4. ACTIVITY 1.2
4
Group exercise (20 min)
What risk?
To the mouse (external factors)?
To the cat (organisation)?
To the environment (environmental influences)?
To the people in the house (consumers / customers /
society)?
6. ACTIVITY 1.3
6
Group exercise (20 min)
Risk to people, animal, goods?
How to minimise risk?
7. ACTIVITY 1.4
7
Group exercise (20 min)
Availability of vehicles: organisation of your choice
What is the risk?
How to minimize?
How to assess success / failure?
8. Total Risk Management Focus
Financial - Risk of
capital
Operational –
Operational failure
Programme –
Managing change
Strategic – Market
changes
8
10. Evolution of Risk Management
10
Ancient Risk
Management
20th Century Risk
Mgt
21th Century Risk
Mgt
11. Comprehensive Risk Management
11
PFMA
MFMA
TRs
Planning and
Organizing
RMP
Risk Mgt
Plan
Risk Board
Process
Policy and
Guidance
Tools & Training
Risk
Identification
Risk
Mitigation
Plan Implementation
Risk
Mitigation
Planning
Risk
Analysis
Risk
Tracking
• Integrated and Stand-
Alone Risk Mgt Tools
Likelihood
Consequence
1
2
3
4
5
1 2 3 4 5
12. Risk & Risk Management Defined
12
Risk
=
Uncertain future events that could influence the
achievement of the objectives of a public institution
13. Risk Management Fundamentals
13
What is Risk?
The impact of uncertain future events that could influence
the achievement of an organisation’s objectives
Risk creates uncertainty and makes planning difficult
14. Risk Management Fundamentals
14
What is Risk?
Risk directly impacts on the service delivery objective of
public and private entities, because it manifests as the
chance of a loss due to adverse events:
Interruptions to service delivery and loss of revenue (income
statement, liquidity)
Consequences of loss of revenue on sustainability (balance
sheet, performance against budget, funding position)
Perceptions of stakeholders (reputation)
15. Risk & Risk Management Defined
15
RISK MANAGEMENT – page 11
A continuous, pro-active and systematic process,
effected by a department’s executive authority,
accounting officer, management and other personnel,
applied in strategic planning and across the
department, designed to identify potential events that
may affect the department, and manage risks to be
within its risk tolerance, to provide reasonable
assurance regarding the achievement of department
objectives.
16. Definition of Risk Management
16
A comprehensive and systematic
approach aimed at identifying,
measuring and controlling
an entity’s exposure to accidental loss,
theft and liability involving human,
financial, physical and
natural resources
17. Risk Management Fundamentals
17
What is Risk Management?
Risk Management focuses on the ability of the
organisation to meet objectives in the future by identifying
risk and making decisions to manage these risks
Risk Management starts with the strategic planning
process
18. ACTIVITY 1.5:
18
Group exercise (30 min): feedback to plenary
Interrogate the definition: what do you see?
19. Risk Management Fundamentals
19
What is Risk Management?
Risk Management is a dynamic, ongoing assessment,
decision-making and implementation process that is
integrated with management activities
Risk Management uses instruments such as financial
market transactions, insurance, control processes,
strategy/product changes, research/intelligence, risk
shifting to control, eliminate or reduce risk.
20. Risk Management Process
20
Structured approach for incorporating risk
management into daily, broader management
process
More than just an exercise of risk avoidance
Rather about identifying opportunities for avoiding or
mitigating losses
22. Components of Risk Management
22
Control environment
Objective setting
Risk identification
Risk assessment
Risk management strategy
Information & communication
Control Activities
Monitoring
23. 23
A Framework for Risk Management
Source: Enterprise Risk Management — Integrated Framework,
Committee of Sponsoring Organizations of the Treadway Commission.
