The Importance of Enterprise Risk Management to Public Sector Organisations in Nigeria

The paper dealt with the importance of enterprise risk management to public sector organisations in Nigeria. The paper has reviewed literature on frameworks for enterprise risk management and established the global practice. The paper found that the practice of enterprise risk management is an evolving practice among public sector organisations globally. In Nigeria, it is mainly practiced in private sector organisations with inadequate levels of implementation in the public sector. The absence of a specific legal framework for the establishment of project and programme management practices in the public sector may be responsible. Based on available frameworks, practices, and benefits of enterprise risk management, the paper has recommended that public sector organisations establish enterprise risk management processes and cadres for project management officers, and compliance and risk management officers.


Introduction
Risk cannot be avoided because it is said to surpass all human situations and it exists within public and private enterprises. Therefore, understanding risk dimensions and management is relevant for all organisations (Hardy 2010). The essence of risk management is to attain the most appreciable balance of opportunity and risk. This often means the organisation may in the process of pursuing a balance of opportunity and risk become exposed to new risks in adopting most preferred alternatives, hence the need for continuous awareness and proactive risk management practices (Vedpuriswar 2006).
Enterprise risk management (ERM) has become a necessity for many organisations today as it expands the scope of risk management from associated and accidental losses to include other organisation-wide operational aspects. ERM is defined "as a discipline that addresses the full spectrum of an organisation's risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically-aligned portfolio view. ERM contributes to improved decision-making and supports the achievement of an organisation's mission, goals, and objectives" (PwC, 2015).
PricewaterhouseCoopers (PwC 2015) found that the use of ERM was becoming popular among Public Sector organisations as only 44% had not established an ERM programme and 80% of organisations with ERM programmes established them less than five years ago. The survey (PwC 2015) identified lack of Federal requirements for ERM, inability to bridge organisational silos, inadequate funding for implementation and lack of executive buy-in as significant barriers to effective ERM practice.
The recent adoption of the ERM process as observed in PwC (2015) agrees with an earlier study by Beasley et al. (2010) which stated that ERM was relatively immature. According to the study by Beasley et al. (2010), 28% of respondents described their phase of ERM implementation as "systematic, robust and repeatable" with consistent reporting to the board of the organisation. About 60% indicated that risk tracking was at best informal and on a need-to-do basis or only pursued within individual silos or categories as opposed to enterprise-wide.
A paper by McPhee (2014) stated that public sector entities in Australia are required by law to strengthen risk management approaches by complying with nine provisions which begin with the establishment of a risk management policy to reviewing and continuous improvement of the management of risks. According to McPhee (2014), this underscored the role of the Government in encouraging risk management in the public sector.
In Nigeria, various sectors and organisations are in competition for scarce resources. This means that the risk profile of many organisations has experienced an increase. Evidence in literature suggests that the failure or success of achieving organisational goals rests on the choices between good or bad project and programme management practices. Though enterprise risk management has received attention in Nigeria (Owojori et al. 2011; Ugwuanyi & Ibe 2012; Ayodele & Alabi 2014; Obalola et al. 2014), most of these studies highlight the scenarios in the private sector and have not adequately promoted the importance and practice of enterprise risk management in the public sector in Nigeria. This is further compounded by a dearth of studies in this area as stated in Dabari & Saidin (2013) and Saidu & Saidin (2013). The huge divide in the practice of risk management between organisations that have mechanisms for enterprise risk management and organisations that do not has led to observable disparities in the achievement of organisational objectives (PwC 2015). The disparity in ERM practice stated in PwC (2015) has implications for the achievement of results in intergovernmental collaborations, public-private partnerships, and grant management by public sector organisations.
The public sector in Nigeria is governed by several legal provisions which allude to minimising risk in general. For example, the Nigerian Constitution which guides all judicial processes; Public Procurement Act which provides guidelines for Federal Government contracting processes; the Fiscal Policy Act which guides Government spending; the Civil Service Reform Act which guides reforms in the Federal Civil  Despite these provisions, the practice of compliance and risk management based on established enterprise risk management frameworks is quite unpopular in public sector organisations in Nigeria. This has led to accountability issues regarding planning, implementation, monitoring, completion, and quality assurance of public sector projects and policies. The United States Program Management Improvement and Accountability Act of 2015 (PMIAA, S.1550, 2015) was signed into law in 2016. It is expected to enhance accountability and best practices in project and program management throughout the federal government. The absence of similar laws in Nigeria does not obligate public sector organisations to institute best practices in project and programme management which includes risk management. This is evident with the absence of cadres such as project managers, risk managers, and compliance managers, and the lack of recognition and support for certified project management professionals in the Nigerian public service scheme. As stated in Onofe et al. (2015), professionalism has the likelihood of influencing government accountability and transparency, and as such, the public service in Nigeria should be interested in staff professionalism. Highlighting the importance of adequate risk management in public sector organisations has become necessary, as the practice will improve the achievement of organisational strategic objectives and aspirations of government.

