2.3 Conceptual Framework and Definitions of Key Concepts
2.3.2 Corporate Governance and Internal Controls
Therefore, in this study, as well as in the survey instrument, the researcher adopts this working definition of ERM by COSO since, as stated by Deck (2015, p. 23), this definition is so comprehensive and encompassing that it caters for six essential elements of ERM: 1) it is initiated and controlled by senior management, 2) it needs to be integrated across the whole organisation, 3) it deals with risk in a strategic way, 4) it provides a guarantee for the achievement of the organisation’s goals, 5) it identifies and forecasts expected risks, and 6) it provides a unique way of managing risks based on the organisation’s risk appetite, which is defined as individuals’ or groups’ tendency to take risk in a given situation to create opportunities. The UAEU also defines risk appetite as “the level of risk which an academic (or other) institution is prepared to accept, before action is deemed necessary to reduce it”. In a sense, this definition of ERM has all the elements which make it comprehensive and inclusive of all aspects of what effective ERM implementation means. A reading of the ERM literature shows that a definition of risk management and ERM that is tailored only for the purposes of academia is still missing. However, part of the researcher’s objectives in this study is to propose a set of workable guidelines for a more effective ERM framework in the UAE higher education context. By doing so, the parameters of a risk management definition tailored to the academic environment and its unique identity will be reflected.
The researcher concluded that in a context such as the UAE, whatever definition is attached to ERM, ERM as a concept should not exist if it does not lead to one or all of the following actual objectives in relation to the academic process: boosting academic effectiveness and excellence, enhancing the overall quality of the higher education sector, and providing practical support for the contribution of higher education for the wellbeing of society in general and for the economy in particular.
of certain external factors which affect the adoption and implementation of ERM practices. They also called for the need to enable better risk quantification and analysis. In the UAE, the “top-down approach of governance in the UAE education sector offers a macro-level perspective of the challenges facing the education system. It enables a strategic overview to be possible, through which broad objectives can be proposed.” (Warner and Burton 2017, p. 30). Fraser (2014) views the corporate governance role as the outlining factor in defining risk function through obtaining comprehensive information that could well be the basis for further discussions on possible mitigation actions in relation to risks.
Related to the subject of corporate governance, the term internal control is crucial in the area of risk management and its relation to quality. Internal control is defined as “a process, affected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.” (COSO 2004 Report, Internal Control-Integrated Framework, p. 9). Traditionally, internal control was introduced as an integral model in the perspective of COSO frameworks (2004 and 2017). According to Collier, et al. (2006, pp. 2-3), internal control comprises eight components:
1. The internal environment sets the basis for how risk is viewed and the organisational appetite for risk;
2. Organisational objectives must be consistent with risk appetite;
3. Events affecting achievement of objectives must be identified, distinguishing between risks and opportunities;
4. Risk assessment involves the analysis of risks into their likelihood and impact in order to determine how they should be managed;
5. Management then selects risk responses in terms of how risks may be mitigated, transferred or held;
6. Control activities in the form of policies and procedures ensure that risk responses are carried out effectively;
7. Information needs to be captured and communicated as the basis for risk management;
8. The enterprise risk management system should be regularly monitored and evaluated.
Lundquist (2013) concluded that corporate governance and leadership are among the seven categories which represent risk as a concept. By the same token, corporate governance is one of the six groups that categorise risk. According to her, “risk may be represented in seven categories: financial performance and long-term investment value, corporate governance and leadership, corporate social responsibility, workplace talents and culture, delivering customer promise, legal and regulatory compliance, and communication and crisis management” (p. 140). She also highlights the link between internal controls and academic leadership and how this bond is crucial in the process of risk mitigation: “Effective internal controls and timely external disclosure about student outcomes, research productivity, financial
and will become increasingly critical in mitigating new risks to individual universities and the sector overall” (p. 147).
The significance of internal control systems to effective ERM practice has been the subject of a wide range of recent educational research, such as Teoh, Lee and Muthuveloo (2017); Beasley, Branson and Hancock (2012); Lundquist (2013 and 2015); and Hillson (2016 and 2019). It is agreed among all such researchers that internal control has been incorporated and integrated into risk management in what is internationally referred to as contemporary corporate governance. Additionally, current research in the field, ideally in the years between 2000 and 2019, shows that in multinational organisations, both risk management and internal controls are important elements that govern good corporate governance.
Research also shows the inseparable relationship between application of good ERM through internal controls and the achievement of good quality corporate governance.
In the higher education context, research has shown the role that corporate governance and internal controls play in the effective implementation of ERM. In this context, effective internal controls help higher education institutions to effectively manage their processes and operations under predefined and solid rules and regulations. “Most ERM programs, particularly in the corporate sector, have their roots in compliance and internal controls” (Lundquist 2015, p. 23). However, non-enterprise factors such as technological advancements and inventions might have their impact on the operations and strategic objectives of such organizations. Recent ERM research (Lundquist 2015, Deck 2015, Hillson 2016 & 2019) indicates that effective internal controls help enhance the overall academic performance and processes, including student achievement, research productivity, financial performance, and organisational efficiency. The UAE CAA (2019, p. 25) confirms that HEIs must ensure their risk management plans are “approved and monitored by the governing body on a regular basis”. This gives a clear indication that effective risk management processes must be handled by their governing body of corporate governance which owns the internal controls. The findings of this study provide evidence that solid internal controls always lead to effective academic processes since they help mitigate risks to HEIs in general by handling the top-down decision making. Therefore, in this study, the researcher proposes that internal control will guarantee the achievement of academic performance and effectiveness, being one of the most critical operational and strategic objectives of academic organisations, through the application of a successful ERM model.
However, recently and more particularly over the past ten years, organisations have started to move into a more solid and robust definition of ERM, through standardizing ERM elements and processes. In 2017, COSO issued their latest and most important update to the already formalised findings on ERM, in the name of “Enterprise Risk Management — Integrating with Strategy and Performance” (COSO.org), which according to COSO.org became “one of the most widely recognised and applied risk management frameworks in the world”. This update was introduced to highlight the importance of ERM in strategic planning through the employment of good internal controls.