Guidelines for Accounting Officers

1.       Purpose

This guidance document forms a sub-set of the Public Sector Risk Management Framework (Framework). It expands on chapter 11 of the Framework and is intended to assist Accounting Officers in discharging their responsibilities for risk management[1].

2.       Legal mandate and additional sources of reference for risk management  

2.1. Legal mandate

The following instruments provide the legal foundation for the Accounting Officer's responsibility for risk management:

Section 38(1)(a)(i) of the Public Finance Management Act:

The accounting officer for a department, trading entity or constitutional institution —

(a) must ensure that that department, trading entity or constitutional institution has and maintains —

(i) effective, efficient and transparent systems of financial and risk management and internal control.

Treasury regulation 3.2.1:

The accounting officer must ensure that a risk assessment is conducted regularly to identify emerging risks of the institution. A risk management strategy, which must include a fraud prevention plan, must be used to direct internal audit effort and priority, and to determine the skills required of managers and staff to improve controls and to manage these risks. The strategy must be clearly communicated to all officials to ensure that the risk management strategy is incorporated into the language and culture of the institution.

2.2. Additional References

Further guidance can be drawn from the following:

Paragraph of the Revised Framework for Strategic Plans and Annual Performance Plans, issued by the Department of Performance Monitoring and Evaluation:

The strategic plan must include a summary of key risks which may affect achievement of the identified outcomes and must describe measures which will be taken to mitigate these risks.

King Report on Corporate Governance (King IV).

3.       Role of the Accounting Officer in the risk management process

The Accounting Officer is deemed to be the ultimate Chief Risk Officer of the institution, responsible for steering the institution through a myriad of risks[2] to accomplish institutional objectives and optimise value for citizens.

The Accounting Officer should harness whole-of-institution support and participation, as well as the specialised support and counsel of the Risk Committee and the Audit Committee (or the combined Audit and Risk Committee where it is one committee), to discharge his/her functions. This collective, organised effort should result in a system of risk management that is responsive to the Institution's drive for efficient, effective, economic and transparent use of resources to achieve pre-determined objectives. Thus the Accounting Officer is responsible for risk management not merely as a compliance exercise but as a useful tool to support strategic and tactical decision making, appraising choices, evaluating alternatives and extracting sound judgement, in realisation of:

  1. sustainable and reliable delivery of services;
  2. informed decisions underpinned by appropriate rigour and analysis;
  3. innovation;
  4. prevention of fraud and corruption;
  5. better value for money through more efficient use of resources and reduction of waste; and
  6. better outputs and outcomes through improved project and programme management.

4.       Fundamental responsibilities of the Accounting Officer

Responsibilities of the Accounting Officer in regard to the above include:

4.1  Embedding an appropriate risk management culture

The fundamental importance of risk culture (a sub-set of the institutional culture) to successful risk management cannot be over-emphasised. Key actions by the Accounting Officer to build and sustain an appropriate risk culture include:

  • communicating the values and behaviours that support appropriate risk culture, and the expectation of commitment thereto across the Institution;
  • being conscious of own behaviour when dealing with risk sensitive issues and leading by example;
  • holding management accountable for designing, implementing, monitoring and integrating risk management into their day-to-day activities, using job descriptions, performance agreements, operational plans and other appropriate tools to enforce accountability;
  • placing the main/priority risks at the top of the management agenda and devoting personal attention to overseeing management of problematic risks;
  • ensuring appropriate and timely action in respect of the recommendations of the audit committee, internal audit, external audit and risk management committee to improve risk management; and
  • responding to legitimate risk issues raised by external control actors (parliament, civil society, media, regulatory authorities and others).

4.2  Demonstrating risk leadership

The Accounting Officer should exemplify the correct tone by driving and being seen to drive the Institution's risk management efforts. This objective can be enhanced through:

  • sharing risk insights, especially insights which may not be easily obtained by others, such as those acquired through engagements with politicians, parliament, key service providers, regulatory authorities, peer institutions, the extended organisation, major clients, etc.;
  • guiding and supporting management and internal structures responsible for various aspects of risk management to perform at a high level;
  • devoting personal attention to ensure effective management of key/priority risks;
  • stepping in to offer support and guidance for managing risks that management may be finding difficult to deal with;
  • accommodating rapid escalations for risk issues demanding urgent attention;
  • holding structures such as the risk committee, audit committee, fraud prevention committee etc. accountable for their performance;
  • demanding, facilitating and supporting institutional collaboration in managing risks (combined assurance); and
  • being calm and unwavering in making tough decisions and being able to articulately defend such decisions.

