The Significance of Policy and Guidelines on Risk Management Implementation and Development in Malaysian and United Kingdom Public Sector

The purpose of this paper was to identify the significance of the policy and guidelines on risk management implementation and development in the public sector. Specifically, this paper compared the risk management implementation in the Malaysian and United Kingdom public sector by emphasizing the significance of policy and guidelines. Archival documents from government websites and relevant government agencies in Malaysia and United Kingdom were collected and critically analyzed. This study found that policy and guidelines are significant in risk management implementation and development in the public sector context. The central government policy is classified as the most powerful element as compliance with regulation is the dominant factor driving risk control systems in many organizations. In addition, suitable guidelines ensure organizations have good risk management practices and not just a one-off exercise, to facilitate the development of sustainable processes of risk management. The Malaysian government needs to decide to adopt a more formal and structured approach to risk management by incorporating the best practices from the private sector and benchmarks from a variety of public sector organizations around the world, such as the United Kingdom. The relevant guides and reports should be prepared by adopting various methods to contribute toward the development of risk management in Malaysian public sector.


Introduction
The international risk management standard ISO 31000 defines risk as the effect of uncertainty in achieving objectives, with risk management being the set of principles, frameworks, and processes for managing risks [1]. Generally, it is believed that the implementation of risk management is significant in achieving organizational goals by minimizing the negative impact before a risk happens [2]. Looking back in recent history, there have been a number of compelling cases that led to an increased demand for effective risk management processes, such as Enron in 2001, WorldCom in 2002, and the Asian financial crisis of 1997-1998 [3]. The pleasing outcome was a number of governance and risk management developments in the private sector, such as the Cadbury Report [4], Turnbull Guidance [5] and Enterprise Risk Management - Integrated Framework [6].
However, it would be inappropriate to say that the only response to calls for better risk management has been in the private sector. Both the public and private sectors face a range of risks that can disrupt or cause a serious detriment to the operation, efficiency, and even survival [7,8]. The Audit Commission in the United Kingdom clarified that much useful pioneering work has already been undertaken in parts of the public sector since 1999 [9]. The impact of governance and risk issues in the private sector has overshadowed the thinking and practices in the public sector to facilitate the achievement of strategic objectives [10,11].
Notwithstanding, it may be too simplistic to assume that the implementation of formal risk management in the private sector would have strong similarities to, and the same outputs as, that in the public sector. Anecdotal evidence suggested that public sector risk management is distinct and different from private sector risk management [12,13], but there is a lack of academic literature that tests such views [11]. The techniques and processes adopted by private sector organizations cannot be transplanted into a public sector context due to the difference in the objectives and nature of the public sector in terms of its monopolistic situation and the absence of a profit imperative [14].
In fact, most studies on risk management were related to the private sector rather than the public sector [7]. Only some studies on the implementation of risk management in the public sector were carried out in the United Kingdom and other countries (i.e., Chen & Bozeman [15]; Collier & Woods [16]; Crawford & Stein [17]; Hood & Smith [7]; Woods [11]) as shown in the summary in Table 1. More research is still required on the risk management practices in the public sector, especially in the Malaysian context. To date, there are no published studies on risk management in the Malaysian public sector, as reported by Bakar and Saleh [18]. Based on the previous research, one significant issue to be addressed is policy as the critical success factor in the first stages of implementation of any system in the public sector context. The central government's policy is classified as the most powerful contingent variable other than organizational size or information and communication technology [11]. A study by Collier, Berry, and Burke [19] found that compliance with legislation was the dominant factor driving risk control systems in many organizations. From the perspective of the government department, the policy reflects the obligation to execute any instructions stated in the policy. Thus, all actions taken by the managers in the public sector should be within the scope of that policy.
This paper aimed to examine the implementation of risk management in the Malaysian public sector and make comparison with that of the United Kingdom. The financial system in Malaysian public sector is heavily influenced by the United Kingdom and other Commonwealth countries as there are similarities in the structures of the countries' administrations [20]. The comparison was made through a review of publications issued by the relevant government bodies in Malaysia and the United Kingdom that clarified the policy and guidelines for risk management practices.
Specifically, the focus of this paper is based on two issues raised by previous researchers. The first issue was the lack of suitable guidance in implementing risk management, which emphasized the development of a sustainable process instead of a one-off exercise [17]. Second, the central government policy was classified as the most powerful contingent variable in driving the strategic objectives and achieving performance targets in the public sector [11]. Thus, this paper aims to make a significant contribution to the literature by exploring the gap in the present body of knowledge about risk management in the public sector context, particularly in Malaysia. Furthermore, the studies of risk management in the Malaysian public sector have not received due attention from researchers [18]. The findings from this study will assist the government in deciding the specific policy related to systematic risk management practices in the Malaysian public sector. This paper commences by highlighting the exposition of risk management implementation in the Malaysian and United Kingdom public sector, particularly on enforced policy matters. It then summarizes the essence of the contents of the risk management policies and guidelines in the United Kingdom to examine the key aspects of its implementation. The paper then highlights the approach used in preparing these guidelines to identify the view about risk management across the government departments. The conclusion section summarizes the findings and discusses the potential for implementing risk management effectively in the Malaysian public sector.

