Risk management in the public sector: challenges in its adoption by Brazilian federal universities

Araújo, Artur; Gomes, Anailson Marcio

doi:10.1590/1808-057x202112300

ABSTRACT

The aim of this study was to analyze the perception of the members of the risk committees of federal universities in Brazil regarding the challenges in the adoption of risk management in those institutions. Currently, federal universities are obliged by law to manage their risks. This is a recent process that presents them with considerable challenges, which have scarcely been explored. Studying the challenges in adopting risk management enables federal universities to gradually improve their overall management, with the aim of adopting the process in the best way possible. This study contributes to the professional and academic areas by proposing a set of actions within the operational context of the universities to improve the maturity level of the risk management of those institutions. The procedure adopted was a survey covering 68 federal universities in operation in 2019. The quantitative study was based on a questionnaire sent to the public servants on their governance, risk, and control committees, which had a 73% response rate. The data were analyzed using descriptive statistics and position and dispersion measures. Perception was analyzed regarding the challenges arising from the adoption of risk management, in which a lack of process mapping, the need for staff engagement and training, the emergence of divergences concerning the treatment of risk, and excess demands on staff were highlighted. The evidence indicated that risk management can guarantee and facilitate compliance with laws, regulations, norms, and standards, as well as the identification of external scenarios that can influence the occurrence of events that negatively impact not only the universities but the whole community.

Keywords:
risk management; public sector; internal controls; university

RESUMO

O objetivo deste trabalho foi analisar a percepção dos membros dos comitês de riscos das universidades federais do Brasil quanto aos desafios na adoção da gestão de riscos nessas instituições. Atualmente, as universidades federais estão obrigadas por lei a gerir seus riscos, sendo esse um processo recente que as coloca diante de um desafio ainda pouco explorado. O estudo dos desafios para a adoção da gestão de riscos permite às universidades federais o aprimoramento gradual da gestão como um todo, visando adotar o processo da melhor maneira possível. Este estudo contribui para os meios profissional e acadêmico ao propor um conjunto de ações inseridas no contexto operacional das universidades para melhorar o grau de maturidade da gestão de riscos dessas instituições. O procedimento adotado foi o levantamento (survey) com as 68 universidades federais existentes em 2019. O estudo quantitativo foi baseado em um questionário enviado aos servidores pertencentes aos comitês de governança, riscos e controles, com taxa de resposta de 73%. Os dados foram analisados, utilizando-se estatística descritiva e medidas de posição e de dispersão. Analisou-se a percepção quanto aos desafios decorrentes da adoção da gestão de riscos, na qual se destacaram a falta de mapeamento de processos, a necessidade de engajamento e de capacitação dos servidores, o surgimento de divergências em torno do tratamento do risco e o excesso de demandas dos servidores. As evidências indicaram que a gestão de riscos pode garantir e facilitar desde o cumprimento de leis, regulamentos, normas e padrões até a identificação de cenários externos que podem influenciar a concretização de eventos que impactam negativamente não só as universidades, mas toda a comunidade.

Palavras-chave:
gestão de riscos; setor público; controles internos; universidade

1. INTRODUCTION

The complexity and scope currently faced by the new public administration can encompass the private as well as the third sector. This relationship is marked by intense interaction processes and bureaucratic mediations, revealing the need to continue efforts to redefine and implement innovative policies in order to strengthen management in the public sector (Matias-Pereira, 2009Matias-Pereira, A. (2009). Manual de gestão pública contemporânea (2a ed.). Atlas.).

Within this context, a race has begun to preserve the integrity and reputation of public organizations, to follow good practices established by their governance, to align them with the various laws, and to identify the various risks that can compromise the achievement of organizational objectives (Trivelato et al., 2018Trivelato, B. F., Mendes, D. P., & Dias, M. A. (2018). A importância do gerenciamento de riscos nas organizações contemporâneas. Revista FATEC Zona Sul, 4(2), 1-20. https://www.revistarefas.com.br/index.php/RevFATECZS/article/view/147
https://www.revistarefas.com.br/index.ph... ). Changes and vulnerability to internal and external factors constantly challenge these organizations, requiring decisions, actions, and the formulation and use of strategies related to their processes and management model.

Effective risk management reduces the probability and severity of undesirable events in the public administration, which implies, according to Hill and Dinsdale (2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.), predicting future risks and knowing how to deal with them proactively (proactive rather than reactive management). As in private organizations, public organizations are subject to fraud, embezzlement, corruption, and the inefficient allocation of public resources. However, according to Grateron (1999Grateron, I. R. (1999). Auditoria de gestão: utilização de indicadores de gestão no setor público. Fundação Instituto de Pesquisas Contábeis, Atuariais e Financeiras.), the public sector has an obligation to satisfy a wide range of social needs, thus requiring rigorous management of limited public resources, with the aim of meeting its social obligations.

For Cooper (2012Cooper, T. (2012). Exploring strategic risk in communities: evidence from a Canadian province. Journal of Enterprising Communities: People and Places in the Global Economy, 6(4), 350-368. https://doi.org/10.1108/17506201211272788
https://doi.org/10.1108/1750620121127278... ), it is an interesting time to study risk management in the public sector and the community. From the perspective of regional political development, public sector organizations will face substantial strategic risks in the coming years, due to a series of questions, including significant demographic changes (implications of the aging population), urbanization, economic recessions, as well as advances in technology and communication. Specific risks that can further impact the traditional economic and social objectives of communities emerge.

In this sense, public universities lie within the scope of the services provided by the State. Power et al. (2009Power, M., Scheytt, T., Soin, K., & Sahlin, K. (2009). Reputational risk as a logic of organizing in late modernity. Organization Studies, 30(2), 301-324. http://dx.doi.org/10.1177/0170840608101482
http://dx.doi.org/10.1177/01708406081014... ) verified how risk management can change organizational and management control practices in higher education in the United Kingdom, through the intermediation of public supervisory agencies. In the higher education sector in the United Kingdom, the Higher Education Funding Council for England (HEFCE) and, more recently, the Quality Assurance Agency for Higher Education (QAA), have used risk-based regulations as a form of control over university governance and internal controls. Since 2002, the HEFCE has set prescriptive guidelines for universities in the United Kingdom, requiring them to design risk management systems. The universities now have high-level risk and auditing committees and monitoring and control systems that provide supervision over the risk management process (Power et al., 2009Power, M., Scheytt, T., Soin, K., & Sahlin, K. (2009). Reputational risk as a logic of organizing in late modernity. Organization Studies, 30(2), 301-324. http://dx.doi.org/10.1177/0170840608101482
http://dx.doi.org/10.1177/01708406081014... ).

In the case of Brazil, the actions of supervisory bodies, such as the Comptroller General’s Office (CGU) and the Federal Court of Auditors (TCU), are gradually creating the conditions for this scenario to also take place in federal universities. One example is the enactment of Joint Normative Ruling n. 1/2016Joint Normative Instruction n. 1, of May 10 of 2016. Establishes organizational and presentational norms for management reports and complementary items that will constitute the accounts processes of the federal public administration, for the judgement of the Federal Court of Auditors, in the terms of art. 7 of Act n. 8,443, of 1992. http://www.planalto.gov.br/ccivil_03/_ato2007-2010/2007/lei/l11638.htm
http://www.planalto.gov.br/ccivil_03/_at... , elaborated by the CGU and by the Ministry of Planning, which discusses the establishment of the Policy for Integrity, Risk, and Internal Controls Management in the federal administration. Moreover, since 2010 the TCU has required the annual management reports of public organizations to provide information on the internal controls structure of their units as well as information on risk management, via Normative Decision n. 107/2010Normative Decision n. 107, of October 27 of 2010. Discusses the jurisdictional units whose responsible parties should present a management report relating to the 2010 financial year, specifying the organization, form, contents, and presentation deadlines, in the terms of art. 3 of TCU Normative Instruction n. 63, of September 1st of 2010. http://www.tcu.gov.br/Consultas/Juris/Docs/judoc/DN/20101029/DNT2010-107.doc
http://www.tcu.gov.br/Consultas/Juris/Do... . The Ministry of Education (MEC) also recently enacted MEC Ordinance n. 234/2018Ordinance n. 234, of March 15 of 2018. Discusses the Risk and Controls Management Policy of the MEC. http://www.in.gov.br/materia/-/asset_publisher/Kujrw0TZC2Mb/content/id/6848798/do1-2018-03-16-portaria-n-234-de-15-de-marco-de-2018-6848794
http://www.in.gov.br/materia/-/asset_pub... , which provides technical recommendations for observing the best practices for risk management. The aim of this study is to analyze the perception of the members of the risk committees in federal universities in Brazil regarding the challenges in the adoption of risk management in those institutions.

Within that context, this study aims to contribute to the academia, as well as providing the public sector with an additional view on the analysis of risk management in federal universities in Brazil. These are public institutions with their own characteristics and relevance that, in providing research and higher education services to society, face specific risks, requiring an adequate risk control system to achieve their objectives as teaching institutions. The study also seeks to contribute by highlighting challenges that may compromise the adoption of risk management in the universities analyzed, which can guarantee and facilitate compliance with laws, regulations, norms, and standards, as well as the identification of external scenarios that can influence the occurrence of events that negatively impact not only the universities, but the whole community.

2. THEORETICAL FRAMEWORK

2.1 Risk Management

Risk management consists of a structure that includes different processes to exert control over risks. Coetzee and Lubbe (2011Coetzee, P., & Lubbe, D. (2011). Internal audit and risk management in South Africa: adherence to guidance. Acta Academica, 43(4), 29-60. https://www.researchgate.net/publication/268814872_Internal_audit_and_risk_management_in_South_Africa_Adherence_to_guidance
https://www.researchgate.net/publication... ) consider risk management to be a relatively new addition to the wider concept of corporate governance. The structure created by a risk management system includes processes and systems established by management to ensure its risk philosophy is incorporated into the daily activities of the organization. These can be a variety of activities, in which the risks can be managed in the financial (credit, market, liquidity, and liquidation risk) and operational areas.

Trivelato et al. (2018Trivelato, B. F., Mendes, D. P., & Dias, M. A. (2018). A importância do gerenciamento de riscos nas organizações contemporâneas. Revista FATEC Zona Sul, 4(2), 1-20. https://www.revistarefas.com.br/index.php/RevFATECZS/article/view/147
https://www.revistarefas.com.br/index.ph... ) also highlighted the important relationship between risk management and corporate governance, in which risk management is an important tool that aims to preserve the resources and reputation of entities, thus strengthening good governance practices. The capacity to take better decisions in relation to policies, programs, and services is fundamental in an environment shrouded in uncertainty (Hill & Dinsdale, 2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.).

