Perceived Critical Success Factors for Information System Risk Management Implementation in the Bank Sector

Information System (IS) risk management implementation is a program that enables an organizations capture, manage and analyses the risks that are peculiar to IS adoption in a secure system. By implementing IS risk management organizations can improve operation efficiencies and save cost of risk investment. Meanwhile, bank is an institution that relies heavily on information technology for the network of business activities therefore; there is need to be aware of various risks associated with the usage of information system such as criminal threat and natural disasters. The present study examines the effect of perceived critical success factors for information system risk management implementation in the bank sector. Data were obtained from top executives of the selected banks using questionnaire instrument. The study employed descriptive correctional research design. The study population comprises of banks located in Oyo State South-Western part of Nigeria. Overall, 30 banks were selected for the study with four respondents from each bank. The questionnaire was pre-tested prior to actual distribution to the respondents. SPSS software was employed as analytical tool to test the study hypotheses using correlation and multiple regression analysis. Three factors were employed in the study; organization culture, organization structure and trust. The finding revealed that only organization culture was perceived to be positive critical factor for IS risk management implementation in the bank sector, while organizational structure and trust are in weak positions. Therefore, culture as an internal factor should be given priority in IS risk management implementation in the bank sector.


INTRODUCTION
The development and advancement in the recent usage of information system (IS) that promotes automation and computerization of various aspects of business processes had exposed businesses to high level of risk and uncertainty [1]. In the process of integrating IS into business operations and performance management makes organizations liable of exposure to various types of hardware, software, and human factor risks, as a result of this businesses are facing different types of risk at one time or the other causing loss of money and sometimes permanent cessation of business operation [2]. Therefore, to develop, improve and maintain IS an organization need to be proactive in managing the risks that are associated with it. Risk management enable organizations prepare for unexpected uncertainty by minimizing risks and costs that are likely to occur [3].
However, every organization needs to build a performance strategy to achieve its establishment objective. Critical Success Factor (CSF) is one of those components employed by the organization in achieving those objectives. Management must be aware of those key CSFs in terms of the role they play in organizational success. A CSF is a factor or activity required for ensuring the success of an organization. CSF as a concept was developed [4] the concept became fully established between the period of 1979 to 1981 and it was been applied to the study of different business organizations to date [5].
CSFs are factors whose presence increases the probability of negative outcomes in an organization [6,7] study examined what constituted CSFs for performance efficiency and made conclusion that CSFs include individual factors like size of the project, new software development, and skillful employee. A Study [8] also reported that CSFs are combination of various factors like task, technology, business resources, individual, and team management. Identification of CSFs would enables an organization focuses its limited resources on those factors which effectively influence performance improvement. A study [9] in which one of the pioneer researchers in CSF concluded that CSFs are those area of activities in which favorable results are absolutely available for management of an organization to achieve their goals.
Additionally, Ali et al. [10] argued that CSFs for risk management are important things which must go right for the business to progress in terms of sustainable performance. Therefore, this study viewed CSFs as those tools if put into practice will enhance chances of successful implementation of IS risk management and performance improvement of the bank sector. CSF is defined as those elements which constitute risk free business environment.
However, due to the rapidly changing business environment, banks encountered high number of risks from internal and external business environments. These were associated with markets, competitors, technology infrastructure, government policies, business processes and et cetera. Additionally, technology has becomes a major player in the recent financial operations making IS the main component of business processing strategy [11]. Therefore, failure to be conscious of every likelihood of risks that might accompany the system could jeopardize the chances of bank's sustainability. Hence, IS risk management implementation is inevitable in the bank sector. However, cases of IS security breach is on the rise making banks to be losing significance amount of material information and trade secrets to the fraudsters. Banks are the most vulnerable to the risk of IS security breach, causing huge financial losses to the sector [12].
Therefore, considering the significance of IS to the bank sectors, there is no holistic view in the existing literature about what is perceived to be CSFs for IS risk management implementation to the best of my knowledge. IS risk management implementation is not a popular area of research right from time, particularly in the bank sector. Majorities of literature in this area were on credit risk management, financial risk management and general risk management [13][14][15][16]. That is only few were related to IS risk managements, whereas banks need efficient IS risk management implementation to remain competitive in the business. Moreover, there is need to explore more deliberate study on the perceived CSFs for IS risk management implementation in the bank sector. Due to this reason, this study developed the objectives of investigating organisation culture, organisation structure and trust as perceived critical success factors for IS risk management implementation.

