Factors Affecting Risk Management in Industrial Companies in Jordan

Abstract

This study aims to identify and rank the critical factors affecting risk management from the perspective of top and Lower Management in Jordanian industrial companies. Based on a rigorous literature review, critical factors affecting risk management are factors related to (1) flexibility and adaptation in the economic environment; (2) company characteristics; (3) external audit quality; (4) government rules and regulations; (5) top management and the board of directors; (6) organizational structure; (7) internal audit effectiveness; (8) trust; (9) human resources efficiency and training (10); communications (11); information technology (12); and the company’s culture. Quantitative research methods were used. A questionnaire was developed and distributed to a random sample of senior managers of industrial companies in Jordan. Kendall and Mann–Whitney tests, RII, and EFA were used to analyze the acquired data. The results show that all discussed factors have an effect on risk management, and there is no difference between top and Lower Management’s opinions regarding the ranking of the importance of those factors on risk management. This study provides an original perspective on the concept of risk management and the factors that impact it. These findings have important implications for Jordanian industrial companies’ decision makers. Companies should apply the results to their strategies and policies to reduce risks.

1. Introduction

Jordan is a country with limited natural resources and a dependence on tourism, foreign investment, and human resources. The industrial sector in Jordan has been significantly affected by the restriction of the movement of basic inputs used to manage the production cycle, as well as the closing of markets to which products are sent.

(Jordan Investment Commission 2018) The Investment Commission in Jordan mentioned that the industrial sector is one of the largest contributors to Jordan’s gross domestic product (GDP) (about 24% of the GDP), with about 18,000 industrial facilities and about 240,000 workers, mostly Jordanians.

The importance of the industrial sector is due to some factors, including Jordan’s competitiveness for industrial investors and its intermediate position between countries. The “Free Trade Agreements” (FTAs) support these, and finally, the agreement between Jordan and the European Union to ease the rules of origin to facilitate the arrival of Jordanian products on the European market. The International Labor Organization (ILO) and the United Nations Development Program (UNDP), in collaboration with FAFO, a Norwegian research institution and owner of the FAFO Institute for Labor and Social Research in Oslo, independently conducted two enterprise surveys in April 2020, about a month after the ban began in Jordan, resulting in a report in which the information from these two studies was consolidated to serve as the basis and justification for this study.

Risks are an essential component of all projects and businesses, and no organization, no matter how well it plans, can avoid them entirely. Risks have numerous impacts that may not show up straightaway or may appear out of nowhere during the execution of one of the stages of work, which directly influences the entire work. Risk management is defined, according to Oliveira et al. (2018), as “a coordinated process of identifying and analyzing risks through an incorporated methodology applied to the organization, so its strategies, activities, individuals, technology, and knowledge are adjusted by evaluating and managing risks to guarantee the accomplishment of organizational objectives”.

Risk management regards the following according to Na Ranong and Phuenngam (2009): (1) the process of eliminating, reducing, and controlling risks; (2) identifying, analyzing, assessing, monitoring, and controlling risks; (3) reducing negative opportunities; and (4) achieving business methods and goals.

Numerous studies have analyzed the effect of risks and their factors; however, there is still a shortage of studies that rank the factors affecting risk management according to their importance.

Due to the presence of this gap in the past literature in regard to this matter, this study aims to enrich the theoretical literature with recent studies in exploring and ranking the factors affecting risk management, thus making it important to know and determine the importance of several different factors in “risk management” in industrial companies in Jordan.

Consequently, there is an emerging need to identify these factors and determine which factors are the most significant from the viewpoint of experts and practitioners in the field, which helps managers take better decisions. Companies should enhance the less important factors to reduce risks and can apply the results in their strategies and policies. The objectives of this paper are (1) to identify factors that affect risk management by conducting a rigorous literature review. (2) Rank these factors from the viewpoint of experts for both upper and Lower Management in the industrial companies in Jordan. (3) Perform a comparison of viewpoints about factor importance between the opinions of upper and Lower Management in the industrial companies in Jordan. (4) To find out if the presence of an independent department or a special committee for “risk management” in industrial companies will help in predicting the upcoming risks and preserving the progress of work for the longest possible period.

The major contributions of this research are as follows:

• The current study’s findings expand earlier research conclusions while also adding some new findings to the body of knowledge, particularly in the field of risk management.
• This study on Jordanian industrial companies can be used as a sample to identify the most significant risk management factors and rank them according to their importance from the perspective of upper and Lower Management.
• To find if there are any differences in the responses of lower and Upper Management in terms of their viewpoints on the importance of the factors.
• This study can be considered the first to investigate all twelve factors that affect risk management and rank them based on their importance from the viewpoint of upper and Lower Management.
• The result of this study provides several important implications for managers and decision makers in Jordanian industrial firms.
• Identifying the least important factors will motivate companies to improve them to reduce risk.

In order to achieve the study’s aim and objectives, the following question was formulated:

Q1: What are the most important factors that affect “risk management” in industrial companies in Jordan?

2. Literature Review and Theoretical Framework

2.1. Literature Review

2.1.1. What Is a Risk?

Risks are vital to all projects and companies, and no company can overcome them all, regardless of its ability to plan. Therefore, risks are seen as uncertain cases, and if they occur, they may affect the objectives of the project positively or negatively (Hillson 2002; Ullah et al. 2021). Hence, risk is “an uncertain event or condition that affects the timeline, cost, and quality of projects” (Akhavan et al. 2019). Accordingly, there has been a rising awareness that risk management is essential. A risk management manager permits managers to effectively handle uncertainties (Yakob et al. 2022), as well as perceive some of these potential risks prior to starting the work, for instance, equipment breakdown or anticipated results, for instance, plan delay; yet, many risks are unpredictable and have results beyond imagination (Larson and Gray 2011).

Risk is not a factor of a certain procedure, division, or project. Nevertheless, a risk is a consequence of the overall segments in a firm. Consequently, risks are comprehensively viewed at the firm level (Fitriana and Wardhani 2020). The International Organization for Standardization (ISO, 2009) recommended companies make and improve their work frameworks by including a “risk management” process in their policies, governance, culture, strategic planning, management, and report production. Thaheem et al. (2014) classifies risks into two major types: Internal risks, which are those that are within the control of the industrial unit and are divided into two categories, technical risks and nontechnical risks. 2. External risks, which are outside the control of the industrial unit and are secluded into two sorts: (A) predictable risks and (B) unpredictable risks. Here, insurance may be a way to deal with the impact of some of these risks.

