Performance of the institutions in the public sector has always been among the main drivers that determine how the country is ultimately perceived by its citizens and the world, it is the policies and regulations established by these institutions that governs the private sector. The objectives of these public institutions can only be achieved through well formulated, well implemented and a continuous review of the strategies being pursued to achieve the stated objectives. At the core of setting strategies is Enterprise Risk Management (ERM), being an organisational procedure enabling the identification, assessment and action plans for the organisational risks linking to the achievement of objectives. The action plans formulated through the ERM should translate into strategic objectives mainly in the public sector where resources are chronically limited. Even with good intentions, government may spend badly because it has either chosen the wrong projects to fund or planned badly for good projects if the strategies are not continually and systematically reviewed.
The objective of this research was to gain an understanding of how risk management is conducted at an enterprise-wide level within public sector institutions to ensure that the institution complies with all the relevant requirements within its ambit. It was a qualitative study that was conducted using a case study methodology wherein a public sector institution was identified and the executives involved in the risk management were interviewed individually. Semi-structured interviews were conducted and the results were analysed through the themes that were identified.
The study identified that more understanding is required by public sector organisations to be able to realise the benefits of ERM. A clear distinction of what the objectives of the institution are, the related strategies, strategic objectives and risks to the strategic objectives, need to be made clear. The use of risk registers at different levels of the organisation is a tool to draw the relevant risks from deep in operations to a strategic level and this has to be understood at all levels. More importantly the correct action plans in reaction to identified risks can greatly turn risks into opportunities but this is not currently the case as risk registers are still not well implemented and utilized. Risk identification should not be a brainstorming session when the strategy is created but a continuous well operated system within operations throughout the period. The risk culture, roles and relevant systems are still lacking in public institutions.