Cifal Workshop June 2012


Enterprise Risk Management: A new focus
Presented by: Phumi Madlala, eThekwini Municipality
Agenda
The Risk Management Process:

Definitions

Introduction and background

Benefits of Risk Management

Enterprise Risk Management (ERM) Process
Conducting Corruption Risk Assessment:

Preparation

During the risk assessment

Outcome – risk register

Ongoing monitoring & reporting
Definitions
- Risks are uncertain future events that could influence achievement of objectives
Risk Management:
- A management tool for creating awareness of, and managing, obstacles that have the potential to prevent the organization from achieving its objectives;
- Is also about assessing, both quantitatively and qualitatively, the opportunity for success of business initiatives;
- Is composed of methodologies and processes which are designed to develop information critical to achieving the strategic objectives of the organization
Legislative mandate
1. MFMA, S 62 (1) (c) states: “the accounting officer must ensure that the municipality has and maintains effective, efficient and transparent systems of financial and risk management and internal control”
2. S 78 and 105 further assign responsibilities to other officials to ensure “effective, efficient, economical and transparent use of financial and other resources within that official’s area of responsibility”
3. S 165 (2) (b) requires the internal audit unit to advise the AO on matters related to … (iv) risk and risk management
4. S 166 (1) requires the audit committee to advise the municipal council, political office-bearers, AO and management staff on matters related to … (ii) risk management
5. King III Code on Corporate Governance and Public Sector Risk Management Framework states: “The Council/Board is responsible for the total process of risk management, as well as for forming its own opinion on the effectiveness of the process.”
Value-add from Risk Management
• Highlights processes that are not clearly understood;
• Identifies processes that are inefficient;
• Promotes efficiency of service delivery;
• Creates awareness of high-risk areas and ensures uniformity in addressing exposure areas;
• Creates awareness of what can/cannot be controlled;
• Ensures reasonable and practical time is taken to implement required responses;
• Promotes proactive rather than reactive response (reduces surprises);
• Increases the probability (likelihood/chances) of achieving goals
Results of Ineffective Risk Management
• Breakdown in internal control that could prevent the organization from achieving its objective;
• Reactive responses to potential risks, rather than proactive;
• Changing/new risks are not adequately controlled and managed;
• Internal control practices become outdated with limited account taken of best practice development;
eThekwini Risk Management Governance Structure
[Diagram: governance structure. Labels: Oversight; Management; Assurance; Governance; Council and Key Committees; Audit and Risk Committee; City Manager and Key Committees; Managing Risk & Municipality Sub Committee; Risk Management Committee; DCM Forum; Chief Risk Officer; Risk Champions; Management of Operations; Internal Audit and External Auditors; First Line of Defence; Second Line of Defence; Third Line of Defence.]
eThekwini Municipality - EXCO ERM
Risk Management Strategy Overview
[Diagram: risk management process. Labels: Establish Goals & Context; Identify Risks; Analyse Risks (Likelihood, Impact); Evaluate the Risks; Treat the Risks; Monitor / Review; Consultation / Communication.]
Corruption Risk Assessment
Corruption Risk Management
- Part of Enterprise Risk Management, focusing only on exposures that are a result of corrupt activities;
- Best approach to managing fraud/corruption:
• Prevent it;
• Whatever cannot be prevented, controls should detect quickly;
• Investigate the root cause of detected/reported fraud cases;
• Correct root causes/take quick action
Corruption Risk Assessment
Risk Assessment:
The process of identifying risk exposures and assessing their likelihood and the impact they would have on the achievement of objectives. The process also involves evaluating suitable ways to mitigate corruption risks and assessing the effectiveness of controls.
ERM:
• Fraud/corruption risk forms one category of the risks that are significant within eThekwini Municipality, and it is managed separately at a strategic level;
• Top-down approach – strategic risks are cascaded down to operations
Link between risk categories:
• Some risks are inter-linked, e.g. failure to manage fraud/corruption risk results in high exposure to compliance risk and, by default, operational risk (due to weakness in controls), which might lead to reputational risk.
Role of compliance in fraud/corruption prevention
Highly compliant organizations → strong ethical environments → reduced fraud/corruption risk
Preparation by facilitator
• Assessing the environment’s exposure to corruption:
– Inherent risk exposures;
– Perform trends analysis based on stats or working with research/forensic unit;
– Understand the sector; read journals/publications like Delivery; most importantly, understand your organisation’s control environment/operations within your environment;
