THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

Size: px
Start display at page:

Download "THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK"

Transcription

1 THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK ACCOUNTABLE SIGNATURE AUTHORISED for implementation SIGNATURE On behalf of Chief Executive Officer SAHRA Council Date Date

2 TABLE OF CONTENTS Section Page I Executive summary 1 II ERM philosophy and policy 4 III ERM organisational structure, roles and responsibilities 6 IV The ERM process 10 V Implementation and integration 26 VI Conclusion 30 Appendix A Glossary of terms 31 B ERM roles and responsibilities 33 C Risk appetite and risk tolerances 41 D Risk categories 43 E Risk rating criteria and Risk assessment 46 F Sample risk register and monitoring template 53 G Illustrative portfolio view of risks 54 H Reporting requirements 56 I Communication requirements 57

3 Section I Executive Summary I EXECUTIVE SUMMARY Introduction In today's business environment, change and uncertainty are constants. Change and uncertainty create both risks and opportunities, which can either erode or enhance value for an organisation. South African Heritage Resources Agency (SAHRA) must manage these risks, within its risk tolerance, consistently, comprehensively and economically through effective enterprise risk management. This will assist the Council and management in achieving its business strategies and objectives. The following internal and external factors drive the need for an effective approach to managing risks across SAHRA: Increased Council and management accountability; Recent corporate failures and the proliferation of new standards and regulations; Increased stakeholder demands on transparency, accountability and corporate integrity; Direct linkage between credibility, ethics and social responsibilities with business performance and success; Stakeholder expectations to quickly adapt to change and uncertainty while striving for operating efficiency; Globalisation and technological advances; and Educated and discerning citizens. Such an environment requires a stronger focus on risk management practices within SAHRA in order to effectively deal with uncertainty, to capitalise on opportunities, to meet objectives and stakeholder expectations, and enhance strategic and tactical decision-making. Enterprise Risk Management Risk can be defined as the possibility that an event will occur that will adversely affect the achievement of SAHRA s objectives. Risk is measured in terms of impact/consequences and likelihood. SAHRA defines enterprise risk management (ERM) as a process, effected by the Council, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the organisation, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of SAHRA s objectives. Thus, ERM is a continuous, proactive and dynamic process to identify, understand, manage and communicate risks that may impact SAHRA s objectives. ERM will assist SAHRA to attain its goals while avoiding pitfalls and surprises along the way. It involves people at every level and requires applying a portfolio view of risk across the entire organisation. By embedding risk management techniques in dayto-day operations, SAHRA is better equipped to identify events affecting its objectives and to manage risks in ways that are consistent with the corporate strategy. Page 1 of 60

4 Section I Executive Summary Benefits of Enterprise Risk Management ERM is designed to strengthen management practices, decision-making and priority-setting to better respond to stakeholder needs. The SAHRA ERM process is expected to provide the following benefits: Consideration of risk during strategy and objective setting Exploitation of opportunities Understanding and the proactive management of critical risks impacting objectives throughout the organisation Identification and implementation of cost effective, integrated responses to multiple risks Enabling the Council and management to have a portfolio view of risks across the entire organisation Rationalisation of resources Reduction in operational surprises and losses Informed decision-making Reporting with greater confidence Support governance responsibilities and satisfy legal and regulatory requirements Enhanced corporate governance processes and accountability Increased internal and external transparency Alignment of internal audit focus with the risk profile of the organisation Managing project specific risks SAHRA The SAHRA ERM Framework provides guidance to implement a consistent, efficient, and economical approach to identify, evaluate and respond to key risks that may impact business objectives. The Framework is based on the published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission and updated with the requirements of the Public Sector Risk Management Framework (PSRMF). The principles outlined in the Framework will be incorporated into risk management related policies and procedures that will support the establishment of the organisation s ERM framework and ensure that risk management is embedded into day-to-day management activities. The objectives of the Framework are: To define the SAHRA ERM philosophy and policy To provide an overview of the SAHRA ERM process To communicate the key risk management principles To define common ERM terminology and definitions To clarify the ERM organisational structure and related roles and responsibilities To provide guidance related to the key components of an effective ERM initiative To ensure a flexible yet consistent approach to the application of ERM across SAHRA Page 2 of 60

5 Section I Executive Summary ERM Stakeholders The following list represents a sample of internal and external risk management stakeholders that have an interest in SAHRA s performance and the ability to manage risks. Internal Council and its Committees; SAHRA Executive Leadership Team (EXCO); Internal audit function; Department Heads; Department Risk Champions; Risk Owners; and All other SAHRA managerial employees and staff. External Government (National and Provincial); Donors; Suppliers (including asset managers, consultants, banks, insurance); Financial institutions; Community at large; External auditors; Union; and Media Conclusion In today s environment of change and uncertainty, risk management is a critical success factor for achieving SAHRA s strategic and business objectives. Embedding risk management into existing processes is a key to making informed decisions and proactively planning for possible future events stemming from internal as well as external sources. The implementation of an effective ERM process is a strategic initiative that has the full support of the SAHRA s Council and Executive Management. Risk management is everyone s responsibility. The SAHRA ERM Framework provides a proactive, systematic and integrated approach to risk management. The principles outlined in the Framework are the foundation for the risk management philosophy, mission, and vision of the SAHRA ERM initiative. Page 3 of 60

6 Section II ERM Philosophy & Policy II ENTERPRISE RISK MANAGEMENT PHILOSOPHY AND POLICY Enterprise Risk Management Philosophy The vision of SAHRA is to provide for the identification, conservation, protection and promotion of our heritage for the present and future generations. In achieving this vision, SAHRA will face many different types of risks: risks to its business strategy, operational risks and risks associated with the protection of its people, assets and reputation. In order to achieve its business objectives, SAHRA is focused on proactively identifying and managing risks at all levels within the organisation. SAHRA is committed to complying with and maintaining the principles of the Code of Corporate Practices and Conduct as set out in The King Committee Report on Corporate Governance (King II). In terms of this code, the Council is responsible for the total process of risk management, as well as forming its own opinion on the effectiveness of the process. Management is accountable to the Council for designing, implementing and monitoring the process of risk management and integrating it into the day-to-day activities of the organisation. The SAHRA ERM vision is to integrate risk management across the organisation to support the SAHRA vision, mission and values and increase the likelihood of achieving business objectives. SAHRA will accomplish this vision by: Embedding risk management within our culture; Proactively identifying future uncertainties and planning for them; and Training our employees to think about risks as part of their decision making process. SAHRA Enterprise Risk Management Policy SAHRA subscribes to an Enterprise Risk Management process which is aligned with the Public Sector Risk Management Framework which enables the entire organisation to understand, manage and communicate risks from an organisation-wide perspective. It will ensure that all risks that could prevent achieving organisational objectives are identified, response plans are implemented and evaluated and managed on an organisation-wide basis. Reporting to the Council and Audit Committee will take place on pre-defined criteria to ensure adequate monitoring of critical risks. SAHRA will, on the corporate level: Determine the corporate vision and mission Establish clear strategic business objectives and identify and assess significant risks that may prevent the achievement of those objectives Determine the appetite for taking risks Apply fit-for-purpose risk responses Incorporate risk responses into an integrated internal control system which is designed to: Address opportunities Protect the organisation s assets Facilitate effective and efficient operations Assist in ensuring reliable reporting Comply with applicable laws and regulations Page 4 of 60

