Risk Management Practices by South African Universities: An Annual Report Disclosure Analysis

This paper assesses risk management practices at South African universities by analyzing the extent of risk management disclosure recommended by King IV and the level of risk governance maturity. This study was motivated by #Feesmustfall disruptions, which pointed to the lack of effective risk management, preparedness for volatility and increased scrutiny by stakeholders. A qualitative content analysis using a risk disclosure checklist was conducted on 18 annual reports and analyzed using an exploratory research design. The results revealed that over 80% of the sampled South African universities have disclosed most of their risk management practices, showing an improved disclosure due to King IV’s “apply and explain” philosophy as introduced in 2016. However, there were areas of improvement identified, such as: defining and approval of risk appetites and tolerance; development and implementation of business continuity plans; confirming the unpreparedness for volatility; annual revision of policies; and integration of risk management into the culture and daily activities of the university. This paper builds upon previous studies that highlighted a lack of detailed disclosures in South African organizations’ annual reports. This study also provides interesting insights into the impact of social events on organizational practices and supports the notion that legislative accounting practices should echo stakeholders and societal expectations.


Introduction
It was South Africa's first black president Nelson Mandela, who expressed that "Education is the most powerful weapon which one can use to change the world" (Assar et al. 2010), a statement he strongly believed in as the newly elected democratic government embarked on a journey to transform the South African education system. Such an ambitious task was not easy given the inherent challenges of the past. Nonetheless, it was a transformational path needed for the greater good and future of the country, given the economic state at the time (Mncube 2013). Over the years, higher education institutes (HEIs) have become an important social institution that plays a vital role in the country's prosperity (Nongxa 2010). According to Allais (2012), such prosperity is attained by producing a competent workforce that contributes to the country's economic activities.
Therefore, it is in the best interest of the government, the private sector or external funders, the public and regulators for these institutions to strive and continue adding value to the economy and producing future leaders. However, with challenges, such as the high cost of education, increased competition due to globalization, internationalization of education, availability of e-learning, and the increasing demand for free higher education, the future of HEIs with their existing business model and strategic positioning is questionable and uncertain (Kevin 2010;Moloi 2016b;Botha 2019). These views are aligned with Rajab and Handley-Schachler (2009), who outlined that HEIs operate in a complex and rapidly changing environment due to the introduction of new technologies, globalization, generalizing the extent of disclosure in the South African context using their findings is questionable. Moreover, most risk management disclosure studies conducted in the South African setting explored the business sector rather than the education sector. Consequently, the applicability of their findings to the education sector is questionable as the context of risk management and governance varies from industry to industry based on stakeholder expectations, compliance requirements and operational environment. In addition, prior studies on risk management disclosures in the education sector were carried out before the issuance of King IV in 2016 and based on the previous King codes. Thus, the majority of these studies highlighted a lack of detailed disclosures on the actual risk management practices applied as the previous King versions applied the "apply or explain" rather than the "apply and explain" philosophy. Hence, organizations were not required to provide an explanation on the application of the recommended practices.
Given the importance of universities as a societal establishment, the introduction of King IV with the "apply and explain" philosophy, the gap identified in the literature, and the recent challenges faced by HEIs resulting in increased scrutiny and demand for information by stakeholders, it is considered imperative that the risk management practices of South African universities, as reflected in their disclosures, be investigated. The question arises: To what extent have South African universities applied and disclosed their risk management practices as per the King IV Code on Corporate Governance and the Higher Education Act No. 101 of 1997?
The following specific questions have arisen and remain unanswered:
1. What risk management practices could be adopted and applied by South African universities as recommended by King IV for effective risk management?
2. To what extent have South African universities applied, explained, and disclosed King IV's risk management recommended practices?
3. What are the minimum risk governance statements that could be incorporated as a proxy for risk governance by South African universities?
4. How do South African universities govern risk, and what is the maturity thereof?
Thus, the study aims to fill the gap identified and address the above-mentioned questions.

Risk Management
Notably, all organizations are faced with risks due to external and internal factors outside the control of the organization (Masama 2017; Chakabva 2015; Scheuerman 2017). These risks need to be managed; thus, risk management approaches and frameworks have been developed over the years to provide a standardized approach to managing risk. Organizations were formed to develop risk management frameworks. There are several frameworks for enterprise risk management (ERM), such as the Committee of Sponsoring Organizations framework, commonly known as the COSO ERM integrated framework; the International Organization for Standardization's ISO 31000 risk management framework and processes; and the Casualty Actuarial Society ERM framework (Andersen 2010; Kimbrough and Componation 2009). These frameworks have evolved over the years based on lessons learned from business failures and fraud. Based on prior studies, there are two commonly used approaches to managing uncertainty: traditional risk management and enterprise risk management (ERM) (Hohenwarter 2014; Masama 2017; Chakabva 2015; Chakabva et al. 2020).

Risk Management in the Higher Education Sector
It has been established in the literature that all types of organizations are faced with risk stemming from strategic, operational, financial and compliance environments regardless of the economic sector (Kageyama 2014; Masama 2017). The education sector is not immune to disruptions stemming from both internal and external environments. Thus, risk management is a well-studied phenomenon in this sector, as various studies concluded that HEIs have a complex risk profile because most of their risks originate within the universities due to aspects such as unpaid student loans, ineffective leadership, procurement practices, IT network integrity and student violence on campus (National Association of College and University Business Officers NACUBO; Kageyama 2014). Previous studies further outlined that universities are faced with risks that are inherent to their operations and not faced by other types of organizations, such as observation of the quality of education, residential, infrastructure, attraction and retention of students, and collaboration with other institutions (McDaniel 2007; Kameel 2007; Wade 2011). Moreover, risks also stem from outside factors, such as competition, scrutiny from regulators, government agencies, e-learning, globalization and lack of funds to pursue strategic goals and remain competitive in the globalized environment (Wilson 2013; Chetty and Pather 2015; Moloi 2015b). According to Kageyama (2014), HEIs are resistant to change, as for decades they have relied on the same operational model. Thus, they are vulnerable to disruptions, such as technological advancements, operational complexities, and globalization. Therefore, HEIs need to develop risk management strategies to manage uncertainty.
However, universities are often associated with a small city as they consist of different campuses, faculties with different heads and stakeholders, industry, and compliance requirements (Dubihlela and Ezeonwuka 2018). Thus, risk managers are challenged with the daunting task of identifying and treating complex risks throughout different campuses with different structures and procedures. Additionally, universities have a higher loss rate than industry sectors due to vandalism and lack of funds for strategic objectives. The cost of claims at universities for both financial and reputational damage can be significant due to their reliance on government subsidies, operational complexity, competitive operational environment with global players, and e-learning (Bubka and Smith 2015;Brewer and Walker 2010). Gurevitz (2009) further concluded that, although the enterprise risk management (ERM) concepts are useful for HEIs, they are frequently presented in a complicated manner and difficult to translate to the educational sector. According to National Association of College and University Business Officers (NACUBO), this is due to the lack of buy-in from management, clear role and objectives, lack of risk content and involvement of top management in an effective ERM program. Thus, according to Brewer and Walker (2010), universities increasingly recognize the significance of effective risk management. However, their focus has been on preventing risk from occurring and managing risk after the event, as few universities integrate risk within their quality assurance regime or strategic planning.
South Africa is home to some of the best universities in Africa, with a reputation for delivering quality in research and teaching. These universities attract students and talent from all over the globe and collaborate with international universities (Reygan 2016). Consequently, there is increasing attention and desire for South African HEIs to continue striving and producing a top, skilled, competent workforce and future leaders, as education has a role to play in the prosperity of the South African economy (Allais 2012). Nevertheless, in recent years South African universities have not been able to escape their fair share of challenges because of difficult operating conditions, regulatory pressure, competition due to globalization and e-learning, and increasing funding uncertainties (Chetty and Pather 2015; Moloi 2016e). According to Kageyama (2014), HEIs are resistant to change, as for decades they have relied on the same operational model. This has resulted in the recent disruptions, as the new generation of students has different expectations, such as free higher education due to mass education of the previously disadvantaged races (Moloi 2016e). Thus, South African universities have been forced to change their long-term plans due to the rapid challenges and increased pressure to ensure sustainability (Moloi 2016e). Consequently, South African universities had to develop and implement response strategies to proactively manage these challenges. A significant component of this process is strengthening the ERM at universities to ensure uncertainties have been identified and assessed, and strategic responses are developed to mitigate such uncertainty (Moloi 2016e).
From the above, it is deduced that HEIs have been confronted with challenges, such as lack of funding, vandalism, competition, e-learning and globalization, due to the complex and changing operational landscape, organizational culture and lack of effective leadership. In undertaking to manage risk and ensure sustainability, universities adopted risk management practices from the business sector. Universities are perceived as substantially different from other profit-generating entities and nonprofit organizations due to their strategic goals, social organization and operational complexities. Additionally, Abraham (2013) stated that many universities recognize that having an effective risk management process that is fully supported by the council increases the likelihood of achieving the university's objectives. It also allows better allocation of resources and increases transparency in uncertain times as channels of information are within a systematic process. It can be said that risk management helps an HEI maintain its competitive edge, sustain its integrity, reputation and effectively manage risks (Rehman and Hashim 2018;Moloi 2016e; Institute of Directors IoD).