LITERATURE REVIEW
The concept of CSF is always considered as the factor that influence effective implementation of IS risk management implementation in this study. Prior studies on IS risk management have made significance contributions [17][18][19]. Most of the studies on the CSFs for IS related studies employed qualitative as the research technique while the unit of analysis was majorly the organizations, ranging from SMEs to large organizations [19,20]. Therefore, this study made contribution by employing quantitative research approach using bank sector as unit of analysis. Moreover, existing literature on IS risk management mostly originated and concentrated in developed countries like U.S.A, U.K, and Australia [21].
The concept of risk and risk management arose from the volatile nature of present business environment that had made organizations aware and remain conscious of any adverse effects that could pose danger to business processes. A study [22] refers to risk as an undesirable situations or circumstances which have probability of happening. A study [23] describes risk as any phenomenon that is likely to affect the achievement of organizational objectives. Risk management is a plan that considered various potential risks or bad events before they occur. An organization that valued risk management implementation saves money and protects its future. Risk management enables organization avoids potential harms, minimize their impact should they occur and make the results bearable to cope with. Ability to understand, managed, and control risk will allow organizations to be more confident in their business dealings.
However, for the banks probability of risk can come from losses related to financial operation threat, vulnerability of information security breach, and financial asset characteristics. Others include exposure to IS adoption risks, investment risk, market risk, credit risk, operational risk, liquidity risk, government policy risk, physical environment and others risks which are peculiar to businesses. To counter the effects of those risks exposure, an effective risk management is required. Risk management is one of the basic tasks required by an organization to achieve the establishment objectives [24].
Nevertheless, existing literature had discussed about the correlation between risk management and enhanced organizational performance by giving explanations on the relationship that exist between the two concepts. Example of such is the study of project management undertaken in the context manufacturing companies which demonstrated the understanding between risk management and industrial performance with positive outcome [25]. Studies on IS risk management and assessment practice have been closely aligned with improved overall organizational performance over the years according to the findings [26,27] also revealed that implementation of risk management will enable organizations and their associated parties determine the strength of the entire businesses. A study [28] highlighted a framework that provides three major areas where the performance of risk management needs to be concentrated. The first area explains the operational activities of risk management, the second area emphasizes on the corporate objectives i.e. financial, operational and strategic, and the third area focuses on the expectations of the stakeholders.
A study [29] considered IS risk management in software projects as a neglected organizational activity, and concluded that it is an essential activity that has direct impact on the success of software development. A study [30] found effective IS risk management as a discouraging task that can be made successful by motivating the commitment of individual stakeholders. Organizations which implement effective IS risk management can be more successful compare to others that do not practice the concept. A study [23] considered the concept of risk management as an important area of accomplishment to achieve performance objectives. Therefore, IS risk management implementation can be an effective strategy for successful IS adoption in the bank sector. Surprisingly, there is no existing literature on the perceived IS risk management implementation in the bank sector. This research promotes the discovery of the relevancy of IS risk management implementation which will as a matter of fact empirically incorporates IS risk implementation into management of bank sectors. Since the financial environment is dynamic in terms of IT multidisciplinary research would be advantageous in the process of investigating issues relating to IS risk management implementation.

Hypotheses development
CSFs for IS risk management implementation can be categorized into internal and external factors. The external factors are those related to outside environment of the organisations in the form of competitive pressure, while the internal factors covered those characteristics which act as a component of internal structure of organisations. Few of such are considered as perceived CSFs for this study, which include organisation culture, organization structure, and trust. These factors are discussed below to explain the statement of hypotheses for the study.

