Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

Enterprise risk management

11.155 Aufrufe

Veröffentlicht am

A generic presentation on ERM

Veröffentlicht in: Präsentationen & Vorträge

Enterprise risk management

  1. 1. Enterprise Risk Management Andre Knipe
  2. 2. ACTIVITY 1.1 2  Individual exercise (30 min)  Risk in your work environment  Participants volunteer to inform plenary  Debrief
  3. 3. Operational … Risk … Management 3
  4. 4. ACTIVITY 1.2 4  Group exercise (20 min)  What risk?  To the mouse (external factors)?  To the cat (organisation)?  To the environment (environmental influences)?  To the people in the house (consumers / customers / society)?
  5. 5. Risk Management? 5
  6. 6. ACTIVITY 1.3 6  Group exercise (20 min)  Risk to people, animal, goods?  How to minimise risk?
  7. 7. ACTIVITY 1.4 7  Group exercise (20 min)  Availability of vehicles: organisation of your choice  What is the risk?  How to minimize?  How to assess success / failure?
  8. 8. Total Risk Management Focus  Financial - Risk of capital  Operational – Operational failure  Programme – Managing change  Strategic – Market changes 8
  9. 9. Why Risk Management? 9  Cost  Schedule  Technical performance
  10. 10. Evolution of Risk Management 10 Ancient Risk Management 20th Century Risk Mgt 21th Century Risk Mgt
  11. 11. Comprehensive Risk Management 11  PFMA  MFMA  TRs Planning and Organizing RMP Risk Mgt Plan Risk Board Process Policy and Guidance Tools & Training Risk Identification Risk Mitigation Plan Implementation Risk Mitigation Planning Risk Analysis Risk Tracking • Integrated and Stand- Alone Risk Mgt Tools Likelihood Consequence 1 2 3 4 5 1 2 3 4 5
  12. 12. Risk & Risk Management Defined 12  Risk  =  Uncertain future events that could influence the achievement of the objectives of a public institution
  13. 13. Risk Management Fundamentals 13  What is Risk?  The impact of uncertain future events that could influence the achievement of an organisation’s objectives  Risk creates uncertainty and makes planning difficult
  14. 14. Risk Management Fundamentals 14  What is Risk?  Risk directly impacts on the service delivery objective of public and private entities, because it manifests as the chance of a loss due to adverse events:  Interruptions to service delivery and loss of revenue (income statement, liquidity)  Consequences of loss of revenue on sustainability (balance sheet, performance against budget, funding position)  Perceptions of stakeholders (reputation)
  15. 15. Risk & Risk Management Defined 15  RISK MANAGEMENT – page 11  A continuous, pro-active and systematic process, effected by a department’s executive authority, accounting officer, management and other personnel, applied in strategic planning and across the department, designed to identify potential events that may affect the department, and manage risks to be within its risk tolerance, to provide reasonable assurance regarding the achievement of department objectives.
  16. 16. Definition of Risk Management 16  A comprehensive and systematic  approach aimed at identifying,  measuring and controlling  an entity’s exposure to accidental loss,  theft and liability involving human,  financial, physical and  natural resources
  17. 17. Risk Management Fundamentals 17  What is Risk Management?  Risk Management focuses on the ability of the organisation to meet objectives in the future by identifying risk and making decisions to manage these risks  Risk Management starts with the strategic planning process
  18. 18. ACTIVITY 1.5: 18  Group exercise (30 min): feedback to plenary  Interrogate the definition: what do you see?
  19. 19. Risk Management Fundamentals 19  What is Risk Management?  Risk Management is a dynamic, ongoing assessment, decision-making and implementation process that is integrated with management activities  Risk Management uses instruments such as financial market transactions, insurance, control processes, strategy/product changes, research/intelligence, risk shifting to control, eliminate or reduce risk.