– Stakeholders and their influence on the environment;
– Separate facts from opinions;
– Recent media reports & perceptions of the organisation (surveys)
• Establish current risk tolerance level:
– Tone at the top;
– Sound ethical culture;
– Regular/ongoing training of staff, updates of training manuals, relevance to level of audience according to expectations
• Pro-active defence (mitigations):
– Periodic results of data interrogation in relation to corruption risk assessment;
– Be familiar with existing controls from the first point of contact with the organisation, e.g. background checks prior to employment/engagement with service providers/customers;
• Sound internal control system:
– Frequent review and update of anti-corruption policies and procedures;
– Ensure alignment of company policies/procedures with regulations/legal findings/forensic developments/sector developments;
– Assurance providers: establish relationships with them, ongoing consultations – recent findings on exposures to corruption
Preparing for Corruption Risk Assessment
Important Considerations:
• Best suitable form of risk assessment to use: management workshop vs information gathering;
• Level at which you are assessing exposure to corruption, e.g. strategic vs operational (dpt’s) – invite the right audience;
• Management’s tone regarding prevention of corruption, e.g. understanding of/familiarity with anti-corruption policies/strategies; support structures; understanding of risk process; are they defensive – personalise issues/performance management;
• Adequate notification: pre-reading which directs focus on existing exposures/control environment/stats from forensics/IA reports/management report/regulatory developments/other recent developments to combat fraud/corruption within sector (Local Govern Anti-Corruption Strategy);
• Logistics:
– Suitable venue – promote interaction/co-operation, away from office distractions, no laptops during session/use of cellphones;
– Duration of assessment – reasonable approximation, worse is to under-estimate time; control discussions
• Pre-planning with leader (buy-in) outlining process/expectations/outcome. He sets the tone during introduction of corruption risk assessment.
During the Assessment
• Introduction by Head: Strategic/Operational. Communicate expectations/set tone – promote participation & freedom of expression/assessment based on facts rather than opinions;
• Introduction by facilitator – outline the process/methodology & outcome;
• Reference to pre-reading;
• Control discussions to focus on facts & desired outcome;
• Ensure audience participation and buy-in;
• Understand root causes for each risk properly so that correct controls and relevant actions to address exposures can be identified;
• Adherence to risk management standards/specifically anti-corruption framework/strategy;
Corruption Risk Register
Outcome:
• Risk register with identified strategic/operational corruption risks;
• Risk owners – strategic (City Manager/Executives)/operational (Dpt Heads);
• Impact & likelihood for each risk – per methodology;
• Assessment of current controls i.t.o. effectiveness (IA & other Assurance providers);
• Tasks to improve our exposure to each risk:
– to address root causes; and
– to strengthen current controls; or
– once implemented to add to existing controls
• Allocate task owners – based on areas where risk is prevalent, and suitability to implement action to mitigate root causes;
• Strategic risks to be cascaded down at operational level.
Ongoing monitoring of corruption risk
• Independent annual review of Anti-corruption strategy and its effectiveness in reducing corrupt activities by Internal Audit;
• Anti-corruption/Fraud Prevention Committee – reporting on implementation of strategy & anti-corruption/fraud prevention initiatives;
• Governance audit of committees on implementing action per TOR’s;
• Monitoring progress of tasks on corruption risk registers (strategic & operational);
• Quarterly review of existing risks & identification of emerging risks due to
change in internal/external environment;
• Reporting progress to appropriate structures;
• Ensure implementation of forensic reports recommendations to enhance
internal controls;
• Training of staff on their responsibility to report corruption & fraud activities;
• Promotion of ethical culture throughout municipality;
• Communicate successes in uprooting corruption;
• Response strategy on allegations /articles from media;
References
• Quotes have been taken from various risk management & anti-corruption standards, best practice & guidelines.
THOUGHT PROVOKING QUOTES:
“The true measure of a man is who he is when nobody is watching”;
“Perception is more powerful than fact when it comes to fraud/corruption”;
“If you don’t invest in risk management, it does not matter what business you are in, it’s a risky business”
“The greatest contributions of risk managers is just carrying a torch around and providing transparency”
LET WHO WE ARE & OUR LIVES REPRESENT THE LIGHT THAT WE PROVIDE, &:
KEEP THE LIGHT BURNING.....ALWAYS
“Siyabonga”
“Thank You”