THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK
Signature block (two columns):

ACCOUNTABLE | AUTHORISED for implementation
SIGNATURE | SIGNATURE
Chief Executive Officer | On behalf of SAHRA Council
Date | Date
TABLE OF CONTENTS

Section                                                      Page
I    Executive summary                                          1
II   ERM philosophy and policy                                  4
III  ERM organisational structure, roles and responsibilities   6
IV   The ERM process                                           10
V    Implementation and integration                            26
VI   Conclusion                                                30

Appendix
A    Glossary of terms                                         31
B    ERM roles and responsibilities                            33
C    Risk appetite and risk tolerances                         41
D    Risk categories                                           43
E    Risk rating criteria and Risk assessment                  46
F    Sample risk register and monitoring template              53
G    Illustrative portfolio view of risks                      54
H    Reporting requirements                                    56
I    Communication requirements                                57
Section I Executive Summary

I EXECUTIVE SUMMARY

Introduction

In today's business environment, change and uncertainty are constants. Change and uncertainty create both risks and opportunities, which can either erode or enhance value for an organisation. The South African Heritage Resources Agency (SAHRA) must manage these risks, within its risk tolerance, consistently, comprehensively and economically through effective enterprise risk management. This will assist the Council and management in achieving SAHRA's business strategies and objectives.

The following internal and external factors drive the need for an effective approach to managing risks across SAHRA:
- Increased Council and management accountability;
- Recent corporate failures and the proliferation of new standards and regulations;
- Increased stakeholder demands on transparency, accountability and corporate integrity;
- Direct linkage between credibility, ethics and social responsibilities and business performance and success;
- Stakeholder expectations to quickly adapt to change and uncertainty while striving for operating efficiency;
- Globalisation and technological advances; and
- Educated and discerning citizens.

Such an environment requires a stronger focus on risk management practices within SAHRA in order to deal effectively with uncertainty, to capitalise on opportunities, to meet objectives and stakeholder expectations, and to enhance strategic and tactical decision-making.

Enterprise Risk Management

Risk can be defined as the possibility that an event will occur that will adversely affect the achievement of SAHRA's objectives. Risk is measured in terms of impact/consequences and likelihood.
SAHRA defines enterprise risk management (ERM) as a process, effected by the Council, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the organisation and to manage risks to be within its risk appetite, in order to provide reasonable assurance regarding the achievement of SAHRA's objectives. Thus, ERM is a continuous, proactive and dynamic process to identify, understand, manage and communicate risks that may impact SAHRA's objectives.

ERM will assist SAHRA to attain its goals while avoiding pitfalls and surprises along the way. It involves people at every level and requires applying a portfolio view of risk across the entire organisation. By embedding risk management techniques in day-to-day operations, SAHRA is better equipped to identify events affecting its objectives and to manage risks in ways that are consistent with the corporate strategy.

Page 1 of 60
Benefits of Enterprise Risk Management

ERM is designed to strengthen management practices, decision-making and priority-setting to better respond to stakeholder needs. The SAHRA ERM process is expected to provide the following benefits:
- Consideration of risk during strategy and objective setting
- Exploitation of opportunities
- Understanding and proactive management of critical risks impacting objectives throughout the organisation
- Identification and implementation of cost-effective, integrated responses to multiple risks
- Enabling the Council and management to have a portfolio view of risks across the entire organisation
- Rationalisation of resources
- Reduction in operational surprises and losses
- Informed decision-making
- Reporting with greater confidence
- Support for governance responsibilities and satisfaction of legal and regulatory requirements
- Enhanced corporate governance processes and accountability
- Increased internal and external transparency
- Alignment of internal audit focus with the risk profile of the organisation
- Management of project-specific risks

SAHRA ERM Framework

The SAHRA ERM Framework provides guidance to implement a consistent, efficient and economical approach to identify, evaluate and respond to key risks that may impact business objectives. The Framework is based on the published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission and updated with the requirements of the Public Sector Risk Management Framework (PSRMF). The principles outlined in the Framework will be incorporated into risk management related policies and procedures that will support the establishment of the organisation's ERM framework and ensure that risk management is embedded into day-to-day management activities.
The objectives of the Framework are:
- To define the SAHRA ERM philosophy and policy
- To provide an overview of the SAHRA ERM process
- To communicate the key risk management principles
- To define common ERM terminology and definitions
- To clarify the ERM organisational structure and related roles and responsibilities
- To provide guidance related to the key components of an effective ERM initiative
- To ensure a flexible yet consistent approach to the application of ERM across SAHRA
ERM Stakeholders

The following list represents a sample of internal and external risk management stakeholders that have an interest in SAHRA's performance and its ability to manage risks.

Internal
- Council and its Committees;
- SAHRA Executive Leadership Team (EXCO);
- Internal audit function;
- Department Heads;
- Department Risk Champions;
- Risk Owners; and
- All other SAHRA managerial employees and staff.

External
- Government (National and Provincial);
- Donors;
- Suppliers (including asset managers, consultants, banks, insurance);
- Financial institutions;
- Community at large;
- External auditors;
- Union; and
- Media.

Conclusion

In today's environment of change and uncertainty, risk management is a critical success factor for achieving SAHRA's strategic and business objectives. Embedding risk management into existing processes is key to making informed decisions and proactively planning for possible future events stemming from internal as well as external sources. The implementation of an effective ERM process is a strategic initiative that has the full support of SAHRA's Council and Executive Management. Risk management is everyone's responsibility.

The SAHRA ERM Framework provides a proactive, systematic and integrated approach to risk management. The principles outlined in the Framework are the foundation for the risk management philosophy, mission and vision of the SAHRA ERM initiative.
Section II ERM Philosophy & Policy

II ENTERPRISE RISK MANAGEMENT PHILOSOPHY AND POLICY

Enterprise Risk Management Philosophy

The vision of SAHRA is to provide for the identification, conservation, protection and promotion of our heritage for present and future generations. In achieving this vision, SAHRA will face many different types of risks: risks to its business strategy, operational risks and risks associated with the protection of its people, assets and reputation. In order to achieve its business objectives, SAHRA is focused on proactively identifying and managing risks at all levels within the organisation.

SAHRA is committed to complying with and maintaining the principles of the Code of Corporate Practices and Conduct as set out in the King Committee Report on Corporate Governance (King II). In terms of this code, the Council is responsible for the total process of risk management, as well as for forming its own opinion on the effectiveness of the process. Management is accountable to the Council for designing, implementing and monitoring the process of risk management and integrating it into the day-to-day activities of the organisation.

The SAHRA ERM vision is to integrate risk management across the organisation to support the SAHRA vision, mission and values and to increase the likelihood of achieving business objectives. SAHRA will accomplish this vision by:
- Embedding risk management within our culture;
- Proactively identifying future uncertainties and planning for them; and
- Training our employees to think about risks as part of their decision-making process.

SAHRA Enterprise Risk Management Policy

SAHRA subscribes to an Enterprise Risk Management process which is aligned with the Public Sector Risk Management Framework and which enables the entire organisation to understand, manage and communicate risks from an organisation-wide perspective.
It will ensure that all risks that could prevent the achievement of organisational objectives are identified, and that response plans are implemented, evaluated and managed on an organisation-wide basis. Reporting to the Council and Audit Committee will take place on pre-defined criteria to ensure adequate monitoring of critical risks.

SAHRA will, at the corporate level:
- Determine the corporate vision and mission
- Establish clear strategic business objectives and identify and assess significant risks that may prevent the achievement of those objectives
- Determine the appetite for taking risks
- Apply fit-for-purpose risk responses
- Incorporate risk responses into an integrated internal control system which is designed to:
  - Address opportunities
  - Protect the organisation's assets
  - Facilitate effective and efficient operations
  - Assist in ensuring reliable reporting
  - Comply with applicable laws and regulations
- Monitor the effectiveness of business processes and systems for managing risk
- Apply Council and management policies which relate to risk management
- Provide support and resources to establish, integrate, sustain and continually improve risk management on an enterprise-wide basis

Each department will:
- Determine business or project objectives which are aligned with the strategic objectives
- Identify and assess significant risks that may prevent the achievement of those objectives
- Apply fit-for-purpose risk responses
- Incorporate risk responses into an integrated internal control system which is designed to:
  - Address opportunities
  - Protect the organisation's assets
  - Facilitate effective and efficient operations
  - Assist in ensuring reliable reporting
  - Comply with applicable laws and regulations

The ERM Framework will form the basis for the overall ERM policy and procedures at SAHRA. All SAHRA corporate and departmental processes, including the strategic planning and objective setting process, are included in the scope of the ERM program. The Council, through its Audit Committee, is responsible for the overall risk management process and the development of this policy. The Council will actively participate in risk and control monitoring and analysis to consider and review the enterprise-wide risk profile and control environment. Management is responsible to the Council for the implementation of processes and procedures to achieve the outcomes set out in this policy. It is the responsibility of all SAHRA employees to understand and adhere to the policies outlined within this Framework and the risk management procedures.

We commit to continuous improvement in the area of risk management. In this regard:
- An independent external evaluation of the SAHRA ERM Framework and risk management process will be performed at least every 3 years to ensure the Framework is current and the process effective.
- The Council will review this policy and underlying principles at least annually, to ensure their continued application and relevance.
- The SAHRA Risk Management Function will submit proposed changes or additions for consideration and recommendation to the Audit Committee, which in turn will submit them to the Council for approval.
- The Council will make appropriate disclosures in its annual report in relation to the SAHRA ERM process.

The Council will disclose:
- That it is accountable for risk management and the system of internal control;
- That there is an ongoing process for identifying, evaluating and managing the significant risks facing the organisation;
- That there is an adequate system of internal control in place to mitigate the significant risks faced by the organisation; and
- That there is a documented and tested process in place that will allow the organisation to continue its critical business processes in the event of a disastrous incident impacting its activities.
Section III ERM Organisational Structure, Roles & Responsibilities

III ERM ORGANISATIONAL STRUCTURE, ROLES AND RESPONSIBILITIES

Managing risks is everyone's responsibility. Development of a formal risk management structure helps ensure that employees across the organisation understand their responsibilities and are accountable with regard to risk management.

ERM organisational structure

The ERM organisational structure is reflected in the diagram below:
ERM Roles and responsibilities

The following table provides a summary of key ERM roles and responsibilities (detailed ERM roles and responsibilities are included in Appendix B):

ERM Internal Stakeholders: Key ERM Roles and Responsibilities

Council
- The Council must ensure that appropriate corporate governance frameworks are established and operating.
- Provide risk management philosophy direction.
- Approve key risk management documents and decisions.
- Review/approve external risk reporting.

