case study for rm maturity within raf › event documentation › road...risk appetite case study 1...
TRANSCRIPT
Case Study for Risk Appetite and RM
Maturity within RAF
RM Team - RAF
February 2015
THE STORY OF RAF MATURITY AND RISK APPETITE
RM Governance Structures
RM Maturity
Where it all began?
Potholes on the Road (Challenges faced)
Game Changers
Risk Appetite Case Study
1
RISK GOVERNANCE AT RAF
2
RAF BOARD
AUDIT
COMMITTEE
RMEC
EXECUTIVE
COMMITTEE
RM IN RAF
Thabile Nyaba
Regional Risk and Compliance Officers
x5
Risk Manager
Personal Assistant
Personal Assistant
BCM Manager
Carol Songelwa
Lamlani Dube
Senior Risk Officer
3
CA Manager
BCM Administrator
Old Positions
New Positions
WHERE DID IT ALL BEGIN ?
Took
Executives
and Board
on this
journey
Translated
this into a 3
year RM Plan
Highlighted the
value that will
be derived from
each action
plan
Identified gaps
and road map to
get to the
desired stage
• Did Maturity
assessment and
diagnostic
review using
hybrid of
frameworks in
July 2013
• Decided on
where we want
to be and by
when (maturity
levels and
timelines
5
RISK MATURITY OF RAF
RAF Risk Maturity Assessment Model used hybrid of frameworks including National Treasury’s Risk Maturity Assessment Model
6
Desired state by March 2017
Independent Assessment by PWC
March 2014
Internal Review July 2013
Level 1 Level 2
Level 3
Level 4
Level 5
• Risk management practices that are embedded in the corporate culture (Risk Culture) so that
strategy and decision-making evolve out of a risk-informed process
• Integrated approach of managing risks
• Risk management practiced in all levels of organisation
7
ACTION PLANS TO IMPROVE RISK MATURITY STATUS
Risk Initiative
(RI) Action Plan
1 Review of currently identified Tasks (Strategic and Operational risks) for
effectiveness, efficiency, adequacy, duplications and alignment. Alignment of tasks with the corporate initiatives / APP/ strategy. Categorization of tasks into either projects, Intervention or Once off. Development of Task Implementation and Monitoring plans.
2 Weighting and quantification of risk, controls and tasks (Total Cost of Risk). Risk and Controls consolidation and aggregation (cross functional risks)
3 Perform Tactical (Executive level) and Operational (GM level) risk assessment s. This also includes risk assessment at the Regions.
4 Identification and reporting on Key Risk Indicators (KRIs) and linking them to KPIs (Key Performance Indicators) for Strategic and Operational risks
5 Risk Consulting (allocation of Risk Advisor) for each Business Unit, Key
Project and Governance Forum. Full implementation of Risk Champion
Strategy.
6 Development, implementation and monitoring of Risk Acceptance
Certificate – for those risks that have been accepted by the Business.
7 Development, Implementation and Monitoring of the Risk Appetite
Statement / Framework. This should include the Risk Escalation and
reporting process
8 Develop a consolidated risk issue / risk events / incidences tracking and monitoring report
9 Conduct Risk modeling and Scenario analysis for risk identification process
10 Implementation of Combined Assurance Framework and Monitoring plan,
including a committee
11 Process Risk Assessment
12 Assess, monitor, implement and monitor Risk, Governance and
Compliance processes (Integrated GRC). Risk Intelligent culture
RI 1
RI 5
RI 10
RI 8
RI 9
RI 7
RI 11
RI 4
RI 3
RI 6 RI
2
2014
2015 2017
RI 12
8
Action plan and value attached
RAF 9
Action Plan
Description of Action Plan Value to be derived from Action Plan
1 Review of currently identified Tasks (Strategic and Operational
risks) for effectiveness, efficiency, adequacy , duplications and
alignment. Alignment of tasks with the corporate initiatives / APP/ strategy. Categorization of tasks into either projects, Intervention or Once off. Development of Task Implementation and Monitoring plans.
This will ensure that the Tasks that have been identified are adequate for the management of risks , value adding, well articulated and understood in terms of the impact and the resources required to implement them effectively. It will also ensure that the risks are managed by only the effective tasks (mitigation strategies), thereby improving efficiency in the manner that we are managing risks., i.e. we are not over controlling or under controlling the risks. Progress on implementation, based on the monitoring plan, can be used to track and change risk ratings accordingly, ensuring that there is an understanding of when is the risk going to change its rating (when are we going to be satisfied that the risk is managed well). Furthermore, this will make it easy for the risk owners to manage the tasks, as they will be well thought out and few. It will also enable risk and control owners to take full accountability and ownership of managing risks and controls.
2 Weighting and quantification of risk, controls and tasks (Total Cost of Risk). Risk and Controls consolidation and aggregation (cross functional risks)
This will enable the organisation to do cost benefit analysis, ensuring that the cost of mitigating risks doesn't exceed the cost of actual risk. This computation gives clear value of the financial impact of risk materialising allowing you to decide whether it is worth it to take certain risks. The identification of key controls that mitigate risks cutting across different Business Units will result in synergies and minimise duplication of effort throughout the Group, thereby breaking down silos. This will further ensure integrated response to the risks and enable the organisation to keep track on most effective controls to address the risks so as to ensure that these controls remain effective.
3 Perform Tactical (Executive level) and Operational (GM level) risk assessments
This will enhance and cascade the tone currently set by management of embedding risk management into the day to day operations and making sure that the Business Units are taking only those risks that preserve and create value and assist in achieving the strategic objectives of RAF. This will also allow risk information to be relevant and useful in terms of guiding decision-making processes. Further more it will contribute to a broader understanding of the risk universe from which RAF operates within.
4 Identification and reporting on Key Risk Indicators (KRIs) and linking them to KPIs (Key Performance Indicators) for Strategic and Operational risks
KRIs will be used to monitor either exposure to key risks or controls for key risks. The objective of the risk indicator is to provide early warning signals to management and the Board that potential events, that may affect an organisation are about to occur, so that measures could be put in place.
RAF’S JOURNEY TO RISK INTELLIGENCE ROADMAP
Vision
RA
F’s
Va
lue
Develop
Risk &
Governance
components
Monitor
Risk &
governance
components
Total Cost of Risk / Weighting of controls
Risk issues / events/ incidences
Combined Assurance
Framework
I GRC/ Combined Assurance
Risk Task Review
Risk Consulting at BU level
Risk Appetite Statement / Framework
Risk Modeling and Scenario
Analysis
Process Risk Assessment
Tactical and Operational risk
assessment
Risk Acceptance Certificate &
Process
Key Risk Indicators
10
3 YEAR RM PLAN
Activity 2013/2014 2014/2015 2016/2017
Review of currently identified Tasks (Strategic and Operational risks) for effectiveness,
efficiency, adequacy and duplications and alignment
x x x
Total Cost of risk assessment and weighting of controls. x x x
Strategy, Tactical & Operational risk assessments x x x
Key Risk Indicators and framework x x x
Risk Consulting at Business Unit level x x x
Risk Acceptance Certificate and processes x x x
Risk Appetite Statement / Framework x
Risk issues tracking & monitoring processes x x x
Risk modeling and Scenario analysis x
Process Risk Assessment x x
Integrated Risk, Governance and Compliance GRC). x
11
Progress on the Risk Management Plan is reported to the RMEC
12
POTHOLES ON THE ROAD (CHALLENGES)
Pushback on the identified risks –
strategic vs operational risks
Perception on being bearers of bad
news
Perceived additional tasks by Business
Withholding of information by the
business
Risk Acceptance process
Understanding on BCM and Buy in
Differentiation between BCM Incident
and BCM Crisis”
Acceptance of the Risk and
Compliance Specialists by the Regions
Moving ahead and leaving the
organisation behind. RM maturity vs.
org maturity
Reliability of information provided by
management for quantification of
losses”
13
HOW WE OVERCAME (GAME CHANGERS)
14
Text Text
Risk Consulting – value adding
Pro active identification of risks
• Better understanding of the operations
• Relationship building
• Pre consulting (before Exco meetings)
• Pro active identification of mitigations
• Data collection and Risk advisory
Changed the RM report/Process
• Reports on emerging risks
• Materialised risks
• Avoided risks
• Accepted risks
• Key Risk Indicators
• Monthly/Quarterly RM opinion on the
profile
• Year –End RM report
Development of the Risk Appetite
framework
• Monthly and monitoring Reporting on the
Risk appetite
Proactive Risk Identification at Tactical
and Operational level
• Risk Identification (Tactical, Operation and
Process)
• Scenario
• Research
• Benchmarking
• Informed draft of register
Ongoing introspection and reflection
Risk Management Induction and
awareness
• New employees
• Existing employees
• Quick guide on Risk Management
• Risk Champion Forum
Risk Appetite
SOME DEFINITIONS
Risk Bearing Capacity (RBC)
• The maximum amount of risk that the organization is able to accept in line with its mission /values /strategic goals, without exposing it to the point where its existence and survival is under threat.
Risk Appetite
• The amount and type of risk that an organisation is willing to accept in line with its strategic goals. .
12
VALUE OF RISK APPETITE
Risk Appetite statements provide
performance boundaries around
the organization’s strategic
objectives
Documentation of risk appetite
clarifies the organizational stance
and ensures consistency in risk
decisions.
A formal, documented risk appetite statement sets the tone for risk
management at the top and enables employees at all levels to
understand the type and amount of risks they should take.
13
BENEFITS OF IMPLEMENTING A RISK APPETITE FRAMEWORK
It allows a more balanced view of risks and management can then react /take action if the risk profile exceeds /is below the organisation’s desired/target risk appetite.
Provides the basis for more responsive strategic decision making regarding risk
Fosters a more risk intelligent culture that assists in making informed risk based decisions;
Enhances the ability to achieve strategic objectives and it assists in linking risk appetite with strategic goals and required resources to support growth and risks;
14
Action Plans against Risk Appetite
Tracking and monitoring of the Key Risk Indicators (KRIs)
Emerging risks Risk events/Near
misses Accepted and Avoided
Current and changes in the risk profile against the Risk
Appetite
APP targets against Risk Appetite
Wh
ere
is R
isk
Ap
pet
ite
app
lied
?
15
CHARACTERISTICS OF EFFECTIVE RISK APPETITE STATEMENTS
Reflective of organization’s strategy
Reflective of all key aspects of the organisation
Both quantitative and qualitative
Measurable and adjustable over time
Facilitate monitoring of external and internal environment
Enable decision making at all levels
Aid alignment of people, processes, and resources in pursuit of organization’s
strategy
Easy to communicate and monitor throughout the organization
16
Departmental Drivers
\
What are the risks that do not fit
and should therefore be avoided
altogether?
What are the risks that are not
sought after but will come as part
of doing business and that should
therefore be controlled and/or
minimised?
Risk appetite vs risk “diet”
Consideration Drivers
Thorough understanding of the
organisation, strategic objectives, mandate,
legislative environment, SWOT, PESTEL
Understanding of stakeholders i.e. the
expectations and needs
Understanding of the financial position
Understanding of the risk universe and
culture
Historical trends and data analysis
Scenario analysis and testing on
assumptions on which objectives are set
Risk
Appetite
Framework
DRIVERS OF RISK APPETITE
17
RAF – Risk Appetite Journey
LESSONS LEARNED
Start somewhere….just do it!
Keep it simple and don’t complicate
Let it fit the organisation (There is no wrong way but
a suitable way)
Test your thinking throughout the process
Engage with as many people as possible
Know your organisation – thorough understanding
Take key people with you in this journey
Articulate your thinking process – you are the Risk Specialist
16
Step Step Step
Establish the context and
define governing objectives
a. Understand Fund’s business,
its strategic objectives and
financial position
b. Legislative environment
c. PESTEL, SWOT
d. Identify the critical pillars of
the organisation
Understanding the Risk
universe
a. Understand the Philosophy
and Attitude of Risk (Risk
Culture)
b. Risk events and near
misses
c. Review the risk profile -
current and previous ,WEF
and DOT’s
d. review historical data
e. Review insurance covers,
DoA, Materiality
Consultation and
Engagement
a. Executives
b. Assurance Providers
c. Actuaries
d. Business Units
STEPS TAKEN BY THE RAF TO DEVELOP A RISK APPETITE
1 3 2
18
Step Step Step
Articulate / Devise Risk
Bearing Capacity (RBC) and
Risk Appetite Statement
a. Analysis (financial
strength, operational
capacity)
b. risk management practices
c. legal or regulatory
capacity.
d. Conducted simulation and
scenarios
Approval and communication
of RBC & RA
a. Approval process
b. During Risk Workshops
c. Inductions
d. BU Monthly meetings
Monitoring, Reporting and
Operationalisation of the
Risk Appetite
a. Exco and RMEC reports
b. Emerging and materialised
risks against risk appetite
c. Current and changes in
the risk profile against the
Risk Appetite
d. Key Risk Indicators
e. Adhoc Risk Assessments
STEPS TAKEN BY THE RAF TO DEVELOP A RISK APPETITE
4 6 5
19
Illustration
CRITICAL PILLARS FOR RAF AND ANALYSIS ON THEM (STEPS TAKEN - 1 TO 4)
1
Road Accident Fund
2 3
Highest amount
paid
/ settlement
Total Pension
liability
Total Payment
paid to Trade
suppliers last
year
Highest single
fraud committed
Total Fraud
Committed in the
previous years
No. of people died /
injured in one
accident
Legal Fees
SA /
International
People Normal Trading Claims
Highest claim in the
system, awaiting
payment (liability)
Directors Liability
Cover
20
History Current Future
Review of legislation
pertaining to the limits
Productivity
Cases of
suspended people
Wellness Employee
programmes
• Finance
• HIV
Attrition value
Cooperate /
organisational
performance
Staff turnover
Absenteeism
Turnaround
times
Heads of damages
Direct claims
represented
Highest contract
in place
Media Hits
Adverse
judgement
Litigation against
the RAF
System
availability
Productivity
hours
Fraud trends /
Hotspots
Complains from
stakeholders
Backlog of claim
Illustration DEVELOPMENT OF THE RBC THEN THE RA(STEPS
TAKEN - 4 TO 5) RAF deems Rxx Million to be the acceptable level of risk exposure (value at risk) in the pursuit of its strategic
goals. RAF will however not take risks that could result in:
Claims turnaround times being prolonged beyond the current average turnaround time
ICT system non availability for more than xx days a month
Major litigation impacting RAF liability
Critical concerns raised by the Minister which affect the Stakeholder campaign
More than xx% of staff performance
More than xx% of the non availability of required Staff capacity
21
Acceptable risk
Levels
This is a warning sign that the organization is heading for financial constraints
Risk Bearing Capacity
R10
RBC Tolerance Level
R5 Risk Appetite
R2
IMPACT RATING SCALE
22
Impact Assessment Scale Impact Financial
impact
People Effect Stakeholder
impact
Legislative Service/ Operational
effect
5. Catastrophic
RXXXmillio
n
> XX staff non
performance
XX of the staff
turnover
Loss of critical
stakeholder
confidence
Sustained
negative national
reporting
Substitution of RAF with new fund
without incorporating the RAF.
Constitutional court declaring certain
aspects of the RAF Act/regulations as
invalid extending RAF liability beyond
funding.
Replacement of the Board and/or other
key officials for non compliance with
applicable laws.
Claims Turnaround time
>XX days
>XX days per month ICT
system non availability
4. Critical
RXXX
million
XX staff non
performance
XX of the staff
turnover
Sustained impact
on the RAF
Concerns raised
by the Minister
Major litigation impacting the RAF
liability.
Claims Turnaround time
<XXX days
XX days per month ICT
system non availability
3. Significant
R XXX
million
XX staff non
performance
XX of the staff
turnover
Local press
reporting
Major breach of compliance with laws
with punitive fine.
Non compliance with statutory
reporting.
Claims Turnaround time
<XX days
XX days per month ICT
system non availability
2. Moderate
RXX million XX staff non
performance
10% of the staff
turnover
No press
reporting or
external interest
Claims for compensation i.r.o
contractual & delictual liability other
than in terms of the RAF Act.
Non compliance with laws without
punitive fine.
Claims Turnaround time
< 550 days
XX days per month ICT
system non availability
1.Minor
R XX
million
XX staff non
performance
XX of the staff
turnover
Internal issues
Internal
resolution
Non compliance with operational
aspects of the law e.g. language
regulation.
Claims Turnaround time
< XX days
XX day per month ICT
system non availability
R 5
R 10
Escalate to CEO/ DG
Escalate to Board/ Audit Committee
Escalate to Shareholder
Escalate to EXCO
R1
R2 R3
R5 R4
R7
R6
RISK APPETITE REPORTING AND DASHBOARD
(STEPS TAKEN - 6)
How much is it willing (RA) to
take on?
And how much is it actually (diet) taking
on?
Are these in line?
Determine how much risk
the organisation is able (RBC) to
take on
•P
hilo
sop
hy
on
man
agin
g ri
sks
Esca
lati
on
pro
cess
23
R 2
Illustration
RISK APPETITE REPORTING…CONTINUED…
Conclusion:
Based on the analysis of emerged , materialised and avoided risks, KRIs, mitigations and tasks implemented in each of the strategic risks for this quarter it is
concluded that strategic risk profile for this quarter was reasonably managed with mitigation plans implemented within the agreed time, however due to the
Fund's financial status the overall impact on the profile is high.
Explanation of the background colours (Legends) :
1. Red = Critical / High Risk Area (Priority 1 Risk)
2. Amber = Significant / Medium Risk Area(Priority 2 Risk)
3. Green = Moderate / Low Risk Area (Priority 3 Risk)
C. DETAILED STATUS AND MOVEMENTS ON THE STRATEGIC RISK PROFILE
A total of 10 tasks have been identified to mitigate ICT risk. There is one overdue task relating to approval of the e-enablement plan. The draft E-enablement plan/strategy will be re-submitted to OPSIT after clearing all queries raised.
Although the approval for the draft E-enablement plan/strategy was not obtained from the OPSIT, the ICT Function continues to strive to stabilize ICT systems for operational efficiency and increased productivity.
Materialised and emerged risks for the reporting period relate to (a) high number of invalid ID numbers in the Claims system (i.e. 12 000 ID numbers of direct claimants) and (b) the condition of the Menlyn Data centre, generator and UPS.
The KRI on system availability exceeded the set threshold for the month of October (i.e. 24 hours from six reported incidents vs. 5 baseline incidents) as a result of issues experienced on the Claim system, E-mail and network connectivity. There were also 10 unresolved IT queries for the reporting period, mainly concentrated in Cape Town, Johannesburg and Pretoria relating to connectivity.