Organization culture
Every organization has its own underlying beliefs, assumptions, values and method of interaction which define the uniqueness of social and psychological environment. Organization culture includes the accepted way of behavior that is based on shared attitudes, beliefs, and customs, written and unwritten constitutions developed over time and considered valid upon members of the organization [31].
However a study [32] conducted study on the problem of risk mitigation and came out with a process to support high performance in an organization through identification of organizational culture as a CSF for risk management implementation. A study [7] gave the importance of risk management and evaluates processes which are required for the effective implementation of risk management in SMEs. The study considered the CSFs which influence risk management implementation as managerial structure and processes, organization cultural, and a pattern of measurement. Therefore, this study view organization culture as corporate habits, assumptions, beliefs, languages, systems, vision, values, norms, and symbols which make organizations to be distinct. Hence, investment decision in IS risk management implementation is a strategic vision that could contribute to performance value and cultural outstanding.
As a result of this, there is need to investigate organization culture as a perceived CSF for IS risk management implementation. Therefore, the following hypothesis statement was developed: H1: There is a relationship between organization culture and IS risk management implementation

Organization structure
Organizations are corporate settings which consist of people and responsibility known as organization structure. It defines the hierarchical arrangement of lines of authority in terms of rights and duties as well as communications.
Over the years, organization structure has been widely adopted as a variable in management studies; for example, a study [32] conducted study in U.S. organizations by studied the problem of risk mitigation as a process to support high performance, organizational structure was found as a CSF for risk management.
A study [33] examined CSFs required for complex industrial projects management, organizational structure was identified as an important CSF that promotes successful project completion. A study [34] also confirmed that organizational structure is the main factor in employee's efficient job performance. A study [35] presented the idea that organizational structure provides the authority to predict and determine the ways by which employees complied with their tasks allocation. Therefore, organization structure can be considered effective in IS risk management implementation based on the role it plays in the concept of given the guidelines, direction, and support in all forms of organization's projects. Including the outlines of how activities like IS risk management implementation should be directed to achieve organization's goal of establishment.
As a result of this, there is need to investigate the perception of organization structure as a CSF for IS risk management implementation. Therefore, the following hypothesis statement was developed: H2: There is a relationship between organization structure and IS risk management implementation.

Trust
Trust could be associated with fiduciary duty that exists between employees and their employers as a matter of contract. It is central to human relationships, including business associate, family, romantic relationship, politics, medical practices and friendship [6]. Trust an enforced mutual benefit between the parties involved setting honest behaviors that makes one depends on another.
Trust refers to the circumstance where an individual usually a trustor is willing to rely on the activities of another (a trustee) based on the expectation that the trustee performs a particular action that is important to the trustor, not considering the capability of that trustor to monitor and control the trustee [36].
An empirical study [37] on German company's offshore project risk management. Trust was found as the major determinant of success in such projects. That is, it is one of those internal factors critical for successful software project implementation.
Trust is an important factor in risk management because it permits organization's member to concentrate on their mission without having doubts in other members' role, responsibility, and resources allocation [38]. Therefore, this study concludes that trust is a key CSF capable of promoting honest attitude and behavior that support IS risk management implementation. Nonetheless, effective implementation of IS risk management requires trust to ensure transparency of the process.
As a result of this, there is need to investigate the perception of trust as a CSF for IS risk management implementation. Therefore, the following hypothesis statement was developed: H3: There is a relationship between trust and IS risk management implementation.

METHODOLOGY
This study employed confirmatory research approach and data was collected through the use of questionnaire instrument. Therefore, in order to determine perceived CSFs for IS risk management implementation in the bank sector, three variables were adopted from the existing literature as follow; organization structure, organization culture and trust. The questionnaire was designed using closed ended questions approach which enables researcher get precise response. Respondents were selected from 30 banks, four (4) questionnaires were administered to each bank accordingly [39]. Total number of hundred and twenty (120)  Disagree=2, strongly disagree=1. The questionnaire items were based on all the variables considered in the study.
Data obtained from the field were analysed using SPSS version 9. Table 1 represents measurement of variables in the study.

Pre-testing
The questionnaire was pre-tested prior to actual distribution to the respondents Ten respondents participated in the process representing different background relating to IS which include information officers, Ph.D. students, bank officers, and administrative staff in the field of information management. The respondents' feedback and comments were noted and addressed accordingly.

The category and sample size of respondents
As its earlier explained in the previous section, the targeted respondents include the Chief executive officers CEO, Directors, Managers and Chief financial officers who are in charge of decision regarding IS risk management implementation Table 2.
Reliability and validity of research instruments were conducted on the operational variables using Cronbach Alpha coefficient and Content Validity Index.