Governance structure
Risk Management Philosophy + Risk Appetite
Oversight
Values, ethics
Human Capital-Skills, experience, training
Delegation of authority
Internal:
Infrastructure
Personnel
Process
Technology
External:
Political
Economic
Social
Technological
Environment
Techniques
Qualitative + Quantitative
Likelihood + Impact
Linkage between risks – Portfolio View
Avoidance
Reduction
Sharing
Acceptance Policies and Procedures
Operational Review and Audit
Approval framework
Reporting
Verification and reconciliations
Segregation of duties
Internal and External
Formal and Informal
Communication Methods
Accurate, Timely, Relevant
Share learning and insight
Ongoing, continuous process
Self-Assessments
Independent monitoring and evaluation
Adapt to changes
Improve practices
Align with best practice
Strategic Plan, Business Plan, Budgets
25. Relevance of Risk Management
25
Align with objectives
Introduce into existing strategic planning &
operational practices
Communicate departmental directions
Include as part of performance appraisals
Continue to improve control & accountability systems
& processes
26. Relevance of Risk Management
26
Why focus on risk management? Is it not common
sense? We know how to run our business!
Focus has traditionally been on historic measures
with some forecasting of the future:
Annual budgets, actual and variance
Mainly audit/financial risk focus
27. Relevance of Risk Management
27
High levels of uncertainty in the internal and external
environment warrant greater effort in managing risk:
PESTLE - Political, Economic, Social, Technological,
Legal Environmental
Effect of external factors becoming more pronounced
Not only budget (financial), but all business and
operational risks - integrated
Requires more structured approach with frequent reviews
of risk
Need to be more forward looking and proactive
28. Relevance of Risk Management
28
Legislative/regulatory/stakeholder pressure
Constitution
PFMA & MFMA
King II/King III
Best Practise
33. Regulatory Framework: International
Instruments: Basel II Accord
33
Second of the Basel Accords
“Basel Committee on Banking Supervision”
Reps from central banks & regulatory authorities of
several EU countries
Recommends to member states for adoption in local
law
34. Basel II Accord (cont)
34
How much money must banks keep aside to guard
against financial & operational risks?
Banks hold capital reserves appropriate to lending /
investment risks (protect solvency) NB!! Liquidity??
The higher risk, the higher amount to hold
35. Case Study: Barings Bank (1762–1995)
35
Oldest merchant bank in London
1995: Nick Leeson lost 827 million Pounds through
speculation
Leeson held 2 positions: reported to himself
Internal auditing at fault: absence of oversight
“How could this happen?”
36. Regulatory Framework – Legislative
Requirements
36
Policy should include:
“the accounting officer for Volta River Authority …
has and maintains :
Effective, efficient & transparency systems of financial
and risk management and internal control; and
A system of internal audit under the control & direction of
an audit committee…”
37. Legislative Requirements (Cont.)
37
“An employee in VRA, … :
Must ensure that the system of … and internal
control … is carried out within the area of
responsibility of that employee”
38. Legislative Requirements (Cont.)
38
“The accounting officer must ensure that a risk
assessment is conducted regularly to identify
emerging risks of VRA. A risk management strategy,
which must include a fraud prevention plan, must be
used to direct internal audit effort and priority, and to
determine the skills required of managers and staff
to improve controls and to manage these risks. The
strategy must be clearly communicated to all
employees to ensure that the risk management
strategy is incorporated into the language and
culture of VRA.”
39. Legislative Requirements (Cont.)
39
“The Board as a whole (collectively), as well as each
of its directors individually, carries the ultimate
responsibility for the company’s risk management
strategy and for whatever goes wrong in it.” (Romani
Naidoo, 2002, Corporate Governance)
40. Regulatory Framework: Other sources
40
Protocol Against Corruption: SADEC, 2001
Legislation/policy that deals with unlawful activities
“Financial Services Board”: controls financial
services industry
Revenue Services Legislation/policy
41. 41
Key Risks associated with In-
effective Risk Management
Inappropriate internal controls
Risk management not incorporated in
organisation’s culture
Reactive responses, not pro-active
Inadequate plans
Inappropriate controls
Changing/new risks not considered & managed
42. ACTIVITY 2.1
42
Examples from practice: 4 Groups (30 minutes)
Each group chooses any two below
Inappropriate internal controls
Risk management not incorporated in organisation’s
culture
Reactive responses, not pro-active
Inadequate plans
Inappropriate controls
Changing/new risks not considered & managed
43. Creative risk taking is essential to success in any goal where the
stakes are high. Thoughtless risks are destructive, of course, but
perhaps even more wasteful is thoughtless caution which prompts
inaction and promotes failure to seize opportunity.
