DOI: 10.17573/ipar.2016.2-3.02
1.01 Original scientific article

Key Mechanisms of Risk Management in South Africa's National Government Departments: The Public Sector Risk Management Framework and the King III Benchmark

Tankiso Moloi
University of Johannesburg, Department of Accountancy, Johannesburg, South Africa
smoloi@uj.ac.za

ABSTRACT

Government provides essential services to the population and therefore, uncertainties that could hinder government's objectives should be identified, mitigated/controlled and monitored. Using content analysis for data extraction from the annual reports of national government departments (NGDs), this paper explored risk management practices in South Africa's public service, with national government departments as a case in point. The findings are that, in general, there are poor risk management practices in the NGDs, as the majority of the observed categories were not disclosed in the NGDs' annual reports. Since risk deals with the uncertainties on the objectives, it is concerning that NGDs have poor risk management practices, particularly because they are enablers (implementers) of government's overarching strategy. As enablers of government strategy, it is recommended that NGDs view risk management as a process that enables them to identify threats which could hinder the attainment of their objectives, whilst also leveraging opportunities that may arise. It is further recommended that the risk process is viewed as a scenario or option analysis exercise that allows NGDs to properly plan, understand the intended outcomes and prepare responses to deal with any uncertainties. A summarised and harmonized risk governance requirement used for the purpose of exploring risk management disclosures has been suggested by this study and it could be used as a reference point for risk disclosure improvement by NGDs.

Keywords: risk management, risk disclosures, annual reports, national government departments
JEL: M4

Moloi, T. (2016). Key Mechanisms of Risk Management in South Africa's National Government Departments: The Public Sector Risk Management Framework and the King III Benchmark. International Public Administration Review, 14(2-3), 37-52.

1 Introduction

Risk management has evolved over time to become a cornerstone of corporate governance. Today, any organisation wishing to succeed in achieving its objectives has to identify almost all uncertainties around its strategic objectives. If uncertainties are projected to be negative (threats), those charged with governance should ensure that those uncertainties are thoroughly mitigated to support the achievement of objectives. If uncertainties are positive (opportunities), they should be leveraged upon to deliver more value.

Governments, particularly those in developing countries, are essential in delivering key services to their populations. On the one side, the inability of government to achieve its objectives could have a considerable implication for the wellbeing of the general public, particularly the vulnerable groups of society. On the other side, any opportunity that could be leveraged by government to deliver services beyond the projected objectives could have a lasting positive impact on the wellbeing of the general public, particularly the vulnerable groups of society.

The descriptions provided in the paragraphs above relate to risk and its management. There are other descriptions of risk that support the views expressed above on risk; for instance, Kliem and Ludin (1997), Knight (1999) and the Government of Ontario in Canada (2000) all view risk as potential obstacles, consequences and opportunities impacting on the ability of an organisation to meet its objective. Importantly, the Government of Ontario in Canada (2000) accepts that risks of an organisation could be found internally as well as externally.
The awareness that risks could emanate internally or externally is vital to the identification of all possible occurrences that could impact on the objectives, including monitoring developments that could have an implication on the organisational objectives. For instance, if the economy is reliant on exports in a certain region, a decline in demand in that region would mean lower revenues for the exporting company; however, this would have implications for government, in this instance a lower tax base (collection). Therefore a state department responsible for revenue collection would be expected to capture this uncertainty on its objective.

South Africa is facing multiple challenges, the main ones being the slow rate of economic growth, poverty, unemployment and high levels of inequalities. To address these challenges, the South African government published the document 'Strategic Agenda of Government', which identifies certain key focus areas (priorities), namely: education; health; rural development; fighting against crime and corruption; the creation of decent work and sustainable livelihood; and human settlements (Presidency, 2015).

From the risk perspective, it could be inferred that these are strategic objectives of the South African government which are expected to be delegated to relevant national government departments (or their agencies) for implementation. If the risk management process has been adopted as required by the Public Sector Risk Management Framework (National Treasury, 2010), those departments (and their agencies) tasked with achieving these objectives need to identify uncertainties around the key strategic objectives.
As indicated earlier, on the one hand, should uncertainties be projected to be negative (threats), those charged with governance will have to ensure that those uncertainties are thoroughly mitigated (controlled) to support the achievement of the government objectives. On the other hand, should uncertainties be positive (opportunities), they should be leveraged upon to deliver more value.

Given the importance of a government in a developing country such as South Africa, where there are challenges related to the delivery of essential services and challenges relating to the slow rate of economic growth, poverty, unemployment and high levels of inequalities, it is not surprising that the South African government has given priority to the above-mentioned objective areas (Presidency, 2015). Failure to address these challenges would mean the failure to fulfil the aspirations of the population. It follows then that a tool that permits the identification, analysis, mitigation, management and monitoring of activities that could hinder the achievement of government objectives should be seen and treated in a serious manner.

