THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK


ACCOUNTABLE
Signature
On behalf of SAHRA Council
Date

AUTHORISED for implementation
Signature
Chief Executive Officer
Date

TABLE OF CONTENTS

Section                                                          Page
I    Executive summary                                              1
II   ERM philosophy and policy                                      4
III  ERM organisational structure, roles and responsibilities       6
IV   The ERM process                                               10
V    Implementation and integration                                26
VI   Conclusion                                                    30

Appendix
A    Glossary of terms                                             31
B    ERM roles and responsibilities                                33
C    Risk appetite and risk tolerances                             41
D    Risk categories                                               43
E    Risk rating criteria and Risk assessment                      46
F    Sample risk register and monitoring template                  53
G    Illustrative portfolio view of risks                          54
H    Reporting requirements                                        56
I    Communication requirements                                    57

Section I Executive Summary

I EXECUTIVE SUMMARY

Introduction

In today's business environment, change and uncertainty are constants. Change and uncertainty create both risks and opportunities, which can either erode or enhance value for an organisation. The South African Heritage Resources Agency (SAHRA) must manage these risks, within its risk tolerance, consistently, comprehensively and economically through effective enterprise risk management. This will assist the Council and management in achieving its business strategies and objectives.

The following internal and external factors drive the need for an effective approach to managing risks across SAHRA:
- Increased Council and management accountability;
- Recent corporate failures and the proliferation of new standards and regulations;
- Increased stakeholder demands on transparency, accountability and corporate integrity;
- Direct linkage between credibility, ethics and social responsibilities with business performance and success;
- Stakeholder expectations to quickly adapt to change and uncertainty while striving for operating efficiency;
- Globalisation and technological advances; and
- Educated and discerning citizens.

Such an environment requires a stronger focus on risk management practices within SAHRA in order to effectively deal with uncertainty, to capitalise on opportunities, to meet objectives and stakeholder expectations, and to enhance strategic and tactical decision-making.

Enterprise Risk Management

Risk can be defined as the possibility that an event will occur that will adversely affect the achievement of SAHRA's objectives. Risk is measured in terms of impact/consequences and likelihood.

SAHRA defines enterprise risk management (ERM) as a process, effected by the Council, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the organisation, and to manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of SAHRA's objectives. Thus, ERM is a continuous, proactive and dynamic process to identify, understand, manage and communicate risks that may impact SAHRA's objectives. ERM will assist SAHRA to attain its goals while avoiding pitfalls and surprises along the way. It involves people at every level and requires applying a portfolio view of risk across the entire organisation. By embedding risk management techniques in day-to-day operations, SAHRA is better equipped to identify events affecting its objectives and to manage risks in ways that are consistent with the corporate strategy.

Page 1 of 60

Benefits of Enterprise Risk Management

ERM is designed to strengthen management practices, decision-making and priority-setting to better respond to stakeholder needs. The SAHRA ERM process is expected to provide the following benefits:
- Consideration of risk during strategy and objective setting
- Exploitation of opportunities
- Understanding and the proactive management of critical risks impacting objectives throughout the organisation
- Identification and implementation of cost-effective, integrated responses to multiple risks
- Enabling the Council and management to have a portfolio view of risks across the entire organisation
- Rationalisation of resources
- Reduction in operational surprises and losses
- Informed decision-making
- Reporting with greater confidence
- Support for governance responsibilities and satisfying legal and regulatory requirements
- Enhanced corporate governance processes and accountability
- Increased internal and external transparency
- Alignment of internal audit focus with the risk profile of the organisation
- Managing project-specific risks

SAHRA ERM Framework

The SAHRA ERM Framework provides guidance to implement a consistent, efficient, and economical approach to identify, evaluate and respond to key risks that may impact business objectives. The Framework is based on the published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission and updated with the requirements of the Public Sector Risk Management Framework (PSRMF). The principles outlined in the Framework will be incorporated into risk management related policies and procedures that will support the establishment of the organisation's ERM framework and ensure that risk management is embedded into day-to-day management activities.

The objectives of the Framework are:
- To define the SAHRA ERM philosophy and policy
- To provide an overview of the SAHRA ERM process
- To communicate the key risk management principles
- To define common ERM terminology and definitions
- To clarify the ERM organisational structure and related roles and responsibilities
- To provide guidance related to the key components of an effective ERM initiative
- To ensure a flexible yet consistent approach to the application of ERM across SAHRA

ERM Stakeholders

The following list represents a sample of internal and external risk management stakeholders that have an interest in SAHRA's performance and its ability to manage risks.

Internal
- Council and its Committees;
- SAHRA Executive Leadership Team (EXCO);
- Internal audit function;
- Department Heads;
- Department Risk Champions;
- Risk Owners; and
- All other SAHRA managerial employees and staff.

External
- Government (National and Provincial);
- Donors;
- Suppliers (including asset managers, consultants, banks, insurance);
- Financial institutions;
- Community at large;
- External auditors;
- Union; and
- Media.

Conclusion

In today's environment of change and uncertainty, risk management is a critical success factor for achieving SAHRA's strategic and business objectives. Embedding risk management into existing processes is key to making informed decisions and proactively planning for possible future events stemming from internal as well as external sources. The implementation of an effective ERM process is a strategic initiative that has the full support of SAHRA's Council and Executive Management. Risk management is everyone's responsibility. The SAHRA ERM Framework provides a proactive, systematic and integrated approach to risk management. The principles outlined in the Framework are the foundation for the risk management philosophy, mission, and vision of the SAHRA ERM initiative.

Section II ERM Philosophy & Policy

II ENTERPRISE RISK MANAGEMENT PHILOSOPHY AND POLICY

Enterprise Risk Management Philosophy

The vision of SAHRA is to provide for the identification, conservation, protection and promotion of our heritage for the present and future generations. In achieving this vision, SAHRA will face many different types of risks: risks to its business strategy, operational risks and risks associated with the protection of its people, assets and reputation. In order to achieve its business objectives, SAHRA is focused on proactively identifying and managing risks at all levels within the organisation.

SAHRA is committed to complying with and maintaining the principles of the Code of Corporate Practices and Conduct as set out in The King Committee Report on Corporate Governance (King II). In terms of this code, the Council is responsible for the total process of risk management, as well as for forming its own opinion on the effectiveness of the process. Management is accountable to the Council for designing, implementing and monitoring the process of risk management and integrating it into the day-to-day activities of the organisation.

The SAHRA ERM vision is to integrate risk management across the organisation to support the SAHRA vision, mission and values and increase the likelihood of achieving business objectives. SAHRA will accomplish this vision by:
- Embedding risk management within our culture;
- Proactively identifying future uncertainties and planning for them; and
- Training our employees to think about risks as part of their decision-making process.

SAHRA Enterprise Risk Management Policy

SAHRA subscribes to an Enterprise Risk Management process which is aligned with the Public Sector Risk Management Framework and which enables the entire organisation to understand, manage and communicate risks from an organisation-wide perspective. It will ensure that all risks that could prevent the achievement of organisational objectives are identified, and that response plans are implemented, evaluated and managed on an organisation-wide basis. Reporting to the Council and Audit Committee will take place on pre-defined criteria to ensure adequate monitoring of critical risks.

SAHRA will, on the corporate level:
- Determine the corporate vision and mission
- Establish clear strategic business objectives and identify and assess significant risks that may prevent the achievement of those objectives
- Determine the appetite for taking risks
- Apply fit-for-purpose risk responses
- Incorporate risk responses into an integrated internal control system which is designed to:
  - Address opportunities
  - Protect the organisation's assets
  - Facilitate effective and efficient operations
  - Assist in ensuring reliable reporting
  - Comply with applicable laws and regulations

- Monitor the effectiveness of business processes and systems for managing risk
- Apply Council and management policies which relate to risk management
- Provide support and resources to establish, integrate, sustain and continually improve risk management on an enterprise-wide basis

Each department will:
- Determine business or project objectives which are aligned with the strategic objectives
- Identify and assess significant risks that may prevent the achievement of those objectives
- Apply fit-for-purpose risk responses
- Incorporate risk responses into an integrated internal control system which is designed to:
  - Address opportunities
  - Protect the organisation's assets
  - Facilitate effective and efficient operations
  - Assist in ensuring reliable reporting
  - Comply with applicable laws and regulations

The ERM Framework will form the basis for the overall ERM policy and procedures at SAHRA. All SAHRA corporate and departmental processes, including the strategic planning and objective setting process, are included in the scope of the ERM programme.

The Council, through its Audit Committee, is responsible for the overall risk management process and the development of this policy. The Council will actively participate in risk and control monitoring and analysis to consider and review the enterprise-wide risk profile and control environment. Management is responsible to the Council for the implementation of processes and procedures to achieve the outcomes set out in this policy. It is the responsibility of all SAHRA employees to understand and adhere to the policies outlined within this Framework and the risk management procedures.

We commit to continuous improvement in the area of risk management. In this regard:
- An independent external evaluation of the SAHRA ERM Framework and risk management process will be performed at least every 3 years to ensure the Framework is current and the process effective.
- The Council will review this policy and its underlying principles at least annually, to ensure its continued application and relevance. SAHRA's Risk Management Function will submit proposed changes, or additions, for consideration and recommendation to the Audit Committee, which in turn will submit them to the Council for approval.
- The Council will make appropriate disclosures in its annual report in relation to the SAHRA ERM process.

The Council will disclose:
- That it is accountable for risk management and the system of internal control;
- That there is an ongoing process for identifying, evaluating and managing the significant risks facing the organisation;
- That there is an adequate system of internal control in place to mitigate the significant risks faced by the organisation; and
- That there is a documented and tested process in place that will allow the organisation to continue its critical business processes in the event of a disastrous incident impacting its activities.

Section III ERM Organisational Structure, Roles & Responsibilities

III ERM ORGANISATIONAL STRUCTURE, ROLES AND RESPONSIBILITIES

Managing risks is everyone's responsibility. Development of a formal risk management structure helps ensure that employees across the organisation understand their responsibilities and are accountable with regard to risk management.

ERM organisational structure

The ERM organisational structure is reflected in the diagram below:

ERM Roles and responsibilities

The following table provides a summary of key ERM roles and responsibilities (detailed ERM roles and responsibilities are included in Appendix B):

ERM Internal Stakeholders and Key ERM Roles and Responsibilities

Council
- The Council must ensure that appropriate corporate governance frameworks are established and operating.
- Provide risk management philosophy direction.
- Approve key risk management documents and decisions.
- Review/approve external risk reporting.

SAHRA Executive Leadership Team (EXCO)
- Ensure integration of risk management into strategy and objective setting, ongoing measurement and key decision making.
- Issue risk management directives.
- Top-down risk management communication.
- Ensure control manuals and other key documents reflect policies regarding risk and that mechanisms are in place to ensure they are maintained.
- Build confidence and respect organisation-wide, at all levels, to gain acceptance for consistent risk management practices.
- Assimilate risk information from varied sources, and make effective business-based decisions on risk priorities and actions required.
- Ensure inherent risks or business risk profiles associated with individual business functions and processes under their control are adequately and regularly assessed.
- Ensure risk reports on the status of corrective actions are completed.

Risk Owner
- Ensure that approved risk responses to identified risks are effectively implemented.
- Take responsibility for assessing the design and operating effectiveness of controls.
- Ensure risks are identified and managed on a daily basis.
- The risk owner may delegate responsibility for implementing actions and the application of controls to appropriately skilled staff.

Department Heads
- Set business/departmental risk management strategy.
- Provide departmental risk management oversight and guidance.
- Monitor effectiveness of risk responses/mitigation.
- Ensure controls currently in place over a division are operating effectively.

Departmental Risk Champions
- Provide risk management expertise and guidance.
- Ensure execution of the risk management framework and process for the respective division.
- Facilitate day-to-day risk management training, documentation and coordination.

PwC Page 7 of 60

ERM Participant/operational staff
- Execute risk management activities in day-to-day activities in accordance with the ERM framework and risk management procedures.
- Escalate ERM framework and process deficiencies and enhancements.

Audit Committee
- Provide oversight of the independent evaluation of the effectiveness of the ERM process and ensure corrective action is taken.
- Reporting and recommendation to Council.

Internal Audit/Assurance Provider
- Perform an internal evaluation of the effectiveness of the ERM process.
- Plan in detail, and co-ordinate activity to achieve ongoing risk management reporting cycles within SAHRA.
- Arrange and facilitate risk meetings, presentations and workshops involving staff across the business, at all levels.
- Organise resources across the business, providing risk management training and development where required.
- Categorise and prioritise risk information into report formats, and decide on where information can add value.
- Provide guidance on the framework used for risk assessment.
- Ensure risk is assessed within a formal risk management methodology, to be approved by the Audit Committee.
- Monitor that risk reports on the status of corrective actions are completed.
- Monitor that controls currently in place over a division are operating effectively.
- External verification every 3 years to determine whether the risk management process is being adhered to and remains effective.

Section IV The ERM Process

IV THE ENTERPRISE RISK MANAGEMENT PROCESS

Components of the SAHRA Enterprise Risk Management Process

The following provides an illustration of the eight key components of the SAHRA ERM process.

