1.

Introduction - Risk management

The evolution of the approach to public sector organisations is demonstrated in the concepts of New
Public Management (NPM) and Lean Government, among others, assumes introduction into the public
sector of market rules of operation and management methods that originated in business organisations.
An important area for such changes is the development of measures and management control
procedures, which is manifested in the growing importance of risk management.

Generally, organisations exist for their stakeholders and to fulfill the needs of their respective
stakeholders through a series of planned activities, operations and or projects. More often than not, these
activities, operations and projects are filled with uncertainties and opportunities thus making the
attainment of stakeholder needs a challenge. In the context of the current democratic dispensation, the
South African citizens are both stakeholders and stakeholders of the public service as an institution

The activities of public sector organisations are strongly tied to the presence of risks that need to be
identified, analysed, evaluated, monitored and controlled as a part of the risk management process.
Given the above, the aim of this module is to discuss the unique characteristics and the basic tenets of
risk management within the Department of Home Affairs. The department consist of two core functions;
Civics services and Immigration and other supporting functions. The Department of Home Affairs has
been receiving good publicity in the media. However, bad publicity has also been reported and this is an
indication there are some weaknesses that must be strengthen in order to minimize risks

Purpose

This programme This Unit Standard will be useful to learners who are elected political leaders and public
sector officials involved with the service delivery activities that require the use of public assets to render
services to the communities. It will also be useful to South Africa`s public officials and political executives,
strategic executive managers and other role-players. This Unit Standard enables the learner to apply the
core concepts of risk management and inform policy decision and strategic decision-making processes
about the importance of risk management in any sector.

At the end of training, learner will be capable to:

a) Explain risk management in the public sector.

b) Analyse potential risks and the impact thereof on the specific sector.
c) Developing and implementing risk management procedures.
d) Monitoring and assessing risk management procedures

Learning Outcomes

When the learners have completed this learning unit they will be able to:

a) explain the importance of risk management with reference to institutions that have failed
because of poor risk management;
b) explain the role of risk management in good governance with examples;
c) interpret the legislation relevant to risk management in the South African context with
examples;
d) analyse case studies to determine how typical risk scenarios have affected a specific sector
in the past.
1.1. The importance of risk management

Risk can arise from internal or external sources, and might include exposure to such things as:

• economic or financial loss or gain,

• physical damage,
• failure of a project to reach its objectives,
• client dissatisfaction,
• unfavourable publicity,
• a threat to physical safety,
• a breach of security,
• mismanagement,
• failure of equipment,
• fraud.

Risks should not necessarily be avoided. If managed effectively, they allow us to seize opportunities for
improving services and business practices. For example, with the client dissatisfaction previously
identified in the Public Service in general, the principles of Batho Pele have been developed and are in
the process of being implemented in order to address the perceived (or real) poor service standards
historically attributed to government departments. Risks can be categorised according to goals,
objectives or outcomes in the business's corporate, strategic or business plans. At the highest levels,
these represent risks to the department's ability to implement government policy.

1.2. Types of Risks

Quantitative risks are those that can clearly be quantified. They have an impact on time, people, money,
or other resources. An example could be lost revenue, lost production, or delayed time.

Qualitative risks are those that cannot easily be clearly quantified. This may be because you do not have
sufficient historical data to determine the likelihood of the risk and/or its impact is not understood well
enough for a qualitative impact to be associated with it.

1.3. Risks can be categorised into:

a) strategic risks (risks to the organisations' direction, external environment and to the achievement
of its plans);
b) commercial risks (such as failed contractual relationships);
c) operational risks (risks to core business activities, such as inadequate human resources, physical
damage to assets or threats to personal safety);
d) technical risks (risks of managing assets, such as equipment failure);
e) financial and systems risks (risks with financial controls and systems, such as fraud);
f) compliance risks (risks to meeting regulatory obligations).
1.4. What is risk management?

"Risk management is a management function, the object of which is the protection of people, assets and
earnings by avoiding or minimising the potential for loss from pure risk, and the provision of funds to
recover from losses that do occur."

The term 'risk management' is currently being utilised very widely within institutions. Safety, security,
disaster management, business continuity, insurance and internal audit are often referred to as 'risk
management.'
It is certainly true that these functions form part of the wider subject of risk management, but the term
'risk management' means a deliberate focus on all risks of an institution.

The term 'enterprise risk management' (ERM) has become a popular way of describing application of risk
management throughout the institution rather than only in selected business areas or disciplines. Risk
management is a management discipline with its own techniques and principles. It is a recognised
management science and has been formalised by international and national codes of practice, standards,
regulations and legislation.

Risk management forms part of management's core responsibilities and is an integral part of the internal
processes of an institution. It is a systematic process to identify, evaluate and address risks on a
continuous basis before such risks can impact negatively on the institution's service delivery capacity.
We will use the simpler term 'risk management' and will explain the function in broad terms, showing how
the various technical disciplines associated with risk form part of this wider field. When properly executed,
risk management provides reasonable, but not absolute, assurance that the institution will be successful
in achieving its goals and objectives. Risk management addresses all kinds of material risks to the
objectives of the institution. It does not have a bias towards any particular risk control function. Risk
management must address all parts of the institution and no part of the institution can claim that it does
not need to participate in its processes.

It eventually works its way through the entire institution so that all levels participate in its processes.
Existing risk-related functions, such as security risk management, insurance, health and safety risk
management etc. must also align their activities with the institution's risk management plan. This
alignment of activities then allows for risk management to reconfigure as ERM (enterprise risk
management).

1.5. Risk management process should be PACED:

a) Proportionate to the size of your organization

b) Aligned to your organization’s mission
c) Complete
d) Embedded into the culture of the organization and its day-to-day activities
e) Dynamic and responsive

Some examples of risk management processes and plans:

a) House insurance
b) Disaster recovery plans
c) Succession planning

Examples of losses

Generally, losses are divided into four main categories, namely:

a) material damage losses that would involve all cash and assets, together with hardware and
peripheral equipment and the computer centre;
b) financial losses including loss of cash, customers, debtors, future customers and staff;
c) loss of control including failure to make correct business decisions, to control fraud and the loss
of integrity of data;
 d) loss of reputation caused by unfavourable media exposure and possible poor public image of the
institution. It also includes loss of confidential information.

Risk control activities include:

a) fire protection
b) security
c) occupational health and safety
d) natural perils (fire, flood, earthquake etc)
e) motor vehicle risk control
f) transit risk control
g) emergency planning and crisis management
h) legal liability risk control
i) business interruption risk control
j) environmental protection
k) engineering risk control
l) business management control.