Critical Success Factors for Effective Risk Management

Risk management is extremely important in achieving overall organizational goals and objectives. Achieving organizational goals amid risks entails determining and implementing critical success factors (CSFs). This chapter presents composite CSFs which organizations can focus on to achieve their overall goals and objectives by portraying a case study of the construction industry. Using this case study reveals statistical significance of impact of risk management on the project as reduction in design/production time, improved public perception, and improved team morale and productivity. Similarly, CSFs mostly implemented are awareness of risk management processes, appreciating that risk management practice is viable in the construction industry, organizations have policies to support the development of risk management and organization deal with internal/external environment that influences risk management in their organizations. The chapter also presents nine composite CSFs determined by the case study namely: management approach; goals and objectives of the organization; risk management policy and experts; information technology and culture; environment and usage of tools; teamwork and commitment of the top management; communication and training; awareness of risk management process and legal requirements; and risk monitoring and review. Lastly, the conclusion is drawn on nine composite CSFs for effective risk management.


Risk management
Formal risk management is extremely important in achieving overall organizational goals and objectives. Risk management involves actions of identifying, analyzing, and controlling risks by organizations. Organizations undertake risk management to maximize opportunities and minimize consequences of events that may arise when implementing activities geared to achieving their goals and objectives. PMI [1] defines project risk management as the processes of conducting risk management planning, identification, analysis, response planning, and controlling risk on a project. Other explanations of risk management are found in the work of Berg [2] and Harry et al. [33]. Berg [2] explains that risk management is a systematic approach to set the best course of action under uncertainty by identifying, assessing, understanding, acting on and communicating risk issues. Harry et al. [33] point out that risk management is a continuous process where the sources of uncertainties are systematically identified, their impact assessed and qualified and their effect and likelihood managed to produce an acceptable balance between the risks and opportunities. Smith [3] explains that although there are inconsistencies between the definitions, there are noted similarities such as: it is a formal process; employs systematic and scientific methods; aims to identify risks in an operation or business; evaluates the importance or impact of those risks on the operation or business; provides mechanisms to control the individual risk to provide an acceptable level of overall exposure; and is not a one-off event. PMI [1] states that the objectives of project risk management are to increase the likelihood and impact of positive events and to decrease the likelihood and impact of negative events in the project. Generally, the risk management process mainly involves risk planning, assessment (identification and analysis), ranking, treatment and monitoring. The risk management process has been expanded by Berg [2], AbouRizk [31] and PMI [1] to include establishing goals and context (i.e., the risk environment) and preparation for risk analysis. Techniques for risk identification, analysis and handling are traced in risk management books and chapters, as well as researches conducted by Cagliano et al. [4], Chinenye et al. [5] and PMI [1]. Techniques for risk identification include but not limited to: In addition, Habib & Rashid [6] present another approach of risk handling techniques used in their study such as shape and mitigate (SMT), shift and allocate (SAT), influence and transfer (ITT) and diversify through portfolio (DTP) which they related to project outcomes. PMI [1] classifies risk handling options into risk strategies for dealing with negative risks or threats and those for dealing positive risks. While strategies for dealing with negative risks remain to be those listed in other studies, strategies for dealing with positives risks are exploit, enhance, share and accept. The use of any of these handling measures depends on the outcome of the analysis and rating of the risk. Qualitative and quantitative analyses determine the probability of occurrence of risk and its potential severity. Figure 1 summarizes a generic risk management process and Table 1 presents severity matrix used by organizations to decide on the handling option to follow.

Risk framework and risk register
Recent developments in audit services have led to certain public organizations in Tanzania to develop risk management frameworks and registers. Risk management frameworks and risk registers are the vital tools for an organization to implement risk management activities. The risk management framework is the document that guides the implementation of risk management activity. The risk management framework covers:  Remarks and/ or comments Table 5. Template for risk treatment implementation report section/unit.

Critical success factor (CSFs)
CSFs are selected key result areas that can facilitate achievement of organizational goals and objectives including risk management. CSFs were first defined by Rockart ([35] cited in Chen [7]) as the limited number of area in which results, if they are satisfactory, will ensure successful competitive performance for the organization. Later on, a number of CSFs definitions were given by various researchers. CSFs are certain rules, executive procedures and environmental conditions (Pinto & Covin, [36]). CSFs are the critical areas which organizations must accomplish to achieve its mission by examination and categorization of their impacts (Oakland [37] cited in Salaheldin, [34]). Deros et al. [38] defined CSFs as a range of enablers which, when put into practice, will enhance the chance for successful benchmarking implementation and adoption in an organization.

