Current Use of the Risk Register to Integrate Strategy and Risk- and Performance Management: A Case of a University of Technology in South Africa

Since October 2015, South African higher education institutions have faced continuous student protests: first, as a plea for free education and better accommodation; later, for revising policies on the language of instruction and the insourcing of cleaners, gardeners and security guards (Mavunga, 2019). Free education became a reality in 2018, increasing the burden on the constraints of resources faced by South African higher education institutions. Therefore, integrating strategy with risk and performance management has become urgent to ensure that higher education institutions can “incorporate tactics to deal with challenges” (Moloi, 2016).

Principle 11 of the King Report on Corporate Governance for South Africa (King IV Report) stipulates that risks should be governed to support the organization in setting and achieving its strategic objectives (IoDSA, 2016). In June 2017, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released their new framework where risk management is integrated with strategy and performance (COSO, 2017).

Figure 1 indicates how the risk register links the strategic objectives (required to identify risks) with risk management (required to manage the identified risks so that the strategic objectives are achieved) and performance management (to ensure effective and efficient execution of controls by control owners), resulting in achieving the strategic objectives. Independent performance measurement occurs when the internal auditor evaluates the controls’ effectiveness in achieving the strategic objectives. Therefore, strategy, specifically strategic objectives, is the starting point for internal audit engagements (Drascek, Buhovac & Lawrie, 2019).

Table 1 reflects the different performance outcomes if one of the risk register’s three elements (as depicted in Figure 1) is not identified or addressed. In the first scenario, the management of an entity does not identify any objectives (orange column) to be achieved, and it is impossible to identify risks (red column). As a result, no controls or internal audit engagements are required to test the effectiveness of controls (green column). In the second scenario, management has identified objectives but has no risk management in place to identify risks, resulting in no controls being identified and the objectives not being achieved. In Scenario 3, management identified objectives and risks but has not implemented the controls. The internal auditors concluded that the controls were ineffective, resulting in the objectives not being achieved. Scenario 4 depicts an ideal situation: management identified objectives and risks, implemented the necessary controls to address the identified risks, and internal auditors concluded that the controls were working effectively, achieving objectives.

The council of a higher education institution is responsible for providing strategic direction (SA, 2017) and therefore approves a five-year institutional strategic plan to provide the executive management with such direction. This plan details the vision, values, mission and institutional goals. To populate the risk register, management needs to be clear on what they want to achieve with each strategic objective, what prevents them from achieving these objectives (risk), what they need to do (internal controls) or not do to prevent, detect or correct the risk, and who (control owners) are responsible for managing the measures (internal controls) to achieve it. The internal auditors use these risk registers to evaluate the effectiveness of risk management and prepare their annual internal audit plan for the internal audit engagements (IPPF, 2017). At the university of technology (UOT) under review, the risk management policy prescribes that risk registers are reviewed and updated with risks not yet included, risks that have been dealt with and new or additional control measures to manage the identified risks monthly (UOT, 2019a).

The Institutional Statute (SA, 2017) also requires that employees are subject to continuous performance evaluations. Therefore, the council of the UOT under review has approved the implementation of the Performance Management and Development System (UOT, 2017a). One of the key objectives of the Performance Management and Development System is to “[c]reate a clear direction for employees by ensuring that individual and teamwork is aligned with the strategic efforts and direction of the University” (UOT, 2017b).

Reflecting on the above, if the risk register is only used for risk management purposes by the UOT’s management and not to integrate strategy and risk and performance management, it may result in the ineffective utilization of the UOT’s resources, adversely impacting the achievement of the UOT’s defined strategic objectives. Consequently, this research paper originated from a study by Pretorius (2021) on how a UOT’s management uses the risk register to integrate strategy, risk and performance management to fulfil the requirements of a Magister Technologiae inAuditing.

The literature review commenced by identifying the fields currently included in a risk register and the benefits and weaknesses of using a risk register. This was followed by reviewing the literature to understand the characteristics required by the risk register to integrate strategy and risk and performance management. Lastly, it addresses the use of task registers in international and local universities.

A risk register answers the questions of what can go wrong (identify risk), what would cause it to go wrong (identify root causes) and what could be done to prevent it from going wrong (risk response and internal control) (Coetzee et al., 2018). Uzulāns (2018) states that “a risk register represents a significant risk management document that summarizes the identified risks, results of risk analysis and management”. Craig (2018) stresses that risks are included in the risk register to ensure “responsibility for planning and acting to mitigate the risk”. O’Har, Senesi and Molenaar (2017) explain that a risk register is “a document detailing identified risks in the organization at either the enterprise or the program level” and that for each risk, the risk register includes at least a description, cause, likelihood or probability of occurring, effect(s) on objectives, proposed responses, controls to mitigate the risks, remaining exposure, owner and current status.

Dunovic, Radujkovic and Vukomanovic (2013) agree that risk registers can include the following uses:

· a document that contains risk information;

· a risk management tool; or

· a central part of the risk management process.

The internal auditors also use the risk register to plan their internal audit engagements (IPPF, 2017). Appendix C of The Guide to Risk Based Internal Auditing (IIA Global, 2014) prescribes the following fields in a risk register:

· business unit;

· process;

· process description;

· key risk to process;

· inherent risk score (in terms of impact and likelihood);

· risk response (terminate, tolerate or transfer);

· detailed risk response (including the internal control);

· monitoring in terms of impact and likelihood;

· control effectiveness score; and residual riskscore.

COSO (2017) advises that the risks included in the risk register should be described precisely to assist management in:

· understanding the impact of the risk on strategy, strategic objectives and performance to effectively manage the risk;

· accurately assessing the likelihood and impact of the risk on the strategic objective;

· selecting the best risk response to address the root cause to minimize the impact; and

· identifying interdependencies between risks linked to different strategic objectives.

Risk is precisely described when it contains a potential root cause, the potential impact associated with the risk occurring, and the potential effect of poorly implemented risk responses (COSO, 2017).

Principle 11 (COSO, 2017) requires that the risks (inherent risk) included in the risk register should be assessed in terms of likelihood and impact to determine the severity of the risk.

When risk registers are used optimally, they bring together the different units and departments within entities and employees with different responsibilities (Budzier, 2011), stimulate communication between a diverse group of employees (Budzier, 2011), assist with prioritizing the “resources, attention and effort” for the root of the risk (Budzier, 2011), and help management to identify trends that can assist them in accurately responding to those risks (Whipple & Pitblado, 2010).

Nevertheless, incorrect use of a risk register may result in a poor understanding of risk terminology used while populating the risk register (Balfe, Leva, McAleer & Rocke, 2014), signify different risk consequences to a range of employees (Balfe et al., 2014), contain incomplete lists because not all risk categories were considered (Balfe et al., 2014), and, if the risk register is seen as another report that needs to be prepared, it adds to employees’ current workload and can reduce the quality of the data therein (Balfe et al. 2014). It may also become a tick-box exercise to comply with regulations (Sidorenko & Demidenko, 2017), and management might be so busy managing the risk registers that they forget to manage the risks within the entity (Budzier, 2011).

In comparing the fields of a risk register with the characteristics of strategic and risk and performance management (see Table 2), it is evident that the risk register can be used to integrate strategy with risk and performance management.

COSO (2017:98) further states that the focus should not be on creating a new and separate information system or even separate streams for ERM. It is usually more efficient for an organization to leverage its existing information systems to capture what it needs to understand risk, make risk-aware decisions and fulfil reportingrequirements.

The University of Canterbury’s Risk Management and Compliance Framework (2019) indicates that the risk manager is responsible for maintaining the strategic risk register developed by executive management as informed by the risk registers developed at faculty and service unit levels. The risk advisory committee, the audit and risk committee, and the council review the strategic risk register. This framework (University of Canterbury, 2019) explains a risk register as a document that includes

a description of the risk, its causes and its impacts, an outline of the existing internal and external controls, an assessment of the consequences of the risk should it occur and the likelihood of the consequence occurring, given the controls, a risk rating and an overall priority for the risk.