7 Section II ERM Philosophy & Policy Monitor the effectiveness of business processes and systems for managing risk Apply Council and management policies, which relate to risk management. Provide support and resources to establish, integrate, sustain and continually improve risk management on an enterprise-wide basis. Each department will: Determine business or project objectives, which are aligned with the strategic objectives Identify and assess significant risks that may prevent the achievement of those objectives Apply fit-for-purpose risk responses Incorporate risk responses into an integrated internal control system which is designed to: Address opportunities Protect the organisation s assets Facilitate effective and efficient operations Assist in ensuring reliable reporting Comply with applicable laws and regulations The ERM Framework will form the basis for the overall ERM policy and procedures at SAHRA. All SAHRA corporate and departmental processes, including the strategic planning and objective setting process are included in the scope of the ERM program. The Council, through its Audit Committee, is responsible for the overall risk management process and the development of this policy. The Council will actively participate in risk and control monitoring and analysis to consider and review the enterprise wide risk profile and control environment. Management is responsible to the Council for the implementation of processes and procedures to achieve the outcomes set out in this policy. It is the responsibility of all SAHRA employees to understand and adhere to the policies outlined within this Framework and the risk management procedures. We commit to continuous improvement in the area of risk management. In this regard: An independent external evaluation of the SAHRA ERM Framework and risk management process will be performed at least every 3 years to ensure the Framework is current and the process effective. The Council will review this policy and underlying principles at least annually, to ensure its continued application and relevance. The SAHRA s Risk Management Function will submit proposed changes, or additions, for consideration and recommendation to the Audit Committee, who in turn will submit it to the Council for approval. The Council will make appropriate disclosures in its annual report in relation to the SAHRA ERM process. The Council will disclose: That it is accountable for risk management and the system of internal control; That there is an ongoing process for identifying, evaluating and managing the significant risks facing the organisation; That there is an adequate system of internal control in place to mitigate the significant risks faced by the organisation; and That there is a documented and tested process in place that will allow the organisation to continue its critical business processes in the event of a disastrous incident impacting its activities. Page 5 of 60

8 Section III ERM Organisational Structure, Roles & Responsibilities III ERM ORGANISATIONAL STRUCTURE, ROLES AND RESPONSIBILITIES Managing risks is everyone s responsibility. Development of a formal risk management structure helps ensure that employees across the organisation understand their responsibilities and are accountable with regard to risk management. ERM organisational structure The ERM organisational structure is reflected in the diagram below: Page 6 of 60

9 Section III ERM Organisational Structure, Roles & Responsibilities ERM Roles and responsibilities The following table provides a summary of key ERM roles and responsibilities (detailed ERM roles and responsibilities are included in Appendix B): ERM Internal Stakeholders Key ERM Roles and Responsibilities Council - The Council must ensure that appropriate corporate governance frameworks are established and operating. - Provide risk management philosophy direction. - Approve key risk management documents and decisions. - Review/approve external risk reporting. SAHRA Executive Leadership Team (EXCO) - Ensure integration of risk management into strategic and objective setting, ongoing measurement and key decision making. - Issue risk management directives. - Top down risk management communication. - Ensure control manuals and other key documents reflect policies regarding risk and that the mechanisms are in place to ensure they are maintained. - Build confidence and respect organisation wide, at all levels, to gain acceptance for consistent risk management practices. - Assimilate risk information from varied sources, and make effective business based decisions on risk priorities and actions required. - Ensure inherent risks or business risk profiles associated with individual business functions and processes under their control are adequately and regularly assessed. - Ensure risk reports on status of corrective actions are completed. Risk Owner - Ensure that approved risk responses to identified risks are effectively implemented. - Take responsibility for assessing the design and operating effectiveness and control. - Ensure risks are identified and managed on a daily basis. - Risk owner may delegate responsibility for implementing actions and application to controls to appropriately skilled staff. Department Heads - Set business/departmental risk management strategy. - Provide departmental risk management oversight and guidance. - Monitor effectiveness of risk responses/mitigation. - Ensure controls currently in place over a division are operating effectively. Departmental Risk Champions - Provide risk management expertise and guidance. - Ensure execution of risk management framework and process for the respective division. - Facilitate day-to-day risk management training, PwC Page 7 of 60

10 Section III ERM Organisational Structure, Roles & Responsibilities ERM Internal Stakeholders Key ERM Roles and Responsibilities documentation and coordination. ERM Participant/ operational staff - Execute risk management activities in day-to- day activities in accordance with the ERM framework and risk management procedures. - Escalate ERM framework and process deficiencies and enhancements. Audit Committee - Provide oversight of the independent evaluation of the effectiveness of the ERM process and ensure corrective action is taken. - Reporting and recommendation to Council. Internal Audit/ Assurance Provider - Perform an internal evaluation of the effectiveness of the ERM process. - Plan in detail, and co-ordinate activity to achieve ongoing risk management reporting cycles within SAHRA. - Arrange and facilitate risk meetings, presentations and workshops involving staff across the business, at all levels. - Organise resources across the business, providing risk management training and development where required. - Categorise and prioritise risk information into report formats, and decide on where information can add value. - Provide guidance on the framework used for risk assessment. - Ensure risk is assessed within a formal risk management methodology, to be approved by the Audit Committee. - Monitor risk reports on status of corrective actions are completed. - Monitor controls currently in place over a division are operating effectively. - External verification every 3 years to determine whether the risk management process is being adhered to and remains effective. PwC Page 8 of 60

11 Section IV The ERM Process IV THE ENTERPRISE RISK MANAGEMENT PROCESS Components of the SAHRA Enterprise Risk Management Process The following provides an illustration of the eight key components of the SAHRA ERM process. Internal Environment SAHRA s control environment is the foundation of risk management, providing discipline and structure. The objective of the Internal Environment component is to establish the tone at the top with regards to risk management. The control environment influences how strategy and objectives are established, departmental activities are structured, and risks are identified, assessed and acted upon. It influences the design and functioning of control activities, information and communication systems, and monitoring activities and incorporates the following aspects: The risk management philosophy and culture Risk appetite Oversight by the Council Integrity and ethical values A commitment to competence Organisational structure Assignment of authority and responsibility Human resource standards The goal of this ERM framework is to set the risk management philosophy and policy and outline the ERM process at SAHRA (refer to Section II). However, the effectiveness of risk management is dependent on the tone established by the Council and management and communication across the organisation not only in respect of risk management, but in respect of the control environment in general. PwC Page 9 of 60

12 Section IV The ERM Process Strategy and Objective Setting The objective of Strategy and Objective Setting is to embed risk management principles into the strategic planning cycle and objective setting processes to ensure that objectives are consistent with SAHRA risk appetite and tolerances. Organisational strategy and objectives serve as the foundation for all risk management activities. Therefore, properly defined, documented, and approved objectives are critical to the success of the SAHRA ERM initiative. This component provides guidance related to establishing risk appetite, incorporating risk management into strategic and financial planning processes, and defining risk tolerances. Risk Identification The objective of Risk Identification is to develop a consistent and sustainable approach to identify events that could impact SAHRA s ability to achieve corporate strategies and objectives. Potential events could arise from internal and/or external sources such as key business processes, technology, personnel, alternative products, and member demographics or behaviour. Potential events with a negative impact represent a risk to SAHRA. Consequently, a risk assessment will be performed for all events with a negative impact. Events with a positive impact represent opportunities for SAHRA, which in turn will be channelled back to the strategic and financial planning processes. How to perform risk identification It is important that the risk identification exercise does not get bogged down in conceptual or theoretical detail. It should also not limit itself to a fixed list of risk categories, although such a list may be helpful. Key steps necessary to effectively identify risks from across the institution. These steps are: 1. Understand what to consider when identifying risks; 2. Gather information from different sources to identify risks; 3. Apply risk identification tools and techniques; 4. Use risk categories for comprehensiveness; 5. Document the risks; 6. Document the risk identification process; and 7. Assess the effectiveness of the risk identification process. Risk Assessment The objective of Risk Assessment is to assess the impact of events and associated risks on SAHRA s strategic objectives. Events and associated risks are assessed from two perspectives: likelihood and impact. This assessment utilises a combination of quantitative and qualitative techniques to derive an overall risk profile for the organisation or the respective divisions. Responses are developed and implemented for events and associated risks having a residual risk which is greater than the risk tolerance. These steps are: 1. Identify and evaluate existing control effectiveness 2. Determine risk likelihood (probability or frequency of risk occurrence); 3. Determine risk impact (consequences of an event occurring) 4. Both the risk likelihood and consequence rating should be performed prior and post controls to determine level of risk rating (Inherent vs. residual rating). 5. Determine risk rating level PwC Page 10 of 60

13 Section IV The ERM Process Risk Response The objective of Risk Response is to determine how SAHRA will respond to events and associated risks. Various risk response strategies will be evaluated, including risk avoidance, reduction, sharing or acceptance. The decision to implement a response will be based on risk tolerances, the effect the response will have on the impact and likelihood ratings and the results of the cost versus benefit evaluation. Once a risk response is implemented, SAHRA will develop ongoing mechanisms to monitor the implementation and effectiveness of the risk response. Control Activities The institution can respond to risk through various mechanisms such as avoidance, transfer, accepting and managing of the risk. When the institution elects to manage the risk, it will require control activities to support the management of the risk to within tolerable levels. Outputs Control activities will produce detailed action plans for managing all material risks. Guidelines The risk assessment will have produced a management's perspective of the effectiveness of the existing controls. This would inform management of additional control interventions required to better manage the risk exposures to an acceptable level. Management will be able to consider the best control options from various alternative control types: Management Control These ensure that the institutions structure and systems support its policies, plans and objectives and operate within laws and regulations; Administrative Control These ensure that policies and objectives are delivered in an efficient and effective manner and that losses are minimised; Accounting Control These ensure that resources allocated are accounted for fully and transparently and are properly documented; Information Technology Control These controls relate to IT systems and include access control, controls of system software programmes, business continuity controls and other controls. Each control type above can be classified as either: Preventative These controls are designed to discourage errors or irregularities from occurring e.g. adequate physical security of assets to prevent losses such as theft or damage. If properly enforced, these controls are usually the most effective type of controls; Detective These controls are designed to find errors or irregularities after they have occurred e.g. performance of reconciliation procedures to identify errors; Corrective These controls usually operate together with detective controls in order to correct identified errors or irregularities. PwC Page 11 of 60

14 Section IV The ERM Process Considerations for improving controls The following questions could provide useful information for a high level understanding of the underlying issues and the control improvements required: What is the risk assessment telling us about the effectiveness of the current controls (What needs to be enhanced)? What are the various options available for addressing the residual risk? What amount and quality of information do we have about the risk (what additional information is required to fully understand and respond to this risk)? How much is the additional control going to cost and how does this compare with the benefits to be derived from the additional control? Is there a necessity for introducing new policies and procedures, or updating the existing policies and procedures? How will we measure whether the new control measures are working or not? What is the action plan for addressing the control gaps? Who is the responsible person? What project plans should we put in place? Assurance on control activities Up until now the control adequacy and effectiveness was based exclusively on management perception. The inherent danger in this is that "optimism bias" could prevail, that is to say, management is more optimistic about the control environment than they really should be. An examination of the control activities performed by an independent party has the advantage of eliminating "optimism bias" and revealing a more realistic perspective of the control activities. Independent assurance can be provided by internal audit, a corporate function, independent consultants or the Auditor-General. The reports provided by these assurance providers should be utilised to update the assessments reflected in the risk register and should form the basis for developing additional control enhancements that is required. Risk Reporting The objective of Risk Reporting is to keep the Council and SAHRA management abreast of: Key events and associated risks facing the SAHRA organisation; Current plans to address the key risks; and Effectiveness of the ERM Framework and process. The Internal Audit Function is responsible for co-ordinating the enterprise-level risk reporting through leveraging existing management reporting channels. PwC Page 12 of 60

15 Section IV The ERM Process Information and Communication The objective of Information and communication is to raise the awareness of enterprise risk management across all levels of the organisation. Existing communication and training channels will be used to reinforce the importance of risk management and ensure that all employees understand their risk management roles and responsibilities. 1. Introduction Relevant information, properly and timeously communicated to relevant stakeholders, is essential in order to equip such stakeholders to identify, assess and respond to risks. 2. Outputs Effective information and communication is intended to support enhanced decision making and accountability through: Relevant, timely, accurate and complete information; Communicating responsibilities and actions. 3. Guidelines When deciding on information and communication protocols, the following aspects should be considered: Understanding clearly the needs and requirements of each stakeholder group. This would include agreeing with them the manner, content and form in which the information should be communicated and the frequency of reporting; To what extent existing reporting channels can be utilised to transmit the required information rather than creating new channels. Various sources of internal and external information is obtained and analysed in all eight components of the ERM process framework (see the ERM Architecture for the components). Furthermore, this information could be in quantitative and qualitative form. The challenge for management is to process and refine large volumes of data into relevant and actionable information, and to keep historical records of analysis, trends and decisions. This challenge can be overcome by implementing an information system to source, capture, process, analyse and report relevant information. 4. Implementing a risk management reporting system The use of the risk management software will enable management to obtain "real time" information for decision making. This will also enhance monitoring activities. Whether or not automated or manual processes are used it is advisable to have customised reports as an early warning system. A risk dashboard can be used to expedite the flow of critical information to enhance decision-making. Supplementary information can be included in more detailed reports such as: progress with risk management implementation, incident reports, and emerging risk reports. 5. Incident reporting system Incident reporting is another means of risk monitoring and reviewing the effectiveness of controls. The principle of real-time incident reporting for key processes is growing in prominence globally. Certain disciplines such as Safety, Health, Environmental and Quality may already have in place incident reporting systems. Such reporting systems should be integrated into the broader risk management incident reporting systems in order to avoid duplication of effort. PwC Page 13 of 60

16 Section IV The ERM Process 6. Emerging risk warning system Emerging risks are previously unrecognised risks that may be an imminent threat. Such risks may emanate through changes in the regulatory environment, external events, internal changes or social trends. Effective risk management will incorporate a process of identifying emerging trends, which could pose threats and risks. The frequency with which emerging risks are deliberately interrogated will be influenced by the rate of change and dynamism the institution is confronted with. Monitoring The objective of Monitoring is to provide feedback regarding the adherence to and effectiveness of the ERM Framework and process. There are two distinct forms of monitoring approaches: On-going monitoring by all SAHRA employees participating in risk management activities; and Independent risk management evaluations performed by Internal Audit or external service providers. Once issues/deficiencies are identified, corrective action plans will be developed, implemented and monitored. PwC Page 14 of 60

17 Section IV The ERM Process STRATEGY AND OBJECTIVE SETTING Overview The cornerstone of Enterprise Risk Management is to assist in the achievement of organisational strategy and objectives. Therefore, it is critical that risk management concepts and principles are incorporated into existing processes to develop and manage organisational strategies and objectives. Objectives are set at the organisational, departmental and project levels, and fall within six categories: Teaching and Learning, Research, Responsiveness and Community Engagement, Finance, Marketing and Advancement and Institutional Development. Objectives are aligned with the risk appetite, which drives risk tolerances throughout the organisation. Therefore, properly defined, documented, and approved objectives are critical to the success of the SAHRA ERM process. Identifying and managing risks will be key elements of the SAHRA strategic and financial planning cycle. Embedding risk management into strategy and financial planning processes will enable SAHRA to proactively identify and understand potential barriers to achieve the organisational strategy and objectives. These risks will be considered in the final decision to select the appropriate strategy and related objectives. Once the strategy and objectives are approved, risk management will be embedded into ongoing performance measurement activities across the organisation. Risk management activities will closely align with the organisational balanced scorecard and other mechanisms that are currently in place to monitor, measure, track and report business objectives and supporting metrics. The goal of this component is to provide guidance for embedding risk management principles into the strategic planning cycle and objective setting processes. This component introduces the concepts of risk appetite and tolerances, which are key to ensuring that the objectives are aligned with the overall risk philosophy of the organisation. Key Principles Appropriate level of management participation during strategy and objective setting processes. Stakeholder expectations are considered when establishing risk appetite and tolerances. Risk appetite is used as a guidepost during strategy and objective setting processes. Corporate strategy, risk appetite and risk tolerances are cascaded across the organisation. Objectives, metrics and risk tolerances are clearly defined and measurable. Risk tolerances utilise the same unit of measure as the related objectives. PwC Page 15 of 60

18 Section IV The ERM Process Key Activities Strategy and Objective Setting Key Activity Description 1. Define the risk appetite Develop the risk appetite at the corporate level, which 2. Incorporate risk management into strategy and objective setting processes will be cascaded across the organisation Integrate risk management principles and techniques into corporate and departmental strategy and objective setting processes 3. Develop risk tolerances Determine the risk tolerances at the corporate and departmental levels Related information Section E Appendix C Implementation and integration Risk appetite and tolerances PwC Page 16 of 60

19 Section IV The ERM Process EVENT IDENTIFICATION Overview An event is an incident or occurrence emanating from internal or external sources that could affect implementation of strategy or achievement of objectives. Events may have positive or negative impacts, or both. The objective of the event identification component is to develop a consistent and sustainable approach to identify events that could impact SAHRA s ability to achieve organisational strategy and objectives (both positive and negative impacts). Potential events could arise from internal and/or external sources. Examples of internal sources of events include key business processes, personnel and technology. Examples of external sources of events include political environment, macroeconomic trends, and natural disasters. Potential events with a negative impact represent a risk to SAHRA. Consequently, a risk assessment will be performed for all events with a negative impact. Events with a positive impact represent opportunities for SAHRA, which in turn will be channelled back to the strategic planning, financial planning, and balanced scorecard development processes. Event identification takes place at departmental level and at the entity level. Significant risks from the departmental level are escalated to the entity level and are supplemented by the identification of risks that have an impact across the organisation, such as strategic risks. Information sources to successfully identify events include: Information on previous events impacting the organisation/division Organisational and departmental objectives for current year Business Continuity plans Forward-looking research, surveys, projections, etc. External sources of event information (e.g., economic forecasts, political environment, etc.) SAHRA will utilise the following approaches for identifying new events: 1. Formal Event Identification Exercises New events will be identified through formal event identification exercises. identification exercises will be conducted: During the implementation of ERM When new objectives are identified/developed On an annual basis aligned to the strategic planning process The formal event 2. Identify and Document New Events on an Ongoing Basis Potential events may be identified at any time by any individual within SAHRA. Such events should be formally communicated to the Departmental Risk Champions who will be responsible for ensuring that appropriate action is taken. PwC Page 17 of 60

20 Section IV The ERM Process 3. Periodic Validation of Event Inventory As outlined in the Reporting component of the SAHRA ERM Framework, management will be responsible for risk management reporting on a periodic basis. Prior to this reporting, mechanisms will be in place to validate the completeness and accuracy of the event inventory and risk assessment results with management. During this exercise, management may identify new events that have not been formally documented. Consequently, this exercise represents the third mechanism to identify new events. Key Principles Involve management representatives (executive and non-executives) from across the organisation as well as relevant third parties during the first event identification exercise (during initial ERM implementation); Identify events that directly impact the strategic and/or departmental objectives of SAHRA; Document event information in the SAHRA ERM system; Events are identified, updated and re-evaluated on a regular basis; Report status of events on a monthly basis to EXCO; Validate the completeness of the event inventory prior to the quarterly reporting process. Key Activities Event Identification Key Activity Description Formal Event Identification Exercise 1. Plan for the event identification Outline of the necessary steps to prepare for the event identification exercise exercise 2. Conduct the event identification exercise 3. Document the results of the event identification exercise Ongoing Event Identification 4. Identify and document new events on an ongoing basis Related information Overview of techniques to conduct the event identification exercise Overview of documentation requirements Process to monitor, identify and document new events on an ongoing basis Appendix D - Risk categories PwC Page 18 of 60

21 Section IV The ERM Process RISK ASSESSMENT Overview Risk Assessment allows SAHRA to consider the extent to which potential events might have a negative impact on achievement of objectives. Risk Assessment is the process that enables management to gain an understanding of the likelihood and impact of potential events and associated risks identified during Event Identification. The Risk Assessment process provides a standard and consistent approach to understand and evaluate risks impacting objectives across all divisions and at an entity level. Thus, it provides SAHRA management with a portfolio view of risks i.e. a risk profile (also refer to Appendix H). During this process, events with a potential of negatively impacting objectives are examined at the departmental and at the entity level. Such events are assessed and included in the overall risk profile of the respective divisions. Risk profiles of the various divisions are combined with the risk profile of entity level risks to form a portfolio view of risk at the organisational level. New events which represent opportunities are channelled back to the strategy and objective setting process (See the Strategy and Objective Setting component of the Framework). Risks are assessed from two perspectives likelihood of occurrence and impact. This assessment utilises a combination of quantitative and qualitative techniques to derive an overall risk profile for the respective division or at the corporate level. Management may assess how events correlate and where sequences of events combine and interact to create significantly different probabilities or impacts. While the impact of a single event might be slight, a sequence or combination of events within or across divisions might have more significant impact. Where potential events are not directly related, management should assess them individually. Where risks are likely to occur within multiple divisions, management may assess and group identified events into common categories. In assessing risks, management consider the likelihood of occurrence and the impact of the risks on an inherent basis i.e. without considering the influence of existing management actions and related controls, and on a residual basis i.e. after taking into account management actions and related controls. The final activity in the risk assessment process is to validate the results with executives and participants of the enterprise wide and respective departmental risk assessments. Validation of the risk assessment is undertaken to gain acceptance and to confirm the prioritisation of events. Key Principles Appropriate level of subject matter experts as well as executives and non-executives participate in the evaluation of events and associated risks. Risk assessments are performed for all events which have a potential of negatively impacting strategic/departmental objectives Events and associated risks are evaluated from two perspectives: likelihood of occurrence and impact The impact of the event and associated risks are assessed using a consistent rating scale incorporating both quantitative and qualitative units of measure Both the inherent and residual impacts are considered in determining the overall risk associated with a given event PwC Page 19 of 60

22 Section IV The ERM Process Risk assessments inherently have a subjective component (such as management s experience, assumption used to estimate the impact, etc.) which will be considered when prioritising events Portfolio view of risks and risk tolerances enable management to prioritise and manage events and associated risks A formal risk assessment is performed on an annual basis The results of the risk assessment are documented in the ERM system Key Activities Risk Assessment Key Activity 1. Select risk assessment technique Description Overview of possible techniques to perform a risk assessment. 2. Assess risks Outline necessary steps to perform a risk assessment. 3. Develop risk profile and prioritise risks Outline steps to develop a risk profile and rank events and associated risks based on the likelihood of occurrence of the event and its impact on the objectives. 4. Validate risk assessment results Overview of the process to validate the results of the risk assessment exercise. Related information Appendix E - Appendix F - Appendix H Risk rating criteria Risk assessment Illustrative portfolio view of risks PwC Page 20 of 60

23 Section IV The ERM Process RISK RESPONSE Overview Risk response relates to the policies, procedures, processes and controls implemented to respond to specified future events. Various response strategies are available for responding to a given event and associated risks. These strategies can broadly be divided into the following four categories: Avoidance - taking action to exit the activities that give rise to the risks Reduction - reducing the event likelihood, impact, or both Sharing - reducing event likelihood or impact by transferring or otherwise sharing a portion of the risk Acceptance - taking no action to affect frequency or impact Taking risks is a part of the ordinary course of business. It is not the intent in all cases to minimise, avoid or eliminate all risks that are identified. However, it is the intent that SAHRA understand the significant events that may negatively impact business objectives and set guidelines to address the associated risks. This is achieved by establishing a standard and consistent process for developing an acceptable response. In selecting the response, an evaluation of the costs and benefits of the response is performed and an approach selected that brings the expected likelihood and impact within the desired risk tolerances. These will vary over time according to specific business objectives and will be reassessed when changes to strategic and operational objectives are effected. The primary input from the risk assessment includes event(s) which have an inherent risk that is greater than the established tolerance levels for SAHRA objectives. These events may or may not have existing risk responses in place within the organisation. If a risk response has been implemented, the effectiveness of the response is evaluated and a determination made whether the response needs to be enhanced or replaced. The ultimate goal is to bring the residual risk (after management actions and/or controls) to a level that is at or below the acceptable risk tolerance levels defined by management, i.e. target risk. A given risk response may lead to identification of new events that represent a risk and/or opportunity. New opportunities will be channelled to strategy and objective setting processes and new risks will be channelled back to event identification and risk assessment activities. Risk responses serve to focus attention on control activities needed to help ensure that the risk responses are carried out properly and in a timely manner. Control activities are the policies and procedures that help ensure risk management strategies are properly executed. They occur throughout the organisation, at all levels and in all functions and usually involve two elements: a policy establishing what should be done and procedures to effect the policy. In selecting control activities, management considers how the control activities are related to one another. In certain instances, a single control activity addresses multiple risk responses, while in others, multiple control activities are need for one risk response. The selection or review of control activities should include consideration of their relevance and appropriateness to the risk response and related objective. PwC Page 21 of 60

24 Section IV The ERM Process The Audit Committee, through the ongoing risk management process, will co-ordinate with various assurance providers to obtain evidence on the effectiveness of control activities in achieving the desired risk response. Through a control effectiveness rating, the effective residual risk rating will be established. Key Principles There are two aspects to a risk response: (1) Development, additions or changes to existing policies, procedures, processes, and controls and (2) Monitoring the effectiveness of the response The timing of risk response selection and implementation will be based on the risk assessment prioritisation Responses will be assessed based on the costs and benefits of implementing the response and the effect on the impact and likelihood A risk owner will be identified for each risk, who will be responsible to ensure that the agreed risk responses are in place/implemented Risk responses are documented in the ERM system Existing risk responses performed by SAHRA will be leveraged, if appropriate An entity-wide view will be taken in determining appropriate risk responses at the departmental and corporate level Risk responses are developed in the context of the risk appetite, objectives and tolerances. Assurance providers such as internal audit will perform monitoring of the effectiveness of risk responses and compliance with policies and procedures. Key Activities 1. Risk Response Key Activity Identify potential risk response strategies Description Identify the various types of response strategies for each event, including avoidance, reduction, sharing, acceptance 2. Evaluate and select a response(s) 3. Implement and monitor response(s) Select a risk response based on the results of the cost vs. benefit analysis, risk appetite, tolerances, overall objectives and effect on likelihood and impact Implement and monitor the selected risk response, including assessment of control effectiveness Related information Appendix G - Sample risk register and monitoring template PwC Page 22 of 60

25 Section IV The ERM Process RISK REPORTING Overview It is important to keep the SAHRA management, the Audit Committee and Council abreast of key risks and the actions resulting from risk management activities. This component of the ERM Framework outlines the process to report risk management information to SAHRA management and the Council on a consistent and timely basis. High-level overview of the SAHRA risk reporting and communication structure Key Principles Risk management reporting will be embedded into ongoing processes to manage objectives and the supporting balanced scorecard Risk management reporting will provide a portfolio view of key risks and risk responses at various levels of the organisation (e.g., organisation-wide and departmental unit) Risk reporting will be driven by internal and external stakeholder expectations and requirements Key Activities Key Stage Reporting Activity 1. Stakeholder reporting requirements 2. Monthly validation 3. Quarterly analysis and interpretation Description Validate and manage stakeholder reporting requirements Validate with the ERM Champions the accuracy of the risk management data. Analyze, evaluate and prioritise the risks at the organisationallevel and develop a portfolio view of risks. PwC Page 23 of 60

26 Section IV The ERM Process Related information Appendix H Appendix I - Illustrative portfolio view of risks Reporting requirements PwC Page 24 of 60

27 Section IV The ERM Process MONITORING Overview Monitoring is a process that assesses the effectiveness of the SAHRA ERM Framework and process over a period of time. A well-developed ERM Framework is only as effective as the dedication of the SAHRA employees who adhere to its principles and incorporate it into their daily decision-making processes and activities. Factors such as employee turnover, job rotations and promotions, and departmental consolidations and reorganisations all have the potential to negatively impact the consistent application of risk management principles. Monitoring mechanisms will assist to: Ensure the consistent application of the Framework across the organisation Ensure the effectiveness of the ERM policies and procedures Identify weaknesses/enhancements and develop corrective action plans The process to monitor SAHRA S ERM Framework takes two distinct forms: Ongoing risk management monitoring activities Ongoing monitoring activities are built into the normal, recurring operating activities across the organisation. Employees are responsible for identifying and escalating potential ERM Framework weaknesses or enhancements. Independent risk management evaluations Separate ERM evaluations performed by individuals not involved with the ERM processes will provide an independent appraisal of the effectiveness of the Risk Management Framework and process. (NOTE: This component focuses on monitoring the consistent execution and application of the ERM Framework. The process to monitor the execution of risk responses is addressed within the risk response component.) Key Principles Ongoing monitoring activities are embedded into risk management activities Employees participating in risk management activities have a responsibility to escalate ERM Framework and process issues and enhancements to the Departmental Risk Champion upon identification Independent evaluations provide an objective perspective of the adequacy and effectiveness of the ERM Framework and process on a periodic basis Issues and enhancements are documented and a corrective action plan is developed and monitored. Issues and enhancements are reported in a timely manner to the Council and Audit Committee. PwC Page 25 of 60

A Risk Management Standard

A Risk Management Standard A Risk Management Standard Introduction This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk management

More information

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT POLICY TITLE OF POLICY POLICY OWNER POLICY CHAMPION DOCUMENT HISTORY: Policy Title Status Enterprise Risk Management Policy (current, revised, no change, redundant) Approving

More information

Integrated Risk Management:

Integrated Risk Management: Integrated Risk Management: A Framework for Fraser Health For further information contact: Integrated Risk Management Fraser Health Corporate Office 300, 10334 152A Street Surrey, BC V3R 8T4 Phone: (604)

More information

IRM CERTIFICATE AND DIPLOMA OUTLINE SYLLABUS

IRM CERTIFICATE AND DIPLOMA OUTLINE SYLLABUS IRM CERTIFICATE AND DIPLOMA OUTLINE SYLLABUS 1 Module 1: Principles of Risk and Risk Management Module aims The aim of this module is to provide an introduction to the principles and concepts of risk and

More information

RISK MANAGEMENT FRAMEWORK 2013-2014 OKHAHLAMBA LOCAL MUNICIPALITYITY

RISK MANAGEMENT FRAMEWORK 2013-2014 OKHAHLAMBA LOCAL MUNICIPALITYITY RISK MANAGEMENT FRAMEWORK 2013-2014 OKHAHLAMBA LOCAL MUNICIPALITYITY Page 1 CONTENTS 1. Foreword by the Mayor... 3 2. Background... 4 2.1 Introduction... 4 2.2 Overall purpose of the Enterprise Risk Management

More information

IFAD Policy on Enterprise Risk Management

IFAD Policy on Enterprise Risk Management Document: EB 2008/94/R.4 Agenda: 5 Date: 6 August 2008 Distribution: Public Original: English E IFAD Policy on Enterprise Risk Management Executive Board Ninety-fourth Session Rome, 10-11 September 2008

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ROCKHAMPTON REGIONAL COUNCIL ENTERPRISE RISK MANAGEMENT FRAMEWORK 2013 Adopted 25 June 2013 Reviewed: October 2015 TABLE OF CONTENTS 1. Introduction... 3 1.1 Council s Mission... 3 1.2 Council s Values...

More information

International Diploma in Risk Management Syllabus

International Diploma in Risk Management Syllabus International Diploma in Risk Management Syllabus Module 1: Principles of Risk and Risk Management The aim of this module is to provide an introduction to the principles and concepts of risk and risk management.

More information

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2014

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2014 WOOLWORTHS HOLDINGS LIMITED CORPORATE GOVERNANCE PRINCIPLES 2014 CORPORATE GOVERNANCE PRINCIPLES 2014 CORPORATE GOVERNANCE PRINCIPLES 2014 This table is a useful reference to each of the King III principles

More information

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES Ethical Leadership and Corporate Citizenship The board should provide effective leadership based on ethical foundation. that the company

More information

Audit of the Test of Design of Entity-Level Controls

Audit of the Test of Design of Entity-Level Controls Audit of the Test of Design of Entity-Level Controls Canadian Grain Commission Audit & Evaluation Services Final Report March 2012 Canadian Grain Commission 0 Entity Level Controls 2011 Table of Contents

More information

Saldanha Bay Municipality. Risk Management Strategy. Inclusive of, framework, procedures and methodology

Saldanha Bay Municipality. Risk Management Strategy. Inclusive of, framework, procedures and methodology Inclusive of, framework, procedures and methodology Contents 1 Introduction 1 1.1 Legislative Framework and best practice 1 1.2 Purpose of Enterprise Risk Management 2 1.3 Scope and Applicability 3 1.4

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ENTERPRISE RISK MANAGEMENT FRAMEWORK COVENANT HEALTH LEGAL & RISK MANAGEMENT CONTENTS 1.0 PURPOSE OF THE DOCUMENT... 3 2.0 INTRODUCTION AND OVERVIEW... 4 3.0 GOVERNANCE STRUCTURE AND ACCOUNTABILITY...

More information

Matthew E. Breecher Breecher & Company PC November 12, 2008

Matthew E. Breecher Breecher & Company PC November 12, 2008 Applying COSO s Enterprise Risk Management Integrated Framework Matthew E. Breecher Breecher & Company PC November 12, 2008 The basic outline for this presentation was provided by: Objectives for the session:

More information

Risk Management Strategy EEA & Norway Grants 2009-2014. Adopted by the Financial Mechanism Committee on 27 February 2013.

