case study for rm maturity within raf › event documentation › road...risk appetite case study 1...

Case Study for Risk Appetite and RM

Maturity within RAF

RM Team - RAF

February 2015

THE STORY OF RAF MATURITY AND RISK APPETITE

RM Governance Structures

RM Maturity

Where it all began?

Potholes on the Road (Challenges faced)

Game Changers

Risk Appetite Case Study

1

RISK GOVERNANCE AT RAF

2

RAF BOARD

AUDIT

COMMITTEE

RMEC

EXECUTIVE

COMMITTEE

RM IN RAF

Thabile Nyaba

Regional Risk and Compliance Officers

x5

Risk Manager

Personal Assistant

Personal Assistant

BCM Manager

Carol Songelwa

Lamlani Dube

Senior Risk Officer

3

CA Manager

BCM Administrator

Old Positions

New Positions

WHERE DID IT ALL BEGIN ?

Took

Executives

and Board

on this

journey

Translated

this into a 3

year RM Plan

Highlighted the

value that will

be derived from

each action

plan

Identified gaps

and road map to

get to the

desired stage

• Did Maturity

assessment and

diagnostic

review using

hybrid of

frameworks in

July 2013

• Decided on

where we want

to be and by

when (maturity

levels and

timelines

5

RISK MATURITY OF RAF

RAF Risk Maturity Assessment Model used hybrid of frameworks including National Treasury’s Risk Maturity Assessment Model

6

Desired state by March 2017

Independent Assessment by PWC

March 2014

Internal Review July 2013

Level 1 Level 2

Level 3

Level 4

Level 5

• Risk management practices that are embedded in the corporate culture (Risk Culture) so that

strategy and decision-making evolve out of a risk-informed process

• Integrated approach of managing risks

• Risk management practiced in all levels of organisation

ACTION PLANS TO IMPROVE RISK MATURITY STATUS

Risk Initiative

(RI) Action Plan

1 Review of currently identified Tasks (Strategic and Operational risks) for

effectiveness, efficiency, adequacy, duplications and alignment. Alignment of tasks with the corporate initiatives / APP/ strategy. Categorization of tasks into either projects, Intervention or Once off. Development of Task Implementation and Monitoring plans.

2 Weighting and quantification of risk, controls and tasks (Total Cost of Risk). Risk and Controls consolidation and aggregation (cross functional risks)

3 Perform Tactical (Executive level) and Operational (GM level) risk assessment s. This also includes risk assessment at the Regions.

4 Identification and reporting on Key Risk Indicators (KRIs) and linking them to KPIs (Key Performance Indicators) for Strategic and Operational risks

5 Risk Consulting (allocation of Risk Advisor) for each Business Unit, Key

Project and Governance Forum. Full implementation of Risk Champion

Strategy.

6 Development, implementation and monitoring of Risk Acceptance

Certificate – for those risks that have been accepted by the Business.

7 Development, Implementation and Monitoring of the Risk Appetite

Statement / Framework. This should include the Risk Escalation and

reporting process

8 Develop a consolidated risk issue / risk events / incidences tracking and monitoring report

9 Conduct Risk modeling and Scenario analysis for risk identification process

10 Implementation of Combined Assurance Framework and Monitoring plan,

including a committee

11 Process Risk Assessment

12 Assess, monitor, implement and monitor Risk, Governance and

Compliance processes (Integrated GRC). Risk Intelligent culture

RI 1

RI 5

RI 10

RI 8

RI 9

RI 7

RI 11

RI 4

RI 3

RI 6 RI

2

2014

2015 2017

RI 12

8

Action plan and value attached

RAF 9

Action Plan

Description of Action Plan Value to be derived from Action Plan

1 Review of currently identified Tasks (Strategic and Operational

risks) for effectiveness, efficiency, adequacy , duplications and

alignment. Alignment of tasks with the corporate initiatives / APP/ strategy. Categorization of tasks into either projects, Intervention or Once off. Development of Task Implementation and Monitoring plans.

This will ensure that the Tasks that have been identified are adequate for the management of risks , value adding, well articulated and understood in terms of the impact and the resources required to implement them effectively. It will also ensure that the risks are managed by only the effective tasks (mitigation strategies), thereby improving efficiency in the manner that we are managing risks., i.e. we are not over controlling or under controlling the risks. Progress on implementation, based on the monitoring plan, can be used to track and change risk ratings accordingly, ensuring that there is an understanding of when is the risk going to change its rating (when are we going to be satisfied that the risk is managed well). Furthermore, this will make it easy for the risk owners to manage the tasks, as they will be well thought out and few. It will also enable risk and control owners to take full accountability and ownership of managing risks and controls.

2 Weighting and quantification of risk, controls and tasks (Total Cost of Risk). Risk and Controls consolidation and aggregation (cross functional risks)

This will enable the organisation to do cost benefit analysis, ensuring that the cost of mitigating risks doesn't exceed the cost of actual risk. This computation gives clear value of the financial impact of risk materialising allowing you to decide whether it is worth it to take certain risks. The identification of key controls that mitigate risks cutting across different Business Units will result in synergies and minimise duplication of effort throughout the Group, thereby breaking down silos. This will further ensure integrated response to the risks and enable the organisation to keep track on most effective controls to address the risks so as to ensure that these controls remain effective.

3 Perform Tactical (Executive level) and Operational (GM level) risk assessments

This will enhance and cascade the tone currently set by management of embedding risk management into the day to day operations and making sure that the Business Units are taking only those risks that preserve and create value and assist in achieving the strategic objectives of RAF. This will also allow risk information to be relevant and useful in terms of guiding decision-making processes. Further more it will contribute to a broader understanding of the risk universe from which RAF operates within.

4 Identification and reporting on Key Risk Indicators (KRIs) and linking them to KPIs (Key Performance Indicators) for Strategic and Operational risks

KRIs will be used to monitor either exposure to key risks or controls for key risks. The objective of the risk indicator is to provide early warning signals to management and the Board that potential events, that may affect an organisation are about to occur, so that measures could be put in place.

RAF’S JOURNEY TO RISK INTELLIGENCE ROADMAP

Vision

RA

F’s

Va

lue

Develop

Risk &

Governance

components

Monitor

Risk &

governance

components

Total Cost of Risk / Weighting of controls

Risk issues / events/ incidences

Combined Assurance

Framework

I GRC/ Combined Assurance

Risk Task Review

Risk Consulting at BU level

Risk Appetite Statement / Framework

Risk Modeling and Scenario

Analysis

Process Risk Assessment

Tactical and Operational risk

assessment

Risk Acceptance Certificate &

Process

Key Risk Indicators

10

3 YEAR RM PLAN

Activity 2013/2014 2014/2015 2016/2017

Review of currently identified Tasks (Strategic and Operational risks) for effectiveness,

efficiency, adequacy and duplications and alignment

x x x

Total Cost of risk assessment and weighting of controls. x x x

Strategy, Tactical & Operational risk assessments x x x

Key Risk Indicators and framework x x x

Risk Consulting at Business Unit level x x x

Risk Acceptance Certificate and processes x x x

Risk Appetite Statement / Framework x

Risk issues tracking & monitoring processes x x x

Risk modeling and Scenario analysis x

Process Risk Assessment x x

Integrated Risk, Governance and Compliance GRC). x

11

Progress on the Risk Management Plan is reported to the RMEC

POTHOLES ON THE ROAD (CHALLENGES)

Pushback on the identified risks –

strategic vs operational risks

Perception on being bearers of bad

news

Perceived additional tasks by Business

Withholding of information by the

business

Risk Acceptance process

Understanding on BCM and Buy in

Differentiation between BCM Incident

and BCM Crisis”

Acceptance of the Risk and

Compliance Specialists by the Regions

Moving ahead and leaving the

organisation behind. RM maturity vs.

org maturity

Reliability of information provided by

management for quantification of

losses”

13

HOW WE OVERCAME (GAME CHANGERS)

14

Text Text

Risk Consulting – value adding

Pro active identification of risks

• Better understanding of the operations

• Relationship building

• Pre consulting (before Exco meetings)

• Pro active identification of mitigations

• Data collection and Risk advisory

Changed the RM report/Process

• Reports on emerging risks

• Materialised risks

• Avoided risks

• Accepted risks

• Key Risk Indicators

• Monthly/Quarterly RM opinion on the

profile

• Year –End RM report

Development of the Risk Appetite

framework

• Monthly and monitoring Reporting on the

Risk appetite

Proactive Risk Identification at Tactical

and Operational level

• Risk Identification (Tactical, Operation and

Process)