Finally, within the conceptual sphere, Brito (2003Brito, O. (2003). Controladoria de risco - Retorno em instituições financeiras. Saraiva. , p. 15) defines risk management as the “process through which the various risk exposures are identified, measured, and controlled.” It consists of a systematic and methodic process through which the risks that can influence the achievement of the organization’s goals are analyzed, evaluated, and addressed (action).

Over time, organizations have sought to adopt standardized and structured approaches that can be recognized. The adoption of a systematized risk management model combines reliability, standardization, and recognition of good practices by institutions, giving rise to various international reference standards, such as COSO ERM, ISO 31000, and Orange Book, among others.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a private organization of the United States created in 1985 with the aim of strengthening the guidance in relation to three interconnected subjects: corporate risk management, internal controls, and fraud prevention. In 2004, Enterprise Risk Management (ERM) - Integrated Framework (Committee of Sponsoring Organizations of the Treadway Commission, 2004Committee of Sponsoring Organizations of the Treadway Commission. (2004). Enterprise Risk Management (ERM) - Integrated Framework. https://www.coso.org/Pages/guidance.aspx
https://www.coso.org/Pages/guidance.aspx... ) was published. This was later updated in 2017 with the launch of Enterprise Risk Management - Integrating with Strategy and Performance (Committee of Sponsoring Organizations of the Treadway Commission, 2017Committee of Sponsoring Organizations of the Treadway Commission. (2017). Enterprise Risk Management Integrating with Strategy and Performance. https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf
https://www.coso.org/Documents/2017-COSO... ), which highlights the importance of considering risk in the process of defining strategy and achieving organizational performance.

International Organization for Standardization (ISO) ISO 31000 - Risk management system - Principles and guidelines was a norm responsible for providing general principles and guidelines for risk management. ISO 31000 provides an internationally accepted standard for identifying and analyzing risks that is highly adopted in numerous countries.

In 2004, The Orange Book: Management of risk - Principles and concepts was published by the British Treasury (Her Majesty’s TreasuryHer Majesty's Treasury. (2004). The Orange Book management of risk - Principles and concepts. Her Majesty's Stationery Office.) as the main reference for the risk management program adopted by the United Kingdom, introducing risk management concepts such as resources to develop and implement risk management processes in government organizations.

Such standards are also being adopted in the public sector in Brazil, which seeks to adopt risk management as a specific additional management method, thus enabling systemic controls and monitoring of incurred risks, as discussed in the following topic.

2.2 Risk Management in the Public Sector in Brazil

The importance of risk management has increased ostensibly during the last few decades, and this also applies to public entities. There are, however, unique traits that characterize the analysis and management of risks in the public sector, both in terms of areas of application and of execution (Domokos et al., 2015Domokos, L., Nyéki, M., Jakovác, K., Németh, E., & Hatvani, C. (2015). Risk analysis and risk management in the public sector and in public auditing. Public Finance Quarterly, 60(1), 7-28. https://ideas.repec.org/a/pfq/journl/v60y2015i1p7-28.html
https://ideas.repec.org/a/pfq/journl/v60... ).

Even though the risk management practices determined by the main institutions are meant for any type of entity, the public sector has characteristics that require a specific system for that segment. Emerging as an independent discipline at the end of the 1970s and start of the 1980s, public risk management is an relatively new but important element of public management and budgeting, and, consequently, the academic literature on this topic remains limited (Qiao, 2007Qiao, Y. (2007). Public risk management: development and financing. Journal of Public Budgeting, Accounting, & Financial Management, 19(1), 33-55. https://doi.org/10.1108/JPBAFM-19-01-2007-B002
https://doi.org/10.1108/JPBAFM-19-01-200... ).

When the focus of risk management is on the public sector, in general a more risk-averse view is traditionally adopted for management. This is partly due to the importance given to the legal framework that guides public administration and because public resources need to be managed with appropriate care (McPhee, 2005McPhee, I. (2005). Risk and risk management in the public sector. Public sector governance and risk forum. Australian Institute of Company Directors/Institute of Internal Auditors Australia. https://www.anao.gov.au/sites/g/files/net616/f/McPhee_risk_and_risk_management_in_the_public_sector_2005.pdf
https://www.anao.gov.au/sites/g/files/ne... ).

In their studies on risk management in the public sector, Hill and Dinsdale (2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.) describe various obstacles to effective risk management that can arise in each stage of the process and that form part of the operational routines of institutions, such as not developing an explicit process for decision making on risks, dealing inadequately with uncertainty, or simply ignoring important risks that can lead to serious consequences for the entity or for society. Inadequate institutional management structures and systems can, therefore, negatively affect the process. Thus, a continuous risk management effort requires a systematic and integrated position from the government, especially when a cultural change is sought. For this purpose, each ministry, particularly those directly involved with risk management, should evaluate its decision-making processes, its culture, its knowledge, and its skills within the field of risk management (Hill & Dinsdale, 2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.).

In the case of Brazil, the public sector has undergone various changes in terms of advances in the form of management. The formalization of risk management techniques occurred in the Brazilian Central Bank as early as 1997, with the use of market risk management tools to manage international reserves (Banco Central do Brasil, 2017Banco Central do Brasil. (2017). Gestão integrada de riscos no Banco Central do Brasil. Departamento de Riscos Corporativos e Referências Operacionais do BCB. https://www.bcb.gov.br/htms/getriscos/Gestao-Integrada-de-Riscos.pdf
https://www.bcb.gov.br/htms/getriscos/Ge... ). In 2007, with the creation of the Brazilian Federal Revenue Office, risk management was internalized in its regulations. In 2014, the current Committee for Risk Management, Control, and Integrity was created, which debated and approved the Risk Management Manual of the Treasury Ministry, the first edition of which was published in 2015, representing an important milestone for risk management in the public sector (Ministério da Fazenda, 2018Ministério da Fazenda. (2018). Manual de gestão de riscos do Ministério da Fazenda (3a ed.). ).

The question of risks in management, applied to public policies in Brazil, was recently incorporated as an internal controls procedure.

The supervisory bodies in Brazil have accompanied this process and standards have been issued constituting the legal framework of procedures to be adopted by federal public institutions. Via Joint Normative Instruction MP/CGU n. 1/2016Joint Normative Instruction n. 1, of May 10 of 2016. Establishes organizational and presentational norms for management reports and complementary items that will constitute the accounts processes of the federal public administration, for the judgement of the Federal Court of Auditors, in the terms of art. 7 of Act n. 8,443, of 1992. http://www.planalto.gov.br/ccivil_03/_ato2007-2010/2007/lei/l11638.htm
http://www.planalto.gov.br/ccivil_03/_at... , in article 13, it is determined that “the agencies and entities of the Federal Executive Branch should implement, maintain, and review their risk management process in accordance with their mission and strategic objectives, observing the established guidelines,” thus including federal universities. The ruling therefore provides general aspects that aim to guide the agencies of the federal executive branch in their adoption of measures to systematize good management practices, highlighting various concepts inherent to the topic of governance, risk management and internal controls, structure, principles, and objectives of internal controls, the definition of responsibilities, the basic structure of a model, and risk management and governance policy.

Another important point of Joint Normative Instruction MP/CGU n. 1/2016Joint Normative Instruction n. 1, of May 10 of 2016. Establishes organizational and presentational norms for management reports and complementary items that will constitute the accounts processes of the federal public administration, for the judgement of the Federal Court of Auditors, in the terms of art. 7 of Act n. 8,443, of 1992. http://www.planalto.gov.br/ccivil_03/_ato2007-2010/2007/lei/l11638.htm
http://www.planalto.gov.br/ccivil_03/_at... relates to the institution of the Committee for Governance, Risks, and Controls, which is responsible for promoting and supervising, in an integrated manner, the adequate practice, methodology, and structure of governance, risk management, and internal controls in the entities. The standard does not specify the number of members of the committee, but it does determine that it should be composed of the senior manager (in the case in question, the dean) and of the other managers of the subordinate units (pro-deans, heads of department, and coordinators).

2.3 Risk Management in Brazilian Federal Universities

Federal universities in Brazil have undergone a process of expansion over the course of recent governments, through the creation of new units, interiorization, and an increase in personnel and course places, among other factors (Carvalho et al., 2018Carvalho, F., Lima, L., Costa, F., & Santos Júnior, A. (2018). Educação superior pública no Rio Grande do Norte: expansão e interiorização. Revista Brasileira de Planejamento e Desenvolvimento, 7(2), 241-263. https://periodicos.utfpr.edu.br/rbpd/article/download/5724/5116
https://periodicos.utfpr.edu.br/rbpd/art... ).

Together with the process of expansion and development, the dynamic environment in which federal higher education institutions operate is shrouded in increasing and varying uncertainties and doubts, making risk management essential for the management and control of those institutions (Sedrez & Fernandes, 2011Sedrez, C., & Fernandes, F. (2011). Gestão de riscos nas universidades e centros universitários do estado de Santa Catarina. Gestão Universitária da América Latina, (número especial), 70-93. https://periodicos.ufsc.br/index.php/gual/article/view/1983-4535.2011v4nespp70
https://periodicos.ufsc.br/index.php/gua... ). The expansion of public universities has led to greater complexity in their operations, with a corresponding greater exposure to risks. There needs to be a change from a less controlled environment to a less trusting one with greater control, meaning public universities require a high level of professionalism and responsibility to manage their operations (Assunção et al., 2019Assunção, A., Silva, M., Rosa, R., & Campeão, R. (2019). Estudo de caso na pró-reitoria de gestão de pessoas da Universidade Federal do Mato Grosso do Sul: análise através da matriz de risco. Revista de Gestão e Secretariado, 10(2), 140-170. https://www.revistagesec.org.br/secretariado/article/view/868
https://www.revistagesec.org.br/secretar... ; Christopher & Sarens, 2015Christopher, J., & Sarens, G. (2015). Risk management: its adoption in Australian public universities within an environment of change management - A management perspective. Australian Accounting Review, 25(1), 2-12. https://onlinelibrary-wiley.ez16.periodicos.capes.gov.br/doi/full/10.1111/auar.12057
https://onlinelibrary-wiley.ez16.periodi... ; Souza et al., 2016Souza, J., Arima, C., Oliveira, R., Akabane, G., & Galegale, N. (2016). Gestão de riscos de segurança da informação numa instituição pública federal: um estudo de caso. ENIAC projetos, 5(2), 240-256.).

