Environmental Affairs Department: REPUBLIC OF SOUTH AFRICA environmental affairs
Risk Management Guide

CONTENTS

FOREWORD 4
INTRODUCTION 5
  Purpose 5
  Structure 6
GUIDEBOOK: WHAT IS RISK MANAGEMENT?
  INTRODUCTION 8
  DEFINITION 8
  OVERVIEW 9
    Why do we need risk management? 10
    Corporate governance 10
    Planning and organisation 11
    Continuous risk assessment 11
    Evolution of risk management 12
    Internal audit plans 12
    Cultural adjustment 13
  CONCLUSION 13
GUIDEBOOK: RISK IDENTIFICATION
  INTRODUCTION 14
  THE RISK IDENTIFICATION PROCESS 14
    Understand what to consider 15
    Gather information to identify risks 16
    Apply risk identification tools 17
    Document/record risks identified 18
    • Risk identification examples 20
    • Document the risk identification process 22
    • The outputs of risk identification 22
GUIDEBOOK: CONTROL ACTIVITIES
  INTRODUCTION 23
  OUTPUTS 23
  CONTROL TYPES AND CONTROL TIMING 23
    • Management controls 23
    • Administrative controls 24
    • Accounting controls 24
    • Information technology controls 24
  CONSIDERATIONS FOR IMPROVING CONTROLS 25
  ASSURANCE ON CONTROL ACTIVITIES 26
GUIDEBOOK: RISK ASSESSMENT
  INTRODUCTION 26
  THE APPROACH 27
    • Identify and evaluate control effectiveness 28
    • Determine the risk impact and likelihood 29
    • Determine the overall risk rating 30
    • Document the risk assessment process 30
    • The outputs of the risk assessment process 31
GUIDEBOOK: RISK RATING
  IMPACT 32
  LIKELIHOOD 33
  RISK EXPOSURE 34
GUIDEBOOK: RISK RESPONSE STRATEGY
  INTRODUCTION 35
  DEVELOPING A RISK RESPONSE STRATEGY 35
    • Identify and select appropriate risk response option 36
    • Assign risk ownership 38
GLOSSARY 39

FOREWORD

The concept of risk management is not new to the public service, in that the basic principles of service delivery (Batho Pele, 1997) clearly articulate the need for prudent risk management to underpin the achievement of Government's objectives. The DEA Enterprise Risk Management Handbook forms the basis of our efforts to improve the risk management capability of the DEA in support of achieving a risk intelligent culture. We need to enhance our capability to identify, manage and monitor those risks at a strategic, operational and process level that may impact (positively and negatively) on the DEA achieving its mandate and strategic intent. Further, it is important for all of us to understand that the responsibility for risk management vests at all levels of management and is not limited to only the accounting officer, the Enterprise Risk Management Directorate and Internal Audit. Therefore, the decision-making processes of the DEA must at all times consider both risk and reward whilst meeting the needs and expectations of our stakeholders and partners. The handbook provides a structured and uniform approach for achieving the above.

Mr Alf Willis
Director General (Acting)
Date: 19/06/2013

1. INTRODUCTION

1.1 Purpose

The DEA Enterprise Risk Management Guide represents the source of reference and guidance for management and staff on the governance, implementation and execution of risk management within the organisation. The Guide's purpose is to create a structured and consistent approach to risk management, aligning strategy, processes, people, technology and information systems for the purpose of evaluating and managing the uncertainties that the DEA faces due to the nature of its business and changes in its environment, legislation and control environment.
Starting from the premise that risk is an unavoidable consequence of any organisation's activities, the aim of the Guide is to provide the overall direction within which management and employees can operate in order to embed a strong risk management culture throughout the DEA. The Guide outlines the DEA's beliefs about risk, how it chooses to manage risk, and the value that the DEA seeks. The Guide details the commitments the DEA has made to Enterprise Risk Management (ERM) and the approach to be followed in implementing ERM and managing risks.

This Guide provides the foundation for creating a culture of risk management in the organisation that is embedded in all its operational processes. This Guide further serves as a base to set objectives regarding the level of ERM performance and responsibility that the DEA shall strive to achieve, and against which all ERM activities and operations shall be evaluated. On a practical level, the Guide also serves to ensure that the results and intelligence provided by the risk management processes inform decision-making and priority setting at all levels of the organisation. Finally, the Guide acknowledges the Public Sector Risk Management Framework and endeavours to align with the principles of risk management recommended within the public sector.

1.2 Structure

This Guide comprises the following:
1. DEA Enterprise Risk Management (ERM) Framework (graphical representation)
2. Guidebooks:
   a) What is risk management
   b) Risk identification
   c) Control activities
   d) Risk assessment
   e) Risk rating
   f) Risk response strategy
   g) Glossary of risk management terminology

DEA ENTERPRISE RISK MANAGEMENT FRAMEWORK

Figure 1: DEA Enterprise Risk Management (ERM) Framework. The figure is a diagram; the elements recoverable from its labels are listed below, organised around the DEA Strategy:
1. DEA Enterprise Risk Management
2. Legal Mandate: PFMA S 38(1)(a)(i) and S45; Treasury Regulations Sections 3.2.1 and 3.2.7(a)
3. Policy: Enterprise Risk Management Policy; Fraud Risk Management Policy
4. Structures & Responsibilities:
   • Oversight: Fraud Prevention Committee (FPC), Risk Management Committee (RMC), Audit Committee (AC), Parliamentary Committees, National Treasury
   • Assurance: Internal Audit, Auditor General
   • Roles and Responsibilities (incl. reporting lines)
5. Coaching & Training
6. ERM Process:
   • Establish the context
   • Identify event(s) (inclusive of contributing factors & consequences)
   • Communicate positive events to the Strategy function
   • Conduct risk assessment
   • Develop action plans
   • Execute plans
   • Monitor, review & report on risk mitigation
7. ERM Information System: Information Database(s)
8. ERM Reporting: Risk Registers; Programme/unit RM Reports; Audit Committee; Fraud Prevention Committee; Annual Report Disclosure
9. ERM Methodologies (Tools & Techniques): CSA; Root Cause Analysis; KRIs; Scenario Planning; Risk Assessment; Risk Analysis Matrix
10. Internal Controls
11. Monitoring & Reviews

GUIDEBOOK: WHAT IS RISK MANAGEMENT?

1. INTRODUCTION

The term 'risk management' is currently used very liberally within institutions. For example, safety, security, disaster management, business continuity, insurance and internal audit are often referred to as "risk management". It is certainly true that these functions form part of the wider subject of risk management, but the term 'risk management' means a deliberate focus on all risks of an institution. The term 'enterprise risk management' (ERM) has become a popular way of describing the application of risk management throughout the institution rather than only in selected business areas or disciplines. Risk management is a management discipline with its own techniques and principles. It is a recognised management science and has been formalised by international and national codes of practice, standards, regulations and legislation.
Risk management forms part of management's core responsibilities and is an integral part of the internal processes of an institution. This guidebook will use the simpler term 'risk management' and will explain the function in broad terms, showing how the various technical disciplines associated with risk form part of this wider field.

2. DEFINITION

Risk management is a systematic process to identify, evaluate and address risks on a continuous basis before such risks can impact negatively on the institution's service delivery capacity. This is not the only definition of ERM, as a number of alternative definitions are also used by the ERM community. The DEA defines risk management as the culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects. When properly executed, risk management provides reasonable, but not absolute, assurance that the institution will be successful in achieving its goals and objectives.

3. OVERVIEW

Risk management addresses all kinds of material risks to the objectives of the institution. It does not have a bias towards any particular risk control function. Risk management must address all parts of the institution, and no part of the institution can claim that it does not need to participate in its processes. Risk management eventually works its way through the entire institution so that all levels of management participate in its processes. Existing risk-related functions such as security risk management, health and safety risk management, etc. must also align their activities with the institution's risk management plan. This alignment of activities then allows risk management to be reconfigured as ERM.

Many managers have justifiably asked why 'risk' needs a separate focus, and why it cannot be managed as before. The main reason is that the service delivery environment and the public sector's interface with stakeholders have become far more demanding and volatile than before. Historical ways of doing things are no longer effective, as evidenced by a number of service