4.3 Results of the Study
4.3.5 Current Status of ERM Policies and Practices in UAE HEIs
4.3.5.5 HEI 2 ERM Policies and Manuals (The Risk Management Policy)
and independently away from ERM, despite the fact that in the QA and effectiveness policies and procedures, HEI 1 ensured that the risk-based approach is covered and implemented. This is further discussed by the researcher in the interview data analysis section.
4.3.5.5 HEI 2 ERM Policies and Manuals (The Risk Management Policy)
Table 4.37 – HEI 2 Document Analysis Themes
Data Reduction & Data Display Drawing Conclusions & Theme Details Theme 7 The internal environment;
organisational appetite for risk;
organisational objectives; risk appetite; risk assessment; risk responses affecting how risks may be mitigated
Risk management as a concept does not have to be referred to as ERM if risk management is required to cater for all areas of effective ERM.
Theme 8 Distinguishing between risks and opportunities; risk likelihood and impact
The absence of full awareness of the policy and its guidelines among academics led to the misconception that risk means only something bad or negative.
Theme 9 Control activities; QA; ensuring that risk responses are carried out effectively; risk management system should be regularly monitored and evaluated
The absence or lack of practical implementation of the policy guidelines led to the misconception among academics that forms of QA processes are surplus to the academic process.
Theme 7: Risk management as a concept does not have to be referred to as ERM if risk management is required to cater for all areas of effective ERM.
ERM is not mentioned as a terminology in the Risk Management Policy of HEI 2. As is the case with the majority of private HEIs in the UAE, as the pilot study shows, the HEI 2 Policy uses the term risk management only, and yet it has all elements to comply with the ERM requirements of ISO 31000 and the COSO framework. In this context, this in itself confirms the fact that risk management as a concept does not have to be referred to as ERM per se, if risk management is required to cater for all areas of effective ERM or QA. Additionally, the HEI 2 Policy guidelines are comprehensive enough to suggest that it is not mandatory for risk management stakeholders to refer to their exercise as ERM if they elect to achieve their organisational objectives while performing the risk management process, starting with risk identification and reaching into risk mitigation and resolution planning.
Additionally, thematic coding helped the researcher identify areas in the policy of HEI 2 where the risk management officer and committee are responsible for integrating the guidelines into the organisational culture of the academic programmes. The policy clearly states that this procedure is supported by the institution’s management. Even though the content of the policy does not make direct reference to strategy-related planning, operational and academic objectives are accounted for in a way where the risk management responsibility is assigned throughout the institution to all heads and staff of all departments.
The policy’s thematic coding indicates a standard risk management process being applied through
supporting accountability, performance measurement, and programme evaluation and accreditation efficiencies.
Theme 8: The absence of full awareness of the policy and its guidelines among academics led to the misconception that risk means only something bad or negative.
The policy states that through risk assessment, the risk management stakeholders analyse risks in terms of distinguishing between risks and opportunities in order to determine how risks should be managed.
This commonly accepted concept among risk management practitioners and researchers is well reflected in the policy. However, through the document analysis, questionnaire responses and interview made at HEI 2, the researcher identified a trend that indicates insufficient awareness among both faculty members and administrators of the existence of the policy in the first place. This led to the misconception among all respondents that risks are only associated with uncertainty and negative incidents that may adversely impact the academic process at large.
As introduced by the researcher earlier in the Literature Review chapter, while defining the terms risk and risk management, it was found that only associating risk with uncertainty is the outcome of a lack of understanding of the concept or ignorance of its existence. In support of Theme 8, in her definition of
“risk” Lundquist (2015, p. 13) posited that “uncertainty exists whenever the knowledge or understanding of an event, consequence, or likelihood is inadequate or incomplete”. Hampshire (2012) stated that ERM tends to avoid classifying risks as good versus bad, but rather that risks need to be identified and understood so an institution can most proactively and effectively react with better planning. This would apply to the definition of the concept of risk as well as the awareness of its policy and implementation.
