زيادة المرونة الستراتيجية في اطار التمكين

1

ENHANCING STRATEGIC FLEXIBILITY AND PERFORMANCE THROUGH RISK MANAGEMENT: THE ENABLING ROLE OF IT INTEGRATION

Vicky Arnold University of Central Florida

University of Melbourne

Tanya Benford University of Central Florida

Joseph Canada University of Central Florida

Steve G. Sutton University of Central Florida

University of Melbourne

October 2008

Preliminary Draft Please do not quote without permission.

* This research was funded by the Institute of Internal Auditors Research Foundation. The authors wish to thank the IIARF for their generous funding and support of our research. We thank Raj Echambadi and Clark Hampton for their advice and feedback during the development of this paper as well as participants in workshops at the University of Auckland and University of Central Florida for their valuable feedback on earlier versions of this manuscript. We also thank Randy Kuhn for his research assistance.

2

ENHANCING STRATEGIC FLEXIBILITY AND PERFORMANCE THROUGH RISK

MANAGEMENT: THE ENABLING ROLE OF IT INTEGRATION

Abstract

Since the passage of the Sarbanes-Oxley Act in the U.S., the business press has consistently reported on companies and business consortiums proclamations of the negative effect of new internal control requirements on supply chain performance. Early studies on organizations experience with SOX control compliance efforts have been contradictory; some organizations have experienced significant deleterious effects while other organizations have continued to prosper. In this study, theory on capability-building for entrepreneurial action (Sambamurthy et al. 2003) is used as a basis for understanding the observed phenomenon. In our research model, which operationalizes the theory, enterprise risk management (ERM) forms the primary organizational driver for enhanced IT integration, maintaining organizational strategic flexibility, and facilitating supply chain performance. Based on responses from 155 Chief Audit Executives, the results provide strong support for both the underlying theory and its applicability to understanding the varied effects of SOX 404 compliance on organizations.

The results indicate that ERM leads to higher levels of IT integration across two dimensions: IT compatibility and IT connectivity. The results also highlight the fundamental importance of high levels of IT integration to strategic opportunities within the firm as it is shown that IT integration fully mediates the relationship between ERM and strategic flexibility and partially mediates the relationship between ERM and supply chain performance. Additionally, the previously reported relationship between IT integration and supply chain performance is partially mediated by the level of organizational strategic flexibility. Overall, there is strong support for the theory and additional clarity is provided to the practice environment on the effective implementation of ERM processes and its use for facilitating competitive action.

Key words: Enterprise risk management, IT competence, IT integration, IT flexibility, strategic flexibility, organizational flexibility, supply chain performance, IT-enabled business processes.

3

ENHANCING STRATEGIC FLEXIBILITY AND PERFORMANCE THROUGH RISK MANAGEMENT: THE ENABLING ROLE OF IT INTEGRATION

1. INTRODUCTION

Substantial efforts by information systems (IS) researchers have been invested in

attempts to better understand how and when value is created by IT investments (Kohli and

Devaraj 2003; Melville et al. 2004). However, the documented results from the multitude of

studies are inconsistent; increasingly researchers are recognizing that value is generally driven by

other organizational factors, thus a different way of measuring IT value may be preferable (Kohli

and Devaraj 2003). The recent perspective has evolved toward a real options theory that views IT

investment as a means of building a platform to facilitate both current and future IT-enabled

functionalities (Sambamurthy and Zmud 2000). A critical part of developing this platform is the

integration of disparate information sources across the organization to facilitate process

integration. Absent such IT integration, business processes are often fragmented leading to poor

customer responsiveness and missed opportunities for innovation (Rai and Sambamurthy 2006).

The theory of capability-building for entrepreneurial action integrates these alternative views

into a more strategic, management-oriented perspective on creating value from IT (Sambamurthy

et al. 2003).

This study applies the theory of capability-building for entrepreneurial action as the basis

for interpreting the various experiences reported by companies during their efforts to comply

with new regulatory mandates for effective managerial control and risk management. These

regulatory mandates came about with the passage of the Sarbanes-Oxley Act of 2002 (SOX)

which radically changed the way organizations view corporate governance. One dimension of

this change is an increased focus on enterprise risk management (ERM) processes, a much

broader strategic view of organizational control than a more traditional, accounting-oriented

4

view on internal control. While SOX regulation focused on financial controls, the impact was to

extend the documentation and review of control systems to an enterprise level view that included

strategic, operational, reputational, regulatory, and information risks (Katz 2003; Banham 2003,

Sutton et al. 2008).1

The variances in experiences reported by companies during the SOX compliance process

have raised questions about the efficiency of control implementation in many organizations

(Arnold et al. 2007). Many organizations implemented heavily manual-oriented processes to

achieve control objective requirements and these manual-oriented controls appear to have often

slowed down organizations business processing, reduced organizations strategic flexibility, and

hampered supply chain activities. On the other hand, organizations that took a strategic focus to

implementing comprehensive ERM processes and used more automation in their control

processes appeared to be less impacted in terms of flexibility, supply chain performance, and

overall organizational competitiveness (Arnold et al. 2007). Still, the business press generally

focuses on the less successful implementations, frequently reporting on the negative

consequences of SOX compliance on organizations performance, and questioning SOX

compliant companies ability to maintain competitiveness in the marketplace (Banham 2003;

Katz 2003; Reason 2006).2

1Thispushtoanenterpriselevelfocusalsomeantthattheresponsibilityformanagingandreviewing

controlstructuressimilarlyrosetofallingundertheauspicesofClevelmanagement(e.g.CEOs,CFOs,CIOs,CAEs)(Beasleyetal.2005;Suttonetal.2008).InsomeorganizationstheChiefInformationOfficer(CIO)ledtheSOXinternalcontrolcomplianceeffortwhileinmostorganizationstheCIOwasacriticalmemberofthecomplianceplanningandimplementationteams(Arnoldetal.2007;SuttonandArnold2005).

2TheseconcernswerefurtherhighlightedwiththereleaseoftheSchumerBloombergMcKinsey(2007)reportontheU.S.SenatefloorwithitsfocusonthedecreasedcompetitivenessofU.S.stockexchangesinthefaceofSOXregulationandrelatedconcernsovertheflowofavailablecapitaltosupportgrowthandinnovation.

5

This studys examination of ERM implementation effects on organizational performance

uses an operational model based on Sambamurthy et al.s (2003) theory of capability-building

for entrepreneurial action. ERM becomes the focal point, as ERM is a process that can be used to

facilitate entrepreneurial alertness. ERM is both a critical element of an organizations ability to

monitor internal and external activities in order to effectively react to changes in the

marketplace; and, in the form of COSOs ERM Framework (COSO 2004), ERM was also the

most prevalent strategy used by firms to meet SOX compliance requirements3 (Beasley et al.

2005).

The purpose of this study is to examine the relationship between firms effectiveness of

ERM integration and the two issues of primary concern in critiques of SOX compliance

mandatesmaintaining strategic organizational flexibility and strengthening supply chain

performance. ERM is evaluated as a top down strategy driven by C-level management of the

firm. Accordingly, ERM is viewed as offensive and strategic as opposed to a more traditional

control orientation with a defensive posture (Liebenberg and Hoyt 2003). Central to our research

is a focus on the role of information technology (IT) integration in facilitating the

interrelationships between ERM, strategic organizational flexibility and supply chain

performance (Sambamurthy et al. 2003). IT integration is viewed as a key enabler of effective

ERM integration (COSO 2004) and case research provides preliminary evidence indicating IT

3ThefocusonenterpriselevelgovernanceandcontrolwasreinforcedbytheCommitteeofSponsoring

OrganizationsoftheTreadwayCommission(COSO)revisionoftheir1992internalcontrolframework(COSO1992)toencompassthissamebroadenterpriseriskmanagement(ERM)perspective(COSO2004).TheNewYorkStockExchange(NYSE)alsoaltereditsCorporateGovernanceRulestoexplicitlymandateBoardsauditcommitteestoassumespecificresponsibilitieswithrespecttoriskassessmentandriskmanagementattheenterpriselevel(Beasleyetal.2005).Accordingly,mostorganizationsfallingunderSOXsection404reportingrequirementsoninternalcontrolsadoptedCOSOs(2004)ERMFrameworkasthebasisfordocumenting,evaluating,andassessingtheviabilityofcontrolstructures(Beasleyetal.2005).

