Embed Size (px)
Citation preview
Enterprise Risk Management
A new focus
Presented by: Phumi Madlala
eThekwini Municipality
AgendaThe Risk Management Process:
Definitions
Introduction and background
Benefits of Risk Management
Enterprise Risk Management (ERM) Process
Conducting Corruption Risk Assessment: Preparation During the risk assessment Outcome – risk register Ongoing monitoring & reporting
2
Definitions- Risks are uncertain future events that could influence achievement of
objectives
Risk Management:
- Management tool of creating awareness & managing obstacles that have a potential of preventing the organization from achieving it’s objectives;
- Is also about assessing, both quantitatively and qualitatively the opportunity for success of business initiatives;
- Is composed of methodologies and processes which are designed to develop information critical to achieving the strategic objectives of the organization
3
1. MFMA, S 62 (1) ( c ) states:
“the accounting officer must ensure that the municipality has and maintains effective, efficient and transparent systems of financial and risk management and internal control”
2. S 78 and 105 further assigns the responsibilities to other officials to ensure “effective, efficient, economical and transparent use of financial and other resources within that official’s area of responsibility”
3. S 165 (2) (b) requires internal audit unit to advise the AO on matters related to……(iv) risk and risk management
4. S166 (1) requires audit committee to advise municipal council, political office-bearers, AO and management staff on matters related to …(ii) risk management
5. King III Code on Corporate Governance and Public Sector Risk Management Framework states:
“The Council/ Board is responsible for the total process of risk management, as well as for forming its own opinion on the effectiveness of the process.”
Legislative mandate
4
Value –add from Risk ManagementHighlight processes that are not clearly understood;Identifies processes that are inefficient;Promotes efficiency of service delivery;Create awareness of high risk areas and ensures
uniformity in addressing exposure areas;Create awareness of what can/cannot be controlled;Ensures reasonable and practical time is taken to implement required responses;Promotes pro-activeness rather than re-active response (reduce surprises);Increases probability(likelihood/chances) of achieving goals
Results of Ineffective Risk Management
Breakdown in internal control that could prevent the organization from achieving its objective;
Reactive responses to potential risks, rather than proactive;
Changing/ new risks are not adequately controlled and managed;
Internal control practices become outdated with limited account taken of best practice development;
6
eThekwini Risk Management Governance Structure
eThekwini Municipality - EXCO ERM 7
Council and Key Committees
Audit and Risk Committee
Risk Management Committee Managing Risk & Municipality Sub Committee
GO
VERN
ANCE
OVE
RSIG
HT
MAN
AGEM
ENT
ASSU
RAN
CE
First Line of Defence
DCM Forum
Management of Operations
Second Line of Defence
Chief Risk Officer
Risk Champions
Third Line of Defence
Internal Audit and External Auditors
City Manager and Key Committees
Risk Management Strategy Overview
eThekwini Municipality - EXCO ERM 8
Establish Goals & Context
Identify Risks
Analyse Risks
Evaluate the Risks
Treat the Risks
LikelihoodImpact
Monitor / Review
Corruption Risk Assessment
Corruption Risk Management- Part of Enterprise Risk Management, only
focusing on exposures that are as a result of corrupt activities;
- Best approach to managing fraud/corruption: Prevent it; Whatever that cannot be prevented, controls
should detect it quickly;Investigate the root cause of detected/reported
fraud cases;Correct root causes/Take quick action
Corruption Risk Assessment
Risk Assessment:The process of identifying risk exposures and assessing their impact and likelihood that they would have on the achievement of objectives. The process also involves evaluating suitable ways to mitigate the risks to corruption and assessing effectiveness of controls.
ERM:• Fraud/corruption risk forms one category of the risks that are significant within
Ethekwini municipality, which is managed separately at a strategic level.;• Top down approach – strategic risks are cascaded down to operations
Link between risk categories:• Some risks are inter-linked, e.g. failure to manage fraud/corruption risk results in high
exposure to compliance risk and by default operational risk (due to weakness in controls) which might lead to reputational risk.