According to Wang et al. (2018Wang, H., Wang, J., Ren, C., & Zhang, S. (2018). Research on risk prevention and control of Sino-foreign cooperative universities - Based on ERM comprehensive risk management framework. Advances in Economics, Business and Management Research, 71, 301-306. ), risk management in higher education is inevitable, as the threats related to disasters, finance, information technology, maintenance, and research can directly affect the reputation and sustainable development of higher education, which could cause a crisis of survival for the institutions. Moreover, federal universities relate with various social segments by providing the teaching, research, and extension services demanded by the community and the market (Ramos et al., 2018Ramos, V., Lima, A., Silva, S., & Andrade, R. (2018). Uma proposta de utilização de gestão de risco para o planejamento acadêmico de uma universidade pública. In Anais do Simpósio Internacional de Gestão de Projetos, Inovação e Sustentabilidade (1-12).; Sousa et al., 2018Sousa, M., Finati, C., Perez, M., & Duarte, K. (2018). Gestão de risco nas instituições universitárias: uma análise comparativa da metodologia da Controladoria Geral da União e do Ministério do Planejamento, Desenvolvimento e Gestão. Anais do Colóquio Internacional de Gestion Universitária (1-17). https://repositorio.ufsc.br/handle/123456789/190469
https://repositorio.ufsc.br/handle/12345... ).

Internal controls are essential in universities, aiming to increase efficiency and effectiveness in the achievement of their goals, and risk management is a key component of this (Anchundia et al., 2018Anchundia, P., Romero, X., & Perez, A. (2018). Risk management and process management in universities: Application in the University Laica Eloy Alfaro Manabí. In Annals of the 35 th International Academic Conference (121-138). https://ideas.repec.org/p/sek/iacpro/6408929.html
https://ideas.repec.org/p/sek/iacpro/640... ).

Therefore, together with the process of expansion and development, federal universities have improved their management practices, seeking to achieve and meet their institutional objectives within the educational and social spheres (Ribeiro, 2014Ribeiro, R. (2014). Os desafios contemporâneos da gestão universitária: discursos politicamente construídos. In Anais do Congresso Ibero-Americano de Política e Administração da Educação (1-14). http://www.anpae.org.br/IBERO_AMERICANO_IV/GT2/GT2_Comunicacao/RaimundaMariadaCunhaRibeiro_GT2_integral.pdf
http://www.anpae.org.br/IBERO_AMERICANO_... ).

Analyzing the normative aspect in Brazil, federal universities, as autarchies affiliated with the MEC, are subject to Joint Normative Instruction MP/CGU n. 1/2016Joint Normative Instruction n. 1, of May 10 of 2016. Establishes organizational and presentational norms for management reports and complementary items that will constitute the accounts processes of the federal public administration, for the judgement of the Federal Court of Auditors, in the terms of art. 7 of Act n. 8,443, of 1992. http://www.planalto.gov.br/ccivil_03/_ato2007-2010/2007/lei/l11638.htm
http://www.planalto.gov.br/ccivil_03/_at... , as well as MEC Ordinance n. 234/2018Ordinance n. 234, of March 15 of 2018. Discusses the Risk and Controls Management Policy of the MEC. http://www.in.gov.br/materia/-/asset_publisher/Kujrw0TZC2Mb/content/id/6848798/do1-2018-03-16-portaria-n-234-de-15-de-marco-de-2018-6848794
http://www.in.gov.br/materia/-/asset_pub... , which discusses the same characteristics, principles, and requirements of the joint normative instruction and focuses on the MEC. Therefore, it establishes general guidelines related to risk management and internal controls that are applicable to the plans, goals, strategies, objectives, actions, and programs linked to the public educational policies of the MEC, considering a 60-month conclusion period for the implementation of the new risk management policy.

Consequently, the current standards seek to ensure that federal universities can increase the probability of achieving their objectives, eliminating or reducing risks to acceptable levels, enabling value to be added to the MEC through improved decision-making processes and by adequately addressing the risks and impacts caused by them (MEC Ordinance n. 234/2018Ordinance n. 234, of March 15 of 2018. Discusses the Risk and Controls Management Policy of the MEC. http://www.in.gov.br/materia/-/asset_publisher/Kujrw0TZC2Mb/content/id/6848798/do1-2018-03-16-portaria-n-234-de-15-de-marco-de-2018-6848794
http://www.in.gov.br/materia/-/asset_pub... ).

Table 1 summarizes some national and international studies on risk management that are applicable to the universities used in this research.

Thumbnail

Table 1
Studies related to the topic of risk management in universities

3. METHODOLOGY

First, in relation to its nature, this research is classified as applied and quantitative in terms of the approach to the problem. Regarding the objectives, it is descriptive, and with relation to the technical procedures, it consists of a survey.

The scope of this research includes the employees of federal universities in Brazil, totaling 68 institutions (Anísio Teixeira National Institute of Educational Studies and Research, 2019Instituto Nacional de Estudos e Pesquisas Educacionais Anísio Teixeira. (2019). Censo da educação superior. Ministério da Educação. http://portal.inep.gov.br/web/guest/educacao-superior
http://portal.inep.gov.br/web/guest/educ... ). Analyses were carried out of the respondents’ profile and their perception regarding the challenges derived from the adoption of risk management in the institutions. It should be noted that five of the universities analyzed were excluded from the study as they had not yet started their activities: the Federal University of Rondonópolis (Mato Grosso), the Federal University of the Agreste de Pernambuco, and the Federal University of the Delta do Parnaíba (Piauí). The study therefore covered 63 universities.

Besides containing information on the profile of the public servants involved, the structure of the variables (Table 2) was elaborated based on the main stages of risk management that feature in the literature and the main legislation, aiming to analyze characteristics that affect the objectives of this research.

Thumbnail

Table 2
Research variables

Thus, through the relationship between the groups of variables, we sought to analyze the perception of the public servants regarding the challenges arising from the adoption of risk management in federal universities in Brazil. The research followed the following steps:

The questionnaire followed the structure of the variables defined in the research and was composed of 19 questions divided into two sections: respondent’s profile and perception (Likert scale). The Google Forms^® tool was used to collect the answers.
A pre-test was conducted using members of the governance, risk, and control committees of four universities in order to validate the questionnaire.
The questionnaire was sent by email to a member of the governance, risk, and control committee of each university, as established by Joint Normative Instruction MP/CGU n. 1/2016 and MEC Ordinance n. 234/2018. Each university analyzed has its own committee, in which only one member answered the questionnaire, and so the member was not specifically chosen. The universities disclose the composition of the members of their committees through internal notices.
The data collection period occurred from 09/24/2019 to 10/31/2019. As a result, 43 responses were obtained, excluding the four questionnaires used during the pre-test phase, thus obtaining a 73% response rate.
The descriptive analysis of the data was carried out using dispersion and position measures.

After defining the methodological procedures of the research, the results analysis was carried out.

4. RESULTS ANALYSIS

4.1 Respondents’ Profile

The purpose of this item is to analyze the respondents’ profile. The items that compose Group 1 of the research variables will be shown and analyzed, thus characterizing the professionals of the federal universities in Brazil who are engaged in risk management.

Table 3 shows the sex and age group of the respondents.

Thumbnail

Table 3
Sex and age group of the respondents

The respondents in the 31 to 50 age group represent 74.5% of the total, this being the predominant age group. The 20 to 30 age group represents 16.3% and 9.3% are over 50, this being the least representative age group among the respondents. In absolute values, of the 43 respondents, 27 are men, thus representing the majority (62.8%).

In relation to education and position, it can be seen in Table 4 that most of the professionals engaged in risk management at the universities are made up of administrative technicians, who account for 83.7% of the total.

Thumbnail

Table 4
Position and education of the respondents

The results of the research show that the educational level of the public servants involved is at least degree level and 41.9% are specialists. A little more than half of the respondents (51.2%) have a master’s/PhD, indicating that the employees seek further qualifications. There is a noted movement toward further education through specializations, masters, and PhDs; three employees have a degree, representing 7% of the data.

Thumbnail

Table 5
Time of experience at the institution

Time of experience at the institution was considered in the research, as shown in Table 5. The data show that more than half of the public servants involved (48.8%) have from six to 15 years’ experience. The least experienced ones, with up to five years at their institution, represent 34.9% of the total, while those with more than 20 years’ experience account for 14%.

It is noted that the professional’s experience in public management and universities contributes to the set of skills, knowledge, and capacities that a public servant needs to perform their functions and resolve problems, as well as to create solutions, independently of their academic training.

In relation to their time of experience specifically in the position they occupy, only one employee has been in the role for more than 20 years, as shown in Table 6.

Thumbnail

Table 6
Time of experience in the role and participation in a course on risk management

On the other hand, 67.4% of the public servants have only been in the role since recently and have less than five years’ experience.

The data show that most (83.7%) have taken part in some training in this sense, showing concern on the part of the public servants about building skills. Moreover, the obligation to adopt internal control, governance, and risk management mechanisms established by Joint Normative Instruction MP/CGU n. 1/2016Joint Normative Instruction n. 1, of May 10 of 2016. Establishes organizational and presentational norms for management reports and complementary items that will constitute the accounts processes of the federal public administration, for the judgement of the Federal Court of Auditors, in the terms of art. 7 of Act n. 8,443, of 1992. http://www.planalto.gov.br/ccivil_03/_ato2007-2010/2007/lei/l11638.htm
http://www.planalto.gov.br/ccivil_03/_at... contributes to the dissemination of training within the scope of the federal executive branch. The governance, risk, and control committees of each university are responsible for promoting the continuous development of their public agents, through internal actions to train their staff.

It is noted that the risk management policies feature periodical training, with actions aimed at the continuous development of the public servants. The result is therefore positive, considering that most of those in the study have sought training with the aim of developing specific skills to help in the process of adopting risk management at their universities (Hill & Dinsdale, 2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.).

4.2 Respondents’ Perception Regarding the Challenges of Adopting Risk Management

In this stage we will analyze the answers relating to the respondents’ perceptions regarding various points that constitute challenges for the adoption of risk management at the universities analyzed.

Table 7 shows the descriptive statistics of the answers, which were evaluated using a five-point Likert scale of agreement. Next, Table 8 shows the results regarding the dispersion measures of the answers obtained.

Thumbnail

Table 7
Perception regarding the challenges of adopting risk management

Thumbnail

Table 8
Dispersion measures of the perception regarding the challenges of adopting risk management

Initially, as the first challenge, we evaluated the respondents’ perception regarding the possibility of them ignoring important risks in the institution. Almost half partially/totally agree (48.9%) that there is this possibility. Considering 215 as the maximum number of points possible, it was also one of the variables with the lowest total points in relation to the scale of agreement (Table 8). Moreover, it obtained the second lowest median among the variables. The result may indicate that even with efficient control measures, including the practice of risk management, flaws may emerge that can lead to serious threats to the institutions.

