CITY OF JOHANNESBURG METROPOLITAN MUNICIPALITY
GROUP RISK AND ASSURANCE SERVICES
GROUP RISK AND ADVISORY SERVICES
GROUP RISK MANAGEMENT FRAMEWORK

COJ - Group Risk Management Framework Page 1

CITY OF JOHANNESBURG METROPOLITAN MUNICIPALITY

GROUP RISK AND ASSURANCE SERVICES

GROUP RISK MANAGEMENT FRAMEWORK

Effective Date 1 July 2015



Table of Contents

1. INTRODUCTION ..... 4
1.1. BACKGROUND ..... 4
1.2. PURPOSE ..... 5
1.3 APPLICABILITY OF GROUP RISK MANAGEMENT FRAMEWORK ..... 5
2. OBJECTIVES AND BENEFITS ..... 6
2.1. Objectives of Group Risk Management Framework ..... 6
2.2. Benefits of Group Risk Management Framework ..... 6
3. ENTERPRISE RISK MANAGEMENT ..... 7
4. RISK MANAGEMENT GOVERNANCE STRUCTURE ..... 10
4.1. Governance and Reporting Structure ..... 10
5. ROLES AND RESPONSIBILITIES ..... 12
6. GROUP RISK MANAGEMENT MODEL AND PROCESS ..... 14
6.1. Group Risk Management Model ..... 14
6.2. Group Risk Management Process ..... 15
6.2.1. Risk Identification and Prioritisation ..... 15
6.2.2. Risk Evaluation and Assessment ..... 16
6.2.2.1 Risk Assessment Approach ..... 17
6.2.3 Risk Response and Mitigation ..... 18
6.2.5 Risk Monitoring and Review ..... 21
6.2.6 Communication and Reporting ..... 22
7 GROUP RISK MANAGEMENT PROCESS ..... 23
8 RISK APPETITE AND RISK TOLERANCE ..... 24
8.1 Elements of Risk Appetite and Risk Tolerance ..... 24
8.2 Risk Appetite and Tolerance Thresholds ..... 26
8.3 Risk Appetite and Risk Tolerance Maturity Model ..... 27
9 CoJ RISK MATRIX ..... 30
9.1 RISK HEATMAP ..... 30
9.2 Evaluation of Likelihood ..... 31
9.3 Evaluation of Impact ..... 31
9.4 Interpretation of Risk Exposure Levels ..... 33
9.5 Assessment of Control Effectiveness ..... 33
10. City Risk Universe ..... 34
10.1 Key Risk Indicators ..... 36
11. INFORMATION & COMMUNICATION TECHNOLOGY RISK ASSESSMENT ..... 38
11.1. Risk Governance Domain ..... 40
11.2. Risk Response Domain ..... 41
11.3. Risk Evaluation Domain ..... 42
12. GROUP COMBINED ASSURANCE ..... 43
12. LEGISLATION AND REGULATORY ..... 43
12.1. Primary Legislative and Regulatory Provisions ..... 43
12.2. Public Sector and Leading Practice Principles Standards and Codes ..... 44
13. AUTHORITY AND APPROVAL ..... 44
13.1. Ownership ..... 44
13.2. Approval ..... 44
13.3. Implementation ..... 44
13.4. Review and Approval ..... 45
ANNEXURE A: GLOSSARY OF TERMS ..... 46
External and Internal Factors ..... 46

LIST OF DIAGRAMS
DIAGRAM 1: COSO ERM FRAMEWORK ..... 10
DIAGRAM 2: CITY RISK MANAGEMENT GOVERNANCE AND REPORTING STRUCTURE ..... 11
DIAGRAM 3: GROUP RISK MANAGEMENT MODEL ..... 14

LIST OF TABLES
TABLE 15: EXTERNAL RISK CATEGORIES ..... 47


1. INTRODUCTION

1.1. BACKGROUND

The Framework is primarily developed to guide, inform and raise awareness among Executives and Management of the City of Johannesburg Metropolitan Municipality, including its Municipal Entities (), on the Enterprise Risk Management (ERM) principles and processes adopted by the City. This document is useful in communicating the City’s approved risk governance structure, Framework, standards and procedures for risk management. Its main aim is to provide a practical Framework to assist managers in the effective identification, evaluation and control of risks that may impact upon the achievement of the corporate, mayoral and service objectives and priorities that the organisation has set itself. In this way, risk management is intrinsically linked to the organisation’s ‘positive aspirations and achievements’ rather than solely focussed on ‘negative factors’. Staff should therefore view risk management across the organisation as a tool to support achievement rather than simply another compliance procedure.

The framework is aligned to the Committee of Sponsoring Organisations of the Treadway Commission (COSO) Enterprise Risk Management Integrated Framework, the Risk Management Policy and Framework, the King III Report on Corporate Governance, the ISO Risk Management Principles and Guidelines (ISO 31000:2009), the ISO 22301 standard for Business Continuity Management, and the National Treasury Public Sector Risk Management Framework.

The City Manager, as the Accounting Officer, is mandated by sections 62(1)(c)(i) and 95(c)(i) of the Municipal Finance Management Act, which state that “Accounting Officers are to ensure that their municipalities and municipal entities have and maintain effective, efficient and transparent systems of risk management”. The City Manager has delegated implementation of the Group Risk Management and Advisory Framework to the Group Risk and Assurance Services (“GRAS”) Department, which is the custodian thereof. The GRAS: Risk Management and Advisory Unit (“GRAS: RMAS Unit”) will take ownership of this delegation.

In turn, Council has delegated its oversight function over ERM to the Group Risk and Governance Committee (“GRGC”). Accordingly, the GRAS: Executive Director is accountable to the City Manager, as the Accounting Officer, and the Executive Mayor for the implementation hereof.


GRAS is mandated to embed Enterprise Risk Management principles throughout the City. Its mandate is legislative and is derived from the accountability and responsibility of the Accounting Officer on risk management as defined in the Municipal Finance Management Act (MFMA), the Municipal Systems Act (MSA) and regulations, and other applicable legislation.

1.2. PURPOSE

The main purpose of this framework is to assist the Executives and Management in the effective implementation of risk management principles in the identification, assessment, evaluation, analysis and control of risks that may hinder achievement of the City’s mayoral goals, its corporate governance, and service delivery. It is therefore essential that risk management is integrated into the City’s daily operations and processes for effective, efficient and economical delivery of the City’s mandate. All City employees should therefore view risk management as an inter-linking tool to support the achievement of the City’s objectives.

“If risk management is to be effective there must be a clear link between objectives and risks. It is, therefore, essential that risk management is embedded in the planning process.”

1.3 APPLICABILITY OF GROUP RISK MANAGEMENT FRAMEWORK

This framework is applicable to the City’s:

• Core Administration and its Municipal Entities (“”);
• Mayoral Game Changer, Flagship Program and Mayoral Priority Implementation Plans;
• Internal assurance functions; as well as
• Governance oversight processes.


2. OBJECTIVES AND BENEFITS

2.1. Objectives of Group Risk Management Framework

The key objectives of this City’s Group Risk Management Framework are set out below:

• Implementation of purposeful and systematic risk identification, risk assessment, risk evaluation and risk mitigation management strategies to ensure the achievement of the City’s goals and objectives;
• The creation of a consistent and standard platform for the group risk management process within the City’s departments and MOEs;
• The determination of risk mitigation strategies and controls to reduce risk exposure, and improve the management of significant and City-wide risks;
• Regular risk assessment, evaluation and prioritisation of risks with a view to ensuring optimal risk management and related results;
• To provide management with proven risk management tools that support their decision-making responsibilities and processes, and managing key risks (threats and opportunities) impacting on their goals and objectives;
• Ensure that all employees within the City have an understanding of risk, and that the City adopts a uniform approach for the identification and prioritisation of risks;
• To ensure that risk management processes exist in an environment of continuous feedback and improvement; and
• Embedding risk management processes within the strategic and operational activities of the City.

2.2. Benefits of Group Risk Management Framework

Among others, the following are the benefits of Risk Management processes:

• More informed decisions in the regular management of achieving the City’s objectives;
• Reduction of losses;
• Prevention of fraud and corruption;
• Value for money through more efficient use of resources; and
• Enhanced outputs and outcomes through improved project and programme management.

The Group Risk Management Framework facilitates the following benefits in relation to the City’s risk management process:

• Pro-active identification and management of risks arising from strategic and operational business activities, including projects, PIP’s, flagship program and contracts City-wide (at departmental and ME’s);
• Analysis, prioritisation and evaluation of these risks to ensure adequate and efficient resource allocation in order to manage the risk exposures to acceptable levels;
• Pro-actively determining and implementing mitigating actions and strategies in order to control and reduce the risk exposures, and to continually improve the City’s management internal controls and processes; and
• Maintaining on-going monitoring and reporting on risk status.

3. ENTERPRISE RISK MANAGEMENT

The underlying premise of enterprise risk management is that every organisation within the public sector exists to provide service delivery. All organisations face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to deal effectively with uncertainty and the associated risk and opportunity, enhancing the capacity to build stakeholder value.

Enterprise risk management is an ongoing systematic process, effected by the City of Johannesburg Metropolitan Municipality Council, City Manager, Executive Management Team (EMT) and other personnel, applied in strategy setting and across the City (including its Municipal Entities), designed to identify potential events that may affect the City’s Mission and Vision on service delivery, and to manage risk to be within the risk appetite and risk tolerance, in order to provide reasonable assurance regarding the achievement of the City’s goals, strategic objectives, Mayoral Game Changer, Flagship Program and Priority Implementation Plans (PIPs).

ERM includes the following fundamental concepts:

• Ongoing process: ERM is not static, but rather a continuous or interactive process that permeates the City. The process is pervasive and inherent in the way management runs the business.
• Effected by management at all levels of the City: it is accomplished by all employees of the City in their day-to-day activities.
• Applied in strategy setting: ERM is applied in strategy setting, in which management considers risks relative to alternative strategies.


• Applied across the City: it is applied at every level and unit, and therefore the ERM scope includes the entire activities of the City.
• Risk Appetite: risk appetite is the amount of risk, on a broad level, that the City is willing to accept in pursuit of value.
• Risk Tolerance: risk tolerance is the extent to which the City is willing to accept the degree of risk exposures.
• Provides reasonable assurance: well-designed, effective ERM processes provide management and Council with reasonable assurance regarding achievement of the City’s objectives. It can be expected to provide reasonable assurance of achieving objectives relating to the reliability of reporting, and compliance with laws and regulations. Achievement of those categories of objectives is however within the City’s control and depends on how well the City’s related activities are performed.

This enterprise risk management framework is geared to guide the achievement of the City’s objectives, set forth in four categories:

• Strategic – high-level goals, aligned with and supporting its mission
• Operations – effective and efficient use of its resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and regulations.

Components of Enterprise Risk Management

Enterprise risk management consists of eight interrelated components, which are integrated with the management processes. The City’s Group Risk Management Framework is premised on the COSO Enterprise Risk Management Integrated Framework, which consists of these eight interrelated components. An overview of this framework is presented in Diagram 1 below. The components are:

• Internal Environment – The internal environment encompasses the ‘tone at the top’, and sets the basis for how risk is viewed and addressed by the City’s Executives and Management. This includes risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

• Objective Setting – Objectives must exist before management can identify potential risks affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the City’s mission and vision, and are consistent with its risk appetite.

• Event Identification – Internal and external events affecting achievement of the City’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management’s strategy or objective-setting processes.

• Risk Assessment – Risks are analysed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.

• Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the City’s risk tolerances and risk appetite.

• Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

• Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable the Executives, Management and employees to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the organisational structure.

• Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.


Diagram 1: COSO ERM Framework

There is a direct relationship between objectives, which the City strives to achieve, and enterprise risk management components, which represent what is needed to achieve them. The relationship is depicted in a three-dimensional matrix in this diagram. This depiction portrays the ability to focus on the entirety of the City’s risk management processes by objective category, its components, entity, business unit, and any subset thereof.

4. RISK MANAGEMENT GOVERNANCE STRUCTURE

4.1. Governance and Reporting Structure

The Council and Mayoral Committee are responsible for the overall governance of risk management within the City. The responsibility for the oversight of the City’s risk management governance has been delegated to the Group Risk and Governance Committee (GRGC). The role, responsibility and authority of this committee are defined within its charter as approved by the Mayoral Committee and Council. The risk governance structure, and related roles and responsibilities, is designed to ensure that the risk management process is effective throughout the City. The group risk management governance structure of the City is set out in Diagram 2 below:


Diagram 2: City Risk Management Governance and Reporting Structure

[Diagram: organisational chart with the following boxes: Council; Executive Mayoral Committee; Group Risk and Governance Committee; Executive Management Team (EMT) and Combined Assurance Forum; GRAS: Risk Advisory Services Unit; GRAS: Internal Audit Services Unit (Department Internal Audit Function); Departmental Risk Champions; Risk Management Units; Internal Audit Functions]


5. ROLES AND RESPONSIBILITIES

The City’s risk management oversight is the responsibility of the Council and Mayoral Committee. The Mayoral Committee is responsible through its sub-committees for recognising all significant and material risks to which the City is exposed.

The Mayoral Committee has delegated its risk management oversight responsibility to the Group Audit Committee and the Group Risk and Governance Committee, i.e. these committees focus on a specific mandate which includes, inter alia, functions associated with City-wide risk management oversight.

Risk management ownership and responsibility rests with Executives and Management, whilst ultimate accountability vests with the Accounting Officer. The Accounting Officer should ensure that all strategic and key operational risks that have been identified within the City are discussed and addressed at Executive Management Team (hereafter “EMT”) Meetings and Extended EMT Meetings.

The Group Risk and Advisory Services Unit is responsible for providing guidance and advice to the City Manager, the Executives and Management on the effective implementation of Risk Management processes. However, Risk Management is the responsibility of all City officials, regardless of level or grading.

The risk management responsibilities of the various key role players are clearly stipulated in the table below:

Table 1: Roles and Responsibilities

Governance Structure: Roles / responsibility

Council and Mayoral Committee
 o Oversight of the City-wide risk management system, processes and risk profile. Accountability in terms of the MFMA, and assurance to stakeholders.

Council Section 79 Committee
 o Oversight over the sectoral risk profile and appropriate risk management strategies.

Group Audit Committee (GAC) & Group Performance Audit Committee (GPAC)
 o Provides assurance on the City-wide ERM process and strategic and operational risk profiles.

Group Risk Governance Committee (GRMC)
 o Provides oversight and advice on the City-wide ERM Framework, Policies, Process, Group Risk Profile and Group Risk Tolerance / Appetite.

City Manager
 o Accountability for development and implementation of ERM governance, architecture and process in the City and management of identified major risks.
 o Sets the ‘tone at the top’ on risk management principles, processes and governance structures.

Executive Audit & Risk Management Committee
 o Supports the City Manager and EMT in ensuring effective implementation of risk management processes to enhance the City’s ability to achieve its strategic objectives.

Business Units
 o Responsible for designing a risk-controlled environment within day-to-day business operations and implementing a risk tracking model in order to address and manage identified risks to acceptable levels; accountable for regularly reporting to Senior Management on the effective management of identified risks within business units.

Group CFO / Shareholder Unit (SHU)
 o Financial risk management strategy.
 o Funding and resourcing key risk mitigation strategies.
 o Monitoring implementation of ERM by the City’s entities.

MOE Board of Directors
 o Governance of ERM within the Municipal Entity.
 o Determine the levels of risk appetite and risk tolerance.
 o Accountability to the GRMC and GAC on ERM through the MOE Audit & Risk Committee.
 o The governance of risk through formal processes, which includes the total MOE system and process of risk management.

MOE Audit and/or Risk Committee
 o Assurance and oversight over the Entity’s Enterprise Risk Management.

Managing Director / Chief Executive Officer () & Executive Directors
 o Senior Management is accountable to the Council/Board for designing, implementing and monitoring risk management, and integrating it into day-to-day activities.
 o Accountability for implementation of the ERM Framework, policy and processes.
 o Ensure that the risk register is in place and is continuously updated through regular risk assessments and updates to the control environment.
 o Providing reports and comment to the Group Risk and Governance Committee as and when required.
 o Acknowledge the “ownership” of risks within their business units or functional areas, and all responsibilities associated with managing such risks.
 o Cascade risk management into their functional responsibilities.
 o Monitor risk management within their area of responsibility.
 o Maintain the business unit risk profile within the City’s risk tolerance and risk appetite levels.

Group Risk and Audit Services (GRAS)
 o Consulting and advisory on the ERM Framework, Policy, strategies and implementation City-wide (Departments & Entities); ERM strategy and maturity planning; defining the risk assessment methodology.
 o Provide specialist expertise to assist the City to embed risk management and to leverage its benefits to enhance performance.
 o Provide advice to management on the determination of risk appetite and tolerance.

MOE’s Chief Risk Officers & Risk Management functions
 o Facilitate implementation of the ERM Framework, Policy and process; Annual Risk Management Plans.

Chief Internal Auditors & Internal Audit function
 o Assurance on the risk management process City-wide (departments and ME’s), and reviewing the effectiveness of risk mitigation controls and action plans.


6. GROUP RISK MANAGEMENT MODEL AND PROCESS

6.1. Group Risk Management Model

The City and its have adopted a group risk management model and process that will enable the embedding of sound risk management practices in all its strategic and operational activities. City departments and must have a clear understanding of the roles and responsibilities, the approved methodologies, and the integration processes that have been adopted by the City and that they are required to apply and follow.

The City has embraced the enterprise risk management model (hereafter “ERM”), which encompasses aligning risk appetite and strategy; enhancing risk response decisions; reducing surprises and losses; identifying and managing multiple and cross-enterprise risks; seizing opportunities; and improving deployment of funding and capital. It is important that there is a common understanding of the term risk as a precursor to the review of risk management, its benefits and limitations.

The diagram below depicts the City’s group risk management model.

Diagram 3: Group Risk Management Model


6.2. Group Risk Management Process

Enterprise Risk Management processes do not operate in isolation, and are therefore integrated into business processes in order to maximise value from all operational activities within the City. This is to increase the probability of the effective, efficient and economical achievement of the City’s objectives.

This GRM Framework outlines how the risk management process will be implemented and maintained within the City. The five interlinked elements of the City’s GRM process are:

o Risk identification and prioritisation;
o Risk evaluation and assessment;
o Risk response and mitigation;
o Risk monitoring and review; and
o Communication and reporting.

6.2.1. Risk Identification and Prioritisation

An event is an incident or occurrence emanating from internal or external sources that affects the implementation of strategy or the achievement of the City’s objectives. Events may have a positive or negative impact, or both. The risk identification process guides management in prioritising and channelling resources to manage the key risks to an acceptable level. Risks are prioritised depending on their inherent and residual risk exposure, which can be classified as extreme, high, medium or low.

Event and risk identification involves a purposeful and systematic process to identify significant and emerging potential risks and opportunities linked to the achievement of the City’s goals and objectives. The risk identification process covers all risks affecting the City, whether internal or external.

The City has adopted risk workshops and questionnaires as suitable risk identification techniques for its environment. The process is supplemented by the review and consideration of:

o External and internal audit reports;
o Internal and external environment;
o Financial analyses;
o Historical incidents / past events;
o Actual losses;


o Key performance indicators;
o City’s Risk Universe;
o Best practices.

6.2.2. Risk Evaluation and Assessment

The City’s Group Risk Management Policy stipulates that risk assessments should be conducted annually. The responsibility to ensure that periodic risk assessments are conducted within the City rests with the City Manager, the Executives and Management, who assist in creating an enabling environment.

Risk evaluation and assessment is a systematic process to quantify or qualify the level of risk associated with a specific threat or event, to enrich the risk intelligence available to the City. The main purpose of risk assessment is to assist management to prioritise the key risks.

Risk assessment is performed through facilitated risk workshops. The annual risk assessment requires a review of the risk management tool (the risk register), identification of risks and emerging risks, and analysis of residual exposures based on the likelihood of occurrence and the associated risk impact (nature and extent).

Risks are assessed on the basis of the likelihood and impact of their occurrence in the following stages:

a) Firstly, the inherent risk is assessed to establish the level of exposure in the absence of management strategies and controls to influence the risk;

b) Secondly, a residual risk assessment follows to determine the actual remaining level of risk after management strategies and controls are put in place to influence the exposure; and

c) Thirdly, the aggregated residual risk is benchmarked against the City’s risk appetite and tolerance to determine the need for further management intervention, if any.


Diagram 4: Overview of Risk Evaluation and Assessment Approach

These interlinked elements of the GRM process are illustrated in Diagram 5 and described in the subsequent sections.

6.2.2.1 Risk Assessment Approach

a) STRATEGIC RISK ASSESSMENT PROCESS

The approach for strategic risk assessments is top-down, where the City’s top strategic risks are cascaded down to departmental and entities’ strategic risk profiles. This enables the integration of the strategic risk assessment process with the City’s annual strategic planning and budget planning cycles. Executives and Management are required to develop and implement mitigating actions in order to manage risk exposures to an acceptable level. Continuous monitoring of the implementation of action plans should be assessed and reported on a quarterly basis to Executives and Management via the relevant committees within the City.

The strategic risk assessment processes within the City incorporate the following:

o The identification, evaluation and assessment of the City Wide Top Strategic Risks which may impact the achievement of the City’s Integrated Development Plan (IDP) and the Joburg GDS 2040.

Diagram 4 labels: Objectives, Process, Controls; Risk; Inherent Risk (before assessment of controls); Residual Risk (after assessment of controls).


o The identification, evaluation and assessment of strategic risks of the City’s Game Changer programme, flagship programme and Priority Implementation Programme.
o Establishment of risk profiles at departmental and entity levels.

b) OPERATIONAL RISK ASSESSMENT PROCESS

Operational risk assessment processes are conducted at all business units / directorates within the City, at departmental and entity levels. The process interlinks the identified departmental and entity strategic risks to business units / directorates. Management is required to develop and implement mitigating actions in order to manage risk exposures to an acceptable level. Continuous monitoring of the implementation of action plans should be assessed and reported on a quarterly basis to Executives and Management.

c) PROJECT AND CONTRACTS RISK ASSESSMENT PROCESS

A project risk assessment process is conducted for all significant projects and contracts within the City (departments and entities). For long-term projects, the project risk register is reviewed at least once a year to identify new and emerging risks. The risk identification process is conducted with the involvement of the particular project manager / leader. The project manager is required to develop and implement mitigating actions in order to manage risk exposures to an acceptable level. Continuous monitoring of the implementation of action plans should be assessed and reported quarterly to Executives and Management.

6.2.3 Risk Response and Mitigation

Risk response is concerned with developing strategies to reduce and manage risk exposures. A proactive approach is generally adopted by determining mitigation actions / plans against the risks identified. The City endeavours to control and manage potential threats and related risk exposures optimally, in such a manner that the exposures are reduced to an acceptable level, which is below the risk appetite and tolerance levels / thresholds, and to ensure that those threats or risk exposures do not materialise.

a) RISK RESPONSE STRATEGIES

The City has adopted the following risk response strategies (the 4 T’s), based on best practice:


Table 2: Explanation of Risk Response Strategies

No | Response Strategy | Explanation of Strategy
1. | Terminate (Avoid) | Cease carrying out the activity because modifying it or controlling it would not reduce the risk to an acceptable level within the risk appetite or risk tolerance.
2. | Tolerate (Accept) | The City intends to accept the risk as it is tolerable within the existing business model and activities.
3. | Treat (Manage) | There are resources available that aim to manage and reduce the likelihood of the threat / risk exposure materialising.
4. | Transfer (Share) | The risk is transferred to a third party who has more capacity to handle the exposure, for example by contracting out services or taking out insurance.

Another method that can be adopted as a response strategy is risk exploitation: exploiting the risk factors by implementing strategies to take advantage of the opportunities presented by such risk factors.

In determining the risk response, management should consider the following:

o Effects of potential responses on risk likelihood and impact, and which response option is effective for a particular risk;
o Costs versus benefits of potential responses; and
o Possible opportunities to achieve City objectives going beyond dealing with the specific risk.

In evaluating response options, Executives and Management should consider that a response might affect the likelihood and impact of risks differently.

b) ASSESSING COSTS vs BENEFITS

The decision on the nature and extent of risk mitigation controls is informed by the nature of the risk, the risk rating (viz. extreme, high, medium or low) and the associated costs and benefits. The relative costs and benefits of alternative risk response options are considered. Cost and benefit measurements for implementing risk responses are made with varying levels of precision. All direct costs associated with instituting a response, and indirect costs where practically measurable, should be considered. Executives and Management should also consider the opportunity costs associated with the use of resources in responding to the identified risk exposures.


c) DOCUMENTING RISK RESPONSES

Risk response strategies are documented with the responsibilities and timelines attached thereto, and communicated to the relevant action owners and risk owners. The risk mitigation strategies and responses are documented in the tool utilised to capture identified risks (the risk register) and are reported to Executive Committees and Independent Committees on an ongoing basis.

The Group Risk Advisory Services Unit provides consulting and support services to Executives and Management on determining and documenting appropriate risk response strategies.

d) CONTROL ACTIVITIES

Control activities are the policies and procedures that help ensure management’s risk responses are carried out. Control activities are categorised based on the nature of objectives and the extent of risk exposures. Just as the selection of risk responses considers their appropriateness, the selection or review of control activities includes consideration of their relevance and appropriateness to the risk response and related objective. This is accomplished by separate consideration of the suitability of the control activities, or by considering residual risk in the context of both the risk response and the related control activities.

Management is responsible for designing, implementing and monitoring the effective functioning of the system of internal control. All City employees have a role in maintaining effective systems of internal control, consistent with their delegated authority and areas of responsibility; refer to the table below.

Table 3: Internal Control Categories and Objectives

No | Internal Control Category | Internal Control Category Objective
1. | Management controls | To ensure that the City’s structure and systems support its policies, plans and objectives, and that it operates within laws and regulations.
2. | Administrative controls | To ensure that policies and objectives are implemented in an efficient and effective manner.
3. | Accounting controls | To ensure that resources are accounted for fully and transparently and are properly documented.
4. | Information Technology controls | To ensure the security, integrity and availability of information.


Controls that reduce risk exposure or severity may be preventative, directive, detective or corrective. An explanation of the relevant control objectives and examples of these controls are set out below:

Table 4: Explanation of Types of Internal Control

No | Control Type | Control Objective | Examples of Control
1. | Preventative controls | These controls prevent errors or irregularities from occurring. | Physically restricting access to specific areas, insisting on two signatories for authorisation, ensuring suitable segregation of duties exists within a process or system, implementing levels of authorisation limits, or restricting levels of access on IT systems by way of user profiles.
2. | Directive controls | These controls direct how certain processes or activities are conducted, in a manner that is conducive to achieving City objectives. | Policy and procedure manuals, delegation of authority, management instructions, guidance notes, and training.
3. | Detective controls | To detect as early as possible, or serve as a trigger, that a possible risk event or error is becoming likely to occur or has occurred, so that early intervention can be considered. | Early warning systems, surprise checks, asset inventory verification checks, alarms, exception reports, accident and incident reports, financial reports such as budget monitoring reports, and performance of reconciliation procedures to identify errors.
4. | Corrective controls | Operate together with detective controls to correct errors or irregularities. | Follow-up and address any errors or omissions identified by way of asset inventory checks, financial and budget monitoring reports, and key account reconciliations.

6.2.5 Risk Monitoring and Review

The primary purpose of risk monitoring is to assist Executives and Management to determine whether:

o Measures (risk responses) previously adopted are still working as intended, and producing the expected results;
o Mitigating actions previously adopted are still appropriate and relevant to the risks;
o The previously identified risks are still relevant to operating models, and still apply as a factual reflection of the organisation;
o Management timelines are still appropriate; and
o Any new emerging risks need to be identified as the operating models evolve.

Risk monitoring serves as the process for tracking identified risks, monitoring residual risks, identifying new risks, executing risk response plans, and evaluating their effectiveness throughout. The results on proposed risk responses, which are integrated into managing and


controlling the risk exposures, are therefore evaluated for adequacy.

This stage involves tracking and reporting on risk exposures to stakeholders (internal and external). In addition, there is an assessment of performance on the risk management interventions used to manage the probability and impact or severity of adverse risks occurring. The performance assessment will also indicate whether additional or alternative interventions and actions should be determined to ensure effective mitigation of the identified risk exposures.

Ongoing / continuous risk monitoring is essential, as the process is integrated into the normal, day-to-day operating activities. Continuous monitoring is effective in anticipating and uncovering circumstances that will have a negative impact on, or endanger, the achievement of objectives as business operations unfold, so that threats are noticed and managed quickly.

For effective risk monitoring, the process should be scheduled as a standing agenda item at departmental and Executive and Management meetings. The other step is to arrange a separate meeting with the Group Risk and Advisory Services Unit to assess and evaluate the dashboard and risk movement periodically.

6.2.6 Communication and Reporting

Information on the risks identified, and how those risks are being managed, should be captured and communicated in a form and timeframe that enables the risk owners and action owners to carry out their responsibilities. The information should also be documented and communicated to Executives and Management as part of decision-making processes.

Effective communication also occurs flowing down, across and upwards in the organisation; therefore, all officials should be made aware of the existence of ERM principles and processes within the City.

Both financial and non-financial information should be communicated as part of risk management strategies.

ERM communication effectively conveys:

o The importance and relevance of effective enterprise risk management;
o The City’s strategic and related objectives;
o The City’s risk appetite and risk tolerances;


o The roles and responsibilities of personnel in effecting and supporting the components of enterprise risk management.

The City’s risk communication and reporting process supports enhanced decision making and accountability through:

I. Dissemination of relevant, timely, accurate, concise and complete information;

II. Timely escalation of critical, significant and relevant risk information to:
o MOE Risk Management Committees and Boards of Directors;
o The City’s Executive Audit and Risk Committee;
o The City’s Executive Management Team (EMT) and Extended EMT;
o Group Risk and Governance Committee (GRGC);
o Group Audit Committee; and
o The City’s Mayoral Committee and Council.

III. Timely communication of risk management responsibilities and actions.

7 GROUP RISK MANAGEMENT PROCESS

Group risk management is an ongoing process which requires regular and systematic evaluation to deliver a sound decision-making process. This, in turn, leads to the achievement of high quality services delivered on a value-for-money basis.

Diagram 5: Group Risk Management Process


8 RISK APPETITE AND RISK TOLERANCE

An effective enterprise risk management process requires that there be defined risk appetite and risk tolerance levels which embody the rules and guidelines for the organisation on taking on risk, or treating risk. The City’s risk appetite and tolerance are directly related to its business strategy. Risk management must be integral to strategic planning decisions, as in selecting a strategy management must give due consideration either to the City’s appetite for risk or to the levels of risk exposure that may be acceptable.

The City determines its risk appetite and risk tolerance in order to guide resource allocation and to influence more informed decision making in regard to planning and implementation processes.

8.1 Elements of Risk Appetite and Risk Tolerance

Risk appetite is a key consideration in objective setting and strategies. It is important to recognise that risk appetite can be articulated either qualitatively or quantitatively. Risk appetite can also be influenced by the historical impacts of past events and the reactions of key stakeholders, customers, employees, regulators and suppliers.

Risk appetite is defined as the pursuit of risk, while risk tolerance has been defined as the risk the organisation is willing to deal with.

An overview of the strategic considerations on the City’s risk appetite is set out in the diagram below.

Diagram 6: Overview of Considerations Affecting City Risk Appetite


Diagram 6 elements:
o Existing Risk Profile: the existing level and distribution of risks across risk categories (e.g. financial risk, service delivery risk, operational risk, reputation risk, etc.).
o Risk Capacity: the maximum risk the City may bear and remain financially sustainable and resilient.
o Risk Tolerance: acceptable levels of variation the City is willing to accept around specific objectives.
o Desired Level of Risk: what is the desired City balance of growth, risk and return.
o Determination of Risk Appetite.


8.2 Risk Appetite and Tolerance Thresholds

Risk tolerance levels can be defined for each risk category and/or major risk area on a qualitative basis, a quantitative basis, or both. The risk appetite and tolerance levels below are qualitative and in accordance with the City’s risk assessment methodology and risk heat map, and are provided as guidance to management.

Table 5: Risk Appetite and Tolerance

Risk Category | Strategic | Financial | ICT | Regulatory | Operational | Reporting | Fraud
Risk Universe (sources: local government regulatory environment; GDS2040, IDP/SDBIP; Mayoral Priorities) | X | X | X | X | X | X | X
Risk assessment (using risk assessment methodology) | X | X | X | X | X | X | X
Inherent and residual risk matrix (risk heat map) | X | X | X | X | X | X | X
Risk appetite | X | X | X | X | X | X | X
Risk tolerance | X | X | X | X | X | X | X

Table 6: Risk Appetite and Tolerance

# | Risk Categories | Risk Appetite | Risk Tolerance
1. | Fraud and corruption | Zero | Zero Tolerance
2. | Non-compliance with Supply Chain Management Regulations | Zero | Low Tolerance
3. | Regulatory non-compliance | Zero | Low Tolerance
4. | Financial governance / management risks | Low | Low Tolerance
5. | Financial underperformance (% aligned to SDBIP annual target) | Approved annual target | Low Tolerance
6. | Service delivery and operational risks (organisational performance indicators) | Approved annual target | Low Tolerance
7. | Organisational and governance risks (accountability) | Low | Low Tolerance


8. | Information and Communication Technology (ICT) governance and delivery | Low | Moderate
9. | Financial reporting: adverse and disclaimer audit outcome | Zero | Zero Tolerance
10. | Financial reporting: unqualified audit (with matters of emphasis) | Low | Moderate
11. | Non-financial reporting (AoPO / organisational performance): adverse and disclaimer audit outcome | Zero | Zero Tolerance
12. | Non-financial reporting (AoPO / organisational performance): unqualified audit outcome (with matters of emphasis) | Low | Moderate

The general principle is that the City’s tolerance levels are for medium / moderate to low risk exposures.

8.3 Risk Appetite and Risk Tolerance Maturity Model

Given the City’s size and structure, and the nature and extent of its business operations, it is beneficial to determine its risk appetite and tolerance maturity model.

The objectives of the City’s risk appetite and risk tolerance maturity model are set out below:

o Give effect to the public sector and leading practice risk appetite and risk tolerance principles contained within the City’s Group Risk Management Policy and Framework;
o Articulate the phased approach for the transition of the City from an existing awareness state to the desired state of being enabled to establish risk appetite and risk tolerance maturity; and
o Provide the recommended road map for the enhancement of the level of risk appetite and risk tolerance maturity within the City.

Table 7: Maturity Model


No | Description of Maturity Level | Key Characteristics or Criteria for Establishing Risk Appetite | Key Characteristics or Criteria for Establishing Risk Tolerance

1. Aware
Risk appetite criteria:
o Awareness of the concept of risk appetite within the CoJ Group Risk and Assurance Department.
Risk tolerance criteria:
o A scoring system for assessing risk exposure has been defined and applied.
o A City-wide risk exposure heat map is in place.

2. Defined
Risk appetite criteria:
o The City’s overarching risk appetite strategy and policy are defined as part of the CoJ Group Risk Management Strategy and Framework.
Risk tolerance criteria:
o The City’s risk tolerance policy and strategy are defined as part of the Risk Management Strategy and Framework.
o Executive management sets strategic City objectives with board and Mayoral Committee oversight.
o Identification, review and approval of appropriate key risk indicators (KRIs) and key performance indicators (KPIs) for the Top CoJ-Wide Strategic Risks.

3. Managed
Risk appetite criteria:
o Develop a risk appetite approach which includes the following:
  o Create an overall risk appetite statement that is broad enough and descriptive enough for City departments and entities to manage their risks consistently within it.
  o Risk appetite for each major class of City objectives and for strategic and priority projects.
  o Risk appetite for different categories of risk.
o City-wide strategy and risk appetite statements developed and defined.
o Risk appetite is developed at executive management level and proposed to MOE boards, the City Manager / Accounting Officer and the City’s Mayoral Committee for approval.
o Once risk appetite is approved, it is communicated to all City departments and MOEs, including personnel and key stakeholders.
Risk tolerance criteria:
o Analysis and assessment of the City’s ability to physically and financially recover from significant risk events (at both department and MOE level).
o Management determines the level of tolerance around risks acceptable at department and MOE level in measuring the achievement of strategic and operational objectives, which should be endorsed by MOE boards, the City Manager and the City’s Mayoral Committee.
o Risk tolerance is expressed in the same indicators as its related objectives.
o Establish risk tolerance thresholds for the Mayoral Priority Implementation Programme and the City’s Game Changers.
o Setting risk tolerance is a collective senior and executive management responsibility.
o Identification, review and approval of appropriate key risk indicators (KRIs) and key performance indicators (KPIs) related to the strategic risks of the City’s core administration departments and MOEs.
o The risk tolerance levels set by the City are reflected in the CoJ group risk exposure rating scale used to assess the severity of risks.



4. Enabled
Risk appetite criteria:
o Monitor and review risk appetite, which includes the following:
  o Once risk appetite is communicated, executive management, with MoE board and Mayoral Committee support, periodically revisits and enforces it.
  o Management monitors activities for consistency with risk appetite through a combination of ongoing monitoring and separate or independent evaluations.
  o Periodic review of risk appetite in relation to the City’s strategic imperatives and changes in business model requirements.
Risk tolerance criteria:
o In setting risk tolerance, management considers the relative importance of related objectives.
o Tolerance levels are supported by rigorous analysis and expert management judgement.
o Establish tolerance for individual material risks, as well as aggregate tolerance for particular categories of risk.
o Risk tolerance levels are revised as more reliable information becomes available.


9 CoJ RISK MATRIX

The City applies the 5 x 5 risk exposure scoring system, i.e. the twenty-five (25) element model and risk dashboard, as it allows for a more precise scoring approach. The risk exposure or severity level is obtained by multiplying the risk impact rating by the risk likelihood rating.

Risks are assessed (rated) on the basis of the likelihood of the event occurring and the impact that the event would have on the City's objective(s) should it occur.

a) Inherent rating: the risk is assessed to establish its level of exposure in the absence of the management controls currently in place;

b) Residual rating: the risk is assessed to establish its level of exposure after management's current/existing controls are considered;

c) Control effectiveness: management's current/existing controls are assessed for their effectiveness in addressing and reducing the identified risk exposure to an acceptable level.

9.1 RISK HEATMAP

Diagram 7: Risk Rating Matrix and Risk Exposure Dashboard

Likelihood 5:  LOW      MEDIUM   HIGH     EXTREME  EXTREME
Likelihood 4:  LOW      MEDIUM   HIGH     HIGH     EXTREME
Likelihood 3:  LOW      MEDIUM   MEDIUM   HIGH     HIGH
Likelihood 2:  LOW      LOW      MEDIUM   MEDIUM   MEDIUM
Likelihood 1:  LOW      LOW      LOW      LOW      LOW
Impact:        1        2        3        4        5

(The diagram also marks the risk tolerance region and the risk appetite line on the matrix.)

The areas of risk exceeding risk appetite require management's immediate attention in reviewing and improving current controls and implementing adequate mitigating actions.

Inherent Risk = Potential Impact (Qualitative or Quantitative) x Likelihood of Occurrence

Residual Risk Exposure = Inherent Risk x (1 – Control Adequacy / Effectiveness)


9.2 Evaluation of Likelihood

Table 8: Scale for Evaluation of Risk Likelihood:

Rating | Score | Description | Probability

5 | Almost certain | Event has occurred repeatedly within the last year. | The event is certain to occur within this financial year.

4 | Likely | Event has occurred within the last financial year. | The event is likely to occur within this financial year.

3 | Possible | Event has been recorded within the organisation as well as within the sector in the last 2 years. | The event has a probability of occurring at some time in the next year.

2 | Unlikely | Very few recorded or known incidents have occurred within other organisations within the sector. | The event may occur at some time within the next 2 years.

1 | Rare | No recorded incidents or little opportunity for occurrence; no event recorded in the last 3 years. | Event may occur in exceptional circumstances.

9.3 Evaluation of Impact

Table 9: Scale for Evaluation of Risk Impact:

Severity (Ranking), with the impact described per category: Financial | Service Delivery | Reputation | Stakeholders | Human Capital | Systems | Environment

Not significant (1)
• Financial: Minimal direct loss or opportunity cost, less than 2% of budget.
• Service Delivery: Negligible impact on achievement of monthly activities and objectives.
• Reputation: Occasional complaints with no or insignificant impact; reputation intact.
• Stakeholders: Minimal impact on stakeholder support.
• Human Capital: Minor or very low staff attrition rate (<4%).
• Systems: Key systems inoperative for half a day.
• Environment: Short-term transient impact on environment or community; negligible action required.

Minor (2)
• Financial: Direct loss or opportunity cost of 2% to 5% of budget.
• Service Delivery: Negative impact on achievement of quarterly service delivery targets and objectives, or minor performance reduction.
• Reputation: Intra-sector knowledge of incident, but no media attention.
• Stakeholders: Marginal decrease in stakeholder support.
• Human Capital: Staff attrition (<10%) on an annual basis.
• Systems: Key systems inoperative for less than 24 hours.
• Environment: Medium-term, immaterial effect on environment.

Moderate (3)
• Financial: Event would have serious financial impact (>4 to 6% on budget/income or > R00000*) on either income or budget; loss of creditworthiness in more than 1 year.
• Service Delivery: Negative impact on achievement of targets in more than 1 year; service delivery disruptions in more than 1 year.
• Reputation: Credibility and/or investors lost within 2 years; adverse national media coverage (national TV headlines) and loss of service in more than 1 year.
• Stakeholders: Community complaints voiced privately.
• Human Capital: Key skilled staff lost (>10% <25%) in 1 year.
• Systems: Key systems inoperative for 1 day.
• Environment: Measurable environmental harm caused; medium-term recovery.

Major (4)
• Financial: Event would have very serious financial impact (>8% on budget/income or > R00000*) on either income or budget; loss of creditworthiness in 1 year.
• Service Delivery: Negative impact on achievement of targets within 1 year; service delivery disruptions in 1 year; qualified annual external audit report every year.
• Reputation: Credibility and/or investors lost in more than 1 year; adverse national media coverage (national TV headlines) and loss of service >1 year.
• Stakeholders: Medium-term public impact with minor political implications.
• Human Capital: Certain key executives and/or key employees and skills (>25% <50%) are lost >1 year.
• Systems: Key systems inoperative for 2 days.
• Environment: Harm to environment and community health and living standards in more than 1 year.

Critical (5)
• Financial: Event would have catastrophic financial impact (>15 to 25% on budget/income or > R00000*) on either income or budget; loss of creditworthiness in >1 year.
• Service Delivery: Negative impact on achievement of targets in >1 year; service delivery disruptions in >1 year; qualified annual external audit report every year.
• Reputation: Credibility and/or investors lost >1 year; adverse national media coverage (national TV headlines) and loss of service >1 month.
• Stakeholders: Stakeholder relations lost >1 year.
• Human Capital: Employees may have suffered fatalities; the event may have resulted in staff loss causing catastrophic consequences; loss of key personnel and skills (50% or more) in 1 year.
• Systems: Key systems inoperative for 3 to 5 days.
• Environment: Harm to environment and community health and living standards in >1 year.


9.4 Interpretation of Risk Exposure Levels

The interpretation of the various risk exposure levels and the general risk management approach in relation to each risk exposure level is set out in the table below:

Table 10: Interpretation of Risk Exposure Levels

Exposure | Rating | Assessment | Action Required

Extreme | 18 to 25 | Unacceptable | Requires immediate attention from management on implementation of corrective measures

High | 12 to 16 | Unacceptable | Implementation of improvement opportunities and validation of current controls

Medium | 6 to 10 | Acceptable with caution | Evaluation and improvement of current controls

Low | 1 to 5 | Acceptable | Validation and optimisation of controls

9.5 Assessment of Control Effectiveness

The table below is used to assist management in assessing the perceived effectiveness of controls in mitigating or reducing the impact or likelihood of specific risks.

Table 11: Control Effectiveness

Effectiveness | Factor | Qualification Criteria

Poor | 1 | Control fails to address the risk and is not documented or fully in operation.

Fair | 2 | Control addresses the risk, at least partly, but documentation and/or operation could be improved. These control measures are for reduction and mitigation; they are intended to reduce the severity (consequences) of incidents.

Good | 3 | Control addresses the risk, but documentation and/or operation of the control could be improved. These control measures are for prevention and are intended to remove certain causes of incidents, reduce their likelihood or prevent the occurrence of the risk.

Excellent | 4 | Control eliminates the root causes of the risk, is officially documented and in operation.
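Putting sections 9.1 to 9.5 together, the following Python script is an added worked example and is not part of this framework document. It computes inherent exposure as impact x likelihood, residual exposure as inherent x (1 – control effectiveness), bands the result per Table 10, regenerates the Diagram 7 heat map from those bands, and lists which risks in a constructed sample register still rate "Unacceptable". The framework rates control effectiveness as a 1 to 4 factor (Table 11) but does not say how that factor becomes the fraction the residual formula needs, so the EFFECTIVENESS_FRACTION mapping, like the sample register entries, is an assumption made for this example only.

```python
"""CoJ 5 x 5 risk scoring (sections 9.1 to 9.5): inherent and residual exposure,
Table 10 banding and a prioritised register. Added illustration, not framework
code. The mapping of Table 11's 1-4 control factor to a fraction is assumed."""
from __future__ import annotations

from dataclasses import dataclass

# Table 10 bands as (upper bound, band, assessment, action), ascending.
BANDS = (
    (5, "Low", "Acceptable", "Validation and optimisation of controls"),
    (10, "Medium", "Acceptable with caution", "Evaluation and improvement of current controls"),
    (16, "High", "Unacceptable", "Implement improvement opportunities and validate current controls"),
    (25, "Extreme", "Unacceptable", "Immediate management attention: implement corrective measures"),
)

# ASSUMPTION (not in the framework): Table 11 factor -> fraction of exposure removed.
EFFECTIVENESS_FRACTION = {1: 0.0, 2: 0.25, 3: 0.5, 4: 0.75}  # Poor .. Excellent


def inherent_score(impact: int, likelihood: int) -> int:
    """Inherent risk = impact rating x likelihood rating (both 1 to 5, Tables 8 and 9)."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer rating from 1 to 5, got {value!r}")
    return impact * likelihood


def residual_score(inherent: float, control_factor: int) -> float:
    """Residual risk exposure = inherent x (1 - control effectiveness)."""
    if control_factor not in EFFECTIVENESS_FRACTION:
        raise ValueError("control factor must be 1 (Poor) to 4 (Excellent)")
    return inherent * (1 - EFFECTIVENESS_FRACTION[control_factor])


def band(score: float) -> tuple[str, str, str]:
    """(band, assessment, action) from Table 10.

    Integer products on the 5 x 5 grid never fall into the gaps between the
    bands (11, 14, 17), but fractional residual scores can. A score in a gap is
    placed in the next band up so the banding never understates exposure.
    """
    if not 0 <= score <= 25:
        raise ValueError(f"score out of range: {score}")
    for upper, name, assessment, action in BANDS:
        if score <= upper:
            return name, assessment, action
    raise AssertionError("unreachable: BANDS ends at 25")


def heatmap() -> list[list[str]]:
    """Diagram 7 regenerated: rows likelihood 5 down to 1, columns impact 1 to 5."""
    return [[band(inherent_score(impact, likelihood))[0].upper() for impact in range(1, 6)]
            for likelihood in range(5, 0, -1)]


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int          # Table 9 ranking
    likelihood: int      # Table 8 rating
    control_factor: int  # Table 11 factor for the existing controls


@dataclass(frozen=True)
class Rated:
    name: str
    inherent: int
    inherent_band: str
    residual: float
    residual_band: str
    assessment: str
    action: str


def rate_register(risks: list[Risk]) -> list[Rated]:
    """Rate each risk inherently and residually; highest residual exposure first."""
    rated = []
    for r in risks:
        inh = inherent_score(r.impact, r.likelihood)
        res = residual_score(inh, r.control_factor)
        res_band, assessment, action = band(res)
        rated.append(Rated(r.name, inh, band(inh)[0], res, res_band, assessment, action))
    return sorted(rated, key=lambda x: x.residual, reverse=True)


def exceeding_appetite(rated: list[Rated]) -> list[Rated]:
    """Risks whose residual exposure Table 10 still rates 'Unacceptable'."""
    return [r for r in rated if r.assessment == "Unacceptable"]


# Constructed sample register; the entries are hypothetical.
SAMPLE_REGISTER = [
    Risk("Billing system outage", impact=4, likelihood=4, control_factor=2),
    Risk("Key-skills attrition", impact=3, likelihood=5, control_factor=2),
    Risk("By-law complaints backlog", impact=2, likelihood=3, control_factor=3),
    Risk("Flood damage to depots", impact=5, likelihood=2, control_factor=1),
]

if __name__ == "__main__":
    for row in heatmap():
        print("  ".join(f"{cell:7}" for cell in row))
    for r in rate_register(SAMPLE_REGISTER):
        print(f"{r.name:28} inherent {r.inherent:2} ({r.inherent_band}) "
              f"residual {r.residual:5.2f} ({r.residual_band}) -> {r.action}")
```

Run it directly to print the heat map and the rated register. One caveat the banding makes explicit: the Table 10 bands leave gaps at 11, 14 and 17 that integer products never hit, but residual scores are fractional (15 x 0.75 = 11.25 in the sample) and do land there; the example rounds such a score up to the next band rather than leaving it unbanded, which is a conservative choice made here, not a rule stated by the framework.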


10. City Risk Universe

Due to the nature and extent of the City's business operations, the City's risk universe is diverse, dynamic and multi-faceted. An overview of the City's Risk Universe is depicted in Diagram 8.

Diagram 8: City Risk Universe

CITY RISK UNIVERSE

JOBURG GROWTH AND DEVELOPMENT STRATEGY 2040 OUTPUTS AND OUTCOMES

CITY OVERSIGHT STRUCTURES

CITY FIVE YEAR INTEGRATED DEVELOPMENT PLAN (IDP)

MAYORAL GAME CHANGER AND FLAGSHIP PROGRAM

Game Changer: Communication and Stakeholder Management Programme of Action

Flagship Programme: Corridors of Freedom

Flagship Programme: Jozi@Work

Flagship Programme: Green and Blue

Economy

Flagship Programme: Smart City

Mayoral Priority Implementation Plans

Financial Sustainability and Resilience

Safer Cities

Engaged Active Citizenry

Resource Sustainability

Investment Attraction, Retention and Expansion

Agriculture and Food Security

City Service Delivery and Functional Areas

Sustainable Services:

Development Planning

Water and Electricity

Rates and Taxes

Waste Removal

Housing Development

Environmental Services

Infrastructure Development

Social Housing

Community Development

Economic Growth:

Economic Development

Transport

Roads Infrastructure

Fresh Produce Market

Metro Bus

Property Management

Human and Social Development:

Health Services

Social Development

Traffic Management

By-Law Compliance

Licensing Prosecution and Courts

Emergency Management Services

City Theatres

City Parks and Zoo

Administration and Governance:

City Billing and Revenue Collection

Customer Relations and Urban Management

Group Strategy Policy Coordination and Relations

Corporate Shared Services

Group Communications

Group Legal and Contracts

Group Risk and Assurance Services

Office of the City Manager

Public Office of the Executive Mayor

Speaker’s Office


STRATEGIC AREAS | OPERATIONAL AREAS | REPORTING AREAS | COMPLIANCE AREAS

Stakeholder Management:

National Government

Provincial Government

City Citizens and Communities

Customers

Process:

Revenue and Collection Management

Cash Management

Supply Chain Management

Service Delivery

Change Management

Project Management

Periodic Management Reporting:

Operational and Strategic Management Reporting

Actual Versus Budgeted Income and Expenditure Financial Reporting

Project Management Reporting

Legislative and Regulatory Compliance:

Regulatory Compliance Management

Local Government Legislative Obligations and Oversight

External Factors:

Political Environment

Natural Environment

Economic Environment

Socio-Economic Environment

Personnel and Culture:

Human Capital Capacity

Training and Development

Occupational Health and Safety

Combined Assurance Reporting:

Risk Management Reports

Compliance Management Reports

Internal Audit Reports

Security and Investigation Reports

Legal:

Investigations of Fraud and Corruption

Contract Management

Litigation Claim Management

Governance:

Strategic Planning

Business Continuity

Reputation Management

Policy and Frameworks

Combined Assurance

Monitoring and Oversight

Financial:

City Funding

Centralised Financial Management

Credit and Liquidity

Interest Rates

Insurance Portfolio

Statutory Reporting:

Audited Annual Financial Statements

Oversight Committee Reports

Annual Report

Information Communication and Technology:

Systems

Information Management

Knowledge Management

Physical Assets:

City Infrastructure

City Vehicles


Other City Assets

10.1 Key Risk Indicators

Key Risk Indicators (KRIs) are the early warning signals, or "red flags", established to alert the City Manager, the Executives and Management to possible threats to the City. These early warning signals assist the City Manager, the Executives and Management to proactively address threats before they actually occur. KRIs are fundamental components of a risk and control framework and of sound risk management practice. KRIs are identified as part of the risk identification process and provide a measurement mechanism which raises the alarm before a risk actually materialises.

Unlike Key Performance Areas (KPAs), KRIs are metrics capable of highlighting the probability that the City will be exposed to a risk exceeding its defined risk appetite or tolerance. The constant measurement and monitoring of KRIs provides value to the City in a variety of ways and brings the following benefits:

• Risk Appetite: KRIs require the determination of appropriate thresholds for action at different levels within the City;

• Risk and Opportunity Identification: KRIs are designed to alert management to trends that may adversely affect the achievement of City objectives, or may indicate the presence of new opportunities;

• Risk Treatment: KRIs initiate action to mitigate developing risks by serving as triggering mechanisms for business units charged with monitoring particular KRIs;

• Risk Reporting: By design, KRIs provide measurable data conducive to aggregation. Relevant risk intelligence summary reports are promptly communicated to appropriate senior or executive managers, MOE boards and City committees with oversight responsibilities.

The City's Mayoral Game Changer, Flagship Programmes and Priority Implementation Plans, core administration departments, and support service and group departments each have unique strategic objectives and operational requirements. KRIs are therefore developed for each of these areas of the City's business. A summary of the core elements of well-designed City KRIs is set out below:

• Based on established practices and benchmarks;

• Developed consistently across the City;

• Selected indicators drill down to the root cause of the events;

• Provide an unambiguous and intuitive view of the highlighted risk;

• Identification and implementation of appropriate and cost-effective detective controls;

• Allow for measurable comparisons across time and business units;

• Provide opportunities to assess the performance of risk owners; and

• Determine notification methods, recipients and action or response sequences.
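As an added illustration of section 10.1 (not code from the framework), the following Python script evaluates one KRI against a ladder of action thresholds, each tied to a recipient and a response sequence, and separately warns when a rising trend is projected to reach the first threshold within a few reporting periods before it actually does. The indicator (overdue critical ICT patches), its thresholds, the recipient roles assigned to each tier and the readings are all hypothetical.

```python
"""KRI evaluation with tiered action thresholds and a trend check.
Added illustration for section 10.1, not framework code. The indicator, the
thresholds, the recipients and the readings are all hypothetical."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tier:
    threshold: float  # tier is reached when the reading is at or above this value
    recipient: str    # who is notified
    action: str       # response sequence triggered


@dataclass(frozen=True)
class KRI:
    name: str
    unit: str
    tiers: tuple[Tier, ...]  # ascending thresholds


@dataclass(frozen=True)
class Alert:
    kri: str
    reading: float
    tier: Optional[Tier]  # None means a trend warning: no tier reached yet
    reason: str


def reached_tier(kri: KRI, reading: float) -> Optional[Tier]:
    """Highest tier whose threshold the current reading meets."""
    hit = None
    for tier in kri.tiers:
        if reading >= tier.threshold:
            hit = tier
    return hit


def projected_reading(readings: list[float], window: int = 4, horizon: int = 3) -> float:
    """Least-squares line through the last `window` readings, extended `horizon` periods."""
    pts = readings[-window:]
    n = len(pts)
    if n < 2:
        return pts[-1]
    mean_x = (n - 1) / 2
    mean_y = sum(pts) / n
    slope = (sum((x - mean_x) * (y - mean_y) for x, y in enumerate(pts))
             / sum((x - mean_x) ** 2 for x in range(n)))
    return pts[-1] + slope * horizon


def evaluate(kri: KRI, readings: list[float], horizon: int = 3) -> Optional[Alert]:
    """Alert on a reached tier; otherwise warn if the trend reaches the first tier within `horizon`."""
    current = readings[-1]
    tier = reached_tier(kri, current)
    if tier is not None:
        return Alert(kri.name, current, tier,
                     f"{current}{kri.unit} is at or above the {tier.threshold}{kri.unit} threshold")
    first = kri.tiers[0].threshold
    projected = projected_reading(readings, horizon=horizon)
    if projected >= first:
        return Alert(kri.name, current, None,
                     f"trend projects {projected:.1f}{kri.unit} within {horizon} periods "
                     f"(first threshold {first}{kri.unit})")
    return None


# Hypothetical KRI: share of critical ICT patches overdue, with three escalation tiers.
PATCH_BACKLOG = KRI(
    name="Critical ICT patches overdue",
    unit="%",
    tiers=(
        Tier(10, "Management (ICT risk owner)", "review backlog and schedule remediation"),
        Tier(20, "Executives", "report in the quarterly risk intelligence summary"),
        Tier(30, "City Manager", "immediate remediation plan and status reporting"),
    ),
)

if __name__ == "__main__":
    # Constructed monthly readings (percent of estate).
    for history in ([2, 2, 3, 2], [4, 5, 7, 8], [4, 5, 7, 12], [8, 15, 22, 31]):
        alert = evaluate(PATCH_BACKLOG, history)
        if alert is None:
            print(history, "-> no action")
        else:
            who = alert.tier.recipient if alert.tier else "trend warning to Management"
            print(history, "->", who, ":", alert.reason)
```

The trend check is what turns a KRI from a lagging report into an early warning: the reading 8% in the second history has not crossed any threshold, yet the slope of the last four readings projects it past the 10% tier within three periods, so the business unit charged with monitoring the KRI is told before the breach rather than after.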


11. INFORMATION & COMMUNICATION TECHNOLOGY RISK ASSESSMENT

The City's information and communication technology (ICT) risk assessment framework is based on the ISACA IT principles and risk assessment framework, and has been further developed into a comprehensive ICT risk process model. This ICT risk assessment process model is also aligned with the COBIT and Val IT standards. The ICT risk management process model groups key activities into three domains.

In addition, substantial guidance is provided on the key activities within each process, responsibilities for the process, information flows between processes and performance management of the process.

The three domains of the City's ICT risk assessment framework are:

• Risk Governance;

• Risk Evaluation; and

• Risk Response.

Each domain contains three processes, as depicted in Diagram 9.


Diagram 9: Risk Assessment Framework

(The diagram arranges the three domains around the City's Business Objectives, linked by Communication.)

Risk Governance: Ensure that ICT risk management practices are embedded in the City, enabling it to secure an optimal risk return. Processes: Establish and Maintain a Common Risk View; Integrate with ERM; Make Risk-Aware Business Decisions.

Risk Evaluation: Ensure that IT-related risks and opportunities are identified, analysed and presented in business terms. Processes: Collect Data; Analyse Risk; Maintain Risk Profile.

Risk Response: Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities. Processes: Articulate Risk; Manage Risk; React to Events.


11.1. Risk Governance Domain

Risks accompany change, and are often accompanied by potential benefits and opportunities. ICT risk governance therefore implies a process that enables the City to benefit from both business and ICT changes while minimising the negative consequences of the associated risks.

A summary of the City's ICT risk governance processes, sub-processes and process outcomes is provided in the table below:

Table 12: ICT Risk Governance Processes

Process | Sub-Processes | Process Outcomes

Establish and Maintain a Common Risk View
• Sub-processes: Perform enterprise risk assessment; Propose risk tolerance thresholds; Approve risk tolerance; Align ICT risk policy; Promote ICT risk-aware culture; Encourage effective communication of ICT risk.
• Outcomes: City Risk Assessment; Risk Appetite and Tolerance; Alignment to Risk Policy; ICT Risk Culture; Effective ICT Risk Communication.

Integrate with ERM
• Sub-processes: Establish and maintain accountability for ICT risk management; Co-ordinate ICT risk strategy and business risk strategy; Adapt ICT risk practices to enterprise risk practices; Provide adequate resources for ICT risk management; Provide independent assurance over ICT risk management.
• Outcomes: ICT Risk Management Accountability; ICT Risk Strategy and Business Strategy Alignment; ICT Risk Strategy and City Risk Strategy Alignment; ICT Resource Management; Independent Assurance.

Make Risk-Aware Business Decisions
• Sub-processes: Gain management buy-in for the ICT risk; Approve ICT risk analysis; Embed ICT risk considerations in strategic business decision making; Accept ICT risk; Prioritize ICT risk response activities.
• Outcomes: Management buy-in; ICT Response Prioritization.


11.2. Risk Response Domain

The risk response domain covers the appropriate steps taken or procedures implemented upon discovery of an unacceptably high degree of exposure to one or more ICT risks. The purpose is to bring risk in line with the City's defined risk appetite after risk analysis. In other words, a response needs to be defined such that future residual risk (current risk with the risk response defined and implemented) is, as far as possible (usually depending on the budget available), within risk tolerance limits.

A summary of the City's ICT risk response processes, sub-processes and process outcomes is provided in the table below:

Table 13: ICT Risk Response Processes

Process | Sub-Processes | Process Outcomes

Articulate Risk
• Sub-processes: Communicate ICT risk analysis results; Report ICT risk management activities and state of compliance; Interpret independent ICT assessment findings; Identify ICT-related opportunities.
• Outcomes: ICT Risk Analysis Results Communication; State of Compliance Reporting and Interpretation of Findings.

Manage Risk
• Sub-processes: Inventory controls; Monitor operational alignment with risk tolerance thresholds; Respond to discovered risk exposure and opportunity; Implement controls; Report ICT risk action plan progress.
• Outcomes: Inventory Controls and Implementation; ICT Risk Action Plan Progress Reporting.

Respond to Events
• Sub-processes: Maintain incident response plans; Monitor ICT risk; Initiate incident response; Communicate lessons learned from risk events.
• Outcomes: Incident Response Plan; ICT Risk Monitoring.


11.3. Risk Evaluation Domain

The risk evaluation domain is the process of determining ICT risk management priorities by establishing qualitative and/or quantitative relationships between benefits and the associated risks.

A summary of the City's ICT risk evaluation processes, sub-processes and process outcomes is provided in the table below:

Table 14: ICT Risk Evaluation Processes

Process | Sub-Processes | Process Outcomes

Collect Data
• Sub-processes: Establish and maintain a model for data collection; Collect data on the operating environment; Collect data on risk events; Identify risk factors.
• Outcomes: Data Collection Model.

Analyse Risk
• Sub-processes: Define ICT risk analysis scope; Estimate ICT risk; Identify risk response options; Perform a peer review of ICT risk analysis.
• Outcomes: ICT Risk Analysis Scope Definition; Risk Response Options (Risk Avoidance; Risk Reduction/Mitigation; Risk Sharing/Transfer; Risk Acceptance); ICT Risk Analysis Peer Review.

Maintain Risk Profile
• Sub-processes: Map ICT resources to business processes; Determine business criticality of ICT resources; Understand ICT capabilities; Update ICT risk scenario components; Maintain the ICT risk register and ICT risk map; Develop ICT risk indicators.
• Outcomes: ICT Risk Scenarios; ICT Risk Register Maintenance; ICT Risk Map; ICT Resources Mapping; Key ICT Risk Indicators.


12 . GROUP COMBINED ASSURANCE

The risk management monitoring and reporting process is coordinated with the Group Combined Assurance Plan. This plan clearly indicates the parties responsible for providing periodic assurance to the City's Executive Management Team, Group Risk and Governance Committee, Group Audit Committee and the Mayoral Committee in relation to the management of significant, material and emerging risk areas within the City. Consistent with leading practice and the Group Combined Assurance Framework, the parties included within this plan are set out below:

• Executives and Management city-wide;

• Group Internal Audit Services Unit;

• internal audit functions;

• Group Risk Advisory Services Unit;

• Group Compliance Advisory and Assurance Services;

• Group Combined Assurance and Business Process Improvements Services;

• Office of the Auditor-General; and

• Other appropriate external service providers.

The combined assurance plan should clearly indicate the key risk areas and the frequency of the provision of assurance by the relevant assurance providers.

12. LEGISLATION AND REGULATORY

This Framework is developed based on the following legislative and regulatory frameworks and leading-practice risk management principles, standards and codes:

12.1. Primary Legislative and Regulatory Provisions

Municipal Finance Management Act No 56 of 2003

Municipal Systems Act No 32 of 2000, as amended

Companies Act No 71 of 2008, as amended

Anti-Corruption legislation


12.2. Public Sector and Leading Practice Principles Standards and Codes

National Treasury: Public Sector Risk Management Framework: April 2010

COSO Enterprise Risk Management - Integrated Framework 2004

COSO Strengthening Enterprise Risk Management for Strategic Advantage 2009

COSO Developing Key Risk Indicators to Strengthen Enterprise Risk Management 2010

COSO Enterprise Risk Management – Understanding and Communicating Risk Appetite:

January 2012

ISO 31000:2009 Risk Management Principles and Guidelines

ISO 22301 Business Continuity Management standard

King III Corporate Governance

ISACA and COBIT Framework for the Governance and Management of Enterprise ICT

13. AUTHORITY AND APPROVAL

13.1. Ownership

Ownership of this GRM Framework vests with the Group Risk and Governance Committee; this has in turn been delegated to the GRAS Risk Advisory Services (RAS) Unit.

13.2. Approval

GRAS is responsible for the coordination, drafting and update of this GRM Framework, and will submit this framework to the Group Risk and Governance Committee for review and approval.

13.3. Implementation

The GRAS RAS Unit is responsible for the implementation and roll-out of this GRM Framework in accordance with the Group Risk Management Policy across the City, and reports to the Accounting Officer and Group Risk and Governance Committee on the status of implementation on a quarterly basis.

The Accounting Officers and Boards are responsible for the adherence to and implementation of this GRM Framework in their respective.


13.4. Review and Approval

This GRM Framework will be reviewed and approved annually, or as necessitated by changes in legislation or in the requirements of the City's risk management landscape.


ANNEXURE A: GLOSSARY OF TERMS

External and Internal Factors

A myriad of external and internal factors drive events that affect strategy implementation and achievement of objectives. As part of enterprise risk management, management recognizes the importance of understanding these external and internal factors and the type of events that can emanate from them. External factors, along with examples of related events and their implications, include:

• Economic – Related events include goods and services price movements, capital availability, and sovereign economic ratings of South Africa and the City of Johannesburg, resulting, for example, in a higher or lower cost of capital and new competition from other African or Southern African cities.

• Natural environment – Events include flood, fire or earthquake, resulting in loss of or damage to the City's infrastructure, restricted access to offices and buildings, or loss of human capital.

• Political – Events include election of government officials with new political agendas, and new laws and regulations, resulting, for example, in significant changes in the strategic priorities of the City.

• Social – Events include changing demographics, social mores, family structures and work/life priorities, and terrorist activity, resulting in changing or increasing demand for stakeholder and community services, and related requirements.

• Technological – Events include new means of electronic commerce, resulting in expanded availability of data, reductions in infrastructure costs, and increased demand for technology-based services.

Events also stem from choices management makes about how it will function. The City's capability and capacity reflect previous choices, influence future events, and affect management decisions. Internal factors, along with examples of related events and their implications, include:

• Infrastructure – Events include the level of capital allocation to flagship and priority infrastructure programmes for the improvement of the City's infrastructure, and the level of capital allocation for preventive City infrastructure and equipment maintenance, in order to reduce infrastructure and equipment downtime and improve service delivery to stakeholders and customers.

Personnel – Events include workplace accidents, fraudulent activities, and expiration of labour agreements, resulting in loss of available skills and personnel, monetary or reputational damage, and loss of employee productivity.

Process – Events include process modification without adequate change management protocols, process execution errors, and outsourcing of customer services without adequate oversight, resulting in service delivery inefficiency and customer dissatisfaction.

Technology – Events include decreasing resources to handle volume volatility, security breaches, and potential systems downtime, resulting in customer and service delivery backlogs, fraudulent transactions, and inability to continue business operations.

Identifying the external and internal factors that influence events is useful for effective event identification. Once the major contributing factors are identified, management considers their significance and focuses on the events that affect achievement of objectives.

Table 15: External Risk Categories

No. Risk Category – Explanation of Risk Category

1. Natural Environment Risk – Risks arising from the City’s natural environment and its impact on normal operations, e.g. degradation of the environment, pollution, etc.

2. Economic and Market Risk – Risks relating to the City’s economic environment, such as sudden increases in unemployment and changes in wage rates, or inflation and interest rates, etc.

3. Socio-Economic Environment Risk – Risks relating to the City’s social environment, such as major demographic and social trends, level of citizen engagement, unemployment rates, migration of workers, inadequate community upliftment, etc.

4. Technology Risk – Risks arising from the effects of advancements and changes in technology, e.g. changes in the ICT environment.

5. Legislative Environment Risk – Risks relating to the City’s legislative environment, e.g. significant changes in legislation, etc.


Table 16: Internal Risk Categories

No. Risk Category – Explanation of Risk Category

1. Strategic Risk – Risks that have a bearing on strategic decision-making, direction, goals, mandates, priorities and key objectives of the City as a whole. These risks have an adverse effect on business continuity and may include, inter alia, plans failing, poor corporate strategy, and adverse political and regulatory changes.

2. Stakeholder Management Risk – Risk of inadequate consultation and communication with key City stakeholders in relation to the City’s strategic decision-making, and the planning and implementation of mayoral priority and flagship programmes.

3. Service Delivery Risk – Risk of the City’s service delivery to customers and stakeholders not meeting required standards or expectations.

4. Regulatory Risk – Risks arising from failure to implement regulatory compliance requirements as per the MFMA, MSA, Treasury Regulations, supply chain management regulations and other applicable legislative requirements.

5. Governance Risk – Failure to comply with leading-practice corporate governance processes as per the King III Code of Corporate Governance. Corporate governance is defined as the system by which the City is directed and controlled.

6. Operational or Process Risk – Risk of direct or indirect losses resulting from internal processes and procedures, inadequate systems or methodologies, human errors and omissions, design errors, unsafe behaviour, sabotage and the actual activities undertaken by the City.

7. Financial Risk – Risk that the City does not have sufficient funds available to timeously fulfil its cash flow obligations. These risks could encompass the non-existence of essential and adequate financial controls, and non-compliance with relevant Treasury Regulations.

8. Reputation Risk – Risks that have a negative impact on the good name, public perception, image and credibility of the City.

9. Human Capital or Intellectual Capital Risk – Risks arising from the actions or non-actions of employees, intentional or unintentional, human resource administration, employee relations, etc. Risk of the City failing to meet its mandate and/or objectives due to lack of critical skills capacity, loss of key executives, or failure to retain acquired intellectual capital.

10. Asset Loss Risk – Risks arising from damage to or theft of the City’s assets and infrastructure.

11. Management Information Risk – Risks relating to the City’s management information and reporting.

12. Information and Communication Technology (ICT) Risk – Risks arising from the City’s ICT infrastructure and operations, including information security.

13. Project Risk – Risks of projects not meeting key objectives, timeframes or agreed outputs, and exceeding project budgets.

14. Legal/Litigation Risk – Risks arising from violation of laws, regulations or agreements/contracts, and those that may give rise to legal liability. Risks of potential financial loss or reputational damage caused as a result of failure to protect vested rights or obligations, or to abide by legal obligations and/or requirements.

15. Occupational Health and Safety Risk – Risks that have a negative impact on the health and safety of the City’s employees, customers, contractors and citizens, arising from non-compliance with the Occupational Health and Safety Act.

16. Fraud and Corruption Risk – Risks relating to illegal or improper acts by employees and third parties resulting in a loss of City assets or resources.

17. Business Continuity Risk – Risks relating to the City’s preparedness, or the absence thereof, to deal with disasters and interruptions that could impact the normal functioning of the City.


An explanation of the terms used within the document is provided below:

No. Term – Definition or Explanation of Term

1. Assurance – An objective examination of evidence for the purpose of providing an assessment on governance, risk management and control processes for the City.

2. City Wide Top Strategic Risks – The City’s strategic risks identified at organisational level (City wide), which should be managed, and their performance reported on, by Senior Management on a regular basis, i.e. quarterly and per financial year.

3. Combined Assurance – The integration and aligning of assurance processes in the institution to maximise risk and governance oversight and control efficiencies, thereby optimising overall assurance.

4. Governance – The combination of processes and structures implemented by the City to inform, direct, manage and monitor its activities toward the achievement of its objectives.

5. Inherent Risk – The risk exposure in the absence of management interventions (existing controls).

6. Residual Risk – The remaining risk exposure after taking into account management interventions (controls in place).

7. Internal Controls – Processes for assuring achievement of the City’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. Controls involve the means by which the City’s resources are allocated, monitored, measured and utilised towards the achievement of objectives, resulting in effective delivery of service.

8. Key Risks – Risks impacting on Mayoral priorities’ outcomes.

9. Management – Includes employees of the City of Johannesburg who control or direct any directorate, department, unit, division, process or resources of the City.

10. Process – A set of activities designed by Council, the Mayoral Committee and management within the City in order to achieve the City’s mandate.

11. Risk – The probability of uncertain future events or threats that could have a negative impact on the achievement of objectives.

12. Risk Appetite – The amount of risk, on a broad level, that the City is willing to accept in pursuit of value.

13. Risk Tolerance – The extent to which the City is willing to accept the degree of risk exposures.

14. Risk Assessment – A process undertaken by management to identify, analyse and evaluate risks, considering their likelihood and impact, as a basis for determining how the risk should be managed and reduced to an acceptable level.

15. Risk Impact – The consequences of a risk occurring.

16. Likelihood – The probability of a risk occurring.

16. Risk Management – A continuous, proactive and systematic process, effected by Council, the Mayoral Committee and Accounting Officer, management and other personnel, applied in strategic planning and across the City, designed to identify risks and to manage those risks, to the extent necessary and possible, to provide reasonable assurance regarding the achievement of the City’s objectives.

17. Risk Owner – Accountable for ensuring proper management and control of all aspects of the risks identified. The Risk Owner has responsibility over the Action Owner in ensuring that mitigating plans are effectively and sufficiently implemented and that risks are reviewed periodically.

18. Action Owner – A delegated role responsible for taking actions in relation to a specific risk. The Action Owner’s responsibility is to effectively implement mitigating plans and keep the Risk Owner apprised of progress.

19. Risk Rating – The risk exposure classification (very high or extreme risk, high risk, moderate risk, or low risk) allocated to a risk, based on its probability of occurrence and potential impact on the City.

20. Risk Register – A tool for capturing each risk or exposure, its likelihood of occurrence, potential impact and rating, and how the risk is currently being controlled, as well as additional risk mitigation measures that may be required for the effective management of each risk identified.

21. Strategic Goals and Objectives – High-level City goals and objectives that are aligned with and support its mission and vision.

22. Risk Monitoring – The process for tracking identified risks, monitoring residual risks, identifying new risks, executing risk response plans, and evaluating their effectiveness on a quarterly basis. It is necessary to review, monitor and report on the action plans developed and on the progress being made in managing the identified risks.

_________________________
Ms. SINAYE NXUMALO
EXECUTIVE DIRECTOR
GROUP RISK & ADVISORY SERVICES
DATE:

____________________________
Mr. J. MAKORO
CHAIRPERSON
GROUP RISK & GOVERNANCE COMMITTEE
DATE:

__________________________
Mr. TREVOR FOWLER
CITY MANAGER
CITY OF JOHANNESBURG METROPOLITAN MUNICIPALITY
DATE: