risk management strategy risk managem… · workshop for risk/fraud reports to management and...
TRANSCRIPT
RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY
2012/13
MOHOKARE LOCAL MUNICIPALITY CHIEF RISK OFFICER
DOCUMENT NO. RMS002
RESPONSIBLE DEPARTMENT RISK MANAGEMENT
DATE APPROVED 16 JULY 2012
NEXT DATE MAY/JUNE 2013
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 2
RISK MANAGEMENT STRATEGY
1. FOREWORD
The Municipal Manager must ensure that a risk assessment is conducted regularly to identify
emerging risks of the municipality. A risk management strategy must be developed to respond to
all risks affecting the municipality, which must include a fraud prevention plan. The strategy
must be clearly communicated to all officials to ensure that the risk management strategy is
incorporated into the language and culture of the municipality.
Mohokare Local Municipality is faced with internal and external factors and influences that
make it uncertain whether and when they will achieve its objectives. The effect this uncertainty
has on an organization's objectives is “risk”. All activities of an organization involve risk.
Risk Management Strategy is developed in line with the Public Sector Risk Management
Framework.
The development of this Risk Management is a systematic, timely and structured approach to
risk management which contributes to efficiency and to consistent, comparable and reliable
results.
The strategy will assist the municipality to achieve its operation clean audit of 2014
2. VISION
To identify and mitigate risks ensuring sustainability and attainability of Mohokare Local
Municipality objectives.
3. OBJECTIVES
To provide assurance to Council, Management, Risk Management Committee and Audit
Committee that risks are properly addressed.
To provide appropriate learning opportunities for the municipality and its stakeholders.
Integrating risk management to all business activities across the municipality.
To improve operations, communication and reporting in the municipality.
To ensure stakeholders confidence and trust.
Ensure compliance and improved governance
Improve loss prevention, incident management and minimize losses;
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 3
4. STRATEGIES TO BE IMPLEMENTED
4.1 ACTION PLAN FOR CHIEF RISK OFFICER:
QUARTER ACTIVITIES KEY PERFORMANCE
INDICATORS
July -September
2012 (1)
Review Risk Management Policy and
Framework
Review Fraud Prevention Plan
Conduct risk management workshop for
all employees on Risk Management
Policy including Fraud prevention Plan
Conduct risk assessment on macro-
operational (SDBIP) and IDP projects
Conduct operational risk assessment:
o Income/revenue
o Procurement
o Payment/expenditure
o Reporting (Accounting)
o Information and Technology
o Municipal Planning: IGR, IDP &
PMS
Include risk management in Sec 56/7
manager as KPI.
Develop risk registers and
implementation plans including fraud
risk assessment.
Develop control framework for XDM
Risk management training/fraud
Report monthly to management on
progress made.
Quarterly reports to Council,
management and committees.
Approved Risk
Management Strategy
Approved Fraud
Prevention Plan
Risk Register: Macro-
operational risks
Risk Registers:
o Income
o Procurement
o Expenditure
o Reporting
o IT
o Municipal planning,
IGR, IDP & PMS Performance plans for
Municipal Manager &
Directors includes Risk
Management
Risk registers &
Implementation plans
Control Framework
Workshop for Risk/Fraud
Reports to management and
council on the number of risk
managed, not managed and
in-progress.
October –
December 2012
(2)
Monitoring the implementation of risk
controls by departments.
Monitoring the implementation of
project risks by project owners.
Monitoring the implementation of Fraud
Prevention measures.
Conduct operational risks assessment for
records management/archives.
Risk management training/fraud
Report monthly to management on
progress made.
Implemented controls by
all departments
Risk Managed, not
managed and in-progress Risk registers
Implemented controls by
all departments
Risk Managed, not
managed and in-progress
Workshop for Risk/Fraud
Reports to management and
council on the number of risk
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 4
Quarterly reports to Council,
management and committees.
managed, not managed and
in-progress.
January –
March 2013 (3)
Monitoring the implementation of risk
controls by departments.
Monitoring the implementation of
project risks by project owners.
Monitoring the implementation of Fraud
Prevention measures.
Conduct operational risk assessment on
Human resource management, labour
relations, and administration
Conduct risk assessment on revised
budget and IDP projects.
Risk management training/Fraud
Report monthly to management on
progress made.
Quarterly reports to Council,
management and committees.
Implemented controls by
all departments
Risk Managed, not
managed and in-progress
Risk registers
Revised risk registers
Workshop for Risk/Fraud
Reports to management and
council on the number of risk
managed, not managed and
in-progress.