2.1.2. What Is Risk Management?

Firm “risk management” is defined as “a coordinated process of identifying and analyzing risks through an incorporated methodology applied to the organization, so its strategies, activities, individuals, technology, and knowledge are adjusted by evaluating and managing risks to guarantee the accomplishment of organizational objectives” (Oliveira et al. 2018). Moreover, depending on Akhavan et al. (2019), risk management is a “structured approach used for identifying, evaluating, and prioritizing risks after controlling probabilities and the impact of unplanned events”. In September 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued “Enterprise Risk Management: An Integrated Framework”, to give a model framework for Enterprise Risk Management (ERM).

That framework defines ERM as:

“… a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”.

(COSO 2004)

Lately, attitudes toward risk management have changed and have tended to form a more comprehensive perspective. Although it is a new approach, several organizations have aimed to adopt it, as researchers believe that adopting risk management for the company improves its performance (Levine and Miller 2022). Because of the shortage of academic research on factors affecting risk management, interest in its role in companies and its use as a strategic instrument has increased (Gates and Hexter 2005). Lam (2001) claimed that organizational risk management improves a company’s proficiency to decrease loss, stabilize gaining volatility, and expand a firm’s return on equity and shareholder worth; therefore, it is a vital means to promote the success of the organization (Rehman and Anwar 2019).

Organizational risk management activities permit organizations to handle diverse risks such as “strategic risk, market risk, credit risk, operational risk, and financial risk, all of which can influence operations” (Banham 2004).

Since various social psychologists explain that natural disasters are less thought about by managers due to the popular perception that these disasters are “acts of God” that cannot be avoided or controlled, researchers have argued that informal cooperation across organizations may diminish the factors of “inactive risk” and crisis mitigation and response, inciting the need to understand and regulate disaster risk, postdisaster learning, and recovery (Chen et al. 2013). It is fundamental to approve using risk management in all stages of work and not to concede its implementation so as not to make it difficult to identify and overview, and in this manner, to conversely influence all stages of the company’s life (Korkmaz 2022).

2.1.3. Risk Types

Hayur and Khalas (2020) argued that there is a set of risks surrounding a company, for instance, the internal environment risks, which are risks achieved by events that occur inside a company that can be anticipated and controlled by the management. External environmental risks are the second sort of risk that comes about due to threats from outside factors. Hayur and Khalas (2020) assure the presence of various types of risks, including operational risks, informational risks from using misleading or mixed-up information in making decisions, and finally, financial risks.

2.1.4. Risk Management Procedures

Risk Identification

Risk identification is significant as it affects the next stages of the work of organizations (Petrovic 2017). Similarly, strategies ought to be developed that can simply identify risks to anticipate the opportunity of their occurrence, similarly to various strategies fit for dealing with risks once discovered (Potts and Ankrah 2008). Mhetre et al. (2016) show that we can review the risks that a company was previously exposed to, organized by its requirements, from the most dangerous to the least dangerous, which helps the company’s employees with knowing these risks and facilitating their identification.

Potts and Ankrah (2008) focused on the fact that this process is the most significant in risk management and has procedures and techniques for gathering information and making an exact database to obtain the best results. Several methodologies for identifying risks include brainstorming, holding workshops, analyzing scenarios, analyzing historical data, analyzing action plans (Klemetti 2006), and interviewing experts, which is considered the most beneficial (Steyn 2018).

Risk Evaluating (Assessment)

Saeidi et al. (2019) defined risk assessment as “permitting an entity to consider the impact and likelihood of events and analyze risk using quantitative and qualitative approaches. It examines the positive and negative effects of potential events all over the entity”. Therefore, the second stage is the primary strategy to examine for analyzing and evaluating risks. Thus, this process seeks to prioritize risks (Rovins et al. 2015). Risk evaluation is a high risk, and it should require the administration to operate effective techniques to deal effectively with these risks. Additionally, low risk should not be disregarded, whereas the amount of control should be less than for high risks (Serpell et al. 2015).

A—Qualitative analysis: It depends on the use of interviews, brainstorming, the Delphi Technique, and checklists, and here, the possibility and effect of risks can be applied negatively or positively to a company’s goals and expected outcomes (Banaitiene and Banaitis 2012). One of the qualitative methods for estimation is a “risk matrix”, as shown in Figure 1, which can be relied upon to decide the “probability of risk” (Serraino 2014), where the risks are isolated into three categories: high risk, medium risk, and low risk (Petrovic 2017).

B—Quantitative analysis is viewed as more unbiased than qualitative methods. The quantitative analysis depends on data to decide the degree of effect of each risk (low, medium, or high) and the probability of its appearance, which is why it is a significant process to decide the degree of effect of a risk on the company (Serpell et al. 2015). Petrovic (2017) argued that quantitative risk analysis methods include probability analysis, Monte Carlo simulation, sensitivity analysis, and scenario analysis.

Risk Response (Taking Measures)

It is the process of identifying the necessary procedures to decrease the adverse consequences of risks on the performance of companies and exploiting the opportunities that enhance their success. Alhassan (2016) indicated that it identifies risks through the optimal use of resources and activities in the budget. Multiple strategies can be operated to reduce the probability of risk intensity and the effects of risks. According to Petrovic (2017), there are four methods for risk response: (1) avoiding risks by effectively dealing with the reason, (2) reducing the risks by decreasing the risk cost through the utilization of emerging technology, (3) accepting the risks, and (4) dealing with risks effectively by designing an emergency scenario.

Figure 2 helps in decision making for the reaction to the likelihood and effect of the risk depending on two factors, the probability of the risk and the risk impact, and the actions could be as follows:

Risk Monitoring

In the last and most important step of risk management implementation, different subprocedures are used to keep track of found risks, keep an eye on remaining risks, and find new potential sources and their level of impact (Cooper et al. 2005; Korkmaz 2022). According to PMI (2017), risk monitoring and control is the “process of tracking identified risks, identifying and analyzing new risks, monitoring the implementation of risk response plans, and assessing the effectiveness of risk management processes throughout a project”. Chapman (2019) claimed that risk monitoring is constantly inadequately executed in building projects due to the lack of management and monitoring risks that have been determined.