All ICT risk indicators were within their set threshold for the month of October and November. The number of downtime and the hours lost were lower than in the previous month i.e. 5 incidents versus 11 incidents in October and 16 hours downtime versus 23 hours in October. No security and information integrity incidents happened for the quarter.
Based on the various factors highlighted above, ICT risk is rated High for this quarter. The ICT risk has a direct impact on all strategic objectives.
.
A total of 10 tasks have been identified for the Stakeholder Pressure risk. No overdue task was noted for the reporting period.
Although RAF is currently enduring financial stress, it has however continued with its efforts to be accessible to the communities it serve in such a way that it was awarded Minister's Special Award and was also nominated for various awards for its work and innovation.
Materialised risk for the period relates to a request by RAF for plaintiff attorneys to issue summons on behalf on Direct claimants to avoid prescription. The KRI on negative complaints on poor service delivery by RAF employees has exceeded its target (i.e. 100) for the reporting period. The complaints received are 199 against the baseline of 100 complaints mainly as a result of unpaid claims. During this quarter the writs went up and some the Fund's assets were attached. There were complaints from both attorneys and claimants based on non-payment of claims to black claimants represented by them.
Based on the various factors highlighted above, Stakeholder Pressure risk is rated High for this quarter . The Stakeholder Pressure risk has a direct impact on all strategic objectives.
10 tasks have been identified to reduce the impact of Regulatory Framework risk. No overdue task was noted for the reporting period.
Public comments for RABS Bill have been received until end of October 2014 and the RAF Amendment Bill has also been gazetted for public comments in November 2014. The emerging risks for these two pieces of legislation, will be the confusion that they may have to the public as to which Act will be the future of RAF or which Act is being pursuit by RAF between the two. The other challenge will be readiness of RAF to implement both pieces of legislation concurrently.
The materialised and emerged risks relate to (a) poor file management which result in delays in responding to PAIA file requests, (b) possible legal challenges due to the condonation of prescribed claims and (c) non-compliance with policies (10 incidents in September and 8 in August) with the major ones being violation of special power of attorneys by contacting represented claimants directly (i.e. Project Siyenza) and delays in responding to PAIA Requests.
The number of constitutional cases before the Constitutional Court have reduce from 21 in April 2014 to 17 in September / October 2014. This is mainly due to the finalization of these cases, which were in favour of the Road Accident Fund.
Based on the various factors highlighted above, the Regulatory Framework risk is rated Medium for this quarter. The Regulatory Framework risk has a direct impact on all strategic objectives.
7. Regulatory Framework
1.Fraud & Corruption
3. Information Communication & Technology
4. Stakeholder Pressure
5. Service Delivery
6. People Management
A total of 11 tasks have been identified for the Service Delivery risk. There are no overdue tasks for the reporting period.
The materialised risks for the reporting period include (a) Condonation of prescribed claims, (b) inaccurate reporting, (c) poor file management, (d) invalid ID numbers in the system. Risks emerged mainly relating to (a) summons received for unregistered claims and (b) the impact of Post office strike on the claim process timelines and East London Panel of Attorney.
Service delivery risk remains impacted upon as some of the APP targets have not been met , that is, (a) Reduction of the number of open claims as a result of financial constraints and (b) Reduced turnaround time for settlement of medical cost, Loss of Earnings ,Loss of Support and General damages ( i.e. 1300 vs. 1324 turnaround days). In addition, the clean-up exercise conducted by the region on prescribed direct claims resulted in an increase on the number of condonations for prescription in the amount of 5691 and the organisation incurred an interest costs of R 2.3 million (R 9.5 million for year to date) and sheriff costs of R 515 000 (R 1.9 million for year to date) for the reporting period. To mitigate the risk of legal costs the organisation is exploring means of Alternative Despite Resolution and Litigation Management Strategy.
Although the productivity has not been impacted by the current financial situation but considering that the Fund's ultimate service delivery entails paying the claimants which is currently impacted due to financial constrains. The Service Delivery risk is rated High in this quarter. The Service Delivery risk has a direct impact on all strategic objectives.
A total of 11 tasks have been identified for the People Management risk. There are no overdue tasks for the reporting period.
Materialised risks for the period include (a) The financial loss due to prolonged suspension period. (b) The high cost ( Over R16m accumulative figure since April to October) of sick leave taken on Mondays.
The number of vacancies decreased from 9% to 8% but is still above the set threshold of 7.5%. The absenteeism rate dropped from 2.13 to 1.91 days and is within the set threshold. The number of internal grievances has increased however the matters reported lacked substance. The number of employees on suspension has increased from 7 in October to 10 in November and the salaries paid for these employees and the length of period of such payments need to be reviewed in order to reduce - this expenditure could possibly be classified as fruitless and wasteful expenditure. The amount paid for employees on suspension is R 697 059 for November, currently on R 3 million to date and the average period of employees on suspension is currently 15.6 months.
Based on the various factors highlighted above, the People Management risk is rated Medium for this quarter. The People Management risk has a direct impact on all strategic objectives.
A total of 24 tasks have been identified to reduce the impact of Financial Management risk. There is one overdue task relating to development of the Consultancy Reduction Plan. A Management Directive in this regard has been issued in this regard and the plan is being compiled.
The revenue receipts for the reporting period is R 5.1 billion, whereas the expenditure for the same period is R 8.1 billion, thus resulting a cash shortage of R 3 billion for the reporting period. In addition, there are outstanding claims payment of R 6.5 billion ( as at end of December 2014) which is impacting negatively on the timely payment of 54 000 outstanding claimants and suppliers. The cash balance is at R -1.6 billion (overdraft) as at end of December 2014. In total our short term liability is at R 8.1 billion. The deficit has increased from R 99 billion from previous quarter to R 108 billion.
Several mitigations have been undertaken to secure additional funds include (a) requesting additional funding from the National Treasury ( i.e. 7.8 billion), (b) asking for additional funds from the shareholder through virement and other means, (c) negotiating with SARS on pre-payment of fuel levy and delayed payment of diesel rebate, (d) exploring paying claims in instalments and (e) improve financial controls that resulted in R 5 million savings. Additional funding from the National Treasury is expected to transfer in February 2015. In addition, to resolve the SCM related challenges, the SCM Turnaround Strategy is being implemented with a target of full implementation of March 2015.
It should also be noted that the forecasted shortfall for this next financial year is R16 billion and R22 billion if we carry on with the current productivity for subsequent years. The RM division developed a Proposed Claims Payment Model that Finance is currently reviewing, which is meant to assist with the financial situation the Fund is facing. Based on the various factors highlighted above, Financial Management risk is still considered to be a High risk. The Financial Management risk has a direct impact on all strategic objectives.
2. Financial Management
A total of 11 tasks have been identified to mitigate Fraud and Corruption risk at the strategic level and there is one overdue task relating to development and/or review and implementation of Fraud Management Strategy.
The KRIs indicate that for the reporting period (a) the number of fraud cases reported and referred for forensics investigations are on an average of 900 files (previous quarter was 1200 files), (b) losses suffered as a result of fraud in the reporting period is R 160 000 (previous quarter is 5 million), (c) 65 claims repudiated (previous quarter is 150) and (d) number of arrests is 50 persons (previous stats for previous quarter is 80).
To mitigate against the impact of fraud internally and externally to RAF business environment, the following initiatives have been undertaken (a) fraud awareness strategies (4 in the reporting period), (b) repudiation of 65 claims, (c) dismissal or suspension of suspected employees ( 7 employees). As a mitigant, FID will also be rigorously engaging strategies to prevent and recover losses from the guilty party.
Based on the various factors highlighted above, Fraud and Corruption risk is rated Medium for this quarter. The Fraud & Corruption risk has a direct impact on all strategic objectives.
1.Fraud & Corruption
2. Financial Management
3. Information Communication &
Technology
4. Stakeholder Pressure
5. Service Delivery
6. People Management
7. Regulatory Framework
Quarterly Strategic Risk Profile as at December 2014
1.Fraud & Corruption
2. Financial Management
3. Information Communication & Technology
4. Stakeholder Pressure
5. Service Delivery
6. People Management
7. Regulatory Framework
Annual Strategic Risk Profile as at December 2014
25
A total of 11 tasks have been identified for the Service Delivery risk. There are no overdue tasks for the reporting period.
The materialised risks for the reporting period include (a) Condonation of prescribed claims, (b) inaccurate reporting, (c) poor file management, (d) invalid ID numbers in the system. Risks emerged mainly relating to (a) summons received for unregistered claims and (b) the impact of Post office strike on the claim process timelines and East London Panel of Attorney.
Service delivery risk remains impacted upon as some of the APP targets have not been met , that is, (a) Reduction of the number of open claims as a result of financial constraints and (b) Reduced turnaround time for settlement of medical cost, Loss of Earnings ,Loss of Support and General damages ( i.e. 1300 vs. 1324 turnaround days). In addition, the clean-up exercise conducted by the region on prescribed direct claims resulted in an increase on the number of condonations for prescription in the amount of 5691 and the organisation incurred an interest costs of R 2.3 million (R 9.5 million for year to date) and sheriff costs of R 515 000 (R 1.9 million for year to date) for the reporting period. To mitigate the risk of
legal costs the organisation is exploring means of Alternative Despite Resolution and Litigation Management Strategy.
Although the productivity has not been impacted by the current financial situation but considering that the Fund's ultimate service delivery entails paying the claimants which is currently impacted due to financial constrains. The Service Delivery risk is rated High in this quarter. The Service Delivery risk has a direct impact on all strategic objectives.
A total of 11 tasks have been identified for the People Management risk. There are no overdue tasks for the reporting period.
Materialised risks for the period include (a) The financial loss due to prolonged suspension period. (b) The high cost ( Over R16m accumulative figure since April to October) of sick leave taken on Mondays.
The number of vacancies decreased from 9% to 8% but is still above the set threshold of 7.5%. The absenteeism rate dropped from 2.13 to 1.91 days and is within the set threshold. The number of internal grievances has increased however the matters reported lacked substance. The number of employees on suspension has increased from 7 in October to 10 in November and the salaries paid for these employees and the length of period of such payments need to be reviewed in order to reduce - this expenditure could possibly be classified as fruitless and wasteful expenditure. The amount paid for employees on suspension is R 697 059 for November, currently on R 3 million to date and the average period of
employees on suspension is currently 15.6 months.
Based on the various factors highlighted above, the People Management risk is rated Medium for this quarter. The People Management risk has a direct impact on all strategic objectives.
10 tasks have been identified to reduce the impact of Regulatory Framework risk. No overdue task was noted for the reporting period.
Public comments for RABS Bill have been received until end of October 2014 and the RAF Amendment Bill has also been gazetted for public comments in November 2014. The emerging risks for these two pieces of legislation, will be the confusion that they may have to the public as to which Act will be the future of RAF or which Act is being pursuit by RAF between the two. The other challenge will be readiness of RAF to implement both pieces of legislation concurrently.
The materialised and emerged risks relate to (a) poor file management which result in delays in responding to PAIA file requests, (b) possible legal challenges due to the condonation of prescribed claims and (c) non-compliance with policies (10 incidents in September and 8 in August) with the major ones being violation of special power of attorneys by contacting represented claimants directly (i.e. Project Siyenza) and delays in responding to PAIA Requests.
The number of constitutional cases before the Constitutional Court have reduce from 21 in April 2014 to 17 in September / October 2014. This is mainly due to the finalization of these cases, which were in favour of the Road Accident Fund.
Based on the various factors highlighted above, the Regulatory Framework risk is rated Medium for this quarter. The Regulatory Framework risk has a direct impact on all strategic objectives.
7. Regulatory Framework
1.Fraud & Corruption
3. Information Communication & Technology
4. Stakeholder Pressure
5. Service Delivery
6. People Management
A total of 11 tasks have been identified to mitigate Fraud and Corruption risk at the strategic level and there is one overdue task relating to development and/or review and implementation of Fraud Management Strategy.
The KRIs indicate that for the reporting period (a) the number of fraud cases reported and referred for forensics investigations are on an average of 900 files (previous quarter was 1200 files), (b) losses suffered as a result of fraud in the reporting period is R 160 000 (previous quarter is 5 million), (c) 65 claims repudiated (previous quarter is 150) and (d) number of arrests is 50 persons (previous stats for previous quarter is 80).
To mitigate against the impact of fraud internally and externally to RAF business environment, the following initiatives have been undertaken (a) fraud awareness strategies (4 in the reporting period), (b) repudiation of 65 claims, (c) dismissal or suspension of suspected employees ( 7 employees). As a mitigant, FID will also be rigorously engaging strategies to prevent and recover losses from the guilty party.
Based on the various factors highlighted above, Fraud and Corruption risk is rated Medium for this quarter. The Fraud & Corruption risk has a direct impact on all strategic objectives.
A total of 10 tasks have been identified to mitigate ICT risk. There is one overdue task relating to approval of the e-enablement plan. The draft E-enablement plan/strategy will be re-submitted to OPSIT after clearing all queries raised.
Although the approval for the draft E-enablement plan/strategy was not obtained from the OPSIT, the ICT Function continues to strive to stabilize ICT systems for operational efficiency and increased productivity.
Materialised and emerged risks for the reporting period relate to (a) high number of invalid ID numbers in the Claims system (i.e. 12 000 ID numbers of direct claimants) and (b) the condition of the Menlyn Data centre, generator and UPS.
The KRI on system availability exceeded the set threshold for the month of October (i.e. 24 hours from six reported incidents vs. 5 baseline incidents) as a result of issues experienced on the Claim system, E-mail and network connectivity. There were also 10 unresolved IT queries for the reporting period, mainly concentrated in Cape Town, Johannesburg and Pretoria relating to connectivity.
All ICT risk indicators were within their set threshold for the month of October and November. The number of downtime and the hours lost were lower than in the previous month i.e. 5 incidents versus 11 incidents in October and 16 hours downtime versus 23 hours in October. No security and information integrity incidents happened for the quarter.
Based on the various factors highlighted above, ICT risk is rated High for this quarter. The ICT risk has a direct impact on all strategic objectives.
.
A total of 10 tasks have been identified for the Stakeholder Pressure risk. No overdue task was noted for the reporting period.
Although RAF is currently enduring financial stress, it has however continued with its efforts to be accessible to the communities it serve in such a way that it was awarded Minister's Special Award and was also nominated for various awards for its work and innovation.
Materialised risk for the period relates to a request by RAF for plaintiff attorneys to issue summons on behalf on Direct claimants to avoid prescription. The KRI on negative complaints on poor service delivery by RAF employees has exceeded its target (i.e. 100) for the reporting period. The complaints received are 199 against the baseline of 100 complaints mainly as a result of unpaid claims. During this quarter the writs went up and some the Fund's assets were attached. There were complaints from both attorneys and claimants based on non-payment of claims to black claimants represented by them.
Based on the various factors highlighted above, Stakeholder Pressure risk is rated High for this quarter . The Stakeholder Pressure risk has a direct impact on all strategic objectives.
Explanation of the background colours (Legends) :
1. Red = Critical / High Risk Area (Priority 1 Risk)
2. Amber = Significant / Medium Risk Area(Priority 2 Risk)
3. Green = Moderate / Low Risk Area (Priority 3 Risk)
Conclusion:
Based on the analysis of emerged , materialised and avoided risks, KRIs, mitigations and tasks implemented in each of the strategic risks for this quarter it is concluded that strategic risk profile for this quarter was reasonably managed with mitigation plans implemented within the agreed time, however due to the Fund's financial status the overall impact on the profile is high.
C. DETAILED STATUS AND MOVEMENTS ON THE STRATEGIC RISK PROFILE
A total of 24 tasks have been identified to reduce the impact of Financial Management risk. There is one overdue task relating to development of the Consultancy Reduction Plan. A Management Directive in this regard has been issued in this regard and the plan is being compiled.
The revenue receipts for the reporting period is R 5.1 billion, whereas the expenditure for the same period is R 8.1 billion, thus resulting a cash shortage of R 3 billion for the reporting period. In addition, there are outstanding claims payment of R 6.5 billion ( as at end of December 2014) which is impacting negatively on the timely payment of 54 000 outstanding claimants and suppliers. The cash balance is at R -1.6 billion (overdraft) as at end of December 2014. In total our short term liability is at R 8.1 billion. The deficit has increased from R 99 billion from previous quarter to R 108 billion.
Several mitigations have been undertaken to secure additional funds include (a) requesting additional funding from the National Treasury ( i.e. 7.8 billion), (b) asking for additional funds from the shareholder through virement and other means, (c) negotiating with SARS on pre-payment of fuel levy and delayed payment of diesel rebate, (d) exploring paying claims in instalments and (e) improve financial controls that resulted in R 5 million savings. Additional funding from the National Treasury is expected to transfer in February 2015. In addition, to resolve the SCM related challenges, the SCM Turnaround Strategy is being implemented with a target of full implementation of March 2015.
It should also be noted that the forecasted shortfall for this next financial year is R16 billion and R22 billion if we carry on with the current productivity for subsequent years. The RM division developed a Proposed Claims Payment Model that Finance is currently reviewing, which is meant to assist with the financial situation the Fund is facing. Based on the various factors highlighted above, Financial Management risk is still considered to be a High risk. The Financial Management risk has a direct impact on all strategic objectives.
2. Financial Management
1.Fraud & Corruption
2. Financial Management
3. Information Communication & Technology
4. Stakeholder Pressure
5. Service Delivery
6. People Management
7. Regulatory Framework
Quarterly Strategic Risk Profile as at December 2014
1.Fraud & Corruption
2. Financial Management
3. Information Communication &
Technology
4. Stakeholder Pressure
5. Service Delivery
6. People Management
7. Regulatory Framework
Annual Strategic Risk Profile as at December 2014
B. PERFORMANCE AGAINST THE RISK APPETITE Risk Appetite Statement ( Limits) Risk Category
Impacted
Actual Status Description /
Comments Quarterly Year-To-Date
RAF deems RXX million to be the acceptable
level of risk exposure (value at risk) in the
pursuit of its strategic goals
R 1 R XXX R XX million Within Risk
Appetite
R 2 R XXX R XX million Exceeded
RAF has committed not to take risks that could
result in ICT system not available for more
than XX days a month
R 3 XX hours XX hours Within Risk
Appetite
RAF has committed not to take risks that could
result in critical concerns raised by the Minister
which affect the Stakeholder campaign
R 4 None None Within Risk
Appetite
RAF has committed not to take risks that could
result in claims turnaround times being
prolonged beyond average of XX days
R 5 XXX days XXX days Exceeded
RAF has committed not to take risks that could
impact more than XX% of staff performance.
