4.3 Results of the Study

4.3.5 Current Status of ERM Policies and Practices in UAE HEIs

4.3.5.4 HEI 1 ERM Policies and Manuals (Risk Management Policy Manual and Risk Procedures Manual)

4.3.5.4 HEI 1 ERM Policies and Manuals (Risk Management Policy Manual and Risk Procedures

in detail the process and activities required to implement ERM and therefore achieve the desired objectives. The Manual is designed in four chapters covering the background and purpose information, the exact procedures for establishing and implementing ERM, and some visual representations of the processes and forms required for effective ERM implementation.

ii) Themes of the HEI 1 Document Analysis

While reviewing both the ERM Policy and Procedures Manual documents of HEI 1, the researcher followed the interactive data analysis model to obtain three major themes that helped answer RQ2 (and partially RQ1).

Table 4.36 – HEI 1 Document Analysis Themes

Data Reduction & Data Display Drawing Conclusions & Theme Details Theme 4 Key performance indicator; key

controls; event; roles and responsibilities; process map;

comprehensive ERM framework implementation; mandatory for all employees

ERM implementation is not a coincidence or gap filler: it must entail a clear and defined process owned by an independent risk management unit and performed by specialised and dedicated risk unit members.

Theme 5 Integration of ERM with different processes;

effectiveness and QA functions;

business continuity management

Academic programme effectiveness, QA and the ERM implementation process can and do exist as separate but interrelated functions.

Theme 6 ERM implementation; corporate governance; internal control;

Executive Leadership Committee; functional areas

UAE HEIs can evidence a good representation of corporate governance and internal controls through their ERM implementation.

 Theme 4: ERM implementation is not a coincidence or gap filler: it must entail a clear and defined process owned by an independent risk management unit and performed by specialised and dedicated risk unit members.

Both HEI 1 ERM Policy and Procedures Manual documents show evidence of how ERM can and must be implemented as a “mandatory” procedure rather than a choice. In its definition of usage and control of both the Policy and Procedures Manual, HEI 1 state that “adherence to the provisions and requirements of this document is mandatory for all employees” (Policy, p. 5; Procedures, p. 7). By implication, all staff and members of the institution are required to comply with ERM procedures and criteria, and through key performance indicators they must show evidence of fulfilling ERM implementation. Chapter 2 of the Procedures Manual sets eight important processes towards the application and effective implementation of ERM, most importantly including Risk Monitoring, Recording, Reporting, Business Continuity

Management, and Risk Management Assurance. Each of these eight processes includes a definitive and quantifiable key performance indicator with a target value and completion time, which make it compulsory for staff to comply with.

The HEI 1 Risk Management Policy Manual and Risk Procedures Manual documents also show evidence of events tied to start and end dates and a process map, as well as entry and exit parameters. In other words, in addition to making it an ideal, traceable, and manageable institutional process, this helps drive a message to all stakeholders of the academic process that ERM is strategic to their assigned functions.

In fact, the ERM Policy of HEI 1 goes further to state that ERM is applicable not only to all colleges, departments and sections, but also to all “strategic and governance activities”. Additionally, the Quality Assurance Manual document of HEI 1 makes cross-references to the risk-based programme reviews mandated by the CAA Standards. The requirement for these risk-based review cycles stresses the notion that risk management adoption and implementation by public universities in the UAE, such as HEI 1, is not a choice but rather represents the fulfilment of the federal authorities’ mandates applicable for and mandatory to all HEIs in the UAE.

Based on this, the researcher has concluded that this mandatory designation to the whole ERM process of adoption, implementation and integration needs to be emphasised as a major element in the researcher’s proposed guidelines, to be completed at the end of this study.

 Theme 5: Academic programme effectiveness, QA and the ERM implementation process can and do exist as separate but interrelated functions.

Minor reference is made to academic effectiveness and QA functions being the outcomes of ERM process adoption and implementation. Under the “Integration of ERM with Different Processes” heading (p. 18), it is clear that the HEI 1 Policy does not include the two major functions of academic effectiveness and QA as being integrated within the ERM process. The HEI 1 ERM Policy rather mandates the integration of ERM with functions such as internal audits, business continuity management, strategic business planning, and key information systems (Policy, p. 18). This clearly indicates that HEI 1 intentionally separated ERM implementation from programme effectiveness and QA for their own decision-making and institutional requirement purposes. A “Quality Assurance Manual” does exist as a separate but complementary and interrelated document that sets up the criteria for academic QA and programme accreditation through risk-based requirements. The researcher took note of this and planned to further question the nature of the relationship between ERM as a function or department with effectiveness and

QA functions, in an interview analysed in the interview data analysis section. To this added question, the interviewee from this institution answered:

there are basically several levels of quality assurance implementation at the institution. This is number one. Number two, there are different requirements for the general risk management-based qualifications. So, for the academic quality assurance, we do rely on the requirements of national and

international accreditation bodies of the programmes offered at our institution, but in terms of relationship between the two functions, I would say they are still separate from each other but surely

interdependent (IP1).

