1. Introduction

Creative Education

2151-4771 2151-4755

Scientific Research Publishing

10.4236/ce.2026.175050

ce-151535

Article

Social Sciences Humanities

Operational Risk Management in Moroccan Public Universities: An Exploratory Study

Gazoulit

Sarra

1 Oubal

Khadija

1 Research Laboratory in Economic Competitiveness and Managerial Performance (LARCEPEM), Faculty of Legal, Economic and Social Sciences-Souissi, Mohammed V University, Rabat, Morocco

The authors declare no conflicts of interest regarding the publication of this paper.

06 05 2026

05 2026

17 05 802 813 06 03 2026 24 05 2026 27 05 2026

2026

This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license ( https://creativecommons.org/licenses/by/4.0/ ).

https://doi.org/10.4236/ce.2026.175050

Moroccan public universities, like their international counterparts, operate in a complex and constantly evolving environment. They are therefore exposed to various risks, mainly of an operational nature, the management of which is essential to achieve both operational and strategic objectives as well as expected organizational performance. Although efforts are being made in operational risk management within MPUs, these remain limited. An exploratory analysis, conducted through structured and semi-structured interviews with eighteen administrative officials, made it possible to better understand the nature of operational risks faced by all twelve Moroccan public universities, as well as the mechanisms currently used to manage them. The findings reveal that these risks are not yet embedded in the organizational memory of MPUs and that their management mainly relies on an informal framework, in the absence of a structured and formal risk management system.

Risk Operational Risk Operational Risk Management

1. Introduction

Public Moroccan universities, like their counterparts abroad, operate in a complex, unstable, and constantly evolving environment. As such, they are exposed to various types of risks, primarily operational in nature, the management of which is essential for achieving both operational and strategic objectives and for ensuring optimal organizational performance.

Operational risks arise from failures related to individuals, processes, technologies, or external dependencies (Peccia, 2001, cited by [10]). These risks are generally quantifiable, controllable, and should be identified in connection with the institution’s objectives and missions at least once a year ([4]). Our research focuses on operational risks for two main reasons. First, these risks are closely tied to the university’s day-to-day operations—particularly work processes and systems—making them frequent in occurrence. Second, their emergence directly undermines the achievement of both strategic and operational goals.

Operational risk management is defined as “a set of coordinated activities to direct and control an organization with regard to risk” ([6]). Although some initiatives have been undertaken within public Moroccan universities (PMUs) regarding operational risk management, these efforts remain limited and insufficient.

Furthermore, a review of the academic literature reveals a significant gap in research on operational risk management in the Moroccan public sector, particularly within public universities. This observation highlights the need to fill this gap by conducting empirical research that provides a deeper understanding of existing practices and identifies areas for improvement.

In this context, the current article aims to present an overview of operational risk management in Moroccan public universities. The central research question is as follows:

“Does the Moroccan public university have an operational risk management system?”

To answer this, we will examine the following operational questions:

Q1: Do Moroccan public universities have a clear understanding of their operational risks?Q2: How do Moroccan public universities respond to operational risks?

The objective is threefold: to identify the operational risks to which these universities are exposed, to analyze the mechanisms currently in place to anticipate and control them, and finally, to propose areas for improvement to strengthen existing risk management systems.

2. Literature Review

First, Operational risk is defined as “Any risk of loss resulting from the failure or inadequacy of internal processes, resources, systems, or external events, reflecting the vulnerabilities in the operational cycles and daily activities of an organization” (Le Balle II, cited by [2]). According to [5], all public universities are exposed to operational risks. Consequently, operational risk management has become a major concern for public universities seeking to achieve their objectives effectively. It is therefore not surprising that universities are increasingly adopting risk management practices traditionally used in the private sector.

Operational risk management is an integrated process that involves all structures and components of the organization, with clearly defined stages. These stages include the identification, assessment, treatment, communication and monitoring of risks associated with any function, procedure or activity that may hinder the achievement of the organizational objectives (D’Arcy & Brogan, 2001, cited by John & Saidin, 2016).

3. Methods

To achieve the objective mentioned above, we adopted an exploratory approach aimed at collecting descriptive information focused on the main axes of our study, namely the identification of operational risks and the practices used for their management. This approach enables a better understanding of the phenomena under investigation through interviews and qualitative analysis, rather than relying solely on quantitative data.

