Risk Management Implementation in Public Sector Organizations-Global Phenomena

: The research aims to understand the integrated risk management global adoption, especially ISO 31000 in Public Sector Organizations (PSOs). Through desk research and complemented with literature reviews taken from case studies in the G20 Countries, this study is expected to give a helicopter view about the global adoption speed of ISO 31000 as an international standard of risk management by PSOs across the world


INTRODUCTION
The need for integrated risk management in PSOs has been rising in the last decade along with the uncertainties and risks faced by PSOs to fulfill their mission and mandates.While PSOs have had used many approaches and techniques on risk management, most of them, however, deal with their risks on an ad-hoc basis.
When the International Organization of Standardization (ISO) produced their first Standard ISO 31000:2009 Risk Management -Principles and Guidelines in 2009, many PSOs adopted them as their integrated approach in managing risks.Since then, the adoption has been continued and developed rapidly concurrently with the second version introduction, i.e.ISO 31000:2018 in 2018 (Standard).
Even though the speed of the standard adaptation was slow at first, its movement and significance of such adoption are getting faster and bigger as it gains momentum.It has been observed during 2009-2014, and was implemented by seven of the G20 countries.Whereas during 2014-2019, 13 of the G20 countries implemented it (Choo et al., 2015; Organisation for Economic Co-operation and Development, 2013).
The increased adoption of ISO 31000:2018 comes with the rising public's expectations on the effectiveness of risk management practices in PSOs.The expectations are driven by their stakeholders and rightsholders who demand better public services provided by PSOs (James, 2011).In response, PSOs need to improve their capability and capacity to embrace the demand, and be able to deal with uncertainties and risks in achieving their goals and objectives towards the public interest they serve (Wakhid, 2017).
PSOs, however, are facing some issues and challenges in achieving their goals and objectives.While they must embrace many elements toward sustainable development goals: economics, social, and environmental goals, they also must face some issues and challenges to which private sectors do not need to deal with.Among others are politics, bureaucracies, societal unrest, unemployment level, poverty, and public health services (Martua & Rahmat, 2017).
In addition, they must also take into account the impact of digital dynamics on their public service duties.If the issues and challenges are not well taken into account, it may potentially create some other issues and challenges as new generations are becoming more digitally possessed.Which in turn, it could be transformed as new dimensions of what public interest and services are in demand (RSA Security, 2019).This study serves its purpose i.e. to understand the ISO 31000 adoption in PSOs globally and capture the high level of sensing about the key issues and challenges related to its implementation.The study also recognizes the generic scope of PSOs consists of the general government sector plus government-controlled entities, known as public corporations.

196
Since its primary activity is to engage in commercial activities (International Monetary Fund, 2014), this study limits the scope only to the general government bodies.As suggested by IMF, the general government bodies are generally divided into three subsectors: 1) Central government; 2) State government; and 3) Local government (IMF, 2014).

LITERATURE REVIEW
The review is divided into two parts, firstly is an attempt to understand the phenomena of the global adoption of ISO 31000 Standard, and secondly is an attempt to understand the sense of the key issues and challenges related to the risk management implementation in PSOs.