Internal Environment

SAHRA's control environment is the foundation of risk management, providing discipline and structure. The objective of the Internal Environment component is to establish the tone at the top with regard to risk management. The control environment influences how strategy and objectives are established, how departmental activities are structured, and how risks are identified, assessed and acted upon. It influences the design and functioning of control activities, information and communication systems, and monitoring activities, and incorporates the following aspects:
- The risk management philosophy and culture
- Risk appetite
- Oversight by the Council
- Integrity and ethical values
- A commitment to competence
- Organisational structure
- Assignment of authority and responsibility
- Human resource standards

The goal of this ERM framework is to set the risk management philosophy and policy and outline the ERM process at SAHRA (refer to Section II). However, the effectiveness of risk management is dependent on the tone established by the Council and management and on communication across the organisation, not only in respect of risk management but in respect of the control environment in general.

Strategy and Objective Setting

The objective of Strategy and Objective Setting is to embed risk management principles into the strategic planning cycle and objective setting processes to ensure that objectives are consistent with SAHRA's risk appetite and tolerances. Organisational strategy and objectives serve as the foundation for all risk management activities. Therefore, properly defined, documented, and approved objectives are critical to the success of the SAHRA ERM initiative. This component provides guidance related to establishing risk appetite, incorporating risk management into strategic and financial planning processes, and defining risk tolerances.

Risk Identification

The objective of Risk Identification is to develop a consistent and sustainable approach to identify events that could impact SAHRA's ability to achieve corporate strategies and objectives. Potential events could arise from internal and/or external sources such as key business processes, technology, personnel, alternative products, and member demographics or behaviour. Potential events with a negative impact represent a risk to SAHRA. Consequently, a risk assessment will be performed for all events with a negative impact. Events with a positive impact represent opportunities for SAHRA, which in turn will be channelled back to the strategic and financial planning processes.

How to perform risk identification

It is important that the risk identification exercise does not get bogged down in conceptual or theoretical detail. It should also not limit itself to a fixed list of risk categories, although such a list may be helpful. The key steps necessary to effectively identify risks from across the institution are:
1. Understand what to consider when identifying risks;
2. Gather information from different sources to identify risks;
3. Apply risk identification tools and techniques;
4. Use risk categories for comprehensiveness;
5. Document the risks;
6. Document the risk identification process; and
7. Assess the effectiveness of the risk identification process.

Risk Assessment

The objective of Risk Assessment is to assess the impact of events and associated risks on SAHRA's strategic objectives. Events and associated risks are assessed from two perspectives: likelihood and impact. This assessment utilises a combination of quantitative and qualitative techniques to derive an overall risk profile for the organisation or the respective divisions. Responses are developed and implemented for events and associated risks having a residual risk which is greater than the risk tolerance. The steps are:
1. Identify and evaluate existing control effectiveness;
2. Determine risk likelihood (probability or frequency of risk occurrence);
3. Determine risk impact (consequences of an event occurring);
4. Perform both the risk likelihood and consequence rating prior to and after controls to determine the level of risk rating (inherent vs. residual rating); and
5. Determine the risk rating level.

Risk Response

The objective of Risk Response is to determine how SAHRA will respond to events and associated risks. Various risk response strategies will be evaluated, including risk avoidance, reduction, sharing or acceptance. The decision to implement a response will be based on risk tolerances, the effect the response will have on the impact and likelihood ratings, and the results of the cost versus benefit evaluation. Once a risk response is implemented, SAHRA will develop ongoing mechanisms to monitor the implementation and effectiveness of the risk response.

Control Activities

The institution can respond to risk through various mechanisms such as avoidance, transfer, accepting and managing of the risk. When the institution elects to manage the risk, it will require control activities to support the management of the risk to within tolerable levels.

Outputs

Control activities will produce detailed action plans for managing all material risks.

Guidelines

The risk assessment will have produced management's perspective of the effectiveness of the existing controls. This would inform management of additional control interventions required to better manage the risk exposures to an acceptable level. Management will be able to consider the best control options from various alternative control types:
- Management Control: These ensure that the institution's structure and systems support its policies, plans and objectives and operate within laws and regulations;
- Administrative Control: These ensure that policies and objectives are delivered in an efficient and effective manner and that losses are minimised;
- Accounting Control: These ensure that resources allocated are accounted for fully and transparently and are properly documented;
- Information Technology Control: These controls relate to IT systems and include access control, controls over system software programmes, business continuity controls and other controls.

Each control type above can be classified as either:
- Preventative: These controls are designed to discourage errors or irregularities from occurring, e.g. adequate physical security of assets to prevent losses such as theft or damage. If properly enforced, these controls are usually the most effective type of controls;
- Detective: These controls are designed to find errors or irregularities after they have occurred, e.g. performance of reconciliation procedures to identify errors;
- Corrective: These controls usually operate together with detective controls in order to correct identified errors or irregularities.

Considerations for improving controls

The following questions could provide useful information for a high-level understanding of the underlying issues and the control improvements required:
- What is the risk assessment telling us about the effectiveness of the current controls (what needs to be enhanced)?
- What are the various options available for addressing the residual risk?
- What amount and quality of information do we have about the risk (what additional information is required to fully understand and respond to this risk)?
- How much is the additional control going to cost and how does this compare with the benefits to be derived from the additional control?
- Is there a necessity for introducing new policies and procedures, or updating the existing policies and procedures?
- How will we measure whether the new control measures are working or not?
- What is the action plan for addressing the control gaps? Who is the responsible person? What project plans should we put in place?

Assurance on control activities

Up until now, control adequacy and effectiveness were based exclusively on management perception. The inherent danger in this is that "optimism bias" could prevail, that is to say, management is more optimistic about the control environment than it really should be. An examination of the control activities performed by an independent party has the advantage of eliminating "optimism bias" and revealing a more realistic perspective of the control activities. Independent assurance can be provided by internal audit, a corporate function, independent consultants or the Auditor-General. The reports provided by these assurance providers should be utilised to update the assessments reflected in the risk register and should form the basis for developing the additional control enhancements that are required.

Risk Reporting

The objective of Risk Reporting is to keep the Council and SAHRA management abreast of:
- Key events and associated risks facing the SAHRA organisation;
- Current plans to address the key risks; and
- Effectiveness of the ERM Framework and process.

The Internal Audit Function is responsible for co-ordinating the enterprise-level risk reporting by leveraging existing management reporting channels.

Information and Communication

The objective of Information and Communication is to raise the awareness of enterprise risk management across all levels of the organisation. Existing communication and training channels will be used to reinforce the importance of risk management and ensure that all employees understand their risk management roles and responsibilities.