SAHRA Executive Leadership Team (EXCO)
- Ensure integration of risk management into strategic and objective setting, ongoing measurement and key decision making.
- Issue risk management directives.
- Top-down risk management communication.
- Ensure control manuals and other key documents reflect policies regarding risk and that mechanisms are in place to ensure they are maintained.
- Build confidence and respect organisation-wide, at all levels, to gain acceptance for consistent risk management practices.
- Assimilate risk information from varied sources, and make effective business-based decisions on risk priorities and actions required.
- Ensure inherent risks or business risk profiles associated with individual business functions and processes under their control are adequately and regularly assessed.
- Ensure risk reports on the status of corrective actions are completed.

Risk Owner
- Ensure that approved risk responses to identified risks are effectively implemented.
- Take responsibility for assessing the design and operating effectiveness of controls.
- Ensure risks are identified and managed on a daily basis.
- The risk owner may delegate responsibility for implementing actions and applying controls to appropriately skilled staff.

Department Heads
- Set business/departmental risk management strategy.
- Provide departmental risk management oversight and guidance.
- Monitor effectiveness of risk responses/mitigation.
- Ensure controls currently in place over a division are operating effectively.

Departmental Risk Champions
- Provide risk management expertise and guidance.
- Ensure execution of the risk management framework and process for the respective division.
- Facilitate day-to-day risk management training, documentation and coordination.

ERM Participant/Operational Staff
- Execute risk management activities in day-to-day activities in accordance with the ERM framework and risk management procedures.
- Escalate ERM framework and process deficiencies and enhancements.

Audit Committee
- Provide oversight of the independent evaluation of the effectiveness of the ERM process and ensure corrective action is taken.
- Report and make recommendations to Council.

Internal Audit/Assurance Provider
- Perform an internal evaluation of the effectiveness of the ERM process.
- Plan in detail, and co-ordinate activity to achieve ongoing risk management reporting cycles within SAHRA.
- Arrange and facilitate risk meetings, presentations and workshops involving staff across the business, at all levels.
- Organise resources across the business, providing risk management training and development where required.
- Categorise and prioritise risk information into report formats, and decide on where information can add value.
- Provide guidance on the framework used for risk assessment.
- Ensure risk is assessed within a formal risk management methodology, to be approved by the Audit Committee.
- Monitor that risk reports on the status of corrective actions are completed.
- Monitor that controls currently in place over a division are operating effectively.
- External verification every 3 years to determine whether the risk management process is being adhered to and remains effective.

PwC Page 7 of 60
Section IV The ERM Process

IV THE ENTERPRISE RISK MANAGEMENT PROCESS

Components of the SAHRA Enterprise Risk Management Process

The following provides an illustration of the eight key components of the SAHRA ERM process.

Internal Environment

SAHRA's control environment is the foundation of risk management, providing discipline and structure. The objective of the Internal Environment component is to establish the tone at the top with regard to risk management. The control environment influences how strategy and objectives are established, how departmental activities are structured, and how risks are identified, assessed and acted upon. It influences the design and functioning of control activities, information and communication systems, and monitoring activities, and incorporates the following aspects:
- The risk management philosophy and culture
- Risk appetite
- Oversight by the Council
- Integrity and ethical values
- A commitment to competence
- Organisational structure
- Assignment of authority and responsibility
- Human resource standards

The goal of this ERM framework is to set the risk management philosophy and policy and outline the ERM process at SAHRA (refer to Section II). However, the effectiveness of risk management is dependent on the tone established by the Council and management and on communication across the organisation, not only in respect of risk management but in respect of the control environment in general.
Strategy and Objective Setting

The objective of Strategy and Objective Setting is to embed risk management principles into the strategic planning cycle and objective setting processes to ensure that objectives are consistent with SAHRA's risk appetite and tolerances. Organisational strategy and objectives serve as the foundation for all risk management activities. Therefore, properly defined, documented and approved objectives are critical to the success of the SAHRA ERM initiative. This component provides guidance related to establishing risk appetite, incorporating risk management into strategic and financial planning processes, and defining risk tolerances.

Risk Identification

The objective of Risk Identification is to develop a consistent and sustainable approach to identify events that could impact SAHRA's ability to achieve corporate strategies and objectives. Potential events could arise from internal and/or external sources such as key business processes, technology, personnel, alternative products, and member demographics or behaviour. Potential events with a negative impact represent a risk to SAHRA. Consequently, a risk assessment will be performed for all events with a negative impact. Events with a positive impact represent opportunities for SAHRA, which in turn will be channelled back to the strategic and financial planning processes.

How to perform risk identification

It is important that the risk identification exercise does not get bogged down in conceptual or theoretical detail. It should also not limit itself to a fixed list of risk categories, although such a list may be helpful. There are key steps necessary to effectively identify risks from across the institution. These steps are:
1. Understand what to consider when identifying risks;
2. Gather information from different sources to identify risks;
3. Apply risk identification tools and techniques;
4. Use risk categories for comprehensiveness;
5. Document the risks;
6. Document the risk identification process; and
7. Assess the effectiveness of the risk identification process.

Risk Assessment

The objective of Risk Assessment is to assess the impact of events and associated risks on SAHRA's strategic objectives. Events and associated risks are assessed from two perspectives: likelihood and impact. This assessment utilises a combination of quantitative and qualitative techniques to derive an overall risk profile for the organisation or the respective divisions. Responses are developed and implemented for events and associated risks having a residual risk which is greater than the risk tolerance. The steps are:
1. Identify and evaluate existing control effectiveness;
2. Determine risk likelihood (probability or frequency of risk occurrence);
3. Determine risk impact (consequences of an event occurring);
4. Perform both the risk likelihood and consequence rating before and after taking controls into account, to determine the level of risk rating (inherent vs. residual rating); and
5. Determine the risk rating level.
Risk Response

The objective of Risk Response is to determine how SAHRA will respond to events and associated risks. Various risk response strategies will be evaluated, including risk avoidance, reduction, sharing or acceptance. The decision to implement a response will be based on risk tolerances, the effect the response will have on the impact and likelihood ratings, and the results of the cost versus benefit evaluation. Once a risk response is implemented, SAHRA will develop ongoing mechanisms to monitor the implementation and effectiveness of the risk response.

Control Activities

The institution can respond to risk through various mechanisms such as avoidance, transfer, acceptance and management of the risk. When the institution elects to manage the risk, it will require control activities to support the management of the risk to within tolerable levels.

Outputs

Control activities will produce detailed action plans for managing all material risks.

Guidelines

The risk assessment will have produced management's perspective of the effectiveness of the existing controls. This would inform management of additional control interventions required to better manage the risk exposures to an acceptable level. Management will be able to consider the best control options from various alternative control types:
- Management Control: these ensure that the institution's structure and systems support its policies, plans and objectives and operate within laws and regulations;
- Administrative Control: these ensure that policies and objectives are delivered in an efficient and effective manner and that losses are minimised;
- Accounting Control: these ensure that resources allocated are accounted for fully and transparently and are properly documented;
- Information Technology Control: these controls relate to IT systems and include access control, controls over system software programmes, business continuity controls and other controls.

Each control type above can be classified as either:
- Preventative: these controls are designed to discourage errors or irregularities from occurring, e.g. adequate physical security of assets to prevent losses such as theft or damage. If properly enforced, these controls are usually the most effective type of controls;
- Detective: these controls are designed to find errors or irregularities after they have occurred, e.g. performance of reconciliation procedures to identify errors;
- Corrective: these controls usually operate together with detective controls in order to correct identified errors or irregularities.
Considerations for improving controls

The following questions could provide useful information for a high-level understanding of the underlying issues and the control improvements required:
- What is the risk assessment telling us about the effectiveness of the current controls (what needs to be enhanced)?
- What are the various options available for addressing the residual risk?
- What amount and quality of information do we have about the risk (what additional information is required to fully understand and respond to this risk)?
- How much is the additional control going to cost, and how does this compare with the benefits to be derived from the additional control?
- Is there a necessity for introducing new policies and procedures, or updating the existing policies and procedures?
- How will we measure whether the new control measures are working or not?
- What is the action plan for addressing the control gaps? Who is the responsible person? What project plans should we put in place?

Assurance on control activities

Up until now the control adequacy and effectiveness was based exclusively on management perception. The inherent danger in this is that "optimism bias" could prevail, that is to say, management is more optimistic about the control environment than it really should be. An examination of the control activities performed by an independent party has the advantage of eliminating "optimism bias" and revealing a more realistic perspective of the control activities. Independent assurance can be provided by internal audit, a corporate function, independent consultants or the Auditor-General. The reports provided by these assurance providers should be utilised to update the assessments reflected in the risk register and should form the basis for developing the additional control enhancements that are required.

Risk Reporting

The objective of Risk Reporting is to keep the Council and SAHRA management abreast of:
- Key events and associated risks facing the SAHRA organisation;
- Current plans to address the key risks; and
- Effectiveness of the ERM Framework and process.

The Internal Audit Function is responsible for co-ordinating enterprise-level risk reporting by leveraging existing management reporting channels.
Information and Communication

The objective of Information and Communication is to raise awareness of enterprise risk management across all levels of the organisation. Existing communication and training channels will be used to reinforce the importance of risk management and ensure that all employees understand their risk management roles and responsibilities.

1. Introduction

Relevant information, properly and timeously communicated to relevant stakeholders, is essential in order to equip such stakeholders to identify, assess and respond to risks.

2. Outputs

Effective information and communication is intended to support enhanced decision making and accountability through:
- Relevant, timely, accurate and complete information;
- Communicating responsibilities and actions.

3. Guidelines

When deciding on information and communication protocols, the following aspects should be considered:
- Understanding clearly the needs and requirements of each stakeholder group. This would include agreeing with them the manner, content and form in which the information should be communicated and the frequency of reporting;
- To what extent existing reporting channels can be utilised to transmit the required information rather than creating new channels.

Various sources of internal and external information are obtained and analysed in all eight components of the ERM process framework (see the ERM Architecture for the components). Furthermore, this information could be in quantitative or qualitative form. The challenge for management is to process and refine large volumes of data into relevant and actionable information, and to keep historical records of analysis, trends and decisions. This challenge can be overcome by implementing an information system to source, capture, process, analyse and report relevant information.

4. Implementing a risk management reporting system

The use of risk management software will enable management to obtain "real time" information for decision making. This will also enhance monitoring activities. Whether automated or manual processes are used, it is advisable to have customised reports as an early warning system. A risk dashboard can be used to expedite the flow of critical information to enhance decision-making. Supplementary information can be included in more detailed reports such as: progress with risk management implementation, incident reports, and emerging risk reports.

