
Securing Management's Support for Effective Risk Management

1.    Purpose


The purpose of this document is to provide guidance to Chief Risk Officers (CROs) in securing the support and commitment of management[1] in enhancing the impact of risk management. It is a supplement to the Public Sector Risk Management Framework (PSRMF or Framework). Its need stems from the observation that management, while being the backbone of the system of risk management, often underplay their role. This tendency undermines the foundation of risk management and is one of the main reasons why this important institutional discipline underperforms its potential to produce value for the institution.

2.    Background


Section 38(1)(a)(i) of the Public Finance Management Act No 1 of 1999 (PFMA) enjoins the Accounting Officer (AO)[2] to ensure that the department, trading entity or constitutional institution has and maintains effective, efficient, and transparent systems of financial and risk management and internal control. While the AO can be seen as the Institution's ultimate CRO, he/she relies extensively on four critical functionaries to successfully fulfil this role:

  • the management group who own the risks within their designated responsibilities and manage these risks at their source,
  • the risk management function (led by the CRO) which spearheads the establishment of the institution's risk management framework, provides technical support for its implementation, as well as co-ordinates and reports on the overall institutional risk management process,
  • the risk management committee which provides oversight of risk management, is a critical advisor to, and sounding board of the AO on all matters concerning risk and risk management; and
  • the audit committee which provides an additional layer of risk oversight and counsel.

Since the effectiveness of risk management hinges on the full and effective participation of the abovementioned functionaries, it is important that they should fully understand and execute their roles and responsibilities accordingly. Failure by just one group may introduce fundamental weaknesses that can cause sub-optimal outcomes of the risk management effort.

While it has been observed that all these functionaries exhibit some or other weaknesses, these are most pronounced within the management group. This can be attributed to administrative issues as well as cultural factors that negatively affect management's interaction with the system of risk management.

3.    Causes of sub-optimal management participation  


The key management responsibilities for risk management are extracted from the Framework and set out in Annexure A. Failure by management to execute any of these functions, as well as any others delegated by the AO may constitute sub-optimal support and affect the efficacy of the system of risk management.

When confronted with the challenge of inadequate management support, the CRO must first establish why the required level of support is not forthcoming. Remedial measures should then be designed to address these issues. While there might be several idiosyncratic ones, the main reasons in no particular order of importance could be summarised as follows:

3.1. Lack of Understanding

       Management might not fully understand the importance of risk management, especially their pivotal role within it. They most likely perceive risk management as the responsibility of the CRO and the risk management team. They may be content with the level of internal controls and performance within their operational responsibilities and do not see the need for further involvement in the broader risk management process of the institution. This mindset exemplifies silo risk management which causes them to neglect their part in the collective management responsibility for institution-wide risk management.  

3.2. Fear of complexity

       Certain aspects of risk management can be complex, involving various processes, tools, and methodologies. If management finds these aspects challenging to understand or implement, they might be inclined to underplay their role.

3.3. Time and Resource Constraints

       Management has numerous responsibilities, and risk management might not be seen as a priority. If resources are limited, management might focus on areas they perceive as more immediately beneficial to the institution.

3.4. Resistance to Change

       Implementing effective risk management often requires changes to existing processes and structures. Management might resist these changes due to fear of disruption or uncertainty.

3.5. Lack of Accountability

       If there's no clear and officially communicated accountability for risk management, management might feel it's not their responsibility.

3.6. Lack of measurable improvements

       After investing time and effort in risk management activities, management may become disillusioned if they do not see any discernible improvements.

3.7. Conflicting interests

       While it is expected that everyone in the institution should act in common purpose to improve the institution's prospects of achieving its constitutional outcomes, the unfortunate reality is that some individuals may prioritise their personal and vested interests instead. For these individuals, risk management is actually a hindrance; thus they are likely to show minimal interest, if not actually use their influence to undermine it.

3.8. Under-emphasis of risk management in strategic planning and execution

       A significant opportunity to embed risk management in the institution and elevate accountability is lost if inadequate attention is paid to risk management at the strategic planning level. At this level it is expected that the institutional leadership should incorporate risk management data in their analysis and decision-making. The understanding of the risks and opportunities obtained through this process should highlight the need for, as well as responsibilities for, their mitigation at the operational level, to enhance the prospects of successful strategic outcomes.

3.9. Lack of confidence in the risk management function

       Management may not be convinced that the risk management function fully understands the inherent complexities and challenges of their work. This could create doubts about the ability of the risk management function to provide effective support and advice. This negative view may be exacerbated if management perceives the risk management function as being unprofessional, overly focused on compliance, or lacking drive and vision.

4.    Actions the CRO can take to address sub-optimal management participation


The Chief Risk Officer (CRO) has a pivotal role in influencing and assisting management to overcome the issues that cause their sub-optimal engagement and support. It is worth referring to Annexure B, which sets out the typical functions of a CRO and Annexure C, which sets out the desired attributes of a CRO to appreciate the vital task the CRO has and what equips him or her to undertake such task.  It is also important to bear in mind that the effectiveness of a CRO in influencing and motivating management is largely dependent on the depth and extent of the relationship the CRO has with management. A strong relationship takes years of building and nurturing.

The issues highlighted in paragraph 3 signal the importance of the risk management function being well-capacitated to handle the complexities of risk management in the dynamic institutional environment, maintain a professional approach at all times and balance compliance with strategic vision to win the respect and trust of management, and use that as a platform to harmonise their efforts to effectively mitigate risks within the organization.

These are some of the actions that CROs could take:

4.1. Inform, advocate and educate

       This is one of the absolute key responsibilities of the CRO and is elucidated in paragraph 10(2) of the PSRMF, which states that all employees should be sensitised to the importance risk management has to the achievement of their individual performance objectives as well as the overall institutional objectives, and paragraph 10(3), which states that all employees should be equipped to optimally execute their risk management responsibilities through training and development opportunities.

       With the exception of those just recently employed, there should be no reason why management are not aware of why the institution has adopted a formalised risk management framework, its anticipated benefits to their work and to the institution as a whole, and their specific roles in the process. In other words, they should be fully au fait with the risk management framework.

       The CRO should conduct workshops, seminars and training sessions to sensitise management to these fundamentals and their role in it. Management must find the content and messaging relatable; thus the CRO must be conscious of avoiding theory and jargon to the extent possible, instead using practical case studies and real-life examples to drive the message home. The CRO should solicit the AO's support as a nudge strategy to get management to attend and participate in these activities, and have ongoing sessions that cover new topics and refresh the important ones from past sessions.

4.2. Keeping risk management simple

       The CRO should aim to make the risk management process as straightforward as possible to avoid intimidating management. This could involve:

  • replacing technical risk jargon with equivalent language that is already being used in the institution, to make risk management concepts more accessible and relatable;
  • instead of introducing additional tools, rather adapt existing ones that management is already familiar with to gather necessary risk information, and
  • producing risk reports that are easy to understand and resonate with the institution's objectives, performance metrics and other issues that are important to management.

       One of the strongest signals of simplicity is a risk management framework that is tailored to the actual realities of the institution. Such a framework incorporates the institution's own language and processes, making it distinct from generic frameworks and setting it apart from those developed by other institutions.

The fundamental goal is to make risk management an integral part of the institution's culture, rather than an add-on. By keeping it simple and relevant, the CRO can help ensure that management is engaged and supportive of the risk management effort.

4.3. Assist management with freeing up time and resources

       The CRO should attempt to demonstrate how giving attention to risk management can save time and resources in the long run while preventing unwanted possibilities. Furthermore, keeping the requirements from management as simple as possible, as indicated above, could be helpful. As discussions around risks take up most of management time, doing prior research and analysis and presenting these for discussion with management would not only relieve management of the associated pressures but would also improve the quality of risk information.

4.4. Minimise resistance to change

       This is a challenging task that invariably tests a fundamental capability of CROs to the fullest: the ability to advise and motivate others, including those in more senior positions. This involves encouraging management to embrace new ideas and approaches, viewing change as a positive opportunity rather than a threat. To succeed, the CRO could present a scenario that illustrates the 'before' and 'after' states related to the changes being proposed, providing evidence that the benefits of the 'after' state outweigh those of the 'before' state. That would be a better motivator than relying on generic statements like "it is a risk management best practice", "we need to comply" or "that's how it's done".

4.5. Establish, document and remind management of their accountability

       It is presumed that the CRO has fulfilled the requirement to inform, advocate and educate, as mentioned previously. If, after taking all reasonable actions, the desired level of accountability remains elusive, the CRO should enlist the AO to communicate with the non-compliant managers about their accountability. Working with and through the risk committee, combined assurance committee and audit committee may also represent a successful strategy to overcome resistance to accountability.

       Moreover, it is crucial to reinforce formal accountability for risk management. This can be best achieved by immersing risk management as a normal part of management responsibilities and activities. The CRO must influence the modification of job descriptions, performance agreements and operational plans to this end.

4.6. Lack of measurable improvements

       It is natural for management to disengage from risk management if they can't see the corresponding benefits from their investment of time and resources. One of the main reasons for the lack of visible progress, and one that is often overlooked, is the likely disproportionate attention given to an area that's already reached a high level of risk maturity. Another reason is not focusing sufficiently on tackling the issues that would make the biggest impact.