RESULTS
For this study, the AVE qualities ran somewhere around 0.5 and 0.7 showing a pleasant level of construct validity of measures were utilized.
The reliability of the analysis was examined with the use of alpha and composite reliability. Table 3 indicated that the alpha value and composite reliability for every construct exceeds 0.7, the required benchmarking for appropriate reliability as stated [40].

Validity and reliability of the construct
R-squared is also referred to as coefficient of determination; this is commonly used in evaluating the goodness of fit (GoF) of the regression equation. Hence, result obtained from this study possessed an average value of (0.702) according to Table  4. Additionally, all the components of AVE are > 0.5. Lastly, the construct on IS risk management data indicate GoF value to be equal to 70% (0.7) this is in proportion with the required validity and reliability of the construct.

The discriminant validity of the measures
To affirm the construct validity of the external model, it was important to build up the discriminant validity. This step was

Variable Measurement Source
Organization culture Underlying beliefs and assumption towards IS risk management implementation as a value. Oluwafemi [31] Organization structure Allocation of authority and responsibility in relation to IS risk management implementation.
New South Whale (NSW) [39] Trust Display of good intent behavior towards the IS risk management implementation.
Grabowski & Robert [32]  Chief financial officers 30 Total 120  compulsory preceding the testing of the hypotheses through the investigation. The discriminant validity of the measures demonstrate the extent to which items separate among constructs As represented in Table 5, the square root of AVE for every one of the constructs was put at the diagonal elements of the correlation matrix. As the diagonal elements are greater than the element of the row and column in which they are found, this affirms the discriminant validity of the external model. Having built up the construct validity of the external model, it is expected that the generated results relating to the hypotheses testing ought to be valid and reliable. Table 6 represents regression coefficients of each CSFs (hypotheses).
One out of the three regression analysis were significant (p ≤ 0.05) with positive results of (β=0.317, β=0.198, and β=0.720) respectively. The t-values of the factors are (t= 1.792, t=1.620, and t=3.352 respectively, p<0.05) which shows that (competitive pressure, organization culture and strategy) positively influence IS risk management implementation in the bank sector. This findings therefore, explained the significant level of each factor in IS risk management implementation.

DISCUSSION AND CONCLUSION
The research objective of this study was to investigate the perceived CSFs for IS risk management implementation in the bank sector. However, out of the three factors perceived to be critical for IS risk management implementation only one was found to be positively related to IS risk management implementation, that is hypothesis one H1 (organization culture). The positive effect was at 0.05 level of significant (β=0.317, t=1.792, p ≤ 0.05). This is in line with the finding [41,42].
From the analysis, it could be deduced that, there is a positive relationship between organization culture as a perceived CSF for IS risk management implementation in the bank sector. While other factors showed weak relationship.
The study adopted and discussed three CSFs perceived to influence IS risk management implementation in the bank sector. Therefore, the analysis revealed the significance of each factor as it influence IS risk management implementation in the bank sector. The uniqueness of this work is that it drawn scholars and practitioners attention to the usefulness of CSFs to IS risk management implementation. Also, it is highly relevant to practitioners who wish to enhance the success of IS risk management implementation irrespective of the industries/sectors.
In conclusion, IS play important roles in the bank sector as a service oriented business. Nowadays, IS was surrounded with uncertainty which eventually gave rise to risks. Therefore, banks need to lay much emphasis on IS risk management implementation. Nevertheless, effective IS risk management is highly necessary for the survival of the bank sectors.
According to above analysis, the hypotheses below explained the causal effect relationship that exists between the perceived CSFs and IS risk management implementation: H1. Organization culture strongly affects IS risk management implementation.
H2. Organization structure weakly effects IS risk management implementation.
H3. Trust weakly effects IS risk management implementation.

Practical implication
This study suggested that practitioners should take cognizance of organization culture as a CSF perceived to be positively influenced IS risk management implementation to enhance performance efficiency. The finding is of great benefits to bank executives to progress and compete in the global business environment. In addition, this study contributes towards the sustainability of the global financial performance.

Future study
We suggest that data collection should extend to other sources different from the one employed in this study to test for further valid results. Also, future researchers can statistically validate the hypotheses to assure the accuracy of the findings since out of three hypotheses only one display a positive response, also new set of CSFs can be introduce along the line on the same topic. Furthermore, the sample size can be reduce or increase to obtain more valuable outcome. The same set of CSFs can be tested on other organizations.