5. Incident reporting system

Incident reporting is another means of risk monitoring and of reviewing the effectiveness of controls. The principle of real-time incident reporting for key processes is growing in prominence globally. Certain disciplines such as Safety, Health, Environmental and Quality may already have incident reporting systems in place. Such reporting systems should be integrated into the broader risk management incident reporting systems in order to avoid duplication of effort.
6. Emerging risk warning system

Emerging risks are previously unrecognised risks that may be an imminent threat. Such risks may emanate from changes in the regulatory environment, external events, internal changes or social trends. Effective risk management will incorporate a process of identifying emerging trends which could pose threats and risks. The frequency with which emerging risks are deliberately interrogated will be influenced by the rate of change and dynamism the institution is confronted with.

Monitoring

The objective of Monitoring is to provide feedback regarding adherence to and effectiveness of the ERM Framework and process. There are two distinct forms of monitoring:
- On-going monitoring by all SAHRA employees participating in risk management activities; and
- Independent risk management evaluations performed by Internal Audit or external service providers.

Once issues/deficiencies are identified, corrective action plans will be developed, implemented and monitored.
17 Section IV The ERM Process STRATEGY AND OBJECTIVE SETTING Overview The cornerstone of Enterprise Risk Management is to assist in the achievement of organisational strategy and objectives. Therefore, it is critical that risk management concepts and principles are incorporated into existing processes to develop and manage organisational strategies and objectives. Objectives are set at the organisational, departmental and project levels, and fall within six categories: Teaching and Learning, Research, Responsiveness and Community Engagement, Finance, Marketing and Advancement and Institutional Development. Objectives are aligned with the risk appetite, which drives risk tolerances throughout the organisation. Therefore, properly defined, documented, and approved objectives are critical to the success of the SAHRA ERM process. Identifying and managing risks will be key elements of the SAHRA strategic and financial planning cycle. Embedding risk management into strategy and financial planning processes will enable SAHRA to proactively identify and understand potential barriers to achieve the organisational strategy and objectives. These risks will be considered in the final decision to select the appropriate strategy and related objectives. Once the strategy and objectives are approved, risk management will be embedded into ongoing performance measurement activities across the organisation. Risk management activities will closely align with the organisational balanced scorecard and other mechanisms that are currently in place to monitor, measure, track and report business objectives and supporting metrics. The goal of this component is to provide guidance for embedding risk management principles into the strategic planning cycle and objective setting processes. This component introduces the concepts of risk appetite and tolerances, which are key to ensuring that the objectives are aligned with the overall risk philosophy of the organisation. 
Key Principles
- Appropriate level of management participation during strategy and objective setting processes.
- Stakeholder expectations are considered when establishing risk appetite and tolerances.
- Risk appetite is used as a guidepost during strategy and objective setting processes.
- Corporate strategy, risk appetite and risk tolerances are cascaded across the organisation.
- Objectives, metrics and risk tolerances are clearly defined and measurable.
- Risk tolerances use the same unit of measure as the related objectives.
Key Activities: Strategy and Objective Setting
1. Define the risk appetite: Develop the risk appetite at the corporate level, which will be cascaded across the organisation.
2. Incorporate risk management into strategy and objective setting processes: Integrate risk management principles and techniques into corporate and departmental strategy and objective setting processes.
3. Develop risk tolerances: Determine the risk tolerances at the corporate and departmental levels.

Related information: Section V - Implementation and integration; Appendix C - Risk appetite and tolerances
EVENT IDENTIFICATION

Overview
An event is an incident or occurrence emanating from internal or external sources that could affect implementation of strategy or achievement of objectives. Events may have positive or negative impacts, or both.

The objective of the event identification component is to develop a consistent and sustainable approach to identifying events that could impact SAHRA's ability to achieve organisational strategy and objectives (both positive and negative impacts). Potential events could arise from internal and/or external sources. Examples of internal sources of events include key business processes, personnel and technology. Examples of external sources of events include the political environment, macroeconomic trends and natural disasters.

Potential events with a negative impact represent a risk to SAHRA. Consequently, a risk assessment will be performed for all events with a negative impact. Events with a positive impact represent opportunities for SAHRA, which in turn will be channelled back to the strategic planning, financial planning and balanced scorecard development processes.

Event identification takes place at the departmental level and at the entity level. Significant risks from the departmental level are escalated to the entity level and are supplemented by the identification of risks that have an impact across the organisation, such as strategic risks.

Information sources to successfully identify events include:
- Information on previous events impacting the organisation/division
- Organisational and departmental objectives for the current year
- Business Continuity plans
- Forward-looking research, surveys, projections, etc.
- External sources of event information (e.g. economic forecasts, political environment, etc.)

SAHRA will utilise the following approaches for identifying new events:

1. Formal Event Identification Exercises
New events will be identified through formal event identification exercises. The formal event identification exercises will be conducted:
- During the implementation of ERM
- When new objectives are identified/developed
- On an annual basis, aligned to the strategic planning process

2. Identify and Document New Events on an Ongoing Basis
Potential events may be identified at any time by any individual within SAHRA. Such events should be formally communicated to the Departmental Risk Champions, who will be responsible for ensuring that appropriate action is taken.
3. Periodic Validation of Event Inventory
As outlined in the Reporting component of the SAHRA ERM Framework, management will be responsible for risk management reporting on a periodic basis. Prior to this reporting, mechanisms will be in place to validate the completeness and accuracy of the event inventory and risk assessment results with management. During this exercise, management may identify new events that have not been formally documented. Consequently, this exercise represents the third mechanism to identify new events.

Key Principles
- Involve management representatives (executive and non-executive) from across the organisation, as well as relevant third parties, during the first event identification exercise (during initial ERM implementation);
- Identify events that directly impact the strategic and/or departmental objectives of SAHRA;
- Document event information in the SAHRA ERM system;
- Events are identified, updated and re-evaluated on a regular basis;
- Report the status of events on a monthly basis to EXCO;
- Validate the completeness of the event inventory prior to the quarterly reporting process.

Key Activities: Event Identification
Formal Event Identification Exercise
1. Plan for the event identification exercise: Outline of the necessary steps to prepare for the event identification exercise.
2. Conduct the event identification exercise: Overview of techniques to conduct the event identification exercise.
3. Document the results of the event identification exercise: Overview of documentation requirements.
Ongoing Event Identification
4. Identify and document new events on an ongoing basis: Process to monitor, identify and document new events on an ongoing basis.

Related information: Appendix D - Risk categories
RISK ASSESSMENT

Overview
Risk Assessment allows SAHRA to consider the extent to which potential events might have a negative impact on the achievement of objectives. Risk Assessment is the process that enables management to gain an understanding of the likelihood and impact of potential events and associated risks identified during Event Identification.

The Risk Assessment process provides a standard and consistent approach to understanding and evaluating risks impacting objectives across all divisions and at the entity level. Thus, it provides SAHRA management with a portfolio view of risks, i.e. a risk profile (also refer to Appendix H).

During this process, events with the potential to negatively impact objectives are examined at the departmental and at the entity level. Such events are assessed and included in the overall risk profile of the respective divisions. Risk profiles of the various divisions are combined with the risk profile of entity level risks to form a portfolio view of risk at the organisational level. New events which represent opportunities are channelled back to the strategy and objective setting process (see the Strategy and Objective Setting component of the Framework).

Risks are assessed from two perspectives: likelihood of occurrence and impact. This assessment utilises a combination of quantitative and qualitative techniques to derive an overall risk profile for the respective division or at the corporate level. Management may assess how events correlate and where sequences of events combine and interact to create significantly different probabilities or impacts. While the impact of a single event might be slight, a sequence or combination of events within or across divisions might have a more significant impact. Where potential events are not directly related, management should assess them individually. Where risks are likely to occur within multiple divisions, management may assess and group identified events into common categories.

In assessing risks, management considers the likelihood of occurrence and the impact of the risks on an inherent basis, i.e. without considering the influence of existing management actions and related controls, and on a residual basis, i.e. after taking into account management actions and related controls.

The final activity in the risk assessment process is to validate the results with executives and participants of the enterprise-wide and respective departmental risk assessments. Validation of the risk assessment is undertaken to gain acceptance and to confirm the prioritisation of events.

Key Principles
- An appropriate level of subject matter experts, as well as executives and non-executives, participate in the evaluation of events and associated risks.
- Risk assessments are performed for all events which have the potential to negatively impact strategic/departmental objectives.
- Events and associated risks are evaluated from two perspectives: likelihood of occurrence and impact.
- The impact of the event and associated risks is assessed using a consistent rating scale incorporating both quantitative and qualitative units of measure.
- Both the inherent and residual impacts are considered in determining the overall risk associated with a given event.
- Risk assessments inherently have a subjective component (such as management's experience, the assumptions used to estimate the impact, etc.), which will be considered when prioritising events.
- The portfolio view of risks and risk tolerances enable management to prioritise and manage events and associated risks.
- A formal risk assessment is performed on an annual basis.
- The results of the risk assessment are documented in the ERM system.

Key Activities: Risk Assessment
1. Select risk assessment technique: Overview of possible techniques to perform a risk assessment.
2. Assess risks: Outline of the necessary steps to perform a risk assessment.
3. Develop risk profile and prioritise risks: Outline of the steps to develop a risk profile and rank events and associated risks based on the likelihood of occurrence of the event and its impact on the objectives.
4. Validate risk assessment results: Overview of the process to validate the results of the risk assessment exercise.

Related information: Appendix E - Risk rating criteria; Appendix F - Risk assessment; Appendix H - Illustrative portfolio view of risks
RISK RESPONSE

Overview
Risk response relates to the policies, procedures, processes and controls implemented to respond to specified future events. Various response strategies are available for responding to a given event and its associated risks. These strategies can broadly be divided into the following four categories:
- Avoidance - taking action to exit the activities that give rise to the risks
- Reduction - reducing the event likelihood, impact, or both
- Sharing - reducing event likelihood or impact by transferring or otherwise sharing a portion of the risk
- Acceptance - taking no action to affect frequency or impact

Taking risks is part of the ordinary course of business. It is not the intent in all cases to minimise, avoid or eliminate all risks that are identified. However, it is the intent that SAHRA understands the significant events that may negatively impact business objectives and sets guidelines to address the associated risks. This is achieved by establishing a standard and consistent process for developing an acceptable response.

