Enterprise Risk Management Governance Framework

Page 0 of 84
Table of Contents
DEFINITION OF TERMS ... 5
1 INTRODUCTION AND BACKGROUND ... 14
2 RISK MANAGEMENT DEFINED ... 19
3 ETHEKWINI RISK MANDATE ... 21
4 LEGAL FRAMEWORK FOR RISK MANAGEMENT ... 25
5 BENEFITS OF ENTERPRISE RISK MANAGEMENT ... 30
SECTION 1 – ENTERPRISE RISK MANAGEMENT POLICY ... 33
1 INTRODUCTION ... 33
2 RISK AND RISK MANAGEMENT ... 33
3 PURPOSE/RATIONALE OF THE POLICY ... 33
4 SCOPE OF THE POLICY ... 33
5 THE POLICY ... 34
6 LINK BETWEEN RISK POLICY AND CITY’S OBJECTIVES ... 34
7 DEVELOPMENT OF RISK APPETITE, RISK CULTURE AND PHILOSOPHY AND EMBEDDING PROCESS ... 35
8 ACCOUNTABILITIES AND RESPONSIBILITIES FOR MANAGING RISKS ... 39
9 RISK GOVERNANCE AND OVERSIGHT ... 40
10 RISK MANAGEMENT IMPLEMENTERS ... 41
11 RISK MANAGEMENT SUPPORT ... 42
12 RISK MANAGEMENT ASSURANCE PROVIDERS ... 45
13 RISK MANAGEMENT PERFORMANCE ... 46
14 CONFLICT OF INTEREST ... 46
15 POLICY REVIEW ... 46
SECTION 2 – ENTERPRISE RISK MANAGEMENT FRAMEWORK ... 47
1 PURPOSE OF THE ERM FRAMEWORK ... 47
2 DESIGN OF THE FRAMEWORK FOR MANAGING RISK ... 48
3 IMPLEMENTING RISK MANAGEMENT ... 53
4 RISK MANAGEMENT PROCESS ... 55
5 GOVERNANCE REQUIREMENTS ... 65
6 COMMUNICATION AND REPORTING ... 69
7 COMBINED ASSURANCE ... 70
8 MONITORING ... 71
9 EMBEDDING RISK MANAGEMENT ... 72
SECTION 3 – RISK MANAGEMENT STRATEGY ... 73
1 OBJECTIVES ... 73
2 APPROACH ... 73
3 VALUE PROPOSITION ... 74
4 RISK APPETITE AND TOLERANCE ... 75
5 MATURITY ... 75
6 RISK MANAGEMENT LEVELS ... 75
7 RISK ESCALATION ... 76
8 RISK MANAGEMENT METRICS ... 78
9 RISK MANAGEMENT EMBEDDING EDUCATION AND TRAINING ... 79
10 DEVELOPMENT OF RISK REGISTER ... 79
11 ROLES AND RESPONSIBILITIES AND EXPECTATIONS ... 79
12 QUALITY ASSURANCE AND REVIEWS ... 80
13 RESOURCES ... 80
SECTION 4 – RISK MANAGEMENT PLAN ... 81
1 ERM PLAN 2017/18 ... 82
2 SOURCES OF INFORMATION ... 84
Leadership Commitments

EThekwini Municipality Council is committed to and embraces the principles of governance within the municipality.

Council acknowledges that risk management is fundamental to governance, and plays a pivotal role towards the achievement of municipal objectives through providing assurance that the risks are identified and actively managed.

The Council recognises that by ensuring that risk management is integrated into service planning and delivery arrangements, its ability to achieve its objectives and execute its strategies will be enhanced. Therefore, the Council seeks to proactively identify, understand and manage the threats and opportunities involved in service delivery as well as those associated with municipal plans and strategies, to encourage a responsible and informed approach to risk management.

Risk management is a very valuable support to good governance. It provides the community with confidence that Council is being managed in a responsible and accountable manner.

EXCO

Risk management is now receiving greater attention than in the past, to improve overall governance and address challenges facing EThekwini Municipality. Furthermore, the Municipal Finance Management Act (MFMA), Act 56 of 2003, sets the foundation in Section 62(1)(c), which stipulates that the Accounting Officer has to ensure that the municipality establishes effective and efficient risk management processes.

Today, more than ever, all the officials of EThekwini Municipality should be embracing risk management in day-to-day operations, whilst considering the threats and opportunities to address challenges and the possible consequences if a risk materialises. The importance of looking at risk management comes in the wake of a more demanding society, scarce resources, the need for innovation and ongoing challenges experienced whilst striving to achieve the municipal objectives outlined in the Integrated Development Plan (IDP).

Public sector risk management and control should be firmly embedded in the daily activities of every official in EThekwini Municipality, including stakeholders. Effective risk management processes will ultimately help achieve:

• Greater organizational clarity of purpose by clearly identifying policy needs and actions required to meet strategic objectives;
• More cohesiveness of effort through organizational consistency and clear role definition, and better decisions through consideration of issues;
• Faster reactions through concentration on key performance trends; and
• Accountability by recording decisions in context and allocating responsibility for action.


City Manager

The Accounting Officer, as the risk owner, is required by the MFMA to ensure that the municipality has and maintains effective, efficient and transparent risk management systems. Risk management is a critical key enabler that drives and shapes our endeavours in the quest and pursuit of the noble vision, that of “to be the most caring and liveable city by 2030”.

The implementation of risk management will minimise threats and maximise opportunities in order for the municipality to deliver its strategic outcomes and objectives.

The municipality remains resolute in building a city that thrives not only when conditions are favourable, but also when conditions are contrary to and opposing that which it seeks to achieve. Effective and prudent management of risks will propel the city to achieve the goals and the aspirations of the people and communities being served.

The role of the various risk governance structures is acknowledged and appreciated, as well as the other governance platforms that are available, thus embracing the principles defined in relevant legislation and risk management best practice documents.

The risk management instruments in their entirety give guidance and a defined methodology within eThekwini and its entities on the management of risk. These will remain mandatory requirements established at all levels for the management of risk in eThekwini.

With this commitment, Council, Mayor and Administrative leadership endorse the adoption of the risk management framework by eThekwini municipality and its entities.

Definition of terms

Basic Terms

City Manager: In terms of section 62(1) of the MFMA, the accounting officer of a municipality is responsible for managing the financial administration of the municipality, and must for this purpose take all reasonable steps to ensure that the municipality has and maintains effective, efficient and transparent systems (i) of financial and risk management and internal control.

Deputy City Managers: Support the City Manager in carrying out the mandate as per section 62 of the MFMA as detailed above, through the implementation of Cluster Risk Assessments.

Deputy Head: Enterprise Risk and Advisory Services, also referred to as Chief Risk Officer (CRO): Appointed person of the municipality, who may have other duties/responsibilities, but who is primarily responsible for championing, advising on, formulating, overseeing and managing all aspects of the Municipality’s risk management system; and monitors the Municipality’s entire risk profile, ensuring that major risks are identified and reported upwards. The CRO provides and maintains the risk management infrastructure to assist the Council and executive management team in fulfilling their risk management responsibilities. The CRO supports and ensures that the role of governance is functioning as intended.

Risk Owners / Risk Advisors: Employees of the municipality who assist the CRO in the fulfilment of their duties.

Internal Audit (EMARAS): An independent assurance function authorised to assess the control environment within the Municipality in accordance with the definition for internal audit, and to provide assurance on risk mitigation city wide.

Objectives: Goals that management have set for the municipality or a department to achieve.

Cost of Risk: Costs associated with:
• Insurance premiums
• Self-retained losses (incurred loss)
• Loss control expenses including safety, security, property conservation, quality control programs, etc.
• Administrative costs (internal and external) including the risk management department, internal claims staff, fees paid to brokers, risk management consultants, outside claims and loss control services, plus your time as risk manager and/or claims administrator.

General Risk Management Terms

Risk: Effect of uncertainty on objectives.


Note 1: An effect is a deviation from the expected — positive and/or negative.
Note 2: Objectives can have different aspects (such as financial, health and safety and environmental goals) and can apply at different levels (such as strategic, Municipal-wide, project, product and process).
Note 3: Risk is often characterized by reference to potential events and consequences or a combination of these.
Note 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
Note 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

Risk Management: Co-ordinated activities to direct and control the Municipality with regard to risk.

Risk Management Framework: Set of components that provide the foundations and Municipal arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the Municipality.
Note 1: The foundations include the policy, objectives, mandate and commitment to manage risk.
Note 2: The Municipal arrangements include plans, relationships, accountabilities, resources, processes and activities.
Note 3: The risk management framework is embedded within the Municipality's overall strategic and operational policies and practices.

Risk Management Policy: Statement of the overall intentions and direction of the Municipality related to risk management.

Risk Management Plan: Scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk.
Note 1: Management components typically include procedures, practices, assignment of responsibilities, sequence and timing of activities.
Note 2: The risk management plan can be applied to a particular product, process and project, and part or whole of the Municipality.


Risk Management Process Terms

Risk Management Process: Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.

Step 1: Communication and Consultation

Communication and Consultation: Continual and iterative processes that the Municipality conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk.
Note 1: The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment of the management of risk.
Note 2: Consultation is a two-way process of informed communication between the Municipality and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
• a process which impacts on a decision through influence rather than power;
• an input to decision making, not joint decision making.

Interested Party: Person or group having an interest in the performance or success of the Municipality. Example: customers, owners, people in the Municipality, suppliers, bankers, unions, partners or society, regulators and government.

Stakeholder: Person or Municipality that can affect, be affected by, or perceive themselves to be affected by a decision or activity.

Risk Perception: Stakeholder’s view on a risk.
Note 1: Risk perception reflects the stakeholder's needs, issues, knowledge, belief and values.

Step 2: Establishing the Context

Establishing the Context: Defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy.

External Context: The external environment in which the Municipality seeks to achieve its objectives.


Note 1: External context can include:
• the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
• key drivers and trends having impact on the objectives of the Municipality; and
• relationships with, and perceptions and values of, external stakeholders.

Internal Context: Internal environment in which the Municipality seeks to achieve its objectives.
Note 1: Internal context can include:
• governance, Municipal structure, roles and accountabilities;
• policies, objectives, and the strategies that are in place to achieve them;
• the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
• information systems, information flows and decision making processes (both formal and informal);
• relationships with, and perceptions and values of, internal stakeholders;
• the Municipality's culture;
• standards, guidelines and models adopted by the Municipality;
• form and extent of contractual relationships.

Risk Criteria: Terms of reference against which the significance of a risk is evaluated.
Note 1: Risk criteria are based on Municipal objectives, and external and internal context.
Note 2: Risk criteria can be derived from standards, laws, policies and other requirements.

Step 3-5: Risk Assessment

Risk Assessment: Overall process of risk identification, risk analysis and risk evaluation.

Step 3: Risk Identification

Risk Identification: Process of finding, recognising and describing risks.
Note 1: Risk identification involves the identification of risk sources, events, their causes and their potential consequences.
Note 2: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' needs.


Risk Description: Structured statement of risk usually containing four elements: sources, events, causes and consequences.

Risk Source: Element which alone or in combination has the intrinsic potential to give rise to risk.
Note 1: A risk source can be tangible or intangible.

Event: Occurrence or change of a particular set of circumstances.
Note 1: An event can be one or more occurrences, and can have several causes.
Note 2: An event can consist of something not happening.
Note 3: An event can sometimes be referred to as an “incident” or “accident”.
Note 4: An event without consequences (3.6.1.3) can also be referred to as a “near miss”, “incident”, “near hit” or “close call”.

Hazard: Source of potential harm.
Note 1: Hazard can be a risk source.

Key Risks: Identifying risks which the Municipality perceives to be its most significant risks.

Risk Owner: Person or entity with the accountability and authority to manage a risk. The City Manager, Deputy City Managers, Heads and Deputy Heads – executed at different levels of the organisation.

Step 4: Risk Analysis

Risk Analysis: Process to comprehend the nature of risk and to determine the level of risk.
Note 1: Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
Note 2: Risk analysis includes risk estimation.

Likelihood / Probability: Chance of something happening.
Note 1: In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
Note 2: The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad interpretation as the term “probability” has in many languages other than English.

Exposure: Extent to which the Municipality and/or stakeholder is subject to an event.

Consequence / Impact / Severity: Outcome of an event affecting objectives.
Note 1: An event can lead to a range of consequences.
Note 2: A consequence can be certain or uncertain and can have positive or negative effects on objectives.
Note 3: Consequences can be expressed qualitatively or quantitatively.
Note 4: Initial consequences can escalate through knock-on effects.

Probability as a Measure: Measure of the chance of occurrence expressed as a number between 0 and 1, where 0 is impossibility and 1 is absolute certainty.

Frequency: Number of events or outcomes per defined unit of time.
Note 1: Frequency can be applied to past events or to potential future events, where it can be used as a measure of likelihood / probability.

Vulnerability: Intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence.

Risk Matrix: Tool for ranking and displaying risks by defining ranges for consequence (impact) and likelihood (probability).

Level of Risk: Magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.

Inherent Risk: The product of the impact of the risk on the objective and the likelihood of the risk occurring, should no management actions/controls be in place to mitigate the risk.

Step 5: Risk Evaluation

Risk Evaluation: Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
Note 1: Risk evaluation assists in the decision about risk treatment.

Risk Attitude: Municipality's approach to assess and eventually pursue, retain, take or turn away from risk.

Risk Appetite: Amount and type of risk that the Municipality is willing to pursue or retain.

Risk Tolerance: Municipality's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives.
Note 1: Risk tolerance can be influenced by legal or regulatory requirements.


Risk Aversion: Attitude to turn away from risk.

Risk Aggregation: Combination of a number of risks into one risk to develop a more complete understanding of the overall risk.

Step 6: Risk Treatment (also called Risk Response)

Risk Treatment: Process of selection and implementation of measures to modify risk.
Note 1: Risk treatment can involve:
• avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
• taking or increasing risk in order to pursue an opportunity;
• removing the risk source;
• changing the likelihood;
• changing the consequences;
• sharing the risk with another party or parties (including contracts and risk financing);
• retaining the risk by informed decision.
Note 2: Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 3: Risk treatment can create new risks or modify existing risks.

Risk Controls: Actions taken and implemented by management to treat risks and enhance the likelihood that established objectives and goals will be achieved.
Note 1: Controls include any process, policy, device, practice, or other actions which modify risk.
Note 2: Controls may not always exert the intended or assumed modifying effect.

Risk Acceptance / Risk Retention: Informed decision to take a particular risk.
Note 1: Risk acceptance can occur without risk treatment or during the process of risk treatment.
Note 2: Accepted risks are subject to monitoring and review.

Risk Retention / Risk Acceptance: Acceptance of the potential benefit of gain, or burden of loss, from a particular risk.
Note 1: Risk retention includes the acceptance of residual risks.
Note 2: The level of risk retained can depend on risk criteria.


Risk Avoidance / Risk Termination: Informed decision not to be involved in, or to withdraw from, an activity in order not to be exposed to a particular risk.
Note 1: Risk avoidance can be based on the result of risk evaluation and/or legal and regulatory obligations.

Risk Transfer / Risk Sharing: Sharing with another party the burden of loss, or benefit of gain, of a risk.
Note 1: Legal or statutory requirements can limit, prohibit or mandate the transfer of certain risk.
Note 2: Risk transfer can be carried out through insurance or other agreements.
Note 3: Risk transfer can create new risks or modify existing risk.
Note 4: Relocation of the source is not risk transfer.

Risk Financing: Form of risk treatment involving contingent arrangements for the provision of funds to meet or modify the financial consequences should they occur.

Residual Risk: Risk remaining after risk treatment.
Note 1: Residual risk can contain unidentified risk.
Note 2: Residual risk can also be known as “retained risk”.

Resilience: Adaptive capacity of the Municipality in a complex and changing environment.

Action Plans: Tasks/projects that management commit to implementing, after identifying unacceptable risk exposures, in order to return the exposure to within acceptable parameters. Each action plan must have a due date and a resource allocated.

Key Risk Indicators: Symptoms/signs/events by which key risks can be easily identified.

Step 7: Monitoring and Review

Monitoring: Continual checking, supervising, critically observing or determining the status of risks in order to identify change from the performance level required or expected.
Note 1: Monitoring can be applied to a risk management framework, risk management process, risk or control.

Review: Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives.
Note 1: Review can be applied to a risk management framework, risk management process, risk or control.

Risk Reporting: Form of communication intended to inform particular internal or external stakeholders by providing information regarding the current state of risk and its management.


Risk Register: Record of information about identified risks.
Note 1: The term “risk log” is sometimes used instead of “risk register”.

Risk Profile: Description of any set of risks.
Note 1: The set of risks can contain those that relate to the whole Municipality, part of the Municipality, or as otherwise defined.

Risk Management Audit: Systematic, independent and documented process for obtaining evidence and evaluating it objectively in order to determine the extent to which the risk management framework, or any selected part of it, is adequate and effective.

1 Introduction and Background

The underlying premise of Enterprise Risk Management (ERM) is that every entity exists to
provide value for its stakeholders. All entities face uncertainties and the challenge for
management is to determine how much uncertainty to accept as it strives to grow stakeholder
value. This is done through setting risk appetite and tolerances. Uncertainty presents both risk
and opportunity, with the potential to erode or enhance value. ERM enables management to
effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity
to build value.

Value is maximised when management sets objectives to achieve an optimal balance between
growth and related risks, and effectively deploys resources in pursuit of the entity’s
objectives.

This document sets out eThekwini Municipality’s Risk Management Governance Documents as
follows:

ERM Policy

• This section articulates the commitment by municipal leadership to the risk management process and formalises the establishment of Enterprise Risk Management processes within the municipality.

ERM Framework

• The Enterprise Risk Management Framework specifically addresses the structures, processes and standards implemented to manage risks on an enterprise-wide basis in a consistent manner.
• The framework details what is involved in the risk management process, and speaks to the value of risk management.

ERM Strategy

• Defines the municipality's risk universe, what is involved in managing risks, how the municipality intends to prioritise risks, and the structures and resources required. The strategy outlines what the municipality aims to achieve by managing risks and how far it is willing to go in managing each type of risk.

ERM Implementation Plan

• The implementation plan lists the activities that the municipality will implement to manage risks within a particular financial year, in order to ensure objectives are achieved.
• The activities are linked according to the risk maturity level that the municipality is at in embedding the risk management process.

EThekwini Municipality has been established to serve the people through the implementation of various programmes and activities. In implementing these programmes, the municipality has to navigate various risks that, if not managed effectively, could derail the attainment of its defined objectives, and the opportunities embedded in those programmes could be lost.

The risk management process evolves and matures as it becomes embedded, and it also aligns with the strategies that the municipality is adopting at any point in time.

The risk management process for eThekwini Municipality has been introduced, and the risk governance structures, as well as their roles and responsibilities, have been communicated. Routine risk management and reporting processes have progressed, and new innovations have been introduced to improve the management and mitigation of risks.

The management of risk needs to be enterprise-wide and requires a solid, consistent foundation that is used when all types of risks from the municipality's Risk Universe are mitigated. This foundation should be a standard that is adaptable to any kind of environment according to its size, nature and complexity. It should also allow the accounting officer to know holistically which critical risks the municipality is exposed to and, most importantly, that the embedded processes are effective in mitigating those risks to acceptable levels.

The municipal environment is dynamic and complex, and so are its risks. The municipality adopted the COSO methodology on risk management to guide the implementation of risk management within the Municipality, and this set the foundation and paved the way for implementing various risk management controls. Whilst its value is appreciated, COSO has become less suitable in our environment because most business units implement various ISO standards. To achieve alignment, adopting and adapting ISO 31000 is the rational decision. ISO 31000 offers an improved and enhanced approach to the management of risk in our environment. Hence the municipality has opted to frame and manage risk in line with ISO 31000.

The ISO 31000 framework provides guidance based on the principles of good governance, flexibility, proportionality, transparency and sustainability. This will ensure continual improvement in municipal processes and allow for progressive advancement to the desired risk maturity levels. The principles mean the following:

Good governance – Good governance is essentially about effective leadership. Leaders should
rise to the challenges of modern governance. Such leadership is characterised by the ethical
values of responsibility, accountability, fairness and transparency and based on moral duties
that find expression in the concept of Ubuntu. Responsible leaders direct the municipality’s
strategies and operations with a view to achieving sustainable economic, social and
environmental performance.

Flexibility – The ISO standard gives the organisation the flexibility to tailor the standard to the requirements of the municipality.

Transparency – Transparency is the ease with which an outsider is able to make a meaningful analysis of the Municipality's actions, its economic fundamentals and the non-financial aspects pertinent to the organisation. It is a measure of how good management is at making necessary information available in a candid, accurate and timely manner: not only the audit data but also general reports and press releases. It reflects whether or not stakeholders obtain a true picture of what is happening inside the Municipality.

Sustainability – is the primary moral and economic imperative of the 21st century. It is one of
the most important sources of both opportunities and risks for businesses. Nature, society,
and business are interconnected in complex ways that should be understood by decision-
makers. Most importantly, current incremental changes towards sustainability are not
sufficient – we need a fundamental shift in the way organisations and senior management act
and organise themselves.

1.1 Overall purpose of Enterprise Risk Management

The Enterprise Risk Management process provides a formalised approach that is used to PROACTIVELY manage uncertainties and opportunities linked to the strategic objectives of the municipality.

This process allows management to foresee, from the beginning of strategy setting, what lies ahead and which options are available, and to PROACTIVELY inform decisions on how the objectives may best (optimally) be achieved with the available resources.

The field of risk management is dynamic and moves in line with changing municipal strategies; this governance document will also change to complement those strategies and keep risk management relevant within its context.

1.2 Principles of Enterprise Risk Management


The following principles will be applied at both strategic and operational levels within the
Municipality:

a) Risk management creates and protects value

Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.

Risk management contributes to eThekwini pursuing its primary objective of meeting the needs of communities by applying leading practice in health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, service quality, project management, efficiency in operations, governance and reputation.

b) Risk management is an integral part of all Municipality processes

Risk management is not a stand-alone activity that is separate from the main activities and
processes of the organization. Risk management is part of the responsibilities of
management and an integral part of all organizational processes, including strategic
planning and all project and change management processes.

Risk management is embedded throughout the planning processes from IDP to finalisation
of the budget and program and project implementation.

c) Risk management is part of decision making

Risk management helps decision makers make informed choices, prioritize actions and
distinguish among alternative courses of action.

Decision making takes into account the various options available to management, with detailed research into the alternative courses of action.

d) Risk management explicitly addresses uncertainty

Risk management explicitly takes account of uncertainty, the nature of that uncertainty,
and how it can be addressed.

Uncertainty is a key pillar of risk management, and addressing it is one of risk management's key aims.

e) Risk management is systematic, structured and timely

A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.

Risk management is performed in a controlled manner that follows a defined approach in a structured and timely way.

f) Risk management is based on the best available information

The inputs to the process of managing risk are based on information sources such as
historical data, experience, stakeholder feedback, observation, forecasts and expert
judgement. However, decision makers should inform themselves of, and should take into
account, any limitations of the data or modelling used or the possibility of divergence
among experts.

In managing risk, the best available information is utilised to inform decision making. The
quality of the data is also considered to understand the confidence in the data being
provided.

g) Risk management is tailored

Risk management is aligned with the organization's external and internal context and risk
profile.

Risk management considers eThekwini's internal and external environment in managing risks. The needs of communities are considered, and budgets are tailored on a ward basis to meet these needs.

h) Risk management takes human and cultural factors into account

Risk management recognizes the capabilities, perceptions and intentions of external and
internal people that can facilitate or hinder achievement of the organization's objectives.

Consultation on the development and implementation of risk management ensures that the policies, frameworks and practices in eThekwini Municipality reflect the diversity of the Municipality's activities, its employees and our communities.

i) Risk management is transparent and inclusive

Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.

Risk management in eThekwini Municipality involves the engagement of internal and external stakeholders through respectful acknowledgement of their contribution to the communication & consultation and monitoring & reviewing processes.

j) Risk management is dynamic, iterative and responsive to change

Risk management continually senses and responds to change. As external and internal
events occur, context and knowledge change, monitoring and review of risks take place,
new risks emerge, some change, and others disappear.

Risk management in eThekwini Municipality responds to the changing needs of the Municipality, its employees and its clients by continually self-assessing, monitoring and reviewing business processes against the Integrated Development Plan. Education and training within eThekwini Municipality is tailored to the needs of Clusters, Business Units and Departments.

k) Risk management facilitates continual improvement of the Municipality

The Municipality should develop and implement strategies to improve risk management
maturity alongside all other aspects of the business.

Risks are identified and linked to the municipal strategic objectives as outlined in the IDP (8-point plan).
2 Risk Management Defined

2.1 Definition of Risk (ISO 31000)

Risk is the effect of uncertainty on objectives.

An effect is a deviation from the expected — positive and/or negative. Objectives can have
different aspects (such as financial, health and safety, and environmental goals) and can apply
at different levels (such as strategic, organization-wide, project, product and process). Risk is
often characterized by reference to potential events and consequences, or a combination of
these. Risk is often expressed in terms of a combination of the consequences of an event
(including changes in circumstances) and the associated likelihood of occurrence.

The Institute of Risk Management South Africa (IRMSA) defines risk as "…the uncertainty of an event occurring or not occurring that could have an impact on the achievement of objectives".

The Public Sector Risk Management Framework guideline from National Treasury defines risk management as "a systematic process to identify, evaluate and address risks on a continuous basis before such risks can impact negatively on the municipality's service delivery capacity".

Risk not only manifests as negative impacts on the achievement of goals and objectives, but
also as a missed opportunity to enhance organizational performance.

Risk is measured in terms of consequence (impact) and likelihood. This definition applies to each and every level of the enterprise, and the overriding policy and philosophy is that the management of risk is the responsibility of management at each and every level in the municipality.

The management of risk is no more or less important than the management of organizational
resources and opportunities and it simply forms an integral part of the process of managing
those resources and opportunities.

2.2 Enterprise Risk Management

Definition
Enterprise Risk Management (ERM) is the application of risk management holistically throughout the municipality rather than only in selected business areas or disciplines.
It recognizes that risks (including opportunities) are dynamic, often highly interdependent and ought not to be considered and managed in isolation. ERM responds to this by providing a systematic process that ensures consistency in how risks are identified, prioritised and managed, and develops a methodology for managing municipality-wide risks in a comprehensive and integrated way.
Furthermore, ERM deals with risks and opportunities affecting value creation or preservation.
EThekwini Municipality adopted ISO 31000 in developing the Enterprise Risk Management process, in conjunction with the Public Sector Risk Management Framework and the King III Code of Corporate Governance.
When properly executed, risk management provides reasonable, but not absolute, assurance that the municipality will be successful in achieving its goals and objectives.
Finally, this document provides guidance on how risk management forms part of an integrated process and on how enterprise-wide risk management will be embedded throughout the municipality. This includes aligning all units that manage a category of risk or perform risk financing functions, so that a consistent risk language is used and a holistic view of the municipal risk universe, linked to strategic objectives, is presented.

2.3 Risk categories

Risk Category refers to "a group of potential causes of risk".

The whole purpose of risk categorisation is to identify risks systematically and consistently and to organise them so that they can be better managed. It also helps to identify the root causes of these risks. The municipality has established the Risk Category Forum to better manage these risks.
The following risk categories exist within the municipality:
 Community and Social Services;
 Compliance;
 Economic Development;
 Fraud, Theft and Corruption;
 Governance;
 Infrastructure and Asset Management;
 Safety, Emergency and Security;
 Sustainability;
 Human Resources; and
 IT.
3 EThekwini Risk Mandate

The introduction of risk management, and ensuring its on-going effectiveness, requires strong and sustained commitment by the management of the eThekwini Municipality, as well as strategic and rigorous planning to achieve commitment at all levels. Management should:
 define and endorse the risk management policy;
 ensure that the municipality’s culture and risk management policy are aligned;
 determine risk management performance indicators that align with performance
indicators of the municipality;
 align risk management objectives with the objectives and strategies of the
municipality;
 ensure legal and regulatory compliance;
 assign accountabilities and responsibilities at appropriate levels within the
municipality;
 ensure that the necessary resources are allocated to risk management;
 communicate the benefits of risk management to all stakeholders, internal and external to the municipality; and
 ensure that the framework for managing risk continues to remain appropriate.

At least once a year, the Municipality undertakes, through the enterprise risk management process, an assessment of the risks within its internal and external environment that might impact on the achievement of its objectives. The process includes the identification, analysis and evaluation of the risks. Subsequently, mitigations and risk treatment response plans are implemented to reduce the impact and/or likelihood of the risk.
The Municipality is committed to prioritising good governance in achieving service delivery, and a risk management structure exists within the eThekwini Municipality.
3.1 EThekwini Municipal Governance Structures

Council
The Council operates on an Executive Committee System, with the following committees:

Executive Committee System (EXCO) Committees
 Community Services Committee
 Security & Emergency Services Committee
 Economic Development & Planning Committee
 Governance & Human Resources Committee
 Human Settlements & Infrastructure Committee

EThekwini Section 79 Committees
 Speaker's Committee
 Aids Committee
 Municipal Public Accounts Committee

Statutory Committees
 Civilian Oversight Committee
 Appeals Committee
 Ethics Committee
 Ward Committee

Administration Committees
 Audit Committee
o Main Audit Committee
o Performance Audit Committee
o Municipal Entities: DMPT (Ushaka Marine); DICC (ICC)
 Bid & Specification Committee
 Bid & Evaluation Committee
 Bid & Adjudication Committee
Council

•The Municipal Council has the power to govern the local government affairs of the local community, exercise the municipality's executive and legislative authority, and finance the affairs of the municipality by charging fees for services and imposing surcharges on fees and rates on property.

Section 79 Committee

•In terms of section 79 of the Structures Act, a Municipal Council may establish one or more committees necessary for the effective and efficient performance of any of its functions or the exercise of any of its powers.

Statutory Committees

•EThekwini has created the following statutory committees to perform specific functions in compliance with the provisions of various acts, such as the MFMA and the MSA: the Civilian Oversight Committee, the Appeals Committee, the Ethics Committee and Ward Committees.

Political Structure

•The executive committee is the principal committee of the Municipal Council, responsible for performing its role of political oversight of the municipality's functions, programmes and the management of the administration. It receives and considers reports from the other committees of the council and forwards these reports, together with its recommendations, to the Council when it cannot dispose of the matter in terms of its delegated powers.

Political Office Bearers

•Performance agreement with the municipal manager; monitor the Municipality's constitutional and statutory functions; monitor the accounting officer and chief financial officer; co-ordinate budget processes; preparation of the annual budget; political guidance over financial affairs; table the annual budget; authorise unforeseeable and unavoidable expenditure; approve increases in funds for capital programmes; notify the public of revisions to the service delivery and budget implementation plan; initiate steps proposed by the accounting officer to deal with serious financial problems; sign council resolutions approving long-term debt; table annual reports of the Municipality and municipal entities; address issues raised by the Auditor-General.

Speaker

•The Speaker is the chairperson of the municipal council. The Speaker decides when and where the council meets, but if a majority of the councillors requests the Speaker in writing to convene a meeting, a special Council meeting may be held to discuss specific matters.
Mayor

•The Mayor must decide when and where the Executive Committee meets (but if a majority of the members request the mayor in writing to convene a meeting, the mayor
must convene a meeting at a time set out in the request); preside at meetings of the executive committee; perform the duties, including any ceremonial functions, and
exercise the powers delegated to the mayor by the municipal council or the executive committee.

Deputy Mayor

•The deputy mayor exercises the powers and performs the duties of the mayor if the mayor is absent or not available or if the office of the mayor is vacant. In addition, the mayor may delegate duties to the deputy mayor.

Chief Whip

•The Chief Whip of the municipal council is responsible for the conduct of all Councillors.

City Manager

•The municipal manager of a municipality is the accounting officer of the municipality for the purposes of the MFMA and, as accounting officer, must exercise the functions and powers assigned to an accounting officer in terms of the MFMA, and provide guidance and advice on compliance with the MFMA to the political structures, political office-bearers and officials of the municipality and to any municipal entity under the sole or shared control of the municipality.

Audit Committee

•Advise the Council, the political office bearers, the accounting officer and the management staff of the municipality on matters relating to internal financial control and
financial audits, accounting policies, the adequacy, reliability and accuracy of financial reporting and information, performance management, effective governance it further

Bid Specification Committee

• The Bid specification committee must compile the specifications for each procurement of goods or services by the municipality or municipal entity

Bid Evaluation Committee

•A bid evaluation committee must evaluate bids in accordance with the specifications for a specific procurement

Bid Adjudication Committee

•A bid adjudication committee must consider the report and recommendations of the bid evaluation committee; and either depending on its delegations, make a final award
or a recommendation to the accounting officer to make the final award; or make another recommendation to the accounting officer how to proceed with the relevant
procurement.

4 Legal Framework for Risk Management

The eThekwini Municipality Risk Management Framework derives its legislative mandate from the South African Constitution, the MFMA, National Treasury's Public Sector Risk Management Framework, King III and the Public Service Commission's Best Practices on Risk Management Frameworks for the Public Service.

4.1 Municipal Finance Management Act

Section 62(1)(c)(i) of the Municipal Finance Management Act, 2003 requires that:

“The accounting officer of a municipality is responsible for managing the financial administration of the municipality, and must for this purpose take all reasonable steps to ensure –

(c) that the municipality has and maintains effective, efficient and transparent systems

(i) of financial and risk management and internal control”

Section 95(c)(i) of the Municipal Finance Management Act, 2003 requires that:

“The accounting officer of a municipal entity is responsible for managing the financial administration of the entity, and must for this purpose take all reasonable steps to ensure –

(c) that the entity has and maintains effective, efficient and transparent systems –
(i) of financial and risk management and internal control”

Management, other personnel and Risk Champions

The extension of general responsibilities in terms of section 78 of the Municipal Finance Management Act, 2003 to all senior managers and other officials implies that responsibility for risk management vests at all levels of management.

Similarly, the extension of the general responsibilities in terms of section 105 of the Municipal
Finance Management Act, 2003 to all other officials of municipal entities implies that the
responsibility for risk management vests at all levels of management and that it is not limited
to only the accounting officer and internal audit.

Internal Audit

Section 165(2)(a) and (b)(iv) of the Municipal Finance Management Act, 2003 requires that:

“(2) The internal audit of a municipality must –

(a) Prepare a risk based audit plan and an internal audit program for each financial year;

(b) Advise the accounting officer and report to the audit committee on the implementation of the internal audit plan and matters relating to:

(iv) risk and risk management”.

Audit Committee

Section 166(2) of the Municipal Finance Management Act, 2003 requires that:

“(2) An audit committee is an independent advisory body which must –

(a) Advise the municipal council, the political office-bearers, the accounting
officer and the management employees of the municipality on matters relating
to:

(ii) Risk management”

4.2 Public Sector Risk management Framework

The Public Sector Risk Management Framework guideline provided by National Treasury
endorsed the development and embedding of risk management processes in line with MFMA
requirements.

It provides guidance on how the risk management best practice standards are best applicable
in a municipal environment.

4.3 King Code on Corporate Governance

Chapter Four of the King III Code defines best practice guidance on the “Governance of Risk”.

The following principles therein relate to risk management (as adapted to eThekwini Municipality's reporting structures):

 Council should be responsible for the governance of risk
 Council should determine the levels of risk tolerance
 The risk committee or audit committee should assist Council in carrying out its risk responsibilities
 Council should delegate to management the responsibility to design, implement and monitor the risk management plan
 Council should ensure that risk assessments are performed on a continual basis
 Council should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks
 Council should ensure that management considers and implements appropriate risk responses
 Council should ensure continual risk monitoring by management
 Council should receive assurance regarding the effectiveness of the risk management process
 Council should ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders

4.4 Audit Committees

Strategy, risk performance and sustainability should be managed as inseparable matters. Risk
management is a responsibility of the Accounting Officer.
Risk based internal audit plan should be reviewed and approved by the Accounting Officer.

As the Audit Committee is an integral component of the risk oversight process, it should be
responsible to provide guidance through:

(i) internal financial control and internal audits;

(ii) risk management;

(iii) accounting policies;

(iv) the adequacy, reliability and accuracy of financial reporting and information

(v) performance management;

(vi) effective governance;

(vii) compliance with the MFMA, the annual Division of Revenue Act and any other applicable legislation;

(viii) performance evaluation; and

(ix) any other issues referred to it by the municipality or municipal entity.

4.5 Risk Management

Risk management is an integral part of the strategy and business processes. The following apply to the risk management committee, hereinafter referred to as the Integrated Risk Management Committee and the Combined Risk and Managing the City Sub-Committee:

 Management is responsible for implementing risk management processes;
 Risk management should be an integral part of the municipality's day-to-day activities;
 The process of risk management is the Accounting Officer's responsibility;
 The risk philosophy should be approved by Council;
 It should be accompanied by a risk management plan; and
 The Audit Committee performs oversight on risk in line with Section 166 of the MFMA.

Risk Assessment:

On-going risk assessment should be conducted.

Risk Identification:

Risk identification is important.

Risk Quantification and Response:

Key risks should be quantified.

Assurance over the Risk Management Process:

The risk management process should be verified/assured by internal audit.

Disclosure:

The effectiveness of risk management should be reported to Council.

Key Risks Facing the Modern Organisation:

 It is necessary to protect the municipality against a loss of reputation.
 Sustainability risks, including the reporting thereof, are an Accounting Officer responsibility and ultimately rest with Council.
 IT objectives risk should be included in the business and sustainability plans.
 Risk assessment should take into account the risk of the unknown.

4.6 Internal Audit

The role of internal auditing in ERM

Internal auditing is an independent, objective assurance and consulting activity. Its core role
with regard to ERM is to provide objective assurance to the board on the effectiveness of risk
management. Indeed, research has shown that board directors and internal auditors agree
that the two most important ways that internal auditing provides value to the organization
are in providing objective assurance that the major business risks are being managed
appropriately and providing assurance that the risk management and internal control
framework is operating effectively.

Internal auditing may provide consulting services that improve the eThekwini Municipality's governance, risk management, and control processes. The extent of internal audit's consulting in ERM will depend on the other resources, internal and external, available to Council and on the risk maturity of the eThekwini Municipality, and it is likely to vary over time. Internal auditors' expertise in considering risks, in understanding the connections between risks and governance and in facilitation means that the internal audit activity is well qualified to act as champion and even project manager for ERM, especially in the early stages of its introduction. As the organization's risk maturity increases and risk management becomes more embedded in the operations of the business, internal auditing's role in championing ERM may reduce. Similarly, if an organization employs the services of a risk management specialist or function, internal auditing is more likely to add value by concentrating on its assurance role than by undertaking consulting activities. However, if internal auditing has not yet adopted the risk-based approach represented by assurance activities, it is unlikely to be equipped to undertake certain consulting activities.

Risk management is a fundamental element of corporate governance. Management is responsible for establishing and operating the risk management framework on behalf of Council. Enterprise-wide risk management brings many benefits as a result of its structured, consistent and coordinated approach. Internal audit's core role in relation to ERM should be to provide assurance to management and to Council on the effectiveness of risk management. When internal auditing extends its activities beyond this core role, it should apply certain safeguards, including treating the engagements as consulting services and, therefore, applying all relevant Standards. In this way, internal auditing will protect its independence and the objectivity of its assurance services. Within these constraints, ERM can help raise the profile and increase the effectiveness of internal auditing.

Standard 2110 – Risk Management of the International Standards for the Professional Practice of Internal Auditing states:

“The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems –

 A1 - The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.
 A2 - The internal audit activity should evaluate risk exposures relating to the organization's governance, operations and information systems regarding the: reliability and integrity of financial and operational information; effectiveness and efficiency of operations; safeguarding of assets; and compliance with laws, regulations and contracts.
 C1 - During consulting engagements, internal auditors should address risk consistent with the engagement's objectives and be alert to the existence of other significant risks.
 C2 - Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.”

Page 29 of 84
4.7 Compliance

Risk management should include compliance as part of its function.

4.8 Public Service Commission

The Public Service Commission promotes risk management and published a guiding
document titled “Best Practices on Risk Management Frameworks for the Public Service” in
April 2003.

The above attests that risk management cannot succeed if other management systems are
not coordinated with it. Risk management should not be undertaken in isolation from
strategies and other processes.

4.9 Moral and Ethical Obligation

Risk management is the “RIGHT THING TO DO”

Risk management establishes accountability at all levels, and it is everybody’s responsibility.

5 Benefits of Enterprise Risk Management

The benefits of successful implementation of enterprise risk management in eThekwini
encompass:

• Increases the likelihood of achieving objectives;
• Encourages proactive management;
  - Proper planning is ensured by analysing the major risks that the municipality is
  exposed to and taking the necessary steps to mitigate them before they materialise,
  in order to achieve strategic objectives.
• Improves the identification of opportunities and threats;
  - The formal identification and evaluation of risks will improve management and
  employees’ understanding of the risks which need to be managed, and therefore of
  the risk appetite and profile of the municipality. Furthermore, it will enable the
  analysis and understanding of the causes of risks, so that effective internal controls
  can be put in place to manage these causes.
  - eThekwini faces a myriad of risks affecting different parts of the Municipality; ERM
  facilitates effective responses to their interrelated impacts and enhances an
  integrated response to multiple risks.
• Complies with relevant legal and regulatory requirements and international norms;
  - A risk management process based on an ISO standard will improve alignment with
  the other ISO standards that the municipality and its entities have to comply with.
  The ISO framework allows for ease of incorporation into other existing management
  system standards, such as ISO 19011 (Guidelines for auditing management systems).
• Improves mandatory and voluntary reporting;
  - Risk management is interlinked with processes within the organization, and
  integrated reporting will therefore enable the municipality to achieve its goals.
• Improves governance;
  - Compliance with laws, acts and regulations is crucial for the municipality.
  - Sound financial management and internal controls.
• Improves stakeholder confidence and trust;
• Establishes a reliable basis for decision making and planning;
  - Management considers its risk appetite in evaluating strategic alternatives, setting
  related objectives and developing mechanisms to manage related risks. This will
  assist in ensuring that management and employees understand, and are committed
  to, the Strategic Focus Areas defined in the IDP and the SDBIP, including an
  understanding of the key performance indicators (KPIs) against which our success is
  measured.
• Improves controls;
  - The risk management process will ensure that the system of internal control is cost
  effective. Areas of over-control should be identified and re-assessed.
• Effectively allocates and uses resources for risk treatment;
  - An effective budgeting process is needed to incorporate mitigations, which require
  financial resources.
• Improves operational effectiveness and efficiency;
  - The identification of risks in areas such as capital projects will maximise the
  opportunity of delivering the project on time, at the right quality and within budget.
• Improves loss prevention and incident management, and minimises losses;
  - ERM provides the rigour for management to identify alternative risk responses: risk
  avoidance, reduction, sharing and acceptance.
• Improves organizational learning;
  - The risk management process creates a platform to educate all management and
  employees on their responsibility for risk management and the effective application
  of internal controls. Risk management will be embedded at all levels within the
  Municipality.
• Improves organizational resilience.
  - Municipal resilience is critical in ensuring prompt and quality services irrespective
  of the conditions in the operating environment. The risk management process will
  drive the implementation of resilience-building mechanisms across the municipality.

SECTION 1 – ENTERPRISE RISK MANAGEMENT POLICY
1 Introduction
The Accounting Officer has committed eThekwini Municipality (Institution) to a process of risk
management that is aligned to the principles of good corporate governance, as supported by
the Municipal Finance Management Act (MFMA), Act No. 56 of 2003.

2 Risk and Risk Management

Risk refers to an unwanted outcome, actual or potential, to the department’s service delivery
and other performance objectives, caused by the presence of risk factor(s). Some risk
factor(s) also present upside potential, which Management must be aware of and be prepared
to exploit. Such opportunities are encompassed in this definition of risk.

Risk management is a systematic and formalised process instituted by management to
identify, assess, manage and monitor risks.

2.1 Benefits of Risk Management

EThekwini Municipality implements and maintains effective, efficient and transparent systems
of risk management and internal control. Risk management assists in achieving, among
other things, the following outcomes needed to underpin and enhance performance:
• more sustainable and reliable delivery of services;
• informed decisions underpinned by appropriate rigour and analysis;
• innovation;
• reduced waste;
• prevention of fraud and corruption;
• better value for money through more efficient use of resources; and
• better outputs and outcomes through improved project and programme management.

3 Purpose/rationale of the Policy

The purpose of this Policy is to articulate eThekwini Municipality’s risk management
philosophy. EThekwini Municipality recognizes that risk management is a systematic and
formalized process to identify, assess, manage and monitor risks and therefore adopts a
comprehensive approach to the management of risk.

4 Scope of the Policy

This policy is applicable throughout the municipality and its entities insofar as risk
management is concerned.

All other risk related policies in the municipality and its entities will align to this
enterprise-wide risk management policy.

5 The Policy
The realisation of our strategic plan depends on us being able to take calculated risks in a way
that does not jeopardise the direct interests of stakeholders. Sound management of risk will
enable us to anticipate and respond to changes in our service delivery environment, as well as
make informed decisions under conditions of uncertainty.
We subscribe to the fundamental principles that all resources will be applied economically to
ensure:
• The highest standards of service delivery;
• A management system containing the appropriate elements aimed at minimising risks and
costs in the interest of all stakeholders;
• Education and training of all our employees to ensure continuous improvement in
knowledge, skills and capabilities which facilitate consistent conformance to the
stakeholders’ expectations; and
• Maintaining an environment which promotes the right attitude and sensitivity towards
internal and external stakeholder satisfaction.
An entity-wide approach to risk management is adopted by eThekwini Municipality, which
means that every key risk in each part of the Municipality will be included in a structured and
systematic process of risk management. It is expected that the risk management processes
will become embedded into the department’s systems and processes, ensuring that our
responses to risks remain current and dynamic. All risk management efforts will be focused
on supporting the Municipality’s objectives. Equally, they must ensure compliance with
relevant legislation, and fulfil the expectations of employees, communities and other
stakeholders in terms of corporate governance.

6 Link between Risk Policy and City’s Objectives

The Risk Policy is an endorsement by leadership of how the implementation of the risk
management process will contribute to maximising the potential of achieving municipal
objectives. The following are the strategic objectives:

• Develop and Sustain our Spatial, Natural and Built Environment;
• Developing a Prosperous, Diverse Economy and Employment Creation;
• Creating a Quality Living Environment;
• Fostering a Socially Equitable Environment;
• Creating a Platform for Growth, Empowerment and Skills Development;
• Embracing our cultural diversity, arts and heritage;
• Good Governance and Responsive Local Government; and
• Financially Accountable and Sustainable.

7 Development of Risk Appetite, Risk Culture and Philosophy and embedding process

Risk appetite is the amount of risk, on a broad level, that an organization is willing to accept
in pursuit of value. Each organization pursues various objectives to add value and should
broadly understand the risk it is willing to undertake in doing so.

An organization must consider its risk appetite at the same time it decides which goals or
operational tactics to pursue. To determine risk appetite, management, with board review
and concurrence, should take three steps:
1. Develop risk appetite
2. Communicate risk appetite
3. Monitor and update risk appetite

7.1 Develop Risk Appetite

Developing risk appetite does not mean that the organization shuns risk as part of its strategic
initiatives; quite the opposite. Just as organizations set different objectives, they will
develop different risk appetites. There is no standard or universal risk appetite statement that
applies to all organizations, nor is there a “right” risk appetite. Rather, management and the
board must make choices in setting risk appetite, understanding the trade-offs involved in
having higher or lower risk appetites.

7.2 Communicate Risk Appetite

Several common approaches are used to communicate risk appetite. The first is to create an
overall risk appetite statement that is broad enough yet descriptive enough for organizational
units to manage their risks consistently within it. The second is to communicate risk appetite
for each major class of organizational objectives. The third is to communicate risk appetite for
different categories of risk.

7.3 Monitor and Update Risk Appetite

Once risk appetite is communicated, management, with Council support, needs to revisit and
reinforce it. Risk appetite cannot be set once and then left alone. Rather, it should be
reviewed in relation to how the organization operates, especially if the entity’s business
model changes. Management should monitor activities for consistency with risk appetite
through a combination of ongoing monitoring and separate evaluations. Internal auditing can
support management in this monitoring. In addition, organizations, when monitoring risk
appetite, should focus on creating a culture that is risk-aware and that has organizational
goals consistent with Council.

7.4 Developing Risk Appetite

Developing risk appetite is about managing the organization. It is not about developing a
statement to be filed in a report. There are many ways to create a clear statement of risk
appetite. Organizations should identify the parameters of their risk appetite along key
strategic, operational, reporting, and compliance objectives.

Developing a risk appetite is not an end in itself and should not require an inordinate amount
of time. Remember the purposes of risk appetite are to:

• provide effective communication throughout the organization in order to drive the
implementation of enterprise risk management;
• change discussions about risk so that they involve questioning of whether risks are
properly identified and managed within the risk appetite; and
• provide a basis for further discussion of risk appetite as strategies and objectives
change.

7.5 Considerations Affecting Risk Appetite

Risk appetite is not developed in isolation from other factors. An organization should consider
its capacity to take on extra risk in seeking its objectives. It should also consider its existing risk
profile, not as a determinant of risk appetite but as an indication of the risks it currently
addresses. An overview of the considerations affecting risk appetite is shown in diagrams
below.

Overview of Considerations Affecting Risk Appetite (diagram: the four considerations below
feed into the determination of risk appetite)

• Existing Risk Profile: the current level and distribution of risks across the municipality
and across the various risk categories.
• Risk Capacity: the amount of risk that the municipality is able to support in pursuit of
its objectives.
• Risk Tolerance: the acceptable level of variation the municipality is willing to accept
regarding the pursuit of its objectives.
• Attitudes Towards Risk: the attitude towards growth, risk and return.

An organization has a number of goals and objectives it can pursue. Ultimately, it will decide
on those that best meet stakeholder preferences for growth, return, safety, sustainability
and its willingness to accept risk. The objectives, in turn, may be pursued using a number of
alternative strategies. As shown in the diagram below, the articulation of a risk appetite
provides boundaries on the choice of strategies and the operational decisions that are able
to pursue those objectives.

Interrelationship of Strategy, Management Decisions and Risk Appetite (diagram)

Sets strategic goals and objectives -> Formulates strategies (Integrated Development
Plan) -> Establishes operations, compliance and reporting objectives -> Makes decisions on
how to manage risks relating to the achievement of objectives.

Underlying all of these steps: considers risk appetite in the setting of strategies and
objectives, and in how to manage risks.

7.6 Steps in Adopting Risk Appetite

Each organization must determine its own risk appetite; there is no single universal risk
appetite. But how does an organization get to the point of having a risk appetite statement
that can be communicated through the organization? And how does risk appetite stay
relevant over time?

To effectively adopt risk appetite, an organization must take three key steps:
1. Management develops, with council review and concurrence, a view of the
organization’s overall risk appetite.
2. This view of risk appetite is translated into a written or oral form that can be shared
across the organization.
3. Management monitors the risk appetite over time, adjusting how it is expressed as
business and operational conditions warrant.

7.7 Communicating Risk Appetite

Once an overall risk appetite is developed, management must then choose the right
mechanism for communicating it. As we noted earlier, risk appetite statements will vary,
and organizations may communicate risk appetite at various levels of detail or precision. The
point is that each organization should determine the best way to communicate risk appetite
to operational leaders in a specific enough manner that the organization can monitor
whether risks are being managed within that appetite.

To be effective, risk appetite must be:

• operationalized through appropriate risk tolerances;
• stated in a way that assists management in decision making; and
• specific enough to be monitored by management and others responsible for risk
management.

7.8 Monitoring and Updating Risk Appetite

Once an organization’s risk appetite is developed and communicated, management, with
Council support, must revisit and reinforce it. Risk appetite cannot be set once and then left
alone for extended periods. Rather, it should be reviewed and incorporated into decisions
about how the organization operates. This is especially important if the organization’s
business model begins to change.

Management cannot just assume that responsible individuals will implement risk
management within the appropriate risk appetite. Therefore, some organizations will
review the application of risk appetite through a series of monitoring activities.
Management should monitor the organization’s activities for consistency with risk appetite
through the specifics identified with risk tolerances. Most organizations have key
performance risk metrics that they use to measure performance. It is easy to integrate risk
tolerances into the monitoring process used to evaluate performance. Internal auditing can
provide independent insight on the effectiveness of such processes.

7.9 Creating a Culture
For many organizations, monitoring risk tolerances requires a culture that is aware of risk
and risk appetite. Management, by revisiting and reinforcing risk appetite, is in a position to
create a culture whose organizational goals are consistent with the Council’s, and to hold
those responsible for implementing risk management within the risk appetite parameters.

Many organizations are effective at creating a risk-aware culture: a culture that emanates
from senior management, cascades through the organization, and is supported by Council.
In an effective culture, each member of the organization has a clear idea of what is
acceptable, whether in relation to behaving ethically, pursuing the wrong objectives, or
encountering too much risk in pursuing the right objectives.

Creating a culture is one way of reinforcing overall risk appetite. The approach is best used
when the organization has a well-communicated risk appetite and associated risk
tolerances, to the point at which the following outcomes exist:
• Consistent implementation across units
• Effective monitoring and communication of risk and changes in risk appetite
• Consistent understanding of risk appetite and related tolerances for each
organizational unit
• Consistency between risk appetite, objectives, and relevant reward systems

This approach draws on ongoing and separate evaluations conducted as part of the
organization’s monitoring. The individuals doing the monitoring consider whether the
objectives being set and the risk response decisions being made are consistent with the
organization’s stated risk appetite. Any variation from the stated (or desired) risk appetite is
then reported to management and Council as part of the normal internal reporting process.

8 Accountabilities and Responsibilities for managing risks

Every employee is responsible for executing risk management processes and adhering to risk
management procedures laid down by the Municipality’s management in their areas of
responsibilities.
In addition, the municipality has established the risk management department with
appropriately capacitated officials to assist in the development of the risk policy, risk strategy,
risk framework and risk plan. The ERM department assists and advises management on
implementation of risk governance. Management implements enterprise risk management.

9 Risk Governance and Oversight

The above diagram illustrates the risk governance structure within the municipality

9.1 Council

Council is the custodian of the risk management process and defines the strategic objectives.
This governance structure has a responsibility to ensure that properly established and
functioning systems of risk management are in place to protect the municipality against
significant risks.

9.2 Audit Committee

The Audit Committee is an independent committee responsible for oversight of the
department’s control, governance and risk management. The responsibilities of the Audit
Committee with regard to risk management are formally defined in its charter. The Audit
Committee provides an independent and objective view of the department's risk
management effectiveness. The Committee is responsible for providing the Municipal
Manager with independent counsel, advice and direction in respect of risk management. The
stakeholders rely on the Committee for an independent and objective view of the
Municipality’s risks and effectiveness of the risk management processes. In this way, the
Committee provides valuable assurance that stakeholder interests are protected.

9.3 Integrated Risk Management Committee

The Committee is responsible for engaging on strategic risk issues of risk management,
evaluating and monitoring the Municipality’s performance with regards to risk management.
The role of the Committee is to formulate, promote and review the Municipality’s ERM
objectives, strategy and policy and monitor the process at strategic, management and
operational levels.

9.4 Integrated Combined Risk and Managing the City Sub-Committee

The Committee is responsible for engaging on operational risk issues, key stakeholder issues,
evaluating and monitoring the Municipality’s performance with regards to risk management.
It promotes integration of processes and provides input to the Integrated Risk Management
Committee for consideration.

10 Risk Management Implementers

10.1 Accounting Officer

The Accounting Officer is the ultimate Chief Risk Officer of the Municipality and is accountable
for the Municipality’s overall governance of risk. By setting the tone at the top, the
Accounting Officer promotes accountability, integrity and other factors that will create a
positive control environment.

• The Accounting Officer ensures that employees receive full support and resources in
fulfilling their risk responsibilities.
• The Accounting Officer ensures that proper governance mechanisms/instruments are in
place to effectively monitor and report risks and the way they are managed.

10.2 Management

Management is responsible for executing their responsibilities outlined in the risk
management strategy and for integrating risk management into the operational routines.

10.3 All Employees

Other officials are responsible for integrating risk management into their day-to-day activities.
They must ensure that their delegated risk management responsibilities are executed and
continuously report on progress.

11 Risk Management Support

11.1 Chief Risk Officer

The Chief Risk Officer is the custodian of the Risk Management Framework, championing and
coordinating risk management activities throughout the Municipality. The primary
responsibility of the Chief Risk Officer is to bring to bear his/her specialist expertise to support
and guide the Municipality’s various role players in embedding risk management and leverage
benefits to enhance performance.

11.2 Cluster and Unit Risk Champion

The Risk Champion is responsible for implementing risk management and for intervening in
instances where risk management efforts are being hampered, for example by forging
co-operation from Management and other officials, and by addressing a lack of departmental
skills and expertise.

11.3 The Three Lines of Defence

King III defines combined assurance as follows: “Integrating and aligning assurance processes
in an organisation to maximise risk and governance oversight and control efficiencies, and
optimise overall assurance to the audit and risk committee, considering the company's risk
appetite.”

1st Line of Defence: The City Manager, supported by Management (EXCO), has overall
responsibility for the management of the risks facing the Executive Management and staff
within each business unit. They take ownership of the identification, assessment, management,
monitoring and reporting of enterprise risks arising within their areas of responsibility.

2nd Line of Defence: comprises three offensive/defensive lines, being Executive Management
supported by the Finance, Legal and Human Resources functions. These functions provide
support (technical or otherwise) and advice to management at EXCO level and in the Business
Units. The Risk Function recommends risk policies for EXCO approval, provides objective
oversight and co-ordinates ERM activities in conjunction with other specialist risk-related
functions. The Risk Function is not accountable for the day-to-day management of financial
and non-financial risks.

3rd Line of Defence: comprises three offensive/defensive lines, being Internal Audit, External
Audit and Council Committees. They provide independent, objective assurance on the
effectiveness of the management of enterprise risks across the enterprise. This is provided to
the eThekwini Municipality EXCO through the Internal Audit function and External Audit, which
are supported by the Audit and Risk Management Committees existing at Business Level.

[Diagram: Combined Assurance. Management, Internal assurance and External assurance
together provide combined assurance over the risk areas affecting eThekwini Municipality.]

11.3.1 First Line of Defence

Management/Business Unit Executive Teams
• Ensure that the risks to the achievement of the eThekwini Municipality overall strategic
and business objectives are identified, assessed, managed, monitored and reported
effectively, through the implementation of the policy statements, supporting guidance
and procedures.
• Management and Heads/Executives are responsible for designing and implementing
processes that will enable them to effectively manage risk within the defined risk
appetite.
• Ensure that key process controls are documented, regularly reviewed and updated.
• Report on the status of the management of risk to the relevant management. This is
distributed to the Audit and Risk Committees.
• The Municipal Manager is accountable for the establishment, maintenance and
monitoring of the systems of internal control, risk management arrangements and for
providing assurance on these systems to the EXCO, Audit and Risk Committee.
• Are responsible to the Municipal Manager for the establishment, maintenance,
monitoring of the systems of internal control, risk management arrangements and for
providing assurance on these systems to the Municipal Manager, Council, Audit and Risk
Committee.

All employees
• Must be aware of and understand the risks associated with their actions and comply with
the policies standards, supporting guidance and procedures.

• Must ensure the identification of new risks to their area of accountability and
responsibility to manage and/or escalate to management those risks as appropriate.
• To report significant risk matters, including deficiencies in policies and procedures to their
management and/or in exceptional circumstances to use the Whistle-blowing process.

11.3.2 Second Line of Defence

Treasury
• Manages the control functions on an integrated basis in order to ensure a coherent and
consistent approach to risk control within finance, strategic planning, balance sheet and
capital management.
• Responsible for ensuring effectiveness, efficiency and integrity of the system of internal
control, including financial, operational, compliance and risk management.

Risk Management
• Provides guidance to the Council on overall leadership, vision and direction for ERM.
• Assists the City Manager and eThekwini Municipality EXCO to develop their risk
management strategy and policy in accordance with the Council approved risk appetite.
• Oversees and promotes the development and implementation of a consistent global ERM
framework that supports the achievement of the municipality’s overall goals and objectives.
• Recommends the ERM framework for identifying, assessing, managing, monitoring and
reporting all enterprise risks across the organization for approval to the Council.
• Develops, communicates and assists in the implementation of ERM policy supporting
guidance and procedures.
• Recommends policy, supporting guidance and procedures on risk management to be
applied from business unit to the EXCO levels.
• Maintains the ERM framework and policy.
• Promotes the development of reporting structures, meeting the information
requirements of the City Manager and EXCO for risk aggregation and concentration of
organisation-wide risk exposures.
• Assists the Chief Audit Executive and EXCO to formulate the risk appetite and strategies
for managing the risks facing the municipality.
• Provides central expertise on all aspects of risk related policies, supporting guidance and
procedures, and assists the business in the implementation of risk management
methodologies and initiatives developed at EXCO level.
• Provides oversight for risk management activities across the municipality.
• Reports on challenges to the risk management information received from the Chief
Executive and Business Units, and distributes reports to the various risk committees.

Other Specialist Functions (for example Finance, Legal, etc.)
• Support the risk functions through the provision of advice and specialist knowledge to
management in achieving compliance with the Risk Management Strategy.

11.3.3 Third Line of Defence

Audit and Risk Committees
• Responsible for reviewing on behalf of the EXCO the effectiveness and integrity of the
eThekwini Municipality system of control including controls relating to risk management,
and monitoring processes and procedures.
• Reviews the approach through which risk management is conducted and the
effectiveness of these processes and systems.
• Receives and reviews reports relating to the effectiveness of the system of control,
integrity of the system of control and risk management arrangements within the
eThekwini Municipality and its business units.
• Supports the Council in conducting its responsibilities through the provision of
information relating to the status of the system of control and risk management
arrangements of the business units falling within its remit.

Internal Audit
• Supports the Audit, Risk and Council’s Committees to meet their terms of reference.
• Provides independent, objective review and evaluates the effectiveness and integrity of
the system of control and risk management arrangements.
• The Chief Audit Executive meets regularly with the Chairman of the Audit and Risk
Committees, attends all Audit and Risk Committee meetings and meets regularly with
the Deputy City Managers and the City Manager.

12 Risk Management Assurance Providers

12.1 Internal Audit

The role of Internal Auditing in risk management is to provide independent, objective
assurance on the effectiveness of the department’s system of risk management. Internal
Auditing must evaluate the effectiveness of the entire system of risk management and
provide recommendations for improvement where necessary.

12.2 External Audit

The external auditor (Auditor-General) provides an independent opinion on the effectiveness
of risk management.
An entity-wide approach to risk management will be adopted by the Institution, which means
that every key risk in each part of the Institution will be included in a structured and
systematic process of risk management. It is expected that the risk management processes
will become embedded into the Institution’s systems and processes, ensuring that our
responses to risk remain current and dynamic.
All risk management efforts will be focused on supporting the Institution’s objectives. Equally,
they must ensure compliance with relevant legislation, and fulfil the expectations of
employees, communities and other stakeholders in terms of corporate governance.

13 Risk Management Performance
A self-assessment of risk maturity is carried out annually by the municipality in order to
identify gaps and put mechanisms in place to improve risk management effectiveness. An
independent review of enterprise risk management is performed by a co-sourced service
provider, because risk management forms part of internal audit; this ensures the independence
of the review. The results of the maturity assessment and the effectiveness review are
reported to the Audit Committee.

14 Conflict of Interest
Issues of conflict of interest are dealt with in terms of the municipality policy on conflict of
interest.

15 Policy review
This Policy shall be reviewed annually and/or as and when the need arises.

Recommended by the Accounting Officer

Signature: _______________
Date: _______________

Approved by the Council / Authority:

Signature: _______________
Date: _______________

Section 2 - Enterprise Risk Management Framework

1 Purpose of the ERM framework

The purpose of the framework is to:

 Provide a comprehensive approach to enhance and integrate risk management into
strategic decision-making;
 Provide guidance for the accounting officer, managers and employees when developing,
implementing and monitoring processes, systems and techniques for managing risk, which
are appropriate to the context of the municipality;
 Advance the development and implementation of modern management practices and
support innovation throughout the municipality; and
 Contribute to building a risk-smart workforce and environment that allows for innovation
and responsible risk-taking, while ensuring precautions are taken to protect the public
interest and maintain public trust.

This framework sets the context in which risks are managed, how they will be identified,
analysed, controlled, monitored, and reviewed.
The Enterprise Risk Management Framework specifically addresses the structures, processes
and standards implemented to manage risks on an enterprise-wide basis in a consistent
manner.
As the field of risk management is dynamic, this framework document is expected to change
from time to time.

The implementation of the Enterprise Risk Management Framework will:

 Support the municipality’s governance responsibilities by ensuring that significant risk
areas associated with policies, IDP, programs, projects and operations are identified
and assessed, and that appropriate measures are in place to address uncertain
impacts;
 Improve results through informed decision-making, by ensuring that values,
competencies, tools and the supportive environment form the foundation for
innovation and responsible risk-taking, and by encouraging learning from experience;
 Strengthen accountability by demonstrating that risks associated with policies, IDP,
programs, projects and operations are explicitly understood and that investment in
risk management measures and stakeholder interests are optimally balanced; and
 Enhance stewardship and transparency by strengthening the Municipality’s capacity.

The success of risk management will depend on the tone set by management in providing the
foundation and arrangements that embed risk management throughout the organization at all
levels. The framework assists in managing risks effectively through the application of the risk
management process at varying levels and within specific contexts of the organization.
Furthermore, the framework ensures that information about risk derived from the risk
management process is adequately reported and used as a basis for decision making and
accountability at all relevant organizational levels.
The diagram below describes the necessary components of the framework for managing risk.

[Diagram: relationships between the risk management principles, framework and process.
(1) Principles: 1. Creates and protects value; 2. Integral part of organisational processes;
3. Everyone is responsible for risk management; 4. Part of decision making; 5. Considers
human and cultural factors; 6. Based on best available information; 7. Transparent and
inclusive; 8. Explicitly addresses uncertainty; 9. Systematic, structured and timely;
10. Tailored; 11. Dynamic, iterative and responsive to change; 12. Facilitates continual
improvement and enhancement.
(2) Framework: Mandate and commitment; Design of framework for managing risk (PLAN);
Implementing risk management; Monitoring and reviewing risk management (CHECK);
Continual improvement of framework (ADJUST).
(3) Process: Context; Risk assessment, comprising risk identification, risk analysis and
risk evaluation; Risk response; with Communication and consultation and Monitoring and
review applied throughout.]

2 Design of the framework for managing risk

2.1 Understanding the Municipality and its context


Evaluating eThekwini municipality’s external context includes, but is not limited to:
 the social and cultural, political, legal, regulatory, financial, technological, economic,
natural and competitive environment, whether international, national, regional or local;
 key drivers and trends having impact on the objectives of the municipality; and
 relationships with, and perceptions and values of, external stakeholders to eThekwini
municipality.

Evaluating the organization's internal context may include, but is not limited to:
 governance, organizational structure, roles and accountabilities;
 policies, objectives, and the strategies that are in place to achieve them;
 capabilities, understood in terms of resources and knowledge (e.g. capital, time,
people, processes, systems and technologies);
 information systems, information flows and decision making processes (both formal
and informal);
 relationships with, and perceptions and values of, internal stakeholders;
 the organization's culture;
 standards, guidelines and models adopted by the organization; and
 the form and extent of contractual relationships.

2.2 Establishing risk management policy


The eThekwini risk management policy clearly states the municipality’s objectives for, and
commitment to, risk management and addresses the following:
 the municipality’s rationale for managing risk;
 links between the municipal objectives and policies and the risk management policy;
 accountabilities and responsibilities for managing risk;
 the way in which conflicting interests are dealt with;
 commitment to make the necessary resources available to assist those accountable
and responsible for managing risk;
 the way in which risk management performance will be measured and reported;
 commitment to review and improve the risk management policy and framework
periodically and in response to an event or change in circumstances; and
 ensuring the risk management policy is appropriately communicated.

2.3 Accountability

eThekwini municipality ensures that there is accountability, authority and appropriate
competence for managing risk, including implementing and maintaining the risk management
process and ensuring the adequacy, effectiveness and efficiency of any controls. This is
facilitated by:
 Identifying risk owners that have the accountability and authority to manage risks;
 Identifying accountability for the development, implementation and maintenance of
the framework for managing risk;
 Identifying other responsibilities of all stakeholders at all levels in the municipality for
the risk management process;
 Establishing performance measurement and external and/or internal reporting and
escalation processes; and
 Ensuring appropriate levels of recognition in the municipality.

2.4 Council responsibilities
The following are the broad responsibilities pertaining to risk management:
 Council has the ultimate responsibility for the approval of policies at eThekwini
municipality.
 The Audit Committee is charged with the responsibility of providing oversight on
behalf of the municipal council.
 The City Manager is overall accountable for the implementation of enterprise risk
management in the municipality.
 Management are the risk owners at various levels within the municipality.
 Risk category owners are responsible for providing support and expert advice to
management in embedding category risk management in the municipality.
 Risk Champions assist the risk owners (management) in discharging their risk
management responsibilities as articulated in the policy.
 Every employee within eThekwini municipality has a responsibility to manage risk
within their respective areas of operations.

2.5 Institutional Affiliation


The following standard-setting bodies, professional organisations and regulators provide
guidance in the risk management fraternity:

 Auditor General of South Africa (AGSA);
 National Treasury (NT);
 Institute of Directors South Africa (IODSA);
 International Standards Organisation (ISO);
 Institute of Risk Management South Africa (IRMSA); and
 Australian/New Zealand Standards (A/NZ).

2.6 Integration of risk management

[Diagram: integrated process linking performance, budget, internal audit reports, IDP review,
the risk profile and the strategic risk register; materialised and emerging risks and
opportunities feed into the integrated process.]

Risk management should be embedded in all the municipality’s activities and processes in a
way that it is relevant, effective and efficient. The risk management process should become
part of, and not separate from any of the municipal processes. It is critical that risk
management should be embedded into the policy development, strategic and operational
planning, review and change management processes.
The governance structure and process are based on the management of risk. Effective risk
management is regarded by managers as essential for the achievement of the organization's
objectives.
The municipal risk management plan will outline activities on how the risk management policy
and framework should be implemented, and embedded in all of the municipality’s
programmes and processes. This plan can be integrated into other municipal plans, such as a
strategic plan etc.

2.7 Resources

2.7.1 Human resources


The municipality has established the risk management unit, with suitably qualified and
experienced risk practitioners who provide support to management on matters of
implementation. The risk practitioners keep abreast of the latest developments in the
profession through participation in on-going professional development
initiatives/programmes.
eThekwini has introduced a range of skills development initiatives aimed at developing and
upskilling the risk champions to create awareness of the latest risk management
developments, competency and understanding. The following are the initiatives:
 Risk Champions forum – the forum meets quarterly to provide updates and engagement
on current risk trends and the risk profile; and
 Monthly cluster/unit risk champions meetings – these meetings are aimed at
providing specific attention to risk matters affecting the cluster and its units.

2.7.2 Technological Resource


The CURA system is used to capture, manage, monitor and report risks that have been
identified.
The intranet and SharePoint are valuable internal systems that are used to publicise risk
documents and for general communication to all employees.

2.8 Knowledge Management


The Enterprise Risk Management processes and procedures are documented and
continuously updated to reflect current risk management practices. These are official risk
reference documents.

2.9 Training Programmes


Risk management training is offered at induction stage for all new municipal employees.
Refresher training is conducted annually, during risk assessments, risk reviews and when
necessary.
Training programmes are continually updated to align with municipal policies and
strategies, industry best practice as well as risk management best practice and guidelines.
Categories of risk are managed by different units but are coordinated municipality-wide by
ERM through the Risk Category Forum, which covers all categories in one forum.
The Risk function will only assist with risks outside the risk appetite and tolerance, issues
that have been elevated strategically, and issues raised by oversight bodies and regulators.

2.10 Establish internal communication and reporting mechanisms


The municipality has established an internal communication platform and defined
reporting mechanisms to support and encourage accountability and ownership of risk
across all clusters and units. These mechanisms ensure that:
 key components of the risk management framework, and any subsequent
modifications, are communicated appropriately;
 there is adequate internal reporting on the framework, its effectiveness and the
outcomes;
 relevant information derived from the application of risk management is available
at appropriate levels and times; and
 there are processes for consultation with internal stakeholders.
The above-mentioned mechanisms include processes to consolidate risk information
from a variety of sources such as, but not limited to, business risk registers, research
papers, the Global Risk Report, the South African Risk Report, and any other source that might
hold risk-sensitive information.

Establish external communication and reporting mechanisms

IDP – alignment of risks to IDP objectives and strategic focus areas.

2.11 Annual risk report


Aligned with the annual ERM plan, there will be an annual communication strategy.
Questionnaires will be conducted with various stakeholders and improvements considered. Risk
research documents communicate benchmarks with other metros, together with trends and
analysis. Information is published in Municipal IQ literature with a focus on local government.
Risk Africa covers international best practice, and professional bodies such as Risk SA, Global
Risks, BCI and Continuity Central, and PMI for project governance and delivery, cover the
local government sector.

3 Implementing Risk Management

3.1 Implementing the framework for managing risk


The framework will be implemented in a phased approach over a five-year period. This will
allow alignment with IDP objectives while the process evolves towards the desired maturity
levels.

The road map below indicates targeted activities that will be implemented over a 5-year period.

[Roadmap diagram; the activities shown include:]
 Develop and establish a focus-based risk profile to prove risk management’s value
added; quantify and qualify risk value; governance structure reporting; assessment of
culture change.
 Establish leadership authority and approval of the desired maturity assessment and
roadmap; assessment of culture change.
 Revision of the ERM framework and documentation of the risk process that will assist
in reaching the desired risk maturity; assess culture change.
 Introduction of the new ISO 31000 methodology; municipal-wide training, awareness and
change management; setting risk appetite and tolerance; identifying improvements and
successes in our current ERM processes; leadership engagement on the desired risk
maturity level.
 Drafting and consulting with various stakeholders on the review of the ERM policy and
framework; questionnaire on the current ERM process and improvements.

The detailed activities that will be implemented on an annual basis are outlined in the ERM
Plan in section 4.
Risk management has been integrated with other municipal processes as detailed in section
1.2.6.
This framework integrates other risk category frameworks, such as the compliance framework,
which promotes adherence to all legislation impacting the municipal environment.

It is desired that risk management proactively informs decision making; the ideal time for risk
identification is during the development and setting of objectives, so that risk management is
aligned with outcomes.
There will be focused attention on risk training and awareness for political and administrative
leadership, new and existing employees as well as stakeholders.
The risk management department will participate in various public risk management forums.

3.2 Monitoring and Review of the Framework (BCM, ERM, PRM)


In order to ensure that risk management is effective and continues to support municipal
performance, the city should perform the following:

 Measure risk management performance against indicators, and periodically measure
progress against, and deviation from, the risk management plan;
 Periodically review whether the ERM, BCM and Project Risk Management framework,
policy and plan are still appropriate against the internal and external context;
 Report progress on the risk management plan on a quarterly basis; and
 Review the effectiveness of the risk management framework.

3.3 Continual Improvement of the Framework


Based on the results of monitoring and reviews, decisions should be made regarding the areas
of improvement in the risk management culture.

4 Risk Management Process


Within the ERM Department the following are the specific focus areas that drive our
engagement:

 Informed risk advisory services;
 Project Risk Management; and
 Business Continuity Management.

4.1 Business Continuity Management


eThekwini Municipality BCM drives the implementation of continuity risk responses, with a
specific focus on the strategic, tactical and operational capability of the municipality to prepare
for, respond to and recover from incidents and business disruptions in order to continue
business operations at an acceptable predefined level. Furthermore, it drives the availability of
municipal services, programs and operations, including all resources involved, and the timely
resumption of services in the event of a disruption.

4.2 Project Risk Management
Project risk management supports the delivery of capital projects within municipal
clusters/units by ensuring that risks associated with project delivery are identified, analysed,
evaluated and reported to the various project stakeholders for decision making, thereby
maximising the opportunity of delivering projects on time, at the right quality and within the
allocated budget.
It embeds risk management principles and culture throughout the project delivery cycle.
Project risk management will assist the municipality to integrate and enhance the delivery of
capital projects, thus improving and fast-tracking service delivery.

4.3 Risk Categorization


Risk Category refers to "a group of potential causes of risk".
The whole purpose of risk categorization is to systematically identify risks in a consistent
manner and organize them so that they can be better managed. It also helps to identify the
root causes of these risks more effectively. The municipality has established the risk category
forum to better manage risk.
The following are some of the risk categories that exist within the municipality:
 Health and Safety Category;
 Compliance Category;
 Fraud and Theft Category;
 IT Category;
 Human Resource Category; and
 Infrastructure and Assets Management Category.

4.4 Risk Assessments


Once a year, the Municipality will undertake a thorough assessment of its risks at all levels
(strategic level, programs/clusters level, projects/units level and process/department level)
using the following methodology.
A risk assessment is the process by which the risks to be managed in the Municipality are
identified. Comprehensive identification using a well-structured, systematic process is critical,
because risks that are not identified are never analysed further, which can lead to major
catastrophic events or surprises.

[Diagram: The Enterprise Risk Management Process – ISO 31000:2009. Steps: Establish goals
and context; Identify risks; Analyse risks (likelihood and impact); Evaluate the risks; Treat
the risks; with Consultation/Communication and Monitor/Review running alongside every step.]


There are many different processes and methodologies in use by which risks can be identified,
e.g. risk workshops, interviews, questionnaires and surveys, research, and control and risk
self-assessments.
At a minimum a risk assessment should result in:
 Identification of relevant risks towards the achievement of objectives; and
 The prioritization of risks, which often necessitates estimating the timing, magnitude
and probability of risk occurrence.
The first part of carrying out a structured risk assessment is to profile the key building blocks
of the Municipality. This will highlight dependencies, critical parts of the business and start
to pinpoint vulnerabilities.

4.5 Profile the context (Internal and External)


By establishing the context, the organization articulates its objectives, defines the external
and internal parameters to be taken into account when managing risk, and sets the scope and
risk criteria for the remaining process. While many of these parameters are similar to those
considered in the design of the risk management framework (see 1.2.1), when establishing
the context for the risk management process, they need to be considered in greater detail and
particularly how they relate to the scope of the particular risk management process.

4.5.1 Establishing the external context


The external context is the external environment in which the organization seeks to achieve
its objectives.

Understanding the external context is important in order to ensure that the objectives and
concerns of external stakeholders are considered when developing risk criteria. It is based on
the organization-wide context, but with specific details of legal and regulatory requirements,
stakeholder perceptions and other aspects of risks specific to the scope of the risk
management process.
The external context can include, but is not limited to:
 The social and cultural, political, legal, regulatory, financial, technological, economic,
natural and competitive environment, whether international, national, regional or
local;
 Key drivers and trends having impact on the objectives of the Municipality; and
 Relationships with, perceptions and values of external stakeholders.
Stakeholders may include, but are not limited to:
 Community;
 Councilors;
 Consumers;
 Business;
 National & Provincial Government;
 Employee organizations;
 Preferred suppliers; and
 Professional bodies.

4.5.2 Establishing the internal context


The internal context is the internal environment in which the organization seeks to achieve its
objectives.
The risk management process should be aligned with the Municipality's culture, processes,
structure and strategy. Internal context is anything within the Municipality that can influence
the way in which an organization will manage risk.
The following are the internal stakeholders:
 Political leadership
 Employees
 Executives

4.6 Map the Municipality’s strategy


The Municipality’s strategy must be specifically verified and interpreted in the context of risk.
This is incorporated in the 5 year integrated development plan. The future direction and
intent of the Municipality must be understood.
The Municipality may be seeking to differentiate. For example, investments into technology
(e.g. upgrading of the IT system) may be the strategic direction of the Municipality.
When mapping the strategy, risk appetite must be considered where the desired return from
a strategy should be aligned with the Municipality’s risk appetite. Different strategies will
expose the Municipality to different risks.

4.7 Profile the key processes
The key activity chains must be profiled and documented. The service delivery processes must
be profiled. The drivers of service delivery processes and the key features of these processes
must be identified and interpreted. For example:
 The processes that generate cash must be profiled;
 The drivers of the Municipality’s processes and the key features of these processes
must be identified and interpreted;
 Incoming actions such as recruitment, purchasing and procurement must be identified;
 Outgoing processes such as public relations, investments and branding should be
profiled; and
 Inherent and cyclical processes such as budgeting, information systems and staffing
matters must be incorporated into the Municipality’s risk profile.

4.8 Profile the Municipality’s value creation processes


The manner in which economic value is generated by the Municipality must be identified and
interpreted. This contributes to the understanding of potential risk in the Municipality. The
drivers of value must be identified. Methods of valuation must be understood. The
Municipality’s values of risk can be identified, calculated and profiled. These values will relate
to all classes of asset and liability within the business. The following aspects should be
profiled:
 Asset values;
 Revenue and expenditure streams;
 Service portfolios; and
 Socio economic processes.

4.9 Identify and profile the Municipality’s key assets and performance drivers

The key assets and performance drivers should be profiled and should include amongst
others:
 Critical success factors;
 Consumer satisfaction;
 Core competencies;
 Competitive strengths and weaknesses; and
 Asset performance.

4.10 Profile the objectives of the Clusters/Units/Process


The profile of the individual functional objectives should take into consideration:
 Revenue and expenditure targets;
 Community objectives service needs and targets;
 Socio economic targets; and
 Other operational objectives

4.11 Risk Assessment Process
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.
The municipality should identify sources of risk, areas of impacts, events (including changes in
circumstances) and their causes and their potential consequences. The aim of this step is to
generate a comprehensive list of risks based on those events that might create, enhance,
prevent, degrade, accelerate or delay the achievement of objectives. It is important to identify
the risks associated with not pursuing an opportunity. Comprehensive identification is critical,
because a risk that is not identified at this stage will not be included in further analysis.
Note: ISO/IEC 31010 provides guidance on risk assessment techniques.
The next part of the risk assessment process is to identify threats and risks to all of the
elements of the Municipality’s model, profiled above. This can be done using the following
processes:

4.11.1 Identify potential sources of risk associated with the Municipality’s profile
Having established the Municipality’s profile, the risk assessment process must then identify
the potential sources of risk associated with each element of the profile. The Municipality will
follow a top-down approach. Risk is apparent in potential sudden and unforeseen events, in
variances, volatility and failure.
Risk will be apparent in non-linear change, weakness and non-performance. Risk will also be
reflected in dimensions of non-conformance. Sources of risk will be classified into external
and internal factors. The risk assessment process must select a time period within which risks
will be considered. The process must have a future orientation as well as examining the facts
of today’s operational profile.

4.11.2 Assess the impact of risk across the Municipality


Risks do not normally exist in isolation. They usually have a potential knock-on effect on other
functions, processes and risk categories. These cause and effect relationships must be
identified and understood. This principle must become a deliberate and formal part of the risk
assessment process. The results of the process must be documented. The aggregated effect of
these risk groupings and linkages should be profiled. Many cross-functional effects of risk may
not be immediately apparent without deliberate and systematic analysis, so a formal
approach is required.

4.11.3 Identify any influencing factors that may contribute to or shape the risk
profile
Having identified a key risk exposure (e.g. increasing competition, lack of funding) the risk
assessment must identify the factors that influence and shape the risk (e.g. barriers to entry).
Every key risk will have influencing factors or variables. Such factors may relate to inherent
risk dynamics such as aggregation, accumulation and correlation. Others may relate to timing
and cyclical factors.

Other influences will be reflected in volatility, dependencies and criticality. The degree of
diversification and spread of value may also shape the risk profile. All influencing factors must
be documented as part of the process.

4.11.4 Evaluate recent and imminent internal changes as possible sources of risk
Recent changes in the Municipality may be a source of present risk (e.g. a restructuring
process). Equally, imminent change may alter the risk profile. The nature of the changes may
relate to the launch of programs or services.
Major changes in the Municipality’s organizational structure can change the dynamics of risk.
Retrenchments, cutbacks and layoffs are obvious sources of risk. Significant shifts in strategic
direction may increase the values at risk in the Municipality.

Identify external changes and identify associated risks

Risk assessment processes must not only focus on existing dynamics prevailing in the
Municipality. Near-future changes must also be included in the process. Time horizons should
be determined for this. Anticipated changes that are self-generating will be easily identifiable,
such as investments, capital projects or launching of new capital projects. Their associated
risks must be assessed as part of the risk strategy.
Certain changes in the local government sector, but outside of the Municipality’s control can
also be anticipated such as regulatory change and competitive movements.

4.11.5 Identify the potential root causes of risk events


Exposures could indicate the potential for risks materializing. Perils or triggers cause actual
events. Such triggers or events must be identified and documented. The purpose of
identifying potential root causes is to give direction to risk intervention measures. This
process of identifying root causes of events may be left until after the first round of risk
assessments has been completed.

4.11.6 Identify the key controls currently implemented for the identified risks
The existing controls implemented for identified risks must be documented. The term
“control” should not be construed only as a financial term. It is now the commonly accepted
term to describe any mitigating measure for any particular type of risk. Controls may take the
form of financial mitigations such as hedges, insurance or securities.
They may be managerial in nature such as compliance procedures, policies and levels of
authority. Controls may be strategic in nature such as diversification related. Controls could
also be legal such as contracts and indemnities.

4.11.7 Identify the perceived shortcomings in current measures to mitigate the impact of risks

Management must embark upon a formal process to evaluate the appropriateness of current
controls. The levels of risk appetite and limits of risk tolerance will provide the framework to
gauge these. Executive observation and judgment is often sufficient to identify shortcomings
in control measures, and the level of desired control effectiveness can be expressed.

Operational and technical risks lend themselves to a more rigorous process of evaluating
control effectiveness. Management must consider all categories of mitigation in this process.
Results must be recorded in the relevant risk registers.

4.11.8 Consider control effectiveness


Controls are the management activities / policies / procedures/ processes / functions /
departments / physical controls that the Council, Municipal Manager and Management have
put in place, and rely upon, to manage the strategic and significant risks. These actions may
reduce the likelihood of occurrence of a potential risk, the impact of such a risk, or both.
When selecting control activities management needs to consider how control activities are
related to one another.
Management then needs to assess the control effectiveness based on their understanding of
the control environment currently in place at the Municipality. At this stage of the process,
the controls are un-audited, and rated according to management’s interpretation of control
effectiveness.

4.11.9 Calculate residual risk status


Residual risk reflects the risk remaining after management’s intended actions to mitigate an
inherent risk have been effectively implemented. Risks are now ranked, taking into
consideration the inherent risk rating, and the control effectiveness rating. The ranking of risks
in terms of net potential effect provides management with some perspective of priorities, and
should assist in the allocation of capital and resources in the Municipality.

4.11.10 Control requirements

Every risk will have a number of controls, mitigations or interventions that have been
designed to contain the potential impact or likelihood of the risk. These controls need to be
identified and evaluated. They will form the basis of an assurance plan to the Council and
Municipal Manager, and may be tested by the internal audit process or other independent
means of evaluation.
The following aspects of the control environment should be considered:

4.11.11 Verify and evaluate the controls currently in place for key risks
It is vital that all of the existing controls for identified risks are in turn identified and
evaluated. Such controls may take the form of policies, procedures, management activities
and instructions. The controls must be evaluated in two essential ways.
Firstly, an evaluation of the appropriateness and adequacy of the existing controls for the risk
must be undertaken.
Secondly, the performance of the existing controls must be evaluated.
Desired levels of control effectiveness must be determined. The gap between existing control
effectiveness and desired effectiveness must result in an action plan.

4.11.12 Evaluate the strategic mitigations in place for key risks
A specific review of the Municipality’s strategic position in the context of risk must be carried
out. The Municipality’s ability to liquidate its positions must be assessed. The degree of
strategic flexibility in response to a risk event must be considered.
The robustness of the strategy in the context of the risk assessment findings must be
evaluated. Likely strategic responses to risk and their performance are aspects that must be
fully understood. This process may require separate processes of scenario planning around
strategic intent.

4.11.13 Identify and evaluate the post-event measures in place for response to risk
The ability of the Municipality to respond to a risk event must be evaluated in detail, and the
results recorded as a control in the risk register. Post-event measures include crisis
management capabilities, emergency planning, business continuity plans and contingency
planning. These responses should incorporate planned measures that cover the basic types of
managerial response, such as finance, people, technology and consumers.
The criteria for performance will include speed of response, comprehensiveness of response
and degree of readiness.

4.11.14 Review the financial risk protection measures in place to respond to the
consequences of risk events
The Municipality’s risk finance measures include an insurance portfolio, self-insurance policies
and funds, financial provisions, and operating budgets for the funding of losses or variances.
Management must compare the results of risk assessment processes with the current risk
finance arrangements.
This will highlight the net financial effect of risk events upon the Municipality. It will also
influence the decisions relating to the structure of risk finance. Certain risks may be deemed
intolerable and may require a self-insurance facility or provision to manage the risk. Low risks
may lead to greater risk retention limits.

4.11.15 Verify the levels of compliance with regulatory requirements

Adherence to legislation and regulatory frameworks is not negotiable. It is essential that
risk-related requirements are incorporated into control frameworks. Relevant requirements
must be verified. It is the responsibility of management to build compliance processes around
these requirements. Any material breaches must be reported as deemed appropriate through
the structures of reporting developed for this.
Having ascertained the suitability, appropriateness and effectiveness of risk controls,
management will decide upon further action plans for actual and possible risks:

4.11.16 Take decisions on the acceptability of identified risks and controls

A distinct and conscious process of decision-making for each key risk must be made taking
into consideration the risk tolerance levels for the Municipality. The decisions made for every
key risk must be recorded. Decision options include the possibility to tolerate / accept, treat /
reduce, transfer / share or terminate / avoid risks. The potential impact upon strategic and
operational objectives will influence the outcomes of decision-making processes.
When taking a decision, care should be taken over any action that could:
• Result in serious injury or fatality;
• Result in significant harm to the environment;
• Impact on the reputation of the Municipality;
• Impact on the performance of the Municipality;
• Result in a fine by regulatory authorities;
• Undermine the independent and objective review of activities.
Possible prohibited risk areas include the following:
• Changes that could result in regulatory breach;
• Fraud and corruption;
• Theft of Municipality property; and
• Access to Municipality property by unauthorized personnel.
Any of the above would constitute an unacceptable risk.

4.11.17 Document your action plans for risk mitigation

The action plans for improving or changing risk mitigation measures must be documented in
the risk registers. It is important that a process of tracking progress made with risk
interventions is followed. Such a process provides a trail of information that may prove to be
necessary at some future stage. Good governance practices would expect this. Because risk is
often a process of perception, misunderstandings can arise where no record is kept.
The action plans must be unambiguous and provide target dates and names of responsible
persons. A process of follow-through must be used.

4.11.18 Use the outputs of risk assessments for budgeting and capital allocation
processes
It is important that risk information is factored into budgeting decisions. The variability of
budgeted targets must be considered, and one must assume that the risks associated with key
Municipality objectives in the budgets have been evaluated as part of risk assessment
processes. Considerations around budgeting should also be put in the context of cost-of-risk
evaluations.

4.11.19 Identify Key Risk Indicators

KRIs are metrics used to provide an early signal of increasing risk exposure in various areas
within the municipality. KRIs are typically derived from specific events or root causes, identified
internally or externally, that can prevent achievement of strategic objectives. The benefit of
adopting KRIs is that anticipating emerging risks and shifts in risk over time can reduce
losses and identify opportunities for strategic exploitation. These KRIs should be identified from
the top 10 strategic risks and be reported on a monthly basis. A dashboard and colour coding system
must be implemented as a reporting mechanism to management.

5 Governance requirements
Government has the responsibility to make policies and laws about the rights and
responsibilities of citizens and the delivery of government services. Government collects
revenue (income) from taxes and uses this money to provide services and infrastructure that
improves the lives of all the people in the country, particularly the poor.
The Constitution of South Africa sets the rules for how government works. There are three
spheres of government in South Africa:
• National government;
• Provincial government; and
• Local government.
The spheres of government are autonomous and should not be seen as hierarchical. The
Constitution says: “The spheres of government are distinctive, inter-related and inter-
dependent”. At the same time they all operate according to the Constitution and laws and
policies made by national Parliament.
The government machinery is made up of three parts:
• The elected members (legislatures) – who represent the public, approve policies and
laws and monitor the work of the executive and departments.
• The Cabinet or Executive committee (executive) – who co-ordinate the making of
policies and laws and oversee implementation by the government departments.
• The Judiciary is also defined as part of government, but they are independent so that
courts can protect citizens without being influenced or pressurized by government.
The independence of the Judiciary is a cornerstone of constitutional democracy. It
guarantees the supremacy of the Constitution. We do not deal with the Judiciary here
since they are not formally part of the policy-making or implementation machinery of
government.

5.1 National:
Role, powers and functions
• Laws and policies are approved by Parliament which is made up of the National
Assembly and the National Council of Provinces (NCOP). The National Assembly is
made up of members of Parliament, elected every five years.
• The NCOP was set up to ensure that provincial and local governments are directly
represented in Parliament. It is made up of representatives of provincial legislatures
and local government. Each province has a set number of permanent and rotating
representatives. The NCOP has to debate and vote on any law or policy that affects
provincial or local government.
• The President is elected by Parliament and appoints a Cabinet of Ministers. They act as
the executive committee of government and each Minister is the political head of a
government department.
• Each government department is responsible for implementing the laws and policies
decided on by Parliament or the Cabinet. Government departments are headed by a
Director General and employ Directors (managers) and public servants (staff) to do the
work of government.
• Every department prepares a budget for its work. The budgets are put into one
national budget by the Treasury (Department of Finance), which has to be approved by
Parliament. The Treasury has to balance the income and expenditure of government in
the budget and will rarely give departments everything they ask for.
• The Presidency coordinates the work of government and provides direction and
strategic support to ministers and departments. The Presidency monitors and
evaluates overall progress towards achieving government goals.
• The Department of Public Service and Administration (DPSA) sets the policies and
framework for the Public Service at national and provincial level. This role may be
extended to local government in the future.
• Some departments only exist at national level because they deal with issues that
concern the whole country. Examples are Defense, Foreign Affairs, Water and Forestry,
Science and Technology, Trade and Industry, Mineral and Energy, Public Enterprises,
Home Affairs and Public Service and Administration. Other departments have national
and provincial departments because they deal with direct provincial service delivery.
Examples are Education, Housing, Health and Social Development.
• Provincial or local government may not do anything that is against the laws or policies
set down by national government. Provincial government gets most of its money from
the national government through Treasury. Local government also gets grants and
some loans through the Treasury.
• The Department of Provincial and Local Government (which resides at the national
level) is responsible for national co-ordination of provinces and municipalities. In every
province, the provincial Department of Local Government monitors and supports
municipalities.

5.2 Provincial:
Role, powers and functions
• There are nine provincial governments. Every province has a Legislature made up of
between 30 and 90 members of the Provincial Legislature (MPLs). Some provincial laws
are approved by Legislatures. The Legislature also passes a provincial budget every
year. Legislatures are elected in provincial elections that are held with national
elections, every five years.
• A Premier is elected by the Legislature and appoints Members of the Executive Council
(MECs) to be the political heads of each provincial department. The MECs and the
Premier form the Provincial Executive Council (Cabinet).
• Provincial government is headed by a Director General and provincial departments are
headed by a Deputy Director General or a Head of Department. They employ Directors
(managers) and public servants to do the work of government. Most of the public
servants in the country fall under provincial government – these include teachers and
nurses.
• In each of the nine provinces there are usually at least twelve departments. The names
are slightly different and in some provinces departments are combined.
Each province has to develop a Provincial Growth and Development Strategy (PGDS) that
spells out the overall framework and plan for developing the economy and improving services.
Provinces also have a Spatial Development Framework (SDF) that says where and how
residential and business development should take place and how the environment should be
protected.
The provincial MEC and Department of Local Government are responsible for co-ordination,
monitoring and support of municipalities in each province.

5.3 Local (municipal):

Role, powers and functions
• The whole of South Africa is divided into local municipalities. Each municipality has a
council where decisions are made and municipal officials and staff who implement the
work of the municipality.
• The Council is made up of elected members who approve policies and by-laws for their
area. The Council has to pass a budget for its municipality each year. They must also
decide on development plans and service delivery for their municipal area.
• The work of the Council is coordinated by a Mayor who is elected by Council. The
Mayor is assisted by councilors in an Executive Committee (elected by council) or a
Mayoral Committee (appointed by the mayor). The Mayor together with the Executive
or Mayoral Committee also oversees the work of the Municipal Manager and
department heads. In some very small municipalities the whole Council forms the
executive – this is called a Plenary Executive.
• The work of the municipality is done by the municipal administration that is headed by
the Municipal Manager and other officials. S/he is responsible for employing staff and
coordinating them to implement all programs approved by council.

5.4 Establish an organizational framework of assurance for key risks and controls
A framework of assurance must be developed for risks. Key players in the Municipality will
combine to provide assurance to the Council and Municipal Manager that risks are being
appropriately managed. This combined approach to assurance normally involves external
auditors, internal auditors and management working together through the audit committee.
Other experts should be chosen to provide assurance regarding specialized categories of risk,
such as environmental management. The assurance framework must be formalized and
should incorporate appropriate reporting processes.

5.5 Internal audit provides assurance that management processes
are adequate to identify and monitor significant risks
The internal audit function’s evaluation must examine the techniques used to identify risk.
The categories and the scope of risk assessments should be considered. The methodologies
used to extract risk information must be reviewed. A consensus view of the Municipality’s risk
profile should be apparent. Monitoring processes should be wholly aligned with the results of
risk assessments.
The internal audit function should particularly seek evidence that the processes of risk
identification are dynamic and continuous, rather than attempts to comply with governance
expectations.

5.6 The outputs of risk assessments are used to direct internal audit plans
Internal audit plans depend greatly on the outputs of risk assessments. Risks identified from
risk assessments must be incorporated into internal audit plans according to management and
audit committee priorities. The risk assessment process is useful for internal audit staff
because it provides the necessary priorities regarding risk as opposed to using standardized
audit sheets.
The audit activities will focus on adherence to controls for the key risks that have been
identified. In addition, internal audit staff may direct management towards the need for
better controls around key risks.

5.7 Internal audit provides an evaluation of risk management processes
The internal auditors must verify that risk reports are credible and offer a balanced
assessment of risks. It is vital that an enterprise-wide view of risk management is adopted by
the Municipality, and the Internal Audit Function will examine this. The reliability of risk
information, particularly the information regarding controls, should be scrutinized by the
Internal Audit Function. The Internal Audit Function should work with specialist providers of
assurance where necessary.

5.8 Internal audit provides objective confirmation on assurance

The Internal Audit Function plays a key role in coordinating the key players in the risk
management process to provide assurance to the Council and Municipal Manager. The
Internal Auditor is not normally the only provider of assurance.
The function does, however, have an important role in evaluating the effectiveness of control
systems. The process of assurance must of necessity involve the Council, the Audit
Committee, Municipal Manager, Management, External Auditors, Regulators and the Internal
Audit Function.

5.9 Safety, Health, Environment and Quality management
A formal safety management program is essential for our business. The risks will vary
according to each operational site, but the principles of risk management will always apply,
i.e. risk identification, and risk assessment, formal action plans for mitigation, monitoring,
reporting and assurance.
The scope of the safety management program should include administrative aspects, safety
awareness and training, health, hygiene, electrical safety, physical safety, micro-environmental
exposures and legislative requirements in line with prevailing policy on safety.

5.10 Common Language

Given that the enterprise risk management process will strive to integrate various participants
and specialists from different risk professions, it is vital that the process does not confuse all
concerned by using disjointed terminology.
Frequently used risk management terminology should be defined in such a way that it ensures
different disciplines have a common interpretation of the terminology in question.
(Refer to definitions on page 6 for terminology)

6 Communication and Reporting

Like any other process, the success of risk management depends on the availability of reliable
information and effective communication at various levels. Pertinent information should be
identified, captured and communicated in a form and time frame that enable people to carry
out their responsibilities.

Information is needed at all levels to identify, assess and respond to risks. The challenge for
management is to process and refine large volumes of data into relevant and actionable
information.

Risk information is to be maintained on a risk management database (Cura) by the Risk
Officer. Line management will be responsible for ensuring that the risk information is
complete, accurate and relevant. The database will give risk officials and line management
the access needed to execute their relevant functions.

The database structure is based on the municipality risk profiles, as follows:

• Strategic Register;
• Operational (Clusters, Units, Department);
• Risk Categories (Health & Safety, Compliance, Fraud and Corruption and IT); and
• Project specific.
Additional assessments can be maintained – for example incident tracking and compliance
assessments.

For each profile the following minimum information should be maintained on the database
(CURA):

• Strategic and business objectives;
• Risk category;
• Risk name;
• Risk description (including root cause and consequence);
• Risk owner;
• Inherent risk rating;
• Risk Indicator;
• Control names for controls that mitigate the risk;
• Control descriptions (including whether it is a preventative, detective or corrective
control);
• Control effectiveness rating;
• Residual risk ratings;
• Task information where identified – details, due dates and the accountable officials; and
• Key Performance Indicator.

The databases will be used to extract the required reports to evidence the status of risk
management within the municipality.
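As an added example (not the municipality's Cura database or its own methodology), the following Python models a register entry with the minimum fields listed above, derives the residual rating from the inherent rating and the control effectiveness rating as described in 4.11.9, and applies the strategy's rule that residual priorities 1 to 3 are intolerable. The 1-5 likelihood and impact scales, the control effectiveness factors and the priority bands are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from enum import Enum

# Assumed 1-5 likelihood and impact scales; inherent rating = likelihood x impact (max 25).
# Assumed mapping from management's (unaudited) control effectiveness rating to the share
# of the inherent rating that remains. Illustrative only, not the municipality's scales.
CONTROL_EFFECTIVENESS = {
    "very good": 0.2, "good": 0.4, "satisfactory": 0.6, "weak": 0.8, "unsatisfactory": 1.0,
}
# The strategy treats residual priorities 1 (Critical), 2 (Major) and 3 (Moderate) as intolerable.
INTOLERABLE_PRIORITIES = {1, 2, 3}


class ControlType(Enum):
    PREVENTATIVE = "preventative"
    DETECTIVE = "detective"
    CORRECTIVE = "corrective"


@dataclass
class Control:
    name: str
    description: str
    control_type: ControlType
    effectiveness: str  # key of CONTROL_EFFECTIVENESS


@dataclass
class Task:
    detail: str
    due: date
    accountable: str


@dataclass
class Risk:
    objective: str
    category: str
    name: str
    description: str  # root cause and consequence
    owner: str
    likelihood: int
    impact: int
    risk_indicator: str
    kpi: str
    controls: list[Control] = field(default_factory=list)
    tasks: list[Task] = field(default_factory=list)

    def inherent_rating(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the assumed 1-5 scale")
        return self.likelihood * self.impact

    def residual_rating(self) -> float:
        # Assumed rule: the most effective control governs the remaining exposure;
        # a risk with no recorded controls keeps its full inherent rating.
        if not self.controls:
            return float(self.inherent_rating())
        factor = min(CONTROL_EFFECTIVENESS[c.effectiveness] for c in self.controls)
        return round(self.inherent_rating() * factor, 2)


def priority(residual: float) -> int:
    """Assumed bands: 1 Critical, 2 Major, 3 Moderate, 4 Minor, 5 Insignificant."""
    if residual >= 15:
        return 1
    if residual >= 10:
        return 2
    if residual >= 5:
        return 3
    if residual >= 3:
        return 4
    return 5


def needs_escalation(risk: Risk) -> bool:
    return priority(risk.residual_rating()) in INTOLERABLE_PRIORITIES


def overdue_tasks(risk: Risk, today: date) -> list[Task]:
    return [t for t in risk.tasks if t.due < today]


def register_report(risks: list[Risk], today: date) -> list[dict]:
    """One row per risk, highest priority first, as a risk status report would list them."""
    rows = []
    for r in risks:
        residual = r.residual_rating()
        rows.append({
            "risk": r.name, "owner": r.owner, "inherent": r.inherent_rating(),
            "residual": residual, "priority": priority(residual),
            "escalate": needs_escalation(r), "overdue_tasks": len(overdue_tasks(r, today)),
        })
    return sorted(rows, key=lambda row: (row["priority"], -row["residual"]))


# Constructed sample register entries (hypothetical, not real eThekwini risks).
SAMPLE_RISKS = [
    Risk(objective="Reliable water supply", category="Operational", name="Pump station outage",
         description="Ageing pumps (cause) lead to supply interruption (consequence)",
         owner="Head: Water", likelihood=4, impact=5,
         risk_indicator="Unplanned outages per month", kpi="Hours of supply lost",
         controls=[Control("Preventive maintenance", "Scheduled servicing",
                           ControlType.PREVENTATIVE, "good")],
         tasks=[Task("Replace pump 3", date(2017, 9, 30), "Maintenance Manager")]),
    Risk(objective="Accurate statutory reporting", category="Compliance", name="Late return",
         description="Manual deadline tracking (cause) leads to late filing (consequence)",
         owner="CFO", likelihood=2, impact=2,
         risk_indicator="Days to deadline", kpi="Returns filed on time"),
]


def sample_report() -> list[dict]:
    return register_report(SAMPLE_RISKS, date(2017, 10, 15))


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```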

7 Combined Assurance
Internal Audit is required by the MFMA to plan the audit coverage to address the risks
identified through the risk management processes developed and maintained by
management. It is therefore imperative that the risk assessment process and the internal
audit planning process be aligned so that timely and relevant risk information is available to
internal audit when they are devising their audit coverage plans. The risks identified cannot all
be reviewed by Internal Audit. Some risks, for example reputation, are not able to be
reviewed and others, such as technical construction, cannot reasonably be expected to be
reviewed by Internal Audit.

There are several assurance functions that may exist in the municipality at any time and
include:
• The Office of the Auditor General,
• Internal Audit,
• Consulting engineers,
• Ethics specialists,
• Compliance and Legal specialists,
• Culture and climate surveys,
• Health and safety inspectors,
• Information security,
• Quality,
• Loss Control Units, and
• Monitoring and evaluation Units.

The assurance that they provide is reported to different management structures and this may
be outside the Internal Audit governance reporting structures, including the Audit
Committees.

Internal Audit takes the responsibility to ensure the assurance activities are coordinated,
provide optimal coverage of the risk profiles, where possible, and are reported to the
appropriate management and governance forum. The Audit Committee approves the
overall/combined assurance plan and extent of assurance coverage. They will also review the
appropriateness of the recipients of the different assurance activities.

Each assurance provider should develop their coverage plan based on the risk profiles of the
municipality. Typically the plan should consider the risk assessment ratings. Where
management has assessed that there is a high residual risk gap and has actions to address the
gap, the assurance provider should consider reviewing the actions rather than confirming
management’s assessment. Conversely where there is a low or negligible gap the controls that
have been assessed by management as mitigating the risk should be evaluated.

The results of the work performed should be used by the chief risk officer to facilitate, if
necessary, a rerating of the risk and to incorporate the agreed management actions into the
risk management tasks. This will enable a central tracking capability for all such tasks and
actions. The same applies where an assurance provider’s work is in response to an incident or
event, e.g. loss control.

8 Monitoring
If existing controls are weak and expose the municipality’s activities to risks, management
should come up with action plans to reduce risk to an acceptable level. Management
should decide on the implementation date of the agreed upon action plan, and the
responsibility for the implementation of the action plan should be assigned to capable
officials.

It is critical that management should develop key performance indicators regarding the
performance of agreed upon controls. Key performance indicators will provide the feedback
regarding effectiveness of controls against identified risks.

Management’s performance with the processes of ERM will be measured and monitored
through the following performance management activities:
• Monitoring of progress made by management with the implementation of the ERM
methodology;
• Monitoring of key risk indicators;
• Monitoring of loss and incident data;
• Management’s progress made with risk mitigation action plans; and
• Annual quality assurance review of ERM performance.

The following should be considered in measuring the performance of management on
embedding ERM:
• Whether annual assessments were performed;
• Whether quarterly assessments were performed;
• Whether assessments are performed in terms of ratings as per the established
methodology;
• Consistency in the use of terminology as defined; and
• Whether both quantitative and qualitative reporting are taking place.

9 Embedding Risk Management

Value is created, preserved or eroded by management decisions ranging from strategic
planning to daily operations of the municipality. Inherent in decisions is the recognition of risk
and opportunity, requiring that management consider information about the internal and
external environment, deploy precious resources and appropriately adjust municipal
activities to changing circumstances. For the municipality, value is realized when constituents
recognize receipt of valued services at an acceptable cost. Risk management facilitates
management’s ability to both create sustainable value and communicate the value created to
stakeholders.
The following factors require consideration when integrating ERM into the municipality’s decision-
making structures:
• Aligning risk management with strategic and operational objectives at all levels of the
municipality;
• Introducing risk management components into existing strategic planning and
operational practices;
• Developing, communicating and monitoring the municipality’s risk tolerance and appetite;
• Including risk management as part of employees’ performance appraisals and Business
Units’ annual operational plans; and
• Continuously improving control and accountability systems and processes to take into
account risk management and its results.

Section 3 - Risk Management Strategy

1 Objectives

The following are the objectives of the Risk Management Strategy:

• Increase the likelihood of achieving its goals and delivering outcomes;
• Improve the identification of opportunities and threats;
• Improve governance, stakeholder confidence and trust;
• Establish a reliable basis for decision making and planning;
• Effectively allocate and use resources for risk treatment; and
• Improve Municipal resilience.
It is the role of the risk management team within the municipality to provide support,
guidance, professional advice and the necessary tools and techniques to enable the
municipality to take control of the risks that threaten delivery. The work of the team will be
directed to effect the achievement of the following risk management objectives:

• Align the Municipality’s culture with the risk management framework
• Integrate and embed the risk management framework across the Municipality
• Enable the Municipality to recognise and manage the risks it faces
• Minimise the cost of risk
• Anticipate and respond to emerging risks, internal & external influences and a
changing operating environment
• Implement a consistent method of measuring risk.

2 Approach

To promote an integrated approach to risk management, it is critical that there is a single
approach for the management of municipal risks, adopted across all levels of the municipality
and embedded in all municipal processes.

This risk management strategy forms part of the overall risk governance framework, the
essential elements of which include:

• Risk Management Policy Statement and Strategy (including governance and
accountabilities)
• Risk Management Methodology
• Risk Management Tools and Guidance to support the methodology
• Risk Management Training Programme
• Risk Assurance Statement.

The municipality’s approach to risk management is that the discipline of effectively managing
risk is integrated throughout the municipality and involves all key stakeholders including but
not limited to political office bearers, suppliers etc.

EXCO and executive management of the municipality will be focussed on the strategic and
municipal critical risks that could impact on the achievement of objectives or successful
delivery of services to our communities. More detailed operational risks will be the primary
concern of clusters and units, where managers will be controlling and monitoring their risks
and escalating these to a strategic level if they are no longer containable and manageable at
an operational level.
Identified risks and mitigations will be managed through the risk register and should be
regularly discussed, reviewed and updated with the clusters/units concerned. Frequent risk
reporting takes place across all levels of the municipality in line with the risk management
framework. The governance and reporting arrangements, which set out what risk information
is reported to which committee/structure, are articulated in the strategy.

The ERM function has a critical role to play in supporting the cluster/unit by providing
oversight, challenge and assurance that risk is being effectively managed across the
municipality; whilst delivering a high performing, customer focused service.

3 Value proposition

A structured, consistent, and continuous risk management process applied across the entire
organization brings value by:
• Proactively identifying, assessing, and prioritizing material risks, thereby increasing
the probability of achieving the defined objectives;
• Developing and deploying appropriate, effective mitigation strategies;
• Promoting a holistic approach to the management of municipal activities;
• Unearthing valuable information to inform decision making;
• Aligning with strategic objectives and administrative processes; and
• Embedding key components into the municipality’s culture:
o Risk ownership, governance, and oversight;
o Reporting and communications;
o Embedding the risk culture;
o Optimising service and project delivery versus funding; and
o Leveraging technology and tools.

4 Risk Appetite and Tolerance

Ensuring the ongoing effectiveness of risk management requires a strong and
sustained commitment by the leaders of the municipality as well as strategic and rigorous
planning to achieve commitment at all levels. The tone set by senior management towards
risk management has the greatest impact on municipal risk appetite.

Risk appetite is best summarised as “the amount of risk the municipality is willing to accept”
and is about looking at both the propensity to take risk and the propensity to exercise control.

EThekwini Municipality aims to be risk aware, but not overly risk averse, and to actively
manage risks in order to protect the municipality, harness opportunities, innovate prudently and
sustain the municipality’s operations. To deliver on the IDP, the municipality recognises that it
will have to manage certain risks. Intolerable risks are those that:

• Fall outside of service level standards and business rules;
• Negatively affect the safety of employees, citizens and infrastructure;
• Have a damaging impact on our reputation;
• Lead to breaches of laws and regulations;
• Endanger the operations of the municipality; and
• Have a residual risk ranking of Priority 1 (Critical Risk), 2 (Major Risk) or 3 (Moderate
Risk).
Culture, strategy and commitment to serve our communities through the delivery of quality and
prompt services all influence our risk appetite. The risk appetite and tolerances are a key
strategic risk instrument that defines our levels of exposure and the appropriate audience for
mitigation.

5 Maturity

EThekwini Municipality and its entities are on a risk management journey. Risk maturity refers
to where the business is on that journey and how well established risk management is as a
discipline across the municipality. Maturity modelling is a valuable tool: it enables us to
benchmark our current risk management capability and helps us direct our resources to areas
that need improvement and further development. Modelling allows us to set long term plans
for the service and track our position through the journey. This is conveyed in our roadmap,
shown in the strategy, which sets out the direction of travel for the next 5 years. We measure
maturity and benchmark ourselves against the National Treasury on an annual basis.

6 Risk management levels

The approach to risk management is founded upon ensuring risk is effectively and consistently
managed across all levels of the municipality. The risk culture that emanates from the
strategic leadership team throughout the municipality is essential in ensuring all levels buy
into and adhere to the risk process.
Risk Management Levels
The following are the risk management levels that guide engagement in the municipality:

• Leadership/Strategic Level: The highest level of risk is managed at this level. Reports
on the top business critical risks are reviewed by the Executive Committee and discussed at
their management meeting bi-annually and on a quarterly basis. This level sets the tone
for effective risk management across the whole Municipality. At this level, the risk
management strategy is agreed and endorsed and its principles are championed by the
strategic leaders of the Council.
• Cluster Level: The function complies with the risk management strategy and ensures
risks are identified against the delivery of the annual service plan. This level is the key
lever for escalating risks to the strategic level once they are no longer containable by the
function alone.
• Unit Level: Risks are identified from the initial business case stage of a
programme/project, and risk management continues throughout the project lifecycle
to ensure the objectives can be achieved.
• Department Level: The day-to-day management activities provide reasonable
assurance that the main tactical and operational risks arising from service operations
are identified, assessed, managed and monitored. Close links between the service risk
champions and the Risk Team strengthen the process and ensure consistency in the
risk messages delivered within the services.

7 Risk escalation

In the event that a single risk or group of risks exceeds a pre-agreed threshold, the risks
should be escalated to a senior level via the pre-agreed procedure. The risk owner will initially
be responsible for either deciding on a course of action or escalating the information further
up the process to a senior level. Similarly, it should also be clear where a risk can be delegated
to a lower level for action.

7.1 Process
When the risk owner identifies that a risk needs to be moved because it fits one of the
categories stated above, the owner should initially seek the advice of the Risk Champion
within their Function regarding moving the risk. If a risk is multi-service or Municipality-wide,
the risk owner should consult with other relevant parties before recommending a change of
level.

A risk may need to be escalated to a higher level if:

• the risk becomes too unwieldy to manage at the current level;
• the risk rating cannot be controlled/contained within its current level;
• the risk remains very high even after mitigations are implemented;
• the risk will impact on more than one service/project or function if the risk event
materialises;
• instinct tells the owner it is out of their control; or
• the risk moves outside the appetite boundaries / comfort zone.

A risk may need to be moved to a lower level if:

• the risk can be controlled / managed at a lower level;
• the risk rating decreases significantly; or
• the risk event will only affect one function / service area / team and the impact will be
limited, in which case it should be controlled more locally at a lower level.

7.2 Strategic Level

If the risk is to be moved to the Strategic Level, the ERM Team will need to be consulted so
that the risk can be considered by the Risk Management Committee for inclusion on the
Strategic Risk Register. If the Risk Management Committee endorses the inclusion of the risk,
the ERM Team will ensure that it features in the Strategic Risk Register and falls within the
standard monitoring and review cycle.

7.3 Function Level

If the risk is to be escalated to the function level, then, in conjunction with the Risk Champion,
the risk owner needs to consult with senior management regarding its inclusion in the function
risk register. This should ideally be raised with the function leadership team either at the next
available meeting or remotely. As with the escalation process, if the risk is being considered
for moving down a level, the appropriate Risk Champion should be involved to assist in the
process.

8 Risk management metrics

A risk matrix is used to evaluate risks so that there is an understanding of the risk exposure
faced, which in turn influences the level of risk treatment that should be applied to
manage, reduce or prevent the risk from occurring. At eThekwini Municipality, the adopted
matrix for assessing risk is shown in the diagram below.

Ensuring that all business risks are assessed and managed through the adopted risk
management methodology drives consistency through the risk management framework and
enables risks to be compared and reported on against a like-for-like basis. It also provides the
council with the ability to map its collective risk exposure for a particular activity, objective,
outcome, function(s) or indeed the whole Council operation.

[Risk matrix diagram: Probability = Likelihood and Effectiveness = Impact]

9 Risk management embedding education and training

The Corporate Risk Team is responsible for developing workforce risk management capability
across the Municipality through the provision of guidance, education, training and support.
The existing suite of guidance materials has been reconfigured to ensure compatibility with
the Municipality's new outcomes-led operating model.

The risk management process, risk matrix and overarching risk management framework were
largely unchanged. However, the risk management intranet pages are continually being
improved and new training with accompanying companion guidance will be developed and
rolled out.

The risk management strategy, guidance and training materials are reviewed on a regular
basis to ensure they continue to meet the needs of the Municipality and incorporate the very
latest industry best practice.

10 Development of risk register

As part of good governance, the municipality manages and maintains a register of its key
strategic and operational business risks - assigning named individuals as responsible officers
for ensuring the risks and their treatment measures are monitored and effectively managed.

The risk register is a critical tool for the service in capturing and reporting on risk activity and
the Municipality’s risk profile. The risk register is a live database where new risks are
captured, others are managed to extinction and some require close and regular monitoring.

The data within the register is used to inform the business of the threats it faces in delivering
outcomes and services to the communities. It is part of the municipality's internal governance
and performance frameworks and is used to ensure the Municipality operates effectively.

The current system in use is CURA, which is administered by the ERM Team and managed
across the Municipality by the directorate risk champions and power users.

11 Roles and responsibilities and expectations

business risk is effectively managed across the Municipality. The risk management framework
has been fully endorsed and supported by the leaders of the Council who set the Municipal
tone for risk management and champion the benefits through all levels of the business.

This strategy formalises those inherent responsibilities to manage risk and the table below
outlines the key responsibilities for each stakeholder.

12 Quality assurance and reviews

To ensure the risk management framework remains fit for purpose, we continually seek to
review and improve our risk management methodology and embrace new initiatives and
industry practices that suit the needs of our Municipality. We adapt to our changing operating
environment and economic conditions and have a risk framework with sufficient flexibility to
cope with these changes.

Members of the ERM Team have the necessary skills, professional knowledge and relevant
qualifications in their field and are members of external risk forums, working groups and
related risk education and learning industry groups. Risk skills and knowledge from these are
fed back into our day to day practices at eThekwini Municipality to ensure we are at the
forefront of enterprise risk management.

The risk management policy & strategy, guidance and associated tools are regularly reviewed
to ensure the impact of new legislation, government guidance or internal changes in practice
are captured and reflected.

Risk management is subject to the municipality's internal audit practices and, as such, is audited
in line with the timetable set by the Internal Audit Plan. Any recommendations arising from
audit activity are channelled back through our annual work plans to ensure they are addressed.

13 Resources

Recognition from Executive Management of the importance of risk management to the
effective operation of the municipality is reflected in the appropriate allocation of resources
to deliver the function across eThekwini Municipality.

There is a central risk management team, led by the Chief Audit Executive, who is supported
by a chain of risk management champions and risk register power users across each area of
the municipality.

The primary role of the ERM Team is to set the risk management framework and direct how it
should be applied, providing training, guidance and support to embed the risk management
principles across the business. The Risk Champion Forum is an integral part of risk
management, as it promotes risk management at the business unit level and drives forward
consistent application of the framework across the municipality.

The ERM Team has an operating budget for risk management to aid service delivery and has
access to, and support from, both senior management and members.

Section 4 – Risk Management Plan

The city-wide enterprise risk management implementation plan for the municipality is
developed and prepared each financial year in order to achieve objectives through the
implementation of the enterprise risk management policy, framework and strategy. The plan
includes all activities and required milestones to be achieved in a financial year.

The municipality intends to achieve the following objectives through Enterprise Risk
Management:

• Compliance with Section 152 (1) of the Constitution, Section 62 (1)(c)(i) and Section 165
(2)(a)(b)(iv) of the Municipal Finance Management Act, and the King III Code on Corporate
Governance.
• Conducting risk research and analysis in support of corporate strategy and decision
making council-wide.
• Developing, co-ordinating, implementing and monitoring the Enterprise Risk Management
and Business Continuity Management (BCM) processes within the municipality.
• Integrating city-wide risk management activities to facilitate a holistic risk profile for
the city.

The above objectives should take into account:

• The current level of performance of ERM in the municipality;
• The desired level of maturity of ERM in the municipality in the future; and
• Available and required resources and skills.

The risk plan addresses short, medium and long term enterprise risk management goals as
per the approved roadmap.

1 ERM Plan 2017/18

Activity | Due Date | Responsible official | Outputs / Outcomes
---------|----------|----------------------|-------------------
Risk Planning
Develop an annual ERM implementation plan | 30-Jun-18 | Chief Risk Officer | An approved risk management implementation plan for the 2018/19 year
Risk Orientation
Obtain approval of the reviewed ERM Framework | 31-Dec-17 | Chief Risk Officer | Approved ERM framework
 | 30-Jun-18 | Chief Risk Officer | Implement findings from prior ERM Reviews
 | Quarterly | Chief Risk Officer | 4 x ERM Training and Awareness Presentations
 | 30-Jun-18 | Chief Risk Officer | Conduct ERM presentations as part of HR induction
Risk culture creation | 30-Jun-18 | Chief Risk Officer | Risk management seminar
 | 30-Jun-18 | Chief Risk Officer | Pilot on development of risk appetite and tolerance
 | 30-Apr-18 | Chief Risk Officer | Update Risk management publications on Intranet
Risk Assessment
Annual 2017-18 strategic risk assessment | 31-Jul-17 | Chief Risk Officer | 2017-18 Strategic risk register
Operational risk assessments | 31-Aug-17 | Chief Risk Officer | Cluster & Unit risk registers
2 Entities Risk Assessments | 31-Jul-17 | Chief Risk Officer | DMTP & DICC risk registers
2 Category risk assessments | 30-Jun-18 | Chief Risk Officer | Two Category Risk Registers
Risk Response
Action plans for mitigating 2017-18 strategic risks | Quarterly | Chief Risk Officer | Action plans implemented per agreed milestone
Key Risk Indicators (KRIs) for strategic risks | 30-Sep-17 | Chief Risk Officer | Key risk indicators (KRI) linked to strategic risks
Risk Monitoring & Reporting
ERM Progress presented to Combined Risk Sub-Committee meeting | Monthly | Chief Risk Officer | Contribute to implementation of the Combined Risk Assurance plan
ERM and BCM Reports to Audit Committee | Quarterly | Chief Risk Officer | 8 Reports produced, 2 per quarter (ERM & BCM Report)
Coordination of Accounting Officer's Report to Audit Committee | Quarterly | Chief Risk Officer | 4 Reports produced, one per quarter
AC Report to EXCO | Quarterly | Chief Risk Officer | 4 Reports produced, one per quarter
Risk input into annual report disclosure | Annually | Chief Risk Officer | ERM / BCM Annual Report
eThekwini Risk Maturity Self-Assessment | Bi-annually | Chief Risk Officer | National Treasury maturity assessments
Develop and implement ERM systems and infrastructure | 30-Jun-18 | Chief Risk Officer | CURA system enhancements

2 Sources of Information

ISO 31000, Risk management – Principles and guidelines
ISO Guide 73:2009, Risk management – Vocabulary
ISO/IEC 31010, Risk management – Risk assessment techniques