
Enterprise Risk Management
A new focus

Presented by:
Phumi Madlala
eThekwini Municipality

Agenda
The Risk Management Process:

Definitions

Introduction and background

Benefits of Risk Management

Enterprise Risk Management (ERM) Process

Conducting Corruption Risk Assessment:

Preparation

During the risk assessment

Outcome: risk register

Ongoing monitoring & reporting



Definitions
- Risks are uncertain future events that could influence the achievement of objectives.
Risk Management:
- A management tool for creating awareness of, and managing, obstacles that have the potential to prevent the organization from achieving its objectives;
- Is also about assessing, both quantitatively and qualitatively, the opportunity for success of business initiatives;
- Is composed of methodologies and processes designed to develop information critical to achieving the strategic objectives of the organization.

Legislative mandate
1. MFMA, S 62 (1)(c) states:
the accounting officer must ensure that the municipality has and maintains effective, efficient and transparent systems of financial and risk management and internal control
2. S 78 and 105 further assign the responsibilities to other officials to ensure effective, efficient, economical and transparent use of financial and other resources within that official's area of responsibility
3. S 165 (2)(b) requires the internal audit unit to advise the AO on matters related to (iv) risk and risk management
4. S 166 (1) requires the audit committee to advise the municipal council, political office-bearers, AO and management staff on matters related to (ii) risk management
5. King III Code on Corporate Governance and Public Sector Risk Management Framework states:
The Council/Board is responsible for the total process of risk management, as well as for forming its own opinion on the effectiveness of the process.

Value add from Risk Management
Highlights processes that are not clearly understood;
Identifies processes that are inefficient;
Promotes efficiency of service delivery;
Creates awareness of high risk areas and ensures uniformity in addressing exposure areas;
Creates awareness of what can/cannot be controlled;
Ensures reasonable and practical time is taken to implement required responses;
Promotes pro-activeness rather than reactive response (reduce surprises);

Results of Ineffective Risk Management
Breakdown in internal control that could prevent the organization from achieving its objective;
Reactive responses to potential risks, rather than proactive;
Changing/new risks are not adequately controlled and managed;
Internal control practices become outdated with limited account taken of best practice development;

eThekwini Risk Management Governance Structure

Diagram labels: MANAGEMENT, ASSURANCE, GOVERNANCE, OVERSIGHT

Council and Key Committees
Audit and Risk Committee
City Manager and Key Committees
Managing Risk & Municipality Sub Committee
Risk Management Committee
First Line of Defence
Second Line of Defence
DCM Forum
Chief Risk Officer
Third Line of Defence
Internal Audit and External Auditors
Management of Operations
Risk Champions

eThekwini Municipality - EXCO ERM

Risk Management Strategy Overview

Establish Goals & Context
Identify Risks
Analyse Risks: Likelihood, Impact
Evaluate the Risks
Treat the Risks
Monitor / Review

Corruption Risk Assessment

Corruption Risk Management

- Part of Enterprise Risk Management, focusing only on exposures that result from corrupt activities;
- Best approach to managing fraud/corruption:
Prevent it;
Whatever cannot be prevented, controls should detect quickly;
Investigate the root cause of detected/reported fraud cases;
Correct root causes/take quick action.

Corruption Risk Assessment
Risk Assessment:
The process of identifying risk exposures and assessing the impact they would have on the achievement of objectives and the likelihood of their occurring. The process also involves evaluating suitable ways to mitigate the risks of corruption and assessing the effectiveness of controls.
ERM:
Fraud/corruption risk forms one category of the risks that are significant within eThekwini Municipality, which is managed separately at a strategic level;
Top-down approach: strategic risks are cascaded down to operations.
Link between risk categories:
Some risks are inter-linked, e.g. failure to manage fraud/corruption risk results in high exposure to compliance risk and, by default, operational risk (due to weakness in controls), which might lead to reputational risk.

