Risk severity matrix.
Risk management is extremely important in achieving overall organizational goals and objectives. Achieving organizational goals amid risks entails determining and implementing critical success factors (CSFs). This chapter presents composite CSFs which organizations can focus on to achieve their overall goals and objectives by portraying a case study of the construction industry. Using this case study reveals statistical significance of impact of risk management on the project as reduction in design/production time, improved public perception, and improved team morale and productivity. Similarly, CSFs mostly implemented are awareness of risk management processes, appreciating that risk management practice is viable in the construction industry, organizations have policies to support the development of risk management and organization deal with internal/external environment that influences risk management in their organizations. The chapter also presents nine composite CSFs determined by the case study namely: management approach; goals and objectives of the organization; risk management policy and experts; information technology and culture; environment and usage of tools; teamwork and commitment of the top management; communication and training; awareness of risk management process and legal requirements; and risk monitoring and review. Lastly, the conclusion is drawn on nine composite CSFs for effective risk management.
- critical success factors
1. Risk management
Formal risk management is extremely important in achieving overall organizational goals and objectives. Risk management involves actions of identifying, analyzing, and controlling risks by organizations. Organizations undertake risk management to maximize opportunities and minimize consequences of events that may arise when implementing activities geared to achieving their goals and objectives. PMI  defines project risk management as the processes of conducting risk management planning, identification, analysis, response planning, and controlling risk on a project. Other explanations of risk management are found in the work of Berg  and Harry et al. . Berg  explains that risk management is a systematic approach to set the best course of action under uncertainty by identifying, assessing, understanding, acting on and communicating risk issues. Harry et al.  point out that risk management is a continuous process where the sources of uncertainties are systematically identified, their impact assessed and qualified and their effect and likelihood managed to produce an acceptable balance between the risks and opportunities. Smith  explains that although there are inconsistencies between the definitions, there are noted similarities such as: it is a formal process; employs systematic and scientific methods; aims to identify risks in an operation or business; evaluates the importance or impact of those risks on the operation or business; provides mechanisms to control the individual risk to provide an acceptable level of overall exposure; and is not a one-off event. PMI  states that the objectives of project risk management are to increase the likelihood and impact of positive events and to decrease the likelihood and impact of negative events in the project. Generally, the risk management process mainly involves risk planning, assessment (identification and analysis), ranking, treatment and monitoring. The risk management process has been expanded by Berg , AbouRizk  and PMI  to include establishing goals and context (i.e., the risk environment) and preparation for risk analysis. Techniques for risk identification, analysis and handling are traced in risk management books and chapters, as well as researches conducted by Cagliano et al. , Chinenye et al.  and PMI . Techniques for risk identification include but not limited to:
Information gathering techniques
Root cause analysis
SWOT analysis (strength, weakness, opportunities and threats)
Techniques for risk analysis both quantitative and qualitative include but not limited to:
Decision tree analysis
Expected monetary value (EMV) analysis
SWOT analysis (strength, weakness, opportunities and threats)
Risk handling techniques normally adopted during risk management are:
Risk reduction (mitigation)
Risk transfer (sharing)
Risk retention (acceptance/assumption)
In addition, Habib & Rashid  present another approach of risk handling techniques used in their study such as shape and mitigate (SMT), shift and allocate (SAT), influence and transfer (ITT) and diversify through portfolio (DTP) which they related to project outcomes. PMI  classifies risk handling options into risk strategies for dealing with negative risks or threats and those for dealing positive risks. While strategies for dealing with negative risks remain to be those listed in other studies, strategies for dealing with positives risks are exploit, enhance, share and accept. The use of any of these handling measures depends on the outcome of the analysis and rating of the risk. Qualitative and quantitative analyses determine the probability of occurrence of risk and its potential severity. Figure 1 summarizes a generic risk management process and Table 1 presents severity matrix used by organizations to decide on the handling option to follow.
