Risk assessment as a professional discipline and risk management in public institutions

Posted: 08 Aug 2019, 18:45
by Eralda Alhysa
Eralda ALHYSA, Msc.
Ministry of Finance and Economy
alhysae@gmail.com
Fabiola LLAKA, MSc.
RIA 2000 shpk, Tirana
fabiola.llaka@hotmail.com
Arjana LLESHAJ, Msc.
Ministry of Finance and Economy, Ass. Lecturer at University Of Tirana
lleshajarjana@yahoo.com


Abstract
Risk assessment and risk management have been transformed into an independent professional discipline. The discipline brings its own theories and principles, which must be understood and taken into account when a risk assessment is carried out. In public institutions, risk assessment and management has a specific importance: it is carried out by hierarchical levels of work and control and is monitored by specific financial control structures. However, in our country the process of risk assessment and monitoring still remains part of control and audit, especially in the public sector, so it has not reached the level of an independent professional discipline.
The lack of this specific profile naturally raises the questions: "Why do public institutions not manage to be effective, and why do they fail to manage risk in many situations? Why are the recommendations made by the relevant competent structures for measuring and managing risk not used in practice?"
This paper first aims to provide a reflection of the process of risk assessment and management in public institutions in our country, focusing on ways of evaluation, management and control from the hierarchy and auditors. Also, in an effort to identify the challenges that an analytical and professional risk assessment has in Albania, the paper will present a specific analysis of the risk management process, the indices being measured and the measures being taken.
Key words: risk management, risk valuation, analysis.
JEL classification: A23, D73, D79, E02

Introduction
Risk management is an important process for every budget unit, and it makes decision making efficient and effective. In the field of public administration, the risk management process as part of internal control is still unknown and not fully realized. Moreover, one cannot yet speak of a risk manager profession in our country, especially in public institutions. This paper addresses the risk management process in the case of Albania, especially in public institutions.
The first part discusses the literature's approach to the risk management process as part of internal control. According to the literature, there is no method for measuring risk accurately, but there are different models for evaluating it in order to prevent it and make a correct decision. The second part of this paper describes how the risk management process works for public institutions in Albania. At the end, the paper reflects on the risk management process in Albanian public institutions and describes the progress of this process by analyzing the self-assessment questionnaires carried out by the Ministry of Finance, which is currently called the Ministry of Finance and Economy.

Literature review
What is risk?
When talking about risk, we must take into consideration the difference between risk and danger, which have common features but also differ from one another. A risk event is a random event, a potential future event that has a random impact on a predetermined target or, more generally, on another event that the individual concerned perceives as a target. A danger event is also a random event, a possible event in the future, but it is not necessarily associated with a target, that is, with another event perceived as a target.
Risks have positive and negative impacts, so they cannot be prevented but should be directed. When a risk materializes (occurs), it has only a negative impact. The materialized risk causes the target to be reached, exceeded or not achieved.
Risk management is a process that deals with keeping real risk behavior at the level of the desired risks and with covering the expected, unexpected and extreme losses (adverse impact) in the event of their materialization. It is a process that involves target setting, risk assessment, risk management and monitoring of the entire management process.
From the point of view of economic sciences, there are three misguided risk perceptions: a) risk is always bad; b) some risks are always bad enough to be eliminated regardless of cost; c) when facing risk, each individual must behave in a safe manner. However, it should be said that risk is neither good nor bad; it is just a risk. Simply eliminating it without a cost-benefit analysis is an unjustifiable action and economically harmful for the individual and the business community.

Financial risk
Financial risk has a direct effect on the financial losses of the organization. Non-financial risk has a delayed effect, but in the long run it also affects the profitability of the organization. For example, bad reputation, weaknesses in internal control and poor human resource management are not financial risks, but in the long term they will affect the profitability of the organization. Financial risks are as follows:
• Credit risk
• Liquidity risk
• Interest rate risk
• Exchange rate risk

Explanation of the concept of "financial management" according to law
Financial management and control is a system of policies, procedures, activities and controls that are regularly deployed, maintained and updated by the head of the public unit and implemented by all personnel in order to address the risks and to provide sufficient assurance that the objectives of the public entity will be achieved through:
• Effective, efficient and economical activities
• Compliance with legislation and internal acts and contracts
• Reliable and complete financial operating information
• Protection of information and assets

