Elements of ERM
- Frans Minnaar

- 6 days ago
Events
Acts or omissions that happen inside or outside the enterprise that may potentially or actually cause losses.
Conditions
Conditions are circumstances in the internal or external environment of an enterprise that may potentially or actually cause losses or prevent the achievement of predetermined objectives.
Losses
The term ‘losses’ must be related back to the ability of an enterprise to achieve its objectives. A loss implies an inability of the enterprise to optimally achieve a specific objective (or objectives). This includes the possibility of unproductive performance of resources when activities aimed at achieving objectives are performed (implying that the enterprise may still achieve the objective, but will waste resources in the process).
Organisational capacity
All events and conditions inside the enterprise that are under the governance or management control thereof. This control is normally limited to events and conditions that occur in the organisational structures of the enterprise. The focus is on capacity, considering structures, systems, processes and resources as components of an integrated model to achieve optimal capacity.
Performance
The performance of an organisation is dependent on its outcomes (the value, such as profit or promoting the general welfare) that result from the products or services it is providing. Performance is dependent on events and conditions in (demands from) the organisation’s “external” environment. Performance must be planned, and expressed in quantified predetermined objectives.
The classical approach towards risk assessment could be explained as follows:
1. Analyzing the institution’s objectives and ensuring appropriate alignment between the strategic objectives and operating strategies. This includes –
--determining the resource requirements to achieve the specified level of performance; and
--clarifying the context within which the risk assessment must be performed.
2. Define individual risks.
3. Measuring the likelihood and impact of individual risks on the capacity of the institution to achieve its defined objectives. The result of this analysis will give an indication of the inherent risk level associated with each of the identified risks.
4. Test existing controls to mitigate the identified risks. The result of this (when compared with the inherent risk level) will give an indication of the residual risk level of each of the identified individual risks.
5. The individual risks must then be prioritized and treated according to their residual risk levels.
Within the context of an institution’s mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the institution. This enterprise risk management framework is geared to achieving an institution’s objectives, set forth in four categories:
--Strategic – high-level goals, aligned with and supporting its mission
--Operations – effective and efficient use of its resources
--Reporting – reliability of reporting
--Compliance – compliance with applicable laws and regulations
Organisational Context
--Vision and mission
--Developmental and strategic objectives
--Core activities and functions of the municipality
--Internal and external stakeholders
--Facilities, buildings and logistical chains used
Identify risks
--Define individual risks.
--Describing the risk in more detail.
--Identify risk drivers for each individual risk.
Analyse Risks
--Assess the likelihood of each individual risk, based on an analysis of the trend and perceived momentum thereof.
--Assess the impact of each individual risk, based on an analysis of the materiality thereof.
Strategic Context
--Relationship with key stakeholders
--Laws, regulations, statutes that impact on the activities of the municipality
--Strategic Plan
--Performance plans
--Policies, standards and procedures
Evaluate Risks
--Listing (risk statements) of risks not requiring treatment
--Determine criteria used in determining which risks to treat
--Listing of risks requiring treatment with related consequence, likelihood and risk level information in agreed risk level order (risk register)
--Key decisions/outcomes from risk assessment meetings and decisions.
Treat Risks
--Determine risk appetite.
--Decide on risk mitigating strategies.
--The individual risks must then be prioritized and treated according to their residual risk levels.
--Implement measures for risk re-assessment and the monitoring of risks.
--Evaluate the impact of risks, and risk mitigating strategies on the enterprise at regular intervals.


