
Page 1: Integrated Risk Management 32-391

TR/formatted 14.07.09/voting 15.07.09/authorisation 31 July 2009/published 19.08.09

Standard

Unique Identifier: 32-391

Document Type: EST

Revision: 2

Total pages: 36

Revision date: February 2010

Title: Integrated Risk Management Framework and Standards

Classification: PUBLIC

Content Page

IRM POLICY STATEMENT ... 3
1 INTRODUCTION ... 4
2 SUPPORTING CLAUSES ... 4
2.1 Scope ... 4
2.2 Normative / Informative References ... 4
3 IRM FRAMEWORK ... 7
3.1 Commitment and Mandate ... 7
3.2 Communication and Training ... 8
3.3 Structure, Allocation of Roles and Accountability ... 8
3.4 Monitor and Review ... 10
4 INTEGRATED RISK MANAGEMENT PROCESS ... 11
4.1 Communication and Consultation ... 11
4.2 Establishing Context ... 11
4.3 Risk Identification ... 12
4.4 Risk Analysis ... 12
4.5 Risk Evaluation ... 12
4.6 Risk Treatment ... 13
4.7 Monitor and Review ... 13
5 IRM STANDARDS ... 14
5.1 Standard 1: Managing Strategy Risks ... 14
5.2 Standard 2: Managing the Risks Associated with Changes ... 15
5.3 Standard 3: Project Risk Management ... 17
5.4 Standard 4: Assurance of Critical Controls ... 18
5.5 Standard 5: Learning from Successes and Failures ... 19
5.6 Standard 6: Analysing Risk ... 20
5.7 Standard 7: Evaluating Risk ... 27
5.8 Standard 8: Treating Risks ... 28

Page 2: Integrated Risk Management 32-391

Integrated Risk Management Unique Identifier 32-391 Policy and Standards Revision: Rev. 2 Page: 2 of 36

PUBLIC. When downloaded from the EDC website, this document is uncontrolled and the responsibility rests with the user to ensure it is in line with the authorised version on the website. Note: This document has not been through the EDC processes prior to authorisation.

5.9 Standard 9: Planning and Recording Risk Management ... 29
5.10 Standard 10: Monitoring and Reporting Risk Management ... 31
5.11 Key IRM Definitions ... 32
5.12 Abbreviations ... 34
5.13 Roles and Responsibilities ... 35
5.14 Reporting ... 35
5.16 Revisions ... 36
5.17 Development team ... 36

Page 3: Integrated Risk Management 32-391


IRM Policy Statement

The effective management of risk is central to the achievement of Eskom’s vision of together, building the power-base for sustainable growth and development in South Africa.

By understanding and managing risk we can provide greater certainty and security for our employees, our customers and all our stakeholders. We will be better informed, more decisive and move with increased confidence to achieve our vision of creating a foundation for South Africa’s competitive position which is sustainable from an economic, environmental and social perspective.

Throughout Eskom we will adopt a structured approach to risk management, using consistent approaches to the assessment and treatment of all types of risk, at all levels and for all activities in the company. Our aim is for risk management to become embedded into all our critical business processes so that, before events occur that might affect our achieving our objectives, we identify the risks and manage them in a consistent, proactive way. Similarly, after events occur, we will use systematic processes to learn the lessons about our successes and failures. In this way our company will drive operational excellence and organisational learning and growth.

Responsibility for the management of risk rests with line management in all Divisions and Projects. Those accountable for the management of risks are also accountable for ensuring that the necessary controls remain in place and are effective at all times. Control assurance will focus on improving our ability to manage risk effectively, so that we can quickly and confidently act on opportunities to improve and sustain the quality and continuity of supply, create value and achieve sustained growth.

The ultimate level of risk control will be balanced against our continued encouragement of enterprise and innovation. Assurance of good corporate governance will be achieved through the regular measurement, reporting and communication of risk management performance.

I will ensure that the necessary resources are available to ensure that these policies are satisfied.

The Executive Risk Management Committee will monitor and review the corporation's risk management system and performance (including compliance with Standards) and report this to the Board Risk Management Committee.

This policy is to be reviewed at least every two years.

Jacob Maroga, Chief Executive

November 2008

Page 4: Integrated Risk Management 32-391


1 Introduction

The effective management of risk is central to the continued growth and efficient management of Eskom. Our success is therefore largely measured by how successfully we manage risk.

Risk management involves achieving an appropriate balance between realising opportunities for gain and minimising adverse impacts. It is an integral part of good management practice and an essential element of good corporate governance. It is an iterative process consisting of steps that, when undertaken in sequence, enable continuous improvement in decision-making and facilitate continuous improvement in performance.

To be most effective, risk management should be part of our culture. It should be embedded into our operating philosophy, practices and business processes rather than be viewed or practiced as a separate activity. When this has been achieved, everyone in the organization will become involved in the management of our risks.

2 Supporting Clauses

2.1 Scope

These standards support Eskom’s Integrated Risk Management Policy and describe how we will adopt a structured approach to risk management, using consistent approaches to the assessment and treatment of all types of risk, at all levels and for all activities in the company.

2.1.1 Purpose

These standards, when complied with at all levels and for all activities in the company, will ensure a standard approach to Integrated Risk Management throughout and at all levels of the organisation.

2.1.2 Applicability

This standard shall apply throughout Eskom Holdings Limited, its divisions, subsidiaries and entities wherein Eskom has a controlling interest.

2.2 Normative / Informative References

Parties using this policy shall apply the most recent edition of the documents listed below:

2.2.1 Normative

ISO 31000 Risk Management - Principles and guidelines on implementation

EPL 32-86 Integrated Risk Management Policy

EGL 32-555 Risk Management Basics (Guideline 1.1)

EGL 32-556 Integrating Risk Management with Strategic Planning (Guideline 1.2)

EGL 32-557 Risk Assessment – General (Guideline 2.1)

EGL 32-558 Procurement Risk Management (Guideline 2.2)

EGL 32-559 Project Risk Management (Guideline 3.1)

EGL 32-560 Control self assessment (Guideline 4.1)

EGL 32-561 Internal Audit Planning (Guideline 4.2)

EGL 32-562 Root cause analysis (Guideline 5.1)

EGL 32-563 Organisational learning (Guideline 5.2)

EGL 32-564 Project evaluation and investment return range analysis (Guideline 6.1)

Page 5: Integrated Risk Management 32-391


EGL 32-565 Project evaluation - budget range analysis (Guideline 6.2)

EGL 32-566 Project evaluation - schedule range analysis (Guideline 6.3)

EGL 32-567 Cost benefit analysis (Guideline 7.1)

EGL 32-568 Risk Based Procedure development (Guideline 8.1)

EGL 32-569 Business continuity management (Guideline 8.2)

EGL 32-570 Insurance (Guideline 8.3)

EGL 32-571 Risk Management Planning (Guideline 9.1)

EGL 32-572 The Cura Risk Management Information System (Guideline 9.2)

EGL 32-573 Risk Management Performance management (Guideline 10.1)

EGL 32-574 Reporting and Escalation (Guideline 10.2)

EGL 32-575 Risk Management Maturity Evaluation (Guideline 10.3)

2.2.2 Informative

ISO 9001 Quality Management Systems

King II Report on Corporate Governance for South Africa (2002)

ISO/IEC Guide 73 Vocabulary for Risk Management

The Integrated Risk Management website will provide details of the documentation, frameworks, guidelines and advice available. This site can be found on the Eskom Intranet under the Corporate Services Division website.

Page 6: Integrated Risk Management 32-391


Figure 1: IRM documentation architecture

Page 7: Integrated Risk Management 32-391


3 IRM Framework

The IRM Framework is illustrated graphically in Figure 2 below:

Figure 2: Diagram of IRM Framework

3.1 Commitment and Mandate

The policy statement shown on Page 3 of this document establishes the mandate from the Chief Executive and provides an externally reviewable statement of commitment.

Divisions and Projects will progressively drive down the adoption of risk management processes and compliance with the Eskom IRM Standards, from the top to the bottom of their organisations. Detailed risk management plans for the implementation of the standards will be submitted annually to the ExCo Risk Management Committee for approval and endorsement. Divisions and Projects will measure and report their progress against these plans.

Controls will be allocated to ‘owners’ as part of risk assessment – either during the initial baseline assessment or as part of any subsequent ‘change driven’ risk assessment. Using the Cura risk management information system, Divisions and Projects will track and monitor the allocation and the checking of controls.

The Eskom Assurance and Forensics Department has the role of providing assurance that the IRM standards are being complied with. Internal auditors will also monitor and annually evaluate the effectiveness of Eskom Holdings' risk management framework.

The risk management framework is supported by a series of over-arching Standards (detailed in Section 5) that lay down the principles and performance criteria for the way Eskom and its Divisions and Projects will effect risk management in the future. Compliance with these Standards is mandatory in all Divisions and Projects, including for Eskom Holdings Corporate.

Page 8: Integrated Risk Management 32-391

The standards are supported by guidelines that give advice on best practice methods.

3.2 Communication and Training

Divisions and Projects will develop risk management communications plans, and the Cura risk management information system will be used, wherever possible, to satisfy reporting needs. Communication plans will be based on stakeholder analysis.

Training all staff, to an appropriate extent, in the risk management processes in Eskom is a major component of implementation. Divisions and Projects will have a training plan that covers:

• Awareness briefings – for all staff;

• Competency training and stewardship for IRM Champions – on the framework, standards and the Cura risk management information system;

• Skills enhancement for facilitators and IRM Champions, typically in risk assessment and root cause analysis;

• Line manager review – control assurance covering control design and control self assessment; and

• Periodic re-training and continuing professional development of IRM Champions and other risk management professionals.

All practitioners in Risk Management across Eskom will be part of a network to share learnings and mentor development. The network will meet formally as the Eskom Risk Management Working Group.

3.3 Structure, Allocation of Roles and Accountability

Named individuals are accountable for the monitoring and review of risks, for the assurance of controls and for the completion of risk treatment tasks. Risk owners are responsible for ensuring that the assessment of that risk is up to date and is properly recorded in risk registers. Control owners need to ensure that appropriate and periodic assurance takes place to check that the controls the organisation is relying on are in place, effective and cannot be cost-effectively improved. Task owners will have treatment actions to complete by an agreed date. Of course, these tasks can be delegated, but the accountable manager will remain fully responsible for their completion.

All staff are accountable for the ongoing assessment of risks associated with the need to manage changes (both internal and external).

Divisional and Project Managers are accountable for the completion and updating of their risk management plans and for ensuring that risk registers are up to date.

The oversight, governance, assurance and direction of IRM will be provided by a hierarchy of committees (as shown in Figure 3). The Board Risk Management Committee (BRMC) provides an independent and objective oversight of risk management within the Organisation. The ExCo Risk Management Committee (ERMC) steers IRM and its members are accountable for the performance of the framework. Beneath the ExCo Risk Management Committee is a Risk Management Working Group (RMWG) comprising the nominated IRM Champions from each Division and Corporate Functions. The convenor of the RMWG is the Manager, IRM. The RMWG is responsible for the day-to-day coordination of risk management activities and information sharing that occurs between Divisions.

Page 9: Integrated Risk Management 32-391


Figure 3: IRM Structures

The Group IRM Function reports to the Manager, Integrated Risk Management. It is not tasked with day-to-day risk management activities but may, by default, provide such a service to other corporate functions. Corporate IRM provides strategic direction and coordination of:

• Integrated Risk Management;

• Project Risk Management;

• Governance reporting.

Divisions and Projects will nominate IRM Champions who will be responsible for:

• Assisting Management in the implementation of the IRM Standards, Policy and Framework;

• Rolling out IRM in their Divisions through a top-down process of engagement;

• Conducting baseline risk assessments as part of the roll-out;

• Acting as custodian of the Risk Management plan;

• Taking the initiative to embed risk management processes into key business processes, including strategic and business plan development;

• Compiling Governance reports as required;

• Liaising with the Assurance and Forensics Department and other assurance providers;

• Maintaining and updating Division-level (and equivalent) risk registers, based on the consolidation and ‘rolling-up’ of subordinate Site and Function risk registers;

• Developing training plans as part of the roll-out and support for IRM;

• Coordinating the activity of other, subordinate risk management champions, if these are required;

• Embedding a risk management culture within the Division and Project.

Page 10: Integrated Risk Management 32-391


3.4 Monitor and Review

The IRM framework is largely self-regulating. Control assurance will be an embedded process, not reliant solely on the Assurance and Forensics Department. This department’s mandate will reflect its responsibility for the assurance of the ‘control assurance processes’ rather than for the assurance of controls generally.

Divisional performance will be measured against risk management plans and KPIs that will be created as part of the annual performance management process and using a Risk Management Maturity Evaluation Process.

The focus of the Monitor and Review strategy is to provide assurance as to whether the Risk Management Framework as a whole is effective and is being implemented correctly.

Control Assurance will principally be through the use of control self assessment, practiced by control owners. The Cura risk management information system will both support and be used to monitor that this is taking place.

Divisional and project risk management plan progress will be measured and reported twice a year to the ExCo Risk Management Committee and Board Risk Management Committee. These reports will also be consolidated and an organisation-wide progress report created for Eskom by the Manager, Integrated Risk Management.

Governance reporting will ultimately be to the Board Risk Management Committee. The Company and Division reports will be initially reviewed and endorsed by ExCo Risk Management Committee. Assurance and Forensics Department will verify progress and present a complementary report to both BRMC and ERMC once a year.

Reporting to the Board Risk Management Committee will occur twice a year. Reporting will comprise:

• The risk management plan progress at Divisional level;

• Risk management maturity – for the Division and for Eskom;

• Project risk management maturity – for major projects;

• Consolidated risk profile showing the material risks and risk control effectiveness for each Division and for Eskom;

• Significant changes in the risk profile (including ‘emerging’ risks) since the last report and the reasons for the changes;

• Risk treatment plan progress;

• Performance against Risk Management KPIs (as set).

To drive risk management forward, performance measures (KPIs) and goals will be set against which progress will be measured. These will largely be ‘lead measures’ to encourage the take-up of good risk management practices and to achieve certain tasks within each Division’s and Project’s Risk Management Plan.

The performance measures will be established at Eskom, Division and Project levels and for individual managers. They will be linked to and integrated into the current performance management process in Eskom.

Annually, all Divisions and Projects will conduct a maturity evaluation using the protocol issued by Group IRM. Divisions and Projects will use the results of this evaluation as the basis for the development of the next risk management plan. The results will also be reported to the Board Risk Management Committee.

Page 11: Integrated Risk Management 32-391


4 Integrated Risk Management Process

The risk management process that will be followed in all cases is that detailed in ISO 31000, as shown in Figure 4 below. All steps in the process will be applied. Detailed guidance on its application is given in IRM Guideline 2.1 (EGL 32-557 “Risk Assessment – General”). The definition of risk and its characterisation are discussed in IRM Guideline 1.1 (EGL 32-555 “Risk Management Basics”). Templates for each step of the process are available on Hyperwave in the form of the Risk Management Toolkit.

Figure 4: Integrated Risk Management Process

4.1 Communication and Consultation

The IRM process will start with, and continually involve, consultation and communication with relevant stakeholders. All risk assessments will be preceded by a stakeholder analysis that defines the relevant stakeholders, their objectives and their communication needs. From this a communication plan will be developed.

4.2 Establishing Context

Before any risk management activity takes place and especially before risk assessment occurs, the external, internal and risk management contexts will be established.

The risk management context will include the definition of suitable risk criteria and a key element structure for the subsequent risk assessment.

The most appropriate tools and methods for risk identification and analysis will be determined during this step in the IRM Process.

Page 12: Integrated Risk Management 32-391


4.3 Risk Identification

This will always occur as a workshop involving stakeholders. A trained facilitator and recorder (scribe) will always be present.

Risk identification will always occur using a recognised system and by following the key element structure determined when the risk management context was established.

Risks identified will be recorded in terms of:

• A description of the risk;

• The risk category;

• The risk owner;

• Its causes;

• The nature and extent of consequences;

• The existing controls;

• The control owner(s).

Risks will be described in terms of an event, changes in situation or circumstances and how these lead to consequences. Risks will not be described in terms of consequences only.

Risk owners and control owners will be named individuals and their names will be recorded in the Cura risk management information system.

4.4 Risk Analysis

This will generally occur using a qualitative system as specified in the Eskom IRM Standards. Risk analysis will be the means whereby we develop an understanding of a risk so that we can develop further, appropriate risk treatment as required. Residual risk will be measured, taking into account the current controls and their effectiveness. Risk Control Effectiveness will also be assessed and expressed for each risk together with a measure of Potential Exposure.

We will not attempt to use any form of semi-quantitative risk analysis.

Quantitative risk analysis will only occur when:

• The consequences are high and significant as shown by our system of consequence criteria;

• The input data is sufficiently reliable to produce defensible risk estimates;

• Our decision making process is sufficiently mature that it requires and can appreciate the results from the quantitative analysis.

4.5 Risk Evaluation

This will be conducted by way of:

• Comparison with any risk criteria developed as part of establishing the context;

• Risk rating and prioritisation for attention using, for qualitative risk analysis, a risk matrix;

• Cost benefit analysis to determine if risk treatment is justifiable.

Page 13: Integrated Risk Management 32-391


The Eskom IRM Standards will specify the actions required by management for risks at each level of risk and the time allowed for their completion. They will also specify which levels of management will be permitted to accept the continued exposure and toleration by Eskom of certain levels of risk.

4.6 Risk Treatment

Options for risk treatment will always be considered and compared using cost benefit analysis. The priority in which treatment options are considered will be:

• Risk avoidance - avoiding a risk (with detrimental consequences) by deciding not to proceed with the activity likely to create the risk, where this is practicable;

• Changing the likelihood of the risk, to enhance the likelihood of beneficial outcomes and reduce the likelihood of negative outcomes;

• Changing the consequences, to increase the gains and reduce the losses. This may include emergency response, contingency and disaster recovery plans;

• Risk Sharing;

• Risk Toleration without further treatment (involving an explicit decision to retain risk).

Risk treatment plans will be created for all risks where the level of risk is judged intolerable by the application of risk criteria and cost benefit analysis. These plans will contain tasks that are allocated to named task owners. A completion date for each risk treatment task will be given that is consistent with the time allowed for completion as specified in the Eskom IRM Standards.

Risk treatment plans will be created in the Cura Risk Management Information System.

4.7 Monitor and Review

Risks will be periodically subjected to formal review by risk owners. This review will involve the monitoring of risk treatment actions, control effectiveness and changes to the external or internal context, including changes to Eskom’s or stakeholder’s objectives.

Controls will be periodically reviewed by control owners to determine if they are both adequate and effective according to an assurance plan. The primary means of control assurance will be through the use of control self assessment by control owners.

Controls and risks will be monitored and reviewed through the application of systematic root cause analysis after events or changes occur, decisions are made or projects are completed. Lessons will be learnt through the root cause analysis of both successes and failures.

5 IRM Standards

These standards impose mandatory requirements on all employees of Eskom. All defined terms are given in bold and italics.

5.1 Standard 1, Managing Strategy Risks

5.1.1 Requirements

A suitable risk assessment will be conducted as part of the development of all business and strategic plans in Eskom. These risk assessments will be used to identify significant risks that could affect the achievement of the plan objectives and budgets. All types of risks will be considered and assessed.

The rigour of the risk assessment will be related to the severity of the consequences.

Risk treatment plans will be developed and implemented to ensure that plan objectives and budgets are met.

The output from risk assessments will be held in Risk Registers and Risk Treatment Plans that are stored in the Eskom Cura Risk Management Information System (RMIS). Risks will be allocated to named Risk Owners for monitoring and review. The risk treatment actions will be allocated to named ‘task owners’ and tracked and monitored for completion in the RMIS.

Divisions will conduct formal reviews of strategy risks on a 3-monthly basis. These reviews will involve identifying any new or emerging risks that might affect the achievement of strategic and business plan objectives and budgets. The results of these reviews will be presented to the Eskom Executive Risk Management Committee.

5.1.2 Interpretation

A risk will be significant if the potential consequences could have a material impact on the achievement of business plan objectives and budgets of Eskom. This will include those risks which if effectively managed can enhance our ability to achieve business plan objectives and budgets together with those which if not managed properly could prevent or delay us achieving them.

A suitable risk assessment means:

• It considers all types of risks;

• Wherever possible it is transparent, involves relevant stakeholders and is collaborative (i.e. workshop based);

• Follows a recognised methodology that is consistent with ISO 31000.

Risk Registers and the RMIS are further defined under Standard 8.

Risk Owners are those accountable for specific risks as recorded in a Risk Register held in the RMIS. This may also be recorded in position descriptions and in other policies and procedures.

More detailed advice on the management of strategy risks can be found in IRM Guideline 1.2 (EGL 32-556 “Integrating Risk Management with Strategic Planning”).

5.2 Standard 2, Managing the Risks Associated with Changes

5.2.1 Requirements

Before any significant change, event or decision occurs within Eskom or when a significant external change or event is detected, a suitable risk assessment will be conducted to determine the appropriate risk treatment.

The rigour of the risk assessment will be related to the severity of the consequences.

All types of risks will be considered and assessed.

The person who detects or initiates a significant change is responsible for initiating the risk assessment. He/she will then either conduct the risk assessment or pass it to someone who is accountable for the conduct of the risk assessment.

Wherever practicable this change, event or decision driven risk assessment process will be integrated and embedded in applicable Eskom processes and procedures.

5.2.2 Interpretation

Significant change, event or decision means significant in relation to the achievement of Eskom’s objectives and budgets and involves a consideration of potential consequences. A change, event or decision is significant if it could potentially have a material impact on the achievement of the objectives of Eskom, its customers or stakeholders or could lead to a breach of legal or contractual requirements.

A decision to commence or fund a project is a significant decision and the decision should be based on a suitable risk assessment. Standard 3 gives more detailed and specific requirements for Project Risk Management.

The changes, events and decisions that will trigger risk assessment will be both those that we propose internally together with those that we detect will occur externally and that may affect us achieving our objectives and budgets.

A suitable risk assessment means:

• It considers all types of risks;

• Wherever possible it is transparent, involves relevant stakeholders and is collaborative (i.e. workshop based);

• Follows a recognised methodology that is consistent with ISO 31000 (IRM Guideline 2.1 EGL 32-557 “Risk Assessment – General” contains detailed guidance on this).

The rigour of the risk assessment will be determined as follows:

• For simple risks and where the consequences are likely to be small, we will use a simple form of risk assessment that can be applied by most employees after some simple training;

• For more complex and high potential consequence risks, we will use a more rigorous approach that will be facilitated by a properly trained person;

• For the most complex and potentially serious risks, we will use an appropriate specialist to assist us in the facilitation of risk assessment and the design of risk treatment.

This is summarised in Table 1 below. In many cases, a simple scoping risk assessment will take place first and will be used to decide on:

• What further, more rigorous analysis is required;

• What aspects require more rigorous analysis.

Table 1: Risk Assessment Rigour Guide

Most likely consequence (see Table 5) | Complexity of risks | Type of risk assessment | Conducted by

5 or 6 | Most complex | 1. Facilitated review at least, using a systematic method. Qualitative risk analysis. Where appropriate, followed by: 2. Risk type specific analysis. This will often involve fully quantitative risk analysis. | 1. Trained facilitator with stakeholder participants. 2. Risk type specialist, e.g. Security, H&S, Reliability, Legal.

3 or 4 | More complex | Facilitated review at least, using a systematic method, e.g. HAZOP, SWIFT and qualitative risk analysis. | Trained facilitator with stakeholder participants.

1 or 2 | Simple | Simple risk assessment, e.g. “What-if”, Checklists etc. Workshop not required. | All employees after simple training.

5.3 Standard 3, Project Risk Management

Projects will normally constitute significant changes as defined under IRM Standard 2 and as such they will require the application of the IRM process and compliance with Standard 2. In particular:

• All projects will have a project Risk Management Plan that is developed at the commencement of the project and which describes how risk management will take place during the project;

• All projects should be planned using a suitable risk assessment to focus the project execution plan on the major sources of uncertainty – the risks;

• The financial justification and business case for the project should be subjected to suitable risk assessment;

• The design of the project should undertake design review using a suitable risk assessment.

Where the approach to the project management, planning, development and execution is phased, risk management will take place in all phases and throughout those phases and a Project Risk Management Plan for each phase will be produced prior to the commencement of each phase. In particular, risk assessment will generally take place at the beginning of the phase and not take place at the end of the phase for approval purposes.

During project execution, where a significant change is planned or occurs, IRM Standard 2 will apply and suitable risk assessment will take place as part of the management of the change.

During projects any critical controls will be subjected to assurance in accordance with IRM Standard 4. After projects have been completed or executed, Eskom will learn lessons through the undertaking of post project reviews that will involve the application of suitable root cause analysis.

Risk Registers, Risk Management Plans and Risk Treatment Plans for projects will contain information as described under Standard 9 and will be held in the Cura risk management information system.

More detailed advice on project risk management is contained in IRM Guideline 3.1 (EGL 32-559 “Project Risk Management”). Detailed requirements for quantitative analysis when applied to capital project return, budget and schedule are given in IRM Guidelines 6.1 (EGL 32-564 “Project evaluation and investment return range analysis”), 6.2 (EGL 32-565 “Project evaluation - budget return range analysis”) and 6.3 (EGL 32-566 “Project evaluation - schedule range analysis”) respectively.

5.4 Standard 4, Assurance of Critical Controls

5.4.1 Requirements

Those controls that are business-critical will be allocated to named Control Owners for checking and assurance. Control owners will ensure that there is a process such that controls for which they are accountable are periodically checked and assured to verify that they are adequate, effective and cannot be cost-effectively improved.

Assurance will be a planned and deliberate activity. The design of risk controls will involve deciding and recording when, by what means and by whom control checking takes place.

Wherever practicable control assurance will be integrated and embedded in applicable Eskom processes and procedures.

5.4.2 Interpretation

Critical controls are those whose effectiveness will contribute materially to the achievement of the Eskom business plan objectives and budgets or are required for contractual or regulatory compliance. Typically, where the level of Potential Exposure (PE) for the risk which the controls aim to modify meets or exceeds the “high” or “national” criteria for the level of the organisation concerned (see Table 4), the control will be Critical.

Control Owners are those accountable for specific controls as recorded in a Risk Register held in the RMIS. This may also be recorded in other policies and procedures.

Assurance involves checking of controls and will normally include all three of the following elements:

• Specific day to day control checks, preferably built into systems and procedures;

• Periodic reviews by the control owner using control self assessment;

• Occasional verification by auditors who are independent of line management.

Controls will be adequate if they have been planned and designed in a manner that provides reasonable assurance that business plan objectives and budgets will be achieved efficiently and economically and that legal and contractual requirements are complied with.

The term effective, when applied to controls, addresses the question of whether or not the controls are operating as intended. Controls are effective if they act in such a manner as to provide reasonable assurance that business plan objectives and targets will be achieved and that legal and contractual requirements are complied with.

Control owner periodic reviews will normally be achieved through the application of Control Self Assessment.

Risk Registers and the RMIS are further defined under Standard 9.

Guidance on the planning and conduct of control self assessment is given in IRM Guideline 4.1 (EGL 32-560 “Control self assessment”). Advice on internal audit planning as part of risk and control assurance activity is given in IRM Guideline 4.2 (EGL 32-561 “Internal audit planning”).

5.5 Standard 5, Learning from Successes and Failures

5.5.1 Requirements

After any significant event or change, a suitable root cause analysis will be conducted to learn lessons from both successes and failures.

The lessons will be recorded and actions will be taken to ensure that the causes are treated such that subsequent failures are prevented and successes are repeated.

Wherever practicable, post event or post change root cause analysis will be integrated and embedded in applicable Eskom processes and procedures.

5.5.2 Interpretation

Significant event or change means significant in relation to the achievement of Eskom or its customers or stakeholders’ objectives and budgets or to ensure legal or contractual compliance and involves a consideration of potential consequences. An event or change is significant if it could potentially have a material impact on the achievement of business plan objectives, budgets or legal and contractual compliance.

Suitable root cause analysis will be:

• That which follows a recognised system;

• That which identifies not only direct causes, but also latent and root causes;

• Where the root cause analysis process is transparent, involves relevant stakeholders and is collaborative;

• Where the outcomes are recorded;

• Where the lessons learnt are recorded;

• Where actions are agreed that treat the causes.

Further detailed advice on suitable systems for root cause analysis is given in IRM Guideline 5.1 (EGL 32-562 “Root cause analysis”) and the means whereby learning will be distributed in Eskom is described in IRM Guideline 5.2 (EGL 32-563 “Organisational learning”).

5.6 Standard 6, Analysing Risk

5.6.1 Requirements

Normally, qualitative risk rating will be used for risk analysis. Semi-quantitative risk analysis will not be used.

Quantitative risk analysis will only be used where:

1. A qualitative risk analysis has rated the risk with a most likely consequence rating of “5” or “6” as shown in Table 4; and

2. Reliable data is available; and

3. The level of definition required by decision makers is high.

A consequence rating will be chosen from Table 4 on the basis of the most likely impact on Eskom and its stakeholders, choosing the most severe of the consequence types given. A likelihood rating will be chosen from Table 5 on the basis of the corresponding likelihood that Eskom and its stakeholders could be affected at the chosen level of consequence.

Risk Control Effectiveness (RCE) will also be estimated during risk analysis taking into account both the adequacy and effectiveness of controls. Risk Control Effectiveness (RCE) will be a measure of the completeness, relevance and efficacy of the current controls when compared with that which is reasonably achievable.

RCE will be rated using the guide in Table 7. Where RCE is less than “Fully Effective” then a Risk Treatment Plan will be prepared and implemented that addresses the control deficiency.

Risk rating will always be based on residual risk taking into account currently present controls and their effectiveness. We will not use measures of “inherent risk”.

Potential Exposure (PE) will be estimated for each risk analysed. This will represent the total plausible maximum impact on Eskom arising from a risk without regard to controls and will be estimated by considering the consequences that could arise if all existing controls are ineffective or missing. It will be expressed in terms of the level within Eskom at which the impact will be felt and will be equivalent to a Rand value. The criteria for PE given in Table 4 will be used.

PE will be used as the primary measure on which to focus and plan assurance activities.

As part of risk analysis, the risk will be categorised based on the predominant cause of the risk. Risks will not be categorised according to consequence types. The system of risk categories used in Eskom will be those shown in Table 2 and Table 3.

Table 2: Eskom risk categories

Category Sub-category

Supply Chain into Eskom • Primary Energy • Water • Fuel • Other Materials • Equipment • Contractors • Utilities • Transport services

Government and Regulators (Eskom Stakeholders) • Regulators • Central government • Provincial & municipal government

Partners & Investors (Eskom Stakeholders) • Partners • Investors • Conflicts of interest

Customers (Eskom Stakeholders) • Short term market demand • Long term market changes • Pricing and tariffs

Community & Society (Eskom Stakeholders) • Social commitments • Security environment

Competitors (Eskom Stakeholders) • Competitors

Economic Climate (Finance) • Capital availability • Interest rates • Exchange rates • Insurance

Financial Structure (Finance) • Asset values • Liabilities • Working capital • Treasury management • Operating expenses • Accounts management

Legal and Compliance requirements • Legislative & regulatory requirements • External approvals & permits • Taxes, duties and other fees

Natural Events • Weather • Natural fires • Seismic events • Climate change

People • Resources • Competency, knowledge & training • Behaviour motivation & morale • Language & communication

Organisational Structure • Structure • Organisational change • Accountability & supervision

IT systems (hardware & software) • Systems capabilities • Systems maintenance & upgrade • IT security

Information and Knowledge • Data acquisition, maintenance & retention • Organisational learning • Intellectual Property

Business Processes • Business planning & budgeting (Strategic) • Operating processes • Maintenance processes • Commercial & procurement processes • Project management processes • Governance and assurance processes • Decision making & approval processes • Business continuity management

Physical Assets • Design & legacy issues • Operability • Capacity • Reliability, availability of supply

Electricity Output • Quality of supply • Reliability & availability of supply

Waste Products • Solid waste • Liquid waste • Gaseous emissions • Contaminated material

Table 3: Potential Exposure Criteria

Level of Potential Exposure Equivalent Financial Impact on Eskom (Rand Net Profit)

Beyond Eskom impact > R1b

Across Eskom Divisions impact ≥ R200m

Divisional impact ≥ R35m

Business Unit impact ≥ R10m

Departmental impact ≥ R1m

Table 4: Consequence criteria

The consequence criteria will change with time and are therefore subject to periodic review.

Table 5: Likelihood criteria

Category | Criteria

E | • 99% probability, or • impact is occurring now, or • could occur within “days to weeks”

D | • >70% probability, or • balance of probability will occur, or • could occur within “weeks to months”

C | • >20% probability, or • may occur shortly but a distinct probability it won’t, or • could occur within “months to years”

B | • >5% probability, or • may occur but not anticipated, or • could occur in “years to decades”

A | • <5% probability • occurrence requires exceptional circumstances • exceptionally unlikely, even in the long term future • only occur as a “100 year event”

The matrix in Table 6 will be used to determine the relative ranking of risks.

Table 6: Risk Matrix

Consequences \ Likelihood | A | B | C | D | E

6 | III | II | I | I | I

5 | III | II | II | I | I

4 | IV | III | II | I | I

3 | IV | III | II | II | I

2 | IV | IV | III | II | II

1 | IV | IV | III | III | III

Table 7: Risk Control Effectiveness

RCE | Guide

Fully effective | Nothing more to be done except review and monitor the existing controls. Controls are well designed for the risk, are largely preventative and address the root causes, and Management believes that they are effective and reliable at all times. Reactive controls only support preventative controls.

Partially effective | Most controls are designed correctly and are in place and effective. Some more work to be done to improve operating effectiveness, or Management has doubts about operational effectiveness and reliability.

Ineffective | While the design of controls may be largely correct in that they treat most of the root causes of the risk, they are not currently very effective. There may be an over-reliance on reactive controls. Or: some of the controls do not seem correctly designed, in that they do not treat root causes, although those that are correctly designed are operating effectively.

Totally ineffective | Significant control gaps. Either controls do not treat root causes or they do not operate at all effectively. Controls, if they exist, are just reactive.

None | Virtually no credible control. Management has no confidence that any degree of control is being achieved due to poor control design and/or very limited operational effectiveness.

5.6.2 Interpretation

Residual risk means the assessed level of risk taking into account the controls currently in place and their assessed level of effectiveness.

Risk Control Effectiveness (RCE) will be a relative assessment of the actual level of control that is currently present and effective compared with that reasonably achievable for that particular risk. RCE will therefore be an indicator as to whether Eskom is doing all that it could or should to manage a particular risk.

Often, the failure of a control will be a major cause of a risk and should be identified as such during risk identification.

Potential Exposure (PE) can be estimated as being equivalent to the total of the net profit lost, plus the legal liability, recovery or compensation payments made and any opportunity costs.

5.7 Standard 7, Evaluating Risk

5.7.1 Requirements

The results of risk analysis will be subjected to risk evaluation, to make decisions about whether further treatment is required, which risks need treatment and treatment priorities.

Generally, risk evaluation will involve three distinct steps:

1. comparing the level of risk found with risk criteria;

2. prioritising the risks for attention according to risk rating, potential exposure and risk control effectiveness;

3. deciding on the scope for further control and risk treatment through suitable cost benefit analysis.

Eskom may specify risk criteria to be adopted in the evaluation of specified risks.

Priority for attention and the seniority of management sign-off for the continued toleration by Eskom of a level of residual risk will be as shown in Table 8. The decision to tolerate a risk and continue the exposure should be based on a consideration of:

• whether it would be cost-effective to further treat the risk;

• Eskom’s willingness to tolerate risks of that type and level.

Table 8: Priority for attention

Priority | Suggested timing of treatment | Authority for continued toleration of residual risk

I | Short term. Normally within 1 month. | Managing Directors, Chief Executive and Board

II | Medium term. Normally within 3 months. | Managing Directors, Senior General Managers and General Managers

III | Normally within 1 year. | Senior General Managers, General Managers and Managers

IV | Ongoing control as part of a management system. | All staff

Low or tolerable risks may be accepted with minimal further treatment. They will be monitored and periodically reviewed to ensure they remain so.
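The analysis and evaluation steps of Standards 6 and 7 can be exercised end to end on a small register. The Python below is an added worked example, not Eskom's code and not part of the Cura RMIS: it encodes Table 3 (Potential Exposure levels), Table 5 (likelihood categories), Table 6 (risk matrix), Table 7 (RCE levels) and Table 8 (priority, timing and toleration authority) as they appear on this page, and applies the Standard 6 rules that the consequence rating is the most severe across consequence types, that a treatment plan is required whenever RCE is below “Fully effective”, and that quantitative analysis needs all three stated conditions. The `Risk` record, the sample register entries, the reading of the Table 5 boundaries as ≥99%, >70%, >20% and >5%, and the label used for exposures below the R1m departmental threshold are assumptions of this example.

```python
"""Qualitative risk rating and evaluation following Eskom IRM Standards 6 and 7.

Added worked example (not Eskom's code or the Cura RMIS). Table values are
taken from the page; the Risk record, sample register, Table 5 boundary
reading and the sub-R1m label are constructed assumptions.
"""
from dataclasses import dataclass

LIKELIHOODS = "ABCDE"  # Table 5 categories, least to most likely

# Table 6: row = consequence rating, columns = likelihood A..E, cell = risk rating.
RISK_MATRIX = {
    6: ("III", "II", "I", "I", "I"),
    5: ("III", "II", "II", "I", "I"),
    4: ("IV", "III", "II", "I", "I"),
    3: ("IV", "III", "II", "II", "I"),
    2: ("IV", "IV", "III", "II", "II"),
    1: ("IV", "IV", "III", "III", "III"),
}

# Table 8: risk rating -> (suggested timing, authority for continued toleration).
PRIORITY = {
    "I": ("Normally within 1 month", "Managing Directors, Chief Executive and Board"),
    "II": ("Normally within 3 months",
           "Managing Directors, Senior General Managers and General Managers"),
    "III": ("Normally within 1 year",
            "Senior General Managers, General Managers and Managers"),
    "IV": ("Ongoing control as part of a management system", "All staff"),
}

# Table 7 levels, weakest to strongest; only the top level needs no treatment plan.
RCE_LEVELS = ("None", "Totally ineffective", "Ineffective",
              "Partially effective", "Fully effective")


def likelihood_from_probability(p: float) -> str:
    """Map a probability to a Table 5 category (boundary reading is an assumption)."""
    if p >= 0.99:
        return "E"
    if p > 0.70:
        return "D"
    if p > 0.20:
        return "C"
    if p > 0.05:
        return "B"
    return "A"


def consequence_rating(by_type: dict) -> int:
    """Standard 6: the rating is the most severe across the consequence types."""
    rating = max(by_type.values())
    if rating not in RISK_MATRIX:
        raise ValueError("consequence ratings must be 1..6")
    return rating


def rate_risk(consequence: int, likelihood: str) -> str:
    """Look up the Table 6 cell for a consequence (1..6) and likelihood (A..E)."""
    return RISK_MATRIX[consequence][LIKELIHOODS.index(likelihood)]


def pe_level(rand: float) -> str:
    """Table 3: level at which Potential Exposure is felt, by Rand net-profit impact."""
    if rand > 1_000_000_000:
        return "Beyond Eskom impact"
    if rand >= 200_000_000:
        return "Across Eskom Divisions impact"
    if rand >= 35_000_000:
        return "Divisional impact"
    if rand >= 10_000_000:
        return "Business Unit impact"
    if rand >= 1_000_000:
        return "Departmental impact"
    return "Below departmental threshold"  # constructed label; Table 3 stops at R1m


def quantitative_analysis_warranted(consequence: int, reliable_data: bool,
                                    high_definition_needed: bool) -> bool:
    """Standard 6: all three conditions must hold before quantitative analysis is used."""
    return consequence in (5, 6) and reliable_data and high_definition_needed


@dataclass
class Risk:
    name: str
    consequences: dict           # consequence type -> rating 1..6
    probability: float           # likelihood of impact at the chosen consequence level
    rce: str                     # one of RCE_LEVELS
    potential_exposure_rand: float


def evaluate(risk: Risk) -> dict:
    """Run one register entry through Standards 6 and 7 and return the evaluation."""
    if risk.rce not in RCE_LEVELS:
        raise ValueError(f"unknown RCE level: {risk.rce}")
    cons = consequence_rating(risk.consequences)
    lik = likelihood_from_probability(risk.probability)
    rating = rate_risk(cons, lik)  # residual risk: current controls already reflected
    timing, authority = PRIORITY[rating]
    return {
        "name": risk.name, "consequence": cons, "likelihood": lik, "rating": rating,
        "timing": timing, "toleration_authority": authority,
        "pe_level": pe_level(risk.potential_exposure_rand),
        "treatment_plan_required": risk.rce != "Fully effective",  # Standard 6 rule
    }


# Constructed sample register (not Eskom data).
SAMPLE_REGISTER = [
    Risk("Extended outage of a generating unit", {"safety": 2, "supply": 5, "financial": 4},
         0.30, "Partially effective", 250_000_000),
    Risk("Minor site housekeeping lapse", {"safety": 1, "financial": 1},
         0.90, "Fully effective", 400_000),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(evaluate(r))
```

Whether a rated risk is then tolerated remains the judgement of the Table 8 authority after cost benefit analysis; the code reports who must sign off and by when, it does not make that decision.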

5.7.2 Interpretation

There are very few risk criteria specified by legislation. In the field of occupational health and safety, the ALARP (as low as is reasonably practicable) criteria framework is normally required to be applied as part of decision making as to what is a tolerable level of risk.

Eskom may create its own risk criteria.

When conducting Cost Benefit Analysis where there is uncertainty about the costs to be incurred or benefits to be gained, the analysis should explicitly take that uncertainty into account. In all cases, suitable Cost Benefit Analysis should include all costs and ancillary costs (dis-benefits) as well as benefits and ancillary benefits (opportunities). If most of the costs and/or the benefits are unlikely to be experienced within the first year or so, then it will be necessary to discount the benefits (and indirect costs) to allow the assessment to be made “in today’s money”.

To take into account qualitative, non-financial and less tangible costs and benefits, qualitative cost benefit analysis should be used to support decisions on risk treatment. If necessary, non-financial impacts should be converted to equivalent financial measures using the cross-table relationships shown in Table 4.

Further detailed advice on cost benefit analysis can be found in IRM Guideline 7.1 (EGL 32-567 “Cost benefit analysis”).

5.8 Standard 8, Treating Risks

5.8.1 Requirements

Options for treating risk will always be considered as part of Risk Assessment, Root Cause Analysis or control checking and assurance activities. Risk treatment options, which are not necessarily mutually exclusive or appropriate in all circumstances, include:

• Risk avoidance - avoiding a risk (one with detrimental consequences) by deciding not to proceed with the activity likely to create the risk (where this is practicable);

• Changing the likelihood of the risk, to enhance the likelihood of beneficial outcomes and reduce the likelihood of negative outcomes;

• Changing the consequences, to increase the gains and reduce the losses. This may include emergency response, contingency and disaster recovery plans;

• Risk Sharing;

• Risk Toleration without further treatment (involving an explicit decision to retain risk).

The options for risk treatment should be considered in the order of preference given above.

Risk treatment will involve the design of controls to treat causes. It will also involve deciding and recording when, by what means and by whom control checking will take place.

Selecting the most appropriate treatment option will involve comparing the cost of implementing each option against the benefits derived from it. In general, the cost of treating risks will need to be commensurate with the benefits obtained.

When making such cost versus benefit judgements, all costs and dis-benefits as well as benefits and opportunities will be considered.

A number of treatment options will always be considered and applied, either individually or in combination.

Page 29: Integrated Risk Management 32-391

Integrated Risk Management Unique Identifier 32-391 Framework and Standards Revision: Rev. 2 Page: 29 of 36

PUBLIC When downloaded from the EDS database, this document is uncontrolled and the responsibility rests with the user to ensure it is in line with the authorised version on the database.

Decisions should take account of the need to consider carefully rare but severe risks that may warrant risk treatment actions that are not justifiable on strictly economic grounds. Legal, reputational and community requirements may override simple financial cost benefit analysis and in these cases a qualitative cost benefit analysis (see Standard 7) should be used.

Risk treatment actions will be resolved into a number of specific tasks and these will be allocated to named individuals (task owners) who will be accountable for their completion. Risk Treatment Plans are to be created in the RMIS. These should comply with the requirements of Standard 9.

5.8.2 Interpretation

Risk sharing involves another party or parties bearing or sharing some part of the risk preferably by mutual consent. Mechanisms include the use of contracts, insurance arrangements and organisational structures such as partnerships to spread responsibility and liability. Generally there will be some distribution of capital associated with the sharing of the risks with another organisation, such as the premium paid for insurance or the fees paid for contracted work.

Where risks are shared in whole or in part, the organisation transferring the risk has acquired a new risk, in that the organisation to which the risk has been transferred may not manage the risk effectively or appropriately.

After risks have been changed or shared, there will be residual risks that are retained. Risks can also be retained by default, e.g. when there is a failure to identify or appropriately share or otherwise treat risks.

Sensitivity analysis is the preferred way of testing the effectiveness of different options for treating risk. For large PEs a combination of treatments may be necessary; for example, a situation where some preventative controls are in place, some risk sharing is effected through contracted-out work, and this is supported by obtaining appropriate insurance cover.

5.9 Standard 9, Planning and Recording Risk Management

5.9.1 Requirements

Eskom, its Divisions and Functions will prepare and maintain suitable Risk Management Plans. Each project will also prepare a risk management plan and this will be updated for each phase (see Standard 3).

Risk Management Plans will be reviewed annually as part of the business planning process and will be revised to reflect the actions required to be taken to further comply with these Standards.

The outputs from each stage of the risk management process will be recorded appropriately. Specifically, all material risks will be recorded in Risk Registers. These will contain information about the relied-upon controls in terms of a description on the control and the control owner.

Risk treatment tasks will be recorded in Risk Treatment Plans.

All Risk Management Plans, Risk Registers and Risk Treatment Plans will be recorded, stored and maintained in the RMIS.


5.9.2 Interpretation

Risk Management Plans will contain:

• specific actions, tasks and measures to be adopted that will further risk management and to comply with the Eskom IRM Policy and these Standards;

• a timetable for implementation;

• details of the mechanism for and frequency of review of the status of the Risk Management Plan.

In preparing and maintaining Risk Management Plans, stakeholder analysis will be conducted in order to develop a communication plan for stakeholders. This will specify the risk management reporting that should take place in each case.

Risk Registers will contain, for each risk:

• a description of the risk;

• the Eskom risk category;

• the name of the risk owner;

• the causes;

• the nature and extent of the expected consequences associated with the risk;

• the existing controls being relied upon;

• the name(s) of the control owner(s);

• Risk Control Effectiveness (RCE);

• the Risk Rating;

• the Potential Exposure (PE);

• notes explaining the basis for risk rating.

Risk Treatment Plans will contain:

• the tasks to be completed and the risks they address;

• who has responsibility for implementation of certain treatment tasks;

• the timetable for implementation;

• details of the mechanism for and frequency of review of the status of the treatment plan.


5.10 Standard 10, Monitoring and Reporting Risk Management

5.10.1 Requirements

The Eskom Board Risk Management Committee will review each quarter:

• All risks that are rated II or above;

• Risks where the level of PE is greater than or equal to the “Across Eskom Divisions impact” level and where the RCE is less than “Fully effective”.

All risks where the level of PE is greater than or equal to “Across Eskom Divisions impact” and where RCE is less than “Fully effective” will be reported to the Chief Executive as soon as they are identified and rated as such. In these cases a written Risk Treatment Plan for those risks should also be submitted.

Eskom and its Divisions will report to the Board Risk Management Committee twice a year on the progress made in the implementation of the IRM Policy Statement and these Standards. Reporting will use specified templates and will be against specified performance measures. The reports for Eskom and each of its Divisions will contain:

• The current Risk Management Plan and the progress being made with it;

• The Risk Management Plan for the next year, when available and the key tasks;

• Performance against specified performance measures;

• A comparison of the current level of risk management maturity against that for the previous period;

• Risks rated I or II and/or with a PE at a level greater than or equal to “Across Eskom Divisions impact”, and the changes in those risks since the last report with an explanation for the change in each case.

Over and above this, Eskom and its Divisions will each develop communication plans for specific internal and external stakeholders to convey appropriate risk management information.

5.10.2 Interpretation

Before reports are made to the Board Risk Management Committee, Divisions and Projects will ensure that Risk Registers, Risk Treatment Plans and Risk Management Plans held in the RMIS are up to date.

Performance measures and targets may be specified to be achieved across the organisation for risk management and for achieving compliance with the IRM Policy Statement and these Standards. Divisions and Projects will be required to measure and report progress against these performance measures.


5.11 Key IRM Definitions

TERM DEFINITION

Assurance Assurance is a process that provides confidence that objectives will be achieved with a tolerable level of residual risk.

Cause Something that gives rise to or creates a risk or an event.

Communication and consultation Continual or iterative process that an organization conducts to provide, share and/or obtain information and to engage in dialogue with stakeholders regarding the management of risk

Consequence Outcome of an event affecting objectives

Control Measure that is modifying risk

Control assessment The periodic and systematic review of processes to ensure that controls are still effective and appropriate.

Control owner The person nominated as accountable for the assurance of the control to ensure that both the design and the operation of the control are effective. Control owners’ names are recorded in risk registers.

Control self assessment The planned, periodic review by managers of work processes, procedures and systems to ensure that the risk controls are still effective and appropriate. The review should focus on opportunities for improvement with existing work processes, procedures and systems and with the risk controls.

Cost The direct or indirect investment or loss of money, time, labour, disruption, goodwill, political, operational continuity or other intangibles accompanying the management of risk.

Cost benefit analysis An objective assessment comparing all the costs of treating a risk against all the benefits from the residual risk.

Event Occurrence or change of a particular set of circumstances

Exposure Extent to which an organization is subjected to an event

External context External environment in which the organization seeks to achieve its objectives

Frequency Measure of the likelihood of an event expressed as a number of events or outcomes per defined unit of time

Hazard Potential source of harm

Internal context Internal environment in which the organization seeks to achieve its objectives

Level of risk Magnitude of a risk expressed in terms of the combination of consequences and their likelihood

Likelihood Chance of something happening.

Monitoring Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected.

Net present value (NPV) A measure of the cash generated by the investment after paying back Eskom’s lenders for the use of their money. It is what an investment is worth to Eskom in today’s money.

Potential exposure The total plausible maximum impact on Eskom arising from a risk without regard to controls.

Probability Measure of the chance of occurrence expressed as a number between 0 and 1 where 0 is impossibility and 1 is absolute certainty.

Residual risk Risk remaining after risk treatments.

Resilience Capacity to resist being affected by an event

Review Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives


TERM DEFINITION

Risk Effect of uncertainty on objectives.

Note 1: An effect is a deviation from the expected - positive and/or negative.

Note 2: Objectives can have different aspects, such as financial, health and safety, and environmental goals, and can apply at different levels such as strategic, organization-wide, project, product and process.

Note 3: Risk is often characterized by reference to potential events, a consequence, or a combination of these and how they can affect the achievement of objectives.

Note 4: Risk is often expressed in terms of a combination of the consequences of an event or a change in circumstances, and their associated likelihood of occurrence.

Risk acceptance Informed decision to take a particular risk

Risk aggregation Process to combine individual risks to obtain a more complete understanding of risk

Risk analysis Process to comprehend the nature of risk and to determine the level of risk

Risk appetite Amount and type of risk an organization is prepared to pursue or take

Risk assessment Overall process of risk identification, risk analysis and risk evaluation

Risk aversion Attitude to turn away from risk

Risk avoidance Decision not to be involved in, or to withdraw from, an activity based on the level of risk

Risk control effectiveness (RCE) A relative assessment of the actual level of control that is currently present and effective compared with that which is reasonably achievable for a particular risk.

Risk criteria Terms of reference against which the significance of a risk is evaluated

Risk evaluation Process of comparing the results of the risk analysis against risk criteria to determine whether the level of risk is acceptable or tolerable.

Risk financing Form of risk treatment involving contingent arrangements for the provision of funds to meet the financial consequences should they occur

Risk identification Process of finding, recognizing and describing risks

Risk management Coordinated activities to direct and control an organization with regard to risk

Risk management audit Systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the risk management framework is adequate and effective.

Risk management framework Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organization

Risk management information system The database operated by Eskom that holds all risk management information including all risk registers, risk treatment plans and risk management plans.

Risk management plan Document within the risk management framework specifying the approach, the management elements and resources to be applied to the management of risk.

Risk management policy Overall intentions and direction of an organization related to risk management

Risk management process Systematic application of management policies, procedures and practices to the tasks of communicating, consulting, establishing the context, identifying, analyzing, evaluating, treating, monitoring and reviewing risk


TERM DEFINITION

Risk matrix Tool for ranking and displaying risks by defining ranges for consequence and likelihood

Risk owner Person with the accountability and authority for managing the risk and any associated risk treatments.

Risk perception Stakeholder’s view on a risk

Risk profile Description of a set of risks

Risk register Record of information about identified risks

Risk reporting Form of communication intended to address particular internal or external stakeholders to provide information regarding the current state of risk and its management

Risk retention Acceptance of the benefit of gain, or burden of loss, from a particular risk

Risk sharing Form of risk treatment involving the agreed distribution of risk with other parties

Risk source Anything which alone or in combination has the intrinsic potential to give rise to risk

Risk tolerance Organization’s readiness to bear the risk after risk treatment in order to achieve its objectives

Risk treatment Process of developing, selecting and implementing measures to modify risk

Risk treatment plan Documents the risk treatment actions to be taken. Includes details of separate tasks, task owners and completion dates.

Root cause The underlying cause of an event or source of risk that, if rectified, will prevent the recurrence not just of the event or risk with those exact circumstances, but of many others with similar root causes. When applied to successes it can elicit the actions required to emulate and repeat the success.

Root cause analysis Root cause analysis is the systematic process of learning from events or incidents to identify the underlying causes of the event or source of risk.

Stakeholder Those people and organizations who can affect, be affected by, or perceive themselves to be affected by a decision or activity

Task owner The person nominated as accountable for the completion of a risk treatment action.

Uncertainty State, even partial, of deficiency of information related to, understanding of or knowledge of an event, its consequence, or likelihood

Vulnerability Intrinsic properties of something that create susceptibility to a source of risk that can lead to a consequence

5.12 Abbreviations

EXCO: Executive Management Committee

GM: General Manager

IRM: Integrated Risk Management

MD: Managing Director

RM: Risk Management

ERMC: Eskom Risk Management Committee

RMWG: Risk Management Working Group


5.13 Roles and Responsibilities

5.13.1 These standards are issued under the authority of the Chief Executive.

5.13.2 The Managing Director (Corporate Services Division) is accountable for the overall direction and function of Eskom’s risk management programme and reports back directly to the Holdings Board, through the Board Risk Management Committee.

5.13.3 Group IRM has developed a common Eskom Group risk framework supported by appropriate methodologies, one common language and an executive sponsor (MD – CSD).

5.13.4 The Managing Directors of the various line divisions, subsidiaries and corporate divisions in Eskom are responsible for, and committed to, the implementation of the integrated risk management standards. These aspects include coordinating the risk management strategy, ensuring compliance with these standards and the planning and implementation of the IRM Framework in their divisions, subsidiaries and projects.

5.13.5 Every staff member is responsible for the effective management of Risk. Management is responsible for the development of risk management plans and the implementation of risk treatment plans.

5.13.6 To achieve the objective of establishing Integrated Risk Management in Eskom, accountability and responsibility will be allocated for the monitoring and review of risks to Risk Owners, for the assurance of controls to Control Owners and for the completion of risk treatment tasks to Task Owners.

5.14 Reporting

Divisions shall report at a prescribed time and in a prescribed format on their risk management performance, risk profiles and changes to those. They will present these to the Eskom Executive Risk Management Group and Board Risk Management Committee.

The Cura Risk Management Information System will be used to generate standard reports using templates created by Group IRM.

6. Authorisation

This policy has been seen and accepted by (Name: Designation):

PJ Maroga: Chief Executive

I du Plessis: Acting Finance Director

BA Dames: Chief Officer (Generation and Generation Primary Energy Divisions)

MM Ntsokolo: Managing Director (Transmission Division)

A Noah: Managing Director (Distribution Division)

JA Dladla: Managing Director (Office of the Chief Executive)

E Johnson: Chief Officer (Network and Customer Services)

Dr SJ Lennon: Managing Director (Corporate Services Division)

E Pule: Acting Managing Director (Human Resources Division)

B Conradie: (Acting) Managing Director (Enterprises Division)

M Koko: (Acting) Managing Director (Engineering)

K Lakmeeharan: [Managing Director] System Operations and Planning Division

P Dukashe: (Acting) Managing Director (Nuclear)

T Govender: Managing Director (Generation Division)

V Nemukula: Acting Managing Director (Primary Energy Division)


7. Revisions

Date / Rev. / Remarks

Dec 2009 / 0 / New document

Feb 2009 / 1 / Superseded previous Rev.0; Consequence Table was replaced and formatting corrected

June 2009 / 2 / Re-submitted through voting process

8. Development team

Name: Department / Area

C H Palm: Group Integrated Risk Management

A Swart: Group Integrated Risk Management

G Purdy: Consultant, Broadleaf Consulting