Keywords: Public Sector; GRC; Governance; Risk Management; Compliance; Internal Control;
Internal Auditing; Efficiency and Effectiveness.
JEL Codes: D81, G32, H83, M42
1. Introduction
The National Audit Office (NAO), in 2014, stated that the Public Sector is continually
faced with challenges and opportunities due to the shifting developments and trends in
modern society. Such challenges, arising from the internal and external factors of a dynamic
world, affect the achievement of the Public Sector’s objectives and set targets, including: value
for money; customer care culture; increased decentralisation and flattened hierarchical
systems; increased diversity and demands for Work-Life Balance and the quality of work.
Academics, for many years, have published various policies and studies about
governance to help face these challenges, underlining the need to transform “the old
paradigm of an internal control focus to a business risk focus; from a reactive, after the fact
response to a real-time, monitoring response; from observers to participants in strategic plans
initiatives” (McNamee & Selim, 1998). The main challenge is to connect the dots between the
content of the business portfolio, the outside world as the object and Governance.
1 This chapter was edited by Engin Boztepe.
2 This Chapter is based on the unpublished MBA Thesis by Zammit, C. (2019). Governance, Risk and Compliance: A Case Study within the
Maltese Public Sector. Faculty of Economics, Management and Accountancy, University of Malta, supervised by Dr. Simon Grima.
3 The research work disclosed in this chapter is partially funded by the Endeavour Scholarship Scheme (Malta). Scholarships are
part-financed by the European Union – European Social Funds (ESF) – Operational Programme II – Cohesion Policy 2014-2020 “Investing in
human capital to create more opportunities and promote the well-being of society”.
Every Sector experiences risk, particularly those operating with many employees, such
as the Public Sector. Risk Management (RM) in the Public Sector is more complex, with a greater
societal impact arising from the extensive variety of interests and stakeholders involved.
McConnell and Drennan (2007) mentioned that Public Risk can have an impact on Public
values. Public RM is about Public Value Management, where Public leaders reach for public
values much as archers reach for their target.
Public leaders are continuously under scrutiny, held responsible for the efficient use of
public funds, and thus should encourage a culture where acting in the best interest of the
citizen is the routine, and not an exception to the rule. A Public Governance approach is crucial
to enable Public leaders, as the main actors, to deliver the electorally promised values related to
the Public domain (Kruf et al., 2019).
An effective and functioning governance system encourages the efficient use of
resources and strengthens accountability and performance, with robust scrutiny that delivers
the necessary pressure for overall improved decision making, enhanced Public Sector
performance and minimised corruption. Public Governance takes place in directing Public
values and objectives. Such an effective Governance approach will ultimately lead to improved
management, better service delivery, and better overall outcomes with improved lives for
people (Baldacchino, et al. 2020a).
One of the principal challenges is to educate Public leaders and obtain their full
support. Established risk owners need to communicate the message and sustain effective
relationship management. The Public Sector, in its wide range of functions, must satisfy a
composite range of political, social, economic and environmental objectives, subjecting it to
various internal and external constraints that may impact its Governance structures. A
well-informed management will allow the Public Sector to recognise the political, social, economic,
environmental and strategic risk impact of these objectives.
The Public Administration is usually linked with a risk-avoidance culture, taking a reactive
approach and employing bureaucratic processes to meet stakeholder and regulatory obligations.
This leads to adverse effects on the Public Sector’s reputation. Although significant
improvements have been made worldwide, GRC structures are still considered to be in their
infancy, with some limiting factors hindering the accomplishment of a holistic approach
towards GRC (Baldacchino, 2020b).
A pro-active, more risk-based approach is needed by leveraging unity across
regulations and stakeholder interests, to promote constant improvement. In the past years,
Public Risk Management Organisation (PRIMO) 4 has experienced risks not only in public values
but also risks coming from the high fragmentation present in governance principles and from
the high diversity of roles, stakeholders, perspectives, processes and interests. The scenario
makes services, citizens and governance poorly connected, crossing the line from good
governance. The challenge is to connect the services being offered, the clients and the
different levels of governance (Kruf, et al. 2019) (Dali, et al. 2019).
4 European organisation established with the aim of advancing the knowledge and use of risk
management within the local governmental sector, as well as the public sector at large, in Europe.
https://www.primo-europe.eu/
Moreover, we will also lay out our understanding and recommendations of how to
develop and strengthen a GRC maturity culture and good governance principles.
3. Research Questions
What is the maturity level of GRC in the Malta Public Sector as perceived by Public
Employees? – RQ1
How does this perception change with the different demographics (specifically, (1)
Age, (2) Gender, (3) Qualification (Education Level), (4) Grade/Scale in the Public
Service, (5) Years of Employment in Public Service, (6) The different place of work and
(7) the department and section’s objective)? – RQ2
What are the gaps, limiting factors (if any) faced by the management in adopting a
robust GRC culture throughout the Public Sector? – RQ3
Article 3 of the PAA states that Government Departments, agencies and entities are bodies
managing public resources that provide services to the public on behalf of the State, and shall
be governed by the PAA provisions, values and the Code of Ethics, and be subject to Ministerial
direction under the Constitution of Malta and the PAA, to which they shall be accountable.
First and foremost, it is the responsibility of all public employees to serve the public in
the best way. The public has the right to expect the highest integrity and competence, fair,
efficient and reasonable service. As emphasized in the PAA (2009, Part I, Article 4), a public
employee forming part of any department, agency and government entity, shall be governed
by values inherent in duties including: delivering service to the general public and the business
community in an impartial, courteous way in the least time possible; being efficient and effective
in the implementation of the policies of the Government of the day; and, through their own
conduct, making their workplace one which recognizes talent, cultivates skills and abilities,
rewards performance and avoids discrimination.
Additionally, a public employee shall be competent enough in his/her sector and be
able to provide knowledgeable and objective advice when asked. A public employee is
bound by the Code of Ethics and is obliged to report to his/her superiors any wrongdoing,
corruption or bad governance. All Government Departments fall under the responsibility of a
Minister, appointed by the Prime Minister of Malta, to direct and control organisations within
his/her remit. A Ministry is made up of the Minister’s Private Secretariat; Parliamentary
Secretariats that may be appointed to assist the Minister; the office of the Permanent
Secretary which acts as the non-political administrative arm of the Ministry and various
departments, Government entities and agencies falling within the Minister’s portfolio.
The Principal Permanent Secretary (PPS) is the leader of the civil service, upholds and
promotes public administration values and Code of Ethics, and is accountable to the Prime
Minister on all matters relating to the Public Service and the wider Public Sector. The PPS is
empowered to issue directives and guidelines on any matter relating to the management of
the Public Service and provides leadership and direction to the Permanent Secretaries (PS’s),
including setting performance targets and monitoring their performance.
The PS’s, from their end, as leaders of their respective Ministries, must ensure that their
Ministry and line-departments are working towards the fulfilment of government policy
objectives; that they are operating efficiently and effectively and delivering satisfactory services; and
that they are managed as per applicable directives and policies and according to the law.
Headship positions headed by their respective PS’s consist mainly of the Director
General (DG) who is a head of a large department or a division in a ministry; and the Director
who is a head of a small department or a directorate in a ministry. DG’s and Directors are
responsible for encouraging and upholding the Public Administration values, Code of Ethics
and relevant directives governing staff conduct, management and the use of resources.
The office of the Permanent Secretary is made up of the Corporate Services
Directorate. This Directorate provides support services to the departments and sections falling
within the remit of the Ministry, mostly in the areas of accounting and finance, procurement,
human resources (HR), asset management, registry services, parliamentary questions (PQ’s)
and customer care.
In order to ensure that the Public Administration is governed corporately, public
employees at all levels need to establish equitable provision of services and assure that their
behaviour is appropriate to reduce corruption (The Institution of Global Auditors, 2012). The
roles and responsibilities of Public Sector employees found in the First Schedule of Chapter 497
of the PAA entail the assurance that the Public Sector is being governed corporately.
allow an organisation to realise its objectives, while addressing uncertainty and acting with
integrity (OCEG, 2018).
Racz (2010) claimed that “GRC reflects an integrated approach on the issues of
governance, risk and compliance ensuring that an organisation acts in accordance with its self-
imposed rules, its risk appetite and external regulations”. It suggests horizontal and vertical
integration and the use of collaborations across processes and strategy. This can be realised by
concentrating on the leadership role the management must follow, influencing their way of
implementing responsibilities.
GRC needs to be an integration of different disciplines and philosophies to achieve
Principled Performance by setting, evaluating and ensuring the achievement of objectives with
responsibility and integrity, and managing the effects of uncertainties on the same objectives.
People in Governance; Strategy and Performance Management; Risk discipline; Audit
discipline; Compliance; and those responsible for ethics are all crucial for realising an effective
GRC function.
PricewaterhouseCoopers (PwC), in its 2004 annual global survey, was one of the
initiators in opening discussions regarding the idea of an integrated, holistic approach towards
GRC. PwC regarded GRC as a value-adding principle, essential to competitiveness. Similarly,
OCEG’s survey results in 2008 showed that respondents with an integrated GRC reported
more effective performance capabilities and an improved level of maturity in their Enterprise
Risk Management (ERM) capabilities.
Consistent with PwC’s and OCEG’s respective surveys, Grant Thornton International
(2009) recommended that the integration of GRC can help organisations to efficiently and
effectively develop their drive for performance. GRC can be considered as the mature,
revolutionary way to approach an integrated version of GRC activities, wherein such activities
continually support and improve each other to help enhance the reliability of achieving an
organisation’s objectives. It goes beyond obstacles and seeks opportunities (Mitchell, 2017).
7. Governance
World Bank (1992) refers to the term Governance as: “traditions and institutions by
which authority in a country is exercised”, whilst the Overseas Development Institute, London,
through Court, Hyden and Mease (2004) refers to the term as “the formation and stewardship
of the formal and informal rules that regulate the public realm, the arena in which state as well
as economic and societal actors interact to make decisions”. It is simply, “the culture, values,
mission, structure, and layers of policies, processes and measures by which organisations are
directed and controlled” (OCEG, 2004).
The Institute of Internal Auditors (IIA) refers to Governance as a mixture of structures
and processes executed by the board to advise, direct, manage and monitor an organisation’s
activities towards the attainment of its objectives (IIA, 2010). Governance specifies who is
responsible for what; gives responsibility to people and management; stipulates the
distribution of rights; and assures that everything is moving in line with the risk appetite, i.e. the
amount of risk an organisation is prepared to accept, and the risk tolerance, i.e. what is acceptable
after putting in place the appropriate controls to mitigate risks.
OCEG (2004) states that it is essential that those in charge of Governance
include an “arm’s length direction and control” through the governing authority and direct
control and operation through the management, and keep the organisation on track within
established boundaries, whilst managing performance against a plan informing all governing
bodies.
Public Governance can be associated with the way the state plays its role in social,
political and economic development. Managing public affairs incorporates aspects that relate
to Public administration, Public Management and Public Governance concepts (United Nations
World Public Sector Report, 2015). It is about setting direction, instilling ethics, overseeing
results, reporting on accountability, and correcting course of action. Governance is an
organisational culture where boards, directors and executives are committed to corporate
governance, with a high level of integrity and ‘tone at the top’ approach, principles of
transparency, ethics and morals.
commission underlined the need to reform European Governance to bring the citizens of the
member states (the object) closer to its institutions (the actors), where it highlights the five
main principles of good governance to be applied in all democratic Governments.
These principles consist mainly of: openness in terms of enhancing transparency in
the daily operations towards the general public and the member states; participation in terms
of inclusiveness in all stages of European policy decision-making; accountability where every
‘actor’ needs to provide clear explanation and assume his role in the policy decision-making
process; effectiveness in terms of policies that deliver what is required; and coherence.
The United Nations Economic and Social Commission for Asia and the Pacific
(UNESCAP) standards are consistent with the above analysis and indicate several fundamental
characteristics for good governance. These include: being participative, informed and
organized; reaching a broad consensus on what is the best interest for the whole community,
i.e. being consensus oriented; acting with a long-term perspective and understanding what is needed
for sustainable human development; being accountable to the public, stakeholders and to
those who will be affected by decisions; being transparent in the decisions; being responsive in
serving stakeholders within a reasonable timeframe; being effective and efficient in producing
results that meet society’s needs; making the best use of resources; being equitable and
inclusive in providing opportunities to improve or maintain well-being; and following the rule
of law (UNESCAP, 2009).
Many citizens consider good governance realisable solely by having laws, rules,
systems and structures. These alone do not guarantee good governance. Good leadership is
the major factor if one needs to achieve good governance (Okoth Okombo, et al. 2011). When
all the best practices are in place to assist leaders and managers in taking the best decisions,
then good governance can be achieved.
8. Risk
The International Organisation for Standardization (ISO, 2018) refers to the term risk as an
uncertainty, a deviation from the norm. Her Majesty’s (HM) Treasury, in the Orange Book (2004),
adds that it can either be positive, creating an opportunity, or negative, acting as a
threat. Moreover, it must matter to the company’s objectives.
In an uncertain world an organisation can face the chance of loss but also the
opportunity for gain. The IIA (2009), consistent with the above definitions, adds
that risk needs to be measured in respect of the consequences, the likelihood of occurrence,
and its impact if it does happen.
8.2 Risk Management in the Public Sector
The Public Sector faces several challenges and uncertainties arising from both internal and
external factors that may affect the achievement of objectives. According to Braig, et al.
(2011), the main challenges in the Public Sector involve frequent leadership changes and
vacant headship positions; leaders with a lack of knowledge in RM and business; a lack of clear
risk metrics; complex procedural requirements; and a limited risk culture and risk mind-set. The
variety of risks in the Public Sector is huge and the main responsibility is to guarantee to the
Public that no risk will threaten the perceived public value.
Brown & Osbourne (2011) stated that there is a gap in the literature concerning RM in
the Public Sector. Vincent (1996) mentioned that the main difference between the private and
the Public sector lies in the accountability and responsibility of the management. Private
sector organisations are accountable to their shareholders, who, in a voluntary way,
contributed capital for the formation of the organisation. Public agencies
and authorities, on the other hand, run on public funds collected from taxes.
In contrast with this literature, Spira & Page (2003) suggested that when it comes to
RM, all standards and principles apply more or less the same, concluding that there is no
substantial difference between sectors. However, Hansson (2005) highlighted another
difference in the attitude of the different sectors. This relates to the different measures that
are taken in the management of the identified risks.
Well-managed risk taking delivers benefits and creates opportunities for citizens and
taxpayers. RM helps ensure that Public Sector activities are appropriately controlled. It assures
better and reliable decision-making; improves efficiency; reduces overall unnecessary costs;
supports innovation and most importantly preserves and enhances the Public Sector’s
reputation which is ultimately expressed in trust and confidence in the service provider.
targeting processes and their risks; establishing goals and objectives; and assessing the RM
capability.
COSO suggests that ERM encompasses the alignment of risk appetite and strategy;
enhances risk response, risk avoidance, risk reduction, risk
sharing and risk acceptance decisions; reduces operational surprises and losses; and
proactively seizes and realises opportunities.
COSO presents eight components for an effective ERM framework. These include the
Internal Environment, the significance that RM is given within a department; Objective Setting,
translating a department’s mission statement into strategic objectives; Event Identification,
identifying the internal and external existences of risk that can positively or negatively affect a
department’s objectives; Risk Assessment, analysing and prioritizing risks on the basis of their
occurrence, likelihood and impact; Risk response, addressing risk events in order to bring them
within an acceptable risk appetite and tolerance levels; Control Activities, the Management’s
introduced policies and procedures to implement risk responses; Information and
Communication, the process of identifying, acquiring and communicating relevant information;
and Monitoring, evaluating the ERM process and implementing any necessary improvements in
order to keep it effective, efficient and relevant.
The ERM assessment tool has been developed in line with the principles of ISO 31000
(2009) “Risk management – Principles and Guidelines”. The introduction of ISO 31000 (2009)
offered an RM model with important steps that can be tailored according to an organisation’s
requirements and is easily applicable in various industries, including the Public Sector. It indicates
steps for establishing the context; identifying, analysing, evaluating, and treating risks;
communication and consultation; monitoring and review. The main principles found in this
standard include those related to creating value; being an integral part of the organisational
processes including those related with decision making; addressing uncertainty; being
structured, systematic and in time; using the best available information; taking human factors
into account; facilitating continual improvement; and being transparent, inclusive, dynamic,
iterative and responsive to change.
9. Compliance
A South African PwC advisory services leader once stated that a properly integrated GRC
develops the control environment permitting the management to send a message to the board
that the business is in control (Baldacchino, et al. 2019). According to Van Wyk (2013), a strong
interrelationship should exist between GRC and control. Open Compliance and Ethics Group
(OCEG) (2018) states that putting Compliance and ethics at the centre, will help an
organisation drive towards its objectives; act with integrity and stay within mandated
boundaries i.e. laws, rules and regulations and within voluntary boundaries i.e. organisation
values. OCEG continues to add that the main goals of compliance should include those related
with legal and regulatory requirements; with internal policies; managing compliance risks and
establishing an ethical culture.
Ideally, those with compliance responsibilities should understand the current and
future strategy of an organisation and be involved in strategy discussions to ensure that
compliance is factored in the strategic decisions. Collier and Woods (2011) in a study on
Australian and UK authorities revealed that compliance with legislation was a significant driver
in RM implementation, where subsequently the external monitoring of RM had effects on
financial resource allocation.
In a few words, compliance develops control. It is the result of satisfying the
requirements of regulations, codes of ethics and conduct; the process of monitoring the
necessary controls. It is all about adherence to the criteria in the respective laws and
regulations, an important function in light of the ever-increasing policies, laws, and legislation.
However, it is not only about complying with and adhering to the applicable laws and regulations. An
organisation needs to build an internal culture of compliance and incorporate an ongoing
support programme from the board and senior management. It is vital for the long-term
planning and growth of an organisation (Camilleri, et al. 2019).
procedures that guarantee management directives and ensures that actions are taken to
address risks identified in the risk assessment stage. Information and Communication is vital
both internally, flowing down, across and up the organisation, and externally with customers,
suppliers and shareholders.
The International Organisation of Supreme Audit Institutions (INTOSAI) framework
relies on the COSO framework, and is revised to the requirements of the public sector, where
controls are understood within the context and characteristics of meeting the social and
political objectives; the use of public funds; the importance of the budget cycle and the
complexity of performance in terms of integrity, legality, transparency, efficiency and
effectiveness in managerial values.
The Criteria of Control (COCO) Framework, developed by the Canadian Institute of
Chartered Accountants (CICA) in 1995, is another international standard built on COSO, with
principles organized into criteria including: Purpose; Commitment; Capability; Action; Monitoring
and Learning. By purpose, the model starts with the need for a clear direction, i.e. objectives,
vision and strategy, mission, risks, opportunities, policies, planning and performance indicators.
It continues with the commitment people within the organisation must understand and the
way they need to position themselves within the organisation’s values, such as ethical values,
human resource policies, integrity, authority, responsibility, accountability and trust.
The Capability criteria include the resources and competences such as knowledge,
skills, tools, communication processes, information, co-ordination and control activities that
people must possess to understand and discharge the control model. Employees should have
the correct experience, skills and attitudes to perform well, assess risks and ensure controls.
Monitoring and learning embraces monitoring performance, the internal and external
environment, follow-up procedures, and assessing the effectiveness of control. Each control
activity must be seen as a positive learning process and not as a mechanism for punishing
people.
The COCO criteria encourage a positive response on control activities. COCO refers to
internal control as an action that fosters best results for an organisation through efficiency and
effectiveness of operations; reliability of internal and external reporting and compliance with
relevant laws and regulations (Grima et al. 2017).
standards for Internal Control are also based on the COSO framework, for identifying and
addressing key performance management challenges and high internal risks.
Other countries were more proactive in implementing and strengthening RM, making
it part of the priority list in the Public Sector Management agenda. In Canada, the Treasury
Board of Canada Secretariat (2001), developed an Integrated RM Framework that provided
guidance to adopt a holistic approach in managing risk, to enable employees to understand and
manage the nature of risk, through an ongoing assessment of the likelihood of risks in an
organisation at every level. Results were then aggregated at the corporate level to ease
priority setting and improve decision-making. Such an integrated RM system tends to become
rooted in an organisation’s corporate strategy, which consequently forms an RM culture across
the organisation.
In the United Kingdom (UK), the Chartered Institute of Public Finance and Accountancy
(CIPFA), in 2004, issued “The Good Governance Standard for Public Services”, an update of the
corporate governance framework, highlighting the underpinning governance principles. This
standard specified the meaning of good governance, and how to implement transparent
and informed decisions in order to manage risk.
An effective RM system is significant to the successful delivery of Public Services, as it
supports internal control. Subsequently, in the UK, Public service organisations are advised to
produce an annual statement on internal control, including their suitable responses to risks;
insuring against risks; and their executed internal controls together with any actions that were
taken to terminate or modify the activity that caused the risks.
Barrett (2005) stated that Australia failed to deliver reliable ways of assessing the
sector’s overall risk position and in establishing suitable risk treatments for assurance and
performance, given their silo approach towards RM in the Public sector. Thus, a measure of
the RM maturity in the Australian public sector was incorporated for entities to embrace
organisation-wide RM, known as ERM, and was integrated in their strategic and operational
objectives.
11.1 Internal Auditing
The IIA (2013) defines Internal Auditing as a consulting, independent and objective
assurance intended to add value and improve an organisation’s operations. Internal Auditing
helps an organisation achieve its objectives and improve the effectiveness of governance, RM
and control processes.
OCEG (2018) states that people in Internal Audit and assurance roles need to be at
the heart of GRC and principled performance. IA’s should be more than just assurance
providers. An IA should provide insight; suggest and advise; guarantee accuracy; assess risks;
be able to access controls; and promote ethics in order to improve operations. An IA should assist
the management, audit committee and the board by evaluating, monitoring, examining,
reporting and recommending improvements; however, the primary responsibility for
implementation or maintenance rests in the hands of management.
An IA’s primary responsibility is to examine, scrutinise and contribute to the constant
effectiveness of the RM processes and internal control systems. Consistent with the above, the
UK Audit Commission (2001) states that an IA must challenge the risk identification and
evaluation process and provide assurance to officers on the effectiveness of controls. It adds
that such roles should be separated from the operating RM processes and control structures,
as these should remain the management’s responsibility.
Moeller Robert (2007) describes the role of the IA as the “eyes and ears” of
management who visit all areas of an organisation, review, monitor and report back to the
management on the status of operations and activities. However, due to today’s changing
business, increased complexity and risky environment, IA functions seen from such a
narrow perspective are not viewed as valuable. The role of IA should be perceived as both an
assurance provider and a value-added trusted advisor to the organisation, by aligning
expectations, building capabilities, delivering quality and increasing value.
12. Methodology
during the month of July 2019 to all Maltese Public employees across the Public Service and
the Public Sector (Ministries, Departments, agencies and other public entities). This was done in order to
obtain participants’ perception on each statement.
Designing and administering such a questionnaire required important steps. Prior to its
distribution, a piloting exercise was conducted with a small group of public employees in order
to obtain feedback on the quality and effectiveness of the questions and theme statements
(Saunders et al. 2007). The first version of the questionnaire consisted of eight statements per
theme, with five themes, i.e. forty statements in total. After scrutinising the preliminary pilot
study feedback, we decided to shorten and redesign the statements with less technical words.
Moreover, we reduced the statements which explained the 4 themes to twenty-five
statements in total. This made the questionnaire less time consuming for the respondents.
Pilot testing provided us with indications on the initial time consumed to complete the
questionnaire; whether the instructions, questions, and statements were clear; whether respondents
objected to answering any of the questions; whether the wording used simple language; and whether
the overall layout was user friendly.
The first part of the questionnaire included a covering statement, stating the scope
and objectives of the research and the use of information. The second part consisted of five
different demographic questions, asking for personal details including age; gender; the highest
academic qualification; what Public employment position they hold; and the number of years
employed in the Public Sector. These questions were grouped in three categories, in order to
maintain general responses and make respondents comfortable to participate. Two additional
demographic questions asking for their current office i.e. where they perform their duties, and
their set departmental objectives were included in order to understand better the actor, value
and the object.
The third part, being the salient part of the questionnaire, consisted of twenty-five
different statements explaining the four different themes, to which participants were asked to
respond on a 5-point Likert scale indicating their level of agreement or disagreement with the
themed statements vis-à-vis the level of compliance and enforcement at their place of work:
“1” being total disagreement; “2” disagreement; “3” neutrality; “4” agreement; and
“5” total agreement. The last part of the questionnaire was optional, asking for any additional
comments. The response data were initially entered into an MS Excel sheet and then
transferred to SPSS software to allow for statistical analysis.
more educated workforce. In fact most of the respondents (49.8%) have a Post-Graduate
qualification; 29.2% have an undergraduate qualification and the remaining 21% have a school
leaving/ordinary level. From this result, the researcher can notice t
Most of the respondents (59%) hold a middle management position between scale 6-
12, ranging from Assistant Managers; Managers I to Managers II. 21.6% of the respondents
hold a headship position between scale 1-5. These can range from Assistant Directors;
Directors; DG’s to PS’s. The remaining 19.3% hold a lower position between scale 13-16,
including Clerks, Senior Clerks and Executive officers.
The more experienced public employees segment, i.e. those with over 20 years of service,
participated the most (41%), followed by the newcomers (33.4%), i.e. public employees with
1-9 years of experience. The remaining 25.6% of the respondents were in the 10-19 years of
experience category.
Most of the respondents (32.5%) were from the Ministry for Finance (MFIN) and its
line departments; 10% from the Office of the Prime Minister (OPM); and 8.5% from the
Ministry for Health (Health). These 3 were categorised separately, given the substantial
percentage of respondents. The remaining participants i.e. small percentage of respondents
from various other Ministries and Departments across the Public Service were clustered
together and labelled as Public Service others i.e. an amalgamated 40.5%; whilst the
remaining 8.5% from agencies, authorities and entities were clustered together and labelled as
Public Sector.
Similarly, we conducted a thematic analysis of the respondents’ departmental
objectives. 49% of the respondents mentioned finance-related objectives; 24% mentioned
operations-related objectives and the remaining 27% mentioned services-related objectives.
non-parametric analogue of the One-Way ANOVA test) to determine how the GRCME Model
measures vary with participants’ (1) Age, (2) Gender, (3) Qualification (Education Level), (4)
Grade/Scale in the Public Service, (5) Years of Employment in Public Service, (6) The different
place of work and (7) the department and section’s objective (i.e. RQ2). The latter test was
carried out due to the non-normal distribution identified by the Shapiro-Wilk test.
We then used structural equation models (SEM), a very frequently used technique for
performing confirmatory analysis on various data sets. SEM is a general term covering many
models that involve variables that cannot be directly measured and that contain
potential errors in measurement (Raykov and Marcoulides, 2006). In the literature,
path analysis, confirmatory factor analysis, structural equations and structural
equation models are therefore examined under different headings and methods (Bayram 2010).
Confirmatory factor analysis (CFA) is the best method to test the construct validity of
the scale to be used after performing the exploratory factor analysis (EFA). In this respect, CFA
can be considered as an extension of EFA. With EFA we obtained information about the factor
structure: we determined the number of factors that the observed variables measure, what these
factors are and whether the factors are related (Schumacker & Lomax, 2004). With CFA, we
tested whether there is a satisfactory relationship between these factors, whether the factors
under consideration are sufficient to explain the model, and the relationships between the
observed variables and the measured structure (Özdamar, 2004; Weston & Gore, 2006). We
specifically used AMOS 16 software to check and demonstrate by CFA the validity of the
4-factor structure resulting from EFA and the reliability of the dimensions in the structure.
The main function of the fit indexes is to determine how well an established model
fits the data set at hand. There are many fit indexes developed for this purpose, and
researchers have made several recommendations regarding which fit indices to report:
McDonald and Ho (2002) recommend CFI (Comparative Fit Index), GFI (Goodness of Fit Index),
NFI (Normed Fit Index) and NNFI (Non-normed Fit Index; the TLI, Tucker Lewis Index, carries
out the same measurement and is the name used in AMOS); Garver and Mentzer (1999) recommend
RMSEA (Root Mean Square Error of Approximation), CFI and NNFI (TLI); Brown (2006) recommends
RMSEA, SRMR (Standardized Root Mean Square Residual), CFI and NNFI (TLI); and Iacobucci
(2010) recommends reporting the CFI and SRMR fit indices.
As we can note, researchers have different opinions about which to report. Despite
this, all researchers agree on reporting the χ² / df ratio. The χ² value is not given
alone because it is sensitive to the sample size; dividing the χ² value by the degrees
of freedom is aimed at eliminating this sensitivity.
44.21% of the variance and comprised 8 items. Factor 2, which has been termed “Internal
Audit (IA)” explained 6.90% of the total variance and comprised 5 items. Factor 3, which has
been termed “Risk Management (RM)” explained 6.32% of the total variance and comprised
7 items. Factor 4, which has been termed “Governance (G)” explained 4.54% of the total
variance and comprised 5 items (Hair et al., 1998).
Table 1: Factors (a)
Statements (vide Appendix A)   Factors/Themes: 1 2 3 4
T1.1   -.725
T1.2   -.737
T1.3   -.606
T1.4   -.673
T1.5   -.670
T2.1   -.687
T2.2   -.617
T2.3   -.500
T2.4   -.759
T2.5   -.649
T2.6   -.552
T2.7   -.497
T3.1   .663
T3.2   .652
T3.3   .680
T3.4   .448
T3.5   .580
T3.6   .584
T3.7   .690
T3.8   .470
T4.1   .559
T4.2   .710
T4.3   .835
T4.4   .879
T4.5   .807
Extraction Method: Principal Component Analysis.
Rotation Method: Oblimin with Kaiser Normalization.
(a) Rotation converged in 16 iterations.
Source: Authors’ Compilation
13.2 Scale Reliability Test
We then generated in SPSS (version 20) the average scores for each theme and the
Cronbach’s alpha, which revealed that the measures of the 4 factors were internally consistent
with scale reliability. The Cronbach’s alpha coefficients of this scale were between 0.85 and
0.88 (Table 2). Therefore, we can conclude that this scale is reliable as part of our statistical
analysis. We also checked the inter-item correlations, which were all positive, indicating that
the mean scores of the (G), (RM), (CCE) and (IA) variables are positively related.
Table 2: Cronbach’s Alpha (N=305)
Factor/Theme   Items   Mean   Min-Max       Cronbach’s Alpha
1              5       3.70   3.531-3.911   0.85
2              7       3.16   2.715-3.587   0.88
3              8       3.67   3.187-4.069   0.88
4              5       3.35   3.302-3.685   0.87
Source: Authors’ Compilation
The computed ‘GRCME Model’ measure of GRC Maturity Level for the Public sector
shows a mean of 3.51 (SD = 0.678). All the Factors (1, 2, 3 and 4) produced means that were
close to the computed GRCME Model (Table 3). This shows that participants from the Public
sector, overall, are in agreement that the Maturity level is high. However, they are neutral
about the public sector maturity in ‘Risk Management’. That is, they do not have an opinion or
are unsure whether Risk Management in the public sector is mature enough.
Table 4: Shapiro-Wilk
Theme                              Statistic   df    Sig.
Governance                         .974        305   .000
Risk Management                    .991        305   .049
Effective Compliance and Control   .975        305   .000
Internal Audit                     .968        305   .000
Source: Authors’ Compilation
0.078, SRMR = 0.057, IFI = 0.087). Following this, the modifications proposed by AMOS were made,
the measurement model was re-estimated and the results are shown in Table 5. According
to the results obtained, the model fitted the data. These results show that the scale
dimensions revealed by the EFA are valid and an acceptable scale has emerged.
The standardized factor loadings in the four-factor model ranged from 0.524 to 0.768
for F1, 0.679 to 0.816 for F2, 0.535 to 0.828 for F3, and 0.551 to 0.768 for F4. In addition, the
correlation between F1 and F2 was calculated as 0.759, the correlation between F1 and F3 was
0.779, the correlation between F1 and F4 was 0.828, the correlation between F2 and F3 was
0.716, the correlation between F2 and F4 was 0.664 and the correlation between F3 and F4
was 0.776. When the coefficients, validity and reliability tests that emerged as a result of the
analysis were examined, it was revealed that the model was structurally valid.
(1) (IA), which varies with the different place of work (χ² = 7.149, df = 2, p-value < 0.05); that
is, Ministry with a mean rank (μ = 96.57), Department with a mean rank (μ = 79.35) and
Section with a mean rank (μ = 104.19); and with the Ministry, Department and Section’s
objectives (χ² = 6.556, df = 2, p-value < 0.05): Finance with a mean rank (μ = 107.93),
Operations with a mean rank (μ = 80.72) and Services with a mean rank (μ = 102.50).
(2) (RM), which varies with Gender (χ² = 4.719, df = 2, p-value < 0.1): Male with a mean rank
(μ = 101.23), Female with a mean rank (μ = 121.36) and Other with a mean rank
(μ = 130.41).
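The mean ranks, χ² statistics and p-value thresholds listed above are the outputs of the Kruskal-Wallis test. The following is an added example, not the authors' SPSS output or code: it computes the tie-corrected H statistic and per-group mean ranks for constructed Likert-style scores, and uses the closed-form χ² tail for df = 2 to check the three reported statistics against their stated thresholds. The function names and the `SAMPLE` scores are assumptions made for illustration.

```python
import math
from collections import defaultdict


def average_ranks(values):
    """Rank values from 1..n, giving tied values the mean of their positions.

    Returns (ranks, tie_sizes); tie_sizes feeds the tie correction.
    """
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    tie_sizes = []
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + j) / 2 + 1  # positions i..j are 0-based
        for k in range(i, j + 1):
            ranks[order[k]] = mean_rank
        tie_sizes.append(j - i + 1)
        i = j + 1
    return ranks, tie_sizes


def kruskal_wallis(groups):
    """groups: {label: [scores]}. Returns (H, df, mean_rank_per_group)."""
    if len(groups) < 2 or any(len(s) == 0 for s in groups.values()):
        raise ValueError("need at least two non-empty groups")
    labels = [g for g, scores in groups.items() for _ in scores]
    values = [v for scores in groups.values() for v in scores]
    n = len(values)
    ranks, tie_sizes = average_ranks(values)

    rank_sums = defaultdict(float)
    for label, rank in zip(labels, ranks):
        rank_sums[label] += rank

    # H = 12 / (n(n+1)) * sum(R_g^2 / n_g) - 3(n+1)
    h = 12.0 / (n * (n + 1)) * sum(
        rank_sums[g] ** 2 / len(scores) for g, scores in groups.items()
    ) - 3 * (n + 1)

    # Likert data is heavily tied, so the tie correction matters.
    correction = 1 - sum(t ** 3 - t for t in tie_sizes) / (n ** 3 - n)
    if correction == 0:
        raise ValueError("all scores are identical; H is undefined")
    mean_ranks = {g: rank_sums[g] / len(s) for g, s in groups.items()}
    return h / correction, len(groups) - 1, mean_ranks


def chi2_sf_df2(x):
    """Upper-tail probability of a chi-square variate with df = 2."""
    return math.exp(-x / 2)


# Constructed theme mean scores (averages of 1-5 Likert items); not survey data.
SAMPLE = {
    "Ministry":   [3.8, 4.0, 3.6, 4.2, 3.4, 3.8],
    "Department": [3.0, 3.2, 2.8, 3.4, 3.0, 3.6],
    "Section":    [4.0, 4.4, 3.8, 4.2, 3.6, 4.6],
}

# (statistic, stated threshold) pairs as reported in the text; all have df = 2.
REPORTED = [(7.149, 0.05), (6.556, 0.05), (4.719, 0.10)]


def check_reported():
    """Return (statistic, p-value, below stated threshold?) for each result."""
    return [(x, chi2_sf_df2(x), chi2_sf_df2(x) < alpha) for x, alpha in REPORTED]


if __name__ == "__main__":
    h, df, mean_ranks = kruskal_wallis(SAMPLE)
    print(f"H = {h:.3f}, df = {df}, p = {chi2_sf_df2(h):.4f}")
    for group, rank in mean_ranks.items():
        print(f"  {group}: mean rank {rank:.2f}")
    for x, p, ok in check_reported():
        print(f"reported chi2 = {x}: p = {p:.4f}, below threshold: {ok}")
```
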
13.7 Discussion
The Governance (G) Theme – findings indicate a perception by participants of a
mature and a robust governance culture across the Public Sector, where its Ministries,
Departments, entities and agencies are in line with the essential Governance mechanisms,
following the latest practices; functioning with openness, accountability, transparency,
integrity and ethics in their daily operations. No evident limiting factors were identified with
regard to Governance, except for a visible level of neutral responses in statements T1.1 and
T1.2. This could be because respondents might have been unsure of their response.
Risk Management (RM) Theme – Risk Management in the Public Sector is relatively
still a new area. However, from the results obtained, it can be noted that more effort is
required in order to consider RM in the Maltese Public Sector as being at a mature stage. As
noted also from literature regarding RM in the Public Sector, this area requires the largest
improvement. The RM function faces various challenges and uncertainties including
continuous leadership changes; lack of knowledge in RM; lack of clear risk metrics; limited risk-
culture and risk mind-set (Braig, Gebre & Sellgren, 2011).
Also, findings show that Males perceived their place of work as less conscious of RM
practices than Females did. More consciousness is surely required in
order to adopt a robust internal culture of RM.
From the further comments, it transpires (73 participants) that the Public Sector may
not be fully aware about the amount of risks present in its daily operations. Exercises on
evaluating and prioritizing risks demanded by COSO ERM and ISO 31000 are still in their
infancy phases as shown in most of the responses (33 participants). Moreover, it seems that
there is a lack of RM strategies in place, with a lack of risk identification, documentation and
mapping due to the absence of risk-assessments. This was also reflected in the responses to
statements T2.1-T2.5, especially with respect to statement T2.4, with approximately 38
respondents reporting a lack of organized workshops and RM discussions by
senior management towards their employees. Such absence can have negative ripple effects
on the overall GRC components, given that without formal RM plans and processes, the entire
GRC process risks becoming a compliance-driven bureaucratic exercise.
Moreover, also highlighted is a necessity to train people on (1) the importance of RM
(43 participants) and (2) how to appropriately implement the risk register frameworks at the
place of work, as one of the essential mechanisms demanded by a holistic RM environment (36
participants). Some (13 participants) of the respondents mentioned other gaps including the
lack of people focused on RM or that RM is not dealt with at their place of work. Others (5
participants) argued that they may not be aware about any RM strategies in place.
Also, it transpires from the responses of a few participants (3 participants) that
insufficient allocation of human and financial resources could be one of the limiting factors in
the ability to adopt a holistic strategic approach towards RM. Overall, this shows that
developments are required in order to be in line with the mechanisms demanded by an
effective RM environment including actions, components and principles required by the COSO
ERM framework and ISO 31000.
Efficient Compliance and Control – Findings show that participants have a positive
perception of the maturity level in the compliance and control functions. However, similar to
the other themes there was a noticeable level of neutral answers especially in statement T3.3,
where 77 participants disagreed and another 109 participants expressed scepticism that
enough resources, knowledge and skills are present for a fully functioning internal control
structure. This might show the need to improve the resource-base.
Thus, we can identify an existing limiting factor with regard to the capability criteria in
resources and competence towards assessing risks and ensuring compliance and control
activities and responsibilities. Such criteria form part of the principles of the COCO framework
developed by CICA. Also, although funds are being devoted to training as confirmed from T5.5
responses, it transpires that training courses specifically targeted at RM and internal control
practices need to be introduced.
Internal Auditing – Findings demonstrate participants’ perception of a good maturity
level and culture in IA. These findings however vary with the place of work and the Ministry,
Department and Section’s objectives.
When the statements were individually tested, the proportion of results in (IA) theme
showed skewness towards a positive perception, indicating that most Public employees
perceive their place of work as being in line with Internal Audit practices. However, from
further comments there were still a number of respondents (36 participants) who were
sceptical about the overall effectiveness of IA’s conducted audits. This shows that the Malta
Public Sector is still not yet fully aligned with the necessary mechanisms demanded by a
holistic GRC environment in the area of Internal Auditing. 93 respondents expressed neutrality
when asked whether they see an IA as a trusted advisor across the Public Sector, with 39
participants expressing negative feedback on the same statement T4.1.
It seems that although the Internal Audit and Investigations Department (IAID)’s
effectiveness in its independent, consulting and investigative role in the Public Sector is
improving, more effort is needed so that an IA is perceived as not only delivering
assurance, but also as a trusted advisor that adds value and improves operations. The results
from statements T4.2 and T4.5 show that there is a lack of decentralised IA functions across
the Public Sector. Also, a lack of information meetings was highlighted in statement T4.3 and
a lack of follow-up processes was highlighted in T4.4. Such limiting factors can be a result of
the present gaps in human resources.
Such gaps and weaknesses were seen from the thematic analysis of the further
comments section, giving rise to existent limiting factors. Some respondents (22) stated that
they are not aware that IAID conducts internal auditing at their department, whilst others (38)
stated that they are facing difficulties through the lack of professional accounting staff. They
added that the Public Service might be losing its best human resources with the most
experienced and skilful employees leaving for better salaries, more job satisfaction and better
conditions of work.
Another respondent stated that IA’s recommendations are not always practical to the
real work life scenario issues, and sometimes impossible to implement. The same respondent
added that a decentralised internal audit function is required within every Ministry. This shows
the necessity of specialised IAs who are preferably experts in their audited areas, so as to be
able to fully understand the role and functions of the audit client and their environment’s
mechanisms. This would enable an Internal Auditor to recommend real-life applicable and
proactive actions for the identified weaknesses.
14 Conclusions
The Public Sector requires a framework to address and improve the quality of Public
RM, better manage current risks and stakeholder expectations, to expand GRC. After analysing
the findings that came out from this study, we identified some gaps in the maturity level of
GRC. The Public Sector will be benefitting, as it will sustain improvements towards RM issues;
improve its overall reputation; customer trust and confidence in the services being offered.
If used for public consumption, it can determine the Public Sector’s GRC state of
maturity and protect reputation, given the more effective management of risks. Barrett (2005)
states that an effective RM is the cornerstone of good governance and can lead to improved
overall performance; better service delivery; better project management; maximising the
efficient use of resources; minimising fraud, waste and poor value-for-money decision-making.
All in all, Society as the object will also benefit: when Public organisations as the main
actors, the services being offered as the content and society as the object are connected,
the efficiency and effectiveness of the Public Sector services towards society will
automatically improve, minimising the risk of a lack of connection between the different
governance elements that can cause disruption. A successful implementation of GRC together
with improvements in RM and internal auditing will have a positive impact on the overall
performance, and on the attainment of objectives.
REFERENCING
Asante, A.O. (2015), “Auditors’ Independence and Audit Quality: Evidence from Banks in
Ghana”, available at:
http://ir.presbyuniversity.edu.gh:8080/jspui/bitstream/123456789/127/1/AUDITORS
%E2%80%99%20INDEPENDENCE%20AND%20AUDIT%20QUALITY%20EVIDENCE%20FROM
%20BANKS%20IN%20GHANA.pdf (accessed 20 April 2019).
Audit Commission (2001), “Worth the risk: improving risk management in local government”,
available at: https://moderngov.rotherham.gov.uk/documents/s3633/Worth%20The
%20Risk%20-%20Audit%20Commission.pdf (accessed 15 March 2019).
Baldacchino, G. 2006. Islands, Island Studies. Island Studies Journal, Vol. 1, No. 1, 3-18.
Baldacchino, P.J., Vella, C. and Grima, S., 2019. The Corporate Governance Code and
Compliance by Maltese Listed Companies. International Journal of Economics and
Business Administration Volume VII, Issue 2, 2019, pp 71-90.
Baldacchino, P., Camilleri, A., Schembri, B., Grima, S., Thalassinos, E. 2020a. Performance
Evaluation of the Board of Directors in Listed Companies: A Small State perspective.
International Journal of Finance, Insurance and Risk Management. Volume X, Issue 1,
2020, pp. 99-119.
Baldacchino, P., Tabone, N., Schembri, Camilleri, J., Grima, S. 2020b. An Analysis of the Board
of Directors Composition: The Case of Maltese Listed Companies. International Journal of
Finance, Insurance and Risk Management. Volume X, Issue 1, 2020, pp. 99-119.
Barrett, P. (2005), “Future Challenges for Risk Management in the Australian Public Sector”,
available at:
https://pdfs.semanticscholar.org/0cf6/23a7deff6a24b8c1a9510170e4c91ff2e637.pdf
(accessed 15 March 2019).
Bayram N. (2010) Yapısal Eşitlik Modellemesine Giriş AMOS Uygulamaları, Bursa, Ezgi Kitapevi
Bezzina, F., Grima, S., and Mamo, J. (2014), “Risk management practices adopted by financial
firms in Malta”, Managerial Finance, Vol. 40. No. 6, pp. 587-612.
Borg, G., Baldacchino, P.J., Buttigieg, S., Boztepe, E. and Grima, S. 2020. Challenging the
Adequacy of the Conventional ‘Three lines of Defence’ Model: A case Study on Maltese
Credit Institutions. Chapter 18, pp. 303-324. Contemporary Issues in Audit Management
and Forensic Accounting. Contemporary Studies in Economic and Financial Analysis,
Volume 102 Emerald Group Publishing Limited.
Bozeman, B. and Jorgensen, B. (2007), “Public Values: An Inventory”, Administration & Society,
Vol. 39, No 3, pp. 354-381.
Braig, S., Gebre, B., and Sellgren, A., (2011), “Strengthening risk management in the US public
sector”, Working Paper No. 28, McKinsey and Company, U.S., May 2011.
Braun, Virginia and Clarke, Victoria (2006) 'Using thematic analysis in psychology', Qualitative
Research in Psychology, 3: 2, 77-101. http://dx.doi.org/10.1191/1478088706qp063oa
Briguglio, L. 1995. Small island developing states and their economic vulnerabilities. World
Development, Vol. 23, No. 9, 1615-1632.
Brown, L. and Osbourne, S. (2011), “Innovation in Public Services: Engaging with Risk”,
available at:
https://www.researchgate.net/publication/263271921_Innovation_in_Public_Services_En
gaging_with_Risk (accessed 19 March 2019).
Brown TA. Introduction to CFA. Confirmatory Factor Analysis for Applied Research. 3rd ed.
New York: The Guilford Press; 2006
Büyüköztürk, Ş. 2002. Factor Analysis: Basic Concepts and Use in Scale Development.
Journal of Education Management, Fall, 470-433.
Camilleri, S.J., Grima, L., Grima, S. 2019. The effect of dividend policy on share price volatility: an
analysis of Mediterranean banks’ stocks, Managerial Finance, Vol. 45 Issue: 2, pp.348-
364, https://doi.org/10.1108/MF-11-2017-0451
Canadian Institute of Chartered Accountants (CICA) (1995), “The COCO Framework”, available
at: www.cica.ca (accessed 20 February 2019).
Chartered Institute of Public Finance and Accountancy (CIPFA) (2004), “The Good Governance
Standard for Public Services”, available at:
https://www.jrf.org.uk/sites/default/files/jrf/migrated/files/1898531862.pdf (accessed 21
February 2019).
Collier, P. and Woods, M. (2011), “A Comparison of the Local Authority Adoption of Risk
Management in England and Australia”, Australian Accounting Review, Vol. 21, No. 57 pp.
111-123.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (1992), “Internal
Control Integrated Framework”, available at: https://www.coso.org/Pages/default.aspx
(accessed 20 February 2019).
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004),
“Enterprise Risk Management – Integrated Framework, Executive Summary”, available at:
https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf (accessed 20
February 2019).
Court, J., Hyden, G., and Mease, K. (2004), “Making sense of Governance: The Need for
involving local stakeholders”, available at: https://www.odi.org/sites/odi.org.uk/files/odi-
assets/publications-opinion-files/4092.pdf (accessed 20 April 2019).
Dalli Gonzi, R., Grima, S., Kizilkaya, M. and Spiteri, J. 2019. The Dali Model in Risk-Management
Practice: The Case of Financial Services Firms. Journal of Risk and Financial Management.
MDPI. pp 1-15.
De Visscher C., Sarens G., Van Gils D. (2010), “Risk Management and Internal Control in the
Public Sector: An In-Depth Analysis of Belgian Social Security Public Institutions”, available
at:
https://finances.belgium.be/sites/default/files/downloads/BdocB_2010_Q3A_deVisscher
_Sarens_vanGils.pdf (accessed 10 March 2019).
Drennan, L.T. and McConnell, A. (2007), Risk and Crisis Management in the Public Sector,
Routledge, Abingdon, Oxon.
European Commission (2001), “European Governance – A White Paper”, available at:
https://ehne.fr/en/article/material-civilization/expertise-and-knowledge/european-
commissions-white-paper-european-governance-2001 (accessed 21 April 2019).
Garver, M.S., & Mentzer, J.T. (1999). Logistics research methods: Employing structural
equation modeling to test for construct validity. Journal of Business Logistics, 20(1), 33-57.
Grant Thornton International (2009), “Enterprise risk management: creating value in a volatile
economy”, available at: http://www.gtrus.ru/doc/public/gti/gti_erm_en.pdf (accessed 19
March 2019).
Grima, S.; Romanova. I.; and Bezzina, F., 2017. Misuse of Derivatives: Considerations for
Internal Control. Contemporary Issues in Finance: Current Challenges from Across Europe
(Series Editor Rupeika-Apoga, R., Romanova, I., Grima, S. & Bezzina, F.), Contemporary
Studies in Economic and Financial Analysis, Volume 98) Emerald Group Publishing Limited,
chp 4, pp49-62
Grima, S. and Thalassinos, E. (2020) – Financial Derivatives: A Blessing or a curse? Emerald
Group Publishing Limited. Edited by Dalli Gonzi, R. and Thalassinos, I. Chapter 4, pp. 163-174.
Hair, J.F., Anderson, R.E., Tatham, R.L. and Black, W.C. 1998. Multivariate Data Analysis,
5th ed., Prentice-Hall, Upper Saddle River, NJ.
Hansson, S. (2005), “Seven Myths of Risk”, Risk Management: An International Journal 2005,
Vol. 7, No. 2, pp. 7-17.
Her Majesty (HM) Treasury (2014), “The Orange Book, Management of Risk – Principles and
Concepts”, available at:
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/
attachment_data/file/220647/orange_book.pdf (accessed 05 March 2019).
Horne, S. (2017), “8–27 Years of fraud control in the New South Wales public sector: 1989–
2016”, In the Changing Face of Corruption in the Asia Pacific, Elsevier, New York, pp. 111–
25.
Iacobucci, D. (2010). Structural equations modeling: Fit indices, sample size, and advanced
topics. Journal of Consumer Psychology, 20, 90-98.
International Organisation for Standardization (ISO) (2009), “ISO 31000:2009, Risk
Management – Principles and Guidelines”, available at: www.iso.org (accessed 12
February 2019).
International Organisation for Standardization (ISO) (2018), “ISO 31000:2018, Risk
Management in Organisations”, available at: www.iso.org (accessed 12 February 2019).
International Organisation of Supreme Audit Institutions (INTOSAI) (2004), “Guidelines for
Internal Control Standards for the Public Sector”, available at: www.intosai.org (accessed
15 February 2019).
King, R. 1993. The geographical fascination of islands. In Lockhart, D.G., Drakakis-Smith, D. and
Schembri, J. (Eds), The Development Process in Small Island States. Routledge, London,
pp. 13-37.
Kong, Y., Lartey, P.Y., Bah, F.B.M., Biswas, N.B. (2018), “The Value of Public Sector Risk
Management: An Empirical Assessment of Ghana”, available at:
https://www.researchgate.net/publication/326738992_The_Value_of_Public_Sector_Risk
_Management_An_Empirical_Assessment_of_Ghana (accessed 12 March 2019).
Kruf, J.P., Grima, S., Kizilkaya, M., Spiteri, J., Slob, W. and O’Dea, J. 2019. The PRIMO FORTE
Framework for Good Governance in Public, Private and Civic Organisations: An Analysis on
Small EU States. European Research Studies Journal Volume XXII, Issue 4, 2019, pp. 15-34.
Lerskullawat, A. (2017), “Effects of banking sector and capital market development on the
bank lending channel of monetary policy: An ASEAN country case study”, Kasetsart
Journal of Social Sciences, Vol. 38, No. 1, pp. 9–17.
Lim, C.Y., Woods, M., Humphrey, C., and Seow, J.L. (2017), “The paradoxes of risk management
in the banking sector”, The British Accounting Review, Vol. 49, No. 1, pp. 75-90.
McNamee, D. and Selim, G.M. (1998), Risk Management: Changing the Internal Auditor’s
Paradigm, The Institute of Internal Auditors Research Foundation, Altamonte Springs, FL.
Mitchell, S.L. (2017), “What is GRC?”, available at: https://medium.com/grc360/what-is-grc-
d9d542b1e217 (accessed 03 February 2019).
Mitchell, S.L. and Stern Switzer, C. (2013), “GRC Capability Model (OCEG Red Book)”, available
at: Lulu.com (accessed 10 February 2019).
Moeller, R. (2007), COSO Enterprise Risk Management, Understanding the New Integrated
ERM Framework, John Wiley & Sons Inc, Hoboken, New Jersey.
National Audit Office (NAO) Malta (2014), “Annual Reports for Year 2014 on the Public
Accounts”, available at: http://nao.gov.mt/en/recent-publications (accessed 12 April
2019).
Office of the Prime Minister (OPM) Malta (1994), “Code of Ethics for Employees in the Public
Sector”, available at: https://publicservice.gov.mt/en/people/Documents/People-
Support-Wellbeing/Policies%20and%20Guidelines/Code-of-Ethics.pdf (accessed 18 April
2019).
Office of the Prime Minister (OPM) Malta (2016), “The Public Service Management Code”,
available at: https://publicservice.gov.mt/en/Documents/Public%20Service
%20Management%20Code/PSMC.pdf (accessed 18 April 2019).
Okoth, O., Kwaka, J., Muluka, B., Nyaboto B.S. (2011), Challenging the Rulers: A Leadership
Model for Good Governance, East African Educational Publishers Ltd, Kenya.
Open Compliance and Ethics Group (OCEG) (2008), “OCEG Benchmarking Series Report: GRC
Measurement and Metrics”, available at: www.oceg.org/ (accessed 03 February 2019).
Open Compliance and Ethics Group (OCEG) (2018), “Pillars of Principled Performance”,
available at: https://www.oceg.org/about/what-is-principled-performance/ (accessed 10
February 2019).
Open Compliance and Ethics Group (OCEG) (2018), “What is GRC?”, available at:
https://www.oceg.org/about/what-is-grc/ (accessed 10 February 2019).
Organisation for Economic Cooperation and Development (OECD) (2004), “OECD Principles of
Corporate Governance”, available at:
https://www.oecd.org/daf/ca/corporategovernanceprinciples/31557724.pdf (accessed 12
February 2019).
Özdamar, K. 2002. Statistical Data Analysis with Multivariate Programs (Multivariate Analysis).
Eskişehir: Kaan Bookstore.
Özdamar K. (2004) Tabloların Oluşturulması, Güvenirlik ve Soru Analizi. Paket Programlarla
İstatistiksel Veri Analizi-1. 5th ed. Eskişehir, Kaan Kitabevi
McDonald, R. P., & Ho, M.-H. R. (2002). Principles and practice in reporting structural equation
analyses. Psychological Methods, 7, 64-82. doi:10.1037/1082-989X.7.1.64
Pellegrini, C.B., Meoli, M., Urga, G. (2017), “Money market funds, shadow banking and
systemic risk in United Kingdom”, Finance Research Letters, Vol.21, pp. 163-171.
PricewaterhouseCoopers (PwC) (2004), “8th Annual Global CEO Survey”, available at:
http://www.globes.co.il/Serve/Researches/documents/8thAnnualGlobalCEOSurvey.pdf
(accessed 12 April 2019).
Public Risk Management Organisation (PRIMO) (2009), “Risk management attitudes and
behaviours in European public entities”, available at: https://www.primo-europe.eu/wp-
content/uploads/2010/01/publicentities_researchreport-english.pdf (accessed 12 March
2019).
Publicservice.gov.mt. 2020. size of the Public Service and the Public Sector
https://publicservice.gov.mt/mt/Pages/Home.aspx
Raykov, T., & Marcoulides, G. A. (2006). A first course in structural equation modeling (2nd
ed.). Lawrence Erlbaum Associates Publishers.
Saunders, M., Lewis, P., and Thornhill, A. (2007), Research Methods for Business Students,
Pearson Education Ltd, Harlow, Essex, England.
Schumacker RE, Lomax RG. A Beginner's Guide to Structural Equation Modeling. 2nd ed. New
Jersey: Lawrence Erlbaum; 2004.
Spira, L. and Page, M. (2003), “Risk Management: The reinvention of internal control and the
changing role of internal audit”, Accounting, Auditing & Accountability Journal, Vol. 16,
No. 4, pp. 640-661.
Sterck, M., Scheers, B. and Bouckaert, G. (2005), “The modernisation of the Public Control
pyramid: International trends”, available at:
http://steunpuntbov.be/rapport/s0405009.pdf (accessed 19 April 2019).
Surveysystem.com, 2020. Sample Size Calculator. https://www.surveysystem.com/sscalc.htm
Tabachnick, B.G. & Fidell, L.S. 2001. Using Multivariate Statistics (Fourth Edition). Boston:
Allyn and Bacon.
Tavşancıl, E. 2002. Measurement of Attitudes and Data Analysis with SPSS. Ankara: Nobel
Publications.
The Committee on the Financial Aspects of Corporate Governance (1992), “The Cadbury
Report”, available at:
https://ecgi.global/download/file/fid/9448 (accessed 12 February 2019).
The Institute of Internal Auditors (IIA) (2009), “IIA Position Paper: The Role of Internal Auditing
in Enterprise-Wide Risk Management”, available at:
https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%20in%20Enterprise%20Risk%20Management.pdf
(accessed 20 April 2019).
The Institute of Internal Auditors (IIA) (2010), “Governance, Risk & Control”, available at:
https://na.theiia.org/standards-guidance/topics/Pages/Governance-Risk-and-Control.aspx
(accessed 20 April 2019).
The Institute of Internal Auditors (IIA) (2013), “The Three Lines of Defence in Effective Risk
Management and Control”, available at:
https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf
(accessed 21 April 2019).
The Institute of Internal Auditors Research Foundation (IIARF) (2013), “Contrasting GRC and
ERM: Perceptions and Practices Among Internal Auditors”, available at:
https://na.theiia.org/periodicals/Public%20Documents/Contrasting%20GRC%20and%20ERM_2013%20IIARF%20research%20report.pdf
(accessed 20 April 2019).
The Laws of Malta (1964), “Constitution of Malta”, available at:
http://www.justiceservices.gov.mt/DownloadDocument.aspx?app=lom&itemid=8566&l=1
(accessed 02 February 2019).
The Laws of Malta (2009), “Chapter 497, Public Administration Act”, available at:
http://www.justiceservices.gov.mt/DownloadDocument.aspx?app=lom&itemid=8963
(accessed 03 February 2019).
The Laws of Malta (2017), “Legal Notice 66 of 2017 Constitution of Malta : Public Service
Commission Disciplinary Regulations”, available at:
http://www.justiceservices.gov.mt/DownloadDocument.aspx?app=lp&itemid=28303&l=1
(accessed 02 February 2019).
The Risk Management Society (RIMS) (2018), “What Is ERM?”, available at:
http://www.rims.org/erm/pages/WhatisERM.aspx (accessed 20 March 2019).
The State of Queensland (Queensland Treasury) (2011), “A Guide to Risk Management”
available at: https://s3.treasury.qld.gov.au/files/guide-to-risk-management.pdf (accessed
02 March 2019).
The World Bank Group (2019), “Worldwide Governance Indicators”, available at:
https://info.worldbank.org/governance/wgi/#home (accessed 20 April 2019).
Treasury Board of Canada Secretariat (2001), “Integrated Risk Management Framework”,
available at:
https://www.canada.ca/en/treasury-board-secretariat/corporate/risk-management/guide-integrated-risk-management.html
(accessed 12 March 2019).
Tricker, B. (2012), Corporate Governance: Principles, Policies and Practices, Oxford University
Press, United Kingdom.
United Nations Department of Economic and Social Affairs (UNDESA) (2015), “World Public
Sector Report 2015 : Responsive and Accountable Public Governance”, available at:
https://www.un.org/development/desa/publications/2015-world-public-sector-report.html
(accessed 20 April 2019).
United Nations Economic and Social Commission for Asia and the Pacific (UNESCAP) (2009),
“What is Good Governance?”, available at:
https://www.unescap.org/resources/what-good-governance (accessed 20 April 2019).
Vincent, J. (1996), “Managing risk in public services: A review of the international literature”.
International Journal of Public Sector Management, Vol. 9, No. 2, pp. 57-64.
Xuereb, K., Grima, S., Bezzina, F., Farrugia, A. and Marano, P. 2019. The Impact of the General
Data Protection Regulation on the Financial Services’ Industry of Small European States.
International Journal of Economics and Business Administration Volume VII, Issue 4, 2019,
pp. 243-266.
Weston, R., & Gore Jr, P.A. (2006). A brief guide to structural equation modeling. The Counseling
Psychologist, 34(5), 719-751.
Other
What is your highest academic qualification (level of education)?
School Leaving/Ordinary Level
Undergraduate
Post-Graduate
What is your current Public Service Grade/Scale?
Scale 1-5
Scale 6-12
Scale 13-16
For how many years have you been working in the Public Sector?
1-9 years
10-19 years
Over 20 years
Where do you currently work (Ministry/Department/Section)?
Please answer using this Likert Scale: 1- ‘totally disagree’ and 5- ‘totally agree’
No. Theme 1: Governance 1 2 3 4 5
T 1.1 A strong governance structure is in place, with an
established mission statement, composed with a set of
derived strategic objectives; clear and understood roles,
responsibilities, values; with policies and procedures
that are documented and communicated to all
employees.
T 1.2 A Good Corporate Governance framework is in place
and working effectively with a high level of integrity,
transparency, openness, ethics and morals in the daily
operations of the Ministry/Department.
T 1.3 The Ministry/Department is fully accountable to the
respective stakeholders, to the public and to those
affected by its decisions and operations.
5
Okoth Okombo et al., 2011
No. Theme 2: Risk Management 1 2 3 4 5
T 2.1 The Ministry/Department has people responsible for
risk management practices that transmit a risk
management culture across the ministry/department,
through an integrated risk register framework with risk
policies and procedures rooted in the corporate
strategy; attached and linked to the operations and
overall strategic objectives.
T 2.2 Communication of the identified risks to the relevant
stakeholders is done promptly and in time to avoid
adverse effects on operations.
T 2.3 Risks, uncertainties, drivers for opportunities and
threats can affect a Ministry’s/Department’s value
creation. These are clearly known and understood by
the Public Leaders (actors) in my Ministry/Department.
T 2.4 Senior management organises workshops and regular
discussions with employees on exposures to different
types of risks; determines and communicates the
aggregated level of risk appetite and risk tolerance, to
provide reasonable assurance regarding the
achievement of set objectives.
No. Theme 3: Effective Compliance and Control 1 2 3 4 5
T 3.1 Integrity, tolerance, commitment and compliance with
applicable laws and regulations together with an ethical
behaviour are central to the Ministry’s/Department’s
operations and organisational culture.
T 3.2 The Ministry/Department reaches set targets, goals and
objectives efficiently, whilst Management is effective in
the decisions it takes to reach objectives.
T 3.3 The budgets allocated are sufficient for the
Department/Ministry to reach its goals and objectives
in time.
T 4.3 The Internal Audit and Investigations Department
(IAID) conducts regular internal audit activities at your
respective Ministry/Department and delivers
information meetings on its operations.
T 4.4 The Internal Auditor’s findings are accepted, and
recommendations are understood by the Management.
Follow up processes to ensure that the recommended
actions have been effectively implemented are usually
conducted.
T 4.5 Internal Auditors are specialised and possess excellent
knowledge and experience in their audited areas. They
offer professional, realistic, practical recommendations
in line with the real-life scenarios.
Further Comments
Do you have any further comments to add?