Transcript MMC US116362 - Introduction — SPL Short Courses

MMC US 116339 (10 credits): Apply risk management in South
African Municipalities
Dr Louw Pieterse
(PhD, DTh)
1
CASH, INVESTMENT,
ASSET
LIABILITYCONTEXT
MANAGEMENT
MANAGING RISK
IN AND
A MUNICIPAL
2
Notional hours: 10 credits, 100hours: Class
contact including class assessment: 16 hours.
Take-home preparation of individual and small
group exercises and class assessment Learning
Tasks p28; 39; 63 & 89 of Learner Guide: 4
hours.
Preparation of take-home assignment: 80 hours.
3
• SPL MUNICIPAL MINIMUM COMPETENCY TRAINING
PROGRAMMES: ASSESSMENT POLICY
• In ensuring quality and credibility, all Unit Standard
assessments will be dealt with as follows:
4
1. Each Unit Standard will have at least two individual
assessments that will contribute to the finding on
whether a candidate is competent or not yet
competent. The facilitator/assessor of the particular
Unit Standard must prepare an assessment plan before
the contact session, taking into consideration the Unit
Standard outcomes and clearly prescribing the types of
assessments, the conditions under which they will be
set, when they will be taken and/or submitted, the
contribution weight of each assessment to the final
mark, how the assessment plan varies from that
provided for in the learner guides and what is
considered to be the threshold for being competent.
5
2. The assessment plan must be explained to
participants during the first introductory session of the
contact time.
6
3. The first of the minimum of two individual
assessments will be written during the contact time of
the unit standard and will be fully controlled by the
facilitator/assessor who shall act as invigilator as
prescribed by Stellenbosch University policy. The
format of the assessments may vary, but it is accepted
that it will be open book and designed to test ability to
do the techniques (e.g. exercises with calculations) and
/ or insight (e.g. case studies). The facilitator will
determine whether in-class assessments may be typed
on personal computers and submitted electronically
while the facilitator and participant is still in class.
Submission afterwards is not permitted.
7
4. The second of the minimum of two individual
assessments will be in the format of an applied takehome written assignment bringing theory and practice
together. This will be scheduled for submission one
calendar month after the last contact day of the Unit
Standard. Submission of this assessment must be done
by means of a document upload onto
www.splshortcourses.co.za .
8
5. A participant must pass all assessments with at least
50% for each to be found competent. If it is decided to
include group assessments done during the contact
time as part of the assessment plan, it may not
contribute more that 20% of the 50% of the contact
time assessments and in that case the average mark of
the different contact session assessments must be at
least 50%. If the group assessment is in the form of a
presentation, only group members present during the
presentation will earn the group mark.
9
6. All assessments for a Unit Standard will be
completed by assessors six weeks after the final
assessment submission date and be submitted together
with the assessment plan, a memorandum setting out
the model answers and comments on individual
assessments. These documents must be submitted
with the assigned SPL MMC Assessment Coordinator,
who shall then in turn submit the assessments for
moderation and eventually verification.
10
8. A participant found not yet competent will be given a
second opportunity for assessment only if he/she has
attended at least eighty per cent of the contact time. The
attendance register circulated twice per day will be used as
evidence for allowing the second opportunity. Should the
rewrite – in the case of the contact time assessment and/or
resubmission – in the case of the take-home assignment still result in a not yet competent result, the participant
must re-register and redo the Unit Standard.
11
9. A participant that has – for a proven work-related or
serious health reason – not been present during the contact
time assessment, but has attended at least fifty per cent of
the contact time, will be allowed to do the assessment at
the same opportunity scheduled for participants referred to
in item 8 above. The attendance register circulated twice
per day will be used as evidence for allowing such an
opportunity, but should the participant be found not yet
competent, no further opportunities will be granted and
he/she must re-register and redo the Unit Standard.
12
Purpose of this Unit Standard
This unit standard is intended for people involved in
municipal finance management or other persons as
identified in GG 22967. Persons credited with
this unit standard are able to:
• Apply the core concepts of risk management in a
South African municipality.
• Inform policy decision and strategic decision-making
processes about the importance of risk management in
municipalities.
13
On completion of this Unit Standard you should be
able to:
• Identify the role played by risk management in a
municipality;
• Interpret and apply legislation relevant to municipal
risk management in South African municipalities;
• Demonstrate how risk management contributes to
good governance;
• Develop a municipality wide risk management and
reporting system;
• Develop a risk management process.
14
4
Unit 1. Risk and the importance of managing risk in a
municipal environment
Learning outcomes:
• Explain why risk management is important;
• Identify and analyse the significance of risk
management malpractices in failed entities;
• Understand the accountability structure of municipal
risk management.
15
9
Critical!
• Test – 2 versions with a twist
• Assignment! Individual work
16
Practical slides
17
Risk definition
9-11
• the “chance of something happening that will have an
impact on objectives. It is often specified in terms of an
event or circumstance and the consequences that may
flow from it. It is measured in terms of a combination of
the consequences of an event and their likelihoods. It
may have a positive or negative impact.”
(Australia/ New Zealand Standard Risk Management AS/NZS 4360:2004)
18
11
Risk Management definition
• the “the culture, processes and structures that are
directed towards realising potential opportunities whilst
managing adverse effects.”
(Australian and New Zealand Risk Management Standard AS4360: 2004)
19
11
Case Study: Walking Into Risk - p13
20
13
• P13 Identify risks Thato expose to?
• Anything to reduce impact of risk?
• Any risks on way here?
• What did you di about them?
21
What is risk?
Risk is the possibility of an incident taking place that can
affect desired outcomes.
It is measured in terms of likelihood and consequence
Measuring Criteria!
Positive risk adds value and enhances a municipality’s
ability to attain goals.
14 -5.1.1.1
22
What is risk?
