Risk Management in Public and Non-Profit Organizations: A Systematic Literature Review

The recent economic conditions continue to draw significant attention to the multitude of risks organizations face as they pursue strategic goals. Public and non-profit organizations (NPO) are not an exception when it comes to risks that can challenge their service delivery system and growth sustainability. Their unique features and limited resources require them to adopt and adapt different risk management tools and methods as compared to the corporate organizations. Specifically, the risk management approach adopted in public organizations and NPOs has not been significantly addressed. Hence, this paper aims to explore the development of risk management in public organizations and NPOs. By conducting a systematic review of literature, 12 papers published in the Scopus and Web of Science from 2010 until recent year have been selected and analyzed. Findings from the literature analysis found various types of risks occur in these organizations and demonstrate the factors and importance of adopting risk management practices. However, a holistic approach is still not diffused nor sufficiently developed in both public and not-for-profit sectors. Research on the successful delivery of risk management is still dearth, which creates a huge research gap thus still an area worth researching. The findings from this literature analysis suggest that an instrument or tool to evaluate the practices of the risk management system is required. Thus, this paper serves as the basis for further empirical research on risk management practices of public and non-profit organizations.


Introduction
Risk management is a vital function that organizations must undertake to sustain and achieve their organizational goals and objectives, regardless of the private, public, or non-profit status of the organizations. The key goal of risk management is to identify possible risks or threats before they arise. However, in most situations, preparation would be able to include riskavoiding mechanisms, reduce the probability of their occurrence or mitigate their consequences. Generally, successful risk management is not only about risk mitigation. It is all about determining that it is easier to take them, accept them as they are, or reject them by minimizing or attempting to fully remove the effects. Worldwide, public and non-profit organizations are faced with the task of handling their everyday threats better. At the same time, the demand for risk management, especially for governments is growing, mainly following past financial and economic crises or rising threats. As per non-profit organizations, even though they vary in their sizes, they face various types of risks in their operations. The risks, if not mitigated carefully will contribute to the fragility for them to sustain in existence (Roberts et al., 2016). The main distinction between private and public sector risk management is that risk is much more nuanced in the first instance, and its effect is societal. Public sector organizations are typically large and highly bureaucratic, rendering any impetus for risk management in this sector difficult. In their daily operations, the degree and variety of threats faced by government agencies are immense and the primary duty of these authorities is to ensure that no present or future risk can endanger the perceived public value. Public organizations often have to deal much of the time with certain risks, but they are not well trained or able to do so, as compared to the private sectors. Generally, neither the private nor public sector has riskier or less risky cultures since risk and uncertainty can create different challenges for the performance and effectiveness of these organizations. What makes the main difference is the way how they respond to the identified risks (Bozeman & Kingsley, 1998). Despite the importance of risk management in an organization, risk management in public organizations is found to be less studied by the previous literature as compared to the corporate counterparts (Ahmeti & Vladi, 2017). Hence, this paper aims to conduct a systematic review of the literature from 2010 until 2020 on the risk management practices in public and non-profit organizations, highlighting the emergent themes found in the articles. The following section discusses the methodology applied in preparing this systematic review study.

Methodology
Keyword search stage: the discipline-specific journal search In the first step, a systematic review of articles is carried out to identify the current practice of risk management among public and non-profit organizations. Secondly, the relevant articles were then extracted from the Scopus and Web of Science using the word search. In Scopus, TITLE-ABS-KEY ("risk management" AND "non-profit organi*ation" OR "public organi*ation") AND DOCTYPE (ar OR re) AND PUBYEAR > 2009 were searched, which result in 52 articles. Then in the second step, the articles were limited to social sciences and business, management, and accounting areas only. This limit resulted in 29 articles. In the Web of Science, the search was made based on TOPIC: ("risk management" AND "non*profit organi*ation" OR "public organi*ation"), refined by WEB OF SCIENCE CATEGORIES: (MANAGEMENT OR PUBLIC ADMINISTRATION) AND DOCUMENT TYPES: (ARTICLE) AND WEB OF SCIENCE CATEGORIES: (MANAGEMENT OR PUBLIC ADMINISTRATION OR SOCIAL SCIENCES INTERDISCIPLINARY), Timespan: 2010-2020. Additionally, the articles focused on Indexes: SSCI, ESCI, which resulted in 99 articles. However, majority of the articles listed were irrelevant to the study. Thus, the searching strategy focused on "risk management" only, resulted in 10 articles. These resulted in 39 articles selected from the two databases for further consideration.