6

integration may be a key construct to understanding the variable impact of SOX compliance

efforts on organizational performance (Arnold et al. 2007).

This research contributes to the information systems literature at two distinct levels. First,

the research demonstrates the joint effects of ERM, IT integration, and strategic flexibility on

supply chain performance, thereby providing support for Sambamurthy et al.s (2003) theory. In

this vein, the research also demonstrates how these relationships can be captured and modeled.

Second, this study helps broaden the perspectives on governance in the IS literature from a focus

on IT governance as a means for controlling the use of IT resources (e.g. Sambamurthy and

Zmud 1999; Xue et al. 2008) to instead viewing IT as an enabler of a broader governance

structure. Sambamurthy and Zmud (1999) note that IT governance is difficult to study in

isolation as overall organizational governance efforts influence how IT governance takes shape.

In contemporary ERM-driven business environments, we view IT as the enabler of ERM and IT

integration is driven by the needs of the organization as ERM strategies are expanded across and

beyond the enterprise.

This research is also important to practice as it examines the nature of ERM and explains

why some organizations have seen improved performance under new governance structures

while other organizations perceive a loss of flexibility and a deleterious effect on supply chain

performance (Robey and Boudreau 1999). The results of the research show that effective ERM

integration is associated with improved organizational strategic flexibility and higher levels of

supply chain performance. Further, the results show the critical role of broad IT integration in

facilitating and enabling these relationships.

The remainder of the paper is organized into four sections. In Section 2, the underlying

theoretical basis for the hypotheses is presented and the research model is developed. This is

7

followed by the research methods section and the results section. The fifth and final section

provides a summary of the research findings, a review of the limitations of the study, and a

discussion of the implications of the research findings.

2. THEORETICAL DEVELOPMENT & HYPOTHESES

The intent of Sambamurthy et al.s (2003) theory on capability-building and

entrepreneurial action is to broaden the understanding of the strategic role of IT through an

improved understanding of the interrelationships that create value from IT investments. There

has been a lack of clarity on the impact of IT at the organizational level as prior studies provide

contradictory evidence on the benefits of similar IT systems implemented in different

organizations (Robey and Boudreau 1999). Similarly, contradictory evidence has been prevalent

when examining firms experiences with SOX control compliance and ERM implementation

some firms show controls impeding flexibility and competitiveness while other firms do not

experience hindrances and oftentimes see improvement (Arnold et al. 2007).

Sambamurthy et al.s (2003) theory provides a basis for interpreting these contradictory

results in the case of both IT investment and ERM implementation. The theory focuses on the

interactive nature of organizational structures and IT competencies in supporting competitive

actions. These interactions are coevolutionary in that entrepreneurial alertness drives the

leveraging of IT competencies, encourages the maintenance of organizational agility, and

influences the interaction between the two (see Figure 1). In addition learning takes place as

organizations gather experience through competitive actions and gain an understanding of how

existing utilization of IT competencies and organizational agility facilitate successful action. As

organizations learn, their entrepreneurial alertness drives further utilization of IT competencies

and enhances the organizations agility.

8

[Insert Figure 1 about here]

Within the theory, entrepreneurial alertness is defined as the capability of a firm to

explore its marketplace, detect areas of marketplace ignorance, and determine opportunities for

action (p. 250). This includes both strategic foresight (i.e. the ability to foresee risks and

opportunities) and systemic insight (i.e. the ability to use foresight to shape competitive actions

that provide advantage). This entrepreneurial alertness can be encoded in many organizations

through ERM processes that are designed to aid organizations in identifying potential events that

may affect the organizations ability to manage identified risks (COSO 2004, p. 2) and enable it

to respond strategically to both risks and opportunities (Liebenberg and Hoyt 2003).

Accordingly, our operationalization of the theory focuses on ERM as an entrepreneurial strategy

for broadly influencing the various componentsleveraging IT capabilities, enhancing

organizational agility, and enabling competitive actions.

Sambamurthy et al. (2003) view the leveraging of IT competencies as evolving from the

(1) IT resources and capabilities that have been developed within the organization (IT

competence) and (2) the digital options which are the way in which management views that

existing IT competencies can be leveraged to facilitate agility and performance. To support ERM

activities, leveraging IT competencies becomes critical across two dimensions: IT compatibility

(i.e. the ability to share information across systems and business processes in order to facilitate

necessary information flow) and IT connectivity which forms the linkages to internal and

external information necessary for assessing risks and opportunities (Byrd and Turner 2000).

These two dimensions, which represent IT integration, help facilitate the flow of both internal

and external information needed to assess changes in and react to the marketplace (McAfee

9

2002; Cotteleer and Bendoly 2006; Swafford et al. 2006). The model within the current study

operationalizes IT competence and digital options through IT integration.

Agility is defined as the ability to detect opportunities for innovation and seize those

competitive market opportunities by assembling requisite assets, knowledge and relationships

with speed and surprise (Sambamurthy et al. 2003, p. 245). Agility is often thought of as

flexibility with the differentiating dimension being speed. The interest in this study is not on

speed but is on the organizations ability to be flexible at the customer and operational levels in

order to bring products to market more strategically. Thus, the emphasis is more on

organizational strategic flexibility than on the speed and surprise.

From an outcome perspective, the competitive actions of interest in this study revolve

around the ability to achieve high levels of performance in supply chain activities in a well-

controlled environment that comes with ERM. As such, we focus on supply chain performance

as the competitive actions of interest.

This forms the basis for our conceptual model, which is developed in the following

sections, as shown in Figure 2. A significant distinction between our operationalization and

Sambamurthy et als. (2003) theory is the types of relationships between entrepreneurial

alertness/ERM and the other firm competencies. Sambamurthy et al. 2003 theorizes that

entrepreneurial alertness enhances the relationships between the aforementioned firm

competencies, while our study models and observes more direct effects upon the firm

competencies themselves. Before proceeding to the specific hypotheses generation, the following

sub-section focuses on elaboration of ERM processes from a practical and applied perspective to

clarify further the entrepreneurial alertness that is inherently derived through ERM.


10

2.1 Entrepreneurial Alertness and ERM

COSO initiated its ERM framework in 2001 amidst the aftermath of a series of high

profile business scandals and in the face of calls for enhanced corporate governance and risk

management specifically to address legal, regulatory and compliance concerns (COSO 2004).

ERM is designed to enable an organizations management to address uncertainty and the

associated risks and opportunities in order to build value (COSO 2004). COSO (p. 2) defines

ERM as:

a process, effected by an entitys board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objects.

In reflecting upon this definition, COSO (2004) goes on to note several embedded, fundamental

concepts that are of particular concern here. First, because information must be shared across the

organization, ERM is affected by people at every level of an organization,. Second, ERM is

fundamentally applied in a strategy setting (COSO 2004, p. 2). This is consistent with the

Canadian Governments position on ERM as articulated by the Treasury Board (2001). In

particular, the Treasury Board defines ERM as being about making strategic decisions that

contribute to the achievement of an organizations overall corporate objectives (p. 10).

While everyone in the organization has some responsibility for ERM, an organizations

Board of Directors has overall responsibility for ensuring risks are managed while in practice the

management team is generally delegated with the responsibility (Institute of Internal Auditors

2004). This means the CEO is ultimately responsible and should take ownership while also

involving other key C-level executives such as the CFO, CIO and CAE (COSO, p. 6). As such,

ERM integrates risk management activities while elevating its status as a key component of the

11

firms overall strategy thus enabling the company to respond strategically to both risks and

opportunities (Liebenberg and Hoyt 2003).

In building an organizations risk profile, information and knowledge must be aggregated

across the strategic and operational levels to assist managers in understanding the range of risks

faced (internally and externally) and the related opportunities (Treasury Board 2001, p. 15). To

facilitate the aggregation of information and knowledge across the organization, the Treasury

Board recognizes the need to consider potential technological solutions to support the on-going

activities including technologies such as the Internet and organizational Intranets that can

facilitate risk awareness and management through information sharing both internally and

externally (Treasury Board 2001, p. 31). Similarly, COSO recognizes the need for information

and communication processes that assure relevant information is identified, captured, and

communicated in a timely manner to facilitate management responsiveness. Such information

communication must occur in a broad sense, flowing down, across, and up the entity (p. 4). In

essence, the IT systems must be designed in a manner that facilitates information sharing across

the organization and connectedness among the organizations management at both strategic and

operational levels.

