Guidelines for Risk Owners 2022

1. Purpose

The purpose of this guideline is to assist Risk Owners in discharging their responsibilities.

2. Who is a Risk Owner? 

A Risk Owner is defined as: “The person accountable for ensuring risk is managed appropriately.” A programme is a management unit established within a department and is responsible for the delivery of clearly defined objectives based on the department’s legislative and other mandates. A Programme Manager is the person who is accountable for the performance of a programme, and by implication, for the risks that may impede that programme’s performance. Risk ownership follows from the notion that the person who owns the objective owns the risks linked to it. Thus, the Programme Manager is also the Risk Owner for the programme.

It is important to appreciate another fundamental tenet of risk management when considering risk ownership. This tenet states that a risk must be managed by the person best placed to manage it. It is assumed that this person is duly competent in the following respects:

  • possessing a profound understanding of the programme’s performance targets,
  • understanding what risks and assumptions are factored into the setting of performance targets,
  • understanding what events and causes of risks will have a meaningful impact on performance, thus deserving attention, and
  • having the tactical experience and expertise to de-risk performance and deliver on these targets.

It is also assumed that in addition to the embodiment of tactical nous, the Risk Owner is authorised to control the human, financial and other resources to manage risk.

3. Rationale for having a Risk Owner 

The formal assignment of a Risk Owner for a risk aims to make certain that someone will actually ensure that the risk is managed. It signals that the management of the risk ought to be integrated into and become an organic part of the Risk Owner’s responsibilities. This is an important step in preventing a situation where a risk may not be given the full attention it deserves. It also guards against a situation where “everyone but no one” is accountable, causing risks to fall through the cracks.

4. Modality and supporting roles

Risk Owners assume ownership of the full risk management process in the programme, across every stage of identifying, assessing, evaluating, mitigating, monitoring and reporting on risks.

The Risk Owner should understand that managing risk is an organic part of his/her job and goes hand in glove with managing performance. Obviously, the Risk Owner cannot do it all by him/herself, which then necessitates a division of responsibilities. In reality, multiple participants will support the Risk Owner in executing his/her risk ownership role.

The Risk Owner may appoint a Risk Co-ordinator to handle the day-to-day matters of risk management in the programme and report back on those matters that require his/her personal attention, e.g., approving the risk register, intervening to unblock stalled progress of risk mitigation plans, considering emerging risks, and so on.  

The Risk Owner may sub-delegate responsibility for certain risks to people who are at the coal face. The Guidelines on Budget Programmes issued by the National Treasury states that “the job descriptions of programme managers should specify the extent to which the responsibility and accountability for service delivery and performance may be delegated either within a programme or to the sub-programme manager. In either case such delegation does not limit or diminish the responsibility and accountability of the Programme Manager.” 

Based on the previously mentioned tenet which states that the responsibility for managing risk should be with the person best placed to manage it, the responsibility for managing risks will also accompany the delegation for managing performance. The person to whom a responsibility is delegated is also responsible for managing the attendant risks. As can be seen from The Guidelines on Budget Programmes, the accountability for performance remains with the Programme Manager. By implication, ownership of the attendant risks also remains with the Programme Manager – thus he/she also remains the Risk Owner.    

In some instances, neither the Risk Owner nor his/her delegatees may have the skill or capacity to manage particular risks. For example, security of a vital IT system used by a programme may present a high risk. In such an instance the Risk Owner will co-opt someone from outside the programme, in this case the IT Unit, to assist him/her with managing the risk. The Risk Owner would agree on specific actions with the IT Unit to ensure that the risk is managed, but remains accountable because the risk has a direct impact on the performance that he/she is accountable for.

5. Legal mandate 

Risk Owners are bound by the legislation applicable to "Other Officials", as set out in:
  • Section 45 of the Public Finance Management Act, for:
      o National Departments
      o Constitutional Institutions
      o Provincial Departments
  • Section 57 of the Public Finance Management Act, for:
      o Public Entities
      o Provincial Public Entities


6. Strategic value of the Risk Owner 

The Risk Owner is the most influential person in the risk management process for his/her programme. He/she embodies the expertise, knowledge and leadership qualities to understand and manage the duality of risk and performance for the programme. The Risk Owner controls the authority as well as human, financial and other resources to harness the benefits of effective risk management. In terms of integrating and aligning the programme within the broader Institution, the Risk Owner is the programme’s nodal point at EXCO level, risk committee, audit committee and other committees or fora where issues of risk are deliberated.

7. High level responsibilities of the Risk Owner

  i. Ensure that the programme risks are identified, assessed, evaluated, managed and monitored as per the institution’s risk management framework.
  ii. Monitor the execution of the delegated activities linked to the management of the programme’s risks.
  iii. Ensure that the programme’s risks are accurately described and rated in the institution’s risk register.
  iv. Approve action plans to manage risk while ensuring that the plan incorporates valid inputs of EXCO, Risk Committee, Audit Committee and the Risk Management Unit.
  v. Give personal attention to developing the programme’s risk appetite and tolerance level.
  vi. Ensure that risk management is integrated into the operations of the programme.
  vii. Ensure that risk management reports are provided to the Risk Management Unit, EXCO, Risk Committee, Audit Committee and others as per their requirements and timeframes.
  viii. Ensure that the internal and external environments are continuously scanned for emerging risks and opportunities.
  ix. Where multiple participants are needed to work in concert to manage programme risks, ensure effective co-ordination of these participants.
  x. Provide guidance and support to manage "problematic" risks and risks of a transversal nature that require a multiple participant approach.
  xi. Ultimately, in respect of the programme, do anything further that is necessary to ensure that:
      a) key risks are identified.
      b) credible measures to mitigate identified risks are put in place.
      c) objectives are achieved effectively, efficiently, transparently and economically.


8. Competencies of the Risk Owner

In order to be competent in the role, the Risk Owner should possess:
  • A profound understanding of the programme’s strategic and performance objectives, key performance areas and key performance indicators.
  • A profound understanding of the nexus between risk and performance, as well as being able to isolate and manage risks that may present a meaningful hindrance to performance.
  • A good understanding of the institution’s risk management framework and process.
  • Good analytical skills to assist with the identification, analysis and evaluation of risks.
  • Expert power.
  • Strong leadership and motivational qualities, and
  • Good communication skills.


9. Evaluation 

High level performance indicators for the Risk Owner could include:
  • Success rate in achieving performance targets. 
  • Attendance and participation in the Risk Committee.
  • Timeliness and quality of risk registers submitted to the Risk Management Unit.
  • Internal Audit and Auditor-General’s findings on risk management in the programme.

© Maintained by the National Treasury. All Rights Reserved.