1. Introduction

Relevant information, properly and timeously communicated to relevant stakeholders, is essential in order to equip such stakeholders to identify, assess and respond to risks.

2. Outputs

Effective information and communication is intended to support enhanced decision making and accountability through:
- Relevant, timely, accurate and complete information;
- Communicating responsibilities and actions.

3. Guidelines

When deciding on information and communication protocols, the following aspects should be considered:
- Understanding clearly the needs and requirements of each stakeholder group. This would include agreeing with them the manner, content and form in which the information should be communicated and the frequency of reporting;
- To what extent existing reporting channels can be utilised to transmit the required information rather than creating new channels.

Various sources of internal and external information are obtained and analysed in all eight components of the ERM process framework (see the ERM Architecture for the components). Furthermore, this information could be in quantitative and qualitative form. The challenge for management is to process and refine large volumes of data into relevant and actionable information, and to keep historical records of analysis, trends and decisions. This challenge can be overcome by implementing an information system to source, capture, process, analyse and report relevant information.

4. Implementing a risk management reporting system

The use of risk management software will enable management to obtain "real time" information for decision making. This will also enhance monitoring activities. Whether automated or manual processes are used, it is advisable to have customised reports as an early warning system. A risk dashboard can be used to expedite the flow of critical information to enhance decision-making. Supplementary information can be included in more detailed reports such as: progress with risk management implementation, incident reports, and emerging risk reports.

5. Incident reporting system

Incident reporting is another means of risk monitoring and of reviewing the effectiveness of controls. The principle of real-time incident reporting for key processes is growing in prominence globally. Certain disciplines such as Safety, Health, Environmental and Quality may already have incident reporting systems in place. Such reporting systems should be integrated into the broader risk management incident reporting systems in order to avoid duplication of effort.

6. Emerging risk warning system

Emerging risks are previously unrecognised risks that may be an imminent threat. Such risks may emanate from changes in the regulatory environment, external events, internal changes or social trends. Effective risk management will incorporate a process of identifying emerging trends which could pose threats and risks. The frequency with which emerging risks are deliberately interrogated will be influenced by the rate of change and the dynamism the institution is confronted with.

Monitoring

The objective of Monitoring is to provide feedback regarding the adherence to and effectiveness of the ERM Framework and process. There are two distinct forms of monitoring approaches:
- On-going monitoring by all SAHRA employees participating in risk management activities; and
- Independent risk management evaluations performed by Internal Audit or external service providers.

Once issues/deficiencies are identified, corrective action plans will be developed, implemented and monitored.

STRATEGY AND OBJECTIVE SETTING

Overview

The cornerstone of Enterprise Risk Management is to assist in the achievement of organisational strategy and objectives. Therefore, it is critical that risk management concepts and principles are incorporated into the existing processes used to develop and manage organisational strategies and objectives. Objectives are set at the organisational, departmental and project levels, and fall within six categories: Teaching and Learning, Research, Responsiveness and Community Engagement, Finance, Marketing and Advancement, and Institutional Development. Objectives are aligned with the risk appetite, which drives risk tolerances throughout the organisation. Therefore, properly defined, documented, and approved objectives are critical to the success of the SAHRA ERM process.

Identifying and managing risks will be key elements of the SAHRA strategic and financial planning cycle. Embedding risk management into strategy and financial planning processes will enable SAHRA to proactively identify and understand potential barriers to achieving the organisational strategy and objectives. These risks will be considered in the final decision to select the appropriate strategy and related objectives. Once the strategy and objectives are approved, risk management will be embedded into ongoing performance measurement activities across the organisation. Risk management activities will closely align with the organisational balanced scorecard and other mechanisms that are currently in place to monitor, measure, track and report business objectives and supporting metrics.

The goal of this component is to provide guidance for embedding risk management principles into the strategic planning cycle and objective setting processes. This component introduces the concepts of risk appetite and tolerances, which are key to ensuring that the objectives are aligned with the overall risk philosophy of the organisation.

Key Principles
- Appropriate level of management participation during strategy and objective setting processes.
- Stakeholder expectations are considered when establishing risk appetite and tolerances.
- Risk appetite is used as a guidepost during strategy and objective setting processes.
- Corporate strategy, risk appetite and risk tolerances are cascaded across the organisation.
- Objectives, metrics and risk tolerances are clearly defined and measurable.
- Risk tolerances utilise the same unit of measure as the related objectives.

Key Activities: Strategy and Objective Setting

1. Define the risk appetite: Develop the risk appetite at the corporate level, which will be cascaded across the organisation.
2. Incorporate risk management into strategy and objective setting processes: Integrate risk management principles and techniques into corporate and departmental strategy and objective setting processes.
3. Develop risk tolerances: Determine the risk tolerances at the corporate and departmental levels.

Related information: Section E - Implementation and integration; Appendix C - Risk appetite and tolerances.

EVENT IDENTIFICATION

Overview

An event is an incident or occurrence emanating from internal or external sources that could affect implementation of strategy or achievement of objectives. Events may have positive or negative impacts, or both.

The objective of the event identification component is to develop a consistent and sustainable approach to identify events that could impact SAHRA's ability to achieve organisational strategy and objectives (both positive and negative impacts). Potential events could arise from internal and/or external sources. Examples of internal sources of events include key business processes, personnel and technology. Examples of external sources of events include the political environment, macroeconomic trends, and natural disasters.

Potential events with a negative impact represent a risk to SAHRA. Consequently, a risk assessment will be performed for all events with a negative impact. Events with a positive impact represent opportunities for SAHRA, which in turn will be channelled back to the strategic planning, financial planning, and balanced scorecard development processes.

Event identification takes place at departmental level and at the entity level. Significant risks from the departmental level are escalated to the entity level and are supplemented by the identification of risks that have an impact across the organisation, such as strategic risks.

Information sources to successfully identify events include:
- Information on previous events impacting the organisation/division
- Organisational and departmental objectives for the current year
- Business Continuity plans
- Forward-looking research, surveys, projections, etc.
- External sources of event information (e.g., economic forecasts, political environment, etc.)

SAHRA will utilise the following approaches for identifying new events:

1. Formal Event Identification Exercises

New events will be identified through formal event identification exercises. The formal event identification exercises will be conducted:
- During the implementation of ERM
- When new objectives are identified/developed
- On an annual basis aligned to the strategic planning process

2. Identify and Document New Events on an Ongoing Basis

Potential events may be identified at any time by any individual within SAHRA. Such events should be formally communicated to the Departmental Risk Champions, who will be responsible for ensuring that appropriate action is taken.