A. The Adoption of Integrated Risk Management in PSOs
The integrated risk management global adoption in public sector organizations (PSOs) is represented through the acceptance of international risk management standard, namely ISO 31000 Standard by general government bodies of G20 countries.The G20 countries are chosen as a proxy because they account for most of the world's GDP and population.By the end of 2018, they represented 85.7% of world GDP and 63.5 % of the world population respectively (World Bank, 2019).
ISO 31000 Standard is the standard produced by the international organization for standardization (ISO), which was formally agreed and endorsed by their member countries in 2009.The first version was issued in 2009 known as ISO 31000:2008 -Principles and Guidelines of Risk Management and the second was launched by the end of 2018, namely ISO 31000:2018 -Principles and Guidelines of Risk Management.Both versions are quoted as ISO 31000 Standard in this writing.
The period under review is a cycle of a decade from 2009 to 2019, divided into two phases.One cycle of a decade is chosen because ISO 31000 Standard, just like other international ISO standards, has ten years of the review and revision cycle.Whereas, two phases are determined to help us see a reasonable time for the first five years' socialization of the standard, and how it has been well adopted within the 10 years cycle.The first phase is from 2009 to 2014, and the second is from 2015 to 2019.
The first G20 country whose PSOs has adopted integrated risk management was Turkey in 2013.In the research conducted by SIGMA Paper No. 50, it stated that Turkey had implemented risk management in its Ministry of Finance since 2013, which was managed under the Debt and Risk Management Committee.They were also using ISO 31000:2009 to guide their risk management process and its implementation (Tokaç & Williams, 2013).
In the same year, another five G20 countries adopted integrated risk management in their PSOs as described in the OECD's report on Risk Management and Corporate Governance (OECD, 2013).Also, it is stated that there were six member countries of G20 that had included risk management references in their corporate governance practices such as Turkey, India, China, the United Kingdom (UK), the United States (US), and Japan (OECD, 2013).
Entering the second phase, the six countries continued their integrated risk management based on ISO 31000 Standard while improving their scope and depth.In addition, seven more G20 countries adopted ISO 31000 Standard during the second phase including European Union (EU).By the end of 2019, there were a total of 13 G20 countries or 65% of the Group who had implemented ISO 31000 Standard.Some previous studies observed some phenomena during the second phase especially about South Africa, Australia, European Union, Russia, Canada, South Korea, and Indonesia.South Africa confirmed that they had implemented risk management based on ISO 31000 Standard at their National Government Departments (NGDs) in 2016 using the Public Sector Risk Management Framework.This framework could be used for the relevant public service institutions to implement and maintain an effective, efficient, and transparent system of risk management and control (Moloi, 2016).
In the same year, six of the European Union countries were observed that they had adopted risk management to deal with flood risk and increase societal resilience, i.e.England, Belgium, France, Netherland, Poland, and Sweden (Priest et al., 2016).Besides, the Australian government conducted a research in 2016 through a self-assessment of their risk management capability with a total of 143 participants (Australian Government non-Corporate Entities).The results showed that 67% of entities self-reported a maturity level of Systematic or Integrated, and 30% of entities reported achievements of Advanced or Optimal maturity.
Furthermore, the results of a study by the Australian National Audit Office in 2017 showed that at least 143 Australian Government entities have adopted ISO 31000 (Australian National Audit Office, 2017).
Subsequently, Russia and Canada had also implemented ISO 31000 in their PSOs.In 2017, Russia implemented ISO 31000 at The Federal Agency on Technical Regulating and Metrology.This federation functions to render state services and administer public 197 estate in the field of technical regulating and metrology (ISO TC 262 Committee, 2017).On the other hand, Canada had implemented ISO 31000 Standard in their PSOs by 2018.The Standard was adopted at Public Safety Canada to ensure coordination across all federal departments and agencies to protect Canadians against threats ranging from terrorism, cyber-attacks, nuclear weapons to crime and gang violence, and natural hazards and environmental disasters (United Nations, 2019).
Moving to the Asian region in general and SEA (South East Asia) Region in particular, the study noted that five Asian countries are members of the G20 i.e.China, India, Japan, South Korea, and Indonesia.While it had been observed that China, Japan, and India were early adopters in phase one, South Korea and Indonesia adopted ISO 31000 Standard at the later stage of phase two.
South Korea confirmed that they had adopted ISO 31000 Standard since 2014 relatively across most of their PSOs general government extensively.This adoption was pre-initiated by the Crisis Management Guidelines for Public Organizations (CMGPO) in 2007 (Kim, 2014).Indonesia, on the other hand, as the only G20 countries in SEA regions, had adopted ISO 31000 as their national risk management standard, namely SNI ISO 31000 (Standar Nasional Indonesia ISO 31000) in 2011.However, the implementation of ISO 31000-based integrated risk management in their PSOs just started in 2018 in the Ministry of Finance (MOF) of the Government of Indonesia (GOI) (Ministry of Finance, 2016).Afterward, there were some other general government bodies announced their initiatives in 2019 to adopt ISO 31000 Standard, such as the Financial Services Authority (FSA) , the Central Bank of Indonesia (BI) , and the Supreme Audit Board (SAB) .

