IMPORTANT ASPECTS OF RISK MANAGEMENT

1

• IMPORTANT ASPECTS OF RISK MANAGEMENT
• CONTENT
• What is Risk Management?
• Risk Management strategy (RMS) in
• SA Government context
• Risk management policy
• Responsibilities of the CRO
• Responsibilities of the RMC
• PIERRE VAN DER MERWE

2

• WHAT IS RISK MANAGEMENT ?
• Risk management /ERM deliberately focuses on all
  risks throughout the institution and may include
  risks from safety, security, disaster management,
  business continuity, insurance and internal
  audit, but their approaches are from different
  angles.
• Risk management (RM) is a mgt discipline with its
  own techniques and principles and worldwide
  recognised as a mgt science.
• Forms part of mgts core responsibilities
• Defined as a systematic process to identify,
  evaluate and address risks on a continuous basis
  before such risks can impact negatively on the
  institutions service delivery capacity.

3

• WHAT IS RISK MANAGEMENT ?
• RM provides reasonable, but not absolute
  assurance, that the institution will be
  successful in achieving its goals and objectives.
• RM addresses all kinds of material risks to the
  objectives of the institution.
• RM address all parts of the institution
• all levels of management participate in its
  processes.
• risk needs a separate focus, because service
  delivery environment and the public sectors
  interface with stakeholders have become far more
  demanding and volatile than before,
• including a number of service delivery and
  general governance failures.

4

• WHAT IS RISK MANAGEMENT ?
• For the institution as a whole, however,
  stakeholders want to see a single coherent
  strategy for managing the institutions various
  risks.
• Why do we need risk management ?
• PFMA, MFMA, King II expect an institution to
  implement a RM plan.
• As a result of organisational failures in the
  past, stakeholders do not want to be caught
  unaware by risk events,
• Corporate governance thus places the
  accountability for RM in the hands of the AA / O.
  

5

• WHAT IS RISK MANAGEMENT ?
• EA, AA, AO, stakeholders now want to know more
  about the risks facing an institution.
• This is understandable in an environment of
  complex and challenging service delivery
  expectations.
• Planning and organisation
• The value of RM is best leveraged when its
  principles and techniques are applied during
  institutional planning processes.
• Given increased volatility and uncertainty, it is
  vital that multiple year plans, take into
  consideration a thorough assessment of risks and
  mitigation strategies.

6

• WHAT IS RISK MANAGEMENT ?
• Planning and organisation
• Existing tools and methodologies such as
• SWOT analysis,
• PEST analysis,
• Porters Model and
• internal reviews can be utilised to supplement
  the institutions RM model.
• Planning, organisation, RM are inter-dependent.
• RM plan must provide the institution with the
  ability to systematically identify new and
  emerging risks, and the assurance that existing
  risks are being addressed in the best possible
  way given the current resource constraints and
  other challenges.

7

• WHAT IS RISK MANAGEMENT ?
• Conclusion
• The need for broad-based RM is thus critical as
  it will also ensure that risks previously given
  inadequate attention are now properly managed.
• RM processes integrated within institutions
  existing structures are likely to be more
  effective in producing the desired service
  delivery other objectives.

8

• RISK MANAGEMENT STRATEGY
• A Risk Management strategy (RMS) in SA Government
  context, outlines a high level plan of an
  institution implementing its risk management (RM)
  policy.
• The Framework is principles based and generic to
  all spheres and sectors of Government and is
  applicable to institutions
• o       National Prov. departments
• o       Constitutional institutions
• o       Public entities
• o       Provincial public entities
• o       Municipalities (Metropolitan, Local,
  District)
• o       Municipal owned entities.
• (Sources Accountant General Public Sector Risk
  Management Framework Jul 2008, IRMSA, ERM Code of
  Practice 2003 and Internet.)