2.2. Theoretical Framework

This section explores a foundational review of existing factors in the literature that serves as a roadmap for ranking relevant factors in the Jordanian context. Once the factors are ranked, we are able to draw connections, make predictions, and contextualize the research.

2.2.1. Factors Affecting “Risk Management”

Na Ranong and Phuenngam (2009) indicated a set of seven basic factors that they considered proof of their ability to influence risk management and increase the efficiency of its procedures. They characterized it with the following factors: (1) commitment and support from Upper Management; (2) communication; (3) culture; (4) information technology (IT); (5) organizational structure; (6) training; and (7) trust.

Table 1. List of factors affecting risk management.

Factors Affecting Risk Management

1. Factors related to Upper Management and Board of Directors

2. Factors related to External Audit Quality

3. Factors related to Internal Audit Effectiveness

4. Factors related to Human Resources Efficiency and Training

5. Factors related to Government Rules and Regulations

6. Factors related to Communication

7. Factors related to Flexibility and Adaptation in the Economic Environment

8. Factors related to Information Technology

9. Factors related to Organizational Structure

10. Factors related to Trust

11. Factors related to Culture

12. Factors related to Company Characteristics (size)

summarizes the factors affecting risk management as described in the literature review, which led to an increase in the number of factors affecting risk management to twelve.

Factor 1: Upper Management and Board of Directors

Okello (2012) found that the commitment of Upper Management is a critical factor in managing risks and impacting the achievement of the organizational system. Important support of Upper Management includes several activities in the organization, including risk management, and as Young and Jordan (2008) proposed, “the essence of the support of Upper Management is related to efficient decision-making to manage risk and to delegate business process change”. While this support is considered essential for a successful project because it increases risk management decision making and, consequently, the success of any efforts within any company (Hasanali 2002), Upper Management details the objectives and procedures of all risk management activities and their general mission and goals (Henriksen and Uhlenfeldt 2006; Anton and Nucu 2020).

The significance and challenges of the board of directors and Upper Management’s role in establishing a risk management program to effectively secure the company’s resources were highlighted by (Lipton et al. 2011), as the company’s risk management is seen as a matter of governance and is subject to the Board of Directors’ oversight. The Board members must be persuaded that the risk management procedures are in line with the company’s strategies in order for them to take the necessary actions to raise the level of risk awareness and risk management skills in the organization in order to avoid or lessen the likelihood of risks occurring and their effects.

Boodman (1987) believes that the company’s directorate and Upper Management ought to be dynamic members in deciding and studying risk/reward tradeoffs, so that a risk management function is set up within the company’s structure with a clear delegation to manage the company’s risks.

According to BCBS (2006), the administrators of the risk management methods of Upper Management and the directorate should be convinced of their role in the company and should participate in identifying, evaluating, monitoring, and controlling risks, reducing risk, and everything else related to the risk profile.

Galorath (2006) and Hasanali (2002) emphasized that the commitment of Upper Management is vital to the degree of accomplishment of the risk management strategy at the company, as their commitment helps to embed risk management at the operational and strategic levels within the company. Beasley (1996) has demonstrated that the relationship between board characteristics and the degree of implementation of risk management in companies is positive.

Factor 2: External Audit Quality

External or traditional risks are not usually controlled by the company but depend on external and often complex dynamics. These risks include exchange rate fluctuations, forgery and fraud, and changing regulations (Giuffrida et al. 2019), which can cause unexpected cost increases (Li et al. 2020).

These types of risks can rarely be avoided but are typically mitigated, respectively, by hedging techniques, investment in cybersecurity measures, and cooperation with legal advisers and experts (Wang et al. 2020).

Similarly, according to Paape and Speklé (2011), companies that use high-quality auditors are more committed to risk management, which leads to enhanced good governance, because these companies are obliged to encourage their customers to improve their risk management procedures. While Desender (2011) and Anton and Nucu (2020) confirmed that there is a positive relationship between the quality of external audits and the degree of risk management implementation in companies.

Factor 3: Internal Audit Effectiveness

There should be strict internal control to avoid fines or the shipment of products that are not within the required standards (Jia 2020).

The Institute of Internal Auditors characterizes risk-based internal auditing as “a methodology that connects the internal audit framework within the general risk management framework of the organization, as it permits internal auditing to confirm to the directorate that the risk management program is managing risks adequately within worthy risk limits set by the Foundation “(Hayur and Khalas 2020). Beasley et al. (2006) asserted that internal auditors play an important role in giving confirmation and counseling services related to risk management in their organizations. The internal auditors’ competence increases based on their abilities, capabilities, knowledge, and goodness (Badara and Saidin 2014). Thus, it is evident that the relationship between the adequacy of internal audits and the degree of implementation of risk management in companies is positive.

Factor 4: Human Resources Efficiency and Training

Cardy and Selvarajan (2006) stated that there is currently a great interest in human resource efficiency and its role in risk management implementation, as efficient human resources play an important role in improving effective job performance, which leads to increased organizational competitiveness. Okello (2012) also sees training as a critical factor for training employees with appropriate skills to deal with risks. Since the success of any organization depends on the quality and competence of its employees, it is therefore important that it has a sufficient number of employees equipped with relevant skills in managerial positions.

Carey (2001) emphasized that the ability of employees to respond to the changing needs in the business environment is linked to the development of training courses on risks and encourages them to participate in responding to early warning systems, whereas increasing the competitiveness of the workforce in the organization enhances the chances of success, which confirms the existence of a positive relationship between the efficiency of human resources and the level of implementation of enterprise risk management.

Factor 5: Government Rules and Regulations

Okello (2012) indicated that government rules and regulations are the guiding principles that influence the formulation of risk management strategy because of the potential risks they represent to companies. Compliance with rules, regulations, and requirements for inclusion in risk management and corporate governance standards must be achieved, ensuring the maintenance of a solid and improved risk management system (Paape and Speklé 2011). Consequently, there is a positive relationship between compliance with rules and regulations and the level of implementation of risk management in companies.

Factor 6: Communication

Effective communication with members of the board of directors, management, senior management, and those concerned is critical for the risk manager’s role to be valuable and important, as stakeholders must understand the consequences that may result, as well as receive assistance in dealing with concerns and doubts, managers’ awareness of risk management decisions that affect all levels of business, creating a culture of transparency, and increasing credibility with stakeholders (-) (Doloi 2009).