       These scenarios require the CRO to maintain an optimum balance of risk effort and avoid a one-size-fits-all approach. This means that areas with higher risk should receive more attention than less risky ones. Misplaced risk effort can only be overcome by a collective effort by management and the risk team in the rigorous identification and analysis of risks and their underlying causes, strategic prioritisation of mitigation activities, and key performance indicators to measure success. These aspects need to be revisited if tangible results are not forthcoming, as part of a natural process of fine-tuning risk management.

4.7. Escalate concerns regarding conflicting interests professionally and promptly

       In instances where conflicts of interest exist, it is highly likely that no amount of advocacy, training, technical support and other known remedies within the CRO's influence will help the particular situation. The CRO must promptly communicate his/her concerns, with the relevant facts, to the AO, risk committee and audit committee, mindful of being especially tactical in demonstrating the potential adverse effects, including missed opportunities, if the situation is not addressed. Furthermore, the CRO must devise alternative procedures to obtain the risk intelligence that would have been forthcoming had the conflict not existed. There might even be a need to review, update and repeat the previously held institution-wide sessions for promoting an ethical culture. While it may be too late to reform those already conflicted, it may prevent others from becoming conflicted.

4.8. Providing risk data for strategic planning

       The CRO must be proactive in ensuring that risk management has prominence in the strategic planning agenda. While risk discussions often feature as part of the "threats" segment of the strategic planning programme, and there is a different segment for opportunities, this may be insufficient to fully interrogate all significant issues. It is therefore incumbent on the CRO to provide appropriate risk information and analysis as a way of both nudging and empowering the leadership to factor these in their planning. While it is desirable that the CRO should be invited to participate in the strategic planning discussions, if this is not the case, the CRO should communicate in advance the need for access (at least) to the part of the minutes that deal with risk discussions.

       The CRO's proactiveness should ensure that risk management becomes embedded in the strategic planning process and flows from there into operational management.

4.9. Lack of confidence in the risk management function

       Management is more likely to support a risk management function that not only contributes to institutional success but can also demonstrate it through credible key performance indicators, acts professionally, and complements their work rather than hindering it. A risk team that knows the ins and outs of the institution, understands management's challenges and frustrations and works around those, acknowledges good work, and can fulfil the role of a competent and trusted advisor will invariably find favour with management.

       The risk team is expected to subject the risk information provided by management to an appropriate level of professional scepticism and enquiry, bring their own skills and expertise to bear and thereby assist management to improve in areas that are found to be needing attention. That is an elementary value proposition of risk management and includes the expectation that the risk team is able to cite credible external information and produce its own analysis to assist management to manage their risks more efficiently.

       A risk team that merely collects information from management and essentially reproduces the same with little or no value add will quickly lose management's confidence as it betrays an inadequate understanding of the organisation, its environment and priorities, as well as the lack of technical skills, experience and dynamism.

       In the unfortunate event that the risk management function loses the confidence of management, it is crucial to rectify the situation as soon as possible. Assuming that the CRO is not part of the problem, he/she must get to the bottom of management's concerns and put together a plan to address the issues, solicit the support of the AO, risk committee and management for the plan, and provide them with regular updates on progress.  

       The more likely scenario is that the CRO is also part of the problem. In this case, the AO and risk committee must take ownership and act swiftly to drive the necessary changes to enhance the professionalism and competence of the risk management function and align its focus on the most important issues for the institution.

4.10.    Surveying the environment

       The CRO must assess the institution for forewarnings of anything, including the issues mentioned above, that may cause a lapse of management support for risk management. The CRO should "assess the mood" on an ongoing basis and engage those who might be affected in good time. This ought to be supplemented by a culture survey at appropriate intervals to understand whether the institutional environment effectively supports management to do their best risk management. The second important survey is a client survey which gauges how management perceives the risk management function itself. Burning issues flagged through these surveys should be addressed promptly before they descend to a state where management becomes disaffected.


Annexure A: Key management responsibilities for risk management

(Extract from the Public Sector Risk Management Framework)

(1)   Management is accountable to the Accounting Officer / Authority for designing, implementing and monitoring risk management, and integrating it into the day-to-day activities of the institution. As such, Management should ensure that it is satisfied with the management of risk and prevent risk management from becoming a series of activities that are detached from the realities of the Institution's business. Risk management, when integrated into the decision-making process, becomes a valuable strategic management tool for underpinning the efficacy of service delivery and value for money. Risk Management should be a standing agenda item in Management meetings.