In selecting the response, an evaluation of the costs and benefits of the response is performed and an approach selected that brings the expected likelihood and impact within the desired risk tolerances. These will vary over time according to specific business objectives and will be reassessed when changes to strategic and operational objectives are effected.

The primary input from the risk assessment is the set of events whose inherent risk is greater than the established tolerance levels for SAHRA objectives. These events may or may not have existing risk responses in place within the organisation. If a risk response has been implemented, the effectiveness of the response is evaluated and a determination made whether the response needs to be enhanced or replaced. The ultimate goal is to bring the residual risk (after management actions and/or controls) to a level that is at or below the acceptable risk tolerance levels defined by management, i.e. the target risk.

A given risk response may lead to the identification of new events that represent a risk and/or an opportunity. New opportunities will be channelled to the strategy and objective setting processes, and new risks will be channelled back to the event identification and risk assessment activities.

Risk responses serve to focus attention on the control activities needed to help ensure that the risk responses are carried out properly and in a timely manner. Control activities are the policies and procedures that help ensure risk management strategies are properly executed. They occur throughout the organisation, at all levels and in all functions, and usually involve two elements: a policy establishing what should be done, and procedures to effect the policy.

In selecting control activities, management considers how the control activities are related to one another. In certain instances a single control activity addresses multiple risk responses, while in others multiple control activities are needed for one risk response. The selection or review of control activities should include consideration of their relevance and appropriateness to the risk response and related objective.
The Audit Committee, through the ongoing risk management process, will co-ordinate with the various assurance providers to obtain evidence on the effectiveness of control activities in achieving the desired risk response. Through a control effectiveness rating, the effective residual risk rating will be established.

Key Principles
- There are two aspects to a risk response: (1) development, additions or changes to existing policies, procedures, processes and controls; and (2) monitoring the effectiveness of the response.
- The timing of risk response selection and implementation will be based on the risk assessment prioritisation.
- Responses will be assessed based on the costs and benefits of implementing the response and the effect on impact and likelihood.
- A risk owner will be identified for each risk, who will be responsible for ensuring that the agreed risk responses are in place/implemented.
- Risk responses are documented in the ERM system.
- Existing risk responses performed by SAHRA will be leveraged, if appropriate.
- An entity-wide view will be taken in determining appropriate risk responses at the departmental and corporate level.
- Risk responses are developed in the context of the risk appetite, objectives and tolerances.
- Assurance providers such as internal audit will monitor the effectiveness of risk responses and compliance with policies and procedures.

Key Activities: Risk Response
1. Identify potential risk response strategies: Identify the various types of response strategies for each event, including avoidance, reduction, sharing and acceptance.
2. Evaluate and select a response(s): Select a risk response based on the results of the cost vs. benefit analysis, risk appetite, tolerances, overall objectives and effect on likelihood and impact.
3. Implement and monitor response(s): Implement and monitor the selected risk response, including assessment of control effectiveness.

Related information: Appendix G - Sample risk register and monitoring template
RISK REPORTING

Overview
It is important to keep SAHRA management, the Audit Committee and the Council abreast of key risks and the actions resulting from risk management activities. This component of the ERM Framework outlines the process to report risk management information to SAHRA management and the Council on a consistent and timely basis.

[Figure: High-level overview of the SAHRA risk reporting and communication structure]

Key Principles
- Risk management reporting will be embedded into ongoing processes to manage objectives and the supporting balanced scorecard.
- Risk management reporting will provide a portfolio view of key risks and risk responses at various levels of the organisation (e.g. organisation-wide and departmental unit).
- Risk reporting will be driven by internal and external stakeholder expectations and requirements.

Key Activities: Risk Reporting
1. Stakeholder reporting requirements: Validate and manage stakeholder reporting requirements.
2. Monthly validation: Validate with the ERM Champions the accuracy of the risk management data.
3. Quarterly analysis and interpretation: Analyse, evaluate and prioritise the risks at the organisational level and develop a portfolio view of risks.

Related information: Appendix H - Illustrative portfolio view of risks; Appendix I - Reporting requirements
MONITORING

Overview
Monitoring is a process that assesses the effectiveness of the SAHRA ERM Framework and process over a period of time. A well-developed ERM Framework is only as effective as the dedication of the SAHRA employees who adhere to its principles and incorporate it into their daily decision-making processes and activities. Factors such as employee turnover, job rotations and promotions, and departmental consolidations and reorganisations all have the potential to negatively impact the consistent application of risk management principles.

Monitoring mechanisms will assist to:
- Ensure the consistent application of the Framework across the organisation
- Ensure the effectiveness of the ERM policies and procedures
- Identify weaknesses/enhancements and develop corrective action plans

The process to monitor SAHRA's ERM Framework takes two distinct forms:

Ongoing risk management monitoring activities
Ongoing monitoring activities are built into the normal, recurring operating activities across the organisation. Employees are responsible for identifying and escalating potential ERM Framework weaknesses or enhancements.

Independent risk management evaluations
Separate ERM evaluations performed by individuals not involved with the ERM processes will provide an independent appraisal of the effectiveness of the Risk Management Framework and process.

(NOTE: This component focuses on monitoring the consistent execution and application of the ERM Framework. The process to monitor the execution of risk responses is addressed within the risk response component.)
Key Principles
- Ongoing monitoring activities are embedded into risk management activities.
- Employees participating in risk management activities have a responsibility to escalate ERM Framework and process issues and enhancements to the Departmental Risk Champion upon identification.
- Independent evaluations provide an objective perspective on the adequacy and effectiveness of the ERM Framework and process on a periodic basis.
- Issues and enhancements are documented, and a corrective action plan is developed and monitored.
- Issues and enhancements are reported in a timely manner to the Council and Audit Committee.

Key Activities: Monitoring
1. Ongoing risk management monitoring activities: Continuous monitoring of the effectiveness of the ERM Framework and process.
2. Independent risk management evaluations: Evaluation performed by a group independent of ongoing risk management activities.

Related information: Appendix I - Reporting requirements
INFORMATION AND COMMUNICATION

Overview
Effective information and communication are key components of successfully implementing a risk management programme. Communication is necessary to increase awareness of the risk management programme. Various mechanisms, such as awareness campaigns, training and education sessions, newsletters, etc., exist to ensure that the communication is effective and reaches every employee throughout the organisation. An effective communication and training approach will increase the level of risk management awareness and understanding at all levels of the organisation.

The key outputs of the Information and Communication component include:
- Top-down communications
- Ongoing risk management communications
- Risk management stakeholder communication plan
- SAHRA ERM training approach and supporting documentation

Key Principles
- The importance of risk management is communicated from the Council and Executive Leadership across the organisation.
- A risk management stakeholder communication plan is developed, implemented and monitored.
- Risk management concepts and principles are communicated and reinforced on a regular basis.
- Risk management training is provided to SAHRA employees who have specific ERM responsibilities.

Key Activities: Information and Training
1. Top-down communication: The SAHRA Executive Leadership team to communicate and reinforce risk management principles across SAHRA.
2. Ongoing risk management communication: Develop a communication plan to identify and manage the risk management communication needs of each stakeholder.
3. ERM framework training: Determine the training approach for each risk management role; implement and monitor.

Related information: Appendix J - Communication requirements
V IMPLEMENTATION AND INTEGRATION

Introduction
Although risk management is a business process, it is not a process that functions in isolation. Risk management is also not a once-off activity but is performed on a daily basis as part of ongoing operations. For risk management to be effective, it needs to be linked and integrated with all business processes, from strategic planning to all operational processes.

Integrating risk management into day-to-day activities, decision making and business processes
The SAHRA ERM framework is designed to help the organisation achieve its business objectives through alignment of its vision, mission and strategies with day-to-day activities. Therefore, the risk management process has to be integrated with SAHRA planning, day-to-day operations and measurement processes. Set out below is a high-level overview of how the risk process is integrated within SAHRA:
Vision and mission
The vision and mission represent the starting point for setting SAHRA's overall priorities. They establish the direction for the organisation's future and provide focus for the core business processes and operations. Both the vision and mission are approved by the Council and communicated throughout the organisation. Periodically, SAHRA will evaluate its mission and vision, and the risk process will be an important component of this evaluation. Risks, including potential threats to the achievement of the mission and vision, as well as opportunities for exploitation, will be identified and assessed. SAHRA will consider these risks in determining the nature and direction of its strategy.

Strategic and departmental objectives
Remaining focussed on the mission, SAHRA will develop its strategic objectives, balancing the needs of its stakeholders, risks and opportunities. Departmental objectives, aligned with the strategic objectives, will be identified for each division, and specific performance targets will be set for each of these objectives. The risks that might prevent the achievement of each objective should be identified and assessed as part of the planning and ongoing monitoring process. SAHRA's response to key risks should be addressed in each department's business plan. The performance measurement process should integrate and consider the key risks and selected risk response strategies in determining the targets established for each business objective. This will facilitate the ongoing monitoring of performance and risks.

Day-to-day operations
SAHRA management and staff are accountable for achieving the objectives established in the departmental business plans. They are also accountable for establishing appropriate and efficient risk management processes related to those objectives. There should be an ongoing application of the risk management process to enable staff to identify, assess and respond to risks in their direct areas of responsibility, and to identify risks that require a broader response by the organisation.

The following are factors to be considered by each division to integrate risk management into existing decision-making structures:
- Aligning risk management with objectives at all levels of the organisation;
- Introducing risk management components into operational practices;
- Communicating departmental risk tolerances;
- Including risk management as part of employees' performance appraisals; and
- Continuously improving control and accountability systems and processes to take into account risk management and its results.

The risks requiring a broader response should be communicated to the Departmental Risk Champion and Departmental Head for consideration from an enterprise-wide perspective.

Alignment
It is important that SAHRA's objectives, risks and controls be aligned at all levels within the organisation. This includes:
- Alignment between strategies, operational objectives and individual job accountabilities
- Alignment between the risks being taken and SAHRA's appetite and tolerance for risk
- Alignment between the control and the desired level of investment in implementing such control

In order to achieve this alignment, SAHRA must streamline the actions of all staff, individually and collectively, towards achieving its business objectives. This alignment should encompass the respective business processes and operational activities undertaken by all levels of staff. This will require ERM principles to be incorporated into the SAHRA business processes and related policies and procedures.
Integrating risk management with project management
A project is undertaken to create specified deliverables of a certain quality within time and resource constraints. Projects need to be carefully managed and monitored through their life cycle for the desired outcomes to be successfully delivered. Risks can occur at each stage of a project, and each supporting process provides sources of risk that should be addressed. The SAHRA project methodology should ensure the integration of risk management in each phase of the project life cycle, including:
- The identification, weighting and costing of major risks associated with each option in the project assessment phase;
- Documentation and tracking of risks identified for the selected alternative;
- Ongoing management of risk actions required, including the anticipated cost and time implication in the project budget;
- Analysis of anticipated versus actual risks encountered and evaluation of the risk management response during project close-out; and
- Post-live monitoring of risks to ensure the achievement of the intended project deliverables and objectives.

