Chapter 14

A Maturity Evaluation of Governance, Risk Management and Compliance (GRC)


within the Maltese public sector1,2,3
Clint Zammit, Simon Grima and Y. Murat Kizilkaya
ABSTRACT
The Public Sector is usually assumed to have a risk-avoidance culture, with a reactive
rather than proactive approach towards management. However, an improved holistic
approach seems to be required, especially when considering the complexity and size of the
Public Sector and the challenges it faces in connecting services, clients and the different
levels of governance.
Within this chapter we lay out a maturity-level evaluation of Governance, Risk
Management and Compliance (GRC) within the Maltese Public Sector. Through documentary
analysis of the available literature on the subject, we determine the principal themes required
to develop an effective GRC practice across the Public Sector. We then design statements
based on the identified GRC themes and administer them, using an online survey tool, to Public
employees across different Ministries, Departments, Agencies and Entities, in order to obtain
their perception. This was done in order to determine gaps, weaknesses or limiting factors towards the
implementation of an effective GRC.
The results show that, although there is a substantial percentage of scepticism and
a few disagreements towards some of the statements, especially those related to Risk
Management (RM) and Internal Auditing (IA), the majority of Public Sector bodies do in fact
show high standards of GRC practice integrated and present in their day-to-day operations
and internal environment, indicating that there is a well-developed Governance, Compliance
and Control structure and Internal Audit function across the Sector.
However, the perception of participants is that the RM function is the least developed
area and that IA needs some improvement, especially where trust in its advice is involved.

Keywords: Public Sector; GRC; Governance; Risk Management; Compliance; Internal Control;
Internal Auditing; Efficiency and Effectiveness.
JEL Codes: D81, G32, H83, M42

1. Introduction
The National Audit Office (NAO, 2014) states that the Public Sector is continually
faced with challenges and opportunities due to shifting developments and trends in
modern society. Such challenges arise from the internal and external factors of a dynamic
world and affect the achievement of the Public Sector’s objectives and set targets, including: value
for money; a customer-care culture; increased decentralisation and flattened hierarchical
systems; and increased diversity and demands for work-life balance and quality of work.
Academics have for many years published various policies and studies about
governance to help face these challenges, underlining the need to transform “the old
paradigm of an internal control focus to a business risk focus; from a reactive, after the fact
response to a real-time, monitoring response; from observers to participants in strategic plans
initiatives” (McNamee & Selim, 1998). The main challenge is to connect the dots between the
content of the business portfolio, the outside world as the object, and Governance.
1 This chapter was edited by Engin Boztepe.
2 This chapter is based on the unpublished MBA thesis by Zammit, C. (2019). Governance, Risk and Compliance: A Case Study within the Maltese Public Sector. Faculty of Economics, Management and Accountancy, University of Malta, supervised by Dr. Simon Grima.
3 The research work disclosed in this chapter is partially funded by the Endeavour Scholarship Scheme (Malta). Scholarships are part-financed by the European Union – European Social Funds (ESF) – Operational Programme II – Cohesion Policy 2014-2020 “Investing in human capital to create more opportunities and promote the well-being of society”.

Every sector experiences risk, particularly those operating with many employees, such
as the Public Sector. Risk Management (RM) in the Public Sector is more complex, with a greater
societal impact arising from the extensive variety of involved interests and stakeholders.
McConnell and Drennan (2007) mention that public risk can have an impact on public
values. Public RM is about Public Value Management, where Public leaders reach for public
values in the way archers reach for their target.
Public leaders are continuously under scrutiny and held responsible for the efficient use of
public funds, and thus should encourage a culture where acting in the best interest of the
citizen is the routine, not the exception to the rule. A Public Governance approach is crucial
to enable Public leaders, as the main actors, to deliver the electorally promised values related to
the Public domain (Kruf et al., 2019).
An effective and functioning governance system encourages the efficient use of
resources, strengthens accountability, and subjects performance to robust scrutiny, applying
the pressures needed for improved decision making, enhanced Public Sector
performance and minimised corruption. Public Governance takes place in directing Public
values and objectives. Such an effective Governance approach will ultimately improve
management, service delivery and overall outcomes, improving people’s
lives (Baldacchino et al., 2020a).
One of the principal challenges is to educate Public leaders and obtain their full
support. Established risk owners need to communicate the message and sustain effective
relationship management. The Public Sector, in its wide range of functions, must satisfy a
composite range of political, social, economic and environmental objectives, subjecting it to
various internal and external constraints that may impact its Governance structures. Well-informed
management will allow the Public Sector to recognise the political, social, economic,
environmental and strategic risks affecting these objectives.
The Public Administration is usually linked with a risk-avoidance culture, taking a reactive
approach and employing bureaucratic processes to meet stakeholder and regulatory obligations.
This leads to adverse effects on the Public Sector’s reputation. Although significant
improvements have been made worldwide, GRC structures are still considered to be in their
infancy, with some limiting factors hindering the accomplishment of a holistic approach
towards GRC (Baldacchino, 2020b).
A proactive, more risk-based approach is needed, leveraging unity across
regulations and stakeholder interests to promote constant improvement. In past years,
the Public Risk Management Organisation (PRIMO)4 has experienced risks not only to public values
but also risks arising from the high fragmentation present in governance principles and from
the high diversity of roles, stakeholders, perspectives, processes and interests. This scenario
leaves services, citizens and governance poorly connected, falling short of good
governance. The challenge is to connect the services being offered, the clients and the
different levels of governance (Kruf et al., 2019; Dali et al., 2019).

2. Aim and Objectives


Our main aim is to lay out the characteristics of the Maltese Public Sector with respect to
implementing a robust Governance, Risk and Compliance (GRC) culture, and the associated
assumptions and perceptions of Public employees (in both managerial and administrative
positions) on the management practices therein. In doing this we also aim to determine the
main drivers and barriers towards the implementation of an effective GRC framework and to
obtain a better understanding of the role of the Public Leader as the actor, value in the
services being offered, and the Public domain as the object.

4 A European organisation established with the aim of advancing the knowledge and use of risk management within the local governmental sector, as well as the public sector at large, in Europe. https://www.primo-europe.eu/

Moreover, we will also lay out our understanding and recommendations of how to
develop and strengthen a GRC maturity culture and good governance principles.

3. Research Questions

• RQ1: What is the maturity level of GRC in the Maltese Public Sector as perceived by Public
Employees?
• RQ2: How does this perception change with different demographics? (Specifically: (1)
Age, (2) Gender, (3) Qualification (Education Level), (4) Grade/Scale in the Public
Service, (5) Years of Employment in the Public Service, (6) Place of work and
(7) the department’s and section’s objective.)
• RQ3: What are the gaps and limiting factors (if any) faced by management in adopting a
robust GRC culture throughout the Public Sector?

4. The Importance of the study and Malta as the case


Good governance practices can be maximised by starting with the needs of the object
(the Public domain) and not those of the actor (the leader). If safety (the value) is delivered by the Public
leaders to the Public domain, then unsafety is the deviation from safety: safety
acts as the value, whereas unsafety acts as the risk, which might harm society through
imbalance and could affect the Government’s credibility. When based on
holistic principles, a proper connection needs to be established between the actor, the value and the
object.
Recommendations on how to improve the way the Public Sector connects its
services, citizens and governance, and ultimately better manages current risks, are needed to
improve stakeholder confidence in and perception of the services being offered. A successful
implementation of GRC principles will have a positive impact on the overall efficiency and
effectiveness of the Public Sector’s performance and operations.
Also, over the years, many leading and well-known researchers, such as King (1993),
Briguglio (1995), Baldacchino (2006), Bezzina et al. (2014) and Xuereb et al. (2019), have made
use of small island states such as Malta in order to understand the complex financial
environments, dynamics, politics, policies and regulations of larger countries (Xuereb et al.,
2019). Therefore, the unique position of Malta as a strong European Union small island state
with a robust economy makes it ideal for use in this study as a small-scale laboratory model and
experiment (Xuereb et al., 2019).

5. The Malta Public Administration


The Malta Public Administration’s vision is described by the Public Service
Management Code (PSMC) as follows: “The Public Service aims to give a service of excellence to all its
clients, both external as well as internal ones, characterised by professionalism, quality and
courtesy” (PSMC, 2016). Part I, Article 2 of the Public Administration Act (PAA), Chapter 497 of
the Laws of Malta, established in 2009, defines the Public Administration as: “the
Government of Malta including its ministries and departments, and the agencies, government
entities, commissions and boards” referred to in the Act.
The Public Service, consisting of Ministries and Government Departments, is part of
the wider Public Sector, which also includes all agencies, authorities and companies in which
the Government is a major shareholder. The Constitution of Malta (1964, Chapter XI, Para 124
(1)) refers to the term Public Service as “the service of the Government of Malta in a civil
capacity”, and refers to the term Public officer as “the holder of any public office or of a person
appointed to act in any such office”, wherein such office is referred to as “an office of
emolument in the Public Service”.
Moreover, the term Public employee is defined in the PAA (2009, Part I, Article 2)
as one that “includes public officers and employees of government agencies and government entities”.

Article 3 of the PAA states that Government Departments, agencies and entities are bodies
managing public resources that provide services to the public on behalf of the State; they shall
be governed by the PAA provisions, values and the Code of Ethics, and be subject to Ministerial
direction under the Constitution of Malta and the PAA, to which they shall be accountable.
First and foremost, it is the responsibility of all public employees to serve the public in
the best way. The public has the right to expect the highest integrity and competence, and fair,
efficient and reasonable service. As emphasised in the PAA (2009, Part I, Article 4), a public
employee forming part of any department, agency or government entity shall be governed
by values inherent in their duties, including: delivering service to the general public and the business
community in an impartial and courteous way in the least time possible; being efficient and effective
in the implementation of the policies of the Government of the day; and, through their own
conduct, making their workplace one which recognises talent, cultivates skills and abilities,
rewards performance and avoids discrimination.
Additionally, a public employee shall be competent in his/her sector and be
able to provide knowledgeable and objective advice when asked to. A public employee is
bound by the Code of Ethics and is obliged to report to his/her superiors any wrongdoing,
corruption or bad governance. All Government Departments fall under the responsibility of a
Minister, appointed by the Prime Minister of Malta, who directs and controls the organisations within
his/her remit. A Ministry is made up of the Minister’s Private Secretariat; the Parliamentary
Secretariats that may be appointed to assist the Minister; the office of the Permanent
Secretary, which acts as the non-political administrative arm of the Ministry; and the various
departments, Government entities and agencies falling within the Minister’s portfolio.
The Principal Permanent Secretary (PPS) is the leader of the civil service, upholds and
promotes public administration values and the Code of Ethics, and is accountable to the Prime
Minister on all matters relating to the Public Service and the wider Public Sector. The PPS is
empowered to issue directives and guidelines on any matter relating to the management of
the Public Service and provides leadership and direction to the Permanent Secretaries (PS’s),
including setting performance targets and monitoring their performance.
The PS’s, for their part, as leaders of their respective Ministries, must ensure that their
Ministry and line departments are working towards the fulfilment of government policy
objectives; that they are operating efficiently and effectively and delivering satisfactory services; and
that they are managed in accordance with applicable directives and policies and according to the law.
Headship positions reporting to their respective PS’s consist mainly of the Director
General (DG), who heads a large department or a division in a ministry, and the Director,
who heads a small department or a directorate in a ministry. DG’s and Directors are
responsible for encouraging and upholding the Public Administration values, the Code of Ethics
and the relevant directives governing staff conduct, management and the use of resources.
The office of the Permanent Secretary is made up of the Corporate Services
Directorate. This Directorate provides support services to the departments and sections falling
within the remit of the Ministry, mostly in the areas of accounting and finance, procurement,
human resources (HR), asset management, registry services, parliamentary questions (PQ’s)
and customer care.
In order to ensure that the Public Administration is governed corporately, public
employees at all levels need to establish equitable provision of services and ensure that their
behaviour is appropriate so as to reduce corruption (The Institution of Global Auditors, 2012). The
roles and responsibilities of Public Sector employees set out in the First Schedule of Chapter 497,
the PAA, entail assuring that the Public Sector is being governed corporately.

6. Governance Risk and Compliance (GRC)


The Open Compliance and Ethics Group’s (OCEG) notion is that of integrating
Governance, RM, internal control, assurance and compliance into one main function, i.e. the
GRC capability model (Mitchell and Stern Switzer, 2013). GRC integrates capabilities in order to
allow an organisation to realise its objectives while addressing uncertainty and acting with
integrity (OCEG, 2018).
Racz (2010) claimed that “GRC reflects an integrated approach on the issues of
governance, risk and compliance ensuring that an organisation acts in accordance with its self-imposed
rules, its risk appetite and external regulations”. This suggests horizontal and vertical
integration and the use of collaboration across processes and strategy. It can be realised by
concentrating on the leadership role that management must assume, which influences the way
it implements its responsibilities.
GRC needs to integrate different disciplines and philosophies to achieve
Principled Performance: setting, evaluating and ensuring the achievement of objectives with
responsibility and integrity, and managing the effects of uncertainty on those objectives.
People in Governance; Strategy and Performance Management; the Risk discipline; the Audit
discipline; Compliance; and those responsible for ethics are all crucial to realising an effective
GRC function.
PricewaterhouseCoopers (PwC), in its 2004 annual global survey, was one of the
initiators in opening discussions regarding the idea of an integrated, holistic approach towards
GRC. PwC regarded GRC as a value-adding principle, essential to competitiveness. Similarly,
OCEG’s 2008 survey results showed that respondents with integrated GRC reported
more effective performance capabilities and an improved level of maturity in their Enterprise
Risk Management (ERM) capabilities.
Consistent with PwC’s and OCEG’s respective surveys, Grant Thornton International
(2009) recommended that the integration of GRC can help organisations efficiently and
effectively develop their drive for performance. GRC can be considered the mature,
revolutionary way to approach an integrated set of GRC activities, wherein such activities
continually support and improve each other to help enhance the reliability of achieving an
organisation’s objectives. It goes beyond obstacles and seeks opportunities (Mitchell, 2017).

6.1 The GRC Capability Model and Principled Performance


OCEG (2012) defines the three pillars of Principled Performance as the principled
purpose, i.e. vision, mission and values; principled people, i.e. strong-minded people who work
hard towards the principled purpose; and the principled pathway, to break down silos and control
capabilities in governance, RM, compliance management, performance management, strategic
management and audit management. OCEG, in its GRC capability model (2012), the OCEG Red
Book, refers to a variety of outcomes and benefits of Principled Performance which every
Private or Public Sector organisation should pursue.
These include the achievement of objectives and collaboration towards
organisational goals; the enhancement of organisational culture in order to promote integrity,
trust, accountability and performance; preparation to address risks in order to be equipped for
negative surprises such as non-compliance and unethical behaviour; the establishment of the
necessary controls and actions against the impact of negative outcomes; the provision of
incentives to motivate and inspire desired conduct; the establishment of capabilities to
improve responsiveness, efficiency and quality whilst improving effectiveness in meeting
objectives; and the optimisation of economic and social value in the allocation of human and
financial resources. When all these Principled Performance characteristics are pursued,
stakeholder confidence and trust in the Public Sector increase as a consequence.

7. Governance
The World Bank (1992) refers to the term Governance as the “traditions and institutions by
which authority in a country is exercised”, whilst the Overseas Development Institute, London,
through Court, Hyden and Mease (2004), refers to the term as “the formation and stewardship
of the formal and informal rules that regulate the public realm, the arena in which state as well
as economic and societal actors interact to make decisions”. It is, simply, “the culture, values,
mission, structure, and layers of policies, processes and measures by which organisations are
directed and controlled” (OCEG, 2004).
The Institute of Internal Auditors (IIA) refers to Governance as a combination of structures
and processes implemented by the board to inform, direct, manage and monitor an organisation’s
activities towards the attainment of its objectives (IIA, 2010). Governance specifies who is
responsible for what; assigns responsibility to people and management; stipulates the
distribution of rights; and assures that everything moves in line with the risk appetite, i.e. the
amount of risk an organisation is prepared to accept, and the risk tolerance, i.e. what is acceptable
after the appropriate controls to mitigate risks have been put in place.
OCEG (2004) states that those in charge of Governance must provide “arm’s length
direction and control” through the governing authority and direct control and operation
through management, keep the organisation on track within established boundaries, and
manage performance against a plan while keeping all governing bodies informed.
Public Governance can be associated with the way the state plays its role in social,
political and economic development. Managing public affairs incorporates aspects that relate
to the Public Administration, Public Management and Public Governance concepts (United Nations
World Public Sector Report, 2015). It is about setting direction, instilling ethics, overseeing
results, reporting on accountability, and correcting the course of action. Governance is an
organisational culture in which boards, directors and executives are committed to corporate
governance, with a high level of integrity, a ‘tone at the top’ approach, and principles of
transparency, ethics and morals.

7.1 Corporate Governance


While the notion of governance is very old, the phrase corporate governance did not
come into use until the 1980s, after which it was rapidly adopted worldwide. In fact, in the 21st
century the focus has shifted from management to corporate governance. Today,
corporate governance codes and laws have been introduced in almost all economies (Tricker,
2012).
The Organisation for Economic Cooperation and Development (OECD) defined
Corporate Governance as “the full set of relationships among a company’s management, its
Board, its shareholders and other stakeholders” (OECD, 2004). It offers the structure through
which the objectives of an organisation are set and achieved and a way of monitoring
performance. OECD also mentions the attainment of accountability, openness and integrity
through Corporate Governance.
The OECD’s definition is consistent with that of the Cadbury Report. This report refers to
directing and controlling an organisation, where the board of directors’ governance
responsibilities include setting the organisation’s strategic targets; providing
the necessary leadership to put those targets into effect; supervising the management of
the business; and reporting to shareholders on their stewardship (Cadbury Report, 1992).
Such definitions identify openness, accountability and integrity as the pillars of good
corporate governance, which can be applied to both the private and the public sector. The
Cadbury Report (1992) also adds that political, economic and social objectives need to be
made subject to accountability towards the public and the private sector. The OECD’s Steering
Group (2004) linked Corporate Governance with best practices for RM, i.e. setting up an RM
function that reports directly to the board, analysing the effectiveness of risk assessments,
monitoring the management processes and disclosing the results.

7.2 Good Governance


The European Commission, in a white paper on European Governance, defines
governance as the “rules, processes and behaviour that affect the way in which powers are
exercised at European level” (The European Commission, 2001). In this white paper, the
Commission underlined the need to reform European Governance to bring the citizens of the
member states (the object) closer to its institutions (the actors), and highlighted five
main principles of good governance to be applied in all democratic Governments.
These principles consist mainly of: openness, in terms of enhancing transparency in
daily operations towards the general public and the member states; participation, in terms
of inclusiveness at all stages of European policy decision-making; accountability, where every
‘actor’ needs to provide a clear explanation and assume his role in the policy decision-making
process; effectiveness, in terms of policies that deliver what is required; and coherence.
The United Nations Economic and Social Commission for Asia and the Pacific
(UNESCAP) standards are consistent with the above analysis and indicate several fundamental
characteristics of good governance. These include: being participative, informed and
organised; reaching a broad consensus on what is in the best interest of the whole community,
i.e. being consensus oriented; acting with a long-term perspective and understanding what is needed
for sustainable human development; being accountable to the public, stakeholders and
those who will be affected by decisions; being transparent in decisions; being responsive in
serving stakeholders within a reasonable timeframe; being effective and efficient in producing
results that meet society’s needs while making the best use of resources; being equitable and
inclusive in providing opportunities to improve or maintain well-being; and following the rule
of law (UNESCAP, 2009).
Many citizens consider good governance realisable solely by having laws, rules,
systems and structures. These alone do not guarantee good governance. Good leadership is
the major factor if one needs to achieve good governance (Okoth Okombo, et al. 2011). When
all the best practices are in place to assist leaders and managers in taking the best decisions,
then good governance can be achieved.

8. Risk
The International Organization for Standardization (ISO, 2018) defines risk as the effect of
uncertainty on objectives, i.e. a deviation from the expected. HM Treasury, in the Orange Book (2004),
adds that this deviation can be either positive, creating an opportunity, or negative, acting as a
threat. Moreover, it must be relevant to the organisation’s objectives.
In an uncertain world an organisation faces the chance of loss but also the
opportunity for gain. The IIA (2009), consistent with the above definitions, adds
that risk needs to be measured in terms of its consequences, the likelihood of occurrence,
and its impact if it does happen.

8.1 Risk Management


ISO 31000 (2009) defines RM as the coordinated activities implemented to direct and
control an organisation with regard to risk. The key RM processes need to be aligned with the organisation’s
strategic objectives. The State of Queensland, Queensland Treasury (2011) refers to RM as a
step-by-step approach for recognising and responding to risks, stressing the importance of
communicating the identified risks to the relevant stakeholders. RM is crucial for every type
of organisation, to assure the achievement of its strategic goals and objectives. It must be a
proactive strategy designed to identify, analyse, measure, treat, monitor, manage and
communicate potential uncertainties and risks that may adversely affect an organisation in
achieving its objectives.
OCEG (2008) states that RM is a critical component of GRC. An organisation
needs people working in RM who not only manage their own risk areas but are also
experts and act as a centre of excellence, helping other departments manage risks across the
organisation. Jack Kruf, President of the Public Risk Management Organisation (PRIMO) Europe,
added that RM should be a way of managing and should be promoted as a management style
(Kruf, 2019).

8.2 Risk Management in the Public Sector
The Public Sector faces several challenges and uncertainties, arising from both internal and
external factors, that may affect the achievement of its objectives. According to Braig et al.
(2011), the main challenges in the Public Sector involve frequent leadership changes and
vacant headship positions; leaders lacking knowledge of RM and business; a lack of clear
risk metrics; complex procedural requirements; and a limited risk culture and risk mindset. The
variety of risks in the Public Sector is huge, and the main responsibility is to guarantee to the
public that no risk will threaten the perceived public value.
Brown & Osbourne (2011) stated that there is a gap in the literature concerning RM in
the Public Sector. Vincent (1996) mentioned that the main difference between the private and
the Public sector lies in the accountability and responsibility of management: private
sector organisations are accountable to their shareholders, who voluntarily
contributed capital for the formation of the organisation, whereas public agencies
and authorities run on public funds collected from taxes.
In contrast with this literature, Spira & Page (2003) suggested that when it comes to
RM, all standards and principles apply more or less the same, concluding that there is no
substantial difference between sectors. However, Hansson (2005) highlighted another
difference in the attitude of the two sectors, relating to the different measures that
are taken in the management of the identified risks.
Well-managed risk taking delivers benefits and creates opportunities for citizens and
taxpayers. RM helps ensure that Public Sector activities are appropriately controlled. It assures
better and more reliable decision-making; improves efficiency; reduces unnecessary costs;
supports innovation; and, most importantly, preserves and enhances the Public Sector’s
reputation, which is ultimately expressed in trust and confidence in the service provider.

8.3 Enterprise Risk Management (ERM)


The RM process is extended by Enterprise Risk Management (ERM). The
Committee of Sponsoring Organizations of the Treadway Commission (COSO) describes it as “a
process, effected by an entity’s board of directors, management and other personnel, applied
in strategy setting and across the enterprise, designed to identify potential events that may
affect the entity, and manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives” (COSO-ERM, 2004).
The IIA (2009) similarly defines it as a structured and continuous process across the
entire organisation for recognising, deciding on responses to, and reporting on opportunities and
threats that can affect the attainment of objectives. COSO (2004) added that the challenge in
managing an organisation’s ERM is to balance the management of risks with
adding value to the organisation. The Risk and Insurance Management Society (RIMS) refers to ERM as the
strategic discipline that supports the attainment of objectives by addressing the complete
range of an organisation’s risks and dealing with the collective impact of those risks as an “interrelated risk
portfolio” (RIMS, 2013), rather than in an individual, siloed approach. It views ERM as a source of
competitive advantage.
ERM deals with risks and opportunities affecting value creation. It is not a one-size-fits-all
approach, as each department has different cultures, structures and expectations, all of
which need to be considered in designing the right ERM for that department. ERM is an
important concept in the Public Sector, as it changes the reactive managerial style to a more
proactive one, where resources are allocated according to risk-based priorities, ensuring an
efficient, effective and economical way of safeguarding objectives.

8.4 COSO ERM Framework and ISO 31000


The COSO ERM framework (2004) recognised five significant ERM actions: establishing
an oversight structure; defining a common framework as a shared language in the organisation;
targeting processes and their risks; establishing goals and objectives; and assessing the RM
capability.
COSO suggests that ERM encompasses the alignment of risk appetite and strategy;
enhances risk response decisions, whether risk avoidance, reduction, sharing or acceptance;
reduces operational surprises and losses; and proactively seizes and realises opportunities.
COSO presents eight components for an effective ERM framework. These are the
Internal Environment, the significance that RM is given within a department; Objective Setting,
translating a department’s mission statement into strategic objectives; Event Identification,
identifying the internal and external sources of risk that can positively or negatively affect a
department’s objectives; Risk Assessment, analysing and prioritising risks on the basis of their
likelihood of occurrence and impact; Risk Response, addressing risk events in order to bring
them within acceptable risk appetite and tolerance levels; Control Activities, the policies and
procedures introduced by management to implement risk responses; Information and
Communication, the process of identifying, acquiring and communicating relevant information;
and Monitoring, evaluating the ERM process and implementing any necessary improvements in
order to keep it effective, efficient and relevant.
The ERM assessment tool has been developed in line with the principles of ISO 31000
(2009), “Risk management – Principles and Guidelines”. ISO 31000 (2009) offered an RM model
with steps that can be tailored to an organisation’s requirements and is easily applicable in
various industries, including the Public Sector. Its steps are establishing the context;
identifying, analysing, evaluating and treating risks; communication and consultation; and
monitoring and review. The main principles in this standard include creating value; being an
integral part of organisational processes, including decision making; addressing uncertainty;
being structured, systematic and timely; using the best available information; taking human
factors into account; facilitating continual improvement; and being transparent, inclusive,
dynamic, iterative and responsive to change.

9. Compliance
A South African PwC advisory services leader once stated that a properly integrated GRC
develops the control environment, permitting management to send a message to the board
that the business is in control (Baldacchino et al., 2019). According to Van Wyk (2013), a strong
interrelationship should exist between GRC and control. The Open Compliance and Ethics
Group (OCEG) (2018) states that putting compliance and ethics at the centre will help an
organisation drive towards its objectives, act with integrity and stay within mandated
boundaries, i.e. laws, rules and regulations, and within voluntary boundaries, i.e. organisational
values. OCEG adds that the main goals of compliance should include meeting legal and
regulatory requirements; complying with internal policies; managing compliance risks; and
establishing an ethical culture.
Ideally, those with compliance responsibilities should understand the current and
future strategy of an organisation and be involved in strategy discussions to ensure that
compliance is factored into strategic decisions. Collier and Woods (2011), in a study of
Australian and UK authorities, revealed that compliance with legislation was a significant driver
of RM implementation, and that the external monitoring of RM subsequently affected financial
resource allocation.
In a few words, compliance develops control. It is the result of satisfying the
requirements of regulations and codes of ethics and conduct, and the process of monitoring the
necessary controls. It is about adherence to the criteria in the respective laws and regulations,
an important function in light of ever-increasing policies, laws and legislation. However, it is not
only about complying with the applicable laws and regulations. An organisation needs to build
an internal culture of compliance and incorporate an ongoing support programme from the
board and senior management. It is vital for the long-term planning and growth of an
organisation (Camilleri et al., 2019).

9.1 Internal Control


COSO (1992) defined internal control as a process, affected by management, an
entity’s board of directors, and other employees, intended to provide reasonable assurance
concerning the achievement of objectives in three important areas: efficiency and
effectiveness of operations; reliability of financial reporting; and compliance with applicable
laws and regulations. It is about the actions necessary to mitigate risks.
Lim et al. (2017) concluded that the presence of an internal control structure is not
always a guarantee of the absence of risks, except when, according to Pellegrini et al. (2017),
policies create an obligation to enforce compliance, followed by an auditor’s periodic
validation of operations. On the other hand, Horne (2017) concluded that over-reliance on
external evaluators, instead of incorporating a strong internal control structure sustained by
good corporate governance principles, can lead to failure. Horne (2017) adds that the
procedures applied by external evaluators depend on the quality of the evidence gathered at
the time.
Earley et al. (2016) explained that sound judgement should be based on an auditor’s
knowledge and experience. Management should be encouraged to employ an internal auditor
(IA) and other supervisors to ensure that control activities and segregation of duties are
enforced as a risk response. In this process, the negative impacts of risks and any unforeseen
events should be identified as threats, while the positive impacts of risks provide opportunities
that feed back into the overall strategy (Asante, 2015).
An effective internal control function supports Government departments in achieving
their objectives and improving overall performance. A well-organised internal control
environment delivers reasonable assurance of security. It should be an integral part of the
Public Sector’s governance system and RM measures, and needs to be understood, effected
and monitored by the governing body, management and other personnel.

9.2 Internal Control Frameworks COSO, INTOSAI, COCO


COSO issued its first Internal Control Integrated Framework in 1992; it is widely used
around the world as a model for evaluating controls. It enables organisations to develop a
system of control that can adapt to changing operational environments, mitigate risks to an
acceptable level and support good governance. An updated framework, which introduced the
concept of ERM, was issued later; it treats internal control as an essential part of RM.
The five components of the COSO internal control framework that must be in place and
functioning are: Control Environment; Risk Assessment; Control Activities; Information and
Communication; and Monitoring Activities. The control environment sets the tone of an
organisation and should combine integrity and ethical values; management’s philosophy and
operating style; organisational structure; assignment of authority and responsibility; HR
policies and practices; and the competence of personnel.
Lerskullawat (2017) specified that, in responding to risks, it is important to perceive the
control environment as a reflection of the organisational culture, built around tolerance and
commitment to ethical values. The overall quality of GRC is reliant on the control environment.
The IIA (2010) defines the control environment as management’s attitudes and actions
towards providing discipline and structure for the achievement of internal control objectives.
Moreover, Pellegrini (2017) stated that in the absence of an internal control environment, all
other elements cease to function.
Risk Assessment identifies and analyses risks from internal and external sources that
bear on the achievement of objectives. Control Activities are the policies and procedures that
help ensure management directives are carried out and that actions are taken to address the
risks identified in the risk assessment stage. Information and Communication is vital both
internally, flowing down, across and up the organisation, and externally with customers,
suppliers and shareholders.
The International Organisation of Supreme Audit Institutions (INTOSAI) framework
relies on the COSO framework, adapted to the requirements of the public sector, where
controls are understood in the context of meeting social and political objectives; the use of
public funds; the importance of the budget cycle; and the complexity of performance in terms
of integrity, legality, transparency, efficiency and effectiveness as managerial values.
The Criteria of Control (COCO) Framework, developed by the Canadian Institute of
Chartered Accountants (CICA) in 1995, is another international standard built on COSO, with
principles organised into criteria: Purpose; Commitment; Capability; Action; and Monitoring
and Learning. Under Purpose, the model starts with the need for a clear direction, i.e.
objectives, vision and strategy, mission, risks, opportunities, policies, planning and performance
indicators. It continues with Commitment: people within the organisation must understand its
values, such as ethical values, human resource policies, integrity, authority, responsibility,
accountability and trust, and how they need to position themselves within them.
The Capability criterion includes the resources and competences, such as knowledge,
skills, tools, communication processes, information, co-ordination and control activities, that
people must possess to understand and discharge the control model. Employees should have
the right experience, skills and attitudes to perform well, assess risks and ensure controls.
Monitoring and Learning embraces monitoring performance and the internal and external
environment, follow-up procedures, and assessing the effectiveness of control. Each control
activity must be seen as a positive learning process and not as a mechanism for punishing
people.
The COCO criteria encourage a positive response to control activities. COCO refers to
internal control as an action that fosters the best results for an organisation through efficiency
and effectiveness of operations; reliability of internal and external reporting; and compliance
with relevant laws and regulations (Grima et al., 2017).

10. International Benchmarking on Public Sector GRC


In recent years, Public Sector Governance and RM have gained popularity both in
theory and in real-life application regarding the performance of public sector entities. The
frameworks described above have influenced the development of internal controls and RM
practices in Public Sectors around the world.
In the past, it took various corporate scandals involving deficiencies in internal controls,
weak corporate governance standards, non-compliance, managerial greed and unethical
practices, such as the Enron and Lehman Brothers failures, before Corporate Governance,
Internal Control and RM were revisited through positive interventions, including the
introduction of legislative standards and measures such as the Sarbanes-Oxley Act in America,
the UK Corporate Governance Code and the Corporate Governance principles developed by the
OECD (Grima et al., 2020).
Sterck et al. (2005), in an international study of internal control practices in the Public
sector, noted that Australia established a central control model based on the five components
of the first COSO control framework. In Sweden, Public institutions used a mixture of
approaches recommended by the Government and policy makers, based on the COSO
framework together with systems and procedures that treated internal factors, i.e. the type of
activities, governance structure and organisation size, as essential.
In contrast, in Ghana the Public Sector is strictly governed by laws and legal
instruments that can only be amended by parliamentary procedures, making flexibility and
innovation hard to implement in such a fast-globalising world. In the United States of America,
standards for Internal Control are also based on the COSO framework, for identifying and
addressing key performance management challenges and high internal risks.
Other countries were more proactive in implementing and strengthening RM, making
it a priority in the Public Sector Management agenda. In Canada, the Treasury Board of Canada
Secretariat (2001) developed an Integrated RM Framework that provided guidance for adopting
a holistic approach to managing risk, enabling employees to understand and manage the
nature of risk through an ongoing assessment of the likelihood of risks at every level of an
organisation. Results were then aggregated at the corporate level to ease priority setting and
improve decision-making. Such an integrated RM system tends to become rooted in an
organisation’s corporate strategy, which consequently forms an RM culture across the
organisation.
In the United Kingdom (UK), the Chartered Institute of Public Finance and Accountancy
(CIPFA) issued “The Good Governance Standard for Public Services” in 2004, an update of the
corporate governance framework highlighting the underpinning governance principles. This
standard specified the meaning of good governance and how to make transparent and
informed decisions in order to manage risk.
An effective RM system is significant to the successful delivery of Public Services, as it
supports internal control. Accordingly, in the UK, Public service organisations are advised to
produce an annual statement on internal control, including their responses to risks; their
insurance against risks; and the internal controls they have executed, together with any actions
taken to terminate or modify the activity that caused the risks.
Barrett (2005) stated that Australia failed to deliver reliable ways of assessing the
sector’s overall risk position and of establishing suitable risk treatments for assurance and
performance, given its silo approach to RM in the Public sector. Thus, a measure of RM
maturity in the Australian public sector was introduced for entities to embrace
organisation-wide RM, known as ERM, integrated into their strategic and operational
objectives.

11. The Three Lines of Defence Model


The IIA, in its 2013 paper, stated that the three lines of defence model provides an
effective way to enhance communication on RM and control. It supports the ongoing success
of RM initiatives, as important roles and responsibilities are clearly defined to provide a fresh
look at operations. This model provides a strong governance structure in which each unit has
its segregation of duties clearly defined, supporting a sound relationship and communication
between management, internal audit and the audit committee.
In this model, management controls and internal control measures act as the first line
of defence. From the Public Sector perspective, this line of defence is about the controls a
department has in place for its day-to-day operations, risk ownership, and the functions that
own and manage risks. There should be adequate managerial controls in place to ensure
compliance, to highlight control breakdowns and to follow up with corrective actions.
The second line of defence covers quality, RM, risk control, inspection and compliance:
the functions and structures that should be in place to oversee the effective operation of the
internal control framework, facilitate risk assessments and promote a sound risk culture. The
third line of defence focuses on the role of IA as an independent assurance body, provided by
an established internal audit function that reports to those charged with governance. IA is
needed to provide confidence, reduce uncertainty and risks, and add value so that the
organisation is able to take important economic decisions. RM is strongest when there are
three separately identified lines of defence (Borg et al., 2020).

11.1 Internal Auditing
The IIA (2013) defines Internal Auditing as an independent, objective assurance and
consulting activity intended to add value and improve an organisation’s operations. Internal
Auditing helps an organisation achieve its objectives and improve the effectiveness of
governance, RM and control processes.
OCEG (2018) states that people in Internal Audit and assurance roles need to be at the
heart of GRC and principled performance. IAs should be more than just assurance providers. An
IA should provide insight; suggest and advise; guarantee accuracy; assess risks; assess controls;
and promote ethics in order to improve operations. An IA should assist management, the audit
committee and the board by evaluating, monitoring, examining, reporting and recommending
improvements; however, the primary responsibility for implementation and maintenance rests
with management.
An IA’s primary responsibility is to examine, scrutinise and contribute to the continuing
effectiveness of the RM processes and internal control systems. Consistent with this, the UK
Audit Commission (2001) states that an IA must challenge the risk identification and evaluation
process and provide assurance to officers on the effectiveness of controls. It adds that such
roles should be separated from the operating RM processes and control structures, as these
should remain management’s responsibility.
Moeller (2007) describes the role of IA as the “eyes and ears” of management, visiting
all areas of an organisation and reviewing, monitoring and reporting back to management on
the status of operations and activities. However, given today’s changing business, increasing
complexity and riskier environment, IA functions seen from such a narrow perspective are not
viewed as valuable. The role of IA should be perceived as both an assurance provider and a
value-adding trusted advisor to the organisation, aligning expectations, building capabilities,
delivering quality and increasing value.

12. Methodology

12.1 The Research Instrument


Being Public Service employees with a good familiarity and understanding of the Public
Sector enabled us, as “practitioner-researchers”, to spend less valuable time “learning the
context” of the Public Sector’s inner mechanisms, culture and processes (Saunders et al.,
2007). However, we were very careful in our evaluation to avoid bias, by not providing our
opinions and sticking to the facts; our samples were likewise chosen randomly from the whole
population available and able to reply.
We first carried out an analysis of all documentation and a review of the existing
literature related to Governance, Risk Management and Compliance. This provided us with
initial comprehensive information about the subject and its overall issues.
Findings, recommendations and conclusions from recent publicly available Government
NAO Audit reports on Public Sector Governance and finance were also assessed. Local and
international academic journals, and related books that outline the central frameworks and
standards of Governance, Risk Management and Internal Controls, were also examined.
Overall, these helped us compare different sources; establish and rationalise the significance
of the issues; and become more familiar with the current situation both locally and abroad.
Moreover, they helped us develop the main themes that explain and affect the maturity levels
of GRC and are required to develop an effective GRC practice across the Public Sector (i.e. the
maturity framework developed), using the thematic approach applied by Braun et al. (2006).
Specifically, there are four main themes: Governance (G), Risk Management (RM), Effective
Compliance and Control (ECC) and Internal Audit (IA).
We then designed statements based on the identified GRC themes, which formed part
of an online survey purposely prepared (vide Appendix A) and administered randomly by email
during July 2019 to Maltese Public employees across the Public Service and the Public Sector
(Ministries, Departments, agencies and other public entities), in order to obtain participants’
perception of each statement.
Designing and administering such a questionnaire required several steps. Prior to its
distribution, a pilot exercise was conducted with a small group of public employees in order to
obtain feedback on the quality and effectiveness of the questions and theme statements
(Saunders et al., 2007). The first version of the questionnaire consisted of eight statements per
theme, with five themes, i.e. forty statements in total. After scrutinising the pilot feedback, we
decided to shorten and redesign the statements using fewer technical words. Moreover, we
reduced the statements explaining the 4 themes to twenty-five in total, making the
questionnaire less time-consuming for respondents. Pilot testing indicated the time initially
needed to complete the questionnaire; whether the instructions, questions and statements
were clear; whether respondents objected to answering any of the questions; whether the
wording used simple language; and whether the overall layout was user friendly.
The first part of the questionnaire included a covering statement, stating the scope
and objectives of the research and the use of the information. The second part consisted of
five demographic questions, asking for personal details including age; gender; the highest
academic qualification; the Public employment position held; and the number of years
employed in the Public Sector. The answers were grouped into three categories in order to
keep responses general and make respondents comfortable to participate. Two additional
demographic questions, asking for their current office, i.e. where they perform their duties, and
their set departmental objectives, were included in order to better understand the actor, the
value and the object.
The third part, the salient part of the questionnaire, consisted of twenty-five different
statements explaining the four themes, to which participants were asked to respond on a
5-point Likert scale as to their level of agreement or disagreement with the themed statements
vis-à-vis the level of compliance and enforcement at their place of work: “1” being total
disagreement; “2” disagreement; “3” neutrality; “4” agreement; and “5” total agreement. The
last part of the questionnaire was optional, asking for any additional comments. The responses
were initially entered into an MS Excel sheet and then transferred to SPSS for statistical
analysis.

12.2 Sampling Procedure


The population size of the Public Service and the Public Sector, as confirmed on the
official website of the Malta Public Service, i.e. publicservice.gov.mt (2020), is approximately
fifty thousand, of which thirty thousand are Public Service employees working at different
Ministries and Departments, while the other twenty thousand are Public Sector employees
working at different Government agencies, authorities and entities. 305 Public employees
showed an interest in participating. A sample of three hundred and five (305) participants
selected from a population of around fifty thousand guarantees a maximum margin of error of
5.61% at a 95% confidence level (Surveysystem.com, 2020).
Prior to circulation, approval from the People and Standards Division, Office of the
Prime Minister was sought and granted as per section 2.11 of the Data Protection HR
Corporate Procedures.

12.3 Sample Characteristics


The sample was composed of 305 responses, of whom 59% were in the 31-49 age
bracket; 22% in the over-50 age bracket; and the remaining 19% in the younger 18-30 age
bracket. The highest proportion of respondents were female (59.7%), while 40.3% were male.
The distribution of qualifications shows an increasing level of education in the Maltese
Public Sector, resulting from the sponsorship opportunities the Government offers for a more
educated workforce. In fact, most respondents (49.8%) have a post-graduate qualification;
29.2% have an undergraduate qualification; and the remaining 21% have a school-leaving or
ordinary level qualification.
leaving/ordinary level. From this result, the researcher can notice t
Most of the respondents (59%) hold a middle management position between scales 6
and 12, ranging from Assistant Managers and Managers I to Managers II. 21.6% of the
respondents hold a headship position between scales 1 and 5, ranging from Assistant Directors
and Directors to DGs and PSs. The remaining 19.3% hold a lower position between scales 13
and 16, including Clerks, Senior Clerks and Executive Officers.
The more experienced public employees, i.e. those with over 20 years of service,
participated the most (41%), followed by the newcomers (33.4%), i.e. public employees with
1-9 years of experience. The remaining 25.6% of the respondents were in the 10-19 years of
experience category.
Most of the respondents (32.5%) were from the Ministry for Finance (MFIN) and its
line departments; 10% from the Office of the Prime Minister (OPM); and 8.5% from the
Ministry for Health (Health). These 3 were categorised separately, given their substantial share
of respondents. The remaining participants from various other Ministries and Departments
across the Public Service, each a small percentage, were clustered together and labelled
“Public Service others”, an amalgamated 40.5%; while the remaining 8.5% from agencies,
authorities and entities were clustered together and labelled “Public Sector”.
Similarly, we conducted a thematic analysis of the respondents’ departmental
objectives: 49% of the respondents mentioned finance-related objectives; 24% mentioned
operations-related objectives; and the remaining 27% mentioned services-related objectives.

12.4 Data Analysis


The respondents’ data were entered into SPSS (Version 20) and subjected to statistical
analysis, specifically ‘exploratory factor analysis’, as a method of testing our GRC Maturity
Model, which is later used for our evaluation of the Maltese Public Sector as per our research
question RQ1.
Since the items used the ordinal scale of measurement, we used the median (Md) as the
measure of central tendency and the inter-quartile range (IQR) as the measure of spread. Where
a group of items could be grouped into a construct (or theme), we assessed the internal
consistency reliability of the measures via Cronbach’s alpha. After the items were combined
into a single Likert scale, we computed the mean (M) as the measure of central tendency and
the standard deviation (SD) as the measure of spread (Saunders et al., 2007).
Exploratory factor analysis, via principal components extraction with direct oblimin
rotation and Kaiser normalisation, was assessed by computing Cronbach’s alpha coefficients;
these further supported continuing with factor analysis, and so the analysis proceeded. Factor
analysis loaded best on 4 factors and 25 statements. The Kaiser-Meyer-Olkin (KMO) statistic, a
measure of sampling adequacy for the appropriateness of applying factor analysis, fell within
the acceptable range (above 0.6), with a value of 0.935.
The factors were interpreted cautiously with scientific utility (Tabachnick and Fidell,
2001), and the GRC Maturity Evaluation (GRCME) measure was computed from these 4 factors
and 25 statements (Özdamar, 2002; Tavşancıl, 2002; Büyüköztürk, 2002). Principal component
analysis (PCA) was conducted on the 24 items with direct oblimin rotation and Kaiser
normalisation; four components had eigenvalues greater than Kaiser’s criterion of one, and in
combination the factors explained 61.98% of the variance.
The Shapiro-Wilk test was then used to determine whether the score distribution of
each GRCME Model measure was normal, i.e. satisfying the normality condition, or skewed,
i.e. not normal. Since all Shapiro-Wilk p-values, as shown in Table 4, do not satisfy the
normality assumption, we used non-parametric tests to analyse the data: the Friedman test, to
compare the mean scores between the 4 themes/factors, and later the Kruskal-Wallis test (the
non-parametric analogue of the one-way ANOVA test) to determine how the GRCME Model
measures vary with participants’ (1) age, (2) gender, (3) qualification (education level), (4)
grade/scale in the Public Service, (5) years of employment in the Public Service, (6) place of
work and (7) the department and section’s objective (i.e. RQ2). The latter test was chosen
because of the non-normal distribution identified by the Shapiro-Wilk test.
We then used Structural Equation Models (SEM), one of the most frequently used
techniques for confirmatory analysis across various data sets. SEM is a general term covering
many models with constructs that cannot be directly measured and that contain potential
measurement error (Raykov and Marcoulides, 2006). Therefore, path analysis, confirmatory
factor analysis, structural equations and structural equation models are examined in the
literature under different headings and methods (Bayram, 2010).
Confirmatory factor analysis (CFA) is the best method to test the construct validity of
the scale after performing exploratory factor analysis (EFA). In this respect, CFA can be
considered an extension of EFA. With EFA we obtained information about the factor structure:
we determined the number of factors the observed variables measure, what these factors are
and whether the factors are related (Schumacker & Lomax, 2004). With CFA, we tested whether
there is a satisfactory relationship between these factors, whether the factors under
consideration are sufficient to explain the model, and the relationships between the observed
variables and the measured structure (Özdamar, 2004; Weston & Gore, 2006). We specifically
used AMOS 16 software to check and demonstrate by CFA the validity of the 4-factor structure
resulting from EFA and the reliability of the dimensions in the structure.
The main function of fit indices is to determine how well an established model fits the
data set at hand. Many fit indices have been developed for this purpose, and researchers have
made several recommendations regarding which to report. McDonald and Ho (2002)
recommend the TLI (Tucker Lewis Index), which measures the same thing as the CFI
(Comparative Fit Index), GFI (Goodness of Fit Index), NFI (Normed Fit Index) and NNFI
(Non-normed Fit Index); Garver and Mentzer (1999) recommend RMSEA (Root Mean Square
Error of Approximation), CFI and NNFI (TLI); Brown (2006) recommends RMSEA, SRMR, CFI
and NNFI (TLI); and Iacobucci (2010) recommends reporting the CFI and SRMR (Standardized
Root Mean Square Residual) fit indices.
As we can note, researchers have different opinions about which to report. Despite
this, all agree on reporting the χ2 / df ratio. The reason for not giving the χ2 value alone is that
χ2 is sensitive to sample size; dividing it by the degrees of freedom is aimed at eliminating this
sensitivity.
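As an added worked example (not the chapter's own code or data), the following pure-Python script reproduces the first analysis step of section 12.4 and the sampling figure of section 12.2: per-item median and IQR for ordinal Likert items, Cronbach's alpha for a theme, mean and SD of the combined scale, and the margin of error for n = 305. The responses and the statement labels TX.1 to TX.4 are constructed for one hypothetical four-item theme; the 1-5 scale is the one described in section 12.1.

```python
"""Descriptive, reliability and sampling statistics from the chapter's methodology.

Constructed example: six respondents answering four Likert statements of one
hypothetical theme on the 1-5 scale (1 = total disagreement, 5 = total agreement).
"""
import math
import statistics
from typing import Dict, List, Sequence

# Constructed responses (not survey data): one row per respondent, one column per statement.
SAMPLE_RESPONSES: List[List[int]] = [
    [5, 4, 5, 4],
    [4, 4, 4, 3],
    [3, 3, 2, 3],
    [2, 3, 2, 2],
    [4, 5, 4, 4],
    [3, 2, 3, 3],
]
STATEMENT_IDS = ["TX.1", "TX.2", "TX.3", "TX.4"]  # hypothetical statement labels
LIKERT_MIN, LIKERT_MAX = 1, 5


def validate(rows: Sequence[Sequence[int]]) -> None:
    """Reject ragged rows and values outside the 1-5 Likert range before any statistics."""
    width = len(rows[0])
    for i, row in enumerate(rows):
        if len(row) != width:
            raise ValueError(f"respondent {i} answered {len(row)} items, expected {width}")
        for v in row:
            if not LIKERT_MIN <= v <= LIKERT_MAX:
                raise ValueError(f"respondent {i} has out-of-range value {v}")


def column(rows: Sequence[Sequence[int]], j: int) -> List[int]:
    return [row[j] for row in rows]


def item_summary(rows: Sequence[Sequence[int]], ids: Sequence[str]) -> Dict[str, Dict[str, float]]:
    """Median (Md) and inter-quartile range (IQR) per ordinal item.

    statistics.quantiles' default 'exclusive' method uses (n+1)p positions, the same
    weighted-average quartile definition SPSS uses by default.
    """
    validate(rows)
    out: Dict[str, Dict[str, float]] = {}
    for j, sid in enumerate(ids):
        values = column(rows, j)
        q1, _, q3 = statistics.quantiles(values, n=4)
        out[sid] = {"median": statistics.median(values), "iqr": q3 - q1}
    return out


def cronbach_alpha(rows: Sequence[Sequence[int]]) -> float:
    """Internal consistency of a theme: alpha = k/(k-1) * (1 - sum(item var) / var(total score)).

    Sample variances are used throughout; the ratio is unchanged by that choice.
    Values of 0.7 or above are conventionally read as acceptable reliability.
    """
    validate(rows)
    k = len(rows[0])
    if k < 2 or len(rows) < 2:
        raise ValueError("need at least two items and two respondents")
    item_var = sum(statistics.variance(column(rows, j)) for j in range(k))
    total_var = statistics.variance([sum(row) for row in rows])
    if total_var == 0:
        raise ValueError("total scores have no variance; alpha is undefined")
    return k / (k - 1) * (1 - item_var / total_var)


def scale_summary(rows: Sequence[Sequence[int]]) -> Dict[str, float]:
    """Combine the items into one Likert scale (mean per respondent), then report M and SD."""
    validate(rows)
    per_person = [statistics.fmean(row) for row in rows]
    return {"mean": statistics.fmean(per_person), "sd": statistics.stdev(per_person)}


def margin_of_error(n: int, z: float = 1.96, p: float = 0.5) -> float:
    """Worst-case (p = 0.5) margin of error in percent at the given z (1.96 for 95%).

    No finite population correction is applied; for n = 305 this reproduces the
    5.61% quoted in section 12.2 for a population of around fifty thousand.
    """
    if n <= 0:
        raise ValueError("sample size must be positive")
    return 100 * z * math.sqrt(p * (1 - p) / n)


if __name__ == "__main__":
    for sid, stats in item_summary(SAMPLE_RESPONSES, STATEMENT_IDS).items():
        print(f"{sid}: Md={stats['median']:.2f} IQR={stats['iqr']:.2f}")
    print(f"Cronbach alpha: {cronbach_alpha(SAMPLE_RESPONSES):.3f}")
    combined = scale_summary(SAMPLE_RESPONSES)
    print(f"Combined scale: M={combined['mean']:.3f} SD={combined['sd']:.3f}")
    print(f"Margin of error, n=305: {margin_of_error(305):.2f}%")
```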

12.5 Limitations of the Methodology


A limitation in administering an online questionnaire is the level of response, since
respondents may at first not participate or may ignore the invitation. We therefore sent
continual reminders in order to improve the response rate. Also, although we tried our best to
ensure that the statements and questions were easily understandable, another limitation,
which concerns the use of Likert scales, was the neutral option (i.e. neither agree nor disagree).
This option may have been abused by some respondents, either because they did not understand
the statement or because they wanted to avoid any extreme responses, i.e. they suffered from
Central Tendency Bias.

13. Analysis of results and discussion, interpretation of the findings

13.1 Exploratory Factor Analysis (EFA)


The ‘GRCME Model’ on the Maltese Public sector, using factor analysis, was supported
with 4 factors and 25 statements. Table 1 shows which statements are grouped under each of
the 4 factors. The pattern of items loading onto factors after rotation was clear and
interpretable. Factor 1, termed “Effective Compliance and Control (ECC)”, explained
44.21% of the variance and comprised 8 items. Factor 2, termed “Internal
Audit (IA)”, explained 6.90% of the total variance and comprised 5 items. Factor 3, termed
“Risk Management (RM)”, explained 6.32% of the total variance and comprised
7 items. Factor 4, termed “Governance (G)”, explained 4.54% of the total
variance and comprised 5 items (Hair et al., 1998).

Table 1: Factors(a)

| Statements (vide Appendix A) | Factor 1 | Factor 2 | Factor 3 | Factor 4 |
|---|---|---|---|---|
| T1.1 | | | | -.725 |
| T1.2 | | | | -.737 |
| T1.3 | | | | -.606 |
| T1.4 | | | | -.673 |
| T1.5 | | | | -.670 |
| T2.1 | | | -.687 | |
| T2.2 | | | -.617 | |
| T2.3 | | | -.500 | |
| T2.4 | | | -.759 | |
| T2.5 | | | -.649 | |
| T2.6 | | | -.552 | |
| T2.7 | | | -.497 | |
| T3.1 | .663 | | | |
| T3.2 | .652 | | | |
| T3.3 | .680 | | | |
| T3.4 | .448 | | | |
| T3.5 | .580 | | | |
| T3.6 | .584 | | | |
| T3.7 | .690 | | | |
| T3.8 | .470 | | | |
| T4.1 | | .559 | | |
| T4.2 | | .710 | | |
| T4.3 | | .835 | | |
| T4.4 | | .879 | | |
| T4.5 | | .807 | | |

Extraction Method: Principal Component Analysis.
Rotation Method: Oblimin with Kaiser Normalization.(a)
a. Rotation converged in 16 iterations.
Source: Authors’ Compilation

13.2 Scale Reliability Test
We then generated in SPSS (version 20) the average scores for each theme and the
Cronbach’s alpha, which revealed that the measures of the 4 factors were internally consistent
with scale reliability. The Cronbach’s alpha coefficients of this scale were between 0.85 and 0.88
(Table 2). Therefore, we can conclude that this scale is reliable as part of our statistical analysis.
We also checked the inter-item correlations, which all resulted positive, indicating that
the mean scores of the (G), (RM), (ECC) and (IA) variables are positively related.

Table 2: Cronbach’s Alpha (N=305)

| Factor/Theme | Items | Mean | Min-Max | Cronbach’s Alpha |
|---|---|---|---|---|
| 1 | 5 | 3.70 | 3.531-3.911 | 0.85 |
| 2 | 7 | 3.16 | 2.715-3.587 | 0.88 |
| 3 | 8 | 3.67 | 3.187-4.069 | 0.88 |
| 4 | 5 | 3.35 | 3.302-3.685 | 0.87 |

Source: Authors’ Compilation
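A worked version of the Table 2 reliability computation, added here as an example and not the authors' SPSS output: Cronbach's alpha, the item means and the inter-item correlations for one theme, run on a constructed 6-respondent x 5-item Likert sample that stands in for the Governance statements T1.1-T1.5 (the chapter's real sample had N=305).

```python
"""Scale reliability for one GRC theme, as reported in Table 2 of the chapter.

Added example, not the authors' SPSS output. The respondent x item matrix is
constructed (6 respondents, 5 Likert items scored 1-5) and stands in for the
Governance statements T1.1-T1.5; the chapter's real sample had N=305.
Pure Python: no numpy or pandas needed.
"""
from statistics import mean, variance

# Constructed sample: one row per respondent, one column per statement.
GOVERNANCE_SAMPLE = [
    [4, 4, 5, 4, 4],
    [3, 3, 4, 3, 3],
    [5, 4, 5, 5, 4],
    [2, 3, 3, 2, 2],
    [4, 5, 4, 4, 5],
    [3, 2, 3, 3, 3],
]


def cronbach_alpha(rows):
    """Cronbach's alpha = k/(k-1) * (1 - sum of item variances / variance of totals).

    rows: respondent x item scores. Sample (n-1) variances are used, as SPSS does.
    """
    k = len(rows[0])
    if k < 2 or any(len(r) != k for r in rows):
        raise ValueError("need at least two items and a complete matrix")
    items = list(zip(*rows))                      # transpose: one tuple per item
    item_var = sum(variance(col) for col in items)
    total_var = variance([sum(r) for r in rows])
    if total_var == 0:
        raise ValueError("respondent totals have no variance; alpha is undefined")
    return k / (k - 1) * (1 - item_var / total_var)


def pearson(x, y):
    """Pearson correlation between two equally long score sequences."""
    mx, my = mean(x), mean(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        raise ValueError("an item with no variance has no defined correlation")
    return sxy / (sxx * syy) ** 0.5


def theme_summary(rows):
    """Table 2 style summary for one theme: item count, theme mean, range of
    item means, Cronbach's alpha, and the smallest inter-item correlation
    (the chapter checks that all inter-item correlations are positive)."""
    items = list(zip(*rows))
    item_means = [mean(col) for col in items]
    corrs = [pearson(items[i], items[j])
             for i in range(len(items)) for j in range(i + 1, len(items))]
    return {
        "items": len(items),
        "mean": round(mean(item_means), 3),
        "min_item_mean": round(min(item_means), 3),
        "max_item_mean": round(max(item_means), 3),
        "alpha": round(cronbach_alpha(rows), 3),
        "min_inter_item_r": round(min(corrs), 3),
        "all_positive": all(c > 0 for c in corrs),
    }


if __name__ == "__main__":
    s = theme_summary(GOVERNANCE_SAMPLE)
    print(f"items={s['items']} mean={s['mean']} "
          f"min-max={s['min_item_mean']}-{s['max_item_mean']} alpha={s['alpha']}")
    print(f"smallest inter-item r={s['min_inter_item_r']} all positive={s['all_positive']}")
```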

The computed ‘GRCME Model’ measure of GRC Maturity Level for the Public sector
shows a mean of 3.51 (SD = 0.678). All the Factors (1, 2, 3 and 4) produced means that were
close to the computed GRCME Model mean (Table 3). This shows that participants from the Public
sector, overall, agree that the Maturity level is high. However, they are neutral
about the public sector maturity in ‘Risk Management’; that is, they do not have an opinion or
are unsure whether Risk Management in the public sector is mature enough.

13.3 Shapiro-Wilk Normality test


The Shapiro-Wilk test was then used to determine whether the score distribution of
each GRC theme was normal, i.e. satisfying the normality condition, or skewed, i.e. not normal.
All Shapiro-Wilk p-values, as shown in Table 4 below, are less than the 0.05 level of
significance, indicating that the score distributions of the 4 GRC themes are skewed and do not
satisfy the normality assumption. For this reason, we used a non-parametric test to analyse the
data, i.e. the Friedman test.

Table 3: GRCME Model

| Factors/Themes | N | Mean | Standard Deviation |
|---|---|---|---|
| Governance | 305 | 3.70 | 0.770 |
| Risk management | 305 | 3.16 | 0.835 |
| Effective Compliance and Control | 305 | 3.67 | 0.725 |
| Internal Audit | 305 | 3.50 | 0.867 |
| GRCME Model | 305 | 3.51 | 0.678 |

Source: Authors’ Compilation

Table 4: Shapiro-Wilk

| | Statistic | df | Sig. |
|---|---|---|---|
| Governance | .974 | 305 | .000 |
| Risk Management | .991 | 305 | .049 |
| Effective Compliance and Control | .975 | 305 | .000 |
| Internal Audit | .968 | 305 | .000 |

Source: Authors’ Compilation

13.4 Structured Equation Modelling


We created the CFA shown in Figure 1 to show the 4 factors obtained as a result of
EFA and the sub-dimensions forming the factors. This first-order four-factor model is
called the CFA model; another name for it is the measurement model.
Some of the fit indexes of this measurement model were not
within acceptable limits (χ2 = 767,509, df = 269, p = 0,000, χ2/df = 2,853, AGFI = 0,79, RMSA =
0,078, SRMR = 0,057, IFI = 0,087). The modifications proposed by AMOS were therefore made
and the measurement model was re-estimated; the results are shown in Table 5. According
to the results obtained, the model fits the data. These results show that the scale
dimensions revealed by the EFA are valid and that an acceptable scale has emerged.

Table 5. The Modified Model Fit

| | The Model Fit | Ideal Fit | Acceptable Fit | Result |
|---|---|---|---|---|
| χ2/df | 1,986 | 0 ≤ χ2/df ≤ 2 | 2 ≤ χ2/df ≤ 3 | Ideal Fit |
| AGFI | 0,854 | 0,90 ≤ AGFI ≤ 1,0 | 0,85 ≤ AGFI ≤ 0,90 | Acceptable |
| RMSA | 0,057 | 0 ≤ RMSA ≤ 0,05 | 0,05 ≤ RMSA ≤ 0,10 | Acceptable |
| IFI | 0,943 | 0,95 ≤ IFI ≤ 1,0 | 0,90 ≤ IFI ≤ 0,95 | Acceptable |
| SRMR | 0,045 | 0 ≤ SRMR ≤ 0,05 | 0,05 ≤ SRMR ≤ 0,10 | Ideal Fit |

Source: Authors’ Compilation

Figure 1: The Created CFA Model

Source: Authors’ Compilation

The standardized factor loadings in the four-factor model ranged from 0.524 to 0.768
for F1, 0.679 to 0.816 for F2, 0.535 to 0.828 for F3, and 0.551 to 0.768 for F4. In addition, the
correlation between F1 and F2 was calculated as 0.759, the correlation between F1 and F3 was
0.779, the correlation between F1 and F4 was 0.828, the correlation between F2 and F3 was
0.716, the correlation between F2 and F4 was 0.664 and the correlation between F3 and F4
was 0.776. When the coefficients and the validity and reliability tests that emerged from the
analysis were examined, it was revealed that the model was structurally valid.

13.5 Friedman Test


Table 6 shows the results of the non-parametric Friedman test on our sample, which are
significant since the p-value < 0.001. We therefore reject the null hypothesis: the
distributions of the 4 ‘GRCME Model’ themes are different.
The mean scores of the 4 ‘GRCME Model’ themes exceed 3, indicating an
overall positive perception of participants on GRC maturity in relation to (G), (ECC) and
(IA) and a neutral perception in relation to (RM). (G) had the highest mean score (μ=3.70)
amongst the 4 themes. This was followed by (ECC) (μ=3.67), then (IA)
(μ=3.50), and (RM) with the lowest score (μ=3.16).

Table 6: Friedman’s Two-Way Analysis of Variance by Ranks

| | Sample Size | Mean | Std. Dev. | Minimum | Maximum |
|---|---|---|---|---|---|
| Governance | 305 | 3.70 | .770 | 1 | 5 |
| Risk Management | 305 | 3.16 | .835 | 1 | 5 |
| Effective Compliance and Control | 305 | 3.67 | .725 | 1 | 5 |
| Internal Auditing | 305 | 3.50 | .867 | 1 | 5 |

χ2 = 195.345, df = 3, p-value < 0.001
Source: Authors’ Compilation
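The Friedman test of Table 6 carried through by hand, as an added example that is not the authors' SPSS output: per-respondent ranking of the four theme scores with average ranks for ties (Likert scores tie heavily, so the tie-corrected form of the statistic is used), the χ2 statistic with df = k-1 = 3, and its p-value. The 6 x 4 score matrix is constructed; the chapter's sample had N=305.

```python
"""Friedman test for the four 'GRCME Model' themes, as in Table 6 of the chapter.

Added example, not the authors' SPSS output. The theme scores below are
constructed (6 respondents x 4 themes, Likert 1-5); the chapter's sample had
N=305 and reported chi2=195.345, df=3. Likert scores carry many ties, so the
tie-corrected form of the statistic is used. Pure Python, no scipy required.
"""
import math

THEMES = ("Governance", "Risk Management", "Effective Compliance and Control",
          "Internal Auditing")

# Constructed sample: one row per respondent, one column per theme (order as THEMES).
SAMPLE = [
    [4, 3, 4, 3],
    [5, 3, 4, 4],
    [4, 2, 4, 3],
    [3, 3, 3, 3],   # neutral on everything: all four ranks tie at 2.5
    [4, 3, 5, 4],
    [5, 4, 4, 3],
]


def average_ranks(values):
    """Rank one respondent's theme scores from 1 (lowest) to k, giving tied
    scores the average of the ranks they would otherwise occupy."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + 1 + j + 1) / 2          # positions i..j hold ranks i+1..j+1
        for pos in range(i, j + 1):
            ranks[order[pos]] = avg
        i = j + 1
    return ranks


def chi2_sf(x, df):
    """Upper-tail probability P(X > x) of a chi-square variable with integer df,
    via the closed-form finite series (erfc term for odd df)."""
    if x <= 0:
        return 1.0
    if df % 2 == 0:                        # even df = 2m: e^(-x/2) * sum (x/2)^i / i!
        m, term, total = df // 2, 1.0, 1.0
        for i in range(1, m):
            term *= (x / 2) / i
            total += term
        return math.exp(-x / 2) * total
    m = (df - 1) // 2                      # odd df = 2m + 1
    term, total = 1.0, (1.0 if m > 0 else 0.0)
    for i in range(1, m):                  # sum x^i / (1 * 3 * ... * (2i+1))
        term *= x / (2 * i + 1)
        total += term
    return math.erfc(math.sqrt(x / 2)) + math.sqrt(2 * x / math.pi) * math.exp(-x / 2) * total


def friedman(rows):
    """Return (chi2 statistic, df, p-value) of the Friedman test on a
    respondents x themes matrix. Uses the tie-corrected form
    (k-1) * (sum_j R_j^2 - n^2 k (k+1)^2 / 4) / (sum_ij r_ij^2 - n k (k+1)^2 / 4),
    which reduces to 12/(nk(k+1)) * sum_j R_j^2 - 3n(k+1) when there are no ties."""
    n, k = len(rows), len(rows[0])
    if n < 2 or k < 2 or any(len(r) != k for r in rows):
        raise ValueError("need a complete n x k matrix with n, k >= 2")
    rank_rows = [average_ranks(r) for r in rows]
    col_sums = [sum(col) for col in zip(*rank_rows)]           # R_j per theme
    sum_R2 = sum(R * R for R in col_sums)
    sum_r2 = sum(r * r for row in rank_rows for r in row)
    denom = sum_r2 - n * k * (k + 1) ** 2 / 4
    if denom == 0:                         # every respondent scored all themes alike
        return 0.0, k - 1, 1.0
    stat = (k - 1) * (sum_R2 - n * n * k * (k + 1) ** 2 / 4) / denom
    return stat, k - 1, chi2_sf(stat, k - 1)


def theme_means(rows):
    """Per-theme mean scores, the 'Mean' column of Table 6."""
    return {name: round(sum(col) / len(col), 3)
            for name, col in zip(THEMES, zip(*rows))}


if __name__ == "__main__":
    stat, df, p = friedman(SAMPLE)
    for name, m in theme_means(SAMPLE).items():
        print(f"{name:35s} mean={m}")
    print(f"Friedman chi2={stat:.3f}, df={df}, p={p:.4f}")
    print("theme distributions differ at the 0.05 level" if p < 0.05
          else "no evidence that the theme distributions differ")
```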

13.6 Kruskal Wallis test


The results of the Kruskal Wallis test are not significant (p-value > 0.05), meaning that
there is no variance in the ‘GRCME Model’ measure or in the individual 4 themes/factors as a
result of the different demographic variables, with the exception of:

(1) (IA), which varies with the place of work (χ2 = 7.149, df = 2, p-value < 0.05); that
is, Ministry with a mean rank (μ = 96.57), Department with a mean rank (μ = 79.35) and
Section with a mean rank (μ = 104.19); and with the Ministry, Department and Section’s
objectives (χ2 = 6.556, df = 2, p-value < 0.05): Finance with a mean rank (μ = 107.93),
Operations with a mean rank (μ = 80.72) and Services with a mean rank (μ = 102.50).

(2) (RM), which varies with Gender (χ2 = 4.719, df = 2, p-value < 0.1): Male with a mean rank
(μ = 101.23), Female with a mean rank (μ = 121.36) and Other with a mean rank
(μ = 130.41).

13.7 Discussion
The Governance (G) Theme – findings indicate a perception by participants of a
mature and a robust governance culture across the Public Sector, where its Ministries,
Departments, entities and agencies are in line with the essential Governance mechanisms,
following the latest practices; functioning with openness, accountability, transparency,
integrity and ethics in their daily operations. No evident limiting factors were identified with
regards to Governance, except for a visible level of neutral responses in statements T1.1 and
T1.2. This could be because respondents might have been unsure on the response.
Risk Management (RM) Theme – Risk Management in the Public Sector is still a relatively
new area. However, from the results obtained, it can be noted that more effort is
required before RM in the Maltese Public Sector can be considered to be at a mature stage. As
also noted in the literature regarding RM in the Public Sector, this area requires the largest
improvement. The RM function faces various challenges and uncertainties including
continuous leadership changes; lack of knowledge in RM; lack of clear risk metrics; limited risk
culture and risk mind-set (Braig, Gebre & Sellgren, 2011).
Also, findings show that Males perceived their place of work as less conscious of RM
practices than Females did. More awareness is certainly required in
order to adopt a robust internal culture of RM.
From the further comments, it transpires (73 participants) that the Public Sector may
not be fully aware of the amount of risk present in its daily operations. Exercises on
evaluating and prioritizing risks, as demanded by COSO ERM and ISO 31000, are still in their
infancy, as shown in most of the responses (33 participants). Moreover, it seems that
there is a lack of RM strategies in place, with a lack of risk identification, documentation and
mapping due to the absence of risk assessments. This was also reflected in the responses to
statements T2.1-T2.5, especially statement T2.4, with approximately 38
of the respondents expressing a lack of organized workshops and RM discussions by
senior management with their employees. Such an absence can have negative ripple effects
on the overall GRC components, given that without formal RM plans and processes the entire
GRC process threatens to become a compliance-driven bureaucratic exercise.
Moreover, also highlighted is a necessity to train people on (1) the importance of RM
(43 participants) and (2) how to appropriately implement the risk register frameworks at the
place of work, as one of the essential mechanisms demanded by a holistic RM environment (36
participants). Some (13 participants) of the respondents mentioned other gaps including the
lack of people focused on RM or that RM is not dealt with at their place of work. Others (5
participants) argued that they may not be aware about any RM strategies in place.
Also, it transpires from responses from a few participants (3 participants) that
insufficient allocation of human and financial resources could be one of the limiting factors in
the ability to adopt a holistic strategic approach towards RM. Overall this shows, that
developments are required in order to be in line with the mechanisms demanded by an
effective RM environment including actions, components and principles required by the COSO
ERM framework and ISO 31000.
Effective Compliance and Control – Findings show that participants have a positive
perception of the maturity level in the compliance and control functions. However, similar to
the other themes, there was a noticeable level of neutral answers, especially in statement T3.3,
where 77 participants disagreed and another 109 participants expressed scepticism that
enough resources, knowledge and skills are present for a fully functioning internal control
structure. This might show the need to improve the resource base.
Thus, we can identify an existing limiting factor with regard to the capability criteria of
resources and competence towards assessing risks and ensuring compliance and control
activities and responsibilities. Such criteria form part of the principles of the COCO framework
developed by CICA. Also, although funds are being devoted to training, as confirmed by the T5.5
responses, it transpires that training courses specifically targeted at RM and internal control
practices need to be introduced.
Internal Auditing – Findings demonstrate participants’ perception of a good maturity
level and culture in IA. These findings, however, vary with the place of work and with the Ministry,
Department and Section’s objectives.
When the statements were individually tested, the proportion of results in the (IA) theme
showed skewness towards a positive perception, indicating that most Public employees
perceive their place of work as being in line with Internal Audit practices. However, from the
further comments there were still a number of respondents (36 participants) who were
sceptical about the overall effectiveness of the audits conducted by IA. This shows that the Maltese
Public Sector is still not fully aligned with the mechanisms demanded by a
holistic GRC environment in the area of Internal Auditing. 93 respondents expressed neutrality
when asked whether they see IA as a trusted advisor across the Public Sector, with 39
participants expressing negative feedback on the same statement, T4.1.
It seems that although the Internal Audit and Investigations Department (IAID)’s
effectiveness in its independent, consulting and investigative role in the Public Sector is
improving, more effort is needed so that IA is perceived as not only delivering
assurance, but also as a trusted advisor that adds value and improves operations. The results
from statements T4.2 and T4.5 show that there is a lack of decentralised IA functions across
the Public Sector. Also, a lack of information meetings was highlighted in statement T4.3 and
a lack of follow-up processes was highlighted in T4.4. Such limiting factors can be a result of
the present gaps in human resources.
Such gaps and weaknesses were seen from the thematic analysis of the further
comments section, giving rise to existent limiting factors. Some respondents (22) stated that
they are not aware that IAID conducts internal auditing at their department, whilst others (38)
stated that they are facing difficulties through the lack of professional accounting staff. They
added that the Public Service might be losing its best human resources with the most
experienced and skilful employees leaving for better salaries, more job satisfaction and better
conditions of work.
Another respondent stated that IA’s recommendations are not always practical for
real-life work scenarios, and are sometimes impossible to implement. The same respondent
added that a decentralised internal audit function is required within every Ministry. This shows
the necessity of specialised IAs, preferably experts in their audited areas, able to
fully understand the role and functions of the audit client and the mechanisms of its
environment. This would enable an Internal Auditor to recommend real-life applicable and
proactive actions for the identified weaknesses.

14 Conclusions
The Public Sector requires a framework to address and improve the quality of Public
RM, to better manage current risks and stakeholder expectations, and to expand GRC. After analysing
the findings of this study, we identified some gaps in the maturity level of
GRC. The Public Sector will benefit, as it will sustain improvements towards RM issues and
improve its overall reputation and customer trust and confidence in the services being offered.
If used for public consumption, the model can determine the Public Sector’s GRC state of
maturity and protect reputation, given the more effective management of risks. Barrett (2005)
states that effective RM is the cornerstone of good governance and can lead to improved
overall performance; better service delivery; better project management; maximising the
efficient use of resources; and minimising fraud, waste and poor value-for-money decision-making.
All in all, society as the object will also benefit: when Public
organisations are connected as the main actors, the services being offered as the content and society as the
object, success in terms of efficiency and effectiveness of the Public Sector services towards
society will automatically improve, minimising the risk of a lack of connection between the different
governance elements that can cause disruption. A successful implementation of GRC, together
with improvements in RM and internal auditing, will have a positive impact on overall
performance and on the attainment of objectives.

REFERENCES

Asante, A.O. (2015), “Auditors’ Independence and Audit Quality: Evidence from Banks in
Ghana”, available at:
http://ir.presbyuniversity.edu.gh:8080/jspui/bitstream/123456789/127/1/AUDITORS
%E2%80%99%20INDEPENDENCE%20AND%20AUDIT%20QUALITY%20EVIDENCE%20FROM
%20BANKS%20IN%20GHANA.pdf (accessed 20 April 2019).

Audit Commission (2001), “Worth the risk: improving risk management in local government”,
available at: https://moderngov.rotherham.gov.uk/documents/s3633/Worth%20The
%20Risk%20-%20Audit%20Commission.pdf (accessed 15 March 2019).
Baldacchino, G. 2006. Islands, Island Studies. Island Studies Journal, Vol. 1, No. 1, 3-18.
Baldacchino,P.J., Vella, C. and Grima, S., 2019. The Corporate Governance Code and
Compliance by Maltese Listed Companies. International Journal of Economics and
Business Administration Volume VII, Issue 2, 2019, pp 71-90.
Baldacchino, P., Camilleri, A., Schembri, B., Grima, S., Thalassinos, E. 2020a. Performance
Evaluation of the Board of Directors in Listed Companies: A Small State perspective.
International Journal of Finance, Insurance and Risk Management. Volume X, Issue 1,
2020.99-119
Baldacchino, P., Tabone, N., Schembri, Camilleri, J., Grima, S. 2020b. An Analysis of the Board
of Directors Composition: The Case of Maltese Listed Companies. International Journal of
Finance, Insurance and Risk Management. Volume X, Issue 1, 2020.99-119
Barrett, P. (2005), “Future Challenges for Risk Management in the Australian Public Sector”,
available at:
https://pdfs.semanticscholar.org/0cf6/23a7deff6a24b8c1a9510170e4c91ff2e637.pdf
(accessed 15 March 2019).
Bayram N. (2010) Yapısal Eşitlik Modellemesine Giriş AMOS Uygulamaları, Bursa, Ezgi Kitapevi
Bezzina, F., Grima, S., and Mamo, J. (2014), “Risk management practices adopted by financial
firms in Malta”, Managerial Finance, Vol. 40. No. 6, pp. 587-612.
Borg, G., Baldacchino, P.J., Buttigieg, S., Boztepe, E. and Grima, S. 2020. Challenging the
Adequacy of the Conventional ‘Three Lines of Defence’ Model: A Case Study on Maltese
Credit Institutions. Chapter 18, pp. 303-324. Contemporary Issues in Audit Management
and Forensic Accounting. Contemporary Studies in Economic and Financial Analysis,
Volume 102, Emerald Group Publishing Limited.
Bozeman, B. and Jorgensen, B. (2007), “Public Values: An Inventory”, Administration & Society,
Vol. 39, No 3, pp. 354-381.
Braig, S., Gebre, B., and Sellgren, A., (2011), “Strengthening risk management in the US public
sector”, Working Paper No. 28, McKinsey and Company, U.S., May 2011.
Braun, V. and Clarke, V. (2006), “Using thematic analysis in psychology”, Qualitative
Research in Psychology, Vol. 3, No. 2, pp. 77-101. http://dx.doi.org/10.1191/1478088706qp063oa
Briguglio, L. 1995. Small island developing states and their economic vulnerabilities. World
Development, Vol. 23, No. 9, 1615-1632.
Brown, L. and Osbourne, S. (2011), “Innovation in Public Services: Engaging with Risk”,
available at:
https://www.researchgate.net/publication/263271921_Innovation_in_Public_Services_En
gaging_with_Risk (accessed 19 March 2019).
Brown TA. Introduction to CFA. Confirmatory Factor Analysis for Applied Research. 3rd ed.
New York: The Guilford Press; 2006
Büyüköztürk, Ş. 2002. Factor Analysis: Basic Concepts and Use in Scale Development.
Journal of Education Management, Fall, 470-433.
Camilleri,S.J., Grima,L., Grima,S. 2019. The effect of dividend policy on share price volatility: an
analysis of Mediterranean banks’ stocks, Managerial Finance, Vol. 45 Issue: 2, pp.348-
364, https://doi.org/10.1108/MF-11-2017-0451
Canadian Institute of Chartered Accountants (CICA) (1995), “The COCO Framework”, available
at: www.cica.ca (accessed 20 February 2019).
Chartered Institute of Public Finance and Accountancy (CIPFA) (2004), “The Good Governance
Standard for Public Services”, available at:
https://www.jrf.org.uk/sites/default/files/jrf/migrated/files/1898531862.pdf (accessed 21
February 2019).

Collier, P. and Woods, M. (2011), “A Comparison of the Local Authority Adoption of Risk
Management in England and Australia”, Australian Accounting Review, Vol. 21, No. 57 pp.
111-123.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (1992), “Internal
Control Integrated Framework”, available at: https://www.coso.org/Pages/default.aspx
(accessed 20 February 2019).
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004),
“Enterprise Risk Management – Integrated Framework, Executive Summary”, available at:
https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf (accessed 20
February 2019).
Court, J., Hyden, G., and Mease, K. (2004), “Making sense of Governance: The Need for
involving local stakeholders”, available at: https://www.odi.org/sites/odi.org.uk/files/odi-
assets/publications-opinion-files/4092.pdf (accessed 20 April 2019).
Dalli Gonzi, R., Grima, S., Kizilkaya, M. and Spiteri, J. 2019. The Dali Model in Risk-Management
Practice: The Case of Financial Services Firms. Journal of Risk and Financial Management.
MDPI. pp 1-15.
De Visscher C., Sarens G., Van Gils D. (2010), “Risk Management and Internal Control in the
Public Sector: An In-Depth Analysis of Belgian Social Security Public Institutions”, available
at:
https://finances.belgium.be/sites/default/files/downloads/BdocB_2010_Q3A_deVisscher
_Sarens_vanGils.pdf (accessed 10 March 2019).
Drennan, L.T. and McConnell, A. (2007), Risk and Crisis Management in the Public Sector,
Routledge, Abingdon, Oxon.
European Commission (2001), “European Governance – A White Paper”, available at:
https://ehne.fr/en/article/material-civilization/expertise-and-knowledge/european-
commissions-white-paper-european-governance-2001 (accessed 21 April 2019).
Garver, M.S., & Mentzer, J.T. (1999). Logistics research methods: Employing structural
equation modeling to test for construct validity. Journal of Business Logistics, 20(1), 33-57.
Grant Thornton International (2009), “Enterprise risk management: creating value in a volatile
economy”, available at: http://www.gtrus.ru/doc/public/gti/gti_erm_en.pdf (accessed 19
March 2019).
Grima, S.; Romanova. I.; and Bezzina, F., 2017. Misuse of Derivatives: Considerations for
Internal Control. Contemporary Issues in Finance: Current Challenges from Across Europe
(Series Editor Rupeika-Apoga, R., Romanova, I., Grima, S. & Bezzina, F.), Contemporary
Studies in Economic and Financial Analysis, Volume 98) Emerald Group Publishing Limited,
chp 4, pp49-62
Grima, S. and Thalassinos, E. (2020) – Financial Derivatives: A Blessing or a curse? Emerald
Group Publishing Limited. Edited by Dalli Gonzi, R. and Thalassinos, I.Chapter 4.163-174
Hair, J.F., Anderson, R.E., Tatham, R.L. and Black, W.C. 1998. Multivariate Data Analysis,
5th ed., Prentice-Hall, Upper Saddle River, NJ.
Hansson, S. (2005), “Seven Myths of Risk”, Risk Management: An International Journal 2005,
Vol. 7, No. 2, pp. 7-17.
Her Majesty (HM) Treasury (2014), “The Orange Book, Management of Risk – Principles and
Concepts”, available at:
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/
attachment_data/file/220647/orange_book.pdf (accessed 05 March 2019).
Horne, S. (2017), “8–27 Years of fraud control in the New South Wales public sector: 1989–
2016”, In the Changing Face of Corruption in the Asia Pacific, Elsevier, New York, pp. 111–
25.
Iacobucci, D. (2010). Structural equations modeling: Fit indices, sample size, and advanced
topics. Journal of Consumer Psychology, 20, 90-98.

International Organisation for Standardization (ISO) (2009), “ISO 31000:2009, Risk
Management – Principles and Guidelines”, available at: www.iso.org (accessed 12
February 2019).
International Organisation for Standardization (ISO) (2018), “ISO 31000:2018, Risk
Management in Organisations”, available at: www.iso.org (accessed 12 February 2019).
International Organisation of Supreme Audit Institutions (INTOSAI) (2004), “Guidelines for
Internal Control Standards for the Public Sector”, available at: www.intosai.org (accessed
15 February 2019).
King, R. 1993. The geographical fascination of islands. In Lockhart, D.G., Drakakis-Smith, D. and
Schembri, J. (Eds), The Development Process in Small Island States. Routledge, London,
pp. 13-37.
Kong, Y., Lartey, P.Y., Bah, F.B.M., Biswas, N.B. (2018), “The Value of Public Sector Risk
Management: An Empirical Assessment of Ghana”, available at:
https://www.researchgate.net/publication/326738992_The_Value_of_Public_Sector_Risk
_Management_An_Empirical_Assessment_of_Ghana (accessed 12 March 2019).
Kruf, J.P., Grima, S., Kizilkaya, M., Spiteri, J., Slob, W. and O’Dea, J. 2019. The PRIMO FORTE
Framework for Good Governance in Public, Private and Civic Organisations: An Analysis on
Small EU States. European Research Studies Journal, Volume XXII, Issue 4, 2019, pp. 15-34.
Lerskullawat, A. (2017), “Effects of banking sector and capital market development on the
bank lending channel of monetary policy: An ASEAN country case study”, Kasetsart
Journal of Social Sciences, Vol. 38, No. 1, pp. 9–17.
Lim, C.Y., Woods, M., Humphrey, C., and Seow, J.L. (2017), “The paradoxes of risk management
in the banking sector”, The British Accounting Review, Vol. 49, No. 1, pp. 75-90.

McNamee, D. and Selim, G.M. (1998), Risk Management: Changing the Internal Auditor’s
Paradigm, The Institute of Internal Auditors Research Foundation, Altamonte Springs, FL.
Mitchell, S.L. (2017), “What is GRC?”, available at: https://medium.com/grc360/what-is-grc-
d9d542b1e217 (accessed 03 February 2019).
Mitchell, S.L. and Stern Switzer, C. (2013), “GRC Capability Model (OCEG Red Book)”, available
at: Lulu.com (accessed 10 February 2019).
Moeller, R. (2007), COSO Enterprise Risk Management, Understanding the New Integrated
ERM Framework, John Wiley & Sons Inc, Hoboken, New Jersey.
National Audit Office (NAO) Malta (2014), “Annual Reports for Year 2014 on the Public
Accounts”, available at: http://nao.gov.mt/en/recent-publications (accessed 12 April
2019).
Office of the Prime Minister (OPM) Malta (1994), “Code of Ethics for Employees in the Public
Sector”, available at: https://publicservice.gov.mt/en/people/Documents/People-
Support-Wellbeing/Policies%20and%20Guidelines/Code-of-Ethics.pdf (accessed 18 April
2019).
Office of the Prime Minister (OPM) Malta (2016), “The Public Service Management Code”,
available at: https://publicservice.gov.mt/en/Documents/Public%20Service
%20Management%20Code/PSMC.pdf (accessed 18 April 2019).
Okoth, O., Kwaka, J., Muluka, B., Nyaboto B.S. (2011), Challenging the Rulers: A Leadership
Model for Good Governance, East African Educational Publishers Ltd, Kenya.
Open Compliance and Ethics Group (OCEG) (2008), “OCEG Benchmarking Series Report: GRC
Measurement and Metrics”, available at: www.oceg.org/ (accessed 03 February 2019).
Open Compliance and Ethics Group (OCEG) (2018), “Pillars of Principled Performance”,
available at: https://www.oceg.org/about/what-is-principled-performance/ (accessed 10
February 2019).
Open Compliance and Ethics Group (OCEG) (2018), “What is GRC?”, available at:
https://www.oceg.org/about/what-is-grc/ (accessed 10 February 2019).

Organisation for Economic Cooperation and Development (OECD) (2004), “OECD Principles of
Corporate Governance”, available at:
https://www.oecd.org/daf/ca/corporategovernanceprinciples/31557724.pdf (accessed 12
February 2019).
Özdamar, K. 2002. Statistical Data Analysis with Multivariate Programs (Multivariate Analysis).
Eskişehir: Kaan Bookstore.
Özdamar K. (2004) Tabloların Oluşturulması, Güvenirlik ve Soru Analizi. Paket Programlarla
İstatistiksel Veri Analizi-1. 5th ed. Eskişehir, Kaan Kitabevi
McDonald, R. P., & Ho, M.-H. R. (2002). Principles and practice in reporting structural equation
analyses. Psychological Methods, 7, 64-82. doi:10.1037/1082-989X.7.1.64
Pellegrini, C.B., Meoli, M., Urga, G. (2017), “Money market funds, shadow banking and
systemic risk in United Kingdom”, Finance Research Letters, Vol.21, pp. 163-171.
PricewaterhouseCoopers (PwC) (2004), “8th Annual Global CEO Survey”, available at:
http://www.globes.co.il/Serve/Researches/documents/8thAnnualGlobalCEOSurvey.pdf
(accessed 12 April 2019).
Public Risk Management Organisation (PRIMO) (2009), “Risk management attitudes and
behaviours in European public entities”, available at: https://www.primo-europe.eu/wp-
content/uploads/2010/01/publicentities_researchreport-english.pdf (accessed 12 March
2019).
Publicservice.gov.mt. 2020. size of the Public Service and the Public Sector
https://publicservice.gov.mt/mt/Pages/Home.aspx
Raykov, T., & Marcoulides, G. A. (2006). A first course in structural equation modeling (2nd
ed.). Lawrence Erlbaum Associates Publishers.
Saunders, M., Lewis, P., and Thornhill, A. (2007), Research Methods for Business Students,
Pearson Education Ltd, Harlow, Essex, England.
Schumacker, R.E. and Lomax, R.G. (2004), A Beginner's Guide to Structural Equation Modeling, 2nd ed.,
Lawrence Erlbaum, New Jersey.
Spira, L. and Page, M. (2003), “Risk Management: The reinvention of internal control and the
changing role of internal audit”, Accounting, Auditing & Accountability Journal, Vol. 16,
No. 4, pp. 640-661.
Sterck, M., Scheers, B. and Bouckaert, G. (2005), “The modernisation of the Public Control
pyramid: International trends”, available at:
http://steunpuntbov.be/rapport/s0405009.pdf (accessed 19 April 2019).
Surveysystem.com, 2020. Sample Size Calculator. https://www.surveysystem.com/sscalc.htm
Tabachnick, B.G. and Fidell, L.S. (2001), Using Multivariate Statistics, 4th ed., Allyn and Bacon,
Boston.
Tavşancıl, E. 2002. Measurement of Attitudes and Data Analysis with SPSS. Ankara: Nobel
Publications.
The Committee on the Financial Aspects of Corporate Governance (1992), “The Cadbury
Report”, available at:
https://ecgi.global/download/file/fid/9448 (accessed 12 February 2019).
The Institute of Internal Auditors (IIA) (2009), “IIA Position Paper: The Role of Internal Auditing
in Enterprise-Wide Risk Management”, available at: https://na.theiia.org/standards-
guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%20in
%20Enterprise%20Risk%20Management.pdf (accessed 20 April 2019).
The Institute of Internal Auditors (IIA) (2010), “Governance, Risk & Control”, available at:
https://na.theiia.org/standards-guidance/topics/Pages/Governance-Risk-and-Control.aspx
(accessed 20 April 2019).
The Institute of Internal Auditors (IIA) (2013), “The Three Lines of Defence in Effective Risk
Management and Control”, available at: https://na.theiia.org/standards-guidance/Public
%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective
%20Risk%20Management%20and%20Control.pdf (accessed 21 April 2019).

The Institute of Internal Auditors Research Foundation (IIARF) (2013), “Contrasting GRC and
ERM: Perceptions and Practices Among Internal Auditors”, available at:
https://na.theiia.org/periodicals/Public%20Documents/Contrasting%20GRC%20and
%20ERM_2013%20IIARF%20research%20report.pdf (accessed 20 April 2019).
The Laws of Malta (1964), “Constitution of Malta”, available at: http://www.justiceservices.gov.mt/DownloadDocument.aspx?app=lom&itemid=8566&l=1 (accessed 02 February 2019).
The Laws of Malta (2009), “Chapter 497, Public Administration Act”, available at:
http://www.justiceservices.gov.mt/DownloadDocument.aspx?app=lom&itemid=8963
(accessed 03 February 2019).
The Laws of Malta (2017), “Legal Notice 66 of 2017 Constitution of Malta : Public Service
Commission Disciplinary Regulations”, available at:
http://www.justiceservices.gov.mt/DownloadDocument.aspx?app=lp&itemid=28303&l=1
(accessed 02 February 2019).
The Risk Management Society (RIMS) (2018), “What Is ERM?”, available at:
http://www.rims.org/erm/pages/WhatisERM.aspx (accessed 20 March 2019).
The State of Queensland (Queensland Treasury) (2011), “A Guide to Risk Management”
available at: https://s3.treasury.qld.gov.au/files/guide-to-risk-management.pdf (accessed
02 March 2019).
The World Bank Group (2019), “Worldwide Governance Indicators”, available at:
https://info.worldbank.org/governance/wgi/#home (accessed 20 April 2019).
Treasury Board of Canada Secretariat (2001), “Integrated Risk Management Framework”, available at: https://www.canada.ca/en/treasury-board-secretariat/corporate/risk-management/guide-integrated-risk-management.html (accessed 12 March 2019).
Tricker, B. (2012), Corporate Governance: Principles, Policies and Practices, Oxford University
Press, United Kingdom.
United Nations Department of Economic and Social Affairs (UNDESA) (2015), “World Public Sector Report 2015: Responsive and Accountable Public Governance”, available at: https://www.un.org/development/desa/publications/2015-world-public-sector-report.html (accessed 20 April 2019).
United Nations Economic and Social Commission for Asia and the Pacific (UNESCAP) (2009), “What is Good Governance?”, available at: https://www.unescap.org/resources/what-good-governance (accessed 20 April 2019).
Vincent, J. (1996), “Managing risk in public services: A review of the international literature”.
International Journal of Public Sector Management, Vol. 9, No. 2, pp. 57-64.
Weston, R. and Gore, P.A., Jr. (2006), “A brief guide to structural equation modeling”, The Counseling Psychologist, Vol. 34, No. 5, pp. 719-751.
Xuereb, K., Grima, S., Bezzina, F., Farrugia, A. and Marano, P. (2019), “The Impact of the General Data Protection Regulation on the Financial Services’ Industry of Small European States”, International Journal of Economics and Business Administration, Vol. VII, No. 4, pp. 243-266.

Appendix A: Questionnaire circulated to Public Employees


Understanding the Actor, Value and Objective
What is your age?
18-30 years old
31-49 years old
Over 50
What is your gender?
Male
Female
Other
What is your highest academic qualification (level of education)?
School Leaving/Ordinary Level
Undergraduate
Post-Graduate
What is your current Public Service Grade/Scale?
Scale 1-5
Scale 6-12
Scale 13-16
For how many years have you been working in the Public Sector?
1-9 years
10-19 years
Over 20 years
Where do you currently work (Ministry/Department/Section)?

What are the main objectives of your Ministry/Department/Section?

Please answer using this Likert Scale: 1 = ‘totally disagree’ and 5 = ‘totally agree’
No. Theme 1: Governance 1 2 3 4 5
T 1.1 A strong governance structure is in place, with an established mission statement, composed with a set of derived strategic objectives; clear and understood roles, responsibilities, values; with policies and procedures that are documented and communicated to all employees.
T 1.2 A Good Corporate Governance framework is in place and working effectively with a high level of integrity, transparency, openness, ethics and morals in the daily operations of the Ministry/Department.
T 1.3 The Ministry/Department is fully accountable to the respective stakeholders, to the public and to those affected by its decisions and operations.
T 1.4 The Ministry/Department keeps itself informed and organized on the latest policies, procedures and practices respective to its functional areas for the best interest of the whole community and for the overall Public Sector image and reputation.
T 1.5 Best practices are in place, to assist leaders in taking the best decisions, as “Good Leadership is the major factor if one needs to achieve good governance” [5].

[5] Okoth Okombo et al., 2011
No. Theme 2: Risk Management 1 2 3 4 5
T 2.1 The Ministry/Department has people responsible for risk management practices who transmit a risk management culture across the Ministry/Department, through an integrated risk register framework with risk policies and procedures rooted in the corporate strategy; attached and linked to the operations and overall strategic objectives.
T 2.2 Communication of the identified risks to the relevant stakeholders is done promptly and in time to avoid adverse effects on operations.
T 2.3 Risks, uncertainties, drivers for opportunities and threats can affect a Ministry’s/Department’s value creation. These are clearly known and understood by the Public Leaders (actors) in my Ministry/Department.
T 2.4 Senior management organizes workshops and regular discussions with employees on exposures to different types of risks; determines and communicates the aggregated level of risk appetite and risk tolerance, to provide reasonable assurance regarding the achievement of set objectives.
T 2.5 Employees below management level are asked to provide input, recommendations and feedback into the risk identification process in order to assist in identifying the variety of risks arising from internal and external sources.
T 2.6 Control activities are in place, assessed and reviewed regularly to ensure that management directives are being carried out and are effective and relevant. A report evaluating such activities is compiled and referred to top management on a yearly basis.
T 2.7 Management and staff have the correct capacity, resources, tools, techniques, capabilities, necessary knowledge and skills to assess risks and ensure controls; measure and regularly monitor performance and results vis-à-vis objectives, strategic plans and targets to obtain an effective performance measurement and ensure that strategy is steering in the right direction.
No. Theme 3: Effective Compliance and Control 1 2 3 4 5
T 3.1 Integrity, tolerance, commitment and compliance with applicable laws and regulations, together with ethical behaviour, are central to the Ministry’s/Department’s operations and organisational culture.
T 3.2 The Ministry/Department reaches set targets, goals and objectives efficiently, whilst Management is effective in the decisions it takes to reach objectives.
T 3.3 The budgets allocated are sufficient for the Department/Ministry to reach its goals and objectives in time.
T 3.4 The Ministry/Department control structure focuses on the commitment and responsibility of its Public employees towards objectives and values, and on the prevention and detection of fraud in the use of public funds and in safeguarding resources against loss, misuse and damage.
T 3.5 The Financial Reporting of the Ministry/Department is compliant with the respective standards, rules and regulations.
T 3.6 The Ministry/Department has effective, direct, clear and confidential lines of communication permitting personnel to communicate concerns to the management, with a reputation of addressing, giving weight and ensuring confidentiality to all employee concerns, where issues are dealt with in a timely manner without much disruption.
T 3.7 The Ministry/Department has formal and informal ways to collect and process communications and feedback from external stakeholders.
T 3.8 Money invested in training officials and management is seen as an investment that can provide a positive return on the efficiency and effectiveness of the Ministry’s/Department’s daily operations.

No. Theme 4: Internal Auditing 1 2 3 4 5
T 4.1 A respectful relationship and good communication between the management and auditors can be felt, i.e. Internal Audit is seen as a credible, trusted advisor and perceived as a consulting body that adds value and improves operations, and not as a detriment in the management’s eyes.
T 4.2 An internal audit function is in place, with regular quality reviews defining required quality standards and staff performance feedback.
T 4.3 The Internal Audit and Investigations Department (IAID) conducts regular internal audit activities at your respective Ministry/Department and delivers information meetings on its operations.
T 4.4 The Internal Auditor’s findings are accepted, and recommendations are understood by the Management. Follow-up processes to ensure that the recommended actions have been effectively implemented are usually conducted.
T 4.5 Internal Auditors are specialised and possess excellent knowledge and experience in their audited areas. They offer professional, realistic, practical recommendations in line with real-life scenarios.

Further Comments
Do you have any further comments to add?