9

• RM STRATEGY
• Informed by the RM policy and the institutions
  risk profile.
• E.g., a risk profile with a high level of threat
  to objectives will require a more rigorous
  commitment to RM.
• RMS output a document that describes how
  ongoing RM will work in the institution.
• 5 aspects or elements to be considered
• 1. Structure of the institution
• 2. Accountability
• RM activities
• Monitoring
• Assurance activities

10

• RM STRATEGY ELEMENTS
• 1. Structural configuration describes how the
  institution will be structured ito committees and
  reporting lines to give effect to the RM policy
• 2. Accountability, roles and responsibilities
  This element describes the authority and
  delegation of responsibilities to give effect to
  the RM policy. Framework guides roles and
  responsibilities of each role player
• 3. Risk mgt activities includes the risk
  assessment processes and methodologies,
  monitoring activities and risk reporting
  standards to give effect to the RM policy
• 4. Monitoring of the achievement of the RM
  strategy assess achievement of key milestones
  monitor whether outcomes of RM strategy were
  produced.

11

• RM STRATEGY
• Assurance activities This element considers all
  assurance providers available to the institution
  and integration of their scope of responsibility.
  
• Write RM strategy in straightforward, practical
  terms avoid RM jargon.
• Should reflect institutions language style,
  conventions.
• Should not dwell too much on conceptual models
  and RM theory but simply explains how 5 elements
  interact to reduce the institutions risk
  exposure.

12

• RM STRATEGY
• Include a implementation plan, in the form of a
  project plan and record the tasks, names of
  responsible persons and target dates.
• Documenting the RM implementation plan
• also overcomes problems with changes in personnel
  and is a good way of creating risk awareness and
  promoting a culture of RM .
• Developing a RM implementation plan

13

• RM IMPLEMENTATION PLAN
• Determine the RM activities to be performed
  taking into account the risk profile and related
  costs versus the benefits
• Resourcing requirements This element describes
  the capacity and competence of personnel and the
  strategy to address capacity gaps. It also
  addresses the technology and funding requirements
  to give effect to the RM strategy
• Determine the sequence of activities and the
  target implementation dates The competition for
  mgt attention and resources requires that the
  sequence of activities should be founded on the
  principles of urgency, quick wins
  sustainability of implemented risk mitigation
  strategies

14

• RM IMPLEMENTATION PLAN
• Assign ownership for and communicate RM
  activities
• Agree on frequency and format of reporting
  Consensus should be obtained regarding the
  frequency, content and responsibility for
  reporting.
• Conclusion The RM strategy and RM
  implementation plan should ideally be developed
  together to ensure connectivity and continuity.
• Both documents should be approved by the AA/ O
  and reviewed annually.

15

•  
•      

RM policy The AO/AA sets the right tone.
Awareness by all staff of the need to prevent
loss and to safeguard stakeholders interests,
may not necessary make them knowledgeable about
the institutions standpoint on risk. The AO/AA
should publish a RM policy statement
declaring institutions commitment to
RM. outline commitment to protecting institution
against adverse outcomes, which may impact
negatively on service delivery. confirm
institutions commitment to legal and
regulatory compliance.
16

•  
•      

• RM policy deliverable
• commitment to RM statement.
• It can be replicated in the RM plan.
• It is advisable to publish and circulate the RM
  policy to existing and new staff as part of the
  risk awareness strategy.
• How to draft a RM policy
• A RM policy communicates the institutions
  stance wrt RM.
• It is informed by the institutions risk
  profile,
• appetite for risk,
• loss tolerance levels,
• regulatory compliance expectations,
• safety and health demands,
• sustainability mgt,
• corporate governance requirements, etc.

17

• How to draft a RM policy (cont)
• The RM policy may state the accountability for
  RM, as well as
• responsibilities for RM at various levels
  within the institution.
• drafted in consultation with key stakeholders.
• The RM policy should be reviewed at least
  annually to reflect the current stance on RM.
• /an example of a RM policy.