Communication is an essential driver in achieving project objectives. Thus, it is hypothesized that reliable and efficient communication between members of the project team is a critical factor influencing relational partnering success (Williams and Lilley 1993).

Risk management needs to collect as much important information as possible to achieve its objectives of control and enable it to track actual performance and provide early warnings regarding potential events. (Frewer 2003)

Communication includes the flow of information from the top (Upper Management) to the bottom (employees) or vice versa and may include outside parties (Hayur and Khalas 2020). Communication helps to clearly define expectations, goals, and objectives and ensures that all company members support each other and the business strategy (Quirke 1996). The source must also be trusted, expert, honest, and unbiased for its message to contain clear, attention-grabbing, and easily interpretable content and influence decision making (Breakwell 2000; Chatterjee et al. 2020).

Factor 7: Flexibility and Adaptation in the Economic Environment

An ILO report indicated that the ability of companies to survive the economic crisis and most risks depends on several factors, such as the extent of their flexibility and adaptation to commercial operations, in addition to the existence of a business continuity plan, but only 25 percent of companies have one. As previously stated in the introduction survey, a small percentage of companies (25%) had plans to continue their work by managing and responding to risk, indicating that there is a positive relationship between the flexibility, adaptation, and existence of a business continuity plan and the level of risk management implementation in companies (ILO 2020).

Factor 8: Information Technology

As information technology has become an important factor in the presence of increasing competition, higher levels of performance, and globalization, Rolland (2008) suggests using information technology to enhance the effectiveness of risk management. Information technology tools also collect historical data, allowing the organization to learn from its mistakes and avoid making the same ones again.

Support should also be focused on accelerating the digital transformation of all enterprises, which includes technological transformation on the one hand, the integration of technology in all other areas of work on the other, and a radical change in business and organizational culture overall, which also requires government actions to assist and motivate companies to “build back better” (ILO 2020). Thus, there is a positive relationship between using information technology and accelerating digital transformation to enhance the effectiveness of risk management in companies.

Factor 9: Organizational Structure

Hasanali (2002) considers that the organizational structure is equally important because it provides understanding, direction, and support to employees. The structure provides prior researcherity to determine how employees work and provides concepts, guidelines, and support to employees (Hunter 2002). There is no ideal corporate structure, but rather successful structures that have strengths and weaknesses. Drucker (1999) asserted that there are organizations that contain more than one organizational structure that coexists side by side.

Factor 10: Trust

Trust is the key to cooperation and teamwork in an organization, and this is precisely what risk management needs. According to Grabowski and Roberts (1999), trust helps the members of the organization focus on their tasks without hindrance from doubts about the roles, responsibilities, and resources of others. Hasanali (2002) considered that trust is a key factor because risk management needs cooperation and teamwork to be successful. Earle (2010) argues that the effect of trust on risk management is greater when knowledge is little or missing, and this relationship may differ depending on whether respondents prefer or oppose management actions based on their judgments of trust. The researchers found that a final understanding of the contextual factors that influence the relationships between trust and the implementation of risk management still awaits further studies.

Factor 11: Culture

Hasanali (2002) defined culture as “a mixture of shared history, unwritten rules, and social customs that dictate behavior”. According to Grabowski and Roberts (1999), risk management requires the blending of different cultures; the organization must build a culture of reliability, so individuals must meet, interact, exchange ideas, share knowledge, and transfer it among themselves. Risk management implementation is linked to risk culture, as executives with a low-risk culture are usually not serious about weighing the benefits and harms of risk exposure, which leads to poor decision making and weak internal control (Selamat and Ibrahim 2018). Thus, it will be difficult to provide high-quality products or services without a positive risk management culture, so that customers do not ultimately lose confidence in the company as described by (Selamat and Ibrahim 2018).

Factor 12: Company’s Characteristics (Size)

According to Önder and Ergin (2012), the most important factors positively affecting the implementation of risk management are the size of the company and its financial leverage. Large firms will likely adopt enterprise risk management due to their need for a comprehensive risk management strategy (Anton and Nucu 2020). The type of industry also plays a role in increasing the use of risk management (Colquitt et al. 1999). Beasley et al. (2010) conducted a survey at North Carolina State University that shows that even though it is still relatively immature and is being developed, there is a positive relationship between the size of the company and risk management implementation.

2.2.2. List of Factors to Be Ranked

An extensive literature review was conducted to identify factors affecting risk management. The literature review was conducted using Scopus and Web of Science, which were determined to be the preliminary scholarly databases due to their comprehensive scope and faster indexing techniques. The papers were screened and filtered by title, keywords, and abstract, with “risk management”, “factors and risk”, and “factors affecting risk in industrial industries”.

To improve the superiority of the review, some acceptance and elimination criteria were formulated, and the determined papers depended on the following selection criteria: (1) the main theme of the paper was risk management, (2) it was in the industrial industry, and (3) it was written in English and published in an indexed journal. The factors of risk management were clustered into a set of twelve basic factors, as represented in

Table 2. List of factors to be ranked and their dimensions from the previous literature review.