Risk Disclosures
Risk disclosure can take the form of mandatory and voluntary, with mandatory disclosure driven by regulations and compliance requirements (Moloi 2015c). In the education context, HEIs are required by the Higher Education Act No. 101 of 1997 to report on their performance and operations, including risk management practices (Moloi 2016b;RSA 1997). These disclosures are made using annual reports as the main platform to present corporate information to stakeholders outside the organization (Institute of Directors IoD). Moreover, stakeholders rely on the information contained in the disclosures to make informed decisions. Hence, the annual report is seen as a public document that allows the organization to decode information for the public to make informed decisions on the organization's operational efficiency and sustainability (Adamu 2013a).
Both King III and King IV make recommendations for the board to comment on the integrated report on the system of risk governance. In addition, King IV requires the council to satisfy itself on the execution of its duties regarding risk management processes effectiveness and risk management practices. The annual report is used as the mode of disclosure and communication with external stakeholders. Furthermore, reporting activities by universities is administered by the Higher Education Act No. 101 of 1997 (RSA 1997) as guided by the King IV Report on corporate governance and implementation manual for annual reporting by HEIs issued by the Department of Higher Education and Training (Department of Education DoE; Institute of Directors IoD). The Higher Education Act provides little information on reporting requirements, such as the format and content to be disclosed in the annual report. However, reporting requirements for HEIs are covered by the implementation manual prescribed by the Department of Higher Education and Training for the regulation of annual reporting and acts as a supplementary guide for reporting (Act No. 101 of 1997). The implementation manual covers all areas of reporting ranging from financial reporting to non-financial information, and provides the format and content of required disclosures. The non-financial report is guided by King IV disclosure requirements on corporate governance. In the risk context, the implementation manual as per the Higher Education Act highlighted that the potential risk needs to be identified, and their anticipated impact on the institution should be assessed. In addition, the identified risk should be allocated to a department or risk owners to manage that risk and ensure that it is maintained in the risk register (Higher Education Act No. 101, 1997;Moloi 2015c). 
The Manual further highlighted that the scope of risk management within the institutions needs to be clearly defined, the individuals or committee responsible need to report at least annually on risk matters. The risk report prepared by the risk committee or chief risk officer should be included in the annual report and signed by the chair of the risk committee. Subsequently, these are consistent with the outlined frameworks, and the risk governance recommended practices as they outlined the importance of risk assessment, risk appetite, and risk governance structure through a risk committee (Act No. 101 of 1997; Institute of Directors IoD; Committee of Sponsoring Organizations of the Treadway Commission COSO; International Organization for Standardization ISO).
However, according to King IV (Institute of Directors IoD), the HEI's council has the discretion to identify how King IV disclosures will be made, whether disclosures will be included in the annual report, social ethics reports, risk management report, sustainability report, online or printed reports. Thus, the governing body can choose to report on multiple platforms while avoiding duplication by simple cross-referencing. Disclosures should be updated at least once a year, formally approved by the governing body and made publicly accessible (Institute of Directors IoD).
Prior studies on risk reporting revealed that high-risk disclosures could improve transparency and confidence between the organization and stakeholders (Louw 2016;Adamu 2013b). This can be accomplished by providing stakeholders with adequate, accurate and timely information for decision-making. Thus, providing stakeholders with insufficient disclosure means management has more information than stakeholders, which is seen as dishonest as funders cannot make informed decisions. Therefore, it is in the best interest of the organization to meet stakeholders' expectations and compliance requirements (Adamu 2013a;Louw 2016). These views are consistent with the requirements of King IV, as the King report promotes qualitative disclosure (Institute of Directors IoD).
Risk management procedures and disclosures are a widely studied phenomenon. Even so, most prior studies have explored the phenomena in the business sector due to factors, such as improved disclosures, mature overall corporate governance environment and JSE listing requirements (Adamu 2013b; Moloi 2015b; Louw 2016). Due to the recent challenges faced by South African universities, there has been substantial attention to universities and risk management specifically (Moloi 2015b). In the South African context, risk management and governance disclosures have been widely researched by Takiso Moloi in numerous studies starting from 2010. Moloi (2010) published a study directed at assessing the extent of corporate governance reporting by South African listed companies. The study assessed the 2006 annual reports of top 40 JSE listed companies for mandatory disclosures, and the results revealed that the majority of the sampled companies complied with the practices with the section of the external auditor and whistleblowing remaining the issue. Additionally, a study was published in 2011 to measure corporate governance practices by South African HEIs. This study confirmed the notion that the majority of the HEIs provided disclosure as per King II requirements. Yet, there was a lack of detailed disclosure on the application. Hence, there was room for betterment in the disclosure statements.
Furthermore, a study was conducted by Moloi (2015b) to assess risk management of the top 20 listed companies in South Africa using King III and affirmed the previous findings, as it highlighted the lack of details on the actual practices applied. Moreover, a cross-sectoral comparison study of risk management was conducted to assess the disclosures, and the outcomes demonstrated that JSE listed companies applied the King Code due to the listing requirements and shareholders with highly invested interest. The results revealed that the national government departments and HEIs have shortcomings and require much work with regard to the embedding of risk management in the key activities and organizational processes (Moloi 2016c).
A similar study by Ntim et al. (2013) explored, in the South African context, the extent of corporate governance and risk reporting disclosures before and after 2007/2008. It was concluded that risk disclosures are mostly non-financial and qualitative. In addition, there was a connection between corporate governance disclosures and board size, diversity and independence of the board. Perversely, there was a negative relationship between the extent of corporate governance and a dual board structure.
From the studies above, it is inferred that King III was used as the basis of measure through the "apply or explain" concept. Thus, detailed disclosure on the actual risk management practices was not required as long as the rule-based approach is complied with and a valid reason for non-compliance is provided to stakeholders (Institute of Directors IoD). In addition, prior studies revealed that risk management is mostly explored in the private sector, as these organizations have been exposed to corporate scandals and the global financial crisis (Masama 2017; Chakabva 2015; Pichulik 2016; Pickworth 2014; Moloi 2015a). The current most widely used risk management frameworks, COSO ERM and ISO 31000, originate in and were developed for and by the private sector (Committee of Sponsoring Organizations of the Treadway Commission COSO; International Organization for Standardization ISO). Yet, there are fundamental differences in the operational environment, organizational settings, and strategic objectives in these types of organizations when compared to the higher education sector.
Various authors further outlined that most private companies, when compared with HEIs, have clear objectives, sufficient resources, and effective leaders with effective decision-making structures for implementation of business objectives (Mncube 2013; Chetty and Pather 2015). Consequently, risk management content and empirical studies are limited in the higher education sector, especially implementation, as the best practices and implementation studies mostly explore the private sector (Brewer and Walker 2010; Moloi 2015a; Grobler and Horne 2017). Moreover, numerous studies confirmed the notion that risk management practices are relatively new in the higher education sector with limited empirical research (Ramirez and Christensen 2013; Grobler and Horne 2017; Andersen 2010; Moloi 2014, 2016d). The slow adoption of risk management by HEIs is largely ascribed to these institutions being known as a place of forming ideas and being resistant to change (Power 2007; Kezar and Meyer 2007). Ramirez and Christensen (2013) concluded that adopting risk management practices developed for profit-making organizations can be challenging to implement as the principles are vaguely translated due to limited risk management content in the educational sector. Thus, at times risk management practices are viewed with skepticism, and their applicability is questionable due to lack of content and operational differences. Moreover, HEIs often adopt risk management practices that are underdeveloped for their complex organizational setting with multiple campuses, faculties, and hierarchical decision structures (Moloi 2015b).
Lastly, South African studies conducted on risk management disclosure were carried out before the introduction of King IV in 2016 and based on previous King Codes (Moloi 2014;Barac and Moloi 2011;Ntim et al. 2013;Whyntie 2013;Hines et al. 2015). Hence multiple researchers highlighted a lack of detailed disclosures in annual reports on the actual risk management practices applied to govern risk. The highlighted lack of detailed disclosure is due to the previous King Codes, which were underpinned by the "Comply or Explain" requirement, as compliance and actual risk management practice disclosures were not required as long as the reason behind the non-application is provided to stakeholders (Moloi 2014;Wilkinson 2014;Barac and Moloi 2011).

