Enterprise risk management (ERM) entails the processes and procedures applied to mitigate uncertainties that could impact the achievement of objectives. New public management introduced business practices such as ERM to the public sector, which was adopted by the South African government across all three spheres of government including municipalities. Local government is obliged to implement ERM because of legislative requirements, National Treasury prescripts and the adoption of the King IV Code of Corporate Governance.
This article discusses ERM within the public sector and provides the contextualisation of ERM. It sets out the ERM structure, roles and responsibilities required by legislation and good corporate governance. Recommendations to improve ERM are provided.
Within the South African local government.
This study adopted a qualitative research approach and applied a research method based on desktop analysis of literature and secondary data sources using unobtrusive research techniques.
Reference is only made to risk in relation to financial management in municipal legislation. National Treasury has guided ERM through the Public Sector Risk Management Framework. The King IV Code provides guidance to local government councils regarding risk governance.
The current legislative framework does not provide adequate guidance for effective ERM. Focus is placed on controls and compliance, which undermines ERM’s potential contribution to value creation. ERM within local government has little predictive value and has limited contribution in ensuring objectives are achieved.
The application of enterprise risk management (ERM), which can be defined as within organisations, private and public, has become a common practice. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM:
Enterprise risk management emerged as a concept and as management function within corporations in the mid-1990s (Dickinson
This research followed a qualitative approach in which literature and secondary data were analysed through unobtrusive research techniques. The non-reactive techniques applied, which include conceptual, content and historical or comparative analysis (Auriacombe
This article aims to discuss the origins of ERM within the public sector and provides the contextualisation of ERM within the South African government. It sets out the structure, roles and responsibilities required by legislation and the good corporate governance requirements for ERM in local government. Recommendations for further consideration to improve ERM are provided.
The NPM movement emerged in the late 1970s and 1980s. According to Kisner and Vigoda-Gadot (
The NPM had modernisation as its primary agenda and incorporated practices from the private sector in the pursuit of public sector efficiency. In doing so, NPM drew heavily upon private sector performance criteria and practices (Lapsley
The introduction of risk management in the public sector as part of these reforms was heavily influenced by private sector disasters such as the collapse of Barings bank and corporate failures such as WorldCom and Enron. The adoption of risk management was considered to offer public service managers the ability to balance the need to be entrepreneurial, while still focusing on avoiding unnecessary failures. According to Lapsley (
In the South African context, no single trigger for public finance management (PFM) reforms as part of the NPM can be identified; however, the primary identified driver of PFM reforms was political change (Pretorius & Pretorius
As a result of the numerous criticisms levelled at NPM, many Anglo-Saxon countries (including South Africa) introduced post-NPM reforms at the end of the 1990s. These new paradigms, which have been identified by scholars in Public Administration, include good (or sound) governance, the Neo-Weberian state, Public Value Management, New Public Governance (NPG) and Digital-Era Governance, to name the most prominent ones (De Vries & Nemic
Increased international demand for good governance has resulted in the discipline of ERM rising to further prominence. The Singapore Code of Corporate Governance, for example, introduced the concept of risk governance as a key principle 2 to the Code as it recognised ‘…that good risk management goes hand-in-hand with good corporate governance’ (PWC
The linkage between governance and risk management in local government is confirmed by the Auditor-General in the ‘Consolidated general report on the local government audit outcomes MFMA 2019-20 report’ when he reported that the municipal governance structures assisted the Overstrand municipality to adequately respond to key risk areas and proactively address identified deficiencies (Auditor-General South Africa
The word ‘risk’ is common and widely used in everyday vocabulary, covering such divergent matters as personal circumstances (health, investments and adventurous activities), societal matters (economic conditions and military food security) and organisational matters (corporate governance, strategy and business continuity). Haimes (
Risk is herein seen in the context of enterprise-wide risk management (ERM) which is defined by the International Organization for Standardization (ISO) in Standard 31000:2018 as being ‘the effect of uncertainty on objectives’. This definition is closely aligned with that provided by the King IV Report on Governance for South Africa (IODSA
South Africa is a constitutional democracy with a three-tier system of government and an independent judiciary. The national, provincial and local levels of government are defined in the
