2.4 Review of Related Literature
2.4.12 ERM Implementation as a Culture and Process
dire need of an organisational umbrella similar to, for example, the American National Association of State Boards of Accountancy (NASBA) as a sponsor that ensures continuity of professional higher education and management quality (Lundquist 2015).
The CAA made it clear that the “risk management plan, delegation of responsibilities, and insurance coverage for identified risks, are approved by the governing body on at least a biennial basis” (CAA, 2011). However, there has not been enough research evidence that similar formal risk management implementation processes are followed by UAE HEIs. What is confirmed so far is that the majority of universities in the UAE have implemented some form of quality assurance measures in a formal way to guarantee their objectives are met. Al Jundi and Ahmad (2016) give the example of Al Ain University (AAU) where “there is a quality assurance committee in each college of the AAU, which plays a key role in identification, analysis, prioritizing and remedying such risks and ensures that the program goals are met” (p. 75). According to the authors, clear and defined measures mark the implementation of assessment processes of this committee. These measures, according to Al Jundi and Ahmad (2016), would include steps such as clearly defining program goals, conceiving outcomes related to program learning, developing and sustaining assessment tools, defining a target to achieve each assessment measure, implementing the already conceived assessment tools, analyzing data, and getting results.
Figure 2.7 – Risk Management Process I (Adopted from Vandenberg 2017)
Hillson (2012), one of the most prominent modern risk management theorizers and practitioners, defines ERM as a process. According to him, “anyone who uses risk management and understands its benefits will recognise that the risk process provides risk-based data to inform decision-making” (p. 3). He explains the risk management process through asking (and answering) six simple questions, summarized as follows:
Question (Answer)
Q1. What are we trying to achieve from ERM? (Objective setting, Understanding scope)
Q2. What might affect me? (Risk identification, uncertainties, future events)
Q3. Which of the Q2 answers are most important? (Risk assessment, likelihood/impact)
Q4. What should we do about the answers to Q3? (Mitigation, Prevention, Avoid/Reduce/Transfer/Accept)
Q5. Did the Q4 answers work? (Confirm effectiveness)
Q6. What has changed? (Adapting to changes in the enterprise)
In their extensive study on traditional risk management, Marsh Risk Consulting (2012) defined risk management as a process, as follows:
Figure 2.8 – The Risk Management Process II (Adopted from Marsh Risk Consulting 2012)
On its website, Marsh argues that the ERM implementation as a process is viewed as a journey which typically comprises the eleven (11) principles of risk management outlined in ISO 31000, the international standard for risk management. Marsh also argues that ERM as a process must aim at the achievement of the desired level of risk maturity at a given organisation or institution.
In a similar approach, Cassidy et al. (2001) describe ERM as a continuum process. They argue that “risk can be depicted on a continuum from managing hazards to seeing risk as an opportunity”, as shown in the diagram below (p. 6):
Figure 2.9 – ERM as a Continuum Process (Adopted from Cassidy et al. 2001, p. 6)
In their study, Helsloot and Jong (2006) strongly defend the thought that academic institutions must make “proper strategic decisions” which help them in the achievement of the objectives of their organization in a quality manner. They divided the risks into three main areas, covering the various factors which play a strategic role in assuring safety and security for higher education institutions. The three main areas are Social safety and security, Organizational safety and security, and Security of knowledge. For example, the risk of fire is regarded as a primary risk of physical safety and is included in the first and second areas of their division of risk.
In “The State of Enterprise Risk Management (ERM) at Colleges and Universities Today (2009)”, it was noted through a survey conducted by the Association of Governing Boards (AGB) and United Educators (UE) that 60% of higher education institutions fail to utilise an encompassing, strategic risk assessment model to identify major risks while conducting their missions, and only 5% claimed they applied certain practices for management of major risks.
In their book on higher education risk management, Willson, Negoi and Bhatnagar (2010) list some of the quality challenges which face students and educators at the higher education level. According to them, the absence of quality factors is a risk in itself that puts pressure on all higher education institutions. This major challenge comes from the fact that there is a poor perception among students of the quality of an educational program. Other challenges touch on how to keep and attract students at a certain college, the quality of the facilities and infrastructure, cooperation with other academic organisations, completion of major projects and initiatives and campaigns, managing scholarships of a competitive nature, and the proper distribution of monetary support that comes from federal agencies in certain cases. Online distance learning can also pose a major quality challenge for most universities as well as other recruitment and job filling issues within an acceptable time frame. Additionally, “one of the most known quality management models that has been implemented in higher education is Total Quality Management (TQM). TQM is a philosophy and system for continuously improving the services offered to customers” (Papanthymou and Darra 2017, p. 132).
Baranoff, Harrington and Niehaus (2005) argue that two categories of strategic processes need to be adopted for risk management: risk control and risk finance. According to them, there are six core control techniques that dominate risk management as a process: “avoidance, loss prevention, loss reduction, separation, duplication, and diversification” (p. 219). However, examples of risk finance techniques include transfer methods, insurances, free-hold agreements, and retention, which is the self-funding of losses (pp. 221–223). More relevant to the subject of this study would be the research conducted by Murzagaliyeva, Aushakhman and Gumarova (2013). They approached risk management in the system of higher education by examining the risks and threats that contribute to risk reduction. They also argue that, similar to what is being done in a market economy, every academic institution must constantly reshape its activities and forecast the change required in its internal and external environment to achieve quality.
In summary, the major frameworks for ERM implementation, most importantly the COSO ERM Integrated Framework and the ISO 31000 risk management framework and process, all indicate culture change as the main objective of ERM implementation. In a sense, such frameworks provide limited insight into what impact an organisational culture may have on ERM implementation, or to put it in different words, how such frameworks can or are able to change an organization’s culture to improve the ERM implementation processes. Additionally, research has proved that existing frameworks demonstrate the implementation of ERM in a way which reflects routine organizational cultures based on a given institution’s mechanism of running processes. Such mechanistic cultures may appear to be smeared by the necessity of controlling management where employees or staff are believed to be needing meticulous directions and enforcement to provide their required services for the organization. Therefore, this issue highlights the concern that ERM must be approached or viewed as a change factor of the organization’s culture. This would well contradict, and it must contradict, the fact that organizations should adopt ERM to fit with their existing cultures. A very good example of such contradiction is found in a financial firm, for instance, aiming at the implementation of an ERM-based strategy which derives heavily from the risks and control mechanisms versus what an HEI may apply to implement such strategy in their culture. While a given strategy fits the culture at a financial firm, it may not show any relevance for the culture at an HEI.