  20. 20. Risk Management Process 20  Structured approach for incorporating risk management into daily, broader management process  More than just an exercise of risk avoidance  Rather about identifying opportunities for avoiding or mitigating losses
  21. 21. Risk Management Process 21  Phases in Risk Management Process:  Risk Identification  Risk Assessment  Risk Response  Risk Control  Risk Financing Context + Philosophy Identify Risks Measure Risks Desired Results Develop Solutions Choose Strategy Execute Strategy Monitor Evaluate Adjust
  22. 22. Components of Risk Management 22  Control environment  Objective setting  Risk identification  Risk assessment  Risk management strategy  Information & communication  Control Activities  Monitoring
  23. 23. 23 A Framework for Risk Management Source: Enterprise Risk Management — Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission. Governance structure Risk Management Philosophy + Risk Appetite Oversight Values, ethics Human Capital-Skills, experience, training Delegation of authority Internal: Infrastructure Personnel Process Technology External: Political Economic Social Technological Environment Techniques Qualitative + Quantitative Likelihood + Impact Linkage between risks – Portfolio View Avoidance Reduction Sharing Acceptance Policies and Procedures Operational Review and Audit Approval framework Reporting Verification and reconciliations Segregation of duties Internal and External Formal and Informal Communication Methods Accurate, Timely, Relevant Share learning and insight Ongoing, continuous process Self-Assessments Independent monitoring and evaluation Adapt to changes Improve practices Align with best practice Strategic Plan, Business Plan, Budgets
  24. 24. ACTIVITY 1.7: 24  Group exercise: feedback to plenary  Divide 8 topics between groups
  25. 25. Relevance of Risk Management 25  Align with objectives  Introduce into existing strategic planning & operational practices  Communicate departmental directions  Include as part of performance appraisals  Continue to improve control & accountability systems & processes
  26. 26. Relevance of Risk Management 26  Why focus on risk management? Is it not common sense? We know how to run our business!  Focus has traditionally been on historic measures with some forecasting of the future:  Annual budgets, actual and variance  Mainly audit/financial risk focus
  27. 27. Relevance of Risk Management 27  High levels of uncertainty in the internal and external environment warrant greater effort in managing risk:  PESTLE - Political, Economic, Social, Technological, Legal Environmental  Effect of external factors becoming more pronounced  Not only budget (financial), but all business and operational risks - integrated  Requires more structured approach with frequent reviews of risk  Need to be more forward looking and proactive
  28. 28. Relevance of Risk Management 28  Legislative/regulatory/stakeholder pressure  Constitution  PFMA & MFMA  King II/King III  Best Practise
  29. 29. Benefits of Risk Management 29  Identify & manage of risks  Identify & implement cost-effective, integrated responses  Minimise operational surprises, costly & time- consuming litigation and unexpected losses
  30. 30. Benefits of Risk Management 30  Rationalise capital & financial resources  Continuity of service delivery  Enhance accountability & corporate governance processes  Achieve greater openness/transparency in decision- making & ongoing management processes
  31. 31. Benefits of Risk Management 31  Enhance accountability & corporate governance processes  Achieve continuity of service delivery  Avoid unnecessary wastage  Achieve openness/transparency in decision-making & ongoing management processes
  32. 32. Delivering what we should? 32
  33. 33. Regulatory Framework: International Instruments: Basel II Accord 33  Second of the Basel Accords  “Basel Committee on Banking Supervision”  Reps from central banks & regulatory authorities of several EU countries  Recommends to member states for adoption in local law
  34. 34. Basel II Accord (cont) 34  How much money must banks keep aside to guard against financial & operational risks?  Banks hold capital reserves appropriate to lending / investment risks (protect solvency) NB!! Liquidity??  The higher risk, the higher amount to hold
  35. 35. Case Study: Barings Bank (1762–1995) 35  Oldest merchant bank in London  1995: Nick Leeson lost 827 million Pounds through speculation  Leeson held 2 positions: reported to himself  Internal auditing at fault: absence of oversight  “How could this happen?”
  36. 36. Regulatory Framework – Legislative Requirements 36  Policy should include:  “the accounting officer for Volta River Authority … has and maintains :  Effective, efficient & transparency systems of financial and risk management and internal control; and  A system of internal audit under the control & direction of an audit committee…”
  37. 37. Legislative Requirements (Cont.) 37  “An employee in VRA, … :  Must ensure that the system of … and internal control … is carried out within the area of responsibility of that employee”
  38. 38. Legislative Requirements (Cont.) 38  “The accounting officer must ensure that a risk assessment is conducted regularly to identify emerging risks of VRA. A risk management strategy, which must include a fraud prevention plan, must be used to direct internal audit effort and priority, and to determine the skills required of managers and staff to improve controls and to manage these risks. The strategy must be clearly communicated to all employees to ensure that the risk management strategy is incorporated into the language and culture of VRA.”