To this end, two interview guides—one structured (directive) and the other semi-structured (semi-directive)—were developed to organize discussions with administrative officials (vice presidents, project officers, advisors, secretaries general, division heads, and department heads) across all Moroccan public universities, numbering twelve. Data collection was carried out over a two-month period, from June to July 2023. In total, eighteen interviews were conducted, with some universities involving one or two officials.

The semi-structured interviews made it possible to identify operational risks as well as the mechanisms and practices implemented to manage them. The structured interviews, on the other hand, were used to verify and assess the application of certain operational risk management practices within Moroccan public universities.

4. Results and discussion 4.1. Operational Risks of the Moroccan Public University

This section aims to present the operational risks identified by the interviewees, as well as their frequency of occurrence in the excerpts drawn from the various interviews. This analysis highlights the most recurrent and significant risks within the universities under study (see Table 1), where frequency corresponds to the number of participants who mentioned each concept.

This study was conducted in accordance with fundamental ethical principles, including informed consent from participants, as well as the assurance of anonymity and data confidentiality, which were used exclusively for scientific purposes.

Table 1. Cross-map analysis of the concept “operational risks”.

Table 1

Verbatims	Number of Occurrences
Delay in budget preparation and approval	6
Payment delays	6
Delay in project execution	4
Delay in preparation of accounting reports	3
Low rate of administrative supervision	3
Low rate of pedagogical supervision	3
Delay in commitment	3
Unsuccessful tendering processes	3
Incomplete projects	2
Underutilization of projects	2
Loss of budget positions	2
Non-compliance with accreditation deadlines for academic programs	2
Discrepancies between national and international regulations on mobility	2
Delay in diploma validation during exam periods	2
Difficulty meeting stakeholder requests within requested time frames	2
Absence of an effective monitoring system for ongoing projects	2
Exceeding capacity limits	2
Lack of control over public procurement regulations due to frequent updates	2
Undefined responsibilities between departments	2
Non-implementation of development projects	2
Delay in administrative operations (bureaucratic burden)	2
Delay in decision-making (slow process)	2
Lack of communication	2
Lack of protection of current and fixed assets	2
Lack of IT digitalization	2
Loss of documents and information	2
Difficulty generating information	2
Difficulty paying doctoral students within research projects	2
Incomplete monitoring of national and international agreements	2
Absence of a procedure manual	2
Delay in the granting of State subsidies	2
Majority of purchases made through purchase orders	2
Failure to meet deadlines for bid openings	1
Low international ranking	1
Lack of funding for research projects	1
Non-standardized procedure formats	1
Non-adoption of procedure manuals by the University Council (CU)	1
Non-implementation of external audit recommendations	1
Failures in internal control mechanisms	1

Source: authors.

In summary, the interviews conducted with the respondents allowed us to identify the main operational risks faced by Moroccan public universities and thus provide an answer to our first operational research question:

Q1. Do Moroccan public universities have a clear understanding of theiroperational risks?

Indeed, the respondents were able to identify a significant number of operational risks, though not all of them. This is largely due to the absence or insufficiency of an operational risk register organized by area of activity.

4.2. Operational Risk Management in Moroccan Public Universities

This section analyzes the practices implemented by Moroccan public universities to address operational risks.

It is based on contingency theory, which holds that risk management does not rely on a single model but must be adapted to the specific characteristics of each organization (size, resources, structure, and institutional context). This approach allows the observed arrangements to be understood in relation to their context, whether formalized or informal.

In this perspective, the analysis does not rely on international standards, as these are based on generic frameworks that are not sufficiently adapted to the diversity of contexts.

The objective is therefore to highlight the diversity of mechanisms through which Moroccan public universities manage their operational risks.

This section analyzes the practices implemented by Moroccan public universities to respond to operational risks.

We have chosen not to rely on international standards to assess the practices in place. This approach is justified by the adoption of contingency theory, which asserts that there is no single valid risk management method suitable for all organizations. Thus, each university can legitimately adopt mechanisms tailored to its own specificities.

Our objective is therefore to highlight the range of mechanisms—whether institutionalized or informal—through which Moroccan public universities manage their operational risks.

4.2.1. Formal Operational Risk Management Framework

The formal operational risk management framework refers to a structured system designed to systematically identify, assess, and manage operational risks.

On March 10, 2020, the standard organizational chart for Moroccan public universities introduced the creation of new departments, including the Audit, Management Control, and Quality Assurance Department (ACGAQ). This department brings together several key functions and includes operational risk management among its missions.

