Risk management in the public sector: challenges in its adoption by Brazilian federal universities

The aim of this study was to analyze the perception of the members of the risk committees of federal universities in Brazil regarding the challenges in the adoption of risk management in those institutions. Currently, federal universities are obliged by law to manage their risks. This is a recent process that presents them with considerable challenges, which have scarcely been explored. Studying the challenges in adopting risk management enables federal universities to gradually improve their overall management, with the aim of adopting the process in the best way possible. This study contributes to the professional and academic areas by proposing a set of actions within the operational context of the universities to improve the maturity level of the risk management of those institutions. The procedure adopted was a survey covering 68 federal universities in operation in 2019. The quantitative study was based on a questionnaire sent to the public servants on their governance, risk, and control committees, which had a 73% response rate. The data were analyzed using descriptive statistics and position and dispersion measures. Perception was analyzed regarding the challenges arising from the adoption of risk management, in which a lack of process mapping, the need for staff engagement and training, the emergence of divergences concerning the treatment of risk, and excess demands on staff were highlighted. The evidence indicated that risk management can guarantee and facilitate compliance with laws, regulations, norms, and standards, as well as the identification of external scenarios that can influence the occurrence of events that negatively impact not only the universities but the whole community.


INTRODUCTION
The complexity and scope currently faced by the new public administration can encompass the private as well as the third sector. This relationship is marked by intense interaction processes and bureaucratic mediations, revealing the need to continue efforts to redefine and implement innovative policies in order to strengthen management in the public sector (Matias-Pereira, 2009).
Within this context, a race has begun to preserve the integrity and reputation of public organizations, to follow good practices established by their governance, to align them with the various laws, and to identify the various risks that can compromise the achievement of organizational objectives (Trivelato et al., 2018). Changes and vulnerability to internal and external factors constantly challenge these organizations, requiring decisions, actions, and the formulation and use of strategies related to their processes and management model.
Effective risk management reduces the probability and severity of undesirable events in the public administration, which implies, according to Hill and Dinsdale (2003), predicting future risks and knowing how to deal with them proactively (proactive rather than reactive management). As in private organizations, public organizations are subject to fraud, embezzlement, corruption, and the inefficient allocation of public resources. However, according to Grateron (1999), the public sector has an obligation to satisfy a wide range of social needs, thus requiring rigorous management of limited public resources, with the aim of meeting its social obligations.
For Cooper (2012), it is an interesting time to study risk management in the public sector and the community. From the perspective of regional political development, public sector organizations will face substantial strategic risks in the coming years, due to a series of questions, including significant demographic changes (implications of the aging population), urbanization, economic recessions, as well as advances in technology and communication. Specific risks that can further impact the traditional economic and social objectives of communities emerge.
In this sense, public universities lie within the scope of the services provided by the State. Power et al. (2009) verified how risk management can change organizational and management control practices in higher education in the United Kingdom, through the intermediation of public supervisory agencies. In the higher education sector in the United Kingdom, the Higher Education Funding Council for England (HEFCE) and, more recently, the Quality Assurance Agency for Higher Education (QAA), have used risk-based regulations as a form of control over university governance and internal controls. Since 2002, the HEFCE has set prescriptive guidelines for universities in the United Kingdom, requiring them to design risk management systems. The universities now have high-level risk and auditing committees and monitoring and control systems that provide supervision over the risk management process (Power et al., 2009).
In the case of Brazil, the actions of supervisory bodies, such as the Comptroller General's Office (CGU) and the Federal Court of Auditors (TCU), are gradually creating the conditions for this scenario to also take place in federal universities. One example is the enactment of Joint Normative Ruling n. 1/2016, elaborated by the CGU and by the Ministry of Planning, which discusses the establishment of the Policy for Integrity, Risk, and Internal Controls Management in the federal administration. Moreover, since 2010 the TCU has required the annual management reports of public organizations to provide information on the internal controls structure of their units as well as information on risk management, via Normative Decision n. 107/2010. The Ministry of Education (MEC) also recently enacted MEC Ordinance n. 234/2018, which provides technical recommendations for observing the best practices for risk management. The aim of this study is to analyze the perception of the members of the risk committees in federal universities in Brazil regarding the challenges in the adoption of risk management in those institutions.
Within that context, this study aims to contribute to the academia, as well as providing the public sector with an additional view on the analysis of risk management in federal universities in Brazil. These are public institutions with their own characteristics and relevance that, in providing research and higher education services to society, face specific risks, requiring an adequate risk control system to achieve their objectives as teaching institutions. The study also seeks to contribute by highlighting challenges that may compromise the adoption of risk management in the universities analyzed, which can guarantee and facilitate compliance with laws, regulations, norms, and standards, as well as the identification of external scenarios that can influence the occurrence of events that negatively impact not only the universities, but the whole community.

Risk Management
Risk management consists of a structure that includes different processes to exert control over risks. Coetzee and Lubbe (2011) consider risk management to be a relatively new addition to the wider concept of corporate governance. The structure created by a risk management system includes processes and systems established by management to ensure its risk philosophy is incorporated into the daily activities of the organization. These can be a variety of activities, in which the risks can be managed in the financial (credit, market, liquidity, and liquidation risk) and operational areas. Trivelato et al. (2018) also highlighted the important relationship between risk management and corporate governance, in which risk management is an important tool that aims to preserve the resources and reputation of entities, thus strengthening good governance practices. The capacity to take better decisions in relation to policies, programs, and services is fundamental in an environment shrouded in uncertainty (Hill & Dinsdale, 2003).
Finally, within the conceptual sphere, Brito (2003, p. 15) defines risk management as the "process through which the various risk exposures are identified, measured, and controlled. " It consists of a systematic and methodic process through which the risks that can influence the achievement of the organization's goals are analyzed, evaluated, and addressed (action).
Over time, organizations have sought to adopt standardized and structured approaches that can be recognized. The adoption of a systematized risk management model combines reliability, standardization, and recognition of good practices by institutions, giving rise to various international reference standards, such as COSO ERM, ISO 31000, and Orange Book, among others. International Organization for Standardization (ISO) ISO 31000 -Risk management system -Principles and guidelines was a norm responsible for providing general principles and guidelines for risk management. ISO 31000 provides an internationally accepted standard for identifying and analyzing risks that is highly adopted in numerous countries.
In 2004, The Orange Book: Management of risk -Principles and concepts was published by the British Treasury (Her Majesty's Treasury) as the main reference for the risk management program adopted by the United Kingdom, introducing risk management concepts such as resources to develop and implement risk management processes in government organizations.
Such standards are also being adopted in the public sector in Brazil, which seeks to adopt risk management as a specific additional management method, thus enabling systemic controls and monitoring of incurred risks, as discussed in the following topic.

Risk Management in the Public Sector in Brazil
The importance of risk management has increased ostensibly during the last few decades, and this also applies to public entities. There are, however, unique traits that characterize the analysis and management of risks in the public sector, both in terms of areas of application and of execution (Domokos et al., 2015).
Even though the risk management practices determined by the main institutions are meant for any type of entity, the public sector has characteristics that require a specific system for that segment. Emerging as an independent discipline at the end of the 1970s and start of the 1980s, public risk management is an relatively new but important element of public management and budgeting, and, consequently, the academic literature on this topic remains limited (Qiao, 2007).
When the focus of risk management is on the public sector, in general a more risk-averse view is traditionally adopted for management. This is partly due to the importance given to the legal framework that guides public administration and because public resources need to be managed with appropriate care (McPhee, 2005).
In their studies on risk management in the public sector, Hill and Dinsdale (2003) describe various obstacles to effective risk management that can arise in each stage of the process and that form part of the operational routines of institutions, such as not developing an explicit process R. Cont for decision making on risks, dealing inadequately with uncertainty, or simply ignoring important risks that can lead to serious consequences for the entity or for society. Inadequate institutional management structures and systems can, therefore, negatively affect the process. Thus, a continuous risk management effort requires a systematic and integrated position from the government, especially when a cultural change is sought. For this purpose, each ministry, particularly those directly involved with risk management, should evaluate its decision-making processes, its culture, its knowledge, and its skills within the field of risk management (Hill & Dinsdale, 2003).
In the case of Brazil, the public sector has undergone various changes in terms of advances in the form of management. The formalization of risk management techniques occurred in the Brazilian Central Bank as early as 1997, with the use of market risk management tools to manage international reserves (Banco Central do Brasil, 2017). In 2007, with the creation of the Brazilian Federal Revenue Office, risk management was internalized in its regulations. In 2014, the current Committee for Risk Management, Control, and Integrity was created, which debated and approved the Risk Management Manual of the Treasury Ministry, the first edition of which was published in 2015, representing an important milestone for risk management in the public sector (Ministério da Fazenda, 2018).