Critical success factors for effective risk management
Effective risk management entails doing the right thing with respect to risk management process. Top management needs to embark on CSFs as means of minimizing or eliminating risks in their organizations. Studies worldwide have documented CSFs which serve as a cornerstone for managing risks. For example, Grabowski and Roberts [8] identify the four important factors for risk mitigation that are organizational structuring and design, communication, organizational culture and trust. Hasanali [9] categorizes five critical success factors into: leadership; culture; structure, roles, responsibilities; information technology infrastructure; and measurement. Na Ranong and Phuenngam [10] determined seven CSFs for the financial industry namely: commitment and support from top management, communication, culture, information technology (IT), organization structure, training and trust. Studies of Agyakwa-Baah & Chileshe [11] identified 10 CSFs for the construction industry which are: management style, awareness of risk management process (RMP), cooperative culture, positive human dynamics, customer requirements, goals and strategic objective, impact of environment, usage of tools, teamwork and communication and availability of specialist in risk management. Chileshe and Kikwasi [32] assessed the 10 CSFs and determined that awareness of risk management processes, team work and communications and management style were the top three for Tanzania. Zhao et al. [12] determine top three CSFs as commitment of the board and senior management, risk identification, analysis and response and objective setting. Tsiga et al. [13] reveal initiation, identification, assessment, response planning, response implementation and risk communication and attitude, monitoring and review as CSFs for the construction industry. The study by Renault et al. [14] reveal drivers for ERM implementation namely legal and regulatory compliance requirements, nonmandatory reports, credits rating agencies' requirements, reduced earnings volatility, reduced cost and losses, increased profitability and earnings. Hosseini et al. [15] determine support from managers, inclusion of risk management in construction education and training courses for construction practitioners, attempting to deliver projects systematically and awareness and knowledge of the process for implementing risk management as factors for implementing risk management systems in developing countries. Chen [7] suggests four composite CSFs for the bank industry namely: bank operation management ability, developing bank trademarks ability, bank marketing ability and financial market. Collectively, CSFs identified in these studies can serve as key result areas which construction enterprises and other stakeholders can bank on to enhance risk management in their locality.
The manner that the chosen CSFs influence the performance of a certain organization or sector has been a subject of discussion in researches conducted worldwide. Commitment and support from top management has been found an important aspect in achievement of organizational goals. For example, Ifinedo [16] investigated the impact of contingency factors such as top management support, business vision and external expertise and established that top management support influences the success level of the organizational system. Similarly, Zwikael [17] argues that the high importance of top management support is considered to be among the CSFs for project management. Renault et al. [14] determine that lack of support from top management and management priorities are among key obstacles to enterprise risk management (ERM). Risk management happens to be a process that an organization has to assume. Awareness of risk management process has been identified by Chileshe and Kikwasi [32] as one of the barriers to adoption and implementation of risk assessment and implementation practices (RAMP). Likewise, Agyakwa-Baah and Chileshe [11] point out that awareness of risk management processes within an organization is paramount to the sound success of the project.
Communication is the backbone of any successful endeavor. Effective communication between the teams that are working on the project will enhance project success including mitigation of risks. Clutterbuck & Hirst [18] argue that communication ensures that the team members understand and support not only where the team is now but also what they want to be.
Grabowski & Roberts [8] stress that communication plays an important role in risk mitigation and that provides opportunities for clarification, for making sense of the organization's progress, and for members to discuss how to improve the organization and the impact of using different risk mitigation strategies. Culture has an influence on how organizations manage risks. This is echoed by Grabowski & Roberts [8] that risk management requires the combination of several cultures that make the system into a cohesive whole in which the deep assumptions and espoused values of each of the member organizations can be built around the need for melding a culture of reliability. Training is important in equipping trainees with knowledge on emerging issues including risk management. Carey [19] points out that the ability to respond to changing conditions in an organization's operations relates to a range of activities including the development of risk training courses and the involvement of staff in responding to early warning systems. Advancement in technology and changing in clients' requirements calls for embarking on information technology. Hasanali [9] points out that an organization is on such a large scale that it would be difficult for members to communicate and share information without an information technology infrastructure.