When conducting a study on risk management in universities, Sedrez and Fernandes (2011Sedrez, C., & Fernandes, F. (2011). Gestão de riscos nas universidades e centros universitários do estado de Santa Catarina. Gestão Universitária da América Latina, (número especial), 70-93. https://periodicos.ufsc.br/index.php/gual/article/view/1983-4535.2011v4nespp70
https://periodicos.ufsc.br/index.php/gua... ) verified various relevant risks, such as dropouts, difficulties in maintaining an economic surplus, human error, and image risks. In turn, the study by Ramos et al. (2018Ramos, V., Lima, A., Silva, S., & Andrade, R. (2018). Uma proposta de utilização de gestão de risco para o planejamento acadêmico de uma universidade pública. In Anais do Simpósio Internacional de Gestão de Projetos, Inovação e Sustentabilidade (1-12).) identified some relevant risks that can impact public universities, such as a lack of security in the system, insufficient financial transfers, and strikes. To overcome such obstacles, generic lists of risks can be frequently used to help avoid potential risks being ignored or forgotten (Hill & Dinsdale, 2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.). Domokos et al. (2015Domokos, L., Nyéki, M., Jakovác, K., Németh, E., & Hatvani, C. (2015). Risk analysis and risk management in the public sector and in public auditing. Public Finance Quarterly, 60(1), 7-28. https://ideas.repec.org/a/pfq/journl/v60y2015i1p7-28.html
https://ideas.repec.org/a/pfq/journl/v60... ) mention that the classification of processes by material risks helps to identify circumstances that threaten institutions in the public sector; while Braga (2017Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103
https://ojs.cgu.gov.br/index.php/Revista... ) warns of the possibility of those risks being ignored by the senior management of the entities, thus requiring a search for dialogue in the main administrative functions.

Subsequently, we verified the perception regarding the possibility of adequately addressing the uncertainty resulting from incomplete or complex information. In this case, 58.1% partially/totally agree that this could occur in their institutions and this is one of the variables with the lowest standard deviation; that is, there was considerable consensus among the respondents (Table 8). For Helsloot and Jong (2006Helsloot, I., & Jong, W. (2006). Risk management in higher education and research in the Netherlands. Journal of Contingencies and Crisis Management, 14(3), 142-159. https://doi.org/10.1111/j.1468-5973.2006.00490.x
https://doi.org/10.1111/j.1468-5973.2006... ), complexity is a crisis factor in public universities in the Netherlands, in which the risks created can involve various players, each one having or claiming their own role, responsibility, or authority.

It is noted that bigger and/or more complex institutions (such as federal universities) tend to have a wider group of individuals involved in the risk management process and their processes tend to be more delegated (HEFCE, 2005Higher Education Funding Council for England. (2005). Risk management in higher education. ). Thus, the internal processes are naturally more complex, giving rise to the challenge of dealing in the most appropriate way possible with information that requires greater complexity, particularly in the public sector. Specifically in federal universities, questions that involve research, technology, and human resources, besides the constant scrutiny related to constant accountability, show the complexity of the university environment and the difficulty that the respondents will have in analyzing and evaluating the risks embedded in that environment.

There may also be a lack of trust or understanding among the public servants involved, according to 60.5% of the respondents, who totally/partially agreed that there is in fact this possibility in the institutions. It was also one of the variables with the highest level of variance and standard deviation, as shown in Table 8. The lack of consensus among the respondents may be a reflection of the difficulty in identifying the real objectives of the public organizations combined with the absence of a risk culture (Braga, 2017Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103
https://ojs.cgu.gov.br/index.php/Revista... ).

The universities need to identify the need to reallocate resources to training, communication, promotion, and support for processes to guarantee a common understanding, management, and communications among the members of the team. Hill and Dinsdale (2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.) mentioned integrity, skill, empathy, transparency, dialogue, and communication of risks, as well as a consistent and well understood decision-making process as solutions. The lack of trust and understanding may contribute to the gradual abandonment of risk management as a whole in the universities even before its total adoption.

The next item asks whether there are divergences regarding the perceived seriousness of a risk or strategies adopted to manage it. According to the results, 79.1% totally/partially agree. This factor may cause a lack of consensus and solutions regarding the treatment of a particular risk, hindering a quicker resolution of some threat. Helsloot and Jong (2006Helsloot, I., & Jong, W. (2006). Risk management in higher education and research in the Netherlands. Journal of Contingencies and Crisis Management, 14(3), 142-159. https://doi.org/10.1111/j.1468-5973.2006.00490.x
https://doi.org/10.1111/j.1468-5973.2006... ) report that the level of risk awareness among staff and students is comparatively low, while universities believe that technical solutions could be widely employed. In this sense, Hill and Dinsdale (2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.) argue that effective risk management balances the analytical capabilities of science with the democratic virtues of dialogue with the public and their involvement.

Analyzing the next item, which asks whether there is an inadequate institutional structure for risk management, 62.8% partially/totally agree that this may be the case in the universities. Creating a risk management culture in the public sector is a big challenge for institutions, where there is a tendency to preserve the current organizational structure, even if it is clearly inefficient and inadequate for achieving objectives (Braga, 2017Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103
https://ojs.cgu.gov.br/index.php/Revista... ; Christopher & Sarens, 2015Christopher, J., & Sarens, G. (2015). Risk management: its adoption in Australian public universities within an environment of change management - A management perspective. Australian Accounting Review, 25(1), 2-12. https://onlinelibrary-wiley.ez16.periodicos.capes.gov.br/doi/full/10.1111/auar.12057
https://onlinelibrary-wiley.ez16.periodi... ; Helsloot & Jong, 2006Helsloot, I., & Jong, W. (2006). Risk management in higher education and research in the Netherlands. Journal of Contingencies and Crisis Management, 14(3), 142-159. https://doi.org/10.1111/j.1468-5973.2006.00490.x
https://doi.org/10.1111/j.1468-5973.2006... ). Added to this are the organizational particularities and cultures of each management team appointed in federal universities, which can enable or impede the implementation of a new control method during their mandate.

The information system is also considered to be a critical factor for the success of risk management. It was asked whether the information system is inefficient and unable to support risk management. In this case, 48.8% partially/totally agree that the information system is a critical factor in supporting risk management and it is inefficient or unable to give support. This is also the factor with the greatest discrepancy among the answers, showing the highest standard deviation and variance. This discrepancy among the respondents may have occurred due to the universities analyzed not having standardized management information systems, creating different perceptions on whether these are able or unable to support risk management. These software programs contain tools capable of covering all stages of risk management, from detection to solution. The studies of Souza et al. (2016Souza, J., Arima, C., Oliveira, R., Akabane, G., & Galegale, N. (2016). Gestão de riscos de segurança da informação numa instituição pública federal: um estudo de caso. ENIAC projetos, 5(2), 240-256.) and Ramos et al. (2018Ramos, V., Lima, A., Silva, S., & Andrade, R. (2018). Uma proposta de utilização de gestão de risco para o planejamento acadêmico de uma universidade pública. In Anais do Simpósio Internacional de Gestão de Projetos, Inovação e Sustentabilidade (1-12).) highlighted the importance of security control requirements in order to reduce risks for the institution, involving platforms, databases, network applications, and audits, among others.

Next, we asked about the difficulty in renewing the risk management cycle, given that this should be continuous. To this, 62.8% of the respondents partially/totally agreed. The organizations need to continuously incorporate and improve their risk management processes, maintaining good practices to integrate risk management and build an organizational culture in which everyone is a risk manager. According to Braga (2017Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103
https://ojs.cgu.gov.br/index.php/Revista... , p. 693), “risk management is a permanently unfinished process, which seeks to deal with threats and ever-changing organizations;” that is, the process should be proactively initiated and kept going.

Hill and Dinsdale (2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.) define risk management as a systematic decision-making and problem-solving process. This process should be well structured in public organizations, including a continuous cycle of learning and the introduction of improvements. Joint Normative Instruction MP/CGU n. 1/2016Joint Normative Instruction n. 1, of May 10 of 2016. Establishes organizational and presentational norms for management reports and complementary items that will constitute the accounts processes of the federal public administration, for the judgement of the Federal Court of Auditors, in the terms of art. 7 of Act n. 8,443, of 1992. http://www.planalto.gov.br/ccivil_03/_ato2007-2010/2007/lei/l11638.htm
http://www.planalto.gov.br/ccivil_03/_at... also highlights the importance of cyclical monitoring and the need to continuously develop public agents in risk management, while MEC Ordinance n. 234/2018Ordinance n. 234, of March 15 of 2018. Discusses the Risk and Controls Management Policy of the MEC. http://www.in.gov.br/materia/-/asset_publisher/Kujrw0TZC2Mb/content/id/6848798/do1-2018-03-16-portaria-n-234-de-15-de-marco-de-2018-6848794
http://www.in.gov.br/materia/-/asset_pub... guides federal universities toward measuring risk management performance using continuous activities or independent evaluations. The result obtained in the research serves as a warning for the entities that are implementing or have recently incorporated risk management, avoiding future weaknesses regarding adoption in the universities analyzed.

Then, we sought to analyze the respondents’ perception regarding the lack of process mapping, which is the decisive procedure for the effective adoption of risk management in the universities. The results show that 37.2% partially agree and 44.2% totally agree (totaling 81.4%), thus making it clear that the public servants see process mapping as a relevant tool for the adoption of risk management. Moreover, it was one of the variables with the highest total points on the scale (Table 8). Assunção et al. (2019Assunção, A., Silva, M., Rosa, R., & Campeão, R. (2019). Estudo de caso na pró-reitoria de gestão de pessoas da Universidade Federal do Mato Grosso do Sul: análise através da matriz de risco. Revista de Gestão e Secretariado, 10(2), 140-170. https://www.revistagesec.org.br/secretariado/article/view/868
https://www.revistagesec.org.br/secretar... ) demonstrated how the application of process mapping in one federal university contributed to its risk management, by recognizing and monitoring various threats.

The next item involves the lack of engagement of the public servants involved, which is a compromising factor for risk management. The results indicated that 51.2% totally agree and 32.6% partially agree (83.8%), and this is the variable with the highest score on the scale (182 out of 215) and, consequently, the greatest agreement among the respondents (Table 8). The highest mean and median among the variables analyzed were also obtained. The public servants recognize that a lack of engagement constitutes a challenge for risk management, considering that there may be a lack of proactivity from the public servant.

Braga (2017Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103
https://ojs.cgu.gov.br/index.php/Revista... ) raises this question when analyzing the logic of the public structure, highlighting one set of difficulties related to the organizational culture in the public sector. In the study of Ramos et al. (2018Ramos, V., Lima, A., Silva, S., & Andrade, R. (2018). Uma proposta de utilização de gestão de risco para o planejamento acadêmico de uma universidade pública. In Anais do Simpósio Internacional de Gestão de Projetos, Inovação e Sustentabilidade (1-12).), it was identified that demotivation among collaborators (teachers and administrative technicians, among others) is a risk with a high impact on the risk framework in a public university. The authors verified that the high impact is due to the low productivity and difficulty of taking internal measures to mitigate this type of risk. Assunção et al. (2019Assunção, A., Silva, M., Rosa, R., & Campeão, R. (2019). Estudo de caso na pró-reitoria de gestão de pessoas da Universidade Federal do Mato Grosso do Sul: análise através da matriz de risco. Revista de Gestão e Secretariado, 10(2), 140-170. https://www.revistagesec.org.br/secretariado/article/view/868
https://www.revistagesec.org.br/secretar... ) verified that some errors are caused due to demotivated employees, who are under pressure or face very tight deadlines, use obsolete systems, and lack training.

