
Conduct a risk assessment

  • Writer: Frans Minnaar
  • Apr 23

Updated: 6 hours ago

Define individual risks.

--Measure the likelihood and impact of individual risks on the capacity of the institution to achieve its defined objectives. The result of this analysis will give an indication of the inherent risk level associated with each of the identified risks.

--Test existing controls to mitigate the identified risks. The result of this (when compared with the inherent risk level) will give an indication of the residual risk level of each of the identified individual risks.

--The individual risks must then be prioritized and treated according to their residual risk levels.

--Risk appetite is the total exposed amount that an organisation wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes.

--Risk tolerance is the amount of uncertainty an organisation is prepared to accept in total or more narrowly within a certain business unit, a particular category or a specific initiative.

--Risk culture consists of the norms and traditions of behaviour of individuals and of groups in an institution that determine the way in which they identify, understand, discuss and act on the risk the institution controls and takes.

--A risk target is a desired level of risk that the institution believes is optimal to meet its objectives.

--Risk attitude is the institution’s view/perspective of the perceived qualitative and quantitative value that may be gained in comparison to the related potential loss or losses.

--Risk capacity is the amount of risk an institution can actually bear.

Risk drivers are the events that create conditions of risk exposure, highlight risk vulnerabilities or increase either the likelihood that a risk will mature, or the impact if it does.

For instance, let’s say the objective is to increase market share from 10% to 12% over the next three years in a specific market segment. The risk is a new competitor that has just entered the same market segment. One risk driver will then be a visible promotion (market penetration) campaign by the new competitor, and another will be specials offered by the new entrant.

Inherent risk values (levels) are subject to the assessment of the trend and impact that a specific stated risk has in or on a specific municipality. Based on the defined risk assessment criteria, inherent risk values are based on an assessment of risks before institutional controls have been considered.

Inherent risk values are therefore dependent on the level of exposure of the municipality to conditions that may be either external (outside the boundaries of the municipality) or internal (inside the municipality).

In terms of a performance-based risk analysis, the ability of an institution to effectively achieve its objectives within the context of a turbulent (“risk-loaded”) governance and management environment is dependent on two inter-related and interdependent variables, namely:

(1) The magnitude of external pressures for its services, including the demands of communities, the expectations of regulators, such as National Government, and the ability of providers, such as taxpayers, to provide the resources required to achieve certain objectives. However, these pressures could also be positive and supportive of certain performance objectives.

(2) The capacity of the internal institution (organization) to deliver the outputs required to achieve a pre-determined level of outcomes (objectives). This relates to the quality and quantity of available skills and competencies, money, material and other production factors to perform the activities required to achieve the set performance objectives.

Of these two, the former (external pressures) relates more to likelihood, while the second element (capacity) relates more to impact. The final question is actually a simple one: Does the organization have the capacity to effectively and successfully meet (respond to) external demands and pressures? If the answer to this question is positive, the institution has effective control over the risks that face it; if not, it is highly exposed to risks that could undermine its performance.

On a practical level, the management of inherent risks has two inter-related dimensions, namely:

--Reducing or eliminating the likelihood that a risk will materialize; and/or

--Reducing the detrimental impact of the risk if it does materialize.

Risks are assessed in terms of a 5-point scale, with “5” representing optimal risk, and “1” negligible risk. These values will differ from enterprise to enterprise, and will be part of its risk policy, but the following may be an example:

Impact

Risks are assessed in terms of a 5-point scale, with “5” representing optimal risk, and “1” negligible risk. These values will differ from enterprise to enterprise, and will be part of its risk policy, but the following may be an example:

Vulnerability

Enterprises are not all equally vulnerable to risk. Larger organisations normally have a higher capacity to mitigate risks, and are therefore less vulnerable (exposed) to them.

The term “velocity” refers to both speed and direction. This implies that the event or condition that constitutes risk must “approach fast” and have a direct impact on the enterprise’s strategic direction and/or its risk-mitigating controls. Speed of onset refers to the speed at which a risk is expected to mature; that is, from the point the event occurs or the risk condition is created, until the time the enterprise first experiences it as a risk.