4.3  Setting up and maintaining an appropriate risk architecture

Risk management delivers the best outcomes when it is a systematic process, executed using proven methodologies, tools and techniques, and fits near-seamlessly into the Institution's routine functioning. Therefore, a critical task of the Accounting Officer is to "right fit" and resource the Institution to handle the complexities and nuances of managing risks. The following actions are essential for this responsibility:

  • establishing the Institution's overall approach to risk management and codifying an appropriate risk management framework;
  • ensuring appropriate allocation of resources, which include, but are not limited to, finance, people, skills, experience and competence;
  • establishing effective internal structures and reporting lines for risk management;
  • designating an individual as the Chief Risk Officer; and
  • ensuring development and implementation of the enabling documents mentioned below.

4.4  Approving enabling documents

The following documents are needed to communicate the Institution's intent, establish the context for risk management and provide operational instructions and guidance. The Accounting Officer should ensure timely approval of these documents, as well as any amendments:

  • risk management policy statement expressing the Institution's commitment to risk management;
  • risk management framework;
  • risk management strategy and implementation plan;
  • fraud prevention policy, strategy and implementation plan; and
  • risk appetite and tolerance framework.

4.5  Assigning responsibilities and maintaining appropriate internal structures

Responsibility for risk management should vest at all levels of the Institution. The Accounting Officer should delegate responsibilities to ensure the broadest possible breadth and depth of risk coverage given existing resources. At least the following functions and responsibilities should be in place:

Chief Risk Officer (CRO)

  • the CRO should be the most senior official of the risk management function, which provides risk management services to the whole Institution;
  • the risk management function under the guidance of CRO is responsible for the Institution's risk policy and framework, provision of technical guidance and support across the Institution and the central co-ordination of risk management for the Institution at large;
  • the position of the CRO should afford sufficient "power of office" and influence in decision-making and, if not reporting directly to the Accounting Officer, should report at a level that allows for the exercise of influence and gravitas; and
  • the CRO should have a dotted reporting line to the Risk Management Committee.

Risk Management Function

Under the supervision of the CRO, the risk management function should:

  • develop the Institution's risk management framework;
  • own the institutional risk register;
  • co-ordinate risk management activities for the purposes of maintaining the institutional risk register;
  • co-ordinate institutional risk reporting;
  • render technical support and guidance to line functions; and
  • collaborate with other functions to enable combined assurance.

Risk Owners

  • these are senior management level staff who are accountable for particular outcomes and are therefore also accountable for managing the risks to those outcomes;
  • risk owners should drive the integration of risk management in their day-to-day activities through embedding risk surveillance, assessment, evaluation and monitoring in their internal control processes;
  • risk owners may sub-delegate risk management responsibilities to their staff;
  • risk owners also leverage the capacity and expertise of relevant corporate support functions and other business units to manage risks which their own business units cannot fully manage; and
  • in the abovementioned instance the arrangement is best captured and formalised through service level agreements; however, the overriding principle is that the risk owner remains accountable for the risk, since it is his/her outcome that is affected by the risk.

Risk Champions

  • a risk champion is the accountable person for a specific category of risk at a strategic level (aggregate or portfolio level), given his/her expertise, knowledge and leadership qualities in that particular area;
  • a risk champion may support risk owners to manage risks, e.g. the head of ICT may assist line managers (risk owners) to manage ICT risks, the CFO may assist line functions to manage financial risks, and the Head of Human Resources may do the same for people risk in line functions, without assuming accountability for these risks at the line function level; and
  • the risk champion may go beyond the normal support routines and take more decisive steps to tackle poorly managed risks at the line function level when these pose a significant threat to the risk portfolio.

Risk Co-ordinators

  • risk co-ordinators support risk owners by facilitating risk management and reporting activities;
  • risk co-ordinators also liaise with the corporate risk function under the supervision of the risk owner for exchange of information, submission of risk reports and other responsibilities; and
  • while the appointment of risk co-ordinators is the responsibility of risk owners, the Accounting Officer may offer guidance and support in that regard.

Internal Audit

The Internal Audit function is a useful resource to the Accounting Officer for independent, objective assurance on the effectiveness of the Institution's system of risk management and recommendations to address identified deficiencies. Internal audit may also perform advisory and consulting roles concerning risk management matters.