  39. 39. Legislative Requirements (Cont.) 39  “The Board as a whole (collectively), as well as each of its directors individually, carries the ultimate responsibility for the company’s risk management strategy and for whatever goes wrong in it.” (Romani Naidoo, 2002, Corporate Governance)
  40. 40. Regulatory Framework: Other sources 40  Protocol Against Corruption: SADEC, 2001  Legislation/policy that deals with unlawful activities  “Financial Services Board”: controls financial services industry  Revenue Services Legislation/policy
  41. 41. 41 Key Risks associated with In- effective Risk Management  Inappropriate internal controls  Risk management not incorporated in organisation’s culture  Reactive responses, not pro-active  Inadequate plans  Inappropriate controls  Changing/new risks not considered & managed
  42. 42. ACTIVITY 2.1 42  Examples from practice: 4 Groups (30 minutes)  Each group chooses any two below  Inappropriate internal controls  Risk management not incorporated in organisation’s culture  Reactive responses, not pro-active  Inadequate plans  Inappropriate controls  Changing/new risks not considered & managed
  43. 43. Creative risk taking is essential to success in any goal where the stakes are high. Thoughtless risks are destructive, of course, but perhaps even more wasteful is thoughtless caution which prompts inaction and promotes failure to seize opportunity. - Gary Ryan Blair
  44. 44. Behind the regulatory framework: Importance of Risk Management 44  Creation of optimal working environment  Fewer accidents  Greater productivity  Higher staff morale  Costs of losses reduced  Decisions taken under differing conditions of certainty: legal framework gives some stability
  45. 45. Risk Management Process 45  Phases in Risk Management Process:  Risk Identification  Risk Assessment  Risk Response  Risk Control  Risk Financing Context + Philosophy Identify Risks Measure Risks Desired Results Develop Solutions Choose Strategy Execute Strategy Monitor Evaluate Adjust
  46. 46. 46 A Framework for Risk Management Source: Enterprise Risk Management — Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission. Governance structure Risk Management Philosophy + Risk Appetite Oversight Values, ethics Human Capital-Skills, experience, training Delegation of authority Internal: Infrastructure Personnel Process Technology External: Political Economic Social Technological Environment Techniques Qualitative + Quantitative Likelihood + Impact Linkage between risks – Portfolio View Avoidance Reduction Sharing Acceptance Policies and Procedures Operational Review and Audit Approval framework Reporting Verification and reconciliations Segregation of duties Internal and External Formal and Informal Communication Methods Accurate, Timely, Relevant Share learning and insight Ongoing, continuous process Self-Assessments Independent monitoring and evaluation Adapt to changes Improve practices Align with best practice Strategic Plan, Business Plan, Budgets
  47. 47. 47 Objective setting; Organizational context; Risk management context Risk identification; What can happen? How can it happen? Risk assessment; Measuring likelihood; Measuring impact; Establish the level of risk; Assess risks Risk management strategy; Identify treatment options (strategy); Evaluate treatment options; Implement recommendations Information/communication Control activities Monitoring and evaluation CONTROLENVIROMENT
  48. 48. ACTIVITY 2.2 48  Components of risk management  Component 1: Internal environment  The purpose is to establish the current context of risk management in your organisation  Prepare an overview/summary of the components of risk management as applicable in your organisation  Present to the group
  49. 49. Formulating a Risk Management Strategy 49 R – Results Are we achieving the desired results for the risks we take? I – Immunisation Do we have the controls in place to minimise the risk losses? K – Knowledge Do we have the right people, skills, culture and values for effective risk management? S – Systems Do we have the systems to measure and manage risks? Also see p72-78 in the manual.
