Enterprise Risk Management
A new focus

Presented by: Phumi Madlala
eThekwini Municipality

Agenda
• The Risk Management Process:
  – Definitions
  – Introduction and background
  – Benefits of Risk Management
  – Enterprise Risk Management (ERM) Process
• Conducting Corruption Risk Assessment:
  – Preparation
  – During the risk assessment
  – Outcome – risk register
  – Ongoing monitoring & reporting

Definitions
- Risks are uncertain future events that could influence achievement of objectives
Risk Management:
- Management tool for creating awareness & managing obstacles that have the potential to prevent the organization from achieving its objectives;
- Is also about assessing, both quantitatively and qualitatively, the opportunity for success of business initiatives;
- Is composed of methodologies and processes which are designed to develop information critical to achieving the strategic objectives of the organization

Legislative mandate
1. MFMA, S 62 (1) (c) states: “the accounting officer must ensure that the municipality has and maintains effective, efficient and transparent systems of financial and risk management and internal control”
2. S 78 and 105 further assign the responsibilities to other officials to ensure “effective, efficient, economical and transparent use of financial and other resources within that official’s area of responsibility”
3. S 165 (2) (b) requires the internal audit unit to advise the AO on matters related to … (iv) risk and risk management
4. S 166 (1) requires the audit committee to advise the municipal council, political office-bearers, AO and management staff on matters related to … (ii) risk management
5. King III Code on Corporate Governance and Public Sector Risk Management Framework states: “The Council/ Board is responsible for the total process of risk management, as well as for forming its own opinion on the effectiveness of the process.”

Value-add from Risk Management
• Highlights processes that are not clearly understood;
• Identifies processes that are inefficient;
• Promotes efficiency of service delivery;
• Creates awareness of high risk areas and ensures uniformity in addressing exposure areas;
• Creates awareness of what can/cannot be controlled;
• Ensures reasonable and practical time is taken to implement required responses;
• Promotes pro-active rather than re-active responses (reduces surprises);
• Increases the probability (likelihood/chances) of achieving goals

Results of Ineffective Risk Management
• Breakdown in internal control that could prevent the organization from achieving its objectives;
• Reactive responses to potential risks, rather than proactive;
• Changing/new risks are not adequately controlled and managed;
• Internal control practices become outdated, with limited account taken of best practice development;

eThekwini Risk Management Governance Structure
[Diagram: Oversight; Management; Assurance; Governance; Council and Key Committees; Audit and Risk Committee; City Manager and Key Committees; Managing Risk & Municipality Sub Committee; Risk Management Committee; DCM Forum; Chief Risk Officer; Risk Champions; Management of Operations; Internal Audit and External Auditors; First Line of Defence; Second Line of Defence; Third Line of Defence]
eThekwini Municipality - EXCO ERM

Risk Management Strategy Overview
[Diagram: Establish Goals & Context; Identify Risks; Analyse Risks (Likelihood, Impact); Evaluate the Risks; Treat the Risks; Monitor / Review; Consultation / Communication]

Corruption Risk Assessment
Corruption Risk Management
- Part of Enterprise Risk Management, focusing only on exposures that are a result of corrupt activities;
- Best approach to managing fraud/corruption:
  – Prevent it;
  – Whatever cannot be prevented, controls should detect quickly;
  – Investigate the root cause of detected/reported fraud cases;
  – Correct root causes/Take quick action

Corruption Risk Assessment
Risk Assessment: The process of identifying risk exposures and assessing their likelihood and the impact they would have on the achievement of objectives. The process also involves evaluating suitable ways to mitigate corruption risks and assessing the effectiveness of controls.
ERM:
• Fraud/corruption risk forms one category of the risks that are significant within eThekwini Municipality, which is managed separately at a strategic level;
• Top down approach – strategic risks are cascaded down to operations
Link between risk categories:
• Some risks are inter-linked, e.g. failure to manage fraud/corruption risk results in high exposure to compliance risk and by default operational risk (due to weakness in controls), which might lead to reputational risk.

Role of compliance in fraud/corruption prevention
[Diagram: Highly compliant organizations; strong ethical environments; reduced fraud/corruption risk]

Preparation by facilitator
• Assessing the environment’s exposure to corruption;
  – Inherent risk exposures;
  – Perform trends analysis based on stats or working with the research/forensic unit;
  – Understand the sector, read journals/publications like Delivery, and most importantly your organisation’s control environment/operations within your environment;
  – Stakeholders and their influence on the environment;
  – Separate facts from opinions;
  – Recent media reports & perceptions of the organisation (surveys)
• Establish current risk tolerance level;
  – Tone at the top;
  – Sound ethical culture;
  – Regular/ongoing training of staff, updates of training manuals, relevance to level of audience according to expectations
• Pro-active defence (mitigations)
  – Periodic results of data interrogation in relation to corruption risk assessment;
  – Be familiar with existing controls from first point of contact with the organisation, e.g. background checks prior to employment/engagement with service providers/customers;
• Sound internal control system
  – Frequent review and update of anti-corruption policies and procedures;
  – Ensure alignment of company policies/procedures with regulations/legal findings/forensic developments/sector developments
  – Assurance providers: establish relationships with them, ongoing consultations – recent findings on exposures to corruption

Preparing for Corruption Risk Assessment
Important Considerations:
• Best suitable form of risk assessment to use: management workshop vs information gathering;
• Level at which you are assessing exposure to corruption, e.g. strategic vs operational (dpt’s) – invite the right audience;
• Management’s tone regarding prevention of corruption, e.g. understanding of/familiarity with anti-corruption policies/strategies; support structures; understanding of risk process/are they defensive - personalise issues/performance management;
• Adequate notification: pre-reading which directs focus on existing exposures/control environment/stats from forensics/IA reports/management report/regulatory developments/other recent developments to combat fraud/corruption within the sector (Local Govern Anti-Corruption Strategy)
• Logistics:
  – Suitable venue – promote interaction/co-operation, away from office distractions, no laptops during session/use of cellphones;
  – Duration of assessment – reasonable approximation, worse is to under-estimate time; control discussions
• Pre-planning with leader (buy-in) outlining process/expectations/outcome. He sets the tone during introduction of the corruption risk assessment.

During the Assessment
• Introduction by Head: Strategic/Operational. Communicate expectations/set tone - promote participation & freedom of expression/assessment based on facts rather than opinions;
• Introduction by facilitator – outline the process/methodology & outcome;
• Reference to pre-reading;
• Control discussions to focus on facts & desired outcome;
• Ensure audience participation and buy-in;
• Understand root causes for each risk properly so that correct controls and relevant actions to address exposures can be identified;
• Adherence to risk management standards/specifically anti-corruption framework/strategy;

Corruption Risk Register
Outcome:
• Risk register with identified strategic/operational corruption risks;
• Risk owners – strategic (City Manager/Executives)/operational (Dpt Heads);
• Impact & likelihood for each risk - per methodology;
• Assessment of current controls i.t.o. effectiveness (IA & other assurance providers);
• Tasks to improve our exposure to each risk:
  – to address root causes; and
  – to strengthen current controls; or
  – once implemented, to add to existing controls
• Allocate task owners - based on areas where risk is prevalent, and suitability to implement action to mitigate root causes;
• Strategic risks to be cascaded down at operational level.

Ongoing monitoring of corruption risk
• Independent annual review of the anti-corruption strategy and its effectiveness in reducing corrupt activities by Internal Audit;
• Anti-corruption/Fraud Prevention Committee – reporting on implementation of strategy & anti-corruption/fraud prevention initiatives;
• Governance audit of committees on implementing action per TORs;
• Monitoring progress of tasks on corruption risk registers (strategic & operational);
• Quarterly review of existing risks & identification of emerging risks due to change in internal/external environment;
• Reporting progress to appropriate structures;
• Ensure implementation of forensic report recommendations to enhance internal controls;
• Training of staff on their responsibility to report corruption & fraud activities;
• Promotion of ethical culture throughout the municipality;
• Communicate successes in uprooting corruption;
• Response strategy on allegations/articles from media;

References
• Quotes have been taken from various risk management & anti-corruption standards, best practice & guidelines.

THOUGHT PROVOKING QUOTES:
“The true measure of a man is who he is when nobody is watching”;
“Perception is more powerful than fact when it comes to fraud/corruption”;
“If you don’t invest in risk management, it does not matter what business you are in, it’s a risky business”
“The greatest contributions of risk managers is just carrying a torch around and providing transparency”

LET WHO WE ARE & OUR LIVES REPRESENT THE LIGHT THAT WE PROVIDE, &:
KEEP THE LIGHT BURNING.....ALWAYS

“Siyabonga”
“Thank You”