- Gary Ryan Blair
44. Behind the regulatory framework:
Importance of Risk Management
44
Creation of optimal working environment
Fewer accidents
Greater productivity
Higher staff morale
Costs of losses reduced
Decisions taken under differing conditions of
certainty: legal framework gives some stability
46. 46
A Framework for Risk Management
Source: Enterprise Risk Management — Integrated Framework,
Committee of Sponsoring Organizations of the Treadway Commission.
Governance structure
Risk Management Philosophy + Risk Appetite
Oversight
Values, ethics
Human Capital-Skills, experience, training
Delegation of authority
Internal:
Infrastructure
Personnel
Process
Technology
External:
Political
Economic
Social
Technological
Environment
Techniques
Qualitative + Quantitative
Likelihood + Impact
Linkage between risks – Portfolio View
Avoidance
Reduction
Sharing
Acceptance Policies and Procedures
Operational Review and Audit
Approval framework
Reporting
Verification and reconciliations
Segregation of duties
Internal and External
Formal and Informal
Communication Methods
Accurate, Timely, Relevant
Share learning and insight
Ongoing, continuous process
Self-Assessments
Independent monitoring and evaluation
Adapt to changes
Improve practices
Align with best practice
Strategic Plan, Business Plan, Budgets
47. 47
Objective setting; Organizational context; Risk management
context
Risk identification; What can happen? How can it happen?
Risk assessment; Measuring likelihood; Measuring impact;
Establish the level of risk; Assess risks
Risk management strategy; Identify treatment options
(strategy); Evaluate treatment options; Implement
recommendations
Information/communication
Control activities
Monitoring and evaluation
CONTROLENVIROMENT
48. ACTIVITY 2.2
48
Components of risk management
Component 1: Internal environment
The purpose is to establish the current context of risk
management in your organisation
Prepare an overview/summary of the components of
risk management as applicable in your organisation
Present to the group
49. Formulating a Risk Management Strategy
49
R – Results
Are we achieving the desired
results for the risks we take?
I – Immunisation
Do we have the controls in
place to minimise the risk
losses?
K – Knowledge
Do we have the right people,
skills, culture and values for
effective risk management?
S – Systems
Do we have the systems to
measure and manage risks?
Also see p72-78 in the manual.
50. Formulating a Risk Management Strategy
50
Step 1: Establish the context
Step 2: Identify the risks
Step 3: Analyse the risks
Step 4: Evaluate and prioritise the risks / Assess
the risks
Step 5: Address the risks
Step 6: Monitor and review
Step 7: Documentation of the process
51. Operational Planning
51
Planning is “deciding in advance what to do, how to
do it, when to do it and who is to do it
Operational plans
Tactical plans
Strategic plans
The organisation’s mission
* Purpose * Premises * Values * Directions
Strategic objectives
Tactical objectives
Operational
objectives
52. Operational Planning Process
52
Planning to plan
Formulating a vision & mission statement
Scanning the external environment
Doing a market analysis
Determining all external opportunities and threats
Determining all internal strengths and weaknesses
Identifying strategic issues
Making choices
Establish priorities
Operational plans
Budgeting
Monitoring and evaluation
53. Main issues of operational plan before
execution
53
Determine responsibilities, time frames, cost
Practical execution often neglected as people
engage in academic debate
54. Link between Strategic & Operational
Planning
54
Vision
Mission Statement
Corporate Organisational Objectives
Functional (Operational) Objectives
Functional (Operational) Strategies
Long Term Operational Plan
Short Term Operational Plan
55. Formulating Strategies & Action Plans
55
Review: SWOT provide insight into efficiency of
existing strategies
Strategy should convert weaknesses into strengths;
threats into challenges
Identify 5 types of strategies:
Offensive: exploit opportunities from a premise of strength
Developmental: convert weaknesses into strengths
Diversification: harness strengths to minimise impact of
threats
Defensive: organisation is vulnerable; may require
professional help for business re-engineering
Combination: harness advantages of each; circumstances
will dictate
56. 56
Objective setting; Organizational context; Risk management
context
Risk identification; What can happen? How can it happen?
Risk assessment; Measuring likelihood; Measuring impact;
Establish the level of risk; Assess risks
Risk management strategy; Identify treatment options
(strategy); Evaluate treatment options; Implement
recommendations
Information/communication
Control activities
Monitoring and evaluation
CONTROLENVIROMENT
57. Formulating Strategies & Action Plans
57
Environmental scan
5 types of strategies:
Offensive: exploit opportunities from a premise of strength
Developmental: convert weaknesses into strengths
Diversification: harness strengths to minimise impact of
threats
Defensive: organisation is vulnerable; may require
professional help for business re-engineering
Combination: harness advantages of each; circumstances
will dictate
Decide on (propose) an overall strategy
58. Objective Setting
58
Break each strategy down into strategic objectives
(narrowly defined area of achievement)
Objectives should include:
service delivery indicators;
indicate what is to be accomplished;
measures to quantify results
What to do:
Identify 5-10 objectives
Determine actions with responsibilities and time-frames to
achieve each objective
59. ACTIVITY 2.3
59
Component 2: Objective setting
Consider the process of objective setting in your
organisation (strategic planning, operational planning,
budgeting)
Also consider objectives in the following 5 categories:
Strategic
Operations
Reporting
Compliance
Safeguarding
Compile a 1-page document on how risk management
should be integrated into objective setting (planning)
60. Risk Management Fundamentals
60
Risk Identification
Start with Risk Register – listing of all risks
Examine all sources of risk
External – PEST
Internal – e.g. governance, ethics & values, infrastructure, HR
Techniques include:
Trends/Patterns
Surveys/Questionnaires
Brainstorming
Scenario analysis
Networking
Value at Risk (VAR) model
Boston Squares
“Bottom-up” risk assessment
61. ACTIVITY 2.4
61
4 Groups (30 minutes)
Component 3: Risk Identification
Compile a basic risk register, i.e. develop a template
Populate the risk register with some examples, i.e.
identify and list possible risks for the organisation
Classify the risks to make it easier
(This should eventually be done for each Division &
Business unit within the organisation)
66. Step 1: Quantify the parameters
66
Example: Impact on cost
Score Impact Consequence
5 Catastrophic Leads to termination of the project
4 Critical Cost increase > 20%
3 Major Cost increase > 10%
2 Significant Cost increase < 10%
1 Negligible Minimal or no impact on cost
Example: Certainty of occurrence
Score Likelihood Occurrence
5 Maximum Certain to occur, almost every time
4 High Will occur frequently, 1 out of 10 times
3 Medium Will occur sometimes, 1 out of 100 times
2 Low Will seldom occur, 1 out of 1000 times
1 Minimum Will almost never occur, 1 out of 10 000 times
69. Step 4: Determine risk acceptability & what
action
69
Risk index Risk magnitude Risk acceptability Proposed actions
20 – 25 Maximum risk Unacceptable Take action to reduce
risk with highest priority,
accounting officer and
executive authority
attention.
15 – 19 High risk Unacceptable
10 – 14 Medium risk Unacceptable Take action to reduce
risk, inform senior
management.
5 – 9 Low risk Acceptable No risk reduction -
control, monitor, inform
management.
1 - 4 Minimum risk Acceptable No risk reduction -
control, monitor, inform
management.
70. ACTIVITY 2.5
70
4 Groups (30 minutes)
Component 4: Risk Assessment (plotting risks on the
matrix)
Consider the risk assessment tool that could be used
in your organisation
Develop/Refine the risk assessment tool
Use the risks identified & plot the risks by using the
assessment tool (as an example)
71. Risk Management Evaluation
71
Estimate the chance of occurrence or frequency for
each potential risk – probability that a loss will occur
Estimate the severity of the loss which is the highest
possible degree of injury or damage to a person /
property item
72. Risk Management Evaluation
72
The measurement of risk
is not an easy step;
it is the most difficult and
least precise step
in the art of risk management
73. Risk Management Fundamentals
73
Risk Management Strategy (response)
Addressing the risk
Management select a response that is expected to bring
risk likelihood & impact within the organisation’s risk
tolerance level
Categories of avoidance, reduction, sharing, acceptance
Refer back to risk assessment tool
74. Risk Management Model to
Evaluate/Prioritise risk
74
Low (CI<50%) Medium (50%>CI<80%) High (CI>80%)
Significant
Must monitor impact
and likelihood.
Manage if
likelyhood increases
beyond threshold.
