“A cross sectoral comparison of risk management practices in selected South African organizations”

This paper examines the manner in which risk is governed in certain selected sectors of the South African economy. To extract the statement deemed as a proxy of risk management practices in the certain selected South African organizations, the disclosure risk measurement instrument was developed. This instrument was used as a gauging tool for the information disclosed in the integrated/annual report. Risk practices statements were formulated using the governance of risk chapter of the King III Report on Corporate Governance, applicable to all organization regardless of manner or form of incorporation and the Public Sector Risk Management Standards, applicable to South Africa’s public service organizations. The results obtained indicated a high level of risk management practices by the JSE listed companies. This could be attributed to the fact that the King Code has been incorporated as part of the JSE listings requirements. This paper further theorized that the high level practices in JSE listed companies could be attributable to the high level of scrutiny by shareholders in companies where they have vested interest. With regards to the National Government Departments and the South Africa’s higher education institutions, a lot of work still has to be done to embed key risk practices in these respective organization’s internal processes.


Introduction 
Several generic risk management principles have been developed to help organizations with the structured process to identify, manage, control and report their risks.These risk management principles, frameworks and standards include, among others; the risk management standards (FERMA, 2002), the Australian and New-Zealand risk management standards (Australian & New-Zealand Standards, 2004), the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2004) and the International Standards Organization (SABS, 2009).
The word generic in the first paragraph and sentence mean that the proposed risk management frameworks, principles and standards could be applied in any organization, regardless of that organizations nature of incorporation, i.e., they can be applied in private sector organizations, public sector organizations and nongovernmental organizations.Fone and Young (2005) support the idea that risk management frameworks, principles and standards are generic and they can be applied in private sector organizations, public sector organizations and nongovernmental organizations.This becomes clear in their statement where they advance the view that the process of managing risks in the private sector should not be different to its counterpart in the public sector (Fone &Young, 2005).
In its opening paragraph on the risk management guidelines, the Australian and New-Zealand standards (2004) underscore the point advanced by Fone and Young (2005) on risk management frameworks, principles and standards.This is clear in their (Australian & New-Zealand Standards, 2004) message where they emphasize that risk management is a key business process within both the private and public sector around the world.Similarly, their guidelines further emphasizes risk management as a holistic management process applicable in all kinds of organizations, at all levels and to individuals (Australian & New-Zealand Standards, 2004).
For Hood and Young (2005), much as risk management frameworks, principles and standards become generic and could be applied in private sector organizations, public sector organizations and nongovernmental organizations, public sector organizations tend to focus more on macro-economic, as well as public safety risks.Hood and Young (2005) affirmation could be interpreted as driven by the nature of public service organizations which mainly their mandate tend to be biased on issues such as the delivery of public goods and ensuring stability.
On the basis that risk management frameworks, principles and standards become generic and could be applied in private sector organizations, public sector organizations and non-governmental organizations, this study deemed it possible that a cross sectoral comparison could be undertaken.As such, this paper aimed at comparing risk management practices in selected South African organizations based on different sectors of the economy.

Objectives, scope and limitations of the study
The rationale behind this paper is to determine the extent in which risk is governed in the certain selected South African organizations.South African publicly funded higher education institutions, top 20 JSE listed companies and national government departments were selected for this purpose.
The information contained in the integrated/annual reports of selected organizations was deemed a proxy of risk management practices by these organizations.Reference is made to integrated/annual reports, because listed companies are already compiling integrated reports for their stakeholders.It was noted that both the national government departments and the higher educational institutions are still compiling annual reports.
To determine the extent of risk management practice in each individual organization, a risk disclosure measurement instrument was formulated.This instrument was made out of the risk governance statements.Each individual integrated/annual report was assessed to determine whether it contained the pre-determined statement as per the risk disclosure measurement instrument.
The main limitation of this study is that the focus was only narrowed to the top 20 Johannesburg Securities Exchange (JSE) listed companies, publicly funded universities and universities of technology, as well as national government departments.
In future, a broad study could be undertaken to include more companies listed on the JSE, private universities and other private higher education institutions with operations in South Africa, provincial government departments, state owned companies and municipalities.
The remainder of this paper is structured in the following manner: brief overview of latest developments in risk management literature.The method followed in extracting the relevant data is discussed and, then, a section presenting the research results and an analysis and interpretation of the findings is presented.