Overview of the case study
The construction industry in Tanzania like in many other countries contributes drastically to the national growth through gross domestic product (GDP), gross fixed capital formation, creation of employment and industrial productivity. The National Bureau of Standards (NBS) [20] reveals that in volume terms, the construction industry accounted for an average of 6.8% of GDP in the 2003-2010 periods. The contribution of the industry to gross fixed capital formation in 2011 was over 50% (URT, [39]). In 2016, data indicate the construction sector contribution to GDP was about 12%, the second single sector with highest growth rate preceded by agriculture. The general outlook of the contribution of various sectors of the economy is shown in Figure 2.
Construction being one sector of the economy is prone to risks. These include technical, social, construction, economic, legal, financial, natural, commercial, logistics and political risks. These risks are also classified into internal and external risks. Internal risks emanate from activities performed within the organizations such as technical, social and construction. External risks are risks which originate outside of the organization's undertakings and these include economic, natural and political risks. Accordingly, the construction industry needs to adopt a sound risk management system to maximize opportunities and minimize negative events in its operations for it to contribute effectively to national growth.

Risk management in construction
The risk management as part of project management is extremely important in achieving project objectives of time, cost, quality, improved health and safety and no disputes. Changes in technology and more sophisticated clients' requirements attract more risks in construction projects which call for formal risk management process. Although there have been remarkable efforts toward risk management in construction projects, implementation of risk management process is still inadequate. Studies [5,[21][22][23][24][25] have documented risk management practice in the construction industry. Akintoye & MacLeod [23] found that risk analysis and management in construction depend mainly on intuition, judgment and experience. They also cited the reasons to be lack of knowledge coupled with doubts on the suitability of these techniques for the construction industry. Ahmed & Azhar [22] established that risk analysis and management techniques are rarely used by the general contractors due to a lack of knowledge and expertise. This is echoed by the study by Chinenye et al. [5] which established that organizations within the construction industry do not work with risk management in such a structured manner due to additional cost to be incurred when performing risk management on construction projects and lack of knowledge in the area of risk management. Mahendra et al. [25] determined that the participants used to handle the risks with an informal approach because of less knowledge and awareness among the construction industry stakeholders. Similarly, Abdul-Rahman et al. [21] found that the implementation of risk management process in Malaysian construction industry is still at a low level, due to the fact that most of the construction employees involved in risk management are not fully aware of the available risk management techniques that can be applied in construction projects. Kikwasi [24] also noted inadequate risk management knowldege among consultants and determines that most consultants use document reviews and assumptions to identify risks and contingency sum method to quantify risks. A survey by Yusuwan et al. [26] also reveals low level of awareness of risk management in the clients' organization and that they have implemented risk management in their operations on a small scale.
Previous studies in the construction industry reveal poor implementation of risk management process, as well as CSFs for effective risk management. This calls for the need to review the impact of risk management on project outcomes, assessment of implementation of previously identified CSFs and determination of a new set of CSFs.

Methodology
The study drawn a sample of 200 practitioners from the construction industry comprised of consultants, clients and contractors. The study adopted a descriptive research type that attempts to provide an insight on categories of CSFs that can enhance effective risk management in the construction industry. Data were collected using literature review and questionnaires. Two hundred questionnaires were distributed to randomly selected respondents through emails and hand delivery. Out of 200 distributed questionnaires, 100 were returned, out of which 67 were fairly filled for analysis equating to a response rate of 33.5%. A list of critical success factors for effective risk management used in the study was extracted from previous studies. Previous studies also aided in establishing gap to be filled by the current study. The collected data were analyzed using the Statistical Package for Social Sciences (SPSS) version 20. Descriptive statistics were used to compute mean scores for project outcomes and CSFs and principal component analysis (PCA) was used to compute composite CSFs. A 5-Likert scale was used, i.e., 5 = Strong agree, 4 = Agree, 3 = Neutral, 2 = Disagree and 1 = Strong disagree.

Respondents' profile
The participation of the intended groups namely consultants, client and contractors was 36.4, 21.2 and 42.4%, respectively. The three groups comprised of 13.4% architects, 23.9% engineers, 33.5% quantity surveyors, 17.9% project managers and 9% others. Furthermore, majority (83.9%) of these respondents have experience of more than 5 years. Majority of respondents (91%) have indicated that they worked on projects that have gone over budget.

Impact of risk management on project outcomes
Risk management has an influence on both the risk management process and project success. This is echoed by Junior and de Carvalho [27] that risk management practices have an impact on project success. Similarly, Kishk & Ukaga [28] through their case study concluded that there is a direct relationship between the effective risk management and project success. The influence on the risk management process includes: creation of a risk sensitive organization, formalized risk reporting, improved focus and perspective on risk, efficient use of resources and compliance matters. The impact on project outcomes is aligned with fulfilling objectives of the project, mainly time, cost, quality, health and safety and no disputes. Table 6 presents assessment of impact of risk management on project outcomes. Results reveal three significant outcomes of risk management in construction which can be adopted in other sectors namely: reduction in design/production time, improved public perception and improved team morale and productivity. The case study therefore underlines that risk management has positive results toward achievement of organizational goals and objectives.   organization has a documented risk management guideline or policy, the organization has guideline to support the goals and objectives of risk management, the organization conducts training to new employees, organization has established procedures for keeping up-to-date and informed with changes in regulations and organization use methods and tools to manage risk. This implies that organizations rarely formulate policy or guidelines for risk management and conduct training to new employees and the use of methods and tools to manage risks is at a low level.