The question of risks in management, applied to public policies in Brazil, was recently incorporated as an internal controls procedure.
The supervisory bodies in Brazil have accompanied this process and standards have been issued constituting the legal framework of procedures to be adopted by federal public institutions. Via Joint Normative Instruction MP/ CGU n. 1/2016, in article 13, it is determined that "the agencies and entities of the Federal Executive Branch should implement, maintain, and review their risk management process in accordance with their mission and strategic objectives, observing the established guidelines, " thus including federal universities. The ruling therefore provides general aspects that aim to guide the agencies of the federal executive branch in their adoption of measures to systematize good management practices, highlighting various concepts inherent to the topic of governance, risk management and internal controls, structure, principles, and objectives of internal controls, the definition of responsibilities, the basic structure of a model, and risk management and governance policy.
Another important point of Joint Normative Instruction MP/CGU n. 1/2016 relates to the institution of the Committee for Governance, Risks, and Controls, which is responsible for promoting and supervising, in an integrated manner, the adequate practice, methodology, and structure of governance, risk management, and internal controls in the entities. The standard does not specify the number of members of the committee, but it does determine that it should be composed of the senior manager (in the case in question, the dean) and of the other managers of the subordinate units (pro-deans, heads of department, and coordinators).

Risk Management in Brazilian Federal Universities
Federal universities in Brazil have undergone a process of expansion over the course of recent governments, through the creation of new units, interiorization, and an increase in personnel and course places, among other factors (Carvalho et al., 2018).
Together with the process of expansion and development, the dynamic environment in which federal higher education institutions operate is shrouded in increasing and varying uncertainties and doubts, making risk management essential for the management and control of those institutions (Sedrez & Fernandes, 2011). The expansion of public universities has led to greater complexity in their operations, with a corresponding greater exposure to risks. There needs to be a change from a less controlled environment to a less trusting one with greater control, meaning public universities require a high level of professionalism and responsibility to manage their operations (Assunção et al., 2019;Christopher & Sarens, 2015;Souza et al., 2016).
According to Wang et al. (2018), risk management in higher education is inevitable, as the threats related to disasters, finance, information technology, maintenance, and research can directly affect the reputation and sustainable development of higher education, which could cause a crisis of survival for the institutions. Moreover, federal universities relate with various social segments by providing the teaching, research, and extension services demanded by the community and the market (Ramos et al., 2018;Sousa et al., 2018).
Internal controls are essential in universities, aiming to increase efficiency and effectiveness in the achievement of their goals, and risk management is a key component of this (Anchundia et al., 2018).
Therefore, together with the process of expansion and development, federal universities have improved their management practices, seeking to achieve and meet their institutional objectives within the educational and social spheres (Ribeiro, 2014).
Analyzing the normative aspect in Brazil, federal universities, as autarchies affiliated with the MEC, are subject to Joint Normative Instruction MP/CGU n. 1/2016, as well as MEC Ordinance n. 234/2018, which discusses the same characteristics, principles, and requirements of the joint normative instruction and focuses on the MEC. Therefore, it establishes general guidelines related to risk management and internal controls that are applicable to the plans, goals, strategies, objectives, actions, and programs linked to the public educational policies of the MEC, considering a 60-month conclusion period for the implementation of the new risk management policy.
Consequently, the current standards seek to ensure that federal universities can increase the probability of achieving their objectives, eliminating or reducing risks to acceptable levels, enabling value to be added to the MEC through improved decision-making processes and by adequately addressing the risks and impacts caused by them (MEC Ordinance n. 234/2018). Table 1 summarizes some national and international studies on risk management that are applicable to the universities used in this research. Table 1 Studies related to the topic of risk management in universities Author

Objective Conclusions
Helsloot & Jong (2006) To analyze the risk in higher education in the Netherlands, considering the risks inherent to universities, society, and education as an organization by means of field research.
The results (derived from questionnaires, meetings, and interviews) show that the higher education institutions do not yet have an integrated security, protection, and crisis management policy. Institutions, staff, and students have limited awareness of the range of risks to which they and their environment are exposed.

