It is important that the Accounting Officer / Authority sets the right tone for risk management in the Institution. Although all staff will be aware of the need to prevent loss and to safeguard stakeholders' interests, they may not be quite so clear about the Institution's standpoint on risk.
The Institution should operate within the terms of a risk management policy approved by the Accounting Officer / Authority. This is a statement that declares the Institution's commitment to risk management.
It is therefore common for the Accounting Officer / Authority to publish a risk management policy. The risk management policy should be communicated to all incumbent officials and arrangements should be made for communicating the policy to all new recruits.
The risk management policy outlines the Institution's commitment to protecting the Institution against adverse outcomes, which may impact negatively on service delivery. It will also confirm the Institution's commitment to legal and regulatory compliance.
The risk management policy is a brief statement about the Institution's commitment to risk management. It can be replicated in the risk management plan. It is advisable to publish and circulate the risk management policy to existing and new staff as part of the risk awareness strategy.
The objectives of the risk management policy could include the following:
· Alignment of the risk-taking behaviour of the Institution with strategic business objectives;
· To promote a risk management culture in all spheres of government and improve risk transparency to the shareholder;
· To maximise shareholders' value and net worth by managing risks that may impact the defined financial and performance drivers;
· To assist the Institution in enhancing and protecting those opportunities that represent the greatest service delivery benefits.
3. How to draft a risk management policy
A risk management policy communicates the Institution's stance with regard to risk management. The risk management policy is informed by the Institution's risk profile, appetite for risk, loss tolerance levels, regulatory compliance expectations, safety and health demands, sustainability management, corporate governance requirements, etc.
The risk management policy should:
· be drafted in consultation with key stakeholders;
· be reviewed at least annually to reflect the current stance on risk management;
· communicate the Institution’s risk management philosophy in the context of how risk management is expected to support the Institution in achieving its objectives;
· incorporate a statement committing the Institution to implementing and maintaining an effective, efficient and transparent system of risk management;
· define risk and risk management as they apply within the Institution’s particular context;
· spell out the objectives of risk management;
· outline the risk management approach; and
· identify the key role players and their responsibilities, such as:
o Executive Committee;
o Accounting Officer / Authority;
o Risk Management Committee;
o Audit Committee;
o Other Officials;
o Internal Audit;
o External Audit; and
o Chief Risk Officer.