  50. 50. Formulating a Risk Management Strategy 50  Step 1: Establish the context  Step 2: Identify the risks  Step 3: Analyse the risks  Step 4: Evaluate and prioritise the risks / Assess the risks  Step 5: Address the risks  Step 6: Monitor and review  Step 7: Documentation of the process
  51. 51. Operational Planning 51  Planning is “deciding in advance what to do, how to do it, when to do it and who is to do it Operational plans Tactical plans Strategic plans The organisation’s mission * Purpose * Premises * Values * Directions Strategic objectives Tactical objectives Operational objectives
  52. 52. Operational Planning Process 52  Planning to plan  Formulating a vision & mission statement  Scanning the external environment  Doing a market analysis  Determining all external opportunities and threats  Determining all internal strengths and weaknesses  Identifying strategic issues  Making choices  Establish priorities  Operational plans  Budgeting  Monitoring and evaluation
  53. 53. Main issues of operational plan before execution 53  Determine responsibilities, time frames, cost  Practical execution often neglected as people engage in academic debate
  54. 54. Link between Strategic & Operational Planning 54 Vision Mission Statement Corporate Organisational Objectives Functional (Operational) Objectives Functional (Operational) Strategies Long Term Operational Plan Short Term Operational Plan
  55. 55. Formulating Strategies & Action Plans 55  Review: SWOT provide insight into efficiency of existing strategies  Strategy should convert weaknesses into strengths; threats into challenges  Identify 5 types of strategies:  Offensive: exploit opportunities from a premise of strength  Developmental: convert weaknesses into strengths  Diversification: harness strengths to minimise impact of threats  Defensive: organisation is vulnerable; may require professional help for business re-engineering  Combination: harness advantages of each; circumstances will dictate
  56. 56. 56 Objective setting; Organizational context; Risk management context Risk identification; What can happen? How can it happen? Risk assessment; Measuring likelihood; Measuring impact; Establish the level of risk; Assess risks Risk management strategy; Identify treatment options (strategy); Evaluate treatment options; Implement recommendations Information/communication Control activities Monitoring and evaluation CONTROLENVIROMENT
  57. 57. Formulating Strategies & Action Plans 57  Environmental scan  5 types of strategies:  Offensive: exploit opportunities from a premise of strength  Developmental: convert weaknesses into strengths  Diversification: harness strengths to minimise impact of threats  Defensive: organisation is vulnerable; may require professional help for business re-engineering  Combination: harness advantages of each; circumstances will dictate  Decide on (propose) an overall strategy
  58. 58. Objective Setting 58  Break each strategy down into strategic objectives (narrowly defined area of achievement)  Objectives should include:  service delivery indicators;  indicate what is to be accomplished;  measures to quantify results  What to do:  Identify 5-10 objectives  Determine actions with responsibilities and time-frames to achieve each objective
  59. 59. ACTIVITY 2.3 59  Component 2: Objective setting  Consider the process of objective setting in your organisation (strategic planning, operational planning, budgeting)  Also consider objectives in the following 5 categories:  Strategic  Operations  Reporting  Compliance  Safeguarding  Compile a 1-page document on how risk management should be integrated into objective setting (planning)
  60. 60. Risk Management Fundamentals 60  Risk Identification  Start with Risk Register – listing of all risks  Examine all sources of risk  External – PEST  Internal – e.g. governance, ethics & values, infrastructure, HR  Techniques include:  Trends/Patterns  Surveys/Questionnaires  Brainstorming  Scenario analysis  Networking  Value at Risk (VAR) model  Boston Squares  “Bottom-up” risk assessment
  61. 61. ACTIVITY 2.4 61  4 Groups (30 minutes)  Component 3: Risk Identification  Compile a basic risk register, i.e. develop a template  Populate the risk register with some examples, i.e. identify and list possible risks for the organisation  Classify the risks to make it easier  (This should eventually be done for each Division & Business unit within the organisation)
  62. 62. REMEMBER 62  Risk Register = a “list of prioritised risks”
  63. 63. Risk Management Fundamentals 63  Risk Assessment (analysis)  Start with Risk Register  Consider possible areas of risk impact  Risk ranking provides direction and focus – costs, resources, time  Consistent measurement techniques – quantitative  Lots of good judgement – qualitative  4 steps:  Quantify parameters (scoring system)  Apply parameters  Determine risk acceptance criteria (tolerance)  Determine risk acceptability & action to reduce risk  Identify the root cause of the risk
  64. 64. RISK REGISTER 64  This is a list of prioritised risks  See next slide: likelyhood & consequence?