Power et al. (2009)
To increase the importance of reputational risk in the organizations.
In the context of universities, there are both specific transformations in organizational practices and a growing generalized concern about reputational risk.
Christopher & Sarens (2015) To examine to what extent the main participants in Australian public universities have developed and implemented risk management in an environment of change management.
The discoveries show that wider influences -largely a result of conflicting management cultures -have had different impacts on the values of the main players and on the consequent adoption of the process.

Souza et al. (2016)
To verify how information security risk management features in a federal public institution according to the perception of the information technology managers. The study was applied in the Federal Institute of Science and Technology of São Paulo.
The results found show the importance of the roles performed by the people, the responsibilities, the development of policies, norms, and procedures, and their implementation, seeking greater control over risks, as well as the various opportunities that involve information technology security. Sousa et al. (2018) To compare the risk management methodologies presented by the Comptroller General's Office and by the Ministry of Planning, Development, and Science and to verify the possibility of adapting these to university management.
It is possible to apply the methodologies to the risk management of university institutions, but there is a need for adaptation, respecting the particularities of university management. Ramos et al. (2018) To propose to investigate, identify, and analyze possible risks that can impact the academic planning of a public university, enabling a contingency plan to be created to mitigate and reduce the impacts on an academic semester.
Risks in university environments can cause various impacts on the academic semester; research applied using stakeholders could be an efficient mechanism for identifying and prioritizing these risks. Identifying the impact and probability of the risks could provide academic managers with a quicker response to the problems identified. Wang et al. (2018) To explore the possibility of applying the enterprise risk management structure in higher education in China based on that structure.
It is necessary to strengthen the self-regulation of the universities based on external supervision of the administrative departments of education and form a prevention and control mechanism that combines academics, governments, and social multi-subjects, as well as broadly identifying and analyzing various risks, so that the cooperative universities can effectively avoid or control all types of risks.
To develop tools for managing processes and risk management at the Eloy Alfaro Secular University of Manabi.
The application of a checklist enabled it to be confirmed that there are inadequacies and opportunities for improvement in the dimensions of direction, strategy, and design in preparing the university for risk management, the integrated management of risks, and implementation and control.
Assunção et al. (2019) To demonstrate a method for identifying and evaluating risks by mapping processes, aiming to contribute to risk management in one department of the Federal University of Mato Grosso do Sul.
A risk matrix was developed with indicators that were able to reveal the level of risks that the unit is willing to bear and seek new ways of addressing them and mitigating them.

METHODOLOGY
First, in relation to its nature, this research is classified as applied and quantitative in terms of the approach to the problem. Regarding the objectives, it is descriptive, and with relation to the technical procedures, it consists of a survey.
The scope of this research includes the employees of federal universities in Brazil, totaling 68 institutions (Anísio Teixeira National Institute of Educational Studies and Research, 2019). Analyses were carried out of the respondents' profile and their perception regarding the challenges derived from the adoption of risk management in the institutions. It should be noted that five of the universities analyzed were excluded from the study as they had not yet started their activities: the Federal University of Rondonópolis (Mato Grosso), the Federal University of the Agreste de Pernambuco, and the Federal University of the Delta do Parnaíba (Piauí). The study therefore covered 63 universities.
Besides containing information on the profile of the public servants involved, the structure of the variables ( Table 2) was elaborated based on the main stages of risk management that feature in the literature and the main legislation, aiming to analyze characteristics that affect the objectives of this research. Thus, through the relationship between the groups of variables, we sought to analyze the perception of the public servants regarding the challenges arising from the adoption of risk management in federal universities in Brazil. The research followed the following steps: y The questionnaire followed the structure of the variables defined in the research and was composed of 19 questions divided into two sections: respondent's profile and perception (Likert scale). The Google Forms ® tool was used to collect the answers. y A pre-test was conducted using members of the governance, risk, and control committees of four universities in order to validate the questionnaire.
y The questionnaire was sent by email to a member of the governance, risk, and control committee of each university, as established by Joint Normative Instruction MP/CGU n. 1/2016 and MEC Ordinance n. 234/2018. Each university analyzed has its own committee, in which only one member answered the questionnaire, and so the member was not specifically chosen. The universities disclose the composition of the members of their committees through internal notices. y The data collection period occurred from 09/24/2019 to 10/31/2019. As a result, 43 responses were obtained, excluding the four questionnaires used during the pre-test phase, thus obtaining a 73% response rate. y The descriptive analysis of the data was carried out using dispersion and position measures.
