Title: How do you make risk management work in your organisation
1. How do you make risk management work in your organisation?
- IRMSA Breakfast
- 27 March 2009
3. Essential administrative gears
- Appointment of SP (2.5 years)
- Strategic support from Mayor Accounting Officer (Signed letter)
- Developed and implemented a risk reporting template for each project submitted to Mayco/Council
- Designed and implemented a Project Progress Status Report (attached to SP's invoice) indicating progress with (1) annual review, (2) operational workshops and (3) MAPs on week-to-week and month-to-month basis
- Monthly meetings with EMT Governance Sub-Committee to discuss operational issues
- Implemented RiskCo to discuss high-level risks on monthly basis
- Developed and implemented TOR for RiskCo
- Developed and implemented a 1-pager reporting template to RiskCo indicating (1) Extreme, High, etc. risk categories, (2) control confidence, e.g. weak or unsatisfactory, etc., (3) MAP status, i.e. Intervention attention finalise test and maintain
4. Essential administrative gears
- In process of upgrading an electronic tool
- Developed and approved organogram
- Designed JDs evaluated advertising
- IRM Strategy Policy in draft format
- Delegations for IRM approved
- Change management plan in draft
- IRM Communication plan in draft
- Fraud prevention and response plan approved as well as Whistle Blowers Policy
- CRO Skills Gap Analysis Draft
- CRO Roles and Responsibilities completed
- Risk Priority Framework completed
- Initially used SP's methodology, but base CoCT's methodology on PSRMF Draft ISO 31000 draft King III
- Document to control distribution confidentiality of risk registers
5. Levels of Risk
6. Holistic Risk Management Approach
[Diagram with columns: Environment, Oversight, Process, Roleplayers]
Internal Environment Assessment
- Directorate Business Units
- Corporate Services
- Utility Services
- Safety and Security
- Service Delivery Integration
- Community Development
- Economic Social Dev
- Trans, Roads and S/water
- Office of the City Manager
- Strategy and Planning
- Chief Audit Executive
- Health Services
- Housing Services
- Finance Services
Oversight
- MayCo / Council
- Audit Committee
- Internal/External Audit Assurance
- Executive Management Team
- Executive Directors and Directors
Process
- Risk Management objectives defined
- Risk Event/Scenario Identification
- Risk Assessment (Ratings)
- Control Activity Assessment (confidence)
- Risk Mitigation Planning
Roleplayers
- Insurance
- OHS
- DRMC
- Forensics
- Internal Audit
- Human Resources
- Legal
- Envir. Res Man.
Process Reporting / Process Output
- Executive
- Information Dissemination
- Risk Register
- Risk Executive Summary Report
- Tactical
- MAP
- Monitoring and Follow-up
- Dashboards
- Operational
- Minutes
- Assurance Review
7. Executive Summary Stats
8. Executive Summary Graphs
9. Graphs e.g. Heatmaps Inherent (CFO)
[Heatmap: LIKELIHOOD (Almost certain, Likely, Possible, Unlikely, Rare) against IMPACT (Catastrophic, Critical, Serious, Significant, Minor). Key: Inherent risk severity (assessed before existing controls): Extreme, High, Moderate, Low, Insignificant.]
10. Graphs e.g. Heatmaps Residual (CFO)
[Heatmap: INHERENT RISK (Extreme, High, Moderate, Low, Insignificant) against CONTROL CONFIDENCE (Unsatisfactory, Weak, Satisfactory, Good, Very good). Key: Residual risk severity (assessed after existing controls): Priority 1, Priority 2, Priority 3, Priority 4 5.]
11. Integrated Enterprise Risk Management (ERM) Model
[Diagram labels: E.R.M; Reporting; Corporate Services; Community Development; Eco Soc Development; Finance Directorate; Office of the City Manager; Director Safety Security; Strategy Planning; Utility Services; Housing; Directorate Internal Audit; Service Delivery Integration; Cross cutting Elements/Tools]
12. Embedding the IRM culture
- Regular circulars to management (top 500)
- Articles in Contact Magazine
- IRM Web-site in progress
- Training of Risk Community Champs co-ordinators (90min. Introduction 2 X 6 hours training sessions)
- 45 minutes introduction sessions to senior management meetings
- Divided organisation into 13 streams, identified stream leads, conducted 82 Strategic and Tactical workshops, engaged with 97 operational workshops
13. City Challenges
[Diagram labels:]
- Council
- MayCo
- Audit Committee Risk Committee
- Executive Management Team
- CRO ERM Team
- Departments (Budgets, Tourism Emergency Services)
- Assurance Providers - External Internal Audit
- Operational Committees
- Sections (Disaster Risk Management)
14. THE END
- Panel Discussion
- L. Geldenhuys
- ludgel_at_absamail.co.za
- Ludwig.geldenhuys_at_capetown.gov.za