnold, V., T.S. Benford, J. Canada, J.R. Kuhn Jr., and S.G.
Sutton. 2007. The Unintended Consequences of Sarbanes-Oxley on
Technology Innovation and Supply Chain Integration. Journal of
Emerging Technologies in Accounting 4: pp. 103-121.
Banham, R. 2003. Fear Factor: Sarbanes-Oxley Offers One More
Reason To Tackle Enterprise Risk Management. CFO Magazine (June
1).
Banker, R.D., I. Bardhan, H. Chang, and S. Lin. 2006. Plant
Information Systems, Manufacturing Capabilities, and Plant
Performance. MIS Quarterly 30(2): 315-337.
Baron, R. M. and D. A Kenny. 1986. The Moderator-Mediator
Variable Distinction in Social Psychological Research: Conceptual,
Strategic, and Statistical Considerations. Journal of Personality
and Social Psychology. 51(6) 1173-1182.
Batra, S. 2006. Impact of Information Technology on
Organizational Effectiveness: A Conceptual Framework Incorporating
Organizational Flexibility. Global Journal of Flexible Systems
Management 7(1/2): pp. 15-25.
Beamon, B., 1999. Measuring Supply Chain Performance.
International Journal of Operations and Production Management
19(3):
Bendoly, E., A. Citurs, and B. Konsynski. 2007. Internal
Infrastructure Impacts on RFID Perceptions and Commitment:
Knowledge, Operational Procedures, and Information-Processing
Standards. Decision Sciences 38(3): pp. 423-449.
Bharadwaj, S., A. Bharadwaj, and E. Bendoly. 2007. The
Performance Effects of Complementarities Between Information
Systems, Marketing, Manufacturing, and Supply Chain Processes.
Information Systems Research 18(4): pp. 437-453.
Boh, W.F. and D. Yellin. 2006-7. Using Enterprise Architecture
Standards in Managing Information Technology. Journal of Management
Information Systems 23(3): pp. 163-207.
Bouwens, J. and M. A. Abernethy. 2000. The consequences of
customization on management accounting system design. Accounting
Organizations and Society 25: 221-241.
Brown, C.V. 1999. Horizontal Mechanisms Under Differing IS
Organization Contexts. MIS Quarterly 23(3): pp. 421-454.
Byrd, T. A. and N.W. Davidson. 2003. Examining Possible
Antecedents of IT Impact on the Supply Chain and Its Effect on Firm
Performance. Information & Management 41: pp. 243-255.
Byrd, T. A. and D. E. Turner. 2000. Measuring the flexibility of
information technology infrastructure: Exploratory Analysis of a
Construct. Journal of Management Information Systems; Summer Vol.
17, No. 1, 167-208.
Cannon, A. R. and St. John, C. H. (2004) Competitive Strategy
and Plant Level Flexibility. International Journal of Production
Research, 42(10): pp 1987-2007.
-
32
Chenhall, R.H. 2003. Management control systems design within
its organizational context: findings from contingency-based
research and directions for the future. Accounting Organizations
and Society 28: 127-168.
Clark, C.E., N.C. Cavanaugh, C.V. Brown, and V. Sambamurthy.
1997. Building Change-readiness Capabilities in the IS
Organization: Insights from the Bell Atlantic Experience. MIS
Quarterly 21(4): 425-455.
Committee of Sponsoring Organizations of the Treadway Commission
(COSO). 1992. Internal Control Integrated Framework. American
Institute of Certified Public Accountants.
Committee of Sponsoring Organizations of the Treadway Commission
(COSO). 2004. Enterprise Risk Management Integrated Framework.
(Committee of Sponsoring Organizations of the Treadway Commission,
AICPA: New York).
Cotteleer, M.J. and E. Bendoly. 2006. Order Lead-Time
Improvement Following Enterprise Information Technology
Implementation: An Empirical Study. MIS Quarterly 30(3):
643-660.
Davila, T. 2000. An empirical study on the drivers of management
control systems design in new product development. Accounting
Organizations and Society 25: 383-409.
Diamantopoulos, A., R. Riefler, K.P. Roth. 2008. Advancing
formative measurement models.
Journal of business Research. In Press. ____________ H.