3. Periodic Validation of Event Inventory

As outlined in the Reporting component of the SAHRA ERM Framework, management will be responsible for risk management reporting on a periodic basis. Prior to this reporting, mechanisms will be in place to validate the completeness and accuracy of the event inventory and risk assessment results with management. During this exercise, management may identify new events that have not been formally documented. Consequently, this exercise represents the third mechanism to identify new events.

Key Principles

- Involve management representatives (executive and non-executives) from across the organisation as well as relevant third parties during the first event identification exercise (during initial ERM implementation);
- Identify events that directly impact the strategic and/or departmental objectives of SAHRA;
- Document event information in the SAHRA ERM system;
- Events are identified, updated and re-evaluated on a regular basis;
- Report status of events on a monthly basis to EXCO;
- Validate the completeness of the event inventory prior to the quarterly reporting process.

Key Activities: Event Identification

Formal Event Identification Exercise
1. Plan for the event identification exercise: Outline of the necessary steps to prepare for the event identification exercise.
2. Conduct the event identification exercise: Overview of techniques to conduct the event identification exercise.
3. Document the results of the event identification exercise: Overview of documentation requirements.

Ongoing Event Identification
4. Identify and document new events on an ongoing basis: Process to monitor, identify and document new events on an ongoing basis.

Related information: Appendix D - Risk categories.

RISK ASSESSMENT

Overview

Risk Assessment allows SAHRA to consider the extent to which potential events might have a negative impact on achievement of objectives. Risk Assessment is the process that enables management to gain an understanding of the likelihood and impact of potential events and associated risks identified during Event Identification.

The Risk Assessment process provides a standard and consistent approach to understand and evaluate risks impacting objectives across all divisions and at an entity level. Thus, it provides SAHRA management with a portfolio view of risks, i.e. a risk profile (also refer to Appendix H). During this process, events with a potential of negatively impacting objectives are examined at the departmental and at the entity level. Such events are assessed and included in the overall risk profile of the respective divisions. Risk profiles of the various divisions are combined with the risk profile of entity level risks to form a portfolio view of risk at the organisational level. New events which represent opportunities are channelled back to the strategy and objective setting process (see the Strategy and Objective Setting component of the Framework).

Risks are assessed from two perspectives: likelihood of occurrence and impact. This assessment utilises a combination of quantitative and qualitative techniques to derive an overall risk profile for the respective division or at the corporate level.

Management may assess how events correlate and where sequences of events combine and interact to create significantly different probabilities or impacts. While the impact of a single event might be slight, a sequence or combination of events within or across divisions might have a more significant impact. Where potential events are not directly related, management should assess them individually. Where risks are likely to occur within multiple divisions, management may assess and group identified events into common categories.

In assessing risks, management considers the likelihood of occurrence and the impact of the risks on an inherent basis, i.e. without considering the influence of existing management actions and related controls, and on a residual basis, i.e. after taking into account management actions and related controls.

The final activity in the risk assessment process is to validate the results with executives and participants of the enterprise-wide and respective departmental risk assessments. Validation of the risk assessment is undertaken to gain acceptance and to confirm the prioritisation of events.

Key Principles

- Appropriate level of subject matter experts as well as executives and non-executives participate in the evaluation of events and associated risks.
- Risk assessments are performed for all events which have a potential of negatively impacting strategic/departmental objectives.
- Events and associated risks are evaluated from two perspectives: likelihood of occurrence and impact.
- The impact of the event and associated risks is assessed using a consistent rating scale incorporating both quantitative and qualitative units of measure.
- Both the inherent and residual impacts are considered in determining the overall risk associated with a given event.

- Risk assessments inherently have a subjective component (such as management's experience, assumptions used to estimate the impact, etc.) which will be considered when prioritising events.
- The portfolio view of risks and risk tolerances enable management to prioritise and manage events and associated risks.
- A formal risk assessment is performed on an annual basis.
- The results of the risk assessment are documented in the ERM system.

Key Activities: Risk Assessment

1. Select risk assessment technique: Overview of possible techniques to perform a risk assessment.
2. Assess risks: Outline necessary steps to perform a risk assessment.
3. Develop risk profile and prioritise risks: Outline steps to develop a risk profile and rank events and associated risks based on the likelihood of occurrence of the event and its impact on the objectives.
4. Validate risk assessment results: Overview of the process to validate the results of the risk assessment exercise.

Related information: Appendix E - Risk rating criteria; Appendix F - Risk assessment; Appendix H - Illustrative portfolio view of risks.

RISK RESPONSE

Overview

Risk response relates to the policies, procedures, processes and controls implemented to respond to specified future events. Various response strategies are available for responding to a given event and associated risks. These strategies can broadly be divided into the following four categories:
- Avoidance - taking action to exit the activities that give rise to the risks
- Reduction - reducing the event likelihood, impact, or both
- Sharing - reducing event likelihood or impact by transferring or otherwise sharing a portion of the risk
- Acceptance - taking no action to affect frequency or impact

Taking risks is a part of the ordinary course of business. It is not the intent in all cases to minimise, avoid or eliminate all risks that are identified. However, it is the intent that SAHRA understand the significant events that may negatively impact business objectives and set guidelines to address the associated risks. This is achieved by establishing a standard and consistent process for developing an acceptable response.

In selecting the response, an evaluation of the costs and benefits of the response is performed and an approach selected that brings the expected likelihood and impact within the desired risk tolerances. These will vary over time according to specific business objectives and will be reassessed when changes to strategic and operational objectives are effected.

The primary input from the risk assessment includes event(s) which have an inherent risk that is greater than the established tolerance levels for SAHRA objectives. These events may or may not have existing risk responses in place within the organisation. If a risk response has been implemented, the effectiveness of the response is evaluated and a determination made whether the response needs to be enhanced or replaced. The ultimate goal is to bring the residual risk (after management actions and/or controls) to a level that is at or below the acceptable risk tolerance levels defined by management, i.e. the target risk.

A given risk response may lead to identification of new events that represent a risk and/or opportunity. New opportunities will be channelled to strategy and objective setting processes and new risks will be channelled back to event identification and risk assessment activities.

Risk responses serve to focus attention on control activities needed to help ensure that the risk responses are carried out properly and in a timely manner. Control activities are the policies and procedures that help ensure risk management strategies are properly executed. They occur throughout the organisation, at all levels and in all functions, and usually involve two elements: a policy establishing what should be done and procedures to effect the policy.

In selecting control activities, management considers how the control activities are related to one another. In certain instances, a single control activity addresses multiple risk responses, while in others, multiple control activities are needed for one risk response. The selection or review of control activities should include consideration of their relevance and appropriateness to the risk response and related objective.

The Audit Committee, through the ongoing risk management process, will co-ordinate with various assurance providers to obtain evidence on the effectiveness of control activities in achieving the desired risk response. Through a control effectiveness rating, the effective residual risk rating will be established.