It further explains that the risk register should identify “time-bound future actions or action plan” (University of Canterbury, 2019). The Southern Cross University risk management policy (2019) aims to “ensure that Risks to the University, its strategic plan or its objectives are identified, analyzed and appropriately managed”. It indicates that each work unit must maintain an operational risk register, and a project risk register must be kept for every major project in which the Southern Cross University is involved. A risk owner must be allocated to each identified risk in each of the above risk registers. A strategic risk register details the risks to the university’s strategic objectives. The risk management policy obtained from the University of Oxford indicates that template risk registers are available from the HeadofAssuranceanddescribesthestrategicriskregisteras“asummaryofthekey risks facing the University as a whole, and […] the document used by Council to manage risk” (University of Oxford, n.d).

South African public higher education institutions must prepare an annual performance plan, including an “institutional risk register” (SA, 2014). The risk register is, therefore, a legislated requirement.

This paper’s primary research objective was to establish how the UOT’s current management used the risk register in its processes to achieve strategic objectives, manage risk and assess performance. In addition, the study endeavoured to determine whether the UOT’s management used other management tools to achieve strategic objectives, manage risk and assess performance, and how often internal audits were performed to evaluate the effectiveness of the controls within the control environment of the UOT.

A mixed-method approach was used to obtain the relevant data for the paper’s defined objectives. The systematic steps followed in applying the mixed method approach are included in Figure 2. Mixed-method research is defined as “an approach to knowledge (theory and practice) that attempts to consider multiple viewpoints, perspectives, positions, and standpoints (always including standpoints of qualitative and quantitative research)” (Johnson, Onweugbuzie & Turner, 2007). Similarly, Bryman and Bell (2011) define mixed-method research as combining quantitative and qualitative research approaches in the same study.

As indicated in Figure 2, the research commenced with the qualitative collection of data through the analysis of the current literature to establish whether the risk register has the characteristics of a management tool (refer to Table 2 above). Based on the qualitative data collection and analysis, a structured questionnaire was developed to collect quantitative data to achieve the primary research objective, namely to establish how the UOT’s management currently uses the risk register to achieve strategic objectives, manage risk and assess performance. The structured questionnaire was administered through an online platform using Surveymonkey ®. A benefit of using a structured questionnaire for data collection is that it ensures that management is asked the same questions (Hofstee, 2006). Hofstee (2006) also indicates that some researchers recommend open-ended questions to provide the participants with an opportunity to “express themselves”. Therefore an “Other” option was included in most of the questions. According to Smidt (2016), the more understandable the questions included in the structured questionnaire, the more likely it is that the questions will be interpreted and answered correctly, contributing to the success of the research.

The research population consisted of 252 management members of the UOT under review (including all members of the executive management, campus management and faculty board committees, members of the risk reporting forum and staff contributing to developing the new strategic plan) who were invited to complete the questionnaire. The total number of online questionnaires returned was 127, resulting in a response rate of 50.4%.

Qualitative data gathered through current literature were analysed to establish whether the risk register has the characteristics of a management tool. Based on the qualitative data collection and analysis, a structured questionnaire was developed to collect quantitative data. Quantitative data gathered from the survey respondents were directly captured on Surveymonkey ® software and extracted into Microsoft Excel spreadsheet. This data were then analysed by the independent and objective statistician who imported it inot statistical analysis system. Some reformatting of the data was performed in order to have the data in an acceptable form to analyse. Recodeing was done on some of the responses to facilitate statistical data anslysis.

South African higher education institutions can either be public or private (SA, 1997:8). According to the current registers on the National Department of Higher Education and Training’s (DHET) website, there are 26 public (DHET, 2020) and 99 private higher education institutions (DHET, 2019) in South Africa. This study was limited to one higher education instititution, referred to as the “UOT under review”.

Another limitation of this study was its focus on management’s use of the risk register and not any other party.

