2.3 Conceptual Framework and Definitions of Key Concepts
2.3.1 Defining “Risk”, “Risk Management” and “Enterprise Risk Management”
“Wise men say, and not without reason, that whoever wished to foresee the future might consult the past.” With these words, Niccolò Machiavelli, the Italian Renaissance historian, politician and philosopher, captured the concept of risk in an indirect yet comprehensive manner. Defining their own understanding of the term risk is never an easy task for HEIs. The definition of risk and risk management lies at the core of the conceptual framework of this study and informs the whole process of ERM implementation in the higher education context. The terms risk and risk management have been identified as the most widely used terminology among owners, stakeholders and managers of businesses and institutions of all kinds (Hillson, 2019). However, to place risk and risk management in the context of higher education research, more elaborate and profound definitions need to be put in place.
One of the earliest definitions of the word “risk” is said to be found in Bernstein (1998), who defines it as follows: “The derivation of the word “risk” reaches back to the early Italian risicare, which translates as to dare. Risk looked at from this viewpoint is a choice rather than a fate.” (p. 8). Risk is viewed by all institutions, whether political, religious, philosophical, technological, legal, ethical or moral, as a way to refer to uncertainty (Hillson, 2019; Hillson, 2016; Spikin, 2013) as well as opportunity (Beasley, Branson and Hancock 2012; Hillson, 2019). Dionne (2013) argues that risk management is by definition the handling of uncertainty: “The goal of risk management is to create a framework that will allow companies to handle risk and uncertainty” (p. 8). The economist Frank Knight (1921) was among the first in history to draw attention to risk in the sense of uncertainty. Knight’s work Risk, Uncertainty, and Profit introduces risk in the meaning of uncertainty, claiming that since risk is immeasurable by nature, it cannot be calculated. This study defines risk from a more positive perspective, as opposed to the negatively viewed concept of uncertainty, in the same way as Emblemsvåg (2010) distinguishes risk from uncertainty: “risks arise due to decisions made, while uncertainty is due to lacking information” (p. 253). Al-Jundi and Ahmad (2016) define risk as “the threat or possibility that an action or event will adversely or beneficially affect an organization’s ability to achieve its objectives” (p. 67). Their position on risk is likely to be acceptable to all researchers, as they assume that “the first step in looking at risk management is to understand what risk itself means” (ibid.). According to Šotić and Rajić (2015), the Risk Management Vocabulary 2002 introduced the definition of risk as “a combination of the probability and scope of the consequences” (p. 19). All such definitions indicate that risk should be viewed in the ERM research context from its positive side of yielding opportunities, while not neglecting the negative impacts of uncertainties, in order to learn lessons and achieve objectives.
It is accepted in recent ERM research that the most commonly used definition of risk management comes from ISO 31000:2018 Principles and Guidelines. Risk is defined there as the “effect of uncertainty on objectives.” ISO 31000 dissects the definition by explaining that an “effect” is a “deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats”. “Objectives” are said to have “different aspects and categories and can be applied at different levels”. Lundquist (2015, p. 13) adds that “Uncertainty exists whenever the knowledge or understanding of an event, consequence, or likelihood is inadequate or incomplete”. Similarly, Boukhari (2013) concluded that risks are uncertainties which may have considerable impacts on things and objectives. In this sense, risk is an impact that leads to change or deviation from the norm, a deviation which could be either positive or negative. According to ISO 31000:2018, uncertainty is manifested whenever our awareness of the events or circumstances surrounding us is not defined, or whenever the probability of events happening is not sufficient or complete.
In a corporate enterprise environment, risk means different things in different contexts. A well-established organisation will define its own risk in its own way. Businesses define risk and measure it by the impact it would have on their performance and objectives (Sithipolvanichgul 2016, p. 17). Hopkin (2012) introduced a definition of the term “risk” from a corporate perspective based on the definition of the Institute of Risk Management (IRM): “Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative”. In this sense, risks are defined and measured by the impacts and consequences they would create.
The following is an adaptation of Hopkin’s (2012) definitions of risk from a corporate business perspective:

Table 2.1 – Definitions of Risk from a Corporate Perspective (Sithipolvanichgul 2016, p. 17)

Organisation          Definition of Risk
Ward (2000)           The cumulative effect of the probability of uncertain occurrences that may have a positive or negative effect on a project’s objectives.
ISO 31000 (2009)      The effect of uncertainty on an objective. Note that the effect may be positive, negative or a deviation from the expected outcome. Risk is also often described by the event, a change in circumstances or a consequence.
IRM (2002)            Risk is a combination of the probability of an event and its consequences, which can range from positive to negative.
HM Treasury (2004)    Uncertainty of an outcome, within a range of exposure. This arises from a combination of the impact and the probability of potential events.
