How do you make risk management work in your organisation

Slides: 15
Provided by: prei272

1
How do you make risk management work in your
organisation?
  • IRMSA Breakfast
  • 27 March 2009

2
3
Essential administrative gears
  • Appointment of SP (2.5 years)
  • Strategic support from Mayor & Accounting Officer
    (Signed letter)
  • Developed & implemented a risk reporting template
    for each project submitted to Mayco/Council
  • Designed & implemented a Project Progress Status
    Report (attached to SP's invoice) indicating
    progress with (1) annual review, (2) operational
    workshops and (3) MAPs on week-to-week and
    month-to-month basis.
  • Monthly meetings with EMT Governance
    Sub-Committee to discuss operational issues
  • Implemented RiskCo to discuss high-level risks on
    monthly basis
  • Developed and implemented TOR for RiskCo
  • Developed & implemented a 1-pager reporting
    template to RiskCo indicating (1) Extreme, High,
    etc. risk categories, (2) control confidence,
    e.g. weak or unsatisfactory, etc., (3) MAP
    status, i.e. Intervention attention finalise
    test and maintain

4
Essential administrative gears
  • In process of upgrading an electronic tool
  • Developed and approved organogram
  • Designed JDs evaluated advertising
  • IRM Strategy & Policy in draft format
  • Delegations for IRM approved
  • Change management plan in draft
  • IRM Communication plan in draft
  • Fraud prevention and response plan approved as
    well as Whistle Blowers Policy
  • CRO Skills Gap Analysis Draft
  • CRO Roles and Responsibilities completed
  • Risk Priority Framework completed
  • Initially used SP's methodology, but base CoCT's
    methodology on PSRMF, Draft ISO 31000 & draft King
    III
  • Document to control distribution &
    confidentiality of risk registers

5
Levels of Risk
6
Holistic Risk Management Approach
Environment
Oversight
Process
Roleplayers
Internal Environment Assessment
  • Directorate Business Units
  • Corporate Services
  • Utility Services
  • Safety and Security
  • Service Delivery Integration
  • Community Development
  • Economic & Social Dev
  • Trans, Roads and S/water
  • Office of the City Manager
  • Strategy and Planning
  • Chief Audit Executive
  • Health Services
  • Housing Services
  • Finance Services

Insurance
MayCo / Council
Risk Management objectives defined
OHS
Audit Committee
DRMC
Risk Event/Scenario Identification
Forensics
Internal/External Audit Assurance
Internal Audit
Executive Management Team
Risk Assessment (Ratings)
Human Resources
Executive Directors and Directors
Legal
Control Activity Assessment (confidence)
Envir. Res Man.
Risk Mitigation Planning
Process Reporting
Process Output
Executive
Information Dissemination
Risk Register
Risk Executive Summary Report
Tactical
MAP
Monitoring and Follow-up
Dashboards
Operational
Minutes
Assurance Review
7
Executive Summary Stats
8
Executive Summary Graphs
9
Graphs e.g. Heatmaps Inherent (CFO)
10
[Heatmap figure: numbered risks plotted by LIKELIHOOD (Almost certain, Likely, Possible, Unlikely, Rare) against IMPACT (Catastrophic, Critical, Serious, Significant, Minor). Key: Inherent risk severity (assessed before existing controls): Extreme, High, Moderate, Low, Insignificant.]
10
Graphs e.g. Heatmaps Residual (CFO)
[Heatmap figure: numbered risks plotted by INHERENT RISK (Extreme, High, Moderate, Low, Insignificant) against CONTROL CONFIDENCE (Unsatisfactory, Weak, Satisfactory, Good, Very good). Key: Residual risk severity (assessed after existing controls): Priority 1, Priority 2, Priority 3, Priority 4 & 5.]
11
Integrated Enterprise Risk Management (ERM) Model
[Diagram labels: Reporting; E.R.M; Corporate Services; Community Development; Eco & Soc Development; Finance Directorate; Office of the City Manager; Director Safety & Security; Strategy & Planning; Utility Services; Housing; Directorate Internal Audit; Service Delivery Integration; Cross cutting Elements/Tools]
12
Embedding the IRM culture
  • Regular circulars to management (top 500)
  • Articles in Contact Magazine
  • IRM Web-site in progress
  • Training of Risk Community Champs &
    co-ordinators (90 min. introduction & 2 x 6 hours
    training sessions)
  • 45 minutes introduction sessions to senior
    management meetings
  • Divided organisation into 13 streams, identified
    stream leads, conducted 82 Strategic and Tactical
    workshops & engaged with 97 operational workshops

13
City Challenges
Council
MayCo
Audit Committee & Risk Committee
Executive Management Team
CRO & ERM Team
Departments (Budgets, Tourism & Emergency
Services)
Assurance Providers - External & Internal Audit
Operational Committees
Sections (Disaster Risk Management)
14
THE END
  • Panel Discussion
  • L. Geldenhuys
  • ludgel_at_absamail.co.za
  • Ludwig.geldenhuys_at_capetown.gov.za