The Implementation of Risk Management in Malaysian Public Sector to Sustain Federal Government’s Revenue

The purpose of this paper is to examine the implementation of a risk management framework and process in the Malaysian public sector, particularly in the main collector agencies of the Federal Government of Malaysia (FGOM). The sustainability of the government’s financial situation became a concern among the public. The scrapped goods and services tax (GST), the reintroduction of the sales and services tax (SST) and level of national debt triggered various responses. The public expects the government to identify the risks systematically and take action to minimize the impact. Thus, the government should implement risk management to enhance the effectiveness of public sector financial management. The research method involved administering a questionnaire to five main revenue collector agencies of the FGOM. The respondents were staff members holding senior and middle positions in the accounts, finance, and revenue collection department or unit of the agencies. The significant findings on the extent of risk management in the Malaysian public sector were still not practiced systematically. The risk management framework was not sufficient and the risk management processes were not embedded to ensure that staff across the organization collaborate and co-operate to manage risks. In the Malaysian context, written policies should be published to practice risk management systematically in the public sector since it is the critical success factor in implementing any system in the government. The policies should be followed by further guidelines in phases to improve risk management implementation.


Introduction
Nowadays, a lot of people have started to gain financial awareness and be concerned about the government's financial ability, national deficit and level of debt. This is resultant from the global government financial crisis that happened in a few countries. The American government faced shutdown due to the issue of increment in its borrowing limit or the debt ceiling in 2013 [1]. Prior to that, there was the European Union sovereign-debt crisis caused by government over-spending that happened in late 2009 and was connected to debt increase as in the case of Greece [2].
The Malaysian government has been tabling budget deficits for many years since 1998 [3]. In the Government Transformation Plan (GTP), the government had set a target to ensure the economy grows continuously and progressively to reduce and put an end to its fiscal deficit by 2020 [4]. However, the fiscal deficit target was revised due to the change in the country's administration in 2018 after taking into account the scrapped goods and services tax (GST) and the reintroduction of sales and services tax (SST) [5]. The new government was committed to maintaining a path of fiscal consolidation to achieve a deficit of 3.4% in 2019, 3% in 2020 and 2.8% in 2021 of the Gross Domestic Product (GDP) [6]. Furthermore, the Federal Government debt was at RM741.05 billion or 51.8% of GDP as at December 2018 [5]. Thus, the government has to sustain revenue collection to control the deficit and debt levels. To achieve this, the effectiveness and efficiency of the revenue collection system needs to be improved.
This study reviewed the Federal Government's Financial Statements and the Auditor-General's Report over a five-year period (2014 to 2018) and found two issues presumed as risks in revenue management should be highlighted. First, the performance of revenue collection by the Federal Government for a few years did not achieve the actual target, as shown in Table 1. It was reported that the total amount of revenue collected from 2014 until 2018 was less than the targeted total revised estimate, by between 0.1% and 2.2% [5,[7][8][9][10]. Second, to increase the Federal Government's revenue, one of the actions that can be taken is to collect the account receivables (AR) as highlighted in the Auditor-General's Report [11]. Account receivables is the amount of money that should be received by the government in the time allocated yet fails to be collected which comprises arrears of revenue, loan repayments, and other outstanding amounts [11]. The net balance of AR as at 31 December 2018 was RM29.03 billion [11]. This huge amount, if successfully collected, can increase the government's revenue. In 2018, a total of RM0.02 billion of the uncollectable amount was written-off inclusive of the amount that has been outstanding for more than six years [11]. Table 2 summarizes the record of the receivable and written-off amounts for the period of five years. AR is as an assets to the government. However, amount uncollected after six years might be written off. Among the reasons for writing off AR are the debtor is bankrupt, not detected or unable to repay debt [12]. In the opinion of the Auditor-General [12], the written off AR is a loss to the government. The amount of AR aged more than six years is RM1.98 billion as at 31 December 2018 or 6.8% of the total net AR. The total of RM0.08 billion was written off in 2018 and a total of RM4.09 billion was written off for the five years since 2014.
Income tax, being the major income for the country, is very sensitive to the economic situation, so the government must identify the risk in relation to revenue collection and the appropriate action to mitigate the risk. The tax collection will be affected by factors such as lower average crude oil prices and economic growth or recession, which affect to individuals' or companies' incomes [10]. Thereby, it is believed that the implementation of systematic risk management is necessary to manage risks or seize opportunities to increase revenue collection and to achieve the target. This is because in the private sector, especially financial institutions, the implementation of risk management provides and enhances the ability to achieve the highest possible returns [13]. The impact on the in public sector context is yet to be discovered.
A vital responsibility of public sector organizations is to create greater efficiencies and effectiveness through providing better services that are less costly and minimize waste, fraud, and poor value-for-money decision-making [14]. For any organization to cope with these ever-increasing demands, the key business objectives need to be identified, along with the key risks to achieving those objectives [15]. Both the public and private sectors face a range of risks that can disrupt or cause a serious detriment to the operation, efficiency and even survival.
The public expects that the government to identify the risks systematically and take an action to minimize the impact. Thus, the government should also seek how risk management can be implemented to enhance the effectiveness of revenue management in the public sector.
This research aims to examine the implementation of a risk management framework and process in the Malaysian public sector particularly in main collector agencies for Federal Government. Two criteria, i.e., risk management framework and process, are used to measure the extent of risk management that had been implemented in the revenue system at main revenue collector for the Federal Government to sustain and achieve the targeted amount of revenue. Findings from this research would assist the government in deciding a policy on a systematic risk management practice in the public sector based on the present context. This paper makes a significant contribution to the literature by exploring the gap in the present body of knowledge about risk management in the public sector context, particularly in Malaysia. This article commences with a discussion on an overview of risk management and a review of the past studies conducted in the public sector context. Then, this article outlines the research approach, followed by an analysis of the empirical data. The last section summarizes the finding and discusses the potentials for implementing risk management effectively in the public sector.