Winklhofer. 2001. Index construction with formative indicators:
An
alternative to scale development. Journal of Marketing Research
38(2). Ditillo, A. 2004. Dealing with uncertainty in
knowledge-intensive firms: the role of management
control systems as knowledge integration mechanisms. Accounting
Organizations and Society 29: 401-421.
Fornell, C. and D. F. Larcker. 1981. Evaluating Structural
Equation Models with Unobservable
Variables and Measurement Error. Journal of Marketing Research,
18(1) 39-50. Frie, F.X., R. Kalakota, A.J. Leone, L.M. Marx. 1999.
Process Variation as a Determinant of
Bank Performance Management Science 45(9): pp. 1210-1220.
Gattiker, T. and D. Goodhue. 2005. What Happens after ERP
Implementation: Understanding
the Impact of Interdependence and Differentiation on Plant-Level
Outcomes. MIS Quarterly 29(3): pp. 559-585.
Hair, J. F., Black, W. C., Babin, B. J., Anderson, R. E., &
Tathan, R. L. (2006). Multivariate Data Analysis. Upper Saddle
River, NJ: Pearson Education Inc
Institute of Internal Auditors. 2004. Position Statement: The
Role of Internal Audit in Enterprise-wide Risk Management.
(Institute of Internal Auditors: Altamonte Springs, FL).
Katz, D.M. 2003. What You Dont Know About Sarbanes-Oxley:
Snares, Pitfalls, and Trapdoors. CFO.com (April 22).
Katz, D.M. 2006. Panels on 404 skirt small-company woes. CFO.com
(May 02).
-
33
Kline, R. B. 2005. Principles and Practice of Structural
Equation Modeling, Second Edition. (The Guilford Press: New
York)
Kohli, R. and S. Devaraj. 2003. Measuring Information Technology
Payoff: A Meta-Analysis of Structural Variables in Firm-Level
Empirical Research. Information Systems Research 14(2): pp.
127-145.
Lambert, D.M., M.C. Cooper, J.D. J.D. Pagh. 1998. Supply Chain
management: Implementation issues and research opportunities.
International Journal of Logistics Management. 9(2)
Levine, R. 2004. Risk management systems: understanding the
need. EDPACS 32(2): 1-13. Liebenberg, A.P. and R.E. Hoyt. 2003. The
Determinants of Enterprise Risk Management:
Evidence From the Appointment of Chief Risk Officers. Risk
Management and Insurance Review 6(1): pp. 37-52.
McAfee, A. 2002. The Impact of Enterprise Information Technology
Adoption on Operational Performance: An Empirical Investigation.
Production and Operations Management 11(1): pp. 1-21.
Melville, N., K. Kraemer, and V. Gurbaxani. 2004. Information
technology and organizational performance: an integrative model of
IT business value. MIS Quarterly 28(2): 283-322.
Naranjo-Gil, D. and F. Hartmann. 2006. How top management teams
use management accounting systems to implement strategy. Journal of
Management Accounting Research 18: 21-53.
Naranjo-Gil, D. and F. Hartmann. 2007. Management accounting
systems, top management team heterogeneity and strategic change.
Accounting Organizations and Society 32: 735-756.
OLeary, D.E. 2000. Enterprise Resource Planning Systems:
Systems, Life Cycle, Electronic Commerce, and Risk. (Cambridge
University Press: New York).
Palanisamy, R. 2005. Strategic Information Systems Planning
Model for Building Flexibility and Success. Industrial Management
and Data Systems 105(1): 63-81.
Paulraj, A. and I.J. Chen. 2007. Strategic Buyer-Supplier
Relationships, Information Technology and External Logistics
Integration. The Journal of Supply Chain Management (Spring): pp.
2-14.
Petter, S., D. Straub, and A. Rai. 2007. Specifying Formative
Constructs in Information Systems Research. MIS Quarterly 31(4):
pp. 623-656.
Peterson, R. 2004. Crafting Information Technology Governance.
Information Systems Management 21(4): pp. 7-22.
Rai, A., R. Patnayakuni, and N. Seth. 2006. Firm Performance
Impacts of Digitally Enabled Supply Chain Integration Capabilities.
MIS Quarterly 30(2): pp. 225-246.
Rai, A. and V. Sambamurthy. 2006. Editorial NotesThe Growth of
Interest in Services Management: Opportunities for Information
Systems Scholars. Information Systems Research 17(4): pp.
327-331.
Reason, T. 2006. Cry of pain from small companies. CFO.com (May
10).