After defining the methodological procedures of the research, the results analysis was carried out.

Respondents' Profile
The purpose of this item is to analyze the respondents' profile. The items that compose Group 1 of the research variables will be shown and analyzed, thus characterizing the professionals of the federal universities in Brazil who are engaged in risk management. Table 3 shows the sex and age group of the respondents.  The respondents in the 31 to 50 age group represent 74.5% of the total, this being the predominant age group. The 20 to 30 age group represents 16.3% and 9.3% are over 50, this being the least representative age group among the respondents. In absolute values, of the 43 respondents, 27 are men, thus representing the majority (62.8%).
In relation to education and position, it can be seen in Table 4 that most of the professionals engaged in risk management at the universities are made up of administrative technicians, who account for 83.7% of the total.  The results of the research show that the educational level of the public servants involved is at least degree level and 41.9% are specialists. A little more than half of the respondents (51.2%) have a master's/PhD, indicating that the employees seek further qualifications. There is a noted movement toward further education through specializations, masters, and PhDs; three employees have a degree, representing 7% of the data. Time of experience at the institution was considered in the research, as shown in Table 5. The data show that more than half of the public servants involved (48.8%) have from six to 15 years' experience. The least experienced ones, with up to five years at their institution, represent 34.9% of the total, while those with more than 20 years' experience account for 14%.
It is noted that the professional's experience in public management and universities contributes to the set of skills, knowledge, and capacities that a public servant needs to perform their functions and resolve problems, as well as to create solutions, independently of their academic training.
In relation to their time of experience specifically in the position they occupy, only one employee has been in the role for more than 20 years, as shown in Table 6. On the other hand, 67.4% of the public servants have only been in the role since recently and have less than five years' experience.
The data show that most (83.7%) have taken part in some training in this sense, showing concern on the part of the public servants about building skills. Moreover, the obligation to adopt internal control, governance, and risk management mechanisms established by Joint Normative Instruction MP/CGU n. 1/2016 contributes to the dissemination of training within the scope of the federal executive branch. The governance, risk, and control committees of each university are responsible for promoting the continuous development of their public agents, through internal actions to train their staff.
It is noted that the risk management policies feature periodical training, with actions aimed at the continuous development of the public servants. The result is therefore positive, considering that most of those in the study have sought training with the aim of developing specific skills to help in the process of adopting risk management at their universities (Hill & Dinsdale, 2003).

Respondents' Perception Regarding the Challenges of Adopting Risk Management
In this stage we will analyze the answers relating to the respondents' perceptions regarding various points that constitute challenges for the adoption of risk management at the universities analyzed. Table 7 shows the descriptive statistics of the answers, which were evaluated using a five-point Likert scale of agreement. Next, Table 8 shows the results regarding the dispersion measures of the answers obtained.  Initially, as the first challenge, we evaluated the respondents' perception regarding the possibility of them ignoring important risks in the institution. Almost half partially/totally agree (48.9%) that there is this possibility. Considering 215 as the maximum number of points possible, it was also one of the variables with the lowest total points in relation to the scale of agreement (Table 8). Moreover, it obtained the second lowest median among the variables. The result may indicate that even with efficient control measures, including the practice of risk management, flaws may emerge that can lead to serious threats to the institutions.
When conducting a study on risk management in universities, Sedrez and Fernandes (2011) verified various relevant risks, such as dropouts, difficulties in maintaining an economic surplus, human error, and image risks. In turn, the study by Ramos et al. (2018) identified some relevant risks that can impact public universities, such as a lack of security in the system, insufficient financial transfers, and strikes. To overcome such obstacles, generic lists of risks can be frequently used to help avoid potential risks being ignored or forgotten (Hill & Dinsdale, 2003). Domokos et al. (2015) mention that the classification of processes by material risks helps to identify circumstances that threaten institutions in the public sector; while Braga (2017) warns of the possibility of those risks being ignored by the senior management of the entities, thus requiring a search for dialogue in the main administrative functions.