In summary, the ERM movement from a practice perspective focuses on the use of ERM

to identify risk and opportunities to facilitate organizational strategic flexibilitythe

fundamental capabilities of interest in Sambamurthy et al.s (2003) view of entrepreneurial

alertness. Likewise, ERM should allow the organization to respond in a way that facilitates

improved performance both through effective risk management and through maintenance of

organizational strategic flexibility.

12

2.2 ERM, IT Integration & Facilitating Flexibility

As noted in the discussion on ERM, the availability of information from and sharing

knowledge across the organization is fundamental to supporting ERM processes. The

information needs specified within COSO necessitate the availability of IT systems that provide

a timely view of various risks spread across the organization (Levine 2004). Lam (2003) notes

that one of the greatest challenges of implementing effective ERM strategies is aggregating the

underlying data required to monitor diverse organizational risks. This view is consistent with the

evolving stream of IT research that maintains that one of the most critical roles of the IT function

is the support of on-going interactions among users to ensure management is prepared to respond

to emerging business needs and opportunities (Clark et al. 1997; Sambamurthy and Zmud 2000;

Rai and Sambamurthy 2006; Bharadwaj et al. 2007). This need becomes even more significant as

organizations make decisions in increasingly turbulent environments (Pavlou and El Sawy 2006).

One of the drivers of the enterprise systems movement was the value of such systems in

facilitating coordination and alignment of manufacturing production functions (OLeary 2000;

McAfee 2002; Gattiker and Goodhue 2005; Banker et al. 2006; Cotteleer and Bendoly 2006).

The development of strong IT integration is not prevalent in many organizations,

however, and Arnold et al. (2007) note this as an issue plaguing the companies in their case

studies that were struggling with SOX control compliance. This is consistent with Beasley et

al.s (2003) finding that many organizations have not initiated ERM processes or have only put

in place rudimentary procedures. ERM is often hampered by the lack of systems level integration

necessary to access information easily and to monitor risks across the organization (Frie et al.

1999).

13

IT integration such as that required for effective ERM is more likely to occur by design

than to be preexisting. This is consistent with the capability building aspect of Sambamurthy et

al.s (2003, p. 250) theory where a key component of entrepreneurial alertness is systemic

insightthe ability to visualize connections between digital options, agility capabilities, and

emerging market opportunities in architecting competitive actions. Firms with the strongest IT

integration tend to have established enterprise architecture standards to enhance compatibility of

IT components and to facilitate application integration and data sharing across the enterprise

(Boh and Yellin 2006-7). The existence of strong horizontal integration and coordination across

the enterprise usually evolves in the presence of enterprise architecture standards, which in turn

tend to be a product of effective IT governance (Brown 1999; Peterson 2004). This is not IT

governance from a centralized/decentralized perspective, but rather IT governance as a part of

the broader corporate governance structure and strategic planning (Sambamurthy and Zmud

1999; 2000).

This focus on enterprise wide data sharing and coordination is reflective of the need for

enterprise-wide systems to have strong IT compatibility and integration to support ERM

processes. IT compatibility is the ability to share any type of information across any type of

technology component (Byrd and Turner 2000). High IT compatibility is indicative of ready

accessibility to critical data from anywhere within the organization and suggests a transparency

of information. Such capability is viewed as arising from a firms leveraging of its investments in

IT resources to build systems that leverage effectiveness, efficiency and flexibility (Ross 2003).

This leveraging arises from the governance mechanisms adopted by organizations to facilitate IT

integration and in turn support ERM processes. This leads to the first hypothesis:

H1: Increases in enterprise risk management have a positive impact on information technology integration.

14

There is a general assumption that effective organizations have to cope with an

accelerating rate of change; and, in order to succeed in a given business environment, the

organization needs flexibility to adapt to the environment (Batra 2006). However, flexibility is

by design. Management must be concerned with the controllability or changeability of the

organization which is dependent on creating effective processes that foster flexibility (Batra

2006). The controllability aspect comes from effective ERM processes, (Treasury Board 2001)

while the IT integration designed to facilitate these ERM processes provides the monitoring to

ensure that the responses to the competitive environment are aligned with overall enterprise

strategy. This is consistent with Batras (2006) definition of flexibilitythe degree in which an

organization has the management capabilities to increase the control capacity in a timely fashion

to react to risks and opportunities. Thus, organizational strategic flexibility is reflective of an

ability to respond appropriately and timely to rapid changes in the competitive environment and

is dependent on the managerial capabilities and the organizational responsiveness (Volberda

1996). The continuous focus on timeliness is where the importance of strong IT integration

becomes apparent. IT flexibility and integration are key to facilitating a timely response to

changes in the environment. Without easy accessibility to enterprise-wide data on performance

and capabilities, an organization has little opportunity to respond to new product or service

opportunities that require high levels of organizational strategic flexibility (Swafford et al. 2006).

The focus on information accessibility from across the organization is consistent also

with the findings in the managerial control literature. First, this literature highlights the role of

effective managerial control for maintenance of strategic flexibility (Simon 1990; Davila 2000;

Chenhall 2003; Ditillo 2004; Naranjo-Gil and Hartman 2006). Second, the managerial control

literature points to the importance of diverse, accessible information. Broad-based information is

15

viewed as critical to strategically oriented firms (Bouwens and Abernethy 2000) and is necessary

to support organizational flexibility (Abernethy and Lillis 1995). This leads to the second

hypotheses:

H2: Increases in information technology integration have a positive impact on organizational strategic flexibility.

The use of this diverse information appears to be the source driving enhanced

organizational strategic flexibility. As the Treasury Board (2001) notes, risk management is the

systemic approach by which information is identified, assessed, and communicated in the

presence of environmental uncertainty. For effective ERM, this information flow and analysis

must be driven from an enterprise-wide view of easily accessible data. Nonetheless research

suggests that this relationship between ERM and organizational strategic flexibility is enhanced

through infrastructure standardization that facilitates the flow of information (Gattiker and

Goodhue 2005; Bendoly et al. 2007). Effective infrastructures both maintain routine control for

the organization and provide the means for adapting in the face of major changes (Bendoly et al.

2007). While effective ERM seems to be a precursor to the maintenance of organizational

strategic flexibility, the level of IT integration is the catalyst that allows for effective ERM and in

turn high levels of flexibility. That leads to the third hypothesis:

H3: Information technology integration mediates the impact of enterprise risk management on organizational strategic flexibility.

2.3 IT Integration, Flexibility & Supply Chain Performance

A growing body of literature that addresses the link between organizational strategic

flexibility and supply chain performance is currently emerging. As Palanisamy (2005) notes,

organizations look for flexibility to cope with environmental changes and thereby garner

competitive advantage. Flexibility does not necessarily imply added operational complexity

16

(Bendoly et al. 2007). At the same time, effective IT integration helps reduce this complexity

through easier and more timely access to information necessary to assess and react to risks (Rai

et al. 2006; Swafford 2006). Thus, the investment in technology is leveraged through the

existence of a flexible organization (Bendoly et al. 2007). Alternatively, firms lacking good IT

integration have difficulty supporting coordinated activities across the organization, which can

lead to inferior decision making (Bharadwaj et al. 2007). The result is a need for both

organizational strategic flexibility and IT integration for effective supply chain performance to

emerge.