(2)   High level responsibilities of Management should include:

    1. executing their responsibilities as set out in the risk management strategy;
    2. empowering officials to perform effectively in their risk management responsibilities through proper communication of responsibilities, comprehensive orientation and ongoing opportunities for skills development;
    3. aligning the functional risk management methodologies and processes with the Institutional process;
    4. devoting personal attention to overseeing the management of key risks within their area of responsibility;
    5. maintaining a co-operative relationship with the Risk Management Unit and Risk Champion;
    6. providing risk management reports;
    7. presenting to the Risk Management and Audit Committees as requested;
    8. maintaining the proper functioning of the control environment within their area of responsibility;
    9. monitoring risk management within their area of responsibility;
    10. holding officials accountable for their specific risk management responsibilities;
    11. maintaining the functional risk profile within the Institution's risk tolerance (ability to tolerate) and appetite (risk that it is willing to take);
    12. implementing the directives of the Accounting Officer / Authority concerning risk management;
    13. prioritizing and ranking risks in their area of responsibility to focus responses and interventions on risks outside the Institution's tolerance levels;
    14. benchmarking risk and risk mitigation activities;
    15. assessing the effectiveness of risk management within area of responsibility; and
    16. developing and implementing a fraud risk response plan.

Annexure B: Typical functions of a Chief Risk Officer

(Extract from the Public Sector Risk Management Framework)

(1) The primary responsibility of the Chief Risk Officer is to bring to bear his / her specialist expertise to assist the Institution to embed risk management and leverage its benefits to enhance performance.

(2) The high-level responsibilities of the Chief Risk Officer should include:

a)     working with Senior Management to develop the Institution's vision for risk management;

b)     developing, in consultation with management, the Institution's risk management framework incorporating, inter alia, the:

i.       risk management policy;

ii.      risk management strategy;

iii.    risk management implementation plan;

iv.    risk identification and assessment methodology;

v.     risk appetite and tolerance; and

vi.    risk classification.

c)     communicating the Institution's risk management framework to all stakeholders in the Institution and monitoring its implementation;

d)     facilitating orientation and training for the Risk Management Committee;

e)     training all stakeholders in their risk management functions; 

f)      continuously driving risk management to higher levels of maturity;

g)     assisting Management with risk identification, assessment and development of response strategies;

h)     monitoring the implementation of the response strategies;

i)       collating, aggregating, interpreting and analysing the results of risk assessments to extract risk intelligence;

j)       reporting risk intelligence to the Accounting Officer / Authority, Management and the Risk Management Committee; and

k)     participating with Internal Audit, Management and Auditor-General in developing the combined assurance plan for the Institution.

In addition to the abovementioned high-level responsibilities, the CRO needs to possess certain attributes to function effectively and efficiently.

Annexure C: Desired attributes of a Chief Risk Officer

(Extract from the Public Sector Risk Management Framework)

1. Qualifications

  • University degree in risk management and/or commerce, financial management or auditing (ideally also accompanied by a post-graduate qualification covering organisational strategy and operations).

2. Experience

  • Risk management experience (minimum of three years).
  • Experience in the rollout of a risk management methodology.
  • Experience in strategic and business planning and functioning at a senior management level.
  • Experience in developing and utilising risk management tools and techniques, high-level computer literacy and a good command of risk management software.

3. Capabilities

  • The ability to:
    • think and act strategically and provide counsel accordingly.
    • develop risk intelligence through effectively aggregating and interpreting significant amounts of data and information.
    • advise and motivate others, some of whom may be in more senior positions.
    • build effective relationships with various risk management-performing functions, such as the functions concerned with disaster management, business continuity, health and safety, insurance, compliance, fraud prevention and the like.
  • Excellent verbal, written and facilitation skills along with well-developed presentation skills.
  • The energy and drive to generate value for the Institution through the risk management function.
  • Strong managerial skills to effectively run the risk management unit.

4. Knowledge
  • Advanced knowledge and understanding of:
    • enterprise risk management (ERM)
    • corporate governance
    • internal control systems
    • monitoring and evaluation
    • strategic, operational and financial risk management

5. Behaviours
  • Energetic and self-driven
  • Results/output/outcomes and deadline driven
  • Leadership traits
  • Team orientated
  • Change orientated
  • Decision maker
  • Assertive and self-confident
  • Professional and confident
  • Good interpersonal skills
  • Good communicator


[1] "Management" means:

Collectively, all levels of management personnel and officials of the Institution responsible for planning, organising, leading and controlling institutional activities. In other words, everyone except the Chief Risk Officer, Chief Audit Executive and staff reporting to them, who are deemed to be independent of management in the exercise of their responsibilities for risk management.


[2] "Accounting Officer" means:

a)    In a Constitutional Institution: The Chief Executive Officer;

b)    In a National Department: The Director-General;

c)    In a Provincial Department: The Head of Department;



© Maintained by the National Treasury. All Rights Reserved.