Frameworks for Enterprise Risk Management
The International Standard Organisation risk management standard 31000 (ISO 2009) provides a series of steps to guide organisations in designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation. The ISO 31000 (ISO 2009) risk management standard is widely accepted across the globe due to its practical approach which includes components about risk management principles, risk management frameworks, and risk management processes. However, in practice, the ISO 31000 (ISO 2009) risk management standard is not yet popular.
A practical ERM framework flow process was developed by Ernst and Young (EY 2014) which provides for integrated internal controls, compliance and risk management practices under an ERM framework. According to EY (2014), key aspects of ERM for integrated risk and performance management towards improved outcomes are risk identification and reporting, risk insight and performance improvement, and risk-enabled performance management. Banham (2004) discussed the variance between enterprise risk management (ERM) and the more traditional risk management process. According to Banham (2004), the requirement for executive level oversight and support for ERM is critical. This is because ERM, if effectively implemented, manages the organisation's entire risk portfolio instead of silo risk management approaches under different projects. Table 1 highlights some variances between ERM and traditional risk management.
Risks with no owners | Defined risk responsibilities
7 | Haphazard risk quantification | Monitoring and measuring of risks
8 | "Risk is not my responsibility" | "Risk is everyone's responsibility"
Source: Banham (2004).
It is important that risk identification is aligned with the objectives of the organisation. Major risks should be mapped on a matrix which is stored in a database that is accessible by the chief executive or management committee. This is important to alert the executive on risks that extend beyond acceptable limits (Banham 2004). According to Banham (2004), a major part of ERM implementation is dependent on the efficient and accurate gathering and grouping of risk data, preferably with the use of electronic tools that can provide risk information on a timely basis to guide decision making. Banham (2004) stated that the implementation of effective ERM frameworks can support an organisation to define the adequate amount of funds to channel toward mitigation of risks, and assess risks across the organisation rather than on a per-project basis. Assessing risks on a per-project basis may limit the organisation's ability to weigh the impact that the risks associated with projects have on the entire organisation.

The Importance of Enterprise Risk Management
The global practice of risk management suggests that organisational risks be preferably managed in an integrated, holistic, and enterprise-wide approach (COSO 2004; ISO 2009; Beasley et al. 2010; EY 2014; PwC 2015). This is against the practice of segmented management of risk in silo units. The paradigm has shifted to a more vigorous process called enterprise risk management, also referred to as corporate risk management and integrated risk management (Hoyt & Liebenberg 2008; Razali et al. 2011). A survey by PricewaterhouseCoopers in 2015 (PwC 2015) on ERM in the Public Sector in the United States revealed that the major risk categories receiving attention in public sector organisations include strategic risks, operational risks, data security/privacy risks, reputational risks, and financial/reporting risks.
According to McPhee (2014), many public sector organisations are yet to integrate risk management into organisational behaviour, and this limits employee contribution to stronger outcomes through more effective engagement. As posited by Owojori et al. (2011), the risk management structure and culture need to be understood and imbibed from the board of directors to all staff. Owojori et al. (2011) went on to state that having a risk management structure is not enough; what matters is ensuring compliance and the will to implement the structure effectively and efficiently. It is stated in literature (Power 2009) that risk management in the public sector strengthens the capacity of Government to diagnose, appreciate, manage and take advantage of emerging challenges and opportunities in order to optimize performance improvement within public sector organisations. Ernst and Young (EY 2014) provided key indicators to determine public sector organisations that should implement enterprise risk management (Table 2).
No. | Organisations that have the following | Organisations that lack the following
1 | Where management is concerned with risk management, compliance cost and overall success. | Alignment across the agency on ERM - a common view on methodology, scope, process and tools to enable line of sight into organisational risks and related work.
2 | A complex or categorised risk management and compliance organisational structure. | A consistent risk criteria and ratings across risk management, compliance and audit.
3 | Multiple units responsible for risk assurance, risk management and compliance activities, leading to inefficiencies, and lack of responsibility and unclear span of control. | Defined risk appetite that is commonly understood across the agency.
4 | Current tools that are manually intensive and decentralized, leading to inconsistent and inefficient monitoring and reporting. | Risk management knowledge needed to fully serve operations.
5 | Organisations with a highly visible public profile. | Clear understanding of the interdependencies between various risks and between various internal controls, compliance and risk management initiatives.
Source: Ernst and Young (EY 2014).
Regardless of the size of the organisation, the implementation of the ERM process has inherent benefits and will surely optimise organisational performance in the public sector. The ERM process strengthens operations and supplements the character, fiscal, and strategic processes of organisations (Onafalujo & Eke 2011).