According to the interviews conducted, the ACGAQ Department is involved in operational risk management both directly and indirectly:

In a limited number of cases, direct management is handled by auditors, who act as risk managers through the development of risk maps, enabling the identification, analysis, assessment, and treatment of risks. However, in 50% of situations, it is carried out by heads of units, based on an informal risk management approach.Indirect risk management is primarily ensured by internal audit activities, which, through audit reports, contribute to the identification, analysis, and treatment of risks while issuing recommendations aimed at strengthening their control. Management control also plays a role in this process by supporting risk identification and analysis through the monitoring of indicators and various projects, although this function is not yet operational in all Moroccan public universities. In addition, quality assurance is involved in around 50% of public universities, contributing to the identification and analysis of weaknesses as well as to risk treatment, notably through the implementation or updating of organizational frameworks that support risk control and continuous improvement of operations (Figures 1-4).

Figure 1

Figure 1. The operational risk management ensured by the heads of units.

Figure 2

Figure 2. The internal audit function of UPM.

Figure 3

Figure 3. The management control function of UPMs.

Figure 4

Figure 4.The quality function of UPMs.

Data from the interviews reveal that no function is exclusively dedicated to operational risk management. This situation is explained by two main reasons:

The lack of institutionalization of this function in the official organizational chart of Moroccan public universities.

“There will be no function dedicated to operational risk management as long asit is not institutionalized.”—Vice President of a Moroccan Public University (statement from a single interviewee).

The absence of a regulatory framework mandating the adoption of such a function at the national level.

In contrast, the majority of respondents indicate that an initiative is currently underway to formalize a specific operational risk management framework. The delay in its implementation is explained by several factors:

The low prioritization of risk management in university strategic plans.The lack of an institutionally approved risk management policy, especially by University Councils.The lack of awareness and risk culture at all hierarchical levels.

In this context, the efforts deployed by universities remain limited, although some signs of progress are beginning to emerge. However, the current performance of the ACGAQ Department appears constrained due to several challenges:

The recent creation of the department, which is still undergoing organizational integration.The multiplicity of missions, which spreads resources thin and blurs priorities.The lack of strategic and operational support.The shortage of qualified human resources.The insufficient specific skills, worsened by the lack of ongoing training.

Ultimately, operational risk management in Moroccan public universities still largely relies on a traditional, reactive, and informal approach. Each risk is addressed in isolation, without capitalizing on experience or embedding the risk management process in the organizational memory.

4.2.2. Informal Framework for Operational Risk Management

The informal operational risk management framework refers to the use of non-formalized management processes for the treatment of identified risks, implemented in an isolated manner, without coordination or a structured methodological framework.

Based on a corpus of semi-structured interviews, and after data preprocessing (cleaning, removing stop words, correcting errors, standardizing the data, etc.), we used the qualitative analysis software NVivo 11 to generate a word cloud. This visualization is based on the weighted frequency of terms and aims to highlight the most recurrent expressions used by respondents, in order to reveal non-formalized operational risk management practices as they emerge from their discourse.

The word cloud is used as a descriptive and exploratory tool to identify lexical regularities within the collected data.

The most salient expressions, particularly those related to non-formalized operational risk management practices, are highlighted in bold within the figure (see Figure 5).

Figure 5

Figure 5. Word cloud related to operational risk management.

In this perspective, the detailed analysis of responses makes it possible to highlight the most frequently mobilized practices, presented in Table 2, where frequency corresponds to the number of participants who mentioned each concept.

Table 2. Cross-map analysis of the concept “operational risk management.

Table 2

Verbatims	Number of Occurrences
Scheduling periodic professional training sessions	10
Organizing periodic follow-up meetings (between different university components)	5
Implementation of the organizational chart	5
Staff awareness-raising within the institution	4
Expansion of partnerships	3
Digitization of management processes	3
Updating procedures	3
Compliance with regulations	2
Development of action plans	2
Expansion of old structures	2
Opening or creation of new institutions	2
Exchange of best management practices	2
Promotion of scientific research through funding means and tools	2
Use of software facilitating data consolidation	2
Re-engagement of stakeholders to define respective projects in order to integrate them into the procurement forecast program	2
Rapid follow-up on calls for tenders once the budget is approved	2
Development of risk maps with priority ranking (high-medium-low)	2
Improvement of coordination between different structures	2
Email follow-up with institutions to respond to requested queries	2
Risk identification	2
Anticipation of errors	2
Development of communication channels with Ministry of Finance representatives	2
Monitoring audit recommendations	2
Implementation of an information and management system capable of effectively communicating information	2
Reporting on results	2
Development of an adequate communication system specific to each project	1
Involvement of Vice-Presidents in university project development	1
Execution of scientific projects	1
Negotiation of standard forms of agreements	1
Recruitment aligned with needs	1
Motivation and involvement of staff	1
Acceleration of payment operations	1
Use of the Internal Audit Service	1

Source: authors.