Subsequently, we verified the perception regarding the possibility of adequately addressing the uncertainty resulting from incomplete or complex information. In this case, 58.1% partially/totally agree that this could occur in their institutions and this is one of the variables with the lowest standard deviation; that is, there was considerable consensus among the respondents (Table 8). For Helsloot and Jong (2006), complexity is a crisis factor in public universities in the Netherlands, in which the risks created can involve various players, each one having or claiming their own role, responsibility, or authority.
It is noted that bigger and/or more complex institutions (such as federal universities) tend to have a wider group of individuals involved in the risk management process and their processes tend to be more delegated (HEFCE, 2005). Thus, the internal processes are naturally more complex, giving rise to the challenge of dealing in the most appropriate way possible with information that requires greater complexity, particularly in the public sector. Specifically in federal universities, questions that involve research, technology, and human resources, besides the constant scrutiny related to constant accountability, show the complexity of the university environment and the difficulty that the respondents will have in analyzing and evaluating the risks embedded in that environment.
There may also be a lack of trust or understanding among the public servants involved, according to 60.5% of the respondents, who totally/partially agreed that there is in fact this possibility in the institutions. It was also one of the variables with the highest level of variance and standard deviation, as shown in Table 8. The lack of consensus among the respondents may be a reflection of the difficulty in identifying the real objectives of the public organizations combined with the absence of a risk culture (Braga, 2017).
The universities need to identify the need to reallocate resources to training, communication, promotion, and support for processes to guarantee a common understanding, management, and communications among the members of the team. Hill and Dinsdale (2003) mentioned integrity, skill, empathy, transparency, dialogue, and communication of risks, as well as a consistent and well understood decision-making process as solutions. The lack of trust and understanding may contribute to the gradual abandonment of risk management as a whole in the universities even before its total adoption. The next item asks whether there are divergences regarding the perceived seriousness of a risk or strategies adopted to manage it. According to the results, 79.1% totally/partially agree. This factor may cause a lack of consensus and solutions regarding the treatment of a particular risk, hindering a quicker resolution of some threat. Helsloot and Jong (2006) report that the level of risk awareness among staff and students is comparatively low, while universities believe that technical solutions could be widely employed. In this sense, Hill and Dinsdale (2003) argue that effective risk management balances the analytical capabilities of science with the democratic virtues of dialogue with the public and their involvement.
Analyzing the next item, which asks whether there is an inadequate institutional structure for risk management, 62.8% partially/totally agree that this may be the case in the universities. Creating a risk management culture in the public sector is a big challenge for institutions, where there is a tendency to preserve the current organizational structure, even if it is clearly inefficient and inadequate for achieving objectives (Braga, 2017;Christopher & Sarens, 2015;Helsloot & Jong, 2006). Added to this are the organizational particularities and cultures of each management team appointed in federal universities, which can enable or impede the implementation of a new control method during their mandate.
The information system is also considered to be a critical factor for the success of risk management. It was asked whether the information system is inefficient and unable to support risk management. In this case, 48.8% partially/totally agree that the information system is a critical factor in supporting risk management and it is inefficient or unable to give support. This is also the factor with the greatest discrepancy among the answers, showing the highest standard deviation and variance. This discrepancy among the respondents may have occurred due to the universities analyzed not having standardized management information systems, creating different perceptions on whether these are able or unable to support risk management. These software programs contain tools capable of covering all stages of risk management, from detection to solution. The studies of Souza et al. (2016) and Ramos et al. (2018) highlighted the importance of security control requirements in order to reduce risks for the institution, involving platforms, databases, network applications, and audits, among others.
Next, we asked about the difficulty in renewing the risk management cycle, given that this should be continuous. To this, 62.8% of the respondents partially/totally agreed. The organizations need to continuously incorporate and improve their risk management processes, maintaining good practices to integrate risk management and build an organizational culture in which everyone is a risk manager. According to Braga (2017, p. 693), "risk management is a permanently unfinished process, which seeks to deal with threats and ever-changing organizations;" that is, the process should be proactively initiated and kept going. Hill and Dinsdale (2003) define risk management as a systematic decision-making and problem-solving process. This process should be well structured in public organizations, including a continuous cycle of learning and the introduction of improvements. Joint Normative Instruction MP/CGU n. 1/2016 also highlights the importance of cyclical monitoring and the need to continuously develop public agents in risk management, while MEC Ordinance n. 234/2018 guides federal universities toward measuring risk management performance using continuous activities or independent evaluations. The result obtained in the research serves as a warning for the entities that are implementing or have recently incorporated risk management, avoiding future weaknesses regarding adoption in the universities analyzed.