Key Principles

- There are two aspects to a risk response: (1) development, additions or changes to existing policies, procedures, processes, and controls and (2) monitoring the effectiveness of the response.
- The timing of risk response selection and implementation will be based on the risk assessment prioritisation.
- Responses will be assessed based on the costs and benefits of implementing the response and the effect on the impact and likelihood.
- A risk owner will be identified for each risk, who will be responsible for ensuring that the agreed risk responses are in place/implemented.
- Risk responses are documented in the ERM system.
- Existing risk responses performed by SAHRA will be leveraged, if appropriate.
- An entity-wide view will be taken in determining appropriate risk responses at the departmental and corporate level.
- Risk responses are developed in the context of the risk appetite, objectives and tolerances.
- Assurance providers such as internal audit will perform monitoring of the effectiveness of risk responses and compliance with policies and procedures.

Key Activities: Risk Response

1. Identify potential risk response strategies: Identify the various types of response strategies for each event, including avoidance, reduction, sharing and acceptance.
2. Evaluate and select a response(s): Select a risk response based on the results of the cost vs. benefit analysis, risk appetite, tolerances, overall objectives and effect on likelihood and impact.
3. Implement and monitor response(s): Implement and monitor the selected risk response, including assessment of control effectiveness.

Related information: Appendix G - Sample risk register and monitoring template.

RISK REPORTING

Overview

It is important to keep the SAHRA management, the Audit Committee and Council abreast of key risks and the actions resulting from risk management activities. This component of the ERM Framework outlines the process to report risk management information to SAHRA management and the Council on a consistent and timely basis.

[Figure: High-level overview of the SAHRA risk reporting and communication structure]

Key Principles

- Risk management reporting will be embedded into ongoing processes to manage objectives and the supporting balanced scorecard.
- Risk management reporting will provide a portfolio view of key risks and risk responses at various levels of the organisation (e.g., organisation-wide and departmental unit).
- Risk reporting will be driven by internal and external stakeholder expectations and requirements.

Key Activities: Risk Reporting

1. Stakeholder reporting requirements: Validate and manage stakeholder reporting requirements.
2. Monthly validation: Validate with the ERM Champions the accuracy of the risk management data.
3. Quarterly analysis and interpretation: Analyse, evaluate and prioritise the risks at the organisational level and develop a portfolio view of risks.

Related information: Appendix H - Illustrative portfolio view of risks; Appendix I - Reporting requirements.

MONITORING

Overview

Monitoring is a process that assesses the effectiveness of the SAHRA ERM Framework and process over a period of time. A well-developed ERM Framework is only as effective as the dedication of the SAHRA employees who adhere to its principles and incorporate it into their daily decision-making processes and activities. Factors such as employee turnover, job rotations and promotions, and departmental consolidations and reorganisations all have the potential to negatively impact the consistent application of risk management principles.

Monitoring mechanisms will help to:
- Ensure the consistent application of the Framework across the organisation
- Ensure the effectiveness of the ERM policies and procedures
- Identify weaknesses/enhancements and develop corrective action plans

The process to monitor SAHRA's ERM Framework takes two distinct forms:

Ongoing risk management monitoring activities
Ongoing monitoring activities are built into the normal, recurring operating activities across the organisation. Employees are responsible for identifying and escalating potential ERM Framework weaknesses or enhancements.

Independent risk management evaluations
Separate ERM evaluations performed by individuals not involved with the ERM processes will provide an independent appraisal of the effectiveness of the Risk Management Framework and process.

(NOTE: This component focuses on monitoring the consistent execution and application of the ERM Framework. The process to monitor the execution of risk responses is addressed within the risk response component.)

Key Principles

- Ongoing monitoring activities are embedded into risk management activities.
- Employees participating in risk management activities have a responsibility to escalate ERM Framework and process issues and enhancements to the Departmental Risk Champion upon identification.
- Independent evaluations provide an objective perspective of the adequacy and effectiveness of the ERM Framework and process on a periodic basis.
- Issues and enhancements are documented and a corrective action plan is developed and monitored.
- Issues and enhancements are reported in a timely manner to the Council and Audit Committee.


More information

A Guide to Corporate Governance for QFC Authorised Firms

A Guide to Corporate Governance for QFC Authorised Firms A Guide to Corporate Governance for QFC Authorised Firms January 2012 Disclaimer The goal of the Qatar Financial Centre Regulatory Authority ( Regulatory Authority ) in producing this document is to provide

More information

Framework for Enterprise Risk Management

Framework for Enterprise Risk Management Framework for Enterprise Risk Management 2013 Johnson & Johnson Contents Introduction.... 4 J&J Strategic Framework... 5 What is Risk?.......................................................... 7 J&J Approach

More information

Understanding and articulating risk appetite

Understanding and articulating risk appetite Understanding and articulating risk appetite advisory Understanding and articulating risk appetite Understanding and articulating risk appetite When risk appetite is properly understood and clearly defined,

More information

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Board of Directors March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance - Board of Directors (the Guidance

More information

Enterprise Risk Management Policy

Enterprise Risk Management Policy Enterprise Risk Management Policy A Framework for Managing Opportunity and Risk Date: 27 November 2015 Version: 13.0 Classification: Unclassified Authors: Julie Holland - Risk Management Facilitator Quality

More information

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework UNOPS UNITED NATIONS OFFICE FOR PROJECT SERVICES Headquarters, Copenhagen O.D. No. 33 16 April 2010 ORGANIZATIONAL DIRECTIVE No. 33 UNOPS Strategic Risk Management Planning Framework 1. Introduction 1.1.

More information

Risk Management Policy

Risk Management Policy Risk Management Policy Responsible Officer Author Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date effective from December 2008 Date last amended December 2012

More information

Enterprise Risk Management in Colleges and Universities

Enterprise Risk Management in Colleges and Universities Enterprise Risk Management in Colleges and Universities Cherry Bekaert & Holland, L.L.P. Neal Beggan, CISA, CRISC Shane Hester, CPA, CISA Cherry, Bekaert & Holland, L.L.P. The Firm of Choice. 1 Cherry,

More information

WFP ENTERPRISE RISK MANAGEMENT POLICY

WFP ENTERPRISE RISK MANAGEMENT POLICY WFP ENTERPRISE RISK MANAGEMENT POLICY Informal Consultation 3 March 2015 World Food Programme Rome, Italy EXECUTIVE SUMMARY For many organizations, risk management is about minimizing the risk to achievement

