Guidelines for Risk Owners 2022
1. Purpose
The purpose of this
guideline is to assist Risk Owners in discharging their responsibilities.
2. Who is a Risk Owner?
A Risk Owner is defined as:
“The person accountable for ensuring risk is managed appropriately.”
A programme is a management unit established within
a department and is responsible for the delivery of clearly defined objectives based
on the department’s legislative and other mandates. A Programme Manager is the
person who’s accountable for the performance of a programme, and by
implication, for the risks that may impede that programme’s performance. Risk
ownership follows from the notion that the person who owns the objective owns
the risks linked to it. Thus, the Programme Manager is also the Risk Owner for
the programme.
It is important to appreciate another fundamental
tenet of risk management when considering risk ownership. This tenet states that
a risk must be managed by the person best placed to manage it. It is assumed
that this person is duly competent regarding the following:
- possessing a profound understanding of the programme’s performance
targets,
- understanding what risks and assumptions are factored into the setting
of performance targets,
- understanding what events and causes of risks will have a meaningful
impact on performance, thus deserving attention, and
- tactical experience and expertise to de-risk performance and deliver on
these targets.
It is also assumed that in
addition to the embodiment of tactical nous, the Risk Owner is authorised to
control the human, financial and other resources to manage risk.
3. Rationale for having a Risk Owner
The formal assignment of a Risk Owner for a
risk aims to ensure that someone will actually see to it that the risk is managed.
It signals that the management of the risk ought to be integrated into and
become an organic part of the Risk Owner’s responsibilities. This is an
important step in preventing a situation where a risk may not be given the full
attention it deserves. It also guards against a situation where “everyone but
no one” is accountable, causing risks to fall through the cracks.
4. Modality and supporting roles
Risk Owners assume ownership of the full risk
management process in the programme, through every stage: identifying, assessing,
evaluating, mitigating, monitoring and reporting on risks.
The Risk Owner should understand that managing
risk is an organic part of his/her job and goes hand in glove with managing
performance. Obviously, the Risk Owner cannot do it all by him/herself, which then
necessitates a division of responsibilities. In reality, multiple participants will
support the Risk Owner in executing his/her risk ownership role.
The Risk Owner may appoint a Risk
Co-ordinator to handle the day-to-day matters of risk management in the programme
and report back on those matters that require his/her personal attention, e.g.,
approving the risk register, intervening to unblock stalled progress of risk
mitigation plans, considering emerging risks, and so on.
The Risk Owner may sub-delegate responsibility
for certain risks to people who are at the coal face. The Guidelines on Budget
Programmes issued by the National Treasury states that “the job descriptions
of programme managers should specify the extent to which the responsibility and
accountability for service delivery and performance may be delegated either
within a programme or to the sub-programme manager. In either case such
delegation does not limit or diminish the responsibility and accountability of
the Programme Manager.”
Based on the previously mentioned tenet which
states that the responsibility for managing risk should be with the person best
placed to manage it, the responsibility for managing risks will also accompany the
delegation for managing performance. The person to whom a responsibility is delegated
is also responsible for managing the attendant risks. As can be seen from The
Guidelines on Budget Programmes, the accountability for performance remains
with the Programme Manager. By implication, ownership of the attendant risks
also remains with the Programme Manager – thus he/she also remains the Risk Owner.
In some instances, neither the Risk Owner nor
his/her delegatees may have the skill or capacity to manage particular risks.
For example, security of a vital IT system used by a programme may present a
high risk. In such an instance the Risk Owner will co-opt someone from outside the
programme, in this case the IT Unit, to assist him/her with managing the risk.
The Risk Owner would agree on specific actions with the IT Unit to ensure that
the risk is managed but remains accountable because it has a direct impact on
the performance that he/she is accountable for.
5. Legal mandate
Risk Owners are bound by
the legislation applicable to "Other Officials", as set out in:
- Section 45 of the Public Finance Management Act, for -
  o National Departments
  o Constitutional Institutions
  o Provincial Departments
- Section 57 of the Public Finance Management Act, for -
  o Public Entities
  o Provincial Public Entities
6. Strategic value of the Risk Owner
The Risk Owner is the most influential
person in the risk management process for his/her programme. He/she embodies the
expertise, knowledge and leadership qualities to understand and manage the
duality of risk and performance for the programme. The Risk Owner controls the authority
as well as human, financial and other resources to harness the benefits of
effective risk management. In terms of integrating and aligning the programme
within the broader Institution, the Risk Owner is the programme’s nodal point at EXCO level, risk committee,
audit committee and other committees or fora where issues of risk are
deliberated.
7. High level responsibilities of the Risk Owner
i. Ensure that the programme risks are identified, assessed, evaluated,
managed and monitored as per the institution’s risk management framework.
ii. Monitor the execution of the delegated activities linked to the
management of the programme’s risks.
iii. Ensure that the programme’s risks are accurately described and rated in
the institution’s risk register.
iv. Approve action plans to manage risk while ensuring that the plan
incorporates valid inputs of EXCO, Risk Committee, Audit Committee and the Risk
Management Unit.
v. Give personal attention to developing the programme’s risk appetite and tolerance
level.
vi. Ensure that risk management is integrated into the operations of the programme.
vii. Ensure that risk management reports are provided to the Risk Management
Unit, EXCO, Risk Committee, Audit Committee and others as per their
requirements and timeframes.
viii. Ensure that the internal and external environments are continuously scanned
for emerging risks and opportunities.
ix. Where multiple participants are needed to work in concert to manage programme
risks, ensure effective co-ordination of these participants.
x. Provide guidance and support to manage "problematic" risks and
risks of a transversal nature that require a multiple participant approach.
xi. Ultimately, in respect of the programme, do anything further that is
necessary to ensure that:
  a) key risks are identified.
  b) credible measures to mitigate identified risks are put in place.
  c) objectives are achieved effectively, efficiently, transparently
  and economically.
8. Competencies of the Risk Owner
In order to be competent in the role, the Risk Owner
should possess:
- A profound understanding of the programme’s strategic and performance
objectives, key performance areas and key performance indicators.
- A profound understanding of the nexus between risk and performance, as
well as being able to isolate and manage risks that may present a meaningful hindrance
to performance.
- A good understanding of the institution’s risk management framework and process.
- Good analytical skills to assist with the identification, analysis and
evaluation of risks.
- Expert power.
- Strong leadership and motivational qualities, and
- Good communication skills.
9. Evaluation
High level performance
indicators for the Risk Owner could include:
- Success rate in achieving performance targets.
- Attendance and participation in the Risk Committee.
- Timeliness and quality of risk registers submitted to the Risk
Management Unit.
- Internal Audit and Auditor-General’s findings on risk management in the
programme.