Then, we sought to analyze the respondents' perception regarding the lack of process mapping, which is the decisive procedure for the effective adoption of risk management in the universities. The results show that 37.2% partially agree and 44.2% totally agree (totaling 81.4%), thus making it clear that the public servants see process mapping as a relevant tool for the adoption of risk management. Moreover, it was one of the variables with the highest total points on the scale (Table 8). Assunção et al. (2019) demonstrated how the application of process mapping in one federal university contributed to its risk management, by recognizing and monitoring various threats.
The next item involves the lack of engagement of the public servants involved, which is a compromising factor for risk management. The results indicated that 51.2% totally agree and 32.6% partially agree (83.8%), and this is the variable with the highest score on the scale (182 out of 215) and, consequently, the greatest agreement among the respondents (Table 8). The highest mean and median among the variables analyzed were also obtained. The public servants recognize that a lack of engagement constitutes a challenge for risk management, considering that there may be a lack of proactivity from the public servant. Braga (2017) raises this question when analyzing the logic of the public structure, highlighting one set of difficulties related to the organizational culture in the public sector. In the study of Ramos et al. (2018), it was identified that demotivation among collaborators (teachers and administrative technicians, among others) is a risk with a high impact on the risk framework in a public university. The authors verified that the high impact is due to the low productivity and difficulty of taking internal measures to mitigate this type of risk. Assunção et al. (2019) verified that some errors are caused due to demotivated employees, who are under pressure or face very tight deadlines, use obsolete systems, and lack training.
It is therefore an aspect that needs to be reviewed by the universities analyzed and by their respective governance, risk, and control committees, and an environment and culture should be provided that are able to motivate employees and reduce the appetite for risk. The institutions should offer the support and reward systems needed for their teams to produce better results (Hill & Dinsdale, 2003). Consequently, adequate communication channels are mechanisms that provide timely information, constant alignment, motivation, and engagement (COSO, 2007;ISO, 2018).
When asked whether a lack of employee training still constitutes a limiting factor for the success of risk management, 79.1% answered that they partially/ totally agree. Thus, it is perceived that public servant training constitutes a limiting factor for the success of risk management. Despite most of the public servants having taken part in some specific course on risk management, there is still a need to extend training to the whole university, by incorporating training programs into internal training policies; one of the responsibilities of the governance, risk, and control committee is to promote the continuous development of public agents (Joint Normative Instruction MP/CGU n. 1/2016). In addition, MEC Ordinance n. 234/2018 mentions that continuous education should be carried out at all levels of management.
Thus, despite this obligation, the data from the research revealed that there was a high level of agreement (Table 8) that the lack of training is a challenge for the adoption of risk management, serving as a warning for the universities analyzed. According to the HEFCE (2005), there is a need to incentivize managers to develop skills and knowledge in risk management through training and self-development programs. Finally, the adoption of risk management will require managerial skills within the field of organizational behavior, team leadership, and change management (Hill & Dinsdale, 2003).
It was also verified whether the current excess demands may compromise the success of the adoption of risk management in the institutions. To this, 76.8% of the respondents partially/totally agreed. It is understood that, with the current level of demand for services, the public servants may encounter difficulties in the adoption of risk management. The new rules making the adoption of risk management in federal universities obligatory (Joint Normative Instruction MP/CGU n. 1/2016 and MEC Ordinance n. 234/2018) create growing pressure on them to create a control process that enables operational accountability, efficiency, and effectiveness. The same occurs in relation to the audits carried out by the supervisory bodies (TCU and CGU). The lack of personnel may also be a limiting factor in this sense, making adoption slow and/or ineffective, thus giving rise to another warning for the universities analyzed, as it was one of the variables with the highest scores on the scale (Table 8).
Concluding the analysis, it was verified whether sufficient and appropriate resources (people, structure, information technology systems, and tools to manage R. Cont. Fin. -USP, São Paulo, v. 32, n. 86, p. 241-254, May/Aug. 2021 risks) are allocated for risk management. More than half (53.5%) of the public servants partially/totally disagree, and this is the variable with the lowest median and lowest score out of the maximum total points possible (117 out of 215).