Risk Management Implementation in the Malaysian Public Sector
In identifying the extent of risk management implementation in the Malaysian public sector, a review of past literature was conducted. Thus, the study by Bakar and Saleh [18] was significant to depict the gap in public sector accounting research in Malaysia, particularly on risk management. The review of 65 pieces of academic literature spanning 30 years from 1981 to 2010 found that no research on risk management was conducted on the public sector in Malaysia [18]. Since there was a lack of academic literature, this study attempted another approach by identifying and reviewing all the official publications issued by the government departments consisting of circulars, instructions and reports related to risk management practices.
This study's review of circulars or instructions issued by central agencies of the Federal Government of Malaysia found that there were only two related documents. The first was the Malaysian Administrative Modernization and Management Planning Unit (MAMPU) circular [21] that provided guidelines on the implementation of a systematic and effective risk assessment of the information system. The second was the instruction issued by the Prime Minister's Department in the Prime Minister's Directive No. 1 of 2009 [22], entitled 'An Initiative to Consolidate the Integrity Management System of Malaysian Government Administration', on 20 November 2009, which stated the following: All ministries, departments, and agencies should practice risk management techniques before embarking on certain projects or programs in particular those that are high-risk in order to minimize the risk while being implemented.
The latter was merely a brief statement, not followed by any further or detailed guidance on how to set up a risk management system. Moreover, this circular was superseded by the Prime Minister's Directive No. 1 of 2014, which emphasized enhancing integrity in government administration, including the matter of corruption risk [23]. These developments have not provided a clear direction on the implementation of a risk management practice in the public sector.
This raised the question of whether risk management has been implemented efficiently and effectively in the Malaysian public sector. The Auditor-General's Report [24] highlighted the issues of risk management implementation in the Royal Malaysian Customs Department (RMCD). The audit findings revealed that risk management was not widely used by RMCD. Among the weaknesses found were that the risk management framework was not sufficient; the risk management systems and procedures were neither comprehensive nor updated; insufficient personnel were trained in the latest techniques of risk management; the concept of risk management had not been fully applied; and monitoring programs for continuous improvement of the risk management framework were not prepared [24].
Based on these facts, coupled with the absence or lack of guidelines on the implementation of risk management, it can be argued that the implementation of risk management in the Malaysian Federal Government agencies is yet to be explored. This deficiency can be overcome by looking at the method of execution of risk management in other countries such as the United Kingdom for some information and a better understanding of the risk management practices in the public sector context.

