SECTION 4: PERFORMANCE AND EVALUATION OF RISK MANAGEMENT
CHAPTER 29 - EVALUATION OF RISK MANAGEMENT EFFECTIVENESS
40. Evaluation of value add
(1) Evaluation of risk management effectiveness is vital to maximise the value proposition of risk management.
(2) Institutions should strive to incrementally and sustainably achieve a mature risk management regime in order to optimise the benefits of risk management.
(3) Institutions should periodically evaluate the value add of risk management by measuring outcomes against pre-set key performance indicators aligned to the overall goals and objectives of the Institution.
(4) Institutions should utilise the Financial Management Maturity Capability Model developed by the National Treasury to evaluate their current and progressive risk management maturity.
41. Performance Indicators
(1) Everyone in the Institution has a part to play in achieving and sustaining a vibrant system of risk management and to that extent must function within a framework of responsibilities and performance indicators.
(2) The Accounting Officer should evaluate his/her own performance in leading the risk management process in the Institution through the following and other relevant indicators:
a) the risk management maturity trend as measured in terms of an appropriate index such as the Financial Capability Maturity Model;
b) the Institution's performance against key performance indicators and targets, including comparison of year-on-year performance;
c) percentage change in unauthorised expenditure, fruitless and wasteful expenditure and irregular expenditure based on year-on-year comparisons;
d) percentage change in fraud and corruption based on year-on-year comparisons;
e) percentage change in incidents based on year-on-year comparisons, and
f) comparison of year-on-year outcomes of regularity and performance audits.
(3) Insofar as it concerns the responsibilities of the Audit Committee for risk management, the Accounting Officer should evaluate the performance of the Committee through the following and other relevant indicators:
a) the Auditor-General’s report on the effectiveness of the Audit Committee;
b) the results of the Audit Committee’s own 360-degree assessment;
c) the Committee’s co-ordination of combined assurance, and
d) the quality and timeliness of the Audit Committee’s counsel and recommendations on matters concerning the system of risk management.
(4) The Accounting Officer should evaluate the performance of the Risk Management Committee through the following and other relevant indicators:
a) the results of the Risk Management Committee’s own 360-degree assessment;
b) the pace and quality of the implementation of the risk management framework;
c) the Internal Audit report on the state of risk management;
d) the Auditor-General’s report on the effectiveness of the Risk Management Committee, and
e) the quality and timeliness of the Risk Management Committee’s counsel and recommendations.
(5) The Accounting Officer, in consultation with the Risk Management Committee, should evaluate the performance of the Chief Risk Officer through the following and other relevant indicators:
a) development and implementation of the risk management policy, strategy and implementation plan;
b) the Institution’s collective awareness, skill and participation in risk management;
c) risk management maturity;
d) quality and timeliness of support to Management, other officials and the Risk Management Committee, and
e) quality and timeliness of risk intelligence.
(6) The Accounting Officer should evaluate the performance of Management through the following and other relevant indicators:
a) business unit performance against key indicators, including comparison of year-on-year performance;
b) implementation of risk management action plans;
c) co-operation with the Risk Management Unit, Risk Management Committee, Risk Champion and relevant stakeholders involved in risk management;
d) quality and timeliness of risk identification, assessment and reporting;
e) proactive identification of new and emerging risks;
f) year-on-year reduction in adverse incidents and losses;
g) elimination of unauthorised expenditure, fruitless and wasteful expenditure and irregular expenditure;
h) reduction in fraud, and
i) progress in securing improved Internal Audit and Auditor-General outcomes in regularity and performance audits.
(8) Insofar as it concerns the responsibilities of Internal Auditing for risk management, the Accounting Officer should evaluate the performance of Internal Auditing through the following and other relevant indicators:
a) timeliness and quality of assurance on risk management;
b) timeliness and quality of recommendations to improve risk management, and
c) adoption of risk-based auditing.
(9) Management should evaluate the performance of their staff through the following and other relevant indicators:
a) implementation of risk management action plans.