Not all risk is bad….
• Negative risk consequences drain resources and
interfere with a municipality’s financial stability and
ability to fulfil its service delivery mandate.
• Positive risk consequences produce better than
expected results or unexpected opportunities. ????????
23
15
What is Risk Management?
A continuous, proactive and systematic process, effected
by a municipality’s executive authority, accounting officer,
management and other personnel, applied in strategic
planning and across the municipality, designed to identify
risks and manage those risks, to the extent necessary and
possible, to provide reasonable assurance regarding the
achievement of the municipality’s objectives.
16- 5.2.1.5
24
Enterprise (or integrated) Risk Management
Enterprise risk management (ERM) in an organisation
includes the methods and processes used to manage
risks and seize opportunities related to the achievement
of their objectives. ERM provides a framework for risk
management, which typically involves identifying
particular events or circumstances relevant to the
organization's objectives (risks and opportunities),
assessing them in terms of likelihood and magnitude of
impact, determining a response strategy, and
monitoring progress. By identifying and proactively
addressing risks and opportunities, organisations
protect and create value for the organisation, its
employees, customers, regulators, and society overall.
Wikipedia
25
16
Enterprise (or integrated) Risk Management …. Cont.
ERM can also be described as a risk-based approach to
managing an organisation, integrating concepts of
internal control, and strategic planning.
ERM is evolving to address the needs of various
stakeholders, who want to understand the broad
spectrum of risks facing complex organizations to
ensure they are appropriately managed.
26
16
Why manage risks?
• Risk management is pro active and anticipatory –
enabling a municipality to achieve its objectives with
greater certainty
• A robust risk management process aims at increased
awareness, transparent evaluation, and sound
mitigation of risks facing a municipality
• As a management tool, an integrated risk
management framework assists in achieving
objectives more efficiently. Risk management as a
management tool also promotes effective and
efficient resource utilization.
National Treasury
27
16
Why manage risks?
Risk Management Objectives.
• To identify and prioritise risks arising from municipal
strategy and operations.
• Determine level of risk acceptable to the municipality.
• Design and implement risk mitigation or management
strategies.
• Continually monitor and review risk and
appropriateness of risk practices.
• Contribute to good governance.
28
We all manage risk
•
•
•
•
Non-Smokers - ‘avoid’ most of the risk
Smokers - ‘accept or absorb, TAKE the risk
Quitters - ‘mitigate or control’ the risk ? Incorrect why?
Insurance - ‘transfers’ the risk
•
•
•
•
•
Accepet
Mitigate
Avoid
Transfer
Outsource ????
29
We all manage risk
Other examples?
30
Why is risk management important?
•
•
•
•
It is integrated into municipal operations
Efficient and effective service delivery
Informed strategic and operational planning
Enhances governance and accountability in
decision-making
• Limits the number of operational surprises
31
16
The importance of Risk Management
It’s key benefits:
• promotes effective and efficient service delivery
• provides a more rigorous basis for strategic management
• objectives are more likely to be achieved;
• damaging problems are less likely to happen;
• beneficial opportunities are more likely to be achieved.
It’s potential benefits
• supporting strategic and business planning;
• supporting effective use of resources;
• promoting continuous improvement;
• fewer shocks and unwelcome surprises;
• quicker grasp of new opportunities;
• enhancing internal communications;
• reassuring stakeholders;
• helping focus the internal audit programme;
32
17
Case Studies: p 18-21
Read and answer the three questions at the end
33
18-21
Responsibility and accountability for Risk Management
COUNCIL
Executive
Mayor / Exco
Audit
committee
Accounting Officer
Risk
Committee
Internal Audit
Chief Risk
Officer
Possible risk management Organisational structure
Metro or large B
34
21
Responsibility and accountability for Risk Management
COUNCIL
Audit
committee
Mayor
Accounting Officer = CRO
Internal Audit
Risk
Committee
Delegate Risk
Management
Possible risk management Organisational structure
Small B
35
22
Responsibility for Risk Management
• Municipal council sets policy
• Executive mayor/committee have immediate political
oversight
• Accounting officer ensures that policy is
implemented
• Risk Committee and Chief Risk Officer ensure
execution on a day-to-day basis
36
22-24
Risk Management Policy Statement (23)
The risk management policy is a brief statement about the Institution's
commitment to risk management. It can be replicated in the risk
management plan. The Policy should be published and circulated to
existing and new staff as part of the risk awareness strategy.
The objectives of the risk management policy could include:
• Alignment of risk-taking behaviour of Institution with strategic
business objectives;
• To promote a risk management culture in all sphere of government
and improve risk transparency to the shareholder;
• To maximise stakeholder’s value and net worth by managing risks
that may impact the defined financial and performance drivers;
• To assist the Institution in enhancing and protecting those
opportunities that represent the greatest service delivery benefits.
National Treasury Risk Management Framework
37
23
Roles and Responsibilities – with respect to Risk Management
•
•
•
•
•
•
•
•
•
•
The Executive Authority
The Accounting Officer/Authority
The Audit Committee
The Risk Management Committee
The Chief Risk Officers
Management
Other Officials
The Internal Audit
The External Audit
The National Treasury
page 22-25
38
The reality
It is often found:
• Risk Management has been allocated to one official.
• The Risk Management unit has been created at a low level
• Risk Management is treated as a compliance exercise
What should happen:
• Ownership of risk management should be imposed on all
managers in the municipality.
• Risk management should not be seen as an operational issue,
but as a strategic initiative with critical and wide objectives.
• After compliance with establishing risk management policies,
plans, registers – purposeful action should follow
39
The role of Internal Audit
Internal auditors should obtain sufficient evidence to
satisfy themselves that the key objectives of the risk
management process are being met in order to form an
opinion on the adequacy of the risk management
process.
40
25
The role of Internal Audit
• Internal Audit is one of the key departments in
municipal risk management.
• It is through internal audit work that the
management and the municipal council can obtain
comfort that the risk management system is
operating effectively.
• In order to give a reliable opinion internal audit
should avoid assuming responsibility for risk
management.
41
25
The role of Internal Audit
Ensure:
• Effectiveness of risk management system
• Procedures are in place to determine acceptable
levels of risk
• Risks are managed to acceptable levels and internal
controls are in operation to mitigate risks
• Risk monitoring and review mechanisms are in place
and operating effectively.
42
25
RISK MANAGEMENT AND STRATEGIC PLANNING
STRATEGIC PLANNING IS THE ESTABLISHMENT OF A CLEAR ACTION PATH BETWEEN:
1. WHERE THE ORGANIZATION IS……….
2. WHERE IT WANTS TO GO………..
3. ……….AND HOW IT CAN GET THERE.
• ASSESSMENT OF WHERE IT IS
– SITUATIONAL ANALYSIS (ENVIRONMENTAL SCANNING)
– RESOURCE ASSESSMENT
– SWOT ANALYSIS
- ENVIRONMENTAL RISK ASSESSMENT**
• ESTABLISH OBJECTIVES OF WHERE IT WANTS TO GO
– ESTABLISH POLICY PRIORITY GUIDELINES
43
RISK MANAGEMENT AND STRATEGIC PLANNING
– OBJECTIVE/GOAL SETTING, AFTER CONSIDERING:
• ALL THE COMPETING OPTIONS
• COMPARATIVE/SENARIO ANALYSIS (CBA ETC)
• RISK ASSESSMENT OF COMPETING OPTIONS**
• COSTING OF PLAN/S
• FORECASTING EXERCISES, INCLUDING SOCIAL AND ECONOMIC TRENDS
ETC.
• ALLOCATING RESOURCES TO HIGHEST PRIORITIES AND BEST OPTIONS
• FINANCIAL ALIGNMENT (PLANS VS. BUDGET ALLOCATION)
• DEVISE STRATEGIES OF HOW IT WILL GET THERE.
•
- VERIFICATION OF ‘BEST OPTIONS’ AGAINST POLICY PRIORITIES
– DEVISE ACTION PLANS WITH MEASURABLE OBJECTIVES, WITHIN
ORGANIZATION’S MAIN DIVISIONS AND PROGRAMMES - TO. PROVIDE A
STRUCTURED OPERATIONAL FRAMEWORK FOR THE ORGANIZATION.
– INCLUDE RISK MANAGEMENT PLAN**
44
Risk Management limitations (27)
Limitations through:
• Poor management processes
• Changes in policy, programmes, economic conditions
etc.
• Poor decision-making
• Collusion between managers and employees to
override the risk management process
• Insufficient capacity to meet risk management
requirements
• Poor assessment and prioritisation of risks
45
27
LEARNING ACTIVITY
p 28
46
Unit 2 – The Legislative Framework
Learning outcomes:
• Interpret and apply legislation relevant to municipal
risk management
• Understand and apply principles in regulations
relevant to municipal risk management
• Identify and apply relevant recommendations in
commissioned risk management frameworks to
municipal risk management
47
30
Key concepts
• Page 30 – 31-definitions
48
Case Studies: p 32-33
Read and answer the three questions at the end
49
The purpose of legislation
To:
• Implement policy
• Promote good governance
• Mitigate risks
• Ensure that municipalities fulfill their service delivery
mandates
50
33
Legislation that is relevant to municipal risk
management
•
•
•
•
•
Municipal Finance Management Act 5.1.4.1.
Municipal Systems Act 5.1.4.2.
Disaster Management Act 5.1.4.3.
Occupations Health and Safety Act 5.1.4.4.
Hazardous Substances Act.5.1.4.5.
51
34
The MFMA
Section 62(1)(c). Requires the Accounting Officer to
ensure that the municipality has an effective and
efficient and transparent system of financial and risk
management that is supported by a system of internal
control.
52
34
The MFMA
Requirements:
• Account for and maintain safe custody of all revenue
and assets
• Prepare and approve budgets before the start of
each financial year. Incur expenditure within
approved budget limits.
• Duties of mayor and other officials
• Internal Audit must advise on risk.
53
35
The Municipal Systems Act
Requirements:
• Inclusive system of government
• Implement Integrated Development Plans
• Develop and approve policies regarding indigence,
credit control and tariffing
• Monitoring of performance
• Service provision standards and equity
• Code of conduct for councillors and employees
54
Disaster Management Act
Requirements:
• Every metropolitan and district municipality must
have a disaster management center.
• Recruit and train volunteers
• Preform disaster risk management and take steps to
minimise risks
• Monitor and review disaster preparedness.
55
35
Occupational Safety and Health Act
Requirements:
• Provide for the health and safety of employees in the
conduct of their work
• Establish health and safety oversight committee
• Identify and evaluate risks
• Take steps to protect employees
56
35
Hazardous Substances Act
Requirements:
• Ensure hazardous substances are handled in a
manner that does not endanger employees and the
public
• Employ skilled employees in an area of hazardous
substances handling
• Limit use of certain electronic products
57
36
Other Risk Management Frameworks
Other frameworks:
• National Treasury Risk Management Framework
• King I, ll, lll
58
37
KING III
• Advocates a risk based approach to internal audit
• Internal audit should objectively assess the
effectiveness of risk management and the internal
control frameworks
• Risk management should include fraud and IT risks
• The Board (Executive) should take more
responsibility for the governance of risk
59
The National Treasury Risk Management Framework
1) Definitions
2) Purpose, Applicability and Background
3) Creating an enabling environment
4) Integration of Risk Management activities
5) Risk Identification
6) Risk Assessment
7) Risk Response
8) Communicating and Reporting
9) Monitoring
10) Risk Management Functions and responsibilities
11) Evaluation of risk management effectiveness
60
37
ISO 31000:2010
ISO 31000 is intended to be a family of standards relating to risk
management codified by the International Organization for
Standardization.