The Practice of Risk Management in Nigeria
The absence of adequate project management practices including compliance and risk management in the public sector has cost Nigeria a lot in various ways. Fatile & Adejuwon (2014) posited that the absence of project management practices which includes risk management has been a long-standing issue in the public sector in Nigeria. Fatile & Adejuwon (2014) recommended the practice of project management to curb the level of failed projects in the public sector. Nzekwe et al. (2015) assessed public sector project failure in Nigeria and found that the rate of failure was high. According to Nzekwe et al. (2015), all highly ranked factors leading to project failure in Nigeria were project management related issues. Similar findings were stated in Amade et al. (2015), where project management issues including inadequate compliance and risk issues were highlighted.
The practice of enterprise risk management is evident in some private sector organisations in Nigeria. Obalola et al. (2014) studied the relationship between ERM and organisational performance in the insurance industry in Nigeria from 2001 to 2010. Obalola et al. (2014) assessed the ERM functions of insurance risk, financial risk, operational risk and hazard risk as suggested by Acharyya (2009) in ten insurance companies operating in Nigeria. The study recommended the holistic management of risk through ERM in the insurance industry as it was observed that not all the ERM variables in the sampled insurance companies had a joint cause significant relationship.
Ugwuanyi & Ibe (2012) studied ERM and performance in the brewery industry in Nigeria by sampling 375 respondents. According to Ugwuanyi & Ibe (2012), 93% of respondents strongly agreed or agreed that enterprise risk management could improve the performance of companies in the brewery industry in Nigeria because the framework of an integrated approach to managing all risks is more effective than the fractional approach within the organisation. According to Ugwuanyi & Ibe (2012), the ERM process is influenced by the organisation's board of directors, management and staff, and strategies to identify potential risks and opportunities should be deployed across the enterprise and managed with assurance towards the achievement of the organisation's goals and objectives. Ayodele & Alabi (2014) assessed risk management in the banking industry in Nigeria with focus on credit risk, operational risk, market risk, and system risk. Based on the research findings, Ayodele & Alabi (2014) found that credit risk and operational risk were the major risks affecting banking operations in Nigeria. The risk management techniques utilized in banking operations were barely sufficient and required to be strengthened by legal frameworks for enforcement and compliance with international standards. The study by Ayodele & Alabi (2014) did not refer to a central or integrated approach to risk management which could imply that ERM is not yet widely used in the banking industry in Nigeria. This becomes critical when an earlier study by Owojori et al. (2011) assessed risk management in the banking industry during the post-consolidation era, and found that the banks assessed suffered losses chiefly from weak internal controls and lack of disciplinary actions for staff with high propensity for fraudulent practices.
Though section 6.0 of the Code of Corporate Governance for Banks and Discount Houses in Nigeria (CBN 2014) provides for risk management, it was not very detailed on the risk management approach but rather encouraged clear roles and responsibilities for the Board, Board Risk Management Committee, Management, and Internal Audit. This could influence the modalities adopted by various banks in the establishment of risk management processes.  (DFID) to mention a few. The establishment of risk management processes is a key requirement by providers of Grants and Credit portfolios managed by public sector organisations in Nigeria. However, the practice of risk management in this regard is usually weak and limited to the operations of the Grant/Credit and not implemented enterprise-wide or viewed from the perspective of governance, risk, and compliance management. This limits the scope and practice of risk management processes as stated in Banham (2004). Furthermore, establishing risk management for specific projects does not insulate public sector organisations from all risk categories.
The Service Compact with all Nigerians Act (SERVICOM) came into effect in 2004 to ensure that all Ministries, Departments, and Agencies (MDAs) of Government deliver the services to which citizens are entitled, timely, fairly, honestly, effectively, and transparently. However, the SERVICOM Act has no provision for punitive sanctions for defaulting institutions. Other limitations of the SERVICOM Act are the focus on 'customer satisfaction' and inadequate emphasis on project management processes which should include compliance and risk management. The implementation and monitoring of SERVICOM activities are reliant on nominated focal officers from various MDAs with already defined job descriptions since there is no specific service improvement officer cadre in the public sector. This underscores the need for the establishment of cadres to promote project management, compliance, and risk management in the public sector.
The number of certified project management professionals and ERM practitioners in Nigeria is growing, as is evident from the existence of associations on the subjects.