Risk Governance Maturity
Risk management application differs from organization to organization as it requires time and resources for effective application as some organizations may not have the resources to apply risk management to their full extent (Wilkinson 2014). It is significant to note that governing risk does not follow an organizational life cycle approach where an organization initiates risk governance and after some time reaches good or mature governance. It is possible for a newly established organization with the right structures and systems in place to have mature risk governance, compared to an organization that has existed for years without building the right systems and structures. Therefore, risk management is subject to resource availability, commitment to good governance and not determined by organizational maturity (Rehman and Hashim 2018;Wilkinson and Plant 2012;Wilkinson 2014). Thus, organizations need to continuously assess their risk management maturity as such assessment will determine blind spots and areas of improvement in their systems of risk governance (Bhasin 2016). Consequently, in recent years there has been a demand for a framework that measures corporate governance in general and risk management to be specific (Wessels and Wilkinson 2016).
Several studies highlighted that risk maturity models consist of the following elements: (1) attributes, which refers to the qualities and characteristics that can be associated with an organization's risk management framework (Wilkinson and Plant 2012; Wilkinson 2014; Rehman and Hashim 2018).
(2) modes of maturity-refers to the different layers of the organization's risk governance maturity and gives a summary of the extent to which risk management framework has been implemented (Wilkinson and Plant 2012;Rehman and Hashim 2018). In addition, several studies outlined that risk maturity can be measured within a five-level approach with the levels of maturity known as nascent, emerging, integrated, predictive and advanced. These levels of maturity consist of minimum risk governance requirements for effective risk management; thus, organizations can adopt the minimum risk governance requirement and measure the extent of implementation within the five levels to identify areas of improvement (RIMS 2009;Coetzee et al. 2010;Rehman and Hashim 2018). Figure 1 below illustrates the different modes of risk maturity and the minimum risk governance requirements within each level of maturity as guided by the risk governance attributes. It can, therefore, be concluded that there is a need for a current study exploring risk management disclosures and risk governance maturity at HEIs in South Africa after the implementation of King IV.

Stakeholder and Legitimacy Theories and Disclosures
This section discusses the theories considered relevant for this study. Voluntary disclosures are motivated and driven by disclosure theories, such as stakeholder and legitimacy theory (Kiyanda 2014). According to the stakeholder theory, all organizations have a set of stakeholders, such as government agencies, society and investors. Therefore, organizations are accountable to all their stakeholders to disclose information that may be of interest to the different stakeholders (Kiyanda 2014). In the case of the educational sector, prior studies have highlighted increased scrutiny and demand for accountability and transparency by stakeholders as HEIs were faced with complex challenges threatening their objectives (Moloi 2015a). Thus, it is a moral obligation for management to provide stakeholders with adequate information on their operational activities and fulfill their social contract with society (Kiyanda 2014).
Contrary to the stakeholder theory, which focuses on the interest of stakeholders, the legitimacy theory focuses on the interest of the organization as disclosures are made to be accepted by society (Kiyanda 2014). These disclosures are widely used in social and environmental disclosure studies (De Villiers and Van Staden 2006;Kiyanda 2014). In the education sector, HEIs could be making disclosures on their operational activities and efforts to be accepted by the society they serve, as it has been discussed that HEIs are an important societal establishment. Accordingly, for this study, both stakeholder theory and legitimacy theory are viewed as applicable to this study.

Research Methodology
To address the research questions, the study was conducted in two phases:
Phase one: Prior studies, ERM framework, risk governance frameworks and King codes were reviewed to establish the risk management practices and the minimum governance requirements, acting as a proxy for risk governance.
Phase two: A checklist was developed using the King IV recommended practices and risk governance maturity framework based on prior studies. The checklist was deployed to conduct a qualitative content analysis of the annual reports of the sampled universities.
The study employed a qualitative content analysis method, using an exploratory research design. This approach was adopted and deemed relevant as the study aimed to explore the extent of risk management practices disclosure as recommended by King IV, as well as the risk governance maturity thereof, using annual reports, which are deemed official communication between organizations and external stakeholders and are qualitative in nature, as King IV recommends a qualitative narrative on the application of the practices for effective risk management. A qualitative approach, therefore, allowed the researcher to comprehend the disclosure statements in the annual report. The annual reports were assessed to determine if they carried full disclosure, nondisclosure, or obscure disclosure while concurrently measuring risk governance maturity according to the disclosures made. A risk disclosure checklist was developed using the King IV report's 11 recommended practices for effective risk management and the risk governance maturity framework. The risk disclosure checklist was employed for this study for several reasons: first, it is less expensive and allows the researcher to assess qualitatively without expensive software. Second, it allows the researcher to assess the completeness of content compared to a pre-defined set of disclosure statements.
The checklist was deployed as a data collection tool to conduct a content analysis on a total of 18 sampled annual reports, which were purposively selected within the traditional, comprehensive and university of technology categories in the South African education sector. This sample was split between two universities per category and analyzed over three years (2015–2017) for data triangulation and insights into trends over the years. The year 2015 was selected as the year of the trigger event #Feesmustfall, with 2016 as the year King IV was issued and lastly 2017 as an aftermath year to understand the risk management practice disclosures after the improved recommended practices and the introduction of the "apply and explain" philosophy.
To ensure the adaptability of the results, the data analysis process was documented using Excel, and the records are kept. When the content analysis was conducted, a formal approach was employed for replication, as follows:
Phase 1: getting accustomed to the annual report's risk section by conducting an in-depth reading of the report and highlighting relevant disclosures.
Phase 2: the second phase consisted of a comprehensive reading of the report and answering the checklist governance statements. The disclosure statements were then recorded on the Excel spreadsheet against the relevant King IV recommended practices or minimum risk governance requirements.
Phase 3: evaluating completeness and accuracy by read-through across the years to confirm details. Once accuracy was confirmed, the data were then analyzed using Excel and reported in aggregate.
Phase 4: results and visualization, comparison, insights, generating and comparison with literature to confirm or reject trends.