More information

Risk Management. National Occupational Standards February 2014

Risk Management. National Occupational Standards February 2014 Risk Management National Occupational Standards February 2014 Skills CFA 6 Graphite Square, Vauxhall Walk, London, SE11 5EE T: 0207 0919620 F: 0207 0917340 E: info@skillscfa.org www.skillscfa.org Skills

More information

Business Continuity Management Framework 2014 2017

Business Continuity Management Framework 2014 2017 Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity

More information

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES. ENTERPRISE RISK MANAGEMENT Framework

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES. ENTERPRISE RISK MANAGEMENT Framework STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES ENTERPRISE RISK MANAGEMENT Framework September 2011 Notice This document is intended as a reference tool to assist Ontario credit unions to develop an

More information

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide RISK BASED AUDITING: A VALUE ADD PROPOSITION Participant Guide About This Course About This Course Adding Value for Risk-based Auditing Seminar Description In this seminar, we will focus on: The foundation

More information

AMTRAK CORPORATE GOVERNANCE: Implementing a Risk Management Framework is Essential to Achieving Amtrak s Strategic Goals

AMTRAK CORPORATE GOVERNANCE: Implementing a Risk Management Framework is Essential to Achieving Amtrak s Strategic Goals AMTRAK CORPORATE GOVERNANCE: Implementing a Risk Management Framework is Essential to Achieving Amtrak s Strategic Goals Report No. OIG-A-2012-007 March 30, 2012 NATIONAL RAILROAD PASSENGER CORPORATION

More information

RSA ARCHER OPERATIONAL RISK MANAGEMENT

RSA ARCHER OPERATIONAL RISK MANAGEMENT RSA ARCHER OPERATIONAL RISK MANAGEMENT 87% of organizations surveyed have seen the volume and complexity of risks increase over the past five years. Another 20% of these organizations have seen the volume

More information

University of St. Gallen Law School Law and Economics Research Paper Series. Working Paper No. 2008-19 June 2007

University of St. Gallen Law School Law and Economics Research Paper Series. Working Paper No. 2008-19 June 2007 University of St. Gallen Law School Law and Economics Research Paper Series Working Paper No. 2008-19 June 2007 Enterprise Risk Management A View from the Insurance Industry Wolfgang Errath and Andreas

More information

Introduction to Enterprise Risk Management at UVM DRAFT

Introduction to Enterprise Risk Management at UVM DRAFT Introduction to Enterprise Management at UVM 1 Enterprise What is Enterprise Management? Enterprise risk management is a structured, consistent, and continuous process across the whole organization for

More information

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office.

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office. GAO United States General Accounting Office Internal Control November 1999 Standards for Internal Control in the Federal Government GAO/AIMD-00-21.3.1 Foreword Federal policymakers and program managers

More information

Risk Management Policy

Risk Management Policy 1 Purpose Risk management relates to the culture, processes and structures directed towards the effective management of potential opportunities and adverse effects within the University s environment.

More information

Sample risk committee charter

Sample risk committee charter Sample risk committee charter 1 Next This sample risk committee charter is based on leading practices observed by Deloitte in the analysis of a variety of materials. It is important to note that the Risk

More information

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012 The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only Agenda Introduction Basic program components Recent trends in higher education risk management Why

More information

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT Approved by the Audit Committee on 14 February 2003 and adopted by resolution of the Board on 28 March 2003 Revisions approved by the Audit and Risk Committee on 14 February

More information

Capital Adequacy: Advanced Measurement Approaches to Operational Risk

Capital Adequacy: Advanced Measurement Approaches to Operational Risk Prudential Standard APS 115 Capital Adequacy: Advanced Measurement Approaches to Operational Risk Objective and key requirements of this Prudential Standard This Prudential Standard sets out the requirements

More information

King Report on Corporate Governance for South Africa. What it means to you

King Report on Corporate Governance for South Africa. What it means to you King Report on Corporate Governance for South Africa 2002 What it means to you King Report on Corporate Governance for South Africa 2002 www.cliffedekker.com Index Introduction Directors and their Responsibilities

More information

Aegon Global Compliance

Aegon Global Compliance Aegon Global Compliance GLOBAL Charter COMPLIANCE CHARTER aegon.com The Hague, June 1, 2013 Information sheet Target audience: All employees and management of Aegon companies Issued by: Aegon N.V. Group

More information

Office of the Auditor General AUDIT OF IT GOVERNANCE. Tabled at Audit Committee March 12, 2015

Office of the Auditor General AUDIT OF IT GOVERNANCE. Tabled at Audit Committee March 12, 2015 Office of the Auditor General AUDIT OF IT GOVERNANCE Tabled at Audit Committee March 12, 2015 This page has intentionally been left blank Table of Contents Executive Summary... 1 Introduction... 1 Background...

More information

University Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment

University Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment Internal Controls Enterprise-Wide Risk Assessment Balancing Risk and Controls In order to achieve goals and objectives, management needs to effectively balance risks and controls. Control procedures need

More information

Enterprise Risk Management: COSO, New COSO, ISO 31000. Review of ERM

Enterprise Risk Management: COSO, New COSO, ISO 31000. Review of ERM Enterprise Risk Management: COSO, New COSO, Dr. Hugh Van Seaton, Ed. D., CSSGB, CGMA, CPA Review of ERM COSO a process, effected by an entity's board of directors, management and other personnel, applied

More information

MARCH 2012. Strategic Risk Policy Update March 2012 v1.10.doc

MARCH 2012. Strategic Risk Policy Update March 2012 v1.10.doc MARCH 2012 Version 1.10 Strategic Risk Policy Update March 2012 v1.10.doc Document History Current Version Document Name Risk Management Policy Statement and Strategic Framework Last Updated By Alan Till

More information

INTERNAL AUDIT FRAMEWORK

INTERNAL AUDIT FRAMEWORK INTERNAL AUDIT FRAMEWORK April 2007 Contents 1. Introduction... 3 2. Internal Audit Definition... 4 3. Structure... 5 3.1. Roles, Responsibilities and Accountabilities... 5 3.2. Authority... 11 3.3. Composition...