Strategic flexibility allows the organization to respond to opportunities as they are

presented, whether they are client relationships, new product releases, or new partnering

relationships within supply chains (Swafford et al. 2006). Thus, strategic flexibility in itself

facilitates organizational effectiveness; and, for those companies integrated within supply chains,

this flexibility should enhance related performance (Batra 2006). High flexibility also allows an

organization to respond quickly to strategic moves by competitors and likewise should allow the

organization to initiate its own strategic moves in order to garner competitive advantage (Byrd

and Turner 2001; Swafford et al. 2006). In either case, organizational strategic flexibility should

enable a firm to maintain stronger supply chain performance. This leads to the fourth hypothesis:

H4: Increases in organizational strategic flexibility have a positive impact on supply chain performance

Likewise, broad IT integration should also facilitate supply chain performance (McAfee

2002; Cotteleer and Bendoly 2006). IT is rapidly becoming an integral part of the supply chain

process and IT enhances supply chain logistics by providing real-time information on product

capability for delivery and markets (Paulraj and Chen 2007). IT is critical as information is

fundamental to decision making across the supply chain (Byrd and Davidson 2003). However IT

17

integration itself doesnt drives the supply chain, but rather the organizations ability to leverage

and use that information does (Rai et al. 2006)e.g. organizational strategic flexibility. IT

integration at the enterprise-wide level is beneficial if that information can be leveraged. That

leads to our fifth hypothesis:

H5: Organizational strategic flexibility mediates the impact of information technology integration on supply chain performance.

2.4 ERM and Supply Chain Performance

Proponents of ERM argue that monitoring risk and opportunities makes ERM a

significant source of competitive advantage (Beasley et al. 2003); but, ERM is only effective in

the presence of broad based information and knowledge that allows an accurate and timely

picture of the risks and opportunities to be assessed (Sambamurthy and Zmud 2000; Pavlou and

El Sawy 2006). Thus, IT integration would be expected to mediate the relationship between

ERM and supply chain performance. That leads to the sixth and final hypothesis:

H6: Information technology integration mediates the impact of enterprise risk management on supply chain performance.

3.0 RESEARCH METHOD

The purpose of this study was to examine the roles of ERM, IT integration and

organizational strategic flexibility in advancing supply chain performance. Partial least squares

analysis (SmartPLS 2.0 2005) was used for construct validation, data analysis, and path analysis

for the theoretical model hypothesized in the current study. The remainder of this section

discusses participant characteristics, instrument development and validation, data analysis, and

the study results.

18

Participants

The Institute of Internal Auditors Research Foundation hosted the survey used in the

current study on their Global Audit Information Network (GAIN). GAIN emailed invitations to

participate in the survey to 1,383 chief audit executives (CAEs) and 251 members responded for

a total response rate of 18.1%. Of the 251 respondents, 7 respondents did not identify themselves

as audit executives or the equivalent and each reported less than 5 years experience, and 5

respondents did not complete the survey. These 12 respondents were excluded from further

analysis. The remaining data were examined to determine whether there were patterns to any

missing responses. A test of overall randomness found all missing responses were missing

completely at random (MCAR) (chi-square = 585.634 df = 609 p-value = 0.745) and the

expectation maximization algorithm (EM) (SPSS 15.0 2006) was used to calculate replacement

values (Hair et al. 2006). Because the goal of this study was to examine factors affecting

organizations supply chain performance, participants indicating that more than 10% of the

survey measures were not applicable to their organization were also excluded from further

analysis; all of the subsequent analyses pertain to the remaining 155 participants.

Ninety of the participants in this study were employed at organizations that had

completed one or more filings consistent with section 404 of SOX and sixty-three were

employed at organizations that had not completed such a filing at the time of the survey.

Demographic data, shown in Table 1, reveals that 84.52% (131) of the participants had over ten

years of professional experience. The primary industries represented were manufacturing

(18.71%), insurance (16.77%), financial services (14.19%), and wholesale/retail (8.39%). One

hundred nine (70.3%) of the participants were male, 45 (29.0%) were female and 1 respondent

chose not to respond to this question on the survey.

19

[Insert Table 1 about here]

3.1 Survey Instrument

The online survey, which was hosted by GAIN, was designed to collect measures of the

latent variables as well as participant demographic data. As shown in Figure 2, the theoretical

model employed in this study depicts the hypothesized relationships between organizations

ERM processes, IT integration, organizational strategic flexibility, and supply chain

performance. Each item was measured using a five point Likert scale where 1 represented

strongly agree and 5 represented strongly disagree; 6 was used to allow participants to

participants to respond N/A Dont Know. The items used to measure these constructs and

descriptive statistics for each item are presented in Table 2.


Organizations adopt ERM to facilitate the holistic identification and assessments of risks

that can impact firm value. The COSO (2004) ERM Framework was used to develop the five

ERM measures employed in the current study. In developing the item measures for the construct,

discussions were conducted with six different organizations on their ERM implementations,

success level with ERM, and impact on SOX compliance difficulty. These discussions made it

clear that simply implementing the components of the COSO framework was inadequate and that

effectiveness was derived from the integration of the components and the flow of information to

top level management that could strategically address the risks and opportunities identified. As a

result, the item measures were designed to focus more on integrated objectives rather than

component parts with a desire for reflective measures rather than a component based formative

measure.

20

The measures of the IT integration construct combine two sub-components of Byrd and

Turners (2000) IT flexibility infrastructure and reflect the firms ability to engage in intra-

organization sharing of information. Organizational strategic flexibility is a measure of an

enterprises ability to manage the opportunities and challenges inherent in a competitive

environment. This study employs measures of organizational strategic flexibility consistent with

those previously validated by Cannon and St. John (2004). A supply chain represents the

integration of key business processes from end-user through original suppliers that provides

product, service, and information that add value for customers and other stakeholders. (Lambert

1998, p.1). The measures of supply chain performance are output measures, which were adapted

from Beamon (1999), and reflect the organizations ability to meet or exceed its customer service

goals and objectives. Item measures for all of the constructs are shown in Table 2.

3.2 Data Analysis

Because this study employed constructs that were both exogenous and endogenous (IT

integration and organizational strategic flexibility) and one of the latent variables (IT integration)

was formative rather than reflective, partial least squares analysis (SmartPLS 2.0 2005) was used

to both assess the reliability of the measurement model and test the structural model.

Initial data analysis revealed that four of the items shown in Table 2 were deemed not

applicable by more than 10% of the participants.4 A review of the industry demographics for this

study was consistent with non-applicability of these items; therefore, these items were also

dropped from further analyses. The N/A Dont Know responses for each of the remaining

4ThefirstitemwasOurorganizationconsistentlymeetsorexceedsourcorporategoalsforminimizingbackorders/stockouts;35.5%(55)selectednotapplicable.TheseconditemwasOurorganizationconsistentlymeetsorexceedsourcorporategoalsforminimizingshippingerror;32.3%(50)selectednotapplicable.ThethirditemwasDatareceivedbyourorganizationfromelectroniclinkswithoursupplychainpartnersarereliable;20%(31)selectednotapplicable.ThefourthitemwasNewlocationsoracquisitionsarequicklyassimilatedintoourITinfrastructure;10.3%(16)selectednotapplicable.

21

measures appear to be completely at random (chi-square = 708.295 df= 669 p-value =0.142) and

EM (SPSS 15.0 2006) was used for imputation of these data (Hair et al. 2006).

3.3 Measurement Model Reliability and Validity

In this study, factor loadings, composite construct reliability and average variance

extracted are employed to assess validity of the reflective constructs. As shown in Table 3, each

of the item measures has a standardized factor loading greater than 0.70. The related composite

construct reliability of each of the reflective constructs is greater than the recommended 0.70,

and the related average variance extracted is greater than or equal to 0.50 supporting the

convergent validity of the reflective constructs employed in this study (Fornell and Larcker

1981).


IT integration, a formative construct, combines measures of IT connectivity and IT

compatibility adapted from Byrd and Turner (2000), thus these measures represent different

facets of IT integration; the weights for the formative measures of IT integration are presented in

Table 4. Because a formative construct is specified as a multiple regression equation

(Diamantopoulos et al. 2008) it is important to rule out multicollinearity. Variance inflation

factors were calculated for each of the 10 indicators of IT integration, first using a measure of

organizational strategic flexibility and then using a measure of supply chain performance. As

shown in Table 5, the maximum variance inflation factor was 2.7 which is below thethreshold of

3.3 and therefore all ten items were retained in the model (Petter et al. 2007).5



5Hairetal.(2006)suggesttheVIFshouldbelessthan10.0,however,Petteretal.(2007)suggestamorestringentthresholdof3.3duetogreatermulticollinearityconcernswhenusingformativemeasures.

