The term 'risk management' is currently used very loosely within institutions. For example, safety, security, disaster management, business continuity, insurance and internal audit are each often referred to as "risk management."
It is certainly true that these functions form part of the wider subject of risk management. But the term 'risk management' properly means a deliberate focus on all the risks of an institution, not on one of these specialist areas alone.
The term 'enterprise risk management' (ERM) has become a popular way of describing application of risk management throughout the institution rather than only in selected business areas or disciplines.
Risk management is a management discipline with its own techniques and principles. It is a recognised management science and has been formalised by international and national codes of practice, standards, regulations and legislation.
Risk management forms part of management's core responsibilities and is an integral part of the internal processes of an institution.
This guidebook will use the simpler term 'risk management' and will explain the function in broad terms, showing how the various technical disciplines associated with risk form part of this wider field.
Risk management is a systematic process to identify, evaluate and address risks on a continuous basis, before such risks can impact negatively on the institution's service delivery capacity. This is not the only definition of ERM; a number of alternative definitions are also used by the ERM community.
When properly executed, risk management provides reasonable, but not absolute, assurance that the institution will be successful in achieving its goals and objectives.
Risk management addresses all kinds of material risks to the objectives of the institution. It does not have a bias towards any particular risk control function. Risk management must address all parts of the institution, and no part of the institution can claim that it does not need to participate in its processes. Risk management eventually works its way through the entire institution so that all levels of management participate in its processes. Existing risk-related functions such as security risk management, insurance, health and safety risk management etc. must also align their activities with the institution's risk management plan. This alignment of activities is what allows risk management to reconfigure as ERM.
Many managers have justifiably asked why 'risk' needs a separate focus, and why it cannot be managed as before. The main reason is that the service delivery environment and the public sector's interface with stakeholders have become far more demanding and volatile than before. Historical ways of doing things are no longer effective, as evidenced by a number of service delivery and general governance failures. In response to this, the principles of corporate governance and associated legislation require public sector institutions to be more transparent and structured about the ways in which they manage and report on risk.
Stakeholders need to observe that the institution has a proactive and systematic approach to managing organisational risks.
Risk management is recognised by the public sector as an appropriate way of managing risk. Different institutions may have different existing responses to risk, ranging from safety management and insurable risk to internal control and public relations. It is important that different types of risk receive appropriate attention at an operational or process level. For the institution as a whole, however, stakeholders want to see a single coherent strategy for managing the institution's various risks.
4. Why do we need risk management? [i]
People often ask why the management of risk cannot remain within the ambit of general management. The truth is that it does, but risk management provides a dedicated focus on risk for the following reasons:
4.1 Corporate governance
Legislation such as the PFMA and the MFMA, together with corporate governance codes such as King II, expect an institution to implement a risk management plan. As a result of organisational failures in the past, stakeholders do not want to be caught unawares by risk events. They expect internal control and other risk mitigation mechanisms to be based on a thorough assessment of institution-wide risks.
Previously, members of Accounting Authorities were not involved in the details of risk management, because it was regarded as an operational function.
Stakeholders require assurance that management has taken the necessary steps to protect their interests. Corporate governance thus places the accountability for risk management in the hands of the Accounting Authority / Officer.
Executive Authorities, Accounting Authorities, Accounting Officers and stakeholders now want to know more about the risks facing an institution. This is understandable in an environment of complex and challenging service delivery expectations.
4.2 Planning and organisation
The value of risk management is best leveraged when its principles and techniques are applied during institutional planning processes and organisation. Given the increased levels of volatility and uncertainty, it is vital that plans, particularly multiple year plans, take into consideration a thorough assessment of risks and mitigation strategies.
For this purpose, existing tools and methodologies such as SWOT analysis, PEST analysis, Porter's model and internal reviews can be utilised to supplement the institution's risk management model. Hence it becomes clear that planning and organisation on the one hand, and risk management on the other, are inter-dependent.
4.3 Continuous risk assessment
The risk profile of an institution is fluid, which is to say that it is changing on a continuous basis. Some risks are created by changes initiated by the institution. Others are the result of changes in society, business, legislation or communities.
Even the best management teams will struggle to keep an accurate perspective of changing risks when risk management is approached on an informal basis.
The risk management plan must provide the institution with the ability to systematically identify new and emerging risks, and the assurance that existing risks are being addressed in the best possible way given the current resource constraints and other challenges.
Change is often beyond the control of management, but the risks that it creates need to be managed.
4.4 Evolution of risk management
Risk management has evolved over recent years. We have seen the integration of risk management techniques with fraud prevention, internal control and corporate governance. There has also been an integration of operational risk management functions into the broader umbrella of enterprise risk management. Aspects such as internal control, safety management, sustainability and environmental management, for example, have increased in importance in recent times. The broadening of risk management has seen a change in emphasis from risks as individual hazards to risks as uncertainties around key objectives.
Risk management has also seen the introduction of new participants into the process. The function is no longer confined to insurance staff, internal auditors, and loss prevention functions.
The wider approach to risk management has brought the function into the view of human resources officers, compliance officers, financial managers, ICT specialists and other functional managers.
4.5 Internal audit plans
Internal audit plans are now based on the outcomes of risk assessments. Internal auditors are increasingly basing their priorities on the risk management plan and give priority to high-risk assets and processes.
Internal audit is well-placed to independently validate key controls. The frameworks of internal control used by auditors are useful contributions to the risk management plan.
Internal audit is a key role player in the assurance process with regards to the effectiveness of risk management.
4.6 Cultural adjustment
The essential behaviours of officials charged with responsibility for the various activities of risk management must change. This requires a shift in the cultural dynamics insofar as they concern risk management, which can be achieved through awareness and advocacy, communication, coaching, training and linking risk management to performance measures.
Risk management must be a catalyst for change in the behaviour of managers. Managers need to develop competencies to ensure that they make conscious risk-based decisions. Rather than viewing risk management and its associated activities as mere bureaucracy, managers need to look at it as a powerful driver of service delivery excellence.
There is a danger that risks that fall outside traditional functions may go unmanaged and have serious consequences on the institutional objectives. The need for broad-based risk management is thus critical as it will also ensure that risks that were not previously given adequate attention are now properly managed. Risk management processes that are integrated within the institution's existing structures are likely to be more effective in producing the desired service delivery and other objectives.
[i] With thanks to IRMSA, adapted from ERM Code of Practice 2003.