CSFs effective risk management in construction
Several CSFs have been listed by researchers in the financial, construction and other sectors.
Most of CSFs are associated to actions by top management, communication within organizations, organization structures, policies, risk management experts and knowledge. Further, principal component analysis reveals nine factors of CSFs for effective risk management. Table 8 reveals that about 74% of the total variance is explained by the first nine factors. The factors are arranged in decreasing order of total variance explained. To allow for flexibility in the results, the Eigen value greater or equal to 1 was assumed implying that that only factors that account for variances greater or equal to 1 are included in the factor extraction. On the coefficient display format, small coefficients with absolute value below 0.5 were suppressed. Consequently, only factor scores greater than 0.50 are shown on the rotated component matrix in In Table 9, some of the variables are more highly correlated with some factors than others. In order to make it easier to assign meaning to the factors, it is ideal to see groups of variables with large coefficients for one factor and small coefficients for the others. The component matrix is therefore rotated to achieve simple structure, where each factor has large loadings in absolute value for only some of the variables, making it easier to identify.  Table 10 shows the rotated component matrix after varimax rotation and after the variables have been sorted by the absolute values of the loadings with nine components. Five variables are highly correlated to factor 1; variables 6 and 7 are highly correlated to factor 2; variables 9 and 10 are highly correlated to factor 3; variables 11 to 13 are highly correlated to factor 4; variables 14 and 15 are highly correlated to factor 5; variables 16 to18 are highly correlated to factor 6; variables 19 and 21 are highly correlated to factor 7; variables 22 and 24 are highly correlated to factor 8; and variable 25 is highly correlated to factor 9.

Component Initial Eigen values Extraction sums of squared loadings
In summary, the following are categories of CSFs for effective risk management:

Discussion
The case study has underlined that risk management in construction projects has positive results such as reduced accidents on sites, product to the required budget, reduction in contractual claims, project completed within budget and project completed on time. This finding is partly in line with the study by Al-Shibly et al. [29] on aspects of time. On the other hand, this finding supports the work of Kishk and Ukaga [28] that the conventional view of project success based on cost, time and quality objectives is not sufficient. They argue that the project success has to base on the predetermined and preagreed success criteria set by all stakeholders.
Through description, the study identified top seven CSFs; however, about 23 CSFs were generally within acceptable limits based on the mean score. These CSFs were further reduced using PCA and nine composite CSFs for effective risk management were determined. This approach also was used by Chen [7] to suggest four composite CSFs for the banking industry. These CSFs are management approach, goals and objectives of the organization, risk management policy and experts: information technology and culture, environment and usage of tools, teamwork and commitment of the top management, communication and training, awareness of risk management process and legal requirements and risk monitoring. Collectively, the nine CSFs have yielded the top eight CSFs namely: goals and objectives of the organization, having documented risk management policy or guidelines, availability of specialist risk management consultants, consideration of internal and external environment, objective setting, risk monitoring and review, management style and information technology infrastructure.
To a great extent, this finding supports the works of Grabowski and Roberts [8], Hasanali [9], Agyakwa-Baah and Chileshe [11], Chileshe and Kikwasi (2014), Zhao et al. [12] and Tsiga et al. [13]. The current study supports the work of Hosseini et al. [15] on issues of management support, training and awareness of risk management process. The study also noted lack of understanding of risk management guideline or policy, organizations lacking documented risk management guideline or policy and guideline to support the goals and objectives of risk management, organizations not conducting training to new employees, organizations lacking established procedures for keeping up-to-date and informed with changes in regulations and organizations not using methods and tools to manage risks.

Conclusion
The chapter sought to explore theories on risk management and using the construction industry as a case study establishes CSFs for effective risk management. The case study also has explored the impact of risk management to project outcomes and the status of implementation of selected previously identified CSFs. Generally, risk management in organizations has positive results to the risk management process as well as achievement of organizational goals and objectives. Similarly, organizations at certain levels have been implementing previously determined CSFs. From a list of 25 CSFs determined previously, a new set of 9 composite CSFs have established for effective risk management. The findings of the current study provide snapshot on the composite CSFs that can be assumed by organizations in achieving their goals and objectives. The limitation of this which is worth to be acknowledged is that the study has drawn 9 composite CSFs from only 25 CSFs.