Table 2 highlights informal operational risk management practices, some of which recur frequently. The most commonly cited are professional training, follow-up meetings, implementation of the organizational chart, and staff awareness-raising.

4.3. Discussion

In the majority of Moroccan public universities, operational risk management still relies on a traditional “silo” approach. This method involves isolating each operational risk to address it separately, without considering possible interactions between them ([1]). Each type of risk is thus treated as autonomous, leading to fragmented management ([11]). This mode of management is generally carried out informally.

However, this method presents notable limitations. It lacks coherence, especially when similar risks are handled differently ([8]). Moreover, it overlooks the interdependencies between risks, which reduces the overall understanding of their nature and impacts ([13]). By addressing risks one by one, universities deprive themselves of an in-depth and systemic view of risk management ([8]).

In contrast, modern operational risk management favors a holistic and integrated approach. It advocates for the simultaneous consideration of different risks as well as their interactions ([9]). This approach enables universities to better anticipate and manage events that could negatively affect their performance ([12]). This process is based on a formal and structured framework.

Currently, in most Moroccan public universities, formal risk management systems are still under development. Although these systems bear different names, they all pursue a common goal: to identify, prioritize, and quantify risks with the aim of improving their management ([14]). As for Informal mechanisms, they remain predominant and continue to address critical operational risks individually in the absence of a clear and consolidated institutional framework.

Consequently, these observations lead us to propose actions to improve operational risk management in Moroccan public universities (UPM):

Adopt a formal operational risk management policy, validated by the University Council, to establish it as an institutional reference document.Foster collective awareness through an annual risk management awareness day.Pilot the operational risk management process in one or two university units to assess its relevance before a full-scale rollout.Organize targeted continuous training sessions on operational risk management (identification, assessment, treatment, monitoring, etc.).Develop an operational risk map by unit (departments, faculties, services).Implement an operational risk monitoring dashboard (indicators, alerts, action plans, deadlines).

5. Conclusion

The exploratory analysis, conducted through structured and semi-structured interviews with eighteen administrative officials, enabled a better understanding of the nature of operational risks faced by Moroccan public universities (MPUs), as well as the mechanisms currently employed to manage them. It revealed that these risks are not yet embedded in the organizational memory of MPUs and that their management primarily relies on an informal system, pending the establishment of a formal, structured, and robust framework.

To date, MPUs rely on an operational risk management system based on two complementary forms: a formal mechanism under development and an informal mechanism already operational in daily practice.

The work of [3] supports this complementarity, highlighting the absence of a negative relationship between these two types of mechanisms. Thus, formal and informal approaches are not opposed; they can coexist harmoniously, through various modes of mobilization, resulting in a form of mixed control.

The specific nature of public universities, compared to other public sector entities, appears to justify this duality. Consequently, it seems not only relevant but also necessary to design a robust operational risk management framework based on the integration of formal and informal mechanisms, in order to better address the organizational complexity and the specific challenges of higher education.

Finally, it should be emphasized that the results of our research remain relative, as they are based on a small number of respondents. Consequently, a confirmatory study, aimed at a large sample, would be desirable to strengthen the conclusions of our research.

References 1.

Altanashat, M., Dubai, M. a., & Alhety, S. (2019). The Impact of Enterprise Risk Management on Institutional Performance in Jordanian Public Shareholding Companies. JournalofBusiness&RetailManagementResearch,13, 256-268. https://doi.org/10.24052/jbrmr/v13is03/art-23 10.24052/jbrmr/v13is03/art-23

https://doi.org/10.24052/jbrmr/v13is03/art-23

Altanashat, M.

Dubai, M.

Alhety, S.

2019

10.24052/jbrmr/v13is03/art-23

Chemlal, M., Benazzou, L., Mrabet, A., & Gharib, B. (2020). L’impact de la gestion des risques opérationnels sur la performance financière des banques marocaines cotées en bourse. Revue Internationale du Marketing et Management Stratégique, 2, 152.