It is therefore an aspect that needs to be reviewed by the universities analyzed and by their respective governance, risk, and control committees, and an environment and culture should be provided that are able to motivate employees and reduce the appetite for risk. The institutions should offer the support and reward systems needed for their teams to produce better results (Hill & Dinsdale, 2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.). Consequently, adequate communication channels are mechanisms that provide timely information, constant alignment, motivation, and engagement (COSO, 2007Committee of Sponsoring Organizations of the Treadway Commission. (2007). Gerenciamento de riscos corporativos - Estrutura integrada. https://www.coso.org/Documents/COSO-ERM-Executive-Summary-Portuguese.pdf
https://www.coso.org/Documents/COSO-ERM-... ; ISO, 2018International Organization for Standardization. (2018). ISO 31000 - Risk management system - Principles and guidelines. ).

When asked whether a lack of employee training still constitutes a limiting factor for the success of risk management, 79.1% answered that they partially/totally agree. Thus, it is perceived that public servant training constitutes a limiting factor for the success of risk management. Despite most of the public servants having taken part in some specific course on risk management, there is still a need to extend training to the whole university, by incorporating training programs into internal training policies; one of the responsibilities of the governance, risk, and control committee is to promote the continuous development of public agents (Joint Normative Instruction MP/CGU n. 1/2016Joint Normative Instruction n. 1, of May 10 of 2016. Establishes organizational and presentational norms for management reports and complementary items that will constitute the accounts processes of the federal public administration, for the judgement of the Federal Court of Auditors, in the terms of art. 7 of Act n. 8,443, of 1992. http://www.planalto.gov.br/ccivil_03/_ato2007-2010/2007/lei/l11638.htm
http://www.planalto.gov.br/ccivil_03/_at... ). In addition, MEC Ordinance n. 234/2018 mentions that continuous education should be carried out at all levels of management.

Thus, despite this obligation, the data from the research revealed that there was a high level of agreement (Table 8) that the lack of training is a challenge for the adoption of risk management, serving as a warning for the universities analyzed. According to the HEFCE (2005Higher Education Funding Council for England. (2005). Risk management in higher education. ), there is a need to incentivize managers to develop skills and knowledge in risk management through training and self-development programs. Finally, the adoption of risk management will require managerial skills within the field of organizational behavior, team leadership, and change management (Hill & Dinsdale, 2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.).

It was also verified whether the current excess demands may compromise the success of the adoption of risk management in the institutions. To this, 76.8% of the respondents partially/totally agreed. It is understood that, with the current level of demand for services, the public servants may encounter difficulties in the adoption of risk management. The new rules making the adoption of risk management in federal universities obligatory (Joint Normative Instruction MP/CGU n. 1/2016Joint Normative Instruction n. 1, of May 10 of 2016. Establishes organizational and presentational norms for management reports and complementary items that will constitute the accounts processes of the federal public administration, for the judgement of the Federal Court of Auditors, in the terms of art. 7 of Act n. 8,443, of 1992. http://www.planalto.gov.br/ccivil_03/_ato2007-2010/2007/lei/l11638.htm
http://www.planalto.gov.br/ccivil_03/_at... and MEC Ordinance n. 234/2018Ordinance n. 234, of March 15 of 2018. Discusses the Risk and Controls Management Policy of the MEC. http://www.in.gov.br/materia/-/asset_publisher/Kujrw0TZC2Mb/content/id/6848798/do1-2018-03-16-portaria-n-234-de-15-de-marco-de-2018-6848794
http://www.in.gov.br/materia/-/asset_pub... ) create growing pressure on them to create a control process that enables operational accountability, efficiency, and effectiveness. The same occurs in relation to the audits carried out by the supervisory bodies (TCU and CGU). The lack of personnel may also be a limiting factor in this sense, making adoption slow and/or ineffective, thus giving rise to another warning for the universities analyzed, as it was one of the variables with the highest scores on the scale (Table 8).

Concluding the analysis, it was verified whether sufficient and appropriate resources (people, structure, information technology systems, and tools to manage risks) are allocated for risk management. More than half (53.5%) of the public servants partially/totally disagree, and this is the variable with the lowest median and lowest score out of the maximum total points possible (117 out of 215).

Each university analyzed probably provides appropriate resources at different levels for adopting risk management, resulting in higher standard deviations and variances in terms of the answers (Table 8). It is important to highlight that MEC Ordinance n. 234/2018Ordinance n. 234, of March 15 of 2018. Discusses the Risk and Controls Management Policy of the MEC. http://www.in.gov.br/materia/-/asset_publisher/Kujrw0TZC2Mb/content/id/6848798/do1-2018-03-16-portaria-n-234-de-15-de-marco-de-2018-6848794
http://www.in.gov.br/materia/-/asset_pub... defines that the senior management should establish the conditions and structure for risk management. For Hill and Dinsdale (2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.), the capacity to effectively manage risks depends a lot on the structure and on the systems used by the public servants. Thus, the creation of policies, norms, guidelines, and training may not be enough in the process of adopting risk management due to structural questions (Braga, 2017Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103
https://ojs.cgu.gov.br/index.php/Revista... ). In this sense, it can be noted that the universities analyzed do not yet have enough of a general structure for risk management to be carried out effectively. Changes in the management of the universities require restructuring, investment in infrastructure, institutional expansion, and big capital projects.

5. CONCLUSION

The study sought to identify the perception of the members of the risk committees of federal universities in Brazil regarding the challenges of adopting risk management in those institutions.

First, we sought to analyze the profile of the public servants involved in the formation of the governance, risk, and control committees of the universities. Despite most of the respondents having experience and training in risk management, it was observed in the analysis of the challenges that a lack of staff training also constituted a limiting factor for the success of risk management, as well as a lack of engagement. Training and capacity building focused solely on members of the risk management committee may not be enough, considering that risk management should be present in all processes of the institutions.

Second, we analyzed the perception of the public servants of the universities analyzed in terms of the challenges arising from the adoption of risk management. It was possible to verify that most of the respondents agree with the challenges mentioned in the research in their institutions, recognizing that the adoption of risk management still needs to overcome various adversities.

The items related to the lack of trust, inefficiency of the information system, and insufficient resources were the ones that obtained the greatest divergence among the respondents, while complex information and divergences regarding the risk obtained the greatest consensus among the variables. It can be noted that the universities analyzed do not yet have a sufficient structure for risk management to be carried out effectively. Changes in the management of the universities require restructuring, investment in infrastructure, institutional expansion, and big capital projects.

With relation to the total scores, the items related to the lack of engagement, process mapping, lack of training, and excess demands were the ones that obtained the highest scores, while ignoring relevant risks and insufficient resources obtained the lowest scores. The lack of engagement perceived by the public servants is a factor that compromises risk management in the universities. Added to this is the relationship between the lack of training and excess demands.

Unmotivated, undertrained, and overworked public servants are challenges that require the universities to take a stance to avoid failure in the adoption of risk management. Leadership, training, and a fair demand of activities should be taken into account. The absence of process mapping is, for the public servants, a relevant challenge in the universities. Problems derived from non-compliance with processes may arise. If the universities do not have their activity processes mapped, the identification of the risks derived from non-compliance may be compromised, leaving the institutions more vulnerable.

Given the challenges proposed in the research, it was possible to note that the organizational structures, systems, and processes that enable the adoption of a systematic approach in risk management increase the probability of good decisions being taken regarding risks. In an environment shrouded in difficulties, the main managers should assume the most important role, ensuring that the structures, systems, and strategies for the effective management of risks are available in the universities. As highlighted by Braga (2017Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103
https://ojs.cgu.gov.br/index.php/Revista... ), the characteristics of public administration (risk culture, fear of accountability, lack of planning) reveal the difficulties of adopting risk management in federal universities. It was also possible to perceive that the challenges proposed by Hill and Dinsdale (2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.) were perceived by most of the respondents, thus corroborating the literature on the topic.

Thus, the study aimed to contribute to the professional and academic areas by showing the perception of federal universities regarding the main aspects of risk management, even though this is in an initial phase of obligatory adoption in the Brazilian public sector. It may also therefore contribute or create perspectives regarding the challenges and benefits perceived by the public servants themselves.

Federal universities can identify each one of the points analyzed in the study in order to carry out various improvements, with the aim of adapting to the risk management recently imposed by the legislation. Based on the results of the study, a set of actions can be proposed, embedded in the operational context of the universities, in order to improve the level of maturity of the risk management of those institutions given the challenges proposed.

Finally, it is important to highlight the limitations of this study. One was the obtainment of answers from only one member of the risk committees of the universities, which does not guarantee representing the opinion of the rest. No specific member of the committees was chosen, which may have created some bias of opinion. It is also important to highlight that the study was applied to a specific niche, covering only federal universities, which have their own particular characteristics. We suggest also studying other federal bodies with the aim of better understanding risk management in the public sector in a more comprehensive way.