Development of risk management related policies and procedures
The principles outlined in the Framework will be incorporated into risk management related policies and procedures that will support the establishment of the organisation's ERM framework and ensure that risk management is embedded into day-to-day management activities. This may require the incorporation of risk management principles into existing policies and procedures that address specific organisational activities such as finance, treasury, environment, health and safety, insurance, etc.; the creation of specific risk management procedures to be applied at the organisational or departmental level; the creation of policies and procedures that address a specific area of risk; and/or the creation of formal written policies and procedures that record current behaviours.
The relationship between enterprise risk management and internal audit
While the responsibilities for ongoing risk management and for internal audit are separate, they are interdependent in ensuring the attainment of the organisation's objectives. Internal audit plays a pivotal role in ensuring effective risk management in the following ways:

Risk-driven internal audit approach: The final phases in the risk management cycle are to evaluate the status of the identified risks on an ongoing basis, through review and monitoring of the controls in place to mitigate them, and then to integrate that evaluation by informing and reporting at the appropriate levels. Internal audit will be involved in the risk management function to the extent that the audit plan is derived from the risks identified in the process, and links through to monitoring management actions and their reliance on key controls to mitigate risk. Internal audit focuses on the risk areas, higher risk areas first, and tests the system of control to ensure that key controls are operating as intended. Accordingly, the results of the internal audit reviews, in terms of the effectiveness of controls, will be fed back into the risk management process to enable a constant re-evaluation of residual risk in order to determine the action required by management.

Providing assurance on the enterprise risk management process: One of the key requirements of the Council is to gain assurance that the enterprise risk management process is working effectively and that the key risks identified are being managed to an acceptable level. Internal audit, as an independent, objective assurance and consulting activity, may be requested to provide the Council with assurance that the risk management framework is operating effectively, that an appropriate assessment of risk is performed, that responsibility is appropriately assigned, and that management actions are carried out in a timely and effective manner.
VI CONCLUSION

SAHRA is operating in a fast-changing environment that continually presents management with a multitude of risks. An organisation cannot avoid or ignore risk; rather, it must ensure that an effective and efficient risk management process is in place that allows the capturing of opportunities and provides protection from adverse events. The SAHRA ERM framework provides SAHRA with a methodology to achieve this end.
Appendix A Glossary Of Terms

A Glossary of terms

Control activity
  The policies and procedures implemented by management to help ensure that management's risk responses are properly executed.

Control effectiveness assessment
  An independent assessment (usually by the Internal Audit Function with the assistance of assurance providers) of the effectiveness of the control activities implemented in achieving the desired risk response.

Department
  SAHRA department or organisational unit (e.g. Finance, Human Resources etc.).

Enterprise wide risk management
  Enterprise wide risk management is a continuous, proactive and systematic process, effected by SAHRA's personnel, applied in strategic planning and across the organisation, designed to identify potential events that may affect the organisation, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of objectives.

Event
  An incident or occurrence, from sources internal or external to SAHRA, that could affect the implementation of the strategy or the achievement of objectives.

Event identification
  An ERM component which is designed to develop a consistent and sustainable approach to identify events that could impact, positively or negatively, SAHRA's ability to achieve its organisational strategy and objectives.

SAHRA ERM system
  The data repository used to capture all risk data, generate risk reports for management and monitor the presence and effectiveness of the ERM framework and process over a period of time.

Impact
  Result or effect of an event.

Inherent risk
  The risk the organisation is exposed to in absolute terms, i.e. in the absence of any management actions (including control activities) management might take (or have taken) to alter either the risk's likelihood of occurrence or impact.

Internal environment
  Encompasses the tone of the organisation, influencing the risk consciousness of its people, and is the foundation for all other components of enterprise risk management, providing discipline and structure. Includes the risk management philosophy; the risk appetite and culture; oversight by the Council; the integrity, ethical values and competence of SAHRA employees; management's philosophy and operating style; and the way management assigns authority and responsibility, and organises and develops its people.

Likelihood
  The possibility that a given event will occur.

Monitoring
  A process that assesses the presence and effectiveness of the SAHRA ERM framework components and process over a period of time.

Opportunity
  Possibility that an event will occur and positively affect the achievement of objectives.

Reporting
  Formal processes of informing key stakeholders of the results of the ERM initiative and its effectiveness.

Residual risk
  The remaining risk after management has taken action to alter an inherent risk's likelihood or impact.

Risk
  The possibility that an event will occur and adversely affect the achievement of objectives.
Risk appetite
  The broad-based level of risk that SAHRA is willing to accept in pursuing its corporate goals and its strategic imperatives.

Risk assessment
  The process that enables management to understand the likelihood and impact of potential events and associated risks.

Risk Owner
  The individual in a department (manager or otherwise) responsible to ensure that a specific risk is appropriately managed.

Risk response
  An ERM component which relates to the policies, procedures, processes and controls implemented by management to avoid, reduce, share or accept risks associated with a specified future event, taking into account the risk tolerances of the organisation and the cost versus benefit, including the effect on event likelihood and impact.

Risk tolerance
  The acceptable level of variation relative to the achievement of objectives.

Stakeholders
  Parties that are affected by SAHRA, such as the Council, students, employees and suppliers.

Target risk
  The level of risk, which is within the risk appetite of the organisation, to be achieved through an action plan to improve the management of the risk.
Appendix B ERM Roles & Responsibilities

B ERM roles and responsibilities

The table in this appendix has three columns: ERM Internal Stakeholders, ERM Role and Key ERM Responsibilities. It is set out below stakeholder by stakeholder.

Council
ERM Role: Risk Management Philosophy
Key ERM Responsibilities:

Oversight of SAHRA ERM Framework/Process
- Approve SAHRA Enterprise Risk Management Framework (incorporating policy and process), including changes or additions.
- Approve the risk appetite of the organisation.
- Approve SAHRA risk management governance framework, ERM Risk Management structure, roles and responsibilities and delegations.
- Ensure that management creates and maintains an effective risk management, compliance and control environment.

Monitor the ERM process and associated risks
- Review and approve annual business plan, including risk related elements, submitted by the VC.
- Review and approve the annual enterprise-wide risk assessment.
- Understand key risks and associated opportunity strategies and monitor effectiveness of management's responses/mitigation.
- Review SAHRA enterprise-wide portfolio of risk, evaluate against risk appetite and consider impact of business strategy and organisational changes.
- Approve action on new risks that could have a significant strategic, financial or reputational impact.

Reporting, communication and change management
- Communicate the importance of an effective risk management program across the organisation - tone at the top.
- Approve the risk management related activities (including specific risks) that will be reported to internal and external stakeholders (e.g. annual report, insurers, regulatory bodies, etc.).
- Consider reports from the Audit Committee relating to key risks/risk profile, high impact/low likelihood risks (contingencies) and the effectiveness of the risk management function (ongoing monitoring reports and independent evaluation).

Audit Committee
ERM Role: Risk Management Oversight and Control
Key ERM Responsibilities:

Develop, Implement and Sustain the SAHRA ERM Framework
- Review the SAHRA Enterprise Risk Management Framework (incorporating policy and process), including changes or additions.
- Review the adequacy and efficiency of risk policies, procedures, practices and controls.
- Ensure that management creates and maintains an effective process to identify, evaluate and manage risk.
- Review the SAHRA ERM Risk Management roles and responsibilities and recommend levels of accountability and responsibility to the Council.
- Review and approve the scope of work of the risk management function, the resources required and their planned activities.
- Review the appointment, performance and replacement of the Risk Officer (when it is deemed necessary to have this full time position).
- Review and approve the process to implement the risk strategy and policy, and enhance the level of risk awareness within SAHRA through the development and implementation of appropriate procedures.
- Provide guidance in respect of risk management and support management in the monitoring of risk across the organisation.

Monitor the ERM process and associated risks
- Review and validate prioritised enterprise-wide risk assessment, profile and risk registers and evaluate against risk appetite.
- Understand key risks and associated opportunity strategies and monitor effectiveness of management's responses/mitigation.
- Review significant events, performance surprises and incidents and understand root cause and required actions.
- Review the summary of significant issues raised in the reports from assurance providers, understand cause of non-compliance and monitor corrective actions.
- Consider new risks that could have a significant financial, strategic, operational or reputational impact and escalate to the Council as appropriate.
- Consider high impact/low likelihood risks (contingencies) and review plans for ongoing monitoring/testing by assurance providers.
- Review summary prepared by Internal Audit/external assurance providers regarding the effectiveness of the overall ERM process, the status of corrective actions and adherence to the SAHRA Risk Management Framework.

Reporting, communication, and change management
- Communicate the importance of an effective risk management program across the organisation - tone at the top.
- Report risk profile, key risks and related actions arising from Audit Committee reviews to the Council.
- Report high impact/low likelihood risks (contingencies) and plans for ongoing monitoring/testing by assurance providers to the Council.
- Report on the effectiveness of the SAHRA ERM process and corrective actions to the Council.
- Report results of the annual risk identification and assessment process (enterprise level).
- Escalate new risks that could have a significant financial, strategic, operational or reputational impact to the Council.

SAHRA Executive Leadership Team (EXCO)
ERM Role: Risk Management Approach, Strategy and Directives
Key ERM Responsibilities:

Develop, Implement and Sustain the SAHRA ERM Framework
- Assist in establishing the appropriate tone at the executive level to implement an effective ERM process.
- Develop and maintain an enterprise-wide risk management framework (incorporating processes, procedures, tools and reports).
- Implement the ERM framework and policy at an organisational level.
- Integrate risk management into objective and strategic goal setting processes.
- Ensure risk management is incorporated into business planning and objective setting processes at an enterprise and departmental level.
- Establish appropriate levels of risk management responsibility and accountability throughout the organisation.
- Propose the enterprise risk appetite and enterprise risk tolerance.
- Recommend risk management resource needs and requirements as identified by the Internal Audit Function.
- Assume overall ownership of enterprise risk management for respective areas of the organisation.
- Participate in annual enterprise-wide risk assessment.
- Implement decisions taken by the Audit Committee, where applicable.
- Promote risk management competence throughout the organisation and develop performance measures related to ERM.
- Ensure objectives and metrics are documented in the SAHRA ERM system.
- Define and monitor ERM roles, responsibilities and accountabilities relating to SAHRA Departmental Risk Champions and Departmental Heads.
- Liaise with assurance providers (including Internal Audit), determine requirements and plans to achieve ERM requirements.
- Coordinate training and guidance to Departmental Risk Champions.