Risk Management Strategy EEA & Norway Grants 2009-2014. Adopted by the Financial Mechanism Committee on 27 February 2013. Risk Management Strategy EEA & Norway Grants 2009-2014 Adopted by the Financial Mechanism Committee on 27 February 2013. Contents 1 Purpose of the strategy... 3 2 Risk management as part of managing for

More information

Confident in our Future, Risk Management Policy Statement and Strategy

Confident in our Future, Risk Management Policy Statement and Strategy Confident in our Future, Risk Management Policy Statement and Strategy Risk Management Policy Statement Introduction Risk management aims to maximise opportunities and minimise exposure to ensure the residents

More information

Clarius Group Risk Management Policy and Framework

Clarius Group Risk Management Policy and Framework 1. Introduction Clarius Group Risk Management Policy and Framework 1.1 Definition Risk is the chance of something happening that will have an impact on objectives. Risk provides the opportunity (upside)

More information

Risk Management Policy Adopted by:

Risk Management Policy Adopted by: Risk Management Policy Adopted by: Infigen Energy Limited Infigen Energy (Bermuda) Limited Infigen Energy RE Limited in its capacity as Responsible Entity of Infigen Energy Trust Adopted: 17 December 2009

More information

Developing an Effective Enterprise Risk Management Program

Developing an Effective Enterprise Risk Management Program Developing an Effective Enterprise Risk Management Program Jay Brietz, CPA and CIA Senior Manager This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

Principles for An. Effective Risk Appetite Framework

Principles for An. Effective Risk Appetite Framework Principles for An Effective Risk Appetite Framework 18 November 2013 Table of Contents Page I. Introduction... 1 II. Key definitions... 2 III. Principles... 3 1. Risk appetite framework... 3 1.1 An effective

More information

A Risk-Based Audit Strategy November 2006 Internal Audit Department

A Risk-Based Audit Strategy November 2006 Internal Audit Department Mental Health Mental Retardation Authority of Harris County ENTERPRISE RISK MANAGEMENT A Framework For Assessing, Evaluating And Measuring Our Agency s Risk A Risk-Based Audit Strategy November 2006 Internal

More information

Risk Assessment & Enterprise Risk Management

Risk Assessment & Enterprise Risk Management Risk Assessment & Enterprise Risk 1 Healthcare Corporate Governance Today s environment requires building a culture of risk awareness and management of risk across the organization, while formulating less

More information

SOL PLAATJE MUNICIPALITY ENTERPRISE RISK MANAGEMENT FRAMEWORK AND POLICY

SOL PLAATJE MUNICIPALITY ENTERPRISE RISK MANAGEMENT FRAMEWORK AND POLICY SOL PLAATJE MUNICIPALITY ENTERPRISE RISK MANAGEMENT FRAMEWORK AND POLICY Prepared by: SOL PLAATJE MUNICIPALITY RISK MANAGEMENT UNIT AND Consolidated Advisory Services This document should be read in conjunction

More information

Enterprise Risk Management

Enterprise Risk Management Cayman Islands Society of Professional Accountants Enterprise Risk Management March 19, 2015 Dr. Sandra B. Richtermeyer, CPA, CMA What is Risk Management? Risk management is a process, effected by an entity's

More information

Project Governance a board responsibility. Corporate Governance Network

Project Governance a board responsibility. Corporate Governance Network Project Governance a board responsibility Corporate Governance Network November 2015 1 Contents Page Introduction 3 Board responsibilities 3 What is project governance? 4 The boards duties in respect of

More information

Accreditation Application Forms

Accreditation Application Forms The Institute of Risk Management The Institute of Risk Management Accreditation Application Forms Universities and Professional Associations The Institute of Risk Management Accreditation Application Forms

More information

Enterprise Risk Management

Enterprise Risk Management Enterprise Risk Management Topic Gateway Series No. 49 1 Prepared by Jasmin Harvey and Technical Information Service July 2008 About Topic Gateways Topic Gateways are intended as a refresher or introduction

More information

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards Administrative Guidelines on the Internal Control Framework and Internal Audit Standards GCF/B.09/18 18 February 2015 Meeting of the Board 24 26 March 2015 Songdo, Republic of Korea Agenda item 24 Page

More information

APPENDIX 50. Enterprise risk management - Risk management overview

APPENDIX 50. Enterprise risk management - Risk management overview APPENDIX 50 Enterprise risk management - Risk management overview Energex regulatory proposal October 2014 ENTERPRISE RISK MANAGEMENT Risk Management Overview (RMO) 06 11 2013 Table of Contents 1. INTRODUCTION...

More information

Enterprise Risk Management Framework 2012 2016. Strengthening our commitment to risk management

Enterprise Risk Management Framework 2012 2016. Strengthening our commitment to risk management Enterprise Risk Management Framework 2012 2016 Strengthening our commitment to risk management Contents Director-General s message... 3 Introduction... 4 Purpose... 4 What is risk management?... 4 Benefits

More information

RISK MANAGEMENT FRAMEWORK. 2 RESPONSIBLE PERSON: Sarah Price, Chief Officer

RISK MANAGEMENT FRAMEWORK. 2 RESPONSIBLE PERSON: Sarah Price, Chief Officer RISK MANAGEMENT FRAMEWORK 1 SUMMARY The Risk Management Framework consists of the following: Risk Management policy Risk Management strategy Risk Management accountability Risk Management framework structure.

More information

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 Contents Executive summary Introduction Acknowledgements Part 1: Risk, risk management and ISO 31000 1 Nature

More information

Risk Management Policy and Framework

Risk Management Policy and Framework Risk Management Policy and Framework December 2014 phone 1300 360 605 08 89589500 email info@centraldesert.nt.gov.au location 1Bagot Street Alice Springs NT 0870 post PO Box 2257 Alice Springs NT 0871

More information

A Guide to Corporate Governance for QFC Authorised Firms

A Guide to Corporate Governance for QFC Authorised Firms A Guide to Corporate Governance for QFC Authorised Firms January 2012 Disclaimer The goal of the Qatar Financial Centre Regulatory Authority ( Regulatory Authority ) in producing this document is to provide

More information

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012 GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental

More information

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES. ENTERPRISE RISK MANAGEMENT Framework

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES. ENTERPRISE RISK MANAGEMENT Framework STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES ENTERPRISE RISK MANAGEMENT Framework September 2011 Notice This document is intended as a reference tool to assist Ontario credit unions to develop an

More information

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT Approved by the Audit Committee on 14 February 2003 and adopted by resolution of the Board on 28 March 2003 Revisions approved by the Audit and Risk Committee on 14 February

More information

Compliance Management Framework. Managing Compliance at the University

Compliance Management Framework. Managing Compliance at the University Compliance Management Framework Managing Compliance at the University Risk and Compliance Office Effective from 07-10-2014 Contents 1 Compliance Management Framework... 2 1.1 Purpose of the Compliance

More information

RISK MANAGEMENT STRATEGY AND FRAMEWORK

RISK MANAGEMENT STRATEGY AND FRAMEWORK Uniting Church in Australia Synod of Victoria and Tasmania RISK MANAGEMENT STRATEGY AND FRAMEWORK Prepared by: Synod Risk Management Committee Date Prepared and Issued: February 2010 S:\AdminFinance\EDAF\Risk

More information

Risk Management Policy

Risk Management Policy 1 Purpose Risk management relates to the culture, processes and structures directed towards the effective management of potential opportunities and adverse effects within the University s environment.

More information

CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg.

CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg. Introduction CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg.com June 2015 Companies which adopt CSR or sustainability 1

More information

Framework for Enterprise Risk Management

Framework for Enterprise Risk Management Framework for Enterprise Risk Management 2013 Johnson & Johnson Contents Introduction.... 4 J&J Strategic Framework... 5 What is Risk?.......................................................... 7 J&J Approach

More information

Enterprise Risk Management Policy

Enterprise Risk Management Policy Enterprise Risk Management Policy A Framework for Managing Opportunity and Risk Date: 27 November 2015 Version: 13.0 Classification: Unclassified Authors: Julie Holland - Risk Management Facilitator Quality

More information

Enterprise Risk Management in Colleges and Universities

Enterprise Risk Management in Colleges and Universities Enterprise Risk Management in Colleges and Universities Cherry Bekaert & Holland, L.L.P. Neal Beggan, CISA, CRISC Shane Hester, CPA, CISA Cherry, Bekaert & Holland, L.L.P. The Firm of Choice. 1 Cherry,

More information

Understanding and articulating risk appetite

Understanding and articulating risk appetite Understanding and articulating risk appetite advisory Understanding and articulating risk appetite Understanding and articulating risk appetite When risk appetite is properly understood and clearly defined,

More information

STEVE TSHWETE LOCAL MUNICIPALITY

STEVE TSHWETE LOCAL MUNICIPALITY STLM Performance Management System Framework 1 STEVE TSHWETE LOCAL MUNICIPALITY PERFORMANCE MANAGEMENT SYSTEM FRAMEWORK 2015-16 REVIEW STLM Performance Management System Framework 2 Contents CHAPTER 1...

More information

WFP ENTERPRISE RISK MANAGEMENT POLICY

WFP ENTERPRISE RISK MANAGEMENT POLICY WFP ENTERPRISE RISK MANAGEMENT POLICY Informal Consultation 3 March 2015 World Food Programme Rome, Italy EXECUTIVE SUMMARY For many organizations, risk management is about minimizing the risk to achievement

More information

Introduction to Enterprise Risk Management at UVM DRAFT

Introduction to Enterprise Risk Management at UVM DRAFT Introduction to Enterprise Management at UVM 1 Enterprise What is Enterprise Management? Enterprise risk management is a structured, consistent, and continuous process across the whole organization for

More information

Operational Risk Management Program Version 1.0 October 2013

Operational Risk Management Program Version 1.0 October 2013 Introduction This module applies to Fannie Mae and Freddie Mac (collectively, the Enterprises), the Federal Home Loan Banks (FHLBanks), and the Office of Finance, (which for purposes of this module are

More information

Implementing an Integrated City-wide Risk Management Framework

Implementing an Integrated City-wide Risk Management Framework AUDITOR GENERAL S REPORT ACTION REQUIRED Implementing an Integrated City-wide Risk Management Framework Date: June 11, 2015 To: From: Wards: Audit Committee Auditor General All Reference Number: SUMMARY

More information

Functional and technical specifications. Background

Functional and technical specifications. Background Functional and technical specifications Background In terms of the Public Audit Act, 2004 (Act No. 25 of 2004) (PAA), the deputy auditor-general (DAG) is responsible for maintaining an effective, efficient

More information

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Board of Directors March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance - Board of Directors (the Guidance

More information

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework UNOPS UNITED NATIONS OFFICE FOR PROJECT SERVICES Headquarters, Copenhagen O.D. No. 33 16 April 2010 ORGANIZATIONAL DIRECTIVE No. 33 UNOPS Strategic Risk Management Planning Framework 1. Introduction 1.1.

More information

RSA ARCHER OPERATIONAL RISK MANAGEMENT

RSA ARCHER OPERATIONAL RISK MANAGEMENT RSA ARCHER OPERATIONAL RISK MANAGEMENT 87% of organizations surveyed have seen the volume and complexity of risks increase over the past five years. Another 20% of these organizations have seen the volume

More information

Handbook for municipal finance officers Performance management Section J

Handbook for municipal finance officers Performance management Section J 1. Introduction The Department of Provincial and Local Government (DPLG) defined performance management as a strategic approach to management, which equips leaders, managers, employees and stakeholders

More information

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide RISK BASED AUDITING: A VALUE ADD PROPOSITION Participant Guide About This Course About This Course Adding Value for Risk-based Auditing Seminar Description In this seminar, we will focus on: The foundation

More information

Compliance Policy AGL Energy Limited

Compliance Policy AGL Energy Limited Compliance Policy AGL Energy Limited November 2013 Table of Contents 1. About this Document... 3 2. Policy Statement... 4 3. Purpose... 4 4. AGL Compliance Context... 4 5. Scope... 5 6. Objectives... 5

More information

The Role of the Board in Enterprise Risk Management

The Role of the Board in Enterprise Risk Management Enterprise Risk The Role of the Board in Enterprise Risk Management The board of directors plays an essential role in ensuring that an effective ERM program is in place. Governance, policy, and assurance

More information

Council Meeting Agenda 27/07/15

Council Meeting Agenda 27/07/15 3 Risk Management Framework Abstract Council s Risk Management Framework ( the Framework ) was adopted by Council in 2012. The Framework provides structure and guidance to Council s risk management activities

More information

10-005 Enterprise Risk Management

10-005 Enterprise Risk Management 10-005 Enterprise Risk Management Current update: 09/16/10 Original Issuance: 03/31/08 Purpose This policy provides guidance and direction to State Board of Administration business unit heads for identifying,

More information

Risk Management Policy

Risk Management Policy Risk Management Policy Responsible Officer Author Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date effective from December 2008 Date last amended December 2012

More information

INTERNAL AUDIT FRAMEWORK

INTERNAL AUDIT FRAMEWORK INTERNAL AUDIT FRAMEWORK April 2007 Contents 1. Introduction... 3 2. Internal Audit Definition... 4 3. Structure... 5 3.1. Roles, Responsibilities and Accountabilities... 5 3.2. Authority... 11 3.3. Composition...

More information

Enterprise-Wide Risk Assessment

Enterprise-Wide Risk Assessment Enterprise-Wide Risk Assessment Agenda 1. Definition of risk. 2. Risk drivers in higher education today. 3. Implementing an enterprise-wide risk management (ERM) program to effectively assess, manage,

More information

Business Continuity Management Framework 2014 2017

Business Continuity Management Framework 2014 2017 Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity

More information

Risk Management. National Occupational Standards February 2014

Risk Management. National Occupational Standards February 2014 Risk Management National Occupational Standards February 2014 Skills CFA 6 Graphite Square, Vauxhall Walk, London, SE11 5EE T: 0207 0919620 F: 0207 0917340 E: info@skillscfa.org www.skillscfa.org Skills

More information

Risk Management Policy

Risk Management Policy Risk Management Policy Risk Management Policy Record Number D14/79827 Responsible Manager Manager Strategy and Governance Last reviewed 10 March 2015 Adoption reference Council Resolution number 90.5 Previous

More information

University of St. Gallen Law School Law and Economics Research Paper Series. Working Paper No. 2008-19 June 2007

University of St. Gallen Law School Law and Economics Research Paper Series. Working Paper No. 2008-19 June 2007 University of St. Gallen Law School Law and Economics Research Paper Series Working Paper No. 2008-19 June 2007 Enterprise Risk Management A View from the Insurance Industry Wolfgang Errath and Andreas

More information

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office.

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office. GAO United States General Accounting Office Internal Control November 1999 Standards for Internal Control in the Federal Government GAO/AIMD-00-21.3.1 Foreword Federal policymakers and program managers

More information

New Risk Management Paradigms for Asset Managers

New Risk Management Paradigms for Asset Managers April 2014 Asset Management New Management Paradigms for Asset Managers Point of view The financial crisis has caused deep reflection by regulators, asset managers and investors as to the effectiveness

More information

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012 The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only Agenda Introduction Basic program components Recent trends in higher education risk management Why

More information

Office of the Auditor General AUDIT OF IT GOVERNANCE. Tabled at Audit Committee March 12, 2015

Office of the Auditor General AUDIT OF IT GOVERNANCE. Tabled at Audit Committee March 12, 2015 Office of the Auditor General AUDIT OF IT GOVERNANCE Tabled at Audit Committee March 12, 2015 This page has intentionally been left blank Table of Contents Executive Summary... 1 Introduction... 1 Background...

More information

A&CS Assurance Review. Accounting Policy Division Rule Making Participation in Standard Setting. Report

A&CS Assurance Review. Accounting Policy Division Rule Making Participation in Standard Setting. Report A&CS Assurance Review Accounting Policy Division Rule Making Participation in Standard Setting Report April 2010 Table of Contents Background... 1 Engagement Objectives, Scope and Approach... 1 Overall

More information

AMTRAK CORPORATE GOVERNANCE: Implementing a Risk Management Framework is Essential to Achieving Amtrak s Strategic Goals

AMTRAK CORPORATE GOVERNANCE: Implementing a Risk Management Framework is Essential to Achieving Amtrak s Strategic Goals AMTRAK CORPORATE GOVERNANCE: Implementing a Risk Management Framework is Essential to Achieving Amtrak s Strategic Goals Report No. OIG-A-2012-007 March 30, 2012 NATIONAL RAILROAD PASSENGER CORPORATION

More information

Strategic Risk Management for School Board Trustees

Strategic Risk Management for School Board Trustees Strategic Management for School Board Trustees A Management Process Framework May, 2012 Table of Contents Introduction Page I. Purpose....................................... 3 II. Applicability and Scope............................

