MMC US 116339 10 credits Apply risk management

Скачать презентацию MMC US 116339 10 credits Apply risk management

ec2a20587099f083eae4ee074033319e.ppt

Количество слайдов: 191

MMC US 116339 (10 credits): Apply risk management in South African Municipalities Dr Louw Pieterse (Ph. D, DTh) 1

CASH, INVESTMENT, ASSET AND LIABILITYCONTEXT MANAGING RISK IN A MUNICIPAL MANAGEMENT 2

Notional hours: 10 credits, 100 hours: Class contact including class assessment: 16 hours. Take-home preparation of individual and small group exercises and class assessment Learning Tasks p 28; 39; 63 & 89 of Learner Guide: 4 hours. Preparation of take-home assignment: 80 hours. 3

• SPL MUNICIPAL MINIMUM COMPETENCY TRAINING PROGRAMMES: ASSESSMENT POLICY • In ensuring quality and credibility, all Unit Standard assessments will be dealt with as follows: 4

1. Each Unit Standard will have at least two individual assessments that will contribute to the finding on whether a candidate is competent or not yet competent. The facilitator/assessor of the particular Unit Standard must prepare an assessment plan before the contact session, taking into consideration the Unit Standard outcomes and clearly prescribing the types of assessments, the conditions under which they will be set, when they will be taken and/or submitted, the contribution weight of each assessment to the final mark, how the assessment plan varies from that provided for in the learner guides and what is considered to be threshold for being competent. 5

2. The assessment plan must be explained to participants during the first introductory session of the contact time. 6

3. The first of the minimum of two individual assessments will be written during the contact time of the unit standard and will be fully controlled by the facilitator/assessor who shall act as invigilator as prescribed by Stellenbosch University policy. The format of the assessments may vary, but it is accepted that it will be open book and designed to test ability to do the techniques (e. g. exercises with calculations) and / or insight (e. g. case studies). The facilitator will determine whether in-class assessments may be typed on personal computers and submitted electronically while the facilitator and participant is still in class. Submission afterwards is not permitted. 7

4. The second of the minimum of two individual assessments will be in the format of an applied takehome written assignment bringing theory and practice together. This will be scheduled for submission one calendar month after the last contact day of the Unit Standard. Submission of this assessment must be done by means of a document upload onto www. splshortcourses. co. za. 8

5. A participant must pass all assessments with at least 50% for each to be found competent. If it is decided to include group assessments done during the contact time as part of the assessment plan, it may not contribute more that 20% of the 50% of the contact time assessments and in that case the average mark of the different contact session assessments must be at least 50%. If the group assessment is in the form of a presentation, only group members present during the presentation will earn the group mark. 9

6. All assessments for a Unit Standard will be completed by assessors six weeks after the final assessment submission date and be submitted together with the assessment plan, a memorandum setting out the model answers and comments on individual assessments. These documents must be submitted with the assigned SPL MMC Assessment Coordinator, who shall then in turn submit the assessments for moderation and eventually verification. 10

8. A participant found not yet competent will be given a second opportunity for assessment only if he/she has attended at least eighty per cent of the contact time. The attendance register circulated twice per day will be used as evidence for allowing the second opportunity. Should the rewrite – in the case of the contact time assessment and/or resubmission – in the case of the take-home assignment - still result in a not yet competent result, the participant must re-register and redo the Unit Standard. 11

9. A participant that has – for a proven work-related or serious health reason – not been present during the contact time assessment, but has attended at least fifty per cent of the contact time, will be allowed to do the assessment at the same opportunity scheduled for participants referred to in item 8 above. The attendance register circulated twice per day will be used as evidence for allowing such an opportunity, but should the participant be found not yet competent, no further opportunities will be granted and he/she must re-register and redo the Unit Standard. 12

Purpose of this Unit Standard This unit standard is intended for people involved in municipal finance management or other persons as identified in GG 22967. Persons credited with this unit standard are able to: • Apply the core concepts of risk management in a South African municipality. • Inform policy decision and strategic decision-making processes about the importance of risk management in municipalities. 13

On completion of this Unit Standard you should be able to: • Identify the role played by risk management in a municipality; • Interpret and apply legislation relevant to municipal risk management in South African municipalities; • Demonstrate how risk management contributes to good governance; • Develop a municipality wide risk management and reporting system; • Develop a risk management process. 14 4

Unit 1. Risk and the importance of managing risk in a municipal environment Learning outcomes: • Explain why risk management is important; • Identify and analyse the significance of risk management malpractices in failed entities; • Understand the accountability structure of municipal risk management. 15 9

Critical! • Test – 2 versions with a twist • Assignment! Individual work 16

Practical slides 17

Risk definition 9 -11 • the “chance of something happening that will have an impact on objectives. It is often specified in terms of an event or circumstance and the consequences that may flow from it. It is measured in terms of a combination of the consequences of an event and their likelihoods. It may have a positive or negative impact. ” (Australia/ New Zealand Standard Risk Management AS/NZS 4360: 2004) 18 11

Risk Management definition • the “the culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects. ” (Australian and New Zealand Risk Management Standard AS 4360: 2004) 19 11

Case Study: Walking Into Risk - p 13 20 13

• P 13 Identify risks Thato expose to? • Anything to reduce impact of risk? • Any risks on way here? • What did you di about them? 21

What is risk? Risk is the possibility of an incident taking place that can affect desired outcomes. It is measured in terms of likelihood and consequence Measuring Criteria! Positive risk adds value and enhances a municipality’s ability to attain goals. 14 -5. 1. 1. 1 22

What is risk? Not all risk is bad…. • Negative risk consequences drain resources and interfere with a municipality’s financial stability and ability to fulfil its service delivery mandate. • Positive risk consequences produce better than expected results or unexpected opportunities. ? ? ? ? 23 15

What is Risk Management? A continuous, proactive and systematic process, effected by a municipality’s executive authority, accounting officer, management and other personnel, applied in strategic planning and across the municipality, designed to identify risks and manage those risks, to the extent necessary and possible, to provide reasonable assurance regarding the achievement of the municipality’s objectives. 16 - 5. 2. 1. 5 24

Enterprise (or integrated) Risk Management Enterprise risk management (ERM) in an organisation includes the methods and processes used to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, organisations protect and create value for the organisation, its employees, customers, regulators, and society overall. Wikipedia 25 16

Enterprise (or integrated) Risk Management …. Cont. ERM can also be described as a risk-based approach to managing an organisation, integrating concepts of internal control, and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. 26 16

Why manage risks? • Risk management is pro active and anticipatory – enabling a municipality to achieve its objectives with greater certainty • A robust risk management process aims at increased awareness, transparent evaluation, and sound mitigation of risks facing a municipality • As a management tool, an integrated risk management framework assists in achieving objectives more efficiently. Risk management as a management tool also promotes effective and efficient resource utilization. National Treasury 27 16

Why manage risks? Risk Management Objectives. • To identify and prioritise risks arising from municipal strategy and operations. • Determine level of risk acceptable to the municipality. • Design and implement risk mitigation or management strategies. • Continually monitor and review risk and appropriateness of risk practices. • Contribute to good governance. 28

We all manage risk • • Non-Smokers - ‘avoid’ most of the risk Smokers - ‘accept or absorb, TAKE the risk Quitters - ‘mitigate or control’ the risk ? Incorrect why? Insurance - ‘transfers’ the risk • • • Accepet Mitigate Avoid Transfer Outsource ? ? 29

We all manage risk Other examples? 30

Why is risk management important? It is integrated into municipal operations Efficient and effective service delivery Informed strategic and operational planning Enhances governance and accountability in decision-making • Limits the number of operational surprises • • 31 16

The importance of Risk Management It’s key benefits: • promotes effective and efficient service delivery • provides a more rigorous basis for strategic management • objectives are more likely to be achieved; • damaging problems are less likely to happen; • beneficial opportunities are more likely to be achieved. It’s potential benefits • supporting strategic and business planning; • supporting effective use of resources; • promoting continuous improvement; • fewer shocks and unwelcome surprises; • quicker grasp of new opportunities; • enhancing internal communications; • reassuring stakeholders; • helping focus the internal audit programme; 32 17

Case Studies: p 18 -21 Read answer the three questions at the end 33 18 -21

Responsibility and accountability for Risk Management COUNCIL Executive Mayor / Exco Audit committee Accounting Officer Risk Committee Internal Audit Chief Risk Officer Possible risk management Organisational structure Metro or large B 34 21

Responsibility and accountability for Risk Management COUNCIL Audit committee Mayor Accounting Officer = CRO Risk Committee Internal Audit Delegate Risk Management Possible risk management Organisational structure Small B 35 22

Responsibility for Risk Management • Municipal council sets policy • Executive mayor/committee have immediate political oversight • Accounting officer ensures that policy is implemented • Risk Committee and Chief Risk Officer ensure execution on a day-to-day basis 36 22 -24

Risk Management Policy Statement (23) The risk management policy is a brief statement about the Institution's commitment to risk management. It can be replicated in the risk management plan. The Policy should be published and circulated to existing and new staff as part of the risk awareness strategy. The objectives of the risk management policy could include: • Alignment of risk-taking behaviour of Institution with strategic business objectives; • To promote a risk management culture in all sphere of government and improve risk transparency to the shareholder; • To maximise stakeholder’s value and net worth by managing risks that may impact the defined financial and performance drivers; • To assist the Institution in enhancing and protecting those opportunities that represent the greatest service delivery benefits. National Treasury Risk Management Framework 37 23

Roles and Responsibilities – with respect to Risk Management • • • The Executive Authority The Accounting Officer/Authority The Audit Committee The Risk Management Committee The Chief Risk Officers Management Other Officials The Internal Audit The External Audit The National Treasury page 22 -25 38

The reality It is often found: • Risk Management has been allocated to one official. • The Risk Management unit has been created at a low level • Risk Management is treated as a compliance exercise What should happen: • Ownership of risk management should be imposed on all managers in the municipality. • Risk management should not be seen as an operational issue, but as a strategic initiative with critical and wide objectives. • After compliance with establishing risk management policies, plans, registers – purposeful action should follow 39

The role of Internal Audit Internal auditors should obtain sufficient evidence to satisfy themselves that the key objectives of the risk management process are being met in order to form an opinion on the adequacy of the risk management process. 40 25

