The implementation of the Institution’s risk management policy should be guided by a strategy approved by the Accounting Officer / Authority.
The risk management strategy is informed by the risk management policy and the Institution's risk profile. For example, a risk profile with a high level of threat to objectives will require a more rigorous commitment to risk management.
2. Developing a risk management strategy
The risk management strategy should include the following six main elements:
· A plan of action to improve the Institution’s risk management maturity;
· A focus on the prevention of fraud and corruption;
· The Institution’s risk management architecture and reporting lines;
· A description of the risk management modality;
· User guidelines; and
· Details of review and assurance of the risk management process.
The Institution must have a fraud prevention policy approved by the Accounting Officer/ Authority expressing the Institution’s commitment to managing fraud and corruption.
The Institution must develop a fraud prevention strategy (including a plan) to guide the implementation of the fraud prevention policy.
The risk management strategy should be written in straightforward and practical terms and avoid risk management jargon. It should reflect the language style and conventions of the Institution. The risk management strategy should not dwell too much on conceptual models and risk management theory.
The risk management strategy should include a risk management implementation plan, in the form of a project plan and record the tasks, names of responsible persons and target dates.
Documenting the risk management implementation plan also overcomes problems with changes in personnel and is a good way of creating risk awareness and promoting a culture of risk management.
3. Developing a risk management implementation plan
This plan is a well sequenced range of date-linked steps towards implementing the requirements specified in the risk management strategy and to some extent those contained in the fraud prevention plan. The risk management implementation plan is drafted once the risk management strategy and fraud prevention documents have been approved.
The following steps need to be taken when developing the risk management implementation plan:
· Determine the risk management activities to be performed taking into account the risk profile and related costs versus the benefits;
· Resourcing requirements
This element describes the capacity and competence of personnel and the strategy to address capacity gaps. It also addresses the technology and funding requirements to give effect to the risk management strategy;
· Determine the sequence of activities and the target implementation dates
The competition for management attention and resources requires that the sequence of activities should be founded on the principles of urgency, quick wins and sustainability of implemented risk mitigation strategies;
· Assign ownership for and communicate risk management activities; and
· Agree on frequency and format of reporting.
Consensus should be obtained regarding the frequency, content and responsibility for reporting.
The risk management strategy and risk management implementation plan should ideally be developed together to ensure connectivity and continuity. Both documents should be approved by the Accounting Officer / Authority and reviewed on an annual basis.