Governance and Risk Governance Definitions and Framework

Subject: Risk Management
Pages: 12
Words: 12950
Reading time: 46 min
Study level: PhD


This chapter critically reviews the existing literature on risk governance and related frameworks in the private and public sectors. It presents various views and perspectives on risk governance definitions and frameworks, culminating in the development of a maturity model for risk governance in public investment projects. It concludes with a summary of the main issues and research gaps identified in the literature and the emerging research questions that will guide the present study.

Risk has always existed in society; however, its growing complexity has led to the evolution of risk management strategies to control its effects. The capacity to understand how risk develops and to manage it is a critical ingredient for the success of organisations and of society. In recent years, the government’s role and efforts in risk regulation and management have intensified. Public sector organisations manage and control risks at multiple integrated levels through policy, legislation, regulatory tools/regimes, feedback loops, and rules (van Asselt & Renn 2011). The different levels represent dynamic subsystems in the public sector that provide interfaces for interaction between the public and state actors. Therefore, effective management of risks relies on the interactions, learning processes, and communication among the various stakeholders acting at the federal or local level.

Risk can be difficult to frame in definitive terms. Its definition is marked by a diversity of perspectives and principles for its detection, evaluation, and management (van Asselt & Renn 2011). In spite of the diverse definitions, risk remains a key consideration in private and public sector projects. van Asselt and Renn (2011) distinguish between simple and systemic risk. While simple risks have clear causes or effects and involve minimal uncertainty, systemic risks are complex and shrouded in uncertainty/ambiguity. In fact, one of the risk definitions most often used is the one given by the International Organisation for Standardisation, i.e., risk is “the effect of uncertainty on objectives” (ISO 2015, p. 13). Therefore, uncertainty is a key component of risk. Uncertainty often results from complexity. The complex social issues and multiplicity of stakeholders in the public sector context increase uncertainty. Uncertainty, in this sense, means that the outcome of a risk cannot be predicted from known causal relationships. Firm-specific uncertainties may be related to R&D, employee/managerial behaviour (strikes), or operations, such as labour and input supply (Hopkin 2012). In the public sector, uncertainty may come from state policies related to expropriation and nationalisation as well as conflicting stakeholder values and interests. Social and economic policies can also increase uncertainty and risk levels in a country.

The introduction of the concept of risk governance in organisations was meant to support structures for predicting and managing systemic risks that are characterised by high complexity, ambiguity, and uncertainty. In the private and public sectors, a myriad of regulatory, social, and organisational pressures influence risks. Risk governance frameworks provide a blueprint for how to identify, assess, and manage risks in order to realise organisational objectives. This literature review synthesises the existing risk governance frameworks in a bid to develop a maturity model applicable to public sector organisations or projects. It begins with a review of risk governance definitions, followed by a descriptive analysis of various frameworks and the development of a maturity model. A summative assessment of the main issues and research gaps identified in the literature is provided in the summary section.

Governance and Risk Governance Definitions

The Standards of the IIA define governance as “the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organisation toward the achievement of its objectives” (IIA 2011).

The OECD offers another definition: “Corporate governance involves a set of relationships between a company’s management, its board, its shareholders. Corporate governance provides the structure through which the objectives of the company are set and the means of attaining those objectives and monitoring performances are determined” (OECD 2004). OCEG, in turn, defines governance as follows: “Governance is the culture, values, mission, structure and layers of policies, processes and measures by which organisations are directed and controlled. Governance, in this context, includes but is not limited to the activities of the board, for governance bodies at various levels throughout the organisation also play a critical role. The tone that is set, followed and communicated at the top is critical to success.”

A risk, in general terms, connotes the uncertainty or unexpected ‘adverse’ outcome of a situation or activity. The scholarly literature on risk governance explains the processes and frameworks for managing risks based on diverse definitions of risk governance. Klinke and Renn (2012) define risk governance as a comprehensive risk-handling process for addressing the “complexity, uncertainty, and ambiguity” aspects of a risk (p. 274). It entails an evaluation of the totality of regulations, processes, and systems involved in risk data collection, analysis, and risk-based decision-making. Therefore, it extends beyond traditional risk analysis to include normative principles on how public and private actors can manage risks.

Renn, Klinke, and van Asselt’s (2011) definition of risk governance follows a technocratic approach. They define it as the organisational structure and policymaking process that guide or control the regulation or mitigation of risks at the group, societal, national, or global level (Renn, Klinke & van Asselt 2011). This definition is based on the shift from centralised decision-making to the multi-level public administration that characterises modern governments. In another article, van Asselt and Renn (2011), extending the International Risk Governance Council’s [IRGC] definition, describe risk governance as the application of the core principles/concepts of governance to risk-based decision-making, extending beyond formal processes (probabilistic and regulatory models) to include informal ones. The definition is informed by the inadequacies of risk probability models in managing public risks. It includes formal and informal systems for dealing with complex, uncertain, and ambiguous risks. In this article, the concept of governance primarily relates to policy development by government actors. However, since various stakeholders are involved in the management of society, including nongovernmental organisations and the private sector, the definition has been expanded to include a diversity of actors/roles.

The phrase risk governance is used in both a prescriptive and a descriptive context. Decisions about risks involve diverse players, regulations, political systems, and organisational structures, all of which are aspects of governance. Risk decisions are the outcome of the interaction between many players. From a governance perspective, the societal factors that precipitate outcomes characterised as risks need to be analysed for effective mitigation. For Flemig, Osborne, and Kinder (2015), risk governance is both an analytical and a normative process. They define it as a hybrid of “an analytical frame and a normative model” that guides risk decisions (Flemig, Osborne & Kinder 2015, p. 16). This decision-based risk governance differs from the technocratic approach in that it assigns the decision-making role entirely to politicians.

Brown and Osborne’s (2013) definition of risk governance follows a different approach. They define risk governance as transparent engagement with the “nature, perceptions, and contested benefits of a risk” in complex situations (Brown & Osborne 2013, p. 199). This means that all relevant stakeholders in the public service are involved in the decision-making process. This transparent approach has been adopted in the modern public sector to enhance accountability. In addition to an inclusive decision-making process, the risk environment is characterised by regulations and best practices that enhance accountability in the public sector. Therefore, Brown and Osborne’s (2013) definition fits within the transparent risk management approach adopted in democratic systems.

Clearly, an appropriate conceptualisation of risk governance should encompass a global view of the risks that emerge in public investment projects. It should go beyond the traditional concepts of risk management or analysis to include the decision-making processes related to a particular project. In this regard, Brown and Osborne’s (2013) definition fits well, as it points to decision-making processes in a complex environment such as the public sector. From a descriptive perspective, an appropriate definition must capture the totality of stakeholders, standards, procedures, and processes involved in making risk decisions. Considering that risk governance goes beyond simple descriptive management of public risks, a satisfactory definition should also include the normative elements or rules on how to manage risks in the public sector, and it should involve all actors in a transparent decision-making process. The definition adopted for this paper is therefore that of Brown and Osborne (2013), who define risk governance as genuine engagement with the “nature, perceptions, and contested benefits of a risk” in complex situations (p. 199). This definition fits well with the characteristics of public sector risks, i.e., complexity, ambiguity, and uncertainty.

Risk Governance Frameworks

Various epistemological premises and ideas contributed to the development of risk governance as a concept. The positivistic/realist view relies on the assumption that a risk is assessed against some ‘real’ standard, whereas the social constructivist approach considers risk a “social process” rather than a distinct entity (Renn 2011, p. 71). These ideas helped advance the principles and frameworks for managing contemporary risks. The conceptual use of the term ‘risk governance’ emerged in recent literature exploring policy development in the public/private sectors (van Asselt & Renn 2011). It is used within the context of public/private governance, which has roots in the political science field. In this context, ‘governance’ stresses the role of non-state actors in the management and organisation of societal issues (van Asselt & Renn 2011). This approach challenges the classical policy perspectives that followed a hierarchical power model centred on the government.

In the governance view, collectively binding decisions are produced in “complex multi-actor networks and processes” (Jonsson 2011, p. 126). This means that multiple social actors are involved in governance. Besides the state, these actors include nongovernmental organisations, private institutions, expert groups, etc. In this regard, the power/capacity to organise and manage society is shared among the different actors. Governance can be considered both a descriptive and a prescriptive term. The descriptive sense of governance relates to the complex interplay between various social actors, structures, and processes (Jonsson 2011). In contrast, the prescriptive sense relates to the model/framework for the management of societal issues. The normative use of governance emphasises transparency, involvement, and accountability.

The normative-descriptive distinction also applies to risk governance. The word ‘governance’ is used in “a normative and descriptive sense” (van Asselt & Renn 2011). The argument here is that while the regulation/management of simple or systemic risk problems follows the governance framework, risk decisions emanate from interactions between stakeholder groups. The ‘governance’ view provides a framework for examining and describing the factors precipitating risks. However, the unpredictable nature of risks calls for multi-stakeholder collaboration to adequately address and manage them. In collaborative frameworks, new risk management principles and approaches are proposed in line with the prescriptive/normative perspective (Renn 2011). Therefore, risk governance is a blend of an analytical framework and prescriptive exemplars.

The usage of the term ‘risk governance’ has its roots in the lessons learnt from the TRUSTNET project, which developed a model that included collaborative processes in decision-making (Renn 2011). TRUSTNET was a European Union interdisciplinary network established to develop criteria for determining best practices in the governance of hazards. It comprised 80 experts drawn from regulatory agencies in industrial and medical fields across Europe. The network developed the concept of risk governance and its first model. Later, this notion was used in the literature as an alternative paradigm to the traditional concepts of risk analysis and management, advocating for multi-stakeholder roles, processes, and systems (van Asselt & Renn 2011). However, risk governance was originally used to mean an all-encompassing system of “risk identification, assessment, management, and communication” (van Asselt & Renn 2011, p. 433). This view is consistent with the IRGC’s definition of risk governance. The IRGC (2015) incorporates the governance principles of “transparency, effectiveness, accountability, equity, and fairness” into its definition of the governance framework (p. 12). The aim is to create effective collective action to mitigate the effects of emerging risks.

The purpose of sound risk governance is to reduce the unequal distribution of risk between different public/private institutions or social groups through multi-actor processes. Risk governance practice also creates consistent and uniform approaches to the assessment and management of similar risks (Renn 2011). Unlike the traditional approach of risk analysis, which focused on high-profile risks, risk governance gives adequate consideration to high-probability risks irrespective of their profile. It also involves risk trade-offs through effective regulations and policies. The approach additionally takes public perceptions into account, which builds public trust in the system.

Brown and Osborne’s (2013) Framework

Risk governance frameworks provide an approach for the analysis and management of risks within the public service or the private sector. Brown and Osborne (2013) suggest a risk governance model for managing risks related to innovation in the public sector. The framework links three management approaches and three innovation types (Figure 1). The first type is evolutionary innovation, whereby institutions utilise new “skills or capacities” to meet specific user needs (Bernado 2016, p. 14). The second type is expansionary innovation, whereby current skills/capabilities are used to meet expanding user needs. The last is total innovation, in which new capabilities/skills are developed to address new user needs (Brown & Osborne 2013). The authors offer three risk governance approaches, namely the technocratic, decisionistic, and transparent methodologies. The technocratic model is only applicable to evolutionary innovation. In contrast, the decisionistic model provides a framework for evolutionary and expansionary innovation. The transparent risk governance model can accommodate all three types of innovation.

Figure 1: Risk Governance Framework for Public Service Innovation (Brown & Osborne 2013)

Risk governance approach (columns): Technocratic (risk minimisation); Decisionistic (risk analysis); Transparent governance (risk negotiation)
Type of innovation (rows): Evolutionary; Expansionary; Total
Technocratic: evolutionary only. Decisionistic: evolutionary and expansionary. Transparent governance: evolutionary, expansionary, and total.

The IRGC’s Framework

Another risk governance framework is the IRGC’s model that consists of five related phases. The phases include pre-assessment, appraisal, characterisation and evaluation, management, and communication (Figure 2).

The model separates understanding a risk from deciding on it. Risk appraisal is essential to understanding the nature of a risk, whereas implementing risk decisions requires risk management. The framework begins with pre-assessment, whereby the risk is defined to facilitate its appraisal. The pre-assessment phase involves a set of questions that provide the baseline data for risk assessment and mitigation. More importantly, it reveals the factors that precipitate the risk and the associated opportunities (Bernado 2016). It also brings out the risk indicators and patterns that help inform the risk management approach. The governance shortfalls that occur during this phase include failure to detect risk signals, to perceive the scope of the risk, and to frame it appropriately.

The risk appraisal phase is where facts and assumptions are developed to determine whether a situation portends a risk and how it should be handled. The appraisal involves scientific approaches, including estimating the probability of occurrence, and risk-benefit analysis based on stakeholder concerns (Bernado 2016). The process ensures that policymakers consider stakeholder concerns and interests when making decisions. The next phase, characterisation and evaluation, involves the consideration of societal values in decisions about the acceptability or tolerability of the risk. At this stage, mitigation measures are identified for risks considered acceptable or tolerable (van Asselt & Renn 2011). However, if the risk is intolerable, the initiative is halted. Failure to address inclusivity, transparency, societal values/needs, and timeframes precipitates risk governance problems.

The fourth phase is risk management. It entails the development and adoption of strategies or activities that help mitigate, avoid, or tolerate the identified risk. In this stage, multiple options are developed and the best one is selected for implementation. The risk management process entails the “generation, evaluation, and selection” of the best risk mitigation strategy (van Asselt & Renn 2011, p. 445). It also entails evaluating the potential impacts of the selected mitigation option. The final phase of the IRGC framework is the communication of the risk management decision. Effective communication helps create awareness among stakeholders and enables them to understand their role in risk governance (van Asselt & Renn 2011). The communication should inform the stakeholders/actors about their specific roles in managing the risk.

The IRGC’s framework has been adopted across multiple industries. In this model, an iterative process of communication cuts across the other four phases. The IRGC framework is criticised for being one-dimensional: it depicts risk governance as an additive process with distinct phases. However, researchers argue that the process is rather iterative, with steps like risk assessment and management not clearly delineated (Flemig, Osborne & Kinder 2015). Moreover, since various actors interact with and influence each other, risk governance cannot follow a strictly logical sequence.

In the IRGC framework, risk communication remains the unifying factor of the five phases of the model. The IRGC expanded the framework by introducing deliberation and engagement, suggesting a two-way process between the actors. Another significant aspect of the revised model is its emphasis on institutional capacity and resources. The organisational resources/capacities considered in the new model include finances, social capital, human resources, and technological capabilities (Flemig, Osborne & Kinder 2015). It also includes consideration of the actor network, the political and regulatory culture, and the social climate.

Figure 2: IRGC’s Risk Governance Framework

The Modified IRGC Framework

Renn, Klinke, and van Asselt (2011) propose a modified IRGC framework that includes the normative and descriptive aspects of risk governance. The proposed model comprises five stages, i.e., “pre-estimation, interdisciplinary risk estimation, risk characterisation, risk evaluation, and risk management” (p. 237). The modified framework is illustrated in Figure 3 below. The pre-estimation stage involves screening multiple problems as candidate risks. It entails an exploration of societal/community groups, political agencies, and the public to identify factors ‘framed’ as risks. The screening also explores culturally constructed risk candidates. Therefore, the pre-estimation stage is a multi-stakeholder process that brings together government agencies, industry actors, consumers, and various interest groups.

The second stage, interdisciplinary risk estimation, entails the scientific evaluation of risks through risk assessment and concern assessment (assessment of societal issues) (Renn 2011). Various criteria can be used in risk estimation, for example probability of occurrence, extent of damage, ubiquity, and reversibility. The next stages, risk characterisation and risk evaluation, involve the quantification of the societal effects of a risk and its probability of occurrence. The risk profiles are evaluated based on their level of acceptability (Renn 2011). Low-risk situations or activities are considered highly acceptable. Risk management is applied to risks considered tolerable. It entails a suite of mitigation measures to reduce the adverse consequences of a risk. Risk communication/participation entails informing the public through interaction in order to disseminate information related to the risks (Renn 2011). The aim is to build trust in risk management through multi-actor inclusion.

Figure 3: Modified Risk Governance Framework

The cyclic process of risk governance occurs in a logical sequence of five phases: pre-assessment, appraisal, characterisation and evaluation, risk management, and communication (Roeser et al. 2012). The individual phases and their specific components are described below.

Pre-assessment Phase

The pre-assessment phase is the screening stage of the risk governance process. Here, the actors consider diverse issues related to a specific risk. In addition, the different stakeholders review the risk indicators and practices at this stage. The main components of the pre-assessment phase are “problem framing, early warning, pre-screening, and the determination of scientific conventions” (Roeser et al. 2012, p. 51). The purpose of risk framing is to explore the multi-actor perspectives and establish a common understanding of the risk issues. Once a risk frame is agreed, the signals or indicators of the risk/problem can be monitored.

Early warning helps identify indicators that confirm the existence of a risk. It entails an exploration of the institutional capabilities for monitoring early warning signs of a risk within an organisation (Rossignol, Delvenne & Turcanu 2015). Pre-screening encompasses a preliminary analysis of risk candidates and prioritisation of them based on probabilistic models. It also entails identifying the appropriate evaluation and management route for each risk candidate. This is followed by a determination of the main “assumptions, conventions, and procedural rules” required for the assessment of the risk (Rossignol, Delvenne & Turcanu 2015, p. 137). Stakeholder emotions related to the risk issues are also considered in this step.

Risk Appraisal Phase

The purpose of risk appraisal is to create societal standards or scientific thresholds for a risk. It also provides a knowledge base for identifying an appropriate risk mitigation or containment approach. Its main components are risk assessment and concern assessment (Roeser et al. 2012). Risk assessment identifies the cause-effect relationship of a risk as well as its probability of occurrence. It may involve risk identification and evaluation to estimate severity. The objective of concern assessment is to explore stakeholders’ anxieties and fears related to the risk (Roeser et al. 2012). It also illuminates the socioeconomic impacts of a risk as perceived by stakeholders.

Risk Characterisation/Evaluation Phase

This phase involves estimating how acceptable or tolerable a risk is to the stakeholders. Therefore, the two components of this phase are risk acceptability and risk tolerability. A risk considered acceptable has lower adverse impacts on health/environment than an unacceptable one (Karlsson, Gilek & Udovyk 2011), which means that it does not require mitigation efforts. On the other hand, a tolerable risk involves significant trade-offs between benefits and adverse effects, so specific mitigation measures are adopted to reduce the negative effects. Characterisation generates an evidence base from the outcome of the risk appraisal phase, whereas evaluation involves the consideration of extraneous factors relevant to the risk.

Risk Management

The risk management phase involves the development and application of mitigation actions geared towards averting, diminishing, or retaining risks. It proceeds through a six-step process that culminates in an optimal option for risk management. The first step involves the formulation of an array of options for addressing the risk (Roeser et al. 2012). This initial step relies on the acceptability-tolerability considerations relevant to the specific risk. The second step involves the evaluation of the options against specified criteria, e.g., sustainability or cost-effectiveness (Karlsson, Gilek & Udovyk 2011). Thirdly, a value judgment based on the weights assigned to each criterion is applied to the options. Subsequently, in the fourth step, the best option(s) is chosen for further consideration. The fifth and sixth steps cover the execution of the chosen risk management strategy and the monitoring and evaluation of its impact, including whether the risk is reversed.

Communication Phase

Risk communication is an ongoing activity throughout the risk governance process. Its aim is to inform non-participating stakeholders of the risk decisions emanating from the preceding phases (Roeser et al. 2012). Additionally, risk communication helps support informed choices by stakeholders based on consideration of societal/individual interests, fears, values, and resources (Roeser et al. 2012). As a result, conflicting perspectives are managed to arrive at a consensus risk management strategy for the institution. Effective communication is also required between policymakers and experts/assessors to avoid bottlenecks arising from communication lapses.

The OCC’s Risk Governance Framework

Another existing framework is the one proposed by the Office of the Comptroller of the Currency [OCC] for risk governance in the financial industry (Figure 4). This model is intended to help the board/management of banks to establish an institutional risk culture, promote compliance with the risk appetite, and create a risk management system for the identification, measurement, and control of risks (IFC 2012). The OCC’s framework comprises three interlocking components: the risk management system, risk appetite, and risk culture. It takes into consideration the various risk categories common in the financial sector, for example interest rate risk and price risk, which pose a significant threat to an institution’s financial performance.

Figure 4: The OCC’s Risk Governance Framework

Banks use different risk governance models depending on the nature of their operations and corporate strategies. In banks, the board/management oversees the formulation, execution, and evaluation of the risk governance model through independent assessments. Subsequently, based on the outcomes of the assessment, some or all of the elements of the model are reviewed to enhance its efficacy. In this structure, the institution’s senior management performs the role of maintaining the framework and managing factors related to the defined risk appetite (Polk 2014). It also regularly informs the board about the institution’s risk profile and potential risks. The specific components of this framework are described below.

Risk Culture

In the OCC’s framework, risk culture covers the institutional “values, attitudes, competencies, and behaviours” that define the bank’s risk governance practices and decisions (Polk 2014, p. 14). It is, therefore, a subset of the organisational culture. The board plays a critical role in creating a sound risk culture through enhanced risk awareness and communication of the acceptable risk levels to staff. This ensures that employees make decisions that conform to the defined risk appetite or acceptable risk thresholds. Besides the board, the bank’s senior management promotes a positive risk culture through staff incentives and sanctions for unacceptable behaviour (Polk 2014). Management is required to identify and address risk-taking behaviour or actions that exceed the defined thresholds.

Risk Appetite

In the OCC’s framework, risk appetite is considered an important element of sound risk governance. It entails the “aggregate level and types of risk” that the board and senior managers are willing to assume to realise the institution’s strategic goals or objectives (Polk 2014, p. 13). However, a bank’s risk appetite must not exceed its capital or liquidity level. Establishing a risk appetite involves concerted efforts from the board, senior managers, supervisors, and front-line staff. Furthermore, its execution requires effective interaction between the various stakeholders involved in the management system. Information about the bank’s risk appetite should be conveyed throughout the institution to ensure that risk decisions are aligned with the acceptable risk thresholds. The risk management and front-line units should track, evaluate, and report risks against the risk appetite policy.

Risk Management System

The third component of the OCC framework is the risk management system. It encompasses the policies, processes, and staff involved in the identification, measurement, tracking, and management of risks (Polk 2014). The nature of a bank’s risk management system depends on the economic conditions in which the organisation operates and the complexity of its organisational structure. It entails three lines of defence. The first line involves “the frontline units or business units that create risk” (p. 46). The frontline/business units are the primary risk takers, and therefore they must operate within the accepted risk appetite thresholds. The second line is the independent risk management (IRM) unit, which oversees the risk-taking activities of the frontline units (IIA 2013). The IRM also recognises, measures, and tracks emerging risks and participates in risk decision-making in the bank (IIA 2013). Ordinarily, the IRM comprises the credit officer and/or credit review manager. The final line of defence in this framework is the internal audit unit, which provides independent validation by evaluating whether internal controls support effective risk governance within the institution.

The International Finance Corporation (2012) extends the OCC’s risk governance framework by including the concept of conflict of interest. The elimination of possible conflict-of-interest situations is essential for effective risk governance in the financial sector (IFC 2012). It entails separation of duties, independent management of activities, and adequate revenue control systems in the bank. Effective communication is also required in staff education, deliberation, and the reporting of risks in financial institutions.

IPCC Risk Governance Model

The Intergovernmental Panel on Climate Change (IPCC 2012) developed a model for managing risks related to natural disasters. The key components of this model include methods for reducing risks and for managing the residual risk related to environmental hazards. The reduction of risks focuses on minimising vulnerability, hazards, and exposure (IPCC 2012). It also entails sharing or transferring the risk through mutual/reserve funds, financial insurance, and social capital.

In the public sector, risk vulnerability is reduced through society-level actions such as access to essential services, improvement in community security, and increased participation in decision-making. On the other hand, the reduction of the exposure levels to natural risks can be achieved through land use planning, incentive mechanisms, and ecosystem management, among others (IPCC 2012). The risk reduction phase of the IPCC framework also entails pooling or transferring of risks. This requires interventions like reserve funds, insurance cover, and social networks.

The second phase of this framework comprises the management of residual risks/uncertainties. The natural risks are managed through effective preparation and response and the enhancement of the capacity to deal with surprises (Hooper 2014). In this regard, the government can manage residual risks by implementing early warning systems, post-disaster support, flexible decision-making systems, and adaptive learning, among others. The IPCC model is illustrated in Figure 5 below.

Figure 5: IPCC Risk Governance Framework

Risk-enabled performance management (REPM) Framework

Private sector organisations are shifting to a performance-based approach to the management of risks. Risk-enabled performance management (REPM) focuses on value creation by supporting robust decision-making and the identification of business opportunities, while minimising uncertainties or risks (Palermo 2011). Therefore, using the REPM framework (Figure 6), organisations can achieve risk-enabled performance as opposed to the simple identification and measurement of risks. In this way, the firm can obtain additional value from its risk management initiatives – a benefit that may not be possible when the focus is on risk avoidance or minimisation alone. In the REPM framework, multiple business processes and components interact to create value for the organisation. The main components of this framework are strategic oversight/planning, business-level planning, operational execution, and monitoring and compliance.

Strategic Oversight/Planning

This component focuses on a range of board- or senior management-level activities that trigger the development of a risk-enabled organisation. The strategic oversight function entails establishing the risk governance “structure, roles, and responsibilities” of each individual within the organisation (Palermo 2011, p. 9). This role is achieved through delegation and performance evaluation. It is also incumbent upon the executive leadership to specify the appropriate risk appetite for the organisation. In this way, capital allocation and investment decisions can be aligned with the acceptable risk thresholds. The oversight role also entails the identification of emerging risks and performance management to realise the value of the risks.

Business-level Planning

It encompasses the conversion of business strategies into plans and budgeting. The organisation can use planning tools to analyse the “types and levels” of each risk inherent in a given investment (Palermo 2014, p. 328). In this way, the organisation will create a basis for risk-based investment and budgeting.

Operational Execution

This step covers the implementation of strategic plans from the previous stage. The operational reviews should consider the identified risk limits and appetite in evaluating performance (Palermo 2014). The risk tolerances indicate how well the firm’s operations are aligned with the established risk appetite. Another dimension of operational execution is the re-evaluation of risks linked to operational activities. The aim is to minimise possible ‘surprises’ or uncontrollable events in organisational operations.

Monitoring and Compliance

This phase entails audit and compliance measures. It involves the alignment of the “monitoring processes with the risk profile” to detect redundancies and inadequacies in the monitoring function (Palermo 2014, p. 331). An in-depth evaluation of the risk profile and the deployed monitoring measures can reveal issues or problems that could precipitate costly risks. Thus, the approach reduces costs and improves the efficacy of risk surveillance. The REPM framework was shown to give a clear risk profile of a power plant and facilitate more efficient budgeting for risk mitigation programs.

Figure 6: REPM Framework – Risk-enabled Organisation

Enterprise Risk Management Framework

Enterprise risk management (ERM) supports the effective management of uncertainty in organisations. It entails a comprehensive model for the identification, measurement, prioritisation, and management of risks that threaten business activities or operations (PWC 2015). The ERM framework involves the development of a portfolio view of risks based on organisational operations at all levels, including enterprise-level, division/subsidiary, and business-level processes. The senior management first explores the interrelationships among risks before formulating a portfolio view from the business unit level and the entity level (PWC 2015). The ERM framework comprises eight interrelated components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring (PWC 2015).

Internal Environment

A focus on the internal environment creates a risk management philosophy that leads to an increased recognition that both anticipated and unanticipated events may happen (Karim 2011). An internal environment focus also helps define the organisational risk culture and the actions that affect it.

Objective Setting

The formulation of business objectives should involve a risk strategy. Such an approach establishes an organisation’s risk appetite, i.e., the board- and management-level view of the acceptable risk levels. Through objective setting, the management can align risk tolerance with the established risk appetite.

Event Identification

The event identification step helps distinguish risks from opportunities. Risks involve events that impede the attainment of the business objectives, while those with a positive effect constitute the opportunities for strategic action (PWC 2015). Event identification is critical in each decision level, when implementing process or system changes, and for new projects. The initial risk identification process helps identify a risk profile for the organisation. Thereafter, more risks are identified for inclusion in the risk profile, as the event identification step becomes a part of the organisation’s culture.

Risk identification entails the identification of the incidents, whether internal or external, which could impede strategy. It also addresses the internal and external factors that affect an organisation’s risk profile. The risks are grouped based on their sources for easier root cause analysis and assignment of mitigation responses (Ng 2015). The major sources of risk include political influences, decision-making, human capital, natural events, and regulatory issues. The other sources of risk may be fraud, supplier factors, technology, and competitive pressures.

Risk Assessment

The assessment of the identified risks follows event identification in the ERM framework. The assessment allows the management to formulate appropriate risk responses based on the likelihood/probability of occurrence and the anticipated impact, using a risk rating scale (Ng 2015). The likelihood rating ranges from highly certain to unlikely to occur. In contrast, the risk impact rating focuses on the effects of each risk, including financial costs, missed operational milestones, regulatory breaches, failure to meet strategic objectives, and managerial staff turnover. A risk map is constructed from the results of the assessment.

Risk assessment gives a comprehensive picture of how potential risks may influence objectives. Therefore, the assessment focuses on the likelihood and impact and involves both qualitative and quantitative techniques. The risk is measured on an “inherent and residual basis”, taking into account the predefined time and objective horizons (Ng 2015, p. 14). The aim is to inform future actions or risk responses.

Risk Response

In this step, the entity identifies and develops responses to each identified risk. In this regard, the organisation considers multiple options based on its “risk appetite, cost-benefit analysis of the risk, and the degree to which a response will reduce the risk impact or likelihood” (Domokos et al. 2015, p. 8). After an analysis of a suite of risk/response options, the organisation selects and implements an optimal response to mitigate the risks. In this case, the organisation’s inherent and residual risks are measured during the execution of the risk response to achieve the desired risk level. Inherent risk is the level of risk before any control or response is applied; residual risk is the level that remains after the response has been executed.

The response options include the portfolio of management actions aimed at controlling or preventing the risk. The management can choose to mitigate, exploit, accept, transfer, or avoid a risk. Risk mitigation encompasses actions taken to minimise the likelihood of occurrence or the impact of a particular risk (PWC 2015). Mitigation activities may include budget controls, forecasts, enhancing accountability, staff motivation programs, and building appropriate skill sets (Andreeva, Ansell & Harrison 2014). Risk exploitation allows an entity to leverage the opportunities presented in order to grow through activities such as strategic alliances, business portfolio expansion, innovative product development, and organisational restructuring.

The management can also choose to accept the risk impact and probability of occurrence. Risk transfer, as a response option, involves activities meant to shift the loss/impact to other parties. It can be achieved through outsourcing, insurance coverage, and hedging (Andreeva, Ansell & Harrison 2014). Risk avoidance involves activities meant to prevent hazards from occurring. They may include ceasing operations, divestiture, or reducing the scale of operations.

Control Activities

This step involves an ongoing process of tracking and reviewing the risk profile and responses (Mathews & Kompas 2015). The aim is to ensure that the management of risks occurs as planned, to determine the relevance of the risk responses being executed, and to track the impact of the activities on the risk profile. In addition, the control activities can inform new response plans for emerging risks. Risk monitoring comprises diverse methodologies for reviewing, assuring, and auditing risks. The assurance techniques include post-implementation reviews, performance appraisals, and quality reviews, among others.

The measurement of a response option should involve its efficiency and effectiveness (Walker, Tweed & Whittle 2014). In this case, efficiency indicates the execution costs related to finance/budget and time. In contrast, effectiveness indicates the extent to which the responses minimise the risk impact or probability of occurrence (Walker, Tweed & Whittle 2014). To achieve a higher level of response efficiency and effectiveness, the control activities should be incorporated into the current business processes at all levels of the organisation.

Information and Communication

This step involves reporting the risk in terms of its status and related responses. Various employees play different roles in the ERM process. The board plays a role in policy design and ERM framework development, while the management oversees the implementation process. Having a risk reporting structure helps address issues that affect the response plan being executed. It helps staff responsible for various ERM activities to obtain the pertinent information needed to carry out their roles effectively. The internal reporting process involves the operational staff, management team, senior leadership, and the board. In contrast, external reporting involves the communication of the risk profile and responses to the stakeholders.

Monitoring

The efficacy of the ERM elements is monitored regularly to determine the impact on the risk profile. The ERM monitoring may involve ongoing control activities or independent evaluations, such as audits and reviews.

Figure 7: ERM Framework

Integrated Enterprise-Risk Management Framework

The banking sector faces unique challenges that pose a threat to growth. The integrated enterprise-risk management (ERM) framework provides a new approach to risk in the banking industry, structured around five dimensions. It places the responsibility for developing the ERM capabilities in the hands of a firm’s board. The five core dimensions of the integrated ERM framework are “risk transparency and insight, risk appetite and strategy, risk-related business processes and decisions, risk organisation and governance, and risk culture” (Brodeur et al. 2010, p. 1). The recommended actions in each of the five dimensions are described below.

Risk Transparency and Insight

Most firms have adopted risk identification processes for the early detection and prioritisation of risk events. The companies produce annual risk reports cataloguing the most significant risks and their likelihood of occurrence and impact. The downside of this approach is that such reports omit company-wide risks, fail to reveal the causes of the risks, and overlook the multiplicity aspect of risks (Lamarre & Pergler 2009). A robust risk identification mechanism should uncover the root causes. The main components of risk transparency and insight proposed under the integrated ERM framework are a risk taxonomy, a prioritised risk heat map, risk insight and foresight, risk models, and risk reporting.

Risk taxonomy entails creating a common vocabulary for the risk types experienced or likely to occur (McNeil 2013). The rationale is to facilitate risk identification and classification for effective management and control. A prioritised risk heat map sorts the risks based on their potential impact, level of preparedness, and likelihood of occurrence (McNeil 2013). One recommended strategy for building a robust heat map is adequate risk estimation that takes into consideration all the risk drivers. A good heat map can also be generated if a transparent and coherent approach is taken in naming and classifying risks across all the business units. In addition, besides likelihood and impact considerations, other variables – preparedness and lead time – should be taken into account when constructing a risk heat map.
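The rating-based assessment described above (likelihood and impact on a five-point scale, inherent versus residual risk, and a heat map that also weighs preparedness and lead time) can be made concrete with a small risk register. The following is an added worked example, not code from any of the cited frameworks or authors: the register entries, the response options, the additive priority weighting, and the tolerance threshold are all constructed assumptions chosen to show the mechanics of building a prioritised heat map and checking residual risk against a tolerance.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample register: names, scores and responses are illustrative only.


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int       # 1 (unlikely) .. 5 (highly certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    preparedness: int     # 1 (unprepared) .. 5 (well prepared)
    lead_time_days: int   # warning time before the event would bite


@dataclass(frozen=True)
class Response:
    option: str                    # "mitigate", "transfer", "accept" or "avoid"
    likelihood_reduction: int = 0  # rating points removed from likelihood
    impact_reduction: int = 0      # rating points removed from impact


def inherent_score(risk: Risk) -> int:
    """Likelihood x impact before any control or response is applied."""
    return risk.likelihood * risk.impact


def residual_rating(risk: Risk, response: Optional[Response]) -> Tuple[int, int]:
    """(likelihood, impact) remaining after the chosen response.
    Ratings never fall below 1, except for avoidance, which removes the risk."""
    if response is None or response.option == "accept":
        return risk.likelihood, risk.impact
    if response.option == "avoid":
        return 0, 0
    return (max(1, risk.likelihood - response.likelihood_reduction),
            max(1, risk.impact - response.impact_reduction))


def residual_score(risk: Risk, response: Optional[Response]) -> int:
    likelihood, impact = residual_rating(risk, response)
    return likelihood * impact


def urgency(lead_time_days: int) -> int:
    """Assumed weighting: a short lead time leaves less room to react."""
    if lead_time_days < 30:
        return 2
    if lead_time_days < 90:
        return 1
    return 0


def priority_score(risk: Risk) -> int:
    """Composite used to order the heat map: the likelihood x impact product
    plus penalties for poor preparedness and short lead time (assumed weights)."""
    return inherent_score(risk) + (5 - risk.preparedness) + urgency(risk.lead_time_days)


def prioritised(risks: List[Risk]) -> List[str]:
    """Risk names ordered from most to least pressing."""
    return [r.name for r in sorted(risks, key=lambda r: (-priority_score(r), r.name))]


def heat_map(risks: List[Risk],
             responses: Optional[Dict[str, Response]] = None) -> Dict[Tuple[int, int], List[str]]:
    """Bucket risks into (likelihood, impact) cells: inherent ratings by default,
    residual ratings when a response plan is supplied."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        key = residual_rating(r, responses.get(r.name)) if responses is not None \
            else (r.likelihood, r.impact)
        if key == (0, 0):
            continue  # avoided risks leave the map entirely
        cells.setdefault(key, []).append(r.name)
    return cells


def render_heat_map(cells: Dict[Tuple[int, int], List[str]]) -> str:
    """Text grid: rows are impact (high to low), columns are likelihood, cells count risks."""
    lines = [f"{'impact / likelihood':<20}" + "".join(f"{'L' + str(l):>4}" for l in range(1, 6))]
    for impact in range(5, 0, -1):
        lines.append(f"{'I' + str(impact):<20}"
                     + "".join(f"{len(cells.get((l, impact), [])):>4}" for l in range(1, 6)))
    return "\n".join(lines)


def outside_tolerance(risks: List[Risk], responses: Dict[str, Response], tolerance: int) -> List[str]:
    """Residual risks still above the tolerance, worst first: the gap the plan must close."""
    over = [(residual_score(r, responses.get(r.name)), r.name)
            for r in risks if residual_score(r, responses.get(r.name)) > tolerance]
    return [name for _, name in sorted(over, reverse=True)]


REGISTER = [
    Risk("ransomware incident", likelihood=4, impact=5, preparedness=2, lead_time_days=14),
    Risk("key supplier insolvency", likelihood=2, impact=4, preparedness=3, lead_time_days=120),
    Risk("regulatory reporting breach", likelihood=3, impact=3, preparedness=4, lead_time_days=60),
    Risk("data centre flooding", likelihood=1, impact=5, preparedness=4, lead_time_days=7),
]

RESPONSES = {
    "ransomware incident": Response("mitigate", likelihood_reduction=2, impact_reduction=1),
    "key supplier insolvency": Response("transfer", impact_reduction=2),
    "regulatory reporting breach": Response("accept"),
    "data centre flooding": Response("avoid"),
}

if __name__ == "__main__":
    print("priority order:", prioritised(REGISTER))
    print("inherent heat map\n" + render_heat_map(heat_map(REGISTER)))
    print("residual heat map\n" + render_heat_map(heat_map(REGISTER, RESPONSES)))
    print("above tolerance 6:", outside_tolerance(REGISTER, RESPONSES, 6))
```

Running the script shows the effect the text describes: the inherent map concentrates the register in the high-likelihood, high-impact corner, the residual map shifts the mitigated and transferred entries towards lower cells and drops the avoided one, and the tolerance check lists the accepted regulatory risk and the partially mitigated ransomware risk as the items still needing a decision.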

Another element of the first dimension of this framework is risk insight and foresight. It entails using scenario testing, indicators, and stress tests to explicate high priority risks at the board level (McKinsey & Company 2013). Firms often use these methods to explore up to five risks that are significant to business operations. Constructing risk models can also provide a basis for business decisions for organisations. The subsequent step entails compiling insightful reports on key risks to illuminate the key actionable measures. Well-designed and integrated risk reports should highlight the board’s assessment of the risks, including the tradeoffs considered and the decisions made to facilitate consistent information flows across the organisation (McKinsey & Company 2013).

Natural Ownership, Risk Appetite, and Strategy

This step entails deciding on the risks an organisation owns, its risk capacity, risk appetite, and risk strategy. A firm’s risk appetite depends on its risk capacity, which describes a company’s ability to “withstand a risk when it materialises into actuality”, while staying clear of undesirable effects or constraints (Brodeur & Pritsch 2008, p. 12). The determination of risk capacity depends on the type of risk and may involve Monte Carlo simulations or discrete scenarios that would then help predict future trends. The risk appetite indicates how much risk a firm will take based on its capacity (McNeil 2013). From its risk appetite, a company can determine the risks it can own. Risk ownership describes the risks a firm has the capacity to control and exploit in order to realise its competitive goals (McNeil 2013). At the same time, a firm needs to define the risks it wants to mitigate, transfer out, or avoid at this point. Based on the risk appetite and ownership, a risk strategy for the company is formulated. The strategy represents a coherent message or affirmation of the risks that the company has decided to take or transfer. It is normally incorporated into the organisation’s strategic plan and communicated to the shareholders.
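The paragraph above mentions Monte Carlo simulation and discrete scenarios as ways of testing risk capacity, and the OCC discussion earlier notes that a bank’s appetite must not exceed its capital or liquidity. The following added example (not code from the cited authors) shows both techniques side by side on a constructed set of loss scenarios: the expected and worst-case loss from the discrete scenarios, a seeded Monte Carlo estimate of the aggregate loss at a chosen confidence level, and a comparison of that tail loss against an assumed appetite and capacity. The scenario probabilities, loss amounts, appetite and capacity figures are all illustrative assumptions.

```python
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float  # chance the event occurs within the planning horizon
    loss: float         # loss if it occurs, in the same unit as appetite and capacity


# Constructed scenario set (amounts in millions); not drawn from the text.
SCENARIOS = [
    Scenario("ransomware incident", probability=0.10, loss=2.0),
    Scenario("key supplier insolvency", probability=0.05, loss=1.5),
    Scenario("regulatory fine", probability=0.20, loss=0.5),
    Scenario("data centre flooding", probability=0.02, loss=4.0),
]

APPETITE = 1.0   # assumed: loss the board is willing to absorb at the confidence level
CAPACITY = 3.0   # assumed: buffer the firm can lose without breaching constraints


def expected_loss(scenarios: List[Scenario]) -> float:
    """Discrete-scenario view: probability-weighted loss over the horizon."""
    return sum(s.probability * s.loss for s in scenarios)


def worst_single_scenario(scenarios: List[Scenario]) -> float:
    """Largest loss any one scenario can cause on its own."""
    return max(s.loss for s in scenarios)


def simulate_aggregate_losses(scenarios: List[Scenario], trials: int, seed: int) -> List[float]:
    """Monte Carlo view: each trial draws every scenario independently and sums
    the losses of those that occur, giving one sample of the aggregate loss."""
    rng = random.Random(seed)  # seeded so the result is reproducible
    losses = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.probability:
                total += s.loss
        losses.append(total)
    return losses


def quantile(values: List[float], q: float) -> float:
    """Empirical quantile by rank (no interpolation), e.g. q=0.99 for the 1-in-100 loss."""
    ordered = sorted(values)
    index = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[index]


def classify(loss: float, appetite: float, capacity: float) -> str:
    """Where a loss figure sits relative to the appetite and the capacity."""
    if loss <= appetite:
        return "within appetite"
    if loss <= capacity:
        return "within capacity but above appetite"
    return "exceeds capacity"


def assess(scenarios: List[Scenario], appetite: float, capacity: float,
           confidence: float = 0.99, trials: int = 20000, seed: int = 1) -> Dict[str, object]:
    """Combine both views and state whether the tail loss fits the stated appetite."""
    losses = simulate_aggregate_losses(scenarios, trials, seed)
    tail = quantile(losses, confidence)
    return {
        "expected_loss": round(expected_loss(scenarios), 4),
        "worst_single_scenario": worst_single_scenario(scenarios),
        "tail_loss": tail,
        "verdict": classify(tail, appetite, capacity),
    }


if __name__ == "__main__":
    for key, value in assess(SCENARIOS, APPETITE, CAPACITY).items():
        print(f"{key}: {value}")
```

The two views answer different questions: the expected loss is what a budget should provision for, while the tail of the simulated aggregate distribution is what the capacity must be able to absorb. With the constructed figures the 99th percentile exceeds the assumed capacity, which is the signal that the appetite, the capacity, or the scenario set itself has to be revisited before a risk strategy is adopted.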

Risk-related Decisions and Processes

This step entails the integration of risk considerations related to strategic planning, resource allocation, and financing in risk-related decisions and processes (Brodeur et al. 2010). A firm’s strategic choices should reflect its risk appetite/capacity. Strategic planning considers the risk assumptions and uncovers the return/risk tradeoffs inherent in a project. Resource allocation gives key personnel the green light to take risks based on the established risk appetite. On the other hand, financing or hedging decisions by the board would depend on the defined risk capacity and potential impacts. In the banking sector, the quality of risk-related decisions/processes depends on how well the liquidity risk is managed in the organisation (Brodeur et al. 2010). Therefore, in banks, risk-related decisions are aimed at managing and controlling liquidity risks.

This integrated ERM dimension encompasses three elements: risk-related decisions, risk optimisation, and risk processes. Risk-related decisions entail the grounding of risk in all business decisions, as opposed to working to meet regulatory requirements. Similarly, risk optimisation must also be embedded in all strategic decisions to achieve favourable return/risk tradeoffs. In addition, the core business operations of the firm must be risk-based to ensure risk-informed responses and actions across all levels of the organisation.

Risk Organisation and Governance

The role of risk oversight belongs to a firm’s board. In the risk governance structure, the board collaborates with the line managers and risk officers on risk issues and ensures that the ERM program is optimised for the specific risks that the firm faces. The oversight role also includes the evaluation of risks through the board-risk committee interactions and dialogue (Pergler 2012). The aim is to remove bureaucratic processes that impede effective risk governance. An ERM organisational model may involve a risk officer reporting to the firm’s chief executive officer and leading teams tasked with the management of various risks affecting the organisation.

The basic components of an ERM organisational model include risk archetypes, risk organisation, and risk-function profile. Risk archetypes entail defining the mandate of an ERM function within the finance unit to introduce risk thinking in managerial processes (Beckers et al. 2013). Risk organisation involves the design of enterprise-wide processes, including risk policies/guidelines and resource allocation. Creating a risk-function profile can help the risk team obtain traction in a firm’s businesses. It entails a clear allocation of duties and obligations of the risk taking personnel and risk management unit.

Risk Culture and Performance Transformation

The final ERM dimension focuses on risk culture and performance. Risk culture emerges when decision-making behaviours that involve an evaluation of risk/benefit tradeoffs become the norm in the organisation. It is defined as the “norms of behaviour for individuals and groups within a company that determine the collective willingness to accept or take risks” (Brodeur et al. 2010, p. 5). Appropriate risk norms should be embedded within the organisation through corporate-level processes and governance.

A cultural survey or diagnostic can help determine the flaws in a firm’s risk culture and indicate the need for change. Mikes (2011) provides four strategies for effecting a sustainable cultural change related to risk in an organisation, namely, fostering conviction/understanding among employees through incident reviews, role modelling by supervisors, talent and risk skill development, and establishing formal structures/processes for performance appraisal and compensation. According to Mikes (2011), the process of achieving a high-level risk culture change encompasses four steps: diagnosing the risk culture, articulating the target risk norms, developing multilayer initiatives, and ongoing monitoring of risk governance in the organisation. Therefore, the risk culture journey culminates in positive risk norms being embedded in all organisational structures and processes.

Figure 8: Integrated ERM Framework

Risk IT Framework

Public organisations and private enterprises face IT risks in addition to strategic, operational, and market risks, among others. Poor IT security in organisations increases the likelihood of business risks related to cyber threats. The management of such risks is critical to the success of an organisation. The adoption of IT brings immense benefits to an entity; however, it also comes with risks.

Since IT lies at the heart of operational efficiency, IT risk is regarded like other enterprise risks that impede the achievement of strategic goals (Deloitte 2014). In most organisations, the management team does not handle IT risks itself but delegates this role to the IT department. The risk IT framework (Figure 8) helps businesses integrate IT risk governance into the ERM to support risk-based decisions. The framework also highlights the nature of the risk as well as the organisation’s risk appetite and tolerance to facilitate appropriate risk responses. Therefore, it supports risk-aware decisions by organisations.

The risk IT framework is founded on six core principles that support risk governance in organisations. The organisation must continuously connect the risk responses to the business objectives, align the management of the risk with its ERM, balance the risk costs and benefits, enhance risk reporting, establish the top leadership’s risk appetite, and incorporate these processes into the day-to-day business activities (Deloitte 2014). The risk IT framework contains three components or domains, namely, risk governance, risk response, and risk evaluation (Svata & Fleishmann 2011).

Risk Governance

This risk IT domain ensures that risk management practices are integrated with the business processes for enhanced risk-based performance. Risk governance encompasses three processes, namely, integration with ERM, formulation of risk-based decisions, and establishment/maintenance of a common risk view (Svata & Fleishmann 2011). The goals of risk governance are to achieve acceptable risk appetite and tolerance, enhance role clarity in IT risk management, promote risk awareness, and establish a risk culture in the organisation.

In the risk IT framework, risk appetite is defined as the “broad-based amount of risk” that an entity can accept in pursuing its mission (Svata & Fleishmann 2011, p. 51). In contrast, risk tolerance means the acceptable variation around organisational objectives (Svata & Fleishmann 2011). These two concepts help an organisation establish a coherent view of the risk at all levels. However, they are subject to changes in technology, firm structures, and macro environment factors. Therefore, a firm should continually evaluate its risk portfolio to determine its risk appetite at different times. On the other hand, risk tolerance can be influenced by mitigation costs. Indeed, in some cases, the cost impact of mitigation can go beyond its resources, resulting in a higher risk tolerance (Svata & Fleishmann 2011). Thus, the cost-benefit trade-offs determine the risk levels that an enterprise is willing to tolerate.

The framework also defines the responsibilities of the people involved in IT risk governance. Various individuals are charged with the responsibility of managing IT risks. The board, chief executive officer, and chief risk officer, as well as the personnel drawn from the enterprise risk committee, play a role in risk governance. In contrast, accountability applies to individuals who allocate resources or authorise specific actions, e.g., the board. Besides establishing responsibilities and accountabilities, risk governance enhances risk awareness and communication in the organisation. Risk awareness entails the recognition of risks for a specific management action. In contrast, risk communication enhances the discussion around risks to increase the management’s understanding of their effects for appropriate responses. An open risk communication practice enhances risk awareness among stakeholders and increases transparency in risk governance.

Risk Evaluation

The goal of the risk evaluation component of the risk IT framework is to identify, analyse, and present “IT-related risks and opportunities” in the organisation (Flemig, Osborne & Kinder 2015, p. 6). It entails three processes, namely, analysing the risk, establishing an institutional risk profile, and collecting data. The goals are to highlight the business impact and develop risk scenarios. The evaluation entails converting IT risks into business risks. It requires the IT and the business teams to develop a mutual understanding of the risks that need management. The stakeholders must have a basic understanding of the risks impacting the business objectives. In this regard, the IT person should know the impact of the identified IT risks on strategic objectives. Similarly, the management should understand the IT-related risks that affect business processes (Flemig, Osborne & Kinder 2015).

Risk evaluation helps define the link between anticipated IT risks and their impact on operations through the expression of such risks in business terms. The methods prescribed in the risk IT framework for risk evaluation include the balanced scorecard, COSO ERM, and the COBIT information criteria (Potts & Kastelle 2014). Risk scenarios are important in IT risk governance. The scenarios are utilised in risk analysis to determine the likely impact of a risk on the organisation. Two complementary methods are used to develop the risk scenarios: a top-down approach and a bottom-up approach. The bottom-up approach utilises generic scenarios to develop improved scenarios tailored to the organisational realities, whereas the top-down approach derives scenarios from the business objectives.

Risk Response

The purpose of a risk response is to address IT risks in a cost-efficient way and according to the organisation’s priorities. The essential processes in this domain of the risk IT framework include risk management, reaction to risks, and risk articulation (Svata & Fleishmann 2011). This step encompasses the definition of a risk response and identification of the key performance indicators (KPIs) based on project objectives. The KPIs indicate whether an organisation is likely to face a risk that outstrips the established risk appetite. The choice of the KPIs is dependent on micro and macro environment factors, the size of the organisation, and the prevailing regulatory regime (Svata & Fleishmann 2011). The KPI selection process should involve stakeholders to achieve buy-in and support. Further, the selection should involve consideration of the major performance indicators and root causes. The selected KPIs must meet the following criteria: optimal business impact, high sensitivity, and reliability (Claudia, Tehler & Wamsler 2015).

The reason for providing a risk response definition is to align the identified risk with the established risk appetite (Claudia, Tehler & Wamsler 2015). This implies that defining a response will ensure potential residual risk falls within the acceptable tolerance threshold. The possible risk response options include avoidance, reduction/mitigation, sharing/transfer, and acceptance. The choice of the risk response option depends on its cost (capital, wages, and operational costs), the significance of the risk as shown in a risk map, the efficacy and efficiency of the response, and the organisation’s capacity to execute the response (Hooper 2014). Therefore, an entity should prioritise the response options based on the above criteria and select the optimal risk response.

Figure 8: The Risk IT Framework

Development of a Maturity Model for Public Risk Governance

This research utilises the IRGC, the ERM, and the integrated ERM frameworks as the basis to build a maturity model for risk governance in the public sector. The developed maturity model derives its risk appraisal, risk evaluation, and communication phases from the IRGC framework, while the risk response and control activities stages have been adapted from the ERM framework. In the IRGC framework, risk appraisal focuses on risk analysis based on stakeholder concerns. This concept has been extended in the maturity model to include a wide array of stakeholders in the public sector, such as government agencies, citizens, and the private sector. The purpose of the risk appraisal stage of the maturity model is to specify or map out societal standards for risks inherent in the public sector through multi-stakeholder engagement. The inclusivity aspect of the model ensures adequate consideration of stakeholder concerns within the context of risk appraisal and the selection of good joint indicators to track progress.

Risk evaluation, in IRGC terms, focuses on the determination of risk acceptability and tolerability based on societal values and the needs of the beneficiaries. Therefore, by including this element in the maturity model, it would be easier to determine the amount of risk that the public can accept or tolerate in a bid to achieve project objectives. Communication is critical for creating risk awareness during project execution. Its inclusion in the maturity framework is grounded in the need to inform the stakeholders of their roles, risk tolerance levels, and project performance based on the indicators, so that necessary adjustments can be made. To improve accountability in the downstream project activities, the principles of risk response and control activities of the ERM – a corporate risk management model – were adapted for the maturity model. The aim is to mitigate, exploit, transfer, or avoid a risk to maintain the risk acceptance threshold established in the risk evaluation phase. The fourth stage, i.e., control activities, centres on tracking project progress based on selected indicators. Of particular importance are the risk indicators that help measure the exogenous factors with a direct impact on the project outcomes. The post-risk management phase is included in the model to describe how to manage a risk in the event that it occurs.

Five elements representing the dimensions of the integrated ERM framework have also been adapted in the proposed maturity model. The integrated ERM framework is anchored in risk transparency and insight, which is a big problem in the public sector due to the multiplicity of actors, functions, and protocols. For this reason, adopting an ERM infrastructure would enhance data consistency and accessibility when managing public sector risks. The ERM capabilities would lead to better risk control and management in public projects. The elements included in the maturity model are risk governance, risk analysis and reporting, risk culture, risk decision processes and performance, and risk capacity and ownership strategy.

Risk governance, according to the integrated ERM framework, entails operational/business risk controls, organisational structure of risk control, and legal entity governance (Gates, Nicolas & Walker 2012). The clarity of roles and responsibilities defines the mandates of the teams, management, and board/directors involved in the ERM function. Therefore, its inclusion in the maturity model aims at supporting stakeholder interactions, roles, and risk dialogue to enhance insights into various public sector risks. Since stakeholders in public investment projects come from different backgrounds, the clarity of roles/responsibilities and the inclusion of governance controls will remove rigidity and bureaucracy in risk processes. The risk governance will also enhance stakeholder interactions and dialogue focused on specific risks affecting the public.

Another element adapted from the integrated ERM framework is risk analysis and reporting. Risk analysis looks at the impact, probability of occurrence, and level of preparedness in relation to a particular risk (Frigo & Anderson 2011). From the integrated ERM framework, the analysis involves risk taxonomy, risk heat map, and models. The measurement and monitoring through stress testing of identified risks is critical in risk transparency and insight. Therefore, data collection, analysis, and reporting infrastructure would improve the understanding of high-priority risks by the public project stakeholders. The inclusion of this element in the maturity model is also meant to enhance risk transparency through integrated risk reports that illuminate the risk/return tradeoffs, managerial decisions, and rationales for effective risk governance (Brodeur et al. 2010).

The role of risk culture is to fortify the risk control environment (Mikes 2011). Based on the integrated ERM framework, risk culture is developed through the articulation of the desired risk norms, multilayer initiatives, and ongoing monitoring of risk governance activities (Mikes 2011). The justification for including risk culture in the maturity model is to achieve a mindset change that would be the impetus for attaining shared risk ownership, risk anticipation, and accurate resource allocation. In the public sector, a positive risk culture can help avoid flaws such as denial and detachment from risk that stem from overconfidence, indifference, or slow response.

The maturity model’s risk decision processes and performance element is derived from the third dimension of the integrated ERM framework – risk-related decisions and processes. Effective risk governance should integrate firm strategy, resource allocation, and financing into the risk processes (Arena, Arnaboldi & Azzone 2010). The strategic decisions must be grounded in risk management. This approach will ensure that risk decisions reflect the organisation’s risk appetite and capacity. Since the maturity model is designed for the management of risks in the public sector, risk-based investment decisions are critical in realising the macroeconomic goals of the projects. Risk-based decisions and performance will also avoid the faulty execution that leads to project failure.

Risk capacity and ownership strategy is another element included in the maturity model that is adapted from the integrated ERM framework. Risk capacity denotes the organisation’s ability to remain resilient in a risk environment (Arena, Arnaboldi & Azzone 2010). Assessing the risk capacity through Monte Carlo simulations or discrete scenarios can be a panacea for the project cancellation/failure, delays, and insolvency that bedevil mega government projects. It also helps define the risk appetite, i.e., the amount of risk an organisation can take (Hoyt & Liebenberg 2011). From the risk appetite, the risks that the organisation can own – utilise competitively – can be obtained. Subsequently, an explicit ownership strategy can be developed to communicate the risks the organisation can take or exploit competitively and those to avoid or transfer. The maturity model is illustrated in Figure 9 below.
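As an added illustration, not part of the chapter or of any framework it reviews, the following Python shows how the risk analysis element described earlier (impact, probability, and a heat map) and the risk capacity assessment described above (Monte Carlo simulation and discrete scenarios, compared against a risk appetite and a risk capacity) can be carried out on a small risk register. The four risks, their probabilities and cost ranges, the heat-map cut-offs, the 90% confidence level, and the appetite and capacity thresholds are all constructed assumptions for the example.

```python
"""Constructed example: checking a project's simulated risk exposure against
its risk capacity and risk appetite, with a probability-impact heat map.
All risks, thresholds and figures below are assumed, not taken from any
framework reviewed in the chapter."""
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    name: str
    probability: float  # chance the risk materialises during the project
    min_cost: float     # lower bound of financial impact if it occurs
    max_cost: float     # upper bound of financial impact if it occurs


# Constructed risk register for a hypothetical public infrastructure project
SAMPLE_RISKS: List[Risk] = [
    Risk("flood damage to site", 0.10, 2_000_000, 6_000_000),
    Risk("contractor insolvency", 0.05, 1_000_000, 4_000_000),
    Risk("land acquisition delay", 0.30, 200_000, 1_500_000),
    Risk("input price inflation", 0.50, 100_000, 800_000),
]


def midpoint_cost(risk: Risk) -> float:
    return (risk.min_cost + risk.max_cost) / 2


def heat_map_cell(risk: Risk, prob_cut: float = 0.25,
                  impact_cut: float = 1_000_000) -> str:
    """Place a risk in a 2x2 probability-impact heat map (assumed cut-offs)."""
    prob = "high probability" if risk.probability >= prob_cut else "low probability"
    impact = "high impact" if midpoint_cost(risk) >= impact_cut else "low impact"
    return f"{prob} / {impact}"


def expected_loss(risks: List[Risk]) -> float:
    """Expected total loss: sum over risks of probability x midpoint impact."""
    return sum(r.probability * midpoint_cost(r) for r in risks)


def discrete_scenarios(risks: List[Risk]) -> Dict[str, float]:
    """Three deterministic scenarios: no risk occurs, the expected value, and
    every risk occurring at its maximum cost."""
    return {
        "best": 0.0,
        "expected": expected_loss(risks),
        "worst": sum(r.max_cost for r in risks),
    }


def simulate_losses(risks: List[Risk], trials: int = 20_000,
                    seed: int = 1) -> List[float]:
    """Monte Carlo: in each trial every risk occurs independently with its
    probability and, if it occurs, costs a uniform draw from its range.
    Returns the sorted list of total losses, one per trial."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        total = 0.0
        for r in risks:
            if rng.random() < r.probability:
                total += rng.uniform(r.min_cost, r.max_cost)
        losses.append(total)
    losses.sort()
    return losses


def percentile(sorted_losses: List[float], p: float) -> float:
    """Loss not exceeded in a fraction p of the simulated trials."""
    index = min(len(sorted_losses) - 1, int(p * len(sorted_losses)))
    return sorted_losses[index]


def assess_exposure(sorted_losses: List[float], risk_capacity: float,
                    risk_appetite: float,
                    confidence: float = 0.90) -> Dict[str, object]:
    """Compare the loss at the chosen confidence level with the organisation's
    risk appetite (what it is willing to bear) and risk capacity (what it can
    survive). Both thresholds are assumed inputs."""
    loss = percentile(sorted_losses, confidence)
    return {
        "loss_at_confidence": loss,
        "within_appetite": loss <= risk_appetite,
        "within_capacity": loss <= risk_capacity,
    }


if __name__ == "__main__":
    for risk in SAMPLE_RISKS:
        print(f"{risk.name:25s} -> {heat_map_cell(risk)}")
    print("scenarios:", discrete_scenarios(SAMPLE_RISKS))
    losses = simulate_losses(SAMPLE_RISKS)
    print("assessment:", assess_exposure(losses, risk_capacity=5_000_000,
                                          risk_appetite=1_500_000))
```

With the constructed register, the simulated 90th-percentile loss lies well above the expected loss because the low-probability, high-impact items (flood, insolvency) dominate the tail; it falls inside the assumed capacity of 5,000,000 but outside the assumed appetite of 1,500,000, which is the kind of gap an ownership strategy would have to close by transferring or mitigating the tail risks rather than owning them.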

Figure 9: Maturity Model for Risk Governance in the Public Sector

In this model, the risk appraisal step focuses on the identification of potential risks. In the public service organisations, especially local government agencies, the risks inherent in projects relate to natural hazards or events that affect the delivery of public goods or services (Butsch et al. 2016). The likelihood and frequency of such risks should be determined as well as the associated residual uncertainties through stakeholder engagement. The reason for including the risk appraisal phase that is based on the IRGC framework was to determine the vulnerability and exposure levels of the project beneficiaries from the start. Therefore, direct stakeholder engagement through surveys can help identify risks and performance indicators for project performance management.

Risk evaluation entails the determination of societal acceptability and tolerability. The rationale for including this step is that public projects should establish a balance between benefits and risks. If the risks exceed the benefits, as indicated through feasibility studies, the project should be abandoned. As in the IRGC model (third step), acceptable and tolerable risks are identified through the consideration of societal values stated by the stakeholders. This helps decide whether to continue with the project by developing appropriate mitigation measures or halt it altogether. In the ERM model, the equivalent of the risk acceptability and tolerability could be the risk appetite and tolerance, respectively.

The third step of this model involves the development of a risk response. Again, the justification for the inclusion of this element is to shield the beneficiaries from the effects of risks without compromising the objectives or outcomes. As established in literature, a risk response covers the suite of risk management activities meant to address a risk in the most cost-effective way and in line with the entity’s priorities (Ward et al. 2013). In this model, it is conceptualised that a public sector organisation can avoid, share/transfer, or mitigate/reduce, but not accept a hazard since it is driven by altruistic or societal values rather than business goals. In this regard, risk reduction entails minimising vulnerability through government interventions like poverty reduction and partnerships with the private sector (Jain 2015). Public organisations can also reduce the exposure to a risk or hazard through the provision of infrastructure and essential services to vulnerable groups. In addition, incentives to at-risk individuals can change behaviours that increase the exposure to a risk.

The fourth step, control activities, is derived from the ERM phase of risk management. The rationale is to develop and execute optimal strategies to help reduce, avoid, or tolerate the risk during project implementation. Further, the essence of risk control/monitoring is to evaluate the impact of the risk response on the residual risk levels. It also includes the alertness or readiness to respond to a potential risk through adequate stakeholder preparedness. It may involve the use of early warning signs such as risk simulations in a bid to mitigate the effects (Dodman et al. 2014).

The post-risk management involves the activities performed after a risk event has occurred. It entails a needs assessment to determine the damage or impact of the risk (Taheri & Tomlinson 2013). Concerted humanitarian efforts are also critical in managing a risk that has occurred (Osborne & Brown 2011). The justification for including this step is to provide a mechanism for handling the after-effects of risks in the event that they occur. The different stakeholders can collaborate to provide direct aid to those affected and promote recovery through the restoration of essential services. The coordination of the multi-stakeholder action involves the local government or public sector organisations in the community. Risk communication is considered an essential component in the IRGC and ERM frameworks. Similarly, in this model, risk communication and reporting are critical throughout the project to track progress and enhance accountability among the stakeholders.

Risk Governance in Public and Government Sector

Risk governance approaches differ between governments and public policy domains. In the UK, the dominant historical feature of risk governance was decision-making processes founded in scientific research, economics, and technical knowhow (Rothstein & Downer 2012). As such, public risks were managed through policies, e.g., the road safety policy, informed by distinct philosophical and practice foundations. More recently, risk analysis tools and principles have been adopted in risk governance initiatives in the public sector with an aim of improving risk tolerability to nurture creativity. Risk analysis based on probability models is used by the central government on a regular basis to inform the public about issues, such as the possibility of floods or depressed GDP growth. Moreover, public policy domains related to “service delivery, inspection, and enforcement” in the social service sector use risk-based strategies for prioritisation and regulation of activities (Rothstein & Downer 2012, p. 791). The same approaches are entrenched in state-owned enterprises.

Certain structural reforms precipitated the current risk governance practices in the UK. First, the occurrence of high-profile crises, e.g., disastrous floods, increased government efforts in risk analysis. As a result, the National Risk Register was created to help in framing and evaluating public risks based on “probability-x-impact frameworks” (Lodge & Wegrich 2011, p. 94). Second, risk governance is adopted in regulatory interventions, inspections, and enforcement. The rationale is to provide checks and balances for the bureaucratic systems to spur entrepreneurial growth in the public sector. Third, accountability systems have been implemented to create transparency and minimise the risk of failure. Managerial approaches, e.g., the New Public Management system, aim at improving decision-making processes to reduce the risk of failure (Lodge & Wegrich 2011). The approaches have made civil servants accountable for their governance/managerial actions or inactions.

In addition, the UK’s bureaucratic and legal systems are a source of accountability pressure for civil servants. They have to consider the expected tradeoffs for a risk/failure to be defensible before the public. However, risk-based rationalisations tend to conflict with professional principles in certain public sectors (Lodge & Wegrich 2011). For instance, risk-based management of the medical practice may conflict with the professionalism enshrined in the Hippocratic Oath (Lodge & Wegrich 2011). In addition, predicted risk-based rationalisations have gained use in the legal environment with attorneys framing risks based on costs and the probability of occurrence (Rothstein & Downer 2012).

Other comparable jurisdictions use different risk governance approaches from that of the UK. The French practice is founded in a technocratic (elitist) system and various institutional/constitutional principles that stand in the way of institutionalised risk-based governance. These philosophies include the government commitment to public security, establishment of public order, equal rights principle, and general interest maxim (Lofstedt 2011). Public officials must defend these paternalistic principles. However, the entrenched institutional cultures conflict with open and inclusive decision-making systems that are crucial in risk-based governance. The French government deals with this limitation through opacity, failure acknowledgement, and reactive crisis management (Lofstedt 2011). As a result, public officials tend to be risk averse and precautionary as opposed to being receptive to risk tolerance/acceptability principles.

In contrast, in Germany, constitutional provisions limit the development of a risk governance culture in the government and state-owned agencies. In particular, the ‘Schutzpflicht’ principle’s emphasis on the “state’s duty of protection of the public from dangers” tends to conflict with risk governance norms for delineating acceptable/unacceptable risks (Krieger 2012, p. 15). The doctrine calls for equality of treatment in terms of risk related to life and individual freedoms. In the US, by contrast, quantitative risk assessment is entrenched in the system, with the focus being on prohibition, e.g., gun ownership restrictions, to prevent risks.

Risk communication is a key issue in risk governance within the public sector. Well-framed communication is vital for successful risk governance, as it fosters multi-actor trust relationships. Palermo (2014) establishes that defining the best practices is crucial to successful risk governance in innovation-oriented public service organisations. The important skills of an effective risk manager are communication and relationship-building abilities, which relate to the principle of technocratic financial accountability. Risk communication requires a social learning approach and institutionalised transparency systems to promote an open and inclusive assessment of the risk. The main challenge here is how to promote effective multi-actor interaction and inclusion given the diversity of views and backgrounds. Social learning helps identify the effective communication strategy and inclusion level appropriate for a particular context or public actors. Inclusivity also has implications for risk framing and pre-assessment, as public values and concerns often determine the acceptability of risk governance interventions.

A second issue is how to integrate the diverse knowledge/experiences of the actors into the risk governance process. The consideration of the diverse risk perceptions and values in risk assessment is suggested as a way of developing effective solutions to identified risks (Palermo 2014). Therefore, risk governance in public institutions requires multidimensional evaluations, as scientific assessments alone are not adequate. Effective risk assessment goes beyond probability determination and cause-effect quantification. The integration principle requires the additional consideration of important values/issues like reversibility, equity, etc. (Assmuth 2011). Effective risk governance involves a risk-benefit analysis and tradeoffs related to a systemic risk or risks.

A third issue relates to the uniqueness of each risk problem. As Rothstein et al. (2013) write, establishing routines/conventions for risk governance is difficult given the “uncertainty, ambiguity, and complexity” of risks (p. 219). As such, public actors and institutions must engage in a reflective discourse to balance between the benefits and adverse effects of a risk. A prudent precautionary approach is necessary to capitalise on the opportunities inherent in the risk while mitigating its effects. The key question here is what level of uncertainty/effect the stakeholders can endure to receive the benefits of a risk.

The risk governance process often culminates in regulations/standards. However, the institutionalisation of rigid guidelines results in reduced flexibility that impedes creativity (Rothstein et al. 2013). Further, the rigidity affects the system’s responsiveness to unexpected risks. Therefore, the regulatory systems in public service organisations do not necessarily eliminate the probability of a risk occurring. On the contrary, the institutions should adopt “knowledgeable oversight” in risk management, as the responsibility of risk governance is not a preserve of the government (Power 2016, p. 15). However, delegating the ‘knowledge oversight’ responsibility to multiple actors introduces the challenge of accountability in public service provision (Andreeva, Ansell & Harrison 2014). Innovative regulatory standards can help promote accountability and risk governance in the public service sector.

Issues Learned from Literature

Table: issues raised in the literature, the theoretical argument behind each, the research gap identified, and the research questions that emerged.

Issue raised in literature: Stakeholders or actors in risk governance
Theoretical argument: An important theme emerging from the frameworks reviewed relates to the stakeholders involved in public or private sector organisations. Good risk governance depends on how relationships/interactions among the stakeholders are harnessed into collective actions in risk identification, assessment, analysis, response, and monitoring (Arena, Arnaboldi & Azzone 2010). Different stakeholders are mentioned in the frameworks in the context of the public sector, including national/local government, the private sector, civil society, communities, etc.
Research gap: Although the frameworks reviewed specify the key steps in risk governance, the description of the actors or stakeholders and their interactions in risk management is limited.
Emerging research questions:
– Who are the specific stakeholders or actors involved in risk governance in the public sector?
– What are the stakeholder relationship dynamics or interactions inherent in risk governance, especially risk decision-making processes?
– How do positive or negative power dynamics affect risk decision processes?

Issue raised in literature: The appropriate risk appetite based on the risk capacity of an organisation
Theoretical argument: The frameworks reviewed (OCC, REPM, ERM) affirm that the risks an organisation is willing to take should not exceed its risk appetite (IIA 2013). It requires a confirmation of the financial implications of a particular risk strategy, possible constraints during execution, and risk integration into strategic planning. These elements constitute a firm’s risk capacity. Given that any risk process should consider the risk/return tradeoffs, it becomes evident that the risk appetite threshold should exceed an organisation’s risk capacity.
Research gap: It is not explicitly explained to what extent the risk appetite should exceed the risk capacity to realise the full benefits/opportunities of a risk, while safely avoiding its negative impacts.
Emerging research questions:
– What is the risk appetite threshold that a public sector organisation can establish to profit from identified risks without experiencing dismal surprises?
– What level of uncertainty can public sector organisations accept in exchange for risk advantages given their altruistic/societal foundations?

Issue raised in literature: Risk communication and reporting
Theoretical argument: Communication, as a critical component of risk governance, recurs in most of the frameworks reviewed – IRGC, modified IRGC, ERM, and Risk IT frameworks. Effective communication is essential in risk governance activity (Renn 2011). The intent of risk communication and reporting is to educate and inform stakeholders to achieve trust in the process. Good risk reports by the board or the management lead to enhanced risk transparency.
Research gap: One main challenge with risk communication and reporting that is lacking in the literature is how to identify and meet the expectations of the stakeholders through the communiqué or risk reports. Given the diversity of backgrounds of the stakeholders, misjudgements in communications can cause mistrust that can hamper the responsible governing of risks.
Emerging research questions:
– How can meaningful interactions among stakeholders with different backgrounds be realised in the context of public investment projects?
– What specific elements should be included in risk reports to support information flows that are consistent with the diverse risk interpretations?

Issue raised in literature: Embedding a positive risk culture in the organisation
Theoretical argument: One area that has been the focus of the studies reviewed is the establishment of a risk culture in the organisation. It is noted that a consistent risk culture across the organisation is a critical aspect of risk governance: it ensures that operations or decisions fall within the established risk thresholds or appetite (IFC 2012; Polk 2014). Certain leadership activities, such as risk anticipation, can help change mindsets to cultivate a positive risk culture.
Research gap: In the literature reviewed, the common assumption is that risk culture is an intangible aspect of risk governance. This makes it difficult to measure improvement in risk culture or change from the baseline. Further, the indicators of a positive risk culture in organisations are not clear from research.
Emerging research questions:
– What set of leadership interventions should be considered to cultivate a new risk mindset and culture in public organisations?
– What assessments or measurements can be used to determine an organisation’s risk culture?

In this chapter, a systematic review of scholarly literature on risk governance has been done. Although risk governance definitions vary widely, they all feature multi-actor involvement and transparency/accountability principles. It can be conceptualised as a multi-stakeholder network/process for evaluating and managing public risks. Risk governance provides a framework for the involvement of all actors in the responsible management of risk problems. The major risk governance frameworks reviewed in this research include Brown and Osborne’s (2013) model for public service innovation, the IRGC model, and the modified IRGC framework. Risk governance is a cyclic process comprising five interconnected phases that culminate in an optimal risk management option for an identified risk. The risk governance approaches adopted in public service organisations in countries such as the UK focus on the institutionalisation of risk analysis tools to support policy/decision rationales and accountability. The identified issues of risk governance in the public/government sector include the communication/inclusion of multiple stakeholders, multidisciplinary knowledge/experience integration, routines, and the flexibility of regulatory approaches.

The review has examined eight existing frameworks of risk governance in various sectors. The first one is Brown and Osborne’s (2013) framework, which is applicable to public sector innovation. It links technocratic, decisionistic, and transparency approaches to different possible formulations of innovation, i.e., evolutionary, expansionary, and total innovation. Evidently, this framework is too simplistic to cater for the diverse multi-actor processes involved in public sector risk governance. The second framework reviewed is that provided by the IRGC. Its five phases – pre-assessment, appraisal, characterisation and evaluation, management, and communication – provide a foundational theoretical lens for risk governance across all sectors. However, clearly, the framework is too linear to reflect the iterative and integrated nature of public sector decision-making. Nevertheless, it provides a good starting point for the development of a more integrated framework of risk governance. To avoid the problem seen in the earlier IRGC model (linearity), the modified IRGC framework by Renn, Klinke, and van Asselt (2011) involves a cyclic process. It also introduces the element of multi-actor inclusion in the pre-estimation stage.

The problem seen in the IRGC framework also occurs in the OCC’s framework, which is meant for corporate risk governance in banks. This framework involves additive steps of establishing a risk management system, risk appetite, and risk culture that proceed in a logical sequence. In contrast, the IPCC model highlights a host of activities for reducing natural risks and managing residual risk events. The REPM framework centres on value creation for the organisation through oversight/planning, business-level planning, operational execution, and the monitoring and compliance of corporate risks. In contrast, the ERM framework focuses on the unit-level and entity-level business risks that threaten a firm’s operations. The Risk IT framework gives integrated activities for risk governance, risk evaluation, and risk response to help organisations make risk-aware decisions.

The maturity model developed draws on the components of the IRGC, ERM, and integrated ERM frameworks. It has been developed to include the multiple stakeholders involved in risk governance in the public sector, the risk appraisal and risk evaluation phases of the IRGC model, and the risk response and control activities phases of the ERM model. It also includes five elements drawn from the integrated ERM framework. In brief, the risk governance component adapted from this framework clarifies the roles and responsibilities of the various actors as well as the established controls. Risk analysis and reporting centres on the impact and probability of each risk, while risk culture defines the mindset changes or norms cultivated in the organisation through leadership interventions. Risk decision processes and performance involve risk-related decisions that are attuned to the organisation’s strategic plan and resource allocation. The last element, risk capacity and ownership strategy, ensures that the risks taken or accepted reflect the organisation’s risk appetite and capacity. The advantages of the new model include its relevance to the public sector and the inclusion of all actors in this sector.

Four key issues or themes emerge from the literature reviewed. The first one is the diversity of stakeholders and breadth of their interactions in a public risk environment. The appropriate risk appetite for organisations is another issue evident in literature. Effective risk communication/reporting that reflects the diversity of stakeholder backgrounds and interpretations is another key issue in this research. Finally, the challenge of embedding a new risk mindset or culture comes up as a significant issue in risk governance literature.


Arena, M, Arnaboldi, M & Azzone, G 2010, ‘The organizational dynamics of enterprise risk management’, Accounting, Organizations and Society, vol. 35, pp. 659-675.

Beckers, F, Chiara, N, Flesch, A, Maly, J, Silva, E & Stegemann, U 2013, ‘A risk-management approach to a successful infrastructure project: initiation, financing, and execution’, McKinsey Working Papers on Risk, vol. 1, no. 52, pp. 1-18.

Brodeur, A, Buehler, K, Patsalos-Fox, M & Pergler, M 2010, ‘A board perspective on enterprise risk management’, McKinsey Working Papers on Risk, vol. 1, no. 18, pp. 1-22.

Brodeur, A & Pritsch, G 2008, ‘Making risk management a value-adding function in the boardroom’, McKinsey Working Papers on Risk, vol. 1, no. 2, pp. 1-20.

Frigo, ML & Anderson, RJ 2011, ‘Strategic risk management: a foundation for improving enterprise risk management and governance’, Journal of Corporate Accounting & Finance, vol. 22, pp. 81-88.

Gates, S, Nicolas, J & Walker, P 2012, ‘Enterprise risk management: a process for enhanced management and improved performance’, Management Accounting Quarterly, vol. 13, no. 2, pp. 1-11.

Hopkin, P 2012, Fundamentals of risk management: understanding, evaluating and implementing effective risk management, Kogan Page Publishers, London.

Hoyt, RE & Liebenberg, AP 2011, ‘The value of enterprise risk management’, Journal of Risk and Insurance, vol. 78, pp. 795-822.

ISO 2015, Risk management: a practical guide for SMEs, Web.

Lamarre, E & Pergler, M 2009, Risk: seeing around the corners, Web.

McKinsey & Company 2013, Practitioners guide to transforming ERM infrastructure, McKinsey & Company, New York, NY.

McNeil, AJ 2013, ‘Enterprise risk management’, Annals of Actuarial Science, vol. 7, pp. 1-2.

Mikes, A 2011, ‘From counting risks and making risks count: boundary-work in risk management’, Accounting, Organizations and Society, vol. 36, pp. 226-245.

Pergler, M 2012, ‘Enterprise risk management’, McKinsey Working Papers on Risk, vol. 1, no. 40, pp. 1-17.

van Asselt, M & Renn, O 2011, ‘Risk governance’, Journal of Risk Research, vol. 14, no. 4, pp. 431-449.