From an academic educational perspective, the definition of risk might not be different. A frequently used and common definition of risk is presented by the Higher Education Funding Council for England: “the threat or possibility that an action or event will adversely or beneficially affect an organization’s ability to achieve its objectives” (HEFCE, 2001). Risk management has also been defined in traditional terms as “the process of making and implementing decisions that will minimize the adverse effects of accidental losses on an organization” (Baranoff, Harrington and Niehaus 2005, p. 15). Spikin (2013, p. 95) defines risk management as “the distribution of possible deviations from expected results and objectives due to events of uncertainty, which might be internal or external to the organization”. He then argues that the effects of risk factors could be either positive or negative and proposes that risk also means the cause of both potential losses and opportunities.
Over the past two decades, risk management has been used as a synonym of ERM in almost all fields of study (Lundquist 2015). Examples can be drawn from the findings of a study conducted by Hoyt and Liebenberg (2011), which shows how research uses ERM in different organisational contexts, such as banking, corporate, academic, etc., as a term synonymous with all kinds of risks, including holistic, strategic and integrated risks. Ibrahim and Esa (2017, p. 186) stated that “Enterprise-Wide Risk Management (EWRM), Holistic Risk Management (HRM), Integrated Risk Management (IRM), Strategic Risk Management (SRM), Corporate Risk Management (CRM) and Business Risk Management (BRM) are the examples of different terminologies which are synonymous with ERM term”. The term ERM was first introduced into “the business lexicon two decades ago and has since developed into the gold standard of corporate governance practices” (Blaskovich and Taylor 2011, p. 5). Lundquist (2015) defines ERM as “a process, built into routine business practices, designed to identify, assess, prioritize, and manage key risks that may have an impact on the ability of an organization to attain their long-term strategic objectives” (p. 2). The majority of the ERM literature also defines the term risk management in the same way it defines integrated risk management, business risk management, holistic risk management and, most importantly, ERM (Liebenberg and Hoyt, 2003; Drew, Kelley and Kenrick, 2006; D’Arcy, 2012; Lundquist 2013 and 2015; Hillson, 2019). Lermack (2008) explained ERM by comparing it to traditional risk management, where risks are responded to on an ad hoc basis only once identified. According to the author, ERM “is a process designed to identify, assess and prioritize, and prevent and manage the key risks that may have an impact on the ability of an enterprise to attain their long-term strategies and objectives” (p. 2). Hillson (2013) defines ERM as a comprehensive and integrated framework for managing risk at all levels within an organisation. Hillson (2019) also elaborates on the definition of ERM when he investigates the positive side of organisational risk, a concept he refers to as the “upside” of risk, meaning an obtained opportunity. A recent review of the literature in this area also highlights the work of Bromiley et al. (2015), who surveyed a variety of different definitions of ERM. They presented a fresh definition of ERM as “the integrated management of all the risks an organization faces, which inherently requires alignment of risk management with corporate governance and strategy” (Bromiley et al. 2015). This definition fits the context of this study since it presents ERM within the perspective of corporate governance and strategy, which is an essential element of the conceptual framework of this study. However, it lacks reference to ERM as a comprehensive organisational process.
On the use and adoption of ERM terminology in organisational strategies and processes, Lundquist (2013 and 2015) argued that there is still huge variability in the concept. In her view, the term risk management has been utilised in different ways and through different approaches in its implementation in different organisations. She also stated that “recently, the term “governance, risk and compliance” (GRC) has begun to be used in addition to, or to replace, ERM, thus causing confusion in identifying and articulating the elements of ERM models” (Lundquist 2013, p. 146). COSO (2004) introduced a working definition of ERM which has since been referenced by several United States and international official standardisation organisations (Deck 2015, p. 22). According to COSO (2004), ERM is “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (p. 4). This definition includes all the elements of ERM required by academic stakeholders in order to achieve academic effectiveness and quality assurance.
Therefore, in this study, as well as in the survey instrument, the researcher adopts this working definition of ERM by COSO since, as stated by Deck (2015, p. 23), this definition is so comprehensive and encompassing that it caters for six essential elements of ERM: 1) it is initiated and controlled by senior management, 2) it needs to be integrated across the whole organisation, 3) it deals with risk in a strategic way, 4) it provides a guarantee for the achievement of the organisation’s goals, 5) it identifies and forecasts expected risks, and 6) it provides a unique way of managing risks based on the organisation’s risk appetite, which is defined as the tendency of individuals or groups to take risk in a given situation to create opportunities. The UAEU also defines risk appetite as “the level of risk which an academic (or other) institution is prepared to accept, before action is deemed necessary to reduce it”. In this sense, this definition of ERM has all the elements which make it comprehensive and inclusive of all aspects of what effective ERM implementation means. A reading of the ERM literature shows that a definition of risk management and ERM tailored solely to academia is still missing. However, part of the researcher’s objectives in this study is to propose a set of workable guidelines for a more effective ERM framework in the UAE higher education context. In doing so, the parameters of a risk management definition tailored to the academic environment and its unique identity will be reflected.
The researcher concluded that in a context such as the UAE, whatever definition is attached to ERM, ERM as a concept should not exist if it does not lead to one or all of the following actual objectives in relation to the academic process: boosting academic effectiveness and excellence, enhancing the overall quality of the higher education sector, and providing practical support for the contribution of higher education to the wellbeing of society in general and to the economy in particular.