The risk register combines strategy and risk and performance management in one document. The questionnaire results provided insight into how the UOT’s current management uses the risk register in its processes to achieve strategic objectives, manage risk, assess performance, whether the UOT’s management uses other management tools to achieve strategic objectives, manage risk, assess performance, and how often internal audits were performed to evaluate the effectiveness of the controls within the control environment of the UOT.

Almost half (49.6%) of the participants indicated they received training on using the risk register.

From Figure 3, it is evident that most participants (79.5%) believed that the risk register was populated to manage risks in their work environments. In comparison, 40.2% indicated that it was populated to comply with legal requirements. Moreover, 25.2% indicated that it was populated to comply with the requirements of the Executive Management Committee (EMC), and 19.7% indicated that it was populated to assist the auditors. In the “Other” category, two participants indicated that the risk register was populated:

· For the sake of doing it; and

· Just so that it was done — not really anything to do about risk.

Figure 4 depicts the participants’ opinions on how the risk register is initially populated in their environment. In total, 62 participants (48.8%) indicated that they “Agree” and “Strongly agree” that the risk register was populated during a risk assessment workshop. In comparison, 56 participants (44.1%) indicated that one person was responsible for initially populating the risk register, followed by 52 participants (40.1%) who indicated that it was populated during a strategic workshop, and 37 participants (29.1%) indicated that it was populated during an ordinary faculty board, Campus Management Committee (CMC) or Executive Management Committee (EMC) meeting. The “Unknown” category in Figure 4 represents the 11 participants who did not rate this statement. A statement under “Other” in the open-ended question worth mentioning was: Even though the risk register is populated in meetings or workshops, it is not always completed.

Regarding their understanding of risk, 47.2% of the participants correctly indicated that risk was an uncertain event that would prevent an objective from being achieved. Of the participants, 15.0% indicated it was an event that may occur leading to a control being implemented, 13.4% indicated it entails exposure to hazard or danger, 7.9% indicated it is a chance that something might go wrong, 4.7% indicated it is a loss (injury, death, financial, discomfort, inconvenience), and 0.8% indicated it implies taking a chance without knowing the outcome. It is important to note that 14 participants (11%) did not respond to this question.

As presented in Figure 5, brainstorming and SWOT analyses were mostly used to identify risks to be included in the risk registers: both had 83 participants (65.4%) who indicated that they “Agree” and “Strongly agree”, closely followed by the use of a document review with 81 participants (63.8%), a Political, Economic, Social and Technological (PEST) analysis (37%), a paper survey (33.1%), interviews (31.5%), and the least used, the online survey (26.8%). Eleven participants (8.7%) did not respond to this question.

Participants with expertise in strategic and risk and performance management mostly“Agree”or“Stronglyagree”with brainstorming as the method that best describes how risks are identified in their environment than those who indicated that they lacked this expertise. Participants who indicated they had been part of management for less than one year rated online surveys significantly higher than those who indicated they had been part of management for more than ten years. Thus, the participants who indicated they had been part of management for less than a year to a greater extent supported online surveys as a method to identify risk than participants who indicated they had been part of management for more than ten years.

Participants who indicated that they were not in an acting position rated document reviews and SWOT analyses more significant than participants who indicated that they were in acting positions. This means that permanent employees, as opposed to employees in acting positions, indicated that document reviews and SWOT analyses were primarily used as methods to identify risks in their environment.

Figure 6 depicts the responses to how often risk registers were reviewed and updated. Thirty-one participants (24.4%) indicated that their environments reviewed and updated their risk registers every quarter. In comparison, 28 participants (22.1%) reviewed and updated their environment’s risk register once a year, followed by 24 participants (18.9%) who updated them during the monthly meetings, 23 participants (18.1%) who updated them every time the new strategic plan had been approved for the UOT under review, and ten participants (7.9%) selected “Other”. In this case, 11 participants (8.6%) did not respond to this question.

Risk management is a standing item on the agenda of 65.4% of the participants’ environment management meetings.