22

Construct discriminant validity provides evidence that the latent variables in the

measurement model are unique and distinct (Hair et al. 2006). As shown in Table 6, the average

variance extracted for each latent variable is greater than the related squared inter-construct

correlations indicating discriminant validity (Hair et al. 2006). In addition, the maximum inter-

construct correlation of 0.68, shown in Table 7, is below the standard threshold of 0.85, which

also supports construct discriminant validity (Kline 2005).



4. RESULTS

This study examines the relationships between organizations effectiveness of ERM

integration, IT integration, strategic organizational flexibility and the strengthening of supply

chain performance. The theoretical model proposed employs both reflexive and formative

constructs necessitating the use of PLS, thus parametric testing is not appropriate; bootstrapping

(500 samples with replacement) was used to calculate t-statistics and standard errors

(Diamantopoulos and Winklhofer 2001). PLS path analysis results (i.e. standardized beta

coefficients, t-values and construct R2) are presented in Figure 3.


H1 posits that increases in ERM have a positive impact on IT integration (Figure 2).

Analysis indicates that the standardized path coefficient of H1 (+0.682 t-value = 15.055) is

significant (p-value=0.01) and in the hypothesized direction, providing support for H1.

H2 states that increases IT integration positively impact organizational strategic

flexibility. The standardized path coefficient of H2 (+0. 656 t-value = 7.386) is also significant

(p-value=0.01) and in the hypothesized direction, providing support for H2.

23

H3 states that IT integration mediates the impact of ERM on organizational strategic

flexibility. Three conditions must be met to support a mediation effect (Baron and Kenney 1986).

First, there must be a significant relationship between ERM and IT integration; as noted

previously, H1 provides support for this condition. The next condition requires a significant

relationship between IT integration and organizational strategic flexibility; H2 provides support

for this condition. The third condition requires that when a relationship between ERM and IT

integration is included in the model, a relationship between ERM and organizational strategic

flexibility that was previously significant become less significant. This condition is also satisfied

as shown in Figure 4. For IT integration to mediate the impact of ERM on organizational

strategic flexibility, H1 and H2 should have significant path coefficients while the coefficient for

H3 decreases. Figure 4 suggests that IT integration fully mediates the effect of ERM on

organizational strategic flexibility (i.e. the H3 path coefficient is not significant, t-value = 0.546).

Results of the Sobel test (z-value = 7.314466, p-value =0.000001) confirm the full mediation

effect.


H4 posits that increases in organizational strategic flexibility have a positive impact on

supply chain performance. Analysis indicates that the standardized path coefficient of H4 (+0.377

t-value = 4.189) is significant (p-value=0.01) and in the hypothesized direction, providing

support for H4.

H5 states that organizational strategic flexibility mediates the impact of IT integration on

supply chain performance. As noted previously, there are the three conditions necessary to

support a mediation effect (Baron and Kenney 1986). The first condition requires a significant

relationship between IT integration and organizational strategic flexibility; as shown in Figure 5,

24

H2 provides support for this condition. The second condition requires a significant relationship

between organizational strategic flexibility and supply chain performance; H4 provides support

for this condition. The third condition requires that a significant relationship between IT

integration and supply chain performance become less significant when a relationship between

IT integration and organizational flexibility is included in the model. As shown in Figure 5, the t-

value decreases from 11.545 to 3.576 but the relationship between IT integration is still

significant, This significant relationship suggest that organizational strategic flexibility partially

mediates the impact of IT integration on supply chain performance. Results of the Sobel test (z-

value = 3.936834, p-value =0.000083) confirm the partial mediation effect.


H6 posits that IT integration mediates the impact of ERM on supply chain performance.

Once again, the conditions necessary to support a mediation effect are evaluated (Baron and

Kenney 1986).The first condition, which is that there must be a significant relationship between

ERM and IT integration, is satisfied by H1. The second condition, which requires a significant

relationship between IT integration and supply chain performance, is satisfied by H5. The third

condition requires that the inclusion of a relationship between ERM and IT integration causes the

previously significant relationship between ERM and supply chain performance become less

significant. Figure 6 indicates that IT integration fully mediates the effect of ERM on supply

chain performance; the H6 path t-value is reduced from 7.810 to 1.568. Results of Sobel test (z-

value = 5.638984, p-value =0.000001) confirm the full mediation effect.

[Insert Figure 6 here]

Overall the model has strong explanatory power. As demonstrated in Figure 3, ERM, IT

integration and organization strategic flexibility jointly explain 43.5% of the variation in supply

25

chain performance. Furthermore, ERM and IT integration jointly explain 41.9% of the variation

in organizational strategic flexibility, as shown by organizational strategic flexibilitys R2 of

0.419; while IT integrations R2 of 0.465 displays ERM singularly explaining 46.5% of the

variation in IT integration. The strong explanatory power of ERM upon and through the other

firm competencies provides very strong support for the theory of capability building and

entrepreneurial action.

5.0 SUMMARY AND DISCUSSION

The results of this study reveal the complex interrelationships that tie ERM and

organizational strategic flexibility together to provide a better understanding of their role in

supporting supply chain performance. The results show strong effects supporting the underlying

theory on capability-building for entrepreneurial action with a specific view towards ERM as a

positive factor in promoting both organizational strategic flexibility and supply chain

performance. However, importantly, IT integration was fundamental to all of the relationships in

the model. This indicates that strong IT integration and sharing of data through enterprise-wide

systems is critical to maximizing the value of ERM activities on both flexibility and

performance.

5.1 Limitations and Related Opportunities for Future Research

Before reviewing the implications of the research findings, the limitations of the research

that should be considered when weighing the results and considering future related research are

briefly outlined in this subsection. First, the use of a single informant to evaluate the various

dimensions of organizational structure and performance could be subject to common method

bias. However, the testing of the underlying dimensions of the various constructs should

minimize these concerns. Additionally, the access we were given to a C-level executive (i.e. the

26

Chief Audit Executive) who has primary responsibility for assessing, and in some cases

implementing, risk management procedures as well as assessing the efficiency and effectiveness

of operations provides access to the individual in the best position to assess the various

dimensions of the conceptual model.

Second, our measurement variables included constructs that were developed specifically

for this research and had not been previously validated. Additionally, our item measures for the

ERM construct adhere strictly to contemporary thinking on the need for an enterprise risk focus

and the relative newness of this concept may lead to the need for this particular construct to

evolve over time as ERM theory develops and further evolves. However, each of the constructs

that were developed, including ERM, evolved from existing theory on the underlying

components and characteristics of the constructs. Nonetheless, future use of these constructs in

other research studies will help over time to assess the robustness of the constructs both

temporally and across a variety of respondent types.

Third, our application of the theory on capability-building for entrepreneurial action takes

a slightly narrower view than the more general theory. The use of ERM as an operationalization

for entrepreneurial alertness is slightly narrower in scope. Likewise, the use of organizational

strategic flexibility to operationalize agility focuses on the reactive part of agility more than the

timeliness of reaction component. Finally, our focus on supply chain performance as the

competitive action of interest is only one of many competitive actions that will be of interest to

an organization. Further tests of Sambamurthy et al.s (2003) theory should consider the

appropriate operationalization of variables, especially in relation to the dependent variable (i.e.

competitive action) of interest.

27

5.2 Contributions and Implications for Theory

This study examined a theory of capability-building for entrepreneurial action that views

processes designed to facilitate entrepreneurial alertness as fundamental to the building on and

interrelationships between leveraging of IT capability, organizational agility, and resulting

competitive actions (Sambamurthy et al. 2003). ERM was introduced as a widely adopted

technique by many organizations for facilitating improved entrepreneurial alertness. In the face

of relatively new compliance requirements instigated by the passage of SOX and its related

requirements for compliance reporting on financial control systems, most organizations have

focused on applying COSOs (2004) ERM framework as the foundation for ensuring appropriate

compliance. Additionally, regulatory mandates at the stock exchange level (e.g. New York Stock

Exchange) have further highlighted the risk management aspects of control systems (Beasley et

al. 2005).