Each university analyzed probably provides appropriate resources at different levels for adopting risk management, resulting in higher standard deviations and variances in terms of the answers (Table 8). It is important to highlight that MEC Ordinance n. 234/2018 defines that the senior management should establish the conditions and structure for risk management. For Hill and Dinsdale (2003), the capacity to effectively manage risks depends a lot on the structure and on the systems used by the public servants. Thus, the creation of policies, norms, guidelines, and training may not be enough in the process of adopting risk management due to structural questions (Braga, 2017). In this sense, it can be noted that the universities analyzed do not yet have enough of a general structure for risk management to be carried out effectively. Changes in the management of the universities require restructuring, investment in infrastructure, institutional expansion, and big capital projects.

CONCLUSION
The study sought to identify the perception of the members of the risk committees of federal universities in Brazil regarding the challenges of adopting risk management in those institutions.
First, we sought to analyze the profile of the public servants involved in the formation of the governance, risk, and control committees of the universities. Despite most of the respondents having experience and training in risk management, it was observed in the analysis of the challenges that a lack of staff training also constituted a limiting factor for the success of risk management, as well as a lack of engagement. Training and capacity building focused solely on members of the risk management committee may not be enough, considering that risk management should be present in all processes of the institutions.
Second, we analyzed the perception of the public servants of the universities analyzed in terms of the challenges arising from the adoption of risk management. It was possible to verify that most of the respondents agree with the challenges mentioned in the research in their institutions, recognizing that the adoption of risk management still needs to overcome various adversities.
The items related to the lack of trust, inefficiency of the information system, and insufficient resources were the ones that obtained the greatest divergence among the respondents, while complex information and divergences regarding the risk obtained the greatest consensus among the variables. It can be noted that the universities analyzed do not yet have a sufficient structure for risk management to be carried out effectively. Changes in the management of the universities require restructuring, investment in infrastructure, institutional expansion, and big capital projects.
With relation to the total scores, the items related to the lack of engagement, process mapping, lack of training, and excess demands were the ones that obtained the highest scores, while ignoring relevant risks and insufficient resources obtained the lowest scores. The lack of engagement perceived by the public servants is a factor that compromises risk management in the universities. Added to this is the relationship between the lack of training and excess demands.
Unmotivated, undertrained, and overworked public servants are challenges that require the universities to take a stance to avoid failure in the adoption of risk management. Leadership, training, and a fair demand of activities should be taken into account. The absence of process mapping is, for the public servants, a relevant challenge in the universities. Problems derived from non-compliance with processes may arise. If the universities do not have their activity processes mapped, the identification of the risks derived from non-compliance may be compromised, leaving the institutions more vulnerable.
Given the challenges proposed in the research, it was possible to note that the organizational structures, systems, and processes that enable the adoption of a systematic approach in risk management increase the probability of good decisions being taken regarding risks. In an environment shrouded in difficulties, the main managers should assume the most important role, ensuring that the structures, systems, and strategies for the effective management of risks are available in the universities. As highlighted by Braga (2017), the characteristics of public administration (risk culture, fear of accountability, lack of planning) reveal the difficulties of adopting risk management in federal universities. It was also possible to perceive that the challenges proposed R. Cont. Fin. -USP, São Paulo, v. 32, n. 86, p. 241-254, May/Aug. 2021 by Hill and Dinsdale (2003) were perceived by most of the respondents, thus corroborating the literature on the topic.
Thus, the study aimed to contribute to the professional and academic areas by showing the perception of federal universities regarding the main aspects of risk management, even though this is in an initial phase of obligatory adoption in the Brazilian public sector. It may also therefore contribute or create perspectives regarding the challenges and benefits perceived by the public servants themselves.
Federal universities can identify each one of the points analyzed in the study in order to carry out various improvements, with the aim of adapting to the risk management recently imposed by the legislation. Based on the results of the study, a set of actions can be proposed, embedded in the operational context of the universities, in order to improve the level of maturity of the risk management of those institutions given the challenges proposed.
Finally, it is important to highlight the limitations of this study. One was the obtainment of answers from only one member of the risk committees of the universities, which does not guarantee representing the opinion of the rest. No specific member of the committees was chosen, which may have created some bias of opinion. It is also important to highlight that the study was applied to a specific niche, covering only federal universities, which have their own particular characteristics. We suggest also studying other federal bodies with the aim of better understanding risk management in the public sector in a more comprehensive way.