April – June
2013 (4)
Assist in the IDP and SDBIP
preparations.
Conduct risk assessments: Strategic and
micro-operational
Report monthly to management on
progress made.
Quarterly reports to Council,
management and committees.
Annual report on the effective
Implementation of risk management in
the municipality.
Compliant and credible
IDP, SDBIP
Strategic risk register
Workshop for Risk/Fraud
Reports to management and
council on the number of risk
managed, not managed and
in-progress.
4.2 ACTIVITIES:
Conducting risk assessments in three phases namely:
o Macro – operation from Service Delivery and Budgeting Implementation Plan.
o Operational risks from the business units
Monitoring and reporting to Council, Management, Risk Management and Audit
Committee.
Workshops to employees on risk management.
Risk owners must own their risks i.e. directors, manager and officers and all other
officials
Projects and contracts will be separately assessed.
Risk register, Risk Management Response Plan must be developed and updated regularly.
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 5
5. BENEFITS
Ensure smooth operations and contribute to the operation clean audit for 2014 and
beyond.
Improved governance and compliance.
6. REPORTING LINE FOR THE CRO AND OTHER STAKEHOLDER
Council
Audit Committee
Municipal Manager
Risk Management
committee
Chief risk Officer Risk Practitioner
Budget & Treasury
Office Technical
Development Corporate
Services
Community
services
7. REVIEW AND ASSURANCE
Internal audit
Risk Management Committee
Audit and Performance Committee
8. ACCOUNTABILITY
Municipal Manager, Directors, Managers and employees are fully accountable for managing
their risks to an acceptable level. The responsibilities outlined in the Risk Management policy
must be discharged.
9. AUTHORITY
Risk Management Unit through the Chief Risk Officer has all the authority to request
information, suggest possible solutions, and inform management on the implementation of Risk
Management Framework in Mohokare Local Municipality.
10. RESOURCES
TYPE DESCRIPTION
Personnel Chief Risk Officer
Risk Practitioner
Equipment/Tools Computer/Lap-top
Projector
Colour printer
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 6
Banners (2)
Stationery Files (arch liver)
Permanent markers
White board markers
Printing papers
Binder
11. COMMUNICATION AND REPORTING
Regular communications will all stakeholders will be done through reports, registers,
publications and awareness. Risks will be reported to the Chief Risk Officer by the risk
owners/champions on regular bases. Update to the risk register will be made to accommodate
any amendments.
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 7
RISK MANAGEMENT FRAMEWORK
I. MANDATE
MFMA, Sec 62. (1) The accounting officer of a municipality is responsible for managing the
financial administration of the municipality, and must for this purpose take all reasonable steps
to ensure that:
(c) That the municipality has and maintains effective, efficient and transparent system;
(i) of financial and risk management and internal control; and
(ii) of internal audit operating in accordance with any prescribed norms and standards…
TREASURY REGULATIONS
3.2.1
The accounting officer must ensure that a risk assessment is conducted regularly to
identify emerging risks of the institution. A risk management strategy, which must
include a fraud prevention plan, must be used to direct internal audit effort and priority,
and to determine the skills required of managers and staff to improve controls and to
manage these risks. The strategy must be clearly communicated to all officials to ensure
that the risk management strategy is incorporated into the language and culture of the
institution.
II. RISKS LEVELS
STRATEGIC RISKS
MACRO-OPERATIONAL
RISKS
OPERATIONAL RISKS
STRATEGIC OBJECTIVES
IDP
MACRO-OPERATIONAL
OBJECTIVES
SDBIP
OPERATIONAL
OBJECTIVES
DEPARTMENTAL
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 8
III. RISK MANAGEMENT PROCESS
Municipal context:
DIRECTORATE KEY PERFORMANCE AREAS
Office of the Mayor, Speaker and Municipal
Manager
Good governance and Public Participation
Basic services delivery
Municipal transformation and Institutional
development
Municipal Financial viability
Local Economic Development
Technical Services
Community Services
Corporate Services
Budget and Treasury Office
Evaluate and understanding the municipality’s strategic and operational objectives.
Analyzing the processes within the municipality.
SWOT analysis.
Key drivers/ indicators.
Risk identification:
Identify sources of risk in a goal and process.
Identify areas of impacts and events and their causes.
Methods of risk identification
Workshops and interviews;
Brainstorming and risk process flow analysis
History
Risk analysis:
Identify and analyse causes and sources of risks
Analyse positive and negative consequences of risks
Analyse the likelihood and impact of risks (levels)
Risk evaluation:
Quantifying the risks in terms of likelihood and impact
Measurement of risks using the likelihood and impact table
Rating the risks and voting for strategic risks
LIKELIHOOD (OCCURRENCE):
High 3 Event occurs daily or weekly
Medium 2 Event occurs monthly
Low 1 Event occurs quarterly or yearly
Activities Process Goals Risks
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 9
IMPACT (CONSEQUENCES):
High 3 Cost increases by >5% or more
Medium 2 Cost is material more than 2% but less than 5% or Reputational
Low 1 Cost is fairly low (insignificant) i.e. less than <2%
GRAPH
Imp
act
0
1
2 3
3 6 9
2 4 6
1 2 3
1 2 3
Likelihood
Risk control:
Reduce the risk
Transfer the risk
Accept the risk
Eliminate risk
PROBABILITY (LIKELIHOOD X IMPACT)
High 6 - 9 Immediate escalation of risk to Senior Management for prioritized risk treatment or
Response plan.
Weekly reviews of progress by Senior Management.
Medium 3 - 5 Escalation of risk to Line Management for discussions and appropriate response
Response plan.
Monthly monitoring of risk and progress the treatment plan
Low 1 – 2 Bi-Monthly monitoring of risk and progress.
No immediate need to develop further treatment or response plan
CONTROLS
4 Adequate and effective
3 Adequate
2 Partially adequate
1 Not adequate
Reporting:
Risk registers, Risk Response Plan
Monthly and quarterly reports to the Council, Municipal manager, management and
Committees.
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 10
Risk monitoring and evaluation:
Refer to the Risk control above
Risk review:
Annually review risks to ascertain the adequacy in control measures implemented and
identify any changes in the environment.
IV. RISK APPETITE
It is the loss the municipality is willing to accept for a given risk-reward ratio.
V. RISK APPETITE STATEMENT
Mohokare Local Municipality is a risk taker; risk profiling will be done for individual risks that
will guide the municipality in establishing risk appetite. Risk appetite will be given for each
individual risk.
Risk Management Committee reviewed the risk management Strategy and Framework and
Policy.
Prepared by:
___________________________________ _____________________
Chief Risk Officer Date
APPROVED BY:
______________________________ ____________________
Municipal Manager Date
Not addressed In progress Addressed
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 11
RISK MANAGEMENT POLICY
Organisation : MOHOKARE LOCAL MUNICIPALITY
Policy : Risk Management
Policy number : RMP102
Effective date : 1 July 2012 – 30 June 2013
A. BACKGROUND
MFMA, Sec 62. (1) The accounting officer of a municipality is responsible for managing the
financial administration of the municipality, and must for this purpose take all reasonable steps
to ensure that:
(c) That the municipality has and maintains effective, efficient and transparent system;
(i) of financial and risk management and internal control; and
(ii) of internal audit operating in accordance with any prescribed norms and standards…
The Municipality is establishing systems that will enable it to respond to unforeseen events with
negative consequences financially or otherwise. The risk management policy seeks to give
guidance to Mohokare Local Municipality in managing risks in a holistic manner.
B. RISK MANAGEMENT PHILOSOPHY
“The management of risks is the responsibility of every employee in Mohokare Local
Municipality”.
C. STATEMENT
The Mohokare Local Municipality’s Council and Management commit themselves to maximize
the achievement of the municipality’s goals and objectives by being pro-active and inclusive in
managing risks.
D. DEFINE ‘RISK’
An unwanted outcome, actual or potential, to the institution’s service delivery and other
performance objectives, caused by the presence of risk factor(s). Some risk factor(s) also present
upside potential, which management must be aware of and be prepared to exploit. This definition
of “risk” also encompasses such opportunities.
E. DEFINE ‘RISK MANAGEMENT’
A systematic and formalised process to identify assesses, manage and monitor risks.
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 12
F. REASONS FOR POLICY
Clear roles and responsibilities in managing risks
Standard methodologies and techniques for the management of risks
A consistent view of risk profile across the municipality.
A cultural awareness of risks.
Integration of risk management environment within the municipality
Promote good corporate governance in the municipality.
The effective management of risks will ensure sustainability and value creation.
G. PARTIES TO THE POLICY
The following parties should know the policy:
Council
Municipal Manager
Directors
Middle management
Employee
Service providers
H. SPONSOR:
Chief Risk Officer
Contact:
Mbulelo Tshofela
Chief Risk Officer
Telephone: 051 713 9300 ext: 320
Cell: 073 620 5007
Fax: 086 6238309
E-mail: [email protected]
I. OWNER OF THE POLICY
Council
J. RISK MANAGEMENT APPROACH
Design of framework for managing risks
Implementing risk treatment
Monitoring and review of the risk framework
Continual improvement of the framework
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 13
K. RESPONSIBILITIES FOR STAKEHOLDERS:
COUNCIL
Providing oversight and direction to the Municipal Manager on the risk management
related strategy and policies;
Having knowledge of the extent to which the municipal manager and management have
established effective risk management in their respective units;
Awareness of and concurring with the institution's risk appetite;
Reviewing the institution's portfolio view of risks and considers it against the institution's
risk tolerance;
Influencing how strategy and objectives are established, institutional activities are
structured, and risks are identified, assessed and acted upon;
Requiring that management should have an established set of values by which every
employee should abide by;
Insist on the achievement of objectives, effective performance management and value for
money.
MUNICIPAL MANAGER
The municipal manager must develop and publish a risk management policy.
Municipal manager is responsible for putting systems in place to ensure that risk
management is properly implemented.
Municipal manager has a responsibility to participate in the risk identification process in
order to add value and ensure that all factors (internal and external to the institution) that
could hinder the institution's objectives are taken into account during the process.
The municipal manager should review the risk profile as assessed for its accuracy and
approve thereof.
The municipal manager can utilise the Risk Management Committee to perform their
function with regards to the Risk Assessment
The municipal manager should regularly review all risks that have exceeded tolerance
level.
MANAGEMENT
Acknowledges the "ownership" of risks within their functional areas and all
responsibilities associated with managing such risks;
Cascades risk management into their functional responsibilities;
Empowers officials to perform adequately in terms of risk management responsibilities
through proper communication of responsibilities, comprehensive orientation and
ongoing opportunities for skills development;
Holds officials accountable for their specific risk management responsibilities;
Maintains the functional risk profile within the institution's risk appetite;
Provides reports on the functional risk management consistent with the institution's
reporting protocols (including appearing before committees);
Aligns the functional and institutional risk management methodologies and processes;
Implements the directives of the municipal manager concerning risk management;
Maintains a harmonious working relationship with the CRO and supports the CRO in
matters concerning the functions risk management;
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 14
Maintains a harmonious working relationship with the Risk Champion and supports the
Risk Champion in matters concerning the functions risk management;
Keeps key functional risks at the forefront of the management agenda and devote
personal attention in overseeing the management of these risks.
CHIEF RISK OFFICER
Working with senior management to develop the overall enterprise risk management
vision, risk management strategy, risk management policy, as well as risk appetite levels
for approval by the municipal manager and council;
Communicating the risk management policy, risk management strategy and risk
management implementation plan to all stakeholders in the institution;
Setting up of the risk management structure and risk management reporting lines within
the institution;
Continuously driving the risk management process towards best practice;
Developing a common risk assessment methodology that is aligned with the institution's
objectives at strategic, tactical and operational levels for approval by the municipal
manager;
Coordinating risk assessments within the institution department on a regular basis;
Sensitising management timeously of the need to perform risk assessments for all major
changes, capital expenditure, projects, institutional restructuring and similar events, and
assist to ensure that the attendant processes, particularly reporting, are completed
efficiently and timeously;
Assisting management in developing and implementing risk responses for each identified
material risk;
Participating in the development of the combined assurance plan for the institution,
together with internal audit and management;
Ensuring effective information systems exist to facilitate overall risk management
improvement within the institution;
Continuously transferring risk management principles and practices, through training
interventions, to all stakeholders within the institution;
Advising management in the development of financing structures;
Performing a PEST(EL) analysis to identify emerging risks facing the institution for
further action and intervention;
Collating and consolidating the results of the various assessments within the institution;
Analysing the results of the assessment process to identify trends, within the risk and
control profile, and develop the necessary high level control interventions to manage
these trends;
Compiling the necessary reports to the Risk Management Committee;
Providing input into the development and subsequent review of the fraud prevention
strategy, business continuity plans, occupational health, safety and environmental policies
and practices and disaster management plans.
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 15
INTERNAL AUDIT
Responsibilities of Internal Audit in risk management include:
Reviewing the risk philosophy of the institution. This includes the risk management
policy, risk management strategy, fraud prevention plan, risk management reporting
lines, the values that have been developed for the institution;
Reviewing the appropriateness of the risk tolerance levels set by the institution taking
into consideration the risk profile of the institution;
Providing assurance over the design and functioning of the control environment,
information and communication systems and the monitoring systems;
Providing assurance over the institution's risk identification and assessment processes;
Utilising the results of the risk assessment to develop long term and current year internal
audit plans;
Providing independent assurance as to whether the risk management strategy, risk
management implementation plan and fraud prevention plan have been effectively
implemented within the institution;
Providing independent assurance over the adequacy of the control environment. This
includes providing assurance over the effectiveness of the internal controls implemented
to mitigate the identified risks.