B. Issues and challenges related to the risk management implementation in PSOs
The issues and challenges related to the risk management implementation are divided into two perspectives.The first perspective is the issues and challenges which are seen or considered as the trigger to start implementing integrated risk management in PSOs.Whereas, the second is about the issues and challenges related to the implementation of risk management in PSOs.
Most PSOs in G20 countries are triggered to implement risk management due to financial crisis challenges, such as those that hit the US and Europe regions in 2008, and the ones that hit Greece in 2009.For large countries like the US and China, it is even more serious since financial crisis was a challenge with the greatest consequences (OECD, 2013).These phenomena are quite similar globally where most literatures express similar viewpoints.
Looking forward to their risk management implementation in PSOs, each region and countries face different issues and challenges.For example, in Turkey, the issues and challenges faced by the Debt Management Unit at the Turkish Treasury is to set up the ORM (Operational Risk Management) framework, especially in terms of integrating data and reporting.They face this challenge because there is much uncertainty in their operation activity about who should report errors when more than one unit is involved in the process (Tokaç & Williams, 2013).
In the EU region, UK, and US, the issues and challenges are regarding the way the organizational leaders improve the ERM ISO 31000 framework to be relevant to high technology environment.These particular challenges are driven by more advanced technological developments in the EU region and US than other regions.Thus, it requires specific strategies from organizational leaders in adjusting ISO 31000 to their business models (Choo et al., 2015).More specifically, the UK and another five of the EU countries (Belgium, France, Netherland, Poland, and Sweden) are facing another issue and challenge, which is to deal with flood risk and increase societal resilience (Priest et al., 2016) While the challenges in the EU region, UK and US are quite homogenous related to technological issues and challenges, it is not the case in other regions, specifically the African region where one of the G20 country namely South Africa located.In this case, South Africa faces multiples challenges besides technology.The main ones are being the slow rate of economic growth, poverty, unemployment and high levels of inequalities (Moloi, 2016).To address these challenges, the South African government published the document namely "Strategic Agenda of Government".This document identifies certain key focus areas, i.e. education, health, rural development, the fight against crime and corruption, the creation of decent work, and sustainable livelihood and human settlements (Moloi, 2016).
In Canada, the issues and challenges are to ensure coordination across all federal departments and agencies to protect Canadians against threats ranging from terrorism, cyber-attacks, gang violence, natural hazards, and environmental disasters (United Nations, 2019).Whereas in Australia, the main challenge of the risk management implementation in their PSOs is to improve risk management capability.This challenge arises because of limited resource availability and consistency in enhancing risk management practices (Australian National Audit Office, 2017).As for the Asian region, we made some observations on four G20 countries.In 2012, Chinese government faced critical issues and challenges in the political field.According to the report from The Wall Street Journal, challenges such as corruption, income inequality, and party governance are at the top of the domestic issues list (The Wall Street Journal, 2012).Likewise, it also became the trigger for the risk management implementation in their PSOs.Besides, China also emphasized the domain of cyber and digitalization as forthcoming issues and challenges related to their risk management implementation in PSOs.The issues regards the political and economic war between China and the US that made the Chinese internet users feel threatened by a shadow IT economy.Illegal programs are often installed on computers and are not provided with security updates.Hackers can gain access to these unprotected computers and use them as a base for worldwide attacks (Merics, 2015).
On the other hand, in Japan, based on research from the Deloitte Tohmatsu Group (Deloitte Japan), the Japanese government faces several risk management implementation challenges in 2017, namely (Deloitte Touche Tohmatsu, 2018): • New business model transformation to increase interest rates, net profit of core business line for mega and domestic banks, and profit margins on lending from the international section of mega-bank.• Changes in the macro-environment such as geopolitics that poses extremely uncertain risks, especially in political tension between Japan and China.• Upgrading the strategies for the financial institutions to face cyber risk, because there are not any explicit international or national regulatory standards for cyber-security.• Creating a framework to address the reputational risks at a higher level in financial institutions.
Meanwhile, in India, the biggest issue and challenge to the Indian economy are originated at the macro level.While India has been able to bring down poverty, the same cannot be said about income and wealth distribution to Indian economics.The poor human development ranking of India in a global setting is certainly one of its major risks and may affect the growth process (Roy, 2018).Besides, India also faces serious issues and challenges related to digitalization.According to the Economic Times, these issues and challenges related to data leakage, ransomware, ATM/credit cards denial of service, diversion of network traffic intrusion in IT systems, and networks using malware are on the rise.Also, the data leakage could come in various forms, in October 2019, there is Israeli spyware allegedly used to spy on Indian journalists and human rights activists' attest.
Furthermore, in South Korea, the adoption of risk management in this country is also triggered by the financial crisis.Then in the implementation of risk management, South Korea also faces several issues and challenges such as the complexity of the disaster fund preparation and distribution to the dispersion of authority, and responsibility and the duplication of tasks among relevant agencies (Kim, 2014).
When it comes to Indonesia, the largest country of ASEAN (Association of East Asia Nations) regions and also a member of G20, According to Mahsyar (2011), the implementation of integrated risk management in PSOs faces many issues and challenges related to: • The inadequate information system of public services including lack of responsiveness, information, accessibility, coordination, willingness to hear public complaints/suggestions/aspirations, and efficiency.• Human resources, especially the professionalism, competence, empathy, and ethics of public service officers.
• The weaknesses of the institutional side, especially in organizational design that is full of hierarchy and too bureaucratic.
• Based on the literature review above, four generic issues and challenges are noted across the G20 countries namely governance, human factors, digitalization, and environmental.Below is the summary of the study with its respective generic issues and challenges.The Economic Times Report: "Why cybersecurity should be India's foremost priority" (2019).

South Korea
The complexity of the disaster fund preparation and distribution to the dispersion of authority, and responsibility and the duplication of tasks among relevant agencies.

Environmental
International Journal: "How Did Enterprise Risk Management First Appear in the Korean Public Sector?", 2016.

