Public Sector Risk Management Framework


Contents

1 BACKGROUND

1.1 Purpose

1.2 Applicability

1.3 Background of risk management

1.3.1 Government objectives and risk management

1.3.2 What is risk?

1.3.3 Risk Management

1.3.4 Enterprise Risk Management

1.4 Enterprise Risk Management Architecture

2 DRIVERS OF RISK MANAGEMENT

2.1 Risk management as a service delivery imperative

2.2 Legal Framework

2.3 Corporate governance guidelines

3 ENABLERS OF RISK MANAGEMENT

3.1 Risk Management Policy

3.2 Risk Management Strategy

3.3 Basic requirements for effective ERM implementation

3.3.1 Competent personnel

3.3.2 Information, Tools and Technology

3.3.3 Funding for ERM

4 EVALUATION OF ERM

4.1 Continuous improvement


User guidelines

Executive Authority

Accounting Authority / Officer

Management

Other Personnel

Chief Risk Officer

Risk Champions

Risk Management Committee

Audit Committee

Internal Auditors


Templates

ERM Policy

ERM Strategy

Risk Management Committee Charter

Fraud Prevention Policy

Risk Categories

Risk Rating Matrix

Guidance on establishing risk tolerance levels

Typical reporting lines of the risk management function


1               BACKGROUND

1.1        Purpose

The Public Sector Risk Management Framework (Framework) represents the pre-eminent source of reference and guidance on risk management practices in the public sector.  The Framework aims to support the objectives of public sector institutions through providing information and guidance to enable the implementation and maintenance of effective systems to identify and mitigate the risks that threaten the attainment of service delivery and other objectives, and optimise opportunities that enhance institutional performance.

The Public Sector Risk Management Framework updates and builds on the National Treasury Risk Management Framework published in 2004.  The Framework retains much of the core information of its predecessor, however, in this edition greater emphasis has been given to simplifying the theoretical and technical aspects of risk management so as to aid understanding and implementation.  The distinguishing features of the revised Framework are the improved design and layout, inclusion of detailed guidelines for various user groups and the provision of ready to use tools and templates, all of which are supported on an electronic platform.

The Framework comprises all components of the Enterprise Risk Management Architecture.  Accordingly, the terms “Framework” and “ERM Architecture” may be used interchangeably.

1.2        Applicability

Public sector institutions are not homogeneous, hence it is not possible to produce a single blueprint for risk management that can be duplicated across public sector institutions.  The Framework therefore elucidates the principles proven to support and sustain effective risk management.  Institutions are expected to develop their systems of risk management by applying these principles and by adapting the tools and templates provided herein to suit their own unique environments.

Being principles-based, the Framework is generic to all spheres and sectors of Government and is applicable to:

o       National departments;

o       Constitutional institutions;

o       Public entities;

o       Provincial departments;

o       Provincial public entities;

o       Municipalities; and

o       Municipal entities.


1.3        Background of risk management

1.3.1  Government objectives and risk management

The concept of risk management is not new to the public service, as the basic principles of service delivery (Batho Pele, 1997) clearly articulate the need for prudent risk management to underpin the achievement of government objectives.

Public sector institutions are bound by constitutional mandates to provide products or services in the interest of the public good.  As no institution has the luxury of functioning in a risk-free environment, public sector institutions also encounter risks inherent in producing and delivering such goods and services.  Stakeholders understand this but expect public institutions to perform without any unnecessary exposure to risk.  In other words, stakeholders are averse to value erosion caused by risks that ought to be detected and avoided through prudent management actions.

The public sector environment is fraught with unique challenges, such as lack of capacity, lengthy decision lead times, limited resources, competing objectives and infrastructure backlogs to mention a few.  Such dynamics place an extra risk management burden on public sector managers.


Risk management is a management tool that increases an institution’s prospects of success through getting it right the first time and minimising negative outcomes.  Value is maximised when institutions set clear and realistic objectives, develop appropriate strategies, understand the intrinsic risks associated therewith and direct resources towards managing such risks on the basis of cost-benefit principles.  Within high performing institutions, risk management is a strategic imperative rather than an option.

Seen in this context, it is clear why Government places a high importance on positioning risk management as a central part of service delivery improvement.  Such importance is further emphasised with the various legislative instruments which make up the Legal Framework for risk management in the public sector.

1.3.2  What is risk?

There are numerous definitions of risk, which are informed principally by the context in which they are applied.  Institutions need to adopt a definition that best contextualises risk in their specific environment.

A generic definition of risk is adopted in the Framework, as follows: “A risk is any threat or event that is currently occurring, or that has a reasonable chance of occurring in the future, which could undermine the institution’s pursuit of its goals and objectives.”

Risks manifest as negative impacts on goals and objectives or as missed opportunities to enhance institutional performance.  Stakeholders expect public sector institutions to anticipate and manage risks in order to eliminate waste and inefficiency, reduce shocks and crises and to continuously improve capacity for delivering on their institutionalised mandates.


1.3.3  Risk Management

Risk management forms part of management’s core responsibilities and is an integral part of the internal processes of an institution.  It is a systematic process to identify, evaluate and address risks on a continuous basis before such risks can impact negatively on the institution’s service delivery capacity.

When properly executed, risk management provides reasonable, but not absolute, assurance that the institution will be successful in achieving its goals and objectives.

1.3.4  Enterprise Risk Management

Enterprise risk management (ERM) is the application of risk management throughout the institution rather than only in selected business areas or disciplines.  ERM recognises that risks (including opportunities) are dynamic, often highly interdependent and ought not to be considered and managed in isolation.  ERM responds to this challenge by providing a methodology for managing institution-wide risks in a comprehensive and integrated way.


1.4        Enterprise Risk Management Architecture

Any successful ERM implementation relies on an architecture that considers various interrelated and interdependent components.  The public sector framework adopts the following architecture, consisting of:

o       Process framework;

o       Drivers;

o       Enablers;

o       Human resource capacity, consisting of:

        o       Implementors;

        o       Support specialists; and

        o       Assurance providers.

o       Tools and technology; and

o       Oversight Framework.

The ERM architecture is depicted graphically below:

The complete process framework consists of the following components, each of which is described in more detail in its own section:

o       Internal environment (Establishing a proper environment in which ERM can function)

o       Objective setting (Establishing objectives aligned to the institution’s mission, which become the reference point for identifying and assessing risks and determining risk appetite and risk tolerance)

o       Risk identification (The process concerned with identifying events that produce risks that threaten the achievement of objectives)

o       Risk assessment (The process concerned with determining the magnitude of risk exposure by assessing the likelihood of the risk materialising and the impact that it would have on the achievement of objectives)

o       Risk response (The process concerned with determining how the institution will mitigate the risks it is confronted with, through consideration of alternatives such as risk avoidance, reduction, risk sharing or acceptance)

o       Control activities (Establishing policies and appropriate procedures such as approvals, authorisations, segregation of duties, reconciliations and physical safeguards to ensure that the chosen risk responses are implemented)

o       Information and communication (The process of identifying, capturing and communicating information to enable officials to carry out their responsibilities)

o       Monitoring (The process of monitoring and assessing the presence and functioning of the various components over time)

2               DRIVERS OF RISK MANAGEMENT

2.1        Risk management as a service delivery imperative

Risk management benefits the institution by underpinning and bolstering institutional performance through: