Enterprise Risk Management Framework



Public Sector Risk Management Framework

Guidebook: Risk identification

(for the purposes of this guideline, the term “Institution” refers to National Departments, Provincial Departments, Constitutional Institutions, Public Entities, Provincial Entities, Municipalities (Metropolitan, Local and District) and Municipal Owned Entities)

Note: All underlined words in this document contain a link to a relevant example, guidebook or template. If you click on the link it will open the relevant document automatically.

Published by:

Contents

1 Introduction

2 The outputs of risk identification

3 The risk identification process

4 How to perform risk identification

5 A more detailed look at risk identification

Introduction

Management almost always knows what risks the institution is exposed to, but does not always formally record such risks. The purpose of completing a risk identification exercise is to identify, discuss and document the risks facing the institution. The document in which the risks are recorded is known as the “risk register”. The risk register serves three main purposes.

The first is that it is a source of information to report the key risks throughout the institution, as well as to key stakeholders.

The second purpose of the risk register is for the benefit of management. Management uses the risk register to focus their priorities.

The third purpose of the risk register is to help the auditors to focus their plans on the institution’s top risks.

The outputs of risk identification

The main output of a risk identification exercise is a risk register.

There is no single blueprint for the format of a risk register and institutions have a great degree of flexibility regarding how they lay out their documents. As a minimum the description of the risk, the rating of each risk, the control owner of each risk and the current control effectiveness for each risk should be recorded.

Click here to see a sample risk register.

Click here to see an example of a risk register.

The risk identification process

Risk identification is a deliberate and systematic effort to understand and document all of the key risks facing the institution.

Risk identification starts with understanding the institutional objectives, both implicit and explicit. Risks are those things that will prevent the institution from achieving these objectives. The risks in question do not only relate to fraud, finance or safety but encompass the whole spectrum of risk that can affect the achievement of objectives.

When identifying risks, it is also important to bear in mind that “risk” also has an opportunity component (refer to the definition of risk as adopted in the risk management framework). This means there must also be deliberate attention to identifying potential opportunities that could be exploited to improve institutional performance.

How to perform risk identification

It is important that the risk identification exercise does not get bogged down in conceptual or theoretical detail. It should also not limit itself to a fixed list of risk categories, although such a list may be helpful.

Click here to see a list of typical risk categories.

Risk identification must be informed by objectives. An example is provided below:

Objective: To build 2 000 houses

Risk: The starting point for risk identification should be to question what in the internal and external environment would prevent this from happening.

Risk identification must produce reliable and relevant information. It is therefore critical that the risk identification process is comprehensive and rigorous. Although participative workshops are a popular and quick way of identifying risks, good risk identification cannot rely solely on the perceptions and subjectivity of a select group of managers.

Since risk workshops are useful only for filtering and screening possible risks, it is important that the workshops are supplemented by more sophisticated methods to determine which risks are “real” and which are not. Examples of more sophisticated methods of analysis include stress testing, benchmarking, data analysis, forecasting, environmental scanning, etc.

It is also important to note that certain activities lend themselves to certain types of risk identification methodologies, e.g. financial management – forecasting, stress testing, modelling; health and safety – physical inspection, historical analysis; engineering – HAZOP, stress testing, inspections, fault tree analysis.

Therefore, management must not be content with simply accepting the results of a risk assessment workshop as the only or best method, and must strive to match each discipline with the technique best suited to it, so that the identified risks are of good quality and complete.

The risk identification process must identify unwanted events, undesirable outcomes, emerging threats, as well as existing and emerging opportunities.

Data analysis, review of performance indicators, economic information, loss data, scenario planning and the like can produce important risk information. Furthermore, processes used during strategic planning like SWOT Analysis, PEST(EL) Analysis and benchmarking will have revealed important risks and opportunities that must not be ignored i.e. they must be included in the risk register.

Certain disciplines like IT, Strategic Management, Health and Safety etc. already have in place established risk identification methodologies as informed by their professional norms and standards. The risk identification process should recognise and utilise the outputs of these techniques in order not to “re-invent the wheel”.

Experience has shown that management often disregards well controlled risks when documenting the risk profile of the institution. It however must be stressed that a well controlled risk must still be recorded in the risk profile of the institution. The reason for this logic is that the processes for identifying risk must ignore at that point any mitigating factors (these will be considered when the risk is being assessed).

Risk information should ideally be captured in the following manner:

1) Identify and record the risk, the risk description, its root causes and the possible consequences;

2) Identify the key controls currently in place to mitigate the identified risks.

A more detailed look at risk identification

Risk identification is one of the most important parts of the risk management process because if not all of the risks are identified, or risks are incorrectly identified, management will not focus their attention on the most important issues.

To ensure rigour in risk identification, the process must consider the following:

1) Strategic risks

These risks emanate from the strategic choices made by the institution, specifically with regard to whether such choices enhance or strengthen the institution’s ability to perform its mandate.

2) Sector specific risks

These risks are inherent to the sector in which the institution is operating. For example, an institution operating in the housing development sector will inherently face the danger of structural failure of houses. Similarly an institution operating in the health sector will inherently be exposed to legal liability for negligence which results in the death / injury to patients. Likewise, an institution in the educational sector will inherently be faced with challenges posed by the delinquency of learners.

3) Operational risks

These risks are unique to the internal operations of the institution and concern employees, processes, systems and events.

The questions as set out below should assist in stimulating the right thought process and discussion to identify key risks.

1) What are the main objectives of our institution?

|What are our strategic objectives? |What are our business objectives? |
|What are our financial targets? |What are our service delivery targets? |
|What are our other key targets? | |

2) Who are our stakeholders and how can they pose a risk to us and how can we pose a risk to them?

|Customers |Communities |
|Suppliers |Creditors |
|Employees | |

3) How do we create value for stakeholders?

|Service delivery |Financial sustainability |
|Reputation |Compliance |
|Administration | |

4) What are the critical success factors?

|Core skills |IT systems |
|Cost containment |Budgeting |
|Staff retention | |

5) What are the institution’s critical processes?

|Procurement |Processing payments |
|Distribution |Information management |
|Administration | |

6) What are the potential sources of risk and change that could impact on the above?

|Accidents |Cash flow variances |Civil unrest |
|Contract breach |Crime |Currency exchange rates |
|Distribution failures |Economy variance |Engineering failures |
|Environmental incidents |Expense management |Financial difficulties |
|Fire |Fraud |Human resources failures |
|Inflation |Interest rate change |Labour relations failure |
|Medical incidents |Natural perils |Negligence |
|Procurement failures |Project failures |Quality failures |
|Social change |Strategy execution |Technology failure |

Once the initial risk identification process has been completed, management should already start considering whether any of the risks are interconnected, i.e. is there any correlation between the identified risks?

[Figure: diagram showing the relationship between risk, risk management and controls]

© 2008 KPMG. All rights reserved.
