CHAPTER 7 - RISK RESPONSE
17. Responding to risks
(1) Risk response is concerned with developing appropriate strategies, tactics and internal controls to address risks.
(2) Risk response should also make provision for the exploitation of opportunities to improve the performance of the Institution.
(3) Management should develop response strategies for all priority risks, whether or not the management thereof is within the direct control of the Institution, prioritising the risks exceeding or nearing the risk appetite level.
(4) Where the management of the risk is within the control of the Institution, the response strategies should consider:
a) to the extent that avoiding the risk is not in violation of its constitutional mandate, avoiding the risk by, for example, choosing a different strategy or terminating the activity that produces the risk;
b) treating the risk by, for example, implementing or improving the internal control system to deal with the risk events;
c) transferring the risk (but not the accountability for achieving the related objective) to another party more competent to manage it by, for example, contracting out services, establishing strategic partnerships and buying insurance;
d) accepting the risk where cost and strategy considerations rule out alternative strategies, and
e) exploiting the risk factors by implementing strategies to take advantage of the opportunities presented by such risk factors.
(5) In instances where risk is unavoidable but also not within the control of management, the response strategies should consider measures such as forward planning and lobbying. The assistance of Council as well as provincial and national government is vital in such instances and should be called upon as necessary.
(6) Risk responses must produce net positive outcomes, that is to say, they must reduce net negative outcomes or maximise positive outcomes. It is therefore important to ensure, through careful thought before implementation and monitoring thereafter, that responding to risks does not inadvertently produce adverse results. A typical example would be where actions taken in one area stifle the performance of another, with the end result that the Institution is placed in a worse position.
(7) Response strategies should be documented and the responsibilities and implementation timelines should be communicated to the relevant persons.
(8) Incidents (risks that have eventualised) must be addressed in terms of the Institution's Incident Management and/or Business Continuity & Disaster Recovery processes. However, the possibility that new risks have been triggered should also be considered when this happens.
18. Designing control activities to mitigate risks
(1) Management is responsible for designing, implementing and monitoring the effective functioning of the system of internal controls.
(2) Without derogating from the above, everyone in the Institution also has responsibility for maintaining effective systems of internal control, in line with their delegated authority.
(3) Management should develop the internal control architecture through:
a) preventative controls to prevent errors or irregularities from occurring, e.g. physical security of assets to prevent theft;
b) detective controls to find errors or irregularities after they have occurred, e.g. performance of reconciliation procedures to identify errors, and
c) corrective controls that operate together with detective controls to correct errors or irregularities.
(4) The internal control architecture should include:
a) management controls to ensure that the Institution's structure and systems support its policies, plans and objectives, and that it operates within laws and regulations;
b) administrative controls to ensure that policies and objectives are implemented in an efficient and effective manner;
c) accounting controls to ensure that resources are accounted for fully and transparently and are properly documented, and
d) information technology controls to ensure security, integrity and availability of information.