Enterprise Risk Management Process Framework

The document discusses the enterprise risk management process framework, outlining ten elements of the control environment: risk management philosophy, risk tolerance, risk culture, executive authority, integrity and values, commitment to competency, philosophy and operating style, organizational structure, authority and responsibility, and human resources policies and procedures.

Provincial Risk Management Framework Annexures

ANNEXURE C

ENTERPRISE RISK MANAGEMENT PROCESS FRAMEWORK

The process of managing institutional risks must be continuous and integrated. Risk management is more than risk mitigation; it is as much about identifying opportunities as about responding to risks. Enterprise risk management processes consist of a number of interrelated components, namely:

5.1 Control environment: The control environment is the foundation of risk management, providing discipline and structure. The control environment influences how strategy and objectives are established, how institutional activities are structured, and how risks are identified, assessed and managed. It influences the design and functioning of control activities, information and communication systems, and monitoring activities. The executive authority is a critical part of the control environment and significantly influences other control environment elements. As part of the control environment, management establishes a risk management philosophy and institutional risk tolerance and appetite levels, promotes a risk culture and integrates risk management with related processes.

The control environment consists of ten elements that must all be present and functioning. The ten elements are discussed below:
• Risk Management Philosophy: The risk management philosophy facilitates employees' ability to recognize and effectively manage risks. The philosophy, being the beliefs about risk and how the public institution chooses to conduct its activities and deal with risk, reflects the value the public institution seeks from risk management and influences how risk management is applied. Management must communicate its risk management philosophy to employees through the risk management policy.
• Risk Tolerance: Risk tolerance is the maximum amount of risk a public institution is willing to sustain or bear after risk treatment in pursuit of institutional objectives.
• Risk Culture: Risk culture is the set of shared attitudes, values and practices that characterize how a public institution considers risks in its day-to-day activities. For those public institutions that do not explicitly define their risk philosophy, the risk culture may form haphazardly, resulting in significantly different risk cultures within a public institution or even within a particular programme or function.
• Executive Authority: The executive authority is a critical part of the control environment and significantly influences other control environment elements. Independence from management, experience, stature of its members, extent of its involvement, its scrutiny of activities, and appropriateness of its actions all play a role in the control environment.
• Integrity and Values: Strategy and objectives, and the way they are implemented and achieved, are based on preferences, value judgments and management styles. Management's integrity and commitment to ethical values influence these preferences and value judgments, which are translated into standards of behavior. Management integrity is a prerequisite for ethical behavior in all aspects of a public institution's activities. The effectiveness of risk management cannot rise above the integrity and ethical values of those who establish, administer and monitor activities. Adequate implementation of formal codes of conduct is important to the foundation of an effective ethics program.

A code of conduct addresses a variety of behavioral issues, such as integrity, ethics, conflicts of interest, and illegal or otherwise improper actions. Compliance with ethical standards, whether or not embodied in a formal code of conduct, is best ensured by top management's actions and example. Of particular importance are the penalties applied to employees who violate such codes. Mechanisms must exist to encourage employees to report suspected incidents of fraud, corruption and theft. Most importantly, disciplinary actions against employees who willfully fail to report violations must be codified.
• Commitment to competency: Competence reflects the knowledge and skills needed to perform assigned tasks. Management should decide how well these tasks need to be accomplished, weighing the institutional strategy and objectives against plans for strategy implementation and achievement of the objectives. A trade-off often exists between competence and cost. The competency levels for particular jobs should be specified and translated into requisite knowledge and skills. The necessary knowledge and skills in turn may depend on individuals' training and experience. Factors considered in developing knowledge and skill levels include the nature and degree of judgment to be applied to a specific job. Often a trade-off can be made between the extent of supervision and the requisite competence level of the individual.
• Philosophy and operating style: Management's philosophy and operating style affect the way an institution is managed, including the kinds of risks accepted. A public institution that has been successful in accepting significant risks may have a different outlook on risk management than one that has faced harsh financial, oversight or regulatory consequences as a result of venturing into dangerous territory. An informally managed public institution may control operations largely by face-to-face contact with key managers. A more formally managed one may rely more on written policies, standards of behavior, performance indicators and exception reports. The attitude and daily operating style of top management affect the extent to which actions are aligned with risk philosophy and tolerance. An effective environment does not require that risks be avoided; rather, it reinforces the need to be knowledgeable about the risks associated with strategic choices and the public institution's operating environment, both internal and external.
• Organizational Structure: A public institution's organizational structure provides the framework to plan, execute, control and monitor its activities. A relevant organizational structure includes defining key areas of authority and responsibility and establishing appropriate lines of reporting. A public institution develops an organizational structure suited to its needs. Some are centralized, others decentralized. Some have direct reporting relationships; others are more of a matrix institution. The appropriateness of a public institution's organizational structure depends, in part, on its size and the nature of its activities. A highly structured public institution with formal reporting lines and responsibilities may be appropriate for a large public institution that has numerous programmes or units. However, such a structure could impede the necessary flow of information in a small public institution. Whatever the structure, a public institution should be organized in a way that enables effective risk management.
• Authority and responsibility: Assignment of authority and responsibility involves the degree to which individuals and teams are authorized and encouraged to use initiative to address issues and solve problems. It also includes the establishment of reporting relationships and authorization protocols, and it pertains to policies that describe appropriate practices, knowledge and experience of key personnel, and resources provided for carrying out duties. Alignment of authority and accountability is often designed to encourage individual initiative, within limits. Delegation of authority, or "empowerment," means surrendering central control of certain decisions to subordinates, the individuals who are closest to everyday activities. A critical challenge is to delegate only to the extent required to achieve objectives. This means ensuring that risk acceptance is based on sound practices for risk identification and assessment, including a comparison between the risks and any potential losses versus gains in arriving at good service delivery decisions. Another challenge is ensuring that all personnel understand the public institution's objectives and how their actions interrelate and contribute to achievement of the objectives. The control environment is greatly influenced by the extent to which individuals recognize that they will be held accountable. This holds true all the way to the Accounting Officer, who, with Executive Authority oversight, has ultimate responsibility for all institutional activities.
• Human Resources Policies and Procedures: Human resources policies and practices pertaining to hiring, orientation, training, evaluating, counseling, promoting, compensating and taking remedial actions send a message to employees regarding expected levels of integrity, ethical behavior and competence. For example, standards for hiring the most qualified individuals, with emphasis on educational background, prior work experience, past accomplishments and evidence of integrity and ethical behavior, demonstrate a public institution's commitment to competent and trustworthy staff. Transfers and promotions driven by periodic performance appraisals demonstrate the public institution's commitment to the advancement of qualified, competent and empowered employees. Competitive compensation programs that include bonus incentives and formal and informal performance recognition initiatives serve to motivate and reinforce outstanding performance. Similarly, disciplinary actions send a message that violations of expected behavior will not be tolerated. It is essential that employees be equipped to tackle new challenges as issues and risks throughout the public institution change and become more complex, driven in part by rapidly changing technologies, the economic environment, policy changes, etc.

5.2 Objective Setting: Objectives must exist before management can identify events potentially affecting achievement of institutional objectives. Risk management ensures that management has processes in place to:

• Set objectives;
• Align the objectives with the public institution's mission/vision; and
• Ensure that set objectives are consistent with the public institution's risk tolerance.

Objective setting and integration with risk management processes must be completed prior to the beginning of a financial year.

5.3 Establish context

Establishing context involves:
• Identification of risk in a selected domain of interest;
• Planning of the remainder of the process;
• Mapping out the following:
  • The scope of risk management;
  • The identity and objectives of stakeholders; and
  • The basis upon which risks will be evaluated, and constraints;
• Developing a framework for the activity and an agenda for identification;
• Developing an analysis of the risks involved in the process; and
• Mitigation of risks using available technological, human and organizational resources.
5.3.1 Establishing the external context
The external context is the external environment in which the organization seeks to achieve its objectives. Understanding the external context is important to ensure that external stakeholders, their objectives and their concerns are considered. It is based on the institution-wide context but with specific details of legal and regulatory requirements, stakeholder perceptions, and other aspects of risk specific to the scope of the risk management process. The external context can include, but is not limited to:
• The cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment;
• Key drivers and trends having an impact on the objectives of the organization; and
• Perceptions and values of external stakeholders.
5.3.2 Establishing the internal context
The internal context is the internal environment in which the institution seeks to achieve its objectives. The risk management process should be aligned with the institutional culture, processes and structure. The internal context is anything within the institution that can influence the way in which the institution will manage risk. It should be established because:
• Risk management takes place in the context of institutional objectives;
• Objectives and criteria of a particular project or activity should be considered in the light of the objectives of the institution as a whole;
• A major risk for some institutions is failure to achieve their strategic objectives; and
• This risk affects ongoing institutional commitment, credibility and trust.
It is necessary to understand the internal context in terms of, for example:
• The capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
• Internal stakeholders;
• Objectives, and the strategies that are in place to achieve them;
• Perceptions, values and culture;
• Standards and reference models adopted by the institution; and
• Structures, i.e. governance, roles and accountabilities.
5.3.3 Establishing the context of the risk management process
The objectives, strategies, scope and parameters of the activities of an institution, or of those parts of the institution where the risk management process is being applied, should be established. The management of risk should be undertaken with full consideration of the need to justify the resources used in carrying out risk management. The resources required, responsibilities and authorities, and the records to be kept should also be specified. The context of the risk management process will vary according to institutional needs. It can involve, but is not limited to:
• Defining responsibilities for the risk management process;
• Defining the scope, as well as the depth and breadth of the risk management activities to be carried out, including specific inclusions and exclusions;
• Defining the activity, process, function, project, product, service or asset in terms of time and location as well as its goal and objectives;
• Defining the relationships between a particular activity and other activities of the institution;
• Defining the risk assessment methodologies;
• Defining the way performance is evaluated in the management of risk;
• Identifying and specifying the decisions that have to be made; and
• Identifying, scoping or framing studies needed, their extent and objectives, and the resources required for such studies.
Attention to these and other relevant factors should help ensure that the risk management approach adopted is appropriate to the situation of the institution and to the risks affecting the achievement of its objectives.
5.3.4 Developing risk criteria
The institution should develop criteria that are used to evaluate the significance of risk. The criteria can reflect the institutional values, objectives and resources. Some criteria can be imposed by, or derived from, legal and regulatory requirements and other requirements to which the institution subscribes. Risk criteria should be consistent with the institution's risk management policy. Risk criteria should be developed at the beginning of any risk management process and reviewed continually.
When defining risk criteria, the factors to be considered should include the following:
• The nature and types of consequences that can occur and how they will be measured;
• How likelihood will be defined;
• The time frame(s) of the likelihood and/or consequence;
• How the level of risk is to be determined;
• The level at which risk becomes acceptable or tolerable;
• What level of risk requires treatment; and
• Whether combinations of multiple risks should be taken into account.
5.4 Event identification
Prior to assessing the risks, factors, both internal and external, with the ability to affect the achievement of institutional objectives must be identified. Risk management is not only about managing negative factors detrimental to a public institution and/or its stakeholders, but is a broad-based process useful in managing risks whilst keeping an eye on potential opportunities that positively influence the achievement of objectives and/or the service delivery mandate. Opportunities or potential opportunities must be fed back into the objective-setting processes or management strategy.
The types of risks faced by public institutions are many and varied according to the dynamics of each public institution. Identifying major trends and their variation over time is particularly relevant in providing early warnings. Some external factors to be considered for potential risks include:
• Political: the influence of other spheres of government, governing, oversight and regulatory bodies;
• Economic: international, national and provincial norms;
• Social: major demographic and social trends, level of citizen engagement; and
• Technological changes.
Internal factors reflect management's choices and include such matters as:
• The overall management style and direction;
• Governance and accountability processes;
• Level of transparency required;
• Values and ethics;
• Infrastructure;
• Policies, procedures and processes;
• Human resource capacity; and
• Technology.
A public institution's event identification methodology may comprise a combination of techniques together with supporting tools. Risk identification techniques look to both the past and the future.
Techniques that focus on past events and trends consider such matters as:
• Payment default histories;
• Overspending/underspending patterns;
• Fraud and corruption; and
• Historic poor service delivery records.


Techniques that focus on future exposures consider such matters as:
• Shifting demographics;
• Current and forecasted statistical data;
• New laws and regulations; and
• HIV impact.
It may be useful to group potential events into categories. By aggregating events horizontally across a public institution and vertically within operating units, management develops an understanding of the interrelationships between events, gaining enhanced information as a basis for risk assessment.

5.4.1 Possible methods of identifying risks

Different sources might be used during risk identification, depending on the dynamics of each public institution. The sources might include:
• Interviews (one-on-one, surveys, questionnaires, etc.);
• Group discussions (brainstorming, workshops, etc.);
• Audits, both internal and external;
• Internal control reviews;
• Networking (peers, professional associations, etc.);
• Judgmental (speculative, intuitive, etc.);
• Historic and failure analysis;
• Personal experience or past public institution/related sector experience;
• Scenario modeling (disaster response, business continuity, economic, operational, etc.);
• Process flow charting;
• SWOT (strengths, weaknesses, opportunities, threats) analysis;
• Plans (strategic, annual, monthly, quarterly reports, etc.);
• Historic risk assessments and risk registers;
• Formal or informal inputs from programmes;
• Third parties (media, suppliers, citizens, etc.); and
• Informal or formal risk reporting mechanisms.

5.4.2 Possible sources of risks

Possible sources of risks might include:
• New activities and services rendered;
• Disposal or cessation of current activities;
• Procurement and tenders;
• Legislative changes;
• Changes in the economic conditions;
• Socio-political changes (like elections);
• Events (national, provincial, area and international);
• Behaviour of contractors, suppliers or employees;
• Financial/market conditions;
• Management activities;
• Weak internal control;
• Technology/technical changes (new hardware and software implementations); and
• Natural events (flooding, fires, etc.).

5.4.3 Possible areas of risk impact

Risk assessment should concentrate on all significant possible areas of impact relevant to the public institution or activity, and may include:
• Assets and resources (including human, physical, financial, technical and information);
• Service delivery;
• Performance of activities; and
• Organizational behaviour and environment.

5.4.4 Key questions that can be used to identify and control risks

• What, when, where, why and how are risks likely to occur, and who might be involved?
• What is the source of each risk?
• What are the consequences of each risk?
• What controls presently exist to mitigate each risk?
• To what extent are controls effective?
• What alternative, appropriate controls are available?
• What are the public institution's obligations (external and internal)?
• What is the need for research into specific risks, the scope of such research and the resources required?
• What is the reliability of the information?
• Is there scope for benchmarking with peer or related public and/or private sector institutions?
5.5 Risk Assessment

Risk assessment allows a public institution to consider how potential events might affect the achievement of objectives. Identified risks are assessed by analyzing their likelihood and impact. A number of sources might be used to rate impact and likelihood, including:
• Historical experience;
• Appropriate available information;
• Reliable practices;
• Scenario, economic and operations modeling; and
• Specialist and expert advice.

Risk assessments can be either quantitative or qualitative. Quantitative risk assessments assign financial values to processes, expected losses and control costs, i.e. a cost-versus-benefit analysis. A qualitative risk assessment does not try to assign financial values to processes, expected losses and control costs. Institutional and/or outside specialists, such as risk owners, experts, etc., are used to estimate the relative values of processes, expected losses and the costs of required controls.

A quantitative risk assessment is usually conducted through a combination of questionnaires and collaborative workshops involving specialists from within and/or outside the public institution. Questionnaires are distributed ahead of workshops. The questionnaires are designed to discover what processes and controls are already deployed. In the risk assessment workshops participants identify processes and estimate their relative values. Next they try to determine what risks each process may be facing.

The specialists come up with controls to mitigate the risks for the participants to consider, together with the approximate cost of each control measure. Finally, the results are presented to management for consideration during a cost-benefit analysis. The basic process for qualitative assessments is very similar to what happens in the quantitative approach. The difference is in the details. Comparisons between the value of one asset and another are relative, and participants do not invest a lot of time trying to calculate precise financial implications. The same is true for calculating the possible impact from a risk being realized and the cost of implementing controls.

The benefits of a qualitative approach are that it overcomes the challenge of calculating accurate figures for values, cost of control, and so on, and the process is much less demanding. Qualitative risk management projects can typically start to show significant results within a few weeks, whereas most quantitative projects see little benefit for months, and sometimes even years, of effort. The drawback of a qualitative approach is that the resulting figures are vague, and some decision makers, especially those with finance backgrounds, may not be comfortable with the relative values determined during a qualitative risk assessment project. The risk assessment process comprises four steps:

Step 1: Quantifying the parameters (scoring system) of impact and likelihood before the actual assessment.


EXAMPLE: RISK IMPACT SCORING PARAMETERS:

| Rate | Impact | Impact measure | Enhanced Rating Scales |
|---|---|---|---|
| 5 | Critical (Catastrophic impact) | Negative outcomes or missed opportunities that are of critical importance to the achievement of the objectives. | Extremely High Significance: Strategic objectives cannot be achieved, resulting in significant financial impact and questions about future viability. |
| 4 | Major (Very material impact) | Negative outcomes or missed opportunities that are likely to have a relatively substantial impact on the ability to meet objectives. | Highly Significant: Difficult to achieve strategic objectives and/or material financial impact. |
| 3 | Moderate impact | Negative outcomes or missed opportunities that are likely to have a relatively moderate impact on the ability to meet objectives. | Moderately Significant: Noticeable challenges to strategic objectives. |
| 2 | Minor impact | Negative outcomes or missed opportunities that are likely to have a relatively low impact on the ability to meet objectives. | Slightly Significant: Small material impact. |
| 1 | Insignificant | Negative outcomes or missed opportunities that are likely to have a negligible impact on the ability to meet objectives. | Not Significant: No discernible impact. Neither a strategic nor a financial impact. |

EXAMPLE: RISK LIKELIHOOD SCORING PARAMETERS:

| Rate | Likelihood | Occurrence | Enhanced Rating Scales |
|---|---|---|---|
| 5 | Maximum | The risk is already occurring, or is likely to occur more than once within the next 12 months. | Highly Likely: Already occurring or almost certainly will occur in the specified time period (>90%). |
| 4 | High | The risk could easily occur, and is likely to occur at least once within the next 12 months. | Likely: More likely than not to occur in the specified time period (>50%). |
| 3 | Medium | There is an above average chance that the risk will occur at least once in the next three years. | Possibly: May occur during the specified time period (<50%). |
| 2 | Low | The risk occurs infrequently and is unlikely to occur within the next three years. | Unlikely: Not likely to occur in the specified time period (<25%). |
| 1 | Minimum | The risk is conceivable but is only likely to occur in extreme circumstances. | Very Unlikely: Virtually no chance it will ever happen (<5%). |


Step 2: Applying the parameters to the risk matrix to indicate what areas of the risk matrix would be regarded as high, medium or low risk (see the example below):

Inherent Risk index = impact x likelihood

| IMPACT \ LIKELIHOOD | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| 5 | 5 | 10 | 15 | 20 | 25 |
| 4 | 4 | 8 | 12 | 16 | 20 |
| 3 | 3 | 6 | 9 | 12 | 15 |
| 2 | 2 | 4 | 6 | 8 | 10 |
| 1 | 1 | 2 | 3 | 4 | 5 |

| Risk index | Risk Magnitude |
|---|---|
| 20 – 25 | Very High Risk/Maximum |
| 15 – 19 | High risk |
| 10 – 14 | Moderate/Medium risk |
| 5 – 9 | Low risk |
| 1 – 4 | Minimum/Very low risk |

Step 3: Determining the risk acceptance criteria by identifying what risks will not be tolerated or accepted.

EXAMPLE: RISK ACCEPTABILITY CRITERIA:

| IMPACT \ LIKELIHOOD | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| 5 | Risk Score 5: Accept the Risk | Risk Score 10: Partially accept risk | Risk Score 15: Risk unacceptable | Risk Score 20: Risk highly unacceptable | Risk Score 25: Risk highly unacceptable |
| 4 | Risk Score 4: Accept the Risk | Risk Score 8: Partially accept risk | Risk Score 12: Partially accept risk | Risk Score 16: Risk unacceptable | Risk Score 20: Risk highly unacceptable |
| 3 | Risk Score 3: Accept the Risk | Risk Score 6: Partially accept risk | Risk Score 9: Partially accept risk | Risk Score 12: Partially accept risk | Risk Score 15: Risk unacceptable |
| 2 | Risk Score 2: Accept the Risk | Risk Score 4: Accept the Risk | Risk Score 6: Partially accept risk | Risk Score 8: Partially accept risk | Risk Score 10: Partially accept risk |
| 1 | Risk Score 1: Accept the Risk | Risk Score 2: Accept the Risk | Risk Score 3: Accept the Risk | Risk Score 4: Accept the Risk | Risk Score 5: Partially accept the Risk |

The original annotates this grid with a "Risk Appetite Line" beside the Impact 3 row. Note that the grid is not a pure function of the score: a score of 5 from Impact 5 and Likelihood 1 is "Accept the Risk", while a score of 5 from Impact 1 and Likelihood 5 is "Partially accept the Risk".


Step 4: Determine the residual risk and what action will be proposed to reduce the risk (see the example below). The residual risk rating is determined by multiplying the controls effectiveness rating and the inherent risk.

Internal Control and/or Risk Management Effectiveness Rating Scales

| Rating | Control and/or RM effectiveness | Category of Controls Adequacy and Effectiveness to alter the inherent risk | Risk Management Effectiveness Scales |
|---|---|---|---|
| 5 | Non-existent | Control activities are inadequate and ineffective and risk exposures are pervasive. | No Risk Management: The public institution lets the risk occur and lives with the results. |
| 4 | Weak | Control activities are limited in design adequacy as well as operating effectiveness to mitigate risk exposures. Some of the risk exposure appears to be controlled, but there are major deficiencies. | Low Risk Management: The risks typically can be detected, but the public institution relies more on contingency and recovery plans. |
| 3 | Satisfactory | Control activities are improved in design adequacy and operating effectiveness to mitigate risk exposures. However, there is still room for improvement in certain areas. | Moderate Risk Management: Through effective monitoring, occurrence of risk is identified with sufficient time to act; its impact can be reduced or opportunity is increased. |
| 2 | Good | Control activities are adequately designed and operating effectively to mitigate the majority of key risk exposures. | Extensive Risk Management: Ongoing monitoring and proactive activities help assure that the impact of risk occurrence will be minimal or opportunities enhanced. |
| 1 | Very good | Control activities are adequately designed and operating effectively to manage and control all key risk exposures. | Continuous Risk Management: A comprehensive risk management programme is in place that helps assure that the risks are prevented, or there will be no measurable impact on objectives, or opportunities are optimized. |
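To make the four steps concrete, here is an added Python example (written for this page, not code from the framework or its authors) that encodes the 1-5 scales, the inherent risk matrix and magnitude bands, the acceptability grid and the residual risk formula, and runs them over a constructed risk register; the risk names, ratings and function names in it are assumed sample values.

```python
"""Worked example of the annexure's four-step risk scoring: the 1-5 impact
and likelihood scales, Inherent Risk index = impact x likelihood, the Step 2
magnitude bands, the Step 3 acceptability grid and the Step 4 formula
residual risk = inherent risk x controls effectiveness rating, applied to a
small constructed risk register."""

# Step 2 legend: inherent risk index -> risk magnitude.
MAGNITUDE_BANDS = [
    (20, 25, "Very High Risk/Maximum"),
    (15, 19, "High risk"),
    (10, 14, "Moderate/Medium risk"),
    (5, 9, "Low risk"),
    (1, 4, "Minimum/Very low risk"),
]

ACCEPT = "Accept the Risk"
PARTIAL = "Partially accept risk"
UNACCEPTABLE = "Risk unacceptable"
HIGHLY_UNACCEPTABLE = "Risk highly unacceptable"

# Step 3 acceptability grid: rows are impact 5..1, columns are likelihood 1..5.
# Encoded cell by cell rather than by score because the grid is not a pure
# function of the score: impact 5 x likelihood 1 (score 5) is "Accept", while
# impact 1 x likelihood 5 (also score 5) is "Partially accept".
ACCEPTABILITY = {
    5: [ACCEPT, PARTIAL, UNACCEPTABLE, HIGHLY_UNACCEPTABLE, HIGHLY_UNACCEPTABLE],
    4: [ACCEPT, PARTIAL, PARTIAL, UNACCEPTABLE, HIGHLY_UNACCEPTABLE],
    3: [ACCEPT, PARTIAL, PARTIAL, PARTIAL, UNACCEPTABLE],
    2: [ACCEPT, ACCEPT, PARTIAL, PARTIAL, PARTIAL],
    1: [ACCEPT, ACCEPT, ACCEPT, ACCEPT, PARTIAL],
}


def check_scale(name, value):
    """All three ratings in the annexure are integers from 1 to 5."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def inherent_risk_index(impact, likelihood):
    """Step 2: Inherent Risk index = impact x likelihood (range 1-25)."""
    return check_scale("impact", impact) * check_scale("likelihood", likelihood)


def risk_magnitude(index):
    """Map an inherent risk index onto the Step 2 magnitude bands."""
    for low, high, label in MAGNITUDE_BANDS:
        if low <= index <= high:
            return label
    raise ValueError(f"index {index!r} is outside the 1-25 matrix")


def acceptability(impact, likelihood):
    """Step 3: look the (impact, likelihood) cell up in the acceptability grid."""
    check_scale("impact", impact)
    check_scale("likelihood", likelihood)
    return ACCEPTABILITY[impact][likelihood - 1]


def residual_risk_index(inherent_index, control_effectiveness):
    """Step 4 as stated on the page: inherent risk x controls effectiveness,
    where 5 = non-existent controls and 1 = very good controls. The product
    spans 1-125, whereas the page's response-strategy table bands residual
    risk on 20-25, 15-19 and so on, so the raw product is returned unbanded;
    use it to rank risks, not to band them."""
    return inherent_index * check_scale("control effectiveness", control_effectiveness)


def assess(register):
    """Run Steps 1-4 over register rows and rank them by residual risk."""
    results = []
    for row in register:
        index = inherent_risk_index(row["impact"], row["likelihood"])
        results.append({
            "risk": row["risk"],
            "inherent_index": index,
            "magnitude": risk_magnitude(index),
            "acceptability": acceptability(row["impact"], row["likelihood"]),
            "residual_index": residual_risk_index(index, row["control_effectiveness"]),
        })
    return sorted(results, key=lambda r: r["residual_index"], reverse=True)


# Constructed sample register; the risks and ratings are illustrative only.
SAMPLE_REGISTER = [
    {"risk": "Tender awarded without segregation of duties", "impact": 4, "likelihood": 3, "control_effectiveness": 4},
    {"risk": "Payroll system outage during pay run", "impact": 5, "likelihood": 1, "control_effectiveness": 2},
    {"risk": "Data-entry errors in monthly statistics", "impact": 1, "likelihood": 5, "control_effectiveness": 3},
]

if __name__ == "__main__":
    for entry in assess(SAMPLE_REGISTER):
        print(f"{entry['risk']}: inherent {entry['inherent_index']} ({entry['magnitude']}), "
              f"{entry['acceptability']}, residual {entry['residual_index']}")
```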


5.6 Risk response strategy

Management must identify and adopt risk response strategies for all the
identified risks and consider their effect on likelihood and impact, in relation
to risk tolerances, and their costs versus benefits.
Considering, selecting and implementing a strategy is integral to risk
management: management must select a response that is expected to alter the
inherent risk rating, bringing the risk to within the public institution’s risk
tolerance levels and improving the public institution’s risk profile.
Risk management strategies may fall within the categories of:
• Risk acceptance: No action to affect likelihood or impact because the risk is
so minimal, or the cost to implement the risk mitigation plan is too high
relative to the cost of the risk;
• Risk reduction: Reduce the risk likelihood, impact, or both;
• Risk sharing: Reduce risk likelihood or impact by transferring or otherwise
sharing a portion of the risk;
• Risk transfer: Transfer the risks associated with a particular activity; and
• Risk avoidance: Take action to remove the activities that give rise to the
risks.

As part of risk management, for each risk a public institution considers
potential responses from a range of response categories. This gives sufficient
depth to response selection and also challenges the “status quo.”
Having selected a risk response strategy option/s with appropriate responses,
management reassesses the remaining residual risk. Management should
recognize that some level of residual risk will always exist, not only because
resources are limited, but also because of inherent future uncertainty and
limitations inherent in all activities.

EXAMPLE: POSSIBLE RISK RESPONSE STRATEGIES FOR IDENTIFIED RISKS:

Scale | Risk Magnitude | Residual Risk Index (Inherent risk X controls effectiveness) | Risk Tolerance | Recommended risk response strategy: desired actions to manage residual risks | Options | Accountability

5 | Maximum (High – Very High) | 20-25 | Highly Unacceptable | Take immediate action/s to avoid, reduce, share, or transfer risk with highest priority. Inform Executive Authority | Avoid, reduce, share, or transfer the risk | HOD. Inform Executive Authority

4 | High Risk (High – Medium) | 15-19 | Unacceptable | Take immediate action/s to avoid, reduce, share, or transfer risk with highest priority. Inform Accounting Officer | Avoid, reduce, share, or transfer the risk | Programme Manager. Inform HOD

3 | Medium Risk (Low – Medium) | 10-14 | Partially Unacceptable | Take immediate action/s to reduce, share, or transfer risk. Inform Programme Management | Reduce, share, or transfer the risk | Senior Management. Inform Programme Manager

2 | Low Risk (Very Low – Low) | 5-9 | Fairly Acceptable | Take immediate action/s to accept (reduce) risk, but detect, monitor, and address its impact. Inform Senior Management | Accept (reduce) risk, but detect, monitor, and address its impact | Line Management. Inform Senior Management

1 | Very Low Risk | 1-4 | Acceptable | Take no action, but anticipate risk, monitor, and address its impact. Inform Management | Accept the Risk | All. Inform Management
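The residual risk index and the response bands of the table above, worked through as an added Python example (this is not part of the framework or of any provincial tooling). Because the page does not say how the two factors are scaled, the example assumes that inherent risk is rated 1 to 5 and that controls effectiveness uses the 1 to 5 scale of the controls effectiveness table (1 = very good, 5 = weak), so that their product spans the table's 1 to 25 index range; the function names, the ResponseBand record and the sample register are the example's own.

```python
"""Residual risk index and recommended response, after the framework's example
table. Added illustration, not the framework's own tooling.

Assumption (not stated on the page): inherent risk is rated 1-5 and controls
effectiveness uses the 1-5 scale of the controls effectiveness table
(1 = very good, 5 = weak), so their product spans the table's 1-25 index range.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ResponseBand:
    scale: int
    magnitude: str
    low: int   # inclusive lower bound of the residual risk index
    high: int  # inclusive upper bound
    tolerance: str
    desired_action: str
    options: str
    accountability: str


# Bands transcribed from the framework's example table.
RESPONSE_BANDS = (
    ResponseBand(5, "Maximum", 20, 25, "Highly Unacceptable",
                 "Take immediate action/s to avoid, reduce, share, or transfer "
                 "risk with highest priority. Inform Executive Authority",
                 "Avoid, reduce, share, or transfer the risk",
                 "HOD. Inform Executive Authority"),
    ResponseBand(4, "High Risk", 15, 19, "Unacceptable",
                 "Take immediate action/s to avoid, reduce, share, or transfer "
                 "risk with highest priority. Inform Accounting Officer",
                 "Avoid, reduce, share, or transfer the risk",
                 "Programme Manager. Inform HOD"),
    ResponseBand(3, "Medium Risk", 10, 14, "Partially Unacceptable",
                 "Take immediate action/s to reduce, share, or transfer risk. "
                 "Inform Programme Management",
                 "Reduce, share, or transfer the risk",
                 "Senior Management. Inform Programme Manager"),
    ResponseBand(2, "Low Risk", 5, 9, "Fairly Acceptable",
                 "Take immediate action/s to accept (reduce) risk, but detect, "
                 "monitor, and address its impact. Inform Senior Management",
                 "Accept (reduce) risk, but detect, monitor, and address its impact",
                 "Line Management. Inform Senior Management"),
    ResponseBand(1, "Very Low Risk", 1, 4, "Acceptable",
                 "Take no action, but anticipate risk, monitor, and address its "
                 "impact. Inform Management",
                 "Accept the Risk", "All. Inform Management"),
)


def residual_risk_index(inherent_risk: int, controls_effectiveness: int) -> int:
    """Residual Risk Index = Inherent risk x controls effectiveness.

    Ratings outside the assumed 1-5 scales are rejected rather than producing
    an index the table cannot classify.
    """
    for name, value in (("inherent_risk", inherent_risk),
                        ("controls_effectiveness", controls_effectiveness)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return inherent_risk * controls_effectiveness


def classify(index: int) -> ResponseBand:
    """Map a residual risk index onto one of the five bands."""
    for band in RESPONSE_BANDS:
        if band.low <= index <= band.high:
            return band
    raise ValueError(f"residual risk index {index} is outside 1-25")


def recommend(inherent_risk: int, controls_effectiveness: int) -> dict:
    """Recommendation for one risk register entry."""
    index = residual_risk_index(inherent_risk, controls_effectiveness)
    band = classify(index)
    return {"residual_risk_index": index, "scale": band.scale,
            "magnitude": band.magnitude, "tolerance": band.tolerance,
            "desired_action": band.desired_action, "options": band.options,
            "accountability": band.accountability}


def prioritise(register: dict[str, tuple[int, int]]) -> list[tuple[str, int, int]]:
    """Order {risk: (inherent, controls effectiveness)} most urgent first,
    returning (risk, residual index, scale) rows."""
    rows = []
    for name, (inherent, effectiveness) in register.items():
        index = residual_risk_index(inherent, effectiveness)
        rows.append((name, index, classify(index).scale))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample register: (inherent risk, controls effectiveness).
    sample = {"Unpatched payroll server": (5, 4),   # index 20, scale 5
              "Manual journal overrides": (3, 2),   # index 6, scale 2
              "Lost backup tapes": (4, 3)}          # index 12, scale 3
    for name, index, scale in prioritise(sample):
        print(f"{name:<26} index={index:<3} scale={scale}")
```

The fraud table that follows is not encoded here because its index ranges overlap (15-25 and 20-25) and leave 13-14 unassigned; a register tool would need the framework owner to resolve those bands before they can be applied mechanically.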

EXAMPLE: POSSIBLE FRAUD RISK RESPONSE STRATEGIES:

Risk Index (Ranking score of) | Risk magnitude | Fraud Risk acceptability | Risk Tolerance | Proposed management action to control fraud | Accountability, Roles & Responsibilities

1-4 | Minimum risk | Unacceptable | Zero Tolerance | Control, monitor, and inform management. | All. Inform Senior Management

5-8 | Low risk | Unacceptable | Zero Tolerance | Take action to reduce risk, inform senior management. | Senior Management. Inform Programme Manager

9-12 | Medium risk | Definitely Unacceptable | Zero Tolerance | Take action to reduce risk, inform top management. | Programme Manager. Inform HOD

15 - 25 | High risk | Totally Unacceptable | Zero Tolerance | Take action to reduce risk with highest priority, accounting officer and executive authority attention. | HOD. Inform the Executive Authority

20 - 25 | Maximum Risk | Totally Unacceptable | Zero Tolerance | Take action to reduce risk with highest priority, accounting officer and executive authority attention. | HOD. Inform the Executive Authority

5.7 Information and Communication Flow

Relevant information must be disseminated through all levels of a public
institution, to enable role players to effectively execute their assigned duties.
The Chief Risk Officer, along with the Accounting Officers must prioritize
developing efficient and effective communication and information flow
structures. The structures must capture the dynamics of the public institution.
Information must be identified, captured and communicated in a form and
timeframe that enable role players to carry out their allocated responsibilities.
Information must be communicated to all levels of a public institution to
identify, assess and respond to risks. Communication about processes and
procedures should align with, and underpin, the desired risk culture. In
addition, communication should be appropriately “framed”; the presentation
of information can significantly affect how it is interpreted and how the
associated risks or opportunities are viewed. Communication should raise
awareness about the importance and relevance of effective risk management,
communicate the public institution’s risk tolerance levels, implement and
support a common risk language, and advise employees of their roles and
responsibilities in effecting and supporting the process of risk management.
Communications channels also should ensure employees can communicate
risk-based information across public institution’s units, processes or functional
units. In most cases, normal reporting lines in a public institution are the
appropriate channels of communication. In some circumstances, however,
separate lines of communication are needed to serve as a fail-safe mechanism
in case normal channels are inoperative or compromised. Whatever channels
of communication are used, it is imperative that employees understand that
there will be no reprisals for duly reporting relevant information.

Efficient flow of relevant institutional risk management information can be
achieved through the incorporation of risk management reporting into the
institution’s reporting framework. This process can be efficiently implemented
through the Chief Risk Officer and the Strategic Planning Manager by:
• Determining the information needs of the oversight stakeholders, i.e. the
Chief Risk Officer, Risk Management Committee, Accounting Officer, Audit
Committee, etc.; and
• Determining the best reporting format to meet the information needs of the
oversight stakeholders and incorporating it into the public institution’s
reporting framework.

5.8 Control Activities

Risk responses serve to focus attention on control activities needed to help
ensure that the risk responses are carried out properly and in a timely
manner. Control activities are part of the process by which a public institution
strives to achieve objectives. Control activities are the policies and procedures
that help ensure risk management strategies are properly executed. They
occur throughout the public institution, at all levels and in all functions. They
usually involve two elements: a policy establishing what should be done and
the procedures necessary to optimally implement the policy.

5.8.1 Internal Control: Internal controls are an integral part of risk
management. The Framework encompasses internal control, forming a
more robust conceptualization and tool for management. Control
procedures relate to the actual policies and procedures, in addition to
the control environment, that management has established to achieve
the public institution’s objectives. Policies and procedures help create
boundaries and parameters for authority and responsibility, and also
provide some scope of organisational precedent for action.

5.8.2 Control procedures: Specific control procedures include:
• Reviewing, monitoring and reporting on compliance with relevant
legislation, public institutional procedures, policies, processes, etc.;
• Ensuring the accuracy of records; and
• Establishing controls on applications and the environment of computer
information systems.

5.8.3 Context of control: The following concepts are important in
understanding the nature and context of controls:
• Controls should be capable of responding immediately to evolving
risks to the business of the public institution arising from factors
within the public institution and to changes in the environment;
• The cost of controls must be balanced against the benefits, including
the risks they are designed to manage;
• The control system must include procedures for reporting
immediately to appropriate levels of management any significant
findings of weaknesses that are identified, together with details of
corrective action taken or needed;
• Controls can help minimize the occurrence of errors and
breakdowns, but cannot provide absolute assurance that they will
not occur; and
• The system of internal control should be embedded in the
operations of the public institution and form part of its culture.

5.8.4 Broad internal control focus areas: Internal control processes in
public institutions should focus on the following key areas:
• Adequate segregation of duties: Key duties and responsibilities in
authorizing, processing, recording, and reviewing transactions and
events should be separated among individuals;
• Custody of and accountability for resources: Access to resources and
records is to be limited to authorized individuals who are
accountable for their custody or use;
• Prompt and proper recording and classification of transactions: To
ensure that information maintains its relevance and value to
management in controlling operations and decision-making, and to
ensure that timely and reliable information is available to
management;
• Authorization and execution of transactions: Requires that
employees execute their assigned duties in accordance with
directives and within the limitations established by management or
legislation;
• Documentation: Internal control structures, i.e. policies and
procedures, and all transactions and significant events are to be
clearly documented; and
• Management supervision and review: Competent supervision is to
be provided, including assignment, review and approval of an
employee's work.
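The segregation-of-duties focus area above, as an added Python example that is not part of the framework: a detective check that audits a transaction log for the same individual performing two of the four duties (authorize, process, record, review) on one transaction, and a preventive check that refuses such an event at the point of entry. The duty names, the Event record and the sample log are constructed for the example and are not taken from any institution's records.

```python
"""Segregation of duties (SoD) checks over a transaction workflow.

Added illustration; not part of the Provincial Risk Management Framework.
The four duties come from the framework's focus area: authorizing, processing,
recording and reviewing transactions must be separated among individuals.
The transaction log at the bottom is constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations

DUTIES = ("authorize", "process", "record", "review")


@dataclass(frozen=True)
class Event:
    txn_id: str
    duty: str
    user: str


def conflicts(events: list[Event]) -> list[tuple[str, str, str]]:
    """Detective control: every pair of duties performed by the same user on
    one transaction, returned as (duty_a, duty_b, user) tuples."""
    performed: dict[str, set[str]] = {duty: set() for duty in DUTIES}
    for ev in events:
        if ev.duty not in DUTIES:
            raise ValueError(f"unknown duty {ev.duty!r} on {ev.txn_id}")
        performed[ev.duty].add(ev.user)
    found = []
    for duty_a, duty_b in combinations(DUTIES, 2):
        for user in sorted(performed[duty_a] & performed[duty_b]):
            found.append((duty_a, duty_b, user))
    return found


def audit(log: list[Event]) -> dict[str, list[tuple[str, str, str]]]:
    """Group a log by transaction and report only transactions with SoD conflicts."""
    by_txn: dict[str, list[Event]] = {}
    for ev in log:
        by_txn.setdefault(ev.txn_id, []).append(ev)
    report = {}
    for txn_id, events in by_txn.items():
        found = conflicts(events)
        if found:
            report[txn_id] = found
    return report


def admit(ledger: dict[str, list[Event]], ev: Event) -> bool:
    """Preventive control: refuse an event when the same user already performed
    a different duty on the transaction. Returns True if the event was admitted;
    on refusal the ledger is left unchanged."""
    if ev.duty not in DUTIES:
        raise ValueError(f"unknown duty {ev.duty!r} on {ev.txn_id}")
    prior = ledger.get(ev.txn_id, [])
    if any(p.user == ev.user and p.duty != ev.duty for p in prior):
        return False
    ledger.setdefault(ev.txn_id, []).append(ev)
    return True


# Constructed sample log: TXN-0001 is compliant, TXN-0002 has bob authorizing,
# processing and reviewing his own transaction.
SAMPLE_LOG = [
    Event("TXN-0001", "authorize", "alice"),
    Event("TXN-0001", "process", "bob"),
    Event("TXN-0001", "record", "carol"),
    Event("TXN-0001", "review", "dave"),
    Event("TXN-0002", "authorize", "bob"),
    Event("TXN-0002", "process", "bob"),
    Event("TXN-0002", "record", "carol"),
    Event("TXN-0002", "review", "bob"),
]

if __name__ == "__main__":
    for txn_id, found in audit(SAMPLE_LOG).items():
        for duty_a, duty_b, user in found:
            print(f"{txn_id}: {user} performed both {duty_a} and {duty_b}")
```

The detective check is what an audit of existing records needs; the preventive check is what the transaction system itself should apply so that the conflict never reaches the ledger.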

Employees should be provided with the necessary guidance and training to
help ensure that errors and wasteful and wrongful acts are minimized and that
specific management directives are understood and achieved.

In addition, computer controls should be geared towards the following areas:

5.8.4.1 Access controls

Controls should be designed to:
• Prevent unauthorized changes to programs which process data;
• Prevent unauthorized access to files storing accounting and
financial information and application programs;
• Prevent unauthorized access to computer operating systems and
system software programs;
• Ensure that user IDs and passwords are used to limit access
to programs, data files and software applications; and
• Ensure that firewalls are installed to prevent data corruption from
unauthorized access, both internal and external.

Controls should be designed to manage the operations of the system and to
ensure that programmed procedures are applied correctly and consistently
during the processing of data. Computer controls such as scheduling of
processing time, execution of programs by competent personnel, monitoring
and review of the functioning of hardware, division and rotation of duties, and
maintenance of system and manual logs with regular management follow-up
should be in place.

5.8.4.2 System Software Programs

Controls should be designed for programs which do not process data, to
ensure that they are installed or developed and maintained in an authorized
and effective manner, and that access to system software is limited.
This could be achieved through security over system software, database
systems, networks and processing by users on personal computers. There
should be support structures, error correction methods and adequate
documentation for the systems.
Controls should be designed to ensure the continuity of processing, by
preventing system interruption or limiting it to a minimum.
Controls that should be in place include physical protection against the
elements such as fire, water and power. There should be an emergency plan
and disaster recovery procedures, provision of alternative processing
facilities, backups of data files, maintenance of hardware, adequate insurance,
cable protection, uninterruptible power supply, prevention of viruses and
personnel controls affecting security and continuity.

5.8.4.3 Information systems controls

With widespread reliance on information systems, controls are needed over
significant systems. Two broad groupings of information systems control
activities can be used. The first is general controls, which apply to many if not
all application systems and help ensure their continued, proper operation. The
second is application controls, which include computerized steps within
application software to control the technology application. Combined with
other manual process controls where necessary, these controls ensure
completeness, accuracy and validity of information.

5.8.4.4 General controls

General controls include controls over information technology management, which address
the information technology oversight process, monitoring and reporting
information technology activities, and public institution’s improvement
initiatives. Other controls include information technology infrastructure,
security management and software acquisition, development and
maintenance. These controls apply to all systems from mainframe to
client/server to desktop computing environments.

5.8.4.5 Application controls

Application controls are designed to ensure completeness, accuracy,
authorization and validity of data capture and transaction processing.
Individual applications may rely on effective operation of controls over
information systems to ensure that interface data are generated when
needed, supporting applications are available and interface errors are
detected and corrected timeously.
Because each public institution has its own set of objectives and
implementation approaches, there will be differences in objectives, structure
and related control activities. Even if two public institutions had identical
objectives and structures, their control activities would likely be different,
because they are managed by different people who exercise individual
judgment in effecting internal control. Moreover, controls reflect the
environment and industry in which a public institution operates, as well as the
complexity of its operations, its history and its culture. The Control Objectives
for Information and related Technology (COBIT) framework should be utilized
for proper guidance on information technology controls.

5.9 Monitoring
Risk management processes must be regularly monitored; a process that
assesses both the presence and functioning of its components and the quality
of their performance over time. Monitoring can be done in two ways, through
ongoing activities, separate evaluations, or both. This will ensure that risk
management continues to be applied at all levels and across the public
institution.
Ongoing monitoring is built into the normal, recurring operating activities of a
public institution, is performed on a real-time basis and reacts dynamically to
changing conditions and is ingrained in the public institution. As a result, it is
more effective than separate evaluations. Since separate evaluations take
place after the fact, problems often will be identified more quickly by ongoing
monitoring routines. Many public institutions with sound ongoing monitoring
activities nonetheless conduct separate evaluations of risk management.
The frequency of separate evaluations is a matter of management's
judgment. In making that determination, consideration is given to the nature
and degree of changes, from both internal and external events, and their
associated risks, the competence and experience of the personnel
implementing risk management strategies and related controls and the results
of the ongoing monitoring. Usually, some combination of ongoing monitoring
and separate evaluations will ensure that risk management maintains its
effectiveness over time.

The extent of documentation of a public institution’s risk management varies
with the public institution’s size, complexity and similar factors. The fact that
elements of risk management are not documented does not mean that they
are not effective or that they cannot be evaluated. However, an appropriate
level of documentation usually makes monitoring more effective and efficient.
Where management intends to make a statement to external parties
regarding risk management effectiveness, it should consider developing and
retaining documentation to support the statement.
All risk management deficiencies that affect a public institution’s ability to
develop and implement its strategy and to achieve its established objectives
should be reported to those positioned to take necessary action. The nature of
matters to be communicated will vary depending on individuals' authority to
deal with circumstances that arise and on the oversight activities of superiors.
The term “deficiency” refers to a condition within the risk management
process worthy of attention. A deficiency, therefore, may represent a
perceived, potential or real shortcoming, or an opportunity to strengthen the
process to increase the likelihood that the public institution’s objectives will be
achieved. Information generated in the course of operating activities usually
is reported through normal channels. Alternative communications channels
also should exist for reporting sensitive information such as illegal or
improper acts, fraud, corruption and theft.
Providing relevant information on risk management deficiencies to the right
stakeholders is critical. Protocols should be established to identify what
information is needed at a particular level for effective decision making. Such
protocols reflect the general rule that a risk owner should receive information
that affects actions or behavior of personnel under his or her responsibility, as
well as information needed to achieve specific objectives.

Monitoring and oversight of risk management processes by the Chief Risk
Officer, the Audit Committee and the Risk Management Committee must be on
a predetermined basis.