The role of Internal Audit • Internal Audit is one of the key departments in municipal risk management. • It is through internal audit work that the management and the municipal council can obtain comfort that the risk management system is operating effectively. • In order to give a reliable opinion internal audit should avoid assuming responsibility for risk management. 41 25

The role of Internal Audit Ensure: • Effectiveness of risk management system • Procedures are in place to determine acceptable levels of risk • Risks are managed to acceptable levels and internal controls are in operation to mitigate risks • Risk monitoring and review mechanisms are in place and operating effectively. 42 25

RISK MANAGEMENT AND STRATEGIC PLANNING IS THE ESTABLISHMENT OF A CLEAR ACTION PATH BETWEEN: 1. WHERE THE ORGANIZATION IS………. 2. WHERE IT WANTS TO GO………. . 3. ………. AND HOW IT CAN GET THERE. • ASSESSMENT OF WHERE IT IS – SITUATIONAL ANALYSIS (ENVIRONMENTAL SCANNING) – RESOURCE ASSESSMENT – SWOT ANALYSIS - ENVIRONMENTAL RISK ASSESSMENT** • ESTABLISH OBJECTIVES OF WHERE IT WANTS TO GO – ESTABLISH POLICY PRIORITY GUIDELINES 43

RISK MANAGEMENT AND STRATEGIC PLANNING – OBJECTIVE/GOAL SETTING, AFTER CONSIDERING: • ALL THE COMPETING OPTIONS • COMPARATIVE/SENARIO ANALYSIS (CBA ETC) • RISK ASSESSMENT OF COMPETING OPTIONS** • COSTING OF PLAN/S • FORECASTING EXERCISES, INCLUDING SOCIAL AND ECONOMIC TRENDS ETC. • ALLOCATING RESOURCES TO HIGHEST PRIORITIES AND BEST OPTIONS • FINANCIAL ALIGNMENT (PLANS VS. BUDGET ALLOCATION) • DEVISE STRATEGIES OF HOW IT WILL GET THERE. • - VERIFICATION OF ‘BEST OPTIONS’ AGAINST POLICY PRIORITIES – DEVISE ACTION PLANS WITH MEASURABLE OBJECTIVES, WITHIN ORGANIZATION’S MAIN DIVISIONS AND PROGRAMMES - TO. PROVIDE A STRUCTURED OPERATIONAL FRAMEWORK FOR THE ORGANIZATION. – INCLUDE RISK MANAGEMENT PLAN** 44

Risk Management limitations (27) Limitations through: • Poor management processes • Changes in policy, programmes, economic conditions etc. • Poor decision-making • Collusion between managers and employees to override the risk management process • Insufficient capacity to meet risk management requirements • Poor assessment and prioritisation of risks 45 27

LEARNING ACTIVITY p 28 46

Unit 2 – The Legislative Framework Learning outcomes: • Interpret and apply legislation relevant to municipal risk management • Understand apply principles in regulations relevant to municipal risk management • Identify and apply relevant recommendations in commissioned risk management frameworks to municipal risk management 47 30

Key concepts • Page 30 – 31 -definitions 48

Case Studies: p 32 -33 Read answer the three questions at the end 49

The purpose of legislation To: • Implement policy • Promote good governance • Mitigate risks • Ensure that municipalities fulfill their service delivery mandates 50 33

Legislation that is relevant to municipal risk management • • • Municipal Finance Management Act 5. 1. 4. 1. Municipal Systems Act 5. 1. 4. 2. Disaster Management Act 5. 1. 4. 3. Occupations Health and Safety Act 5. 1. 4. 4. Hazardous Substances Act. 5. 1. 4. 5. 51 34

The MFMA Section 62(1)(c). Requires the Accounting Officer to ensure that the municipality has an effective and efficient and transparent system of financial and risk management that is supported by a system of internal control. 52 34

The MFMA Requirements: • Account for and maintain safe custody of all revenue and assets • Prepare and approve budgets before the start of each financial year. Incur expenditure within approved budget limits. • Duties of mayor and other officials • Internal Audit must advise on risk. 53 35

The Municipal Systems Act Requirements: • Inclusive system of government • Implement Integrated Development Plans • Develop and approve policies regarding indigence, credit control and tariffing • Monitoring of performance • Service provision standards and equity • Code of conduct for councillors and employees 54

Disaster Management Act Requirements: • Every metropolitan and district municipality must have a disaster management center. • Recruit and train volunteers • Preform disaster risk management and take steps to minimise risks • Monitor and review disaster preparedness. 55 35

Occupational Safety and Health Act Requirements: • Provide for the health and safety of employees in the conduct of their work • Establish health and safety oversight committee • Identify and evaluate risks • Take steps to protect employees 56 35

Hazardous Substances Act Requirements: • Ensure hazardous substances are handled in a manner that does not endanger employees and the public • Employ skilled employees in an area of hazardous substances handling • Limit use of certain electronic products 57 36

Other Risk Management Frameworks Other frameworks: • National Treasury Risk Management Framework • King I, lll 58 37

KING III • Advocates a risk based approach to internal audit • Internal audit should objectively assess the effectiveness of risk management and the internal control frameworks • Risk management should include fraud and IT risks • The Board (Executive) should take more responsibility for the governance of risk 59