REFERENCES

Anchundia, P., Romero, X., & Perez, A. (2018). Risk management and process management in universities: Application in the University Laica Eloy Alfaro Manabí. In Annals of the 35 ^th International Academic Conference (121-138). https://ideas.repec.org/p/sek/iacpro/6408929.html
» https://ideas.repec.org/p/sek/iacpro/6408929.html
Assunção, A., Silva, M., Rosa, R., & Campeão, R. (2019). Estudo de caso na pró-reitoria de gestão de pessoas da Universidade Federal do Mato Grosso do Sul: análise através da matriz de risco. Revista de Gestão e Secretariado, 10(2), 140-170. https://www.revistagesec.org.br/secretariado/article/view/868
» https://www.revistagesec.org.br/secretariado/article/view/868
Banco Central do Brasil. (2017). Gestão integrada de riscos no Banco Central do Brasil Departamento de Riscos Corporativos e Referências Operacionais do BCB. https://www.bcb.gov.br/htms/getriscos/Gestao-Integrada-de-Riscos.pdf
» https://www.bcb.gov.br/htms/getriscos/Gestao-Integrada-de-Riscos.pdf
Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103
» https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103
Brito, O. (2003). Controladoria de risco - Retorno em instituições financeiras Saraiva.
Carvalho, F., Lima, L., Costa, F., & Santos Júnior, A. (2018). Educação superior pública no Rio Grande do Norte: expansão e interiorização. Revista Brasileira de Planejamento e Desenvolvimento, 7(2), 241-263. https://periodicos.utfpr.edu.br/rbpd/article/download/5724/5116
» https://periodicos.utfpr.edu.br/rbpd/article/download/5724/5116
Christopher, J., & Sarens, G. (2015). Risk management: its adoption in Australian public universities within an environment of change management - A management perspective. Australian Accounting Review, 25(1), 2-12. https://onlinelibrary-wiley.ez16.periodicos.capes.gov.br/doi/full/10.1111/auar.12057
» https://onlinelibrary-wiley.ez16.periodicos.capes.gov.br/doi/full/10.1111/auar.12057
Coetzee, P., & Lubbe, D. (2011). Internal audit and risk management in South Africa: adherence to guidance. Acta Academica, 43(4), 29-60. https://www.researchgate.net/publication/268814872_Internal_audit_and_risk_management_in_South_Africa_Adherence_to_guidance
» https://www.researchgate.net/publication/268814872_Internal_audit_and_risk_management_in_South_Africa_Adherence_to_guidance
Committee of Sponsoring Organizations of the Treadway Commission. (2004). Enterprise Risk Management (ERM) - Integrated Framework https://www.coso.org/Pages/guidance.aspx
» https://www.coso.org/Pages/guidance.aspx
Committee of Sponsoring Organizations of the Treadway Commission. (2007). Gerenciamento de riscos corporativos - Estrutura integrada https://www.coso.org/Documents/COSO-ERM-Executive-Summary-Portuguese.pdf
» https://www.coso.org/Documents/COSO-ERM-Executive-Summary-Portuguese.pdf
Committee of Sponsoring Organizations of the Treadway Commission. (2017). Enterprise Risk Management Integrating with Strategy and Performance https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf
» https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf
Cooper, T. (2012). Exploring strategic risk in communities: evidence from a Canadian province. Journal of Enterprising Communities: People and Places in the Global Economy, 6(4), 350-368. https://doi.org/10.1108/17506201211272788
» https://doi.org/10.1108/17506201211272788
Domokos, L., Nyéki, M., Jakovác, K., Németh, E., & Hatvani, C. (2015). Risk analysis and risk management in the public sector and in public auditing. Public Finance Quarterly, 60(1), 7-28. https://ideas.repec.org/a/pfq/journl/v60y2015i1p7-28.html
» https://ideas.repec.org/a/pfq/journl/v60y2015i1p7-28.html
Grateron, I. R. (1999). Auditoria de gestão: utilização de indicadores de gestão no setor público Fundação Instituto de Pesquisas Contábeis, Atuariais e Financeiras.
Helsloot, I., & Jong, W. (2006). Risk management in higher education and research in the Netherlands. Journal of Contingencies and Crisis Management, 14(3), 142-159. https://doi.org/10.1111/j.1468-5973.2006.00490.x
» https://doi.org/10.1111/j.1468-5973.2006.00490.x
Her Majesty's Treasury. (2004). The Orange Book management of risk - Principles and concepts Her Majesty's Stationery Office.
Higher Education Funding Council for England. (2005). Risk management in higher education
Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.
Instituto Nacional de Estudos e Pesquisas Educacionais Anísio Teixeira. (2019). Censo da educação superior Ministério da Educação. http://portal.inep.gov.br/web/guest/educacao-superior
» http://portal.inep.gov.br/web/guest/educacao-superior
International Organization for Standardization. (2018). ISO 31000 - Risk management system - Principles and guidelines
Joint Normative Instruction n. 1, of May 10 of 2016 Establishes organizational and presentational norms for management reports and complementary items that will constitute the accounts processes of the federal public administration, for the judgement of the Federal Court of Auditors, in the terms of art. 7 of Act n. 8,443, of 1992. http://www.planalto.gov.br/ccivil_03/_ato2007-2010/2007/lei/l11638.htm
» http://www.planalto.gov.br/ccivil_03/_ato2007-2010/2007/lei/l11638.htm
Matias-Pereira, A. (2009). Manual de gestão pública contemporânea (2a ed.). Atlas.
McPhee, I. (2005). Risk and risk management in the public sector Public sector governance and risk forum Australian Institute of Company Directors/Institute of Internal Auditors Australia. https://www.anao.gov.au/sites/g/files/net616/f/McPhee_risk_and_risk_management_in_the_public_sector_2005.pdf
» https://www.anao.gov.au/sites/g/files/net616/f/McPhee_risk_and_risk_management_in_the_public_sector_2005.pdf
Ministério da Fazenda. (2018). Manual de gestão de riscos do Ministério da Fazenda (3a ed.).
Normative Decision n. 107, of October 27 of 2010 Discusses the jurisdictional units whose responsible parties should present a management report relating to the 2010 financial year, specifying the organization, form, contents, and presentation deadlines, in the terms of art. 3 of TCU Normative Instruction n. 63, of September 1^st of 2010. http://www.tcu.gov.br/Consultas/Juris/Docs/judoc/DN/20101029/DNT2010-107.doc
» http://www.tcu.gov.br/Consultas/Juris/Docs/judoc/DN/20101029/DNT2010-107.doc
Ordinance n. 234, of March 15 of 2018 Discusses the Risk and Controls Management Policy of the MEC. http://www.in.gov.br/materia/-/asset_publisher/Kujrw0TZC2Mb/content/id/6848798/do1-2018-03-16-portaria-n-234-de-15-de-marco-de-2018-6848794
» http://www.in.gov.br/materia/-/asset_publisher/Kujrw0TZC2Mb/content/id/6848798/do1-2018-03-16-portaria-n-234-de-15-de-marco-de-2018-6848794
Power, M., Scheytt, T., Soin, K., & Sahlin, K. (2009). Reputational risk as a logic of organizing in late modernity. Organization Studies, 30(2), 301-324. http://dx.doi.org/10.1177/0170840608101482
» http://dx.doi.org/10.1177/0170840608101482
Qiao, Y. (2007). Public risk management: development and financing. Journal of Public Budgeting, Accounting, & Financial Management, 19(1), 33-55. https://doi.org/10.1108/JPBAFM-19-01-2007-B002
» https://doi.org/10.1108/JPBAFM-19-01-2007-B002
Ramos, V., Lima, A., Silva, S., & Andrade, R. (2018). Uma proposta de utilização de gestão de risco para o planejamento acadêmico de uma universidade pública. In Anais do Simpósio Internacional de Gestão de Projetos, Inovação e Sustentabilidade (1-12).
Ribeiro, R. (2014). Os desafios contemporâneos da gestão universitária: discursos politicamente construídos. In Anais do Congresso Ibero-Americano de Política e Administração da Educação (1-14). http://www.anpae.org.br/IBERO_AMERICANO_IV/GT2/GT2_Comunicacao/RaimundaMariadaCunhaRibeiro_GT2_integral.pdf
» http://www.anpae.org.br/IBERO_AMERICANO_IV/GT2/GT2_Comunicacao/RaimundaMariadaCunhaRibeiro_GT2_integral.pdf
Sedrez, C., & Fernandes, F. (2011). Gestão de riscos nas universidades e centros universitários do estado de Santa Catarina. Gestão Universitária da América Latina, (número especial), 70-93. https://periodicos.ufsc.br/index.php/gual/article/view/1983-4535.2011v4nespp70
» https://periodicos.ufsc.br/index.php/gual/article/view/1983-4535.2011v4nespp70
Sousa, M., Finati, C., Perez, M., & Duarte, K. (2018). Gestão de risco nas instituições universitárias: uma análise comparativa da metodologia da Controladoria Geral da União e do Ministério do Planejamento, Desenvolvimento e Gestão. Anais do Colóquio Internacional de Gestion Universitária (1-17). https://repositorio.ufsc.br/handle/123456789/190469
» https://repositorio.ufsc.br/handle/123456789/190469
Souza, J., Arima, C., Oliveira, R., Akabane, G., & Galegale, N. (2016). Gestão de riscos de segurança da informação numa instituição pública federal: um estudo de caso. ENIAC projetos, 5(2), 240-256.
Trivelato, B. F., Mendes, D. P., & Dias, M. A. (2018). A importância do gerenciamento de riscos nas organizações contemporâneas. Revista FATEC Zona Sul, 4(2), 1-20. https://www.revistarefas.com.br/index.php/RevFATECZS/article/view/147
» https://www.revistarefas.com.br/index.php/RevFATECZS/article/view/147
Wang, H., Wang, J., Ren, C., & Zhang, S. (2018). Research on risk prevention and control of Sino-foreign cooperative universities - Based on ERM comprehensive risk management framework. Advances in Economics, Business and Management Research, 71, 301-306.

Edited by

Editor-in-Chief: Fábio Frezatti Associate Editor: Eliseu Martins

Publication Dates

Publication in this collection
26 Apr 2021
Date of issue
May-Aug 2021

History

Received
16 May 2020
Reviewed
22 June 2020
Accepted
09 Nov 2020

This is an open-access article distributed under the terms of the Creative Commons Attribution License

[1] Anchundia, P., Romero, X., & Perez, A. (2018). Risk management and process management in universities: Application in the University Laica Eloy Alfaro Manabí. In Annals of the 35 ^th International Academic Conference (121-138). https://ideas.repec.org/p/sek/iacpro/6408929.html
» https://ideas.repec.org/p/sek/iacpro/6408929.html

[2] Assunção, A., Silva, M., Rosa, R., & Campeão, R. (2019). Estudo de caso na pró-reitoria de gestão de pessoas da Universidade Federal do Mato Grosso do Sul: análise através da matriz de risco. Revista de Gestão e Secretariado, 10(2), 140-170. https://www.revistagesec.org.br/secretariado/article/view/868
» https://www.revistagesec.org.br/secretariado/article/view/868

[3] Banco Central do Brasil. (2017). Gestão integrada de riscos no Banco Central do Brasil Departamento de Riscos Corporativos e Referências Operacionais do BCB. https://www.bcb.gov.br/htms/getriscos/Gestao-Integrada-de-Riscos.pdf
» https://www.bcb.gov.br/htms/getriscos/Gestao-Integrada-de-Riscos.pdf

[4] Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103
» https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103

[5] Brito, O. (2003). Controladoria de risco - Retorno em instituições financeiras Saraiva.

