WHAT IS A RISK?
Risk is a probability or threat of damage, injury, liability, loss, or any other negative
occurrence that is caused by external or internal vulnerabilities, and that may be avoided
through pre-emptive action. Risk implies future uncertainty about deviation from expected
earnings or expected outcome. Risk measures the uncertainty that an investor is willing to
take to realize a gain from an investment.
Risks are of different types and originate from different situations: liquidity risk,
sovereign risk, insurance risk, business risk, default risk, and so on. These risks arise from
the uncertainty created by the various factors that influence an investment or a situation.
Risk management is the process of identifying, assessing and controlling threats to an
organization's capital and earnings. These threats, or risks, could stem from a wide variety of
sources, including financial uncertainty, legal liabilities, strategic management errors,
accidents and natural disasters. IT security threats and data-related risks, and the risk
management strategies to alleviate them, have become a top priority for digitized
companies. As a result, a risk management plan increasingly includes a company's processes
for identifying and controlling threats to its digital assets, including proprietary corporate
data, customers' personally identifiable information and intellectual property.
RISK MANAGEMENT STANDARDS
Since the early 2000s, several industry and government bodies have expanded regulatory
compliance rules that scrutinize companies' risk management plans, policies and
procedures. In an increasing number of industries, boards of directors are required to
review and report on the adequacy of enterprise risk management processes. As a
result, risk analysis, internal audits and other means of risk assessment have become major
components of business strategy.
Risk management standards have been developed by several organizations, including
the National Institute of Standards and Technology (NIST) and the International
Organization for Standardization (ISO). These standards are
designed to help organizations identify specific threats, assess unique vulnerabilities to
determine their risk, identify ways to reduce these risks and then implement risk reduction
efforts according to organizational strategy.
ISO 31000, for example, provides principles and a framework for improving the risk
management process that can be used by any organisation, regardless of its size or sector.
ISO 31000 is designed to "increase the likelihood of achieving objectives, improve the
identification of opportunities and threats, and effectively allocate and use resources for
risk treatment," according to the ISO website. Although ISO 31000 cannot be used for
certification purposes, it provides guidance for internal or external risk audits, and it allows
organisations to compare their risk management practices with internationally recognised
benchmarks.
ISO recommends that the following principles should be part of the overall risk
management process:
The process should create value for the organization.
It should be an integral part of the overall organizational process.
It should factor into the company's overall decision-making process.
It must explicitly address any uncertainty.
It should be systematic and structured.
It should be based on the best available information.
It should be tailored to the project.
It must take into account human factors, including potential errors.
It should be transparent and all-inclusive.
It should be adaptable to change.
It should be continuously monitored and improved upon.
The ISO standards and others like it have been developed worldwide to help organizations
systematically implement risk management best practices. The ultimate goal for these
standards is to establish common frameworks and processes to effectively implement risk
management strategies.
These standards are often recognized by international regulatory bodies, or by target
industry groups. They are also regularly supplemented and updated to reflect rapidly
changing sources of business risk. Although following these standards is usually voluntary,
adherence may be required by industry regulators or through business contracts.
RISK MANAGEMENT STRATEGIES AND PROCESSES
All risk management plans follow the same steps that combine to make up the overall risk
management process:
Risk identification. The company identifies and defines potential risks that may
negatively influence a specific company process or project.
Risk analysis. Once specific risks are identified, the company determines the likelihood
of each one occurring, as well as its consequences. The goal of the analysis is to
understand each specific risk and how it could affect the company's projects and
objectives.
Risk assessment and evaluation. The risk is then further evaluated after determining
the risk's overall likelihood of occurrence combined with its overall consequence. The
company can then make decisions on whether the risk is acceptable and whether the
company is willing to take it on based on its risk appetite.
Risk mitigation. During this step, companies assess their highest-ranked risks and
develop a plan to alleviate them using specific risk controls. These plans include risk
mitigation processes, risk prevention tactics and contingency plans in the event the risk
comes to fruition.
Risk monitoring. Part of the mitigation plan includes following up on both the risks and
the overall plan to continuously monitor and track new and existing risks. The overall
risk management process should also be reviewed and updated accordingly.
RISK MANAGEMENT APPROACHES:
Risk avoidance. While the complete elimination of all risk is rarely possible, an avoidance
strategy is designed to deflect as many threats as possible in order to avoid the costly and
disruptive consequences of a damaging event.
Risk reduction. Companies are sometimes able to reduce the effect certain risks can have
on company processes. This is achieved by adjusting certain aspects of an overall project
plan or company process, or by reducing its scope.
Risk sharing. Sometimes the consequences of a risk are shared, or distributed, among
several of the project's participants or business departments. The risk could also be
shared with a third party, such as a vendor or business partner.
Risk retention. Sometimes companies decide a risk is worth it from a business
standpoint, and choose to retain the risk and deal with any potential fallout. Companies
will often retain a certain level of risk when a project's anticipated profit is greater than
the cost of its potential risk.
IMPORTANCE OF RISK MANAGEMENT
Understanding risk management in the public sector
Risk management is at the forefront of corporate governance in public sector organisations.
An organisation's structures, processes, corporate values, culture and behaviour all need
continual risk assessment. It is important for a government organisation to find an
approach to managing risk that fits it.
A typical risk management process in a public sector organisation involves the following:
Identifying future events or occurrences that threaten success.
Rating the level of risk in terms of likelihood and extent of impact.
Considering whether to tolerate, treat, transfer or terminate a risk.
Reviewing mechanisms for ensuring risk management decisions are up to date and
robust, and stand up to stakeholder scrutiny.
Reporting process updates to management and others charged with governance
(ACCA Global).
How does risk management differ between the public and private sectors?
Focus of the risk register
Private sector risk registers often focus on the threats that a risk could pose to the
company's revenue. Public sector registers share some of this focus, but are more likely to
concentrate on risks that could affect the organisation's ability to deliver its mandate
cost-effectively, and on the impact of new government legislation as it arises.
Fraud
Public sector organisations focus on the misappropriation of cash and other assets, whereas
in the private sector a certain level of corporate theft may be accepted as a cost of doing
business.
Cyber security
A cyber breach damages the competitive edge of a private sector organisation; the PageUp
breach is a good example of a private sector cyber-security breach. The public sector must
also consider reputational risk and the protection of stakeholders who cannot take their
business elsewhere, whereas in the private sector a customer can simply switch providers.
How can public sector organisations enhance their risk posture?
Public sector organisations need to target the risk assessment first at the enterprise level.
They need to map out which risks are potentially the most damaging to the organisational
goals. That is the primary question that needs to be addressed before the organisation
starts restructuring its processes, so that the organisation covers its bases before building
on them.
Risk management workshops are where audit committees and board members can
challenge the organisation’s understanding of its own risk profile.
Risk management in the public sector
The South African public sector is transforming at a rapid rate, and this increases its
exposure to risks and opportunities that may impair or promote the achievement of its
objectives.
Risk management focuses on reducing, minimising and controlling the probability and
impact of a negative occurrence, and/or increasing the probability and impact of a positive
occurrence.
There are various methods of risk management; some of them use the same approaches,
concepts and tools as a classic risk management process. Our TIS Holdings experts have
accumulated specific knowledge and expertise in the public sector, which is an essential
driver for a successful implementation of risk management in the public sector using
specific tools such as BarnOwl and QPR risk management software.
1. Policy, monitoring and evaluation
Governments need to take decisions based on policy and procedure. Government officials
are expected to understand the current situation, potential needs and developments, and
the agendas of all stakeholders. It is recommended that officers who are responsible for
managing projects should minimise risk factors by first understanding the risk management
process. A risk and vulnerability analysis should be prepared, along with poverty assessment
surveys, to identify the probability and impact of the risks.
Recommendations:
TIS Holdings has a team of policy advisors experienced in the preparation as well as the
evaluation of policies and procedures. Our teams specialise in the evaluation of
methodologies on the one hand, and in specific key performance areas such as healthcare,
finance, defence and security, and innovation on the other.
2. Regulatory impact on society
Those charged with governance are expected to act in the interest of their political
stakeholders and to identify, evaluate and respond to the entity's risks, including those
relating to compliance with laws, regulations and financial reporting. Stakeholders expect
those charged with governance of an entity to manage strategic and environmental risks
and to put controls in place to deal with such risks.
Our advice:
TIS Holdings has a team of experienced professionals able to develop effective and efficient
solutions with impact, adapted to a complex, flexible and ever-changing society.
3. Good governance and information risk
Lately, it appears that the public sector approach to managing risk is maturing, and
probably just in time to meet the challenges of shared services.
Information risk is no longer solely the responsibility of a security manager in IT. Building
information risk management into the routine operating processes of each department or
entity will pay real dividends by ensuring that the control frameworks set out by National
Treasury act as an enabler rather than an obstacle.
Advisory on governance and internal audit:
Our team has developed a multidisciplinary methodology to assess the level of good
governance in the public sector. Based on our best-practice models, we can develop tailored
governance models at the strategic level as well as at the operational level.
TIS Holdings has a team of experts in implementing internal audit within the public sector
environment.
Key to a successful working relationship is the selection of a partner that understands the
culture of the people and the department or departments involved, and that works with the
relevant officials and decision makers.
The integrated risk management framework delivers on the commitment set out in the
National Treasury risk management framework to strengthen risk management practice
within the public service.
The National Treasury risk management framework advances the development and
implementation of modern management practices and supports innovation throughout the
public service. It promotes a holistic approach to better integrate risk management into
strategic decision making.
TIS Holdings helps public entities apply the framework to strengthen management practice,
decision-making and priority setting to better respond to community needs, thereby:
Supporting the government's governance responsibilities by ensuring that significant
risk areas associated with policies, plans, programmes and operations are identified and
assessed, and that appropriate measures are in place to address unfavourable impacts
and to benefit from opportunities.
Improving results.
Strengthening accountability.
Enhancing stewardship.
Together these strengthen the public service's capability to safeguard people, government
property and interests.
Integrated risk management requires an ongoing assessment of potential risks for an
organisation at every level, and then aggregating the results at the corporate level to
facilitate priority setting and improved decision-making.
Integrating risk management into decision-making
While each organisation will find its own way to integrate risk management into its existing
decision-making, the following areas might require some attention:
Introducing risk management components into existing strategic planning and
operational processes;
Communicating corporate direction on acceptable level of risk; and
Improving control and accountability systems and processes to take into account
risk management and results.
Conclusion
Finally, one of the greatest challenges to public sector risk management is the nature of
organisational leadership. Elected officials typically have a limited tenure and spend much of
that time educating themselves about the nature of risk they face.
It is important that senior management and politicians are made aware of the opportunity
cost of not managing risk.
Risk management: common challenges
a) Managing risk is everyone's job. The board, senior management and other line
managers must remove the misconception that the CRO is the only person responsible
for risk. Risk has to be an enterprise-wide concern. Raising awareness and owning risks
within operations to establish a risk-aware culture is therefore imperative to a
successful implementation of the CRO's function.
b) Failure to include risk management in the performance agreements of management.
c) Failure to embed risk management in the daily functioning of public sector
organisations.
d) Lack of interest in, or understanding of, day-to-day risk management, e.g. the
terminology used by the CRO.
e) Management struggles to assess risks effectively across the public sector
organisation.
f) Management fails to identify interdependencies in risk management.
g) Management does not value risk management as a discipline equal in importance to
the pursuit of opportunity, sees it as a mere compliance function, or worse, as a
blocker to getting things done.
RISK MANAGEMENT IN PUBLIC SECTOR ORGANISATIONS:
A CASE STUDY
Karolina Zofia Kapuscinska and Marek Matejun
Lodz University of Technology, Poland
The evolution of the approach to public sector organizations, demonstrated in the concepts
of New Public Management and Lean Government, among others, assumes the introduction
into the public sector of market rules of operation and management methods that
originated in business organizations. An important area for such changes is the development
of measures and management control procedures, which is emphasized, among others, in
the 3ms concept and is manifested in the growing importance of risk management. The
activities of public sector organizations are strongly tied to the presence of risks that need
to be identified, analysed, evaluated, monitored and controlled as part of the risk
management process.
Given the above, the aim of the present article is to discuss the unique characteristics and
the basic tenets of risk management in public sector organizations and to present an example
of practical implementation of this concept in a selected organization. This objective is
achieved through a review of the literature and a study conducted in the form of a case study
at the Lodz University of Technology, a purposefully selected public university in central
Poland. The empirical part of the article contains a presentation of the adopted organizational
solutions pertaining to risk management and the role of risk in organizations, as well as a
formulation of two research hypotheses that are to be verified in the course of further
research by the authors.
What is a risk assessment?
Broadly speaking, a risk assessment is the combined effort of identifying and analysing
potential (future) events that may negatively impact individuals, assets, and/or the
environment (i.e. risk analysis); and making judgments "on the tolerability of the risk on the
basis of a risk analysis" while considering influencing factors (i.e., risk evaluation). Put in
simpler terms, a risk assessment analyses what can go wrong, how likely it is to happen,
what the potential consequences are, and how tolerable the identified risk is. As part of this
process, the resulting determination of risk may be expressed in
a quantitative or qualitative fashion. The risk assessment is an inherent part of an
overall risk management strategy, which attempts to, after a risk assessment, "introduce
control measures to eliminate or reduce" any potential risk-related consequences.
The purpose of risk assessment
Employers in each workplace have a general duty to ensure the safety and health of workers
in every aspect related to their work. The purpose of carrying out a risk assessment is to
enable the employer to take the measures necessary for the safety and health protection of
workers.
These measures include:
Prevention of occupational risks;
Providing information to workers;
Providing training to workers;
Providing the organisation and means to implement the necessary measures.
Whilst the purpose of risk assessment includes the prevention of occupational risks, and this
should always be the goal, it will not always be achievable in practice. Where elimination of
risks is not possible, the risks should be reduced and the residual risk controlled. At a later
stage, as part of a review programme, such residual risk will be reassessed and the
possibility of elimination of the risk, perhaps in the light of new knowledge, can be
reconsidered.
The risk assessment should be structured and applied so as to help employers to:
Identify the hazards created at work and evaluate the risks associated with these
hazards, to determine what measures they should take to protect the health and safety
of their employees and other workers, having due regard to legislative requirements;
Evaluate the risks in order to make the best informed selection of work equipment,
chemical substances or preparations used, the fitting out of the workplace, and the
organisation of work;
Check whether the measures in place are adequate;
Prioritise action if further measures are found to be necessary as a result of the
assessment;
Demonstrate to themselves, the competent authorities, workers and their
representatives that all factors pertinent to the work have been considered, and that
an informed valid judgment has been made about the risks and the measures necessary
to safeguard health and safety;
Ensure that the preventive measures and the working and production methods, which
are considered to be necessary and implemented following a risk assessment, provide
an improvement in the level of workers' protection.
What is the goal of risk assessment?
The aim of the risk assessment process is to evaluate hazards, then remove or minimise the
level of risk by adding control measures as necessary. By doing so, you create a safer and
healthier workplace.
The goal is to try to answer the following questions:
What can happen and under what circumstances?
What are the possible consequences?
How likely are those possible consequences to occur?
Is the risk controlled effectively or is further action required?
How do you plan for a risk assessment?
In general, determine:
What the scope of your risk assessment will be (e.g., be specific about what you are
assessing, such as the lifetime of the product, the physical area where the work
activity takes place, or the types of hazards).
The resources needed (e.g., train a team of individuals to carry out the assessment,
the types of information sources, etc.)
Who are the stakeholders involved (e.g., manager, supervisors, worker
representatives, suppliers, etc.)
What relevant laws, regulations, codes, or standards may apply in your jurisdiction,
as well as organisational policies and procedures?
Risk assessment steps
There are certain logical steps to take when carrying out a risk assessment:
1. Look for the hazard.
2. Decide who might be harmed and how.
3. Evaluate the risks arising from the hazards and decide whether existing precautions are
adequate or more should be done.
4. Record the findings.
5. Inform colleagues of your findings.
6. Review your assessment from time to time and revise it if necessary.
Types of risk assessments
There are two types of risk assessment:
1. Qualitative: a subjective assessment, based upon personal judgement backed by
generalised data about the risk.
2. Quantitative: an objective probability estimate, based upon known risk information
applied to the circumstances being considered.
The two types of risk assessment (qualitative and quantitative) are not mutually exclusive.
Qualitative assessments are easier to make and are the ones required for legal purposes.
When there are types of work, whose hazards and risks are similar in different workplaces
or physical areas, a general risk assessment can be made.
Benefits of Risk Assessment
• To enable control measures to be devised.
• To gain an idea of the relative importance of risks.
• To take decisions on controls which are cost effective and appropriate.
How are risks ranked or prioritized?
Ranking or prioritizing hazards is one way to help determine which risks are the most serious
and thus which to control first. Priority is usually established by taking into account
employee exposure and the potential for an incident, injury or illness. By assigning a
priority to the risks, you are creating a ranking or an action list.
There is no one simple or single way to determine the level of risk. Nor will a single
technique apply in all situations. The organisation has to determine which technique will
work best for each situation. Ranking hazards requires the knowledge of the workplace
activities, urgency of situations and most importantly objective judgement.
For simple or less complex situations, an assessment can literally be a discussion or
brainstorming session based on knowledge and experience. In some cases, checklists or a
probability matrix can be helpful. For more complex situations, a team of knowledgeable
personnel who are familiar with the work is usually necessary.
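To show how a probability/severity matrix turns a list of identified risks into the ranked action list described above, and how the earlier steps of identification, analysis, evaluation and treatment (tolerate, treat, transfer, terminate) fit together in practice, here is an added Python example. It is not code from the original document or from any of the organisations it cites. The register entries, the 5x5 scale labels, the band boundaries and the risk-appetite threshold are constructed assumptions chosen for illustration; a real organisation sets its own.

```python
"""Score a constructed risk register with a 5x5 likelihood/severity matrix
and produce a prioritised action list.

Added example, not code from the original document. The register entries,
scale labels, band boundaries and risk appetite are assumptions chosen for
illustration; a real organisation would define its own.
"""
from dataclasses import dataclass
from typing import List

# Qualitative scales, 1 (lowest) to 5 (highest). The labels are assumptions.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
SEVERITY = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}

# Upper bound of each band on the matrix score (likelihood * severity, 1..25).
# Assumed boundaries: 1-4 low, 5-9 medium, 10-16 high, 17-25 critical.
BANDS = ((4, "low"), (9, "medium"), (16, "high"), (25, "critical"))


@dataclass
class Risk:
    """One entry in the risk register (the risk identification step)."""
    ident: str
    description: str
    likelihood: int
    severity: int

    def __post_init__(self) -> None:
        # Reject ratings outside the matrix rather than silently mis-scoring them.
        if self.likelihood not in LIKELIHOOD or self.severity not in SEVERITY:
            raise ValueError(f"{self.ident}: likelihood and severity must be 1..5")


def score(risk: Risk) -> int:
    """Risk analysis step: the matrix cell is likelihood multiplied by severity."""
    return risk.likelihood * risk.severity


def band(value: int) -> str:
    """Map a matrix score onto its qualitative band."""
    for upper, name in BANDS:
        if value <= upper:
            return name
    raise ValueError(f"score {value} is outside the 1..25 matrix range")


def treatment(value: int, appetite: int) -> str:
    """Risk evaluation step: choose a response against the risk appetite,
    expressed as the highest matrix score the organisation will tolerate."""
    if value <= appetite:
        return "tolerate"
    if band(value) == "critical":
        return "terminate or transfer"  # too severe to simply treat in place
    return "treat"


def prioritise(register: List[Risk], appetite: int) -> List[dict]:
    """Build the action list: every risk scored, banded and sorted with the
    highest score first. Equal scores are broken in favour of the higher
    severity, so a rare catastrophe outranks a frequent nuisance."""
    rows = []
    for risk in register:
        value = score(risk)
        rows.append({
            "id": risk.ident,
            "score": value,
            "band": band(value),
            "treatment": treatment(value, appetite),
            "severity": risk.severity,
            "description": risk.description,
        })
    rows.sort(key=lambda row: (row["score"], row["severity"]), reverse=True)
    return rows


# Constructed sample register (illustrative, not real data).
SAMPLE_REGISTER = [
    Risk("R1", "Unpatched internet-facing web server", likelihood=4, severity=4),
    Risk("R2", "Loss of a laptop holding customer PII", likelihood=3, severity=4),
    Risk("R3", "Staff credentials stolen by phishing", likelihood=5, severity=3),
    Risk("R4", "Office coffee machine out of service", likelihood=4, severity=1),
    Risk("R5", "Ransomware encrypts shared file servers", likelihood=3, severity=5),
    Risk("R6", "Outage at a SaaS vendor", likelihood=2, severity=3),
]
RISK_APPETITE = 6  # assumed: scores of 6 or below are accepted without treatment


if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER, RISK_APPETITE):
        print(f'{row["id"]}  score={row["score"]:2d}  {row["band"]:8s}  '
              f'{row["treatment"]:22s} {row["description"]}')
```

Running the script lists R1 (score 16) first and the two tolerated risks (R6, R4) last. The tie-break on severity is the design choice worth noting: with a plain product the phishing risk (5x3) and the ransomware risk (3x5) would sort arbitrarily, whereas here the higher-impact event comes first, which matches how most organisations want an action list ordered.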
Below is a simple example of a risk matrix table showing the relationship between
probability and severity.
Table 1: Risk matrix