“Governance of risks in South Africa’s public higher education institutions (HEIs)”

The author examines the manner in which risk is governed within higher education institutions (HEIs) in South Africa by formulating risk governance statements based on the requirements of the King III Report on Corporate Governance and other relevant literature. The formulated risk governance statements are used to develop the risk disclosure measurement index. Disclosure measurement method is accepted as a flexible method to use when extracting the pre-determined information in the annual reports. The developed risk disclosure index is used to extract the information from South Africa’s higher education institutions’ annual reports. The information disclosed in these annual reports is deemed a proxy of risk management practices within the higher education institution concerned. The results obtained indicate that South Africa’s higher education institutions have not embraced risk management as a key process in their activities. This is apparent in the assessed annual reports as compliance with the pre-determined set of statements was around 50%. For those that have not demonstrated these practices, it is stated that the concern is around the manner in which their highest decision makers make decisions, as it appears that risks may not necessarily be taken into account. As higher education institutions in South Africa continues to face challenges and they would possible be revising their strategies to take into account the recent events, every strategic decision being undertaken should be accompanied by a proper risk assessment to identify potential pitfalls (threats) and/or take advantage to achieve results promptly (opportunities).


Introduction ©
South African universities and universities of technology (higher education institutions) are currently facing highly publicized incidents (challenges) which includes amongst others the demand for free tertiary education, demand for sufficient student residences, demand for removal of "colonial symbols", transformation and the use of a singular medium of teaching.These demands often have been accompanied by protests, which sometimes have been violent in some campuses across the country.The challenges mentioned above would require South African higher education institutions to revisit their strategic objectives so that they can build strategic responses around these challenges.For instance, should the demand for free education become a reality, universities and universities of technology would have to revisit the strategic objective relating to their long term financial sustainability.This is because part of the universities income is funded through the national income.If tertiary education was to be completely free, either government contribution to the universities income would have to be increased to compensate for the part that universities would not be receiving from students or alternative sources of income would have to be found.
In a developing country such as South Africa, there are competing and pressing needs in the "fiscus" (national budget), this include amongst others, health services, shortages of housing, social security (government grants to the poor and most vulnerable) etc.In 2015, the Presidency (2015, cited in Moloi, 2016) highlighted some of these areas as key focus areas (priorities) namely: education, health, rural development, fighting against crime and corruption, the creation of decent work and sustainable livelihood and human settlements.
Operating in an environment where there are competing attention for scarce resources, South African higher education institutions would need to be proactive in identifying and harnessing other streams of revenue/income.The need for proactively identifying other sources of income by South African higher education institutions becomes paramount particularly due to the fact that the South African economy is not expected to grow at a quicker rate in the next few years.This, coupled with the fact that there are already competing and pressing issues would mean that revenue collected by government and distributed across sectors of the economy would be restricted.
As South Africa's higher education institutions long-term strategies shift to focus on the recent and most pressing issues, the upside and the downside of each tactical intervention aimed at addressing the challenges and ensuring long-term viability has to be taken into account.It is on this basis that enterprise risk management (ERM) within higher education institutions in South Africa has to be strengthened so that uncertainties around strategic objectives could be identified.Depending on how the uncertainty has been projected, i.e. on one hand, should the uncertainty be projected to be negative (threats), those charged with governance should ensure that those uncertainties are thoroughly mitigated to support the achievement of objectives.On the other hand, should uncertainties be projected to be positive (opportunities), they should be leveraged upon so that prompt value could be delivered to stakeholders.In this argument, risk, performance and strategy should be in tandem.
The idea as presented above that risk and strategic decision-making cannot be separated is consistent with ISO 31000 (SABS, 2009) definition of risk.In a similar manner, the projection of uncertainties as negative or positive is also found to be consistent with ISO 31000 (SABS, 2009).The argument for the consistency between risk and strategy could be deduced in the choice and manner in which risk is defined in the ISO standards.In this regard, risk is defined as the "effect of uncertainty on the objectives" (SABS, 2009).This definition introduces the concept of objectives.Naturally, objectives are long-term and forward looking.
Similarly, the idea that risk and strategic decision making cannot be separated is also found to be consistent with the Committee of Sponsoring Organizations of the Treadway Commission (COSO 2004) definition of risk.In the Committee of Sponsoring Organizations of the Treadway Commission (COSO 2004), risk is defined as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives" (COSO 2004).
The pending strategic revisions (shift) of most strategic objectives as a result of the recent issues points to the fact that the manner in which risk is viewed and governed in South Africa's higher education institutions is expected to shift to move closer to the strategic decision making.This is in congruence with the King III Report on Corporate Governance (IoD, 2009) where risk management has been placed at the nerve centre of strategic making process.It could be argued that the King III Report on Corporate Governance (IoD, 2009) places risk on the strategic agenda to ensure that those at the nerve centre of strategic decision-making could formulate scenarios that identifies causes of uncertainties and could hinder the achievement of that organizations strategic goal or the formulation of scenarios that could be leveraged for the achievement of objectives timely, cost efficiently and effectively.