Internal Audit is required in terms of the Treasury Regulations to develop its internal audit plan on the basis of the key risk areas of the Institution. This presents an ideal opportunity for the Accounting Officer to influence the internal audit plan and thereby receive valuable input from Internal Audit regarding whether, based on their professional judgement:

  • the risk management policy, risk management strategy, fraud prevention plan, risk management reporting lines and risk culture are appropriate and having the desired impact;
  • significant risks are identified and assessed;
  • management actions are appropriate to limit risk to an acceptable level;
  • relevant risk information is captured and communicated in a timely manner to enable the Accounting Officer, management, officials, risk management committee and audit committee to be effective in discharging their respective risk management responsibilities;
  • risk appetite and tolerance parameters are reasonable, being adhered to and having the desired impact; and
  • the design and functioning of the control environment, information and communication systems and the monitoring systems are adequate and effective to address the main risks.

In instances where Internal Audit has to assume risk management functions, the Accounting Officer should protect the independence and objectivity of Internal Audit by ensuring that it does not assume responsibilities reserved for management. Internal Audit may:

  • assist with developing the risk management policy, strategy and implementation plan, without taking ownership;
  • co-ordinate risk management activities;
  • facilitate identification and assessment of risks;
  • recommend risk treatment; and
  • develop and disseminate risk reports.

4.6  Establishing risk oversight

Risk oversight is a vital part of a robust system of risk management. The oversight process enables the Accounting Officer to make better decisions to steer organisational performance, mitigate risks and accomplish strategic objectives. In this way risk oversight is an important contributor not only to the effectiveness of the Institution, but also to the effectiveness of the Accounting Officer as a leader.

The PFMA mandates the establishment of the Audit Committee, while the Public Sector Risk Management Framework recommends the establishment of a Risk Management Committee, as well as the adoption of a combined assurance process.

Risk Management Committee (RMC)

The key service the RMC provides to the Accounting Officer is overseeing the system of risk management, part of which involves evaluating and monitoring the Institution's risk performance. Integral to the RMC's responsibilities is reviewing and recommending for approval the Institution's ERM objectives, strategy and policy, and monitoring the risk management process at strategic, management and operational levels.

Critical factors to be considered by the Accounting Officer in establishing the RMC are:

  • membership should comprise both management and external members with the necessary blend of skills, competencies and attributes;
  • key skills, knowledge and competence required are:
      • a good understanding of the Institution's mandate and operations, as well as the political, economic, social, technological and regulatory milieu within which it functions;
      • the ability to act independently and objectively; and
      • a thorough knowledge of risk management principles and their practical application;
  • an external person (not in the employ of the Institution) and having no vested interests should be the chairperson; and
  • the delegated authority of the committee should be codified in terms of reference and should include:
      • reviewing and recommending for the approval of the Accounting Officer the:
          1. risk management policy;
          2. risk management framework;
          3. risk management strategy and implementation plan; and
          4. risk appetite and tolerance parameters;
      • evaluating the extent and effectiveness of integration of risk management within the Institution;
      • assessing implementation of the risk management strategy and implementation plan;
      • collaborating with the Audit Committee and other participants in the combined assurance process to exchange risk information;
      • providing timely and useful reports to the Accounting Officer on the state of risk management, especially the management of top/priority risks, with recommendations to address any identified deficiencies;
      • proposing the establishment of risk management sub-committees where justified, for example where the scale, complexity or geographical dispersion of activities would make the Risk Management Committee more effective working through sub-committees;
      • reviewing risk findings and recommendations by assurance providers and external control actors (parliament, regulatory authorities, media, professional bodies, etc.) and recommending appropriate responses and action plans;
      • assisting the Accounting Officer with preparing regulatory disclosures concerning risk and risk management; and
      • developing its own key performance indicators for approval by the Accounting Officer.

Audit Committee

The Audit Committee is a prescribed committee in terms of the PFMA. It reports to the Accounting Officer and is charged with the independent and objective oversight of the Institution's control, governance and risk management. Stakeholders perceive the Audit Committee as the most credible commentator on an Institution's risks and its system of risk management as a whole.

Given its prominent role conferred by the PFMA and the included risk management oversight mandate, the Accounting Officer should expect the Audit Committee to provide vital insights and counsel in matters concerning individual risks, components of the system of risk management and the system as a whole.

