4.3 Results of the Study

4.3.3 Perceptions on the Effectiveness of ERM Implementation and Integration

regarding the ERM and QA adoption or implementation methods across the selected academic institutions. As for the academic effectiveness and economic aspects of ERM adoption, it was surprising for the researcher that the respondents agreed that they would not have a big impact on the decision for ERM adoption, and therefore they are not major drivers in the implementation process. This is why these drivers came at the bottom of the ranking of the resulting ERM adoption reasons list.

Table 4.20 – Levels of ERM Implementation Maturity by Years of Application

Statement Count Percentage

Initial 15 15.3%

Moderately Mature 69 71.4%

Very Mature 13 13.3%

Missing value 4 3.96%

Total 101 100%

Table 4.21 – Levels of ERM Implementation Maturity by Adopted Term of Application

Statement Initial (15) Moderate (70) Very Mature (13) Missing

# % # % # % (3)

RM 8 53.33% 52 74.29% 13 100.00% 0

ERM 4 26.67% 35 50.00% 10 76.92% 0

SRM 2 13.33% 8 11.43% 2 15.38% 0

QA 9 60.00% 29 41.43% 7 53.85% 1

All of the above 0 0.00% 2 2.86% 0 0.00% 0

Other; no idea 0 0.00% 0 0.00% 0 0.00% 2

From Tables 4.20 and 4.21 above, it is clear that the majority of respondents (n= 69) representing 71.4%

of all the respondents answered that the duration of risk management and ERM application at their institutions range between 6 and 10 years. However, Table 4.19 shows different frequencies and rates based on the term used for ERM implementation, since the researcher gave the option to the participants of the survey to choose more than one answer. Therefore, there would be no systematic way to classify the numbers and percentages for each choice. In all cases, the answers of 74.29% of the respondents who selected “risk management”, for example, assert that risk management has been used as a concept in their institutions for a period of 6–10 years, while at the same time the 50% of the respondents who selected

“ERM” argue that the concept has been in use for 6–10 years (moderately mature). This means that the majority of responses indicate a moderately mature level of ERM implementation and integration in the selected UAE HEIs, whether the concept in use is risk management or ERM.

What this means in terms of the type of institution variable is represented in Table 4.22, where respondents from both public universities (n= 31) and private universities (n= 38) showed a “moderately mature” level of ERM implementation and integration based on the numbers of years of application.

Table 4.22 – Levels of ERM Implementation Maturity by Type of Institution

Statement Public Private Missing

Initial 10 5 0

Moderately Mature 31 38 1

Very Mature 6 7 0

Missing 0 0 3

Total 47 50 4

The answers to item Q17 (Which programme of risk management or QA is your institution in compliance with?) also gives an indication of the level of awareness among the participants of ERM implementation and integration by relying on the source of their risk management framework and policies in general. In terms of standardised ERM frameworks, the majority of all participants (n= 65, representing 64.36%) stated that the risk management or ERM framework adopted in their institution is based on all universally accepted sources of ERM frameworks, including the COSO framework and ISO 31000, as well as local regulations and laws such as the CAA. Approximately a quarter of the respondents (n= 26, representing 25.7%) indicated that their risk management and ERM framework is driven by the requirement of complying with local regulations and laws. While only 1 respondent opted for “the ISO 31000” as the only source of ERM implementation process and 3 respondents opted for the COSO framework as the only source of their ERM implementation process; this gives a good indication that the greatest majority of survey participants show a good level of awareness of the ERM implementation processes at their institutions.

Tables 4.23, 4.24 and 4.25 summarise these findings and present a further analysis of ERM implementation and integration awareness based on the “type of institution” and “role of participants”

variables.

Table 4.23 – ERM Implementation and Integration Based on Source of Framework

Statement Count Order (descending)

The COSO framework 3 1. All of the above

ISO 31000 1 2. Local regulations and laws

Local regulations and laws 26 3. Other (don’t know)

All of the above 65 4. The COSO framework

None of the above 2 5. None of the above

Other (don’t know) 4 6. ISO 31000

Figure 4.8 – ERM Implementation and Integration Based on Source of Framework

Table 4.24 – ERM Implementation and Integration Based on Source of Framework – by Type of Institution

Statement Public (47) Private (53)

Missing

# % # %

The COSO framework 1 2.1% 2 3.8% 0

ISO 31000 1 2.1% 0 0.0% 0

Local regulations and laws 10 21.3% 15 28.3% 1

All of the above 35 74.5% 30 56.6% 0

None of the above 0 0.0% 2 3.8% 0

Other (don’t know) 0 0.0% 4 7.5% 0

Table 4.25 – ERM Implementation and Integration Based on Source of Framework – by Role of Participants

Statement

Administrator (45)

Faculty Member (33)

Both (23)

Missing (0)

# % # % # %

The COSO framework 0 0.0% 2 6.1% 1 4.3% 0

ISO 31000 1 2.2% 0 0.0% 0 0.0% 0

Local regulations and laws 11 24.4% 12 36.4% 3 13.0% 0

All of the above 31 68.9% 15 45.5% 19 82.6% 0

None of the above 0 0.0% 2 6.1% 0 0.0% 0

Other (don’t know) 2 4.4% 2 6.1% 0 0.0% 0

Summary:

All the survey responses showed a common trend of a “moderately mature” level of awareness with regards to the elements of risk management and ERM implementation and integration. Having a formal and standardised risk management or ERM policy is a common practice in both private and public UAE institutions. However, the above statistical results show that the basis and level of implementation and integration may vary depending on the years of application, type of institution, and the sourcing elements included in the framework itself. For example, 74.5% of the responses in public universities (n= 35) showed an awareness of the existence of all traditional and non-traditional elements of implementation in their ERM policy, while 56.6% of the responses in private universities (n= 30) showed the same awareness of the existence of all traditional and non-traditional elements of implementation in their ERM policy.

Other elements of risk management and ERM implementation and integration are also evident in further analysis of the respondents’ answers to the maturity level rating questions presented and analysed in the next section. In terms of how the selected UAE HEIs identify and assess their risk management and ERM implementation and integration processes, a more profound technique was used by the researcher in the next section where the maturity level rating was tested by asking questions especially dedicated to describing, besides adoption, initial versus advanced levels of implementation and integration. Further investigation into the levels of ERM implementation and integration was also conducted in the document analysis and interview phases of the study. The respondents in the interview phase were asked some open-ended questions to examine their awareness of the level of effective implementation of ERM framework and policies, and the themes elicited from them were very much in common with the findings of the quantitative phase.