Assessed Annual Reports
Due to the lack of a comprehensive list of all HEIs that are publicly funded and published their annual reports between 2015 and 2017, the time constraints of the study and the method employed, which is labor-intensive as the researcher was required to comprehend the disclosure statements, two universities per category were selected, and three annual reports per university from 2015 to 2017 were analyzed. The sample size was deemed sufficient as all categories were represented evenly, and the researcher employed data triangulation. The reporting year was 2017; 2015 was selected as the year in which #Feesmustfall, which is used as a trigger event, started; and 2016 was selected as the year in which King IV was issued. Both 2015 and 2016 were used for comparison and trend analysis. Table 1 below illustrates the number of annual reports assessed per category for the period under review.

Risk Management Practices Disclosures
The developed checklist was used to assess the extent of risk management practices disclosure by South African universities. To accomplish this, three categories of disclosures were created, namely, full disclosure, nondisclosure and obscure disclosure. The researcher then conducted a content analysis of the annual reports to assess if the risk management practice disclosure statement on the sampled university has full disclosures, nondisclosure, or obscure disclosures. Universities with full disclosure were marked as "yes". Universities that did not make any disclosures on specific practices were marked as "no", while universities that did not disclose in detail were marked as "obscure". Lastly, all sampled universities with full disclosures were added together and presented as a percentage of "yes", the same applied with "no" and "obscure", respectively.

Results and Discussion
The checklist created comprised two sections, namely, risk governance structure and risk management practices. The two sections consist of risk management practice disclosures as recommended by King IV for good governance.

King IV Recommended Practices
Explanation of practices evaluated as presented in result Tables 2 and 3.

1.1 The council should consider allocating the oversight role of risk governance to a dedicated committee or adding it to the responsibilities of another committee, such as the audit committee.

1.2 If the audit and risk committees are separate, the council should consider one or more members to be a member of both committees for more effective functioning.

1.3 The committee for risk management should have executive and non-executive members, with the majority being non-executive members.

1.4 The council should assume the responsibility to govern risk or through a dedicated committee by setting the direction for how risk should be approached and addressed in the university, including the following: the potential positive and negative effects of the risk in the achievement of objectives.

1.5 The council should treat risk as integral to the way it makes decisions and executes its duties.

1.6 The council should approve policies that articulate and give effect to its set direction on risk.

1.7 The council should evaluate and agree on the nature and extent of risks that the organization is willing to take in pursuit of its strategic objectives, such as approving the university's risk appetite and risk tolerance.

1.8 The council should delegate to management the responsibility to implement and execute effective risk management.

1.9 The council should exercise ongoing oversight of risk management to ensure the following:
    1. An assessment of risks and opportunities;
    2. An assessment of opportunities presented by risks;
    3. The design and implementation of appropriate risk responses;
    4. The establishment and implementation of business continuity arrangement;
    5. The integration and embedding of risk management in the business activities and culture of the university.

1.10 The following should be disclosed concerning risk:
    1. An overview of the arrangement for governing and managing risks;
    2. Key areas of focus during the reporting period, including objectives, the key risk facing the University, as well as unexpected or unusual risk and risk taken outside the risk tolerance levels;
    3. Actions taken to monitor the effectiveness of risk management and how outcomes were addressed.

1.11 The council should consider the need to receive periodic assurance on the effectiveness of risk management.

Risk Governance Structure
Presented in Table 2 is the risk governance structural section of the checklist, which assesses the extent of disclosures relating to the formation of the risk governance structure. Concerning disclosures on the risk management structure, the results revealed that South African universities have disclosed information regarding their risk governance structure, as they have established risk governance structures, such as an audit committee or a standalone committee, such as a risk management committee. As shown in Table 2, South African universities have applied and disclosed King IV's risk management practices regarding their risk governance structure, as these were applied and disclosed by over 80% of sampled universities in 2017. These universities have formed either a risk committee or an audit committee. In addition, in instances where the risk committee and the audit committee were separate, one member was part of both committees for effective performance. Additionally, almost 83% of the sampled universities' risk committees consisted of executive and non-executive members. According to Moloi (2015b), it does not seem like South African HEIs have embraced the idea of separate risk departments within their structures. Notably, they placed high reliance on the audit committee for risk management issues. Whyntie (2013) reasoned that having different board committees may create more layers of bureaucracy. Moreover, a study conducted between 2003 and 2011 demonstrated that having a separate risk committee is associated with high audit fees (Hines et al. 2015). Therefore, some organizations prefer an audit committee that handles both audit and risk management issues.
Nonetheless, some universities (17% of the sample) have not reformed their governance as recommended by King IV, which recommended that the audit or risk committee should be made up of both executive and non-executive members, with the majority being non-executive. These universities mentioned their risk governance committee members. However, they did not distinguish if they are executive (internal) or non-executive (external). Thus, the "obscure" disclosure.

