=Paper=
{{Paper
|id=Vol-1726/paper-04
|storemode=property
|title=Model of Risk-Oriented Management in Governmental Institutions: Process Approach
|pdfUrl=https://ceur-ws.org/Vol-1726/paper-04.pdf
|volume=Vol-1726
|authors=Nina P. Grishina
}}
==Model of Risk-Oriented Management in Governmental Institutions: Process Approach==
https://ceur-ws.org/Vol-1726/paper-04.pdf
Model of Risk-Oriented Management in
Governmental Institutions: Process Approach
Nina P. Grishina
Saratov State University, Saratov, Russia
Abstract. The model of risk-based management in public authorities
is presented in the paper. The essence of process approach is defined
and implemented in modeling in order to reflect modern requirements of
quality management in the organizations. The principles of risk-oriented
management are formulated in the paper to identify the strategy of pro-
cess approach to the management in the public authority institutions.
Finally, the detailed model of risk-oriented management of governmental
bodies is described in the present paper.
Keywords: risk management, business engineering, process approach,
risk management system, business processes modeling, Enterprise Risk
Management (ERM)
1 Introduction
The activity of any organization is exposed to multiple risk factors due to the
high level of uncertainty of the external environment. Some risk factors or condi-
tions can trigger the implementation of specific risk on their own, others – only
in combination with other risk factors.
The concept of Risk Management (RM) is not new. On the one hand, RM
is well known approach to improve effectiveness of enterprise – Enterprise Risk
Management (ERM). On the other hand, it mainly used in financial sector of
economy in the form of restrictions or on the dangerous production in the form
of technology of production.
At the same time all potential of the risk management is not fully demanded
yet. For example, in public sector there are lots of opportunities to apply RM for.
Taking into account the specific features of this area we would like to propose
its adjusted shape – risk-oriented management. In this case risk management is
implemented in the standard organizational form of management where typical
procedures are added with risk-based approach.
2 Governmental Institutions
Risk factors influence effectiveness of the organization’s processes functioning
and achievement of objectives. The system of the organization’s processes always
has the goal that is fulfillment of tasks. This should provide reaching the key
�goal of any organization, in the case of public authorities the goal is to satisfy
particular public demand and to provide public service.
It is possible to identify the main processes of public administration in the
modeling of which it is advisable to apply business engineering:
– public policy;
– adopting regulatory legal acts;
– development of target-oriented program;
– implementation of the control and supervision over the implementation of
the established normative legal acts of the mandatory rules of conduct;
– purchases for state needs;
– issuing of permits (licenses) for carrying out certain activities to legal entities
and individuals;
– permitting registration of acts, documents, rights, objects;
– price and tariff setting;
– granting documents for citizens and legal entities;
– granting of rights of use of natural resources and so on.
The technology of business engineering is integrated environment for all sub-
systems of management not only in business but also in public administration.
The task for Russian managers here is not only reproduce old European and
American technologies of management but implement technologies of the future
in their practice. First of all we are talking about management of electronic re-
stricting of processes which taking place in the organizations [11]. This should
become a mass specialty.
The models of government agencies in the form of companies, which pro-
vide public services supported by appropriate tools should become a part of
information system of “electronic government”. This model then provides the
opportunity to observe accurate and complete picture of organization of any ac-
tivity for its managers and citizens-clients. The opportunity to have integrated
knowledge about all system of processes and its goals and strategies is reaching
by special ways of information organization and special software.
3 Process Approach
Despite the variety of approaches and tools the concept of process approach is
vague currently in Russia. This is due to several reasons. The first reason is
the fact that present culture of quality management, which is based on process
approach, is only beginning to develop in our country.
The second one – the activity of consulting companies, which promote the
process approach, interpret it in their own way and confuses the understanding
of this approach for managers. The main goal for these companies is subsequent
sale of expensive software of business processes modeling and automatization
(for example, BPMS, ERP).
The third reason is lack of training for top-level managers in the field of
quality management systems and process management [8]. So, what is process
�approach? According to ISO 9000:2005 the process is set of interrelated or inter-
acting activities, which transforms inputs and outputs. This means that process
is any activities, which use definite resources (staff, information, materials, in-
frastructure, technologies) and which serve for getting definite outputs [2]. This
definition of process is very wide but at the same time is sufficient for the pur-
poses of this paper.
4 Risk-Oriented Management
Analyzing the risk factors in relation to the processes, in which they originate,
and/or that they might affect, risk manager may develop the system of risk
management and thus reduce the probability of the risk and reduce the damage
caused by the residual risk. The essence of risk-oriented approach to management
in public authority institutions is to understand what in the first place prevents
the organization to achieve strategic goals, and to find the best way to mitigate
negative effects.