• Scenario

• Research

• Benchmarking

• Informed draft of register

Ongoing introspection and reflection

Risk Management Induction and

awareness

• New employees

• Existing employees

• Quick guide on Risk Management

• Risk Champion Forum

Risk Appetite

SOME DEFINITIONS

Risk Bearing Capacity (RBC)

• The maximum amount of risk that the organization is able to accept in line with its mission /values /strategic goals, without exposing it to the point where its existence and survival is under threat.

Risk Appetite

• The amount and type of risk that an organisation is willing to accept in line with its strategic goals. .

12

VALUE OF RISK APPETITE

Risk Appetite statements provide

performance boundaries around

the organization’s strategic

objectives

Documentation of risk appetite

clarifies the organizational stance

and ensures consistency in risk

decisions.

A formal, documented risk appetite statement sets the tone for risk

management at the top and enables employees at all levels to

understand the type and amount of risks they should take.

13

BENEFITS OF IMPLEMENTING A RISK APPETITE FRAMEWORK

It allows a more balanced view of risks and management can then react /take action if the risk profile exceeds /is below the organisation’s desired/target risk appetite.

Provides the basis for more responsive strategic decision making regarding risk

Fosters a more risk intelligent culture that assists in making informed risk based decisions;

Enhances the ability to achieve strategic objectives and it assists in linking risk appetite with strategic goals and required resources to support growth and risks;

14

Action Plans against Risk Appetite

Tracking and monitoring of the Key Risk Indicators (KRIs)

Emerging risks Risk events/Near

misses Accepted and Avoided

Current and changes in the risk profile against the Risk

Appetite

APP targets against Risk Appetite

Wh

ere

is R

isk

Ap

pet

ite

app

lied

?

15

CHARACTERISTICS OF EFFECTIVE RISK APPETITE STATEMENTS

Reflective of organization’s strategy

Reflective of all key aspects of the organisation

Both quantitative and qualitative

Measurable and adjustable over time

Facilitate monitoring of external and internal environment

Enable decision making at all levels

Aid alignment of people, processes, and resources in pursuit of organization’s

strategy

Easy to communicate and monitor throughout the organization

16

Departmental Drivers

\

What are the risks that do not fit

and should therefore be avoided

altogether?

What are the risks that are not

sought after but will come as part

of doing business and that should

therefore be controlled and/or

minimised?

Risk appetite vs risk “diet”

Consideration Drivers

Thorough understanding of the

organisation, strategic objectives, mandate,

legislative environment, SWOT, PESTEL

Understanding of stakeholders i.e. the

expectations and needs

Understanding of the financial position

Understanding of the risk universe and

culture

Historical trends and data analysis

Scenario analysis and testing on

assumptions on which objectives are set

Risk

Appetite

Framework

DRIVERS OF RISK APPETITE

17

RAF – Risk Appetite Journey

LESSONS LEARNED

Start somewhere….just do it!

Keep it simple and don’t complicate

Let it fit the organisation (There is no wrong way but

a suitable way)

Test your thinking throughout the process

Engage with as many people as possible

Know your organisation – thorough understanding

Take key people with you in this journey

Articulate your thinking process – you are the Risk Specialist

16

Step Step Step

Establish the context and

define governing objectives

a. Understand Fund’s business,

its strategic objectives and

financial position

b. Legislative environment

c. PESTEL, SWOT

d. Identify the critical pillars of

the organisation

Understanding the Risk

universe

a. Understand the Philosophy

and Attitude of Risk (Risk

Culture)

b. Risk events and near

misses

c. Review the risk profile -

current and previous ,WEF

and DOT’s

d. review historical data

e. Review insurance covers,

DoA, Materiality

Consultation and

Engagement

a. Executives

b. Assurance Providers

c. Actuaries

d. Business Units

STEPS TAKEN BY THE RAF TO DEVELOP A RISK APPETITE

1 3 2

18

Step Step Step

Articulate / Devise Risk

Bearing Capacity (RBC) and

Risk Appetite Statement

a. Analysis (financial

strength, operational

capacity)

b. risk management practices

c. legal or regulatory

capacity.

d. Conducted simulation and

scenarios

Approval and communication

of RBC & RA

a. Approval process

b. During Risk Workshops

c. Inductions

d. BU Monthly meetings

Monitoring, Reporting and

Operationalisation of the

Risk Appetite

a. Exco and RMEC reports

b. Emerging and materialised

risks against risk appetite

c. Current and changes in

the risk profile against the

Risk Appetite

d. Key Risk Indicators

e. Adhoc Risk Assessments

STEPS TAKEN BY THE RAF TO DEVELOP A RISK APPETITE

4 6 5

19

Illustration

CRITICAL PILLARS FOR RAF AND ANALYSIS ON THEM (STEPS TAKEN - 1 TO 4)

1

Road Accident Fund

2 3

Highest amount

paid

/ settlement

Total Pension

liability

Total Payment

paid to Trade

suppliers last

year

Highest single

fraud committed

Total Fraud

Committed in the

previous years

No. of people died /

injured in one

accident

Legal Fees

SA /

International

People Normal Trading Claims

Highest claim in the

system, awaiting

payment (liability)

Directors Liability

Cover

20

History Current Future

Review of legislation

pertaining to the limits

Productivity

Cases of

suspended people

Wellness Employee

programmes

• Finance

• HIV

Attrition value

Cooperate /

organisational

performance

Staff turnover

Absenteeism

Turnaround

times

Heads of damages

Direct claims

represented

Highest contract

in place

Media Hits

Adverse

judgement

Litigation against

the RAF

System

availability

Productivity

hours

Fraud trends /

Hotspots

Complains from

stakeholders

Backlog of claim

Illustration DEVELOPMENT OF THE RBC THEN THE RA(STEPS

TAKEN - 4 TO 5) RAF deems Rxx Million to be the acceptable level of risk exposure (value at risk) in the pursuit of its strategic

goals. RAF will however not take risks that could result in:

Claims turnaround times being prolonged beyond the current average turnaround time

ICT system non availability for more than xx days a month

Major litigation impacting RAF liability

Critical concerns raised by the Minister which affect the Stakeholder campaign

More than xx% of staff performance

More than xx% of the non availability of required Staff capacity

21

Acceptable risk

Levels

This is a warning sign that the organization is heading for financial constraints

Risk Bearing Capacity

R10

RBC Tolerance Level

R5 Risk Appetite

R2

IMPACT RATING SCALE

22

Impact Assessment Scale Impact Financial

impact

People Effect Stakeholder

impact

Legislative Service/ Operational

effect

5. Catastrophic

RXXXmillio

n

> XX staff non

performance

XX of the staff

turnover

Loss of critical

stakeholder

confidence

Sustained

negative national

reporting

Substitution of RAF with new fund

without incorporating the RAF.

Constitutional court declaring certain

aspects of the RAF Act/regulations as

invalid extending RAF liability beyond

funding.

Replacement of the Board and/or other

key officials for non compliance with

applicable laws.

Claims Turnaround time

>XX days

>XX days per month ICT

system non availability

4. Critical

RXXX

million

XX staff non

performance

XX of the staff

turnover

Sustained impact

on the RAF

Concerns raised

by the Minister

Major litigation impacting the RAF

liability.


<XXX days

XX days per month ICT


3. Significant

R XXX

million

XX staff non

performance

XX of the staff

turnover

Local press

reporting

Major breach of compliance with laws

with punitive fine.

Non compliance with statutory

reporting.


<XX days



2. Moderate

RXX million XX staff non

performance

10% of the staff

turnover

No press

reporting or

external interest

Claims for compensation i.r.o

contractual & delictual liability other

than in terms of the RAF Act.

Non compliance with laws without

punitive fine.


< 550 days



1.Minor

R XX

million

XX staff non

performance

XX of the staff

turnover

Internal issues

Internal

resolution

Non compliance with operational

aspects of the law e.g. language

regulation.


< XX days

XX day per month ICT


R 5

R 10

Escalate to CEO/ DG

Escalate to Board/ Audit Committee

Escalate to Shareholder

Escalate to EXCO

R1

R2 R3

R5 R4

R7

R6

RISK APPETITE REPORTING AND DASHBOARD

(STEPS TAKEN - 6)

How much is it willing (RA) to

take on?