The purpose of ISO 31000:2009 is to provide principles and generic
guidelines on risk management.
ISO 31000 seeks to provide a universally recognised paradigm for
practitioners and companies employing risk management processes to
replace the myriad of existing standards, methodologies and paradigms
that differed between industries, subject matters and regions.
(It is a replacement to the existing standard on risk management, AS/NZS
4360:2004)
Wikipedia
61
LEARNING ACTIVITY
p 39
62
39
Unit 3 – An Integrated Risk Management Framework
Learning Outcomes:
• Explain the importance of implementing an
integrated risk management system
• Identify best practices in risk management and
benchmark integrated municipal risk management
against these
• Understand the role of monitoring and review in the
risk management process
• Explain the objectives and key components of a risk
management plan
63
40
The changing Risk Environment
Greater emphasis on performance objectives and
therefore on risks that might undermine those
objectives.
64
41-42
Change in approach to Risk Management
Old approach
• Fragmented – dept/function management risk – Risk is bad!
• Risk management primary by Finance and Internal Audit –
their job
• Ad–hoc – risk management done when management felt the
need
• Narrow focus, primarily on finance risks and insurable risks
Current approach
• Integrated, with senior management oversight
• Everyone in municipality views risk management as part of
his/her job
• Risk management process is on-going
• Broad focus – all municipal risks and opportunities considered
65
f44
Integrated Risk Management
• Integrated Risk Management is an explicit and systematic
approach to managing strategic, operational and project risk
to organizational objectives, from an organization-wide
perspective.
• An integrated risk management system takes into account the
organisational structure of a municipality and embeds risk
management practices into all the facets of its operations
• Continuous, pro-active and systematic processes to identify,
understand, manage and communicate risk from a
municipality-wide perspective. It is about making strategic
decisions that contribute to the achievement of a
municipality’s overall strategic and operational objectives.
66
41
The IRM system
Must be supported by:
• Risk management policy determined by Council and
management based on acceptable level of risk
• The identification and prioritisation of strategic and
operational risks
• The putting in place of acceptable mitigation or
treatment strategies
• The regular review of risk and mitigation strategies
• The regular production of reports on the risk
management process for the Council and
management.
67
42
The IRM Framework
The IRM Framework provides the municipality with a
mechanism to develop an overall approach to manage
strategic risks by creating the means to discuss,
compare and evaluate substantially different risks on
the same page.
It applies to an entire organisation and covers all types
of risk faced by that organisation e.g. policy,
operational, human resources, financial, legal, health
and safety, environment, reputational.
Treasury Board of Canada
68
45
The IRM/ERM Literature (best practice)
• COSO – Enterprise Risk Management – Integrated
Framework.
• The Treasury Board of Canada Risk Management
Framework.
• IRM, AIRMAC and ALARM Risk Management
Standard
• Australia/ New Zealand Standard Risk Management,
AS/NZS4360;2004
• SA National Treasury Framework
69
45
The National Treasury Risk Management Framework
1) Definitions
2) Purpose, Applicability and Background
3) Creating an enabling environment
4) Integration of Risk Management activities
5) Risk Identification
6) Risk Assessment
7) Risk Response
8) Communicating and Reporting
9) Monitoring
10) Risk Management Functions and responsibilities
11) Evaluation of risk management effectiveness
70
46
The importance of the IRMF
The framework can:
Support the municipality’s governance responsibilities by ensuring
that significant risk areas associated with policies, plans, programs and
operations are identified and assessed, and that appropriate measures
are in place to address unfavourable impacts and to benefit from
opportunities.
Improve results through more informed decision-making by ensuring
that values, competencies, tools and a supportive environment form
the foundation for innovation and responsible risk taking, and by
encouraging learning from experience while respecting oversight
controls.
Strengthen accountability by demonstrating that levels of risk
associated with policies, plans, programs and operations are explicitly
understood and that implementation in risk management measures
and stakeholder interests are optimally balanced.
Enhance stewardship by strengthening public service capacity to
safeguard people, municipal property and interests.
TBC
71
46
IRM outcomes (47)
• Maximising opportunities by more effective budgets
or budgeting and day-to-day operational planning.
• Increased knowledge and understanding of key
strategic and operational risk exposures
• Fewer costly surprises, for example by increasing the
ability to prevent adverse outcomes
• Better outcomes in terms of municipal efficiency and
effectiveness
• Greater transparency in decision-making and the
ongoing control of processes
72
47
IRM process Risk Manangement Process
overview (AS/NZS
Identify the risks
Monitor and review
Communicate and consult
Establish the context
Analyse the risks
Evaluate the risks
Treat the risks
73
48
IRM - Communicating and consulting
• At each stage of the process
• With internal and external stakeholders (levels of
government, management, consumers and suppliers)
74
49+50
IRM process
Identify the risks
Monitor and review
Communicate and consult
Establish the context
Analyse the risks
Evaluate the risks
Treat the risks
75
48
IRM - Establish the context
• The strategic, organisational and risk management
context – risks are examined i.t.o. threats and
opportunities within context of municipality’s
‘mandate, objectives and available resources’
• Information about both internal and external
environment in which the municipality operates.
• Bearing in mind the purpose of risk management
• Includes assigning roles and responsibilities
76
49+51
IRM process
Identify the risks
Monitor and review
Communicate and consult
Establish the context
Analyse the risks
Evaluate the risks
Treat the risks
77
48
IRM - Identifying the risks
•
•
•
•
Questionnaires
Flowcharts
Brainstorming
Document review
78
49+53
IRM process
Identify the risks
Monitor and review
Communicate and consult
Establish the context
Analyse the risks
Evaluate the risks
Treat the risks
79
48
IRM - Analysing risks (54)
Impact
Likelihood
Risk index = impact x likelihood
Determining the risk acceptance criteria – i.e. which
risks can not be tolerated
80
49+54
From IRM Framework to IRM project
Identify the risks
Analyse the risks
Monitor and review
Communicate and consult
Establish the context
Risk
Register
Risk Assessments
Evaluate the risks
Treat the risks
81
48
Risk Analysis
“Risk analysis aims to establish an understanding of the
level of risk and its nature”
• Level of risk is determined by combining likelihood
and consequence.
• It typically starts with a qualitative approach using a
‘frequency/severity worksheet’.
82
54
Frequency/severity worksheet
Risk Analysis
Frequency/severity worksheet – for natural disasters
Resources
Affected
Financial
Resources
Human
Resources
Possible effect
on resources
Uninsured
storm damage
to public
property
Employees
unable to get to
work
Frequency and
Comments or potential
severity estimate strategies
low frequency
Insurance. Storm
high severity
protection for
vulnerable building.
low frequency
high severity
Identify essential
employees and
arrange transportation
83
Risk analysis – assess potential risk consequences
Estimate frequency and severity for each type of
potential loss.
Frequency : i.e. how often is the loss likely to occur?
• Past records
• Information from employees/insurers
• brainstorming
84
Risk analysis – assess potential risk consequences
Severity: i.e. how bad cumulative losses of that type are
likely to be (either financial losses or interference with
service delivery)
• More subjective – major to a district municipality
may be negligible to a metropolitan municipality
• Estimate size of loss and frequency
85
55
Risk analysis – how severe is the loss?
Assign a rand value to losses if possible. In the absence
of values assign ‘high’ or ‘low’ frequency and severity
for each type of expected loss. Consider the following:
• Rand value of expected loss
• Total losses the municipality can bear without
stopping service delivery.
• Potential effect on the community
• Governing Body’s risk tolerance
86
55
Risk analysis – key risk areas to consider in more
detail
• Governing Body’s risk tolerance – losses tend to be
more severe if the governing body is uncomfortable
about these
• Effect on the community – events that do not directly
damage the municipality’s property such as a severe
economic downturn, can reduce revenue
87
55
Risk analysis – consider key risks in more detail
• Have more than one meeting if necessary but avoid
lengthy meetings that hinder employees for doing
their work
• Carry out more research if necessary
• Maintain an air of strict objectivity and avoid
interpersonal clashes
88
55
Risk analysis. Map out your risks
(111)
A risk map segregates potential losses according to
frequency and severity
• It can be a useful visual guide to choosing the risks to
address first, but is not essential.
• You can achieve the same purpose just making lists
that correspond with the categories on the map
89
55
Risk analysis – define risk map segments
Simple risk maps may include as few as four segments
•
•
•
•
High frequency/high severity
Low frequency/high severity
High frequency/low severity
Low frequency/low severity
Use six segments – low, medium and high, for greater
detail
90
55
Simple Risk Map
Risk Analysis
Sample Risk Map
Frequency
High
Medium
Low
low
Vandalism to
municipal
property
Severity
medium
high
Metro
police liability
claims
Severe flooding
91
55
IRM - Evaluating risks (58)
Includes developing an action plan for each
“maximum” or “high-level” risk.
•
•
•
•
•
•
•
Identifying risk-treatment options which consider:
Proposed actions
Resource requirements
Responsibilities
Timing
Performance measures
Reporting and monitoring requirements
92
58
IRM Framework to IRM project
Identify the risks
Analyse the risks
Monitor and review
Communicate and consult
Establish the context
Risk
Assessment
s
Risk
Register
Evaluate the risks
Treat the risks
93
48
Risk evaluation – prioritise risks
Using your analysis, choose the risks you will address
first, for example:
• Risks that may cause high severity losses, even if
those losses are infrequent
• High frequency but low severity losses that can drain
financial resources due to their cumulative cost.
94
58
IRM - Treating risks
Only extreme or high risks will be treated.
95
58 b
Risk evaluation – prioritise risks
• Risks for which there is an obvious, cost-effective
solution that can be easily implemented
• Risks that threaten the municipality’s public image
and reputation
96
58
IRM Framework to IRM project
Identify the risks
Analyse the risks
Monitor and review
Communicate and consult
Establish the context
Risk
Assessment
s
Risk
Register
Evaluate the risks
Treat the risks
97
48
Risk treatment – create an action plan
With its risk priorities in hand, the team can now gather
to review the results and create a comprehensive
action plan to address high-priority risks.
• Do not ignore the other risks, but
• Direct your initial attention to those that threaten
greater harm
98
59,60
Risk treatment – 4 strategies (104)
•
•
•
•
Avoid
Reduce
Retain
Transfer
99
58 59
Risk treatment – develop the action plan
• Work with municipal departments
• Supervisors and employees will have good ideas
about addressing risks
• An involved employee is also more likely to follow
the action plan
• Consider your municipality’s ability to implement
strategies – both financially and organisationally
100
59
Risk treatment – develop the action plan……
continued
• Brainstorm for ideas which will prevent losses
• Transferring loses and controlling losses after they
occur is a possible second line of defense (recovery
plan)
• Identify risk of loss that remains after you have
implemented your action plan and make plans for
transferring or financing those risks
(contracts/insurance)
101
59
Risk treatment – complete and circulate the action
plan
• Assemble the chosen strategies into a risk action plan
endorsed by the Chief Risk Officer and Risk Committee
• Obtain endorsement of the plan by the Municipal Council
and/or the Mayoral Executive Committee
• Share appropriate sections of the plan with departmental
heads, departmental risk representatives, and other
employees whose activities it affects
• Prepare general information about the action plan for
dissemination to the general employee population
102
59
Risk treatment – contents of the action plan
•
•
•
•
•
•
•
Risk source
Strategies selected
Activities
Target completion date
Responsible person
Actual date of completion
Performance measures
103
59.60
note
residual risk
• Exposure to loss remaining after other known risks
have been countered, factored in, or eliminated
inherent risk
• The probability of loss arising out of circumstances or
existing in an environment, in the absence of any
action to control or modify the circumstances.