In order to effective risk management the organization at all levels must sat-
isfy the following principles, according to Standard GOST R ISO 31000-2010 [1]:
1. The risk management creates and protects value. The risk management is
clearly contributing to the fulfillment of the objectives and performance im-
provements, for example, to ensure public health and safety, protection, com-
pliance with legal and regulatory requirements, public acceptance, environ-
mental protection, project management, performance features, management
and reputation;
2. The risk management is the part of all organizational processes. The risk
management is not isolate activity, which separates from the main activity
and processes in the organization. The risk management is the part of obli-
gations of management and an integral part of all organizational processes,
including strategic planning and all processes of project and measurement
management;
3. The risk management is the part of decision-making processes. The risk man-
agement helps decision-makers to make informed choices, prioritize actions
and distinguish among alternative ways of action;
4. The risk management is explicitly associated with uncertainty. The risk man-
agement explicitly takes into account the uncertainty, the character of un-
certainties and the way how to deal with it;
5. The risk management is systematic, structured and timely process. A sys-
tematic, regular and structured approach to risk management contributes to
the efficiency and sustainability of comparable and reliable results;
6. The risk management is based on the best available information. The input
data for the process of risk management based on such sources of informa-
tion as historical data, experience, feedback from stakeholders, observation,
forecasts and expert assessments. However, decision-makers must be aware
of and take into account any limitations of the data or used modeling or the
possibility of differences of opinion among the experts;
� 7. The risk management is adaptable. Risk management should comply with
internal and external situation (context) and risk profile;
8. The risk management takes into account the human and cultural factors.
The risk management recognizes the capabilities, perceptions and intentions
of people outside and within the organization that may contribute to or
impede the achievement of the organization’s objectives;
9. The risk management is transparent and takes into account the interests of
stakeholders. Appropriate and timely involvement of stakeholders and, in
particular, decision-makers at all levels of the organization ensure that risk
management is at the appropriate level and meet modern requirements. This
allows interested parties to be properly represented and to be sure that their
opinions are taken into account in the process of establishing risk criteria;
10. The risk management is dynamic, iterative and responsive to changes. The
risk management is continuously detects changes and react to them. As soon
as the external or internal event is taking place, context or knowledge are
changing, the monitoring and reviewing of risks are held, new risks are emerg-
ing, some risks are changing, other ones are disappearing;
11. The risk management facilitates continual improvement of the organization.
The organization should develop and implement strategies for improving the
perfection of risk management in conjunction with its other aspects.
The risk-oriented approach is based on the system of risk management, which
consists of five steps:
1. Identification of risks;
2. Analysis and evaluation of risks;
3. Management of risks;
4. Monitoring of risks;
5. Culture of risk management in the organization.
Taking into account the main steps of the system of risk management the basic
parts of risk-oriented management can be formulated as:
1. Identification and approval of the key risks list of the public authorities and
their owners;
2. Development of measures for management of key risks of the public authori-
ties together with the risk owners and their inclusion in the plan and budget
of the organization;
3. Actualization of the identified risks and the risk management activities of
the governmental institution on an annual basis;
4. Appointment of coordinators of risk management system;
5. Organization of training of risk management for stuff;
6. Approval of the Risk Management Policy.
According to the Eduard Pfister the evaluation of risks on the basis of the prob-
ability of their occurrence and the extent of any resulting damage together with
the subsequent derivation of suitable measures forms is the starting point for
operative risk and opportunity management [7]. He suggested the four steps to
a risk-oriented management approach, which includes:
� 1. Preparation, design, strategy;
2. Establishment;
3. Implementation;
4. Operation.
Compliance with the rules described above will create the risk-based man-
agement model, which bears the preventive character and which uses proactive
monitoring tools and risk assessment, in the public authority institutions.
In order to be effective a risk-oriented thinking is implemented in this model
throughout the organization that is the identification of possible risks and min-
imization their negative impact [2].
The concept of risk-based thinking previously expressed through require-
ments for planning, analysis and improvement. The understanding of its envi-
ronment and identification of risks as the basis of the planning are required from
the organization nowadays. This reflects the application of risk-based thinking
in planning and implementation of the quality management system processes
and will assist in determining the scope of documented information [2].
One of the key objectives of the quality management system is that it acts
as a prevention tool. The concept of preventive action is expressed through the
use of risk-based thinking.
Not all of the quality management system processes have the same level of
risk in relation to the organization’s ability to achieve its objectives, and the
impact of uncertainty is not the same for organizations. In accordance with the
requirements of ISO 9001 the organization is responsible for the use of risk-based
thinking and the action in relation to risk, including the feasibility of registering
and maintaining a documented information as evidence of the identification of
organization’s risks [3].
In order to formalize and control the effectiveness of risk management system
the following forms of documentation of processes and results of risk management
might be used:
1. Risk Register;
2. Risk Map;
3. Report of Risk Management;
4. Risk Management Policy.
The following principles should be taken into account when implementing a risk-
based approach in the public authorities:
– setting strategic objectives for the risk management (instead of simple pro-
cess management);
– reliance on sufficient data for management decision-making and better risk
management. This involves the use of not only its own resources, which
certainly are basic, but significant amount of external sources;
– centralization of data as part of the centralized risk management – a com-
pulsory condition for achieving results;
� – integrated use of various control tools for assessing progress in reaching the
goals of organization: starting from the mechanisms of self-assessment of
their risks and the results to external audit by the stakeholders;
– “mirror” system of evaluation of the goal fulfillment, which involves the avail-
ability of the results for both the public and the departments of the executive
bodies;
– relevance of performance indicators of the goal fulfillment, which is achieved
through a balance of quantitative and qualitative indicators.