Objectives, scope and limitations of the study
The main aim of the study was to determine the extent in which risk is governed within South Africa's higher education institutions.Risk governance statements were formulated and used to develop the risk disclosure instrument.This instrument was subsequently used for the purpose of extracting the information disclosed in the annual reports of higher education institutions.Each South African higher education annual reports were deemed a proxy of risk management practices within that particular institution.
The main limitation of this study was that it assessed the manner in which risk is governed in South Africa's higher education institutions.The institutions referred to herewith are publicly funded universities and universities of technology in the South African landscape.Private universities and other private higher education institutions with operations in South Africa were not considered and they present an opportunity for future research.
Currently, there are twenty five (25) universities and universities of technology in South Africa.Two (2) of these were new and the information relating to the governance of risk was not available at the time of assessment.In addition to this, annual reports of four (4) universities and universities of technology were requested from relevant institutions were not received.
The remainder of this paper is structured in the following manner: review of existing risk management literature in the higher education institutions.The method followed in extracting the relevant data is discussed and then a section presenting the research results and an analysis and interpretation of the findings is presented.

Risk management developments in higher education institutions
As far as this research work could determine, no research has specifically focused on risk management in South Africa's higher education institutions.This reinforces the point argued by Coetzee and Lubbe (2013) where they point out that the subject of risk has not been widely studied.During the preparatory work, it was noted that literature that has been conducted on this space has primarily focused on corporate governance (Hall et al., 2002;Marx, 2007;Grundling & Steynberg, 2008;Barac, Marx & Moloi, 2011).
Understanding the manner in which South African higher education institutions manage risk has become urgent given the complexities posed by recent highly publicised events.Bubka and Coderre (2010) highlight some of the reasons for proper risk management in higher education institution, amongst others, for instance, the fact that universities need to protect students, faculty, administration, support workers, contracted workers, the public and their school's reputation.Accordingly, Bubka and Coderre (2010) warn that should a catastrophic loss occurs, the media coverage may affect that particular university's reputation, posing a threat to future admissions, endowments and financial strength.
In the global context though, PwC (2014) observed that the increased complexities in the higher education business, including rapidly increasing regulatory requirements, increased public scrutiny and demands, and rapid technological change have resulted in the many higher education institutions evaluating and implementing various enterprise risk management and institutional compliance structures as a response to these complexities.
To emphasize its point on the rapidly increasing regulatory requirement, PwC (2014) citing the American Council on Education highlight that approximately 150 new federal regulations impacting higher education have been issued since 2008.Further, the American Council on Education report interestingly observes that "the rate of administrative hiring has surpassed that of enrolment-driven academic recruitment".
In this regard, the American Council on Education report (as cited in PwC, 2014) observes that lawyers, government relations specialists, risk managers, compliance officers, regulation analysts, and procurement specialists now compete for the same budget dollars, along with instructors and teaching assistants.
In South Africa, the Higher Education Amendment Bill of 2015 which is aimed at amending the Higher Education Act of 1997 (RSA, 1997) is currently being reviewed by relevant stakeholders.In summary, the Higher Education Amendment Bill of 2015 (RSA, 2015) is said to be aimed at providing mechanism for "the determination of transformation goals and oversight, providing mechanisms for the public higher education system; to provide for the development of articulation and recognition of prior learning frameworks; to provide for the conversion of public higher education institutions; to provide for the powers of the council of a public higher education institution to invest funds; to provide further for the issuing of Ministerial directives; to provide for indemnification of an independent assessor; to provide for the indemnification and termination of the term of office of an administrator; to provide for different categories of registration of private higher education institutions and the associated rights and to provide for the withdrawal and revocation of qualifications by public higher education institutions" (RSA, 2015).