And how much is it actually (diet) taking

on?

Are these in line?

Determine how much risk

the organisation is able (RBC) to

take on

•P

hilo

sop

hy

on

man

agin

g ri

sks

Esca

lati

on

pro

cess

23

R 2

Illustration

RISK APPETITE REPORTING…CONTINUED…

Conclusion:

Based on the analysis of emerged , materialised and avoided risks, KRIs, mitigations and tasks implemented in each of the strategic risks for this quarter it is

concluded that strategic risk profile for this quarter was reasonably managed with mitigation plans implemented within the agreed time, however due to the

Fund's financial status the overall impact on the profile is high.

Explanation of the background colours (Legends) :

1. Red = Critical / High Risk Area (Priority 1 Risk)

2. Amber = Significant / Medium Risk Area(Priority 2 Risk)

3. Green = Moderate / Low Risk Area (Priority 3 Risk)

C. DETAILED STATUS AND MOVEMENTS ON THE STRATEGIC RISK PROFILE

A total of 10 tasks have been identified to mitigate ICT risk. There is one overdue task relating to approval of the e-enablement plan. The draft E-enablement plan/strategy will be re-submitted to OPSIT after clearing all queries raised.

Although the approval for the draft E-enablement plan/strategy was not obtained from the OPSIT, the ICT Function continues to strive to stabilize ICT systems for operational efficiency and increased productivity.

Materialised and emerged risks for the reporting period relate to (a) high number of invalid ID numbers in the Claims system (i.e. 12 000 ID numbers of direct claimants) and (b) the condition of the Menlyn Data centre, generator and UPS.

The KRI on system availability exceeded the set threshold for the month of October (i.e. 24 hours from six reported incidents vs. 5 baseline incidents) as a result of issues experienced on the Claim system, E-mail and network connectivity. There were also 10 unresolved IT queries for the reporting period, mainly concentrated in Cape Town, Johannesburg and Pretoria relating to connectivity.

All ICT risk indicators were within their set threshold for the month of October and November. The number of downtime and the hours lost were lower than in the previous month i.e. 5 incidents versus 11 incidents in October and 16 hours downtime versus 23 hours in October. No security and information integrity incidents happened for the quarter.

Based on the various factors highlighted above, ICT risk is rated High for this quarter. The ICT risk has a direct impact on all strategic objectives.

.

A total of 10 tasks have been identified for the Stakeholder Pressure risk. No overdue task was noted for the reporting period.

Although RAF is currently enduring financial stress, it has however continued with its efforts to be accessible to the communities it serve in such a way that it was awarded Minister's Special Award and was also nominated for various awards for its work and innovation.

Materialised risk for the period relates to a request by RAF for plaintiff attorneys to issue summons on behalf on Direct claimants to avoid prescription. The KRI on negative complaints on poor service delivery by RAF employees has exceeded its target (i.e. 100) for the reporting period. The complaints received are 199 against the baseline of 100 complaints mainly as a result of unpaid claims. During this quarter the writs went up and some the Fund's assets were attached. There were complaints from both attorneys and claimants based on non-payment of claims to black claimants represented by them.

Based on the various factors highlighted above, Stakeholder Pressure risk is rated High for this quarter . The Stakeholder Pressure risk has a direct impact on all strategic objectives.

10 tasks have been identified to reduce the impact of Regulatory Framework risk. No overdue task was noted for the reporting period.

Public comments for RABS Bill have been received until end of October 2014 and the RAF Amendment Bill has also been gazetted for public comments in November 2014. The emerging risks for these two pieces of legislation, will be the confusion that they may have to the public as to which Act will be the future of RAF or which Act is being pursuit by RAF between the two. The other challenge will be readiness of RAF to implement both pieces of legislation concurrently.

The materialised and emerged risks relate to (a) poor file management which result in delays in responding to PAIA file requests, (b) possible legal challenges due to the condonation of prescribed claims and (c) non-compliance with policies (10 incidents in September and 8 in August) with the major ones being violation of special power of attorneys by contacting represented claimants directly (i.e. Project Siyenza) and delays in responding to PAIA Requests.

The number of constitutional cases before the Constitutional Court have reduce from 21 in April 2014 to 17 in September / October 2014. This is mainly due to the finalization of these cases, which were in favour of the Road Accident Fund.

Based on the various factors highlighted above, the Regulatory Framework risk is rated Medium for this quarter. The Regulatory Framework risk has a direct impact on all strategic objectives.

7. Regulatory Framework

1.Fraud & Corruption

3. Information Communication & Technology

4. Stakeholder Pressure

5. Service Delivery

6. People Management

A total of 11 tasks have been identified for the Service Delivery risk. There are no overdue tasks for the reporting period.

The materialised risks for the reporting period include (a) Condonation of prescribed claims, (b) inaccurate reporting, (c) poor file management, (d) invalid ID numbers in the system. Risks emerged mainly relating to (a) summons received for unregistered claims and (b) the impact of Post office strike on the claim process timelines and East London Panel of Attorney.

Service delivery risk remains impacted upon as some of the APP targets have not been met , that is, (a) Reduction of the number of open claims as a result of financial constraints and (b) Reduced turnaround time for settlement of medical cost, Loss of Earnings ,Loss of Support and General damages ( i.e. 1300 vs. 1324 turnaround days). In addition, the clean-up exercise conducted by the region on prescribed direct claims resulted in an increase on the number of condonations for prescription in the amount of 5691 and the organisation incurred an interest costs of R 2.3 million (R 9.5 million for year to date) and sheriff costs of R 515 000 (R 1.9 million for year to date) for the reporting period. To mitigate the risk of legal costs the organisation is exploring means of Alternative Despite Resolution and Litigation Management Strategy.

Although the productivity has not been impacted by the current financial situation but considering that the Fund's ultimate service delivery entails paying the claimants which is currently impacted due to financial constrains. The Service Delivery risk is rated High in this quarter. The Service Delivery risk has a direct impact on all strategic objectives.

A total of 11 tasks have been identified for the People Management risk. There are no overdue tasks for the reporting period.

Materialised risks for the period include (a) The financial loss due to prolonged suspension period. (b) The high cost ( Over R16m accumulative figure since April to October) of sick leave taken on Mondays.

The number of vacancies decreased from 9% to 8% but is still above the set threshold of 7.5%. The absenteeism rate dropped from 2.13 to 1.91 days and is within the set threshold. The number of internal grievances has increased however the matters reported lacked substance. The number of employees on suspension has increased from 7 in October to 10 in November and the salaries paid for these employees and the length of period of such payments need to be reviewed in order to reduce - this expenditure could possibly be classified as fruitless and wasteful expenditure. The amount paid for employees on suspension is R 697 059 for November, currently on R 3 million to date and the average period of employees on suspension is currently 15.6 months.

Based on the various factors highlighted above, the People Management risk is rated Medium for this quarter. The People Management risk has a direct impact on all strategic objectives.

A total of 24 tasks have been identified to reduce the impact of Financial Management risk. There is one overdue task relating to development of the Consultancy Reduction Plan. A Management Directive in this regard has been issued in this regard and the plan is being compiled.

The revenue receipts for the reporting period is R 5.1 billion, whereas the expenditure for the same period is R 8.1 billion, thus resulting a cash shortage of R 3 billion for the reporting period. In addition, there are outstanding claims payment of R 6.5 billion ( as at end of December 2014) which is impacting negatively on the timely payment of 54 000 outstanding claimants and suppliers. The cash balance is at R -1.6 billion (overdraft) as at end of December 2014. In total our short term liability is at R 8.1 billion. The deficit has increased from R 99 billion from previous quarter to R 108 billion.

Several mitigations have been undertaken to secure additional funds include (a) requesting additional funding from the National Treasury ( i.e. 7.8 billion), (b) asking for additional funds from the shareholder through virement and other means, (c) negotiating with SARS on pre-payment of fuel levy and delayed payment of diesel rebate, (d) exploring paying claims in instalments and (e) improve financial controls that resulted in R 5 million savings. Additional funding from the National Treasury is expected to transfer in February 2015. In addition, to resolve the SCM related challenges, the SCM Turnaround Strategy is being implemented with a target of full implementation of March 2015.