EMPLOYEES
Familiarity with the overall enterprise risk management vision, risk management strategy,
fraud risk management policy and risk management policy;
Acting in terms of the spirit and letter of the above;
Applying the risk management process to their respective roles;
Focusing upon identifying risks and reporting these to the relevant risk owner. Where
possible and appropriate, manage these risks;
Acting within the risk appetite and tolerance levels set by the business unit;
Adhering to the code of conduct for the institution;
Maintaining the functioning of the control environment, information and communication
as well as the monitoring systems within their delegated responsibility;
Providing information and cooperation with other role players;
Participation in risk identification and risk assessment within their business unit;
Implementation of risk responses to address the identified risks;
All personnel who suspect that some kind of fraud has been attempted or committed, to
immediately report their suspicion to their respective departments;
Should the employee wish to remain anonymous, they may contact the external fraud
Hotline to report the matter.
RISK MANAGEMENT COMMITTEE
Review the risk management policy and strategy and recommend for approval by the
municipal manager and council;
Review the risk appetite and tolerance and recommend for approval by the municipal
manager and council;
Review the institution's risk identification and assessment methodologies to obtain
reasonable assurance of the completeness and accuracy of the risk register;
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 16
Evaluate the effectiveness of mitigating strategies to address the material risks of the
Institution;
Report to the municipal manager any material changes to the risk profile of the
Institution;
Review the fraud prevention policy and recommend for approval by the municipal
manager and council;
Evaluate the effectiveness of the implementation of the fraud prevention policy;
Review any material findings and recommendations by assurance providers on the
system of risk management and monitor that appropriate action is instituted to address the
identified weaknesses;
Develop goals, objectives and key performance indicators for the Committee for approval
by the municipal manger;
Develop goals, objectives and key performance indicators to measure the effectiveness of
the risk management activity;
Set out the nature, role, responsibility and authority of the risk management function
within the Institution for approval by the municipal manger, and oversee the performance
of the risk management function;
Provide proper and timely reports to the municipal manger on the state of risk
management, together with aspects requiring improvement accompanied by the
Committee's recommendations to address such issues.
AUDIT COMMITTEE
Gains thorough understanding of the risk management policy, risk management strategy,
risk management implementation plan, and fraud risk management policy of the
institution to enable them to add value to the risk management process when making
recommendations to improve the process;
Reviews and critiques the risk appetite and recommends this for approval by the
municipal manager;
Reviews the completeness of the risk assessment process implemented by management to
ensure that all possible categories of risks, both internal and external to the institution,
have been identified during the risk assessment process. This includes an awareness of
emerging risks pertaining to the institution.
Reviews the risk profile and management action plans to address the risks;
Reviews the adequacy of adapted risk responses;
The audit committee must monitor the progress made with the management action plan;
Reviews the progress made with regards to the implementation of the risk management
strategy of the institution;
Facilitates and monitors the coordination of all assurance activities implemented by the
institution;
Reviews and recommends any risk disclosures in the annual financial statements;
Provides regular feedback to the municipal manager on the effectiveness of the risk
management process implemented by the institution;
Reviews the process implemented by Management in respect of fraud prevention and
ensures that all fraud related incidents have been followed up appropriately;
Reviews and ensures that the internal audit plans are aligned to the risk profile of the
institution;
MOHOKARE MUNICIPALITY: RISK MANAGEMENT STRATEGY, FRAMEWORK & POLICY Page 17
Reviews the effectiveness of the internal audit assurance activities and recommends
appropriate action to address any shortcomings.
L. COMMUNICATION
Risk Management Policy will be communicated to all stakeholders through workshops, training
and publications.
M. MONITORING AND REPORTING
The risk management efforts will be monitored and measured in accordance with the approved
Risk Management Framework. Risks owners/ champions will report risks to the Chief Risk
Officer to update risk register.
N. POLICY REVIEW
In order for the municipality to respond effectively to the changes in the environment, the policy
will be reviewed annually.
O. RESOLVING CONFICT OF INTEREST
Approved Risk Management Framework will have a common language to accommodate all risk
management practitioners in the municipality e.g. Disaster risk management, Environmental
Health and Safety and Finance etc.
PREPARED BY:
______________________________ ____________________
Chief Risk Officer Date
APPROVED BY:
______________________________ ____________________
Municipal Manager Date