Comparisons between the Researchers’ Proposed Factors and the Other Studies
Researcher(s)	Topic Dealt with
Commitment and Support from Upper Management and Board of Directors
Okello (2012)	Senior management commitment is a key factor in managing risks
Daniel Galorath (2006)	Upper Management commitment helps to embed risk management at the operational and strategic levels
Hasanali (2002)	-Leadership -Successful mitigation or bearing of risk is contingent upon commitment and support from Upper Management
Henriksen and Uhlenfeldt (2006)	Upper Management formulates and decides objectives and strategies for organizational risk management activities, mission, and overall objectives
Young and Jordan (2008)	Suggest “the essence of Upper Management support related to effective decision-making to manage risk and to researcherize business process change”
Barton et al. (2002)	The Board of Directors should create a risk management program to protect assets
Gentzoglanis (2010)	Increase the measures taken, such as hedging the risks, depending on the point of view of senior management and level of confidence
External audit quality
Paape and Speklé (2011)	Firms that hire high-quality auditors are more committed to risk management
Beasley et al. (2005)	The involvement of auditors has a great impact on the implementation of risk management.
Desender (2011)	There is a positive relationship between the quality of external audits and the level of implementation of risk management
Internal audit effectiveness
Hayur and Khalas (2020)	A methodology allows internal auditing to provide assurance to the board of directors that the risk management program is managing risks effectively
Beasley et al. (2006)	Internal auditors play an important role in providing assurance and consulting services related to risk management
Human resources efficiency and Training
(Cardy and Selvarajan 2006)	A great interest currently in human resource efficiency and its role in implementing risk management
(Badara and Saidin 2014)	There is a positive relationship between the efficiency of human resources and the level of implementation of enterprise risk management
Okello (2012)	Training is a critical factor for training employees with appropriate skills to deal with risks
NSW Department of State and Regional Development (2005)	Training staff appropriately
Government rules and regulations
Okello (2012)	Any change in government rules and regulations can be dangerous to business
(PWC 2004)	Cooperation between corporate governance, risk management, and compliance is essential
(Paape and Speklé 2011)	Compliance with rules and regulations in risk management and corporate governance must be achieved
Communication
Grabowski and Roberts (1999)	Communication
Carey (2001)	Verifying your judgments
Quirke (1996)	Good communication helps employees to receive and deliver the correct message from risk management
Breakwell (2000)	-Communication in risk management depends on the characteristics of the audience and the source of the message and its content -The source must be trusted in order for the risk management message to be effective
(Hayur and Khalas 2020)	Risk management collects information to achieve its objectives of control and provide early warnings
Economic environment
Na Ranong and Phuenngam (2009)	Focusing on the strategies in place within the economic environment
(ILO 2020)	The ability of companies to survive the economic crisis and most risks depends on flexibility and adaptation to commercial operations
Information Technology
Farida Hasanali (2002)	Information technology infrastructure
Organizational Structure
Farida Hasanali (2002)	-Structure, roles, and responsibilities - Organizational structure is equally important because it provides direction and support to employees
NSW Department of State and Regional Development (2005)	Setting clear objectives and guidelines for risk management
Hunter (2002)	The structure provides prior researcherity to determine how employees work
Trust
Grabowski and Roberts (1999)	Trust makes the members of the organization focus on their tasks without doubts
Hasanali (2002)	Risk management needs trust in order to cooperate, have teamwork, and to be successful
(Earle 2010)	The effect of trust on risk management is greater when knowledge is little or missing
Culture
Grabowski and Roberts (1999)	Organizational culture
(Selamat and Ibrahim 2018)	The implementation of risk management is linked to a risk culture
(Nocco and Stulz 2006)	Three factors associated with ERM are usually grouped under the leadership construct
Farida Hasanali (2002)	Culture
Company Characteristics (size)
Önder and Ergin (2012)	The most important factors positively affecting the implementation of risk management are the size of the company and its financial leverage
Colquitt et al. (1999)	Large firms will likely adopt enterprise risk management due to their need for a comprehensive risk management strategy
Beasley et al. (2010)	There is a positive relationship between the size of the company and risk management implementation

, which is a list of ranked factors and their dimensions.

2.2.3. Hypothesis

The fundamental objective was to identify and rank factors affecting risk management. Additionally, we tested the following hypothesis, which relates to the comparison part of objective 3, which is to “perform a comparison of viewpoint about factor importance between the opinions of the Upper Management and Lower Management in the industrial companies in Jordan”:

H₀: 

There are no significant differences in the opinions of the upper and Lower Management in the industrial companies in Jordan with regard to the importance of the factors affecting “risk management.”

3. Methodology

3.1. Research Population

This study covers 56 of the major publicly traded companies currently operating in the industrial sector in Jordan. The unit of analysis consists of Upper Management (chairman of the board of directors, chief executive officer “CEO”, senior executive vice president, and general directors), Lower Management (other departments’ managers), and risk management managers in Jordanian industrial companies. Higher-level management and stakeholders have different strategic objectives from those of the department’s managers in lower-level management. The study attempted to demonstrate that there is no conflict between the two management’s opinions on risk management implementation in industrial companies.

3.2. Research Sample

The sample was originally considered a census sample to cover the industrial companies in Jordan; therefore, the population is equal to the research sample. The list of the companies represented in Appendix B confirms this. The questionnaire was distributed to the senior managers of the selected industrial companies. The studied companies differ in their relative size, job structure, and therefore the number of their managers. It was not easy to obtain the exact number of all the managers working due to privacy issues. The researchers sent the questionnaires to all populations in the study via email and personally. The researchers received 312 questionnaires with a response rate of 62.4%. Additionally, from the 312 questionnaires received, 242 were valid and used for further analysis. Therefore, the census sample is considered a convenience sample.

3.3. Data Collection

Researchers used different sources of data to cover the need for variables for clarification on the one side and to enhance the study and give it greater reliability on the other side.

The data collection approach in this study is divided into two main categories:

(1)

Primary data sources: a questionnaire was created specifically for this study and distributed in both Arabic and English to guarantee a clear understanding of the questions.

(2)

Secondary data sources are textbooks and references; personal interviews or via email; articles; annual reports; specialized magazines; and internet sources; theories; previous research; and studies in the field, in addition to published research on the subject.

The questionnaire was used as a primary tool for data collection. The design of the questionnaire is consistent with the objectives of the study and is structured to assist the respondent in answering the research questions.

Ordinal scales were used in the questions that ask respondents to rank the factors, whereas Likert’s five-point response scale was used to measure the strength of the respondent’s opinion.

To collect the primary data, the researchers designed a closed questionnaire in which the participants include respondents from the senior managers of industrial sector companies, which represent the primary data for this study.

The design of the questionnaire is consistent with the objectives of the study, and it includes the following three sections:

A: A letter of introduction;

B: General and demographic information to shed light on the backgrounds of the companies;

C: Questions that ask respondents to rank the factors from 1 to 5.

Ordinal scales were used in this study, where Likert’s five-point response scale was also used to measure the strength of the respondent’s opinion (Sekaran and Bougie 2016).

The following table (

Table 3. Level of agreement about items according to mean value.

Mean Values	1–1.80	1.81–2.6	2.61–3.4	3.41–4.2	4.21–5.00
Agreement Level	Very low	Low	Moderate	High	Very High

) was used to assess and categorize the respondents’ level of agreement:

3.4. Validity and Reliability of Scales

Various approaches have been implemented to improve the validity and reliability of these research findings. The content validity of scale items was determined by sourcing questionnaire items, obtaining all references for each question, and then consulting one management Ph.D. holder to provide comments and evaluations for the questionnaires in both Arabic and English. He made the necessary adjustments to make the questionnaire as clear and simple to answer as possible. A reliability test of the factors was conducted before running exploratory factor analysis (EFA), and items of the factor loading below 0.6 were deleted. Cronbach’s alpha coefficient was conducted for all factors suggested that affect risk management and the number of items before calculating factor loading, as asserted by (Hair et al. 2014). Then, for each item in each factor of the study, a principal component analysis (PCA) with varimax rotation was performed. The loading of all items for all factors exceeded 0.60.