Areas of application of risk analysis and risk management in the public sector
There are countless events and circumstances that can prevent or threaten the achievement of an organization's goals, whether it operates in the private or the public sector. Most of these events can be predicted, their circumstances and impact can be assessed, and organizations can prepare to respond to them and absorb their effect.
Risk management is an organic part of the responsibility of organizational governance, especially in defining the organization's goals, defining risk and detecting risks. However, public sector institutions have unique features that differ from those of private organizations (Domokos, Nyéki, Jakovác, Németh, & Hatvani, 2015).
Risk management of financial institutions focuses on managing returns and risk in modern financial institutions. The continued need to control and manage risk is related to the fact that the risks that appear most frequently in financial institutions, and the methods and markets through which these risks are managed, are gradually becoming more similar, whether financial institutions act as commercial or non-commercial banks, investment banks, savings banks, or insurance or credit companies. However, there are differences that relate to the rational nature of each sector, such as quality assurance, international banking and off-balance-sheet banking (Saunders & Cornett, 2016).
The risk management framework is important for financial institutions such as banks, insurance companies, investment funds and loan companies. The generally accepted risk management process is the practice of identifying, analyzing, measuring and determining the desired level of risk through risk control and risk transfer. BCBS (2016) defines financial risk management as a series of four processes: (1) identifying events in one or more broad categories of market, credit, operational and other risks, in specific sub-categories; (2) risk assessment using data and a risk model; (3) monitoring and reporting of risk assessments at the right time; and (4) control of these risks by senior management.
For risk management processes, BCBS (2016) requires supervisors to be satisfied that banks and banking groups have a comprehensive risk management process. This includes a Board and senior management who are capable of identifying, evaluating, reviewing and managing all material risks and of assessing their overall capital adequacy in relation to their risk profile. In addition, as suggested by Altamimi (2002), commercial banks can pursue a comprehensive risk management process that involves eight steps: identification of exposure; data collection and risk determination; management objectives; product and control instructions; risk management assessment; development of strategy; implementation; and performance evaluation (Harrington & Niehaus, 1999).
In general, according to IFSB (2005), IBs will have a complete risk management and treatment process, including proper board and senior management oversight, to recognize, measure, monitor, report and control the relevant categories of risk and to maintain sufficient capital for these risks.
Financial theory explains that risk control has become a major concern in financial institutions. Financial institutions usually use arithmetic tools and programs to calculate and predict the amplitude of possible movements of financial markets, and based on the values they receive from these mechanisms they react to risk by investing in derivative markets. However, classical theories are based on lighter assumptions such as Gaussian statistics, which results in data derived from modeling being unrealistic and so, in one form or another, not presenting the real risk (Bouchaud & Potters, 2000).
The article (Dowd, 1999) provides guidance on decision-making to manage financial risk based on two important principles. The first is the "Sharpe Principle", which concerns estimates of expected changes in one part of the financial sector and the expected return on the invested portfolio, taking into account the probability of an unpredictable situation occurring. The second principle relates to the fact that the rules cannot be limited to the distribution of real returns, since they have to be considered in the context of a set of elements that do not represent a normal distribution. Measurements and estimates can be applied with a risk assessment to the standard deviation risk measure of the portfolio.

Conceptual risk management model
This conceptual model shows the relationship between risk management practices and four aspects of the risk management process, namely: risk understanding and risk management; risk identification; analysis and risk assessment; and risk monitoring. Referring to the model shown by (Al-Tamim & Al-Mazrooei, 2007), the function of risk management practices is as follows:
RMP = f(MMR, RI, AVR, RM)
where:
RMP = Risk Management Practices
MMR = Meaning and Management of Risk
RI = Risk Identification
AVR = Analysis and Valuation of Risk
RM = Risk Monitoring
Based on the conceptual framework, we understand that there is a fair (positive) link between risk management practices and the aspects of the risk management process. There are many theoretical studies that show the important aspects of the risk management process that firms must have in order to better manage their risk throughout their activity (Tchankova, 2002), (Luck, 1998).

Quantitative studies, e.g. (Boston Consulting Group, 2001), (Altamimi, 2002), (Al-Tamim & Al-Mazrooei, 2007), show the importance of risk management for various financial institutions.
Over the past few years, there has been growing demand for more transparent financial reporting in the public and private sectors. This is due to the rise in massive joint failures (Enron, WorldCom, Parmalat, ARMO) and to poorly managed public sector projects that significantly exceeded the budget or failed to meet the targets. Internal and external controls were seen as a necessity, as the bankruptcy of large businesses has an impact on international markets.

Risk management and risk assessment in the public sector in Albania

Risk management is a new concept for the Albanian public administration and is still unconsolidated. Regarding normative acts, in addition to the FMC (Financial Management and Control) law, which sets the basis for introducing the concept of risk and for documenting risk identification and evaluation procedures, sub-legal acts in the area of public finance management approved by the Ministry of Finance elaborate on the duties and responsibilities in this area as follows.

The Head of the Public Unit is responsible for drafting policies and for approving and monitoring the risk management strategy within his unit. The Authorizing Officer is responsible for the implementation of financial management systems and, as Risk Coordinator, is responsible for monitoring the risk minimization controls within the entity.
In risk management, there is an improvement in the preparation of risk registers, but the complete system for managing risk remains to be developed. The Risk Coordinator under the FMC law is the Authorizing Officer (AO) of the institution. In order for the institution's risk management process to be effective, a system for carrying it out should be established. For 2015, there may be improvements in the preparation of the Registry of Risks, as evidenced by the increase in the number of institutions that have completed it as a document, but it is not yet used as a tool that helps management in achieving the objectives. Another problematic element noted is that high-impact risks in the relevant institutions are not subject to Strategic Management Group discussions; instead, they are the subject of ongoing verbal discussion and assessment between the heads of staff and the staff, in order to minimize them and enable the achievement of the objectives.
In the Strategic and Annual Plans of public administration institutions, internal auditors make efforts to identify and evaluate the main risks for the activity of public units, but we emphasize that this procedure still requires work from the audit structures (Work Group, Internal Audit Harmonization Directory, 2016). Such planning requires good knowledge of the functioning of the public entity and full independence of internal auditors. Risk assessment is an important process on which internal auditors should increasingly base their work planning, with the aim of increasing the quality of audit work. Changes in audit plans show that, although the risk assessment process has begun to be implemented, it needs to be developed further to comply fully with field standards.
The exercise of the internal audit function throughout the activity of public units includes the assessment of internal control: its functioning, classification, mode of operation and effectiveness. In the units where the internal audit has identified the main risks, the head of the public unit is informed about the areas of risk where further action is needed, and the audit unit recommends improving the internal control system and clarifying responsibilities within it, managing the risks with the aim of curbing and minimizing them, assessing risk continuously, and regularly reviewing the respective controls. In all systems that are rated at a high risk level, the audit is anticipated to be performed more frequently.
Components of Institutional Risk Management
Institutional risk management consists of eight interlocked components. They stem from how management directs and how these elements are integrated with the management process. (Risk Management Strategy, 2015)
These elements are:
• Control environment
• Setting objectives
• Identify the risks
• Risk assessment
• Risk response
• Control activities
• Information and Communication
• Monitoring

Responsibilities related to risk management are divided as follows:
The Minister of Finance is the authority responsible for introducing an effective risk management system as part of the financial management and control system in the public sector.
The first Authorizing Officer is responsible for monitoring the risk management system in the general government units and reports to the Minister of Finance.
The head of the unit of general government is responsible for drafting policies, approving and monitoring the risk management strategy within his unit and approving the level of tolerance of risk.

The Risk Coordinator of each Public Unit is the Authorizing Officer who is responsible for:
• Coordination of activities related to the identification and assessment of risks that jeopardize the achievement of unit objectives and the establishment of a risk management system in proportion to its size;
• Advising and providing instructions to other POEs in co-operation with the Central Harmonization Unit for Financial Management and Control;
• Presenting the general report on the risks of the public entity to the head of the public unit and the strategic management group of the public entity;
• Monitoring of the controls for risks that jeopardize the achievement of the objectives of the unit they manage.
The Strategic Management Group acts as a committee to discuss and take action on key issues and serious deficiencies in risk management. The Strategic Management Group needs to verify how the risks are managed within a public entity and to prepare an annual report on this.
Other Unit Managers. All unit managers are responsible for creating a risk register and for identifying, assessing and controlling the risks that hinder the achievement of objectives and the successful realization of the activities of the structures they manage.

Studies presented at various conferences and in publications have also been carried out in our country, prompted by the lack of emphasis on risk analysis in public institutions in Albania. Listing the risks and, moreover, building diagrams or maps corresponding to their most fundamental characteristics, such as the object, the place, the expected damage and its magnitude, and the possible preventive measures for their eventual elimination, may be a subject of study and action in the future. ("Risk Analysis", 2016)
International institutions such as the IMF, the World Bank and USAID have highlighted shortcomings in Albania in feasibility studies and in cost-benefit data, which indicate that the preliminary risk analysis was not carried out properly or in depth.
In the strategies and the tactical and operational plans of most of our central institutions, risk analysis is almost non-existent and the situation is constantly deteriorating.
No institution that we have audited with the performance audit has had a SWOT analysis, a PESTLE analysis (an analysis focusing on "P" - Political, "E" - Economic, "S" - Social, "T" - Technological, "L" - Legal and "E" - Environmental factors), or any other kind of technique that identifies, classifies, analyzes and manages risks in the short and long term. Even in the SAI itself, which controls risk management for other public institutions, the PESTLE analysis is not being implemented, while the institution intends to measure its performance according to the ISSAI "SAI Performance Measurement Framework", a standard that is under preparation and will be confirmed at the forthcoming INTOSAI Congress. The High State Control through this Strategy commits itself to ensure that risks are identified and handled in a timely manner.
Evaluation procedure of internal control by the coordinating institutions
In Albanian public institutions, risk management is a self-management process of every self-governing institution and subsidiary institution. Coordination is also done by the Ministry of Finance and Economy and the responsible unit. Periodically, each institution completes the risk management self-assessment questionnaire. The self-assessment questionnaire is designed to be used by public entities to self-evaluate the internal control system in unit structures. The questionnaire consists of five sections corresponding to the five financial management and control components according to the international standards COSO and INTOSAI:
• Control Environment;
• Risk Management;
• Control activities;
• Information and Communication;
• Monitoring.
How is the questionnaire completed?
Each section contains a number of questions about each of these components. Each question is scored from 1 to 4 points, as follows:
The 1-point rating indicates that this aspect of internal control is not yet applied and is not understood in any of the constituent parts of the unit.
The 2-point rating shows that this aspect of internal control is partially understood and functions only in some of the unit's constituent links.
The 3-point rating shows that this aspect of internal control is understood and functions in most of the unit, but not in all its strands.
The 4-point rating shows that this aspect of internal control is understood and works very well in all unit structures.
The total score for each of the five financial management and control components should be collected and the average score per section should be calculated. The average score for the entire questionnaire will be calculated and should be written down. For each question, apart from the answer, the "justification / reasoning" column should be filled in with the relevant information in as much detail as possible.
How should the results be interpreted?
1. If any of the questions has been evaluated 1 or 2, the aspect in question requires immediate intervention for improvement.
2. If any of the questions has received 3 points, the head of the unit should consider the possibility of making system improvements in that aspect.
3. If any of the questions has received 4 points, this field does not require any further intervention.
The performance of the public sector risk management process and its efficiency analysis
From the analysis of the results of the self-assessment questionnaires, in general we can say:
• All institutions have a mission statement based on their legal basis, in some cases drafted and specified in the 2014-2016 or 2016-2018 MTEF.
• Most of the institutions had a strategic plan, while it was lacking in two or three ministries.
• Many of the institutions set measurable and achievable targets.
• There were few problems with the complaints system and how complaints were being processed.
• For the most part, the organizational structure coincided with the activity of the unit, apart from some institutions that reportedly had many dependent institutions.
• At almost all institutions, one of the issues was risk management, because either the coordinator was lacking, or proper risk registers or even a risk strategy were lacking. All institutions considered training necessary in this area, and it was also required that the training be extended not only to management levels but also to subordinate staff.

Results from Questionnaires for Risk Registers
The 2009 reports indicate that public institutions, when addressing potential risks, focused on financial risks rather than on all kinds of risks that may affect the achievement of goals.
In 2016, the reports based on the self-assessment questionnaire responses for the risk management component show that approximately 70% of government units have prepared a consolidated risk register and strategy.
It should be noted that, of the 30% of institutions that gave negative answers, that is, that do not have a risk management strategy and consequently risk registers, 90% are local government units. A related issue is that this process is not supported by formalized materials for strategic risk management, which would help to make effective decisions and achieve the institution's objectives.
Figure 1. Risk evaluations in public institutions, Ministry and Municipalities