XXX has committed not to take risks that could
result in more than XX % of the non availability
of required staff capacity
R 6 XX% staff turnover XX% average Exceeded
RAF has committed not to take risks that could
result in major litigation impacting XXX liability
R 7 Constitutional Court
Cases
XX Constitutional
Court Cases in the
beginning of the
year
Exceeded
Conclusion : The current risk profile of the RAF, in consideration of materialised risks and emerging risks, is above / below both risk appetite of
R xx million and risk bearing capacity of R XXX million. We have exceeded 4 out of 7 risk appetite limits, pertaining to R2, R5, R6 and R7. This
indicates that the objectives and APP targets impacted by these might not be met.
RISK APPETITE REPORTING
Conclusion:
Based on the analysis of emerged , materialised and avoided risks, KRIs, mitigations and tasks implemented in each of the strategic risks for this quarter it is
concluded that strategic risk profile for this quarter was reasonably managed with mitigation plans implemented within the agreed time, however due to the
Fund's financial status the overall impact on the profile is high.
Explanation of the background colours (Legends) :
1. Red = Critical / High Risk Area (Priority 1 Risk)
2. Amber = Significant / Medium Risk Area(Priority 2 Risk)
3. Green = Moderate / Low Risk Area (Priority 3 Risk)
C. DETAILED STATUS AND MOVEMENTS ON THE STRATEGIC RISK PROFILE
A total of 10 tasks have been identified to mitigate ICT risk. There is one overdue task relating to approval of the e-enablement plan. The draft E-enablement plan/strategy will be re-submitted to OPSIT after clearing all queries raised.
Although the approval for the draft E-enablement plan/strategy was not obtained from the OPSIT, the ICT Function continues to strive to stabilize ICT systems for operational efficiency and increased productivity.
Materialised and emerged risks for the reporting period relate to (a) high number of invalid ID numbers in the Claims system (i.e. 12 000 ID numbers of direct claimants) and (b) the condition of the Menlyn Data centre, generator and UPS.
The KRI on system availability exceeded the set threshold for the month of October (i.e. 24 hours from six reported incidents vs. 5 baseline incidents) as a result of issues experienced on the Claim system, E-mail and network connectivity. There were also 10 unresolved IT queries for the reporting period, mainly concentrated in Cape Town, Johannesburg and Pretoria relating to connectivity.
All ICT risk indicators were within their set threshold for the month of October and November. The number of downtime and the hours lost were lower than in the previous month i.e. 5 incidents versus 11 incidents in October and 16 hours downtime versus 23 hours in October. No security and information integrity incidents happened for the quarter.
Based on the various factors highlighted above, ICT risk is rated High for this quarter. The ICT risk has a direct impact on all strategic objectives.
.
A total of 10 tasks have been identified for the Stakeholder Pressure risk. No overdue task was noted for the reporting period.
Although RAF is currently enduring financial stress, it has however continued with its efforts to be accessible to the communities it serve in such a way that it was awarded Minister's Special Award and was also nominated for various awards for its work and innovation.
Materialised risk for the period relates to a request by RAF for plaintiff attorneys to issue summons on behalf on Direct claimants to avoid prescription. The KRI on negative complaints on poor service delivery by RAF employees has exceeded its target (i.e. 100) for the reporting period. The complaints received are 199 against the baseline of 100 complaints mainly as a result of unpaid claims. During this quarter the writs went up and some the Fund's assets were attached. There were complaints from both attorneys and claimants based on non-payment of claims to black claimants represented by them.
Based on the various factors highlighted above, Stakeholder Pressure risk is rated High for this quarter . The Stakeholder Pressure risk has a direct impact on all strategic objectives.
10 tasks have been identified to reduce the impact of Regulatory Framework risk. No overdue task was noted for the reporting period.
Public comments for RABS Bill have been received until end of October 2014 and the RAF Amendment Bill has also been gazetted for public comments in November 2014. The emerging risks for these two pieces of legislation, will be the confusion that they may have to the public as to which Act will be the future of RAF or which Act is being pursuit by RAF between the two. The other challenge will be readiness of RAF to implement both pieces of legislation concurrently.
The materialised and emerged risks relate to (a) poor file management which result in delays in responding to PAIA file requests, (b) possible legal challenges due to the condonation of prescribed claims and (c) non-compliance with policies (10 incidents in September and 8 in August) with the major ones being violation of special power of attorneys by contacting represented claimants directly (i.e. Project Siyenza) and delays in responding to PAIA Requests.
The number of constitutional cases before the Constitutional Court have reduce from 21 in April 2014 to 17 in September / October 2014. This is mainly due to the finalization of these cases, which were in favour of the Road Accident Fund.
Based on the various factors highlighted above, the Regulatory Framework risk is rated Medium for this quarter. The Regulatory Framework risk has a direct impact on all strategic objectives.
7. Regulatory Framework
1.Fraud & Corruption
3. Information Communication & Technology
4. Stakeholder Pressure
5. Service Delivery
6. People Management
A total of 11 tasks have been identified for the Service Delivery risk. There are no overdue tasks for the reporting period.
The materialised risks for the reporting period include (a) Condonation of prescribed claims, (b) inaccurate reporting, (c) poor file management, (d) invalid ID numbers in the system. Risks emerged mainly relating to (a) summons received for unregistered claims and (b) the impact of Post office strike on the claim process timelines and East London Panel of Attorney.
Service delivery risk remains impacted upon as some of the APP targets have not been met , that is, (a) Reduction of the number of open claims as a result of financial constraints and (b) Reduced turnaround time for settlement of medical cost, Loss of Earnings ,Loss of Support and General damages ( i.e. 1300 vs. 1324 turnaround days). In addition, the clean-up exercise conducted by the region on prescribed direct claims resulted in an increase on the number of condonations for prescription in the amount of 5691 and the organisation incurred an interest costs of R 2.3 million (R 9.5 million for year to date) and sheriff costs of R 515 000 (R 1.9 million for year to date) for the reporting period. To mitigate the risk of legal costs the organisation is exploring means of Alternative Despite Resolution and Litigation Management Strategy.
Although the productivity has not been impacted by the current financial situation but considering that the Fund's ultimate service delivery entails paying the claimants which is currently impacted due to financial constrains. The Service Delivery risk is rated High in this quarter. The Service Delivery risk has a direct impact on all strategic objectives.
A total of 11 tasks have been identified for the People Management risk. There are no overdue tasks for the reporting period.
Materialised risks for the period include (a) The financial loss due to prolonged suspension period. (b) The high cost ( Over R16m accumulative figure since April to October) of sick leave taken on Mondays.
The number of vacancies decreased from 9% to 8% but is still above the set threshold of 7.5%. The absenteeism rate dropped from 2.13 to 1.91 days and is within the set threshold. The number of internal grievances has increased however the matters reported lacked substance. The number of employees on suspension has increased from 7 in October to 10 in November and the salaries paid for these employees and the length of period of such payments need to be reviewed in order to reduce - this expenditure could possibly be classified as fruitless and wasteful expenditure. The amount paid for employees on suspension is R 697 059 for November, currently on R 3 million to date and the average period of employees on suspension is currently 15.6 months.
Based on the various factors highlighted above, the People Management risk is rated Medium for this quarter. The People Management risk has a direct impact on all strategic objectives.
A total of 24 tasks have been identified to reduce the impact of Financial Management risk. There is one overdue task relating to development of the Consultancy Reduction Plan. A Management Directive in this regard has been issued in this regard and the plan is being compiled.
The revenue receipts for the reporting period is R 5.1 billion, whereas the expenditure for the same period is R 8.1 billion, thus resulting a cash shortage of R 3 billion for the reporting period. In addition, there are outstanding claims payment of R 6.5 billion ( as at end of December 2014) which is impacting negatively on the timely payment of 54 000 outstanding claimants and suppliers. The cash balance is at R -1.6 billion (overdraft) as at end of December 2014. In total our short term liability is at R 8.1 billion. The deficit has increased from R 99 billion from previous quarter to R 108 billion.
Several mitigations have been undertaken to secure additional funds include (a) requesting additional funding from the National Treasury ( i.e. 7.8 billion), (b) asking for additional funds from the shareholder through virement and other means, (c) negotiating with SARS on pre-payment of fuel levy and delayed payment of diesel rebate, (d) exploring paying claims in instalments and (e) improve financial controls that resulted in R 5 million savings. Additional funding from the National Treasury is expected to transfer in February 2015. In addition, to resolve the SCM related challenges, the SCM Turnaround Strategy is being implemented with a target of full implementation of March 2015.
It should also be noted that the forecasted shortfall for this next financial year is R16 billion and R22 billion if we carry on with the current productivity for subsequent years. The RM division developed a Proposed Claims Payment Model that Finance is currently reviewing, which is meant to assist with the financial situation the Fund is facing. Based on the various factors highlighted above, Financial Management risk is still considered to be a High risk. The Financial Management risk has a direct impact on all strategic objectives.
2. Financial Management
A total of 11 tasks have been identified to mitigate Fraud and Corruption risk at the strategic level and there is one overdue task relating to development and/or review and implementation of Fraud Management Strategy.
The KRIs indicate that for the reporting period (a) the number of fraud cases reported and referred for forensics investigations are on an average of 900 files (previous quarter was 1200 files), (b) losses suffered as a result of fraud in the reporting period is R 160 000 (previous quarter is 5 million), (c) 65 claims repudiated (previous quarter is 150) and (d) number of arrests is 50 persons (previous stats for previous quarter is 80).
To mitigate against the impact of fraud internally and externally to RAF business environment, the following initiatives have been undertaken (a) fraud awareness strategies (4 in the reporting period), (b) repudiation of 65 claims, (c) dismissal or suspension of suspected employees ( 7 employees). As a mitigant, FID will also be rigorously engaging strategies to prevent and recover losses from the guilty party.
Based on the various factors highlighted above, Fraud and Corruption risk is rated Medium for this quarter. The Fraud & Corruption risk has a direct impact on all strategic objectives.
1.Fraud & Corruption
2. Financial Management
3. Information Communication &
Technology
4. Stakeholder Pressure
5. Service Delivery
6. People Management
7. Regulatory Framework
Quarterly Strategic Risk Profile as at December 2014
1.Fraud & Corruption
2. Financial Management
3. Information Communication & Technology
4. Stakeholder Pressure
5. Service Delivery
6. People Management
7. Regulatory Framework
Annual Strategic Risk Profile as at December 2014
24
R1
R2
R3
R4
R5
R6
R7
Quarterly Strategic Risk Profile as at December 2014
R1
R2
R3
R4
R5
R6
R7
Quarterly Strategic Risk Profile as at January 2015
Illustration
RM DASHBOARD
Risk Assessment Risk Appetite Limits (for this
month)
No. of Overdue tasks
KRI Movement
No of emerging risks
No of materialised risks Risk Name Risk Owner Prior Current Risk
Movement
R1 CXO Within Risk Appetite
2 Up 0 0
R2 CXO Exceeded 2 Up 5 2
R3 CXO Within Risk Appetite
0 Up 0 1
R4 CXO Within Risk Appetite
0 Down 2 0
R5 CXO Exceeded 1 Up 8 3
R6 CXO Within Risk Appetite
0 Up 1 0
R7 CXO Within Risk Appetite
0 Down 4 0
H
H
H
M
M
M
H
H
M
H
H
H
M
H
26
RISK APPETITE ROLES AND RESPONSIBILITIES
Executives
• Review the Risk Appetite framework and all its components annually and/or as and when the Road Accident’s
profile changes and submits to the Board for approval.
• Report to the Board on the Road Accident Fund’s performance against the set risk appetite
• On-going review, management and monitoring of current strategic and tactical risks according to the Risk
Appetite Framework.
• Escalate those risks that are above the Road Accident Fund’s risk appetite
• Affirm risk appetite compliance in respective business units.
• Compliance committees of the board
General Managers/Senior Managers
• Report to the Executives on the Road Accident Fund’s performance against the set risk appetite
• On-going review, management and monitoring of operational and process risk according to the Risk
Appetite Framework.
• Escalate those risks that are above the Road Accident Fund’s risk appetite
Board of Directors
• Discusses, challenges and ultimately approve the Risk Appetite statement
• Reviews it annually and authorizes exceptions, if any
• Communicates it to shareholders
• Take decisions on those risks that are above the Road Accident Funds’ risk appetite
27
34
Lack of clear
guidance on the
company’s risk
appetite leads to
inconsistent risk
standards and
increases influence of
risk aversion.