The National Treasury Risk Management Framework 1) Definitions 2) Purpose, Applicability and Background 3) Creating an enabling environment 4) Integration of Risk Management activities 5) Risk Identification 6) Risk Assessment 7) Risk Response 8) Communicating and Reporting 9) Monitoring 10) Risk Management Functions and responsibilities 11) Evaluation of risk management effectiveness 60 37

ISO 31000: 2010 ISO 31000 is intended to be a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000: 2009 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters and regions. (It is a replacement to the existing standard on risk management, AS/NZS 4360: 2004) Wikipedia 61

LEARNING ACTIVITY p 39 62 39

Unit 3 – An Integrated Risk Management Framework Learning Outcomes: • Explain the importance of implementing an integrated risk management system • Identify best practices in risk management and benchmark integrated municipal risk management against these • Understand the role of monitoring and review in the risk management process • Explain the objectives and key components of a risk management plan 63 40

The changing Risk Environment Greater emphasis on performance objectives and therefore on risks that might undermine those objectives. 64 41 -42

Change in approach to Risk Management Old approach • Fragmented – dept/function management risk – Risk is bad! • Risk management primary by Finance and Internal Audit – their job • Ad–hoc – risk management done when management felt the need • Narrow focus, primarily on finance risks and insurable risks Current approach • Integrated, with senior management oversight • Everyone in municipality views risk management as part of his/her job • Risk management process is on-going • Broad focus – all municipal risks and opportunities considered 65 f 44

Integrated Risk Management • Integrated Risk Management is an explicit and systematic approach to managing strategic, operational and project risk to organizational objectives, from an organization-wide perspective. • An integrated risk management system takes into account the organisational structure of a municipality and embeds risk management practices into all the facets of its operations • Continuous, pro-active and systematic processes to identify, understand, manage and communicate risk from a municipality-wide perspective. It is about making strategic decisions that contribute to the achievement of a municipality’s overall strategic and operational objectives. 66 41

The IRM system Must be supported by: • Risk management policy determined by Council and management based on acceptable level of risk • The identification and prioritisation of strategic and operational risks • The putting in place of acceptable mitigation or treatment strategies • The regular review of risk and mitigation strategies • The regular production of reports on the risk management process for the Council and management. 67 42

The IRM Framework provides the municipality with a mechanism to develop an overall approach to manage strategic risks by creating the means to discuss, compare and evaluate substantially different risks on the same page. It applies to an entire organisation and covers all types of risk faced by that organisation e. g. policy, operational, human resources, financial, legal, health and safety, environment, reputational. Treasury Board of Canada 68 45

The IRM/ERM Literature (best practice) • COSO – Enterprise Risk Management – Integrated Framework. • The Treasury Board of Canada Risk Management Framework. • IRM, AIRMAC and ALARM Risk Management Standard • Australia/ New Zealand Standard Risk Management, AS/NZS 4360; 2004 • SA National Treasury Framework 69 45

The importance of the IRMF The framework can: Support the municipality’s governance responsibilities by ensuring that significant risk areas associated with policies, plans, programs and operations are identified and assessed, and that appropriate measures are in place to address unfavourable impacts and to benefit from opportunities. Improve results through more informed decision-making by ensuring that values, competencies, tools and a supportive environment form the foundation for innovation and responsible risk taking, and by encouraging learning from experience while respecting oversight controls. Strengthen accountability by demonstrating that levels of risk associated with policies, plans, programs and operations are explicitly understood and that implementation in risk management measures and stakeholder interests are optimally balanced. Enhance stewardship by strengthening public service capacity to safeguard people, municipal property and interests. TBC 71 46

IRM outcomes (47) • Maximising opportunities by more effective budgets or budgeting and day-to-day operational planning. • Increased knowledge and understanding of key strategic and operational risk exposures • Fewer costly surprises, for example by increasing the ability to prevent adverse outcomes • Better outcomes in terms of municipal efficiency and effectiveness • Greater transparency in decision-making and the ongoing control of processes 72 47

IRM process Risk Manangement Process overview (AS/NZS Identify the risks Monitor and review Communicate and consult Establish the context Analyse the risks Evaluate the risks Treat the risks 73 48

IRM - Communicating and consulting • At each stage of the process • With internal and external stakeholders (levels of government, management, consumers and suppliers) 74 49+50

IRM process Identify the risks Monitor and review Communicate and consult Establish the context Analyse the risks Evaluate the risks Treat the risks 75 48

IRM - Establish the context • The strategic, organisational and risk management context – risks are examined i. t. o. threats and opportunities within context of municipality’s ‘mandate, objectives and available resources’ • Information about both internal and external environment in which the municipality operates. • Bearing in mind the purpose of risk management • Includes assigning roles and responsibilities 76 49+51

IRM process Identify the risks Monitor and review Communicate and consult Establish the context Analyse the risks Evaluate the risks Treat the risks 77 48

IRM - Identifying the risks • • Questionnaires Flowcharts Brainstorming Document review 78 49+53

IRM process Identify the risks Monitor and review Communicate and consult Establish the context Analyse the risks Evaluate the risks Treat the risks 79 48

IRM - Analysing risks (54) Impact Likelihood Risk index = impact x likelihood Determining the risk acceptance criteria – i. e. which risks can not be tolerated 80 49+54

