Chapter 3: Risk Maturity Matrix
1. Capacity in the risk management function
Risk management needs time and resources to ensure its effective application. Many local municipalities do not have the budget and/or skills to implement risk management in its full context. To this end, municipalities are required to complete a risk management capacity assessment. The results will influence the extent to which risk assessment is implemented. Municipalities should therefore evaluate their capacity, skills and budget, and the following template could be used to inform the municipal manager’s decision-making process. It is strongly recommended that the first three lines of assurance (Risk Owners, Risk Management, and Internal Audit) complete the assessment to allow the municipal manager to make an informed decision during strategic and operational planning. It also forms the basis of combined assurance. This assessment should be completed irrespective of the maturity status of a municipality.
Capacity, skills and budget – risk management | 1 LOA: Yes/no | 2 LOA: Yes/no | 3 LOA: Yes/no
(Each element below is answered Yes or no by each of the first three lines of assurance.)
Capacity
1 The risk management structure is appropriate for the size and complexity of the functions within the municipality.
2 Job descriptions and performance agreements define the tasks required to accomplish particular jobs/fill the various positions.
3 Specific lines of authority and responsibility are established to ensure compliance with legislation and regulations relating to risk management.
Skills
3 High-level analyses are performed on an annual basis of the knowledge, skills and abilities needed to perform risk management responsibilities appropriately.
5 Demonstrated risk management ability in general management and extensive practical risk management experience in operating departments.
6 Council understands the importance of internal controls, including the division of responsibility/delegation of authority.
7 Regular risk management employee evaluations are documented and shared with employees.
8 The municipality continuously provides the mentoring and training opportunities needed to attract, develop and retain sufficient and competent staff.
9 The municipality checks credentials, references and past work experience of potential new employees. Background checks are conducted on candidates for employment.
10 Effective policies and procedures exist for hiring, orienting, training, evaluating, counselling, promoting, compensating, disciplining and terminating risk management employees.
Budget
12 The risk management function has sufficient budget to perform its responsibilities.
Template 1: Assessment for skills, capacity and budget
2. Maturity matrix to assess maturity of a municipality
A maturity matrix should be simple and easy to apply. The following model serves the purpose of simplicity and is widely used to assess risk management maturity⁷.
The maturity assessment forms the basis of this framework. The extent to which risk management will be implemented in a municipality is directly aligned with its culture, capacity and capability to do so, and is therefore aligned with its risk management maturity.
Diagram 3: Components of the maturity assessment
Oversight
• Risk culture
• Risk strategy and appetite
• Risk governance
Systems
• Risk resources and infrastructure
• Risk monitoring and reporting
Processes
• Risk identification
• Risk assessment
• Risk management
In this model the maturity of risk management is evaluated on three levels, as depicted in the table below. The model differentiates between: a. Risk oversight; b. Risk systems; and c. Risk processes.
The following table reflects some of the roles of the different lines of assurance, which are then used to assess the maturity of the municipality by applying a maturity index.
________________________
⁷Deloitte: Enterprise risk management – A risk intelligent approach. Deloitte Advisory August 2015.
Columns: Three levels of risk maturity assessment | Five lines of assurance | Technology

Risk governance (assessment A)
Municipal Council and the Audit Committee:
• Foster a risk intelligent culture;
• Approve the risk appetite;
• Ratify key components of the integrated risk management program; and
• Routinely discuss municipal risks with executive management.

Risk infrastructure and management (assessment B)
Executive management:
• Defines the risk appetite;
• Evaluates proposed strategies against the risk appetite; and
• Provides timely risk-related information by aggregating risk information, identifying and assessing municipal risks, determining risk response strategies, and monitoring risks and risk response plans.
Senior management:
• Aggregate risk information;
• Identify and assess risks;
• Determine risk response strategies; and
• Monitor risks and risk response plans.
Risk management:
• Creates a risk methodology;
• Provides direction and training on the use of the methodology; and
• Implements and manages technology systems for risk assessment.
Internal audit:
• Provides assurance on the risk management process, the risk response plan for critical risks, and the risk and control matrix.

Risk ownership (assessment C)
Municipal process owners:
• Take intelligent risks;
• Identify and assess risks;
• Respond to risks; and
• Monitor risks and report to executive management.

Technology – information technology on a pervasive basis:
• Provides dashboards to oversee risks on a real-time basis;
• Improves monitoring and reporting of risks;
• Supports timely maintenance and pre-empts potential problems; and
• Facilitates risk escalations.

Table 2: The five lines of assurance in the maturity assessment
3. Maturity index (rating scale)
Each of the elements above is then measured on a five-point scale:
Maturity rating 1 – Basic risk management
• Response to ad-hoc, high incidences of liquidity problems, irregular expenditure, high levels of wastage, increased vacancies in key positions and a lack of consequence management;
• Continual “fire fighting”; and
• Risk identification depends on individual capabilities and verbal wisdom.
Maturity rating 2 – Fragmented risk management
• Independent risk management activities;
• Limited focus on linkages between risks;
• Limited alignment of risks to strategies; and
• Disparate monitoring and reporting functions.
Maturity rating 3 – Compliant risk management
• Implemented risk management framework, policies and training programs;
• Routine risk assessments with a dedicated risk manager;
• Communication of top strategic risks to Council; and
• Knowledge sharing across risk activities.
Maturity rating 4 – Integrated risk management
• Coordinated risk management across different silos;
• Risk appetite is fully defined;
• Municipal-wide monitoring, measuring and reporting;
• Technology designed and implemented for real-time measurement; and
• High correlation between risk assessment and audit activities.
Maturity rating 5 – Risk intelligent
• Risk management embedded in strategic planning, capital and budget allocations, and resource planning;
• Application of risk-bearing capacity principles in planning;
• Balance between risk taking (value creation) and risk mitigation (for potential value destruction);
• Linkage to performance measures and performance bonuses;
• Risk modelling and what-if analysis;
• Risk management applied in all decision-making;
• Early warning indicators used; and
• Industry benchmarking.
Table 3: Rating scale for maturity index
The assessment methodology applied in the following table illustrates three levels of assessment (Assessment A: Oversight; Assessment B: Systems; and Assessment C: Processes) to assist in determining a municipality’s maturity. For ease of application, the five risk maturity ratings have been condensed into three, namely Fragmented (Basic/Fragmented), Integrated (Compliant/Integrated) and Risk Intelligent. The rating should be applied as follows:
i. Use the risk elements in column 1 and measure the current status of the municipality by comparing its own risk management to the descriptions under the headings of fragmented, integrated and risk intelligent.
ii. Award 1 mark for a fragmented rating, 2 marks for an integrated rating, and 3 marks for a risk intelligent rating.
iii. Aggregate the marks once all the ratings have been completed. Note that there are 22 elements that should be rated.
Diagram 4: Maturity status
If the total score is between 22 and 33, the risk management within your municipality is rated as fragmented. If the score is between 34 and 48, your risk management is rated as integrated, and if the score is between 49 and 66, the risk management has a status of risk intelligent.
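The scoring steps above (1, 2 or 3 marks per element, 22 elements, totals banded at 22–33, 34–48 and 49–66) can be carried out mechanically. The following Python helper is an added example and is not part of the framework document; it assumes only the scheme as stated here, and the sample ratings at the bottom are constructed for illustration. It validates that exactly 22 elements were rated, rejects unknown rating labels, lists the elements rated Fragmented (the ones whose remediation moves the total fastest), and checks that the three bands are contiguous and cover every total that 22 elements can produce.

```python
from collections import Counter

ELEMENT_COUNT = 22  # the framework states 22 elements are rated

# Step ii: marks awarded per condensed rating
MARKS = {"fragmented": 1, "integrated": 2, "risk intelligent": 3}

# Bands for the aggregated total, inclusive, as stated in the text
BANDS = (
    (22, 33, "Fragmented"),
    (34, 48, "Integrated"),
    (49, 66, "Risk intelligent"),
)


def normalise(rating):
    """Map a rating label to its MARKS key, tolerating case and spacing."""
    key = " ".join(rating.strip().lower().split())
    if key not in MARKS:
        raise ValueError(f"unknown rating {rating!r}; expected one of {sorted(MARKS)}")
    return key


def aggregate_marks(ratings):
    """Steps ii and iii: convert the element ratings to marks and sum them.

    An incomplete or over-long list is refused, because the bands are only
    meaningful for exactly 22 rated elements."""
    if len(ratings) != ELEMENT_COUNT:
        raise ValueError(f"expected {ELEMENT_COUNT} element ratings, got {len(ratings)}")
    return sum(MARKS[normalise(r)] for r in ratings)


def maturity_status(total):
    """Map an aggregated total to its maturity status band."""
    for low, high, name in BANDS:
        if low <= total <= high:
            return name
    raise ValueError(f"total {total} lies outside the achievable range 22-66")


def assess(ratings):
    """Full run: returns (total marks, status, count of each rating label)."""
    total = aggregate_marks(ratings)
    counts = Counter(normalise(r) for r in ratings)
    return total, maturity_status(total), dict(counts)


def fragmented_elements(ratings):
    """1-based positions of elements rated Fragmented. Lifting any one of
    them to Integrated adds one mark to the total, so this is the natural
    remediation list."""
    return [i for i, r in enumerate(ratings, 1) if normalise(r) == "fragmented"]


def bands_are_consistent():
    """Check that the bands are contiguous and span exactly the totals that
    22 elements can produce (22 * 1 up to 22 * 3)."""
    lows = [b[0] for b in BANDS]
    highs = [b[1] for b in BANDS]
    contiguous = all(highs[i] + 1 == lows[i + 1] for i in range(len(BANDS) - 1))
    return (contiguous
            and lows[0] == ELEMENT_COUNT * min(MARKS.values())
            and highs[-1] == ELEMENT_COUNT * max(MARKS.values()))


if __name__ == "__main__":
    # Constructed sample: 10 elements Fragmented, 9 Integrated, 3 Risk intelligent
    sample = ["Fragmented"] * 10 + ["Integrated"] * 9 + ["Risk intelligent"] * 3
    total, status, counts = assess(sample)
    print(total, status, counts)        # 37 Integrated
    print(fragmented_elements(sample))  # [1, 2, ..., 10]
    print(bands_are_consistent())       # True
```

The band check is worth keeping in any spreadsheet or script that implements this index: the boundaries 33/34 and 48/49 are only valid while the element count stays at 22, and a municipality that adds or drops elements from column 1 must re-derive them.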
The diagram below illustrates the calculation of the maturity status.
Diagram 5: Calculation of maturity
Risk elements (Oversight: risk culture, risk strategy and appetite, risk governance; Systems: risk resources and infrastructure, risk monitoring and reporting; Processes: risk identification, risk assessment, risk management) × maturity rating scale (maturity ratings 1 to 5, condensed into Fragmented, Integrated and Risk intelligent) = maturity status (Fragmented, Integrated or Risk intelligent).
Assessment A: Risk governance
The key driver for a municipality’s risk management maturity is the attitude that the municipal council, its audit committee and senior management take towards the role of risk management, assessed as follows: