Enterprise Risk Management
Andre Knipe
ACTIVITY 1.1
 Individual exercise (30 min)
 Risk in your work environment
 Participants volunteer to inform plenary
 Debrief
Operational … Risk … Management
ACTIVITY 1.2
 Group exercise (20 min)
 What risk?
 To the mouse (external factors)?
 To the cat (organisation)?
 To the environment (environmental influences)?
 To the people in the house (consumers / customers /
society)?
Risk Management?
ACTIVITY 1.3
 Group exercise (20 min)
 Risk to people, animal, goods?
 How to minimise risk?
ACTIVITY 1.4
 Group exercise (20 min)
 Availability of vehicles: organisation of your choice
 What is the risk?
 How to minimize?
 How to assess success / failure?
Total Risk Management Focus
 Financial - Risk of
capital
 Operational –
Operational failure
 Programme –
Managing change
 Strategic – Market
changes
Why Risk Management?
 Cost
 Schedule
 Technical performance
Evolution of Risk Management
Ancient Risk Management
20th Century Risk Mgt
21st Century Risk Mgt
Comprehensive Risk Management
 PFMA
 MFMA
 TRs
Figure labels: Planning and Organizing; Risk Mgt Plan (RMP); Risk Board; Process; Policy and Guidance; Tools & Training; Risk Identification; Risk Analysis; Risk Mitigation Planning; Risk Mitigation Plan Implementation; Risk Tracking; Integrated and Stand-Alone Risk Mgt Tools; 5 x 5 grid of Likelihood and Consequence, each scored 1 to 5
Risk & Risk Management Defined
 Risk
 =
 Uncertain future events that could influence the
achievement of the objectives of a public institution
Risk Management Fundamentals
 What is Risk?
 The impact of uncertain future events that could influence
the achievement of an organisation’s objectives
 Risk creates uncertainty and makes planning difficult
Risk Management Fundamentals
 What is Risk?
 Risk directly impacts on the service delivery objective of
public and private entities, because it manifests as the
chance of a loss due to adverse events:
 Interruptions to service delivery and loss of revenue (income
statement, liquidity)
 Consequences of loss of revenue on sustainability (balance
sheet, performance against budget, funding position)
 Perceptions of stakeholders (reputation)
Risk & Risk Management Defined
 RISK MANAGEMENT – page 11
 A continuous, pro-active and systematic process,
effected by a department’s executive authority,
accounting officer, management and other personnel,
applied in strategic planning and across the
department, designed to identify potential events that
may affect the department, and manage risks to be
within its risk tolerance, to provide reasonable
assurance regarding the achievement of department
objectives.
Definition of Risk Management
 A comprehensive and systematic
 approach aimed at identifying,
 measuring and controlling
 an entity’s exposure to accidental loss,
 theft and liability involving human,
 financial, physical and
 natural resources
Risk Management Fundamentals
 What is Risk Management?
 Risk Management focuses on the ability of the
organisation to meet objectives in the future by identifying
risk and making decisions to manage these risks
 Risk Management starts with the strategic planning
process
ACTIVITY 1.5:
 Group exercise (30 min): feedback to plenary
 Interrogate the definition: what do you see?
Risk Management Fundamentals
 What is Risk Management?
 Risk Management is a dynamic, ongoing assessment,
decision-making and implementation process that is
integrated with management activities
 Risk Management uses instruments such as financial
market transactions, insurance, control processes,
strategy/product changes, research/intelligence, risk
shifting to control, eliminate or reduce risk.
Risk Management Process
 Structured approach for incorporating risk
management into daily, broader management
process
 More than just an exercise of risk avoidance
 Rather about identifying opportunities for avoiding or
mitigating losses
Risk Management Process
 Phases in Risk Management Process:
 Risk Identification
 Risk Assessment
 Risk Response
 Risk Control
 Risk Financing
Figure (risk management cycle) labels: Context + Philosophy; Identify Risks; Measure Risks; Desired Results; Develop Solutions; Choose Strategy; Execute Strategy; Monitor, Evaluate, Adjust
Components of Risk Management
 Control environment
 Objective setting
 Risk identification
 Risk assessment
 Risk management strategy
 Information & communication
 Control Activities
 Monitoring
A Framework for Risk Management
Source: Enterprise Risk Management — Integrated Framework,
Committee of Sponsoring Organizations of the Treadway Commission.
Governance structure; Risk Management Philosophy + Risk Appetite; Oversight; Values, ethics; Human Capital – Skills, experience, training; Delegation of authority
Internal: Infrastructure; Personnel; Process; Technology
External: Political; Economic; Social; Technological; Environment
Techniques; Qualitative + Quantitative; Likelihood + Impact; Linkage between risks – Portfolio View
Avoidance; Reduction; Sharing; Acceptance
Policies and Procedures; Operational Review and Audit; Approval framework; Reporting; Verification and reconciliations; Segregation of duties
Internal and External; Formal and Informal; Communication Methods; Accurate, Timely, Relevant; Share learning and insight
Ongoing, continuous process; Self-Assessments; Independent monitoring and evaluation; Adapt to changes; Improve practices; Align with best practice
Strategic Plan, Business Plan, Budgets
ACTIVITY 1.7:
 Group exercise: feedback to plenary
 Divide 8 topics between groups
Relevance of Risk Management
 Align with objectives
 Introduce into existing strategic planning &
operational practices
 Communicate departmental directions
 Include as part of performance appraisals
 Continue to improve control & accountability systems
& processes
Relevance of Risk Management
 Why focus on risk management? Is it not common
sense? We know how to run our business!
 Focus has traditionally been on historic measures
with some forecasting of the future:
 Annual budgets, actual and variance
 Mainly audit/financial risk focus
Relevance of Risk Management
 High levels of uncertainty in the internal and external
environment warrant greater effort in managing risk:
 PESTLE - Political, Economic, Social, Technological,
Legal Environmental
 Effect of external factors becoming more pronounced
 Not only budget (financial), but all business and
operational risks - integrated
 Requires more structured approach with frequent reviews
of risk
 Need to be more forward looking and proactive
Relevance of Risk Management
 Legislative/regulatory/stakeholder pressure
 Constitution
 PFMA & MFMA
 King II/King III
 Best Practice
Benefits of Risk Management
 Identify & manage risks
 Identify & implement cost-effective, integrated
responses
 Minimise operational surprises, costly & time-consuming
litigation and unexpected losses
Benefits of Risk Management
 Rationalise capital & financial resources
 Continuity of service delivery
 Enhance accountability & corporate governance
processes
 Achieve greater openness/transparency in decision-
making & ongoing management processes
Benefits of Risk Management
 Enhance accountability & corporate governance
processes
 Achieve continuity of service delivery
 Avoid unnecessary wastage
 Achieve openness/transparency in decision-making
& ongoing management processes
Delivering what we should?
Regulatory Framework: International
Instruments: Basel II Accord
 Second of the Basel Accords
 “Basel Committee on Banking Supervision”
 Reps from central banks & regulatory authorities of
several EU countries
 Recommends to member states for adoption in local
law
Basel II Accord (cont)
 How much money must banks keep aside to guard
against financial & operational risks?
 Banks hold capital reserves appropriate to lending /
investment risks (protect solvency) NB!! Liquidity??
 The higher risk, the higher amount to hold
Case Study: Barings Bank (1762–1995)
 Oldest merchant bank in London
 1995: Nick Leeson lost 827 million Pounds through
speculation
 Leeson held 2 positions: reported to himself
 Internal auditing at fault: absence of oversight
 “How could this happen?”
Regulatory Framework – Legislative
Requirements
 Policy should include:
 “the accounting officer for Volta River Authority …
has and maintains:
 Effective, efficient & transparent systems of financial
and risk management and internal control; and
 A system of internal audit under the control & direction of
an audit committee…”
Legislative Requirements (Cont.)
 “An employee in VRA, … :
 Must ensure that the system of … and internal
control … is carried out within the area of
responsibility of that employee”
Legislative Requirements (Cont.)
 “The accounting officer must ensure that a risk
assessment is conducted regularly to identify
emerging risks of VRA. A risk management strategy,
which must include a fraud prevention plan, must be
used to direct internal audit effort and priority, and to
determine the skills required of managers and staff
to improve controls and to manage these risks. The
strategy must be clearly communicated to all
employees to ensure that the risk management
strategy is incorporated into the language and
culture of VRA.”
Legislative Requirements (Cont.)
 “The Board as a whole (collectively), as well as each
of its directors individually, carries the ultimate
responsibility for the company’s risk management
strategy and for whatever goes wrong in it.” (Romani
Naidoo, 2002, Corporate Governance)
Regulatory Framework: Other sources
 Protocol Against Corruption: SADC, 2001
 Legislation/policy that deals with unlawful activities
 “Financial Services Board”: controls financial
services industry
 Revenue Services Legislation/policy
Key Risks associated with Ineffective Risk Management
 Inappropriate internal controls
 Risk management not incorporated in
organisation’s culture
 Reactive responses, not pro-active
 Inadequate plans
 Inappropriate controls
 Changing/new risks not considered & managed
ACTIVITY 2.1
 Examples from practice: 4 Groups (30 minutes)
 Each group chooses any two below
 Inappropriate internal controls
 Risk management not incorporated in organisation’s
culture
 Reactive responses, not pro-active
 Inadequate plans
 Inappropriate controls
 Changing/new risks not considered & managed
Creative risk taking is essential to success in any goal where the
stakes are high. Thoughtless risks are destructive, of course, but
perhaps even more wasteful is thoughtless caution which prompts
inaction and promotes failure to seize opportunity.
- Gary Ryan Blair
Behind the regulatory framework:
Importance of Risk Management
 Creation of optimal working environment
 Fewer accidents
 Greater productivity
 Higher staff morale
 Costs of losses reduced
 Decisions taken under differing conditions of
certainty: legal framework gives some stability
Objective setting; Organizational context; Risk management context
Risk identification; What can happen? How can it happen?
Risk assessment; Measuring likelihood; Measuring impact; Establish the level of risk; Assess risks
Risk management strategy; Identify treatment options (strategy); Evaluate treatment options; Implement recommendations
Information/communication
Control activities
Monitoring and evaluation
CONTROL ENVIRONMENT
ACTIVITY 2.2
 Components of risk management
 Component 1: Internal environment
 The purpose is to establish the current context of risk
management in your organisation
 Prepare an overview/summary of the components of
risk management as applicable in your organisation
 Present to the group
Formulating a Risk Management Strategy
R – Results: Are we achieving the desired results for the risks we take?
I – Immunisation: Do we have the controls in place to minimise the risk losses?
K – Knowledge: Do we have the right people, skills, culture and values for effective risk management?
S – Systems: Do we have the systems to measure and manage risks?
Also see p72-78 in the manual.
Formulating a Risk Management Strategy
 Step 1: Establish the context
 Step 2: Identify the risks
 Step 3: Analyse the risks
 Step 4: Evaluate and prioritise the risks / Assess
the risks
 Step 5: Address the risks
 Step 6: Monitor and review
 Step 7: Documentation of the process
Operational Planning
 Planning is “deciding in advance what to do, how to do it, when to do it and who is to do it”
Figure (planning hierarchy) labels: The organisation’s mission (Purpose, Premises, Values, Directions); Strategic objectives; Tactical objectives; Operational objectives; Strategic plans; Tactical plans; Operational plans
Operational Planning Process
 Planning to plan
 Formulating a vision & mission statement
 Scanning the external environment
 Doing a market analysis
 Determining all external opportunities and threats
 Determining all internal strengths and weaknesses
 Identifying strategic issues
 Making choices
 Establish priorities
 Operational plans
 Budgeting
 Monitoring and evaluation
Main issues of operational plan before
execution
 Determine responsibilities, time frames, cost
 Practical execution often neglected as people
engage in academic debate
Link between Strategic & Operational
Planning
Vision
Mission Statement
Corporate Organisational Objectives
Functional (Operational) Objectives
Functional (Operational) Strategies
Long Term Operational Plan
Short Term Operational Plan
Formulating Strategies & Action Plans
 Review: SWOT provides insight into efficiency of
existing strategies
 Strategy should convert weaknesses into strengths;
threats into challenges
 Identify 5 types of strategies:
 Offensive: exploit opportunities from a premise of strength
 Developmental: convert weaknesses into strengths
 Diversification: harness strengths to minimise impact of
threats
 Defensive: organisation is vulnerable; may require
professional help for business re-engineering
 Combination: harness advantages of each; circumstances
will dictate
Formulating Strategies & Action Plans
 Environmental scan
 5 types of strategies:
 Offensive: exploit opportunities from a premise of strength
 Developmental: convert weaknesses into strengths
 Diversification: harness strengths to minimise impact of
threats
 Defensive: organisation is vulnerable; may require
professional help for business re-engineering
 Combination: harness advantages of each; circumstances
will dictate
 Decide on (propose) an overall strategy
Objective Setting
 Break each strategy down into strategic objectives
(narrowly defined area of achievement)
 Objectives should include:
 service delivery indicators;
 indicate what is to be accomplished;
 measures to quantify results
 What to do:
 Identify 5-10 objectives
 Determine actions with responsibilities and time-frames to
achieve each objective
ACTIVITY 2.3
 Component 2: Objective setting
 Consider the process of objective setting in your
organisation (strategic planning, operational planning,
budgeting)
 Also consider objectives in the following 5 categories:
 Strategic
 Operations
 Reporting
 Compliance
 Safeguarding
 Compile a 1-page document on how risk management
should be integrated into objective setting (planning)
Risk Management Fundamentals
 Risk Identification
 Start with Risk Register – listing of all risks
 Examine all sources of risk
 External – PEST
 Internal – e.g. governance, ethics & values, infrastructure, HR
 Techniques include:
 Trends/Patterns
 Surveys/Questionnaires
 Brainstorming
 Scenario analysis
 Networking
 Value at Risk (VAR) model
 Boston Squares
 “Bottom-up” risk assessment
ACTIVITY 2.4
 4 Groups (30 minutes)
 Component 3: Risk Identification
 Compile a basic risk register, i.e. develop a template
 Populate the risk register with some examples, i.e.
identify and list possible risks for the organisation
 Classify the risks to make it easier
 (This should eventually be done for each Division &
Business unit within the organisation)
REMEMBER
 Risk Register = a “list of prioritised risks”
Risk Management Fundamentals
 Risk Assessment (analysis)
 Start with Risk Register
 Consider possible areas of risk impact
 Risk ranking provides direction and focus – costs,
resources, time
 Consistent measurement techniques – quantitative
 Lots of good judgement – qualitative
 4 steps:
 Quantify parameters (scoring system)
 Apply parameters
 Determine risk acceptance criteria (tolerance)
 Determine risk acceptability & action to reduce risk
 Identify the root cause of the risk
RISK REGISTER
 This is a list of prioritised risks
 See next slide: likelihood & consequence?
Risk Assessment tool:
Consequence vs. Likelihood
Figure: 5 x 5 grid with Likelihood and Consequence each scored 1 to 5
Step 1: Quantify the parameters
Example: Impact on cost

| Score | Impact | Consequence |
|---|---|---|
| 5 | Catastrophic | Leads to termination of the project |
| 4 | Critical | Cost increase > 20% |
| 3 | Major | Cost increase > 10% |
| 2 | Significant | Cost increase < 10% |
| 1 | Negligible | Minimal or no impact on cost |

Example: Certainty of occurrence

| Score | Likelihood | Occurrence |
|---|---|---|
| 5 | Maximum | Certain to occur, almost every time |
| 4 | High | Will occur frequently, 1 out of 10 times |
| 3 | Medium | Will occur sometimes, 1 out of 100 times |
| 2 | Low | Will seldom occur, 1 out of 1000 times |
| 1 | Minimum | Will almost never occur, 1 out of 10 000 times |

Step 2: Applying the parameters
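 Risk index = impact x likelihood

| IMPACT \ LIKELIHOOD | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| 5 | 5 | 10 | 15 | 20 | 25 |
| 4 | 4 | 8 | 12 | 16 | 20 |
| 3 | 3 | 6 | 9 | 12 | 15 |
| 2 | 2 | 4 | 6 | 8 | 10 |
| 1 | 1 | 2 | 3 | 4 | 5 |

| Risk index | Risk Magnitude |
|---|---|
| 20 - 25 | Maximum |
| 15 - 19 | High risk |
| 10 - 14 | Medium risk |
| 5 - 9 | Low risk |
| 1 - 4 | Minimum risk |
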
Step 3: Determine risk acceptance
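 Risk tolerance…

| IMPACT \ LIKELIHOOD | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| 5 | 5 | 10 | 15 | 20 | 25 |
| 4 | 4 | 8 | 12 | 16 | 20 |
| 3 | 3 | 6 | 9 | 12 | 15 |
| 2 | 2 | 4 | 6 | 8 | 10 |
| 1 | 1 | 2 | 3 | 4 | 5 |

Unacceptable risks: cells with risk index 10, 12, 15, 16, 20 and 25
Acceptable risks: cells with risk index 1 to 9
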
Step 4: Determine risk acceptability & what action

| Risk index | Risk magnitude | Risk acceptability | Proposed actions |
|---|---|---|---|
| 20 – 25 | Maximum risk | Unacceptable | Take action to reduce risk with highest priority, accounting officer and executive authority attention. |
| 15 – 19 | High risk | Unacceptable | |
| 10 – 14 | Medium risk | Unacceptable | Take action to reduce risk, inform senior management. |
| 5 – 9 | Low risk | Acceptable | No risk reduction - control, monitor, inform management. |
| 1 - 4 | Minimum risk | Acceptable | No risk reduction - control, monitor, inform management. |

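Steps 1 to 4 above, carried through as a small scoring routine over a risk register. This is an added example, not part of the original slides; the sample register, the tie-break rule and the `response_targets` helper (which lists the residual scores a response must reach to fall within tolerance) are assumptions made for illustration.

```python
from dataclasses import dataclass

SCORES = range(1, 6)   # impact and likelihood are both scored 1..5 (Step 1)
TOLERANCE = 10         # Step 3 on the slides: index 10 and above is unacceptable
# Step 2 legend as (lowest index in band, magnitude), highest band first
BANDS = [(20, "Maximum"), (15, "High risk"), (10, "Medium risk"),
         (5, "Low risk"), (1, "Minimum risk")]


def risk_index(impact, likelihood):
    """Step 2: risk index = impact x likelihood, rejecting scores outside 1..5."""
    for name, score in (("impact", impact), ("likelihood", likelihood)):
        if not isinstance(score, int) or score not in SCORES:
            raise ValueError(f"{name} must be an integer 1..5, got {score!r}")
    return impact * likelihood


def magnitude(index):
    """Name the magnitude band that a risk index falls into."""
    for floor, label in BANDS:
        if index >= floor:
            return label
    raise ValueError(f"risk index must be at least 1, got {index!r}")


def is_acceptable(index, tolerance=TOLERANCE):
    """Step 3: a risk is acceptable while its index stays below the tolerance."""
    return index < tolerance


def partition_matrix(tolerance=TOLERANCE):
    """Split the 25 matrix cells into (acceptable, unacceptable) index lists."""
    cells = sorted(risk_index(i, l) for i in SCORES for l in SCORES)
    return ([c for c in cells if is_acceptable(c, tolerance)],
            [c for c in cells if not is_acceptable(c, tolerance)])


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int
    likelihood: int

    @property
    def index(self):
        return risk_index(self.impact, self.likelihood)


def prioritise(register):
    """Risk register as a list of prioritised risks, highest index first.
    Equal indices are ordered by impact, then name (assumption of this example)."""
    return sorted(register, key=lambda r: (-r.index, -r.impact, r.name))


def response_targets(risk, tolerance=TOLERANCE):
    """Residual (impact, likelihood) scores a response must reach.

    Hypothetical helper: of all score pairs not above the current ones whose
    index is within tolerance, keep those needing the least reduction, i.e.
    pairs that no other acceptable pair matches or exceeds on both scores.
    """
    ok = [(i, l) for i in range(1, risk.impact + 1)
          for l in range(1, risk.likelihood + 1) if is_acceptable(i * l, tolerance)]
    return [p for p in ok
            if not any(q != p and q[0] >= p[0] and q[1] >= p[1] for q in ok)]


def assess(register):
    """Step 4: one row per risk with index, magnitude, acceptability, targets."""
    rows = []
    for r in prioritise(register):
        acceptable = is_acceptable(r.index)
        rows.append({"risk": r.name, "index": r.index, "magnitude": magnitude(r.index),
                     "acceptability": "Acceptable" if acceptable else "Unacceptable",
                     "targets": [] if acceptable else response_targets(r)})
    return rows


# Constructed sample register; names and scores are illustrative only.
REGISTER = [
    Risk("One person approves and reconciles payments", impact=5, likelihood=2),
    Risk("Fleet vehicles unavailable", impact=3, likelihood=4),
    Risk("Supplier invoices captured late", impact=2, likelihood=4),
    Risk("Records room flooding", impact=4, likelihood=1),
    Risk("Project cost increase above 20%", impact=4, likelihood=4),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['index']:>2}  {row['magnitude']:<12} {row['acceptability']:<12} "
              f"{row['risk']}  targets={row['targets']}")
```

For the risk scored impact 4 and likelihood 4 (index 16), the targets show that reducing likelihood to 2, impact to 2, or both to 3 brings it within tolerance.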
ACTIVITY 2.5
 4 Groups (30 minutes)
 Component 4: Risk Assessment (plotting risks on the
matrix)
 Consider the risk assessment tool that could be used
in your organisation
 Develop/Refine the risk assessment tool
 Use the risks identified & plot the risks by using the
assessment tool (as an example)
Risk Management Evaluation
 Estimate the chance of occurrence or frequency for
each potential risk – probability that a loss will occur
 Estimate the severity of the loss which is the highest
possible degree of injury or damage to a person /
property item
Risk Management Evaluation
 The measurement of risk
 is not an easy step;
 it is the most difficult and
 least precise step
 in the art of risk management
Risk Management Fundamentals
 Risk Management Strategy (response)
 Addressing the risk
 Management select a response that is expected to bring
risk likelihood & impact within the organisation’s risk
tolerance level
 Categories of avoidance, reduction, sharing, acceptance
 Refer back to risk assessment tool
Risk Management Model to
Evaluate/Prioritise risk
Risk Management Actions

| Impact/Materiality | Likelihood: Low (CI<50%) | Likelihood: Medium (50%<CI<80%) | Likelihood: High (CI>80%) |
|---|---|---|---|
| Significant | Must monitor impact and likelihood. Manage if likelihood increases beyond threshold. | Must manage and monitor risks | Extensive management essential |
| Moderate | Risks may be worth accepting with monitoring | Management effort worthwhile | Management effort required |
| Minor | Accept risks | Accept, but monitor risks | Monitor. Manage risk if size of risk is above acceptable threshold |

Address the risks
 Tolerate, Treat, Terminate, Transfer
 …or…
Figure (2 x 2 grid with axes Impact and Likelihood): top row Reduce, Terminate; bottom row Accept, Transfer
ACTIVITY 2.6
 4 Groups (30 minutes)
 Component 5: Risk Strategy (response
development)
 Consider the existing (if it does exist) risk
management model
 Review the effectiveness & appropriateness of risk
responses (strategies)
 (This model will be used by each Division &
Business unit within the organisation; units have to
develop their own specific responses to their specific
identified risks)
Risk Management Fundamentals
 Control Activities
 Policies and procedures that help ensure that the risk
responses, as well as other entity directives, are carried
out
 Occur throughout the organisation, at all levels and in all
functions
 Include application and general (internal) controls
Control Procedures
 Policy & procedure
 Reporting, reviewing & approving
 Checking accuracy of records
 Maintaining & reviewing control accounts
 Comparing internal data with external sources of
information
 Comparing & analysing financial results
 Limiting direct physical access to assets
Context of Control
 Should be capable of responding immediately to
evolving risks
 Cost of controls must be balanced against benefits
 System of control must include procedures for
reporting
 System of internal control must be embedded in
operations (“inculcated”)
Internal Control Focus Areas
 Segregation of duties
 Accountability for resources
 Reconciliations
 Prompt & proper recording & classification of
transactions
 Authorisation & execution of transactions
 Documentation (policy & procedure)
 Management supervision & review
Types of Controls
 Access
 Information
 Management
 Administrative
 Application
 …
Risk Management Fundamentals
 Information & Communication
 Management identifies, captures, and communicates
pertinent information in a form and timeframe that enables
people to carry out their responsibilities
 Communication occurs in a broader sense, flowing down,
across, and up the organization
 Document the process
 Always document risk management
 Accountability … reporting
 Continuous improvement
ACTIVITY 2.7
 4 Groups (30 minutes)
 Component 6: Information and Communication
 Use all the steps that you followed and document
(map) the risk management process
 Develop a basic action plan for a risk management
awareness campaign in your organisation
Risk Management Fundamentals
 Risk Management Monitoring & Review
 Continuous monitoring of RMF & process
 Updating of risk register
 Collection, capturing & communication of pertinent
information
 Employees need information to identify, assess & respond to
risk
 Early warning (dashboard for Executive)
 Effective communication – raise awareness
 Risk responses are based on (internal) control activities
 Appropriate & effective controls
 Ongoing monitoring of risk & risk management
 (Ex-post facto) Separate evaluations
Risk Management Monitoring
 Evaluate on an ongoing basis
 Determine loss prevention goals at the beginning of
each financial year, as well as programmes to
achieve those goals
 Effectiveness of programmes to be expressed in
terms of:
 estimated frequency and
 severity of losses
Risk Management, Internal Control &
Performance Management
 Mechanisms for controlling or minimising risks
 Good controls can reduce
 Poor controls can increase
 Never completely eliminated:
 Accepted as low, not worth further considering
 Reduced to acceptable level
Relationship between Risk Management and
Internal Audit
 Risk management and assurance is a collaborative
effort between risk management and internal audit
that includes the correct balance of responsibility
and independent oversight
 Internal audit should never assume the functions,
processes or systems of risk management
Relationship between Risk Management and
Internal Audit
| | Risk Management | Internal Audit |
|---|---|---|
| Resources | Risk Management Department; Business Areas, Shared Services; Consultants and Advisors | Internal Audit Department; External Auditors, Shared Services; Consultants and Advisors |
| Responsibilities | Establishing risk management policies and controls; Implement risk measurement and reporting systems; Assist business managers with the development of risk capabilities and to develop mitigation strategies; Promoting a risk management culture and developing common risk language; Generate, validate and circulate risk management reporting | Independent monitoring of risks, risk management practices and controls; Validation of risk identification and management tools and techniques; Review risk management reporting as part of independent risk oversight |
| Participation in Risk Management Activities | CRO chairs risk management committee(s); Risk manager(s) lead and participate in working groups and teams | Oversight of risk management activities; Review and report on the effectiveness of risk management practices - Risk based audit |

Measuring Performance of Risk
Management Function
 Measure against risk plan
 Performance measurement of staff in Risk
Management Unit
 Regular reporting – In-year
 Annual reporting based on plan
 Accuracy of risk identification and assessment – one
of indicators
 Existence of policies and procedures
 Accessibility of risk records
Performance on risks?
 KPA’s of all managers to include risk management
 KPI’s to detail risk management performance by
managers
 Obviously core business of Risk Management
Unit/Committee in organisational structure
 To be reflected as such
ACTIVITY 2.8
 Develop risk management KPA’s for managers
 At least 2 KPI’s for each KPA
 Discussion
Good Governance
 Role of good governance in RM
 Compliance emphasized (remember regulatory
framework)
 King I (1994) & II (2002): Organisations should be
good corporate citizens
 Prevent loss, safeguard stakeholder interests
 King III (2013)
Institutional Governance
 Definition of Institutional Governance:
 Embodies process and systems by which public
institutions are directed, controlled and held accountable
 Describe systems/practices to manage information,
resources and processes of public institution
Institutional Governance
 Elements of Institutional Governance:
 Risk Management
 Internal controls and internal control system
 Performance management
 Internal and external auditing
 Reporting
 Ethical conduct – Code of conduct
 Accountability
Institutional Governance
 Principles of good institutional governance:
 Discipline – ethical conduct
 Transparency
 Independence
 Accountability
 Responsibility
 Fairness
 Social responsibility
Institutional Governance
 Components of Institutional Governance:
 Clear planning and direction
 Appropriate and timely information
 Sound resource management
 Adequate controls
Institutional Governance
 Management’s Institutional Governance
Responsibilities:
 Effective evaluation of institution’s performance
 Ensure that institution/staff act lawfully and comply with
government policies
 Managing institution’s risk exposure
 Ensure that stakeholder rights are not infringed
Institutional Governance
 Test for weaknesses in Institutional Governance:
 Checklist to be developed
 Planning and direction
 Appropriate and timely information
 Sound resource management
 Adequate controls
Institutional Governance
 Checklist:
 Planning and direction
 Planning context
 Strategic and Operational planning
 Decision-making
 Institutional culture
 Appropriate and timely information
 Ministerial direction and Government policy
 External and internal reporting
 Client interaction
Institutional Governance
 Checklist:
 Resource Management
 Assets and liabilities
 Human Resources
 Information Resources (system)
 Finances
 Adequate controls
 Internal controls
 Risk management
 Fraud prevention
 Contract control
Institutional Governance
 Accountability process in Public Sector:
 Political Accountability
 Statutory Accountability
 Managerial Accountability
Practical Implications for
Risk Management
 Pressure to meet risk management standards of
corporate sector
 Responsibility to protect assets, utilise effectively
 Implement risk based audit, risk management practice
 Move from historic focus to forward looking focus
 Skills/experience/resource shortage
 Outsourcing of audit function is common
 Cannot outsource risk management responsibility, can only
seek help
 Often cannot set up dedicated risk department – embedded in
line function responsibilities
 Internal audit capability to monitor and review risk management
practice – risk based audit
 Sheer range of challenges
 How to prioritise and deploy limited resources? - Risk
Assessment!
 Cost/benefit realities facing internal audit and risk management
Factors Governing the Risk Management
Decision
Figure labels:
Governance & Planning; Business Plan; Risk Philosophy; Risk Management Policy; Regulatory Environment
Risk Profiling; Exposures and Sensitivity; Organisational Risk and Competitive Environment
Market/Business Conditions; Fundamental and Technical
Risk Management Framework: Context + Philosophy; Identify Risks; Measure Risks; Desired Results; Develop Solutions; Choose Strategy; Execute Strategy; Monitor, Evaluate, Adjust
Risk Management Decision: Manage/Mitigate/Accept/Transfer
Risk Management Best Practice
 Drivers of successful risk management
 Values and Culture should be aligned throughout the
organisation
 Organisational philosophy should be that everybody is a risk
manager
 Intellectual Capital a vital component
 No substitute for technical knowledge, experience and
knowledge of the business
 Can be internally or externally sourced
 Senior management and governing bodies must
champion risk management
 Open communication channels
 Team effort – Working groups and committees
A silo mentality hides and multiplies risk!
Risk Management Best Practice
105
 Drivers of successful risk management (cont)
 Use a common, simple language for risk across the
organisation
 Clear risk management function/responsibilities and
coordination of overall risk management activities
 Measuring and reporting on risk management
performance
 Formal documentation/frameworks
 Policies and procedures, Processes, Tools, Templates,
Reporting
 Role of Internal Audit
 Involvement of Internal Audit in risk governance
structures/committees
 Independent review of risk and risk management activities by
Internal Audit
 Training, mentoring and collaboration deserve a lot of
attention
Key Implementation Factors
106
 Organizational design of business
 Establishing an ERM organization
 Determine a risk philosophy
 Survey risk culture
 Consider organizational integrity and ethical values
 Decide roles and responsibilities
 Performing risk assessments
 Determining overall risk appetite
 Identifying risk responses
 Communication of risk results
 Monitoring
 Oversight & periodic review by management
Thank you!
Andre Knipe
knipeandre@gmail.com

Enterprise risk management

  • 2. ACTIVITY 1.1 2  Individual exercise (30 min)  Risk in your work environment  Participants volunteer to inform plenary  Debrief
  • 3. Operational … Risk … Management 3
  • 4. ACTIVITY 1.2 4  Group exercise (20 min)  What risk?  To the mouse (external factors)?  To the cat (organisation)?  To the environment (environmental influences)?  To the people in the house (consumers / customers / society)?
  • 6. ACTIVITY 1.3 6  Group exercise (20 min)  Risk to people, animal, goods?  How to minimise risk?
  • 7. ACTIVITY 1.4 7  Group exercise (20 min)  Availability of vehicles: organisation of your choice  What is the risk?  How to minimize?  How to assess success / failure?
  • 8. Total Risk Management Focus  Financial - Risk of capital  Operational – Operational failure  Programme – Managing change  Strategic – Market changes 8
  • 9. Why Risk Management? 9  Cost  Schedule  Technical performance
  • 10. Evolution of Risk Management 10 Ancient Risk Management 20th Century Risk Mgt 21st Century Risk Mgt
  • 11. Comprehensive Risk Management 11  PFMA  MFMA  TRs Planning and Organizing RMP Risk Mgt Plan Risk Board Process Policy and Guidance Tools & Training Risk Identification Risk Mitigation Plan Implementation Risk Mitigation Planning Risk Analysis Risk Tracking • Integrated and Stand-Alone Risk Mgt Tools [Figure: Likelihood and Consequence axes, each scaled 1 to 5]
  • 12. Risk & Risk Management Defined 12  Risk  =  Uncertain future events that could influence the achievement of the objectives of a public institution
  • 13. Risk Management Fundamentals 13  What is Risk?  The impact of uncertain future events that could influence the achievement of an organisation’s objectives  Risk creates uncertainty and makes planning difficult
  • 14. Risk Management Fundamentals 14  What is Risk?  Risk directly impacts on the service delivery objective of public and private entities, because it manifests as the chance of a loss due to adverse events:  Interruptions to service delivery and loss of revenue (income statement, liquidity)  Consequences of loss of revenue on sustainability (balance sheet, performance against budget, funding position)  Perceptions of stakeholders (reputation)
  • 15. Risk & Risk Management Defined 15  RISK MANAGEMENT – page 11  A continuous, pro-active and systematic process, effected by a department’s executive authority, accounting officer, management and other personnel, applied in strategic planning and across the department, designed to identify potential events that may affect the department, and manage risks to be within its risk tolerance, to provide reasonable assurance regarding the achievement of department objectives.
  • 16. Definition of Risk Management 16  A comprehensive and systematic  approach aimed at identifying,  measuring and controlling  an entity’s exposure to accidental loss,  theft and liability involving human,  financial, physical and  natural resources
  • 17. Risk Management Fundamentals 17  What is Risk Management?  Risk Management focuses on the ability of the organisation to meet objectives in the future by identifying risk and making decisions to manage these risks  Risk Management starts with the strategic planning process
  • 18. ACTIVITY 1.5: 18  Group exercise (30 min): feedback to plenary  Interrogate the definition: what do you see?
  • 19. Risk Management Fundamentals 19  What is Risk Management?  Risk Management is a dynamic, ongoing assessment, decision-making and implementation process that is integrated with management activities  Risk Management uses instruments such as financial market transactions, insurance, control processes, strategy/product changes, research/intelligence, risk shifting to control, eliminate or reduce risk.
  • 20. Risk Management Process 20  Structured approach for incorporating risk management into daily, broader management process  More than just an exercise of risk avoidance  Rather about identifying opportunities for avoiding or mitigating losses
  • 21. Risk Management Process 21  Phases in Risk Management Process:  Risk Identification  Risk Assessment  Risk Response  Risk Control  Risk Financing Context + Philosophy Identify Risks Measure Risks Desired Results Develop Solutions Choose Strategy Execute Strategy Monitor Evaluate Adjust
  • 22. Components of Risk Management 22  Control environment  Objective setting  Risk identification  Risk assessment  Risk management strategy  Information & communication  Control Activities  Monitoring
  • 23. 23 A Framework for Risk Management Source: Enterprise Risk Management — Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission. Governance structure Risk Management Philosophy + Risk Appetite Oversight Values, ethics Human Capital-Skills, experience, training Delegation of authority Internal: Infrastructure Personnel Process Technology External: Political Economic Social Technological Environment Techniques Qualitative + Quantitative Likelihood + Impact Linkage between risks – Portfolio View Avoidance Reduction Sharing Acceptance Policies and Procedures Operational Review and Audit Approval framework Reporting Verification and reconciliations Segregation of duties Internal and External Formal and Informal Communication Methods Accurate, Timely, Relevant Share learning and insight Ongoing, continuous process Self-Assessments Independent monitoring and evaluation Adapt to changes Improve practices Align with best practice Strategic Plan, Business Plan, Budgets
  • 24. ACTIVITY 1.7: 24  Group exercise: feedback to plenary  Divide 8 topics between groups
  • 25. Relevance of Risk Management 25  Align with objectives  Introduce into existing strategic planning & operational practices  Communicate departmental directions  Include as part of performance appraisals  Continue to improve control & accountability systems & processes
  • 26. Relevance of Risk Management 26  Why focus on risk management? Is it not common sense? We know how to run our business!  Focus has traditionally been on historic measures with some forecasting of the future:  Annual budgets, actual and variance  Mainly audit/financial risk focus
  • 27. Relevance of Risk Management 27  High levels of uncertainty in the internal and external environment warrant greater effort in managing risk:  PESTLE - Political, Economic, Social, Technological, Legal Environmental  Effect of external factors becoming more pronounced  Not only budget (financial), but all business and operational risks - integrated  Requires more structured approach with frequent reviews of risk  Need to be more forward looking and proactive
  • 28. Relevance of Risk Management 28  Legislative/regulatory/stakeholder pressure  Constitution  PFMA & MFMA  King II/King III  Best Practice
  • 29. Benefits of Risk Management 29  Identify & manage risks  Identify & implement cost-effective, integrated responses  Minimise operational surprises, costly & time-consuming litigation and unexpected losses
  • 30. Benefits of Risk Management 30  Rationalise capital & financial resources  Continuity of service delivery  Enhance accountability & corporate governance processes  Achieve greater openness/transparency in decision- making & ongoing management processes
  • 31. Benefits of Risk Management 31  Enhance accountability & corporate governance processes  Achieve continuity of service delivery  Avoid unnecessary wastage  Achieve openness/transparency in decision-making & ongoing management processes
  • 32. Delivering what we should? 32
  • 33. Regulatory Framework: International Instruments: Basel II Accord 33  Second of the Basel Accords  “Basel Committee on Banking Supervision”  Reps from central banks & regulatory authorities of several EU countries  Recommends to member states for adoption in local law
  • 34. Basel II Accord (cont) 34  How much money must banks keep aside to guard against financial & operational risks?  Banks hold capital reserves appropriate to lending / investment risks (protect solvency) NB!! Liquidity??  The higher risk, the higher amount to hold
  • 35. Case Study: Barings Bank (1762–1995) 35  Oldest merchant bank in London  1995: Nick Leeson lost 827 million Pounds through speculation  Leeson held 2 positions: reported to himself  Internal auditing at fault: absence of oversight  “How could this happen?”
  • 36. Regulatory Framework – Legislative Requirements 36  Policy should include:  “the accounting officer for Volta River Authority … has and maintains :  Effective, efficient & transparency systems of financial and risk management and internal control; and  A system of internal audit under the control & direction of an audit committee…”
  • 37. Legislative Requirements (Cont.) 37  “An employee in VRA, … :  Must ensure that the system of … and internal control … is carried out within the area of responsibility of that employee”
  • 38. Legislative Requirements (Cont.) 38  “The accounting officer must ensure that a risk assessment is conducted regularly to identify emerging risks of VRA. A risk management strategy, which must include a fraud prevention plan, must be used to direct internal audit effort and priority, and to determine the skills required of managers and staff to improve controls and to manage these risks. The strategy must be clearly communicated to all employees to ensure that the risk management strategy is incorporated into the language and culture of VRA.”
  • 39. Legislative Requirements (Cont.) 39  “The Board as a whole (collectively), as well as each of its directors individually, carries the ultimate responsibility for the company’s risk management strategy and for whatever goes wrong in it.” (Romani Naidoo, 2002, Corporate Governance)
  • 40. Regulatory Framework: Other sources 40  Protocol Against Corruption: SADEC, 2001  Legislation/policy that deals with unlawful activities  “Financial Services Board”: controls financial services industry  Revenue Services Legislation/policy
  • 41. 41 Key Risks associated with Ineffective Risk Management  Inappropriate internal controls  Risk management not incorporated in organisation’s culture  Reactive responses, not pro-active  Inadequate plans  Inappropriate controls  Changing/new risks not considered & managed
  • 42. ACTIVITY 2.1 42  Examples from practice: 4 Groups (30 minutes)  Each group chooses any two below  Inappropriate internal controls  Risk management not incorporated in organisation’s culture  Reactive responses, not pro-active  Inadequate plans  Inappropriate controls  Changing/new risks not considered & managed
  • 43. Creative risk taking is essential to success in any goal where the stakes are high. Thoughtless risks are destructive, of course, but perhaps even more wasteful is thoughtless caution which prompts inaction and promotes failure to seize opportunity. - Gary Ryan Blair
  • 44. Behind the regulatory framework: Importance of Risk Management 44  Creation of optimal working environment  Fewer accidents  Greater productivity  Higher staff morale  Costs of losses reduced  Decisions taken under differing conditions of certainty: legal framework gives some stability
  • 45. Risk Management Process 45  Phases in Risk Management Process:  Risk Identification  Risk Assessment  Risk Response  Risk Control  Risk Financing Context + Philosophy Identify Risks Measure Risks Desired Results Develop Solutions Choose Strategy Execute Strategy Monitor Evaluate Adjust
  • 46. 46 A Framework for Risk Management Source: Enterprise Risk Management — Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission. Governance structure Risk Management Philosophy + Risk Appetite Oversight Values, ethics Human Capital-Skills, experience, training Delegation of authority Internal: Infrastructure Personnel Process Technology External: Political Economic Social Technological Environment Techniques Qualitative + Quantitative Likelihood + Impact Linkage between risks – Portfolio View Avoidance Reduction Sharing Acceptance Policies and Procedures Operational Review and Audit Approval framework Reporting Verification and reconciliations Segregation of duties Internal and External Formal and Informal Communication Methods Accurate, Timely, Relevant Share learning and insight Ongoing, continuous process Self-Assessments Independent monitoring and evaluation Adapt to changes Improve practices Align with best practice Strategic Plan, Business Plan, Budgets
  • 47. 47 Objective setting; Organizational context; Risk management context Risk identification; What can happen? How can it happen? Risk assessment; Measuring likelihood; Measuring impact; Establish the level of risk; Assess risks Risk management strategy; Identify treatment options (strategy); Evaluate treatment options; Implement recommendations Information/communication Control activities Monitoring and evaluation CONTROL ENVIRONMENT
  • 48. ACTIVITY 2.2 48  Components of risk management  Component 1: Internal environment  The purpose is to establish the current context of risk management in your organisation  Prepare an overview/summary of the components of risk management as applicable in your organisation  Present to the group
  • 49. Formulating a Risk Management Strategy 49 R – Results Are we achieving the desired results for the risks we take? I – Immunisation Do we have the controls in place to minimise the risk losses? K – Knowledge Do we have the right people, skills, culture and values for effective risk management? S – Systems Do we have the systems to measure and manage risks? Also see p72-78 in the manual.
  • 50. Formulating a Risk Management Strategy 50  Step 1: Establish the context  Step 2: Identify the risks  Step 3: Analyse the risks  Step 4: Evaluate and prioritise the risks / Assess the risks  Step 5: Address the risks  Step 6: Monitor and review  Step 7: Documentation of the process
  • 51. Operational Planning 51  Planning is “deciding in advance what to do, how to do it, when to do it and who is to do it” Operational plans Tactical plans Strategic plans The organisation’s mission * Purpose * Premises * Values * Directions Strategic objectives Tactical objectives Operational objectives
  • 52. Operational Planning Process 52  Planning to plan  Formulating a vision & mission statement  Scanning the external environment  Doing a market analysis  Determining all external opportunities and threats  Determining all internal strengths and weaknesses  Identifying strategic issues  Making choices  Establish priorities  Operational plans  Budgeting  Monitoring and evaluation
  • 53. Main issues of operational plan before execution 53  Determine responsibilities, time frames, cost  Practical execution often neglected as people engage in academic debate
  • 54. Link between Strategic & Operational Planning 54 Vision Mission Statement Corporate Organisational Objectives Functional (Operational) Objectives Functional (Operational) Strategies Long Term Operational Plan Short Term Operational Plan
  • 55. Formulating Strategies & Action Plans 55  Review: SWOT provide insight into efficiency of existing strategies  Strategy should convert weaknesses into strengths; threats into challenges  Identify 5 types of strategies:  Offensive: exploit opportunities from a premise of strength  Developmental: convert weaknesses into strengths  Diversification: harness strengths to minimise impact of threats  Defensive: organisation is vulnerable; may require professional help for business re-engineering  Combination: harness advantages of each; circumstances will dictate
  • 56. 56 Objective setting; Organizational context; Risk management context Risk identification; What can happen? How can it happen? Risk assessment; Measuring likelihood; Measuring impact; Establish the level of risk; Assess risks Risk management strategy; Identify treatment options (strategy); Evaluate treatment options; Implement recommendations Information/communication Control activities Monitoring and evaluation CONTROL ENVIRONMENT
  • 57. Formulating Strategies & Action Plans 57  Environmental scan  5 types of strategies:  Offensive: exploit opportunities from a premise of strength  Developmental: convert weaknesses into strengths  Diversification: harness strengths to minimise impact of threats  Defensive: organisation is vulnerable; may require professional help for business re-engineering  Combination: harness advantages of each; circumstances will dictate  Decide on (propose) an overall strategy
  • 58. Objective Setting 58  Break each strategy down into strategic objectives (narrowly defined area of achievement)  Objectives should include:  service delivery indicators;  indicate what is to be accomplished;  measures to quantify results  What to do:  Identify 5-10 objectives  Determine actions with responsibilities and time-frames to achieve each objective
  • 59. ACTIVITY 2.3 59  Component 2: Objective setting  Consider the process of objective setting in your organisation (strategic planning, operational planning, budgeting)  Also consider objectives in the following 5 categories:  Strategic  Operations  Reporting  Compliance  Safeguarding  Compile a 1-page document on how risk management should be integrated into objective setting (planning)
  • 60. Risk Management Fundamentals 60  Risk Identification  Start with Risk Register – listing of all risks  Examine all sources of risk  External – PEST  Internal – e.g. governance, ethics & values, infrastructure, HR  Techniques include:  Trends/Patterns  Surveys/Questionnaires  Brainstorming  Scenario analysis  Networking  Value at Risk (VAR) model  Boston Squares  “Bottom-up” risk assessment
  • 61. ACTIVITY 2.4 61  4 Groups (30 minutes)  Component 3: Risk Identification  Compile a basic risk register, i.e. develop a template  Populate the risk register with some examples, i.e. identify and list possible risks for the organisation  Classify the risks to make it easier  (This should eventually be done for each Division & Business unit within the organisation)
  • 62. REMEMBER 62  Risk Register = a “list of prioritised risks”
  • 63. Risk Management Fundamentals 63  Risk Assessment (analysis)  Start with Risk Register  Consider possible areas of risk impact  Risk ranking provides direction and focus – costs, resources, time  Consistent measurement techniques – quantitative  Lots of good judgement – qualitative  4 steps:  Quantify parameters (scoring system)  Apply parameters  Determine risk acceptance criteria (tolerance)  Determine risk acceptability & action to reduce risk  Identify the root cause of the risk
  • 64. RISK REGISTER 64  This is a list of prioritised risks  See next slide: likelihood & consequence?
  • 65. Risk Assessment tool: Consequence vs. Likelihood 65 [Figure: matrix with Likelihood and Consequence axes, each scaled 1 to 5]
  • 66. Step 1: Quantify the parameters 66

    Example: Impact on cost

    | Score | Impact | Consequence |
    | --- | --- | --- |
    | 5 | Catastrophic | Leads to termination of the project |
    | 4 | Critical | Cost increase > 20% |
    | 3 | Major | Cost increase > 10% |
    | 2 | Significant | Cost increase < 10% |
    | 1 | Negligible | Minimal or no impact on cost |

    Example: Certainty of occurrence

    | Score | Likelihood | Occurrence |
    | --- | --- | --- |
    | 5 | Maximum | Certain to occur, almost every time |
    | 4 | High | Will occur frequently, 1 out of 10 times |
    | 3 | Medium | Will occur sometimes, 1 out of 100 times |
    | 2 | Low | Will seldom occur, 1 out of 1000 times |
    | 1 | Minimum | Will almost never occur, 1 out of 10 000 times |
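  • 67. Step 2: Applying the parameters 67  Risk index = impact x likelihood

    | IMPACT \ LIKELIHOOD | 1 | 2 | 3 | 4 | 5 |
    | --- | --- | --- | --- | --- | --- |
    | 5 | 5 | 10 | 15 | 20 | 25 |
    | 4 | 4 | 8 | 12 | 16 | 20 |
    | 3 | 3 | 6 | 9 | 12 | 15 |
    | 2 | 2 | 4 | 6 | 8 | 10 |
    | 1 | 1 | 2 | 3 | 4 | 5 |

    | Risk index | Risk Magnitude |
    | --- | --- |
    | 20 - 25 | Maximum |
    | 15 - 19 | High risk |
    | 10 - 14 | Medium risk |
    | 5 - 9 | Low risk |
    | 1 - 4 | Minimum risk |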
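  • 68. Step 3: Determine risk acceptance 68  Risk tolerance…

    | IMPACT \ LIKELIHOOD | 1 | 2 | 3 | 4 | 5 |
    | --- | --- | --- | --- | --- | --- |
    | 5 | 5 | 10 | 15 | 20 | 25 |
    | 4 | 4 | 8 | 12 | 16 | 20 |
    | 3 | 3 | 6 | 9 | 12 | 15 |
    | 2 | 2 | 4 | 6 | 8 | 10 |
    | 1 | 1 | 2 | 3 | 4 | 5 |

    Unacceptable risks: cells scoring 10, 12, 15, 16, 20, 25
    Acceptable risks: cells scoring 1, 2, 3, 4, 5, 6, 8, 9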
  • 69. Step 4: Determine risk acceptability & what action 69

    | Risk index | Risk magnitude | Risk acceptability | Proposed actions |
    | --- | --- | --- | --- |
    | 20 – 25 | Maximum risk | Unacceptable | Take action to reduce risk with highest priority, accounting officer and executive authority attention. |
    | 15 – 19 | High risk | Unacceptable | |
    | 10 – 14 | Medium risk | Unacceptable | Take action to reduce risk, inform senior management. |
    | 5 – 9 | Low risk | Acceptable | No risk reduction - control, monitor, inform management. |
    | 1 - 4 | Minimum risk | Acceptable | No risk reduction - control, monitor, inform management. |
  • 70. ACTIVITY 2.5 70  4 Groups (30 minutes)  Component 4: Risk Assessment (plotting risks on the matrix)  Consider the risk assessment tool that could be used in your organisation  Develop/Refine the risk assessment tool  Use the risks identified & plot the risks by using the assessment tool (as an example)
  • 71. Risk Management Evaluation 71  Estimate the chance of occurrence or frequency for each potential risk – probability that a loss will occur  Estimate the severity of the loss which is the highest possible degree of injury or damage to a person / property item
  • 72. Risk Management Evaluation 72  The measurement of risk  is not an easy step;  it is the most difficult and  least precise step  in the art of risk management
  • 73. Risk Management Fundamentals 73  Risk Management Strategy (response)  Addressing the risk  Management select a response that is expected to bring risk likelihood & impact within the organisation’s risk tolerance level  Categories of avoidance, reduction, sharing, acceptance  Refer back to risk assessment tool
  • 74. Risk Management Model to Evaluate/Prioritise risk 74

    Risk Management Actions, by Impact/Materiality (rows) and Likelihood (columns):

    | Impact/Materiality \ Likelihood | Low (CI<50%) | Medium (50%>CI<80%) | High (CI>80%) |
    | --- | --- | --- | --- |
    | Significant | Must monitor impact and likelihood. Manage if likelihood increases beyond threshold. | Must manage and monitor risks | Extensive management essential |
    | Moderate | Risks may be worth accepting with monitoring | Management effort worthwhile | Management effort required |
    | Minor | Accept risks | Accept, but monitor risks | Monitor. Manage risk if size of risk is above acceptable threshold |
  • 75. Address the risks 75  Tolerate, Treat, Terminate, Transfer  …or… Impact Reduce Terminate Accept Transfer Likelihood
  • 76. ACTIVITY 2.6 76  4 Groups (30 minutes)  Component 5: Risk Strategy (response development)  Consider the existing (if it does exist) risk management model  Review the effectiveness & appropriateness of risk responses (strategies)  (This model will be used by each Division & Business unit within the organisation; units have to develop their own specific responses to their specific identified risks)
  • 77. Risk Management Fundamentals 77  Control Activities  Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out  Occur throughout the organisation, at all levels and in all functions  Include application and general (internal) controls
  • 78. Control Procedures 78  Policy & procedure  Reporting, reviewing & approving  Checking accuracy of records  Maintaining & reviewing control accounts  Comparing internal data with external sources of information  Comparing & analysing financial results  Limiting direct physical access to assets
  • 79. Context of Control 79  Should be capable of responding immediately to evolving risks  Cost of controls must be balanced against benefits  System of control must include procedures for reporting  System of internal control must be embedded in operations (“inculcated”)
  • 80. Internal Control Focus Areas 80  Segregation of duties  Accountability for resources  Reconciliations  Prompt & proper recording & classification of transactions  Authorisation & execution of transactions  Documentation (policy & procedure)  Management supervision & review
  • 81. Types of Controls 81  Access  Information  Management  Administrative  Application  …
  • 82. Risk Management Fundamentals 82  Information & Communication  Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities  Communication occurs in a broader sense, flowing down, across, and up the organization  Document the process  Always document risk management  Accountability … reporting  Continuous improvement
  • 83. ACTIVITY 2.7 83  4 Groups (30 minutes)  Component 6: Information and Communication  Use all the steps that you followed and document (map) the risk management process  Develop a basic action plan for a risk management awareness campaign in your organisation
  • 84. Risk Management Fundamentals 84  Risk Management Monitoring & Review  Continuous monitoring of RMF & process  Updating of risk register  Collection, capturing & communication of pertinent information  Employees need information to identify, assess & respond to risk  Early warning (dashboard for Executive)  Effective communication – raise awareness  Risk responses are based on (internal) control activities  Appropriate & effective controls  Ongoing monitoring of risk & risk management  (Ex-post facto) Separate evaluations
  • 85. Risk Management Monitoring 85  Evaluate on an ongoing basis  Determine loss prevention goals at the beginning of each financial year, as well as programmes to achieve those goals  Effectiveness of programmes to be expressed in terms of:  estimated frequency and  severity of losses
  • 86. Risk Management, Internal Control & Performance Management 86  Mechanisms for controlling or minimising risks  Good controls can reduce  Poor controls can increase  Never completely eliminated:  Accepted as low, not worth further considering  Reduced to acceptable level
  • 87. Relationship between Risk Management and Internal Audit 87  Risk management and assurance is a collaborative effort between risk management and internal audit that includes the correct balance of responsibility and independent oversight  Internal audit should never assume the functions, processes or systems of risk management
  • 88. Relationship between Risk Management and Internal Audit 88 Risk Management Internal Audit Risk Management Department Internal Audit Department Business Areas, Shared Services External Auditors, Shared Services Consultants and Advisors Consultants and Advisors Establishing risk management policies and controls Independent monitoring of risks, risk management practices and controls Implement risk measurement and reporting systems Validation of risk identification and management tools and techniques Assist business managers with the development of risk capabilities and to development mitigation strategies Promoting a risk management culture and developing common risk language Generate, validate and circulate risk management reporting Review risk management reporting as part of independent risk oversight CRO chairs risk management committee(s) Risk manager(s) lead and participate in working groups and teams Resources Oversight of risk management activities Review and report on the effectiveness of risk management practices - Risk based audit Responsibilities Participation in Risk Management Activities
  • 89. Measuring Performance of Risk Management Function 89  Measure against risk plan  Performance measurement of staff in Risk Management Unit  Regular reporting – In-year  Annual reporting based on plan  Accuracy of risk identification and assessment – one of indicators  Existence of policies and procedures  Accessibility of risk records
  • 90. Performance on risks? 90  KPA’s of all managers to include risk management  KPI’s to detail risk management performance by managers  Obviously core business of Risk Management Unit/Committee in organisational structure  To be reflected as such
  • 91. ACTIVITY 2.8 91  Develop risk management KPA’s for managers  At least 2 KPI’s for each KPA  Discussion
  • 92. Good Governance 92  Role of good governance in RM  Compliance emphasized (remember regulatory framework)  King I (1994) & II (2002): Organisations should be good corporate citizens  Prevent loss, safeguard stakeholder interests  King III (2013)
  • 93. Institutional Governance 93  Definition of Institutional Governance:  Embodies process and systems by which public institutions are directed, controlled and held accountable  Describe systems/practices to manage information, resources and processes of public institution
  • 94. Institutional Governance 94  Elements of Institutional Governance:  Risk Management  Internal controls and internal control system  Performance management  Internal and external auditing  Reporting  Ethical conduct – Code of conduct  Accountability
  • 95. Institutional Governance 95  Principles of good institutional governance:  Discipline – ethical conduct  Transparency  Independence  Accountability  Responsibility  Fairness  Social responsibility
  • 96. Institutional Governance 96  Components of Institutional Governance:  Clear planning and direction  Appropriate and timely information  Sound resource management  Adequate controls
  • 97. Institutional Governance 97  Management’s Institutional Governance Responsibilities:  Effective evaluation of institution’s performance  Ensure that institution/staff act lawfully and comply with government policies  Managing institution’s risk exposure  Ensure that stakeholder rights are not infringed
  • 98. Institutional Governance 98  Test for weaknesses in Institutional Governance:  Checklist to be developed  Planning and direction  Appropriate and timely information  Sound resource management  Adequate controls
  • 99. Institutional Governance 99  Checklist:  Planning and direction  Planning context  Strategic and Operational planning  Decision-making  Institutional culture  Appropriate and timely information  Ministerial direction and Government policy  External and internal reporting  Client interaction
  • 100. Institutional Governance 100  Checklist:  Resource Management  Assets and liabilities  Human Resources  Information Resources (system)  Finances  Adequate controls  Internal controls  Risk management  Fraud prevention  Contract control
  • 101. Institutional Governance 101  Accountability process in Public Sector:  Political Accountability  Statutory Accountability  Managerial Accountability
  • 102. Practical Implications for Risk Management 102  Pressure to meet risk management standards of corporate sector  Responsibility to protect assets, utilise effectively  Implement risk based audit, risk management practice  Move from historic focus to forward looking focus  Skills/experience/resource shortage  Outsourcing of audit function is common  Cannot outsource risk management responsibility, can only seek help  Often cannot set up dedicated risk department – embedded in line function responsibilities  Internal audit capability to monitor and review risk management practice – risk based audit  Sheer range of challenges  How to prioritise and deploy limited resources? - Risk Assessment!  Cost/benefit realities facing internal audit and risk management
  • 103. Factors Governing the Risk Management Decision 103 Governance & Planning Business Plan Risk Philosophy Risk Management Policy Regulatory Environment Risk Profiling Exposures and Sensitivity Organisational Risk and Competitive Environment Market/Business Conditions Fundamental and Technical Context + Philosophy Context + Philosophy Context + Philosophy Identify Risks Identify Risks Measure Risks Measure Risks Desired Results Desired Results Develop Solutions Develop Solutions Develop Solutions Choose Strategy Choose Strategy Choose Strategy Execute Strategy Execute Strategy Monitor Evaluate Adjust Monitor Evaluate Adjust Monitor Evaluate Adjust • Risk Management Framework Risk Management Decision Manage/Mitigate/ Accept/Transfer
  • 104. Risk Management Best Practice 104  Drivers of successful risk management  Values and Culture should be aligned throughout the organisation  Organisational philosophy should be that everybody is a risk manager  Intellectual Capital a vital component  No substitute for technical knowledge, experience and knowledge of the business  Can be internally or externally sourced  Senior management and governing bodies must champion risk management  Open communication channels  Team effort – Working groups and committees  A silo mentality hides and multiplies risk!
  • 105. Risk Management Best Practice 105  Drivers of successful risk management (cont)  Use a common, simple language for risk across the organisation  Clear risk management function/responsibilities and coordination of overall risk management activities  Measuring and reporting on risk management performance  Formal documentation/frameworks  Policies and procedures, Processes, Tools, Templates, Reporting  Role of Internal Audit  Involvement of Internal Audit in risk governance structures/committees  Independent review of risk and risk management activities by Internal Audit  Training, mentoring, collaboration deserves a lot of attention
  • 106. Key Implementation Factors 106  Organizational design of business  Establishing an ERM organization  Determine a risk philosophy  Survey risk culture  Consider organizational integrity and ethical values  Decide roles and responsibilities  Performing risk assessments  Determining overall risk appetite  Identifying risk responses  Communication of risk results  Monitoring  Oversight & periodic review by management