English / ქართული /








Journal number 3 ∘ Ketevan Nadirashvili
The Assessment of Risk Management Practice in Georgian Public Sector

Risk management is critical for public sector organizations as they are exposed to different categories of risks affecting their reputation, efficiency and effectiveness of services, budget governance and overall public interests. To improve and strengthen governance principles in public sector, organizations need to become more proactive, identify and assess the existing or potential risks, respond and mitigate the risks that will eventually be reflected in better outcomes and decisions. Moreover, it is fundamental that the importance of Risk Management discipline is understood, knowledge and experience is gradually improved and appropriate strategies are in place. Hence it is necessary that robust and solid risk management frameworks are developed and implemented by public organizations.
Given the above, the objective of the present article is to study and assess the current risk management practice in Georgian public sector. For that purpose, six major agencies were selected to conduct survey. In addition, the existing legala framework was studied and compared to best international standards. Based on comparative analysis the recommendations are introduced for further enhancement and improvement of Risk Management framework in public sector of Georgia.

Keywords: Risk management, risk assessment, public sector, unstructured risk management practice, risk management framework.
JEL Codes: D80, D81, G32,

Introduction

Over the decades, risk management discipline was mainly associated with financial institutions. But digital transformation, pandemic as well as fast changing landscape of public sector made clear how urgent and necessary is to implement holistic Risk Management framework. Furthermore, citizens and businesses expect governments to be prepared for a wide range of possible crises and global shocks and minimize the impact on economies and citizens daily lives. (OECD, Assessing Global Progress in the Governance of Critical Risks, November, 2018). Last but not least, Risk management is a critical in the process of achieving the organizational objectives, therefore notwithstanding the sector, organizations should have a clear strategy how to respond (accept, mitigate, transfer, avoid) the risks.
Risk Management in government sector is linked to effective control systems which in turn ensures increased efficiency, minimized inappropriate expenditures and improved processes. Effective control systems guarantee that risks are identified, assessed and responded in an organized and proactive manner (Braig, Gebre & Sellgren, 2011). Despite this, the implementation of risk management framework has always been more challenging in public sector rather than private sector. Moreover, it’s obvious that that there is an increased need for improving awareness on risk management in public sector, mainly is emerging and developing countries (Ahmeti, Valdi, 2017; Bracci et.al. 2021).
The main explanations encompass the mission and objectives of government institution counterweighing the risks. Other factors are high turnover rates of senior officials and overall lack of knowledge and understanding of this discipline. In addition, the limitations of methodological approaches, bureaucracy and inflexibility are acknowledged as preventive factors. In addition to above-mentioned, should be noted that overall risk culture is weak in public sector, and objectives and importance of risk management is not adequately understood. Few more barriers were identified in US public sector preventing the successful implementation of Risk Management program, like complex procedural requirements and risk matrixes and unclear budget allocations (Damayanti,2023).
By supporting the international standards implementation and enhancement of current Risk Management framework of Georgian public sector, this article does not aim to criticize or underestimate the existing approaches, but rather then introduces the recommendations for more systematic and overreaching framework. Author believes that maturity level is not sufficient at Georgian public sector and there is an urgent need for specific, fast and determined initiatives.

Literature Review
In Risk Management literature two most important Risk Management standards are known which are introduced by COSO and ISO . Both standards are critical in helping and guiding organizations how to implement Risk Management frameworks. Should be also mentioned that alongside the above mentioned standards, practitioners can access the scientific books guiding to make better decisions in uncertain circumstances ( Yoe,2019).
First Enterprise Risk Management-integrated framework was published in 2004 (COSO). The main focus of this framework was achieving the organizational objectives at strategic, operational, reporting and compliance level while setting the activities for strengthening the internal control environment. Those activities include objective setting, event identification, risk assessment, control activities, information and communication and monitoring. In addition, this framework provided main principles and common language for Enterprise Risk management.
Over the years it was realized that there was necessity to broaden the framework and respond to the dynamics of continuously changing environment including innovation and fast growing technology. Hence the close interrelation between strategy and risk became imperative. In 2017 COSO released the updated version of ERM framework- “Integrating with Strategy and Performance guiding the executive and non-executive members”. This

The history of COSO goes back 1985 when it was created to sponsor the National Commission on fraudulent financial reporting. Starting from the beginning Committee of Sponsoring Organizations of the Treadway Commission was supporting and giving recommendations both private and public sectors. Under the National Commission five major American associations are united: the American Accounting the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]) The objective of the organization is to promote three disciplines: Enterprise Risk Management, Internal Control and Fraud deterrence. (COSO.org).
ISO nternational Organization for Standardization) -independent, non-governmental international organization with a membership of 168 national standards bodies. Based on expertise and voluntary, consensus-based, market relevant approaches the International Standards are developed to respond the global challenges and opportunities.

 

framework accentuates on setting and implementing the strategy in the organization, gives stronger insights on interrelation of ERM and business performance by introducing the indicators and targets. The imperative in new approach is that risks need to be brainstormed and judged at the top of the organization while setting the strategy. Moreover, this version recognizes the current landscape of business, like intense globalization of markets and supply chains as well as importance of data based decision making process. Likewise, previous version, this framework sets terminology and principles for step by step guidance on implementation of Enterprise Risk Management practice.
By implementing a holistic and integrated approach, ERM improves the sustainability and overall risk profile of the organization. With this approach, organizations are moving away from Traditional ˝silo-based˝ Risk Management, whereas risks are managed in isolated way-at departments or functions levels. Lack of coordination in turn obscures risks and impact of particular risk management decisions on organizational risks and strategy (Sprčić et.al.2017).
Should be noted that COSO standards explain the benefits of integrating Risk management at all levels across the organization. The imperative for organizations is not just understanding the risks, but embedding in values and behaviors, aligning the organizational risk appetite to strategy setting and implementation. Besides, adoption of COSO ERM has positive correlation on financial performance of organizations (Tavakoli, 2016).
As it was noted second important framework on Risk Management is introduced by International Organization for Standardization named as ISO 31000-Risk Management framework. The standard provides guidance and principles for any type of organization despite the industry, size or complexity of organizations and is applicable for both public and private sectors. ISO 31000 was published in 2009 and updated in 2018.
In general, this is a universal and multiple-risk approach standard, reinforcing the accountability of top managers and involving Risk professionals in decision making (Lalonde & Boiral, 2012). Among important principles, great emphasis is given to integration. The standard continually indicates that risk management should be integral part of management processes at all levels, and lists processes of particular significance (Leitch,2010; Murray & Enang 2022; Tavakoli, et.al. 2016).
ISO 31000 clearly states about critical role of leadership. Risk management must be initiated and supported by management. This approach ensures that appropriate tones is set at the tone and alignment to organizational culture and objectives is achieved.

 

To visualize the risk Management process flow, the activities
figure 1.

To guarantee that ISO 31000 is effectively implemented in the organizations, the key point is to understand the internal and external factors of organization as well as objectives. Only afterwards activities can be implemented for risk identification, analysis, evaluation, treatment and monitoring and consultation.
The literature on Risk Management in public sector was specifically studied ( Ahmeti& Vladi.2017) concluding that there is no sound theoretical background focusing on strategic risk management at public sector and governments must invest in research. Moreover, setting the public-private partnerships were recommended to support this initiative as well as raising the awareness on criticality of Risk Management.

Research Methodology

The study aimed to understand and assess current maturity level of risk management practice in public sector of Georgia. For this purpose, research included two steps: analysis of legal framework and qualitative assessment.
At first stage, intensive analysis was conducted of legal framework supporting Risk Management implementation in public sector. It included all relevant legislative acts, laws, and government orders adopted during the period of 2010-2022.
As the second component of research, the maturity model approach was selected supposing that quality and depths of Risk Management practice was implementing since 2010. Qualitative interviews with representatives. The interviews were based on questionnaire which was developed in accordance with best international practice (ISO and COSO). To assess the maturity level, interviewers were allowed to run a self-assessment and discuss the results with author.

Findings and Discussion

Public Internal Financial Control reforms have been initiated in Georgia starting from 2010, followed by the planning phase which was conducted in 2009. The objective of this initiative was to establish the sound governance principles and internal control system in public services. The Public Internal Financial Control system itself is comprised of three components: Financial Management and Control, Internal Audit and Central Harmonization Unit. The latter is responsible to implement and coordinate the Financial Management/Control and Audit systems throughout the public sector of Georgia. To achieve it, strong emphasis was made towards strengthening the internal controls systems in accordance with concept of European Public Internal Financial Control system.
In 2009-2013 significant achievements were made from legislative and practical perspectives, though the high importance was given to internal audit function. In particular, the law on Public Internal Control was adopted (2010, revision 2011) resulting the intensive training and awareness programs as well as establishing the internal audit functions across public sector of Georgia. Should be mentioned that this law introduced the concept of Risk Management under the components of Financial Management and Control. As a follow up, the Minister of Finance issued the order on Risk management manual in public sector of Georgia. Remarkably the manual was based on ISO 31000 standard fully reflecting the methodology and process of Risk Management. Even through that initially intensive emphasis was made to Internal Audit activities, Center of Harmonization made strong efforts towards raising awareness on Risk Management and promote the establishment of Risk Management systems at the Ministries of Georgia.
The above-mentioned objectives and attempts were supported by “EU-Georgia Association Agreement (AA)” which was signed in 2014. The purpose of this act was to extend the political and economic relationship with Europe which in turn was the step ahead towards EU integration. The Association Agreement, chapter-279 specifically defines the objectives and steps for improvement of public internal financial controls, including managerial accountability, independent internal audit function, financial inspection system, supporting the development of competencies in Harmonization unit etc. While AA is accentuating about good governance and improving public internal financial controls, Georgia continued to take further steps aiming to strengthen the operational efficiency of public finance management.
The next important initiative was made by Government of Georgia in 2017, by introducing and approving the instruction on the rules and procedures for establishing the financial management and control system. Overall objective of the instruction was to improve the effectiveness and efficiency of government institutions. In accordance to the instruction, the Head of any government institution is responsible for successful implementation of financial management and control system as well as for proper accountability structure within the institution, ensuring the appropriate distribution of roles and responsibilities. Financial management and control includes all activities on financial and non-financial processes, operations and actions and aims to follow the principles efficiency and productivity principles from budget, time and other perspectives. Three stage approach was introduced for implementation addressing the Financial Controls at the first stage, Managerial Controls at the second and Financial Management-at the third stage. Should be mentioned that proposed financial management and control system was based on internationally recognized framework of COSO (Internal Control-Integrated Framework, 2013).
Under the abovementioned three pillars/stages, the risk management process stands under the implementation of Managerial controls. The instruction defines the clear responsibility for risk identification, management and reporting for which the head of each program/sub-programme is responsible. Moreover, the increased managerial responsibilities indicate the development of effective control mechanisms, risk management and reporting process. The managers at all hierarchical levels of the public institution are expected to assess the risks that prevent the achievement of goals; In addition to abovementioned strong emphasis was made towards operational risks, including non-compliance to laws and regulations, losses, damages and misuses of the institution's resources. The managers are accountable to take into account the risks associated with any activities or processes and provide appropriate reporting system.
The next significant move was made towards the practical steps, in particular the establishment of risk management function was promoted and reinforced during the year 2021. The latter was achieved again within the framework of managerial control and financial management. Importantly these initiatives were conducted within the cooperation between SIDA and Harmonization Department.
The practical steps included the enhancement of Risk Management manual, development of Risk registers and establishing the roles and responsibilities for Risk officers. The enhanced Risk Management manual defined the risk management as an important mechanism for achieving the institutional objectives. The template for risk register is a practical tool for depicting the main processes, related risks and controls. Since analyzing and assessing the likelihood and impact for the risks, Risk register enables to define the overall risk profile by aggregating the residual risk levels for the whole institution. Moreover, this is the tool which helps to discover the weaknesses and deficits across the Public Institutions, which in turn are reflected in duplicated, complex and resource consuming processes.
In addition to above-mentioned, the Harmonization Center prepared the list of recommendations to assist the Ministries in fast and systemic implementation of Risk Management systems, in particular:
• To unify the systemic and sustainable approach of Risk Management practice
• To define the Role of Risk Coordinator/Officer
• To develop methodological and policy documents
The Harmonization Center continues close collaboration with Public Institutions to strengthen and promote Risk Management implementation, though at this stage the maturity level is still at initial stage.
After reviewing and studying the legislative framework, the author conducted the qualitative survey, to assess the maturity level of Risk Management practice. The survey fully reflected the requirements if legislative framework as well as was consistent to ISO 31000 requirements.
The results showed that structural level of the implementation of risk Management system is reflected only in one Ministry of Georgia, whereas the independent department is established. This is a fully functional department with systemic approach of Risks identification, assessment, and treatment. The Significant progress is also achieved in one more ministry, whereas the full-time risk officer role is created. In other Ministries, the role of Risk officer is combined with other responsibilities.
Regarding the tools and instruments, the Risk registers are developed in 6 major ministries. Currently risk registers are acknowledged as an important informative asset, though they are not fully utilized, lacking the connections with decision making process and budgeting.

Conclusions and Recommendations

Current Risk Management system in the public sector of Georgia is at premature level and corresponds with unstructured risk management practice. On one hand there were number of actions/steps taken to promote the Risk Management activities and solid legal framework was prepared. On another hand the reform was extremely extended in time and only after 10 years the practical steps were initiated only in selected institutions. So far, this process is unstructured and needs improvement.
Studying the legal framework provided evidence of persistent attempts of improving and pushing Risk Management activities ahead. Though practical implication was difficult and took more than 10 years to launch the basic activities at selected government institutions. The conducted research showed all initiatives were promoted and supported by the Center of Harmonization with the help of international agencies.
This paper recommends to government officials to understand the importance of Risk Management and enhance efforts towards raising the awareness. Moreover, top-down efforts are very important to enforce the practical implementation of Risk Management activities, hence the roles of senior officials are critical. To improve awareness the intensive trainings shall be delivered at senior and middle management levels.
It is obvious that information about existing or emerging risks are not considered in decision making. If Risk Management system is aligned with best international standards, senior officials will have high visibility on all risks and will use Risk Management as a strategic tool.
In most of the cases the failure of Risk Management attempts is associated with Silo approaches and not integrating the risks and processes. Instead of creating blocks and bottlenecks, the risks shall be naturally embedded in h
And finally Risk Management should be structured and systematic process, hence the holistic Risk Management framework needs to be in place. On one hand it will engage all necessary stakeholders and leverage their expertise and capabilities. On another hand it will allow to collect and study all necessary information and data considering internal and external factors and their interdependencies. To achieve all above mentioned, government institutions will need Risk Management professionals in place.

References:

• Ahmeti R., Valdi B. (2017). Risk Management in Public Sector: A Literature Review European Journal of Multidisciplinary Studies May-August 2017 Volume 2, Issue 5
• Back S. (2022). The Embedment of Risk Management in Enterprise Management System International Journal of Contemporary Management,59(2)
• Bracci E., Tallaki M., Gobbo G., Papi, L. (2021). Risk Management in Public Sector. International Journal of Public Sector Management, 34(2), pp.205–223
• Braig St., Gebre A.,Selgreen (2011). McKinsey Working Papers
• Damayanti E. (2023). Risk Management: In an Overview of Literature Review Formosa Journal of Science and Technology (FJST) Vol. 2, No. 4, pp: 1115-1122
• Lalonde,C., Boiral,O. (2012). Managing Risks through ISO 31000: A Critical Analysis; https://doi.org/10.1057/rm.2012.9
• Leitch M. (2010). “ISO 31000:2009 - The New International Standard on Risk Management”, Risk Analysis, Vol. 30, No. 6).
• Murray J., Enang I. (2022). "Risk Assessment: The Three Eras of Risk Assessment", Conceptualizing Risk Assessment and Management across the Public Sector, Emerald Publishing Limited, Bingley, pp. 17-27.
• Said J., Alam M.M., Johari R.J. (2020). Assessment of Risk Management Practices in the Public Sector of Malaysia, International Journal of Business and Emerging Markets, 12(3),pp: 377–390.
• Simona-Iulia C. (2014). Comparative Study between Traditional and Enterprise Risk Management-a Theoretical Approach. Annalis of the University of Oradea, 23(1), pp: 276-282.
• Sprčić D., Kožul,A., Pecina E. (2017). Managers’ Support – A Key Driver behind Enterprise Risk Management Maturity; Zagreb International Review of Economics & Business, Vol. 20.
• Tavakoli S., Binti N., Talib A., Kish E.& Soltan,H. (2016). Enterprise Risk Management Adoption and Financial Benefits Creation: Examining the Contributions of COSO ERM Maturity and Board of Directors; Journal of Soft Computing and Decision Support Systems;
• Yoe Ch. (2019). Principles on Risk Analysis Decision Making, Under Uncertainty, Enterprise Risk Management, Tailor &Francis . Kindle, pp. 25- 73
• OECD (2018). Assessing Global Progress in the Governance of Critical Risks.
• EU/Georgia Association Agreement. https://www.eeas.europa.eu/delegations/georgia/eugeorgia-association-agreement_en?s=221
• https://matsne.gov.ge/ka/document/download/3613890/0/ge/pdf;
• https://matsne.gov.ge/ka/document/view/91618?publication=11
• COSO ERM Framework, (2017); www. COSO.com
• COSO Internal Control Framework; (2013); www.COSO.com
• ISO 31000 Risk Management Principles and Guidelines (2018).
https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en
• International Standards Organization – ISO 31000:2009 Risk M.