Methodology
With recent challenges facing the South African higher education, strategies are expected to shift to incorporate tactics to deal with challenges.As strategies shift, there should be an enhanced role of enterprise risk management within higher education institutions, particularly with regards to the identification of uncertainties around the strategic direction chosen.As the role of enterprise risk management is enhanced, strong risk governance and risk management structures have to be in place.It is therefore important to determine the current extent of risk governance in South Africa's higher education institutions.On this basis, this study aimed at determining the extent in which risk is governed within South Africa's higher education institutions.
Using the King III Report on Corporate Governance (IoD, 2009) and related literature on the governance of risk, thirty (30) statements were formulated as a proxy of risk governance.The formulated statements were used to develop the risk disclosure instrument.This instrument was deemed a crucial element for the purpose of extracting the information disclosed in the annual reports higher education institutions which is deemed the proxy of current risk management practices.The method followed, which is the development of a disclosure measurement instrument is consistent with Cooke (1991) advice.Accordingly, the main idea behind the disclosure measurement instrument is the development of potential list of items that should be disclosed in the annual report of the selected institution.
Further on the paragraph above, Ali et al. (2004) observe that studies from developing countries tend to examine level of compliance with certain disclosures which are often mandatory disclosure because of a relaxed enforcement policy compared to that of developed countries.This is the case in this study as the King III Report on Corporate Governance (IoD, 2009) used for the purpose of formulating the proxy risk governance statement is a recommendation that is applicable to all organizations in South Africa regardless of manner or form and the fact that the King III Report on Corporate Governance (IoD, 2009) follows the apply or explain approach.Companies listed on the Johannesburg Securities Exchange would ordinarily have high compliance because the King III Report on Corporate Governance (IoD, 2009) is part of the listings requirements while other organizations and entities may argue that the requirements are not necessarily intended for them.
As far as this work can determine, Cerf (1961) appears to be the first researcher who used the disclosure measurement index for the purpose of measuring the extent of information disclosure in the annual reports.Since then, there have been several researchers who have adopted the disclosure measurement index as a methodology to measure the extent and the nature of information disclosed in the annual report of organizations under their review.In this regard, several other accounting related studies have investigated the use of disclosure analysis i.e.Marston andShrives (1991, 1996) Cooke and Wallace (1990) support the use of a disclosure measurement index.For them, such an index could be used to gain insight into the level of internal organizational practices through the information disclosed in the annual report.They further view the process of developing the disclosure measurement index as an attempt to measure abstract concepts.It would seem that their argument lies in the fact that the disclosure measurement index becomes the proxy in the absence of an instrument that can be used to measure the observed practices directly.This is consistent with the arguments proposed in this study as the information contained in the annual reports and extracted from these reports through the developed risk disclosure measurement instrument is viewed as a proxy of the observed South Africa's higher education institution's risk practices.
Different researchers have proposed different ways in which the disclosure measurement instrument can be carried out.Hassan and Marston (2010) agree that there are different ways in which the disclosure measurement index can be carried out.Therefore, the disclosure measurement index is viewed as a flexible method as it permits for the wide variety of approaches.
In their study of the use of disclosure measurement instruments, Hassan and Marston (2010) found that while various proprietary indices exist which permits researchers to use this as a base, many researchers still choose to construct their own indices to meet the needs of their own research.They further observed that self-constructed disclosure index studies generally employ small samples due to the laborintensive data collection process.
With regards to the manner in which the disclosure measurement instrument can be employed, there appears to be two schools of thought.The first school of thought led by researchers such as Cooke (1989) From the paragraph above, it is apparent that the disclosure measurement instrument can either be weighted or unweighted.For the purpose of this paper, the risk disclosure measurement instrument developed was unweighted.South African higher education annual reports were deemed a proxy of risk management practices within that particular institution.As such, formulated risk governance statements were used to determine whether there were (or not) risk governance structures in place in the observed South Africa's higher education institution.
The content contained in formulated risk governance statement was checked whether it was incorporated or not incorporated in the observed South Africa's higher education institution's annual report.This step was repeated for all the nineteen (19) units under observation as well as thirty (30) formulated risk governance statement contained in the developed risk disclosure instrument.

