THE USE OF BEST PRACTICE IN THE PUBLIC SECTOR
According to the results of the Financial Management Capability Maturity Model that has been rolled out throughout the public sector, it has become evident that the majority of public sector institutions are still battling with integrating risk management with other institutional processes. It appears as if many of these institutions are more comfortable with adopting a “tick box” exercise as opposed to implementing best practice. As much as complying with risk management prescripts is necessary, it is just as important to ensure that risk management is fully integrated so that there is a quantifiable benefit to an institution’s performance. The structure of the risk management function is crucial and should address the considerations below:
- Whether or not institutions should form a separate independent Risk Management Committee (RMC) vs. a combined one; and how to effectively measure whether or not the RMC does add value through the system of risk management within an institution.
- Who the Chief Risk Officer (CRO) reports to.
- The use of Risk Champions within institutions.
With the view that public sector institutions have been struggling, particularly in successfully embedding risk management, it is of important that we understand and identify where these hindrances could arise from.
Many institutions often attempt to implement every “risk management buzzword” without considering its suitability. Below are examples of what could negatively influence progress in effectively embedding risk management:
Risk Management Not Given Priority
The CRO is an expert in risk management that operates at a senior level, and is employed to ensure that risk management is embedded within the institution. The Accounting Officer and Executive Management team expect that whatever the CRO introduces will bring value to the institution and will enhance performance.
Structural Roles Overlap
Institutions should be extra careful when addressing risk management responsibilities in order to avoid a duplication of effort. For example, if existing structures within an institution already cater for risk management reporting and control, the institution could just work on strengthening and formalising these risk management structures, instead of introducing additional structures.
It is unfortunate that that the public sector is still stuck on ensuring that risk management prescripts are complied with. Institutions appear to be more concerned about making sure that the Auditor – General places all of the ticks in the desired places following an audit. This does not suggest that compliance is not important. However, it is also important that one should understand the underlying reasons for compliance and should assess how certain prescripts can be best implemented within the unique nature of the South African Public Sector.
Considering that institutions are unique, it is vital that the approach pertaining to system implementations, particularly related to risk management, should be equally unique. Therefore, before making a decision on how to best implement certain risk management processes, it is necessary for an institution to consider the following:
- Whether the existing structures within the institution do not already play a role, and have responsibilities, in the management of risks; identifying the extent of involvement with regard to those roles and responsibilities.
- Whether the considered prescripts bring value to institutions.
- Whether the institution is actually ready for the considered risk management recommended prescripts.
- The state of the institution, for example, whether the institution is in distress or whether it is business as usual.
- Whether the implementation of the considered prescript would enhance or undermine the perception of the CRO by Executive Management and the Accounting Officer (as well as other relevant stakeholders).
Best practice pertaining to the embedding of risk management should not be followed blindly and requires an understanding of where the content is drawn from. In most cases, information that advises the recommended risk management prescript is drawn from corporate institutions, which are structured differently from the South African Public Sector.
As the saying goes, “A good CRO ultimately works himself out of a job”. It is therefore important to remember that, ultimately, CROs should create a system of risk management that is designed for, and is compatible with, the institutional nature and culture. Going forward, public sector institutions would benefit tremendously by using the existing risk management frameworks and tailoring it in line with the nature of the organisation. In doing so, these institutions will uncover the benefit of having an effective risk management programme.