Monitor the ERM process and associated risks
- Review and validate prioritised enterprise-wide risk assessment, profile and risk registers (including key risks at a departmental level) collated by the Internal Audit Function and evaluate against risk appetite.
- Understand key risks and monitor effectiveness of management's risk responses/mitigation.
- Review significant events, performance surprises and incidents and understand root cause and required actions.
- Review summary of significant issues raised in reports from assurance providers, understand cause of non-compliance and monitor corrective actions.
- Identify and/or consider new risks on an ongoing basis that could have a significant financial, strategic, operational or reputational impact and escalate to the Audit Committee.
- Consider high impact/low likelihood risks (contingencies) and ensure appropriate plans are in place. Ensure ongoing monitoring/testing thereof through assurance providers.
- Review summary prepared by Internal Audit/assurance providers regarding the effectiveness of the overall ERM process, the status of corrective actions and adherence to the SAHRA Risk Management Framework.
- Oversee and review results and ensure consistency of risk management activities at the departmental level (e.g. risk appetite and tolerance, risk profiles, risk assessments).
- Analyse trends in the risk profile and levels of exposure and control effectiveness.
- Ensure management implements day-to-day measurement, monitoring and evaluation of risk across the organisation.
- Review reports from assurance providers, understand cause of non-compliance, monitor corrective actions and summarise significant issues for reporting to Audit Committee.

Reporting, communication, and change management
- Communicate the importance of an effective risk management program across the organisation - tone at the top.
- Escalate new risks arising that could have a significant financial, strategic, operational or reputational impact to the Audit Committee and communicate to Internal Audit.
- Facilitate cross departmental learning and knowledge sharing in respect of risk management.
- Establish and maintain a risk communication and reporting process.

Departmental Heads
ERM Role: Risk Management departmental approach and strategy
Key ERM Responsibilities:

Develop, Implement and Sustain the SAHRA ERM Framework
- Overall responsibility for the implementation of the ERM framework, policy and process at an operational level.
- Ensure risk management is embedded into core management activities, including objective setting processes, and is executed reliably.
- Approve event/risk identification and risk assessment approaches at departmental level in line with methodology.
- Identify and prioritise risks and participate in the annual departmental risk identification and assessment process.
- Develop departmental risk appetite and risk tolerance in line with entity level risk appetite.
- Ensure risks are identified, managed and regularly assessed and that controls are operating effectively.
- Execution of risk taking and mitigation activities consistent with risk tolerance, where applicable.
- Identify and provide sufficient level of resources to ERM, including the designation of Departmental Risk Champion(s), and ensure succession planning.
- Identify/communicate significant events, performance surprises and incidents, understand root cause and determine required actions.
- Identify/consider new risks arising that could have a significant financial, strategic, operational or reputational impact.

Monitor the ERM process and associated risks
- Understand departmental risks and monitor effectiveness of management's risk responses/mitigation.
- Review and validate prioritised departmental risk assessment and register and evaluate against risk appetite.
- Review adherence to the principles of the SAHRA Risk Management Framework.
- Participate in independent ERM evaluations as necessary.

Reporting, communication, and change management
- Communicate the importance of effective risk management - tone at the top.
- Communicate key risks and related mitigation, new risks identified and escalate high risk events and incidents to SAHRA Executive Leadership as necessary and communicate to Risk Officer.
- Coordinate monthly, quarterly and annual risk reports.

Departmental Risk Champions
ERM Role: Risk Management departmental implementation and coordination
Key ERM Responsibilities:

Develop, Implement and Sustain the SAHRA ERM Framework
- Coordinate, conduct (as necessary), facilitate, follow up and document results of risk management activities at departmental level.
- Drive the performance of the annual departmental risk identification, assessment and prioritisation.
- Assume ownership of departmental risk management implementation and on-going sustainability, including the execution of risk management policies.
Departmental Risk Champions (continued)

- Coordinate with management to validate risk data prior to reporting.
- Record significant events, performance surprises and incidents and understand root cause and record required actions.

Monitor the ERM process and associated risks
- Maintain departmental risk registers incorporating risk owners, responses, mitigation, status and action plans.
- Monitor adherence to the principles of the SAHRA Risk Management Framework.
- Evaluate effectiveness of risk management framework and activities and identify ERM weaknesses, enhancements and related actions.
- Co-operate in independent risk management evaluations done by Internal Audit, regulators, etc.

Reporting, communication, and change management
- Assist the Internal Audit Function in coordinating ERM workshops, training, interviews, etc.
- Maintain communication with the respective Departmental Heads and risk management function and ensure timely reporting of incidents, risks identified, risk response strategies, mitigation, status and action plans.
- Record and communicate new risks that could have a significant financial, strategic, operational or reputational impact to the Departmental Head.
- Prepare monthly, quarterly and annual risk reports.

ERM Participant/operational staff
ERM Role: Risk Management Implementation
Key ERM Responsibilities:

Develop, Implement and Sustain the SAHRA ERM Framework
- Identify, assess, respond to and manage risks that may impede the achievement of SAHRA objectives at an operational/organisational level.
- Ensure compliance with the SAHRA ERM Framework.
- Participate in ERM workshops, interviews, meetings, training sessions, etc.

Monitoring of the ERM process and risks
- Monitor the business environment to identify potential risks.
- Ensure controls are operating effectively; report on status and corrective actions.
- Participate in independent evaluations.

Reporting, communication, and change management
- Report any risks identified to the Departmental Risk Champion.
- Participate in risk reporting, validation and training activities as necessary.
Programme manager(s)
ERM Role: Co-ordinate and monitor risks on projects
Key ERM Responsibilities:

Develop, Implement and Sustain the SAHRA ERM Framework
- Ensure risk management is embedded into programme and project methodologies and processes, and is executed reliably.
- Identify, assess, respond to and manage programme risks that arise as a result of a portfolio of projects.
- Consider all relevant risks in the prioritisation of projects.

Reporting, communication, and change management
- Report overall status and risks relating to programme management and co-ordinate, monitor and report project risks to the relevant Departmental Head.

Internal Audit/Assurance Provider
ERM Role: Independent ERM Review
Key ERM Responsibilities:

Develop, Implement and Sustain the SAHRA ERM Framework
- Provide risk management expertise to the organisation and guidance on the implementation of the framework.
- Provide input to the Executive Leadership Team regarding risk management resource needs and requirements.
- Assist senior management, Audit Committee/Council in fulfilling their responsibilities to monitor risks and controls and provide assurance to the Council regarding the effectiveness of the risk management process.
- Provide training and guidance to Departmental Risk Champions.
- Drive the performance of the annual enterprise-wide risk identification and assessment process.

Monitoring of the ERM process and risks
- Collate and aggregate enterprise and departmental risk management information to form a prioritised entity level risk register and portfolio of risks.
- Monitor and validate the effectiveness of mitigation activities, including independent control effectiveness reviews; assess the impact on residual risk and assess management's action plans.
- Coordinate with Departmental Risk Champions/management to validate risk data prior to reporting.
- Monitor the effectiveness of the overall ERM process at all levels of the organisation (ongoing monitoring reports and independent evaluation), consider deficiencies in the process and monitor corrective actions to enable continual improvement.

Evaluate the ERM process and internal controls
- Evaluate the effectiveness of SAHRA Risk Management processes and associated controls, monitor compliance with the framework and provide independent assurance to the Council/Audit Committee on the effective operation thereof.
- Provide input into the control effectiveness ratings.

Reporting, communication, and change management
- Report evaluation findings and recommendations to improve the SAHRA ERM process to the Audit Committee.
- Report to Audit Committee on the adequacy of the organisation's systems and controls for managing risk.
- Coordinate and consolidate monthly, quarterly and annual risk reports.
- Provide and/or coordinate training to all personnel involved in the ERM program.
Appendix C Risk Appetite & Risk Tolerances

C Risk appetite and risk tolerances

Risk appetite

Risk appetite is the amount of risk that SAHRA is willing to accept in pursuit of the achievement of its objectives, which provides a basis to create and sustain value. Risk appetite is an important, forward-looking perspective because it:
- Serves as a guide to SAHRA as to how much risk is acceptable;
- Is used as a benchmark during the strategy and objective setting process;
- Sets stakeholder expectations with regards to the level of risk that SAHRA is willing to undertake.

The risk appetite will need to be re-evaluated:
- As part of the annual strategy planning cycle and objective setting processes;
- When significant changes are made to the SAHRA organisation (mergers, restructuring etc.);
- When changes are made to the overall strategy and objectives of SAHRA;
- With changes in the business and economic landscape;
- With changes in expectations and risk preferences of key stakeholders.

Risk appetite is developed at the entity level by the Executive Leadership Team and proposed to the Council, through the Audit Committee, for approval. Once approved, it is the responsibility of the Council and the Executive Leadership Team to communicate the entity's risk appetite to the SAHRA staff and key stakeholders (as deemed necessary). Examples of how SAHRA may state its risk appetite are as follows:

Examples of Risk Appetite (risk appetite category: risk appetite example)
- Strategy: SAHRA will accept a moderate degree of risk in pursuing a new strategic initiative that is in alignment with the SAHRA long-term goals.
- Operations: SAHRA is willing to accept a minimal increase in cost per student. SAHRA will accept a minimal level of skilled personnel turnover given the specialised nature of its business.
- Reporting: SAHRA will not accept any deviation from financial reporting policies and procedures.
- Compliance: SAHRA will not accept any non-compliance with any legal or regulatory requirement.
Once the organisational risk appetite has been approved by senior management and the Council, the risk appetite for each department within SAHRA is determined. This decision, once made by the Executive Leadership Team, is communicated to management and is considered during their objective setting processes. Risk appetite may vary significantly by department. The following is considered when determining the risk appetite for each SAHRA department:
- Maturity of the business/functional unit/department;
- Nature of the business;
- Management expertise and experience;
- Stakeholder expectations of the business/functional unit;
- SAHRA enterprise risk appetite analysis defined above.

The risk appetite is a key input to the SAHRA strategy planning process. Accordingly, the risk appetite will need to be developed and communicated during the strategy and objective setting processes of SAHRA. The risk appetite should be updated, as deemed necessary, as part of the strategic planning process.