Recommended structure and practice of ERM for public sector organisations in Nigeria
Based on the global frameworks for enterprise risk management (COSO 2004;ISO 2009), the following is a guide for the establishment of enterprise risk management processes in public sector organisations in Nigeria. Public sector organisations require risk management as an integral part of the decision-making process to improve decision making concerning the allocation and utilization of funds, operational processes, and to continuously utilise risk review outcomes to improve operations.
A Public Sector focused enterprise risk management process should be guided by a policy document and comprise four key stages which will produce outputs necessary for the improvement of decision making. The risk identification process should be done in consultation with all directorates and divisions as this requires knowledge depth of organisational strategic objectives and key processes, understanding of the key stakeholders, and understanding of risk management tools such as the risk register. The structure of risk categories should cover major areas of potential risks to the organisation as suggested in PwC (2015). These should include, but not be limited to, Strategic risks, Operational risks, Data security/privacy risks, Reputational risks, and Financial/reporting risks. According to the Project Management Institute (PMI 2008), the risk register refers to "identified risk, root causes of risk, list of potential responses, risk owners, symptoms and warning signs, the relative rating or priority list of risks, a list of risks requiring response in the near term, a list of risk for additional analysis and response, trends in quantitative and qualitative analysis results, and a watch list of low priority risks." The risk register is a document that highlights all the risks identified concerning the operations of an organisation and ranks them according to the likelihood and severity of impact on strategic objectives. The risk register provides details of management actions to avoid or mitigate high risks and the residual risk trend. Risk registers should be continuously updated and should reflect adjustments to the ranking of existing risks after management action and as new risks are identified. The risk management process should be continuously monitored and appraised as part of routine performance monitoring and compliance activities.
The supervisory ministerial body or the board of the organisation should be the final authority in ensuring that enterprise risk management is implemented with integrity, with clearly defined roles and responsibilities with regards to risk management. The chief executive is the statutory risk lead, and in consultation with the management team, is responsible for the overall management of enterprise risk management within the organisation. A corporate risk management unit will be of benefit in assisting the chief executive to implement the enterprise risk management processes. Such a unit will deploy necessary tools and personnel for the implementation of risk management within the organisation. All staff of the organisation have shared ownership of the enterprise risk management process and would be responsible for ensuring risk management actions are effectively implemented. Public sector organisations maintain strong linkages with external partners such as states, public and private organisations, and civil societies. These partners have risk implications, and therefore, it is important to sensitise external partners and interface with the risk management processes of partners.

Conclusion
The benefits of risk management are not in doubt. A robust risk management approach which integrates risk management processes with enterprise-wide internal control and compliance mechanisms, and is aligned with organisational objectives, is now a global practice. The enterprise risk management approach is holistic and centralised. It is a deviation from the traditional risk management approach which independently manages segments of risk in categories or silos. Enterprise risk management strengthens the achievement of organisational objectives. In addition, it is recommended that the public sector in Nigeria should support staff professionalism and create cadres for compliance and risk management officers. Establishment of enterprise risk management processes will enhance accelerated achievement of the aspirations of the Government of Nigeria.