104
60
IRM - Monitor and review
Monitor and review the performance of the risk
management system and changes that might effect it.
105
61
The issue of Risk management capacity (61)
The necessity of having adequate capacity through
which to conduct a full IRM plan
106
61
The issue of Risk tolerance (62)
Understand different tolerances to different risks in
different municipal environments
107
62
108
LEARNING ACTIVITY
p 63
109
63
Unit 4 – The identification of different types of risks
Outcomes:
• Identify different types of risks and classify them
• Provide reasons why these risks need to be managed
• Provide examples of risk mitigation techniques and
apply them to a municipal setting
110
65
Comment 3.2 p66
• Different municipalities have different risks
• But there is a uniform framework and process that
can be adopted to establish risk context and
evaluation criteria for the individual municipality
• Each municipality needs to identify its own risk
mitigation process.
111
66
Purpose of this Unit
• Establish the context for the process of municipal risk
management
• Identify risks that may impact on SA municipalities
• Develop risk evaluation criteria and techniques that
can be considered to mitigate such risks
• (bearing in mind that different municipalities have
different risks)
112
67
Case Study: p 68
Read and answer the three questions at the end
113
IRM process f53 see next slide
Identify the risks
Analyse the risks
Evaluate the risks
Monitor and review
Communicate and consult
Establish the context
Treat the risks
114
Who identifies risks? Stakeholders
• Risk Committee or project team
• Individuals – limited to area of expertise (in the
strategic planning stage)
• Individuals – extends to perception of risk in other
departments or operational areas
• Local Public – typically based on perception and
experience of service
• General Public – largely based on perception
115
Attributes best suited to risk identification
Risk person profilef55
• Reliable and committed to the success of risk
management and the municipality
• Should have access to research resources such as
professional organisations
• Be knowledgeable about the municipality and
operations included in the scope of the risk
management assignment
• Could also be an external expert.
116
f56
118
Risk identification
So, it is important to:
• understand the municipality’s context – and the
SWOT within that context
• build a risk profile of the municipality
• produce a list of potential risks which flow from the
risk profile
• record the potential risks in a Risk Register
119
69
How do you identify risks? f56
Risk identification methods
• Project teams – hold brainstorm sessions
• Individuals – respond to risk questionnaires individually,
assemble as a group to discuss each members input and
arrive at a consensus
• Local public – respond to surveys an voice their views of
risk through the media
• Municipal staff – study historic records such as insurance
claims and audit reports
• Methods such as environmental scanning and SWOT
analysis
120
121
The Risk Register
Content (see page 70)
122
70
123
70
Before we start with risk examples, let us recap
124
f56
125
71-73
Examples of risk
Risks and mitigation
Mitigating against:
• Strategic risks
• Operational risks
• Reputation risks
• Asset management, infrastructure development and
maintenance risks
• Staff risks
• Technology and information risk
• Financial and economic risks
• Legal, contractual and regulatory risks
• Environmental risks
• Business interruption and natural disaster risks
126
73
Pge 74 in the LG complete example as it would appear in risk register
127
Reputational risks
The risk that an activity, action or stance performed or
taken by a municipality or its officials will impair its
image in the community and/or the long term trust
placed in the municipality by its stakeholders, resulting
in the loss of confidence and/or legal action.
All risks and all related components of an organisation
potentially impact on reputation.
Page 76LG
128
76
Asset management, Development and Maintenance risk
The risk that a municipality’s plant and equipment may
not perform to its optimum or perform at all during
service delivery due to error, oversight or omission
related to asset purchase, development and/or
maintenance.
LG page 77
129
77
Staff risk
Staff risks refers to threats that may be directed
towards a municipality’s employees and their ability to
perform their duties. These risks may originate from
within the municipality or from external sources.
Staff too can cause risks to a municipality
LG page 78
130
78
• LG page 80
131
Financial and economic risk
Any risk associated with money!
The risk that a municipality will not have adequate cash
flow to meet financial or service delivery obligations.
LG page 81
132
81
Legal, contractual and regulatory risk
(including compliance and liability)
Sometimes governments change the law or enact
regulations in a way that adversely affects a
municipality’s ability to deliver on its mandate.
Contracts may also be drafted in a way that may result
in a loss to a municipality
LG page 83
133
83
Environmental risks
The risk associated with economic or administrative
consequences of slow or catastrophic environmental
pollution
LG page 85
134
84
Business interruption and Natural disasters risk
The risk that an unforeseen and often sudden event
that causes great damage destruction and human
suffering may occur
Though often caused by nature, disasters can have
human origns. Wars, terrorism and civil disturbances
that destroy homelands are typical causes of disasters
LG page 86.
135
86
External risks
These are more difficult to evaluate and to mitigate
against
Page 87 list for info
136
Internal risks
These are specific to the municipality and over which
the municipality has greater control
Page 87 for info
137
LEARNING ACTIVITY
p 89
138
Unit 5 – the process to prepare an integrated risk
model
Learning outcomes:
• Implement a risk management model in a
municipality
• Apply the theory of the risk management process in
a municipal setting
• Understand the role and responsibilities and
accountability structures for municipal risk
management
• Understand the municipality-wide risk management
and reporting system
139
90
Case Study: p 92
Read and then do the exercise
140
Establishing IRM
What should be in place….
141
93
Municipality/organisational IRM set-up
i.e. prerequisites for the risk model 93-97
•
•
•
•
•
Develop risk management culture
Set the tone at the top
Develop and communicate risk management policy
Communicate risk management issues
Set-up risk management function (including the RM
plan and process)
• Define risk management role of other key
functions/bodies
142
93-97
Defining of the objectives
97
• Organisational objectives
See vision and mission statements (Remember, a risk is
only as significant as the extent to which it impacts on municipal
organisational objectives)
• Risk management objectives
Should support the organisational objectives
• These are then combined as a basis for the strategic
and budget management process
143
97
IRM Pillars the essentials for IRM introduction f87
Process integration
Governance Structures
Communication
Risk Policy
Culture
Integrated Risk Management
144
99
Risk management culture
The ideal risk management culture is one where all
municipal employees:
• Identify and assess risks as these relate to their jobs
• Bring issues to the attention of superiors
• Take actions to strengthen controls
145
93
Key elements of Risk Culture
• It is included in municipal strategy through the
mission, values and vision statements
• It begins with the Municipal Council and must then
filter down to every unit
• It is more than an annual activity. It is a core activity.
• The municipality must be provided with the tools
and infrastructure to manage risk like: framework,
policy, training, etc.
146
93
Key elements a Risk Culture
• Management must be encouraged to be open about
assessing and identifying risk exposures
• There should be procedures for tracking and
correcting deficiencies and reporting them to senior
management
• A risk function with executive powers should be in
place
• Staff must fully understand their role.
147
93
Risk Management Policy it includes:
Definition and
objectives
framework
governance
Integrated risk
management
Roles and
responsibilities
Reporting and
monitoring
procedures
148
94
Communication strategy f91
• Internal – what is IRM, how will it help employees in their
work?
• Consumers – how will IRM affect service delivery both in
the short and long term?
• Government departments – particularly National
Treasury on MFMA implementation
• The media – municipality should have integrated and
comprehensive materials for the media
• Provincial and National governments – most
municipalities will be using IRM analyses for their
planning and budgeting, therefore IRM information will
be familiar. The transparency of IRM analyses and
reporting should facilitate discussions and comparisons
across municipalities/regions
149
95
IRM Municipality and Governance
The Risk Team should have the following clearly defined:
• Roles and responsibilities – everyone must know what
they are doing and where their accountability ends
• Clear ownership – no duplication of work or neglected
processes
• Good representation – across all areas and levels of the
municipality
150
97
IRM and Governance
The Risk Management Committee:
• Chaired by the Accounting Officer/Chief Risk Officer
(independent person appointed by AO)
• Represented at senior management level
• Provides strategic guidance to the work of the IRM
team
151
IRM and Governance
Department representative/committee is responsible
for:
• Checking department’s compliance with IRM policy
and regulatory requirements and reviewing and
discussing risk issues
• Communication of an IRM vision and promoting risk
management culture
• Providing direction of risk assessment
152
Integrated Risk Management Implementation Work
Plan FG 93
A plan through which to apply the Risk Management Policy
The plan documents how risk management will be
conducted and includes:
• Individual responsibilities
• The risk management processes and activities to be
undertaken
• Details the schedule and budget for risk management
activities
• The risk management methods, tools and techniques
153
98
The structure and process of risk management
Implementation of IRM
Environmental scan
(internal/External)
Risk
Management
policy
strategy
Strategic Plan
Risk
Management
register
operations
IRM
guidelines
Database
reporting
IRM
Implementation
plan
governance
consumers
Continuous learning
Department outcomes/objectives
AS/NZS
4360
99
SUMMARY - main RM plan components 100
• Roles and responsibilities
• Documentation
• Risk management process tasks or activities
– Establish the risks?
– Establish how the threats posed by risks are identified
– Establish what action to take – and what options are available
•
•
•
•
•
•
•
•
•
•
Risk avoidance
Risk reduction
Risk retention
Risk transfer
(104)
Timetable for risk management activities
Risk management tools, methods and techniques
Monitor and review
Change Management – monitoring and review
Approaches to risk management monitoring and review
155
Risk mapping
(100-11)
156
IRM Implementation work plan - process integration
f93
Approve:
• Integrated Risk Management Policy
• Initial Integrated Risk Management Guidelines
• Initial Municipal Risk Profile
157
100-105
IRM Implementation work plan f94
•
•
•
•
Establish Risk Committee
IRM Implementation Project Committee
Liaison among municipal department representatives
Key pilot IRM project(s) based on priority decisions
of municipal management
158
159
IRM Framework to IRM project f95
Identify the risks
Analyse the risks
Evaluate the risks
Treat the risks
Monitor and review
Communicate and consult
Establish the context
Risk
Assessme
nts
Risk
Register
How to analyse municipal risk f95
161
Draw a worksheet –teams FG 95
• Critically analyse you municipality’s two most
prominent risks and see if you can describe the
likelihood of them happening and the severity of
their impact if they should happen. Is anyone
monitoring them at the moment? Who would you
delegate that role in your municipality’s
organisational structure? How would you suggest the
monitoring is done?
162
Frequency severity worksheet FG 96
163
Assess frequency of risk consequences
164
Assess severity of risk consequences FG 97
165
Quantify loss event fg 97
• Risk Analysis
• How severe is the loss?
• Assign Rand value to losses if possible. In the
absence of values, assign ‘High’ or ‘Low’ frequency
and severity for each type of expected loss. Consider
the following:
• Rand value of expected loss
• Total losses the municipality can bear without
stopping service delivery.
• Potential effect on the community.
• Governing Body’s risk tolerance
166
CONSIDER MUNICIPAL COUNCIL VIEW AND
IMPACT ON THE COMMUNITY FG 98
Risk Analysis
Key risk areas to consider in more detail
• Governing Body’s risk tolerance – losses tend to be
more severe if the governing body is uncomfortable
about them.