The Accounting Officer should ensure that the following are covered in the Audit Committee's charter insofar as it concerns the committee's oversight responsibility for risk management:

  • the Audit Committee should provide an independent and objective view of the Institution's risk management effectiveness;
  • where there is a separate Risk Management Committee, the responsibilities of the Audit Committee should include:
      • providing regular feedback to the Accounting Officer on the adequacy and effectiveness of the system of risk management (of which the Risk Management Committee is part), including recommendations for improvement;
      • ensuring that the internal and external audit plans are aligned to the risk profile of the Institution, and especially that they sufficiently cover:

        (i)    financial reporting risks, including the risk of fraud;

        (ii)   internal financial controls; and

        (iii)  IT risks as they relate to financial reporting;

      • reviewing and recommending risk management disclosures for the annual report and financial statements;
  • the Audit Committee should evaluate the effectiveness of Internal Audit in its responsibilities for risk management; and
  • where there is no Risk Management Committee, the responsibilities of the Audit Committee for risk management should be the same as those of the Risk Management Committee (as described above) and should be included in the audit committee charter.

Combined assurance

The Accounting Officer should implement combined assurance to obtain an increased level of assurance on how the key/priority risks are being managed. It is presumed that the quality of risk information improves incrementally as it is processed through the various lines of defence in the combined assurance model, resulting in a more holistic view of the Institution's risk profile and related issues.

The Accounting Officer should ensure:

  • a combined assurance model is adopted;
  • the ERM system is sufficiently robust and provides useful information input into the combined assurance process;
  • key/priority risks are identified and are the main focus of the combined assurance process;
  • specific responsibilities are assigned to the different levels of defence, i.e., management level (1st level of defence[3]), internal assurance providers (2nd level of defence[4]) and external assurance providers (3rd level of defence[5]), avoiding duplication and optimising the relative advantage of each defence;
  • where uncertainty exists regarding the most appropriate assurance provider, the Accounting Officer shall decide, having duly considered the inputs of the Audit Committee and Risk Committee;
  • where the Auditor-General is identified as the assurance provider, the Accounting Officer should inform them of this to determine whether or not it is acceptable to them;
  • in light of the as yet unsettled global debate as to whether the co-ordination of combined assurance should sit with the Internal Audit or the Risk Management function, the Accounting Officer should make a determination pursuant to consultations with the Audit Committee and Risk Committee, while also considering the Institution's operational issues and unique circumstances; and
  • considering the similar ongoing debate on whether the Audit Committee or the Risk Management Committee should be responsible for overseeing combined assurance, it is recommended that the Accounting Officer deal with this question in the same way.

5.       Monitoring and Evaluation

The Accounting Officer should adopt and monitor appropriate metrics to assess the effectiveness of risk management. Possible metrics include:

  • maturity level of risk management measured in terms of a credible model[6];
  • the Institution's performance against pre-determined objectives (year-on-year performance and multi-year performance trends);
  • change in incidents of fraud and corruption (year-on-year and multi-year trends);
  • operational losses (year-on-year losses and multi-year trends); and
  • Auditor-General findings, for regularity, performance and compliance audits (year-on-year outcomes and multi-year trends).

[1] Risk management is a systematic and formalised process to identify, assess, manage and monitor risks to improve the Institution's prospects of accomplishing its key objectives. The Public Sector Risk Management Framework advocates Enterprise Risk Management (ERM) for this purpose. ERM is a formal, systematic and inclusive process, which uses the Institution's strategy and objectives as the focal point to identify, assess, manage and monitor risks to enhance the prospects of accomplishing strategy and objectives.

[2] Risks are unwanted outcomes to the Institution's service delivery and other performance objectives. Risks are caused by the presence of risk factors. Some risk factors also present upside potential and opportunities for better outcomes. The definition of "risk" is expanded to encompass missing out on such opportunities.

[3] Management (risk owners), who are accountable for managing the risks affecting their assigned objectives.

[4] Internal assurance providers not directly responsible for managing risks but providing an internal oversight function, e.g. Performance Monitoring and Evaluation, Risk Management, Compliance, Finance Committee, ICT Committee, Human Resources Committee, etc.

[5] Internal Audit, as well as external assurance providers that provide independent, objective assurance, e.g. the Auditor-General and the State Security Agency.

[6] The National Treasury has developed a risk maturity model which is available to all public institutions.

© Maintained by the National Treasury. All Rights Reserved.