Brief overview of the latest developments on risk management
Coetzee and Lubbe (2013) have argued that the subject of risk management has not been widely studied both in the South African context and globally.In this study, it is noted though that the body of knowledge on risk management in both the private and the public sector perspective is on the rise.In the previous decade (2001)(2002)(2003)(2004)(2005)(2006)(2007)(2008)(2009)(2010), for instance, this study notes that some of the work conducted on the subject of risk management includes the study on adapting risk management principles to the public sector reforms (Ene & Dobrea, 2006), as well as strengthening risk management in the United States (US) public sector (Braig, Gebre & Sellgren, 2011).
In this decade (2011 to date), this study notes the work conducted by Cooper (2010) in the province of Newfoundland and Labrador.In this PhD thesis, Cooper (2010) focused on strategic risk management in the municipal and public sector by exploring the critical success factors and barriers to strategic risk management.In another PhD thesis conducted in the South African context, Vergotine (2012) constructed and evaluated an enterprise risk management instrument for state owned entities in South Africa.
Recently, Moloi (2016) studied risk management practices in the South African public service and Moloi (2015a) critically examined risks disclosed by South African mining companies' pre and post the Marikana event.
Further, in a study that analyzed integrated reports, Moloi (2015b) assessed the disclosure of risk management practices in the top 20 South Africa's listed companies, whilst Molotsi & Moloi (2015) reviewed human resources risks in a merged academic institution.From the banking perspective, Moloi (2014a) determined the leading external and internal indicators of credit risk in the top South African banks.Another study on risk management in the South African context determined the disclosure of risk management practices in the top South Africa's mining companies (Moloi, 2014b).
Studies highlighted above indicate that there is an increase in the number of studies conducted on the subject of risk management in both the private and the public sectors.It is, however, conceded that a cross sectoral comparison of risk management practices has not been widely conducted, both in the South African landscape and globally.
As far as this study could determine, few studies exist in this regard, for instance: in a study of almost a similar nature in the South African context, Coetzee and Lubbe (2013) used the evaluation research methodology to determine the nature and the extent of risk maturity levels of the top 40 JSE listed companies and the 37 national government departments in the South African public sector.Their findings were that on average the selected top 40 JSE listed companies were risk mature compared to the national government departments.
As indicated earlier that there is not much research that has been conducted in the context of cross sectoral comparison of risk management practices, this study contributes to the growing body of knowledge on risk management by providing an insight on the specific area, namely: the cross sectoral comparison of risk management practices in the South African context.

Methodology -the disclosure measurement instrument
This study followed the disclosure measurement instrument as a method for guidance in extracting relevant information contained in the selected organizations integrated/annual reports.Statements that formed part of the disclosure measurement instrument were constructed using the guidance of the risk governance chapter of the King III Report on Corporate Governance (IoD, 2009) 2004), as well as Mangena (2004).The reason for the rising number of accounting related research employing the disclosure measurement instrument could be attributed to the fact that most accounting related studies have in the past been more focused on the information contained in the integrated/annual reports.
The advantage of the disclosure measurement instrument is that it permits the researcher to gain insight into the level of internal organizational practices through the information disclosed in the annual report without conducting interviews or sending surveys.It is argued here that this advantage has its own drawbacks, for instance: should the information not be incorporated, for some reasons or the other in the report that is being reviewed by a researcher, a researcher could incorrectly conclude that the organization concerned does not have or apply such a practice.
Another advantage of the disclosure measurement instrument is highlighted by Hassan and Marston (2010) where they indicate that the disclosure measurement instrument permit flexibility.With flexibility, there is a wide variety of approaches.Once more, the drawback with this is that there would not be any uniform benchmark, as different researchers would use different instruments.
For the purpose of extracting the relevant information in the integrated/annual reports in the organizations under observation and to get into the results presented below, the content contained in formulated risk governance statement was checked whether it was incorporated or not incorporated in the observed national government departments, top 20 JSE listed companies and South Africa's higher education institution's integrated/annual reports.This step was repeated for all seventy three (73) units under observation, as well as thirty (30) formulated risk governance statement contained in the developed risk disclosure instrument.