  65. 65. Risk Assessment tool: Consequence vs. Likelihood 65 Likelihood Consequence 1 2 3 4 5 1 2 3 4 5
  66. 66. Step 1: Quantify the parameters 66 Example: Impact on cost Score Impact Consequence 5 Catastrophic Leads to termination of the project 4 Critical Cost increase > 20% 3 Major Cost increase > 10% 2 Significant Cost increase < 10% 1 Negligible Minimal or no impact on cost Example: Certainty of occurrence Score Likelihood Occurrence 5 Maximum Certain to occur, almost every time 4 High Will occur frequently, 1 out of 10 times 3 Medium Will occur sometimes, 1 out of 100 times 2 Low Will seldom occur, 1 out of 1000 times 1 Minimum Will almost never occur, 1 out of 10 000 times
  67. 67. Step 2: Applying the parameters 67  Risk index = impact x likelihood IMPACT 5 5 10 15 20 25 Risk index Risk Magnitude 4 4 8 12 16 20 20 - 25 Maximum 3 3 6 9 12 15 15 - 19 High risk 2 2 4 6 8 10 10 - 14 Medium risk 1 1 2 3 4 5 5 - 9 Low risk 1 2 3 4 5 1 - 4 Minimum risk LIKELIHOOD
  68. 68. Step 3: Determine risk acceptance 68  Risk tolerance… IMPACT 5 5 10 15 20 25 4 4 8 12 16 20 3 3 6 9 12 15 2 2 4 6 8 10 1 1 2 3 4 5 1 2 3 4 5 LIKELIHOOD 4 8 3 6 9 2 4 6 8 1 2 3 4 5 15 20 25 12 16 20 12 15 10 Unacceptable risks Acceptable risks 5 10
  69. 69. Step 4: Determine risk acceptability & what action 69 Risk index Risk magnitude Risk acceptability Proposed actions 20 – 25 Maximum risk Unacceptable Take action to reduce risk with highest priority, accounting officer and executive authority attention. 15 – 19 High risk Unacceptable 10 – 14 Medium risk Unacceptable Take action to reduce risk, inform senior management. 5 – 9 Low risk Acceptable No risk reduction - control, monitor, inform management. 1 - 4 Minimum risk Acceptable No risk reduction - control, monitor, inform management.
  70. 70. ACTIVITY 2.5 70  4 Groups (30 minutes)  Component 4: Risk Assessment (plotting risks on the matrix)  Consider the risk assessment tool that could be used in your organisation  Develop/Refine the risk assessment tool  Use the risks identified & plot the risks by using the assessment tool (as an example)
  71. 71. Risk Management Evaluation 71  Estimate the chance of occurrence or frequency for each potential risk – probability that a loss will occur  Estimate the severity of the loss which is the highest possible degree of injury or damage to a person / property item
  72. 72. Risk Management Evaluation 72  The measurement of risk  is not an easy step;  it is the most difficult and  least precise step  in the art of risk management
  73. 73. Risk Management Fundamentals 73  Risk Management Strategy (response)  Addressing the risk  Management select a response that is expected to bring risk likelihood & impact within the organisation’s risk tolerance level  Categories of avoidance, reduction, sharing, acceptance  Refer back to risk assessment tool
  74. 74. Risk Management Model to Evaluate/Prioritise risk 74 Low (CI<50%) Medium (50%>CI<80%) High (CI>80%) Significant Must monitor impact and likelihood. Manage if likelyhood increases beyond threshold. Must manage and monitor risks Extensive management essential Moderate Risks may be worth accepting with monitoring Management effort worthwile Management effort required Minor Accept risks Accept, but monitor risks Monitor. Manage risk if size of risk is above acceptable threshold Risk Management Actions Likelihood Impact/Materiality RiskManagementActions
  75. 75. Address the risks 75  Tolerate, Treat, Terminate, Transfer  …or… Impact Reduce Terminate Accept Transfer Likelihood
  76. 76. ACTIVITY 2.6 76  4 Groups (30 minutes)  Component 5: Risk Strategy (response development)  Consider the existing (if it does exist) risk management model  Review the effectiveness & appropriateness of risk responses (strategies)  (This model will be used by each Division & Business unit within the organisation; units have to develop their own specific responses to their specific identified risks)
  77. 77. Risk Management Fundamentals 77  Control Activities  Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out  Occur throughout the organisation, at all levels and in all functions  Include application and general (internal) controls
  78. 78. Control Procedures 78  Policy & procedure  Reporting, reviewing & approving  Checking accuracy of records  Maintaining & reviewing control accounts  Comparing internal data with external sources of information  Comparing & analysing financial results  Limiting direct physical access to assets
  79. 79. Context of Control 79  Should be capable of responding immediately to evolving risks  Cost of controls must be balanced against benefits  System of control must include procedures for reporting  System of internal control must be embedded in operations (“inculcated”)