Source: Ministry of Finance
Based on the graphs, a positive development for 2016 compared to 2015 is the increase in the number of institutions that are aware of the importance of risk management, of preparing risk management procedures and of the basic document, the risk register.
However, based on the self-assessment questionnaire, it is concluded that a significant number of public institutions (about 30%) are in the early stages of implementing this component or have not yet begun this process.
In the effectiveness chart, it is noted that there is a difference between the levels of the units of general government: specifically, the local government units have 66% efficiency, lower than the ministries and independent institutions, assessed at 86% and 79% respectively. Finally, we can say that risk management is an essential component in implementing a modern FMC system, for which public institutions need technical assistance and awareness raising in the coming period.
Figure 2: Level of risk management procedures in central institutions

Source: Ministry of Finance

Figure 3: Level of risk management procedures in local institutions

Source: Ministry of Finance

Deficiencies ascertained
1. The risk management process and the establishment of controls at several levels for higher risk areas remain in the initial phase.
2. Although there is a greater awareness of the importance of preparing the risk register and the risk strategy, these documents remain unfinished as regards identifying strategic risks and discussing them in the Head of Strategic Management Group.
3. Authorizing officers are reluctant to delegate certain functions and tasks related to risk management to a finance officer, as defined in Article 10, paragraph 2 of Law 10296, dated 08.07.2010 "On Financial Management and Control" as amended.
4. Based on the above, there is a lack of assumption of responsibility / delegation of competences and, consequently, lack of monitoring to minimize the risks.

Conclusions
Risk management as part of internal control is not widely recognized at managerial and operational level, and evaluative and analytical actions are undertaken to become part of effective decisions.
Risk management is a process that is self-assessed by public institutions and subordinate institutions, and the self-assessment is reported to the relevant unit in the Finance Ministry, which carries out inter-institutional coordination in this area.
The risk register is prepared periodically every year and includes some areas of internal control, including risk management.
We must emphasize that risk management is not an easy process but an essential one for ensuring the effectiveness of public revenue management by the administration, so more attention needs to be paid to methods for measuring and managing risk.


Bibliography
Domokos, D., Nyéki, M., Jakovác, K., Németh, E., & Hatvani, C. (2015). Risk Analysis and Risk Management in the Public Auditing. Public Finance Quarterly.
Al-Tamim, H. A., & Al-Mazrooei, F. M. (2007). Banks Risk Management: A Comparison Study of UAE National and Foreign Banks. Journal of Risk Finance.
Altamimi, Z. (2002). ITRF2000: A new release of the International Terrestrial Reference Frame for earth science applications.
BCBS, B. (2016). International Convergence of Capital Measurement and Capital Standards.
Bookstaber, R., Cetina, J., Feldberg, G., Flood, M., & Glasserman, P. (18 July 2013). Stress Tests to Promote Financial Stability: Assessing Progress and Looking to the Future. Office of Financial Research Working Paper.
Boston Consulting Group. (2001). Dealing with investors' expectations.
Bouchaud, J.-P., & Potters, M. (2000). Theory of Financial Risks from Statistical Physics to Risk Management. Cambridge University Press.
Braig, S., Gebre, B., Sellgren, A., & Braig, S. (May 2011). Strengthening risk management in the US public sector. McKinsey Working Papers on Risk, Number 28, 1-13.
Broadbent, J., & Guthrie, J. (2014). Public sector to public services: 20 years of "contextual" accounting research. Accounting Auditing & Accountability Journal, Vol. 21 No. 2, 2008, pp. 129-169.
Dowd, K. (1999). A free retail investment market? Institute of Economic Affairs.
Harrington, S., & Niehaus, G. (1999). Risk Management and Insurance.
Luck, S. (1998). Neurophysiology of Selective Attention. University of Iowa, USA.
Palermo, T. (2016). Accountability and expertise in public sector risk management: a case study. Financial Accountability & Management.
Prokopenko, Y., & Bondarenko, D. (2011, September 10-11). Operational Risk Management. International Finance Corporation World Bank Group.
Robertson, A. Risk management in the public and private sector - a perspective. Non-executive Director. Covent Garden Market Authority.
Saunders, A., & Cornett, M. M. (2016). Financial Institutions Management, A risk management approach.
Tchankova, L. (2002). Risk identification - basic stage in risk management. Environmental Management and Health, 290-297.