1.1. Risk framework and risk register
Recent developments in audit services have led to certain public organizations in Tanzania to develop risk management frameworks and registers. Risk management frameworks and risk registers are the vital tools for an organization to implement risk management activities. The risk management framework is the document that guides the implementation of risk management activity. The risk management framework covers:
Scope in terms of organizational activities and stakeholders
Risk policy and appetite statements
Roles and responsibilities of various organs, top management and staff in risk management in an organization
Risk management procedures
Templates for risk identification and analysis sheet, risk register, risk treatment schedule and action plan and risk treatment implementation report
A risk register is a tool used in the risk management process to keep record of all identified risks and their respective corresponding mitigations or counter measures. It comprises of:
Organizational goals and objectives
Risk assessment methodology
Overall risk profile of an organization
Summary of risks
Details of risks in each organization objective
Risk assessment sheets indicating causes, consequences, rating and mitigations measures
Tables 2 , 3 , 4 , 5 show templates of risk identification and analysis sheet, risk register, risk treatment schedule and action plan and risk treatment implementation report adopted by some organizations.
|3||Moderate||Low||Moderate||High||Very high||Very high|
|5||Almost certain||Moderate||High||Very high||Extreme||Extreme|
|Provide a brief description of the risk|
|Include title of the person managing the risk and the area where the risk falls|
|Supporting owner(s)||Provide title of other persons affected by the risk|
|Is it a financial, technical etc.|
|List the objective impacted by the risk|
|Inherent risk analysis (tick the appropriate ratings basing on the scenario that current controls do not exist or completely fail)|
|Very high||High||Moderate||Low||Very low|
|Very high||High||Moderate||Low||Very low|
|□ Multiply the ratings from impact and likelihood.|
□; Shade this area with appropriate color
|Very high||High||Moderate||Low||Very low|
|Very high||High||Moderate||Low||Very low|
|□ Multiply the ratings from impact and likelihood.|
□ Shade this area with appropriate color
|Objective||Risk title||Type of risk||Risk ID||Risk assessment||Risk rating||Principal risk owner|
|Impact (I)||Likelihood (L)||I × L|
|Date of review: ………………………………. Compiled by: …………………………………… Date: ……………………… Reviewed by: ………………………………… Date: ………………………………………………|
|Risk title and ID (from risk register in priority order)||Proposed treatment/control options (from risk identification sheet)||Results of cost-benefit analysis (A = accept, B = reject)||Person responsible for implementation of treatment options||Timetable for implementation (give specific start and end dates)||How will this risk and treatment options be monitored|
|Risk management quarterly implementation report for the quarter ending………………………………….. Prepared by: ………………………………… Date: ………………………………………………|
|Risk title and ID (from risk register in priority order)||Proposed treatment/control options (from risk identification sheet)||Person responsible for implementation of treatment options (as in the risk identification sheet)||Timetable for implementation (give specific start and end dates)||How will this risk and treatment options be monitored||Status of implementation (completed, ongoing, not done)||Remarks and/or comments|
2. Critical success factor (CSFs)
CSFs are selected key result areas that can facilitate achievement of organizational goals and objectives including risk management. CSFs were first defined by Rockart ( cited in Chen ) as the limited number of area in which results, if they are satisfactory, will ensure successful competitive performance for the organization. Later on, a number of CSFs definitions were given by various researchers. CSFs are certain rules, executive procedures and environmental conditions (Pinto & Covin, ). CSFs are the critical areas which organizations must accomplish to achieve its mission by examination and categorization of their impacts (Oakland  cited in Salaheldin, ). Deros et al.  defined CSFs as a range of enablers which, when put into practice, will enhance the chance for successful benchmarking implementation and adoption in an organization.