Overview of Risk Management
The international risk management standard or ISO 31000 defines risk as the effect of uncertainty on achieving objectives with risk management being the set of principles, frameworks and processes for managing risks [16]. Generally, the implementation of risk management is significant to achieve organizational goals by minimizing the negative impact before it happens [17]. This systematic methodology is needed to identify, analyze and mitigate risks that could be linked to the revenue collection process.
The risk management process typically involves a seven sequential process as illustrated in Figure 1, which can be distinguished into establish the context, risk identification, risk analysis, risk evaluation, risk treatment, risk monitoring/review and communication/consultation [16]. It may be a highly iterative process over time if new risks are identified where the earlier processes of identifying and analyzing risks will be revisited and the subsequent processes are repeated [13].

Past Studies on Risk Management in Public Sector
In a decade, there has been a number of high-profile cases that resulted in an increased demand for effective risk management processes such as Bhopal and Exxon Valdez [18]. The pleasing outcome was a number of governance and risk management developments in the private sector such as the Cadbury Report [19] and Turnbull Guidance [20]. However, it would be inappropriate to say that the only response to calls for better risk management has been in the private sector. Indeed, much useful pioneering work has already been undertaken in parts of the public sector. Apparently, the impact of governance and risk issues in the private sector has overshadowed the thinking and practices in the public sector to facilitate the achievement of strategic objectives [21,22].
However, it may be too simplistic to assume that the implementation of formal risk management in both private and public sectors that appear to have strong similarities will have similar results. Anecdotal evidence suggested that public sector risk management is distinct and different from private sector risk management [23], but there is a lack of academic literature that tests such views [22]. The techniques and processes originally developed for private sector organizations cannot be applied to the public sector context due to the difference in the objective and nature of the public sector in terms of monopolistic situation and the absence of a profit imperative [24].
In fact, most studies on risk management are related to the private sector rather than public sector [25]. Some studies on the implementation of risk management in the public sector were done in the United Kingdom and other countries (i.e., Chen & Bozeman [26]; Collier & Woods [27]; Crawford & Stein [28]; Hood & Smith [25]; Woods [22]) but there was no study conducted on the Malaysian public sector [29]. In general, the studies of risk management, particularly in the public sector, are still in the infancy stage and differ in focus than the current study. Table 3 shows the summary of previous studies on the implementation of risk management in the public sector.