• Effect on the community – events that do not directly
damage the municipality’s property, such as a severe
economic downturn, can reduce revenue.
167
ENCOURAGE HEALTHY RISK ANALYSIS
DELIBERATIONS fg 98
• Risk Analysis
• Consider key risks in more detail
• Have more than one meeting if necessary but avoid
lengthy meetings that hinder employees for doing
their work.
• Carry out more research if necessary.
• Maintain an air of strict objectivity and avoid
interpersonal clashes.
168
DEVELOP MUNICIPAL RISK MAP fg99
• Risk Analysis
• Map Your Risks!
• A risk map segregates potential losses according to
frequency and severity.
• It can be a useful visual guide to choosing the risks to
address first, but is not essential.
• You can achieve the same purpose just making lists
that correspond with the categories on the map.
169
DEFINE RISK MAP SEGMENTS
• Risk Analysis
• Define Risk Map Segments
• Simple risk maps may include as few as four
segments:
• High frequency/high severity
• Low frequency/high severity
• High frequency/low severity
• Low frequency/low severity
• Use six segments – low, medium and high, for greater
detail.
170
SAMPLE RISK MAP
171
HOW TO EVALUATE RISKS fg100
172
PRIORITISE RISKS fg100
• Risk Evaluation
• Prioritise Risks
• Using your analysis, choose the risks you will address
first, for example:
• Risks that may cause high severity losses, even if
those losses are infrequent.
• High frequency but low severity losses that can drain
financial resources due to their cumulative cost.
173
fg101
• Risk Evaluation
• Prioritise Risks (cont’d)
• Risks for which there is an obvious, cost-effective
solution that can be easily implemented.
• Risks that threaten the municipality’s public image
and reputation.
174
HOW TO TREAT RISKS fg102
175
CREATE AN ACTION PLAN
• Risk Treatment
• Create an Action Plan
• With its risk priorities in hand, the team can now
gather to review the results and create a
comprehensive action plan to address high-priority
risks.
• Don’t ignore the other risks, but
• Direct your initial attention to those that that
threaten greater harm.
176
FOUR RESPONSES TO RISK
•
•
•
•
•
•
Risk Treatment
Four Risk Treatment Strategies
Avoid
Reduce
Retain
Transfer
177
HOW TO DEVELOP ACTION PLAN fg103
•
•
•
•
Risk Treatment
Develop the Action Plan
Work with municipal departments.
Supervisors and employees will have good ideas
about addressing their risks.
• An involved employee is also more likely to follow
the action plan.
• Consider your municipality’s ability to implement
strategies – both financially and organisationally.
178
•
•
•
•
Risk Treatment
Develop the Action Plan (cont’d)
Brainstorm for ideas that will prevent losses
Transferring losses and controlling losses after they
occur is a possible second line of defence (Recovery
Plan).
• Identify risk of loss that remains after you have
implemented your action plan, and make plans for
transferring or financing those risks (Contracts/
Insurance).
179
CIRCULATE ACTION PLAN (COUNCIL) fg 104
• Risk Treatment
• Complete and circulate the action plan
• Assemble the chosen strategies into a risk action
plan endorsed by the Chief Risk Officer and Risk
Committee.
• Obtain endorsement of the plan by the Municipal
Council and/or Mayoral Executive Committee.
180
CIRCULATE ACTION PLAN (SENIOR MANAGEMENT/
104FF)
• Risk Treatment
• Complete and circulate the action plan
• Share appropriate sections of the plan with
department heads, departmental risk
representatives, and other employees whose
activities it affects.
• Prepare general information about the action plan
for dissemination to the general employee
population.
181
Contents of Action Plan 105
•
•
•
•
•
•
•
•
Risk Treatment
Risk Source
Strategies selected
Activities
Target completion date
Responsible person
Actual date of completion
Performance measures
182
Monitoring and review 105
183
Monitoring and review 106
Monitor, evaluate and modify the action plan
• The Chief Risk Officer monitors the plan’s
implementation and evaluates its effectiveness
• The Risk Committee or project team continue to
meet – quarterly or more often – to review the
implementation of the action plan and make changes
if needed
184
106-10
Monitoring and reviewing
Risk action plan is a dynamic document.
• If initially piloted for a few departments or
operational areas, the plan should be extended and
reviewed on an on-going basis
• The Risk Committee or Project Team should monitor
changes in the entity’s operations (identify new
activities or operational areas, changes in the way
operations are carried out) and modify the action
plan to address new areas of risk.
185
107
Minimum requirements to be included in a municipal
risk management plan
AO must perform integrated risk management
readiness check which includes:
•
•
•
•
People and skills level
IT resources
Municipal Operational processes
Environment
LG 111-113
186
Municipal maturity in risk management
A risk management maturity assessment is a tool
through which to ascertain the status of risk
management within the operations i.e. the extent to
which the IRM practices permeate the key risk
management areas.
LG 114
187
LEARNING ACTIVITY
p 116-117
188
A municipality is never to small for IRM
• Questions ?
• Note all the annexures for info-next slide
189
Annexures
• A – Example submission to Council to approve a Risk
Management Committee Charter and members
• B – Example of a Risk Management Committee Charter
• C – Example of a Risk Management Committee ToR
• D – Example of Municipality IRM Policy
• E – Example size of risk – Impact guide
• F – Example size of risk – Impact grid
• G – Example risk identification form – RM1
• H – Example Risk Management Meeting Record – RM2
• I – Example Risk Reporting Form – RM3
• J – Example pro-forma Risk Register – RM4
• K – Example Municipality Risk Maturity
Assessment
• L – Environmental Risk Case study
190
119-167
Assignment
191
• My contact detail
[email protected]
192