From IRM Framework to IRM project Identify the risks Analyse the risks Monitor and review Communicate and consult Establish the context Risk Register Risk Assessments Evaluate the risks Treat the risks 81 48

Risk Analysis “Risk analysis aims to establish an understanding of the level of risk and its nature” • Level of risk is determined by combining likelihood and consequence. • It typically starts with a qualitative approach using a ‘frequency/severity worksheet’. 82 54

Frequency/severity worksheet Risk Analysis Frequency/severity worksheet – for natural disasters Resources Possible effect Frequency and Comments or potential Affected on resources severity estimate strategies Financial Uninsured low frequency Insurance. Storm Resources storm damage high severity protection for to public vulnerable building. property Human Employees low frequency Identify essential Resources unable to get to high severity employees and work arrange transportation 83

Risk analysis – assess potential risk consequences Estimate frequency and severity for each type of potential loss. Frequency : i. e. how often is the loss likely to occur? • Past records • Information from employees/insurers • brainstorming 84

Risk analysis – assess potential risk consequences Severity: i. e. how bad cumulative losses of that type are likely to be (either financial losses or interference with service delivery) • More subjective – major to a district municipality may be negligible to a metropolitan municipality • Estimate size of loss and frequency 85 55

Risk analysis – how severe is the loss? Assign a rand value to losses if possible. In the absence of values assign ‘high’ or ‘low’ frequency and severity for each type of expected loss. Consider the following: • Rand value of expected loss • Total losses the municipality can bear without stopping service delivery. • Potential effect on the community • Governing Body’s risk tolerance 86 55

Risk analysis – key risk areas to consider in more detail • Governing Body’s risk tolerance – losses tend to be more severe if the governing body is uncomfortable about these • Effect on the community – events that do not directly damage the municipality’s property such as a severe economic downturn, can reduce revenue 87 55

Risk analysis – consider key risks in more detail • Have more than one meeting if necessary but avoid lengthy meetings that hinder employees for doing their work • Carry out more research if necessary • Maintain an air of strict objectivity and avoid interpersonal clashes 88 55

Risk analysis. Map out your risks (111) A risk map segregates potential losses according to frequency and severity • It can be a useful visual guide to choosing the risks to address first, but is not essential. • You can achieve the same purpose just making lists that correspond with the categories on the map 89 55

Risk analysis – define risk map segments Simple risk maps may include as few as four segments • • High frequency/high severity Low frequency/high severity High frequency/low severity Low frequency/low severity Use six segments – low, medium and high, for greater detail 90 55

Simple Risk Map Risk Analysis Sample Risk Map Frequency Severity low medium high High Vandalism to municipal property Medium Metro police liability claims Low Severe flooding 91 55

IRM - Evaluating risks (58) Includes developing an action plan for each “maximum” or “high-level” risk. • • Identifying risk-treatment options which consider: Proposed actions Resource requirements Responsibilities Timing Performance measures Reporting and monitoring requirements 92 58

IRM Framework to IRM project Identify the risks Analyse the risks Monitor and review Communicate and consult Establish the context Risk Assessment s Risk Register Evaluate the risks Treat the risks 93 48

Risk evaluation – prioritise risks Using your analysis, choose the risks you will address first, for example: • Risks that may cause high severity losses, even if those losses are infrequent • High frequency but low severity losses that can drain financial resources due to their cumulative cost. 94 58

IRM - Treating risks Only extreme or high risks will be treated. 95 58 b

Risk evaluation – prioritise risks • Risks for which there is an obvious, cost-effective solution that can be easily implemented • Risks that threaten the municipality’s public image and reputation 96 58

Risk treatment – create an action plan With its risk priorities in hand, the team can now gather to review the results and create a comprehensive action plan to address high-priority risks. • Do not ignore the other risks, but • Direct your initial attention to those that threaten greater harm 98 59, 60

Risk treatment – 4 strategies (104) • • Avoid Reduce Retain Transfer 99 58 59

Risk treatment – develop the action plan • Work with municipal departments • Supervisors and employees will have good ideas about addressing risks • An involved employee is also more likely to follow the action plan • Consider your municipality’s ability to implement strategies – both financially and organisationally 100 59

Risk treatment – develop the action plan…… continued • Brainstorm for ideas which will prevent losses • Transferring loses and controlling losses after they occur is a possible second line of defense (recovery plan) • Identify risk of loss that remains after you have implemented your action plan and make plans for transferring or financing those risks (contracts/insurance) 101 59

Risk treatment – complete and circulate the action plan • Assemble the chosen strategies into a risk action plan endorsed by the Chief Risk Officer and Risk Committee • Obtain endorsement of the plan by the Municipal Council and/or the Mayoral Executive Committee • Share appropriate sections of the plan with departmental heads, departmental risk representatives, and other employees whose activities it affects • Prepare general information about the action plan for dissemination to the general employee population 102 59

Risk treatment – contents of the action plan • • Risk source Strategies selected Activities Target completion date Responsible person Actual date of completion Performance measures 103 59. 60

note residual risk • Exposure to loss remaining after other known risks have been countered, factored in, or eliminated inherent risk • The probability of loss arising out of circumstances or existing in an environment, in the absence of any action to control or modify the circumstances. 104 60