After conducting EFA, another reliability test of the instrument was performed to guarantee the instrument’s reliability after the removal of items with factor loadings of less than 0.6. In this study, two types of validity were analyzed: criterion validity and construct validity. In criterion validity, the Spearman coefficient and p-value are calculated between each item in one group, while in construct validity, they are calculated for each group. Because the p-value was less than 0.05, the correlation coefficient was statistically significant, indicating that the instrument is valid for measuring what it is intended to measure. Criterion validity was achieved for all factors, since the Spearman coefficient is significant for all items in the factors and the correlation coefficient is greater than 0.6 for all items in these factors (see Table in Appendix A).

This signifies that the items in the study questionnaire are highly related to one another and have a high level of internal consistency.

3.5. Data Analysis Techniques

To describe the attitude of respondents toward the factors affecting risk management, the Relative Importance Index (RII) was conducted for overall respondents. The RII was used to quantify the factors that may affect estimation accuracy. Thus, based on the RII values, the ranking of risk management factors was carried out. To calculate the RII, the following equation was used:

$$\mathit{R}\mathit{I}\mathit{I}=\frac{\sum \mathit{w}}{\mathit{A}\mathit{N}}\times \mathbf{100}\%$$

where:

W is the weighting given to each factor by the respondent. Ranging from 1 (not important) and 5 (very important).

A is the highest weight (which is 5 in this study).

N is the total number of samples.

In addition to RII, the Coefficient of Variation (COV) is obtained to compare the relative variability of various responses. It represents the standard deviation as a percentage of the mean. Large COV means that evaluated bias is dispersed and unpredictable. COV was computed using the following equation from Elhag et al. (2005):

$$\mathit{C}\mathit{O}\mathit{V}=\frac{\mathit{s}}{\mathrm{x}}\times \mathbf{100}\%$$

where S is the standard deviation and x is the mean.

4. Data Analysis

A questionnaire was built based on factors found in previous studies to measure the validity of the content. A factor analysis was performed to validate the instrument’s construction and determine the correlation between these factors (Hair et al. 1988). An exploratory factor analysis (EFA) was used to examine the interrelationships between factors. Accordingly, the Cronbach Alpha coefficient was measured for all factors, before and after EFA. After collecting the primary data, the data were analyzed using the Statistical Package for the Social Sciences (SPSS), version 24. The percentages and frequencies were obtained to describe the demographic profile of the sample, and the mean and standard deviation were obtained to describe the perceptions of the respondents regarding the factors affecting risk management in the industrial sector in Jordan.

In addition, the Mann–Whitney test and Kendall’s coefficient of concordance (W) were used to test the hypothesis of the study. The Mann–Whitney test was used to determine whether there is a statistically significant difference in ranking the factors affecting estimate accuracy at 0.05, while W was used to estimate the degree of agreement between upper and Lower Management opinions on the ranking of each of the tested factors and whether this agreement is statistically significant. To prioritize the risk management factors, simple ranking and the Relative Importance Index (RII) technique were used. The Relative Importance Index (RII) was calculated for each of the indicators and ranked accordingly.

4.1. Demographic Analysis

The demographic information section of the questionnaire in this study was designed to obtain the following information from respondents: Upper Management consists of the chairman of the board of directors, the chief executive officer, the senior executive vice president, and the general directors, while Lower Management consists of department managers **.

Frequencies and percentages were conducted to describe the profile information of the respondents, as shown in (

Table 4. Profile of the respondents.

Respondents’ Information	Frequency	%
Job Position
Upper Management	160	66%
Lower Management	82	33%
Total	242
Qualifications
Technical/Vocational Certificate	10	4%
Diploma	16	7%
Bachelor’s degree	121	50%
Master’s degree	57	24%
PhD	33	13%
Others	5	2%
Total	242
Years of Experience
Less than 3 years	21	9%
less than 5 years	12	5%
5 to 10 years	61	25%
10 years and more	148	61%
Total	242
Is there a functionally independent department for risk management
Yes	109	45%
No	133	55%
Total	242

).

According to Table 3, 160 of the respondents (66.12%) were upper managers, while the remaining 82 (33.88%) were lower managers. Demographic analysis revealed that a bachelor’s degree was the most frequent qualification in the sample, accounting for 50% of all qualifications. The second most frequent qualification was a master’s degree, with a frequency of 23.6%, while the least frequent qualification (others) had a frequency of 2.1%. The third part of the demographics section asked senior managers about their overall experience to determine their level of experience and how that would influence their practices.

According to the results, 61.2% of the managers questioned had more than 10 years of experience in this position, while 8.7% had worked for less than 3 years. The final part of the demographics section asked whether the company had a functionally independent risk management department, to which 55 % replied that they did not have any independent risk management department.

4.2. Descriptive Analysis

Table 5. Descriptive Analysis of Factors affecting Risk Management.

	Factor	Mean	Standard Deviation	COV	RII	Overall Rank
1	Factors related to Top Management and Board of Directors	3.8415	0.96221	25.05%	77.93%	5
2	Factors related to External Audit Quality	3.9339	1.01838	25.89%	82.97%	3
3	Factors related to Internal Audit Effectiveness	3.8392	0.86791	22.61%	75.86%	8
4	Factors related to Human Resources Efficiency and Training	3.8392	0.86791	22.61%	75.37%	10
5	Factors related to Government Rules and Regulations	4.0592	0.89807	22.12%	81.48%	4
6	Factors related to Communications	3.8489	0.87060	22.62%	76.11%	7
7	Factors related to Flexibility and Adaptation in the Economic Environment	3.9897	0.92728	23.24%	83.80%	2
8	Factors related to the Information Technology	3.5372	0.82757	23.40%	70.33%	12
9	Factors related to the Organizational Structure	3.8981	0.93134	23.89%	77.68%	6
10	Factors related to Trust	3.7273	0.88817	23.83%	75.53%	9
11	Factors related toCompany culture	3.7397	1.01791	27.22%	75.28%	11
12	Factors related to the Company’s Characteristics	4.0111	0.98542	23.92%	85.28%	1

shows that the RII values ranged between 85.28% and 77.33%. These values mean that all of these factors are considered important from the respondent’s perspective. As shown in the table, “factors related to the company’s characteristics” were ranked as the most important factor, while “factors related to the information technology” were ranked as the least important factor.

