ENHANCING STRATEGIC FLEXIBILITY AND PERFORMANCE THROUGH RISK MANAGEMENT: THE ENABLING ROLE OF IT INTEGRATION
Vicky Arnold University of Central Florida
University of Melbourne
Tanya Benford University of Central Florida
Joseph Canada University of Central Florida
Steve G. Sutton University of Central Florida
University of Melbourne
October 2008
Preliminary Draft Please do not quote without permission.
* This research was funded by the Institute of Internal Auditors Research Foundation. The authors wish to thank the IIARF for their generous funding and support of our research. We thank Raj Echambadi and Clark Hampton for their advice and feedback during the development of this paper as well as participants in workshops at the University of Auckland and University of Central Florida for their valuable feedback on earlier versions of this manuscript. We also thank Randy Kuhn for his research assistance.
Abstract
Since the passage of the Sarbanes-Oxley Act in the U.S., the business press has consistently reported on companies' and business consortiums' proclamations of the negative effect of new internal control requirements on supply chain performance. Early studies on organizations' experience with SOX control compliance efforts have been contradictory; some organizations have experienced significant deleterious effects while other organizations have continued to prosper. In this study, theory on capability-building for entrepreneurial action (Sambamurthy et al. 2003) is used as a basis for understanding the observed phenomenon. In our research model, which operationalizes the theory, enterprise risk management (ERM) forms the primary organizational driver for enhanced IT integration, maintaining organizational strategic flexibility, and facilitating supply chain performance. Based on responses from 155 Chief Audit Executives, the results provide strong support for both the underlying theory and its applicability to understanding the varied effects of SOX 404 compliance on organizations.
The results indicate that ERM leads to higher levels of IT integration across two dimensions: IT compatibility and IT connectivity. The results also highlight the fundamental importance of high levels of IT integration to strategic opportunities within the firm as it is shown that IT integration fully mediates the relationship between ERM and strategic flexibility and partially mediates the relationship between ERM and supply chain performance. Additionally, the previously reported relationship between IT integration and supply chain performance is partially mediated by the level of organizational strategic flexibility. Overall, there is strong support for the theory and additional clarity is provided to the practice environment on the effective implementation of ERM processes and its use for facilitating competitive action.
Key words: Enterprise risk management, IT competence, IT integration, IT flexibility, strategic flexibility, organizational flexibility, supply chain performance, IT-enabled business processes.
1. INTRODUCTION
Substantial efforts by information systems (IS) researchers have been invested in
attempts to better understand how and when value is created by IT investments (Kohli and
Devaraj 2003; Melville et al. 2004). However, the documented results from the multitude of
studies are inconsistent; increasingly researchers are recognizing that value is generally driven by
other organizational factors, thus a different way of measuring IT value may be preferable (Kohli
and Devaraj 2003). The recent perspective has evolved toward a real options theory that views IT
investment as a means of building a platform to facilitate both current and future IT-enabled
functionalities (Sambamurthy and Zmud 2000). A critical part of developing this platform is the
integration of disparate information sources across the organization to facilitate process
integration. Absent such IT integration, business processes are often fragmented leading to poor
customer responsiveness and missed opportunities for innovation (Rai and Sambamurthy 2006).
The theory of capability-building for entrepreneurial action integrates these alternative views
into a more strategic, management-oriented perspective on creating value from IT (Sambamurthy
et al. 2003).
This study applies the theory of capability-building for entrepreneurial action as the basis
for interpreting the various experiences reported by companies during their efforts to comply
with new regulatory mandates for effective managerial control and risk management. These
regulatory mandates came about with the passage of the Sarbanes-Oxley Act of 2002 (SOX)
which radically changed the way organizations view corporate governance. One dimension of
this change is an increased focus on enterprise risk management (ERM) processes, a much
broader strategic view of organizational control than a more traditional, accounting-oriented
view on internal control. While SOX regulation focused on financial controls, the impact was to
extend the documentation and review of control systems to an enterprise level view that included
strategic, operational, reputational, regulatory, and information risks (Katz 2003; Banham 2003,
Sutton et al. 2008).1
The variances in experiences reported by companies during the SOX compliance process
have raised questions about the efficiency of control implementation in many organizations
(Arnold et al. 2007). Many organizations implemented heavily manual-oriented processes to
achieve control objective requirements and these manual-oriented controls appear to have often
slowed down organizations' business processing, reduced organizations' strategic flexibility, and
hampered supply chain activities. On the other hand, organizations that took a strategic focus to
implementing comprehensive ERM processes and used more automation in their control
processes appeared to be less impacted in terms of flexibility, supply chain performance, and
overall organizational competitiveness (Arnold et al. 2007). Still, the business press generally
focuses on the less successful implementations, frequently reporting on the negative
consequences of SOX compliance on organizations' performance, and questioning
SOX-compliant companies' ability to maintain competitiveness in the marketplace (Banham 2003;
Katz 2003; Reason 2006).2
1 This push to an enterprise level focus also meant that the responsibility for managing and reviewing control structures similarly rose to falling under the auspices of C-level management (e.g. CEOs, CFOs, CIOs, CAEs) (Beasley et al. 2005; Sutton et al. 2008). In some organizations the Chief Information Officer (CIO) led the SOX internal control compliance effort while in most organizations the CIO was a critical member of the compliance planning and implementation teams (Arnold et al. 2007; Sutton and Arnold 2005).
2 These concerns were further highlighted with the release of the Schumer Bloomberg McKinsey (2007) report on the U.S. Senate floor with its focus on the decreased competitiveness of U.S. stock exchanges in the face of SOX regulation and related concerns over the flow of available capital to support growth and innovation.
This study's examination of ERM implementation effects on organizational performance
uses an operational model based on Sambamurthy et al.'s (2003) theory of capability-building
for entrepreneurial action. ERM becomes the focal point, as ERM is a process that can be used to
facilitate entrepreneurial alertness. ERM is both a critical element of an organization's ability to
monitor internal and external activities in order to effectively react to changes in the
marketplace; and, in the form of COSO's ERM Framework (COSO 2004), ERM was also the
most prevalent strategy used by firms to meet SOX compliance requirements3 (Beasley et al.
2005).
The purpose of this study is to examine the relationship between firms' effectiveness of
ERM integration and the two issues of primary concern in critiques of SOX compliance
mandates: maintaining strategic organizational flexibility and strengthening supply chain
performance. ERM is evaluated as a top down strategy driven by C-level management of the
firm. Accordingly, ERM is viewed as offensive and strategic as opposed to a more traditional
control orientation with a defensive posture (Liebenberg and Hoyt 2003). Central to our research
is a focus on the role of information technology (IT) integration in facilitating the
interrelationships between ERM, strategic organizational flexibility and supply chain
performance (Sambamurthy et al. 2003). IT integration is viewed as a key enabler of effective
ERM integration (COSO 2004) and case research provides preliminary evidence indicating IT
3 The focus on enterprise level governance and control was reinforced by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) revision of their 1992 internal control framework (COSO 1992) to encompass this same broad enterprise risk management (ERM) perspective (COSO 2004). The New York Stock Exchange (NYSE) also altered its Corporate Governance Rules to explicitly mandate Boards' audit committees to assume specific responsibilities with respect to risk assessment and risk management at the enterprise level (Beasley et al. 2005). Accordingly, most organizations falling under SOX section 404 reporting requirements on internal controls adopted COSO's (2004) ERM Framework as the basis for documenting, evaluating, and assessing the viability of control structures (Beasley et al. 2005).
integration may be a key construct to understanding the variable impact of SOX compliance
efforts on organizational performance (Arnold et al. 2007).
This research contributes to the information systems literature at two distinct levels. First,
the research demonstrates the joint effects of ERM, IT integration, and strategic flexibility on
supply chain performance, thereby providing support for Sambamurthy et al.'s (2003) theory. In
this vein, the research also demonstrates how these relationships can be captured and modeled.
Second, this study helps broaden the perspectives on governance in the IS literature from a focus
on IT governance as a means for controlling the use of IT resources (e.g. Sambamurthy and
Zmud 1999; Xue et al. 2008) to instead viewing IT as an enabler of a broader governance
structure. Sambamurthy and Zmud (1999) note that IT governance is difficult to study in
isolation as overall organizational governance efforts influence how IT governance takes shape.
In contemporary ERM-driven business environments, we view IT as the enabler of ERM and IT
integration is driven by the needs of the organization as ERM strategies are expanded across and
beyond the enterprise.
This research is also important to practice as it examines the nature of ERM and explains
why some organizations have seen improved performance under new governance structures
while other organizations perceive a loss of flexibility and a deleterious effect on supply chain
performance (Robey and Boudreau 1999). The results of the research show that effective ERM
integration is associated with improved organizational strategic flexibility and higher levels of
supply chain performance. Further, the results show the critical role of broad IT integration in
facilitating and enabling these relationships.
The remainder of the paper is organized into four sections. In Section 2, the underlying
theoretical basis for the hypotheses is presented and the research model is developed. This is
followed by the research methods section and the results section. The fifth and final section
provides a summary of the research findings, a review of the limitations of the study, and a
discussion of the implications of the research findings.
2. THEORETICAL DEVELOPMENT & HYPOTHESES
The intent of Sambamurthy et al.'s (2003) theory on capability-building and
entrepreneurial action is to broaden the understanding of the strategic role of IT through an
improved understanding of the interrelationships that create value from IT investments. There
has been a lack of clarity on the impact of IT at the organizational level as prior studies provide
contradictory evidence on the benefits of similar IT systems implemented in different
organizations (Robey and Boudreau 1999). Similarly, contradictory evidence has been prevalent
when examining firms' experiences with SOX control compliance and ERM implementation:
some firms show controls impeding flexibility and competitiveness while other firms do not
experience hindrances and oftentimes see improvement (Arnold et al. 2007).
Sambamurthy et al.'s (2003) theory provides a basis for interpreting these contradictory
results in the case of both IT investment and ERM implementation. The theory focuses on the
interactive nature of organizational structures and IT competencies in supporting competitive
actions. These interactions are coevolutionary in that entrepreneurial alertness drives the
leveraging of IT competencies, encourages the maintenance of organizational agility, and
influences the interaction between the two (see Figure 1). In addition learning takes place as
organizations gather experience through competitive actions and gain an understanding of how
existing utilization of IT competencies and organizational agility facilitate successful action. As
organizations learn, their entrepreneurial alertness drives further utilization of IT competencies
and enhances the organizations' agility.
[Insert Figure 1 about here]
Within the theory, entrepreneurial alertness is defined as the capability of a firm to
explore its marketplace, detect areas of marketplace ignorance, and determine opportunities for
action (p. 250). This includes both strategic foresight (i.e. the ability to foresee risks and
opportunities) and systemic insight (i.e. the ability to use foresight to shape competitive actions
that provide advantage). This entrepreneurial alertness can be encoded in many organizations
through ERM processes that are designed to aid organizations in identifying potential events that
may affect the organization's ability to manage identified risks (COSO 2004, p. 2) and enable it
to respond strategically to both risks and opportunities (Liebenberg and Hoyt 2003).
Accordingly, our operationalization of the theory focuses on ERM as an entrepreneurial strategy
for broadly influencing the various components: leveraging IT capabilities, enhancing
organizational agility, and enabling competitive actions.
Sambamurthy et al. (2003) view the leveraging of IT competencies as evolving from the
(1) IT resources and capabilities that have been developed within the organization (IT
competence) and (2) the digital options which are the way in which management views that
existing IT competencies can be leveraged to facilitate agility and performance. To support ERM
activities, leveraging IT competencies becomes critical across two dimensions: IT compatibility
(i.e. the ability to share information across systems and business processes in order to facilitate
necessary information flow) and IT connectivity which forms the linkages to internal and
external information necessary for assessing risks and opportunities (Byrd and Turner 2000).
These two dimensions, which represent IT integration, help facilitate the flow of both internal
and external information needed to assess changes in and react to the marketplace (McAfee
2002; Cotteleer and Bendoly 2006; Swafford et al. 2006). The model within the current study
operationalizes IT competence and digital options through IT integration.
Agility is defined as the ability to detect opportunities for innovation and seize those
competitive market opportunities by assembling requisite assets, knowledge and relationships
with speed and surprise (Sambamurthy et al. 2003, p. 245). Agility is often thought of as
flexibility with the differentiating dimension being speed. The interest in this study is not on
speed but is on the organization's ability to be flexible at the customer and operational levels in
order to bring products to market more strategically. Thus, the emphasis is more on
organizational strategic flexibility than on the speed and surprise.
From an outcome perspective, the competitive actions of interest in this study revolve
around the ability to achieve high levels of performance in supply chain activities in a well-
controlled environment that comes with ERM. As such, we focus on supply chain performance
as the competitive actions of interest.
This forms the basis for our conceptual model, which is developed in the following
sections, as shown in Figure 2. A significant distinction between our operationalization and
Sambamurthy et al.'s (2003) theory is the types of relationships between entrepreneurial
alertness/ERM and the other firm competencies. Sambamurthy et al. (2003) theorize that
entrepreneurial alertness enhances the relationships between the aforementioned firm
competencies, while our study models and observes more direct effects upon the firm
competencies themselves. Before proceeding to the specific hypotheses generation, the following
sub-section focuses on elaboration of ERM processes from a practical and applied perspective to
clarify further the entrepreneurial alertness that is inherently derived through ERM.
[Insert Figure 2 about here]
2.1 Entrepreneurial Alertness and ERM
COSO initiated its ERM framework in 2001 amidst the aftermath of a series of high
profile business scandals and in the face of calls for enhanced corporate governance and risk
management specifically to address legal, regulatory and compliance concerns (COSO 2004).
ERM is designed to enable an organization's management to address uncertainty and the
associated risks and opportunities in order to build value (COSO 2004). COSO (p. 2) defines
ERM as:
a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objects.
In reflecting upon this definition, COSO (2004) goes on to note several embedded, fundamental
concepts that are of particular concern here. First, because information must be shared across the
organization, ERM is affected by people at every level of an organization. Second, ERM is
fundamentally applied in a strategy setting (COSO 2004, p. 2). This is consistent with the
Canadian Government's position on ERM as articulated by the Treasury Board (2001). In
particular, the Treasury Board defines ERM as being about making strategic decisions that
contribute to the achievement of an organization's overall corporate objectives (p. 10).
While everyone in the organization has some responsibility for ERM, an organization's
Board of Directors has overall responsibility for ensuring risks are managed while in practice the
management team is generally delegated with the responsibility (Institute of Internal Auditors
2004). This means the CEO is ultimately responsible and should take ownership while also
involving other key C-level executives such as the CFO, CIO and CAE (COSO, p. 6). As such,
ERM integrates risk management activities while elevating its status as a key component of the
firm's overall strategy thus enabling the company to respond strategically to both risks and
opportunities (Liebenberg and Hoyt 2003).
In building an organization's risk profile, information and knowledge must be aggregated
across the strategic and operational levels to assist managers in understanding the range of risks
faced (internally and externally) and the related opportunities (Treasury Board 2001, p. 15). To
facilitate the aggregation of information and knowledge across the organization, the Treasury
Board recognizes the need to consider potential technological solutions to support the on-going
activities including technologies such as the Internet and organizational Intranets that can
facilitate risk awareness and management through information sharing both internally and
externally (Treasury Board 2001, p. 31). Similarly, COSO recognizes the need for information
and communication processes that assure relevant information is identified, captured, and
communicated in a timely manner to facilitate management responsiveness. Such information
communication must occur in a broad sense, flowing down, across, and up the entity (p. 4). In
essence, the IT systems must be designed in a manner that facilitates information sharing across
the organization and connectedness among the organization's management at both strategic and
operational levels.
In summary, the ERM movement from a practice perspective focuses on the use of ERM
to identify risk and opportunities to facilitate organizational strategic flexibility, the
fundamental capabilities of interest in Sambamurthy et al.'s (2003) view of entrepreneurial
alertness. Likewise, ERM should allow the organization to respond in a way that facilitates
improved performance both through effective risk management and through maintenance of
organizational strategic flexibility.
2.2 ERM, IT Integration & Facilitating Flexibility
As noted in the discussion on ERM, the availability of information from and sharing
knowledge across the organization is fundamental to supporting ERM processes. The
information needs specified within COSO necessitate the availability of IT systems that provide
a timely view of various risks spread across the organization (Levine 2004). Lam (2003) notes
that one of the greatest challenges of implementing effective ERM strategies is aggregating the
underlying data required to monitor diverse organizational risks. This view is consistent with the
evolving stream of IT research that maintains that one of the most critical roles of the IT function
is the support of on-going interactions among users to ensure management is prepared to respond
to emerging business needs and opportunities (Clark et al. 1997; Sambamurthy and Zmud 2000;
Rai and Sambamurthy 2006; Bharadwaj et al. 2007). This need becomes even more significant as
organizations make decisions in increasingly turbulent environments (Pavlou and El Sawy 2006).
One of the drivers of the enterprise systems movement was the value of such systems in
facilitating coordination and alignment of manufacturing production functions (O'Leary 2000;
McAfee 2002; Gattiker and Goodhue 2005; Banker et al. 2006; Cotteleer and Bendoly 2006).
The development of strong IT integration is not prevalent in many organizations,
however, and Arnold et al. (2007) note this as an issue plaguing the companies in their case
studies that were struggling with SOX control compliance. This is consistent with Beasley et
al.'s (2003) finding that many organizations have not initiated ERM processes or have only put
in place rudimentary procedures. ERM is often hampered by the lack of systems level integration
necessary to access information easily and to monitor risks across the organization (Frie et al.
1999).
IT integration such as that required for effective ERM is more likely to occur by design
than to be preexisting. This is consistent with the capability building aspect of Sambamurthy et
al.'s (2003, p. 250) theory where a key component of entrepreneurial alertness is systemic
insight: the ability to visualize connections between digital options, agility capabilities, and
emerging market opportunities in architecting competitive actions. Firms with the strongest IT
integration tend to have established enterprise architecture standards to enhance compatibility of
IT components and to facilitate application integration and data sharing across the enterprise
(Boh and Yellin 2006-7). The existence of strong horizontal integration and coordination across
the enterprise usually evolves in the presence of enterprise architecture standards, which in turn
tend to be a product of effective IT governance (Brown 1999; Peterson 2004). This is not IT
governance from a centralized/decentralized perspective, but rather IT governance as a part of
the broader corporate governance structure and strategic planning (Sambamurthy and Zmud
1999; 2000).
This focus on enterprise wide data sharing and coordination is reflective of the need for
enterprise-wide systems to have strong IT compatibility and integration to support ERM
processes. IT compatibility is the ability to share any type of information across any type of
technology component (Byrd and Turner 2000). High IT compatibility is indicative of ready
accessibility to critical data from anywhere within the organization and suggests a transparency
of information. Such capability is viewed as arising from a firm's leveraging of its investments in
IT resources to build systems that leverage effectiveness, efficiency and flexibility (Ross 2003).
This leveraging arises from the governance mechanisms adopted by organizations to facilitate IT
integration and in turn support ERM processes. This leads to the first hypothesis:
H1: Increases in enterprise risk management have a positive impact on information technology integration.
There is a general assumption that effective organizations have to cope with an
accelerating rate of change; and, in order to succeed in a given business environment, the
organization needs flexibility to adapt to the environment (Batra 2006). However, flexibility is
by design. Management must be concerned with the controllability or changeability of the
organization which is dependent on creating effective processes that foster flexibility (Batra
2006). The controllability aspect comes from effective ERM processes (Treasury Board 2001)
while the IT integration designed to facilitate these ERM processes provides the monitoring to
ensure that the responses to the competitive environment are aligned with overall enterprise
strategy. This is consistent with Batra's (2006) definition of flexibility: the degree in which an
organization has the management capabilities to increase the control capacity in a timely fashion
to react to risks and opportunities. Thus, organizational strategic flexibility is reflective of an
ability to respond appropriately and timely to rapid changes in the competitive environment and
is dependent on the managerial capabilities and the organizational responsiveness (Volberda
1996). The continuous focus on timeliness is where the importance of strong IT integration
becomes apparent. IT flexibility and integration are key to facilitating a timely response to
changes in the environment. Without easy accessibility to enterprise-wide data on performance
and capabilities, an organization has little opportunity to respond to new product or service
opportunities that require high levels of organizational strategic flexibility (Swafford et al. 2006).
The focus on information accessibility from across the organization is consistent also
with the findings in the managerial control literature. First, this literature highlights the role of
effective managerial control for maintenance of strategic flexibility (Simon 1990; Davila 2000;
Chenhall 2003; Ditillo 2004; Naranjo-Gil and Hartman 2006). Second, the managerial control
literature points to the importance of diverse, accessible information. Broad-based information is
viewed as critical to strategically oriented firms (Bouwens and Abernethy 2000) and is necessary
to support organizational flexibility (Abernethy and Lillis 1995). This leads to the second
hypothesis:
H2: Increases in information technology integration have a positive impact on organizational strategic flexibility.
The use of this diverse information appears to be the source driving enhanced
organizational strategic flexibility. As the Treasury Board (2001) notes, risk management is the
systemic approach by which information is identified, assessed, and communicated in the
presence of environmental uncertainty. For effective ERM, this information flow and analysis
must be driven from an enterprise-wide view of easily accessible data. Nonetheless research
suggests that this relationship between ERM and organizational strategic flexibility is enhanced
through infrastructure standardization that facilitates the flow of information (Gattiker and
Goodhue 2005; Bendoly et al. 2007). Effective infrastructures both maintain routine control for
the organization and provide the means for adapting in the face of major changes (Bendoly et al.
2007). While effective ERM seems to be a precursor to the maintenance of organizational
strategic flexibility, the level of IT integration is the catalyst that allows for effective ERM and in
turn high levels of flexibility. That leads to the third hypothesis:
H3: Information technology integration mediates the impact of enterprise risk management on organizational strategic flexibility.
2.3 IT Integration, Flexibility & Supply Chain Performance
A growing body of literature that addresses the link between organizational strategic
flexibility and supply chain performance is currently emerging. As Palanisamy (2005) notes,
organizations look for flexibility to cope with environmental changes and thereby garner
competitive advantage. Flexibility does not necessarily imply added operational complexity
(Bendoly et al. 2007). At the same time, effective IT integration helps reduce this complexity
through easier and more timely access to information necessary to assess and react to risks (Rai
et al. 2006; Swafford 2006). Thus, the investment in technology is leveraged through the
existence of a flexible organization (Bendoly et al. 2007). Alternatively, firms lacking good IT
integration have difficulty supporting coordinated activities across the organization, which can
lead to inferior decision making (Bharadwaj et al. 2007). The result is a need for both
organizational strategic flexibility and IT integration for effective supply chain performance to
emerge.
Strategic flexibility allows the organization to respond to opportunities as they are
presented, whether they are client relationships, new product releases, or new partnering
relationships within supply chains (Swafford et al. 2006). Thus, strategic flexibility in itself
facilitates organizational effectiveness; and, for those companies integrated within supply chains,
this flexibility should enhance related performance (Batra 2006). High flexibility also allows an
organization to respond quickly to strategic moves by competitors and likewise should allow the
organization to initiate its own strategic moves in order to garner competitive advantage (Byrd
and Turner 2001; Swafford et al. 2006). In either case, organizational strategic flexibility should
enable a firm to maintain stronger supply chain performance. This leads to the fourth hypothesis:
H4: Increases in organizational strategic flexibility have a positive impact on supply chain performance.
Likewise, broad IT integration should also facilitate supply chain performance (McAfee
2002; Cotteleer and Bendoly 2006). IT is rapidly becoming an integral part of the supply chain
process and IT enhances supply chain logistics by providing real-time information on product
capability for delivery and markets (Paulraj and Chen 2007). IT is critical as information is
fundamental to decision making across the supply chain (Byrd and Davidson 2003). However IT
integration itself does not drive the supply chain, but rather the organization's ability to leverage
and use that information does (Rai et al. 2006), e.g. organizational strategic flexibility. IT
integration at the enterprise-wide level is beneficial if that information can be leveraged. That
leads to our fifth hypothesis:
H5: Organizational strategic flexibility mediates the impact of information technology integration on supply chain performance.
2.4 ERM and Supply Chain Performance
Proponents of ERM argue that monitoring risk and opportunities makes ERM a
significant source of competitive advantage (Beasley et al. 2003); but, ERM is only effective in
the presence of broad based information and knowledge that allows an accurate and timely
picture of the risks and opportunities to be assessed (Sambamurthy and Zmud 2000; Pavlou and
El Sawy 2006). Thus, IT integration would be expected to mediate the relationship between
ERM and supply chain performance. That leads to the sixth and final hypothesis:
H6: Information technology integration mediates the impact of enterprise risk management on supply chain performance.
3.0 RESEARCH METHOD
The purpose of this study was to examine the roles of ERM, IT integration and
organizational strategic flexibility in advancing supply chain performance. Partial least squares
analysis (SmartPLS 2.0 2005) was used for construct validation, data analysis, and path analysis
for the theoretical model hypothesized in the current study. The remainder of this section
discusses participant characteristics, instrument development and validation, data analysis, and
the study results.
Participants
The Institute of Internal Auditors Research Foundation hosted the survey used in the
current study on their Global Audit Information Network (GAIN). GAIN emailed invitations to
participate in the survey to 1,383 chief audit executives (CAEs) and 251 members responded for
a total response rate of 18.1%. Of the 251 respondents, 7 respondents did not identify themselves
as audit executives or the equivalent and each reported less than 5 years' experience, and 5
respondents did not complete the survey. These 12 respondents were excluded from further
analysis. The remaining data were examined to determine whether there were patterns to any
missing responses. A test of overall randomness found all missing responses were missing
completely at random (MCAR) (chi-square = 585.634, df = 609, p-value = 0.745) and the
expectation maximization algorithm (EM) (SPSS 15.0 2006) was used to calculate replacement
values (Hair et al. 2006). Because the goal of this study was to examine factors affecting
organizations' supply chain performance, participants indicating that more than 10% of the
survey measures were not applicable to their organization were also excluded from further
analysis; all of the subsequent analyses pertain to the remaining 155 participants.
Ninety of the participants in this study were employed at organizations that had
completed one or more filings consistent with section 404 of SOX and sixty-three were
employed at organizations that had not completed such a filing at the time of the survey.
Demographic data, shown in Table 1, reveals that 84.52% (131) of the participants had over ten
years of professional experience. The primary industries represented were manufacturing
(18.71%), insurance (16.77%), financial services (14.19%), and wholesale/retail (8.39%). One
hundred nine (70.3%) of the participants were male, 45 (29.0%) were female and 1 respondent
chose not to respond to this question on the survey.
[Insert Table 1 about here]
3.1 Survey Instrument
The online survey, which was hosted by GAIN, was designed to collect measures of the
latent variables as well as participant demographic data. As shown in Figure 2, the theoretical
model employed in this study depicts the hypothesized relationships between organizations'
ERM processes, IT integration, organizational strategic flexibility, and supply chain
performance. Each item was measured using a five point Likert scale where 1 represented
"strongly agree" and 5 represented "strongly disagree"; 6 was used to allow participants to
respond "N/A Don't Know". The items used to measure these constructs and
descriptive statistics for each item are presented in Table 2.
[Insert Table 2 about here]
Organizations adopt ERM to facilitate the holistic identification and assessments of risks
that can impact firm value. The COSO (2004) ERM Framework was used to develop the five
ERM measures employed in the current study. In developing the item measures for the construct,
discussions were conducted with six different organizations on their ERM implementations,
success level with ERM, and impact on SOX compliance difficulty. These discussions made it
clear that simply implementing the components of the COSO framework was inadequate and that
effectiveness was derived from the integration of the components and the flow of information to
top level management that could strategically address the risks and opportunities identified. As a
result, the item measures were designed to focus more on integrated objectives rather than
component parts with a desire for reflective measures rather than a component based formative
measure.
The measures of the IT integration construct combine two sub-components of Byrd and
Turner's (2000) IT flexibility infrastructure and reflect the firm's ability to engage in
intra-organization sharing of information. Organizational strategic flexibility is a measure of an
enterprise's ability to manage the opportunities and challenges inherent in a competitive
environment. This study employs measures of organizational strategic flexibility consistent with
those previously validated by Cannon and St. John (2004). A supply chain represents the
integration of key business processes from end-user through original suppliers that provides
product, service, and information that add value for customers and other stakeholders (Lambert
1998, p.1). The measures of supply chain performance are output measures, which were adapted
from Beamon (1999), and reflect the organization's ability to meet or exceed its customer service
goals and objectives. Item measures for all of the constructs are shown in Table 2.
3.2 Data Analysis
Because this study employed constructs that were both exogenous and endogenous (IT
integration and organizational strategic flexibility) and one of the latent variables (IT integration)
was formative rather than reflective, partial least squares analysis (SmartPLS 2.0 2005) was used
to both assess the reliability of the measurement model and test the structural model.
Initial data analysis revealed that four of the items shown in Table 2 were deemed not
applicable by more than 10% of the participants.[4] A review of the industry demographics for this
study was consistent with non-applicability of these items; therefore, these items were also
dropped from further analyses. The "N/A Don't Know" responses for each of the remaining
measures appear to be missing completely at random (chi-square = 708.295, df = 669, p-value = 0.142) and
EM (SPSS 15.0 2006) was used for imputation of these data (Hair et al. 2006).
[4] The first item was "Our organization consistently meets or exceeds our corporate goals for minimizing backorders/stockouts"; 35.5% (55) selected not applicable. The second item was "Our organization consistently meets or exceeds our corporate goals for minimizing shipping error"; 32.3% (50) selected not applicable. The third item was "Data received by our organization from electronic links with our supply chain partners are reliable"; 20% (31) selected not applicable. The fourth item was "New locations or acquisitions are quickly assimilated into our IT infrastructure"; 10.3% (16) selected not applicable.
3.3 Measurement Model Reliability and Validity
In this study, factor loadings, composite construct reliability and average variance
extracted are employed to assess validity of the reflective constructs. As shown in Table 3, each
of the item measures has a standardized factor loading greater than 0.70. The related composite
construct reliability of each of the reflective constructs is greater than the recommended 0.70,
and the related average variance extracted is greater than or equal to 0.50 supporting the
convergent validity of the reflective constructs employed in this study (Fornell and Larcker
1981).
[Insert Table 3 about here]
IT integration, a formative construct, combines measures of IT connectivity and IT
compatibility adapted from Byrd and Turner (2000), thus these measures represent different
facets of IT integration; the weights for the formative measures of IT integration are presented in
Table 4. Because a formative construct is specified as a multiple regression equation
(Diamantopoulos et al. 2008) it is important to rule out multicollinearity. Variance inflation
factors were calculated for each of the 10 indicators of IT integration, first using a measure of
organizational strategic flexibility and then using a measure of supply chain performance. As
shown in Table 5, the maximum variance inflation factor was 2.7, which is below the threshold of
3.3, and therefore all ten items were retained in the model (Petter et al. 2007).[5]
[Insert Table 4 about here]
[Insert Table 5 about here]
[5] Hair et al. (2006) suggest the VIF should be less than 10.0; however, Petter et al. (2007) suggest a more stringent threshold of 3.3 due to greater multicollinearity concerns when using formative measures.
Construct discriminant validity provides evidence that the latent variables in the
measurement model are unique and distinct (Hair et al. 2006). As shown in Table 6, the average
variance extracted for each latent variable is greater than the related squared inter-construct
correlations indicating discriminant validity (Hair et al. 2006). In addition, the maximum inter-
construct correlation of 0.68, shown in Table 7, is below the standard threshold of 0.85, which
also supports construct discriminant validity (Kline 2005).
[Insert Table 6 about here]
[Insert Table 7 about here]
4. RESULTS
This study examines the relationships between organizations' effectiveness of ERM
integration, IT integration, strategic organizational flexibility and the strengthening of supply
chain performance. The theoretical model proposed employs both reflective and formative
constructs necessitating the use of PLS, thus parametric testing is not appropriate; bootstrapping
(500 samples with replacement) was used to calculate t-statistics and standard errors
(Diamantopoulos and Winklhofer 2001). PLS path analysis results (i.e. standardized beta
coefficients, t-values and construct R²) are presented in Figure 3.
[Insert Figure 3 about here]
H1 posits that increases in ERM have a positive impact on IT integration (Figure 2).
Analysis indicates that the standardized path coefficient of H1 (+0.682, t-value = 15.055) is
significant (p-value = 0.01) and in the hypothesized direction, providing support for H1.
H2 states that increases in IT integration positively impact organizational strategic
flexibility. The standardized path coefficient of H2 (+0.656, t-value = 7.386) is also significant
(p-value = 0.01) and in the hypothesized direction, providing support for H2.
H3 states that IT integration mediates the impact of ERM on organizational strategic
flexibility. Three conditions must be met to support a mediation effect (Baron and Kenny 1986).
First, there must be a significant relationship between ERM and IT integration; as noted
previously, H1 provides support for this condition. The next condition requires a significant
relationship between IT integration and organizational strategic flexibility; H2 provides support
for this condition. The third condition requires that when a relationship between ERM and IT
integration is included in the model, a relationship between ERM and organizational strategic
flexibility that was previously significant becomes less significant. This condition is also satisfied
as shown in Figure 4. For IT integration to mediate the impact of ERM on organizational
strategic flexibility, H1 and H2 should have significant path coefficients while the coefficient for
H3 decreases. Figure 4 suggests that IT integration fully mediates the effect of ERM on
organizational strategic flexibility (i.e. the H3 path coefficient is not significant, t-value = 0.546).
Results of the Sobel test (z-value = 7.314466, p-value = 0.000001) confirm the full mediation
effect.
[Insert Figure 4 about here]
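The three mediation conditions and the Sobel test described above can be traced step by step in code. The following is an added example, not the authors' analysis: it uses ordinary least-squares standard errors on observed scores rather than bootstrapped PLS estimates, the scores are constructed rather than taken from the survey, and all function names are hypothetical.

```python
import math
import random


def ols(y, xs):
    """Regress y on the predictor columns in xs (an intercept is added).

    Returns (coefficients, standard_errors), intercept first.
    """
    n, k = len(y), len(xs) + 1
    rows = [[1.0] + [col[i] for col in xs] for i in range(n)]
    # Solve the normal equations by Gauss-Jordan on [X'X | X'y | I];
    # the identity part ends up holding (X'X)^-1, needed for the errors.
    aug = []
    for r in range(k):
        xtx = [sum(row[r] * row[c] for row in rows) for c in range(k)]
        xty = sum(row[r] * y[i] for i, row in enumerate(rows))
        aug.append(xtx + [xty] + [1.0 if c == r else 0.0 for c in range(k)])
    for p in range(k):
        best = max(range(p, k), key=lambda r: abs(aug[r][p]))
        aug[p], aug[best] = aug[best], aug[p]
        pivot = aug[p][p]
        if abs(pivot) < 1e-12:
            raise ValueError("predictors are perfectly collinear")
        aug[p] = [v / pivot for v in aug[p]]
        for r in range(k):
            if r != p:
                f = aug[r][p]
                aug[r] = [v - f * w for v, w in zip(aug[r], aug[p])]
    beta = [aug[r][k] for r in range(k)]
    resid = [y[i] - sum(b * v for b, v in zip(beta, rows[i])) for i in range(n)]
    sigma2 = sum(e * e for e in resid) / (n - k)
    se = [math.sqrt(sigma2 * aug[r][k + 1 + r]) for r in range(k)]
    return beta, se


def sobel_z(a, se_a, b, se_b):
    """Sobel statistic for the indirect effect a*b."""
    return (a * b) / math.sqrt(b * b * se_a * se_a + a * a * se_b * se_b)


def two_tailed_p(z):
    """Two-tailed p-value of z under the standard normal distribution."""
    return math.erfc(abs(z) / math.sqrt(2.0))


def mediation(x, m, y, crit=1.96):
    """Check the three conditions from the text for the chain X -> M -> Y."""
    (_, a), (_, se_a) = ols(m, [x])                    # condition 1: X -> M
    (_, c), (_, se_c) = ols(y, [x])                    # X -> Y before M is entered
    (_, c_dir, b), (_, se_dir, se_b) = ols(y, [x, m])  # M -> Y and X -> Y together
    t_a, t_b = a / se_a, b / se_b
    t_total, t_direct = c / se_c, c_dir / se_dir
    z = sobel_z(a, se_a, b, se_b)
    if abs(t_a) < crit or abs(t_b) < crit or abs(t_direct) >= abs(t_total):
        kind = "none"
    elif abs(t_direct) < crit:
        kind = "full"       # direct path is no longer significant
    else:
        kind = "partial"    # direct path is weaker but still significant
    return {"t_a": t_a, "t_b": t_b, "t_total": t_total, "t_direct": t_direct,
            "sobel_z": z, "sobel_p": two_tailed_p(z), "kind": kind}


def constructed_sample(n=155, seed=7):
    """Constructed scores (not the study's data): ERM -> IT -> flexibility."""
    rng = random.Random(seed)
    erm = [rng.gauss(0.0, 1.0) for _ in range(n)]
    it = [0.7 * e + rng.gauss(0.0, 0.7) for e in erm]
    flex = [0.6 * i + rng.gauss(0.0, 0.8) for i in it]
    return erm, it, flex


if __name__ == "__main__":
    result = mediation(*constructed_sample())
    for name, value in result.items():
        print(name, value if isinstance(value, str) else round(value, 4))
```

The "full" and "partial" labels follow the distinction drawn in the text: full when the direct path loses significance once the mediator is entered, partial when it shrinks but stays significant.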
H4 posits that increases in organizational strategic flexibility have a positive impact on
supply chain performance. Analysis indicates that the standardized path coefficient of H4 (+0.377,
t-value = 4.189) is significant (p-value = 0.01) and in the hypothesized direction, providing
support for H4.
H5 states that organizational strategic flexibility mediates the impact of IT integration on
supply chain performance. As noted previously, there are three conditions necessary to
support a mediation effect (Baron and Kenny 1986). The first condition requires a significant
relationship between IT integration and organizational strategic flexibility; as shown in Figure 5,
H2 provides support for this condition. The second condition requires a significant relationship
between organizational strategic flexibility and supply chain performance; H4 provides support
for this condition. The third condition requires that a significant relationship between IT
integration and supply chain performance become less significant when a relationship between
IT integration and organizational flexibility is included in the model. As shown in Figure 5, the
t-value decreases from 11.545 to 3.576 but the relationship between IT integration and supply chain
performance is still significant. This significant relationship suggests that organizational strategic
flexibility partially mediates the impact of IT integration on supply chain performance. Results of
the Sobel test (z-value = 3.936834, p-value = 0.000083) confirm the partial mediation effect.
[Insert Figure 5 about here]
H6 posits that IT integration mediates the impact of ERM on supply chain performance.
Once again, the conditions necessary to support a mediation effect are evaluated (Baron and
Kenny 1986). The first condition, which is that there must be a significant relationship between
ERM and IT integration, is satisfied by H1. The second condition, which requires a significant
relationship between IT integration and supply chain performance, is satisfied by H5. The third
condition requires that the inclusion of a relationship between ERM and IT integration causes the
previously significant relationship between ERM and supply chain performance to become less
significant. Figure 6 indicates that IT integration fully mediates the effect of ERM on supply
chain performance; the H6 path t-value is reduced from 7.810 to 1.568. Results of the Sobel test
(z-value = 5.638984, p-value = 0.000001) confirm the full mediation effect.
[Insert Figure 6 here]
Overall the model has strong explanatory power. As demonstrated in Figure 3, ERM, IT
integration and organizational strategic flexibility jointly explain 43.5% of the variation in supply
chain performance. Furthermore, ERM and IT integration jointly explain 41.9% of the variation
in organizational strategic flexibility, as shown by organizational strategic flexibility's R² of
0.419; while IT integration's R² of 0.465 displays ERM singularly explaining 46.5% of the
variation in IT integration. The strong explanatory power of ERM upon and through the other
firm competencies provides very strong support for the theory of capability building and
entrepreneurial action.
5.0 SUMMARY AND DISCUSSION
The results of this study reveal the complex interrelationships that tie ERM and
organizational strategic flexibility together to provide a better understanding of their role in
supporting supply chain performance. The results show strong effects supporting the underlying
theory on capability-building for entrepreneurial action with a specific view towards ERM as a
positive factor in promoting both organizational strategic flexibility and supply chain
performance. However, importantly, IT integration was fundamental to all of the relationships in
the model. This indicates that strong IT integration and sharing of data through enterprise-wide
systems is critical to maximizing the value of ERM activities on both flexibility and
performance.
5.1 Limitations and Related Opportunities for Future Research
Before reviewing the implications of the research findings, the limitations of the research
that should be considered when weighing the results and considering future related research are
briefly outlined in this subsection. First, the use of a single informant to evaluate the various
dimensions of organizational structure and performance could be subject to common method
bias. However, the testing of the underlying dimensions of the various constructs should
minimize these concerns. Additionally, the access we were given to a C-level executive (i.e. the
Chief Audit Executive) who has primary responsibility for assessing, and in some cases
implementing, risk management procedures as well as assessing the efficiency and effectiveness
of operations provides access to the individual in the best position to assess the various
dimensions of the conceptual model.
Second, our measurement variables included constructs that were developed specifically
for this research and had not been previously validated. Additionally, our item measures for the
ERM construct adhere strictly to contemporary thinking on the need for an enterprise risk focus
and the relative newness of this concept may lead to the need for this particular construct to
evolve over time as ERM theory develops and further evolves. However, each of the constructs
that were developed, including ERM, evolved from existing theory on the underlying
components and characteristics of the constructs. Nonetheless, future use of these constructs in
other research studies will help over time to assess the robustness of the constructs both
temporally and across a variety of respondent types.
Third, our application of the theory on capability-building for entrepreneurial action takes
a slightly narrower view than the more general theory. The use of ERM as an operationalization
for entrepreneurial alertness is slightly narrower in scope. Likewise, the use of organizational
strategic flexibility to operationalize agility focuses on the reactive part of agility more than the
timeliness of reaction component. Finally, our focus on supply chain performance as the
competitive action of interest is only one of many competitive actions that will be of interest to
an organization. Further tests of Sambamurthy et al.'s (2003) theory should consider the
appropriate operationalization of variables, especially in relation to the dependent variable (i.e.
competitive action) of interest.
5.2 Contributions and Implications for Theory
This study examined a theory of capability-building for entrepreneurial action that views
processes designed to facilitate entrepreneurial alertness as fundamental to the building on and
interrelationships between leveraging of IT capability, organizational agility, and resulting
competitive actions (Sambamurthy et al. 2003). ERM was introduced as a widely adopted
technique by many organizations for facilitating improved entrepreneurial alertness. In the face
of relatively new compliance requirements instigated by the passage of SOX and its related
requirements for compliance reporting on financial control systems, most organizations have
focused on applying COSO's (2004) ERM framework as the foundation for ensuring appropriate
compliance. Additionally, regulatory mandates at the stock exchange level (e.g. New York Stock
Exchange) have further highlighted the risk management aspects of control systems (Beasley et
al. 2005).
The results provide strong support for the underlying theory. Stronger ERM processes
provide enhanced leveraging of enterprise-wide data sharing capability, higher levels of strategic
flexibility, and higher levels of supply chain performance. IT integration's mediation effects
demonstrate the significance of a strong IT platform to future strategic purposes. This is
consistent with the real options theoretical lens, which views IT as a resource that should be
developed to provide future flexibility and competitive advantage (Sambamurthy and Zmud
2000). The results related to organizational strategic flexibility highlight a major component of
organizational agility and demonstrate the enhancing effects of both ERM and IT integration on
agility. This result is consistent with findings in managerial control research that suggests higher
levels of information availability are needed to maintain flexibility in strategic-oriented
organizations (Bouwens and Abernethy 2000; Abernethy and Lillis 1995). Our study improves
the understanding of this relationship by using the theory of capability-building and
entrepreneurial action to operationalize a model that demonstrates IT integration as the mediating
construct between managerial control processes and organizational strategic flexibility.
The study also focuses on one type of competitive action which is improved supply chain
performance, a significant competitive issue for most organizations in today's interlinked
business world (e.g. Sutton et al. 2008). The results related to supply chain performance
demonstrate both the interactive effect of ERM and IT integration on supply chain performance
and the mediating effect of strategic flexibility on the relationship between IT integration and
supply chain performance. The complexity of these interrelationships highlights the richness of
the theory on capability-building for entrepreneurial action and strongly supports the
theorizations on the relationships. Relatedly, both the theory and our highly integrated model
operationalizing the theory highlight the complexity of organizations and the need for more
complex research models in order to understand these intra-organizational relationships.
5.3 Implications for Practice
From a practice standpoint, this research directly addresses concerns that have been
widely voiced in the business press as to the deleterious effect of SOX control compliance on
organizations' flexibility and supply chain performance (e.g. Banham 2003; Katz 2003; Reason
2006; Schumer-Bloomberg-McKinsey 2007). Our results extend the preliminary case research
findings reported by Arnold et al. (2007) indicating that organizations that struggled through the
compliance process often had poor ERM processes in place when the compliance process started,
tended to react by implementing manual control processes that could be achieved quicker than
through integration of automation through IT systems, and ultimately suffered competitive
disadvantages from more rigid, restrictive processes coupled with reduced response time within
supply chain activities. Alternatively, Arnold et al. (2007) found that organizations that began
compliance with better risk management processes and automated more of their control
processes did not experience such negative competitive effects. As Robey and Boudreau (1999)
note, these contradictory experiences with organizations can be confusing absent a good
theoretical understanding of the organizational structures that surround these results. The
application of the theory of capability-building for entrepreneurial action provides a basis for
understanding these contradictory effects. Our results based on that theory add clarity to these
earlier findings by highlighting the interactive effects of strong ERM processes and strong IT
integration on the facilitation of strategic flexibility and ultimately on enhanced supply chain
performance.
Taken as a whole, the results of the research help explain the differential experiences of
companies during the SOX compliance process. Companies that effectively implemented ERM
processes, not just implementing the basic standalone processes but also integrating them to
derive strong entrepreneurial alertness, experienced higher levels of flexibility and higher levels
of competitive performance. But, this effect of ERM on flexibility and performance was heavily
dependent on the level of IT integration (e.g. IT compatibility and IT connectivity). This is
consistent with the case findings of Arnold et al. (2007), but our research isolates the effects that
are driving the observed phenomena and provides a theoretical basis for understanding the
inherent relationships.
For practice, our results add to the body of literature suggesting that IT value often comes
from the future leveraging of those systems to facilitate operational and strategic activities. From
a SOX perspective, our results suggest that effective ERM processes represent one more type of
strategic management activity that is enabled by strong IT integration; and, this synergy is
necessary to gain value from SOX compliance efforts. Our results also reinforce the importance
of strong ERM processes to first identifying and monitoring both internal and external risks and
opportunities, and second in facilitating an organization's ability to take strategically appropriate
competitive action.
REFERENCES
Abernethy, M.A. and A.M. Lillis. 1995. The impact of manufacturing flexibility on management control systems design. Accounting Organizations and Society 20(4): 241-258.
Arnold, V., T.S. Benford, J. Canada, J.R. Kuhn Jr., and S.G. Sutton. 2007. The Unintended Consequences of Sarbanes-Oxley on Technology Innovation and Supply Chain Integration. Journal of Emerging Technologies in Accounting 4: pp. 103-121.
Banham, R. 2003. Fear Factor: Sarbanes-Oxley Offers One More Reason To Tackle Enterprise Risk Management. CFO Magazine (June 1).
Banker, R.D., I. Bardhan, H. Chang, and S. Lin. 2006. Plant Information Systems, Manufacturing Capabilities, and Plant Performance. MIS Quarterly 30(2): 315-337.
Baron, R. M. and D. A. Kenny. 1986. The Moderator-Mediator Variable Distinction in Social Psychological Research: Conceptual, Strategic, and Statistical Considerations. Journal of Personality and Social Psychology 51(6): 1173-1182.
Batra, S. 2006. Impact of Information Technology on Organizational Effectiveness: A Conceptual Framework Incorporating Organizational Flexibility. Global Journal of Flexible Systems Management 7(1/2): pp. 15-25.
Beamon, B., 1999. Measuring Supply Chain Performance. International Journal of Operations and Production Management 19(3):
Bendoly, E., A. Citurs, and B. Konsynski. 2007. Internal Infrastructure Impacts on RFID Perceptions and Commitment: Knowledge, Operational Procedures, and Information-Processing Standards. Decision Sciences 38(3): pp. 423-449.
Bharadwaj, S., A. Bharadwaj, and E. Bendoly. 2007. The Performance Effects of Complementarities Between Information Systems, Marketing, Manufacturing, and Supply Chain Processes. Information Systems Research 18(4): pp. 437-453.
Boh, W.F. and D. Yellin. 2006-7. Using Enterprise Architecture Standards in Managing Information Technology. Journal of Management Information Systems 23(3): pp. 163-207.
Bouwens, J. and M. A. Abernethy. 2000. The consequences of customization on management accounting system design. Accounting Organizations and Society 25: 221-241.
Brown, C.V. 1999. Horizontal Mechanisms Under Differing IS Organization Contexts. MIS Quarterly 23(3): pp. 421-454.
Byrd, T. A. and N.W. Davidson. 2003. Examining Possible Antecedents of IT Impact on the Supply Chain and Its Effect on Firm Performance. Information & Management 41: pp. 243-255.
Byrd, T. A. and D. E. Turner. 2000. Measuring the flexibility of information technology infrastructure: Exploratory Analysis of a Construct. Journal of Management Information Systems; Summer Vol. 17, No. 1, 167-208.
Cannon, A. R. and St. John, C. H. (2004) Competitive Strategy and Plant Level Flexibility. International Journal of Production Research, 42(10): pp 1987-2007.
Chenhall, R.H. 2003. Management control systems design within its organizational context: findings from contingency-based research and directions for the future. Accounting Organizations and Society 28: 127-168.
Clark, C.E., N.C. Cavanaugh, C.V. Brown, and V. Sambamurthy. 1997. Building Change-readiness Capabilities in the IS Organization: Insights from the Bell Atlantic Experience. MIS Quarterly 21(4): 425-455.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal Control Integrated Framework. American Institute of Certified Public Accountants.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. Enterprise Risk Management Integrated Framework. (Committee of Sponsoring Organizations of the Treadway Commission, AICPA: New York).
Cotteleer, M.J. and E. Bendoly. 2006. Order Lead-Time Improvement Following Enterprise Information Technology Implementation: An Empirical Study. MIS Quarterly 30(3): 643-660.
Davila, T. 2000. An empirical study on the drivers of management control systems design in new product development. Accounting Organizations and Society 25: 383-409.
Diamantopoulos, A., R. Riefler, K.P. Roth. 2008. Advancing formative measurement models. Journal of Business Research. In Press.
Diamantopoulos, A. and H. Winklhofer. 2001. Index construction with formative indicators: An alternative to scale development. Journal of Marketing Research 38(2).
Ditillo, A. 2004. Dealing with uncertainty in knowledge-intensive firms: the role of management control systems as knowledge integration mechanisms. Accounting Organizations and Society 29: 401-421.
Fornell, C. and D. F. Larcker. 1981. Evaluating Structural Equation Models with Unobservable Variables and Measurement Error. Journal of Marketing Research 18(1): 39-50.
Frei, F.X., R. Kalakota, A.J. Leone, L.M. Marx. 1999. Process Variation as a Determinant of Bank Performance. Management Science 45(9): pp. 1210-1220.
Gattiker, T. and D. Goodhue. 2005. What Happens after ERP Implementation: Understanding the Impact of Interdependence and Differentiation on Plant-Level Outcomes. MIS Quarterly 29(3): pp. 559-585.
Hair, J. F., Black, W. C., Babin, B. J., Anderson, R. E., & Tatham, R. L. (2006). Multivariate Data Analysis. Upper Saddle River, NJ: Pearson Education Inc.
Institute of Internal Auditors. 2004. Position Statement: The Role of Internal Audit in Enterprise-wide Risk Management. (Institute of Internal Auditors: Altamonte Springs, FL).
Katz, D.M. 2003. What You Don't Know About Sarbanes-Oxley: Snares, Pitfalls, and Trapdoors. CFO.com (April 22).
Katz, D.M. 2006. Panels on 404 skirt small-company woes. CFO.com (May 02).
Kline, R. B. 2005. Principles and Practice of Structural Equation Modeling, Second Edition. (The Guilford Press: New York)
Kohli, R. and S. Devaraj. 2003. Measuring Information Technology Payoff: A Meta-Analysis of Structural Variables in Firm-Level Empirical Research. Information Systems Research 14(2): pp. 127-145.
Lambert, D.M., M.C. Cooper, J.D. Pagh. 1998. Supply Chain management: Implementation issues and research opportunities. International Journal of Logistics Management 9(2).
Levine, R. 2004. Risk management systems: understanding the need. EDPACS 32(2): 1-13.
Liebenberg, A.P. and R.E. Hoyt. 2003. The Determinants of Enterprise Risk Management: Evidence From the Appointment of Chief Risk Officers. Risk Management and Insurance Review 6(1): pp. 37-52.
McAfee, A. 2002. The Impact of Enterprise Information Technology Adoption on Operational Performance: An Empirical Investigation. Production and Operations Management 11(1): pp. 1-21.
Melville, N., K. Kraemer, and V. Gurbaxani. 2004. Information technology and organizational performance: an integrative model of IT business value. MIS Quarterly 28(2): 283-322.
Naranjo-Gil, D. and F. Hartmann. 2006. How top management teams use management accounting systems to implement strategy. Journal of Management Accounting Research 18: 21-53.
Naranjo-Gil, D. and F. Hartmann. 2007. Management accounting systems, top management team heterogeneity and strategic change. Accounting Organizations and Society 32: 735-756.
O'Leary, D.E. 2000. Enterprise Resource Planning Systems: Systems, Life Cycle, Electronic Commerce, and Risk. (Cambridge University Press: New York).
Palanisamy, R. 2005. Strategic Information Systems Planning Model for Building Flexibility and Success. Industrial Management and Data Systems 105(1): 63-81.
Paulraj, A. and I.J. Chen. 2007. Strategic Buyer-Supplier Relationships, Information Technology and External Logistics Integration. The Journal of Supply Chain Management (Spring): pp. 2-14.
Petter, S., D. Straub, and A. Rai. 2007. Specifying Formative Constructs in Information Systems Research. MIS Quarterly 31(4): pp. 623-656.
Peterson, R. 2004. Crafting Information Technology Governance. Information Systems Management 21(4): pp. 7-22.
Rai, A., R. Patnayakuni, and N. Seth. 2006. Firm Performance Impacts of Digitally Enabled Supply Chain Integration Capabilities. MIS Quarterly 30(2): pp. 225-246.
Rai, A. and V. Sambamurthy. 2006. Editorial Notes - The Growth of Interest in Services Management: Opportunities for Information Systems Scholars. Information Systems Research 17(4): pp. 327-331.
Reason, T. 2006. Cry of pain from small companies. CFO.com (May 10).
Robey, D. and M.C. Boudreau. 1999. Accounting for the Contradictory Organizational Consequences of Information Technology: Theoretical Directions and Methodological Implications. Information Systems Research 10(2): pp. 167-185.
Ross, J.W. 2003. Creating a Strategic IT Architecture Competency: Learning in Stages. MIS Quarterly Executive 2(1): pp. 31-43.
Sambamurthy, V. and R.W. Zmud. 1999. Arrangements for Information Technology Governance: A Theory of Multiple Contingencies. MIS Quarterly 23(2): pp. 261-290.
Sambamurthy, V. and R.W. Zmud. 1999. Research commentary: The Organizing Logic for an Enterprise's IT Activities in the Digital Era - A Prognosis for Practice and a Call for Research. Information Systems Research 11(2): pp. 105-114.
Sambamurthy, V., A. Bharadwaj, and V. Grover. 2003. Shaping agility through digital options: Reconceptualizing the role of information technology in contemporary firms. MIS Quarterly 27 (2): 237-263.
Schumer, C.E., M.R. Bloomberg, and McKinsey Consulting. 2007. Sustaining New York's and the U.S. Global Financial Services Leadership. U.S. Senate www.senate.gov/~schumer (January 22).
Sutton, S.G. and V. Arnold. 2005. The Sarbanes-Oxley Act and the Changing Role of the CIO and the IT Function. International Journal of Business Information Systems 1(1/2): 118-128.
Sutton, S.G., D. Khazanchi, C. Hampton and V. Arnold. 2008. Risk Analysis in Extended Enterprise Environments: Identification of Critical Risk Factors in B2B E-Commerce Relationships. Journal of the Association for Information Systems 9(3/4): pp. 151-174.
Swafford, P.M., S. Ghosh, and N. Murthy. 2006. The Antecedents of Supply Chain Agility of a Firm: Scale Development and Model Testing. Journal of Operations Management 24: pp. 170-188.
Volberda, H.W. 1996. Toward the Flexible Form: How to Remain Vital in Hypercompetitive Environments. Organization Science 7(4): 359-374.
Xue, Y., H. Liang, and W.R. Boulton. 2008. Information Technology Governance in Information Technology Investment Decision Processes: The Impact of Investment Characteristics, External Environment, and Internal Context. MIS Quarterly 32(1): pp. 67-96.
Figure 1 Capability-Building and Entrepreneurial Action. Reproduced from Sambamurthy, Bharadwaj & Grover, 2003.
[Figure components. Capability-Building Processes and Entrepreneurial Action Processes. IT Competence: investment scale, IT capabilities. Digital Options: process reach, process richness, knowledge reach, knowledge richness. Agility: customer agility, partnering agility, operational agility. Competitive Actions: number of actions, complexity of action repertoire. Entrepreneurial Alertness: strategic foresight, systemic insight.]
Figure 2: Research Model on the Role of ERM and IT Flexibility
Figure 3 Structural Model Results
Figure 4 Structural Model Test of Mediating Effects of IT Compatibility on Organizational Strategic Flexibility
Figure 5 Structural Model Test of Mediating Effects of Organizational Strategic Flexibility on Supply Chain Performance
Figure 6 Structural Model Test of Mediating Effects of IT Compatibility on Supply Chain Performance
[Figure labels. Constructs: Enterprise Risk Management, Information Technology Integration, Supply Chain Performance. Path labels as extracted: H6 +0.493 (t-value = 7.810**); H1 +0.690 (t-value = 16.139**); H6 +0.141 (t-value = 1.568); H5 +0.498 (t-value = 5.882**). * p-value = 0.05; ** p-value = 0.01]
Table 1 Participant Demographics
N = 155
Category | Frequency | Percentage
Gender
Male | 109 | 70.3%
Female | 45 | 29.0%
Not answered | 1 | 0.7%
Age
25 to 40 years | 32 | 20.65%
40+ years | 119 | 76.77%
Not answered | 4 | 2.58%
Experience
3 to 10 years | 24 | 15.48%
10+ years | 131 | 84.52%
Industry
Manufacturing | 29 | 18.71%
Insurance | 26 | 16.77%
Financial/real estate | 22 | 14.19%
Wholesale/retail | 13 | 8.39%
Technology | 12 | 7.74%
Utilities | 11 | 7.10%
Health | 7 | 4.52%
Communication | 4 | 2.58%
Aerospace & defense | 4 | 2.58%
Transportation | 4 | 2.58%
All other | 23 | 14.84%
Organizational Structure
Publicly traded | 90 | 58.06%
Not publicly traded | 63 | 40.65%
Not answered | 2 | 1.29%
Table 2 Descriptive Statistics
Variable Measures | Min | Mean | Median | Max | Std dev.
Enterprise Risk Management (ERM) Process
1. Our organization performs a thorough enterprise-wide risk assessment at least once a year | 1 | 3.46 | 4.00 | 5 | 1.337
2. The strength of our internal control system enhances our organization's ability to identify events that may affect the achievement of our objectives | 1 | 2.86 | 3.00 | 5 | 1.047
3. Our organization regularly evaluates the effectiveness of internal controls to mitigate identified risks | 1 | 2.88 | 3.00 | 5 | 1.213
4. Management has effective processes to respond to identified risks | 1 | 2.97 | 3.00 | 5 | 1.090
5. Our risk management procedures provide the necessary information top management needs to monitor changes that could impact our organization's well-being. | 1 | 3.06 | 3.00 | 5 | 1.062
IT Integration
1. Compared to rivals in our industry, our organization has the foremost in available IT systems | 1 | 3.01 | 1.00 | 5 | 0.822
2. User-friendly electronic links exist between our organization and its supply chain partners | 1 | 2.96 | 1.00 | 5 | 0.558
3. Our organization formally addresses the issue of data security | 1 | 2.34 | 1.00 | 5 | 0.704
4. All remote, branch, and mobile offices are electronically connected to the central office | 1 | 1.96 | 2.00 | 5 | 1.240
5. There are numerous identifiable communication bottlenecks within our organization | 1 | 2.77 | 1.00 | 5 | 0.790
6. New locations or acquisitions are quickly assimilated into our IT infrastructure (D)
7. Remote, branch, and mobile offices have easy access to data from the home or central office | 1 | 2.41 | 2.00 | 5 | 1.138
8. Our organization's ability to make rapid IT change is high | 1 | 2.55 | 3.00 | 5 | 1.007
9. Information is shared seamlessly across our organization, regardless of the location | 1 | 2.92 | 3.00 | 5 | 1.084
10. Our organization offers a wide variety of types of information to end users (e.g. multimedia) (D)
11. Our user interfaces provide transparent access to all applications. | 1 | 3.37 | 3.00 | 5 | 1.093
12. Data received by our organization from electronic links with supply-chain partners are reliable | 1 | 3.03 | 3.00 | 5 | 1.151
Organizational Strategic Flexibility
1. Our organization has difficulty maximizing new market opportunities (RC) | 1 | 2.50 | 2.00 | 5 | 1.085
2. Our organization is able to introduce new products/services | 1 | 2.23 | 2.00 | 5 | 1.023
3. Our organization has difficulty accommodating major changes in basic product designs or service offerings (RC) | 1 | 2.38 | 2.00 | 5 | 1.081
4. Our organization is able to manage the impact of serving new classes of customers | 1 | 2.44 | 2.00 | 5 | 0.995
Supply Chain Performance
1. Our organization consistently meets or exceeds our corporate goals for the proportion of product/service orders immediately filled | 1 | 2.36 | 2.00 | 5 | 0.966
2. Our organization consistently meets or exceeds our corporate goals for on-time delivery of products/services | 1 | 2.40 | 2.00 | 5 | 0.966
3. Our organization consistently meets or exceeds our corporate goals for minimizing back-orders/stock-outs. (D)
4. Our organization consistently meets or exceeds our corporate goals for customer response time (the time between an order and its delivery). | 1 | 2.35 | 2.00 | 5 | 0.909
5. Our organization consistently meets or exceeds our corporate goals for minimizing the total amount of time required to produce an item or provide a service. | 1 | 2.50 | 2.00 | 5 | 0.985
6. Our organization consistently meets or exceeds our corporate goals for minimizing shipping errors. (D)
7. Our organization consistently meets or exceeds our corporate goals for minimizing goals for customer complaints | 1 | 2.42 | 2.00 | 5 | 0.940
RC: Items reverse coded
D: Items dropped due to volume of not applicable/don't know responses; items not included in data analyses
Scale: 1 through 5, where 1 equals Strongly Agree and 5 equals Strongly Disagree
Table 3 Tests of Convergent Validity
Variable Measures | Factor Loading | Construct Composite Reliability | Average Variance Extracted
Enterprise Risk Management (ERM) Process | | 0.9365 | 0.7480
1. Our organization performs a thorough enterprise-wide risk assessment at least once a year | 0.7329
2. The strength of our internal control system enhances our organization's ability to identify events that may affect the achievement of our objectives | 0.8899
3. Our organization regularly evaluates the effectiveness of internal controls to mitigate identified risks | 0.8780
4. Management has effective processes to respond to identified risks | 0.9244
5. Our risk management procedures provide the necessary information top management needs to monitor changes that could impact our organization's well-being. | 0.8864
Organizational Strategic Flexibility | | 0.8408 | 0.5692
1. Our organization has difficulty maximizing new market opportunities (RC) | 0.7486
2. Our organization is able to introduce new products/services | 0.7339
3. Our organization has difficulty accommodating major changes in basic product designs or service offerings (RC) | 0.7557
4. Our organization is able to manage the impact of serving new classes of customers | 0.7789
Supply Chain Performance | | 0.9456 | 0.7773
1. Our organization consistently meets or exceeds our corporate goals for the proportion of product/service orders immediately filled | 0.8927
2. Our organization consistently meets or exceeds our corporate goals for on-time delivery of products/services | 0.9296
3. Our organization consistently meets or exceeds our corporate goals for customer response time (the time between an order and its delivery). | 0.9046
4. Our organization consistently meets or exceeds our corporate goals for minimizing the total amount of time required to produce an item or provide a service. | 0.8931
5. Our organization consistently meets or exceeds our corporate goals for minimizing goals for customer complaints | 0.7806
RC: reverse coded
Table 4 IT Integration
IT Integration Formative Measures | Weights
1. Compared to rivals in our industry, our organization has the foremost in available IT systems | 0.064908
2. User-friendly electronic links exist between our organization and its supply chain partners | 0.267506
3. Our organization formally addresses the issue of data security | 0.318061
4. All remote, branch, and mobile offices are electronically connected to the central office | 0.038028
5. There are numerous identifiable communication bottlenecks within our organization | 0.277407
6. New locations or acquisitions are quickly assimilated into our IT infrastructure (D)
7. Remote, branch, and mobile offices have easy access to data from the home or central office | 0.285407
8. Our organization offers a wide variety of types of information to end users (e.g. multimedia) | 0.04279
9. Our user interfaces provide transparent access to all applications | -0.14486
10. Data received by our organization from electronic links with our supply-chain partners are reliable (D)
11. Our organization's ability to make rapid IT change is high | 0.16233
12. Information is shared seamlessly across our organization, regardless of the location | 0.158774
Table 5 Tests of Multicollinearity
IT Integration Formative Measures | Variance Inflation Factor (Dependent variable = Organizational Strategic Flexibility) | Variance Inflation Factor (Dependent variable = Supply Chain Performance)
1. Compared to rivals in our industry, our organization has the foremost in available IT systems | 1.807 | 1.807
2. User-friendly electronic links exist between our organization and its supply chain partners | 1.925 | 1.925
3. Our organization formally addresses the issue of data security | 1.624 | 1.624
4. All remote, branch, and mobile offices are electronically connected to the central office | 1.961 | 1.961
5. There are numerous identifiable communication bottlenecks within our organization | 1.392 | 1.392
6. New locations or acquisitions are quickly assimilated into our IT infrastructure (D)
7. Remote, branch, and mobile offices have easy access to data from the home or central office | 2.347 | 2.347
8. Our organization offers a wide variety of types of information to end users (e.g. multimedia) | 2.114 | 2.114
9. Our user interfaces provide transparent access to all applications | 2.164 | 2.164
10. Data received by our organization from electronic links with our supply-chain partners are reliable (D)
11. Our organization's ability to make rapid IT change is high | 2.570 | 2.570
12. Information is shared seamlessly across our organization, regardless of the location | 2.723 | 2.723
Table 6 Tests of Discriminant Validity
Construct | ERM | Organizational Strategic Flexibility | Supply Chain Performance
Average Variance Extracted | 0.748041 | 0.569175 | 0.777269
Squared Inter-Construct Correlations
ERM | 1.00
Organizational Strategic Flexibility | 0.189349 | 1.00
Supply Chain Performance | 0.236413 | 0.352501 | 1.00
Table 7 Inter-Construct Correlations
Construct | ERM | IT Integration | Organizational Strategic Flexibility | Supply Chain Performance
ERM | 1.000000
IT Integration | 0.682187 | 1.000000
Organizational Strategic Flexibility | 0.435142 | 0.647511 | 1.000000
Supply Chain Performance | 0.486223 | 0.580876 | 0.593718 | 1.000000