ESTABLISHMENT OF A RISK MANAGEMENT FUNCTION

1. Problems identified to address significant risks. When looking holistically to the establishment of a risk management function the following common problems can be identified address risks in any organization: Lack of applying risk management in an integrated manner Lack of relevant legislation (risk management specific) Lack of training in risk management Lacks of practical techniques to take remedial action Absence of a risk sensitive organizational culture Lack of commitment and leadership (both political & managerial)

2. Risk Management and Public Administration To be affective, an integrated risk management process in any municipality should be aligned to the generic public management processes which are as follows: Policy making The policies that government develops and implements to achieve its objectives in the most beneficial manner. Policy making process should include the following activities: Initiation Agenda setting Processing the issue Considering the options Making the choices Publication Allocation of resources Implementation Adjudication Impact evaluation Feedback

should eliminate risks

Planning The steps that should be followed to achieve the objectives declared in the policy statement. Should indicate the risks that could disrupt the achievement of the objectives and must include the following: effective handling of change provision of direction/framework

opportunities for stakeholders to participate in the planning process facilitate control create high levels of predictability assessment of circumstance forecasting/determine alterative causes of action evaluation/selection of alternatives linking plans to budgets/programmes.

Embraces the forecasting of incidents and depends on certain presumptions and limitations. o Forecasting = Analysis of available and relevant information to forecast circumstances by analyzing this into mitigated risks. o Presumption= The risks that might influence the planning, it set parameters within which planning taking place i.e. the quality/quantity of scarce resources, attitude/skills of officials, management, stakeholders, etc.

Organising The implementation of a formalized and dynamic structure of roles and responsibilities in the organisation and should include: proper reflection of objectives and plans delegated authority to knowledgeable officials knowledge about environment which operate in clear deliverables expected from officials proper direction of behavior in a predetermined direction provision of officials in correct quantities and with relevant skills and qualities. Leadership and motivation

to guide subordinates to such on extant that they will perform optimally to achieve the objectives of the organisation effectively and efficiently leaders should be: competent in their functional areas possess personality trades which will motivate subordinates to respect and follow the instructions from the leader.

Control and evaluation Control is the process to determine whether organizational resources are being used effectively and efficiently to accomplish the objectives of the organisation and to implement corrective action where objectives are not met.

It is necessary to monitor activities of the organisation to ensure that all activities are running according to plan as well as to take remedial action and should: Include ability to identify deviations in time Be flexible to adjust to the changing internal and external environments Be cost effective (cost of implementing controls must not exceed the benefits derived from the controls). Be clear to all stakeholders Cover the critical operational activities Be enforced at all levels of the organisation

Management should however realize that not all activities can be controlled (impossible) must therefore control the exceptions.

3. Risk Management Clarification and definition 3.1 Risk defined To define risk in a universal accepted manner is problematic because the context in which it is defined is diverse for example: In an actuarial context risk is a statistical interpretation In an insurance context risk relates to the person/object insured under the policy.

In a public management context, risk can be defined as: the chance of something happening that will have an impact upon objectives and it is measured in terms of consequences and likelihood of an incident happening (Australian/New Zealand Standards for Risk Management 1999:4) It mainly means the presence of an uncertainty of the occurrence of a loss and in most instances this loss is an economic/financial loss. 3.2 Risk Management Risk management is a managerial function that involves process, functions and managerial activities aimed at achieving the objectives of an organisation in the most effective and efficient way. It therefore focuses managements attention to identify risks that could prevent the organisation from achieving its objectives positively as well as opportunities to enhance the functions and activities of organisations. Although many definitions of risk management can be found, the following definition seems the most applicable to public management and administration. Risk management is a managerial function aimed at protecting the organisation, its people, assets and profits against the consequence (adverse) of pure risk, more particularly aimed at reducing the severity and variability of losses (Valsamalus etal-1996:14)

Risk management therefore complements public management and can be viewed as a mechanism to assist in ensuring that policy matters such as statutory requirements, legislation and procedures are enforced to protect the organisation from losses and prosecution. To be effective, every official in the organisation should be involved in risk management processes which will necessitate a total culture change in the Rustenburg Local Municipality. 4. Objectives of Risk Management An objective can be defined as; to determine and understand what should be sought or aimed at (Oxford dictionary) We all know that literature prescribe certain requirements in terms of objectives; i.e. it must be clear, practical, specific and achievable. The objective of risk management must therefore be set within the above definition. If not, it will lose focus and officials will be influenced negatively. It must therefore entail the planning of sourcing resources that are essential to obtain financial balance and operational stability as soon as a risk has occurred. The recurrence of the loss should be prevented over if possible, be eliminated to achieve the objectives of risk management effectively. 5. Environmental influences on Risk Management When considering the implementation/establishment of a risk management function, the following environmental influences must be taken into consideration: Organizational culture Culture change must be brought about - must break from traditional way of thinking/working. - Must be a shift from the normal responding when risks occurred to advanced risk management tools and processes. - Must be part of the organisations strategic management process: thus a continuous and developing process that occur throughout the organisation strategy and implementation of that strategy. - It must be integrated into the culture of he organisation with an effective risk management policy led by the most senior management of the organisation. Political environment In a South African perspective, attention should be given to the levels of legitimacy. The risk exists that deficient legitimacy could contribute towards officials not rendering optimal services to communities. Economic environment Transformation in local government place increased pressure on financial resources. The risk of diminishing standards of service delivery and the inability to recruit experienced and

