CITY OF JOHANNESBURG METROPOLITAN MUNICIPALITY GROUP RISK AND ASSURANCE SERVICES GROUP RISK AND ADVISORY SERVICES GROUP RISK MANAGEMENT FRAMEWORK
COJ - Group Risk Management Framework Page 1
CITY OF JOHANNESBURG METROPOLITAN MUNICIPALITY
GROUP RISK AND ASSURANCE SERVICES
GROUP RISK MANAGEMENT FRAMEWORK
Effective Date 1 July 2015
Table of Contents
1. INTRODUCTION ..... 4
1.1. BACKGROUND ..... 4
1.2. PURPOSE ..... 5
1.3 APPLICABILITY OF GROUP RISK MANAGEMENT FRAMEWORK ..... 5
2. OBJECTIVES AND BENEFITS ..... 6
2.1. Objectives of Group Risk Management Framework ..... 6
2.2. Benefits of Group Risk Management Framework ..... 6
3. ENTERPRISE RISK MANAGEMENT ..... 7
4. RISK MANAGEMENT GOVERNANCE STRUCTURE ..... 10
4.1. Governance and Reporting Structure ..... 10
5. ROLES AND RESPONSIBILITIES ..... 12
6. GROUP RISK MANAGEMENT MODEL AND PROCESS ..... 14
6.1. Group Risk Management Model ..... 14
6.2. Group Risk Management Process ..... 15
6.2.1. Risk Identification and Prioritisation ..... 15
6.2.2. Risk Evaluation and Assessment ..... 16
6.2.2.1 Risk Assessment Approach ..... 17
6.2.3 Risk Response and Mitigation ..... 18
6.2.5 Risk Monitoring and Review ..... 21
6.2.6 Communication and Reporting ..... 22
7 GROUP RISK MANAGEMENT PROCESS ..... 23
8 RISK APPETITE AND RISK TOLERANCE ..... 24
8.1 Elements of Risk Appetite and Risk Tolerance ..... 24
8.2 Risk Appetite and Tolerance Thresholds ..... 26
8.3 Risk Appetite and Risk Tolerance Maturity Model ..... 27
9 CoJ RISK MATRIX ..... 30
9.1 RISK HEATMAP ..... 30
9.2 Evaluation of Likelihood ..... 31
9.3 Evaluation of Impact ..... 31
9.4 Interpretation of Risk Exposure Levels ..... 33
9.5 Assessment of Control Effectiveness ..... 33
10. City Risk Universe ..... 34
10.1 Key Risk Indicators ..... 36
11. INFORMATION & COMMUNICATION TECHNOLOGY RISK ASSESSMENT ..... 38
11.1. Risk Governance Domain ..... 40
11.2. Risk Response Domain ..... 41
11.3. Risk Evaluation Domain ..... 42
12. GROUP COMBINED ASSURANCE ..... 43
12. LEGISLATION AND REGULATORY ..... 43
12.1. Primary Legislative and Regulatory Provisions ..... 43
12.2. Public Sector and Leading Practice Principles Standards and Codes ..... 44
13. AUTHORITY AND APPROVAL ..... 44
13.1. Ownership ..... 44
13.2. Approval ..... 44
13.3. Implementation ..... 44
13.4. Review and Approval ..... 45
ANNEXURE A: GLOSSARY OF TERMS ..... 46
External and Internal Factors ..... 46
LIST OF DIAGRAMS
DIAGRAM 1: COSO ERM FRAMEWORK ..... 10
DIAGRAM 2: CITY RISK MANAGEMENT GOVERNANCE AND REPORTING STRUCTURE ..... 11
DIAGRAM 3: GROUP RISK MANAGEMENT MODEL ..... 14
LIST OF TABLES
TABLE 15: EXTERNAL RISK CATEGORIES ..... 47
1. INTRODUCTION
1.1. BACKGROUND
The Framework is primarily developed to guide, inform and raise awareness among Executives and Management of the City of Johannesburg Metropolitan Municipality, including its Municipal Entities (), on the Enterprise Risk Management (ERM) principles and processes adopted by the City. This document is useful in communicating the City’s approved risk governance structure, Framework, standards and procedures for risk management. Its main aim is to provide a practical Framework to assist managers in the effective identification, evaluation and control of risks that may impact upon the achievement of the corporate, mayoral and service objectives and priorities that the organisation has set itself. In this way, risk management is intrinsically linked to the organisation’s ‘positive aspirations and achievements’ rather than solely focussed on ‘negative factors’. Staff should therefore view risk management across the organisation as a tool to support achievement rather than simply another compliance procedure.
The framework is aligned to the Committee of Sponsoring Organisations of the Treadway Commission (COSO) Enterprise Risk Management Integrated Framework, the Risk Management Policy and Framework, the King III Report on Corporate Governance, the ISO Risk Management Principles and Guidelines (ISO 31000:2009), the ISO 22301 standard for Business Continuity Management, and the National Treasury Public Sector Risk Management Framework.
The City Manager, as the Accounting Officer, is mandated by sections 62(1)(c)(i) and 95(c)(i) of the Municipal Finance Management Act, which state: “Accounting Officers are to ensure that their municipalities and municipal entities have and maintain effective, efficient and transparent systems of risk management”. The City Manager has delegated implementation of the Group Risk Management and Advisory Framework to the Group Risk and Assurance Services (“GRAS”) Department, which is the custodian thereof. The GRAS: Risk Management and Advisory Unit (“GRAS: RMAS Unit”) will take ownership of this delegation.
In turn, Council has delegated its oversight function over ERM to the Group Risk and Governance Committee (“GRGC”). Accordingly, the GRAS: Executive Director is accountable to the City Manager, as the Accounting Officer, and to the Executive Mayor for the implementation hereof.
GRAS is mandated to embed Enterprise Risk Management principles throughout the City. Its
mandate is legislative and is derived from the accountability and responsibility of the Accounting
Officer on risk management as defined in the Municipal Finance Management Act (MFMA), the
Municipal Systems Act (MSA) and regulations, and other applicable legislation.
1.2. PURPOSE
The main purpose of this framework is to assist the Executives and Management in the effective implementation of risk management principles in the identification, assessment, evaluation, analysis and control of risks that may hinder achievement of the City’s mayoral goals, its corporate governance, and service delivery. It is therefore essential that risk management is integrated into the City’s daily operations and processes for the effective, efficient and economical delivery of the City’s mandate. All City employees should therefore view risk management as an inter-linking tool to support the achievement of the City’s objectives.
“If risk management is to be effective there must be a clear link between objectives and risks. It is, therefore, essential that risk management is embedded in the planning process.”
1.3 APPLICABILITY OF GROUP RISK MANAGEMENT FRAMEWORK
This framework is applicable to the City’s:
• Core Administration and its Municipal Entities (“”);
• Mayoral Game Changer, Flagship Program and Mayoral Priority Implementation Plans;
• Internal assurance functions; as well as
• Governance oversight processes.
2. OBJECTIVES AND BENEFITS
2.1. Objectives of Group Risk Management Framework
The key objectives of the City’s Group Risk Management Framework are set out below:
• Implementation of purposeful and systematic risk identification, risk assessment, risk evaluation and risk mitigation management strategies to ensure the achievement of the City’s goals and objectives;
• The creation of a consistent and standard platform for the group risk management process within the City’s departments and MOEs;
• The determination of risk mitigation strategies and controls to reduce risk exposure, and improve the management of significant and City-wide risks;
• Regular risk assessment, evaluation and prioritisation of risks with a view to ensuring optimal risk management and related results;
• To provide management with proven risk management tools that support their decision-making responsibilities and processes, and the management of key risks (threats and opportunities) impacting on their goals and objectives;
• To ensure that all employees within the City have an understanding of risk, and that the City adopts a uniform approach for the identification and prioritisation of risks;
• To ensure that risk management processes exist in an environment of continuous feedback and improvement; and
• Embedding risk management processes within the strategic and operational activities of the City.
2.2. Benefits of Group Risk Management Framework
Among others, the following are the benefits of Risk Management processes:
• More informed decisions in the regular management of achieving the City’s objectives;
• Reduction of losses;
• Prevention of fraud and corruption;
• Value for money through more efficient use of resources; and
• Enhanced outputs and outcomes through improved project and programme management.
The Group Risk Management Framework facilitates the following benefits in relation to the City’s risk management process:
• Pro-active identification and management of risks arising from strategic and operational business activities, including projects, PIPs, flagship programs and contracts City-wide (at departments and MEs);
• Analysis, prioritisation and evaluation of these risks to ensure adequate and efficient resource allocation in order to manage the risk exposures to acceptable levels;
• Pro-actively determining and implementing mitigating actions and strategies in order to control and reduce the risk exposures, and to continually improve the City’s management internal controls and processes; and
• Maintaining on-going monitoring and reporting on the status of risks.
3. ENTERPRISE RISK MANAGEMENT
The underlying premise of enterprise risk management is that every organisation within the public sector exists to provide service delivery. All organisations face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to deal effectively with uncertainty and the associated risk and opportunity, enhancing the capacity to build stakeholder value.
Enterprise risk management is an ongoing systematic process, effected by the City of Johannesburg Metropolitan Municipality Council, the City Manager, the Executive Management Team (EMT) and other personnel, applied in strategy setting and across the City (including its Municipal Entities), designed to identify potential events that may affect the City’s Mission and Vision on service delivery, and to manage risk to be within the risk appetite and risk tolerance, in order to provide reasonable assurance regarding the achievement of the City’s goals, strategic objectives, Mayoral Game Changer, Flagship Program and Priority Implementation Plans (PIPs).
ERM includes the following fundamental concepts:
• Ongoing process: ERM is not static, but rather a continuous or iterative process that permeates the City. The process is pervasive and inherent in the way management runs the business.
• Effected by management at all levels of the City: It is accomplished by all employees of the City in their day-to-day activities.
• Applied in strategy setting: ERM is applied in strategy setting, in which management considers risks relative to alternative strategies.
• Applied across the City: It is applied at every level and unit, and therefore the scope of ERM includes all the activities of the City.
• Risk appetite: Risk appetite is the amount of risk, on a broad level, that the City is willing to accept in pursuit of value.
• Risk tolerance: Risk tolerance is the extent to which the City is willing to accept the degree of risk exposure.
• Provides reasonable assurance: Well-designed, effective ERM processes provide management and Council with reasonable assurance regarding achievement of the City’s objectives. They can be expected to provide reasonable assurance of achieving objectives relating to the reliability of reporting, and compliance with laws and regulations. Achievement of those categories of objectives is, however, within the City’s control and depends on how well the City’s related activities are performed.
This enterprise risk management framework is geared to guide the achievement of the City’s objectives, set forth in four categories:
• Strategic – high-level goals, aligned with and supporting its mission
• Operations – effective and efficient use of its resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and regulations.
Components of Enterprise Risk Management
Enterprise risk management consists of eight interrelated components, which are integrated with the management processes. The City’s Group Risk Management Framework is premised on the COSO Enterprise Risk Management Integrated Framework, which consists of these eight interrelated components. An overview of the framework is presented in Diagram 1 below. The components are:
• Internal Environment – The internal environment encompasses the ‘tone at the top’, and sets the basis for how risk is viewed and addressed by the City’s Executives and Management; this includes the risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
• Objective Setting – Objectives must exist before management can identify potential risks affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the City’s mission and vision, and are consistent with its risk appetite.
• Event Identification – Internal and external events affecting achievement of the City’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management’s strategy or objective-setting processes.
• Risk Assessment – Risks are analysed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
• Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the City’s risk tolerances and risk appetite.
• Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
• Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable the Executives, Management and employees to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the organisational structure.
• Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Diagram 1: COSO ERM Framework
There is a direct relationship between objectives, which the City strives to achieve, and enterprise
risk management components, which represent what is needed to achieve them. The relationship
is depicted in a three-dimensional matrix, on this diagram. This depiction portrays the ability to
focus on the entirety of City’s risk management processes by objective category, its components,
entity, business unit, and any subset thereof.
4. RISK MANAGEMENT GOVERNANCE STRUCTURE
4.1. Governance and Reporting Structure
The Council and Mayoral Committee are responsible for the overall governance of risk management within the City. The responsibility for the oversight of the City’s risk management governance has been delegated to the Group Risk and Governance Committee (GRGC). The role, responsibility and authority of this committee are defined within its charter as approved by the Mayoral Committee and Council. The risk governance structure, and the related roles and responsibilities, is designed to ensure that the risk management process is effective throughout the City. The group risk management governance structure of the City is set out in Diagram 2 below:
Diagram 2: City Risk Management Governance and Reporting Structure
The diagram shows the following structures:
• Council
• Executive Mayoral Committee
• Group Risk and Governance Committee
• GRAS: Risk Advisory Services Unit
• Departmental Risk Champions
• Risk Management Units
• GRAS: Internal Audit Services Unit (Department Internal Audit Function)
• Internal Audit Functions
• Executive Management Team (EMT) and Combined Assurance Forum
5. ROLES AND RESPONSIBILITIES
The City’s risk management oversight is the responsibility of the Council and Mayoral Committee.
The Mayoral Committee is responsible through its sub-committees for recognising all significant
and material risks to which the City is exposed.
The Mayoral Committee has delegated its risk management oversight responsibility to the Group
Audit Committee and the Group Risk and Governance Committee i.e. these committees focus on
a specific mandate which includes, inter alia, functions associated with City wide risk
management oversight.
Risk management ownership and responsibility rests with Executives and Management whilst
ultimate accountability vests with the Accounting Officer. The Accounting Officer should ensure
that all strategic and key operational risks that have been identified within the City are discussed
and addressed at Executive Management Team (hereafter “EMT”) Meetings, and Extended EMT
Meetings.
The Group Risk and Advisory Services Unit is responsible for providing guidance and advice to the City Manager, the Executives and Management on the effective implementation of Risk Management processes. However, Risk Management is the responsibility of all City officials, regardless of level or grading.
The risk management responsibilities of the various key role players are stipulated in the table below:
Table 1: Roles and Responsibilities
Governance Structure: Roles / responsibility
Council and Mayoral Committee
o Oversight on the City-wide risk management system, processes and risk profile. Accountability in terms of the MFMA, and assurance to stakeholders.
Council Section 79 Committee
o Oversight over the sectoral risk profile and appropriate risk management strategies.
Group Audit Committee (GAC) & Group Performance Audit Committee (GPAC)
o Provides assurance on the City-wide ERM process and strategic and operational risk profiles.
Group Risk Governance Committee (GRMC)
o Provides oversight and advisory on the City-wide ERM Framework, Policies, Process, Group Risk Profile and Group Risk Tolerance / Appetite.
City Manager
o Accountability for development and implementation of ERM governance, architecture and process in the City and management of identified major risks.
o Sets the ‘tone at the top’ on risk management principles, processes and governance structures.
Executive Audit & Risk Management Committee
o Supports the City Manager and EMT in ensuring effective implementation of risk management processes to enhance the City’s ability to achieve its strategic objectives.
Business Units
o Responsible for designing a risk-controlled environment within day-to-day business operations and implementing a risk tracking model in order to address and manage identified risks to acceptable levels; accountable for regularly reporting to Senior Management on the effective management of identified risks within business units.
Group CFO / Shareholder Unit (SHU)
o Financial risk management strategy.
o Funding and resourcing key risk mitigation strategies.
o Monitoring implementation of ERM by the City’s entities.
MOE Board of Directors
o Governance of ERM within the Municipal Entity.
o Determine the levels of risk appetite and risk tolerance.
o Accountability to the GRMC and GAC on ERM through the MOE Audit & Risk Committee.
o The governance of risk through formal processes, which includes the total MOE system and process of risk management.
MOE Audit and/or Risk Committee
o Assurance and oversight over the Entity’s Enterprise Risk Management.
Managing Director / Chief Executive Officer () & Executive Directors
o Senior Management is accountable to the Council/Board for designing, implementing and monitoring risk management, and integrating it into day-to-day activities.
o Accountability for implementation of the ERM Framework, policy and processes.
o Ensure that the risk register is in place and is continuously updated through regular risk assessments and updates to the control environment.
o Providing reports and comment to the Group Risk and Governance Committee as and when required.
o Acknowledge the “ownership” of risks within their business units or functional areas, and all responsibilities associated with managing such risks.
o Cascade risk management into their functional responsibilities.
o Monitor risk management within their area of responsibility.
o Maintain the business unit risk profile within the City’s risk tolerance and risk appetite levels.
Group Risk and Audit Services (GRAS)
o Consulting and advisory on the ERM Framework, Policy, strategies and implementation City-wide (Departments & Entities); ERM strategy and maturity planning; defining the risk assessment methodology.
o Provide specialist expertise to assist the City to embed risk management and to leverage its benefits to enhance performance.
o Provide advice to management on the determination of risk appetite and tolerance.
MOE’s Chief Risk Officers & Risk Management functions
o Facilitate implementation of the ERM Framework, Policy and process, and Annual Risk Management Plans.
Chief Internal Auditors & Internal Audit function
o Assurance on the risk management process City-wide (departments and MEs), and reviewing the effectiveness of risk mitigation controls and action plans.
6. GROUP RISK MANAGEMENT MODEL AND PROCESS
6.1. Group Risk Management Model
The City and its have adopted a group risk management model and process that will enable the embedding of sound risk management practices in all its strategic and operational activities. City departments and must have a clear understanding of the roles and responsibilities, the approved methodologies, and the integration processes that have been adopted by the City, which they are required to apply and follow.
The City has embraced the enterprise risk management model (hereafter “ERM”) which
encompasses aligning risk appetite and strategy; enhancing risk response decisions; reducing
surprises and losses; identifying and managing multiple and cross-enterprise risks; seizing
opportunities; and improving deployment of funding and capital. It is important that there is a
common understanding of the term risk as a pre-cursor to the review of risk management, its
benefits and limitations.
The diagram below depicts the City’s group risk management model.
Diagram 3: Group Risk Management Model
6.2. Group Risk Management Process
Enterprise Risk Management processes do not operate in isolation, and are therefore integrated into business processes in order to maximise value from all operational activities within the City. This is to increase the probability of effective, efficient and economical achievement of the City’s objectives.
This GRM Framework outlines how the risk management process will be implemented and maintained within the City. The five interlinked elements of the City’s GRM process are:
• Risk identification and prioritisation;
• Risk evaluation and assessment;
• Risk response and mitigation;
• Risk monitoring and review; and
• Communication and reporting.
6.2.1. Risk Identification and Prioritisation
An event is an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of the City’s objectives. Events may have a positive or negative impact, or both. The risk identification process guides management in prioritising and channelling resources to manage the key risks to an acceptable level. Risks are prioritised depending on their inherent and residual risk exposure, which can be classified as extreme, high, medium or low.
Event and risk identification involves a purposeful and systematic process to identify significant and emerging potential risks and opportunities linked to the achievement of the City’s goals and objectives. The risk identification process covers all risks affecting the City, whether internal or external.
The City has adopted risk workshops and questionnaires as suitable risk identification techniques for its environment. The process is supplemented by the review and consideration of:
• External and internal audit reports;
• Internal and external environment;
• Financial analyses;
• Historical incidents / past events;
• Actual losses;
• Key performance indicators;
• City’s Risk Universe;
• Best practices.
6.2.2. Risk Evaluation and Assessment
The City’s Group Risk Management policy stipulates that risk assessments should be conducted
annually. The responsibility to ensure that periodic risk assessments are conducted within the
City rests with the City Manager, the Executives and Management, who assist in creating an
enabling environment.
Risk evaluation and assessment is a systematic process to quantify or qualify the level of risk
associated with a specific threat or event, enriching the risk intelligence available to the City. The
main purpose of risk assessment is to assist management in prioritising the key risks.
Risk assessment is performed through facilitated risk workshops. The annual risk assessment
requires a review of the risk register (the risk management tool), identification of risks and
emerging risks, and analysis of residual exposures based on the likelihood of occurrence and the
associated impact (nature and extent).
Risks are assessed on the basis of the likelihood and the impact of their occurrence in the following
stages:
a) Firstly, the inherent risk is assessed to establish the level of exposure in the absence of
management strategies and controls that influence the risk;
b) Secondly, a residual risk assessment follows to determine the actual remaining level of risk
after management strategies and controls are put in place to influence the exposure; and
c) Thirdly, the aggregated residual risk is benchmarked against the City's risk appetite and
tolerance to determine the need for further management intervention, if any.
Diagram 4: Overview of Risk Evaluation and Assessment Approach
These interlinked elements of the GRM process are illustrated in Diagram 5 and described in
subsequent sections.
6.2.2.1 Risk Assessment Approach
a) STRATEGIC RISK ASSESSMENT PROCESS
The approach to strategic risk assessment is top-down: the City's top strategic risks are
cascaded down to departmental and entity strategic risk profiles. This enables the strategic risk
assessment process to be integrated with the City's annual strategic planning and budget planning
cycles. Executives and Management are required to develop and implement mitigating actions in
order to manage risk exposures to an acceptable level. Progress on the implementation of action
plans should be monitored continuously, assessed and reported on a quarterly basis to
Executives and Management via the relevant committees within the City.
The strategic risk assessment process within the City incorporates the following:
o The identification, evaluation and assessment of the City Wide Top Strategic Risks which may
impact the achievement of the City's Integrated Development Plan (IDP) and the Joburg GDS
2040.
Diagram 4 content: Objectives, Process and Controls feed into the RISK; Inherent Risk is the exposure before assessment of controls, Residual Risk the exposure after assessment of controls.
o The identification, evaluation and assessment of strategic risks of the City's Game Changer
programme, Flagship Programmes and Priority Implementation Program.
o Establishment of risk profiles at departmental and entity levels.
b) OPERATIONAL RISK ASSESSMENT PROCESS
Operational risk assessment processes are conducted at all business units/directorates within
the City, at departmental and entity levels. The process links the identified departmental and
entity strategic risks to business units/directorates. Management is required to develop and
implement mitigating actions in order to manage risk exposures to an acceptable level.
Progress on the implementation of action plans should be monitored continuously, assessed and
reported on a quarterly basis to Executives and Management.
c) PROJECT AND CONTRACTS RISK ASSESSMENT PROCESS
A project risk assessment process is conducted for all significant projects and contracts within the
City (departments and entities). For long term projects, the project risk register is reviewed at
least once a year to identify new and emerging risks. The risk identification process is conducted
with the involvement of the relevant project manager/leader. The project manager is required to
develop and implement mitigating actions in order to manage risk exposures to an acceptable
level. Progress on the implementation of action plans should be monitored continuously,
assessed and reported quarterly to Executives and Management.
6.2.3 Risk Response and Mitigation
Risk response is concerned with developing strategies to reduce and manage risk exposures. A
proactive approach is generally adopted by determining mitigation actions / plans against the risks
identified. The City endeavours to control and manage potential threats and related risk
exposures in such a manner that the exposures are reduced to an acceptable level, below the
risk appetite and tolerance levels / thresholds, and to ensure that those threats or risk
exposures do not materialise.
a) RISK RESPONSE STRATEGIES
The City has adopted the following four risk response strategies (the 4 T's), based on best practice:
Table 2: Explanation of Risk Response Strategies
No | Response Strategy | Explanation of Strategy
1. | Terminate (Avoid) | Cease carrying out the activity because modifying or controlling it would not reduce the risk to an acceptable level within the risk appetite or risk tolerance.
2. | Tolerate (Accept) | The City accepts the risk as it is tolerable within the existing business model and activities.
3. | Treat (Manage) | Resources are available to manage and reduce the likelihood of the threat / risk exposure materialising.
4. | Transfer (Share) | The risk is transferred to a third party with more capacity to handle the exposure, for example by contracting out services or taking out insurance.
A further response strategy that can be adopted is risk exploitation: exploiting the risk factors by
implementing strategies to take advantage of the opportunities they present.
In determining the risk response, management should consider the following:
o the effect of potential responses on risk likelihood and impact, and which response option is
effective for a particular risk;
o the costs versus the benefits of potential responses;
o possible opportunities to achieve City objectives beyond dealing with the specific risk.
In evaluating response options, Executives and Management should bear in mind that a response
may affect the likelihood and the impact of a risk differently.
b) ASSESSING COSTS vs BENEFITS
The decision on the nature and extent of risk mitigation controls is informed by the nature of the
risk, its rating (extreme, high, medium or low) and the associated costs and benefits.
The relative costs and benefits of alternative risk response options are considered. Cost and benefit
measurements for implementing risk responses are made with varying levels of precision. All
direct costs associated with instituting a response, and all indirect costs that are practically
measurable, should be considered. Executives and Management should also consider the opportunity
costs associated with the use of resources in responding to the identified risk exposures.
c) DOCUMENTING RISK RESPONSES
Risk response strategies are documented with the responsibilities and timelines attached thereto,
and communicated to relevant action owners and risk owners. The risk mitigation strategies and
responses are documented in the tool utilised to capture identified risks (risk register) and are
reported to Executive Committees and Independent Committees on an ongoing basis.
Group Risk Advisory Services Unit provides consulting and support services to Executives and
Management on determining and documenting appropriate risk response strategies.
d) CONTROL ACTIVITIES
Control activities are the policies and procedures that help ensure management's risk responses
are carried out. They are categorised according to the nature of the objectives and the extent of
the risk exposures. Just as the selection of risk responses considers their appropriateness, the
selection or review of control activities includes consideration of their relevance and
appropriateness to the risk response and the related objective. This is accomplished either by
separately considering the suitability of the control activities, or by considering residual risk in
the context of both the risk response and the related control activities.
Management is responsible for designing, implementing and monitoring the effective functioning
of the system of internal control. All City employees have a role in maintaining effective systems
of internal control, consistent with their delegated authority and areas of responsibility; refer to
the table below.
Table 3: Internal Control Categories and Objectives
No | Internal Control Category | Internal Control Category Objective
1. | Management controls | To ensure that the City's structure and systems support its policies, plans and objectives, and that it operates within laws and regulations.
2. | Administrative controls | To ensure that policies and objectives are implemented in an efficient and effective manner.
3. | Accounting controls | To ensure that resources are accounted for fully and transparently and are properly documented.
4. | Information Technology controls | To ensure the security, integrity and availability of information.
Controls that reduce risk exposure or severity may be preventative, directive, detective or
corrective. An explanation of the relevant control objectives and examples of these controls are set
out below:
Table 4: Explanation of Types of Internal Control
No | Control Type | Control Objective | Examples of Control
1. | Preventative controls | These controls prevent errors or irregularities from occurring. | Physically restricting access to specific areas, insisting on two signatories for authorisation, ensuring suitable segregation of duties exists within a process or system, implementing levels of authorisation limits, or restricting levels of access on IT systems by way of user profiles.
2. | Directive controls | These controls direct how certain processes or activities are conducted, in a manner that is conducive to achieving City objectives. | Policy and procedure manuals, delegation of authority, management instructions, guidance notes, and training.
3. | Detective controls | To detect as early as possible, or serve as a trigger, that a possible risk event or error is becoming likely to occur or has occurred, so that early intervention can be considered. | Early warning systems, surprise checks, asset inventory verification checks, alarms, exception reports, accident and incident reports, financial reports such as budget monitoring reports, and the performance of reconciliation procedures to identify errors.
4. | Corrective controls | Operate together with detective controls to correct errors or irregularities. | Follow-up and address any errors or omissions identified by way of asset inventory checks, financial and budget monitoring reports, and key account reconciliations.
6.2.5 Risk Monitoring and Review
The primary purpose of risk monitoring is to assist Executives and Management to determine
whether:
o measures (risk responses) previously adopted are still working as intended and
producing the expected results;
o mitigating actions previously adopted are still appropriate and relevant to the risks;
o the previously identified risks are still relevant to the operating models and still reflect
the organisation factually;
o management timelines are still appropriate; and
o any new emerging risks have arisen as the operating models evolve.
Risk monitoring is the process of tracking identified risks, monitoring residual risks,
identifying new risks, executing risk response plans and evaluating their effectiveness
throughout. The results of the risk responses, which are integrated into managing and
controlling the risk exposures, are therefore evaluated for adequacy.
This stage involves tracking and reporting on risk exposures to stakeholders (internal and
external). In addition, there is an assessment of the performance of risk management interventions
in managing the probability and the impact or severity of adverse risks occurring. The performance
assessment also indicates whether additional or alternative interventions and actions should
be determined to ensure effective mitigation of the identified risk exposures.
Ongoing, continuous risk monitoring is essential, as the process is integrated into normal, day
to day operating activities. Continuous monitoring is effective in anticipating and uncovering
circumstances that will have a negative impact on, or endanger, the achievement of objectives as
business operations unfold, so that threats are noticed and managed quickly.
For effective risk monitoring, the process should be a standing agenda item at
departmental and Executive and Management meetings. A further step is to arrange a separate
meeting with the Group Risk and Advisory Services Unit to assess and evaluate the dashboard and
risk movement periodically.
6.2.6 Communication and Reporting
Information on the risks identified, and on how those risks are being managed, should be captured and
communicated in a form and timeframe that enables the risk owners and action owners to carry
out their responsibilities. The information should also be documented and communicated to
Executives and Management as part of decision making processes.
Effective communication also flows down, across and up the organisation; therefore all officials
should be made aware of the existence of ERM principles and processes within the City.
Both financial and non-financial information should be communicated as part of risk management
strategies.
ERM communication effectively conveys:
o the importance and relevance of effective enterprise risk management;
o the City's strategic and related objectives;
o the City's risk appetite and risk tolerances;
o the roles and responsibilities of personnel in effecting and supporting the components of
enterprise risk management.
The City's risk communication and reporting process supports enhanced decision making and
accountability through:
I. Dissemination of relevant, timely, accurate, concise and complete information;
II. Timely escalation of critical, significant and relevant risk information to:
o MOE Risk Management Committees and Boards of Directors;
o the City's Executive Audit and Risk Committee;
o the City's Executive Management Team (EMT) and Extended EMT;
o the Group Risk and Governance Committee (GRGC);
o the Group Audit Committee; and
o the City's Mayoral Committee and Council;
III. Timely communication of risk management responsibilities and actions.
7 GROUP RISK MANAGEMENT PROCESS
Group risk management is an ongoing process which requires regular and systematic evaluation
to deliver a sound decision making process. This, in turn, leads to the achievement of high
quality services delivered on a value for money basis.
Diagram 5: Group Risk Management Process
8 RISK APPETITE AND RISK TOLERANCE
An effective enterprise risk management process requires defined risk appetite and risk
tolerance levels, which embody the rules and guidelines for the organisation in taking on risk
or treating risk. The City's risk appetite and tolerance are directly related to its business
strategy. Risk management must be integral to strategic planning decisions: in selecting a
strategy, management must give due consideration to the City's appetite for risk and to the
levels of risk exposure that may be acceptable.
The City determines its risk appetite and risk tolerance in order to guide resource allocation and to
support more informed decision making in regard to planning and implementation processes.
8.1 Elements of Risk Appetite and Risk Tolerance
Risk appetite is a key consideration in setting objectives and strategies. It is important to
recognise that risk appetite can be articulated either qualitatively or quantitatively. Risk appetite
can also be influenced by the historical impact of past events and by the reactions of key stakeholders,
customers, employees, regulators and suppliers.
Risk appetite is defined as the level of risk the City is willing to pursue, while risk tolerance is
defined as the risk the organisation is willing to deal with.
An overview of the strategic considerations on City’s risk appetite is set out in Diagram below.
Diagram 6: Overview of Considerations Affecting City Risk Appetite
Diagram 6 content:
o Existing Risk Profile: the existing level and distribution of risks across risk categories (e.g. financial risk, service delivery risk, operational risk, reputation risk, etc.)
o Risk Capacity: the maximum risk the City may bear and remain financially sustainable and resilient
o Risk Tolerance: acceptable levels of variation the City is willing to accept around specific objectives
o Desired Level of Risk: the desired City balance of growth, risk and return
These four considerations feed into the Determination of Risk Appetite.
8.2 Risk Appetite and Tolerance Thresholds
Risk tolerance levels can be defined for each risk category and/or major risk area on a qualitative
basis, a quantitative basis, or both. The risk appetite and tolerance levels below are
qualitative, in accordance with the City's risk assessment methodology and risk heat map, and
are provided as guidance to management.
Table 5: Risk Appetite and Tolerance
Risk categories: Strategic | Financial | ICT | Regulatory | Operational | Reporting | Fraud
Each of the following elements applies to all seven risk categories:
o Risk Universe sources: local government regulatory environment; GDS2040, IDP/SDBIP; Mayoral Priorities
o Risk assessment (using the risk assessment methodology)
o Inherent and residual risk matrix (risk heat map)
o Risk appetite
o Risk tolerance
Table 6: Risk Appetite and Tolerance
# | Risk Category | Risk Appetite | Risk Tolerance
1. | Fraud and Corruption | Zero | Zero Tolerance
2. | Non-compliance with Supply Chain Management Regulations | Zero | Low Tolerance
3. | Regulatory non-compliance | Zero | Low Tolerance
4. | Financial Governance / Management risks | Low | Low Tolerance
5. | Financial underperformance (% aligned to SDBIP annual target) | Approved annual target | Low Tolerance
6. | Service delivery and Operational Risks (organisational performance indicators) | Approved annual target | Low Tolerance
7. | Organisational and governance risks (accountability) | Low | Low Tolerance
8. | Information and Communication Technology (ICT) Governance and Delivery | Low | Moderate
9. | Financial reporting: adverse and disclaimer audit outcomes | Zero | Zero Tolerance
10. | Financial reporting: unqualified audit (with matters of emphasis) | Low | Moderate
11. | Non-Financial Reporting (AoPO / Organisational Performance): adverse and disclaimer audit outcomes | Zero | Zero Tolerance
12. | Non-Financial Reporting (AoPO / Organisational Performance): unqualified audit outcome (with matters of emphasis) | Low | Moderate
The general principle is that the City's tolerance extends to medium / moderate and low risk
exposures only.
8.3 Risk Appetite and Risk Tolerance Maturity Model
Given the City's size and structure, and the nature and extent of its business operations, it is
beneficial to determine its risk appetite and tolerance maturity model.
The objectives of the City's risk appetite and risk tolerance maturity model are set out below:
o Give effect to the public sector and leading practice risk appetite and risk tolerance principles
contained within the City's Group Risk Management Policy and Framework;
o Articulate the phased approach for the transition of the City from the existing awareness state
to the desired state of being enabled to establish risk appetite and risk tolerance maturity; and
o Provide the recommended road map for enhancing the level of risk appetite and risk
tolerance maturity within the City.
Table 7: Maturity Model
No | Description of Maturity Level | Key Characteristics or Criteria for Establishing Risk Appetite | Key Characteristics or Criteria for Establishing Risk Tolerance

1. Aware
Risk appetite: Awareness of the concept of risk appetite within the CoJ Group Risk and Assurance Department.
Risk tolerance: A scoring system for assessing risk exposure has been defined and applied. A City wide risk exposure heat map is in place.

2. Defined
Risk appetite: The City's overarching risk appetite strategy and policy are defined as part of the CoJ Group Risk Management Strategy and Framework. Executive management sets strategic City objectives with board and Mayoral Committee oversight.
Risk tolerance: The City's risk tolerance policy and strategy are defined as part of the Risk Management Strategy and Framework. Identification, review and approval of appropriate key risk indicators (KRIs) and key performance indicators (KPIs) for the Top CoJ Wide Strategic Risks.

3. Managed
Risk appetite: Develop a risk appetite approach which includes:
o an overall risk appetite statement that is broad enough and descriptive enough for City departments and entities to manage their risks consistently within it;
o risk appetite for each major class of City objectives and for strategic and priority projects;
o risk appetite for different categories of risk.
City wide strategy and risk appetite statements are developed and defined. Risk appetite is developed at executive management level and proposed to MOE boards, the City Manager/Accounting Officer and the City's Mayoral Committee for approval. Once risk appetite is approved, it is communicated to all City departments and MOEs, including personnel and key stakeholders.
Risk tolerance: Analysis and assessment of the City's ability to physically and financially recover from significant risk events (at both department and MOE level). Management determines the level of tolerance around risks acceptable at department and MOE level in measuring the achievement of strategic and operational objectives, which should be endorsed by MOE boards, the City Manager and the City's Mayoral Committee. Risk tolerance is expressed in the same indicators as its related objectives. Risk tolerance thresholds are established for the Mayoral Priority Implementation Program and the City's Game Changers. Setting risk tolerance is a collective senior and executive management responsibility. Identification, review and approval of appropriate KRIs and KPIs related to the strategic risks of the City's core administration departments and MOEs. The risk tolerance levels set by the City are reflected in the CoJ group risk exposure rating scale used to assess the severity of risks.

4. Enabled
Risk appetite: Monitor and review risk appetite, which includes:
o once risk appetite is communicated, executive management, with MOE board and Mayoral Committee support, periodically revisits and enforces it;
o management monitors activities for consistency with risk appetite through a combination of ongoing monitoring and separate or independent evaluations;
o periodic review of risk appetite in relation to the City's strategic imperatives and changes in business model requirements.
Risk tolerance: In setting risk tolerance, management considers the relative importance of related objectives. Tolerance levels are supported by rigorous analysis and expert management judgement. Tolerance is established for individual material risks, as well as aggregate tolerance for particular categories of risk. Risk tolerance levels are revised as more reliable information becomes available.
9 CoJ RISK MATRIX
The City applies a 5 x 5 risk exposure scoring system, i.e. the twenty five (25) element model,
together with a risk dashboard, as this allows a more precise scoring approach. The risk exposure or
severity level is obtained by multiplying the risk impact rating by the risk likelihood rating.
Risks are rated on the basis of the likelihood of the event occurring and the impact that the event will have on the City's objective(s) should it occur:
a) Inherent rating: the risk is assessed to establish its level of exposure in the absence of the management controls currently in place;
b) Residual rating: the risk is assessed to establish its level of exposure after management's current / existing controls are considered;
c) Control effectiveness: management's current / existing controls are assessed for their effectiveness in addressing and reducing the identified risk exposure to an acceptable level.
9.1 RISK HEATMAP
Diagram 7: Risk Rating Matrix and Risk Exposure Dashboard
Rows are LIKELIHOOD (5 down to 1), columns are IMPACT (1 to 5); each cell is the exposure rating of likelihood x impact:
Likelihood 5 | LOW | MEDIUM | HIGH   | EXTREME | EXTREME
Likelihood 4 | LOW | MEDIUM | HIGH   | HIGH    | EXTREME
Likelihood 3 | LOW | MEDIUM | MEDIUM | HIGH    | HIGH
Likelihood 2 | LOW | LOW    | MEDIUM | MEDIUM  | MEDIUM
Likelihood 1 | LOW | LOW    | LOW    | LOW     | LOW
Impact       | 1   | 2      | 3      | 4       | 5
The dashboard also marks the risk tolerance band and the risk appetite line on this grid.
The areas of risk exceeding risk appetite require management's immediate attention in
reviewing and improving current controls and implementing adequate mitigating actions.
Inherent Risk = Potential Impact (Qualitative or Quantitative) x Likelihood of Occurrence
Residual Risk Exposure = Inherent Risk x (1 - Control Adequacy / Effectiveness)
9.2 Evaluation of Likelihood
Table 8: Scale for Evaluation of Risk Likelihood
Rating | Score | Description (incident history) | Probability
5 | Almost certain | Event has occurred repeatedly within the last year. | The event is certain to occur within this financial year.
4 | Likely | Event has occurred within the last financial year. | The event is likely to occur within this financial year.
3 | Possible | Event has been recorded within the organisation as well as within the sector in the last 2 years. | The event has a probability of occurring at some time in the next year.
2 | Unlikely | Very few recorded or known incidents have occurred within other organisations in the sector. | The event may occur at some time within the next 2 years.
1 | Rare | No recorded incidents or little opportunity for occurrence; no event recorded in the last 3 years. | The event may occur in exceptional circumstances.
9.3 Evaluation of Impact
Table 9: Scale for Evaluation of Risk Impact
Columns: Financial | Service Delivery | Reputation | Stakeholders / Human Capital | Systems | Environment

Severity 1 (Not significant)
Financial: Minimal direct loss or opportunity cost, less than 2% of budget.
Service Delivery: Negligible impact on achievement of monthly activities and objectives.
Reputation: Occasional complaints with no or insignificant impact; reputation intact.
Stakeholders / Human Capital: Minimal impact on stakeholder support; minor or very low staff attrition rate (<4%).
Systems: Key systems not operative for half a day.
Environment: Short term transient impact on environment or community; negligible action required.

Severity 2 (Minor)
Financial: Direct loss or opportunity cost of 2% to 5% of budget.
Service Delivery: Negative impact on achievement of quarterly service delivery targets and objectives, or minor performance reduction.
Reputation: Intra-sector knowledge of the incident, but no media attention.
Stakeholders / Human Capital: Marginal decrease in stakeholder support; staff attrition (<10%) on an annual basis.
Systems: Key systems not operative for less than 24 hours.
Environment: Medium term, immaterial effect on environment.

Severity 3 (Moderate)
Financial: Event would have a serious financial impact (> 4-6% on budget/income or > R00000*) on either income or budget; loss of creditworthiness in more than 1 year.
Service Delivery: Negative impact on achievement of targets in more than 1 year; service delivery disruptions in more than 1 year.
Reputation: Credibility and/or investors lost within 2 years; adverse national media coverage (national TV headlines) and loss of service in more than 1 year.
Stakeholders / Human Capital: Community complaints voiced privately; key skilled staff lost (>10% <25%) in 1 year.
Systems: Key systems not operative for 1 day.
Environment: Measurable environmental harm caused; medium term recovery.

Severity 4 (Major)
Financial: Event would have a very serious financial impact (> 8% on budget/income or > R00000*) on either income or budget; loss of creditworthiness in 1 year.
Service Delivery: Negative impact on achievement of targets within 1 year; service delivery disruptions in 1 year; qualified annual external audit report every year.
Reputation: Credibility and/or investors lost in more than 1 year; adverse national media coverage (national TV headlines) and loss of service > 1 year.
Stakeholders / Human Capital: Medium term public impact with minor political implications; certain key executives and/or key employees and skills (>25% <50%) are lost > 1 year.
Systems: Key systems not operative for 2 days.
Environment: Harm to environment and community health and living standards in more than 1 year.

Severity 5 (Critical)
Financial: Event would have a catastrophic financial impact (> 15 to 25% on budget/income or > R00000*) on either income or budget; loss of creditworthiness in > 1 year.
Service Delivery: Negative impact on achievement of targets in > 1 year; service delivery disruptions in > 1 year; qualified annual external audit report every year.
Reputation: Credibility and/or investors lost > 1 year; stakeholder relations lost > 1 year; adverse national media coverage (national TV headlines) and loss of service > 1 month.
Stakeholders / Human Capital: Employees may have suffered fatalities; event may have resulted in staff loss causing catastrophic consequences; loss of key personnel and skills (50% or more) in 1 year.
Systems: Key systems not operative for 3-5 days.
Environment: Harm to environment and community health and living standards in > 1 year.
9.4 Interpretation of Risk Exposure Levels
The interpretation of the various risk exposure levels and the general risk management approach
in relation to each risk exposure level is set out in the table below:
Table 10: Interpretation of Risk Exposure Levels
Exposure | Rating (score) | Assessment | Action Required
Extreme | 18 - 25 | Unacceptable | Requires immediate attention from management on implementation of corrective measures
High | 12 - 16 | Unacceptable | Implementation of improvement opportunities and validation of current controls
Medium | 6 - 10 | Acceptable with caution | Evaluation and improvement of current controls
Low | 1 - 5 | Acceptable | Validation and optimisation of controls
9.5 Assessment of Control Effectiveness
The table below is used to assist management in assessing the perceived effectiveness
of controls in mitigating or reducing the impact or likelihood of specific risks.
Table 11: Control Effectiveness
Effectiveness | Factor | Qualification Criteria
Poor | 1 | Control fails to address the risk and is not documented or fully in operation.
Fair | 2 | Control addresses the risk, at least partly, but documentation and/or operation could be improved. These control measures are for reduction and mitigation; they are intended to reduce the severity (consequences) of incidents.
Good | 3 | Control addresses the risk, but documentation and/or operation of the control could be improved. These control measures are for prevention and are intended to remove certain causes of incidents, reduce their likelihood or prevent the occurrence of the risk.
Excellent | 4 | Control eliminates the root causes of the risk, addresses the risk, is officially documented and in operation.
10. CITY RISK UNIVERSE
Due to the nature and extent of the City's business operations, the City's risk universe is diverse, dynamic and multi-faceted. An overview of the City's Risk Universe is depicted in Diagram 8.
Diagram 8: City Risk Universe
CITY RISK UNIVERSE
JOBURG GROWTH AND DEVELOPMENT STRATEGY 2040 OUTPUTS AND OUTCOMES
CITY OVERSIGHT STRUCTURES
CITY FIVE YEAR INTEGRATED DEVELOPMENT PLAN (IDP)
MAYORAL GAME CHANGER AND FLAGSHIP PROGRAM
Game Changer: Communication and Stakeholder Management Programme of Action
Flagship Programme: Corridors of Freedom
Flagship Programme: Jozi@Work
Flagship Programme: Green and Blue
Economy
Flagship Programme: Smart City
Mayoral Priority Implementation Plans
Financial Sustainability and Resilience
Safer Cities
Engaged Active Citizenry
Resource Sustainability
Investment Attraction, Retention and Expansion
Agriculture and
Food Security
City Service Delivery and Functional Areas
Sustainable Services:
Development Planning
Water and Electricity
Rates and Taxes
Waste Removal
Housing Development
Environmental Services
Infrastructure Development
Social Housing
Community Development
Economic Growth:
Economic Development
Transport
Roads Infrastructure
Fresh Produce Market
Metro Bus
Property Management
Human and Social Development:
Health Services
Social Development
Traffic Management
By-Law Compliance
Licensing Prosecution and Courts
Emergency Management Services
City Theatres
City Parks and Zoo
Administration and Governance:
City Billing and Revenue Collection
Customer Relations and Urban Management
Group Strategy Policy Coordination and Relations
Corporate Shared Services
Group Communications
Group Legal and Contracts
Group Risk and Assurance Services
Office of the City Manager
Public Office of the Executive Mayor
Speaker’s Office
STRATEGIC AREAS OPERATIONAL AREAS
REPORTING AREAS COMPLIANCE AREAS
Stakeholder Management:
National Government
Provincial Government
City Citizens and Communities
Customers
Process:
Revenue and Collection Management
Cash Management
Supply Chain Management
Service Delivery
Change Management
Project Management
Periodic Management Reporting:
Operational and Strategic Management Reporting
Actual Versus Budgeted Income and Expenditure Financial Reporting
Project Management Reporting
Legislative and Regulatory Compliance:
Regulatory Compliance Management
Local Government Legislative Obligations and Oversight
External Factors:
Political Environment
Natural Environment
Economic Environment
Socio-Economic Environment
Personnel and Culture:
Human Capital Capacity
Training and Development
Occupational Health and Safety
Combined Assurance Reporting:
Risk Management Reports
Compliance Management Reports
Internal Audit Reports
Security and Investigation Reports
Legal:
Investigations of Fraud and Corruption
Contract Management
Litigation Claim Management
Governance:
Strategic Planning
Business Continuity
Reputation Management
Policy and Frameworks
Combined Assurance
Monitoring and Oversight
Financial:
City Funding
Centralised Financial Management
Credit and Liquidity
Interest Rates
Insurance Portfolio
Statutory Reporting:
Audited Annual Financial Statements
Oversight Committee Reports
Annual Report
Information Communication and Technology:
Systems
Information Management
Knowledge Management
Physical Assets:
City Infrastructure
City Vehicles
Other City Assets
10.1 Key Risk Indicators
Key Risk Indicators (KRIs) are early warning signals, or 'red flags', established to alert the City Manager, the Executives and Management to possible threats to the City, so that they can proactively address those threats before they materialise. KRIs are fundamental components of a risk and control framework and of sound risk management practice. They are identified as part of the risk identification process and provide a measurement mechanism that raises the alarm before a risk actually materialises.
In contrast to Key Performance Areas (KPAs), KRIs are metrics capable of highlighting the probability of exposure to a risk that may exceed the City's defined risk appetite or tolerance. The constant measurement and monitoring of KRIs provides value to the City in a variety of ways and brings the following benefits:
Risk Appetite: KRIs require the determination of appropriate thresholds for action at different
levels within the City;
Risk and Opportunity Identification: KRIs are designed to alert management to trends that
may adversely affect the achievement of City objectives, or may indicate the presence of new
opportunities;
Risk Treatment: KRIs initiate action to mitigate developing risks by serving as triggering
mechanisms for business units charged with monitoring particular KRIs;
Risk Reporting: By design, KRIs provide measurable data conducive for aggregation.
Relevant risk intelligence summary reports are promptly communicated to appropriate senior
or executive managers and MOE boards and City committees with oversight responsibilities.
The City's Mayoral Game Changer, Flagship Programmes and Priority Implementation Plans, core administration departments, support services and group departments each have unique strategic objectives and operational requirements, and KRIs are therefore developed for each of these areas of the City's business. The core elements of well-designed City KRIs are summarised below:
Based on established practices and benchmarks;
Developed consistently across the City;
Selected indicators drill down to the root cause of the events;
Provide an unambiguous and intuitive view of the highlighted risk;
Identification and implementation of appropriate and cost effective detective controls;
Allow for measurable comparisons across time and business units;
Provide opportunities to assess the performance of risk owners; and
Determine notification methods, recipients and action or response sequences
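As an added illustration, not part of the framework document or of any City tooling, the Python below puts the Table 10 exposure bands of section 9.4 and the KRI thresholds, trends and notification sequences of section 10.1 into working form: it rates a risk from its likelihood and impact, evaluates sample indicators against a warning and an action threshold plus an adverse-trend window, and orders the resulting alerts for reporting. Only the exposure bands and their actions come from the framework; the indicator names, thresholds, business units, recipients and quarterly observations are constructed assumptions.

```python
"""KRI monitor built on the framework's Table 10 exposure bands (added example).

Assumptions, not taken from the framework: the two-threshold KRI structure, the
recipient lists, and all sample indicators and observations below.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Table 10: exposure score = likelihood x impact (each rated 1..5), mapped to a band.
EXPOSURE_BANDS = (
    (18, 25, "Extreme", "Unacceptable",
     "Immediate attention from management on corrective measures"),
    (12, 16, "High", "Unacceptable",
     "Implement improvement opportunities and validate current controls"),
    (6, 10, "Medium", "Acceptable with caution",
     "Evaluate and improve current controls"),
    (1, 5, "Low", "Acceptable", "Validate and optimise controls"),
)


def exposure_rating(likelihood: int, impact: int) -> Tuple[int, str, str, str]:
    """Return (score, rating, assessment, action) per Table 10.

    Every product of two integers in 1..5 falls inside one of the bands, so the
    unused values 11 and 17 between the bands are never reached.
    """
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be rated 1..5")
    score = likelihood * impact
    for lo, hi, rating, assessment, action in EXPOSURE_BANDS:
        if lo <= score <= hi:
            return score, rating, assessment, action
    raise AssertionError(f"score {score} not covered by Table 10")  # unreachable


@dataclass(frozen=True)
class KRI:
    """A key risk indicator with two escalation thresholds (assumed structure)."""
    name: str
    business_unit: str
    warning: float              # first threshold: risk owner reviews the trend
    action: float               # second threshold: triggers risk treatment
    higher_is_worse: bool = True
    likelihood: int = 3         # ratings of the risk the KRI watches
    impact: int = 3


@dataclass(frozen=True)
class Alert:
    kri: str
    business_unit: str
    level: str                  # "none", "warning" or "action"
    latest: float
    adverse_trend: bool         # moved the wrong way every period in the window
    exposure: str               # Table 10 rating of the underlying risk
    recipients: Tuple[str, ...]


# Notification sequence per level (assumed recipients).
RECIPIENTS = {
    "none": (),
    "warning": ("Risk owner",),
    "action": ("Risk owner", "Executive Director", "GRAS Risk Advisory Services"),
}


def breach_level(kri: KRI, value: float) -> str:
    """Compare one observation against the KRI's thresholds."""
    worse = (lambda a, b: a >= b) if kri.higher_is_worse else (lambda a, b: a <= b)
    if worse(value, kri.action):
        return "action"
    if worse(value, kri.warning):
        return "warning"
    return "none"


def evaluate(kri: KRI, series: Sequence[Tuple[str, float]], window: int = 3) -> Alert:
    """Evaluate a KRI over a time series of (period, value) pairs, oldest first.

    The trend flag is raised when the last `window` observations all moved in the
    adverse direction, even if no threshold is breached yet; that is the early
    warning the framework expects a KRI to give.
    """
    values = [v for _, v in series]
    latest = values[-1]
    recent = values[-window:]
    steps = list(zip(recent, recent[1:]))
    if kri.higher_is_worse:
        adverse = len(recent) == window and all(b > a for a, b in steps)
    else:
        adverse = len(recent) == window and all(b < a for a, b in steps)
    level = breach_level(kri, latest)
    _, rating, _, _ = exposure_rating(kri.likelihood, kri.impact)
    return Alert(kri.name, kri.business_unit, level, latest, adverse, rating, RECIPIENTS[level])


def prioritise(alerts: List[Alert]) -> List[Alert]:
    """Order alerts for reporting: breached level, then exposure band, then trend."""
    level_order = {"action": 0, "warning": 1, "none": 2}
    band_order = {"Extreme": 0, "High": 1, "Medium": 2, "Low": 3}
    return sorted(alerts, key=lambda a: (level_order[a.level], band_order[a.exposure],
                                         not a.adverse_trend))


# Constructed sample data (assumed, not City figures).
SAMPLE_KRIS = [
    KRI("Unpatched critical servers (count)", "ICT", warning=5, action=10,
        likelihood=4, impact=4),
    KRI("Billing system availability (%)", "Revenue", warning=99.0, action=97.0,
        higher_is_worse=False, likelihood=3, impact=5),
    KRI("Vacant critical posts (%)", "Corporate Shared Services", warning=10, action=25,
        likelihood=3, impact=3),
]
SAMPLE_SERIES = {
    "Unpatched critical servers (count)": [("Q1", 2), ("Q2", 3), ("Q3", 6)],
    "Billing system availability (%)": [("Q1", 99.8), ("Q2", 99.5), ("Q3", 96.4)],
    "Vacant critical posts (%)": [("Q1", 12), ("Q2", 9), ("Q3", 8)],
}


def run_sample() -> List[Alert]:
    """Evaluate every sample KRI and return the prioritised alert list."""
    return prioritise([evaluate(k, SAMPLE_SERIES[k.name]) for k in SAMPLE_KRIS])


if __name__ == "__main__":
    for a in run_sample():
        who = ", ".join(a.recipients) or "no notification"
        print(f"{a.level:7} {a.exposure:7} trend={a.adverse_trend} "
              f"{a.business_unit}: {a.kri} = {a.latest} -> {who}")
```

The unpatched-server indicator shows the point of the trend window: it has only crossed the warning threshold, but three consecutive adverse moves already mark it for review, so the risk owner sees it before the action threshold is reached.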
11. INFORMATION & COMMUNICATION TECHNOLOGY RISK ASSESSMENT
The City's information and communication technology (ICT) risk assessment framework is based on the ISACA Risk IT principles and risk assessment framework, further developed into a comprehensive ICT risk process model. The model is also aligned with the COBIT and Val IT standards, and groups the key ICT risk management activities into three domains.
In addition, substantial guidance is provided on the key activities within each process, the responsibilities for the process, the information flows between processes and the performance management of the process.
The three domains of the City's ICT risk assessment framework are:
Risk Governance;
Risk Evaluation; and
Risk Response.
Each domain contains three processes, as depicted in Diagram 9.
Diagram 9: Risk Assessment Framework
(Figure; recoverable labels: Business Objectives, Communication, and the three domains with their processes and purposes below.)
Risk Governance: ensure that ICT risk management practices are embedded in the City, enabling it to secure an optimal risk return. Processes: Establish and Maintain a Common Risk View; Integrate with ERM; Make Risk-Aware Business Decisions.
Risk Evaluation: ensure that IT-related risks and opportunities are identified, analysed and presented in business terms. Processes: Collect Data; Analyse Risk; Maintain Risk Profile.
Risk Response: ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities. Processes: Articulate Risk; Manage Risk; React to Events.
11.1. Risk Governance Domain
Risks accompany change and are often accompanied by potential benefits and opportunities. ICT risk governance therefore implies a process that enables the City to benefit from both business and ICT changes while minimising the negative consequences of the associated risks.
A summary of the City's ICT risk governance processes, sub-processes and process outcomes is provided in the table below:
Table 12: ICT Risk Governance Processes
Process: Establish and Maintain a Common Risk View
Sub-processes: Perform enterprise risk assessment; Propose risk tolerance thresholds; Approve risk tolerance; Align ICT risk policy; Promote an ICT risk-aware culture; Encourage effective communication of ICT risk.
Process outcomes: City Risk Assessment; Risk Appetite and Tolerance; Alignment to Risk Policy; ICT Risk Culture; Effective ICT Risk Communication.
Process: Integrate with ERM
Sub-processes: Establish and maintain accountability for ICT risk management; Co-ordinate ICT risk strategy and business risk strategy; Adapt ICT risk practices to enterprise risk practices; Provide adequate resources for ICT risk management; Provide independent assurance over ICT risk management.
Process outcomes: ICT Risk Management Accountability; ICT Risk Strategy and Business Strategy Alignment; ICT Risk Strategy and City Risk Strategy Alignment; ICT Resource Management; Independent Assurance.
Process: Make Risk-Aware Business Decisions
Sub-processes: Gain management buy-in for the ICT risk analysis; Approve ICT risk analysis; Embed ICT risk considerations in strategic business decision making; Accept ICT risk; Prioritise ICT risk response activities.
Process outcomes: Management Buy-in; ICT Response Prioritisation.
11.2. Risk Response Domain
The risk response domain covers the steps taken or procedures implemented upon discovery of an unacceptably high degree of exposure to one or more ICT risks. The purpose is to bring risk in line with the City's defined risk appetite after risk analysis. In other words, a response is defined such that the future residual risk (the current risk once the response is defined and implemented) is, as far as possible and usually depending on the budget available, within the risk tolerance limits.
A summary of the City's ICT risk response processes, sub-processes and process outcomes is provided in the table below:
Table 13: ICT Risk Response Processes
Process: Articulate Risk
Sub-processes: Communicate ICT risk analysis results; Report ICT risk management activities and state of compliance; Interpret independent ICT assessment findings; Identify ICT-related opportunities.
Process outcomes: ICT Risk Analysis Results Communication; State of Compliance Reporting and Interpretation of Findings.
Process: Manage Risk
Sub-processes: Inventory controls; Monitor operational alignment with risk tolerance thresholds; Respond to discovered risk exposure and opportunity; Implement controls; Report ICT risk action plan progress.
Process outcomes: Inventory Controls and Implementation; ICT Risk Action Plan Progress Reporting.
Process: React to Events
Sub-processes: Maintain incident response plans; Monitor ICT risk; Initiate incident response; Communicate lessons learned from risk events.
Process outcomes: Incident Response Plan; ICT Risk Monitoring.
11.3. Risk Evaluation Domain
Risk evaluation is the process of determining ICT risk management priorities by establishing qualitative and/or quantitative relationships between benefits and the associated risks.
A summary of the City's ICT risk evaluation processes, sub-processes and process outcomes is provided in the table below:
Table 14: ICT Risk Evaluation Processes
Process: Collect Data
Sub-processes: Establish and maintain a model for data collection; Collect data on the operating environment; Collect data on risk events; Identify risk factors.
Process outcomes: Data Collection Model.
Process: Analyse Risk
Sub-processes: Define ICT risk analysis scope; Estimate ICT risk; Identify risk response options; Perform a peer review of ICT risk analysis.
Process outcomes: ICT Risk Analysis Scope Definition; Risk Response Options (Risk Avoidance; Risk Reduction/Mitigation; Risk Sharing/Transfer; Risk Acceptance); ICT Risk Analysis Peer Review.
Process: Maintain Risk Profile
Sub-processes: Map ICT resources to business processes; Determine business criticality of ICT resources; Understand ICT capabilities; Update ICT risk scenario components; Maintain the ICT risk register; Maintain the ICT risk map; Develop ICT risk indicators.
Process outcomes: ICT Resources Mapping; ICT Risk Scenarios; ICT Risk Register Maintenance; ICT Risk Map; Key ICT Risk Indicators.
12. GROUP COMBINED ASSURANCE
The risk management monitoring and reporting process is coordinated with the Group Combined Assurance Plan. This plan clearly indicates the parties responsible for providing periodic assurance to the City's Executive Management Team, the Group Risk and Governance Committee, the Group Audit Committee and the Mayoral Committee on the management of significant, material and emerging risk areas within the City. Consistent with leading practice and the Group Combined Assurance Framework, the parties included within this plan are set out below:
Executives and Management city wide;
Group Internal Audit Services Unit;
Internal audit functions;
Group Risk Advisory Services Unit;
Group Compliance Advisory and Assurance Services;
Group Combined Assurance and Business Process Improvement Services;
Office of the Auditor-General; and
Other appropriate external service providers.
The combined assurance plan should clearly indicate the key risk areas and the frequency with which each assurance provider provides assurance.
12. LEGISLATIVE AND REGULATORY FRAMEWORK
This Framework is developed on the basis of the following legislative and regulatory frameworks and leading practice risk management principles, standards and codes:
12.1. Primary Legislative and Regulatory Provisions
Municipal Finance Management Act No 56 of 2003
Municipal Systems Act No 32 of 2000, as amended
Companies Act No 71 of 2008, as amended
Anti-Corruption legislation
12.2. Public Sector and Leading Practice Principles Standards and Codes
National Treasury: Public Sector Risk Management Framework: April 2010
COSO Enterprise Risk Management - Integrated Framework 2004
COSO Strengthening Enterprise Risk Management for Strategic Advantage 2009
COSO Developing Key Risk Indicators to Strengthen Enterprise Risk Management 2010
COSO Enterprise Risk Management – Understanding and Communicating Risk Appetite:
January 2012
ISO 31000:2009 Risk Management - Principles and Guidelines
ISO 22301 Business Continuity Management Systems
King III Code of Corporate Governance
ISACA COBIT Framework for the Governance and Management of Enterprise ICT
13. AUTHORITY AND APPROVAL
13.1. Ownership
Ownership of this GRM Framework vests with the Group Risk and Governance Committee, which in turn has delegated it to the GRAS Risk Advisory Services (RAS) Unit.
13.2. Approval
GRAS is responsible for the coordination, drafting and update of this GRM Framework, and will
submit this framework to the Group Risk and Governance Committee for review and approval.
13.3. Implementation
The GRAS RAS Unit is responsible for the implementation and roll-out of this GRM Framework across the City in accordance with the Group Risk Management Policy, and reports to the Accounting Officer and the Group Risk and Governance Committee on the status of implementation on a quarterly basis.
The Accounting Officers and Boards are responsible for adherence to and implementation of this GRM Framework in their respective departments and entities.
13.4. Review and Approval
This GRM Framework will be reviewed and approved annually, or earlier when necessitated by changes in legislation or in the requirements of the City's risk management landscape.
ANNEXURE A: GLOSSARY OF TERMS
External and Internal Factors A myriad of external and internal factors drive events that affect strategy implementation and
achievement of objectives. As part of enterprise risk management, management recognizes the
importance of understanding these external and internal factors and the type of events that can
emanate therefrom. External factors, along with examples of related events and their
implications, include:
Economic – Related events include goods and services price movements, capital availability, and the sovereign economic ratings of South Africa and the City of Johannesburg, resulting in, for example, a higher or lower cost of capital and new competition from other African or Southern African cities.
Natural environment – Events include flood, fire or earthquake, resulting in loss of or damage to the City's infrastructure, restricted access to offices and buildings, or loss of human capital.
Political – Events include election of government officials with new political agendas, and new
laws and regulations, resulting in, for example, significant changes in the strategic priorities of
the City.
Social – Events include changing demographics, social mores, family structures, and work/life
priorities, and terrorism activity, resulting in changing or increasing demand for stakeholder
and community services, and related requirements.
Technological – Events include new means of electronic commerce, resulting in expanded
availability of data, reductions in infrastructure costs, and increased demand for technology-
based services.
Events also stem from choices management makes about how it will function. The City’s
capability and capacity reflect previous choices, influence future events, and affect management
decisions. Internal factors, along with examples of related events and the implications, include:
Infrastructure – Events include the level of capital allocation to flagship and priority infrastructure programmes for the improvement of the City's infrastructure, and the level of capital allocation for preventive maintenance of City infrastructure and equipment, which reduces infrastructure and equipment downtime and improves service delivery to stakeholders and customers.
Personnel – Events include workplace accidents, fraudulent activities, and expiration of labour
agreements, resulting in loss of available skills and personnel, monetary or reputational
damage, and loss of employee productivity.
Process – Events include process modification without adequate change management
protocols, process execution errors, and outsourcing customer services without adequate
oversight, resulting in service delivery inefficiency, and customer dissatisfaction.
Technology – Events include decreasing resources to handle volume volatility, security
breaches, and potential systems downtime, resulting in customer and service delivery
backlog, fraudulent transactions, and inability to continue business operations.
Identifying the external and internal factors that influence events is useful for effective event identification. Once the major contributing factors are identified, management considers their significance and focuses on the events that affect the achievement of objectives.
Table 15: External Risk Categories
No Risk Category Explanation of Risk Category
1. Natural Environment Risk
Risks arising from the City’s natural environment and its impact on normal operations e.g. degradation of the environment, pollution, etc.
2. Economical and Market Risk
Risks relating to the City’s economic environment such as sudden increases in unemployment and changes in the wage rates, or inflation and interest rates etc.
3. Socio-Economic Environment Risk
Risks relating to the City’s social environment such as major demographic and social trends, level of citizen engagement, unemployment rates, migration of workers, inadequate community upliftment etc.
4. Technology Risk Risks arising from the effects of advancements and changes in technology e.g. changes in ICT environment.
5. Legislative Environment Risk
Risks relating to the City’s legislative environment e.g. significant changes in legislation etc.
Table 16: Internal Risk Categories
No Risk Category Explanation of Risk Category
1. Strategic Risk Risks that have a bearing on the strategic decision making, direction, goals, mandates, priorities and key objectives of the City as a whole. These risks have an adverse effect on business continuity and may include, inter alia, plans failing, poor corporate strategy, and adverse political and regulatory changes.
2. Stakeholder Management Risk
Risk of inadequate consultation and communication with key City stakeholders in relation to the City's strategic decision making, and the planning and implementation of mayoral priority and flagship programmes.
3. Service Delivery Risk Risk of the City’s service delivery to customers and stakeholders not meeting required standards or expectations.
4. Regulatory Risk Risks arising from failure to implement regulatory compliance requirements as per the MFMA, MSA, Treasury Regulations, supply chain management regulations and other applicable legislative requirements.
5. Governance Risk Failure to comply with leading practice corporate governance processes as per King III Code of Corporate Governance. Corporate governance is defined as a system by which City is directed and controlled.
6. Operational or Process Risk
Risk of direct or indirect losses resulting from internal processes and procedures, inadequate systems or methodologies, human errors or omissions, design errors, unsafe behaviour, sabotage and the actual activities undertaken by the City.
7. Financial Risk Risk that the City does not have sufficient funds available to timeously fulfil its cash flow obligations. These risks could encompass non-existence of essential and adequate financial controls, and non-compliance with relevant Treasury Regulations.
8. Reputation Risk Risks that have a negative impact on the good name, public perception, image and credibility of the City.
9. Human Capital or Intellectual Capital Risk
Risks arising from the actions or non-actions of employees, intentional or unintentional, human resource administration, employee relations etc.
Risk of the City failing to meet its mandate and/or objectives due to lack of critical skills capacity, loss of key executives, or retention of acquired intellectual capital.
10. Asset Loss Risk Risks arising from damage to or theft of the City’s assets and infrastructure.
11. Management Information Risk
Risks relating to the City’s management information and reporting.
12. Information and Communication Technology (ICT) Risk
Risks arising from the City's ICT infrastructure and operations, including information security.
13. Project Risk Risks of projects not meeting key objectives, timeframes or agreed outputs, or exceeding project budgets.
14. Legal/Litigation Risk Risks arising from violation of laws, regulations or agreements/contracts and those that may give rise to legal liability.
Risks of potential financial loss or reputational damage caused as a result of failure to protect vested rights or obligations or abide by legal obligations and/or requirements.
15. Occupational Health and Safety Risk
Risks that have a negative impact on the health and safety of the City’s employees, customers, contractors and citizens arising from non-compliance with the Occupational Health and Safety Act.
16. Fraud and Corruption Risk
Risks relating to illegal or improper acts by employees and third parties resulting in a loss of City assets or resources.
17. Business Continuity Risk
Risks related to the City’s preparedness or the absence thereof to deal with disasters and interruptions that could impact the normal functioning of the City.
An explanation of the terms used within this document is provided below:
No Term Definition or Explanation of Term
1. Assurance Assurance is an objective examination of evidence for the purpose of providing an assessment on governance, risk management and control processes for the City.
2. City Wide Top Strategic Risks
The City's strategic risks identified at organisational level (City wide), which should be managed and reported on by Senior Management on a regular basis, i.e. quarterly and annually.
3. Combined Assurance Combined assurance refers to the integration and aligning of assurance processes in the institution to maximise risk and governance oversight and control efficiencies, thereby optimising overall assurance.
4. Governance The combination of processes and structures implemented by the City to inform, direct, manage and monitor its activities toward the achievement of its objectives.
5. Inherent Risk This means the risk exposure in the absence of management interventions (existing controls).
6. Residual Risk This means the remaining exposure of risk after taking into account management interventions (controls in place).
7. Internal Controls Processes for assuring the achievement of the City's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. Controls are the means by which the City's resources are allocated, monitored, measured and utilised towards the achievement of objectives, resulting in effective service delivery.
8. Key Risks Risks impacting on the outcomes of Mayoral priorities.
9. Management Includes employees of the City of Johannesburg who control or direct any directorate, department, unit, division, process or resources of the City.
10. Process A set of activities designed by Council, the Mayoral Committee and management within the City in order to achieve the City's mandate.
11. Risk The probability of uncertain future events or threats that could have a negative impact on the achievement of objectives.
12. Risk Appetite The amount of risk, on a broad level, that the City is willing to accept in pursuit of value.
13. Risk Tolerance The extent of risk exposure that the City is willing to accept.
14. Risk Assessment A process undertaken by management to identify, analyse and evaluate risks, considering their likelihood and impact, as a basis for determining how each risk should be managed and reduced to an acceptable level.
15. Risk Impact The consequences of a risk occurring.
16. Likelihood The probability of a risk occurring.
17. Risk Management A continuous, proactive and systematic process, effected by Council, the Mayoral Committee, the Accounting Officer, management and other personnel, applied in strategic planning and across the City, designed to identify risks and to manage those risks, to the extent necessary and possible, to provide reasonable assurance regarding the achievement of the City's objectives.
18. Risk Owner Accountable for ensuring the proper management and control of all aspects of the risks identified. The Risk Owner has responsibility over the Action Owner in ensuring that mitigating plans are effectively and sufficiently implemented and that risks are reviewed periodically.
19. Action Owner A delegated role responsible for taking action in relation to a specific risk. The Action Owner's responsibility is to implement mitigating plans effectively and to keep the Risk Owner apprised of progress.
20. Risk Rating The risk exposure classification (extreme, high, medium or low, as set out in Table 10) allocated to a risk, based on its probability of occurrence and potential impact on the City.
21. Risk Register A tool for capturing each risk or exposure, its likelihood of occurrence, potential impact and rating, how the risk is currently being controlled, and any additional risk mitigation measures required for the effective management of each risk identified.
22. Strategic Goals and Objectives High-level City goals and objectives that are aligned with and support its mission and vision.
23. Risk Monitoring The process of tracking identified risks, monitoring residual risks, identifying new risks, executing risk response plans and evaluating their effectiveness on a quarterly basis. It is necessary to review, monitor and report on the action plans developed and on the progress being made in managing the identified risks.
_________________________
Ms. SINAYE NXUMALO
EXECUTIVE DIRECTOR: GROUP RISK & ADVISORY SERVICES
DATE:

____________________________
Mr. J. MAKORO
CHAIRPERSON: GROUP RISK & GOVERNANCE COMMITTEE
DATE:

__________________________
Mr. TREVOR FOWLER
CITY MANAGER, CITY OF JOHANNESBURG METROPOLITAN MUNICIPALITY
DATE: