RISK MANAGEMENT GUIDELINE: RISK THRESHOLDS POST PUBLIC COMMENTS
Office of the Accountant General
Presenter: Bheki Gutshwa | 29 March 2019
PURPOSE OF PRESENTATION
The presentation aims to communicate the following:
§ the reason for the guideline
§ the principle taken towards the development and implementation of risk thresholds
§ the process of obtaining inputs
§ highlight of key inputs obtained
§ how the inputs were incorporated
§ final document
§ way forward
BROAD IDEA OF THE GUIDELINE
§ developed to further assist departments to develop and implement risk thresholds as per the requirements of the PSRMF
§ developed as a response to the requests that came from different risk officers
§ supplements the PSRMF as far as the responsibilities of the relevant structures to ensure that risk appetite and tolerance levels are set – for the better application by the government departments
§ it does not necessitate a change in the legislation – rather, it emphasises the responsibility of management to ensure that risk management is integrated into organisational processes
PROCESS OF OBTAINING INPUTS
§ Previous Risk Forum platforms
§ IRMSA Annual Conference – October 2018
§ Published on National Treasury website
§ Sent emails to:
  – National departments
  – Provincial Treasuries
  – Non-delegated municipalities
  – Public Entities
INPUTS RECEIVED
§ ‘risk tolerance’ process has been put in place and applied throughout, their guideline has six principles of which two of those have been identified in the new guideline, to change terminology to ‘risk thresholds’ as a collective term
§ concern against the idea of excluding bearing capacity
§ the guideline appears to be exclusive of entities, legislature and municipalities while departments provide oversight over them. This may create parallel processes,
§ there has to be detailed explanation on the rationale of ‘Low Deviation under Tolerance’ so that management does not relax its controls as they would know that it is an acceptable deviation,
§ it was said that the Province will organise a local ‘workshop implementation’ so they advise that National Treasury keep the guideline a living document as they may have further inputs after the implementation. However, this should not delay the approval process.
INPUTS RECEIVED Cont…
§ the province had not started on any similar process as they were waiting for guidance from National Treasury,
§ they are looking forward to implementing the guideline in the Province,
§ a concern was raised that NT usually separates guidelines for PFMA and MFMA institutions and this creates an unnecessarily long list of regulations to comply with,
§ some concerns raised were around the Maturity Model which is viewed as outdated yet the guideline recommends it as a test for maturity assessment prior to implementing the risk thresholds,
§ delegates mentioned that, generally, risk culture is poor in the departments and this is evident as there is lack of risk integration,
INPUTS RECEIVED Cont…
§ Mind-Mapping process i.e. HR will give the state of mind for the staff (human capital), so we know how to deal with soft issues that affect the workforce
§ The Risk Bearing Capacity has been omitted.
§ Please include a number of examples in the various categories, for example: finance, SCM, performance management, project management, HR, ICT, Safety and Security, etc.
§ Replace “department” with either “institution” or “organization” unless the guideline is intended for use by Departments only and not the entire public sector.
§ Inaccurate arithmetic in the matrix. You omitted one level in the range definer; add “insignificant” in the descriptors (refer to the table I have suggested in the general comments)
INPUTS RECEIVED Cont…
§ At the same time, this should be guided by the capabilities of the organisation, its mandate, legislative environment as well as ambitions
§ RBC - Can we not define RBC in accordance with our understanding of the practical implementation in the public sector, e.g. RBC meaning the financial, human and other resources required to manage or mitigate an identified risk in pursuit of the delivery of high standard quality services. (Foot Note on page 9)
§ NB!!! Care be taken that management do not set unreasonably high appetites to ensure that they remain within set appetites without adding value.
§ Encourage SMART planning within allocated resources (new)
§ Departments can use different matrices or tools to analyse data and prioritise risks in terms of their rankings such as extreme, high, medium, low or trivial (insignificant).
INPUTS RECEIVED Cont…
§ The Inclusion of the Dashboard (which was previously not)
§ Further illustration on the articulation of risk appetite, using information on figure 4 and exemplary dashboard… inclusion of qualitative, quantitative and KRI/KCI examples:
§ Qualitative Example: the accounting officer will not accept a housing construction project that is <80% compliant fit (meeting quality criterion) of the development outcomes and with <100% committed funds [so 20% deviation is an acceptable level]. Therefore, in an instance where executive management is in doubt that a strategic objective (e.g. to complete a good quality construction project) will be economically and efficiently achieved having considered risks and potential consequences. Assuming that management may believe that it is likely (rating 4) for the risk to occur with catastrophic impact (rating 5) thus leaving a residual risk rating of 20 (4*5), which is an 80% deviation.
GENERAL COMMENTS
§ Training on the implementation of Risk Thresholds must be provided.
§ The examples provided are not adequate. Additional examples in a number of categories must be provided. The examples should include risk appetite, risk tolerance and risk bearing capacity.
§ Synergise Risk Matrix (p. 10) with the illustration on p. 18
§ Page 25, para 23: quarterly reviews need to be risk driven
POST RECEIPT OF COMMENTS/INPUTS
Subsequent to the receipt of inputs/comments:
§ further research was conducted
§ last editing was done
§ resulted in the final draft
§ submission of file for approval
RISK THRESHOLDS CYCLE
RISK APPETITE AND TOLERANCE
Risk Appetite:
§ establishing the department’s risk appetite is not an event but a process
§ process of setting risk appetite thresholds should be done in conjunction with the strategic planning process
§ should happen at the time of agreeing on the outputs, outcomes and impacts of the department’s strategy
§ should be reported and discussed at the department’s oversight structures
Risk Tolerance:
§ the undesirable variation of risk levels in relation to the achievement of an objective
§ an event where the department has deviated from the normal procedures
PROCESS FLOW
[Diagram: six phases (First Phase to Sixth Phase) with the labels Context Establishment, Mind-map, Maturity Status, Articulation, Process Mapping, Standardise Risk Categories, Risk Matrix, Communication, Report & Monitoring. NB: Outputs]
ESTABLISH THE DEPARTMENTAL CONTEXT
RISK EVALUATION MATRIX
The development of risk thresholds is inextricably linked with the risk evaluation matrix, and vice versa.
DEPARTMENTAL RISK MANAGEMENT STATUS
ARTICULATION OF RA & RT
§ articulation process refers to agreeing and setting up the department’s qualitative or quantitative risk limits
§ process must involve broad consultation with management and other stakeholders
§ articulation statement hinges on the set limits and maximum deviation
§ when conducting the articulation process, it is important to start with the articulation of the risk appetite
§ Illustration on page 23
ILLUSTRATION OF PAGE 23
THANK YOU
RISK THRESHOLDS CYCLE
PROCESS FLOW
[Diagram: Outputs, NB, Notes]
DEFINITIONS
• Risk Appetite means - the level of risk an institution is required to take and/or is willing to accept in all institutional levels in order to achieve its stated objectives.
• Risk Tolerance means - the undesirable level of risk variation relative to the achievement of a specific objective.
• Risk Bearing Capacity means - the maximum amount of risk an institution is able to handle in line with its mission/values/strategic goals, without exposing it to the point where its existence and survival is under threat.