-
34
Robey, D. and M.C. Boudreau. 1999. Accounting for the
Contradictory Organizational Consequences of Information
Technology: Theoretical Directions and Methodological Implications.
Information Systems Research 10(2): pp. 167-185.
Ross, J.W. 2003. Creating a Strategic IT Architecture
Competency: Learning in Stages MIS Quarterly Executive 2(1): pp.
31-43.
Sambamurthy, V. and R.W. Zmud. 1999. Arrangements for
Information Technology Governance: A Theory of Multiple
Contingencies. MIS Quarterly 23(2): pp.261-290.
Sambamurthy, V. and R.W. Zmud. 1999. Research commentary: The
Organizing Logic for an Enterprises IT Activities in the Digital
EraA Prognosis for Practice and a Call for Research. Information
Systems Research 11(2): pp.105-114.
Sambamurthy, V., A. Bharadwaj, and V. Grover. 2003. Shaping
agility through digital options: Reconceptualizing the role of
information technology in contemporary firms. MIS Quarterly 27 (2):
237-263.
Schumer, C.E., M.R. Bloomberg, and McKinsey Consulting. 2007.
Sustaining New Yorks and the U.S. Global Financial Services
Leadership. U.S. Senate www.senate.gov/~schumer (January 22).
Sutton, S.G. and V. Arnold. 2005. The Sarbanes-Oxley Act and the
Changing Role of the CIO and the IT Function. International Journal
of Business Information Systems 1(1/2) : 118-128.
Sutton, S.G., D. Khazanchi, C. Hampton and V. Arnold. 2008. Risk
Analysis in Extended Enterprise Environments: Identification of
Critical Risk Factors in B2B E-Commerce Relationships. Journal of
the Association for Information Systems 9(3/4): pp. 151-174.
Swafford, P.M., S. Ghosh, and N. Murthy. 2006. The Antecedents
of Supply Chain Agility of a Firm: Scale Development and Model
Testing. Journal of Operations Management 24: pp. 170-188.
Voberda, H.W. 1996. Toward the Flexible Form: How to Remain
Vital in Hypercompetitive Environments. Organization Science 7(4):
359-374.
Xue, Y., H. Liang, W.R. Boulton. 2008. Information Technology
Governance in Information Technology Investment Decision Processes:
The Impact of Investment Characteristics, External Environment, and
Internal Context. MIS Quarterly 32(1): pp. 67-96.
-
35
Figure 1 Capability-Building and Entrepreneurial Action
Reproduced from Sambamurthy, Bharadwaj & Grover, 2003.
Capability-Building Processes Entrepreneurial Action
Processes
IT COMPETENCE Investment scale IT capabilities
DIGITAL OPTIONS Process reach Process richness Knowledge reach
Knowledge richness
AGILITY Customer agility Partnering agility Operational
agility
COMPETITIVE ACTIONS Number of actions Complexity of action
repertoire
ENTREPRENEURIAL ALERTNESS Strategic foresight Systemic
insight
-
36
Figure 2: Research Model on the Role of ERM and IT
Flexibility
-
37
Figure 3 Structural Model Results
-
38
Figure 4 Structural Model Test of Mediating Effects of IT
Compatibility on Organizational Strategic Flexibility
-
39
Figure 5 Structural Model Test of Mediating Effects of
Organizational Strategic Flexibility on Supply Chain
Performance
-
40
Figure 6 Structural Model Test of Mediating Effects of IT
Compatibility on Supply Chain Performance
Supply Chain Performance
Information Technology Integration
Enterprise Risk Management H6+0.493
t-value =7.810**
Supply Chain Performance
Enterprise Risk Management
H1+0.690
t-value =16.139**
H6+0.141
t-value =1.568
H5+0.498
t-value =5.882**
* p-value = 0.05** p-value = 0.01
-
41
Table 1 Participant Demographics
Category Frequency Percentage N = 155
Gender Male 109 70.3% Female 45 29.0% Not answered 1 0.7%
Age
25 to 40 years 32 20.65% 40+ years 119 76.77% Not answered 4
2.58%
Experience
3 to 10 years 24 15.48% 10+ years 131 84.52%
Industry
Manufacturing 29 18.71% Insurance 26 16.77% Financial/real
estate 22 14.19% Wholesale/retail 13 8.39% Technology 12 7.74%
Utilities 11 7.10% Health 7 4.52% Communication 4 2.58% Aerospace
& defense 4 2.58% Transportation 4 2.58% All other 23
14.84%
Organizational Structure
Publicly traded 90 58.06% Not publicly traded 63 40.65% Not
answered 2 1.29%
-
42
Table 2 Descriptive Statistics
Variable Measures Min Mean Median Max Std dev.
Enterprise Risk Management (ERM) Process
1. Our organization performs a thorough enterprise-wide risk
assessment at least once a year
1 3.46 4.00 5 1.337
2. The strength of our internal control system enhances our
organizations ability to identity events that may affect the
achievement of our objectives
1 2.86 3.00 5 1.047
3. Our organization regularly evaluates the effectiveness of
internal controls to mitigate identified risks
1 2.88 3.00 5 1.213
4. Management has effective processes to respond to identified
risks 1 2.97 3.00 5 1.090
5. Our risk management procedures provide the necessary
information top management needs to monitor changes that could
impact our organizations well-being.
1 3.06 3.00 5 1.062
IT Integration
1. Compared to rivals in our industry, our organization has the
foremost in available IT systems
1 3.01 1.00 5 0.822
2. User-friendly electronic links exist between our organization
and its supply chain partners
1 2.96 1.00 5 0.558
3. Our organization formally addresses the issue of data
security 1 2.34 1.00 5 0.704
4. All remote, branch, and mobile offices are electronically
connected to the central office
1 1.96 2.00 5 1.240
5. There are numerous identifiable communication bottlenecks
within our organization
1 2.77 1.00 5 0.790
6. New locations or acquisitions are quickly assimilated into
our IT infrastructure (D)
7. Remote, branch, and mobile offices have easy access to data
from the home or central office
1 2.41 2.00 5 1.138
8. Our organization's ability to make rapid IT change is high 1
2.55 3.00 5 1.007
-
43
9. Information is shared seamlessly across our organization,
regardless of the location
1 2.92 3.00 5 1.084
10. Our organization offers a wide variety of types of
information to end users (e.g. multimedia) (D)
11. Our user interfaces provide transparent access to all
applications. 1 3.37 3.00 5 1.093
12. Data received by our organization from electronic links with
supply-chain partners are reliable
1 3.03 3.00 5 1.151
Organizational Strategic Flexibility
1. Our organization has difficulty maximizing new market
opportunities (RC)
1 2.50 2.00 5 1.085
2. Our organization is able to introduce new products/services 1
2.23 2.00 5 1.023
3. Our organization has difficulty accommodating major changes
in basic product designs or service offerings (RC)
1 2.38 2.00 5 1.081
4. Our organization is able to manage the impact of serving new
classes of customers
1 2.44 2.00 5 0.995
Supply Chain Performance
1. Our organization consistently meets or exceeds our corporate
goals for the proportion of product/service orders immediately
filled
1 2.36 2.00 5 0.966
2. Our organization consistently meets or exceeds our corporate
goals for on-time delivery of products/services
1 2.40 2.00 5 0.966
3. Our organization consistently meets or exceeds our corporate
goals for minimizing back-orders/stock-outs. (D)
4. Our organization consistently meets or exceeds our corporate
goals for customer response time (the time between an order and its
delivery).
1 2.35 2.00 5 0.909
5. Our organization consistently meets or exceeds our corporate
goals for minimizing the total amount of time required to produce
an item or provide a service.
1 2.50 2.00 5 0.985
6. Our organization consistently meets or exceeds our corporate
goals for minimizing shipping errors. (D)
-
44
7. Our organization consistently meets or exceeds our corporate
goals for minimizing goals for customer complaints
1 2.42 2.00 5 0.940
RC: Items reverse coded D: Items dropped due to volume of not
applicable/dont know responses; items not included in data analyses
Scale: 1 through 5 were 1 equals Strongly Agree and 5 equals
Strongly Disagree
-
45
Table 3 Tests of Convergent Validity
Variable Measures Factor Loading
Construct Composite Reliability
Average Variance Extracted
Enterprise Risk Management (ERM) Process 0.9365 0.7480
1. Our organization performs a thorough enterprise-wide risk
assessment at least once a year 0.7329
2. The strength of our internal control system enhances our
organizations ability to identity events that may affect the
achievement of our objectives
0.8899
3. Our organization regularly evaluates the effectiveness of
internal controls to mitigate identified risks 0.8780
4. Management has effective processes to respond to identified
risks 0.9244
5. Our risk management procedures provide the necessary
information top management needs to monitor changes that could
impact our organizations well-being.
0.8864
Organizational Strategic Flexibility 0.8408 0.5692
1. Our organization has difficulty maximizing new market
opportunities (RC) 0.7486
2. Our organization is able to introduce new products/services
0.7339
3. Our organization has difficulty accommodating major changes
in basic product designs or service offerings (RC)
0.7557
4. Our organization is able to manage the impact of serving new
classes of customers 0.7789
Supply Chain Performance 0.9456 0.7773
1. Our organization consistently meets or exceeds our corporate
goals for the proportion of product/service orders immediately
filled
0.8927
2. Our organization consistently meets or exceeds our corporate
goals for on-time delivery of products/services 0.9296
3. Our organization consistently meets or exceeds our corporate
goals for customer response time (the time between an order and its
delivery).
0.9046
4. Our organization consistently meets or exceeds our corporate
goals for minimizing the total amount of time required to produce
an item or provide a service.
0.8931
5. Our organization consistently meets or exceeds our corporate
goals for minimizing goals for customer complaints
0.7806
RC: reverse coded
-
46
Table 4 IT Integration
IT Integration Formative Measures Weights
1. Compared to rivals in our industry, our organization has the
foremost in available IT systems 0.064908
2. User-friendly electronic links exist between our organization
and its supply chain partners 0.267506
3. Our organization formally addresses the issue of data
security 0.318061
4. All remote, branch, and mobile offices are electronically
connected to the central office 0.038028
5. There are numerous identifiable communication bottlenecks
within our organization 0.277407
6. New locations or acquisitions are quickly assimilated into
our IT infrastructure (D)
7. Remote, branch, and mobile offices have easy access to data
from the home or central office 0.285407
8. Our organization offers a wide variety of types of
information to end users (e.g. multimedia) 0.04279
9. Our user interfaces provide transparent access to all
applications -0.14486
10. Data received by our organization from electronic links with
our supply-chain partners are reliable (D)
11. Our organizations ability to make rapid IT change is high
0.16233
12. Information is shared seamlessly across our organization,
regardless of the location 0.158774
-
47
Table 5 Tests of Multicollinearity
IT Integration Formative Measures
Variance Inflation Factor
(Dependent variable = Organizational
Strategic Flexibility)
Variance Inflation Factor
(Dependent variable = Supply Chain Performance)
1. Compared to rivals in our industry, our organization has the
foremost in available IT systems
1.807 1.807
2. User-friendly electronic links exist between our organization
and its supply chain partners 1.925 1.925
3. Our organization formally addresses the issue of data
security 1.624 1.624
4. All remote, branch, and mobile offices are electronically
connected to the central office 1.961 1.961
5. There are numerous identifiable communication bottlenecks
within our organization
1.392 1.392
6. New locations or acquisitions are quickly assimilated into
our IT infrastructure (D)
7. Remote, branch, and mobile offices have easy access to data
from the home or central office
2.347 2.347
8. Our organization offers a wide variety of types of
information to end users (e.g. multimedia)
2.114 2.114
9. Our user interfaces provide transparent access to all
applications 2.164 2.164
10. Data received by our organization from electronic links with
our supply-chain partners are reliable (D)
11. Our organizations ability to make rapid IT change is high
2.570 2.570
12. Information is shared seamlessly across our organization,
regardless of the location 2.723 2.723
-
48
Table 6 Tests of Discriminant Validity
ERM
Organizational Strategic
Flexibility Supply Chain Performance
Average Variance Extracted 0.748041 0.569175 0.777269 SQUARED
INTER-CONSTRUCT CORRELATIONS ERM 1.00 Organizational Strategic
Flexibility 0.189349 1.00 Supply Chain Performance 0.236413
0.352501 1.00
-
49
Table 7 Inter-Construct Correlations
ERM IT IntegrationOrganizational
Strategic Flexibility Supply Chain Performance
ERM 1.000000 IT Integration 0.682187 1.000000 Organizational
Strategic Flexibility 0.435142 0.647511 1.000000
Supply Chain Performance 0.486223 0.580876 0.593718 1.000000