Risk Management Implementation in the United Kingdom Public Sector
Among risk management developments in the public sector context, that of the United Kingdom is exemplary and should be followed by other countries. Much useful pioneering work and initiative in risk management have been undertaken progressively due to increased pressure on public sector organizations for better governance [9]. The government of the United Kingdom has decided to change its approach to risks since 1999 by introducing more rigorous methods to manage risks across government departments, as discussed below.
The starting point of risk management development in the United Kingdom public sector was the Turnbull Committee Report Internal Control: Guidance for Directors on the Combined Code in 1999 [25]. Although the guidance was not intended originally for the public sector, it was considerably relevant. The report provided a framework for reporting on the broader aspect of control and described the responsibility of the management and employees in implementing risk management. Then, the Modernizing Government White Paper published in March 1999 raised the importance of sound risk management in the public sector [26]. One aspect was to improve the way departments and agencies manage risks and encourage them to adopt more innovative approaches drawn from a range of sources from the public and private sectors [27].
The risk management agenda within the central government in the United Kingdom was initially driven in 2000 by the National Audit Office's report [11,26,28]. The report promoted improvements in risk management by identifying examples of good practices in both the public and private sectors. It was then followed by the HM Treasury guideline in 2001, which was commonly referred to as the Orange Book and updated in 2004 [28]. The guideline acts as a basic tool and technique which may be adopted by organizations to guide them in the development of risk management processes. In the same year, the initiative to implement risk management in local government started when the Audit Commission published a paper [9] as guidance on the development of formalized risk management systems.
A rigorous approach to improve risk management in the United Kingdom public sector had come from a two-year risk program set up in 2002 [27]. The government of the United Kingdom launched the risk program in November 2002 to ensure that all departments develop and implement effective risk management within two years [29]. The Risk Support Team (RST) based in the Treasury was set up to support the implementation of the risk program [28,29]. This program was concluded with significant improvements in 20 main departments in terms of well-established risk processes, good practices, stronger leadership, skilled and better-trained staff, and the ability to handle risks [29]. The National Audit Office (NAO) in the United Kingdom had published a case study report [30] which explained and provided evidence on how departments can secure the benefits of good risk management in practice: to improve efficiency, to deliver better public services, to make more reliable decisions, and to support innovation. Some of the benefits of the risk management practice secured by one of the departments in the NAO's report are shown in Table 2.
By 2000, one in five cigarettes smoked in the UK was smuggled, costing around £2.5 billion in lost tax revenue, creating serious law and order problems and undermining government health objectives.
The department identified the risk to achieve a reduction in illegally imported tobacco and invested £209 over three years to tackle the problem. The department refined its risk assessment on the basis of new intelligence analysis, which enabled it to refocus resources to disrupt smuggling and reduce its profitability by directing its interventions to supply routes, activities and ports of entry where illegal importation was most likely.
Benefit: Deliver Better Public Services
HM Customs and Excise
A series of high profile High Court trials in which prosecutions collapsed due to mistakes and omissions in procedures.
Customs and Excise created a new program of professional standard training to reduce the risk of officers making costly mistakes. The aim is to maximize the likelihood of a conviction by ensuring that when intercepting smuggled goods, customs officers follow precise legal rules and procedures.
Source. Managing Risk to Improve Public Service [30]
The responsibility for risk management within the United Kingdom public sector was undertaken by various parties such as the Cabinet Office, HM Treasury, Office of Government Commerce, and the National Audit Office [3]. Furthermore, the involvement of many independent and professional bodies such as the Audit Commission, Chartered Institute of Public Finance and Accountancy (CIPFA), and the National Forum for Risk Management in the Public Sector (ALARM) facilitated in providing guidance and support to the public organizations [3]. However, primary accountability for further improvement will rest with individual departments. The HM Treasury and other central departments have supported all departments by addressing key challenges through guidance, which are discussed in the next section.
Since 2000, the government of the United Kingdom has issued a wealth of risk management publications as guidelines to be implemented at an organizational level in the public sector (such as Audit Commission [9], Cabinet Office [27], HM Treasury [28,31], and the National Audit Office [26,29,32]). For ease of understanding, the key reports and guides are listed chronologically in Table 3. A number of these publications were examined in this paper to describe the understanding of the development of risk management in the United Kingdom. As a result, two important matters are highlighted in this paper: first, the key issues discussed in these reports and guides, and second, the approach used in preparing these guides and reports. These two matters are significant because they give more understanding of the issues of risk management practices that need to be addressed not merely based on theory or concept but also in terms of practicality.