From Figure 7, it is evident that 108 participants (85.1%) referred to the risk register to assist them with their day-to-day responsibilities. Only eight participants (6.3%) indicated that they never referred to the risk register. Daily referral to the risk register was made by 36 participants (28.3%), while 24 (18.9%) indicated that they referred to the risk register every quarter. This was followed by 18 participants (14.2%) who referred to the risk register every semester, weekly referrals by 16 participants (12.6%), and both annual and monthly referrals were selected by seven participants (5.5%) each. Eleven participants (8.6%) did not respond to this question.

Although 108 participants (of the 116 participants that responded to this question) indicated that they referred to the risk register, 38 (32.8%) of these participants did not rate their reasons for referring to the risk register, as depicted in Figure 8.

The reasons for referring to the risk register (listed from the most “Agreed” and “Strongly agreed” responses to the least “Agreed” and “Strongly agreed” reasons) were:

• to create awareness of objectives, risks and controls applicable to the environment for which they were responsible (72 participants, representing 56.7% of the sample), and

• to ensure that a risk identified during the day-to-day operations was included in the risk register (64 participants, representing 50.3% of the sample).

In addition, reasons cited for referring to the risk register—other than for risk management purposes—were:

• to confirm the objectives of their environment (62 participants, representing 48.8% of the sample);

• to assess whether their environment’s efforts addressed the objectives of their environment (59 participants, representing 46.5% of the sample);

• to assist with the performance contracts/job profiles of subordinates (45 participants, representing 35.4% of the sample); and

• to assess subordinates’ performance (43 participants, representing 33.9% of the sample).

Figure 9 illustrates that 56.7% of the participants indicated their environment’s performance was annually assessed against their strategic objectives. In contrast, 14.2% of participants indicated that it was never assessed against their strategic objectives, and 9.5% indicated that it was assessed every five years. Fourteen participants did not respond to this question.

Responses included under “Other” (8.7% of participants) indicated:

· Every semester

· Quarterly;

· Monthly

· When feedback in this regard is requested by Pretoria

· Not since I started, and

· I don’t know, No idea, and Unsure.

As depicted in Figure 10 (below), the participants indicated that they used the following management tools (refer to the additional research objectives defined for this paper): strategic management was used by 70.9% of the participants, key performance indicators were used by 61.4%, job profiles were used by 50.4%; budgets were used by 49.6%, performance agreements were used by 49.6%, strategy maps were used by 11.8%, and balanced scorecards were used by 7.9% of the participants.

Two “Other” management tools were mentioned by the participants, namely:

· policies, and

· monitoring, evaluations and reporting systems (MERS) software.

Based on the discussion of Figure 8, four of the six reasons for referring to the risk register were not linked to risk management. Therefore, it was expected that the risk register would have been mentioned as an “Other” management tool.

Participants who claimed to have strategic and risk management expertise were more likely to use KPIs, performance agreements, job profiles and budgets as management tools used in their environment than those who reportedly did not have these areas of expertise. Participants with expertise in strategic management also selected strategy maps as a management tool used in their environment. Participants with reported expertise in performance management were more likely to select strategic management and key performance indicators as additional management tools used in their work environment than participants who did not report having performance management expertise.

Regarding the participants’ awareness of internal audit teams’ engagement in their environment (refer to the additional research objective defined for this paper), Figure 11 shows that 38.6% of participants were not aware of any visits by the internal auditors since their appointment in their environment. Of the participants, 27.6% indicated that they were audited in the previous year (2019), 7.9% were visited by internal auditors while completing this questionnaire, 2.4% were visited in the semester before data collection, and 1.6% were visited by internal auditors the month before the questionnaire was sent out (June 2020). Fourteen participants (11%) did not respond to this question. Comments included under “Other” included:

· Sometime in 2012

· Two years ago

· Three years ago

· 5 years back

· Almost 5 years ago

· 6 years

· More than 10 years ago

· More than 6 years ago

· Systems audits are done every 4 to 5 years

As part of the comments included under “Other”, participants also indicated that the Directorate of Quality and Promotions of the UOT under review performed an audit in 2010.

The comments included under the “Other” category illustrate that the many participants’ environment was last audited more than a year before this study. Of the 113 responses to this question, 64 participations’ (57.7%) environments had therefore been audited.