More information

RISK MANAGEMENT POLICY (Revised October 2015)

RISK MANAGEMENT POLICY (Revised October 2015) UNIVERSITY OF LEICESTER RISK MANAGEMENT POLICY (Revised October 2015) 1. This risk management policy ( the policy ) forms part of the University s internal control and corporate governance arrangements.

More information

Sample risk committee charter

Sample risk committee charter Sample risk committee charter 1 Next This sample risk committee charter is based on leading practices observed by Deloitte in the analysis of a variety of materials. It is important to note that the Risk

More information

King Report on Corporate Governance for South Africa. What it means to you

King Report on Corporate Governance for South Africa. What it means to you King Report on Corporate Governance for South Africa 2002 What it means to you King Report on Corporate Governance for South Africa 2002 www.cliffedekker.com Index Introduction Directors and their Responsibilities

More information

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE March 2012 Table of Contents Executive Summary... 1 Introduction... 1 Risk Management and Assurance (Assurance Services)... 1 Assurance Framework...

More information

Governance and Risk Management in the Public Sector. Fernando A. Fernandez Inter-American Development Bank (202) 623-1430 e-mail: fernandof@iadb.

Governance and Risk Management in the Public Sector. Fernando A. Fernandez Inter-American Development Bank (202) 623-1430 e-mail: fernandof@iadb. Governance and Risk Management in the Public Sector Fernando A. Fernandez Inter-American Development Bank (202) 623-1430 e-mail: fernandof@iadb.org 1 Agenda Governance, why is it important? Compliance

More information

Revenue Scotland. Risk Management Framework

Revenue Scotland. Risk Management Framework Revenue Scotland Risk Management Framework Contents 1. Introduction... 3 1.1 Overview of risk management... 3 2. Policy statement... 4 3. Risk management approach... 5 3.1 Risk management objectives...

More information

Application of King III Corporate Governance Principles

Application of King III Corporate Governance Principles APPLICATION of KING III CORPORATE GOVERNANCE PRINCIPLES 2013 Application of Corporate Governance Principles This table is a useful reference to each of the principles and how, in broad terms, they have

More information

Operational Risk Management in a Debt Management Office

Operational Risk Management in a Debt Management Office Operational Risk Management in a Debt Management Office Based on Client Presentation January 2008 Outline The importance of operational risk management (ORM) International best practice A high-level perspective,

More information

Avondale College Limited Enterprise Risk Management Framework 2014 2017

Avondale College Limited Enterprise Risk Management Framework 2014 2017 Avondale College Limited Enterprise Risk Management Framework 2014 2017 President s message Risk management is part of our daily life, something we do regularly; often without realising we are doing it.

More information

RISK MANAGEMENT STRATEGY

RISK MANAGEMENT STRATEGY RISK MANAGEMENT STRATEGY 1 Introduction The purpose of this document is to outline a which facilitates the effective recognition and management of risks facing the University. The Combined Code on Corporate

More information

Capital Adequacy: Advanced Measurement Approaches to Operational Risk

Capital Adequacy: Advanced Measurement Approaches to Operational Risk Prudential Standard APS 115 Capital Adequacy: Advanced Measurement Approaches to Operational Risk Objective and key requirements of this Prudential Standard This Prudential Standard sets out the requirements

More information

T The Revised COSO ERM Framework. Robert Hirth Chairman, COSO

T The Revised COSO ERM Framework. Robert Hirth Chairman, COSO T The Revised COSO ERM Framework Robert Hirth Chairman, COSO COSO: Thought Leadership to Improve Your Organization What the Heck is COSO?... Originally formed in 1985, COSO is a joint initiative of five

More information

MARCH 2012. Strategic Risk Policy Update March 2012 v1.10.doc

MARCH 2012. Strategic Risk Policy Update March 2012 v1.10.doc MARCH 2012 Version 1.10 Strategic Risk Policy Update March 2012 v1.10.doc Document History Current Version Document Name Risk Management Policy Statement and Strategic Framework Last Updated By Alan Till

More information

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL Evaluation and Inspection Services Memorandum May 5, 2009 TO: FROM: SUBJECT: James Manning Acting Chief Operating Officer Federal Student

More information

Enterprise Risk Management: COSO, New COSO, ISO 31000. Review of ERM

Enterprise Risk Management: COSO, New COSO, ISO 31000. Review of ERM Enterprise Risk Management: COSO, New COSO, Dr. Hugh Van Seaton, Ed. D., CSSGB, CGMA, CPA Review of ERM COSO a process, effected by an entity's board of directors, management and other personnel, applied

More information

Risk Management Policy

Risk Management Policy Risk Management Policy DOCUMENT CONTROL Developed by: Date: Origination: Quality, Systems & Shared s March 2014 Authorised by: Colette Kelleher April 2014 DOCUMENT REVIEW HISTORY Original Circulation date:

More information

IT Governance. What is it and how to audit it. 21 April 2009

IT Governance. What is it and how to audit it. 21 April 2009 What is it and how to audit it 21 April 2009 Agenda Can you define What are the key objectives of How should be structured Roles and responsibilities Key challenges and barriers Auditing Scope Test procedures

More information

KING III CORPORATE GOVERNANCE COMPLIANCE REGISTER

KING III CORPORATE GOVERNANCE COMPLIANCE REGISTER KING III CORPORATE GOVERNANCE REGISTER CHAPTER 1: ETHICAL LEADERSHIP AND CORPORATE CITIZENSHIP NON 1.1. The board should provide effective leadership based on an ethical foundation 1.2. The board should

More information

Fraud Prevention and Deterrence

Fraud Prevention and Deterrence Fraud Prevention and Deterrence Fraud Risk Assessment 2016 Association of Certified Fraud Examiners, Inc. What Is Fraud Risk? The vulnerability that an organization faces from individuals capable of combining

More information

R I S K M A N A G E M E N T S Y S T E M F R A M E W O R K

R I S K M A N A G E M E N T S Y S T E M F R A M E W O R K R I S K M A N A G E M E N T S Y S T E M F R A M E W O R K VERSION REV 4.0 OWNER VP OPS AND ENG EFFECTIVE DATE MARCH 2014 REVIEW DATE MARCH 2014 1. PURPOSE, APPLICATION AND SCOPE This Management System

More information

Risk Management Policy and Process Guide

Risk Management Policy and Process Guide Risk Management Policy and Process Guide Status: pending Next review date: December 2015 Page 1 Information Reader Box Directorate Medical Nursing Patients & Information Commissioning Operations (including

More information

Risk Management Policy

Risk Management Policy Risk Management Policy Effective from 4 July 2015 Version Number: 2.1 Author: Director of Planning Planning Directorate Document Control Information Status and reason for development Revised updating the

More information

University Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment

University Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment Internal Controls Enterprise-Wide Risk Assessment Balancing Risk and Controls In order to achieve goals and objectives, management needs to effectively balance risks and controls. Control procedures need

More information

University of New England Compliance Management Framework and Procedures

University of New England Compliance Management Framework and Procedures University of New England Compliance Management Framework and Procedures Document data: Document type: Administering entity: Framework and Procedures Audit and Risk Directorate Records management system

More information

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance Applying Integrated Risk Management Scenarios for Improving Enterprise Governance János Ivanyos Trusted Business Partners Ltd, Budapest, Hungary, ivanyos@trusted.hu Abstract: The term of scenario is used

More information

Enterprise risk management: A pragmatic, four-phase implementation plan

Enterprise risk management: A pragmatic, four-phase implementation plan Enterprise risk management: A pragmatic, four-phase implementation plan Prepared by: John Brackett, Managing Director, Risk Advisory Services, RSM McGladrey, Inc. 704.442.3820, john.brackett@mcgladrey.com

More information