Risk Management Practices
Presented in Table 3 and Figure 2 below are the results for Section two of the checklist known as risk management practices, which assess the extent of risk management practices disclosures by South African universities. All universities marked as fully disclosed were added together and presented as a percentage of "yes". The same applied with "no" and "obscure". Figure 2 provides insights on the trend using the comparison years. Table 3 above summarizes risk management practice disclosures, using 2017 as the reporting year and two additional years for data comparison. To further comprehend these results, Figure 2 illustrates the disclosure trends over the years.
Regarding risk management practices disclosures, South African universities adopted, applied and explained King IV's risk management practices as applied by more than 80% of the sampled universities. This improvement in the disclosure since prior studies can be ascribed to the King code issuance on corporate governance in South Africa, especially the King IV "apply and explain" philosophy as it promotes risk management and qualitative disclosures. Additionally, the increased detailed disclosures compensate for the limitations of previous King codes and the lack of detailed disclosures on the actual risk management practices applied as highlighted by prior studies, which were conducted before King IV was issued in 2016 (Moloi et al., 2014; Wilkinson 2014).
As shown in Table 3 above, principle 1.4 was disclosed by nearly 83% of sampled universities as the council assumed the responsibility to govern risk. Still, around 17% of sampled universities did not disclose information regarding the responsibility to govern risk. The same can be said regarding principle 1.5, as approximately 17% of sampled universities did not clearly outline that the council treats risk as integral to the way it makes decisions and executes its duties. This increased attention to managing risk is ascribed to the challenges faced by South African universities with the potential to entirely shift their operational objectives (Moloi 2015b).
Principle 1.6 relating to annual revision and approval of policies was disclosed by 66% of sampled universities, while 17% of sampled universities did not disclose whatsoever. The remaining 17% of sampled universities obscurely disclosed as they mentioned policies without outlining approval by the council. This could be due to the poor quality of disclosures and the lack of details on approval, even though practiced within the university. According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), organizations should set the tone at the top by establishing a code of conduct, policies and training programs on risk and ethics. Thus, having up-to-date policies promotes an ethical environment. Moreover, the #Feesmustfall disruptions resulted in universities revising and updating their policies to enforce student compliance with institutional policies, as the protest resulted in student arrests and court cases in 2016 and 2017 (Mapheta 2016). Similarly, the disclosure in 2016 and 2017 can be attributed to the maturity of risk governance adoption as per King IV and the reporting requirement, which creates an ethical environment.
Regarding the definition and approval of risk appetite and tolerance level as outlined by principle 1.7, only 50% of sampled universities had full disclosure, while the other 50% of the sample did not make any disclosures. However, this could be due to the universities not yet having adopted the recommended practices, as the preceding King codes did not have a principle requiring an organization to define risk appetite and tolerance levels. Nevertheless, the importance of risk appetite cannot be ignored as the ERM framework and King IV all recommend the definition of these levels so that risk can be taken within acceptable levels and monitored (Pricewaterhouse Coopers PWC; Institute of Directors IoD; Committee of Sponsoring Organizations of the Treadway Commission COSO; International Organization for Standardization ISO). Furthermore, these results are consistent with the study on annual report disclosures in the USA, Canada and Germany, which discovered that qualitative risk disclosure is frequent compared to quantitative disclosure and submitted that organizations are struggling to quantify their risk exposure (Dobler et al. 2011).
Principle 1.8 recommends that the council delegate the responsibility for the implementation of effective risk management. The results have shown that 83% of sampled universities did disclose, whereas around 17% of universities obscurely disclosed as the annual report only showed the responsibilities without outlining delegation to executive management. Relating to principle 1.9, which outlines ongoing oversight, nearly 33% of sampled universities obscurely disclosed this principle as it consisted of several recommendations. Consequently, about 67% of sampled universities partially applied and disclosed some of the requirements. Notably, the obscure disclosure was due to factors such as the lack of business continuity plan arrangements for volatile operational environments, such as #Feesmustfall, and the lack of integrating and embedding risk management practices within the culture and activities of the university. Moreover, even though disclosures on risk assessment were complete, assessment of opportunities presented by risk was also a challenge as it was not disclosed. Even so, according to Kageyama (2014), universities are often associated with a small city as they consist of different campuses, faculties with different heads and stakeholders, industry and compliance requirements. Consequently, integrating and creating a risk culture can be challenging, especially for previously divided organizations due to their past.
Furthermore, King IV, through principle 1.10, recommends the annual reports to provide a risk governance overview. This requirement was disclosed by 100% of the sampled universities as they outlined the formation of the risk committee, conducted risk assessment workshops and monitored risk within established reporting structures for communication. Lastly, 100% of the sampled universities received periodic assurance on the effectiveness of their risk management processes as outlined by principle 1.11.
Although King IV was not yet issued in 2015, it is important to note that some principles were already being implemented by the sampled universities as King IV was an expansion and improvement of previous King codes. As shown in Figure 2, in 2015, 100% of sampled universities disclosed principle 1.4 compared to 100% and 83% of sampled universities in 2016 and 2017, respectively. In addition, 80% of sampled universities disclosed principle 1.5 compared to 83% in both 2016 and 2017. Relating to the revision and approval of policies as outlined by principle 1.6, the results revealed 60% disclosure by the sampled universities in 2015 and 83% in 2016. King IV was introduced, and #Feesmustfall started in 2015. Therefore, most universities in 2016 strengthened their policies and procedures, though the disclosure declined to 66% in 2017. Additionally, the years 2015 and 2016 displayed a higher nondisclosure relating to principle 1.7 as 80% and 83% of sampled universities did not make disclosures in the respective years. This is due to the requirements of developing and approving risk appetite and tolerance level only coming into existence in 2016. Therefore, most universities had not adopted them, compared to 2017, where there was only 50% nondisclosure.
Moreover, principle 1.8 revealed that about 80% of sampled universities disclosed in 2015 as compared to 100% in 2016 and 83% in 2017. At the same time, the year 2017 showed obscure disclosure relating to principle 1.9 at 33% of sampled universities, compared to 60% in 2015 and 83% in 2016, a significant improvement ascribed to the maturing adoption and application of King IV.
Notably, South African universities disclosed the recommended practices they adopted and applied, as over 80% of sampled universities disclosed most of the recommended practices. This demonstrates compliance with the higher education act reporting guidelines and the Higher Education Act No. 101 of 1997 and King IV (RSA 1997; Institute of Directors IoD). However, there were still some challenges, such as disclosures on the annual revision and approval of policies by the council, which showed a 67% disclosure by the sampled universities in 2017. According to Akyar (2014), for an ethical environment to exist, the board should frequently revise and approve policies and procedures to reflect the actual practices and principles at the university. There was also a lack of disclosure on risk appetite and risk tolerance level, though it has improved when compared to previous years. Thus far, it still showed that 50% of sampled universities did not disclose. These results are an improvement from prior studies, but still consistent with the findings of Moloi (2015b), who asserted that the determination and monitoring of risk appetite and risk tolerance levels are of concern in South African universities as 95% of sampled universities were silent on these in their annual reports in 2014.
Lastly, approximately 33% of the sampled universities obscurely disclosed principle 1.9 as it consisted of a number of requirements. Notably, the lack of disclosure relating to the assessment of opportunities, business continuity arrangements, and integrating risk management into daily activities and culture of the universities were the challenges, as these were not disclosed. Arguably, this is due to some universities not yet having developed business continuity plans in 2015 and 2016. However, disruptions, such as #Feesmustfall, gave rise to disclosures, such as the risk of disruption and vandalism, which were of concern to the universities. Thus, some universities were considering developing business continuity and contingency arrangements. Hence, the increase to 50% of sampled universities in 2017. According to ContinuitySA (2018), a strategic and future-oriented organization develops contingency plans to recover its operations under volatile conditions; thus, the lack of disclosure on business continuity plans confirms that South African universities were not prepared for events, such as #Feesmustfall, as they had not yet developed their contingency plans for volatility.