IP1 selected from HEI 2 emphasised this finding when he assured that the majority of faculty members and administrators in his institution are not familiar with the policy, and therefore with its implementation and effectiveness. Consequently, according to the interviewee, when asked about risk, the majority of faculty members and administrators would express their beliefs that risk management is when an institution reacts to an incident or hazard that could negatively impact one of its functions, departments or resources.
Theme 9: The absence or lack of practical implementation of the policy guidelines led to the misconception among academics that forms of QA processes are surplus to the academic process.
Upon analysis of the HEI 2 Policy, the researcher identified all elements that are supposed, in theory at least, to help the academic institution achieve their objectives of QA, and therefore their overall academic
processes. However, just like other HEIs under investigation in this study, there is always a difference between theory and practice. Further investigation into the HEI 2 case, carried out through the survey questionnaire and in-depth interviews, showed a sort of absence of awareness among academics, both administrators and faculty members, of the presence of practical implementation of the policy guidelines across different departments of the institution. IP1 averred the fact that at least 80% of faculty members, those who do not work in QA as part of their job description, or as mandated by the management at their institution, still argue that any form of QA is there just to please the academic accreditation partners. In this context, according to them it is not something that could or will create organisational change or have a real impact on the academic process. Even when they complete forms and templates in relation to the policy guidelines, they do it in a way to reduce any liability that could negatively impact their responsibilities or career at a later date. For them, in short, it is a data-filling exercise that they conduct as a response to an assignment or task. The policy’s biggest highlight is that it does not make a reference to QA, nor does it include QA either as part of the process or as an outcome of it, but rather it makes a reference to the stipulations mandated by the CAA for risk management reviews and programme accreditation.
This finding should contribute to one of the recommendations made by the researcher in Chapter Five of the thesis. Risk management stakeholders are required to establish a tone that fits the prevalent corporate culture at their academic institution. Additionally, because the policy to a degree fails to make a link between the risk management process and academic QA, the academics at HEI 2 are still not able to digest the concept of QA in its entirety, a concept that has been present in the business sector for decades.
In summary, the findings relating to the HEI 2 document analysis show that many of the academic administrators and faculty members argue that any form of QA exercise is a luxury and they do not have confidence in its outcomes. This finding was also supported by the statements of IP1 from HEI 2 who asserts that the academics in UAE HEIs in general, and in his HEI in particular, argue they have to address any form of QA or risk management as a response to the accreditation requirement only.
In this sense, the policy manifests itself as a routine data-filling tasking document that makes risk management appear surplus to the academic process. There are very few academics or universities that argue in favour of the fact that the details of QA documentation would make any added value, at least to their academic operations. IP1 confirmed that no matter what these documents include, should they not include any binding terms to enforce the implementation of their guidelines as directed by the board of directors or senior management, these documents will not add any practical value to the achievement of
QA or the enhancement of academic processes. In general, faculty members mainly focus on two objectives: teaching and research. These remain their priority unless the decision makers tell them otherwise.
iii) Summary
Through the extensive document analysis of the HEI 2 Policy, three major themes were identified that would inform on the nature of the risk management guidelines being implemented at the institution.
These themes were supported by the information provided by the interview conducted with P1, who provided very detailed information on the extent to which the guidelines of the policy are implemented.
As a general conclusion from the analysis of the HEI 2 Policy, it became clear to the researcher that risk management can be effective and bring about organisational change as a standalone process, even if it is not referred to as ERM or if kept separate from the QA function. However, as will be evident in the analysis of the HEI 3 policy documents, the absence of ERM implementation would still suggest a lack of maturity in terms of risk management implementation. Another conclusion identified in the review of these themes is that in the UAE higher education context, public universities exhibit a clearer form of ERM implementation, at least as evidenced in the analysis of the risk management policy documents of public universities. The findings of the survey also provide for a better and more encompassing understanding of this conclusion based on the detailed statistical analysis of the survey responses.
4.3.5.6 HEI 3 ERM Policies and Manuals (Risk Management Policies and Manuals)