It should also be noted that the forecasted shortfall for this next financial year is R16 billion and R22 billion if we carry on with the current productivity for subsequent years. The RM division developed a Proposed Claims Payment Model that Finance is currently reviewing, which is meant to assist with the financial situation the Fund is facing. Based on the various factors highlighted above, Financial Management risk is still considered to be a High risk. The Financial Management risk has a direct impact on all strategic objectives.

2. Financial Management

A total of 11 tasks have been identified to mitigate Fraud and Corruption risk at the strategic level and there is one overdue task relating to development and/or review and implementation of Fraud Management Strategy.

The KRIs indicate that for the reporting period (a) the number of fraud cases reported and referred for forensics investigations are on an average of 900 files (previous quarter was 1200 files), (b) losses suffered as a result of fraud in the reporting period is R 160 000 (previous quarter is 5 million), (c) 65 claims repudiated (previous quarter is 150) and (d) number of arrests is 50 persons (previous stats for previous quarter is 80).

To mitigate against the impact of fraud internally and externally to RAF business environment, the following initiatives have been undertaken (a) fraud awareness strategies (4 in the reporting period), (b) repudiation of 65 claims, (c) dismissal or suspension of suspected employees ( 7 employees). As a mitigant, FID will also be rigorously engaging strategies to prevent and recover losses from the guilty party.

Based on the various factors highlighted above, Fraud and Corruption risk is rated Medium for this quarter. The Fraud & Corruption risk has a direct impact on all strategic objectives.



3. Information Communication &

Technology


5. Service Delivery



Quarterly Strategic Risk Profile as at December 2014





5. Service Delivery



Annual Strategic Risk Profile as at December 2014

25



Service delivery risk remains impacted upon as some of the APP targets have not been met , that is, (a) Reduction of the number of open claims as a result of financial constraints and (b) Reduced turnaround time for settlement of medical cost, Loss of Earnings ,Loss of Support and General damages ( i.e. 1300 vs. 1324 turnaround days). In addition, the clean-up exercise conducted by the region on prescribed direct claims resulted in an increase on the number of condonations for prescription in the amount of 5691 and the organisation incurred an interest costs of R 2.3 million (R 9.5 million for year to date) and sheriff costs of R 515 000 (R 1.9 million for year to date) for the reporting period. To mitigate the risk of

legal costs the organisation is exploring means of Alternative Despite Resolution and Litigation Management Strategy.




The number of vacancies decreased from 9% to 8% but is still above the set threshold of 7.5%. The absenteeism rate dropped from 2.13 to 1.91 days and is within the set threshold. The number of internal grievances has increased however the matters reported lacked substance. The number of employees on suspension has increased from 7 in October to 10 in November and the salaries paid for these employees and the length of period of such payments need to be reviewed in order to reduce - this expenditure could possibly be classified as fruitless and wasteful expenditure. The amount paid for employees on suspension is R 697 059 for November, currently on R 3 million to date and the average period of

employees on suspension is currently 15.6 months.











5. Service Delivery












.









Conclusion:

Based on the analysis of emerged , materialised and avoided risks, KRIs, mitigations and tasks implemented in each of the strategic risks for this quarter it is concluded that strategic risk profile for this quarter was reasonably managed with mitigation plans implemented within the agreed time, however due to the Fund's financial status the overall impact on the profile is high.











5. Service Delivery







Technology


5. Service Delivery




B. PERFORMANCE AGAINST THE RISK APPETITE Risk Appetite Statement ( Limits) Risk Category

Impacted

Actual Status Description /

Comments Quarterly Year-To-Date

RAF deems RXX million to be the acceptable

level of risk exposure (value at risk) in the

pursuit of its strategic goals

R 1 R XXX R XX million Within Risk

Appetite

R 2 R XXX R XX million Exceeded

RAF has committed not to take risks that could

result in ICT system not available for more

than XX days a month

R 3 XX hours XX hours Within Risk

Appetite


result in critical concerns raised by the Minister

which affect the Stakeholder campaign

R 4 None None Within Risk

Appetite


result in claims turnaround times being

prolonged beyond average of XX days

R 5 XXX days XXX days Exceeded


impact more than XX% of staff performance.