Figure 12 illustrates that 61.7% of participants indicated that the internal audit findings were discussed, and action plans were developed to implement recommendations. However, 13.3% indicated that they did not know the audit’s outcome, as the internal audit report was not discussed with them but with other management members. Similarly, 13.3% indicated no internal audit report was issued, and 6.7% indicated that the internal audit report was discussed with them, but no recommendations for improvements were actioned. The 5% comments included under the “Other” category were:

· Financial Audit Reports are done annually and reported to shareholders

· Don’t know

Since the UOT under review is faced with rising student enrolment figures with a decrease in resources, an effective management tool is required to improve the application of these resources in reacting to the increased challenges. The risk register has the potential to be used as a management tool as it includes the UOT’s strategic objectives, risks preventing the UOT from achieving its objectives, measures (controls) implemented to prevent the risk from occurring, the staff (control owners) responsible for the measures, and an evaluation of the control effectiveness. The following paragraphs will discuss the implications for the previous section for the primary research objective of this paper, namely to determine how the UOT’s management used the risk register to integrate strategy with risk and performance management.

The analysis of the structured questionnaire indicated that management of the UOT under review used the risk register to manage risk. On the questionnaire, they selected as the best description of the populated risk register the option “to create awareness of objectives, risks and controls applicable to the environment responsible for”. It is important to note that the management was aware that the risk register included the three elements required to integrate strategy with risk and performance management, namely objectives (as part of governance), risks (as part of risk management) and controls. This aligns with Principle 11 of the King IV Report (IoDSA, 2016:61), which states that risk should be governed to support the organization in setting and achieving its strategy. However, it is concerning that only 18.9% of the respondents indicated that the risk register should be reviewed and updated monthly. Therefore, it appears as if the majority of the respondents did not see the risk register as a dynamic document that needs to be updated regularly, which is contradictory to the recommended practice of IoDSA (2016:61), requiring that risk should be “integral” to the day-to-day running of the business.

One of the weaknesses raised by Balfe et al. (2014:572) when populating the risk register is that the terminology used is not always well understood. This study determined that although only 47 participants (37%) had risk management expertise, 49.6% of the participants indicated that they had received training on the risk register’s use at the UOT under review. As a result, this should minimize the possibility of the risk register being incorrectly populated due to management not understanding the terminology.

The result of the structured questionnaire supports the concern raised by Balfe et al. (2014, 575) that the risk register is seen as just another report. Although 79.5% of the participants agreed that the risk register was populated to manage risk at the UOT under review, 40.2% agreed that it was populated to comply with legal requirements. However, 25.2% cited that the reason for completing the risk register was to comply with the EMC requirements, which aligns with the concern raised by Sidorenko and Demidenko (2017, 2) that a risk register is only prepared to comply with the reporting regulations.

In response to the additional research objective defined for this paper, namely to determine how often internal audits are performed to evaluate the effectiveness of the controls within the control environment of the UOT, 60 respondents indicated that internal auditors had audited their environment. Of this group, 70% indicated that it was performed in 2019, 16.7% were being audited at the time of the survey (July 2020), 5% were audited during the previous semester (Semester 1 of 2020), 5% were audited before 2019, and 3.3% was audited in the previous month (June 2020). Of the 60 respondents who indicated that their work environments had been audited, 61.7% reported that the internal audit reports had been discussed with them and action plans were developed to implement the recommendations included in the report. Regular internal audit evaluations of control effectiveness also took place. As suggested before, these evaluations of controls can be applied as independent and objective performance management of the control owners (IPPF, 2017:29).

Included in the management tools also used by the management of the UOT under review was monitoring evaluation and reporting system (MERS) software. This software assists management in linking plans, goals, objectives, performance indicators, risk management to the performance management and development systems (UOT, 2019b:79). Although the primary research objective of this paper was to establish how the UOT’s management uses the risk register to achieve strategic objectives, manage risk and assess performance, it appears that management realized the value of integrating strategy with risk and performance management, but not through the use of the risk register.