However, the researcher concluded that by focusing on “business continuity management” the Policy provides for the real interpretation of ERM implementation in its original genesis. Since ERM is originally a business-oriented concept, the HEI 1 ERM Policy manages to, or at least shows some serious attempts to migrate this concept and adapt it into an academic context of a representative UAE public university such as HEI 1.

On the other hand, upon review of the HEI 1 QA document, as stated earlier, the document showed clear references to the interrelatedness between risk management and QA and institutional effectiveness. The QA of academic affairs at HEI 1 has a number of particular, well-defined requirements that are based on risk management and form a part of HEI 1’s core business. These requirements specifically address the teaching and learning processes and include, among other items, the “Quality assurance of existing degree programs, including assessment of student learning and risk-based programme review” and

“Performance evaluation of the teaching faculty”. HEI 1 in this context views QA as a process based on key elements that take life and meaning from its risk-based programme review that aims at enhancing the learning outcomes’ assessment and helping the faculty promotion and evaluation process. These risk- based programme review cycles come exactly in line with the federally issued regulations of academic programme accreditation as mandated by the UAE CAA Standards. The review process came as a major development that was covered under themes 1 to 3 in the previous section while analysing the CAA Standards document. These risk-based programme reviews, as evidenced in the introduction and presentation of themes 1 to 3, are measurable factors that lead to academic programme’ effectiveness and sustain QA.

 Theme 6: UAE HEIs can evidence a good representation of corporate governance and internal controls through their ERM implementation.

Both the Risk Management Policy and the Procedures Manuals show that ERM is essential to all strategic governance activities. In fact, and as stated earlier in the literature review and the Conceptual Framework of the study, ERM implementation is the ownership of the senior executive management of the institution. The Conceptual Framework of this study concluded that internal controls are the essential pillar for the ERM implementation process. HEI 1 gave the internal control authority to the Vice Chancellor, as is the case with several other HEIs in the UAE. In this context, the corporate governance internal control ensures the full oversight, management, and implementation of the ERM process as “The Executive Leadership Committee is responsible for ensuring ERM practices are in place within their respective functional areas and are applied consistently with the [HIE 1’s] ERM Framework” (Policy, p.

11). Additionally, HEI 1 decided that ERM is not only applicable to all colleges, departments, and sections, but also “for strategic and governance activities that are undertaken by the [HIE 1] Executives and Senior Management” (Policy, p. 10).

Theme 6 is also informed by HEI 1’s assurance of the fact that some of the main objectives of ERM implementation include to:

 “Instil increased confidence in [HEI 1’s] corporate governance and ability to deliver services.

 Integrate risk management into daily activities, decision-making, and strategic direction of [HEI 1];” (Policy, p. 9)

Furthermore, these the Risk Management Policy and the Procedures Manuals present a detailed and clear ERM governance model that shows how reporting in the ERM process is carried out and defines exactly the order of information flow.

iii) Summary

Themes 4 to 6 obtained through the document analysis of HEI 1’s ERM the Risk Management Policy and the Procedures Manuals show that ERM can be, and indeed is implemented effectively and integrated into the academic processes of an HEI. They also show a coherence with the stipulations and standards mandated by the CAA Standards, where the risk-based approach to programme review and evaluation is integrated by HEI 1’s ERM Policy into at least eight of its major processes and functions. However, and by way of answering RQ2, the main aspect identified from the major themes of the HEI 1 document analysis is the absence of reference to QA and academic programme effectiveness as two major functions proven by the literature and previous research to be interrelated to ERM implementation. It was later identified by one of the interviewees in the same HEI 1 that those two functions are handled separately

and independently away from ERM, despite the fact that in the QA and effectiveness policies and procedures, HEI 1 ensured that the risk-based approach is covered and implemented. This is further discussed by the researcher in the interview data analysis section.

4.3.5.5 HEI 2 ERM Policies and Manuals (The Risk Management Policy)