Risk Management in the Malaysian Public Sector
In identifying to what extent the risk management has been implemented in the Malaysian public sector, a review of past literatures was conducted. In general, there is a lack of academic literature conducted in the Malaysian public sector. The study by Bakar and Saleh [29] is significant to be highlighted to depict the gap in the public sector accounting research in Malaysia. Their study aimed to identify the gaps by reviewing 65 literatures spanning 30 years, from 1981 to 2010. Their study in general provided evidence on the following issues: The scarcity of literatures on the Malaysian public sector accounting whereby on average only one journal article was published every year; The literatures do not sufficiently cover the various types of the Malaysian public sector entities, especially the statutory bodies; The literatures do not cover different accounting issues, and certain research areas such as governance and risk management do not receive much attention from researchers (summarized in Table 4); Since, there is a lack of academic literature, another approach has been taken by identifying and reviewing all the official publications issued by government departments which consists of circulars, instructions and annual reports. In the public sector context, the critical success factor in determining the first stages of implementation of any system is policy. The central government's policy is classed as the most powerful contingent variable other than organizational size or information and communication technology [22]. From a government department's perspective, a policy is reflected as an obligation to implement any instruction given as stated in that policy. The managers in the public sector have taken action within the boundaries allowed by the policy. All ministries, departments, and agencies should practice risk management techniques before embarking on certain projects or programs in particular those that are high-risk in order to minimize the risk while being implemented.
(Prime Minister's Department, 2009). The instruction was a brief statement without being followed by further details regarding the method or procedure for implementing risk management. This raises the question whether risk management has been implemented efficiently and effectively in the Malaysian public sector. The release of the Auditor-General's Report [31] also highlighted the issues of risk management implementation in the Royal Malaysian Customs Department (RMCD). The audit findings revealed that risk management was not widely used by RMCD [31]. Among the weaknesses found were the risk management framework was not sufficient; the risk management systems and procedures were neither comprehensive nor updated; insufficient personnel were trained in the latest techniques of risk management; the concept of risk management had not been fully applied; and monitoring programs for continuous improvement of the risk management framework were not prepared [31].
Based on these facts, it can be argued that the implementation of risk management in the Malaysian Federal Government agencies has not yet been explored. This is coupled with the absence or lack of policies and guidelines on the implementation of risk management, which can be obtained through a document issued by the government or past literature. More empirical evidence is required to understand on the risk management implementation in the public sector in Malaysia. Hence, this study contributes toward exploring the gap in the present body of knowledge about risk management in the public sector. In this study, each agency was sent a questionnaire with a Sector to Sustain Federal Government's Revenue personalized covering letter explaining the general purpose of the study and promising anonymity. The respondents were asked of their opinion on the stage of implementation of the risk management framework and process in their organization. Follow-ups were later made after two weeks through email to encourage them to respond to the survey which subsequently contributed to the high response rate.

Profile of Respondents
In this study, 161 responses were received from the 191 questionnaires distributed, representing a response rate of 84.3%. The non-response bias was tested by comparing the means on the variables of interest between 91 of the early respondents and 70 of the late respondents using the independent-samples t-test. No significant differences were found between the groups; providing little evidence of non-response bias in the data. The respondents comprised of assistant director or executive (44.8%), followed by accountants (24.2%), others (10.6%), directors of departments (9.9%), deputy directors (6.8%) and auditors (3.7%). The profiles are presented in Table 5.

Profile of Organizations
This study focused on five main collector agencies which contributed on average approximately 80% of the overall total of the Federal Government's annual revenue based on the figure in Table 6. Each agency is responsible for managing the collection for different categories of revenues. The IRBM is responsible for the collection of direct taxes, while the RMCD is responsible for the collection of indirect taxes. Non-tax revenue and non-revenue receipts are collected by various ministries and departments such as the JIM, JPJ, and PDRM. This study also identified the organizational entities that play a role in managing risk management. Some organizations institutionalize risk management through existing entities with other duties, such as internal audit or corporate strategy, while other organizations institutionalize risk management with a new and specific entity [32]. Thus, the organizational chart and profile were reviewed to determine the entity within the organization responsible for implementing the risk management function. The IRBM is the only main collector agency that has a specific risk management division in a formal structure. However, the RMCD established two small units responsible for executing the rating process of tax payers by measuring related risks. There are no specific divisions or units responsible for practicing risk management function in JPJ, JIM and PDRM.

Data Analysis and Results
A descriptive analysis was used to determine the extent of risk management practices implementation and the perception on the importance of its implementation. Data from the questionnaire survey were analyzed using the Statistical Package SPSS version 21. This study went through all the tests in data cleaning and screening by using different methods of analyses which included the non-response bias test, missing data imputation, outlier detection and treatment, and common method bias test. Thus, two individual cases were deleted at this stage when the missing data exceeded 10% for an individual case and eight cases with a large Mahalanobis distance were omitted because of outliers. Hence, the remaining 151 responses were utilized for further data analysis.

Development of Risk Management Framework
Based on ISO 31000, risk management (RM) framework is composed of five steps; mandate and commitment; design framework; implement framework; monitor framework and improve framework [16]. Table 7 shows the stage of RM framework development implemented in five main collector agencies based on respondents' opinions. The stage of RM framework is classified into five categories: complete RM framework in place; partial RM framework in place; no formal RM framework in place but there are plans to implement one; currently investigating the concept of RM but have made no decision yet; no RM framework in place and there are no plans to implement one; or not sure. All respondents in each organization considered their organization as having implemented RM but had a different view on the exact implementation stage as the results are presented in Table 7. The stage of RM framework development in each agency was measured based on the majority of the respondents' opinions in the respective agency. The majority of respondents in IRBM and RMCD stated that their organization had a complete RM framework in place that comprised of 58.8% and 71.4% of respondents, respectively. However, the majority of respondents in JIM (40.6%) and JPJ (33.3%) were not sure of the stages of risk management implementation in their organization while, PDRM has implemented a partial RM framework based on the opinion of 50.0% respondents. In addition, only four of respondents in JIM (12.5%), three respondents in JPJ (16.7%) and one respondent (25.0%) in PDRM believed their organizations had a complete RM framework in place.