As shown in Table 5, the mean of the respondents was relatively high for all factors that affect risk management; the highest mean of respondents was for factor five (4.0592), which is related to government rules and regulations, which means most respondents agree that government rules and regulations strongly affect risk management. The lowest mean of the responses towards risk management was 3.5372, which is related to factor eight, which is related to the factor of information technology. The acceptable values of standard deviation, as asserted by Sekaran and Bougie (2016), ranged between −2 and 2; in this study, the standard deviation of all factors was acceptable because it ranged between 1.01838 and 0.82757.

In this study, the COV of all factors ranged between 25.05% for factors related to top management and the board of directors and 27.22% for factors related to company culture. The results of the COV for all factors indicated that the variations in respondents’ attitudes related to factors affecting cost estimation accuracy are relatively low. This is a good indication that there is a relatively high level of agreement among the respondents.

4.3. Hypotheses Testing

To reach the last goal of this study, which was already mentioned, one main hypothesis was presented. To test the hypothesis written below, two nonparametric tests, the Mann–Whitney test and Kendall’s coefficient of concordance (W), were conducted. The Mann–Whitney test is used here to investigate if there is a significant difference at α ≤ 0.05 in ranking the factors affecting the estimate accuracy, while W is used to estimate the degree of agreement between Upper Management and Lower Management opinions related to the ranking of each of the tested factors and if this agreement is statistically significant. The range of the value W is between 0 and 1:1 represents the perfect agreement between contractors and consultants, while 0 represents complete disagreement between upper and Lower Management.

H₀: 

There are no significant differences in the opinions of the Upper Management and Lower Management in the industrial companies in Jordan, in regard to the importance of the factors affecting “risk management”.

The 12 factors achieved an RII between 84.61% and 72.28% according to Upper Management perception and an RII between 82.14% and 70.76% according to Lower Management perception. The relatively high values of RII for both upper and Lower Management indicate that these variables have a relatively high degree of influence on risk management.

Table 6. The Results for the study Hypothesis.

Factors	Upper Management		Lower Management
	RII	Rank	RII	Rank
Factors related to Top management and Board of Directors	80.93%	5	79.22%	6
Factors related to External Audit Quality	83.97%	3	81.16%	2
Factors related to Internal Audit Effectiveness	76.25%	7	74.98%	10
Factors related to Human Resources Efficiency and Training	74.22%	9	75.89%	9
Factors related to Government Rules and Regulations	83.48%	4	80.54%	4
Factors related to Communications	74.11%	10	77.44%	7
Factors related to Flexibility and Adaptation in the Economic Environment	84.61%	1	80.17%	5
Factors related to the Information Technology	72.33%	11	70.76%	12
Factors related to the Organizational Structure	78.68%	6	80.79%	3
Factors related to Trust	74.54%	8	76.87%	8
Factors related to the Company Culture	72.28%	12	73.53%	11
Factors related to the Company’s Characteristics	84.28%	2	82.14%	1
Mann–Whitney	106.5
Sig	0.654
Kendall’s Coefficient	0.458
Sig	0.000

shows that Mann–Whitney U = 106.5, and the p-value is 0.654, which is larger than the 0.05 significance level. The null hypothesis is therefore accepted at p > 0.05. Hence, there is no statistically significant difference between Upper Management and Lower Management regarding the factors that affected risk management. Moreover, Kendall’s Coefficient is 0.458, and the p-value is at the 0.00 < 0.05 significance level. The conclusion to be drawn here is that there is a significant and strong degree of agreement between Upper Management and Lower Management toward the factors related to risk management.

Consequently, the conclusion to draw here is that there is a significant and strong degree of agreement between top management and Lower Management toward the factors related to risk management, evidenced by Kendall’s coefficient = 0.458 and a p-value of 0.00 < 0.05 significance level.

5. Conclusions

Risks are a vital part of all projects and companies, and no company can overcome them all, regardless of its ability to plan. Therefore, risks are seen as uncertain cases, and if they occur, they may affect the objectives of the project positively or negatively (Hillson 2002; Ullah et al. 2021). Depending on Oliveira et al. (2018), risk management is defined as “a coordinated process of identifying and analyzing risks through an incorporated methodology applied to the organization so that its strategies, activities, individuals, technology, and knowledge are adjusted by evaluating and managing risks to guarantee the accomplishment of organizational objectives”.

Risk management procedures are the following: identification, evaluation, response, and monitoring of risks.

It is fundamental to approve using risk management in all stages of the work process and not to concede its implementation; therefore, it is not difficult to identify, overview, and, in this manner, conversely influence all stages of a company’s life (Albasara et al. 2018; Korkmaz 2022).

Industrial companies in Jordan are regarded as one of the most crucial areas that contribute to the national economy. The development of the industrial sector has become necessary, not a choice; this particularly stems from the changing conditions and other risks experienced by the world.

This study investigated the factors that affect risk management and ranked these factors based on the responses of the managers in the upper and Lower Management of industrial companies in Jordan. These factors are grouped according to the first research objective of this study, which was to identify factors that affect risk management by conducting a rigorous literature review. The critical factors affecting risk management are factors related to (1) flexibility and adaptation in the economic environment; (2) company characteristics; (3) external audit quality; (4) government rules and regulations; (5) top management and the board of directors; (6) organizational structure; (7) internal audit effectiveness; (8) trust; (9) human resources efficiency and training; (10) communications; (11) information technology; and (12) the company’s culture.

Many studies assert that a company’s characteristics affect risk management; this result is similar to the research conducted by Adam et al. (2016) and Alabdullah et al. (2021). Many studies’ results are similar to this recent study’s results, which prove that flexibility and adaptation in the economic environment have a positive effect on risk management, as the studies by Obrenovic et al. (2020) and Bartlett and Morse (2020) show. A lot of studies’ results are similar to this recent study’s results, which found that external audit quality affects risk management. This action implies that firms that employ auditors of high quality are more concerned and committed to risk management implementation and thereby improve good governance (Dabari and Saidin 2014). Therefore, there is a relationship between external audit effectiveness and the level of risk management implementation.