The purpose of local government is to provide democratic and accountable government to local communities and to ensure the provision of services to communities in a sustainable manner. In addition, the aim of the local government is to promote social and economic development, a safe and healthy environment and to encourage the involvement of communities and community organisations in the matters of local government (Sections 152, 153 and 154 of the Constitution). The Constitution (section 152) recognises that not all municipalities have the same capabilities or resources and provides for a caveat for the objectives, namely, that a municipality must achieve these objectives within its financial and administrative capacity. The Constitution provides for, in section 195,
The preamble of the
The only reference in legislation governing local government that addresses risk management is found in section 62 of the MFMA, which requires the Accounting Officer (AO) to take reasonable steps to ensure that the resources of the municipality are used effectively, efficiently and economically. In order to do so, the AO must ensure that full and proper records of the financial affairs of the municipality are kept and that the municipality has and maintains effective, efficient and transparent systems of financial and risk management and internal control (MFMA 2003:73). The MFMA further prescribes in section 165 that an internal audit unit should be established, which must:
prepare a risk-based audit plan and an internal audit program for each financial year;
advise the accounting officer and report to the audit committee on the implementation of the internal audit plan and matters relating to internal audit; internal controls; accounting procedures and practices; risk and risk management. (MFMA 2003:153)
Section 166 of the MFMA requires the municipality to establish an audit committee which should be an independent advisory body that must advise the municipal council, political office-bearers, the AO and the management of the municipality on matters related to,
The roles related to ERM within local government are divided between the exercise of oversight to ensure its effectiveness and that of implementation and its day-to-day operation.
Risk oversight in local government has been vested in an audit committee, which usually is referred to as an audit and risk committee, as it has also been tasked to exercise oversight of ERM from a governance perspective. In local government, an audit committee must be established in terms of Section 166 of the
The audit committee is the only committee recognised in local government legislation as being responsible for the oversight of risk management. In terms of the revised Treasury Internal Audit Framework, risk management is an essential part of effective corporate governance and while it is a management responsibility, management expects the audit committee to oversee and provide advice on the organisation’s risk management (National Treasury
Whether management has a comprehensive risk management framework.
Whether a sound and effective approach has been followed in developing strategic risk management plans.
The impact of the organisation’s risk management framework on the control environment.
The organisation’s fraud prevention plan, in order to be satisfied that the organisation has appropriate processes and systems in place to capture, monitor and effectively investigate fraudulent activities (National Treasury
The audit committee is the only committee recognised in the MFMA as being responsible for the oversight of risk management. National Treasury (
The responsibility for implementing an effective risk management system lies with the AO, who is also responsible for creating an enabling environment for the management of risks and ensuring that the necessary risk management framework and process is implemented to achieve the municipality’s objectives. According to Treasury, the high-level risk management responsibilities of the AO include,
Setting the tone at the top by supporting ERM and allocating resources for its functioning.
Establishing the necessary structures and reporting lines to support ERM.
Approving the risk management strategy, risk management policy, risk management implementation plan and fraud risk management policy.
Approving the municipality’s risk appetite and risk tolerance.
Influencing a ‘risk aware’ culture and approving a code of conduct.
Holding management accountable for integrating risk management principles into their day-to-day activities.
Ensuring that a conducive control environment exists to ensure that identified risks are proactively managed.
Leveraging the audit committee, internal audit, RMC and other appropriate structures for assurance on the effectiveness of risk management and acting upon their recommendations.
Providing appropriate leadership and guidance on various aspects of risk management (National Treasury
Although there are many role-players in the typical risk management process, the MFMA holds the AO responsible and accountable for risk management. Some of the responsibilities attached to this accountability arrangement may be delegated to other officials, for example, senior managers, line managers or technical specialists. Section 24 of the Public Sector Risk Management Framework makes provision for the AO to appoint an RMC to assist them to discharge their responsibilities for risk management. According to the Guide for an RMC issued by the National Treasury, such a committee is defined as ‘an oversight committee responsible to the Accounting Authority/Officer for the monitoring of risk management (i.e. to assist in designing, implementing and coordinating the institution’s risk management initiatives)’ (National Treasury
The role of the RMC in local government is not that of a board-level committee, but a committee established to advise the AO on risk-related matters. The risk management committee has several high-level responsibilities, including:
Review the risk management policy and strategy.