[6] Carvalho, F., Lima, L., Costa, F., & Santos Júnior, A. (2018). Educação superior pública no Rio Grande do Norte: expansão e interiorização. Revista Brasileira de Planejamento e Desenvolvimento, 7(2), 241-263. https://periodicos.utfpr.edu.br/rbpd/article/download/5724/5116
» https://periodicos.utfpr.edu.br/rbpd/article/download/5724/5116

[7] Christopher, J., & Sarens, G. (2015). Risk management: its adoption in Australian public universities within an environment of change management - A management perspective. Australian Accounting Review, 25(1), 2-12. https://onlinelibrary-wiley.ez16.periodicos.capes.gov.br/doi/full/10.1111/auar.12057
» https://onlinelibrary-wiley.ez16.periodicos.capes.gov.br/doi/full/10.1111/auar.12057

[8] Coetzee, P., & Lubbe, D. (2011). Internal audit and risk management in South Africa: adherence to guidance. Acta Academica, 43(4), 29-60. https://www.researchgate.net/publication/268814872_Internal_audit_and_risk_management_in_South_Africa_Adherence_to_guidance
» https://www.researchgate.net/publication/268814872_Internal_audit_and_risk_management_in_South_Africa_Adherence_to_guidance

[9] Committee of Sponsoring Organizations of the Treadway Commission. (2004). Enterprise Risk Management (ERM) - Integrated Framework https://www.coso.org/Pages/guidance.aspx
» https://www.coso.org/Pages/guidance.aspx

[10] Committee of Sponsoring Organizations of the Treadway Commission. (2007). Gerenciamento de riscos corporativos - Estrutura integrada https://www.coso.org/Documents/COSO-ERM-Executive-Summary-Portuguese.pdf
» https://www.coso.org/Documents/COSO-ERM-Executive-Summary-Portuguese.pdf

[11] Committee of Sponsoring Organizations of the Treadway Commission. (2017). Enterprise Risk Management Integrating with Strategy and Performance https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf
» https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf

[12] Cooper, T. (2012). Exploring strategic risk in communities: evidence from a Canadian province. Journal of Enterprising Communities: People and Places in the Global Economy, 6(4), 350-368. https://doi.org/10.1108/17506201211272788
» https://doi.org/10.1108/17506201211272788

[13] Domokos, L., Nyéki, M., Jakovác, K., Németh, E., & Hatvani, C. (2015). Risk analysis and risk management in the public sector and in public auditing. Public Finance Quarterly, 60(1), 7-28. https://ideas.repec.org/a/pfq/journl/v60y2015i1p7-28.html
» https://ideas.repec.org/a/pfq/journl/v60y2015i1p7-28.html

[14] Grateron, I. R. (1999). Auditoria de gestão: utilização de indicadores de gestão no setor público Fundação Instituto de Pesquisas Contábeis, Atuariais e Financeiras.

[15] Helsloot, I., & Jong, W. (2006). Risk management in higher education and research in the Netherlands. Journal of Contingencies and Crisis Management, 14(3), 142-159. https://doi.org/10.1111/j.1468-5973.2006.00490.x
» https://doi.org/10.1111/j.1468-5973.2006.00490.x

[16] Her Majesty's Treasury. (2004). The Orange Book management of risk - Principles and concepts Her Majesty's Stationery Office.

[17] Higher Education Funding Council for England. (2005). Risk management in higher education

[18] Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.

[19] Instituto Nacional de Estudos e Pesquisas Educacionais Anísio Teixeira. (2019). Censo da educação superior Ministério da Educação. http://portal.inep.gov.br/web/guest/educacao-superior
» http://portal.inep.gov.br/web/guest/educacao-superior

[20] International Organization for Standardization. (2018). ISO 31000 - Risk management system - Principles and guidelines

[21] Joint Normative Instruction n. 1, of May 10 of 2016 Establishes organizational and presentational norms for management reports and complementary items that will constitute the accounts processes of the federal public administration, for the judgement of the Federal Court of Auditors, in the terms of art. 7 of Act n. 8,443, of 1992. http://www.planalto.gov.br/ccivil_03/_ato2007-2010/2007/lei/l11638.htm
» http://www.planalto.gov.br/ccivil_03/_ato2007-2010/2007/lei/l11638.htm

[22] Matias-Pereira, A. (2009). Manual de gestão pública contemporânea (2a ed.). Atlas.

[23] McPhee, I. (2005). Risk and risk management in the public sector Public sector governance and risk forum Australian Institute of Company Directors/Institute of Internal Auditors Australia. https://www.anao.gov.au/sites/g/files/net616/f/McPhee_risk_and_risk_management_in_the_public_sector_2005.pdf
» https://www.anao.gov.au/sites/g/files/net616/f/McPhee_risk_and_risk_management_in_the_public_sector_2005.pdf

[24] Ministério da Fazenda. (2018). Manual de gestão de riscos do Ministério da Fazenda (3a ed.).

[25] Normative Decision n. 107, of October 27 of 2010 Discusses the jurisdictional units whose responsible parties should present a management report relating to the 2010 financial year, specifying the organization, form, contents, and presentation deadlines, in the terms of art. 3 of TCU Normative Instruction n. 63, of September 1^st of 2010. http://www.tcu.gov.br/Consultas/Juris/Docs/judoc/DN/20101029/DNT2010-107.doc
» http://www.tcu.gov.br/Consultas/Juris/Docs/judoc/DN/20101029/DNT2010-107.doc

[26] Ordinance n. 234, of March 15 of 2018 Discusses the Risk and Controls Management Policy of the MEC. http://www.in.gov.br/materia/-/asset_publisher/Kujrw0TZC2Mb/content/id/6848798/do1-2018-03-16-portaria-n-234-de-15-de-marco-de-2018-6848794
» http://www.in.gov.br/materia/-/asset_publisher/Kujrw0TZC2Mb/content/id/6848798/do1-2018-03-16-portaria-n-234-de-15-de-marco-de-2018-6848794

[27] Power, M., Scheytt, T., Soin, K., & Sahlin, K. (2009). Reputational risk as a logic of organizing in late modernity. Organization Studies, 30(2), 301-324. http://dx.doi.org/10.1177/0170840608101482
» http://dx.doi.org/10.1177/0170840608101482

[28] Qiao, Y. (2007). Public risk management: development and financing. Journal of Public Budgeting, Accounting, & Financial Management, 19(1), 33-55. https://doi.org/10.1108/JPBAFM-19-01-2007-B002
» https://doi.org/10.1108/JPBAFM-19-01-2007-B002

[29] Ramos, V., Lima, A., Silva, S., & Andrade, R. (2018). Uma proposta de utilização de gestão de risco para o planejamento acadêmico de uma universidade pública. In Anais do Simpósio Internacional de Gestão de Projetos, Inovação e Sustentabilidade (1-12).

[30] Ribeiro, R. (2014). Os desafios contemporâneos da gestão universitária: discursos politicamente construídos. In Anais do Congresso Ibero-Americano de Política e Administração da Educação (1-14). http://www.anpae.org.br/IBERO_AMERICANO_IV/GT2/GT2_Comunicacao/RaimundaMariadaCunhaRibeiro_GT2_integral.pdf
» http://www.anpae.org.br/IBERO_AMERICANO_IV/GT2/GT2_Comunicacao/RaimundaMariadaCunhaRibeiro_GT2_integral.pdf

[31] Sedrez, C., & Fernandes, F. (2011). Gestão de riscos nas universidades e centros universitários do estado de Santa Catarina. Gestão Universitária da América Latina, (número especial), 70-93. https://periodicos.ufsc.br/index.php/gual/article/view/1983-4535.2011v4nespp70
» https://periodicos.ufsc.br/index.php/gual/article/view/1983-4535.2011v4nespp70

[32] Sousa, M., Finati, C., Perez, M., & Duarte, K. (2018). Gestão de risco nas instituições universitárias: uma análise comparativa da metodologia da Controladoria Geral da União e do Ministério do Planejamento, Desenvolvimento e Gestão. Anais do Colóquio Internacional de Gestion Universitária (1-17). https://repositorio.ufsc.br/handle/123456789/190469
» https://repositorio.ufsc.br/handle/123456789/190469

[33] Souza, J., Arima, C., Oliveira, R., Akabane, G., & Galegale, N. (2016). Gestão de riscos de segurança da informação numa instituição pública federal: um estudo de caso. ENIAC projetos, 5(2), 240-256.

[34] Trivelato, B. F., Mendes, D. P., & Dias, M. A. (2018). A importância do gerenciamento de riscos nas organizações contemporâneas. Revista FATEC Zona Sul, 4(2), 1-20. https://www.revistarefas.com.br/index.php/RevFATECZS/article/view/147
» https://www.revistarefas.com.br/index.php/RevFATECZS/article/view/147

[35] Wang, H., Wang, J., Ren, C., & Zhang, S. (2018). Research on risk prevention and control of Sino-foreign cooperative universities - Based on ERM comprehensive risk management framework. Advances in Economics, Business and Management Research, 71, 301-306.

Author	Objective	Conclusions
Helsloot & Jong (2006Helsloot, I., & Jong, W. (2006). Risk management in higher education and research in the Netherlands. Journal of Contingencies and Crisis Management, 14(3), 142-159. https://doi.org/10.1111/j.1468-5973.2006.00490.x https://doi.org/10.1111/j.1468-5973.2006... )	To analyze the risk in higher education in the Netherlands, considering the risks inherent to universities, society, and education as an organization by means of field research.	The results (derived from questionnaires, meetings, and interviews) show that the higher education institutions do not yet have an integrated security, protection, and crisis management policy. Institutions, staff, and students have limited awareness of the range of risks to which they and their environment are exposed.
Power et al. (2009Power, M., Scheytt, T., Soin, K., & Sahlin, K. (2009). Reputational risk as a logic of organizing in late modernity. Organization Studies, 30(2), 301-324. http://dx.doi.org/10.1177/0170840608101482 http://dx.doi.org/10.1177/01708406081014... )	To increase the importance of reputational risk in the organizations.	In the context of universities, there are both specific transformations in organizational practices and a growing generalized concern about reputational risk.
Christopher & Sarens (2015Christopher, J., & Sarens, G. (2015). Risk management: its adoption in Australian public universities within an environment of change management - A management perspective. Australian Accounting Review, 25(1), 2-12. https://onlinelibrary-wiley.ez16.periodicos.capes.gov.br/doi/full/10.1111/auar.12057 https://onlinelibrary-wiley.ez16.periodi... )	To examine to what extent the main participants in Australian public universities have developed and implemented risk management in an environment of change management.	The discoveries show that wider influences - largely a result of conflicting management cultures - have had different impacts on the values of the main players and on the consequent adoption of the process.
Souza et al. (2016Souza, J., Arima, C., Oliveira, R., Akabane, G., & Galegale, N. (2016). Gestão de riscos de segurança da informação numa instituição pública federal: um estudo de caso. ENIAC projetos, 5(2), 240-256.)	To verify how information security risk management features in a federal public institution according to the perception of the information technology managers. The study was applied in the Federal Institute of Science and Technology of São Paulo.	The results found show the importance of the roles performed by the people, the responsibilities, the development of policies, norms, and procedures, and their implementation, seeking greater control over risks, as well as the various opportunities that involve information technology security.
Sousa et al. (2018Sousa, M., Finati, C., Perez, M., & Duarte, K. (2018). Gestão de risco nas instituições universitárias: uma análise comparativa da metodologia da Controladoria Geral da União e do Ministério do Planejamento, Desenvolvimento e Gestão. Anais do Colóquio Internacional de Gestion Universitária (1-17). https://repositorio.ufsc.br/handle/123456789/190469 https://repositorio.ufsc.br/handle/12345... )	To compare the risk management methodologies presented by the Comptroller General’s Office and by the Ministry of Planning, Development, and Science and to verify the possibility of adapting these to university management.	It is possible to apply the methodologies to the risk management of university institutions, but there is a need for adaptation, respecting the particularities of university management.
Ramos et al. (2018Ramos, V., Lima, A., Silva, S., & Andrade, R. (2018). Uma proposta de utilização de gestão de risco para o planejamento acadêmico de uma universidade pública. In Anais do Simpósio Internacional de Gestão de Projetos, Inovação e Sustentabilidade (1-12).)	To propose to investigate, identify, and analyze possible risks that can impact the academic planning of a public university, enabling a contingency plan to be created to mitigate and reduce the impacts on an academic semester.	Risks in university environments can cause various impacts on the academic semester; research applied using stakeholders could be an efficient mechanism for identifying and prioritizing these risks. Identifying the impact and probability of the risks could provide academic managers with a quicker response to the problems identified.
Wang et al. (2018Wang, H., Wang, J., Ren, C., & Zhang, S. (2018). Research on risk prevention and control of Sino-foreign cooperative universities - Based on ERM comprehensive risk management framework. Advances in Economics, Business and Management Research, 71, 301-306. )	To explore the possibility of applying the enterprise risk management structure in higher education in China based on that structure.	It is necessary to strengthen the self-regulation of the universities based on external supervision of the administrative departments of education and form a prevention and control mechanism that combines academics, governments, and social multi-subjects, as well as broadly identifying and analyzing various risks, so that the cooperative universities can effectively avoid or control all types of risks.
Anchundia et al. (2018Anchundia, P., Romero, X., & Perez, A. (2018). Risk management and process management in universities: Application in the University Laica Eloy Alfaro Manabí. In Annals of the 35 th International Academic Conference (121-138). https://ideas.repec.org/p/sek/iacpro/6408929.html https://ideas.repec.org/p/sek/iacpro/640... )	To develop tools for managing processes and risk management at the Eloy Alfaro Secular University of Manabi.	The application of a checklist enabled it to be confirmed that there are inadequacies and opportunities for improvement in the dimensions of direction, strategy, and design in preparing the university for risk management, the integrated management of risks, and implementation and control.
Assunção et al. (2019Assunção, A., Silva, M., Rosa, R., & Campeão, R. (2019). Estudo de caso na pró-reitoria de gestão de pessoas da Universidade Federal do Mato Grosso do Sul: análise através da matriz de risco. Revista de Gestão e Secretariado, 10(2), 140-170. https://www.revistagesec.org.br/secretariado/article/view/868 https://www.revistagesec.org.br/secretar... )	To demonstrate a method for identifying and evaluating risks by mapping processes, aiming to contribute to risk management in one department of the Federal University of Mato Grosso do Sul.	A risk matrix was developed with indicators that were able to reveal the level of risks that the unit is willing to bear and seek new ways of addressing them and mitigating them.

Groups of variables	References	Scale
Profile of the employees
Age	This study	Ordinal
Gender	This study	Nominal
Position (teacher/TAE)	This study	Nominal
Education	This study	Ordinal
Time of experience at the institution	This study	Ordinal
Time of experience in the role	This study	Ordinal
Have they already taken part in a specific risk management course?	This study	Binary
Challenges for the adoption of a risk management system in the universities
Ignoring relevant risks	Hill & Dinsdale (p. 47, 2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.), Braga (2017Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103 https://ojs.cgu.gov.br/index.php/Revista... )	Ordinal
Complex information	Hill & Dinsdale (p. 47, 2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.), Braga (2017Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103 https://ojs.cgu.gov.br/index.php/Revista... )	Ordinal
Lack of trust/understanding	Hill & Dinsdale (p. 47, 2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.), Braga (2017Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103 https://ojs.cgu.gov.br/index.php/Revista... )	Ordinal
Divergences regarding the risk	Hill & Dinsdale (p. 47, 2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.), Braga (2017Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103 https://ojs.cgu.gov.br/index.php/Revista... )	Ordinal
Inadequate institutional structure	Hill & Dinsdale (p. 47, 2003Hill, S., & Dinsdale, G. (2003). Uma base para o desenvolvimento de estratégias de aprendizagem para a gestão de riscos no serviço público. Tradução L. C. Vasconcelos. Escola Nacional de Administração Pública.), Braga (2017Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103 https://ojs.cgu.gov.br/index.php/Revista... )	Ordinal
Inefficient information system	Author	Ordinal
Renewing the RM cycle	Braga (2017Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103 https://ojs.cgu.gov.br/index.php/Revista... )	Ordinal
Process mapping	COSO (2007Committee of Sponsoring Organizations of the Treadway Commission. (2007). Gerenciamento de riscos corporativos - Estrutura integrada. https://www.coso.org/Documents/COSO-ERM-Executive-Summary-Portuguese.pdf https://www.coso.org/Documents/COSO-ERM-... ), Her Majesty's Treasury (2004Her Majesty's Treasury. (2004). The Orange Book management of risk - Principles and concepts. Her Majesty's Stationery Office.), ISO (2018International Organization for Standardization. (2018). ISO 31000 - Risk management system - Principles and guidelines. )	Ordinal
Lack of engagement	COSO (2007Committee of Sponsoring Organizations of the Treadway Commission. (2007). Gerenciamento de riscos corporativos - Estrutura integrada. https://www.coso.org/Documents/COSO-ERM-Executive-Summary-Portuguese.pdf https://www.coso.org/Documents/COSO-ERM-... ), Her Majesty's Treasury (2004Her Majesty's Treasury. (2004). The Orange Book management of risk - Principles and concepts. Her Majesty's Stationery Office.), ISO (2018International Organization for Standardization. (2018). ISO 31000 - Risk management system - Principles and guidelines. )	Ordinal
Lack of training	Braga (2017Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103 https://ojs.cgu.gov.br/index.php/Revista... )	Ordinal
Excess demands	Braga (2017Braga, M. (2017). Risco bottom up: uma reflexão sobre o desafio da implementação da gestão de riscos no setor público brasileiro. Revista da Controladoria Geral da União, 9(15), 682-699. https://ojs.cgu.gov.br/index.php/Revista_da_CGU/article/view/103 https://ojs.cgu.gov.br/index.php/Revista... )	Ordinal
Insufficient resources	COSO (2007Committee of Sponsoring Organizations of the Treadway Commission. (2007). Gerenciamento de riscos corporativos - Estrutura integrada. https://www.coso.org/Documents/COSO-ERM-Executive-Summary-Portuguese.pdf https://www.coso.org/Documents/COSO-ERM-... ), Joint Normative Instruction MP/CGU n. 1/2016Joint Normative Instruction n. 1, of May 10 of 2016. Establishes organizational and presentational norms for management reports and complementary items that will constitute the accounts processes of the federal public administration, for the judgement of the Federal Court of Auditors, in the terms of art. 7 of Act n. 8,443, of 1992. http://www.planalto.gov.br/ccivil_03/_ato2007-2010/2007/lei/l11638.htm http://www.planalto.gov.br/ccivil_03/_at... , ISO (2018International Organization for Standardization. (2018). ISO 31000 - Risk management system - Principles and guidelines. )	Ordinal

Age group (years)	Sex				Total
	Female		Male		Total
	n	%	n	%	n	%
20-30	4	9.3	3	7.0	7	16.3
31-40	6	14.0	16	37.2	22	51.2
41-50	4	9.3	6	14.0	10	23.3
51-60	0	0.0	2	4.7	2	4.7
Over 60	2	4.7	0	0.0	2	4.7
Total	16	37.2	27	62.8	43	100.0

Education	Position				Total
	Teacher		Administrative technician		Total
	n	%	n	%	n	%
Degree	0	0.0	3	7.0	3	7.0
Specialization	0	0.0	18	41.9	18	41.9
Master’s	0	0.0	12	27.9	12	27.9
PhD	7	16.3	3	7.0	10	23.3
Total	7	16.3	36	83.7	43	100.0

Time (years)	n	%
Up to 5	15	34.9
6-10	13	30.2
11-15	8	18.6
16-20	1	2.3
More than 20	6	14.0
Total	43	100.0

Perception regarding the challenges	Level of agreement n (%)
Perception regarding the challenges	Totally disagree	Partially disagree	Neither agree nor disagree	Partially agree	Totally agree
Ignoring relevant risks	2 (4.7)	12 (27.9)	8 (18.6)	19 (44.2)	2 (4.7)
Complex information	2 (4.7)	4 (9.3)	12 (27.9)	21 (48.8)	4 (9.3)
Lack of trust/understanding	5 (11.6)	3 (7.0)	9 (20.9)	23 (53.5)	3 (7.0)
Divergences regarding the risk	1 (2.3)	4 (9.3)	4 (9.3)	27 (62.8)	7 (16.3)
Inadequate institutional structure	2 (4.7)	4 (9.3)	10 (23.3)	17 (39.5)	10 (23.3)
Inefficient information system	4 (9.3)	6 (14.0)	12 (27.9)	12 (27.9)	9 (20.9)
Renewing the RM cycle	2 (4.7)	4 (9.3)	10 (23.3)	20 (46.5)	7 (16.3)
Process mapping	2 (4.7)	2 (4.7)	4 (9.3)	16 (37.2)	19 (44.2)
Lack of engagement	2 (4.7)	1 (2.3)	4 (9.3)	14 (32.6)	22 (51.2)
Lack of training	2 (4.7)	2 (4.7)	5 (11.6)	16 (37.2)	18 (41.9)
Excess demands	1 (2.3)	4 (9.3)	5 (11.6)	14 (32.6)	19 (44.2)
Insufficient resources	5 (11.6)	18 (41.9)	8 (18.6)	8 (18.6)	4 (9.3)

Perception regarding the challenges	Mean	Median	Mode	Standard deviation	Variance	Total
Ignoring relevant risks	3.16	3.00	4.00	1.04	1.09	136.00
Complex information	3.49	4.00	4.00	0.96	0.92	150.00
Lack of trust/understanding	3.37	4.00	4.00	1.11	1.24	145.00
Divergences regarding the risk	3.81	4.00	4.00	0.91	0.82	164.00
Inadequate institutional structure	3.67	4.00	4.00	1.08	1.18	158.00
Inefficient information system	3.37	3.00	3.00	1.23	1.52	145.00
Renewing the RM cycle	3.60	4.00	4.00	1.03	1.05	155.00
Process mapping	4.12	4.00	5.00	1.07	1.15	177.00
Lack of engagement	4.23	5.00	5.00	1.04	1.09	182.00
Lack of training	4.07	4.00	5.00	1.08	1.16	175.00
Excess demands	4.07	4.00	5.00	1.08	1.16	175.00
Insufficient resources	2.72	2.00	2.00	1.18	1.40	117.00