18

•  
•      

• Enterprise RM Policy
• The Institution commits itself to a process of RM
  that is aligned to
• principles of good corporate governance,
• PFMA /MFMA.
• Institutions adopt a comprehensive approach
• to the mgt of risk.
• The features of this process are outlined in
  the institutions RMS . It is expected that all
  departments / sections, operations and processes
  will be subject to the RMS, indicating that
  departments / sections will work together in a
  consistent and integrated manner, with the
  overall objective of reducing risk, as far as
  reasonably practicable.

19

•  
•      

Effective RM is imperative to the Institution to
fulfil its - mandate, - public service
delivery expectations - internal performance
expectations. The realisation of our strategic
plan depends on us being able to take calculated
risks in a way that does not jeopardise the
direct interests of stakeholders. Sound RM
will enable us to anticipate and respond to
changes in our service delivery environment,
take informed decisions under conditions of
uncertainty.
20

•  
•      

We subscribe to the fundamental principles that
all resources will be applied economically to
ensure The highest standards of service
delivery A mgt system aimed at minimising
risks costs in stakeholders interest
Education and training of all our staff to ensure
continuous improvement in knowledge, skills and
capabilities which facilitate consistent
conformance to the stakeholders expectations
Maintaining an environment, which promotes the
right attitude and sensitivity towards internal
and external stakeholder satisfaction.
21

•  
•      

Adopt entity-wide RM approach which means that
every key risk in each part of institution will
be included in a structured and systematic RM
process. It is expected that the RM processes
will become embedded into the institutions
systems and processes, ensuring that our
responses to risk remain current and dynamic.
All RM efforts will be focused on supporting
the Institutions objectives. Equally, they must
ensure compliance with relevant legislation, and
fulfil the expectations of employees, communities
and other stakeholders ito corporate governance.
22

•  
•      

The risk policy statement shall be reviewed
annually to reflect the current stance on
RM. Every employee has a part to play in this
important endeavour and we look forward to
working with you in achieving these
aims. Signed _______________ Accounting
Authority / Officer _______________ Date
_______________
23

•  
•      

• Responsibilities of the CRO
• CRO is bound by the legislation applicable to
  Other Personnel. - legal foundation
• Strategic value Primary responsibility to
  bring to bear his / her specialist expertise to
  assist the institution to embed and leverage the
  benefits of RM to achieve its stated objectives.
• ERM architecture high level responsibilities
• To derive optimal benefits, conduct RM in a
  systematic manner, using proven methodologies,
  tools and techniques.
• For consistency in Public Sector, institutions
  are encouraged to adopt ERM architecture.

24

•  
•      

• Responsibilities of the CRO
• Overall efficiency of the ERM function.
• Embedding of RM practices
• Fostering a risk aware culture within
  institution.
• CRO effectively assumes role of institutional
  advocate for ERM and
• brings specialist expertise to assist in
  integrating RM throughout the institution.

25

•  
•      

• Responsibilities of the CRO
• Working with senior mgt to develop the overall
  ERM vision, RM strategy, RM policy, risk appetite
  and tolerance levels for approval by AA / O
• Communicating the RM policy, RM strategy and RM
  implementation plan to all stakeholders
• Setting up of the RM structure, RM reporting
  lines within the institution
• Continuously driving the RM process towards best
  practice

26

•  
•      

• Responsibilities of the CRO
• Developing a common risk assessment methodology
  aligned with institutions objectives at
  strategic, tactical and operational levels for
  approval by AA / O.
• Coordinating risk assessments within the
  institution / department / division / business
  unit on a regular basis.
• Sensitising mgt timeously of the need to perform
  risk assessments for all major changes, capital
  expenditure, projects, institutional
  restructuring and similar events, and assist to
  ensure that the attendant processes, particularly
  reporting, are completed efficiently and
  timeously.

