DOI: 10.17573/ipar.2017.2.03 1.01 Original scientific article A Review of Risk Management Planning and Reporting in South Africa's Public Institutions Tankiso Moloi University of Johannesburg, Department of Accountancy; Johannesburg, Republic of South Africa tankisomoloi@webmail.co.za ABSTRACT This exploratory work attempts to review the risk management planning and reporting practices applied in South Africa's public institutions by defining variables that were deemed indicators of risk management planning and reporting practices, namely: the timing of the institutions' strategic and combined assurance planning, documentation and active management of risks appearing in strategic risk registers and operational risk registers and the availability of risk management software (including its nature and usefulness). The results point to the fact that there is confusion regarding the timing of both strategic and combined assurance planning sessions. Some institutions conduct these in the preceding year, whereas others appear to be conducting these during the year of implementation. Results further suggest that the practice of implementing combined assurance has not yet been embedded in the majority of public institutions, pointing to uncoordinated assurance activities that could lead to 'assurance fatigue'. Results further point to the fact that there are still public institutions that are unable to prepare the strategic and operational risk registers. This raises the question of how these risks are managed if they have not been measured and documented. Keywords: enterprise risk management, risk planning, risk reporting, public institutions JEL: M4 1 Introduction According to Berg (2010), in recent years there has been significant growth in the area of risk management. As such, risk management is now being 'implemented in many large as well as small and medium sized industries'. Berg (2010) continues by highlighting the fact that the implementation of risk management has also extended to 'governmental organisations, research institutes and hospitals which are all now introducing risk management to some extent'. Moloi, T. (2017). A review of risk management planning and reporting in South 79 Africa's public institutions. International Public Administration Review, 15(2), 79-92. Tankiso Moloi Ennouri (2013) suggests that the significant growth in risk management has largely been driven by events such as 'violent incidents, health crises and natural disasters' that have severely affected the industry. In this regard, Ennouri (2013) cites incidents such as the Japanese earthquake and Tsunami, the semi-conductor plant fire that caused Ericson to lose millions of Euros, the loss of the DRAM order by Apple as well as the explosion at the Texas City Refinery that is owned by the British Petroleum Company, After reviewing recent advances in risk management, Aven (2016) indicates that 'risk assessment and risk management are established as a scientific field and provide important contributions in supporting decision-making in practice'. The idea that risk management provides an important contribution in supporting decision making is also underscored in the King IV Report on Corporate Governance for South Africa (loD, 2016). In underscoring the fact that risk should be an integral part of decision making and the execution of duties, principle 11 of the King IV Report on Corporate Governance for South Africa (IoD, 2016) emphasises that the 'governing body should govern risk in a way that supports the organisation in setting and achieving its strategic objectives' (IoD, 2016). There is consistency between Berg's (2010) observation that risk management has also extended to 'governmental organisations, research institutes and hospitals which are all now introducing risk management to some extent' and the recent developments in the South African public space on the subject of risk. In 2010, the South African government introduced the Public Sector Risk Management Framework (PSRMF) to make risk management an integral part of financial management. Accordingly, the main aim of the PSRMF is 'to assist accounting officers to maintain an efficient and effective system of internal controls in public service institutions through the process of identifying, assessing and managing risks' (National Treasury, 2010). It observed that the South African case is comparable to that of the United Kingdom (UK). In the case of the UK, Palermo (2014) argued that development of a risk management agenda has been fostered by central government guidance. To support this argument, Palermo (2014) points to guides on risk management such as those issued by NAO (2000), the Audit Commission (2001) and the HM Treasury (2004) as cases in point. Having emphasised the comparability, it would seem that public institutions in South Africa have not been able to maintain efficient and effective internal controls as envisaged by the PSRFM. This contention is a continuous theme in the Auditor General of South Africa reports where, on an on-going basis, it is consistently highlighted that the majority of South Africa's public institutions fail to maintain efficient and effective systems