Figure 1. Inclusion and exclusion criteria
Further screening process which was performed to only include only scholarly articles has narrowed the number of articles. Figure 1 summarizes the process of inclusion and exclusion screening of the articles. In detail, only articles concerning the risk management practice among public and non-profit organizations were included. All other irrelevant articles, for instance, involving banking and finance as well as public-private organizations and those articles that cover risk management as part of network governance were all removed from the list. The selection of articles for this study has further removed nine publications that were found to be duplicate works, which appear in both Scopus and Web of Science. After scanning the abstracts, articles that are insignificant to the research focus were taken out. Additionally, inaccessible articles from the database were also removed, which finally shortlisted only 12 articles for the study review.

Content Analysis Methodology
Next, all the 12 articles were transferred to ATLAS.ti Version 8 and created as primary documents. In this analysis, the researchers summarized shortly based on the assigned keywords (that later coded in the ATLAS.ti). Then, several categories were initiated automatically in the code group as shown in Figure 2. The categorization in ATLAS.ti Version 8 was found easier and more structured when it comes to data sorting (Zairul, 2020).
Studies included (n=12) Studies not eligible according to inclusion and exclusion criteria (n= 130) No

No
Records identified through Scopus search database (n=52)

Figure 2. Code group established from Mendeley metadata
The first round of coding formed 5 codes, which were further grouped into several other codes to answer the study inquiry of "What are the major concerns (emergent themes) on risk management practices among the public and non-profit organizations?" On top of the content analysis for emergent themes (qualitative reviews), the analysis was made to quantitatively summarize the characteristics of the articles under study. These results are presented and discussed in the following sections.

Results and Discussions
The results of the content analyses are presented and discussed separately into quantitative and qualitative views, as follow:

Quantitative Results: Inventory of Article Characteristics
This sub-section highlights the characteristics of the studies, namely year of publication, country, the scope of studies, and finally, the type and rigor of methodology. The researchers found that the use of the phrase "risk management" associated with "public organization" OR "non-profit organization" was scarce from the database. Even though the phrase was searched, the appeared results included articles about various practices and mostly from the natural risk area. Additionally, risk management practices from banking (profit-oriented organizations) were also included in the results. However, these irrelevant articles were taken out from the lists for further review. The research string was a direct reference from the 12 selected articles through different periodicals, including Entrepreneurship and Sustainability Issues, International Journal of Financial Research, Business and Economic Horizons, etc. (see Table 1). Subsequently, the researchers have come up with a critical review by referring to the 12 articles that are associated with risk management practices among public and non-profit organizations. The researchers observed that the publishing trend is almost static in number from year to year from 2013 till 2020, as shown in Table 1. It seems that there is not much publication that highlighted the idea of public risk management from the year 2010 until the recent year, even no article published in years 2010, 2011, 2012, and 2015.
The trends in publishing works related to public and non-profit organizations' risk management were seen rather popular in developing countries like Malaysia and South Africa. There are also related publications reported from other developing countries such as Ghana, Poland and Turkey and developed countries such as Italy, Scotland and South Korea as shown in Table 2. The trends show how the risk management practices start to embed in public and non-profit organizations, but it should not stop there. Risk management should be implemented extensively in the government as well as other non-government organizations that are notprofit oriented as such practices were evidenced have improved the performance of these types of organizations (Kim & Kim, 2020;Scarozza et al., 2017) even though risk management is originally rooted from corporate sectors. As shown in Table 3, the publication regarding risk management practice is more widespread among public organizations, including government agencies as well as municipalities as compared to non-profit organizations. This trend questions the acceptability and practicality of risk management within non-profit organizations.