Implementation of Risk Management Process
The implementation of risk management framework refers to the execution of the risk management process, implying the extent of risk management practices in each organization. The respondents were asked their opinions on the risk management process that had been carried out in their organizations which are: establishing the context; risk identification; risk analysis; risk evaluation; risk treatment; risk monitoring and review; and communication and consultation [16]. Table 8 shows the respondents' feedback on the RM process that had been carried out in their organizations. The implementation of the RM process in each agency was measured based on the majority of respondents' opinions in the respective agency. Two groups of respondents in IRBM, which comprised 29.4% of respondents, expressed views that their organization had carried out all or just half of the seven RM processes. In RMCD, the majority of respondents (44.5%) stated that their organization had performed all the RM processes. Meanwhile, the majority of respondents in JIM (62.4%) and JPJ (77.8%) felt that their organization had performed only one or two of the RM process. However, each of the four respondents that were involved in PDRM gave a different view about the RM process.
Further analysis was carried out to determine whether the stages of RM framework development were in line with the implementation of all seven sequential RM process stated in ISO 2009. Ideally, if the organization has implemented a complete RM framework it means all the seven processes also have been carried out. Thus, the analysis matched two opinions on the development of the RM framework and the RM process carried out as shown in Table 9.
The result in Table 9 shows that even though the 73 respondents stated that their organizations had implemented a complete RM framework, only 36 (49.3%) of them mentioned that their organizations had carried out all the seven RM processes. Other respondents gave different views by specifying that their organizations performed most of the RM processes (nine respondents or 12.3%), half of the RM processes (20 respondents or 27.4%) and a few of the RM processes (eight respondents or 11.0%). It was also found that for other stages of RM framework development, the majority of respondents felt that their organization was only implementing one or two RM processes.

Discussion
This study was conducted to review the extent of risk management that had been implemented in the revenue system by the main revenue collectors for the Federal Government to sustain and achieve the targeted amount of revenue. Effective risk management is needed to enable the organization to deliver its objectives in light of those risks. Various responses on the stages of RM framework development and process indicated that risk management was not implemented systematically. Thus, it is not surprising when the Auditor-General's Report [31] highlighted the weaknesses of risk management implementation in one of the main collector agencies, such as the risk management framework was not sufficient, the risk management systems were not comprehensive, and the concept of risk management had not been fully applied [31].
The findings of this study also indicate that the risk management process is not embedded to ensure that staff across the organization collaborate and co-operate to manage risks. Effective risk management within organizations can only be achieved when staff are engaged in the risk management process to achieve objectives [33]. The management of risk is no longer limited to specific functions of an organization, but rather it should be part of any decision-making process [16]. Effective corporate governance requires risk management to be integral to policy, planning and operational management.
In general, risk management is not widely implemented in the Malaysian public sector, particularly in the main revenue collector agencies. This study found that just one surveyed agency, i.e., IRBM, implemented risk management systematically. The findings are supported by the feedback from the majority of respondents including the high-ranking officer, and the existence of a specific department responsible for the risk management function of IRBM. There is a strong argument that all organizations should have a specific entity that responsible for risk management function [32]. IRBM was the only organization with a risk management division in a formal structure. Since IRBM is a statutory body established under the Inland Revenue Board of Malaysia Act 1995, the organization is empowered by more autonomy especially in financial and personnel management. In contrast, other main collector agencies are government departments that only execute any activities in accordance with the policies and guidelines set by the central agencies.
In the public sector context, the critical success factor in determining the first stages of any system implementation is policy. The central government policy is classed as the most powerful contingent variable in driving the strategic objectives and achieving the performance targets of the public sector [22]. From a government department's perspective, policy reflects an obligation to comply and implement any instruction or regulation enforced by the government. The instruction issued by the Prime Minister's Department in 2009 to all agencies to practice risk management was inadequate since it was not followed by further and detailed guidance regarding the method or procedure for implementing risk management.

Conclusion
The government has been increasingly focusing on achieving a better performing public sector for some years now. Thus, the implementation of a systematic risk management process is a corner stone of good governance in the public sector to achieve its objectives for providing better service to citizens. The regulating body should promote best management practices of systematic risk management among all government ministries, departments or agencies as these practices will create a competitive advantage as well as help those organizations enhance their performance. In the Malaysian context, the written policies should be published to practice risk management systematically in the public sector since it is the critical success factor in implementing any system in government. The policies should be followed by further guidelines in phases to improve risk management implementation.
This study covered only the Malaysian public sector and thus, results might not be generalizable to other contexts. A future studies could investigate the implementation of risk management more comprehensively. A future studies could replicate the current study by utilizing different methodologies such as case studies. A case study approach might be employed to highlight differences and reasons in a more detailed context so that how and why practices and techniques are applied or not applied can be identified.