Must manage and
monitor risks
Extensive
management
essential
Moderate
Risks may be worth
accepting with
monitoring
Management effort
worthwile
Management effort
required
Minor Accept risks
Accept, but monitor
risks
Monitor. Manage risk
if size of risk is
above acceptable
threshold
Risk Management Actions
Likelihood
Impact/Materiality
RiskManagementActions
75. Address the risks
75
Tolerate, Treat, Terminate, Transfer
…or…
Impact
Reduce Terminate
Accept Transfer
Likelihood
76. ACTIVITY 2.6
76
4 Groups (30 minutes)
Component 5: Risk Strategy (response
development)
Consider the existing (if it does exist) risk
management model
Review the effectiveness & appropriateness of risk
responses (strategies)
(This model will be used by each Division &
Business unit within the organisation; units have to
develop their own specific responses to their specific
identified risks)
77. Risk Management Fundamentals
77
Control Activities
Policies and procedures that help ensure that the risk
responses, as well as other entity directives, are carried
out
Occur throughout the organisation, at all levels and in all
functions
Include application and general (internal) controls
78. Control Procedures
78
Policy & procedure
Reporting, reviewing & approving
Checking accuracy of records
Maintaining & reviewing control accounts
Comparing internal data with external sources of
information
Comparing & analysing financial results
Limiting direct physical access to assets
79. Context of Control
79
Should be capable of responding immediately to
evolving risks
Cost of controls must be balanced against benefits
System of control must include procedures for
reporting
System of internal control must be embedded in
operations (“inculcated”)
80. Internal Control Focus Areas
80
Segregation of duties
Accountability for resources
Reconciliations
Prompt & proper recording & classification of
transactions
Authorisation & execution of transactions
Documentation (policy & procedure)
Management supervision & review
81. Types of Controls
81
Access
Information
Management
Administrative
Application
…
82. Risk Management Fundamentals
82
Information & Communication
Management identifies, captures, and communicates
pertinent information in a form and timeframe that enables
people to carry out their responsibilities
Communication occurs in a broader sense, flowing down,
across, and up the organization
Document the process
Always document risk management
Accountability … reporting
Continuous improvement
83. ACTIVITY 2.7
83
4 Groups (30 minutes)
Component 6: Information and Communication
Use all the steps that you followed and document
(map) the risk management process
Develop a basic action plan for a risk management
awareness campaign in your organisation
84. Risk Management Fundamentals
84
Risk Management Monitoring & Review
Continuous monitoring of RMF & process
Updating of risk register
Collection, capturing & communication of pertinent
information
Employees need information to identify, assess & respond to
risk
Early warning (dashboard for Executive)
Effective communication – raise awareness
Risk responses are based on (internal) control activities
Appropriate & effective controls
Ongoing monitoring of risk & risk management
(Ex-post facto) Separate evaluations
85. Risk Management Monitoring
85
Evaluate on an ongoing basis
Determine loss prevention goals at the beginning of
each financial year, as well as programmes to
achieve those goals
Effectiveness of programmes to be expressed in
terms of:
estimated frequency and
severity of losses
86. Risk Management, Internal Control &
Performance Management
86
Mechanisms for controlling or minimising risks
Good controls can reduce
Poor controls can increase
Never completely eliminated:
Accepted as low, not worth further considering
Reduced to acceptable level
87. Relationship between Risk Management and
Internal Audit
87
Risk management and assurance is a collaborative
effort between risk management and internal audit
that includes the correct balance of responsibility
and independent oversight
Internal audit should never assume the functions,
processes or systems of risk management
88. Relationship between Risk Management and
Internal Audit
88
Risk Management Internal Audit
Risk Management Department Internal Audit Department
Business Areas, Shared Services External Auditors, Shared Services
Consultants and Advisors Consultants and Advisors
Establishing risk management policies and
controls
Independent monitoring of risks, risk
management practices and controls
Implement risk measurement and reporting
systems
Validation of risk identification and management
tools and techniques
Assist business managers with the development
of risk capabilities and to development mitigation
strategies
Promoting a risk management culture and
developing common risk language
Generate, validate and circulate risk management
reporting
Review risk management reporting as part of
independent risk oversight
CRO chairs risk management committee(s)