Analysis of Guides and Reports Documents
The authors reviewed all seven documents listed in Table 3 to identify the key issues discussed and the methods used to prepare these guides and reports.

Key Issues Discussed in Guides and Reports
The issues discussed in these publications, particularly the elements needed for effective risk management, reflected the main, synthesized view of risk management across the government departments. For ease of understanding, all the key issues in these reports and guides are summarized and listed in Table 4.
a. Supporting Innovation: Managing Risk in Government Department [26]
b. Worth the Risk: Improving Risk Management in Local Government [9]
c. Risk: Improving Government's Capability to Handle Risk and Uncertainty [27]
d. Managing Risk to Improve Public Services [29]
e. The Orange Book [28]
f. Managing Risk in Government [32]
g. The Green Book [31]
The results in Table 4 show three key issues that were highlighted based on their frequency of discussion in the respective guides and reports. First, risk management should be fully embedded in management processes and applied throughout department delivery networks [9,26,27,28,29,31]. It must be fully embedded into the whole process in organizations including policy, planning and operational management. The management of risk is no longer limited to specific functions of an organization, but rather it should be part of any decision-making process [1]. These risk management activities should be embedded to ensure that staff across the organization will collaborate and co-operate to manage risks in a manner that achieves objectives [33].
Second, the top management's support and commitment are important in ensuring the effective implementation of risk management [9,26,29,31,32]. The top management sets the agenda for the organization that has an impact on the priority that management and staff give to risk management. If the management and staff believe that the top management views risk management as a key part of successful management they are more likely to commit and understand its importance to the organization [32].
Third, risk management is most effective when ownership of risks and responsibility and accountability for risks are clear [9,27,28,29,32]. People throughout the organization should be tasked with taking clear responsibility for appropriate aspects of risk management in their area. There is a strong argument that all organizations should have specific entities responsible for the risk management function [34]. The appointment of specific entities for risk management functions such as local risk champions and a Chief Risk Officer (CRO) will support the work of the risk management activities [33].

Methods Used in Preparing Guides and Reports
Of the seven documents reviewed, four mentioned the methods used to prepare these publications. These reports published by the Audit Commission [9] and National Audit Office [26,29,32] were developed and supported by case study examples, interviews, an advisory group, academic papers, focus groups, document reviews or surveys. The methods used to prepare the relevant guides and reports are shown in Table 5.
The result in Table 5 shows that most publications examined had used at least three methods to set out the best guidance, which was supported by many examples of good practices and recommendations or plans for further improvements. First, three of the examined publications [9,26,29] commissioned a short academic paper from the local university to present a synthesis of views and the current debates about risk management across government, with an analysis of the forces that shape the components and systems used to manage risks. Second, input from the advisory board consisted of experts from various backgrounds, experience, and knowledge in the public or private sector, and academicians to provide the context for how risk management is developing and to draw on lessons from beyond the United Kingdom public sector. Three examined publications [9,26,29] constituted an expert panel to provide informed comments on the scope, findings, and presentation of information in the respective report.