Role of compliance in fraud/corruption prevention
Highly compliant organizations
strong ethical environments
reduced fraud/corruption risk
Preparation by facilitator• Assessing environment’s exposure to corruption;
– Inherent risk exposures;– Perform trends analysis based on stats or working with research/forensic unit;– Understand the sector, read journals/publications like Delivery, most importantly your organisations control
environment/operations within your environment;– Stakeholders and their influence to environment;– Separate facts from opinions;– Recent media reports & perceptions of organisation (surveys)
• Establish current risk tolerance level;– tone at the top;– sound ethical culture;– Regular/ongoing training of staff, updates of training manuals , relevance to level of audience according to expectations
• Pro-active defence (mitigations)– Periodic results of data interrogation in relation to corruption risk assessment;– Be familiar with existing controls from first point of contact with organisation e.g background checks prior
employment/engagement with service providers/ customers;
• Sound internal control system– Frequent review and update of Anti – corruption policies and procedures;– Ensure alignment of company policies/procedures with regulations/ legal findings/ forensic developments/ sector
developments– Assurance providers, establish relationships with them, ongoing consultations – recent findings on exposures to
corruption
13
Preparing for Corruption Risk AssessmentImportant Considerations:
• Best suitable form of risk assessment to use: management workshop vs information gathering; • Level at which you are assessing exposure to corruption .e.g. strategic vs operational (dpt’s) –
invite the right audience;• Management’s Tone regarding prevention of corruption e.g understanding/ familiarity with
anti- corruption policies/strategies; support structures; understanding of risk process/ are they defensive - personalise issues/performance management;
• Adequate notification : Pre – reading which directs focus on existing exposures/control environment/stats from forensics/IA reports/management report/regulatory developments/other recent developments to combat fraud/corruption within sector (Local Govern Anti-Corruption Strategy)
• Logistics: – Suitable Venue – promote interaction /co-operation, away from office distractions, no
laptops during session/use of cellphones;– Duration of assessment – reasonable approximation, worse is to under-estimate time;
control discussions• Pre – planning with leader (buy –in) outlining process/expectations /outcome. He sets the
tone during introduction of corruption risk assessment.
14
During the Assessment• Introduction by Head: Strategic /Operational. Communicate
expectations/set tone- promote participation & freedom of expression/ assessment based on facts than opinions;
• Introduction by facilitator – outline the process/methodology & outcome;
• Reference to pre- reading;• Control discussions to focus on facts & desired outcome;• Ensure audience participation and buy in;• Understand root causes for each risk properly so that
correct controls and relevant actions to address exposures can be identified;
• Adherence to risk management standards/specifically anti- corruption framework/strategy;
15
Corruption Risk Register
Outcome:• Risk register with identified strategic/operational corruption risks;• Risk owners – strategic (City Manager/Executives)/ operational (Dpt Heads);
• Impact & likelihood for each risk- per methodology;• Assessment of current controls i.t.o. effectiveness (IA & other Assurance providers );• Tasks to improve our exposure to each risk:
to address root causes; and to strengthen current controls; or once implemented to add to existing controls
• Allocate task owners - based on areas where risk is prevalent, and suitability to implement action to mitigate root causes;
• Strategic risks to be cascaded down at operational level.
Ongoing monitoring of corruption risk
• Independent annual review of Anti-corruption strategy and it’s effectiveness in reducing corrupt activities by Internal Audit;
• Anti-corruption/Fraud Prevention Committee – reporting on implementation of strategy & anti-corruption/ fraud prevention initiatives;
• Governance audit of committees on implementing action per TOR’s;• Monitoring progress of tasks on corruption risk registers ( strategic &operational);
• Quarterly review of existing risks & identification of emerging risks due to change in internal/external environment;
• Reporting progress to appropriate structures;• Ensure implementation of forensic reports recommendations to enhance
internal controls;• Training of staff on their responsibility to report corruption & fraud activities;• Promotion of ethical culture throughout municipality;• Communicate successes in uprooting corruption;• Response strategy on allegations /articles from media;
References
• Quotes have been taken from various risk management & anti – corruption standars, best practice & guidelines.
eThekwini Municipality - EXCO ERM 18
THOUGHT PROVOKING QUOTES:“The true measure of a man is who he is when nobody is watching”;
“Perception is more powerful than fact when it comes to fraud/corruption”;
“If you don’t invest in risk management , it does not matter what business you are in, it’s a risky business”
“The greatest contributions of risk managers is just carrying a torch around and providing transparency”
19
LET WHO WE ARE & OUR LIVES REPRESENT THE LIGHT THAT WE PROVIDE , &:
KEEP THE LIGHT BURNING.....ALWAYS“Siyabonga”
“Thank You”20