Research findings and interpretation
The results demonstrated below presents the aggregated research findings obtained based on the analysis performed on the nineteen ( 19) units observed as well as thirty (30) formulated risk governance statement contained in the developed risk disclosure instrument.Note: n = number of integrated/annual reports observed.
Table 2 above shows risk management categories relating to the governance of risk, determination of tolerance and appetite levels, establishment of relevant committee to assist the Council and the delegation of responsibilities to management of an institution concerned.Using the annual report as a proxy of risk management practices in the South Africa's higher education institutions, it is clear in Table 2 above that, in general, structures that are fundamental in ensuring the smooth transitioning of risk management practices were not practiced as the majority of the observed categories were not disclosed in the assessed higher education's annual reports.
With regards to the statement relating to the existence of the Council approved policy and plan of the system of risk management, of the nineteen (19) units observed, only 42% had disclosed the fact that the higher education institution concerned had the Council approved policy and plan of the system of risk management.Further, it was observed that only two (2) units contained the information relating to the Councils comment on the effectiveness of the system of risk governance in the institutions they oversee.
There was further poor practices around the ongoing Council training on risk governance (no higher education institution disclosed this information), the distribution of risk management policy and plan across the institution (no higher education institution disclosed this information), annual approval of risk management plans by Council (21% disclosed this information) and continual monitoring of execution of risk management plan by Council (26% disclosed this information).It is noted here that slightly more than half of South Africa's higher education institutions (58%) indicated that Council had expressed its responsibility of risk governance in its charter.
The determination and monitoring of risk appetite and risk tolerance is also equally of concern in South Africa's higher education institutions.In this regard, one (1) institution indicated that risk appetite and tolerance were determined annually and that risks assumed in the previous year and reported on were within the defined limit.Ninety five (95%) of South Africa's higher education institutions were silent on whether the appetite and tolerance had been determined and whether risks assumed and reported on in the previous year were within the limits.
There was an improved demonstration of risk management practices in the information relating to the committee members i.e. membership of the relevant committee charged with governance of risk within the higher education institution observed (this is audit and risk committees, audit committees and risk committees of Council).With regard to the stated relating to whether membership of Council committees consisted of executive members as invitees and non-executive members and that the committee had at least three members that met at least twice annually, it was observed that ninety five percent (95%) of higher education institutions observed disclosed this information.A fair demonstration of risk management practices was also observed with regard to the information relating to the relevant committees duty of considering and monitoring risk management policy and execution of the approved risk management plan.
Having showed the improvement in committee practices, it was immediately observed that poor practices were demonstrated in the information relating to performance evaluation of relevant committee by Council as 5% of observed higher education institutions attached this statement.It is concerning that it appears that performance evaluation of committees' members is not conducted.The inability to conduct performance evaluation exposes Councils to retention of ineffective members which may have the consequences of materialization of risks, depending on the magnitude of these risks, this could derail the strategy and the institution concerned.
Further, poor risk management practices were observed in the information relating to the relevant committee members having access to independent experts should they require expert opinions on certain matters.Again, it is concerning that there are poor practices relating to this.The inability of committee members to access quality advice as and when they require it on matters related to their duties could result in improper and costly decisions for the institution concerned.
It does not appear as if South Africa's higher education institutions have embraced the idea of separate risk departments within their structures.This is clear in the poor practices relating to the Chief Risk Officers (CROs).There seem to be reliance on the internal audit departments to conduct the day to day risk management activities.To the extent, the vulnerability of doing this to the institution concerned is that risks are likely to be taxonomy based as well as control driven, forcing the risk management process to be backward looking and missing the long term view (strategic imperatives) which is arguable important for the sustainability of an institution.
Some better practices were demonstrated with regards to the day to day integration of risks to the university activities as well as embedding of risk management systems and practices by management to deliver on the Councils strategy.Sixty eight (68%) of South Africa's higher education institutions indicated that they practiced this in their operations.Notes: n = number of integrated/annual reports observed.
Table 3 above shows coded risk management categories relating to the risk identification risk assessment, risk response, risk monitoring as well as assurance and risk disclosure.There was poor practices with regards to the information relating to the approved combined assurance framework (5% disclosed this information), provision of assurance by management as a first line of defence in the combined assurance model that controls are in place for all risks (no higher education institution disclosed this), written assessment by internal audit as a second line of defence in the combined assurance framework that the risk management system and process was effective (no higher education institution disclosed this), written assessment by other external assurance providers that the risk management system and process was effective (no higher education institution disclosed this).
In a similar note, there was poor practice by South Africa's higher education when it comes to the management's role in monitoring risks and formulating risk responses.In this regard, no higher education institution indicated that it uses the risk management process, in addition to identifying and managing threats, to identify and exploit opportunities that could arise to improve the performance of the higher education institution concerned.
There were improved practices on risk responses as fifty three (53%) of South Africa's higher education institutions did indicate that they had formulated risk responses to control each risk identified.With no assessment of internal audit as to whether the system of risk governance was effective, it should be a challenge to the Council and the relevant committee (Audit and Risk Committee of Council or Risk Committee of Council or Audit Committee of Council) to examine the effectiveness of these formulated controls.
Further, improved practices were observed in the information relating to the use of a systematic approach and process in the identification of risks (53%), identification of divergent risks (68%), conducting of risk assessments annually (74%), prioritization of risks (53%) as well as regular submission of risk reports to Council for deliberation and decisions (53%).The concern is that compliance with formulated risk governance statement in these statements was around 50% (except the conducting of risk assessments).For those that do not demonstrate these practices, the question is how their Councils (and Executive Management) do make decisions without risk considerations?