Risk manager(s) lead and participate in working
groups and teams
Resources
Oversight of risk management activities
Review and report on the effectiveness of risk
management practices - Risk based audit
Responsibilities
Participation in Risk
Management
Activities
89. Measuring Performance of Risk
Management Function
89
Measure against risk plan
Performance measurement of staff in Risk
Management Unit
Regular reporting – In-year
Annual reporting based on plan
Accuracy of risk identification and assessment – one
of indicators
Existence of policies and procedures
Accessibility of risk records
90. Performance on risks?
90
KPA’s of all managers to include risk management
KPI’s to detail risk management performance by
managers
Obviously core business of Risk Management
Unit/Committee in organisational structure
To be reflected as such
91. ACTIVITY 2.8
91
Develop risk management KPA’s for managers
At least 2 KPI’s for each KPA
Discussion
92. Good Governance
92
Role of good governance in RM
Compliance emphasized (remember regulatory
framework)
King I (1994) & II (2002): Organisations should be
good corporate citizens
Prevent loss, safeguard stakeholder interests
King III (2013)
93. Institutional Governance
93
Definition of Institutional Governance:
Embodies process and systems by which public
institutions are directed, controlled and held accountable
Describe systems/practices to manage information,
resources and processes of public institution
94. Institutional Governance
94
Elements of Institutional Governance:
Risk Management
Internal controls and internal control system
Performance management
Internal and external auditing
Reporting
Ethical conduct – Code of conduct
Accountability
95. Institutional Governance
95
Principles of good institutional governance:
Discipline – ethical conduct
Transparency
Independence
Accountability
Responsibility
Fairness
Social responsibility
96. Institutional Governance
96
Components of Institutional Governance:
Clear planning and direction
Appropriate and timely information
Sound resource management
Adequate controls
97. Institutional Governance
97
Management’s Institutional Governance
Responsibilities:
Effective evaluation of institution’s performance
Ensure that institution/staff act lawfully and comply with
government policies
Managing institution’s risk exposure
Ensure that stakeholder rights are not infringed
98. Institutional Governance
98
Test for weaknesses in Institutional Governance:
Checklist to be developed
Planning and direction
Appropriate and timely information
Sound resource management
Adequate controls
99. Institutional Governance
99
Checklist:
Planning and direction
Planning context
Strategic and Operational planning
Decision-making
Institutional culture
Appropriate and timely information
Ministerial direction and Government policy
External and internal reporting
Client interaction
100. Institutional Governance
100
Checklist:
Resource Management
Assets and liabilities
Human Resources
Information Resources (system)
Finances
Adequate controls
Internal controls
Risk management
Fraud prevention
Contract control
102. Practical Implications for
Risk Management
102
Pressure to meet risk management standards of
corporate sector
Responsibility to protects assets, utilise effectively
Implement risk based audit, risk management practise
Move from historic focus to forward looking focus
Skills/experience/resource shortage
Outsourcing of audit function is common
Cannot outsource risk management responsibility, can only
seek help
Often cannot set up dedicated risk department – embedded in
line function responsibilities
Internal audit capability to monitor and review risk management
practise – risk based audit
Sheer range of challenges
How to prioritise and deploy limited resources? - Risk
Assessment!
Cost/benefit realities facing internal audit and risk management
104. Risk Management Best Practise
104
Drivers of successful risk management
Values and Culture should be aligned throughout the
organisation
Organisational philosophy should be that everybody is a risk
manager
Intellectual Capital a vital component
No substitute for technical knowledge, experience and
knowledge of the business
Can be internally or externally sourced
Senior management and governing bodies must
champion risk management
Open communication channels
Team effort – Working groups and committeesA silo mentality hides and
multiplies risk !
105. Risk Management Best Practise
105
Drivers of successful risk management (cont)
Use a common, simple language for risk across the
organisation
Clear risk management function/responsibilities and
coordination of overall risk management activities
Measuring and reporting on risk management
performance
Formal documentation/frameworks
Policies and procedures, Processes, Tools, Templates,
Reporting
Role of Internal Audit
Involvement of Internal Audit in risk governance
structures/committees
Independent review of risk and risk management activities by
Internal Audit
Training, mentoring, collaboration deserves a lot of
attention
106. Key Implementation Factors
106
Organizational design of business
Establishing an ERM organization
Determine a risk philosophy
Survey risk culture
Consider organizational integrity and ethical values
Decide roles and responsibilities
Performing risk assessments
Determining overall risk appetite
Identifying risk responses
Communication of risk results
Monitoring
Oversight & periodic review by management