5. Creating an enabling environment for the management of risks 

(1) In terms of section 62(1)(c)(1) of the MFMA, the Accounting Officer is responsible for ensuring that the Institution has an effective, efficient and transparent system of risk management. 

(2) An appropriate Institutional environment must exist to support such a system, therefore establishing and maintaining a conducive environment becomes a critical responsibility for the Accounting Officer.  

(3) The Institution's environment is the foundation of risk management, providing the underpinning culture, discipline, structure and processes that influence how strategy and objectives are established, how Institutional activities are planned and executed and how risks are identified, assessed and mitigated. 

(4) To create a conducive environment, the Accounting Officer should ensure that the Institution:

a) operates within its Constitutional mandate;

b) adopts a value system founded on a public service ethos;

c) embraces a positive institutional culture characterised, inter alia, by: respect for the Constitution and legal mandate(s) under which the Institution functions, respect for citizens and their needs, responsible stewardship of public resources and a commitment to exceptional performance;

d) has the required capacity to execute its mandate;

e) adopts management practices that embrace the concepts of delegation of authority, personal responsibility, accountability and performance management;

f) has an appropriate organisational structure supported by basic financial and management systems underpinned by risk management and internal controls, and

g) incorporates the elements of this Framework within job descriptions, operational policies and reporting procedures throughout the Institution, to enable risk management as an embedded and routine part of operations and responsibilities.

(5) A compliance culture is critical for the effective management of risks in the local government environment. The typical preponderance of legislation and regulations is intended to drive good behaviour by restricting undesirable risk taking and encouraging positive actions. Good compliance would normally correlate to good performance (read: good risk management) without the need for extravagant risk management practices.

(6) The capabilities of the entire Institution must be harnessed in the risk management effort through a process of combined assurance. Every employee, working group and committee should become an integral part of the collective system of risk management.  Their roles and expected contribution must be formally established and communicated and they need to be capacitated to perform accordingly. 

6. Setting institutional objectives 

(1) The Accounting Officer should establish objectives that are consistent with the Institution’s Constitutional mandate and follow the prescribed consultative process to solicit public inputs.

(2) The Accounting Officer must ensure that:

a) objectives are finalised through a rigorous analysis of the costs and citizenry value associated with incurring such costs;

b) services are appropriate, economical, efficient and equitable;

c) the Institution has and maintains an effective process to identify the risks inherent in the chosen objectives, and

d) the Institution is able to manage such risks effectively, economically and efficiently, or

e) the decision to assume relatively high risk is done in terms of an approved risk appetite framework.

7. Risk management policy 

(1) The Institution should operate within the terms of a risk management policy approved by the Accounting Officer, or the governing body in the case of municipal entities.

(2)  The risk management policy should: 

a) communicate the Institution’s risk management philosophy, particularly how risk management is expected to support the Institution in achieving its objectives;

b) incorporate a statement committing the Institution to implementing and maintaining an effective, efficient and transparent system of risk management;

c) define risk and risk management as they apply within the Institution’s particular context;

d) spell out the objectives of risk management;

e) outline the risk management approach, and

f) identify the key role players and their responsibilities. 

(3) The risk management policy should be communicated to all incumbent officials as well as new recruits within a reasonable time after they join the Institution.

8. Risk management strategy 

(1) The implementation of the Institution’s risk management policy should be guided by a strategy approved by the Accounting Officer, or the governing body in the case of municipal entities.   

(2) The strategy should include:  

a) a description of the risk management modality;

b) the Institution's risk management architecture, responsibilities for various activities and reporting protocols;

c) the current state of risk management and a plan of action to improve the Institution's risk management capabilities, and

d) details of review and assurance of the risk management process.

(3) The Institution must apply measures for combating fraud, corruption, favouritism and unfair and irregular practices in municipal supply chain management in terms of paragraph (112)(1)(m) of the MFMA.  Thus, the risk management strategy must specifically address this requirement. 

9. Organisational structure 

(1) The Accounting Officer should delegate the functions set out in chapter 14 to the Institution’s Chief Risk Officer.

(2) The Accounting Officer should further delegate functions to support the institutional system of risk management, being mindful of the need for optimal co-ordination and synergy of risk management activities.

(3) To give effect to the above, the work of business units, working groups and committees should be structured and co-ordinated through a process of combined assurance to provide a complete perspective of the Institution’s risk exposures as well as opportunities, and how they are being managed.

(4) The job profiles and performance management criteria of all staff, as well as the terms of reference for working groups and committees must incorporate their responsibilities for risk management.

10. Human resource capacity 

(1) Adequate human resources capacity, represented by the requisite staff complement and bearing the appropriate skills and experience, is fundamental to implementing and maintaining the system of risk management.

(2) All employees should be sensitised to the importance of risk management to the achievement of their individual performance objectives as well as the overall institutional objectives. 

(3) Training and development opportunities should be provided to equip employees to optimally execute their responsibilities as described in Section 3.  

(5) The Chief Risk Officer and staff reporting to him/her should possess the necessary skills, competencies and attitudes to execute the functions set out in Chapter 14.

(6) The job profiles and performance management criteria of all management and staff must incorporate their responsibilities for risk management.

11. Tools and technology 

(1) Tools and technology can produce considerable efficiencies by simplifying complex processes, providing business intelligence and accelerating otherwise time-consuming tasks in the risk management process. 

(2) The Institution should embrace the use of automated tools for acquiring, capturing, organising, storing and interrogating data, as well as for communicating and tracking information in order to reach higher levels of risk maturity.

(3) The above can be achieved by use of existing line of business applications as well as other support tools and technology already in use in the Institution, with adaptation as may be necessary. This should be considered first before investment in specialised systems is considered.   

(4) This Framework provides a number of tools which could be of benefit.

12. Funding the risk management activities 

(1) Financial commitments are needed to cover the cost of implementing, maintaining and continuously improving the state of risk management and control.     

(2) The Chief Risk Officer should control the operating and capital costs of running the Risk Management Unit.   

(3) The cost of implementing and improving controls should be the responsibility of the respective Risk Owners, who should provide for such costs in their capital or operational budgets.

(4) Financial commitments to risk management should be considered on the basis of cost versus the value that citizens derive.