2.1. Critical success factors for effective risk management
Effective risk management entails doing the right thing with respect to risk management process. Top management needs to embark on CSFs as means of minimizing or eliminating risks in their organizations. Studies worldwide have documented CSFs which serve as a cornerstone for managing risks. For example, Grabowski and Roberts  identify the four important factors for risk mitigation that are organizational structuring and design, communication, organizational culture and trust. Hasanali  categorizes five critical success factors into: leadership; culture; structure, roles, responsibilities; information technology infrastructure; and measurement. Na Ranong and Phuenngam  determined seven CSFs for the financial industry namely: commitment and support from top management, communication, culture, information technology (IT), organization structure, training and trust. Studies of Agyakwa-Baah & Chileshe  identified 10 CSFs for the construction industry which are: management style, awareness of risk management process (RMP), cooperative culture, positive human dynamics, customer requirements, goals and strategic objective, impact of environment, usage of tools, teamwork and communication and availability of specialist in risk management. Chileshe and Kikwasi  assessed the 10 CSFs and determined that awareness of risk management processes, team work and communications and management style were the top three for Tanzania. Zhao et al.  determine top three CSFs as commitment of the board and senior management, risk identification, analysis and response and objective setting. Tsiga et al.  reveal initiation, identification, assessment, response planning, response implementation and risk communication and attitude, monitoring and review as CSFs for the construction industry. The study by Renault et al.  reveal drivers for ERM implementation namely legal and regulatory compliance requirements, nonmandatory reports, credits rating agencies’ requirements, reduced earnings volatility, reduced cost and losses, increased profitability and earnings. Hosseini et al.  determine support from managers, inclusion of risk management in construction education and training courses for construction practitioners, attempting to deliver projects systematically and awareness and knowledge of the process for implementing risk management as factors for implementing risk management systems in developing countries. Chen  suggests four composite CSFs for the bank industry namely: bank operation management ability, developing bank trademarks ability, bank marketing ability and financial market. Collectively, CSFs identified in these studies can serve as key result areas which construction enterprises and other stakeholders can bank on to enhance risk management in their locality.
The manner that the chosen CSFs influence the performance of a certain organization or sector has been a subject of discussion in researches conducted worldwide. Commitment and support from top management has been found an important aspect in achievement of organizational goals. For example, Ifinedo  investigated the impact of contingency factors such as top management support, business vision and external expertise and established that top management support influences the success level of the organizational system. Similarly, Zwikael  argues that the high importance of top management support is considered to be among the CSFs for project management. Renault et al.  determine that lack of support from top management and management priorities are among key obstacles to enterprise risk management (ERM). Risk management happens to be a process that an organization has to assume. Awareness of risk management process has been identified by Chileshe and Kikwasi  as one of the barriers to adoption and implementation of risk assessment and implementation practices (RAMP). Likewise, Agyakwa-Baah and Chileshe  point out that awareness of risk management processes within an organization is paramount to the sound success of the project.
Communication is the backbone of any successful endeavor. Effective communication between the teams that are working on the project will enhance project success including mitigation of risks. Clutterbuck & Hirst  argue that communication ensures that the team members understand and support not only where the team is now but also what they want to be. Grabowski & Roberts  stress that communication plays an important role in risk mitigation and that provides opportunities for clarification, for making sense of the organization’s progress, and for members to discuss how to improve the organization and the impact of using different risk mitigation strategies. Culture has an influence on how organizations manage risks. This is echoed by Grabowski & Roberts  that risk management requires the combination of several cultures that make the system into a cohesive whole in which the deep assumptions and espoused values of each of the member organizations can be built around the need for melding a culture of reliability. Training is important in equipping trainees with knowledge on emerging issues including risk management. Carey  points out that the ability to respond to changing conditions in an organization’s operations relates to a range of activities including the development of risk training courses and the involvement of staff in responding to early warning systems. Advancement in technology and changing in clients’ requirements calls for embarking on information technology. Hasanali  points out that an organization is on such a large scale that it would be difficult for members to communicate and share information without an information technology infrastructure.
3. A case study: risk management in the construction industry
3.1. Overview of the case study
The construction industry in Tanzania like in many other countries contributes drastically to the national growth through gross domestic product (GDP), gross fixed capital formation, creation of employment and industrial productivity. The National Bureau of Standards (NBS)  reveals that in volume terms, the construction industry accounted for an average of 6.8% of GDP in the 2003–2010 periods. The contribution of the industry to gross fixed capital formation in 2011 was over 50% (URT, ). In 2016, data indicate the construction sector contribution to GDP was about 12%, the second single sector with highest growth rate preceded by agriculture. The general outlook of the contribution of various sectors of the economy is shown in Figure 2 .
Construction being one sector of the economy is prone to risks. These include technical, social, construction, economic, legal, financial, natural, commercial, logistics and political risks. These risks are also classified into internal and external risks. Internal risks emanate from activities performed within the organizations such as technical, social and construction. External risks are risks which originate outside of the organization’s undertakings and these include economic, natural and political risks. Accordingly, the construction industry needs to adopt a sound risk management system to maximize opportunities and minimize negative events in its operations for it to contribute effectively to national growth.
3.2. Risk management in construction
The risk management as part of project management is extremely important in achieving project objectives of time, cost, quality, improved health and safety and no disputes. Changes in technology and more sophisticated clients’ requirements attract more risks in construction projects which call for formal risk management process. Although there have been remarkable efforts toward risk management in construction projects, implementation of risk management process is still inadequate. Studies [5, 21, 22, 23, 24, 25] have documented risk management practice in the construction industry. Akintoye & MacLeod  found that risk analysis and management in construction depend mainly on intuition, judgment and experience. They also cited the reasons to be lack of knowledge coupled with doubts on the suitability of these techniques for the construction industry. Ahmed & Azhar  established that risk analysis and management techniques are rarely used by the general contractors due to a lack of knowledge and expertise. This is echoed by the study by Chinenye et al.  which established that organizations within the construction industry do not work with risk management in such a structured manner due to additional cost to be incurred when performing risk management on construction projects and lack of knowledge in the area of risk management. Mahendra et al.  determined that the participants used to handle the risks with an informal approach because of less knowledge and awareness among the construction industry stakeholders. Similarly, Abdul-Rahman et al.  found that the implementation of risk management process in Malaysian construction industry is still at a low level, due to the fact that most of the construction employees involved in risk management are not fully aware of the available risk management techniques that can be applied in construction projects. Kikwasi  also noted inadequate risk management knowldege among consultants and determines that most consultants use document reviews and assumptions to identify risks and contingency sum method to quantify risks. A survey by Yusuwan et al.  also reveals low level of awareness of risk management in the clients’ organization and that they have implemented risk management in their operations on a small scale.
Previous studies in the construction industry reveal poor implementation of risk management process, as well as CSFs for effective risk management. This calls for the need to review the impact of risk management on project outcomes, assessment of implementation of previously identified CSFs and determination of a new set of CSFs.
The study drawn a sample of 200 practitioners from the construction industry comprised of consultants, clients and contractors. The study adopted a descriptive research type that attempts to provide an insight on categories of CSFs that can enhance effective risk management in the construction industry. Data were collected using literature review and questionnaires. Two hundred questionnaires were distributed to randomly selected respondents through emails and hand delivery. Out of 200 distributed questionnaires, 100 were returned, out of which 67 were fairly filled for analysis equating to a response rate of 33.5%. A list of critical success factors for effective risk management used in the study was extracted from previous studies. Previous studies also aided in establishing gap to be filled by the current study. The collected data were analyzed using the Statistical Package for Social Sciences (SPSS) version 20. Descriptive statistics were used to compute mean scores for project outcomes and CSFs and principal component analysis (PCA) was used to compute composite CSFs. A 5-Likert scale was used, i.e., 5 = Strong agree, 4 = Agree, 3 = Neutral, 2 = Disagree and 1 = Strong disagree.
3.4.1. Respondents’ profile
The participation of the intended groups namely consultants, client and contractors was 36.4, 21.2 and 42.4%, respectively. The three groups comprised of 13.4% architects, 23.9% engineers, 33.5% quantity surveyors, 17.9% project managers and 9% others. Furthermore, majority (83.9%) of these respondents have experience of more than 5 years. Majority of respondents (91%) have indicated that they worked on projects that have gone over budget.