Totals 4 8 12
As per the research methodology applied, almost all the articles are empirical in which five of them applied quantitative and qualitative methods respectively, and one applied a mixedmethod approach. Only one paper was conceptual. This analysis is summarized in For instance, the five quantitative articles were further categorized into three rigor levels, as described below: i. Level 1: Descriptive statistics were presented from the data collected through questionnaire surveys, where answers provided quantitatively, for example using a 5-point Likert scale. ii. Level 2: Descriptive analyses were provided with statistical analyses such as correlations and regressions. Additionally, the operationalization of variables was described. iii. Level 3: An experimental design consisting of control and experimental groups, and p-values were used to assess statistical significance. Generally, the five quantitative articles were evenly split between level 1 (three articles) and level 2 (two articles), while none of the articles was experimental in design (level 3). Table 4. For instance, the five quantitative articles were further categorized into three rigor levels, as described below: iv. Level 1: Descriptive statistics were presented from the data collected through questionnaire surveys, where answers provided quantitatively, for example using a 5-point Likert scale. v. Level 2: Descriptive analyses were provided with statistical analyses such as correlations and regressions. Additionally, the operationalization of variables was described. vi. Level 3: An experimental design consisting of control and experimental groups, and p-values were used to assess statistical significance. Generally, the five quantitative articles were evenly split between level 1 (three articles) and level 2 (two articles), while none of the articles was experimental in design (level 3).

Author (Year) Mix method Qualitative Quantitative Conceptual Total
(Domańska-Szaruga, 2020) 1 1 (Ghani et al., 2019) 1 1 (Moloi, 2018) 1 1 (Gibb & McNulty, 2014) 1 1 (Kim & Kim, 2020) 1 1 (Scarozza et al., 2017) 1 1 (Kumah et al., 2019) 1 1 (Karakaya & Karakaya, 2017) 1 1 (Arshad, Abu Bakar, et al., 2016) 1 1 (Moloi, 2017) 1 1 (Spikin, 2013) 1 1 (Hood & Smith, 2013) 1 Totals 1 5 5 1 12 For the qualitative studies, the five articles were further classified into four levels of rigor, as follow: i. Level 1: A descriptive, narrative, or case study report, in which no methodology is named or demonstrated, or described in detail. ii. Level 2: A methodology is mentioned (e.g., semi-structured interview, grounded theory). Qualitative data were not recorded, but excerpts of field notes might be provided. Results are provided in the form of categories, in which the categories might be emergent or be predetermined by the selected theoretical/conceptual framework. Codes might be provided but the coding methodology is not explained. iii. Level 3: A systematic methodology is explained. For instance, audio or video recordings were gathered and transcribed, and observation was noted and described accordingly. iv. Level 4: The study describes in detail the methodology used. For instance, triangulating (Yin, 2018) and the emergent coding process (Saldana, 2009) were described with the stopping point of saturation being revealed and explained (Silverman, 2013). Additionally, other strong rigor signifiers such as member checking (Silverman, 2013) to indicate validity, and reliability measures were reported. Overall, the rigor of the qualitative study falls under level 1 (3 articles); level 2, and 3 with one article respectively.