XXX has committed not to take risks that could

result in more than XX % of the non availability

of required staff capacity

R 6 XX% staff turnover XX% average Exceeded


result in major litigation impacting XXX liability

R 7 Constitutional Court

Cases

XX Constitutional

Court Cases in the

beginning of the

year

Exceeded

Conclusion : The current risk profile of the RAF, in consideration of materialised risks and emerging risks, is above / below both risk appetite of

R xx million and risk bearing capacity of R XXX million. We have exceeded 4 out of 7 risk appetite limits, pertaining to R2, R5, R6 and R7. This

indicates that the objectives and APP targets impacted by these might not be met.

RISK APPETITE REPORTING

Conclusion:

Based on the analysis of emerged , materialised and avoided risks, KRIs, mitigations and tasks implemented in each of the strategic risks for this quarter it is

concluded that strategic risk profile for this quarter was reasonably managed with mitigation plans implemented within the agreed time, however due to the

Fund's financial status the overall impact on the profile is high.












.














5. Service Delivery




Service delivery risk remains impacted upon as some of the APP targets have not been met , that is, (a) Reduction of the number of open claims as a result of financial constraints and (b) Reduced turnaround time for settlement of medical cost, Loss of Earnings ,Loss of Support and General damages ( i.e. 1300 vs. 1324 turnaround days). In addition, the clean-up exercise conducted by the region on prescribed direct claims resulted in an increase on the number of condonations for prescription in the amount of 5691 and the organisation incurred an interest costs of R 2.3 million (R 9.5 million for year to date) and sheriff costs of R 515 000 (R 1.9 million for year to date) for the reporting period. To mitigate the risk of legal costs the organisation is exploring means of Alternative Despite Resolution and Litigation Management Strategy.




The number of vacancies decreased from 9% to 8% but is still above the set threshold of 7.5%. The absenteeism rate dropped from 2.13 to 1.91 days and is within the set threshold. The number of internal grievances has increased however the matters reported lacked substance. The number of employees on suspension has increased from 7 in October to 10 in November and the salaries paid for these employees and the length of period of such payments need to be reviewed in order to reduce - this expenditure could possibly be classified as fruitless and wasteful expenditure. The amount paid for employees on suspension is R 697 059 for November, currently on R 3 million to date and the average period of employees on suspension is currently 15.6 months.














Technology


5. Service Delivery








5. Service Delivery




24

R1

R2

R3

R4

R5

R6

R7


R1

R2

R3

R4

R5

R6

R7

Quarterly Strategic Risk Profile as at January 2015

Illustration

RM DASHBOARD

Risk Assessment Risk Appetite Limits (for this

month)

No. of Overdue tasks

KRI Movement

No of emerging risks

No of materialised risks Risk Name Risk Owner Prior Current Risk

Movement

R1 CXO Within Risk Appetite

2 Up 0 0

R2 CXO Exceeded 2 Up 5 2


0 Up 0 1


0 Down 2 0

R5 CXO Exceeded 1 Up 8 3


0 Up 1 0


0 Down 4 0

H

H

H

M

M

M

H

H

M

H

H

H

M

H

26

RISK APPETITE ROLES AND RESPONSIBILITIES

Executives

• Review the Risk Appetite framework and all its components annually and/or as and when the Road Accident’s

profile changes and submits to the Board for approval.

• Report to the Board on the Road Accident Fund’s performance against the set risk appetite

• On-going review, management and monitoring of current strategic and tactical risks according to the Risk

Appetite Framework.

• Escalate those risks that are above the Road Accident Fund’s risk appetite

• Affirm risk appetite compliance in respective business units.

• Compliance committees of the board

General Managers/Senior Managers

• Report to the Executives on the Road Accident Fund’s performance against the set risk appetite

• On-going review, management and monitoring of operational and process risk according to the Risk

Appetite Framework.

• Escalate those risks that are above the Road Accident Fund’s risk appetite

Board of Directors

• Discusses, challenges and ultimately approve the Risk Appetite statement

• Reviews it annually and authorizes exceptions, if any

• Communicates it to shareholders

• Take decisions on those risks that are above the Road Accident Funds’ risk appetite

27

34

Lack of clear

guidance on the

company’s risk

appetite leads to

inconsistent risk

standards and

increases influence of

risk aversion.

case study for rm maturity within raf › event documentation › road...risk appetite case study 1...

Documents