IRM - Monitor and review the performance of the risk management system and changes that might effect it. 105 61

The issue of Risk management capacity (61) The necessity of having adequate capacity through which to conduct a full IRM plan 106 61

The issue of Risk tolerance (62) Understand different tolerances to different risks in different municipal environments 107 62

108 108

LEARNING ACTIVITY p 63 109 63

Unit 4 – The identification of different types of risks Outcomes: • Identify different types of risks and classify them • Provide reasons why these risks need to be managed • Provide examples of risk mitigation techniques and apply them to a municipal setting 110 65

Comment 3. 2 p 66 • Different municipalities have different risks • But there is a uniform framework and process that can be adopted to establish risk context and evaluation criteria for the individual municipality • Each municipality needs to identify its own risk mitigation process. 111 66

Purpose of this Unit • Establish the context for the process of municipal risk management • Identify risks that may impact on SA municipalities • Develop risk evaluation criteria and techniques that can be considered to mitigate such risks • (bearing in mind that different municipalities have different risks) 112 67

Case Study: p 68 Read answer the three questions at the end 113

IRM process f 53 see next slide Identify the risks Analyse the risks Evaluate the risks Monitor and review Communicate and consult Establish the context Treat the risks 114

Who identifies risks? Stakeholders • Risk Committee or project team • Individuals – limited to area of expertise (in the strategic planning stage) • Individuals – extends to perception of risk in other departments or operational areas • Local Public – typically based on perception and experience of service • General Public – largely based on perception 115

Attributes best suited to risk identification Risk person profilef 55 • Reliable and committed to the success of risk management and the municipality • Should have access to research resources such as professional organisations • Be knowledgeable about the municipality and operations included in the scope of the risk management assignment • Could also be an external expert. 116

f 56 118

Risk identification So, it is important to: • understand the municipality’s context – and the SWOT within that context • build a risk profile of the municipality • produce a list of potential risks which flow from the risk profile • record the potential risks in a Risk Register 119 69

How do you identify risks? f 56 Risk identification methods • Project teams – hold brainstorm sessions • Individuals – respond to risk questionnaires individually, assemble as a group to discuss each members input and arrive at a consensus • Local public – respond to surveys an voice their views of risk through the media • Municipal staff – study historic records such as insurance claims and audit reports • Methods such as environmental scanning and SWOT analysis 120

121 121

The Risk Register Content (see page 70) 122 70

123 70 123 70

Before we start with risk examples, let us recap 124

f 56 125 71 -73

Examples of risk Risks and mitigation Mitigating against: • Strategic risks • Operational risks • Reputation risks • Asset management, infrastructure development and maintenance risks • Staff risks • Technology and information risk • Financial and economic risks • Legal, contractual and regulatory risks • Environmental risks • Business interruption and natural disaster risks 126 73

Pge 74 in the LG complete example as it would appear in risk register 127

Reputational risks The risk that an activity, action or stance performed or taken by a municipality or its officials will impair its image in the community and/or the long term trust placed in the municipality by its stakeholders, resulting in the loss of confidence and/or legal action. All risks and all related components of an organisation potentially impact on reputation. Page 76 LG 128 76

Asset management, Development and Maintenance risk The risk that a municipality’s plant and equipment may not perform to its optimum or perform at all during service delivery due to error, oversight or omission related to asset purchase, development and/or maintenance. LG page 77 129 77

Staff risks refers to threats that may be directed towards a municipality’s employees and their ability to perform their duties. These risks may originate from within the municipality or from external sources. Staff too can cause risks to a municipality LG page 78 130 78

• LG page 80 131

Financial and economic risk Any risk associated with money! The risk that a municipality will not have adequate cash flow to meet financial or service delivery obligations. LG page 81 132 81

Legal, contractual and regulatory risk (including compliance and liability) Sometimes governments change the law or enact regulations in a way that adversely affects a municipality’s ability to deliver on its mandate. Contracts may also be drafted in a way that may result in a loss to a municipality LG page 83 133 83

Environmental risks The risk associated with economic or administrative consequences of slow or catastrophic environmental pollution LG page 85 134 84

Business interruption and Natural disasters risk The risk that an unforeseen and often sudden event that causes great damage destruction and human suffering may occur Though often caused by nature, disasters can have human origns. Wars, terrorism and civil disturbances that destroy homelands are typical causes of disasters LG page 86. 135 86

External risks These are more difficult to evaluate and to mitigate against Page 87 list for info 136

Internal risks These are specific to the municipality and over which the municipality has greater control Page 87 for info 137

LEARNING ACTIVITY p 89 138

Unit 5 – the process to prepare an integrated risk model Learning outcomes: • Implement a risk management model in a municipality • Apply theory of the risk management process in a municipal setting • Understand the role and responsibilities and accountability structures for municipal risk management • Understand the municipality-wide risk management and reporting system 139 90

Case Study: p 92 Read and then do the exercise 140

Establishing IRM What should be in place…. 141 93

Municipality/organisational IRM set-up i. e. prerequisites for the risk model 93 -97 Develop risk management culture Set the tone at the top Develop and communicate risk management policy Communicate risk management issues Set-up risk management function (including the RM plan and process) • Define risk management role of other key functions/bodies • • • 142 93 -97

Defining of the objectives 97 • Organisational objectives See vision and mission statements (Remember, a risk is only as significant as the extent to which it impacts on municipal organisational objectives) • Risk management objectives Should support the organisational objectives • These are then combined as a basis for the strategic and budget management process 143 97

IRM Pillars the essentials for IRM introduction f 87 Process integration Governance Structures Communication Risk Policy Culture Integrated Risk Management 144 99

Risk management culture The ideal risk management culture is one where all municipal employees: • Identify and assess risks as these relate to their jobs • Bring issues to the attention of superiors • Take actions to strengthen controls 145 93

Key elements of Risk Culture • It is included in municipal strategy through the mission, values and vision statements • It begins with the Municipal Council and must then filter down to every unit • It is more than an annual activity. It is a core activity. • The municipality must be provided with the tools and infrastructure to manage risk like: framework, policy, training, etc. 146 93

Key elements a Risk Culture • Management must be encouraged to be open about assessing and identifying risk exposures • There should be procedures for tracking and correcting deficiencies and reporting them to senior management • A risk function with executive powers should be in place • Staff must fully understand their role. 147 93

Risk Management Policy it includes: Definition and objectives framework governance Integrated risk management Roles and responsibilities Reporting and monitoring procedures 148 94

Communication strategy f 91 • Internal – what is IRM, how will it help employees in their work? • Consumers – how will IRM affect service delivery both in the short and long term? • Government departments – particularly National Treasury on MFMA implementation • The media – municipality should have integrated and comprehensive materials for the media • Provincial and National governments – most municipalities will be using IRM analyses for their planning and budgeting, therefore IRM information will be familiar. The transparency of IRM analyses and reporting should facilitate discussions and comparisons across municipalities/regions 149 95

IRM Municipality and Governance The Risk Team should have the following clearly defined: • Roles and responsibilities – everyone must know what they are doing and where their accountability ends • Clear ownership – no duplication of work or neglected processes • Good representation – across all areas and levels of the municipality 150 97

IRM and Governance The Risk Management Committee: • Chaired by the Accounting Officer/Chief Risk Officer (independent person appointed by AO) • Represented at senior management level • Provides strategic guidance to the work of the IRM team 151

IRM and Governance Department representative/committee is responsible for: • Checking department’s compliance with IRM policy and regulatory requirements and reviewing and discussing risk issues • Communication of an IRM vision and promoting risk management culture • Providing direction of risk assessment 152

Integrated Risk Management Implementation Work Plan FG 93 A plan through which to apply the Risk Management Policy The plan documents how risk management will be conducted and includes: • Individual responsibilities • The risk management processes and activities to be undertaken • Details the schedule and budget for risk management activities • The risk management methods, tools and techniques 153 98

The structure and process of risk management Implementation of IRM Environmental scan (internal/External) Risk Management policy strategy Strategic Plan Risk Management register operations IRM guidelines Database reporting IRM Implementation plan governance consumers Continuous learning Department outcomes/objectives AS/NZS 99 4360

SUMMARY - main RM plan components 100 • Roles and responsibilities • Documentation • Risk management process tasks or activities – Establish the risks? – Establish how the threats posed by risks are identified – Establish what action to take – and what options are available • • • Risk avoidance (104) Risk reduction Risk retention Risk transfer Timetable for risk management activities Risk management tools, methods and techniques Monitor and review Change Management – monitoring and review Approaches to risk management monitoring and review 155 Risk mapping (100 -11)

156 156

IRM Implementation work plan - process integration f 93 Approve: • Integrated Risk Management Policy • Initial Integrated Risk Management Guidelines • Initial Municipal Risk Profile 157 100 -105

IRM Implementation work plan f 94 • • Establish Risk Committee IRM Implementation Project Committee Liaison among municipal department representatives Key pilot IRM project(s) based on priority decisions of municipal management 158

159 159

IRM Framework to IRM project f 95 Identify the risks Analyse the risks Evaluate the risks Treat the risks Monitor and review Communicate and consult Establish the context Risk Assessme nts Risk Register

How to analyse municipal risk f 95 161

Draw a worksheet –teams FG 95 • Critically analyse you municipality’s two most prominent risks and see if you can describe the likelihood of them happening and the severity of their impact if they should happen. Is anyone monitoring them at the moment? Who would you delegate that role in your municipality’s organisational structure? How would you suggest the monitoring is done? 162

Frequency severity worksheet FG 96 163

Assess frequency of risk consequences 164

Assess severity of risk consequences FG 97 165

Quantify loss event fg 97 • Risk Analysis • How severe is the loss? • Assign Rand value to losses if possible. In the absence of values, assign ‘High’ or ‘Low’ frequency and severity for each type of expected loss. Consider the following: • Rand value of expected loss • Total losses the municipality can bear without stopping service delivery. • Potential effect on the community. • Governing Body’s risk tolerance 166

CONSIDER MUNICIPAL COUNCIL VIEW AND IMPACT ON THE COMMUNITY FG 98 Risk Analysis Key risk areas to consider in more detail • Governing Body’s risk tolerance – losses tend to be more severe if the governing body is uncomfortable about them. • Effect on the community – events that do not directly damage the municipality’s property, such as a severe economic downturn, can reduce revenue. 167

ENCOURAGE HEALTHY RISK ANALYSIS DELIBERATIONS fg 98 • Risk Analysis • Consider key risks in more detail • Have more than one meeting if necessary but avoid lengthy meetings that hinder employees for doing their work. • Carry out more research if necessary. • Maintain an air of strict objectivity and avoid interpersonal clashes. 168

DEVELOP MUNICIPAL RISK MAP fg 99 • Risk Analysis • Map Your Risks! • A risk map segregates potential losses according to frequency and severity. • It can be a useful visual guide to choosing the risks to address first, but is not essential. • You can achieve the same purpose just making lists that correspond with the categories on the map. 169

DEFINE RISK MAP SEGMENTS • Risk Analysis • Define Risk Map Segments • Simple risk maps may include as few as four segments: • High frequency/high severity • Low frequency/high severity • High frequency/low severity • Low frequency/low severity • Use six segments – low, medium and high, for greater detail. 170

SAMPLE RISK MAP 171

HOW TO EVALUATE RISKS fg 100 172

PRIORITISE RISKS fg 100 • Risk Evaluation • Prioritise Risks • Using your analysis, choose the risks you will address first, for example: • Risks that may cause high severity losses, even if those losses are infrequent. • High frequency but low severity losses that can drain financial resources due to their cumulative cost. 173

fg 101 • Risk Evaluation • Prioritise Risks (cont’d) • Risks for which there is an obvious, cost-effective solution that can be easily implemented. • Risks that threaten the municipality’s public image and reputation. 174

HOW TO TREAT RISKS fg 102 175

CREATE AN ACTION PLAN • Risk Treatment • Create an Action Plan • With its risk priorities in hand, the team can now gather to review the results and create a comprehensive action plan to address high-priority risks. • Don’t ignore the other risks, but • Direct your initial attention to those that threaten greater harm. 176

FOUR RESPONSES TO RISK • • • Risk Treatment Four Risk Treatment Strategies Avoid Reduce Retain Transfer 177

HOW TO DEVELOP ACTION PLAN fg 103 Risk Treatment Develop the Action Plan Work with municipal departments. Supervisors and employees will have good ideas about addressing their risks. • An involved employee is also more likely to follow the action plan. • Consider your municipality’s ability to implement strategies – both financially and organisationally. • • 178

Risk Treatment Develop the Action Plan (cont’d) Brainstorm for ideas that will prevent losses Transferring losses and controlling losses after they occur is a possible second line of defence (Recovery Plan). • Identify risk of loss that remains after you have implemented your action plan, and make plans for transferring or financing those risks (Contracts/ Insurance). • • 179

CIRCULATE ACTION PLAN (COUNCIL) fg 104 • Risk Treatment • Complete and circulate the action plan • Assemble the chosen strategies into a risk action plan endorsed by the Chief Risk Officer and Risk Committee. • Obtain endorsement of the plan by the Municipal Council and/or Mayoral Executive Committee. 180

CIRCULATE ACTION PLAN (SENIOR MANAGEMENT/ 104 FF) • Risk Treatment • Complete and circulate the action plan • Share appropriate sections of the plan with department heads, departmental risk representatives, and other employees whose activities it affects. • Prepare general information about the action plan for dissemination to the general employee population. 181

Contents of Action Plan 105 • • Risk Treatment Risk Source Strategies selected Activities Target completion date Responsible person Actual date of completion Performance measures 182

Monitoring and review 105 183

Monitoring and review 106 Monitor, evaluate and modify the action plan • The Chief Risk Officer monitors the plan’s implementation and evaluates its effectiveness • The Risk Committee or project team continue to meet – quarterly or more often – to review the implementation of the action plan and make changes if needed 184 106 -10

Monitoring and reviewing Risk action plan is a dynamic document. • If initially piloted for a few departments or operational areas, the plan should be extended and reviewed on an on-going basis • The Risk Committee or Project Team should monitor changes in the entity’s operations (identify new activities or operational areas, changes in the way operations are carried out) and modify the action plan to address new areas of risk. 185 107

Minimum requirements to be included in a municipal risk management plan AO must perform integrated risk management readiness check which includes: • • People and skills level IT resources Municipal Operational processes Environment LG 111 -113 186

Municipal maturity in risk management A risk management maturity assessment is a tool through which to ascertain the status of risk management within the operations i. e. the extent to which the IRM practices permeate the key risk management areas. LG 114 187

LEARNING ACTIVITY p 116 -117 188

A municipality is never to small for IRM • Questions ? • Note all the annexures for info-next slide 189

Annexures • A – Example submission to Council to approve a Risk Management Committee Charter and members • B – Example of a Risk Management Committee Charter • C – Example of a Risk Management Committee To. R • D – Example of Municipality IRM Policy • E – Example size of risk – Impact guide • F – Example size of risk – Impact grid • G – Example risk identification form – RM 1 • H – Example Risk Management Meeting Record – RM 2 • I – Example Risk Reporting Form – RM 3 • J – Example pro-forma Risk Register – RM 4 • K – Example Municipality Risk Maturity Assessment • L – Environmental Risk Case study 190 119 -167

Assignment 191

• My contact detail Louwp@gapmap. co. za 192