Role of compliance in fraud/corruption prevention
Highly compliant organizations
strong ethical environments
reduced fraud/corruption risk

Preparation by facilitator

- Assessing environment's exposure to corruption;
Inherent risk exposures;
Perform trends analysis based on stats or working with research/forensic unit;
Understand the sector, read journals/publications like Delivery, and most importantly your organisation's control environment/operations within your environment;
Stakeholders and their influence on the environment;
Separate facts from opinions;
Recent media reports & perceptions of organisation (surveys)

- Establish current risk tolerance level;
Tone at the top;
Sound ethical culture;
Regular/ongoing training of staff, updates of training manuals, relevance to level of audience according to expectations

- Pro-active defence (mitigations)
Periodic results of data interrogation in relation to corruption risk assessment;
Be familiar with existing controls from first point of contact with organisation, e.g. background checks prior to employment/engagement with service providers/customers;

- Sound internal control system
Frequent review and update of anti-corruption policies and procedures;
Ensure alignment of company policies/procedures with regulations/legal findings/forensic developments/sector developments
Assurance providers: establish relationships with them, ongoing consultations on recent findings on exposures to corruption


Preparing for Corruption Risk Assessment
Important Considerations:
Best suitable form of risk assessment to use: management workshop vs information gathering;
Level at which you are assessing exposure to corruption, e.g. strategic vs operational (departments): invite the right audience;
Management's tone regarding prevention of corruption, e.g. understanding of/familiarity with anti-corruption policies/strategies; support structures; understanding of risk process; are they defensive - personalise issues/performance management;
Adequate notification: pre-reading which directs focus on existing exposures/control environment/stats from forensics/IA reports/management report/regulatory developments/other recent developments to combat fraud/corruption within sector (Local Government Anti-Corruption Strategy)
Logistics:
Suitable venue: promote interaction/co-operation, away from office distractions, no laptops or use of cellphones during session;
Duration of assessment: reasonable approximation, worse is to underestimate time; control discussions
Pre-planning with leader (buy-in): outlining process/expectations/outcome. He sets the tone during introduction of corruption risk assessment.

During the Assessment

Introduction by Head: Strategic/Operational. Communicate expectations/set tone: promote participation & freedom of expression; assessment based on facts rather than opinions;
Introduction by facilitator: outline the process/methodology & outcome;
Reference to pre-reading;
Control discussions to focus on facts & desired outcome;
Ensure audience participation and buy-in;
Understand root causes for each risk properly so that correct controls and relevant actions to address exposures can be identified;
Adherence to risk management standards, specifically anti-corruption framework/strategy;

Corruption Risk Register
Outcome:
Risk register with identified strategic/operational corruption risks;
Risk owners: strategic (City Manager/Executives) / operational (Dept Heads);
Impact & likelihood for each risk, per methodology;
Assessment of current controls in terms of effectiveness (IA & other assurance providers);
Tasks to improve our exposure to each risk:
to address root causes; and
to strengthen current controls; or
once implemented to add to existing controls
Allocate task owners, based on areas where risk is prevalent and suitability to implement action to mitigate root causes;
Strategic risks to be cascaded down at operational level.

Ongoing monitoring of corruption risk
Independent annual review of anti-corruption strategy and its effectiveness in reducing corrupt activities by Internal Audit;
Anti-corruption/Fraud Prevention Committee reporting on implementation of strategy & anti-corruption/fraud prevention initiatives;
Governance audit of committees on implementing action per TORs;
Monitoring progress of tasks on corruption risk registers (strategic & operational);
Quarterly review of existing risks & identification of emerging risks due to change in internal/external environment;
Reporting progress to appropriate structures;
Ensure implementation of forensic reports' recommendations to enhance internal controls;
Training of staff on their responsibility to report corruption & fraud activities;
Promotion of ethical culture throughout municipality;
Communicate successes in uprooting corruption;
Response strategy on allegations/articles from media;

References
Quotes have been taken from various risk management & anti-corruption standards, best practice & guidelines.


THOUGHT PROVOKING QUOTES:
The true measure of a man is who he is when nobody is watching;
Perception is more powerful than fact when it comes to fraud/corruption;
If you don't invest in risk management, it does not matter what business you are in, it's a risky business
The greatest contributions of risk managers is just carrying a torch around and providing transparency

LET WHO WE ARE & OUR LIVES REPRESENT THE LIGHT THAT WE PROVIDE, &:
KEEP THE LIGHT BURNING.....ALWAYS
Siyabonga
Thank You