capable employees will create an environment where it will become difficult to implement and maintain an effective risk management strategy. Administrative environment An environment in which mechanism are lacking to hold officials responsible for their administrative (management) actions will create the risk that responsibility may be negated. There should be effective control in place to mitigate the risk and to create a sound administrative environment which is built on trust and responsibility. 6. Categorizations of risks Strategic risk (Macro environmental risks) These risks refer to risks encountered in a competitive environment and include element such as: - competition - customer changes - industry changes - Customer demands and intellectual capital Financial risks Financial risks include the following elements: Interest rates foreign exchange credit liquidity and cash flow

Operational risks (Business continuity risks) The following can be classified as operational risks accounting systems and control revenue management information systems (IT/GIS) recruitment supply chain policies and regulations organizational culture

Hazards risks Public access Physical Health and Safety of employees Property

Contracts Natural events Suppliers Environmental influences

7. Risk Continuim The risk continuim along which organisations operates, consist of three elements namely: Hazard chance that risk will naturalize Uncertainly meeting the objectives of he organisation Opportunity exploiting opportunities/best practices to manage risk, i.e. financial control measures to combat fraud. 8. Cost of Risk The cost of risk refers to aspects such as: Insurance to cover risks External financing (loans to cover risks materialized) Expenditure on risk control (to identify/evaluate risks) Investigation of risks Development of plans to mitigate risks.

The following categories of losses have an effect on the cost of risk Property loss/damage Consequential losses Cost of paying for liability claims Cost associated with injury/death of employees Pure financial/economic loss

9. Integrated Risk Management Process Integrated risk management requires a culture change that is based on the commitment of each official to minimize risk. The process should be done by senior management with applied methodologies and techniques appropriate to risk management. Before analyzing the risk management process, clear differentiations must be made between integrated risk management and dispersed risk management. Integrated risk management needs to redesign and implement organizational structures, systems and process to manage risk based on universally accepted language, methodology, techniques, practices, etc. in the entire organisation. It is therefore a deliberate managerial strategy which doe not just happen!

Dispersed risk management allows each financial unit to create its own risks management language and methodologies with no structured approach to examine risk collectively.An integrated risk management process therefore involves the following: Capturing risk as an opportunity rather than a threat. Creating competitive advantages by focusing on key success factors and through improved management operations. Enhancing stakeholders value by reducing the adverse impact of down-side risk/losses and maximize up-side potential or opportunities. All organizational activities must be included not focused on finance/development activities. Key components of an integrated risk management process.

10. The ethics in risk mitigation Ethics differentiate between good or bad, right or wrong and are counseled with human behavior and moral names. Good moral philosophies are needed in any organisation to effectively mange risks. Morality can be described as the practical manifestation of ethics. (Ethics is it ethically to approve a tender based on price knowing the tenderer does not have the equipment to execute the tender effectively etc). To achieve an ethical organisational culture, it is necessary to reduce the risks of selfenrichment. All employees must be informed about ethical conduct and must be cultivated on values such as honesty, transparency and morality. Unethical conduct concerns the following: Corruption: is economically driven/ political driven/professional driven- moral and work pressures Mal-administration: these are manifested through the following: conflict of interest bribery illegal gratuities economic extortion 11. Legislation to enhance risk management There are several legislation frameworks that address risk management. Most of these are in an indirect manner. Only one peace of local government legislation addresses risk management directly and that is the MFMA in Section 62 (1)(c) which reads as follows: that the municipality has and maintains effective, efficient and transparent systems (i) of financial and risk management and internal control 12. Integrated Risk Management Programme in Local Government Risk management was already defined as the function to identify, analyze and control the risks which threaten the assets of the organisation as well as to provide protection against adverse consequences of risks to reduce the likelihood of costs. For any risk management programme to be successful, the following should be part of the whole risk management function: ethical culture processes/structure directed towards risks management managerial policies

processes and practices

Risk management can therefore be seen as a much broader concept that risk in itself as the objective is to prevent or minimize the risks in the environment in which the organisation operates. To understand risk management in the local government environment, it is necessary to make a distinction between and have a proper knowledge of both the macro and micro levels in which risks exist. The relationship can be depicted as follows:

Politician

Municipal Manager

Risk Management Committee

Risk Management

MACRO Mission/Vision-Legislation Policies, Code of Conduct Ethics, Risk Strategy, Culture

Address concepts to be in place to control efficiency of risks management

MICRO Risk assessment process (High/Secondary/Operational level)

Aspects to be in place to support the policies to avoid risks

13. Establishing a risk management function The question is where to place the risk management function? (The risk management unit/department)

The risk management function must become integrated in all the Directorates of the municipality and became part of the decision making process and the function must be established in such a way that if any incident or risk arises the Office of the Risk Manager should be able to act immediately. Sight must not be lost of the fact that the establishment of a risk management function will have a cost implication (as already discussed earlier). The cost of risk management function will depend on the organisation and the skills needed. (i.e. the collapse of a company managing the pension fund of employees will have a very high impact and the risks involved are enormous. The focus of the risk management function must be directed at the identification and treatment of all external and internal risks with the objective of adding maximum sustainable value of all the activities of the organisation. The existence of external and internal risks can be illustrated as follows: External Risks

Financial Interest rates Foreign exchange Credits - Liquidity - Cash flow -Research -Intellectual capital Internal Risk - In function system - Accountancy controls -Service -Public access -

Strategy Competition Stakeholders demands Environmental change

Operational

Hazard Risks

Regulation Culture Council composition

Environment Contracts Creditors

To effect the definition of risk management as referred to several times in this document and to ensure senior management involvement and integration, the locus of the integrated risk management function in the municipalitys hierarchy should be on executive level. The reason is being that sufficient authority and senior management integration be established to allow for the Risk Management Office/Unit to execute the various functions, roles and responsibilities, as briefly outlined in the proceedings discussions, as effectively and efficiently as possible . The macro/management structure fore the establishment of an integrated risk management function should typically look as follows:

EXECUTIVE MAYOR

RISK MANAGEMENT COMMITTEE

INTERNAL AUDIT COMMITTEE

CHIEF RISK OFFICER

MUNICIPAL MANAGER

CHIEF AUDIT EXECUTIVE

The emphasis must be placed on integrated risks management as all current risk management strategies are on an adhoc basis i.e. fire risk management, disaster management, occupational health & safety etc. None of these are inclusive/integrated to the other. The implementation of risks management function must therefore involve all the stakeholders/role players to enforce vigilance and care to guide the risk management function in achieving the objectives of the municipality in general but also that of local government at large. Therefore it is also important to establish a Risk Management Committee. Risk Management Committee The Risk Management Committee must have the mandate to ensure that sound risk management systems are set in place which will enhance corporate governance. The Risk

Management Committee have to be the decision-making body and must focus on all aspects that can have an impact on the risk management function i.e.; the external/internal environment with regard to exposure for risk the complexity of processes the impact of public interest the identification of internal/external risks the effectiveness of risk management programmes consideration of the risks strategy and policy monitor and report on the risk management process ensure that risks are continually revised and re-assessed

The role of Internal Audit The question that automatically arises is how/where does Internal Audit feature in the whole process. Internal Audit has to focus on their core function with regard to integrated risk management which is to provide assurance on the effectiveness of the risk management process The Internal Audit function must therefore assist in evaluating controls, verification of measurement mechanism and to ensure that procedures are duly and properly followed. The independence of the Internal Audit function must not become involved in risk management roles/activities for instance the following: management of assurance on risks taking decisions on risk response and implementating risk responses on behalf of management Accepting accountability for risk management ,

The problem currently experienced by most municipalities is that due to lack of a risk management unit/section, the Internal Audit function undertakes the roles and responsibilities on behalf of the risk management unit/section. To prevent the Internal Audit function from the risk of waving its independence, a risk management unit/section must be structured. 14. Structuring a Risk Management Unit The Risk Management Unit should contribute and enhance the conducting of the key functions that should be undertaken by the Risk Management Unit. The following key functional activities can be identified: Communicating the strategic objectives of the organisation; Determining the risk appetite of the organisation; Communicating information on risks and risk training material in a consistent manner at all levels in the organisation; Continuous assessment of risks that may have an impact on officials and stakeholders; cause damage or loss; lead to interruption of service delivery; influence insurance arrangements or result in the contravention of laws;

 Continuous evaluation of identified risks to determine their impact, casual circumstances and likelihood of occurring; Design and implementation of risk-management plans to deal with identifies risks; Investigate incidents to develop and/or enhance controls; Consider and respond to reports, new risks identified and their evaluation; Continuous evaluation of risk incidents and reports to determine trends and to implement corrective actions; Constant evaluation of risk-management activities to ensure correct focus and cost effectiveness of programmes; and Monitoring and coordinating the integrated risk management processes and the outcomes. In structuring the Risk Management Unit, the following aspects should be taken into consideration to enhance the effectiveness of the Unit: The position of the risk management unit in the organizational hierarchy. The level of responsibility and accountability is expected from the risk manager. The number of officials assigned to the Unit.

15. References 1. Institute of Risk Management South Africa; A Training Manual 2. National Forum for Risk Management in the Public Sector (UK) News Letter 3. Geldenhuys L; Integrated Risk Management: A mechanism to minimize risks for Local Government. (Doctoral Dissertation)