3.4.2. Impact of risk management on project outcomes
Risk management has an influence on both the risk management process and project success. This is echoed by Junior and de Carvalho  that risk management practices have an impact on project success. Similarly, Kishk & Ukaga  through their case study concluded that there is a direct relationship between the effective risk management and project success. The influence on the risk management process includes: creation of a risk sensitive organization, formalized risk reporting, improved focus and perspective on risk, efficient use of resources and compliance matters. The impact on project outcomes is aligned with fulfilling objectives of the project, mainly time, cost, quality, health and safety and no disputes.
Table 6 presents assessment of impact of risk management on project outcomes. Results reveal three significant outcomes of risk management in construction which can be adopted in other sectors namely: reduction in design/production time, improved public perception and improved team morale and productivity. The case study therefore underlines that risk management has positive results toward achievement of organizational goals and objectives.
|S/N||Outcome||t||df||Sig. (2-tailed)||Mean difference||95% Confidence interval of the difference|
|1||Project completed on time||−1.697||47||.096||−.271||−.59||.05|
|2||Project completed within budget/major cost saving||−1.855||46||.070||−.234||−.49||.02|
|3||Product to the required budget||−.535||45||.596||−.065||−.31||.18|
|4||Reduced accidents on site||1.273||46||.209||.170||−.10||.44|
|5||Reduction in design/production time||−3.207||44||.003||−.400||−.65||−.15|
|6||Improved public perception||−3.076||46||.004||−.447||−.74||−.15|
|7||Reduction in contract claims||−1.430||45||.160||−.217||−.52||.09|
|8||Improved team morale and productivity||−2.141||46||.038||−.298||−.58||−.02|
3.4.3. Selected areas of CSFs implementation in construction organizations
Figure 3 indicates selected areas of CSFs implementation. Among the areas assessed, the areas that seem least implemented are: understanding the risk management guideline or policy, organization has a documented risk management guideline or policy, the organization has guideline to support the goals and objectives of risk management, the organization conducts training to new employees, organization has established procedures for keeping up-to-date and informed with changes in regulations and organization use methods and tools to manage risk. This implies that organizations rarely formulate policy or guidelines for risk management and conduct training to new employees and the use of methods and tools to manage risks is at a low level.
3.4.4. CSFs effective risk management in construction
Several CSFs have been listed by researchers in the financial, construction and other sectors. Most of CSFs are associated to actions by top management, communication within organizations, organization structures, policies, risk management experts and knowledge.
Table 7 below presents 25 CSFs. Using descriptives, results reveal top seven CSFs for effective risk management which are training, communication, commitment and support from top management, awareness of risk management process, teamwork, clear objectives and guidelines for risk management and management styles. Generally, there are 23 CSFs that have scored a mean score greater than 3.5 indicating a fair agreement of respondents. This result calls for further analysis to scale down the number of CSFs and thus the use of principal component analysis (PCA).
|CSF 3||Commitment and support from top management||67||4.15||.680|
|CSF 4||Awareness of risk management process||67||4.10||.741|
|CSF 6||Clear objectives and guidelines for risk management||67||4.03||.904|
|CSF 7||Management style||67||4.01||.879|
|CSF 8||Availability of specialist risk management consultants||67||3.93||.804|
|CSF 9||Risk monitoring and review||66||3.92||.882|
|CSF 10||Having documented risk management policy or guidelines||67||3.87||.886|
|CSF 11||Consideration of internal and external environment||67||3.82||.869|
|CSF 13||Effective usage of methods and tools||67||3.75||.927|
|CSF 14||Cooperative culture||67||3.72||.982|
|CSF 15||Management priorities||67||3.70||.835|
|CSF 16||Impact for environment||67||3.66||.808|
|CSF 17||Risk identification, analysis and response||66||3.62||.837|
|CSF 18||Customer requirements||67||3.61||.870|
|CSF 19||Goals and objectives of the organization||67||3.58||1.002|
|CSF 20||Information technology infrastructure||67||3.55||.942|
|CSF 21||Positive human dynamics||67||3.54||.959|
|CSF 22||Organizational structure||65||3.52||.868|
|CSF 23||Objective setting||67||3.51||1.021|
|CSF 24||Allocating adequate resources||66||3.38||.837|
|CSF 25||Legal and regulatory compliance requirements||67||3.34||.845|
Further, principal component analysis reveals nine factors of CSFs for effective risk management. Table 8 reveals that about 74% of the total variance is explained by the first nine factors. The factors are arranged in decreasing order of total variance explained. To allow for flexibility in the results, the Eigen value greater or equal to 1 was assumed implying that that only factors that account for variances greater or equal to 1 are included in the factor extraction. On the coefficient display format, small coefficients with absolute value below 0.5 were suppressed. Consequently, only factor scores greater than 0.50 are shown on the rotated component matrix in Table 10 .
|Component||Initial Eigen values||Extraction sums of squared loadings|
|Total||% of variance||Cumulative %||Total||% of variance||Cumulative %|
In Table 9 , some of the variables are more highly correlated with some factors than others. In order to make it easier to assign meaning to the factors, it is ideal to see groups of variables with large coefficients for one factor and small coefficients for the others. The component matrix is therefore rotated to achieve simple structure, where each factor has large loadings in absolute value for only some of the variables, making it easier to identify.
|CSF 1||Risk identification, analysis and response||.783|
|CSF 2||Customer requirements||.735|
|CSF 3||Allocating adequate resources||.654|
|CSF 4||Having documented risk management policy or guidelines||.632||.549|
|CSF 5||Objective setting||.611||−.501|
|CSF 7||Consideration of internal and external environment||.586|
|CSF 8||Availability of specialist risk management consultants||.573||.511|
|CSF 9||Impact for environment||.554|
|CSF 10||Clear objectives and guidelines for risk management||.521|
|CSF 11||Effective usage of methods and tools|
|CSF 12||Organizational structure||.771|
|CSF 13||Information technology infrastructure||.705|
|CSF 14||Cooperative culture||.688|
|CSF 17||Management style||.663|
|CSF 19||Commitment and support from top management|
|CSF 20||Goals and objectives of the organization||.544||.616|
|CSF 21||Management priorities|
|CSF 22||Legal and regulatory compliance requirements|
|CSF 23||Awareness of risk management process|
|CSF 24||Positive human dynamics|
|CSF 25||Risk monitoring and review||.526|
Table 10 shows the rotated component matrix after varimax rotation and after the variables have been sorted by the absolute values of the loadings with nine components. Five variables are highly correlated to factor 1; variables 6 and 7 are highly correlated to factor 2; variables 9 and 10 are highly correlated to factor 3; variables 11 to 13 are highly correlated to factor 4; variables 14 and 15 are highly correlated to factor 5; variables 16 to18 are highly correlated to factor 6; variables 19 and 21 are highly correlated to factor 7; variables 22 and 24 are highly correlated to factor 8; and variable 25 is highly correlated to factor 9.
|CSF 1||Management style||.823|
|CSF 2||Allocating adequate resources||.788|
|CSF 3||Risk identification, analysis and response||.737|
|CSF 4||Clear objectives and guidelines for risk management||.725|
|CSF 5||Customer requirements||.563|
|CSF 6||Goals and objectives of the organization||.924|
|CSF 7||Objective setting||.878|
|CSF 8||Positive human dynamics|
|CSF 9||Having documented risk management policy or guidelines||.918|
|CSF 10||Availability of specialist risk management consultants||.899|
|CSF 11||Information technology infrastructure||.805|
|CSF 13||Cooperative culture||.673|
|CSF 14||Consideration of internal and external environment||.881|
|CSF 15||Effective usage of methods and tools||.789|
|CSF 16||Impact of environment||.669||.|
|CSF 18||Commitment and support from top management||.630|
|CSF 20||Management priorities||.609|
|CSF 22||Legal and regulatory compliance requirements||.717|
|CSF 23||Awareness of risk management process||.629|
|CSF 24||Organizational structure||.608|
|CSF 25||Risk monitoring and review||.878|
In summary, the following are categories of CSFs for effective risk management:
CSF 1 Management approach: Comprise of five CSFs with management style scoring high followed by allocating adequate resources and risk identification, analysis and response
CSF 2 Goals and objectives of the organization: Comprise of two CSFs all with high scores
CSF 3 Risk management policy and experts: Comprise of two CSFs all with high scores
CSF 4 Information technology and culture: Comprise of three CSFs with information technology infrastructure scoring high followed by trust.