of internal controls. The reports from the Auditor General of South Africa point to the inability of the majority of these institutions to gain control over irregular expenditure, fruitless and 80 International Public Administration Review, Vol. 15, No. 2/2017 A Review of Risk Management Planning and Reporting in South Africa's Public Institutions wasteful expenditure and unauthorised expenditure (Auditor General South Africa (AGSA), 2013, 2014a, 2014b, 2015a, 2015b, 2016). In light of the developments in the South African public institutions space, it was deemed an opportune time to review the risk management planning and reporting practices applied in South Africa's public institutions. To achieve this objective, the paper defined five variables that were deemed indicators of risk management planning and reporting practices, namely: the timing of the institutions' strategic and combined assurance planning, the documentation and active management of risks appearing in strategic risk registers and operational risk registers and the availability of risk management software (including its nature and usefulness). The main limitation of this paper is that it focused only on South African public institutions, namely: the National Government Departments (NGDs), Provincial Government Departments (PGDs), Municipalities (local government) and Public Entities. Furthermore, another limitation of this study was that the focus was on one of the assurance providers, which is the risk management unit. Finally, only one hundred public institutions responded to the questionnaire. The results should be interpreted in this context. This paper's contribution relates to the fact that until now the risk management discipline, particularly in South Africa's public institutions, has not yet been widely studied in the literature. This paper is demarcated as follows: Section 2 briefly outlines a review of the related literature. This is followed by the research process in Section 3. In Section 4, the obtained results are presented and interpreted. Section 5 then provides conclusions and recommendations. 2 Brief Overview of Related Literature Academic literature in regard to risk management, particularly in the public sector, is scarce; this is particularly the case in the South African context. From analysing the existing South African literature on risk management in the public sector, it was found that it has largely confined itself to analysing existing data, i.e. secondary data. Academic literature on risk management in South Africa has primarily focused on answering questions regarding risk management processes and systems by analysing integrated/ annual reports as well as institutional websites (see amongst others Coetzee & Lubbe, 2013; Vergotine, 2012; Moloi, 2016a, 2016b; Siswana, 2007). It is argued here that this has had the effect of discounting the element of people. In essence, the weaknesses in the internal controls process, as highlighted in the Auditor General of South Africa's reports, have not necessarily been investigated and explored using data that has been directly extracted from a primary source, i.e. those that are directly involved in the process of risk management on a day-to-day basis in public institutions. Mednarodna revija za javno upravo, letnik 15, št. 2/2017 81 Tankiso Moloi Contrary to the South African case, in the international setting, academic literature on risk management in the public sector has been on the rise. In this regard, the literature has focused on both secondary and primary datasets. In essence, the literature has focused on people, systems and processes (see amongst others Domokos, Nyéki, Jakovác, Németh, & Hatvani, 2015; Braig, Gebre, & Sellgren, 2011; Palermo, 2014; Asenova, Bailey, & McCann, 2014; Leung, 2008; Lawlor, 2002; Smith & McCloskey, 1998; Baldry, 1998; Vincent, 1996). The brief review of international literature presented above shows that three angles have been explored in regard to risk management, namely; people, processes and systems. As such, conclusions from this literature regarding the weaknesses of a risk management programme are not connected only to the processes and systems. It is also recognised that people can cause the processes and systems to malfunction. Furthermore, the international literature has examined a variety of data, including primary and secondary data, in order to understand and provide a considered view in regard to risk management. 3 Research Process The main objective of this paper was stated earlier as follows: to review the risk management and reporting practices applied in South Africa's public institutions. To achieve this objective, the paper defined five variables that were deemed indicators of risk management planning and reporting practices, namely: the timing of the institutions' strategic and combined assurance planning, documentation and active management of risks appearing in strategic risk registers and operational risk registers and the availability of risk management software (including its nature and usefulness). As such, a questionnaire covering these variables was developed and inserted into a broader questionnaire that was sent to the public institutions (CROs). This paper reports on responses relating to the risk management planning and reporting practices applied in South Africa's public institutions. The detailed questionnaire, which included a section on risk management planning and reporting practices applied in South Africa's public institutions, was administered through emails via the Office of the Accountant General to National and Provincial Government Departments, Public Entities and Municipalities (Government Institutions). To supplement the data collection process, the Office of the Accountant General distributed the questionnaire for completion at the Chief Risk Officers Forum, which takes place biannually (i.e. Twice per annum for National and Provincial Government Departments and twice per annum for Public Entities). One hundred (100) responses were received through this process, as follows; twelve (12) responses from National Government Departments (NGDs), 80 International Public Administration Review, Vol. 15, No. 2/2017 A Review of Risk Management Planning and Reporting in South Africa's Public Institutions forty two (42) responses from Public Entities, thirty (30) responses from Provincial Government Departments (PGDs) and sixteen responses from (16) Municipalities. 4 Research Findings and Interpretation This Section now presents and discusses the obtained results. Subsection 4.1 to Subsection 4.7 as well as Table 1 to Table 7 present and discuss the findings on strategic planning, combined assurance planning, strategic and operational risk registers, availability and type of risk management as well as the perceived usefulness of risk management software. 4.1 Findings on Strategic Planning Respondents were asked to indicate the timing of their strategic planning. Table 1 below shows the obtained results. Eighteen (18) surveyed institutions indicated that they conduct their strategic planning in the fourth quarter of the year, fourteen (14) indicated that they conduct their strategic planning in the third quarter of the year, twelve (12) indicated that they conduct their strategic planning in the second quarter of the year and eleven (11) institutions indicated that they conduct their strategic planning in the first quarter of the year. It can be assumed that those conducting strategic planning in the third and fourth quarter of the year are conducting/ reviewing the strategy for the following year. It is concerning that there are some institutions that carry out strategic planning sessions during the year of implementation, i.e. those conducting their planning in the first and second quarter of the year. Table 1. Strategic planning Timing of strategic planning Timing National government departments Public entities Provincial departments Municipalities Total First quarter 1 4 5 1 11 Second quarter 1 3 1 7 12 Third quarter 2 7 4 1 14 Fourth quarter 5 5 6 2 18 Other 1 1 5 3 10 4.2 Findings on Combined Assurance Planning Respondents were asked to state the timing of their combined assurance planning. Ideally, when the risk planning process is approved, the combined assurance process should also be approved. Approving all assurance processes Mednarodna revija za javno upravo, letnik 15, št. 2/2017 81 Tankiso Moloi would aid the institution through coordination of assurance activities, i.e. assurance providers within the institution would be aware of what other assurance providers are engaged with. It could also assist with avoidance of 'assurance fatigue', The results presented in Table 2 below indicate that the majority of the surveyed institutions seem to be unsure as to when the combined assurance planning process takes place. This is apparent in their responses, as the majority of them did not indicate the quarter. It could be that the combined assurance process has not yet been embedded in the surveyed institutions' processes. Table 2. Combined assurance planning Timing of combined assurance planning Timing National government departments Public entities Provincial departments Municipalities Total First quarter 1 2 3 0 6 Second quarter 0 6 3 3 12 Third quarter 1 1 0 1 3 Fourth quarter 1 0 1 0 2 Other 0 5 8 4 17 4.3 Findings on Strategic Risk Registers Following a strategic risk assessment that would identify all strategic risks, institutions are expected to document all of those strategic risks and actively manage these so as to improve their chance of achieving their stated objectives. Table 3 below presents the results related to the strategic risk register. The obtained results indicate that the majority of surveyed institutions do have strategic risk registers in place. Two (2) Municipalities and one Public Entity indicated that they did not have strategic risk registers. In this regard, it can be assumed that those institutions have not conducted strategic risk assessments. The lack of strategic risk registers may result in failure to achieve their objectives, as they may not have gone through a rigorous process of identifying potential threats to their strategy. 80 International Public Administration Review, Vol. 15, No. 2/2017 A Review of Risk Management Planning and Reporting in South Africa's Public Institutions Table 3. Strategic risk registers Strategic Risk Register Option National government departments Public entities Provincial departments Municipalities Total Yes 12 41 29 14 96 No 0 1 0 2 3 4.4 Findings on Operational Risk Registers In a similar manner to strategic risk registers, it is argued here that failure to prevent operational risks from occurring will lead to an inability to achieve strategic milestones. Table 4 shows that the majority of surveyed institutions do have operational risk registers in place. Seven institutions indicated that they did not have operational risk registers, i.e. four (4) Public Entities and three (3) PGDs. Table 4. Operational risk registers t s s s ie Operational Risi Registers Option National governme departmen Public entities Provincial departmen al o. ici ni u M Total Yes 12 38 26 16 92 No 0 4 3 0 7 4.5 Findings on Risk Management Software Risk management is a tedious process that involves a significant amount of information. As such, most institutions invest in risk management software that aids risk professionals in capturing, analysing and aggregating risk information. In this regard, respondents were asked to indicate whether their institution has invested in risk management software. The results presented in Table 5 below indicate that the majority of surveyed institutions do not have risk management software. Of the surveyed institutions, thirty four (34) indicated that they had risk management software, Mednarodna revija za javno upravo, letnik 15, št. 2/2017 81 Tankiso Moloi Table 5. Risk management software Risk management tool (Risk computer software) Option National government departments Public entities Provincial departments Municipalities Total Yes 4 18 8 4 34 No 8 24 21 12 65 4.6 Findings on Type of Risk Management Software In conjunction with Table 5, respondents were also asked to indicate the type of risk management software that they have deployed in their risk management process. Table 6 below indicates that the surveyed institutions utilise a range of software, including Barn owl (twelve institutions), Cura (eleven institutions) and Excel (six institutions), Table 6. Type of risk management software Name of software tool Type National government departments Public entities Provincial departments Municipalities Total Barn owl 2 3 6 1 12 Cura 1 9 1 0 11 Excel 1 3 2 0 6 Other 0 4 1 2 7 4.7 Findings Regarding CROs' Perception on the Value of Risk Management Software For those institutions that had indicated that they had deployed risk management software, CROs were requested to indicate whether or not the risk management software that has been procured adds value in their risk management process. In this regard, forty two (42) CROs indicated that that the procured risk management software enabled them to do risk management better. Nineteen (19) CROs indicated that there was no value in the procured risk management software, The fact that a significant number of CROs indicated that there was no value derived from the procured risk management software points to the weaknesses regarding the involvement of a specialist in the procurement of tools that they apply, During the procurement process, risk specialists should examine the tools presented by service providers to determine whether or not these meet the needs. 80 International Public Administration Review, Vol. 15, No. 2/2017 A Review of Risk Management Planning and Reporting in South Africa's Public Institutions The discussions above centred around interpretation of the responses obtained. To give context to these results, the paper postulated reasons why certain practices had not been adhered to or applied. The following Section draws conclusions and offers recommendations, Table 7. Value in risk management software In the CRO's experience, does the risk management tool add value (does it enable the Option National government departments State-owned entities Provincial departments Municipalities Total CRO to do risk management better)? Yes 6 20 9 7 42 No 1 6 8 4 19 5 Conclusion This paper attempted to review the risk management planning and reporting practices applied in South Africa's public institutions. Five variables were utilised as indicators of risk management planning and reporting practices, namely; the timing of the institutions' strategic and combined assurance planning, documentation and active management of risks appearing in strategic risk registers and operational risk registers and the availability of risk management software (including its nature and usefulness), There appears to be confusion regarding the timing of both strategic and combined assurance planning sessions. Some institutions conduct these in the preceding year, whereas others appear to be conducting these during the year of implementation. With regard to combined assurance planning, the results suggest that the practice of implementing combined assurance planning has not yet been embedded in the surveyed institutions' processes. It is recommended that the institutions embed this process, as it can aid with the coordination of assurance activities, i.e. assurance providers within the institution will be aware of what other assurance providers are engaged with, and thus assist with the avoidance of 'assurance fatigue'. With regard to the strategic and operational risk registers, the majority of respondents indicated that they had these in place. Regarding those institutions that have not prepared and do not actively manage risks through strategic and operational risk registers, there is concern that those institutions may fail to achieve their objectives, as they may not have gone through a rigorous process of identifying potential threats to their strategy. A follow up review by the National Treasury could be undertaken with the CROs of these institutions to determine the reasons for their inability to prepare their strategic and operational risk registers. Mednarodna revija za javno upravo, letnik 15, št. 2/2017 81 Tankiso Moloi With regard to the risk software applied by public service institutions, the results indicated that the majority of the surveyed institutions did not have risk management software. This paper argued that the process of collecting and analysing risk management information is tedious and also involves a significant amount of information. For risk professionals to produce credible risk information that is useful, these institutions would have to invest in risk management software to aid risk professionals in capturing, analysing and aggregating risk information. Regarding those institutions that had procured and deployed risk management software, it was observed that there was a range of software in deployment, including Barn owl (twelve institutions), Cura (eleven institutions) and Excel (six institutions). It is concerning that a significant number of public institution CROs indicated that there was no value derived from the procured risk management system. This affirmation points to the weaknesses regarding the involvement of a specialist in the procurement of tools that they apply. This paper recommends that during the procurement process risk specialists should be given an opportunity to examine the tools presented by service providers in order to determine whether or not these meet the needs. Tankiso Moloi, PhD, is a professor in the Department of Accountancy at the University of Johannesburg. He has written and reviewed several articles on corporate governance and risk management in South Africa. 80 International Public Administration Review, Vol. 15, No. 2/2017 A Review of Risk Management Planning and Reporting in South Africa's Public Institutions References Auditor General South Africa (AGSA). (2016) National and provincial audit outcomes, PFMA 2015/16. Republic of South Africa, Pretoria. Auditor General South Africa (AGSA). (2015a) National and provincial audit outcomes, PFMA 2014/15. Republic of South Africa, Pretoria. Auditor General South Africa (AGSA). (2015b) Local government audit outcomes, MFMA 2014/15. Republic of South Africa, Pretoria. Auditor General South Africa (AGSA). (2014a) National and provincial audit outcomes, PFMA 2013/14. Republic of South Africa, Pretoria. Auditor General South Africa (AGSA). (2014b) Local government audit outcomes, MFMA 2013/14. Republic of South Africa, Pretoria. Auditor General South Africa (AGSA). (2013) Local government audit outcomes, MFMA 2012/13. Republic of South Africa, Pretoria. Audit Commission. (2001). Worth the risk: Improving risk management in local government. London: Audit Commission. Asenova, D., Bailey, S., & McCann, C. (2014). Public sector risk managers and spending cuts: mitigating risks. Journal of Risk Research, 18(5), 552-565. doi: 10.1080/13669877.2014.910683 Aven, T. (2016). Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1), 1-13. doi: 10.1016/j.ejor.2015.12.023 Baldry, D. (1998). The evaluation of risk management in public sector capital projects. International Journal of Project Management, 16(1), 35-41. doi: 10.1016/S0263-7863(97)00015-X Berg, H. P. (2010). Risk management: Procedures, methods and experiences. RT&A, 2(17), 79-95. Braig, S., Gebre, B., & Sellgren, A. (2011). Strengthening risk management in the US public sector. McKinsey & Company. Coetzee, G. P., & Lubbe, D. (2013). The risk maturity of South African private and public sector organisations. Southern African Journal of Accountability and Auditing Research, 14(1), 45-56. Domokos, L., Nyéki, M., Jakovác, K., Németh, E., & Hatvani, C. (2015). Risk analysis and risk management in the public sector and in public auditing. Public Finance Quarterly, 2015(1), 7-28. Ennouri, W. (2013). Risk management: New literature review. Polish Journal of Management Studies, 8(1), 288-297. HM Treasury. (2004). Management of risk: Principles and concepts. London: HM Treasury. Institute of Directors (loD). (2016). King IV Report of corporate governance for South Africa. Johannesburg: Institute of Directors for Southern Africa. Lawlor, T. (2002). Public sector risk management: A specific model. Administration and Policy in Mental Health and Mental Health Services Research, 29(6), 443-460. doi: 10.1023/A:1020708409422 Leung F., & Isaacs, F. (2008). Risk management in public sector research: approach and lessons learned at a national research organization. R & R Management, 38(5), 510-519. Mednarodna revija za javno upravo, letnik 15, št. 2/2017 81 Tankiso Moloi Moloi, T. (2016a). Key mechanisms of risk management in South Africa's national government departments: The Public Sector Risk Management Framework and the King III benchmark. International Public Administration Review, 74(2-3), 37-52. doi: 10.17573/ipar.2016.2-3.02 Moloi, T. (2016b). Risk management practices in the South African public service. African Journal of Business and Economic Research, 7 7(1), 17-43. National Treasury. (2010). Public Sector Risk Management Framework. Pretoria, Republic of South Africa. NAO. (2000). Supporting innovation - Managing risk in government departments. London: National Audit Office. Palermo, T. (2014). Accountability and expertise in public sector risk management: a case study. Financial Accountability & Management, 30(3), 322-341. doi: 10.1111/faam.12039 Siswana, B. (2007). Leadership and governance in the South African public service: An overview of the public finance management system (PhD thesis). Pretoria: University of Pretoria. Smith, D., & McCloskey, J. (1998). Risk and crisis management in the public sector: Risk communication and the social amplification of public sector risk. Public and Money Management, 78(4), 41-50. doi: 10.1111/1467-9302.00140 Vergotine, H. W. (2012). The construction and evaluation of an enterprise risk management instrument for state owned enterprises (PhD Thesis). University of Johannesburg. Vincent, J. (1996). Managing risk in public services: A review of the international literature. International Journal of Public Sector Management, 9(2), 57-64. doi: 10.1108/09513559610119564 80 International Public Administration Review, Vol. 15, No. 2/2017 A Review of Risk Management Planning and Reporting in South Africa's Public Institutions POVZETEK 1.01 Izvirni znanstveni članek Pregled načrtovanja in poročanja o obvladovanju tveganj v javnih institucijah Južne Afrike V preteklih letih se je povečala uporaba discipline obvladovanja tveganja, Javne ustanove pri tem ne zaostajajo, na primer Berg (2010) ugotavlja, da se je obvladovanje tveganja razširilo na »vladne organizacije, raziskovalne inštitute in bolnišnice, ki sedaj do določene mere uvajajo obvladovanje tveganja«, Južna Afrika sledi svojim mednarodnim partnerjem, V zvezi s tem je vlada Južne Afrike preko Državne zakladnice uvedla Okvir za upravljanje tveganj v javnem sektorju (PSRMF), s katerim je obvladovanje tveganj postalo sestavni del finančnega upravljanja, Treba je omeniti, da je Zakladnica PSRMF uvedla v letu, v katerem Berg (2010) ugotavlja, da se je upravljanje tveganja razširilo na »vladne organizacije, raziskovalne inštitute in bolnišnice«, Ko je bil PSRMF uveden, je bilo navedeno, da bo v postopku prepoznavanja, ocenjevanja in upravljanja tveganj pomagal računovodjem pri ohranjanju učinkovitega in uspešnega sistema internega nadzora v institucijah javnih služb, S to drzno trditvijo je bilo pričakovano, da se bo sistem notranjega nadzora izboljšal, V trenutnem stanju se zdi, da javne institucije v Južni Afriki niso uspele vzdrževati učinkovitega in uspešnega notranjega nadzora, ki ga je predvidel PSRFM, Ta trditev je ponavljajoča se tema v poročilih generalnega revizorja Južne Afrike, ki nenehno poudarja, da večina javnih institucij Južne Afrike ne zmore ohranjati učinkovitega in uspešnega sistema notranjega nadzora, To raziskovalno delo je bilo namenjeno pregledovanju praks načrtovanja in poročanja o upravljanju tveganj, ki so v uporabi v javnih institucijah v Južni Afriki, z opredelitvijo petih spremenljivk, ki so se štele kot približek načrtovanja in poročanja o upravljanju tveganja, in sicer: časovni razpored načrtovanja strateških in kombiniranih zagotovil institucij, dokumentacija in aktivno upravljanje tveganj, ki se pojavljajo v registrih strateških tveganj in registrih operativnih tveganj, ter razpoložljivost programske opreme upravljanja tveganj (vključno z njeno naravo in koristnostjo), Glavna omejitev tega dela je, da se osredotoča na javne inštitucije Južne Afrike, in sicer na; državne vladne oddelke (NGD-je), deželne vladne oddelke (PGD-je), občine (lokalno vlado) in javne subjekte, Poleg tega je dodatna omejitev te študije, da se osredotoča na enega od ponudnikov zagotovil, torej na enoto za obvladovanje tveganj, Kot zadnje je na vprašalnik odgovorilo sto javnih institucij, Rezultate je torej treba razlagati v tem kontekstu, Mednarodna revija za javno upravo, letnik 15, št. 2/2017 91 Tankiso Moloi Pridobljeni rezultati kažejo na dejstvo, da obstaja zmeda glede časovnega načrta tako strateških kot tudi kombiniranih zagotovil. Nekatere institucije so to uvedle v preteklem letu, za nekatere pa se zdi, da to uvajajo v letu izvedbe. Rezultati tudi kažejo, da praksa izvajanja kombiniranih zagotovil še ni bila vključena v večino vladnih institucij, kar kaže na neusklajene dejavnosti zagotavljanja, ki bi lahko pripeljale do »utrujenosti zagotovil«. Rezultati tudi kažejo na dejstvo, da še obstajajo javne ustanove, ki še zmerajne morejo pripraviti registrov strateških in operativnih tveganj. To postavlja vprašanje, kako se ta tveganja upravljajo, če niso bila izmerjena in dokumentirana, 80 International Public Administration Review, Vol. 15, No. 2/2017