Conclusion, recommendations and implications of the study
This paper examined the manner in which risk is governed within higher education institutions in South Africa.Risk governance statements were formulated, primarily based on the risk requirements of King III Report on Corporate Governance (IoD, 2009) and other related literature.This approach was found to be consistent and supported by literature particularly when it comes to the developing nations i.e.Ali et al. (2004) observe that studies from developing countries tend to examine level of compliance with mandatory disclosure because of a relaxed enforcement policy compared to that of developed countries.
Formulated risk governance statement was used to develop the risk governance disclosure measurement index.The disclosure measurement method was found to be acceptable for the purpose of this study as most researchers have argued that this methodology is flexible.Further, it has been argued that this methodology is appropriate when the researcher is attempting to gain insight into the level of internal organizational practices through the information disclosed in the annual report.
Using annual reports as a proxy of risk management practices within the higher education institutions in South Africa, the main finding is that South Africa's higher education institutions do not appear to have embraced risk management as a key process in their activities due to the lack of necessary structures.It was observed, for instance, that higher education institutions have not been able to leverage the risk management process to exploit opportunities so that they can improve the performance of the university concerned.Higher education institutions should look at risk in ways, the threat and an opportunity.
Further, the combined assurance process seems to be totally lacking within the higher education institutions in South Africa.The main downside with this would be that there could be duplication of efforts amongst different assurance providers due to the lack of coordinated assurance activities, institutions facing this problem would be unable to leverage the efforts of other assurance providers as no other knows what the other is doing, there could be assurance fatigue resulting in resistance to participate by risk owners.Higher education institutions should look into putting in place the process of combined assurance.
In conclusion, it was observed that on average, compliance with the pre-determined set of statements was around 50%.For those that have not demonstrated these practices, the concern will be around the manner in which decision are made, as it appears that risks may not necessarily be taken into account.As higher education institutions in South Africa continues to face challenges and they would possible be revising their strategies to take into account the recent happening, every strategic decision being undertaken should be accompanied by a proper risk assessment to identify potential pitfalls (threats) or take advantage to achieve results promptly (opportunities).

Table 1 .
Universities and universities of technology in South Africa Durban University of Technology

Table 2 .
Governance of risk, tolerance & appetite, relevant committee and delegation of responsibilities

Table 3 .
Risk identification, assessment, risk response, risk monitoring, assurance and risk disclosure