The results provide strong support for the underlying theory. Stronger ERM processes

provide enhanced leveraging of enterprise-wide data sharing capability, higher levels of strategic

flexibility, and higher levels of supply change performance. IT integrations mediation effects

demonstrate the significance of a strong IT platform to future strategic purposes. This is

consistent with the real options theoretical lens, which views IT as a resource that should be

developed to provide future flexibility and competitive advantage (Sambamurthy and Zmud

2000). The results related to organizational strategic flexibility highlight a major component of

organizational agility and demonstrate the enhancing effects of both ERM and IT integration on

agility. This result is consistent with findings in managerial control research that suggests higher

levels of information availability are needed to maintain flexibility in strategic-oriented

organizations (Bouwens and Abernethy 2000; Abernethy and Lillis 1995). Our study improves

28

the understanding of this relationship by using the theory of capability-building and

entrepreneurial action to operationalize a model that demonstrates IT integration as the mediating

construct between managerial control processes and organizational strategic flexibility.

The study also focuses on one type of competitive action which is improved supply chain

performancea significant competitive issue for most organizations in todays interlinked

business world (e.g. Sutton et al. 2008). The results related to supply chain performance

demonstrate both the interactive effect of ERM and IT integration on supply chain performance

and the mediating effect of strategic flexibility on the relationship between IT integration and

supply chain performance. The complexity of these interrelationships highlights the richness of

the theory on capability-building for entrepreneurial action and strongly supports the

theorizations on the relationships. Relatedly, both the theory and our highly integrated model

operationalizing the theory highlight the complexity of organizations and the need for more

complex research models in order to understand these intra-organizational relationships.

5.3 Implications for Practice

From a practice standpoint, this research directly addresses concerns that have been

widely voiced in the business press as to the deleterious effect of SOX control compliance on

organizations flexibility and supply chain performance (e.g. Banham 2003; Katz 2003; Reason

2006; Schumer-Bloomberg-McKinsey 2007). Our results extend the preliminary case research

findings reported by Arnold et al. (2007) indicating that organizations that struggled through the

compliance process often had poor ERM processes in place when the compliance process started,

tended to react by implementing manual control processes that could be achieved quicker that

through integration of automation through IT systems, and ultimately suffered competitive

disadvantages from more rigid, restrictive processes coupled with reduced response time within

29

supply chain activities. Alternatively, Arnold et al. (2007) found that organizations that began

compliance with better risk management processes and automated more of their control

processes did not experience such negative competitive effects. As Robey and Boudreau (1999)

note, these contradictory experiences with organizations can be confusing absent a good

theoretical understanding of the organizational structures that surround these results. The

application of the theory of capability-building for entrepreneurial action provides a basis for

understanding these contradictory effects. Our results based on that theory add clarity to these

earlier findings by highlighting the interactive effects of strong ERM processes and strong IT

integration on the facilitation of strategic flexibility and ultimately on enhanced supply chain

performance.

Taken as a whole, the results of the research help explain the differential experiences of

companies during the SOX compliance process. Companies that effectively implemented ERM

processes, not just implementing the basic standalone processes but also integrating them to

derive strong entrepreneurial alertness, experienced higher levels of flexibility and higher levels

of competitive performance. But, this effect of ERM on flexibility and performance was heavily

dependent on the level of IT integration (e.g. IT compatibility and IT connectivity). This is

consistent with the case findings of Arnold et al. (2007), but our research isolates the effects that

are driving the observed phenomena and provides a theoretical basis for understanding the

inherent relationships.

For practice, our results add to the body of literature suggesting that IT value often comes

from the future leveraging of those systems to facilitate operational and strategic activities. From

a SOX perspective, our results suggest that effective ERM processes represent one more type of

strategic management activity that is enabled by strong IT integration; and, this synergy is

30

necessary to gain value from SOX compliance efforts. Our results also reinforce the importance

of strong ERM processes to first identifying and monitoring both internal and external risks and

opportunities, and second in facilitating an organizations ability to take strategically appropriate

competitive action.

31

REFERENCES

Abernethy, M.A. and A.M. Lillis. 1995. The impact of manufacturing flexibility on management control systems design. Accounting Organizations and Society 20(4): 241-258.

Arnold, V., T.S. Benford, J. Canada, J.R. Kuhn Jr., and S.G. Sutton. 2007. The Unintended Consequences of Sarbanes-Oxley on Technology Innovation and Supply Chain Integration. Journal of Emerging Technologies in Accounting 4: pp. 103-121.

Banham, R. 2003. Fear Factor: Sarbanes-Oxley Offers One More Reason To Tackle Enterprise Risk Management. CFO Magazine (June 1).

Banker, R.D., I. Bardhan, H. Chang, and S. Lin. 2006. Plant Information Systems, Manufacturing Capabilities, and Plant Performance. MIS Quarterly 30(2): 315-337.

Baron, R. M. and D. A Kenny. 1986. The Moderator-Mediator Variable Distinction in Social Psychological Research: Conceptual, Strategic, and Statistical Considerations. Journal of Personality and Social Psychology. 51(6) 1173-1182.

Batra, S. 2006. Impact of Information Technology on Organizational Effectiveness: A Conceptual Framework Incorporating Organizational Flexibility. Global Journal of Flexible Systems Management 7(1/2): pp. 15-25.

Beamon, B., 1999. Measuring Supply Chain Performance. International Journal of Operations and Production Management 19(3):

Bendoly, E., A. Citurs, and B. Konsynski. 2007. Internal Infrastructure Impacts on RFID Perceptions and Commitment: Knowledge, Operational Procedures, and Information-Processing Standards. Decision Sciences 38(3): pp. 423-449.

Bharadwaj, S., A. Bharadwaj, and E. Bendoly. 2007. The Performance Effects of Complementarities Between Information Systems, Marketing, Manufacturing, and Supply Chain Processes. Information Systems Research 18(4): pp. 437-453.

Boh, W.F. and D. Yellin. 2006-7. Using Enterprise Architecture Standards in Managing Information Technology. Journal of Management Information Systems 23(3): pp. 163-207.

Bouwens, J. and M. A. Abernethy. 2000. The consequences of customization on management accounting system design. Accounting Organizations and Society 25: 221-241.

Brown, C.V. 1999. Horizontal Mechanisms Under Differing IS Organization Contexts. MIS Quarterly 23(3): pp. 421-454.

Byrd, T. A. and N.W. Davidson. 2003. Examining Possible Antecedents of IT Impact on the Supply Chain and Its Effect on Firm Performance. Information & Management 41: pp. 243-255.

Byrd, T. A. and D. E. Turner. 2000. Measuring the flexibility of information technology infrastructure: Exploratory Analysis of a Construct. Journal of Management Information Systems; Summer Vol. 17, No. 1, 167-208.

Cannon, A. R. and St. John, C. H. (2004) Competitive Strategy and Plant Level Flexibility. International Journal of Production Research, 42(10): pp 1987-2007.

32

Chenhall, R.H. 2003. Management control systems design within its organizational context: findings from contingency-based research and directions for the future. Accounting Organizations and Society 28: 127-168.

Clark, C.E., N.C. Cavanaugh, C.V. Brown, and V. Sambamurthy. 1997. Building Change-readiness Capabilities in the IS Organization: Insights from the Bell Atlantic Experience. MIS Quarterly 21(4): 425-455.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal Control Integrated Framework. American Institute of Certified Public Accountants.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. Enterprise Risk Management Integrated Framework. (Committee of Sponsoring Organizations of the Treadway Commission, AICPA: New York).

Cotteleer, M.J. and E. Bendoly. 2006. Order Lead-Time Improvement Following Enterprise Information Technology Implementation: An Empirical Study. MIS Quarterly 30(3): 643-660.

Davila, T. 2000. An empirical study on the drivers of management control systems design in new product development. Accounting Organizations and Society 25: 383-409.

Diamantopoulos, A., R. Riefler, K.P. Roth. 2008. Advancing formative measurement models.

Journal of business Research. In Press. ____________ H. Winklhofer. 2001. Index construction with formative indicators: An

alternative to scale development. Journal of Marketing Research 38(2). Ditillo, A. 2004. Dealing with uncertainty in knowledge-intensive firms: the role of management

control systems as knowledge integration mechanisms. Accounting Organizations and Society 29: 401-421.

Fornell, C. and D. F. Larcker. 1981. Evaluating Structural Equation Models with Unobservable

Variables and Measurement Error. Journal of Marketing Research, 18(1) 39-50. Frie, F.X., R. Kalakota, A.J. Leone, L.M. Marx. 1999. Process Variation as a Determinant of

Bank Performance Management Science 45(9): pp. 1210-1220. Gattiker, T. and D. Goodhue. 2005. What Happens after ERP Implementation: Understanding

the Impact of Interdependence and Differentiation on Plant-Level Outcomes. MIS Quarterly 29(3): pp. 559-585.

Hair, J. F., Black, W. C., Babin, B. J., Anderson, R. E., & Tathan, R. L. (2006). Multivariate Data Analysis. Upper Saddle River, NJ: Pearson Education Inc

Institute of Internal Auditors. 2004. Position Statement: The Role of Internal Audit in Enterprise-wide Risk Management. (Institute of Internal Auditors: Altamonte Springs, FL).

Katz, D.M. 2003. What You Dont Know About Sarbanes-Oxley: Snares, Pitfalls, and Trapdoors. CFO.com (April 22).

Katz, D.M. 2006. Panels on 404 skirt small-company woes. CFO.com (May 02).

33

Kline, R. B. 2005. Principles and Practice of Structural Equation Modeling, Second Edition. (The Guilford Press: New York)

Kohli, R. and S. Devaraj. 2003. Measuring Information Technology Payoff: A Meta-Analysis of Structural Variables in Firm-Level Empirical Research. Information Systems Research 14(2): pp. 127-145.

Lambert, D.M., M.C. Cooper, J.D. J.D. Pagh. 1998. Supply Chain management: Implementation issues and research opportunities. International Journal of Logistics Management. 9(2)

Levine, R. 2004. Risk management systems: understanding the need. EDPACS 32(2): 1-13. Liebenberg, A.P. and R.E. Hoyt. 2003. The Determinants of Enterprise Risk Management:

Evidence From the Appointment of Chief Risk Officers. Risk Management and Insurance Review 6(1): pp. 37-52.

McAfee, A. 2002. The Impact of Enterprise Information Technology Adoption on Operational Performance: An Empirical Investigation. Production and Operations Management 11(1): pp. 1-21.

Melville, N., K. Kraemer, and V. Gurbaxani. 2004. Information technology and organizational performance: an integrative model of IT business value. MIS Quarterly 28(2): 283-322.

Naranjo-Gil, D. and F. Hartmann. 2006. How top management teams use management accounting systems to implement strategy. Journal of Management Accounting Research 18: 21-53.

Naranjo-Gil, D. and F. Hartmann. 2007. Management accounting systems, top management team heterogeneity and strategic change. Accounting Organizations and Society 32: 735-756.

OLeary, D.E. 2000. Enterprise Resource Planning Systems: Systems, Life Cycle, Electronic Commerce, and Risk. (Cambridge University Press: New York).

Palanisamy, R. 2005. Strategic Information Systems Planning Model for Building Flexibility and Success. Industrial Management and Data Systems 105(1): 63-81.

Paulraj, A. and I.J. Chen. 2007. Strategic Buyer-Supplier Relationships, Information Technology and External Logistics Integration. The Journal of Supply Chain Management (Spring): pp. 2-14.

Petter, S., D. Straub, and A. Rai. 2007. Specifying Formative Constructs in Information Systems Research. MIS Quarterly 31(4): pp. 623-656.

Peterson, R. 2004. Crafting Information Technology Governance. Information Systems Management 21(4): pp. 7-22.

Rai, A., R. Patnayakuni, and N. Seth. 2006. Firm Performance Impacts of Digitally Enabled Supply Chain Integration Capabilities. MIS Quarterly 30(2): pp. 225-246.

Rai, A. and V. Sambamurthy. 2006. Editorial NotesThe Growth of Interest in Services Management: Opportunities for Information Systems Scholars. Information Systems Research 17(4): pp. 327-331.

Reason, T. 2006. Cry of pain from small companies. CFO.com (May 10).

34

Robey, D. and M.C. Boudreau. 1999. Accounting for the Contradictory Organizational Consequences of Information Technology: Theoretical Directions and Methodological Implications. Information Systems Research 10(2): pp. 167-185.

Ross, J.W. 2003. Creating a Strategic IT Architecture Competency: Learning in Stages MIS Quarterly Executive 2(1): pp. 31-43.

Sambamurthy, V. and R.W. Zmud. 1999. Arrangements for Information Technology Governance: A Theory of Multiple Contingencies. MIS Quarterly 23(2): pp.261-290.

Sambamurthy, V. and R.W. Zmud. 1999. Research commentary: The Organizing Logic for an Enterprises IT Activities in the Digital EraA Prognosis for Practice and a Call for Research. Information Systems Research 11(2): pp.105-114.

Sambamurthy, V., A. Bharadwaj, and V. Grover. 2003. Shaping agility through digital options: Reconceptualizing the role of information technology in contemporary firms. MIS Quarterly 27 (2): 237-263.

Schumer, C.E., M.R. Bloomberg, and McKinsey Consulting. 2007. Sustaining New Yorks and the U.S. Global Financial Services Leadership. U.S. Senate www.senate.gov/~schumer (January 22).

Sutton, S.G. and V. Arnold. 2005. The Sarbanes-Oxley Act and the Changing Role of the CIO and the IT Function. International Journal of Business Information Systems 1(1/2) : 118-128.

Sutton, S.G., D. Khazanchi, C. Hampton and V. Arnold. 2008. Risk Analysis in Extended Enterprise Environments: Identification of Critical Risk Factors in B2B E-Commerce Relationships. Journal of the Association for Information Systems 9(3/4): pp. 151-174.

Swafford, P.M., S. Ghosh, and N. Murthy. 2006. The Antecedents of Supply Chain Agility of a Firm: Scale Development and Model Testing. Journal of Operations Management 24: pp. 170-188.

Voberda, H.W. 1996. Toward the Flexible Form: How to Remain Vital in Hypercompetitive Environments. Organization Science 7(4): 359-374.

Xue, Y., H. Liang, W.R. Boulton. 2008. Information Technology Governance in Information Technology Investment Decision Processes: The Impact of Investment Characteristics, External Environment, and Internal Context. MIS Quarterly 32(1): pp. 67-96.

35

Figure 1 Capability-Building and Entrepreneurial Action Reproduced from Sambamurthy, Bharadwaj & Grover, 2003.

Capability-Building Processes Entrepreneurial Action Processes

IT COMPETENCE Investment scale IT capabilities

DIGITAL OPTIONS Process reach Process richness Knowledge reach Knowledge richness

AGILITY Customer agility Partnering agility Operational agility

COMPETITIVE ACTIONS Number of actions Complexity of action

repertoire

ENTREPRENEURIAL ALERTNESS Strategic foresight Systemic insight

36

Figure 2: Research Model on the Role of ERM and IT Flexibility

37

Figure 3 Structural Model Results

38

Figure 4 Structural Model Test of Mediating Effects of IT Compatibility on Organizational Strategic Flexibility

39

Figure 5 Structural Model Test of Mediating Effects of Organizational Strategic Flexibility on Supply Chain Performance

40

Figure 6 Structural Model Test of Mediating Effects of IT Compatibility on Supply Chain Performance

Supply Chain Performance

Information Technology Integration

Enterprise Risk Management H6+0.493

t-value =7.810**


Enterprise Risk Management

H1+0.690

t-value =16.139**

H6+0.141

t-value =1.568

H5+0.498

t-value =5.882**

* p-value = 0.05** p-value = 0.01

41

Table 1 Participant Demographics

Category Frequency Percentage N = 155

Gender Male 109 70.3% Female 45 29.0% Not answered 1 0.7%

Age

25 to 40 years 32 20.65% 40+ years 119 76.77% Not answered 4 2.58%

Experience

3 to 10 years 24 15.48% 10+ years 131 84.52%

Industry

Manufacturing 29 18.71% Insurance 26 16.77% Financial/real estate 22 14.19% Wholesale/retail 13 8.39% Technology 12 7.74% Utilities 11 7.10% Health 7 4.52% Communication 4 2.58% Aerospace & defense 4 2.58% Transportation 4 2.58% All other 23 14.84%

Organizational Structure

Publicly traded 90 58.06% Not publicly traded 63 40.65% Not answered 2 1.29%

42

Table 2 Descriptive Statistics

Variable Measures Min Mean Median Max Std dev.

