
Enterprise Risk Management

Andre Knipe

ACTIVITY 1.1

Individual exercise (30 min)

Risk in your work environment

Participants volunteer to inform plenary

Debrief

Operational … Risk … Management

ACTIVITY 1.2

Group exercise (20 min)

What risk?

To the mouse (external factors)?

To the cat (organisation)?

To the environment (environmental influences)?

To the people in the house (consumers / customers / society)?

Risk Management?

ACTIVITY 1.3

Group exercise (20 min)

Risk to people, animals, goods?

How to minimise risk?

ACTIVITY 1.4

Group exercise (20 min)

Availability of vehicles: organisation of your choice

What is the risk?

How to minimise?

How to assess success / failure?

Total Risk Management Focus

Financial – Risk of capital

Operational – Operational failure

Programme – Managing change

Strategic – Market changes

Why Risk Management?

Cost

Schedule

Technical performance

Evolution of Risk Management

Ancient Risk Management

20th Century Risk Mgt

21st Century Risk Mgt

Comprehensive Risk Management

Programme overview diagram (labels recovered from the slide): PFMA, MFMA, TRs; Planning and Organizing; RMP – Risk Mgt Plan; Risk Board; Process; Policy and Guidance; Tools & Training; Risk Identification; Risk Analysis; Risk Mitigation Planning; Risk Mitigation Plan Implementation; Risk Tracking; Integrated and Stand-Alone Risk Mgt Tools; a 5x5 Likelihood vs Consequence matrix with both axes scored 1 to 5

Risk & Risk Management Defined

Risk = Uncertain future events that could influence the achievement of the objectives of a public institution

Risk Management Fundamentals

What is Risk?

The impact of uncertain future events that could influence the achievement of an organisation’s objectives

Risk creates uncertainty and makes planning difficult

Risk Management Fundamentals

What is Risk?

Risk directly impacts on the service delivery objective of public and private entities, because it manifests as the chance of a loss due to adverse events:

Interruptions to service delivery and loss of revenue (income statement, liquidity)

Consequences of loss of revenue on sustainability (balance sheet, performance against budget, funding position)

Perceptions of stakeholders (reputation)

Risk & Risk Management Defined

RISK MANAGEMENT – page 11

A continuous, pro-active and systematic process, effected by a department’s executive authority, accounting officer, management and other personnel, applied in strategic planning and across the department, designed to identify potential events that may affect the department, and manage risks to be within its risk tolerance, to provide reasonable assurance regarding the achievement of department objectives.

Definition of Risk Management

A comprehensive and systematic approach aimed at identifying, measuring and controlling an entity’s exposure to accidental loss, theft and liability involving human, financial, physical and natural resources

Risk Management Fundamentals

What is Risk Management?

Risk Management focuses on the ability of the organisation to meet objectives in the future by identifying risk and making decisions to manage these risks

Risk Management starts with the strategic planning process

ACTIVITY 1.5:

Group exercise (30 min): feedback to plenary

Interrogate the definition: what do you see?

Risk Management Fundamentals

What is Risk Management?

Risk Management is a dynamic, ongoing assessment, decision-making and implementation process that is integrated with management activities

Risk Management uses instruments such as financial market transactions, insurance, control processes, strategy/product changes, research/intelligence and risk shifting to control, eliminate or reduce risk.

Risk Management Process

Structured approach for incorporating risk management into the daily, broader management process

More than just an exercise in risk avoidance

Rather about identifying opportunities for avoiding or mitigating losses

Risk Management Process

Phases in Risk Management Process:

Risk Identification

Risk Assessment

Risk Response

Risk Control

Risk Financing

Process cycle diagram (labels recovered from the slide): Context + Philosophy; Identify Risks; Measure Risks; Desired Results; Develop Solutions; Choose Strategy; Execute Strategy; Monitor; Evaluate; Adjust

Components of Risk Management

Control environment

Objective setting

Risk identification

Risk assessment

Risk management strategy

Information & communication

Control Activities

Monitoring

A Framework for Risk Management

Source: Enterprise Risk Management — Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission.

Framework diagram (labels recovered from the slide, grouped by component):

Control environment: Governance structure; Risk Management Philosophy + Risk Appetite; Oversight; Values, ethics; Human Capital – Skills, experience, training; Delegation of authority

Objective setting: Strategic Plan, Business Plan, Budgets

Risk identification: Internal – Infrastructure, Personnel, Process, Technology; External – Political, Economic, Social, Technological, Environment

Risk assessment: Techniques – Qualitative + Quantitative; Likelihood + Impact; Linkage between risks – Portfolio View

Risk management strategy: Avoidance; Reduction; Sharing; Acceptance

Control activities: Policies and Procedures; Operational Review and Audit; Approval framework; Reporting; Verification and reconciliations; Segregation of duties

Information & communication: Internal and External; Formal and Informal; Communication Methods; Accurate, Timely, Relevant; Share learning and insight

Monitoring: Ongoing, continuous process; Self-Assessments; Independent monitoring and evaluation; Adapt to changes; Improve practices; Align with best practice

ACTIVITY 1.7:

Group exercise: feedback to plenary

Divide 8 topics between groups

Relevance of Risk Management

Align with objectives

Introduce into existing strategic planning & operational practices

Communicate departmental directions

Include as part of performance appraisals

Continue to improve control & accountability systems & processes

Relevance of Risk Management

Why focus on risk management? Is it not common sense? We know how to run our business!

Focus has traditionally been on historic measures with some forecasting of the future:

Annual budgets, actual and variance

Mainly audit/financial risk focus

Relevance of Risk Management

High levels of uncertainty in the internal and external environment warrant greater effort in managing risk:

PESTLE – Political, Economic, Social, Technological, Legal, Environmental

Effect of external factors becoming more pronounced

Not only budget (financial), but all business and operational risks – integrated

Requires a more structured approach with frequent reviews of risk

Need to be more forward looking and proactive

Relevance of Risk Management

Legislative/regulatory/stakeholder pressure

Constitution

PFMA & MFMA

King II/King III

Best Practice

Benefits of Risk Management

Identify & manage risks

Identify & implement cost-effective, integrated responses

Minimise operational surprises, costly & time-consuming litigation and unexpected losses

Benefits of Risk Management

Rationalise capital & financial resources

Continuity of service delivery

Enhance accountability & corporate governance processes

Achieve greater openness/transparency in decision-making & ongoing management processes

Benefits of Risk Management

Enhance accountability & corporate governance processes

Achieve continuity of service delivery

Avoid unnecessary wastage

Achieve openness/transparency in decision-making & ongoing management processes

Delivering what we should?

Regulatory Framework: International Instruments: Basel II Accord

Second of the Basel Accords

“Basel Committee on Banking Supervision”

Reps from central banks & regulatory authorities of several EU countries

Recommends to member states for adoption in local law

Basel II Accord (cont)

How much money must banks keep aside to guard against financial & operational risks?

Banks hold capital reserves appropriate to lending / investment risks (protect solvency) NB!! Liquidity??

The higher the risk, the higher the amount to hold

Case Study: Barings Bank (1762–1995)

Oldest merchant bank in London

1995: Nick Leeson lost 827 million Pounds through speculation

Leeson held 2 positions: reported to himself

Internal auditing at fault: absence of oversight

“How could this happen?”

Regulatory Framework – Legislative Requirements

Policy should include:

“the accounting officer for Volta River Authority … has and maintains:

Effective, efficient & transparent systems of financial and risk management and internal control; and

A system of internal audit under the control & direction of an audit committee…”

Legislative Requirements (Cont.)

“An employee in VRA, … :

Must ensure that the system of … and internal control … is carried out within the area of responsibility of that employee”

Legislative Requirements (Cont.)

“The accounting officer must ensure that a risk assessment is conducted regularly to identify emerging risks of VRA. A risk management strategy, which must include a fraud prevention plan, must be used to direct internal audit effort and priority, and to determine the skills required of managers and staff to improve controls and to manage these risks. The strategy must be clearly communicated to all employees to ensure that the risk management strategy is incorporated into the language and culture of VRA.”

Legislative Requirements (Cont.)

“The Board as a whole (collectively), as well as each of its directors individually, carries the ultimate responsibility for the company’s risk management strategy and for whatever goes wrong in it.” (Romani Naidoo, 2002, Corporate Governance)

Regulatory Framework: Other sources

Protocol Against Corruption: SADC, 2001

Legislation/policy that deals with unlawful activities

“Financial Services Board”: controls financial services industry

Revenue Services Legislation/policy

Key Risks associated with Ineffective Risk Management

Inappropriate internal controls

Risk management not incorporated in organisation’s culture

Reactive responses, not pro-active

Inadequate plans

Inappropriate controls

Changing/new risks not considered & managed

ACTIVITY 2.1

Examples from practice: 4 Groups (30 minutes)

Each group chooses any two below

Inappropriate internal controls

Risk management not incorporated in organisation’s culture

Reactive responses, not pro-active

Inadequate plans

Inappropriate controls

Changing/new risks not considered & managed

Creative risk taking is essential to success in any goal where the stakes are high. Thoughtless risks are destructive, of course, but perhaps even more wasteful is thoughtless caution which prompts inaction and promotes failure to seize opportunity.

– Gary Ryan Blair

Behind the regulatory framework: Importance of Risk Management

Creation of optimal working environment

Fewer accidents

Greater productivity

Higher staff morale

Costs of losses reduced

Decisions taken under differing conditions of certainty: legal framework gives some stability

Risk Management Process

Phases in Risk Management Process:

Risk Identification

Risk Assessment

Risk Response

Risk Control

Risk Financing

Process cycle diagram (labels recovered from the slide): Context + Philosophy; Identify Risks; Measure Risks; Desired Results; Develop Solutions; Choose Strategy; Execute Strategy; Monitor; Evaluate; Adjust


Objective setting: Organizational context; Risk management context

Risk identification: What can happen? How can it happen?

Risk assessment: Measuring likelihood; Measuring impact; Establish the level of risk; Assess risks

Risk management strategy: Identify treatment options (strategy); Evaluate treatment options; Implement recommendations

Information/communication

Control activities

Monitoring and evaluation

CONTROL ENVIRONMENT (vertical label on the slide, spanning all the components above)

ACTIVITY 2.2

Components of risk management

Component 1: Internal environment

The purpose is to establish the current context of risk management in your organisation

Prepare an overview/summary of the components of risk management as applicable in your organisation

Present to the group

Formulating a Risk Management Strategy

R – Results: Are we achieving the desired results for the risks we take?

I – Immunisation: Do we have the controls in place to minimise the risk losses?

K – Knowledge: Do we have the right people, skills, culture and values for effective risk management?

S – Systems: Do we have the systems to measure and manage risks?

Also see p72-78 in the manual.

Formulating a Risk Management Strategy

Step 1: Establish the context

Step 2: Identify the risks

Step 3: Analyse the risks

Step 4: Evaluate and prioritise the risks / Assess the risks

Step 5: Address the risks

Step 6: Monitor and review

Step 7: Documentation of the process

Operational Planning

Planning is “deciding in advance what to do, how to do it, when to do it and who is to do it”

Planning hierarchy diagram (labels recovered from the slide): The organisation’s mission (* Purpose * Premises * Values * Directions); Strategic plans – Strategic objectives; Tactical plans – Tactical objectives; Operational plans – Operational objectives

Operational Planning Process

Planning to plan

Formulating a vision & mission statement

Scanning the external environment

Doing a market analysis

Determining all external opportunities and threats

Determining all internal strengths and weaknesses

Identifying strategic issues

Making choices

Establishing priorities

Operational plans

Budgeting

Monitoring and evaluation

Main issues of operational plan before execution

Determine responsibilities, time frames, cost

Practical execution often neglected as people engage in academic debate

Link between Strategic & Operational Planning

Vision

Mission Statement

Corporate Organisational Objectives

Functional (Operational) Objectives

Functional (Operational) Strategies

Long Term Operational Plan

Short Term Operational Plan

Formulating Strategies & Action Plans

Review: SWOT provides insight into the efficiency of existing strategies

Strategy should convert weaknesses into strengths; threats into challenges

Identify 5 types of strategies:

Offensive: exploit opportunities from a premise of strength

Developmental: convert weaknesses into strengths

Diversification: harness strengths to minimise impact of threats

Defensive: organisation is vulnerable; may require professional help for business re-engineering

Combination: harness advantages of each; circumstances will dictate


Formulating Strategies & Action Plans

Environmental scan

5 types of strategies:

Offensive: exploit opportunities from a premise of strength

Developmental: convert weaknesses into strengths

Diversification: harness strengths to minimise impact of threats

Defensive: organisation is vulnerable; may require professional help for business re-engineering

Combination: harness advantages of each; circumstances will dictate

Decide on (propose) an overall strategy

Objective Setting

Break each strategy down into strategic objectives (narrowly defined area of achievement)

Objectives should include:

service delivery indicators;

an indication of what is to be accomplished;

measures to quantify results

What to do:

Identify 5-10 objectives

Determine actions with responsibilities and time-frames to achieve each objective

ACTIVITY 2.3

Component 2: Objective setting

Consider the process of objective setting in your organisation (strategic planning, operational planning, budgeting)

Also consider objectives in the following 5 categories:

Strategic

Operations

Reporting

Compliance

Safeguarding

Compile a 1-page document on how risk management should be integrated into objective setting (planning)

Risk Management Fundamentals

Risk Identification

Start with Risk Register – listing of all risks

Examine all sources of risk

External – PEST

Internal – e.g. governance, ethics & values, infrastructure, HR

Techniques include:

Trends/Patterns

Surveys/Questionnaires

Brainstorming

Scenario analysis

Networking

Value at Risk (VaR) model

Boston Squares

“Bottom-up” risk assessment

ACTIVITY 2.4

4 Groups (30 minutes)

Component 3: Risk Identification

Compile a basic risk register, i.e. develop a template

Populate the risk register with some examples, i.e. identify and list possible risks for the organisation

Classify the risks to make it easier

(This should eventually be done for each Division & Business unit within the organisation)

REMEMBER

Risk Register = a “list of prioritised risks”

Risk Management Fundamentals

Risk Assessment (analysis)

Start with Risk Register

Consider possible areas of risk impact

Risk ranking provides direction and focus – costs, resources, time

Consistent measurement techniques – quantitative

Lots of good judgement – qualitative

4 steps:

Quantify parameters (scoring system)

Apply parameters

Determine risk acceptance criteria (tolerance)

Determine risk acceptability & action to reduce risk

Identify the root cause of the risk

RISK REGISTER

This is a list of prioritised risks

See next slide: likelihood & consequence?

Risk Assessment tool: Consequence vs. Likelihood

5x5 matrix (diagram residue): Likelihood on the vertical axis, Consequence on the horizontal axis, both scored 1 to 5

Step 1: Quantify the parameters

Example: Impact on cost

Score | Impact       | Consequence
5     | Catastrophic | Leads to termination of the project
4     | Critical     | Cost increase > 20%
3     | Major        | Cost increase > 10%
2     | Significant  | Cost increase < 10%
1     | Negligible   | Minimal or no impact on cost

Example: Certainty of occurrence

Score | Likelihood | Occurrence
5     | Maximum    | Certain to occur, almost every time
4     | High       | Will occur frequently, 1 out of 10 times
3     | Medium     | Will occur sometimes, 1 out of 100 times
2     | Low        | Will seldom occur, 1 out of 1000 times
1     | Minimum    | Will almost never occur, 1 out of 10 000 times

Step 2: Applying the parameters

Risk index = impact x likelihood

Risk index matrix (rows: IMPACT 5 to 1; columns: LIKELIHOOD 1 to 5)

Impact \ Likelihood |  1 |  2 |  3 |  4 |  5
5                   |  5 | 10 | 15 | 20 | 25
4                   |  4 |  8 | 12 | 16 | 20
3                   |  3 |  6 |  9 | 12 | 15
2                   |  2 |  4 |  6 |  8 | 10
1                   |  1 |  2 |  3 |  4 |  5

Risk index | Risk magnitude
20 - 25    | Maximum
15 - 19    | High risk
10 - 14    | Medium risk
5 - 9      | Low risk
1 - 4      | Minimum risk

Step 3: Determine risk acceptance

Risk tolerance…

The same 5x5 matrix (rows: IMPACT 5 to 1; columns: LIKELIHOOD 1 to 5), split by the tolerance line:

Impact \ Likelihood |  1 |  2 |  3 |  4 |  5
5                   |  5 | 10 | 15 | 20 | 25
4                   |  4 |  8 | 12 | 16 | 20
3                   |  3 |  6 |  9 | 12 | 15
2                   |  2 |  4 |  6 |  8 | 10
1                   |  1 |  2 |  3 |  4 |  5

Unacceptable risks: cells with an index of 10 and above (10, 12, 15, 16, 20, 25), as in the Step 4 table

Acceptable risks: cells with an index of 9 and below (1, 2, 3, 4, 5, 6, 8, 9)

Step 4: Determine risk acceptability & what action

Risk index | Risk magnitude | Risk acceptability | Proposed actions
20 – 25    | Maximum risk   | Unacceptable       | Take action to reduce risk with highest priority, accounting officer and executive authority attention.
15 – 19    | High risk      | Unacceptable       | (no separate action given on the slide)
10 – 14    | Medium risk    | Unacceptable       | Take action to reduce risk, inform senior management.
5 – 9      | Low risk       | Acceptable         | No risk reduction – control, monitor, inform management.
1 – 4      | Minimum risk   | Acceptable         | No risk reduction – control, monitor, inform management.
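As an added example (not from the slides or the course manual), here are Steps 1 to 4 turned into runnable Python: the impact and likelihood scales, the index formula, the magnitude bands with their acceptability and proposed actions, and a prioritised register built from constructed sample risks. Two points are assumptions made here rather than content from the slides: the action text for the 15-19 band (the slide leaves that cell blank) and the tie-break on impact when two risks share an index.

```python
"""Risk-index scoring (Steps 1 to 4): score, classify and prioritise a register.

Constructed example for this page: the scales and bands follow the slides,
the register entries below are made up.
"""
from dataclasses import dataclass

# Step 1: scoring parameters, taken from the slide's two example tables.
IMPACT_SCALE = {5: "Catastrophic", 4: "Critical", 3: "Major",
                2: "Significant", 1: "Negligible"}
LIKELIHOOD_SCALE = {5: "Maximum", 4: "High", 3: "Medium",
                    2: "Low", 1: "Minimum"}

# Steps 2 to 4: (low, high, magnitude, acceptability, proposed action).
# The slide leaves the action cell for 15-19 blank; "take action to reduce
# risk" is an assumption made here, consistent with the band being unacceptable.
BANDS = [
    (20, 25, "Maximum risk", "Unacceptable",
     "Take action to reduce risk with highest priority, accounting officer "
     "and executive authority attention."),
    (15, 19, "High risk", "Unacceptable",
     "Take action to reduce risk (assumption: no action given on the slide)."),
    (10, 14, "Medium risk", "Unacceptable",
     "Take action to reduce risk, inform senior management."),
    (5, 9, "Low risk", "Acceptable",
     "No risk reduction - control, monitor, inform management."),
    (1, 4, "Minimum risk", "Acceptable",
     "No risk reduction - control, monitor, inform management."),
]


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int      # 1..5, see IMPACT_SCALE
    likelihood: int  # 1..5, see LIKELIHOOD_SCALE


def risk_index(impact: int, likelihood: int) -> int:
    """Step 2: risk index = impact x likelihood, with both scores range-checked."""
    if impact not in IMPACT_SCALE or likelihood not in LIKELIHOOD_SCALE:
        raise ValueError("impact and likelihood must both be scored 1..5")
    return impact * likelihood


def classify(index: int) -> tuple:
    """Steps 3 and 4: map an index to (magnitude, acceptability, action)."""
    for low, high, magnitude, acceptability, action in BANDS:
        if low <= index <= high:
            return magnitude, acceptability, action
    raise ValueError(f"risk index {index} is outside 1..25")


def is_acceptable(impact: int, likelihood: int) -> bool:
    """Step 3 tolerance line: an index of 9 and below is acceptable."""
    return classify(risk_index(impact, likelihood))[1] == "Acceptable"


def risk_matrix() -> list:
    """The 5x5 grid of indices: rows impact 5..1, columns likelihood 1..5."""
    return [[i * l for l in range(1, 6)] for i in range(5, 0, -1)]


def prioritise(register: list) -> list:
    """A risk register is a list of prioritised risks: highest index first;
    ties broken by impact (the tie-break is an assumption, not from the slides)."""
    return sorted(register,
                  key=lambda r: (risk_index(r.impact, r.likelihood), r.impact),
                  reverse=True)


# Constructed register entries (not from the slides).
SAMPLE_REGISTER = [
    Risk("Vehicle fleet unavailable for service delivery", 3, 4),
    Risk("Control accounts not reconciled", 4, 2),
    Risk("One person holds two positions without oversight", 5, 3),
    Risk("Power outage interrupts service", 2, 5),
    Risk("Minor data entry errors", 1, 3),
]


def report(register: list) -> list:
    """Prioritised register as rows of (name, index, magnitude, acceptability)."""
    rows = []
    for r in prioritise(register):
        idx = risk_index(r.impact, r.likelihood)
        magnitude, acceptability, _ = classify(idx)
        rows.append((r.name, idx, magnitude, acceptability))
    return rows


if __name__ == "__main__":
    for row in risk_matrix():
        print(" ".join(f"{v:2d}" for v in row))
    for name, idx, magnitude, acceptability in report(SAMPLE_REGISTER):
        print(f"{idx:2d} {magnitude:12s} {acceptability:12s} {name}")
```

Running the module prints the Step 2 matrix and the sample register ordered 15, 12, 10, 8, 3, with the first three rows unacceptable under the Step 3 tolerance line; swap in your own scales and bands if your organisation's assessment tool differs from the slide's example.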

ACTIVITY 2.5

4 Groups (30 minutes)

Component 4: Risk Assessment (plotting risks on the matrix)

Consider the risk assessment tool that could be used in your organisation

Develop/Refine the risk assessment tool

Use the risks identified & plot the risks by using the assessment tool (as an example)

Risk Management Evaluation

Estimate the chance of occurrence or frequency for each potential risk – probability that a loss will occur

Estimate the severity of the loss, which is the highest possible degree of injury or damage to a person / property item

Risk Management Evaluation

The measurement of risk is not an easy step; it is the most difficult and least precise step in the art of risk management

Risk Management Fundamentals

Risk Management Strategy (response)

Addressing the risk

Management selects a response that is expected to bring risk likelihood & impact within the organisation’s risk tolerance level

Categories of avoidance, reduction, sharing, acceptance

Refer back to risk assessment tool

Risk Management Model to Evaluate/Prioritise risk

Risk Management Actions by Impact / Materiality (rows) and Likelihood (columns):

Impact / Materiality | Low (CI < 50%)                                                                       | Medium (50% < CI < 80%)       | High (CI > 80%)
Significant          | Must monitor impact and likelihood. Manage if likelihood increases beyond threshold. | Must manage and monitor risks | Extensive management essential
Moderate             | Risks may be worth accepting with monitoring                                         | Management effort worthwhile  | Management effort required
Minor                | Accept risks                                                                         | Accept, but monitor risks     | Monitor. Manage risk if size of risk is above acceptable threshold

Address the risks

Tolerate, Treat, Terminate, Transfer

…or… a 2x2 matrix of Impact (vertical) against Likelihood (horizontal): top row Reduce, Terminate; bottom row Accept, Transfer

ACTIVITY 2.6

4 Groups (30 minutes)

Component 5: Risk Strategy (response development)

Consider the existing (if it does exist) risk management model

Review the effectiveness & appropriateness of risk responses (strategies)

(This model will be used by each Division & Business unit within the organisation; units have to develop their own specific responses to their specific identified risks)

Risk Management Fundamentals

Control Activities

Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out

Occur throughout the organisation, at all levels and in all functions

Include application and general (internal) controls

Control Procedures

Policy & procedure

Reporting, reviewing & approving

Checking accuracy of records

Maintaining & reviewing control accounts

Comparing internal data with external sources of information

Comparing & analysing financial results

Limiting direct physical access to assets

Context of Control

Should be capable of responding immediately to evolving risks

Cost of controls must be balanced against benefits

System of control must include procedures for reporting

System of internal control must be embedded in operations (“inculcated”)

Internal Control Focus Areas

Segregation of duties

Accountability for resources

Reconciliations

Prompt & proper recording & classification of transactions

Authorisation & execution of transactions

Documentation (policy & procedure)

Management supervision & review

Types of Controls

Access

Information

Management

Administrative

Application

Risk Management Fundamentals

Information & Communication

Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities

Communication occurs in a broader sense, flowing down, across, and up the organization

Document the process

Always document risk management

Accountability … reporting

Continuous improvement

ACTIVITY 2.7

4 Groups (30 minutes)

Component 6: Information and Communication

Use all the steps that you followed and document (map) the risk management process

Develop a basic action plan for a risk management awareness campaign in your organisation

Risk Management Fundamentals

Risk Management Monitoring & Review

Continuous monitoring of RMF & process

Updating of risk register

Collection, capturing & communication of pertinent information

Employees need information to identify, assess & respond to risk

Early warning (dashboard for Executive)

Effective communication – raise awareness

Risk responses are based on (internal) control activities

Appropriate & effective controls

Ongoing monitoring of risk & risk management

(Ex-post facto) Separate evaluations

Risk Management Monitoring

Evaluate on an ongoing basis

Determine loss prevention goals at the beginning of each financial year, as well as programmes to achieve those goals

Effectiveness of programmes to be expressed in terms of: estimated frequency and severity of losses

Risk Management, Internal Control & Performance Management

Mechanisms for controlling or minimising risks

Good controls can reduce risk

Poor controls can increase risk

Risk is never completely eliminated:

Accepted as low, not worth further consideration

Reduced to acceptable level

Relationship between Risk Management and Internal Audit

Risk management and assurance is a collaborative effort between risk management and internal audit that includes the correct balance of responsibility and independent oversight

Internal audit should never assume the functions, processes or systems of risk management

Relationship between Risk Management and Internal Audit

Resources

Risk Management: Risk Management Department; Business Areas, Shared Services; Consultants and Advisors

Internal Audit: Internal Audit Department; External Auditors, Shared Services; Consultants and Advisors

Responsibilities

Risk Management: Establishing risk management policies and controls; Implementing risk measurement and reporting systems; Assisting business managers with the development of risk capabilities and mitigation strategies; Promoting a risk management culture and developing a common risk language; Generating, validating and circulating risk management reporting

Internal Audit: Independent monitoring of risks, risk management practices and controls; Validation of risk identification and management tools and techniques; Review of risk management reporting as part of independent risk oversight

Participation in Risk Management Activities

Risk Management: CRO chairs risk management committee(s); Risk manager(s) lead and participate in working groups and teams

Internal Audit: Oversight of risk management activities; Review and report on the effectiveness of risk management practices – Risk based audit

Measuring Performance of Risk Management Function

Measure against risk plan

Performance measurement of staff in Risk Management Unit

Regular reporting – In-year

Annual reporting based on plan

Accuracy of risk identification and assessment – one of the indicators

Existence of policies and procedures

Accessibility of risk records

Performance on risks?

KPAs of all managers to include risk management

KPIs to detail risk management performance by managers

Obviously core business of Risk Management Unit/Committee in organisational structure

To be reflected as such

ACTIVITY 2.8

Develop risk management KPAs for managers

At least 2 KPIs for each KPA

Discussion

Good Governance

Role of good governance in RM

Compliance emphasized (remember regulatory framework)

King I (1994) & II (2002): Organisations should be good corporate citizens

Prevent loss, safeguard stakeholder interests

King III (2013)

Institutional Governance

Definition of Institutional Governance:

Embodies the processes and systems by which public institutions are directed, controlled and held accountable

Describes systems/practices to manage information, resources and processes of a public institution

Institutional Governance

Elements of Institutional Governance:

Risk Management

Internal controls and internal control system

Performance management

Internal and external auditing

Reporting

Ethical conduct – Code of conduct

Accountability

Institutional Governance

Principles of good institutional governance:

Discipline – ethical conduct

Transparency

Independence

Accountability

Responsibility

Fairness

Social responsibility

Institutional Governance

Components of Institutional Governance:

Clear planning and direction

Appropriate and timely information

Sound resource management

Adequate controls

Institutional Governance

Management’s Institutional Governance Responsibilities:

Effective evaluation of the institution’s performance

Ensure that institution/staff act lawfully and comply with government policies

Managing the institution’s risk exposure

Ensure that stakeholder rights are not infringed

Institutional Governance

Test for weaknesses in Institutional Governance:

Checklist to be developed

Planning and direction

Appropriate and timely information

Sound resource management

Adequate controls

Institutional Governance

Checklist:

Planning and direction

Planning context

Strategic and Operational planning

Decision-making

Institutional culture

Appropriate and timely information

Ministerial direction and Government policy

External and internal reporting

Client interaction

Institutional Governance

Checklist:

Resource Management

Assets and liabilities

Human Resources

Information Resources (system)

Finances

Adequate controls

Internal controls

Risk management

Fraud prevention

Contract control

Institutional Governance

Accountability process in Public Sector:

Political Accountability

Statutory Accountability

Managerial Accountability

Practical Implications for Risk Management

Pressure to meet risk management standards of corporate sector:

  Responsibility to protect assets, utilise effectively

  Implement risk based audit, risk management practice

  Move from historic focus to forward looking focus

Skills/experience/resource shortage:

  Outsourcing of audit function is common

  Cannot outsource risk management responsibility, can only seek help

  Often cannot set up dedicated risk department – embedded in line function responsibilities

  Internal audit capability to monitor and review risk management practice – risk based audit

Sheer range of challenges:

  How to prioritise and deploy limited resources? – Risk Assessment!

  Cost/benefit realities facing internal audit and risk management

Factors Governing the Risk Management Decision

Decision diagram (labels recovered from the slide): Governance & Planning; Business Plan; Risk Philosophy; Risk Management Policy; Regulatory Environment; Risk Profiling; Exposures and Sensitivity; Organisational Risk and Competitive Environment; Market/Business Conditions; Fundamental and Technical; the Risk Management Framework cycle (Context + Philosophy; Identify Risks; Measure Risks; Desired Results; Develop Solutions; Choose Strategy; Execute Strategy; Monitor; Evaluate; Adjust); leading to the Risk Management Decision: Manage/Mitigate/Accept/Transfer

Risk Management Best Practice

Drivers of successful risk management

Values and Culture should be aligned throughout the organisation

Organisational philosophy should be that everybody is a risk manager

Intellectual Capital a vital component

No substitute for technical knowledge, experience and knowledge of the business

Can be internally or externally sourced

Senior management and governing bodies must champion risk management

Open communication channels

Team effort – Working groups and committees

A silo mentality hides and multiplies risk!

Risk Management Best Practice

Drivers of successful risk management (cont)

Use a common, simple language for risk across the organisation

Clear risk management function/responsibilities and coordination of overall risk management activities

Measuring and reporting on risk management performance

Formal documentation/frameworks: Policies and procedures, Processes, Tools, Templates, Reporting

Role of Internal Audit: Involvement of Internal Audit in risk governance structures/committees

Independent review of risk and risk management activities by Internal Audit

Training, mentoring and collaboration deserve a lot of attention

Key Implementation Factors

Organizational design of business

Establishing an ERM organization

Determine a risk philosophy

Survey risk culture

Consider organizational integrity and ethical values

Decide roles and responsibilities

Performing risk assessments

Determining overall risk appetite

Identifying risk responses

Communication of risk results

Monitoring

Oversight & periodic review by management