A lot of study results are similar to this recent study’s results, which prove that government rules and regulations have an effect on risk management, as shown in studies conducted by Hutter and Jones (2007) and Dang et al. (2020). The studies by Yang et al. (2018), Rothrock et al. (2018), and Shad et al. (2019) shared this study’s result, which is that top management and the board of directors have a positive impact on risk management. Many studies’ results are similar to this recent study’s results, which prove that organizational structure has an effect on risk management, as studied by Fan and Stevenson (2018) and Willumsen et al. (2019). The study by Smallman (2019) and the study by Akter (2020) share this study’s result that communications have a positive impact on risk management.

Regarding Internal audit effectiveness, the result of this study is similar to the result of the studies by Waseem-Ul-Hameed et al. (2017) and Alazzabi et al. (2020). Many studies’ results are similar to this recent study’ results, which show that trust has an effect on risk management (Boussard et al. 2019). The study by Shah et al. (2019) and the study by Lukovac et al. (2017) share this study’s result that human resources efficiency and training has a positive impact on risk management.

The result of this study is similar to the studies of Tranchard (2018) and Gamayuni (2018), which asserted that organizational culture can influence risk management in a company. These studies confirm the result of this study based on the responses of managers that information technology can affect risk management; this result comes from the study by Akatov et al. (2019) and the study by Samimi (2020).

Relating to the second research objective of this study, the ranking of the factors from the viewpoint of both upper and Lower Management in Jordanian industrial companies is listed in

Table 7. The rank of factors for Upper Management and Lower Management.

For Upper Management	For Lower Management
1—Factors related to Flexibility and adaptation in the economic environment	1—Factors related to Company’s Characteristics
2—Factors related to Company’s Characteristics	2—Factors related to External Audit Quality
3—Factors related to External Audit Quality	3—Factors related to Organizational Structure
4—Factors related to Government Rules and Regulations	4—Factors related to Government Rules and Regulations
5—Factors related to Top Management and Board of Directors	5—Factors related to Flexibility and Adaptation in the Economic Environment
6—Factors related to Organizational Structure	6—Factors related to Top Management and Board of Directors
7—Factors related to Internal Audit Effectiveness	7—Factors related to Communications
8—Factors related to Trust	8—Factors related to Trust
9—Factors related to Human Resources Efficiency and Training	9—Factors related to Human Resources Efficiency and Training
10—Factors related to Communications	10—Factors related to Internal Audit Effectiveness
11—Factors related to Information Technology	11—Factors related to the Company’s Culture
12—Factors related to the Company’s Culture	12—Factors related to Information Technology

.

In many studies, these factors were found as factors that can influence risk management, but based on the current researchers’ knowledge, no study ranks these factors based on upper and Lower Management. This study fills this gap.

Regarding the third study objective, which is related to the differences in the opinions of upper and Lower Management about their ranking of the factors, this study’s results find that there are no differences in the opinions of upper and Lower Management about their ranking of the importance of the factors; this result is similar to the studies by Richter and Wilson (2020) and (Li et al. 2020).

The study’s findings revealed that all of the previous factors have an impact on risk management, and there is no difference in the opinions of upper and Lower Management when it comes to rating the effect of these factors on risk management and their importance.

Theoretically, it can be said that the findings of the present study extend the findings of previous studies and also contribute some new results to the body of knowledge, especially in the area of risk management. Using Jordanian industrial companies as a sample, this study aims to identify the most important risk management factors and rank them based on their importance from the perspectives of upper and Lower Management, as well as determine whether there are any differences in the responses of lower and Upper Management regarding the importance of the factors. Most previous studies found many factors that affect risk management, but there is no study that investigated all twelve factors investigated in this study and ranked them based on their importance from the viewpoint of upper and Lower Management.

The results of this study have a number of important implications for the managers and decision makers of industrial firms in Jordan. The findings generally can provide empirical research in the field of risk management related to the factors and their importance; for example, some factors that have less importance, such as organization culture and information technology, should be improved to decrease risk. Moreover, the result of the study confirms that there are no differences between upper and Lower Management in their responses to the importance of risk management. Firms can use this result in their plans and policies.

6. Research Limitations and Recommendations

This study presented some penetration into the importance of risk management and factors that can affect risk management in industrial firms in Jordan. However, the present study has numerous essential limitations, which should not demean the contribution of this research. Firstly, many difficulties were faced while conducting this research, such as difficulties in convincing companies to participate in this study, since the majority of the companies had privacy concerns or were busy most of the time. Secondly, this study employed a cross-sectional design of the data collection method, i.e., the survey method, which obtains the participant’s perceptions at a single point in time. Because of this, the current study is not suitable to prove causal relationships on a longitudinal basis, and hence, the explanation of factors influencing risk management is limited.

Thirdly, the findings may not be generalized in a broader context across cultures of other industries because the data collected from the current study were restricted to the Jordanian industrial firms’ sector. Different industries and business environments may have different factors that influence risk management, so other studies can explore their relationships in different contexts. Finally, concerning the study approach, the present study only employed a quantitative approach to defining the relationships between all factors and risk management.

Future research is suggested in the following aspects to overcome the limitations: Firstly, future research may have the advantage of recognizing longitudinal research designs to indicate a more accurate cause-and-effect relationship and widen the explanation of factors influencing risk management. Secondly, it would be desirable to test the cross-level model in other industries, cultures, or countries. As a result, it would be interesting to investigate whether the relative predictive power in this study applies to other industries or countries, as well as to compare any differences in results based on national background or cultural differences and their influences on risk management.

Thirdly, this study suggests that there should be more follow-up research emanating from this study, so that a comparison is made between the industrial companies in Jordan that contain in their functional structure a separate department for risk management and those that do not have a separate department for risk management, since, until now, there are few large companies that have independent risk management departments. Finally, future research in the field of risk management in Jordanian companies should focus on “depth” rather than “quantitative width”, as this study did.

Because this study applied quantitative methods in both its design and analysis, the collected information is limited to the responses to the questionnaire. On the other hand, a qualitative method could contribute to further insights and understanding of the problem set. Furthermore, integrating the use of both qualitative and quantitative methods, which are complementary to one another, could result in a more meaningful determination.