14. Risk identification 


(1) Risk identification is a deliberate and systematic effort to find, recognise, describe and document the Institution's risks, with the main focus being on the risks that have a significant impact on the Institution's objective.

(2) The purpose of risk identification is to understand what is at risk within the context of the Institution's explicit and implicit objectives and to generate a comprehensive inventory of such risks based on the threats and events that might prevent, degrade, delay or enhance the achievement of the objectives.

(3) The risk identification process should expose what is uncertain, as well as the source(s), cause(s) and the consequence(s) of uncertainties.

(4) The risk identification process must be able to respond to the typically dynamic nature of the risk environment by being able to timeously detect new and emerging risks, as well as risks that are no longer relevant.

(5) The risk identification process should cover all risks, regardless of whether or not the sources of such risks are within the direct control of the Institution.  A risk must not be ignored because the Institution does not have control over it.

(6) Risk identification should be inclusive, not overly rely on the inputs of a few senior officials and should also draw as much as possible on unbiased independent sources, including the perspectives of important stakeholders.

(7) Risk workshops and interviews are useful for identifying, filtering and screening risks but it is important that these judgement-based techniques be supplemented by more robust and sophisticated methods where possible, including quantitative techniques.   

(8) Risk identification should be strengthened by supplementing management's perceptions of risks with independent information and quantitative analysis. Depending on the risk being considered the following could provide useful information:

a) review of external and internal audit reports;

b) financial analyses;

c) historic data analyses;

d) actual loss data;

e) incident reports;

f) insurance survey reports;

g) health and safety surveys;

h) fraud risk assessment reports;

i) operational research;

j) scenario analyses;

k) forecasting and stress testing;

l) interrogation of trends in key performance indicators;

m) benchmarking against peer group or quasi peer group;

n) market and sector information;

o) specialist and expert judgements;

p) oversight reports issued by relevant authorities such as National Treasury, Provincial Treasury and others, and

q) national and global risk reports such as those issued by the World Economic Forum and the Institute of Risk Management South Africa.

(9) Identification of risk should extend across the Institution's entire value chain for producing and delivering services or goods, to identify the threats and opportunities posed by the value chain participants to the Institution's performance.

(10) Contingent risks such as those inherent in guarantees provided to entities and public private partnership arrangements must not be neglected.

(11) The Institution must be aware of specific prescriptions and/or guidance by regulatory and other relevant authorities concerning risk identification and reporting protocols.


15. Focus points of risk identification

(1) To ensure a comprehensive process of risk identification, the Institution should identify risks by considering both internal and external risk factors, through:

a) Strategic risk identification to identify risks ensuing from the strategic choices made in the Integrated Development Plan (IDP), as well as execution risk associated therewith:

i) the Institution's strategic risks should be identified and documented as part of the Institution's strategy setting process, which is assumed to include the consideration of threats and opportunities, and uses the Institutional risk register as one source of information;

ii) strategic risk identification as part of the process to finalise the IDP ensures that strategic targets are risk-adjusted to ensure that they are realistic and achievable within existing and acquirable capacity;

iii) it also helps focus the risk plan to take account of the identified strategic risks that need to be managed through the normal functioning of the system of risk management, and

iv) strategic risks should be formally reviewed concurrently with changes in strategy, or at least once a year to consider new and emerging risks.

b) Operational risk identification based on the SDBIP to identify risks concerned with the Institution's operations:

i) operational risk identification should concern itself with identifying events that retard or advance the achievement of the SDBIP; 

ii) the process should examine vulnerabilities and opportunities presented by employees, Institutional processes and systems, contractors, regulatory authorities and external events using a variety of relevant sources and techniques, such as those mentioned in 14(7);

iii) operational risk identification should be an embedded continuous process to identify new and emerging risks and consider changes in known risks using mechanisms such as management and committee meetings, environmental scanning, process reviews and the like, and

iv) operational risk identification should be repeated when significant environmental or Institutional changes occur, or at least once a year, to identify new and emerging risks.

c) Project risk identification to identify risks inherent to particular projects:

i) project risks should be identified for all major projects, covering the whole lifecycle, and  

ii) for long term projects, the project risk register should be reviewed at least once a year to identify new and emerging risks.  