Risk Governance Maturity
While risk management practice disclosures were being assessed, the risk governance maturity was concurrently assessed using a checklist, which comprised risk governance maturity levels and the minimum risk governance requirements. The minimum requirements were assessed for whether they had been incorporated and were presented as a percentage of "yes" and "no". See Table 2 for detailed levels and requirements.
The results revealed that South African universities governed risk by applying the minimum risk governance requirements as recommended by risk management maturity frameworks and the King IV recommended practices. Moreover, it was observed that the sampled universities are mature beyond the Nascent and Emerging risk governance maturity levels. This was evidenced by over 80% of the sampled universities incorporating the majority of the minimum risk governance requirements as per integrated-level 3. This is attributed to some universities, which applied minimum requirements for predictive level 4 and advanced level 5. Similarly, for the integrated level, most of the minimum risk governance requirements are incorporated by over 80% of the sampled universities.
Notwithstanding, there were challenges, such as adopting risk appetite, which was incorporated by only 50% of the sampled universities. Moreover, there is a lack of sufficient information or disclosure, which resulted in 100% of sampled universities not incorporating key risk indicators and cost versus benefit analysis for all risk response strategies (Dubihlela and Ezeonwuka 2018). These challenges were also highlighted by Dobler et al. (2011). As discussed above, there is an increased qualitative disclosure with organizations struggling on quantitative disclosures because of a lack of quantification of risk exposure. This was further confirmed by Moloi (2015b), who highlighted that the determination and monitoring of risk appetite and risk tolerance levels are of concern in the South African higher education sector as 95% of sampled universities were silent on the determination and approval of risk appetite and tolerance level at that time. One more lack of incorporation was about developing, executing, and testing business continuity plans, as 50% of sampled universities did not have these plans in place, even though they disclosed that they are considering developing contingency plans given the #Feesmustfall disruption. This lack of business continuity plans was also highlighted by Moloi (2015b), who asserted that most South African universities were not prepared for the #Feesmustfall disruptions as their risk management practices, such as business continuity plans and emergency plans, could not keep up with the student disruption. Thus, most universities found themselves not able to conduct final exams in 2015 as they could not recover their critical functions to operate under volatile conditions. Hence, Moloi (2016d) concluded that these universities were not prepared for events, such as #Feesmustfall, which utterly shifted their strategic objective, and some universities were unable to resume operation due to the disruptions and complete the academic year.
Risk appetite and tolerance levels were incorporated by 66% of sampled universities to govern risk, resulting in unexpected and emerging risks not being tracked by 50% of sampled universities. The lack of tracking on the unusual risk taken outside tolerance levels is attributed to the lack of risk appetite, tolerance levels and quantifications. Lastly, training on risk management was not conducted by 80% of sampled universities as per the annual report, and 67% of sampled universities were monitoring their risk management processes for effectiveness and received periodic assurance. According to Andersen and Terp (2006), risk training for risk awareness can assist an organization with integrating risk in the organization's culture.
Therefore, it can be concluded that South African universities are at the integrated level of maturity but improving to the predictive and advanced levels of risk governance maturity (Table 4). This is because some universities have started applying minimum requirements in levels 4 and 5. Almost 67% of sampled universities were already linking risk with their strategic objective and vision. Moreover, 50% of sampled universities embedded risk management or were looking at embedding it into strategic planning, capital allocation and decision-making. This is supported by Moloi (2014), who highlighted that South African HEIs had demonstrated some better practices with regards to the day-to-day integration of risks to the university activities as well as embedding of risk management systems and practices by management to deliver on the council's strategy, as 68% of South Africa's HEIs indicated that they practiced it.