Qualitative Results: Emergent Themes
The 12 articles highlighted different views of risk management practices within public and non-profit organizations. One article discusses in detail the importance of risk management culture within the organization, one article describes the concepts of risk management within these organizations and the rest of the articles highlight the extent of risk management practices in various dimensions. Risk management culture depending on the risk culture, in which people in the organization have a complete understanding of risks faced and the way the risks are managed within their organization. Risk culture on the other hand denotes knowledge, understanding beliefs, values, and attitudes of risk shared by a group of individuals with a common purpose. The risk culture applies to all organizations, inclusive of public and non-profit organizations. It has a direct effect on the ability to make strategic risk decisions and deliver on promises of performance. Inadvertently, organizations with inappropriate risk cultures will find themselves allowing practices that are totally at odds with stated procedures and policies or operating entirely beyond these policies (Richardson & Fenech, 2013). Thus, the existence of risk management culture is the key element that contributes to effective and efficient risk management in an organization. From the articles reviewed, it is concluded that employees in non-profit organizations (NPOs) did not well understand the risk management concept and process (Ghani et al., 2019;Karakaya & Karakaya, 2017), which indicates low-risk culture within NPOs. This is due to the lack of specific risk management guidelines that they have . It shows the importance of specific guidelines as the basis of practice, especially for those who have no background in risk management. However, it is the role of board members to ensure the practicability of risk management practice in their organization . Besides, the risk management culture also depends on the existence of risk managementtalented employees. However, the studies found that the public organizations were unable to control risk management function with an ideal number of talented employees (Kumah et al., 2019;Moloi, 2018). Thus, it is important to have experienced and talented employees within the field of risk management within the public and non-profit organizations to inculcate the risk and risk management culture within those organizations. This factor is crucial since it affects the extent of risk management practice within a particular organization. Overall, the risk management practice in public and non-profit organizations is still low (Domańska-Szaruga, 2020) to medium (Scarozza et al., 2017) as compared to other organizations in corporate sectors. This is due to the low to medium embeddedness of risk management within these organizations, depending on the roles of their board members Scarozza et al., 2017). For instance, in NPOs, the employees have limited opportunity to access the existed risk management system (Gibb & McNulty, 2014). Additionally, the risk management function was not embedded holistically and practiced comprehensively within the NPOs. In other words, some organizations have formulated their risk management policies and framework, but only kept and practice the risk management within their unit/department without communicating them to the entire organization. This may infer that the management of the organizations treats risk management as a formal requirement by the relevant authority but not an element of effective management. The condition is somewhat similar within the public organizations, in which the studies found that the overall score for the extent of risk management practices in local government was very low (Domańska-Szaruga, 2020). The extent of risk management practices within public and non-profit organizations is summarized in Figure 3 below.

Figure 3. Network view of the extent of risk management practices in public and nonprofit organizations
As per the application of theories, it seems not to be highlighted in the articles under review. This is because, only three out of 11 empirical articles relate their studies with the relevant theory, namely agency, decision, and institutional theory, as depicted in Figure 4.

Figure 4. Network diagram of theories applied in the reviewed studies
For instance, from an institutional point of view, the risk management function is said to be able to produce organizational-specific rules and procedures in avoiding blame when things go wrong (Scarozza et al., 2017). This can happen when people, which referring to the employer and employees (agent and principal, as explained by agency theory) (Kumah et al., 2019) concerned with the specific steps in the risk management process, such as selecting the suitable strategies or techniques that will be used to mitigate the identified and measured risks (Spikin, 2012) as explained by decision theory.

Conclusions
In summary, this article provides a brief systematic literature review on the risk management practice in public and non-profit organizations. The searching process of articles supports the earlier findings that the numbers of risk management articles in public and non-profit organizations are scarce as compared to the numbers in the corporate counterparts. For instance, based on the reviewed articles, the practice of risk management in public and nonprofit organizations is comparatively lower than the practice in private and corporate sectors. This might be the reason behind the lower numbers of articles in this area. Additionally, most organizations practice risk management merely due to the requirement or recommendation of the relevant authority. Since the practice was not mandatory, the risk and risk management culture within these two organizations is still low. However, those who have implemented risk management comprehensively can see the improvement of their organizations in terms of operation and training. In other words, risk management has assisted them in improving their organizations and achieving the mission of their organizations. All in all, the research findings indicate the importance of risk management in public and nonprofit organizations. Thus, future studies should further explore other databases or search strings regarding the risk management practices in public and non-profit organizations. Perhaps, more articles could be found in peer-reviewed journals other than Scopus and Web of Science.