Review the risk appetite and tolerance and recommend them for approval by the AO.
Review the institution’s risk identification and assessment methodologies to obtain reasonable assurance of the completeness and accuracy of the risk register.
Develop goals, objectives, and key performance indicators to measure the effectiveness of the risk management activity.
Provide proper and timely reports to the AO on the state of risk management, together with aspects requiring improvement accompanied by the Committee’s recommendations to address such issues (National Treasury
According to National Treasury, the primary responsibility of the chief risk officer (CRO) is to assist the institution to embed risk management and leverage its benefits to enhance performance. In this regard, the CRO is accountable to the AO (National Treasury
Internal auditing should be an independent, objective assurance and consulting activity. Its core role regarding ERM is to provide objective assurance to the municipal council and management on the effectiveness of risk management practice (IIA
Reviewing the risk management policy, strategy, fraud prevention plan, risk reporting lines and the values that have been developed for the institution.
Reviewing the appropriateness of risk tolerance levels for the municipality given its risk profile.
Assuring the design and functioning of the control environment, information and communication systems and monitoring systems.
Providing assurance over the institution’s risk identification and assessment processes and the effectiveness of internal controls to mitigate identified risks.
Utilising the results of the risk assessment to develop long term and current year internal audit plans (National Treasury
In addition to the legislated requirements for good governance and risk management within South African local government, other important guidelines and frameworks that address corporate governance and effective ERM exist, which need to be considered.
Although not legislated, the importance of corporate governance codes and risk management frameworks should not be underestimated. In South Africa, as is the case internationally (the UK Corporate Governance Code 2018 and ISO 37000, for example), there has been a move away from a rule-driven approach to governance to one that is based on principle. In these codes, as is the case in the fourth report on Corporate Governance released by the Institute of Directors of South Africa in 2016 (King IV), good governance is about leadership and applying sound principles, not mindless compliance with requirements.
King IV refers to corporate governance as ‘the exercise of ethical and effective leadership by the governing body towards the achievement of the following governance outcomes:
Ethical culture
Good performance
Effective control
Legitimacy’ (IODSA
King IV, unlike earlier codes (King codes I–III, which applied only to business entities), is also applicable to the public sector. This is particularly demonstrated by its use of the term ‘governing body’ instead of ‘board’ when referring to the structure that has primary accountability for the governance and performance of an organisation. King IV indicates that the definition of a governing body includes ‘… among others, the board of directors of a company, the board of a retirement fund, the accounting authority of a state-owned entity and a municipal council’ (IODSA
King IV can be summarised as follows: an ethical governing body will provide leadership to the organisation and, through the application of recommended practices to implement good corporate governance principles, the desired outcomes will be attained. King IV identifies 17 principles, of which 16 are universally applicable to all organisations including local government. In addition to the principles of good governance, King IV includes several supplements which provide high-level guidance and direction on how the code should be interpreted and applied within specific sectors and organisational types. Local government is addressed in part 6.2 – Supplement for municipalities. According to King IV (
Municipal good governance requirements.
Number | Summary |
---|---|
1. | Lead ethically and effectively |
2. | Govern ethics in a way that supports the establishment of an ethical culture |
3. | Ensure that the municipality is and is seen to be a responsible corporate citizen |
4. | Appreciate that |
5. | Ensure that reports issued enable stakeholders to make informed assessments |
6. | Serve as the focal point and custodian of corporate governance |
7. | Ensure appropriate balance on council to discharge governance role and responsibilities objectively and effectively |
8. | Ensure that delegation promotes independent judgement |
9. | Ensure the evaluation of its performance and that of its committees, its speaker and its councillors |
10. | Ensure the appointment of, and delegation to, management and contribute to role clarity and the effective exercise of authority and responsibilities |
11. | |
12. | Govern technology and information |
13. | Govern compliance in a way that supports being ethical and a good corporate citizen |
14. | Ensure fair, responsible and transparent remuneration |
15. | Ensure that assurance services and functions enable an effective control environment |
16. | Adopt a stakeholder-inclusive approach |
Author’s emphasis and summarisation.
