You are requested to indicate or tick the applicable box with × and return the completed
Please indicate if this is a national government department/ provincial government department/ municipality/ state owned entity/company:
Please indicate the name of the department/ municipality/ state owned entity/company:
Please indicate the province where this organisation is based:
- The following questions seek to determine “the capability within the enterprise risk management unit/section in the public service”
1.1 Please indicate the total number of employees in your organisation?
50 / 50-100 / 101-200 / 201-500 / 500
If more than 500, indicate the number:
1.2 Please indicate the number of employees in the Enterprise Risk Management (ERM) unit/section (excluding the CRO)
1 / 2 / 3 / 4 / >5
If more than 5, indicate the number:
1.3 Of the number of employees indicated in the previous question, please split the number in terms of the following:
Deputy Directors (Risk Managers) / Assistant Directors (Senior Risk Practitioners) / Risk Assistants
1.4 What is the ideal number of risk employees/officials (those conducting day to day ERM activities) you would like to have in the ERM unit/section? Indicate the number below:
1.5 Please indicate the ideal number of risk employees/officials (those conducting day to day ERM activities) you would like to have in the ERM unit/section in terms of the below:
Deputy Directors (Risk Managers) / Assistant Directors (Senior Risk Practitioners) / Risk Assistants
1.6 Please indicate the ideal academic qualification/s of Deputy Directors (Risk Managers) you would like to have in the ERM unit/section.
Grade 12/ Matric / Diploma / National diploma / Bachelor’s degree/ B Tech / Honours degree / Master’s degree/ MBA / Doctoral degree/ PhD
1.7 Please indicate the ideal academic qualification/s of Assistant Directors (Senior Risk Practitioners) you would like to have in the ERM department.
Grade 12/ Matric / Diploma / National diploma / Bachelor’s degree/ B Tech / Honours degree / Master’s degree/ MBA / Doctoral degree/ PhD
1.8 Please indicate the ideal academic qualification/s of Risk Assistants you would like to have in the ERM unit/section.
Grade 12/ Matric / Diploma / National diploma / Bachelor’s degree/ B Tech / Honours degree / Master’s degree/ MBA / Doctoral degree/ PhD
1.9 Please indicate the ideal risk management experience you would like the Deputy Directors (Risk Managers) to have in the ERM unit/section?
0-2 years / 2-5 years / 5-10 years / 10-15 years / 15-20 years / >20 years
1.10 Please indicate the ideal risk management experience you would like the Assistant Directors (Senior Risk Practitioners) to have in the ERM unit/section?
0-2 years / 2-5 years / 5-10 years / 10-15 years / 15-20 years / >20 years
1.11 Please indicate the ideal risk management experience you would like the Risk Assistants to have in the ERM unit/section?
0-2 years / 2-5 years / 5-10 years / 10-15 years / 15-20 years / >20 years
1.12 Do you have vacant positions in the ERM unit/section?
Yes / No
If yes, please indicate the number of vacant position/s:
Please indicate the reason for the availability of vacant positions (e.g. unable to find suitable candidates):
How long has this position been vacant?
1.13 Please indicate the academic qualifications of the Chief Risk Officer (CRO) – You may select more than one option.
No qualification / Grade 12/ Matric / Diploma / National diploma / Bachelor’s degree/ B Tech / Honours degree / Master’s degree/ MBA / Doctoral degree/ PhD
1.14 Please indicate the professional membership of the Chief Risk Officer (CRO)
No membership / Institute of Internal Auditors / Association of Certified Fraud Examiners / Institute of Business Continuity Management / Institute of Risk Management South Africa / South African Institute of Government Auditors / South African Institute of Professional Accountants / South African Institute of Chartered Accountants
Other (if applicable):
1.15 Please indicate the level at which your (CRO) remuneration package falls
Director General/City Manager/ Municipal Manager / Deputy Director General/ Deputy Municipal Managers/ Executive Director / Chief Director/ Divisional Heads/ General Manager / Director/ Senior Manager / Deputy Director/ Manager / Assistant Director/ Assistant Manager
1.16 What is the functional line of reporting for the CRO?
Audit Committee / Risk Management Committee / Director General/City Manager/ Municipal Manager / Deputy Director General/ Deputy Municipal Managers/ Executive Director / Chief Director/ Divisional Heads/ General Manager / Director/ Senior Manager
Other, please specify:
1.17 What is the administrative line of reporting for the CRO?
Audit Committee / Risk Management Committee / Director General/City Manager/ Municipal Manager / Deputy Director General/ Deputy Municipal Managers/ Executive Director / Chief Director/ Divisional Heads/ General Manager / Director/ Senior Manager
Other, please specify:
- The following questions seek to determine the maturity of the enterprise risk management process and output
2.1 With regards to the latest annual report:
2.1.1 Has your organisation included an undertaking from the Accounting Officer that risks are managed? / Yes / No
2.1.2 Has your organisation indicated whether it conducted a strategic risk assessment for that year? / Yes / No
2.1.3 Has your organisation included the description of risks it faces? / Yes / No
2.2 Comparing risks between this cycle and the previous one, have your organisational risks:
Increased / Decreased / Remained the same
2.3 Does your organisation have the risk management policy, framework, procedures and practices in place?
Yes / No
If yes, please indicate who approved these:
When were the risk management policy, framework, procedures and practices last reviewed?
2.4 Has the risk management policy, framework, procedures and practices been communicated throughout the organisation?
Yes / No
If yes, how was this communicated?
2.5 Is the risk management policy, framework, procedures and practices subject to an audit?
Yes / No
If yes, who conducts the audit?
2.6 Did the internal audit make findings on the risk management policy, framework, procedures and practices?
Yes / No
If yes, briefly explain
2.7 Did the Auditor General make findings on the risk management policies, framework, procedures and practices?
Yes / No
If yes, briefly explain
2.8 Please indicate if the risk management process is integrated into the following key processes:
Strategic planning / Yes / No
If integrated into the strategic planning, when does the strategic risk assessment process take place (e.g. June):
Internal audit planning / Yes / No
If integrated into audit planning, when does the audit planning process take place (e.g. June):
Combined assurance planning / Yes / No
If integrated into the combined assurance, when does the combined assurance process take place (e.g. June):
2.9 Please indicate if your organisation has the following:
Strategic Risk register / Yes / No
Operational Risk registers / Yes / No
Risk management tool (Risk computer software) / Yes / No
Please indicate the name of the software/tool (e.g. Cura):
In your experience, does the risk management tool add value (does it enable you to do risk management better)? / Yes / No
2.10 How often does your organisation review and update risk registers?
Please state (e.g. five times per year)
2.11 How many times is your organisational risk report discussed by the Executive Committee/ Management Committee?
Please state (e.g. five times per year)
Briefly list the types of comments/ recommendations you normally receive from the Executive/ Management committee on the risk report (e.g. risk ratings need to be adjusted)
2.12 How many times is your organisational risk report discussed by the risk management committee?
Please state (e.g. five times per year)
Briefly list the types of comments/ recommendations you normally receive from the risk management committee on the risk report.
2.13 How many times is your organisational risk report discussed by the audit committee?
Please state (e.g. five times per year)
Briefly list the types of comments/ recommendations you normally receive from the audit committee on the risk report
2.14 Please indicate if the organisation has:
A risk management strategy in place / Yes / No
If yes, what is the duration of the risk management strategy (e.g. one to three years)
2.15 Please indicate if the organisation has:
A risk management implementation plan (annual plan) in place / Yes / No
2.16 Please indicate who has the final authority in approving the risk management plan:
Audit committee / Yes / No
Risk management committee / Yes / No
Accounting Officer / Yes / No
Chief Risk Officer / Yes / No
2.17 Please indicate the tool and technique used for identification of risk:
Analysis of audit reports / Yes / No
Workshops / Yes / No
Brainstorming / Yes / No
Interviews/ focus groups / Yes / No
Survey/ questionnaires / Yes / No
Other, please list
- The following questions aim at determining your perception on the support from senior leadership, including relevant structures and its impact on the effectiveness of the overall system of risk management
3.1 In your opinion, do you feel that the support provided through the Public Sector Risk Management Framework is adequate to assist you with improvements in your organisation’s system of risk management?
Yes / No
If no, please list steps that you feel could be useful in ensuring that the support is adequate for the improvement of your risk process:
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.2 Please tick the relevant field (you can either select fully effective OR ineffective) / Effective / Ineffective
3.2.1 The organisation’s senior management (Accounting Officer) gives full support and focus to the Enterprise Risk Management process
3.2.2 Line management has taken full ownership of risk management in the organisation
3.2.3 The organisation has an effective culture of risk management
3.2.4 Strategy and planning are linked to risk management
3.2.5 There is an adequate level of risk management understanding within your organisation
3.2.6 The organisation has defined the risk appetite and the risk tolerance levels
3.2.7 Risk management is linked to performance management for all employees of the organisation
3.2.8 The organisation has an effective process of identifying risks
3.2.9 The organisation has an effective process of recording risks
3.2.10 The organisation has an effective process of evaluating and prioritizing risks
3.2.11 The organisation has an effective process of developing and implementing the risk response strategies
3.2.12 The organisation has an effective process of resourcing risk management response strategies and processes
3.2.13 The organisation monitors the risk performance on an ongoing basis
3.2.14 There is continuous reporting of risks to all relevant structures
3.2.15 The Risk Management Committee/ Audit and Risk Committee members have relevant qualifications and experience. They further provide appropriate oversight and valuable input in the organisation’s risk management process
3.2.16 The independent Chair of the Risk Management Committee has relevant qualifications and experience. He/She further provides valuable input and suitable oversight in the organisation’s risk management process
3.2.17 Please list the main obstacles that hinder your organisation from having effective risk management:
3.2.17.1.
3.2.17.2.
3.2.17.3.
3.2.17.4.
3.2.17.5.
3.2.17.6.
3.2.17.7.
3.2.17.8.