Guides & Reports
a. Supporting Innovation: Managing Risk in Government Department [26]
b. Worth the Risk: Improving Risk Management in Local Government [9]
c. Managing Risk to Improve Public Services [29]
d. Managing Risk in Government [32]
Third, the case study method was used in three examined publications [9,26,29] to identify the existing practices and initiatives within the public and private sectors both in the United Kingdom and elsewhere. The case study is an intensive study to explore, understand, and explain one or more specific cases of the social study unit. A case study focuses on a phenomenon, event, individual, program, activity, or process which is unique and specific. Fourth, the document review method was used to prepare two of the examined documents [29,32]. The method involved reviewing the departments' internal documents including minutes of meetings and associated agenda papers which included reported risk information such as the risk program's progress reports to the Prime Minister and the Chief Secretary to the Treasury.
The fifth method used was the focus group, designed to gather views and experiences of applying risk management from staff involved in risk management practices in the departments. Two examined publications [26,29] used the focus group approach that involved an organized discussion with a selected group of individuals to gain information about their views and experience of a topic. The sixth method was interviews, which were conducted with members of organizations as a study method to prepare three of the examined publications [26,29,32]. The interviews gathered qualitative information which gave a more in-depth understanding of the risk management activities undertaken in the department, and provided practical examples of how risk management is implemented or planned to be implemented.
Lastly, the survey method was also used to prepare three examined publications [9,26,29]. The respective bodies carried out the survey in departments, agencies and non-departmental public bodies to obtain an overview of the extent of risk management practices across organizations responsible for delivery of public services. For example, one of the surveys asked the respondents about their understanding of risk management and its importance to their performance and risk management activities [26].

Discussion
By comparing the way risk management is practiced in the Malaysian and United Kingdom public sector, it was noted that two key elements drive organizations to have risk management processes in place, namely a specific policy and effectiveness of guidelines. First, the significant influence of government policy on risk management implementation, as studied by Woods [11], had enabled a more comprehensive implementation in the public sector in the United Kingdom compared to Malaysia. The main impetus to improve risk management in the United Kingdom's public sector had come from the two-year risk program in 2002, supporting government departments in establishing the overall framework, processes and tools for managing risks. In Malaysia's context, the instruction issued by the Prime Minister's Department in 2009 to all agencies to practice risk management seemed inadequate since it was not followed by further and detailed guidance regarding the method or procedure for implementing risk management. From another perspective, although the policy considers the practice of risk management a compliance activity, it is the critical success factor in the first stages of implementation in the public sector context. Even so, risk management begins as a compliance activity but becomes more sophisticated, and its value improves through improved performance [7]. Any shortcomings inherent in the early stages will be remedied through guidelines issued from time to time.
Second, the guides and reports reviewed in this paper provided valuable inputs about how risk management specifically needs to be implemented in the public sector context. Even though there were many guides and reports issued by different government bodies in the United Kingdom, all these reviewed publications were intended to complement and not replace existing guidance. In the earlier stages, much of the guidance revolved around the application of a risk management process which enabled organizations to identify, assess and control risk. It also looked at the elements of a good risk management system, and examined why risk management is currently of crucial importance. Then, the content focused on revisited approaches to risk management to understand the challenges that organizations faced in making the most effective use of their risk management and the areas that departments needed to address to take risk management forward.
The effectiveness of guides and reports published by the United Kingdom government bodies was reflected in the similarities of the key issues addressed in respective publications. In fact, all the key issues highlighted were inputs from the study conducted by using various methods to make it the best guidance and relevant to the public sector context. The method used in preparing these guides and reports enabled the generation of a synthesis content that reflected the current views from those involved in risk management at the organizational level. Case studies, interviews, surveys, and focus groups supported by input from the advisory board were tailored to meet the needs of the public from an organizational perspective. The key issues that involved the elements needed for effective risk management as discussed above should be taken seriously. In this way the risk management strategy of the organization will be led from the top, ensuring clear responsibility and fully embedding risk management into business processes.

Conclusion
This paper suggests that the Malaysian government adopt a more formal and structured approach to risk management in the central government, followed by a look at risk management in the local government. Moreover, these findings will encourage policy makers to formulate sound risk management practices in the Malaysian public sector. A risk improvement program could be rolled out in the government bodies by incorporating the best practices from the private sector and benchmarks from a variety of public sector organizations around the world, such as the United Kingdom. Then, more guides and reports supported by academic literature should be published to contribute to the development of risk management in the Malaysian public sector. The relevant guides and reports should be prepared by adopting the various methods and taking into account the key issues based on the United Kingdom's experience.