The activity of the public authority requires operational control and compar-
ison of plans with actual results [5]. In order to effective operational management
of organizational activity the following steps are recommended to take:
1. The documents establishing the strategy and policy of the organization in the
field of internal control of reaching the goals should be periodically approved
and reviewed by management.
2. Approved strategy and policy should be implemented in practice by man-
agement on the basis of risk assessment.
3. The necessary infrastructure, which ensures the effectiveness of internal con-
trol processes, should be created.
4. The effective and safe channels of reporting of information should be created.
5. The systematic monitoring and evaluation of the effectiveness of the internal
control system of the organizational processes should be conducted.
5 The Model
Finalizing process approach to the risk-oriented management in the public au-
thorities the following graphic model is presented in Figure 1.
As can be seen the input ‘Public Demand’ is transforming to output ‘Sat-
isfied Public Demand’ by operational interaction between Key, Managing and
Supporting processes. At the same time the risk-based management is imple-
mented in the model by three components: Risk Management Infrastructure,
Risk Management Process and Risk Management Culture. Risk Management
Process itself is the risk management system with four first steps. The fifth step
is separate and presented in more details as isolated component. As reflected in
Figure 2 all three parts of risk-oriented management approach are influencing
Key processes of public authority institution, which has main goal to provide
public service by several functions. This graphic version of present model is
one of possible representations of becoming more and more popular nowadays
risk-oriented approach to management in the organizations. The new detailed
models are coming in the future. The more uncertain future becomes the more
risk-based approach in business and public authorities is demanded.
The paper [6] presents a data-centred conceptual reference model for a strate-
gic integrated governance, risk and compliance management. Following the ideas
of papers [4, 6, 10] we develop a new model of the risk-oriented management in
the public authorities using the well-known ARIS methodology [9].
�Fig. 1. The model of process approach to the risk-oriented management in the public
authorities.
6 Conclusion
As the external environment and challenges in modern world continue to grow,
the models of management, especially in federal sector, are needed to be changed.
This will require a government structure that responds quickly to fast changing
events, is transparent and accountable. It will also require agency leadership to
take a long-term view regarding their strategic objectives and the threats and
opportunities that await them in the future. The recent failures of the finan-
cial markets are an indication that effective risk management is not dependent
upon a workforce responsible for carrying out risk-oriented tasks, but must be
recognized and mitigated within an organization processes and systems as well.
Risk-oriented management has been recognized as the bridge to make this con-
nection.
The effort to integrate risk management throughout the organization and
tying risk processes together through RM will separate adaptable and respon-
sive organizations from stagnate ones. Many agencies have succeeded in meeting
compliance requirements through the completion of risk assessments within in-
dividual silos, or at assessing a specific risk area that crosses multiple functions
(i. e. IT across an agency), but few have accomplished the integration of a risk
management system throughout the organization and its management. Neverthe-
less, as risk-oriented approach in management continues to evolve in the federal
sector, agencies and their various stakeholders will benefit as a whole over time.
�References
1. ISO 31000-2010 Risk management. Principles and guidelines, url: http://www.
novsu.ru/file/1156050
2. ISO 9001-2008 Quality management system, url: http://www.iso.org/iso/ru/
04_concept_and_use_of_the_process_approach_for_management_systems.pdf
3. ISO 9001-2015 Quality management system, url: http://mskstandart.ru/
upload/medialibrary/gost-iso/gost-r-iso-9001-2015.pdf
4. Caspar, J., Valentin, C.D., Maier, S., Mayer, D., Pussep, A., Schief, M.: Vom
geschäftsmodell zum geschäftsprozess und zurück. HMD Praxis der Wirtschaftsin-
formatik 50(4), 13–22 (2013)
5. Mohapatra, S.: Business Process Reengineering: Automation Decision Points in
Process Reengineering. Verlag – Springer US, Berlin (2013)
6. Nissen, V., Marekfia, W.: The development of a data-centred conceptual reference
model for strategic grc-management. Journal of Service Science and Management
7(2), 63–76 (2014)
7. Pfister, E.: A risk-based approach to management (2016), url: http://www.parm.
com/data/docs/download/1696/en/Risk-based-management-approach.pdf
8. Repin, V., Eliferov, V.: Process Approach to the Management. Modeling of
Business-Processes. Mann, Ivanov and Ferber, Moscow (2013)
9. Scheer, A.W.: ARIS – Vom Geschaftsprozess zum Anwendungssystem. Springer,
Berlin (2002)
10. Thomas, O., Scheer, A.W.: Verfahren und Werkzeuge zur Informationsmodel-
lierung, pp. 1–30. Springer Berlin Heidelberg, Berlin, Heidelberg (2016)
11. Wicks, A.M., Roethlein, C.J.: A satisfaction-based definition of quality. Journal of
Business and Economic Studies 15(1), 82–97 (2009)