METHODS
The desk research is conducted through a literature review of a case study to capture the global phenomena of integrated risk management in PSOs.In particular, it addresses the global adoption and implementation of the ISO 31000 Standard in those PSOs.The desk research is continued to identify and enlist the common issues and challenges related to the risk management implementation in the PSOs.However, it only focuses on PSOs in the general government bodies.The reason is the lack of very few studies ever made on the risk management implementation in the government sector, while the demand for a better quality of government's public services is rising (IPSOs MORI, 2010).Hence, this study could give a sense of wider horizon of the issues and challenges related to the implementation of such risk management in PSOs -government bodies.

RESULTS AND DISCUSSION
By the end of 2019, there were a total of 13 G20 countries or 65% of the group who have implemented ISO 31000 standards.Thus, the spreading of integrated risk management implementation in PSOs is fairly fundamental as it has been adopted by more than half of G20 countries in the last ten year.Moreover, the figure has actually been rising since then.
Using the summary of table 1, there are four common issues and challenges mentioned by the G20 countries that have adopted ISO 31000 Standard in their PSOs, namely: Digitalization, Governance, Human Factors, and Environmental.
The issues and challenges related to digitalization are primarily observed in the top six G20 countries with the highest GDP i.e. the United States, the European Union, Japan, the United Kingdom, China, and India.Since the issues and challenges faced by PSOs in those six countries are predominantly about digitalization, their attempts in the ISO 31000 Standard implementation are deeply contextual in the high technology, environment.Hence, cyber risk and digitalization are considered the most common issues and challenges.
The issues and challenges related to bad governance are mostly about corruption and red-tape, which are observed in China and Indonesia.China put their eyes on corruption as emphasis, while Indonesia deals not only corruption, but also addressing some other primary issues and challenges related to Human Factors, inadequate information systems, and the organizational design that is deemed too bureaucratic.
Beside Indonesia, the issues and challenges related to Human Factors have also been observed in India, Russia, Australia, and South Africa.The issues and challenges are as follows: • Poor human development that slows the income and wealth distribution to the Indian economics (India).
• Increasing the level of human safety or health (Russia).
• Limited resources availability and consistency to enhancing risk management practices (Australia).
• Poverty, Unemployment, and High levels of inequalities (South Africa).
• Lack of professionalism, competence, empathy, and ethics of Public Services Officer (Indonesia).
Lastly, the issues and challenges related to environmental factors are observed in Canada, South Korea and also Russia.Some challenges deal with natural hazards, animals and plants' health or safety, environmental disasters, whereas others deal with those associated with terrorism, nuclear weapons, and gang violence.
The summary of the result is presented in table 2 below which gives an indication that most high GDP countries (above USD 2 trillion) except India, are apparently and mostly dealing with digitalization as issues and challenges related to risk management

CONCLUSION
The adoption of ISO 31000 based risk management (ISO 31000 Standard) in PSOs has been notable in G20 countries right after its birth in 2009, and then widely adopted in the last ten years from 2009 to 2019.Since G20 countries account for more than 85.7% of world GDP and 63.5% of the world population, it is reasonable to say that ISO 31000 Standard has been well accepted and fairly adopted globally.By the end of 2019, more than 65% of G20 countries have had adopted ISO 31000 Standard reference.Furthermore, some common issues and challenges related to the implementation of risk management in PSOs have been discovered namely digitalization, governance, environmental, and human factors.Since all those issues and challenges might indicate a bigger issue of management change in PSOs, further study in this field is suggested to capture more explicitly the challenges of change management and its echoed to the domain of their risk management implementation.

LIMITATIONS
However, some limitations which relate to the sampling and base period, need to be well noted.Since the sample has been purposively limited to G20 countries, consequently it does not reflect other critical factors of issues and challenges which have probably been experienced by non G20 countries.Further, the base period of study 2009 -2019 which might be sufficient for the purpose of this particular study, it might not be the case for other purposes of similar study.
Therefore, further empirical study at certain country level is recommended to capture a better understanding at the ground work level of PSOs.Hopefully such empirical studies could be conducted in comparison between the implementation of iso 31000 in one of G20 countries versus one of non G20 countries.It is further recommended that it takes into account a much longer time horizon which consider the context or future orientation of PSOs.
Through such future studies, better understanding about how PSOs use the iso 31000 standard could be obtained especially on how effectively the implementation of iso 31000 help them create and protect value of their organizations sustainably, and to a certain extent how it might illuminate -if relevant to the change management process in the organizations.Based on that understanding, the empirical results could also be used to identify improvements not only for better practices of risk management in PSOs but also to increase greater knowledge of risk management implementation in general, and perhaps of change management in particular.
credit cards denial of service, -Diversion of network traffic intrusion in IT systems and networks using malware

Table 1 .
Issues and Challenges Related to Risk Management Implementation in PSOs. ISSN:

Table 2 .
Summary of issues and challenges