More information

May 2011. Wilfrid Laurier University Enterprise Risk Management Draft Final Report

May 2011. Wilfrid Laurier University Enterprise Risk Management Draft Final Report May 2011 Wilfrid Laurier University Enterprise Risk Management Draft Final Report Table of contents Introduction 2 What we heard 8 Risk management current and desired state 20 Operationalizing ERM Opportunities

More information

ING Group Compliance Risk Management Charter and Framework

ING Group Compliance Risk Management Charter and Framework ING Group Compliance Risk Management Charter and Framework Corporate Compliance Risk Management ING GROUP COMPLIANCE RISK MANAGEMENT CHARTER AND FRAMEWORK Information sheet Target audience: All employees

More information

Compliance Policy AGL Energy Limited

Compliance Policy AGL Energy Limited Compliance Policy AGL Energy Limited November 2013 Table of Contents 1. About this Document... 3 2. Policy Statement... 4 3. Purpose... 4 4. AGL Compliance Context... 4 5. Scope... 5 6. Objectives... 5

More information

KING III CORPORATE GOVERNANCE COMPLIANCE REGISTER

KING III CORPORATE GOVERNANCE COMPLIANCE REGISTER KING III CORPORATE GOVERNANCE REGISTER CHAPTER 1: ETHICAL LEADERSHIP AND CORPORATE CITIZENSHIP NON 1.1. The board should provide effective leadership based on an ethical foundation 1.2. The board should

More information

RISK MANAGEMENT STRATEGY

RISK MANAGEMENT STRATEGY RISK MANAGEMENT STRATEGY 1 Introduction The purpose of this document is to outline a which facilitates the effective recognition and management of risks facing the University. The Combined Code on Corporate

More information

Operational Risk Management in a Debt Management Office

Operational Risk Management in a Debt Management Office Operational Risk Management in a Debt Management Office Based on Client Presentation January 2008 Outline The importance of operational risk management (ORM) International best practice A high-level perspective,

More information

Application of King III Corporate Governance Principles

Application of King III Corporate Governance Principles APPLICATION of KING III CORPORATE GOVERNANCE PRINCIPLES 2013 Application of Corporate Governance Principles This table is a useful reference to each of the principles and how, in broad terms, they have

More information

A&CS Assurance Review. Accounting Policy Division Rule Making Participation in Standard Setting. Report

A&CS Assurance Review. Accounting Policy Division Rule Making Participation in Standard Setting. Report A&CS Assurance Review Accounting Policy Division Rule Making Participation in Standard Setting Report April 2010 Table of Contents Background... 1 Engagement Objectives, Scope and Approach... 1 Overall

More information

Enterprise risk management: A pragmatic, four-phase implementation plan

Enterprise risk management: A pragmatic, four-phase implementation plan Enterprise risk management: A pragmatic, four-phase implementation plan Prepared by: John Brackett, Managing Director, Risk Advisory Services, RSM McGladrey, Inc. 704.442.3820, john.brackett@mcgladrey.com

More information

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013 State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council

More information

Strategic Risk Management for School Board Trustees

Strategic Risk Management for School Board Trustees Strategic Management for School Board Trustees A Management Process Framework May, 2012 Table of Contents Introduction Page I. Purpose....................................... 3 II. Applicability and Scope............................

More information

INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE

INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE CHARTERED INSTITUTE OF INTERNAL AUDIT DEFINITION OF INTERNAL AUDIT Internal auditing is an independent, objective assurance and consulting activity designed

More information

Risk Management Policy

Risk Management Policy Risk Management Policy DOCUMENT CONTROL Developed by: Date: Origination: Quality, Systems & Shared s March 2014 Authorised by: Colette Kelleher April 2014 DOCUMENT REVIEW HISTORY Original Circulation date:

More information

COMPLIANCE CHARTER 1

COMPLIANCE CHARTER 1 COMPLIANCE CHARTER 1 Contents 1. Compliance Policy Statement... 2 2. Purpose... 2 3. Mission and objective of the Directorate: Compliance... 2 3.1 Mission... 2 3.2 Objective... 3 4. Compliance risk management...

More information

Governance and Risk Management in the Public Sector. Fernando A. Fernandez Inter-American Development Bank (202) 623-1430 e-mail: fernandof@iadb.

Governance and Risk Management in the Public Sector. Fernando A. Fernandez Inter-American Development Bank (202) 623-1430 e-mail: fernandof@iadb. Governance and Risk Management in the Public Sector Fernando A. Fernandez Inter-American Development Bank (202) 623-1430 e-mail: fernandof@iadb.org 1 Agenda Governance, why is it important? Compliance

More information

ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES

ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES THIS POLICY SETS OUT THE REQUIREMENTS FOR SAFEGUARDING COMPANY ASSETS AND RESOURCES TO PROTECT PATIENTS, STAFF, PRODUCTS, PROPERTY AND

More information

Issued on: 1 March 2013. Risk Governance

Issued on: 1 March 2013. Risk Governance Risk Governance PART A OVERVIEW... 1 I. Introduction... 1 II. cope of the Policy... 2 PART B PRINCIPLE OF RIK GOVERNANCE... 3 III. Board practices... 3 IV. enior management oversight... 7 V. Risk management

More information

Risk Management Committee (Committee) Terms of Reference

Risk Management Committee (Committee) Terms of Reference Risk Management Committee (Committee) Terms of Reference 1. Objective of Committee 1.1 The Risk Management Committee ( the Committee ) is a formal sub-committee of the Board of the JSE ( the Board ). 1.2

More information

Enterprise-Wide Risk Assessment

Enterprise-Wide Risk Assessment Enterprise-Wide Risk Assessment Agenda 1. Definition of risk. 2. Risk drivers in higher education today. 3. Implementing an enterprise-wide risk management (ERM) program to effectively assess, manage,

More information

RISK MANAGEMENT AND COMPLIANCE

RISK MANAGEMENT AND COMPLIANCE RISK MANAGEMENT AND COMPLIANCE Contents 1. Risk management system... 2 1.1 Legislation... 2 1.2 Guidance... 3 1.3 Risk management policy... 4 1.4 Risk management process... 4 1.5 Risk register... 8 1.6

More information

Risk Management Policy

Risk Management Policy Risk Management Policy Risk Management Policy Record Number D14/79827 Responsible Manager Manager Strategy and Governance Last reviewed 10 March 2015 Adoption reference Council Resolution number 90.5 Previous

More information

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance Applying Integrated Risk Management Scenarios for Improving Enterprise Governance János Ivanyos Trusted Business Partners Ltd, Budapest, Hungary, ivanyos@trusted.hu Abstract: The term of scenario is used

More information

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE March 2012 Table of Contents Executive Summary... 1 Introduction... 1 Risk Management and Assurance (Assurance Services)... 1 Assurance Framework...

More information

SAI GLOBAL LIMITED Risk Management Policy

SAI GLOBAL LIMITED Risk Management Policy SAI GLOBAL LIMITED Risk Management Policy SAI Global Ltd ABN 67050611642 Last Updated: February 2012 Contents 1. Risk Management... 3 2. Policy... 3 3. Risk Management Philosophy... 3 4. Risk Appetite...

More information

Audit of the Policy on Internal Control Implementation

Audit of the Policy on Internal Control Implementation Audit of the Policy on Internal Control Implementation Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada February 18, 2013 1 TABLE OF

More information