Conclusions
The main aim of this paper was to assess the extent of risk management practice disclosures of South African universities and risk governance maturity thereof. The study used #Feesmustfall as a trigger event. This was also at the back of the introduction of King IV in 2016, which came with the "apply and explain" concept requiring organizations to disclose sufficient and relevant information for applied recommended practices. Furthermore, the study was motivated by the lack of research on risk management in the education sector, specifically in the South African context. The results revealed that South African universities have mostly applied and explained their risk management practices and improved given King IV's issuance. Hence, it can be concluded that the study filled the gap highlighted by prior studies as it contributes to the identified gap on risk management and risk governance empirical studies in the South African context and the higher education sector specifically. Thus, it provides unique insights into the application and disclosure of risk management practices in the education sector and submits an understanding of the risk governance maturity in the South African context. That is unparalleled as the study used King IV, unlike prior studies that were either from other countries or the public or private sector, or used King codes and highlighted a lack of detailed disclosure due to the "apply or explain" philosophy. Lastly, the study provides an interesting view on the impact of social events, such as protests, on risk management practices employed and further supports the notion of how legislative accounting practices echo stakeholder and societal expectations, and the potential to transform organizational practices.

Implications of the Study
The study further contributes to the body of risk management knowledge through theoretical implications as it provides new insights into the application and disclosures of risk management practices in the education sector to fill the identified gap. In addition, the study provides an understanding of risk governance arrangements and maturity by South African universities. The findings of the study are of significance to academics, who may replicate this exploratory study in other sectors to confirm the validity of the findings and methodologies, using the developed checklist to set a foundation to assess King IV disclosures utilizing other methods that are quantitative and cover a larger sample size. Regarding practical implications, the findings of the study have implications for risk practitioners and policies. The findings of this study are significant in assisting risk practitioners and managers to better understand risk management requirements and disclosure parameters within the higher education context. Furthermore, the study highlights the different approaches to assess risk governance maturity and the best practices to achieve continuously improving risk governance maturity. Therefore, practitioners can use the guidelines to assess their environment and completeness of risk disclosures in their annual reports.
Concerning policy implications, the findings could be significant to the Department of Education, as it governs reporting requirements through the reporting manuals and implementation for HEIs. The department can identify gaps in the disclosures and application of the risk management practices by revising its reporting guidelines and implementation manuals. Moreover, the challenges and gaps identified in the reporting practices can be addressed by imposing certain transparent requirements on disclosures in the annual reports as, even though the universities use the same guidelines and manuals, they report differently and at the discretion of the specific institution. Additionally, even though King IV is the main framework for governance, including risk governance, there are shortcomings, as it only recommends practices to be applied for effective risk governance without providing criteria to measure the maturity of the applied practices and assess the completeness of disclosures. Thus, the Institute of Directors Southern Africa can use the gaps frequently highlighted by researchers and this study to expand the scope to measure maturity, as King Codes are the main framework for corporate governance and, specifically, risk governance. It is important to note that King Code is non-legislative and is based on principles and practices. Therefore, to promote good governance and sustainability, the principles should be integrated into the Companies Act to enforce good governance principles, such as business continuity plans for sustainability.

Limitations of the Study
Although a detailed process was followed in designing the research methodology and performing the study to ensure adequate coverage and reduce potential limitations, the following limitations have been identified: First, the study employed content analysis using annual reports as published by the South African universities. Therefore, risk disclosure statements in the annual reports may not reflect the actual risk management practices applied as some information may not be disclosed due to its sensitivity and strategic nature. Second, content analysis as a research method relies on the quality of the annual report; hence, risk management disclosure may be incomplete and overlook significant information, resulting in the researcher not being able to conclude on the extent of disclosure or maturity for the specific practices omitted. Third, the study uses King IV as a corporate governance framework that recommends the best practices for effective risk management. Although King IV improved on King III's "apply or explain" philosophy to proceed beyond a compliance "tick box" mindset to an "apply and explain" philosophy, which is an outcome-based best practice, King IV still does not have the legislative powers to enforce adoption and disclosures, relying on regulatory bodies to enforce the recommended practices.
Fourth, the study is delineated to South African universities and is industry-specific. Therefore, its findings may not be generalizable to other sectors, privately funded HEIs, and other countries due to differences in legislation, strategic objectives and operating environment. Therefore, the findings may require further studies to be conclusive. Lastly, the study was limited by its time-frame or "constraints", by the use of qualitative content analysis, which is known to be labor-intensive and time-consuming and can result in data coding errors or personal biases, and by the use of a nonprobability, purposive sampling approach, which can result in the sample becoming unrepresentative of the population. However, to address this, the researcher used data triangulation methods for consistency and comparison and ensured all South African university categories were represented evenly.

Future Research
The limitations highlighted by the study suggest the following avenues for potential future research:

• The study only assesses the extent of disclosures by universities; a future study could include colleges and private universities, which are not publicly funded, to establish whether the same conclusion can be reached by applying the same methods;
• The study was conducted using content analysis, which is labor-intensive, resulting in 18 annual reports being assessed for the period under review. A future study could use a questionnaire to collect primary data from the universities. One of the limitations of using annual reports is the reliance on disclosure and the working assumption that disclosure represents actual practices at the university. Primary data collection would address this limitation;
• This study used a qualitative approach; a study can be developed using a quantitative methodology to cover a larger population and sample.

Author Contributions: The material of this study was produced by I.S. in pursuance of his master's degree in Internal Auditing, co-supervised by J.D. (principal supervisor) and L.B. (co-supervisor). Both supervisors significantly contributed to the research conceptualization and further collaborated as supervisors. Their duties were to assist with the completion of the research project, conduct all reviews and guide the direction of the research project, the data analysis and overall academic write-up. All authors have read and agreed to the published version of the manuscript.
Funding: This research received no external funding.

Institutional Review Board Statement: Not applicable.
Informed Consent Statement: Not applicable as the study was conducted utilizing sourced data by way of content analysis.
Data Availability Statement: Data and reports for the public universities in South Africa are archived with the auditor general and are publicly available. The data supporting the reported findings are presented in Tables 1-4 of the study.