CSF 5 Environment and usage of tools: Comprise of three CSFs with consideration of internal and external environment scoring high followed by effective usage of methods and tools.
CSF 6 Teamwork and commitment of the top management: Comprises of two CSFs all of them scoring fairly.
CSF 7 Communication and training: Comprise of three CSFs with communication scoring high followed by management priorities.
CSF 8 Awareness of risk management process and legal framework: Comprise of three CSFs with legal and regulatory compliance requirements scoring high followed by awareness of risk management process
CSF 9 Risk monitoring and review: Comprising of risk monitoring and review with high scores
Collectively, the nine categories of CSFs have yielded the top eight CSFs with component loading of between 1 and 0.8:
Goals and objectives of the organization (0.924);
Having documented risk management policy or guidelines (0.918);
Availability of specialist risk management consultants (0.899);
Consideration of internal and external environment (0.881);
Objective setting (0.878);
Risk monitoring and review (0.878);
Management style (0.823);
Information technology infrastructure (0.805).
The case study has underlined that risk management in construction projects has positive results such as reduced accidents on sites, product to the required budget, reduction in contractual claims, project completed within budget and project completed on time. This finding is partly in line with the study by Al-Shibly et al.  on aspects of time. On the other hand, this finding supports the work of Kishk and Ukaga  that the conventional view of project success based on cost, time and quality objectives is not sufficient. They argue that the project success has to base on the predetermined and preagreed success criteria set by all stakeholders.
Through description, the study identified top seven CSFs; however, about 23 CSFs were generally within acceptable limits based on the mean score. These CSFs were further reduced using PCA and nine composite CSFs for effective risk management were determined. This approach also was used by Chen  to suggest four composite CSFs for the banking industry. These CSFs are management approach, goals and objectives of the organization, risk management policy and experts: information technology and culture, environment and usage of tools, teamwork and commitment of the top management, communication and training, awareness of risk management process and legal requirements and risk monitoring. Collectively, the nine CSFs have yielded the top eight CSFs namely: goals and objectives of the organization, having documented risk management policy or guidelines, availability of specialist risk management consultants, consideration of internal and external environment, objective setting, risk monitoring and review, management style and information technology infrastructure. To a great extent, this finding supports the works of Grabowski and Roberts , Hasanali , Agyakwa-Baah and Chileshe , Chileshe and Kikwasi (2014), Zhao et al.  and Tsiga et al. . The current study supports the work of Hosseini et al.  on issues of management support, training and awareness of risk management process. The study also noted lack of understanding of risk management guideline or policy, organizations lacking documented risk management guideline or policy and guideline to support the goals and objectives of risk management, organizations not conducting training to new employees, organizations lacking established procedures for keeping up-to-date and informed with changes in regulations and organizations not using methods and tools to manage risks.
The chapter sought to explore theories on risk management and using the construction industry as a case study establishes CSFs for effective risk management. The case study also has explored the impact of risk management to project outcomes and the status of implementation of selected previously identified CSFs. Generally, risk management in organizations has positive results to the risk management process as well as achievement of organizational goals and objectives. Similarly, organizations at certain levels have been implementing previously determined CSFs. From a list of 25 CSFs determined previously, a new set of 9 composite CSFs have established for effective risk management. The findings of the current study provide snapshot on the composite CSFs that can be assumed by organizations in achieving their goals and objectives. The limitation of this which is worth to be acknowledged is that the study has drawn 9 composite CSFs from only 25 CSFs.
Conflict of interest
The author declares that there is no conflict of interests regarding the publication of this chapter.