  80. 80. Internal Control Focus Areas 80  Segregation of duties  Accountability for resources  Reconciliations  Prompt & proper recording & classification of transactions  Authorisation & execution of transactions  Documentation (policy & procedure)  Management supervision & review
  81. 81. Types of Controls 81  Access  Information  Management  Administrative  Application  …
  82. 82. Risk Management Fundamentals 82  Information & Communication  Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities  Communication occurs in a broader sense, flowing down, across, and up the organization  Document the process  Always document risk management  Accountability … reporting  Continuous improvement
  83. 83. ACTIVITY 2.7 83  4 Groups (30 minutes)  Component 6: Information and Communication  Use all the steps that you followed and document (map) the risk management process  Develop a basic action plan for a risk management awareness campaign in your organisation
  84. 84. Risk Management Fundamentals 84  Risk Management Monitoring & Review  Continuous monitoring of RMF & process  Updating of risk register  Collection, capturing & communication of pertinent information  Employees need information to identify, assess & respond to risk  Early warning (dashboard for Executive)  Effective communication – raise awareness  Risk responses are based on (internal) control activities  Appropriate & effective controls  Ongoing monitoring of risk & risk management  (Ex-post facto) Separate evaluations
  85. 85. Risk Management Monitoring 85  Evaluate on an ongoing basis  Determine loss prevention goals at the beginning of each financial year, as well as programmes to achieve those goals  Effectiveness of programmes to be expressed in terms of:  estimated frequency and  severity of losses
  86. 86. Risk Management, Internal Control & Performance Management 86  Mechanisms for controlling or minimising risks  Good controls can reduce  Poor controls can increase  Never completely eliminated:  Accepted as low, not worth further considering  Reduced to acceptable level
  87. 87. Relationship between Risk Management and Internal Audit 87  Risk management and assurance is a collaborative effort between risk management and internal audit that includes the correct balance of responsibility and independent oversight  Internal audit should never assume the functions, processes or systems of risk management
  88. 88. Relationship between Risk Management and Internal Audit 88 Risk Management Internal Audit Risk Management Department Internal Audit Department Business Areas, Shared Services External Auditors, Shared Services Consultants and Advisors Consultants and Advisors Establishing risk management policies and controls Independent monitoring of risks, risk management practices and controls Implement risk measurement and reporting systems Validation of risk identification and management tools and techniques Assist business managers with the development of risk capabilities and to development mitigation strategies Promoting a risk management culture and developing common risk language Generate, validate and circulate risk management reporting Review risk management reporting as part of independent risk oversight CRO chairs risk management committee(s) Risk manager(s) lead and participate in working groups and teams Resources Oversight of risk management activities Review and report on the effectiveness of risk management practices - Risk based audit Responsibilities Participation in Risk Management Activities
  89. 89. Measuring Performance of Risk Management Function 89  Measure against risk plan  Performance measurement of staff in Risk Management Unit  Regular reporting – In-year  Annual reporting based on plan  Accuracy of risk identification and assessment – one of indicators  Existence of policies and procedures  Accessibility of risk records
  90. 90. Performance on risks? 90  KPA’s of all managers to include risk management  KPI’s to detail risk management performance by managers  Obviously core business of Risk Management Unit/Committee in organisational structure  To be reflected as such
  91. 91. ACTIVITY 2.8 91  Develop risk management KPA’s for managers  At least 2 KPI’s for each KPA  Discussion
  92. 92. Good Governance 92  Role of good governance in RM  Compliance emphasized (remember regulatory framework)  King I (1994) & II (2002): Organisations should be good corporate citizens  Prevent loss, safeguard stakeholder interests  King III (2013)
  93. 93. Institutional Governance 93  Definition of Institutional Governance:  Embodies process and systems by which public institutions are directed, controlled and held accountable  Describe systems/practices to manage information, resources and processes of public institution
  94. 94. Institutional Governance 94  Elements of Institutional Governance:  Risk Management  Internal controls and internal control system  Performance management  Internal and external auditing  Reporting  Ethical conduct – Code of conduct  Accountability