Risk tolerance

Risk tolerances are the acceptable levels of variation relative to the achievement of objectives. Risk tolerances are established taking into consideration the risk appetite of the organisation or the respective department. Operating within risk tolerances provides greater assurance that the organisation remains within its risk appetite. While the goal is to achieve or surpass the performance targets outlined in the balanced scorecards, management realises that various factors impact the organisation's ability to achieve each objective.

Risk tolerances will first be defined at the organisational level and then cascaded throughout SAHRA. As part of the objective setting process, the SAHRA Executive Leadership Team will develop risk tolerances at the entity level and these will be approved by the Council. Departmental Heads develop and approve risk tolerances for their respective departments.

Entity/departmental risk tolerances will be defined utilising the same metric(s) that are utilised to measure and monitor SAHRA's overall/departmental performance. The rating system used within the balanced scorecard will be used as a starting point to identify and evaluate risk tolerances.
Appendix D Risk Categories

D Risk categories

Risks identified at SAHRA will be grouped into similar types of risk called risk categories. The risk categories are aligned to SAHRA strategic objectives, and will facilitate the coordinated management of risk across the organisation. The risk categories to be used to group risks are as follows:

Strategy
- Governance (leadership, direction, planning and decision-making, succession planning, values and ethics, transparency, non-financial reporting, accountability framework)
- Organisational structure and alignment (policies and procedures, process)
- Restructuring
- Change management
- Relationships with stakeholders (including communication)
- Research and development
- New services
- Resource allocation
- Fraud

Human Resources
- Recruitment
- Retention
- Key dependency
- Leadership
- Skills and competencies
- Development and training
- Employment equity
- Culture
- Incentive and remuneration
- Performance measurement
- Employee satisfaction/morale
- Unethical behaviour
- Industrial action
- HIV/AIDS
- Intellectual property
- Physical safety

Operational
- Student registration
- Academic structure
- Cost per student
- PR and marketing
- Retention of students
- Policies
- Standard Operating Procedures
- Standards of Practice
- Student satisfaction

Supply chain
- Purchasing
- Quality - inbound
- Logistics
- Inventory management
- Contract management

Facilities / Building management and Support services
- Business interruption
- Safeguarding and security
- Asset management
- Maintenance
- Insurance (including fidelity cover)

Information Technology
- Planning and organisation
- Development and implementation
- Reliability, delivery and support
- Electronic commerce
- Infrastructure
- Business continuity
- Information security
- Systems

Financial management
- Cost management
- Cost centre accountability
- Income
- Cash flow
- Working capital
- Interest rate
- Investment
- Fraud
- Capital requirements
- Systems
- Financial reporting

Regulatory and Compliance
- Regulatory changes
- Government policy
- Compliance with legislation, regulations and industry standards
- Legal/Litigation
- Compliance with policies and procedures and standard operating procedures
- Safety, health and environment
- Quality systems - Document management standards
- Contract management
Appendix E Risk Rating Criteria & Risk Assessment

E Risk rating criteria and Risk Assessment

The impact and likelihood scores combined determine the priority of risks and which risks are reported at the entity level. This also provides an indication of the exposure of the organisation to a risk, expressed as the likelihood rating plus the impact rating.

Risk Rating
- Catastrophic (8-10): Fundamentally undermines the ability to achieve core business. Detailed action plan required.
- Major (6-7): Significant impact to the business/programme. Needs senior management attention.
- Moderate (5): Potential to have a marked impact on the business, but presents less of an immediate priority. Specify management responsibility.
- Minor (2-4): Comparatively low impact at present. Manage by routine procedures.

Impact criteria

The impact table rates each impact area on five levels: Insignificant, Minor, Moderate, Major and Catastrophic.

People (injuries)
- Insignificant: Injuries not requiring medical treatment.
- Minor: Minor injury or First Aid Treatment Case.
- Moderate: Serious injury causing hospitalisation.
- Major: Life threatening injury or multiple serious injuries causing hospitalisation.
- Catastrophic: Death or multiple life threatening injuries.

People (staff turnover)
- Insignificant: 1% staff turnover.
- Minor: 2% staff turnover.
- Moderate: 5% staff turnover.
- Major: 10% staff turnover.
- Catastrophic: 15% staff turnover.

Reputation
- Insignificant: Internal review.
- Minor: Scrutiny required by internal committees or internal audit to prevent escalation.
- Moderate: Scrutiny required by external committees.
- Major: Intense public, political and media scrutiny, e.g. front page headlines, TV, etc.
- Catastrophic: Assembly inquiry or Commission of inquiry or adverse national media.

Business Process & Systems
- Insignificant: Minor errors in systems or processes requiring corrective action, or minor delay without impact on overall schedule.
- Minor: Policy or procedural rule occasionally not met, or services do not fully meet needs.
- Moderate: One or more key accountability requirements not met. Inconvenient but not organisation welfare threatening.
- Major: Strategies not consistent with organisational objectives. Trends show service is degraded.
- Catastrophic: Critical system failure, bad policy advice or ongoing non-compliance. Business severely affected.

Financial
- Insignificant: 1% of Budget
- Minor: 2.5% of Budget
- Moderate: > 5% of Budget
- Major: > 10% of Budget
- Catastrophic: > 20% of Budget

Likelihood

Catastrophic or Major risks must be reported to Senior Management and require detailed treatment plans to reduce the risk to Minor or Moderate.

Likelihood rating (historical frequency; description)
- Almost Certain: > 1 in 10; is expected to occur in most circumstances.
- Likely: 1 in 10 to 1 in 100; will probably occur.
- Possible: 1 in 100 to 1 in 1,000; might occur at some time in the future.
- Unlikely: 1 in 1,000 to 1 in 10,000; could occur but doubtful.
- Rare: 1 in 10,000 to 1 in 100,000; may occur but only in exceptional circumstances.
Appendix F Sample Risk Register & Monitoring Template

F Sample risk register and monitoring template

The risk register is compiled using the outputs of the event identification, risk assessment and risk response steps in the framework. It is used to record all the risks identified by management that could impact the attainment of the organisation's strategic objectives, the inherent risk ratings decided upon and the appropriate risk response, taking into account the entity's risk appetite. It also provides for management to record the management actions and controls it has in place to mitigate the identified risks, and serves as an action registry for those areas where there are gaps in the controls implemented.

Risk register and monitoring template columns:
- Risk ref.
- Description of risk
- Risk owner
- Inherent risk rating (L, I, T)
- Control response
- Control effectiveness rating*
- Residual risk rating (L, I, T)
- Action owner
- Action due date
- Risk ranking status
- Monitoring: Assurance provider
- Monitoring: Frequency

* To be determined by the Risk Officer in consultation with the Assurance provider.

Key
- L: Likelihood
- I: Impact
- T: Total (i.e. L+I)

The ongoing monitoring of enterprise risk management is a critical factor in ensuring that the process remains effective and relevant to the entity. The risk monitoring template allows the Risk Officer to allocate the responsibility for providing assurance on the control effectiveness of implemented controls and to record the results of the work performed as a control effectiveness rating. The responsibility and frequency of monitoring activities is also documented. By continually monitoring the risk ranking status, the organisation is continually aligned with the stated risk appetite.
Action status (indicator meaning)
- Action Plan Overdue
- Action Plan due by the next report
- Action Plan on Schedule
- New Risks since last report

Ranking status (symbol meaning)
- Target ranking achieved
- Risk ranking reduced
- Risk ranking unchanged
- Risk ranking increased

Control effectiveness rating
- 3: Identified controls are not operating effectively and significant and immediate action is required.
- 2: Identified controls are operating satisfactorily but there is moderate scope for improvement.
- 1: Identified controls are operating as intended with only limited/minor room for improvement.
Appendix G Illustrative Portfolio View Of Risks

G Illustrative portfolio view of risks

From the information in the risk register, it is possible to categorise and aggregate the risks in order to provide management with a portfolio view of risks. Possible alternatives in presenting a portfolio view include the following:
- Risk profile of risk categories at the entity or departmental level
- Risk profile by strategic objective at the entity or departmental level
- Risk profile of departments at the entity level
- Risk profile of risk owners at the entity level
- Risk profile of top 20 or 30 risks at the entity or departmental level

Risk profiles can be presented on an inherent or a residual risk basis and can also reflect the movement of risk ratings over a period of time. One example of how this information can be presented graphically is included below. Such a graphical representation allows management to obtain a snapshot view of the risks facing the organisation and identify those risk categories that are outside of the entity's risk appetite.

[Figure (illustrative example only): risk portfolio heat map. Vertical axis: Impact (Insignificant, Minor, Moderate, Major, Catastrophic). Horizontal axis: Likelihood of Occurrence (Rare, Unlikely, Possible, Likely, Almost Certain). Rating bands: Catastrophic, Major, Moderate, Minor. Plotted risk categories: 1 Students; 2 Finance; 3 Reputation; 4 Information technology; 5 Funding; 6 Strategy; 7 Procurement; 8 Regulatory; 9 Research; 10 Investment; 11 Reporting.]
Appendix H Reporting Requirements

H Reporting requirements

Each entry below gives: type of risk management information; reporting responsibility; timing; format of report; forum for discussion and evaluation.

Council

1. Key risk management issues and related actions arising from the quarterly Audit Committee reviews, including reports on the ongoing operation of the risk management process and reviews on the effectiveness thereof.
   Reporting responsibility: Audit Committee. Timing: Quarterly. Format: Council risk management quarterly report. Forum: Council Meeting.

2. Prioritised updated risk register and monitoring report for key risks (top 20) to include: risk owners, risk responses and mitigation; actions and status; new risks, risks removed, change in ranking status; control effectiveness and residual risk ratings.
   Reporting responsibility: Audit Committee (with assistance of Internal Audit). Timing: Quarterly. Format: Council risk management quarterly report. Forum: Council Meeting.

3. Updated enterprise risk profile and broad strategies for risk responses.
   Reporting responsibility: Audit Committee (with assistance of Internal Audit). Timing: Quarterly. Format: Council risk management quarterly report. Forum: Council Meeting.

4. High impact/low probability risks plans and risk response effectiveness/ongoing monitoring.
   Reporting responsibility: Audit Committee (with assistance of Internal Audit). Timing: Quarterly. Format: Council risk management quarterly report. Forum: Council Meeting.

5. Results of the annual risk identification and assessment process (enterprise level).
   Reporting responsibility: Audit Committee. Timing: Annual. Format: Annual risk assessment report. Forum: Council Meeting.

6. Independent review of the effectiveness of the risk management process, related recommendations and action plans.
   Reporting responsibility: Audit Committee (independent review results). Timing: Annual. Format: Annual independent review report. Forum: Council Meeting.