27

•  
•      

• Responsibilities of the CRO
• Assisting mgt in developing implementing risk
  responses for each identified material risk
• Help developing the combined assurance plan for
  the institution, together with internal audit and
  mgt
• Ensuring effective information systems exist to
  facilitate overall RM improvement within the
  institution
• Continuously transferring RM principles
  practices, through training interventions, to all
  stakeholders within institution
• Advising mgt in the development of financing
  structures

28

•  
•      

• Responsibilities of the CRO
• Performing a PEST(EL) analysis to identify
  emerging risks facing the institution for further
  action and intervention
• Collating and consolidating the results of the
  various assessments within the institution
• Analysing the results of the assessment process
  to identify trends, within the risk and control
  profile, and develop the necessary high level
  control interventions to manage these trends
• Compiling the necessary reports to the RMC

29

•  
•      

• Responsibilities of the CRO
• Providing input into developing, review of the
• fraud prevention strategy,
• business continuity plans,
• occupational health, safety and
• environmental policies and practices and
• disaster management plans.
• Evaluation
• Set clear RM objectives, KPIs for the CRO.

30

•  
•      

• KPIs for the CRO
• Must measure the CROs effectiveness in leading
  the institutions ERM in contributing to the
  institutions goals and objectives
• Maturity on the implementation of the ERM
• Framework
• RM structures active and credible
• Realistic RM implementation plan achieved
• Proactive identification of emerging risks
• Implementation progress achieved of Loss
• Prevention Programme
• Lack of surprises
• Updated risk profile of the institution
• Updated action plans for all material risks.

31

•  
•      

• Responsibilities of the RMC
• Defined as
• An oversight committee
• responsible to the AA / O for
• RM monitoring (i.e. to assist in designing,
  implementing and coordinating the institutions
  RM initiatives).
• Its constitution is made up of both independent
  members and Management.
• There is currently no legal mandate for the
  establishment of a RMC.

32

•  
•      

• Responsibilities of the RMC Strategic value
• Assisting AA / O in addressing its oversight
  requirements of RM and
• evaluating and monitoring the institutions RM
  performance.
• Role to formulate, promote and review the
  institutions ERM objectives, strategy and policy
  and
• monitor the process at strategic, management and
  operational levels.

33

•  
•      

• Responsibilities of the RMC
• Review the RM policy and strategy and recommend
  for approval by the AO
• Review the risk appetite and tolerance and
  recommend for approval by the AO
• Review the institutions risk identification and
  assessment methodologies to obtain reasonable
  assurance of the completeness and accuracy of the
  risk register
• Evaluate the effectiveness of mitigating
  strategies to address the material risks of the
  Institution

34

•  
•      

• Responsibilities of the RMC
• Report to AO material changes to risk profile
• Review the fraud prevention policy and recommend
  for approval by the AO
• Evaluate effectiveness of the implementation of
  the fraud prevention policy
• Review any material findings and recommendations
  by assurance providers on the system of RM and
  monitor that appropriate action is instituted to
  address the identified weaknesses
• Develop goals, objectives and key performance
  indicators for the Committee for approval by the
  AO

35

•  
•      

• Responsibilities of the RMC
• Develop goals, objectives and key performance
  indicators to measure the effectiveness of the RM
  activity
• Set out the nature, role, responsibility and
  authority of the RM function for approval by AO,
  and
• oversee RM function performance
• Report to AO on the state of RM, together with
  aspects requiring improvement accompanied by the
  RMCs recommendations to address such issues.

36

•  
•      

• Responsibilities of the RMC
• Evaluation
• Clear objectives KPIs should be set for the
  RMC iro RM.
• These indicators should be able to measure the
  RMCs effectiveness in the institutions ERM in
  contributing to the institutions goals and
  objectives.
• Possible RMC KPIs
• Results of the RMC 360 degree assessment
• implementation of the ERM Framework
• Credibility of the implemented RM structures.

37

•  
•      

? Pierre van der Merwe pierre_at_pfiq.
co.za Tel    (012) 470-9450 Fax   (012)
348-4150