  95. 95. Institutional Governance 95  Principles of good institutional governance:  Discipline – ethical conduct  Transparency  Independence  Accountability  Responsibility  Fairness  Social responsibility
  96. 96. Institutional Governance 96  Components of Institutional Governance:  Clear planning and direction  Appropriate and timely information  Sound resource management  Adequate controls
  97. 97. Institutional Governance 97  Management’s Institutional Governance Responsibilities:  Effective evaluation of institution’s performance  Ensure that institution/staff act lawfully and comply with government policies  Managing institution’s risk exposure  Ensure that stakeholder rights are not infringed
  98. 98. Institutional Governance 98  Test for weaknesses in Institutional Governance:  Checklist to be developed  Planning and direction  Appropriate and timely information  Sound resource management  Adequate controls
  99. 99. Institutional Governance 99  Checklist:  Planning and direction  Planning context  Strategic and Operational planning  Decision-making  Institutional culture  Appropriate and timely information  Ministerial direction and Government policy  External and internal reporting  Client interaction
  100. 100. Institutional Governance 100  Checklist:  Resource Management  Assets and liabilities  Human Resources  Information Resources (system)  Finances  Adequate controls  Internal controls  Risk management  Fraud prevention  Contract control
  101. 101. Institutional Governance 101  Accountability process in Public Sector:  Political Accountability  Statutory Accountability  Managerial Accountability
  102. 102. Practical Implications for Risk Management 102  Pressure to meet risk management standards of corporate sector  Responsibility to protects assets, utilise effectively  Implement risk based audit, risk management practise  Move from historic focus to forward looking focus  Skills/experience/resource shortage  Outsourcing of audit function is common  Cannot outsource risk management responsibility, can only seek help  Often cannot set up dedicated risk department – embedded in line function responsibilities  Internal audit capability to monitor and review risk management practise – risk based audit  Sheer range of challenges  How to prioritise and deploy limited resources? - Risk Assessment!  Cost/benefit realities facing internal audit and risk management
  103. 103. Factors Governing the Risk Management Decision 103 Governance & Planning Business Plan Risk Philosophy Risk Management Policy Regulatory Environment Risk Profiling Exposures and Sensitivity Organisational Risk and Competitive Environment Market/Business Conditions Fundamental and Technical Context + Philosophy Context + Philosophy Context + Philosophy Identify Risks Identify Risks Measure Risks Measure Risks Desired Results Desired Results Develop Solutions Develop Solutions Develop Solutions Choose Strategy Choose Strategy Choose Strategy Execute Strategy Execute Strategy Monitor Evaluate Adjust Monitor Evaluate Adjust Monitor Evaluate Adjust • Risk Management Framework Risk Management Decision Manage/Mitigate/ Accept/Transfer
  104. 104. Risk Management Best Practise 104  Drivers of successful risk management  Values and Culture should be aligned throughout the organisation  Organisational philosophy should be that everybody is a risk manager  Intellectual Capital a vital component  No substitute for technical knowledge, experience and knowledge of the business  Can be internally or externally sourced  Senior management and governing bodies must champion risk management  Open communication channels  Team effort – Working groups and committeesA silo mentality hides and multiplies risk !
  105. 105. Risk Management Best Practise 105  Drivers of successful risk management (cont)  Use a common, simple language for risk across the organisation  Clear risk management function/responsibilities and coordination of overall risk management activities  Measuring and reporting on risk management performance  Formal documentation/frameworks  Policies and procedures, Processes, Tools, Templates, Reporting  Role of Internal Audit  Involvement of Internal Audit in risk governance structures/committees  Independent review of risk and risk management activities by Internal Audit  Training, mentoring, collaboration deserves a lot of attention
  106. 106. Key Implementation Factors 106  Organizational design of business  Establishing an ERM organization  Determine a risk philosophy  Survey risk culture  Consider organizational integrity and ethical values  Decide roles and responsibilities  Performing risk assessments  Determining overall risk appetite  Identifying risk responses  Communication of risk results  Monitoring  Oversight & periodic review by management
  107. 107. Thank you! Andre Knipe knipeandre@gmail.com

×