Enterprise Risk Management (ERM) Process

1. Our organization performs a thorough enterprise-wide risk assessment at least once a year

1 3.46 4.00 5 1.337

2. The strength of our internal control system enhances our organizations ability to identity events that may affect the achievement of our objectives

1 2.86 3.00 5 1.047

3. Our organization regularly evaluates the effectiveness of internal controls to mitigate identified risks

1 2.88 3.00 5 1.213

4. Management has effective processes to respond to identified risks 1 2.97 3.00 5 1.090

5. Our risk management procedures provide the necessary information top management needs to monitor changes that could impact our organizations well-being.

1 3.06 3.00 5 1.062

IT Integration

1. Compared to rivals in our industry, our organization has the foremost in available IT systems

1 3.01 1.00 5 0.822

2. User-friendly electronic links exist between our organization and its supply chain partners

1 2.96 1.00 5 0.558

3. Our organization formally addresses the issue of data security 1 2.34 1.00 5 0.704

4. All remote, branch, and mobile offices are electronically connected to the central office

1 1.96 2.00 5 1.240

5. There are numerous identifiable communication bottlenecks within our organization

1 2.77 1.00 5 0.790

6. New locations or acquisitions are quickly assimilated into our IT infrastructure (D)

7. Remote, branch, and mobile offices have easy access to data from the home or central office

1 2.41 2.00 5 1.138

8. Our organization's ability to make rapid IT change is high 1 2.55 3.00 5 1.007

43

9. Information is shared seamlessly across our organization, regardless of the location

1 2.92 3.00 5 1.084

10. Our organization offers a wide variety of types of information to end users (e.g. multimedia) (D)

11. Our user interfaces provide transparent access to all applications. 1 3.37 3.00 5 1.093

12. Data received by our organization from electronic links with supply-chain partners are reliable

1 3.03 3.00 5 1.151

Organizational Strategic Flexibility

1. Our organization has difficulty maximizing new market opportunities (RC)

1 2.50 2.00 5 1.085

2. Our organization is able to introduce new products/services 1 2.23 2.00 5 1.023

3. Our organization has difficulty accommodating major changes in basic product designs or service offerings (RC)

1 2.38 2.00 5 1.081

4. Our organization is able to manage the impact of serving new classes of customers

1 2.44 2.00 5 0.995


1. Our organization consistently meets or exceeds our corporate goals for the proportion of product/service orders immediately filled

1 2.36 2.00 5 0.966

2. Our organization consistently meets or exceeds our corporate goals for on-time delivery of products/services

1 2.40 2.00 5 0.966

3. Our organization consistently meets or exceeds our corporate goals for minimizing back-orders/stock-outs. (D)

4. Our organization consistently meets or exceeds our corporate goals for customer response time (the time between an order and its delivery).

1 2.35 2.00 5 0.909

5. Our organization consistently meets or exceeds our corporate goals for minimizing the total amount of time required to produce an item or provide a service.

1 2.50 2.00 5 0.985

6. Our organization consistently meets or exceeds our corporate goals for minimizing shipping errors. (D)

44

7. Our organization consistently meets or exceeds our corporate goals for minimizing goals for customer complaints

1 2.42 2.00 5 0.940

RC: Items reverse coded D: Items dropped due to volume of not applicable/dont know responses; items not included in data analyses Scale: 1 through 5 were 1 equals Strongly Agree and 5 equals Strongly Disagree

45

Table 3 Tests of Convergent Validity

Variable Measures Factor Loading

Construct Composite Reliability

Average Variance Extracted

Enterprise Risk Management (ERM) Process 0.9365 0.7480

1. Our organization performs a thorough enterprise-wide risk assessment at least once a year 0.7329

2. The strength of our internal control system enhances our organizations ability to identity events that may affect the achievement of our objectives

0.8899

3. Our organization regularly evaluates the effectiveness of internal controls to mitigate identified risks 0.8780

4. Management has effective processes to respond to identified risks 0.9244

5. Our risk management procedures provide the necessary information top management needs to monitor changes that could impact our organizations well-being.

0.8864

Organizational Strategic Flexibility 0.8408 0.5692

1. Our organization has difficulty maximizing new market opportunities (RC) 0.7486

2. Our organization is able to introduce new products/services 0.7339

3. Our organization has difficulty accommodating major changes in basic product designs or service offerings (RC)

0.7557

4. Our organization is able to manage the impact of serving new classes of customers 0.7789

Supply Chain Performance 0.9456 0.7773

1. Our organization consistently meets or exceeds our corporate goals for the proportion of product/service orders immediately filled

0.8927

2. Our organization consistently meets or exceeds our corporate goals for on-time delivery of products/services 0.9296

3. Our organization consistently meets or exceeds our corporate goals for customer response time (the time between an order and its delivery).

0.9046

4. Our organization consistently meets or exceeds our corporate goals for minimizing the total amount of time required to produce an item or provide a service.

0.8931

5. Our organization consistently meets or exceeds our corporate goals for minimizing goals for customer complaints

0.7806

RC: reverse coded

46

Table 4 IT Integration

IT Integration Formative Measures Weights

1. Compared to rivals in our industry, our organization has the foremost in available IT systems 0.064908

2. User-friendly electronic links exist between our organization and its supply chain partners 0.267506

3. Our organization formally addresses the issue of data security 0.318061

4. All remote, branch, and mobile offices are electronically connected to the central office 0.038028

5. There are numerous identifiable communication bottlenecks within our organization 0.277407


7. Remote, branch, and mobile offices have easy access to data from the home or central office 0.285407

8. Our organization offers a wide variety of types of information to end users (e.g. multimedia) 0.04279

9. Our user interfaces provide transparent access to all applications -0.14486

10. Data received by our organization from electronic links with our supply-chain partners are reliable (D)

11. Our organizations ability to make rapid IT change is high 0.16233

12. Information is shared seamlessly across our organization, regardless of the location 0.158774

47

Table 5 Tests of Multicollinearity

IT Integration Formative Measures

Variance Inflation Factor

(Dependent variable = Organizational

Strategic Flexibility)

Variance Inflation Factor

(Dependent variable = Supply Chain Performance)

1. Compared to rivals in our industry, our organization has the foremost in available IT systems

1.807 1.807

2. User-friendly electronic links exist between our organization and its supply chain partners 1.925 1.925

3. Our organization formally addresses the issue of data security 1.624 1.624

4. All remote, branch, and mobile offices are electronically connected to the central office 1.961 1.961

5. There are numerous identifiable communication bottlenecks within our organization

1.392 1.392


7. Remote, branch, and mobile offices have easy access to data from the home or central office

2.347 2.347

8. Our organization offers a wide variety of types of information to end users (e.g. multimedia)

2.114 2.114

9. Our user interfaces provide transparent access to all applications 2.164 2.164

10. Data received by our organization from electronic links with our supply-chain partners are reliable (D)

11. Our organizations ability to make rapid IT change is high 2.570 2.570

12. Information is shared seamlessly across our organization, regardless of the location 2.723 2.723

48

Table 6 Tests of Discriminant Validity

ERM

Organizational Strategic

Flexibility Supply Chain Performance

Average Variance Extracted 0.748041 0.569175 0.777269 SQUARED INTER-CONSTRUCT CORRELATIONS ERM 1.00 Organizational Strategic Flexibility 0.189349 1.00 Supply Chain Performance 0.236413 0.352501 1.00

49

Table 7 Inter-Construct Correlations

ERM IT IntegrationOrganizational

Strategic Flexibility Supply Chain Performance

ERM 1.000000 IT Integration 0.682187 1.000000 Organizational Strategic Flexibility 0.435142 0.647511 1.000000

Supply Chain Performance 0.486223 0.580876 0.593718 1.000000

Documents

زيادة المرونة الستراتيجية في اطار التمكين