The good governance principles in King IV that are explicitly applicable to the area of risk management include the following:
In the supplement for local government, King IV acknowledges that these recommended practices are subject to section 59 of the
As municipalities have no authority to appoint an auditor (the Auditor-General serves as the external auditor of all local authorities), the audit committee’s duties with regard to the appointment and independence of the auditor in terms of the code do not apply. The MFMA prescribes the structure and functions of the municipal audit committee and therefore these requirements prevail over the recommended practices in the Code. Where allowed by the legislation, however, King IV’s recommended practices with respect to the execution of the duties of the audit committee should be considered to supplement the minimum standard set by law (King IV
The South African Bureau of Standards (SABS) operates under the requirements of the
Key terms such as risk, risk management, stakeholder, risk source, event, consequence, likelihood and control are defined.
Principles are established, including that the primary purpose of ERM is to create and protect value. Eight further principles that should be considered when developing an organisation’s ERM framework are provided.
A framework by which ERM can be integrated into the organisation and its structures is introduced.
The risk management process, including the elements of risk identification, analysis, evaluation, treatment, monitoring and review as well as communication and consultation is addressed (Veltsos
The principle-based approach applied by ISO 31000:2018 is well aligned with the principles identified by King IV by which an organisation should be governed. The extent to which the principles, framework and risk management process have been effectively implemented in a municipality will determine its risk maturity.
The LGRMF also incorporates the requirements of King III and IV insofar as the management of risk is concerned. The LGRMF further states that it is ‘principle’ rather than ‘prescript’ based and ‘… adopts the approach of elucidating the principles, standards, models and practices proven to support and sustain effective risk management’ (National Treasury
The expressed purpose of the LGRMF is to support municipalities to improve and sustain their performance by enhancing their systems of risk management to protect against adverse outcomes and optimise opportunities (National Treasury
[…] municipalities should through the risk management process achieve, among other things, the following outcomes needed to underpin and enhance performance:
More sustainable and reliable delivery of services;
Informed decisions underpinned by appropriate rigour and analysis;
Innovation;
Reduction of waste (i.e. wasted resources, such as time and money);
Prevention of fraud and corruption, unauthorised, fruitless and irregular expenditure;
Better value for money through more efficient and effective use of resources; and
Better outputs and outcomes through the improved project and program management. (National Treasury
Chapter 3 of the LGRMF deals with risk maturity and a simplistic model of risk maturity is provided based on a rating scale with three levels, which will result in the municipality’s risk maturity being classified as fragmented, compliant or risk intelligent. (National Treasury
The LGRMF identifies the components of risk maturity as set out in
Components of risk maturity.
Components | Categories |
---|---|
Risk culture | Risk culture |
 | Risk strategy and appetite |
 | Risk governance |
Risk systems | Risk resources and infrastructure |
 | Risk monitoring and reporting |
Risk processes | Risk identification |
 | Risk assessment |
 | Risk management |
Assessing the maturity of a municipality’s risk management is of paramount importance as it determines whether the underlying key criteria that could impact the ability to achieve constitutional obligations have been mitigated. The risk maturity assessment, in its current form, is not comprehensive and would require further consideration to provide the level of insight and guidance to local government to improve ERM practices.
No direct reference to ERM is evident in South African municipal legislation – only reference to ‘risk’ which is raised in terms of financial management in the MFMA. However, there are several National Treasury requirements and corporate governance prescripts for ERM within local government in South Africa. The National Treasury’s Public Sector Risk Management Framework has been followed up by the LGRMF, which provides significantly improved guidance to local government on the implementation and management of risk. The LGRMF, in conjunction with the King IV requirements for good governance, addresses the requirements for ERM in local government in South Africa. The component of the LGRMF which deals with risk maturity however requires substantial further development and refinement to enable municipalities to identify shortcomings in ERM practice and implement improvements.
The authors declare that they have no financial or personal relationships that may have inappropriately influenced them in writing this article.
The work is based on doctoral research by C.E.W., under the supervision of D.N.-S.
Ethical clearance to conduct the study was obtained from the University of Johannesburg School of Public Management, Governance and Public Policy Research Ethics Committee (reference number: 2019SPMG09).
This research was funded by the supervisory linked bursary of the National Research Foundation.
Data sharing is not applicable to this article as no new data were created or analysed in this study.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of any affiliated agency of the authors.