Chemlal, M.

Benazzou, L.

Mrabet, A.

Gharib, B.

2020

Da, A., Christophe, M., & Favoreu, C. (2018). Interrelations entre système de contrôle informel et système formel de contrôle dans une organisation complexe: Cas d’une université française. FinanceContrôleStratégie,21-1.

Da, A.

Christophe, M.

Favoreu, C.

2018

Dobrowolski, Z. (2019). Risk Management at a Public University, Jagiellonian University Repository. Wydawnictwo SAN,20, 37-48.

Dobrowolski, Z.

University, J

2019

Hassen, S. S., & Zakaria, M. S. (2013). Managing University IT Risks in Structured and Organized Environment. ResearchJournalofAppliedSciences,EngineeringandTechnology,6, 2270-2276. https://doi.org/10.19026/rjaset.6.3858 10.19026/rjaset.6.3858

https://doi.org/10.19026/rjaset.6.3858

Hassen, S.

Zakaria, M.

Sciences, E

2013

10.19026/rjaset.6.3858

ISO Guide 73 (2009). Managementdu risque-vocabulaire. Première edition.

2009 73 2009

John, D. I., & Saidin, S. Z. (2016). A Moderating Role of Board Characteristics on Enterprise Risk Management Implementation: Evidence from the Nigerian Banking Sector. International Journal of Economics and Financial Issues, 6, 96-103.

John, D.

Saidin, S.

2016

Lundqvist, S. A. (2013). An Exploratory Study of Enterprise Risk Management: Pillars of ERM. JournalofAccounting,Auditing&Finance,29, 393-429. https://doi.org/10.1177/0148558x14535780 10.1177/0148558x14535780

https://doi.org/10.1177/0148558x14535780

Lundqvist, S.

Accounting, A

2013

10.1177/0148558x14535780

Mohd-Sanusi, Z., Motjaba-Nia, S., Roosle, N. A., Sari, R. N., & Harjitok, A. (2017). Effects of Corporate Governance Structures on Enterprise Risk Management Practices in Malaysia. International Journal of Economics and Financial Issues, 7, 6-13. https://www.econjournals.com/index.php/ijefi/article/view/2570

Mohd-Sanusi, Z.

Motjaba-Nia, S.

Roosle, N.

Sari, R.

Harjitok, A.

2017

10.

Mokgatle, B. (2013). Enterprise Risk Management withinPublic Sector Institutions forImproving Compliance: ACase Study into aPublic Sector Institution. Gordon Institute of Business Science, University of Pretoria.

Mokgatle, B.

Science, U

2013

11.

Pagach, D. P., & Warr, R. S. (2010). The Effects of Enterprise Risk Management on Firm Performance. SSRNElectronicJournal. https://doi.org/10.2139/ssrn.1155218 10.2139/ssrn.1155218

https://doi.org/10.2139/ssrn.1155218

Pagach, D.

Warr, R.

2010

10.2139/ssrn.1155218

12.

Tavakoli, S., Talib, N., & Hazrat Soltan, E. K. (2016). Enterprise Risk Management Adoption and Financial Benefits Creation: Examining the Contributions of COSO ERM Maturity and Board of Directors. Journal of Soft Computing and Decision Support System,3, 13-19.

Tavakoli, S.

Talib, N.

Soltan, E.

2016

13.

Wihlborg, M. (2009). The Pedagogical Dimension of Internationalisation? A Challenging Quality Issue in Higher Education for the Twenty-First Century. EuropeanEducationalResearchJournal,8, 117-132. https://doi.org/10.2304/eerj.2009.8.1.117 10.2304/eerj.2009.8.1.117

https://doi.org/10.2304/eerj.2009.8.1.117

Wihlborg, M.

2009

10.2304/eerj.2009.8.1.117

14.

Yazid, A. S., Hussin, M. R., & Daud, W. N. W. (2011). An Examination of Enterprise Risk Management (ERM) Practices among the Government-Linked Companies (GLCs) in Malaysia. InternationalBusinessResearch,4, 94-103. https://doi.org/10.5539/ibr.v4n4p94 10.5539/ibr.v4n4p94

https://doi.org/10.5539/ibr.v4n4p94

Yazid, A.

Hussin, M.

Daud, W.

2011

10.5539/ibr.v4n4p94