Andre Nel CAE NW PIA- CIA, CCSA, CISA, RGA

1. Provincial Internal Audit perspective of the status in implementation of risk management in the province Andre Nel CAE NW PIA- CIA, CCSA, CISA, RGA

2. What do we want to achieve? • The objective of risk management?

3. Substance over form • It is the impact that matters not how we write it.

4. What are the risks that we have to manage? [1] • In terms of paragraphs 14 and 16 of the Public Sector Risk Management Framework, risk identification and assessment should be systematic and should focus on a comprehensive inventory of risks.

5. What are the risks that we have to manage?[2] • In terms of risk mitigation in response to risks, the Framework emphasizes the need to develop response strategies for all material risks, whether or not within management’s direct control.

6. What are the risks that we have to manage?[3] • Regular and effective monitoring processes in paragraph 20 of the PSRMF should ensure that risk management systems are in line with the Department’s plan, policy and strategy.

7. What risks are we talking about? • Unsatisfactory embedding of risk management due to lack of commitment to manage and report risk management -par. 10 (3) of PSRMF, • Risk of the Department’s identified risks being incomplete based on the approved APP - par. 14 (2) and (4) of PSRMF, • Compliance risks are not adequately identified/mitigated and aligned to specific legislative provisions - par. 13 (5) of PSRMF,

8. What risks are we talking about? • Risk of incorrect cause being identified which affects the nature and extent of mitigation interventions - par. 17 (1) of PSRMF, • Risk of risks being incorrectly assessed inherently - par. 16 (5) (a) of PSRMF, • Risk of incorrect assessment of controls, which would affect the residual rating and consequently extent of mitigation - par. 16 (5) (b) of PSRMF, (inclusive of incorrect control identification etc)

9. What risks are we talking about? • Incorrect development and application of the risk treatment matrix to ensure that the mitigation intervention is appropriate in relation to the risk appetite - par. 16 (5) (b) and 17 (4) of PSRMF, • Risk of inappropriate mitigating/ treatment plans developed (ie repeating current controls, treatment plans not responding to identified causes, treatment plans not assessed for practicality) - par. 17 and 18 of PSRMF,

10. What risks are we talking about? • Incorrect development and application of the risk treatment matrix to ensure that the mitigation intervention is appropriate in relation to the risk appetite - par. 16 (5) (b) and 17 (4) of PSRMF, • Risk of inappropriate mitigating/ treatment plans developed (ie repeating current controls, treatment plans not responding to identified causes, treatment plans not assessed for practicality) - par. 17 and 18 of PSRMF,

11. What risks are we talking about? • Inappropriate timeframes developed in alignment with the targets/ indicators in the APP. The timeframes should be in alignment with the APP to ensure that application of mitigation plans is timely - par. 17 (7) of PSRMF, • Failure by task owners to report adequately and effectively on risk managed- par. 19 (2) of PSRMF, • Inadequate and ineffective oversight by the Risk Management Committee - par. 24 of PSRMF.

12. The vision- internal and external

13. The risk identification and assessment process • Master risk management assessment • Strategic risk assessment • Operation assessment

14. Introspection One of the greatest attributes of any leader is the ability to do introspection.

15. The end • Be passionate, • have an inspired vision and share it, • never stop learning, and • motivate people to walk the road in search of excellence together with you. Andre Nel