Research findings and interpretation
The results demonstrated below present the aggregated research findings obtained based on the analysis performed on the seventy three (73) units observed, as well as thirty (30) formulated risk governance statement, contained in the developed risk disclosure instrument.Units observed were made up of thirty four (34) national government departments, twenty (20) JSE listed companies and nineteen (19) higher education institutions.Notes: n = number of integrated/annual reports observed in a sector; oversight body = board of directors, university council, accounting officer/authority; HEI = Higher Education Institution; COM = Selected JSE Listed Company; NGD = National Government Department.
Table 1 above demonstrates risk management practices and categories relating to the governance of risk, determination of tolerance and appetite levels, and establishment of relevant committee to assist the oversight body, as well as the delegation of responsibilities to management by the oversight body.Using the integrated/annual report as a proxy of risk management practices in the selected organizations, it is clear in Table 1 above that, in general, structures that are fundamental in ensuring the smooth transitioning of risk management practices were not practiced by higher education institutions and national government departments.On the contrary, these structures were highly present in the JSE listed companies, as the majority of the observed categories were disclosed in their integrated reports.
With regards to the statement relating to the existence of the oversight body's approved policy and plan of the system of risk management, in the higher education institutions, 42% disclosed the fact that the higher education institution concerned had the oversight body's approved policy and plan of the system of risk management.All JSE listed companies indicated that they had approved policy and plan of the system of risk management, whereas 29% of observed national government departments contained this information.
It was observed that only two (2) higher education institution units contained the information relating to the oversight body's comment on the effectiveness of the system of risk governance in the institutions they oversee.All JSE listed companies contained this comment, and eight (8) observed national government departments contained this information.
A further poor practices was observed around the ongoing national government departments and higher education institution's oversight body's training on risk governance (no higher education institution and no national government department disclosed this information), the distribution of risk management policy and plan across the institution (no higher education institution and no national government department disclosed this information), annual approval of risk management plans by the oversight body (21% of higher education institutions disclosed this information and no national government department disclosed this information) and continual monitoring of execution of risk management plan by the oversight body (26% of higher education institutions and 21% of national government departments disclosed this information).On the contrary and with the exception of the information relating to the ongoing training (45% of JSE listed companies disclosed this information), improved practices were observed in all these categories for the JSE listed companies.
The determination and monitoring of risk appetite and risk tolerance is also equally of concern in all observed organizations.In this regard, one (1) higher education institution and one (1) national government department had indicated that risk appetite and tolerance were determined annually and that risks assumed in the previous year and reported on were within the defined limit.
In JSE listed companies, eight (8) companies had indicated that risk tolerance and appetite levels were determined annually, and seven (7) companies had indicated that risks assumed in the previous year and reported on were within the defined limits.It is clear in this category that a huge percentage of South African organizations were silent on whether the appetite and tolerance had been determined and whether risks assumed and reported on in the previous year were within the limits.
In all organizations observed, an improved demonstration of risk management practices in the information relating to the committee members was observed, i.e., membership of the relevant committee charged with governance of risk (this is audit and risk committees, audit committees and risk committees of the oversight body).A fair demonstration of risk management practices was also observed with regard to the information relating to the relevant committees duty of considering and monitoring risk management policy and execution of the approved risk management plan.
Poor practices were demonstrated by all organizations with regards to the information relating to performance evaluation of relevant committee members by the oversight body.Only 5% of observed higher education institutions attached this statement.No national government department had this statement and only 25% of listed companies had this information.It is concerning that performance evaluation of oversight body's committees' members was not conducted.As previously argued in Moloi (2016), failure to conduct performance evaluation exposes the oversight body to the retention of ineffective members which may have the consequences of materialization of risks, depending on the magnitude of these risks, this could derail the strategy and the institution concerned.
In all organizations observed, further poor risk management practices were observed in the information relating to the relevant committee members having access to independent experts should they require expert opinions on certain matters.Again, as previously argued in Moloi (2016), it is concerning that there are poor practices relating to this.The inability of committee members to access quality advice as and when they require it on matters related to their duties could result in improper and costly decisions for the organization concerned (Moloi, 2016).
In conclusion, there were poor practices with regards to the information relating to the Chief Risk Officers or their equivalents in the organizations under review.
It is argued here that with the exception of financial institutions, including banks, it appears that the idea of having a Chief Risk Officers or their equivalents is still fairly new in the South African context.Table 2 above shows extracted risk management practices/categories relating to the risk identification risk assessment, risk response, risk monitoring, as well as assurance and risk disclosure.All JSE listed companies had disclosed the information relating to the role of relevant parties in promoting the combined assurance.Contrary, poor practices were observed in both national government departments and higher education institutions with regards to the information relating the role of relevant parties in promoting the combined assurance.
As such, there poor practices were observed with regards to the approved combined assurance framework (5% of higher education institutions disclosed this information and no national government departments disclosed this information), provision of assurance by management as a first line of defence in the combined assurance model that controls are in place for all risks (both higher education institutions and national government departments did not disclosed this information), written assessment by internal audit as a second line of defence in the combined assurance framework that the risk management system and process was effective (both higher education institutions and national government departments did not disclosed this information), written assessment by other external assurance providers that the risk management system and process was effective (both higher education institutions and national government departments did not disclosed this information).
Improved practices in all organizations were observed when it came to the management's role in monitoring risks and formulating risk responses.In this regard, 53% of higher education institution, 62% of national government departments and all JSE listed companies indicated that risk reports that are reviewed by the oversight body or a relevant committee contained the risk responses.A similar observation cannot be made on the use of the risk management process as a tool to identify and exploit opportunities that could arise to improve the performance of the higher education institutions and national government departments, as they both poorly performed on this observation.

Conclusion
This paper set to examine the manner in which risk is governed in certain selected sectors of the South African economy.Data were collected on publicly funded higher universities and universities of technology, top 20 JSE listed companies and the national government departments.For the purpose of extracting statement deemed to be a proxy of risk management practices in the selected, the disclosure risk measurement instrument was developed.This instrument was used as a gauging tool for the information disclosed in the integrated/annual report.Risk practices statements were formulated using the governance of risk chapter of the King III Report on Corporate Governance, applicable to all organization regardless of manner or form and the Public Sector Risk Management Standards, applicable to the South Africa's public service organizations.
The results obtained indicated a high level of risk management practices by the JSE listed companies.The author postulates that this is attributable to the fact that the King Code has been incorporated as the JSE listings requirements.The author further postulates that shareholders in private companies apply a high level of scrutiny in companies where they have vested interest.With regards to the National Government Departments and the South Africa's higher education institutions, it is clear from the obtained results that a lot of work still has to be done to embed key risk practices in these respective organizations internal processes.
the second tier of defence has provided a written assessment on the effectiveness of risk management and the entire system of internal controls [n = 19, n = 20, n = 34] providers as the third tier of defence have provided a written assessment on the effectiveness of risk management and the entire system of internal controls [n = 19, n = 20, n = 34] n = number of integrated/annual reports observed in a sector; oversight body = board of directors, university council, accounting officer/authority; HEI = Higher Education Institution; COM = Selected JSE Listed Company; NGD = National Government Department.
(Moloi, 2016)9)e Public Sector Risk Management Framework (NationalTreasury, 2009).thebasis of the King III Report on Corporate Governance (IoD, 2009) were meant to be generic and take into account (incorporate) all organizations.On the other hand, the Public Sector Risk Management Framework (NationalTreasury, 2009) is applicable to public sector organizations, it, therefore, provided an insight for risk governance statements in the context of the public sector organizations.A snap comparison was conducted between the Public Sector Risk Management Framework (NationalTreasury, 2009), as well as the King III Report on Corporate Governance (IoD, 2009).In conducting the comparison between risk governance requirements of the Public Sector Risk Management Framework (NationalTreasury, 2009), as well as the King III Report on Corporate Governance (IoD, 2009), it was noted that there are no evident differences in the approach to risk governance(Moloi, 2016).

Table 1 .
Incorporation of statement relating to the governance of risk, tolerance and appetite, relevant committee and delegation of responsibilities

Table 2 .
Incorporation of statement relating to risk approach, risk response and management responsibility, risk monitoring and the combined assurance

Table 2 (
cont.).Incorporation of statement relating to risk approach, risk response and management responsibility, risk monitoring and the combined assurance