7. Identification of new risks that could have a significant financial, strategic, operational or reputational impact.
   Reporting responsibility: Audit Committee. Timing: Immediate. Format: Ad-hoc report on significant risk arising. Forum: Ad-hoc Council meeting, as necessary.
Reporting to the Audit Committee

- Independent review of the effectiveness of the risk management process, related recommendations and action plans. Responsibility: Internal Audit/Assurance Provider; Timing: Annual; Format: Annual independent report; Forum: Audit Committee meeting.
- Prioritised updated risk register and monitoring report for key risks, including risk owners, risk responses and mitigation; actions and status; new risks, risks removed and changes in ranking status; control effectiveness and residual risk ratings. Responsibility: Internal Audit; Timing: Quarterly; Format: Risk management quarterly report; Forum: Audit Committee meeting.
- Updated enterprise risk profile and broad strategies for risk responses. Responsibility: Internal Audit/CEO; Timing: Quarterly; Format: Risk management quarterly report; Forum: Audit Committee meeting.
- High impact/low probability risk plans and risk response effectiveness/ongoing monitoring. Responsibility: Internal Audit; Timing: Quarterly; Format: Risk management quarterly report; Forum: Audit Committee meeting.
- Performance surprises/significant incidents, their cause and corrective action. Responsibility: CEO; Timing: Quarterly; Format: Risk management quarterly report; Forum: Audit Committee meeting.
- Summary of significant issues raised in reports from assurance providers (regulatory bodies, internal audit), the cause of non-compliances and corrective action. Responsibility: CEO; Timing: Quarterly; Format: Risk management quarterly report; Forum: Audit Committee meeting.
- Monitoring of the effectiveness of the risk management process, compliance with the ERM framework and procedures, recommended improvements and related actions. Responsibility: Internal Audit; Timing: Quarterly; Format: Risk management quarterly report; Forum: Audit Committee meeting.
- Results of the annual risk identification and assessment process (enterprise and summary of departmental). Responsibility: Internal Audit; Timing: Annual; Format: Annual risk assessment report; Forum: Audit Committee meeting.
- Identification of new risks that could have a significant financial, strategic, operational or reputational impact. Responsibility: CEO; Timing: Immediate; Format: Ad-hoc report on significant risk arising; Forum: Ad-hoc meetings, escalated to the Chairperson of the Council.
Reporting to the SAHRA Executive Leadership Team

- Prioritised updated risk register and monitoring report for key risks (departmental and enterprise), including risk owners, risk responses and mitigation; actions and status; new risks, risks removed and changes in ranking status; control effectiveness and residual risk ratings. Responsibility: Internal Audit; Timing: Monthly; Format: Monthly risk management report; Forum: Exco meeting.
- Updated enterprise risk profile and broad strategies for risk responses. Responsibility: Departmental Heads (with assistance of Internal Audit); Timing: Quarterly; Format: Relevant monthly risk management report; Forum: Exco meeting.
- High impact/low probability risk plans and risk response effectiveness/ongoing monitoring. Responsibility: Internal Audit; Timing: Quarterly, or on a change in status; Format: Relevant monthly risk management report; Forum: Exco meeting.
- Performance surprises/significant incidents, their cause and corrective action. Responsibility: Departmental Heads; Timing: Monthly; Format: Monthly risk management report; Forum: Exco meeting.
- Summary of significant issues raised in reports from assurance providers (regulatory bodies, internal audit), the cause of non-compliances and corrective action. Responsibility: Departmental Heads; Timing: Monthly; Format: Monthly risk management report; Forum: Exco meeting.
- Monitoring of the effectiveness of the risk management process, compliance with the ERM framework and procedures, recommended improvements and related actions. Responsibility: Internal Audit; Timing: Monthly; Format: Monthly risk management report; Forum: Exco meeting.
- Results of the annual risk identification and assessment process (enterprise-wide and summary of divisions). Responsibility: Internal Audit; Timing: Annual; Format: Annual risk assessment report; Forum: Exco meeting.
- Identification of new risks that could have a significant financial, strategic, operational or reputational impact. Responsibility: Departmental Heads; Timing: Immediate; Format: Ad-hoc report on significant risk arising; Forum: Ad-hoc Exco meeting, escalated to the Risk Committee.
Reporting to the Internal Audit Function (based on information reviewed by the relevant Head of Department)

- Prioritised updated departmental risk register and monitoring report, including risk owners, risk responses and mitigation; actions and status; new risks, risks removed and changes in ranking status. Responsibility: Risk Champions; Timing: Monthly; Format: Monthly departmental risk management report; Forum: Monthly meeting with the Risk Officer.
- Performance surprises/significant incidents, their cause and corrective action. Responsibility: Risk Champions; Timing: Monthly; Format: Monthly departmental risk management report; Forum: Monthly meeting with the Risk Officer.
- Monitoring of the effectiveness of the risk management process, compliance with the ERM framework and procedures, recommended improvements and related actions. Responsibility: Risk Champions; Timing: Monthly; Format: Monthly departmental risk management report; Forum: Monthly meeting with the Risk Officer.
- Reports from assurance providers (regulatory bodies, external audit), the cause of non-compliances and corrective action. Responsibility: Assurance providers; Timing: Ad hoc, as reports are issued; Format: Report issued by the assurance provider; Forum: Ad-hoc meetings, as required.
- Results of the departmental annual risk identification and assessment. Responsibility: Risk Champions; Timing: Annual; Format: Annual departmental risk assessment report; Forum: Validation/review meeting with the Risk Officer.
- Identification of new risks that could have a significant financial, strategic, operational or reputational impact. Responsibility: Risk Champions; Timing: Immediate; Format: Ad-hoc report on significant risk arising; Forum: Ad hoc, escalated to the Head of Department/CEO.
Reporting to Departmental Heads

- Prioritised updated departmental risk register and monitoring report, including risk owners, risk responses and mitigation; actions and status; new risks, risks removed and changes in ranking status. Responsibility: Risk Champion; Timing: Monthly; Format: Monthly departmental risk management report; Forum: Monthly departmental management meeting.
- Performance surprises/significant incidents, their cause and corrective action. Responsibility: Risk Champion; Timing: Monthly; Format: Monthly departmental risk management report; Forum: Monthly departmental management meeting.
- Monitoring of the effectiveness of the risk management process, compliance with the ERM framework and procedures, recommended improvements and related actions. Responsibility: Risk Champion; Timing: Monthly; Format: Monthly departmental risk management report; Forum: Monthly departmental management meeting.
- Results of the departmental annual risk identification and assessment. Responsibility: Risk Champion; Timing: Annual; Format: Annual departmental risk assessment report; Forum: Annual departmental risk assessment meeting.
- Identification of new risks that could have a significant financial, strategic, operational or reputational impact. Responsibility: Risk Champion; Timing: Immediate; Format: Ad-hoc report on significant risk arising; Forum: Ad hoc, escalated to the Head of Department and the Risk Officer.
Appendix I Communication requirements

An ongoing risk management communication strategy will address how SAHRA will communicate and distribute risk management policies, procedures and key principles on an ongoing basis. The information and frequency of risk management communication may vary based on the stakeholder. Therefore, a communication plan should be developed to identify and manage the risk management communication needs of each stakeholder. Potential channels of communication may include the Intranet, e-mails, newsletters and bulletin boards. The following table, which gives an example of the communication requirements per stakeholder, can be used as a starting point to develop the communication strategy and plan.

Illustrative example only. Each entry gives the risk management stakeholder and the sample communication requirement, followed by the person responsible for communication, the timing and the mode of communication.

- External stakeholders: risk management disclosures. Responsible: Council; Timing: Once a year; Mode: Annual report.
- Internal stakeholders: emphasis on the importance of an effective risk management program across the organisation, to establish a consistent tone across the organisation. Responsible: Council, Audit Committee, SAHRA Executive Leadership Team and risk champions; Timing: Ongoing; Mode: E-mails and staff bulletins.
- Council: overall effectiveness of the SAHRA ERM framework and process. Responsible: Chair of the Audit Committee; Timing: Quarterly; Mode: Presentation.
- Audit Committee: overall effectiveness of the SAHRA ERM framework and process. Responsible: Head of Internal Audit; Timing: Annually; Mode: Presentation.
- SAHRA Executive Leadership Team: ERM responsibilities during strategy and objective setting. Responsible: Internal Audit; Timing: Annually; Mode: Strategy/objective setting meetings.
- Departmental Heads: reinforce the need to integrate ERM into the division/functional unit. Responsible: Internal Audit; Timing: Quarterly; Mode: Departmental Heads meetings.
- Internal Audit: enhancements to the ERM framework and process. Responsible: Risk champions; Timing: Ad hoc; Mode: Verbal.
- Internal Audit: overall ERM update. Responsible: Departmental Heads; Timing: Quarterly; Mode: Quarterly ERM Champions meetings.
- ERM participants: ERM responsibilities and their linkage to objective management. Responsible: Departmental Heads/Department Risk Champions; Timing: Quarterly; Mode: Quarterly ERM Participants meetings and strategy/objective setting meetings.
RISK MANAGEMENT AND COMPLIANCE
RISK MANAGEMENT AND COMPLIANCE Contents 1. Risk management system... 2 1.1 Legislation... 2 1.2 Guidance... 3 1.3 Risk management policy... 4 1.4 Risk management process... 4 1.5 Risk register... 8 1.6
Risk Management Policy
Risk Management Policy Risk Management Policy Record Number D14/79827 Responsible Manager Manager Strategy and Governance Last reviewed 10 March 2015 Adoption reference Council Resolution number 90.5 Previous
Applying Integrated Risk Management Scenarios for Improving Enterprise Governance
Applying Integrated Risk Management Scenarios for Improving Enterprise Governance János Ivanyos Trusted Business Partners Ltd, Budapest, Hungary, [email protected] Abstract: The term of scenario is used
Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE
Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE March 2012 Table of Contents Executive Summary... 1 Introduction... 1 Risk Management and Assurance (Assurance Services)... 1 Assurance Framework...
SAI GLOBAL LIMITED Risk Management Policy
SAI GLOBAL LIMITED Risk Management Policy SAI Global Ltd ABN 67050611642 Last Updated: February 2012 Contents 1. Risk Management... 3 2. Policy... 3 3. Risk Management Philosophy... 3 4. Risk Appetite...
Audit of the Policy on Internal Control Implementation
Audit of the Policy on Internal Control Implementation Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada February 18, 2013 1 TABLE OF