Since national government departments (and their agencies) are enablers of government strategy, they should have proper risk management processes in place to aid in the modification of any activity that could hinder the attainment of government objectives. Therefore, the main aim of this study is to evaluate the risk management practices in South Africa's NGDs using the information disclosed in their annual reports as a proxy of their risk management practices. The information in the annual reports has been content analysed in order to test if the predetermined risk management practices have been disclosed.

The first limitation of this study was that it assessed risk management in national government departments. All other public institutions present an area of future research.
Further limitations were that the assessment was limited to the thirty four (34) published annual reports that were located (Moloi, 2015). During the collection phase, it was noted that two NGDs were consolidated as part of the Presidency's annual report (they did not have separate annual reports for analysis). Annual reports for the other four (4) departments could not be located on their websites or any other potential source. The rest of the NGDs (34) had their annual reports published on their websites. In addition to publishing their annual reports on their respective websites, thirty two (32) NGDs' annual reports were available on the government online website.

The remainder of this paper is structured in the following manner: the review of relevant risk management literature and the discussion of risk management requirements in the South African public sector. The method followed in extracting the relevant data is discussed and then a section presenting the research results and an analysis and interpretation of the findings is presented.

2 Review of Existing Literature on Risk Management in the Public Sector

Risk management in South Africa's public sector has not been widely studied. Siswana (2007) agrees with the statement that risk management was a fairly new subject in the South African Public Service. Since risk management was a fairly new subject in the South African context, Siswana (2007) then argued that this had resulted in the focus being placed more on the financial risks, while other risks did not receive much prominence.

It can be argued that the reason why Siswana (2007) highlighted the emphasis on financial risk could be that risk management in the public sector at the time was driven through the PFMA (RSA, 1999); in other words, it was before the publication of the Public Sector Risk Management Framework (National Treasury, 2010).

In their paper, Coetzee and Lubbe (2013) also appear to agree with Siswana (2007) that risk has not been widely studied, even though in their case, they argue that it has not been widely studied, not only in South Africa, but across the globe and in both the private and the public sectors. Coetzee and Lubbe (2013) studied the risk maturity of South Africa's public and private sector organisations. Their findings were that South Africa's private sector organisations were mostly risk mature, whilst their counterparts in the public sector lacked many elements within their risk management frameworks.

Coetzee and Lubbe's (2013) assertion that risk management was behind across all sectors (not only in the public service) is shared by Ene and Dobrea (2006), who argue that every industry has its unique challenges and that the public service is therefore not unique in having risk management challenges. In their assessment, Ene and Dobrea (2006) argue that due to their size, public sector institutions are generally very slow-moving, making it difficult to get on with any risk management programme. In addition to this, Ene and Dobrea (2006) believe that due to their nature, public sector institutions are far more open to media and public scrutiny, making them susceptible to scrutiny.

Cooper (2010) also shares the assertions of Coetzee and Lubbe (2013) as well as Ene and Dobrea (2006). Cooper (2010) explored the critical success factors and barriers to strategic risk management within the province of Newfoundland and Labrador. One of the findings of this study was that risk management was a relatively recent management activity and it had not been fully implemented in most organisations, especially those in the public sector.

Following their evaluation of the United States risk management in the public sector, Braig, Gebre and Sellgren (2011) concluded that implementing a proper risk management was more difficult in the public sector than in the private sector. Accordingly, the following were highlighted as challenges in implementing risk management in the public sector:

1. Mission goals that override other considerations,
2. Frequent leadership changes and vacant leadership positions,
3. Leaders who lack knowledge of risk management and business,
4. Separation of operating budgets from program budgets,
5. Lack of clear risk metrics,
6. Complex procedural requirements, and
7. Limited risk culture and risk mind-set.

To address these public sector deficiencies, Braig, Gebre and Sellgren (2011) suggested the development of a risk constitution, the creation of transparency in the processes, establishment of a dedicated risk organisation, building of a risk culture and focussing on few core processes as key things that need to be done.

3 Discussion of Risk Management in South Africa's Public Service

Risk management in South Africa's public sector is administered through the Public Sector Risk Management Framework (National Treasury, 2010). This document provides guidance on how the South African public service should manage the overall process of risk. Accordingly, the Public Sector Risk Management Framework (National Treasury, 2010) document was developed in response to the requirements of the Public Finance Management Act (RSA, 1999) as well as the Municipal Finance Management Act (RSA, 2003) for the relevant public service institutions to implement and maintain an effective, efficient and transparent system of risk management and control.

The Public Sector Risk Management Framework (National Treasury, 2010) defines risk as an 'unwanted outcome, actual or potential, to the institutions service delivery and other performance objective, caused by the presence of risk factors'.
Further in the definition, the framework acknowledges that some risk factors also present an upside potential. This definition is consistent with other definitions that view risk as both a threat and an opportunity (Williams, Smith, & Young, 1995; Kliem & Ludin, 1997; Knight, 1999; AIRMIC, Alarm & IRM, 2010). Of importance in this definition is the realisation that risk can be both a threat and an opportunity. Therefore, those charged with governing public service institutions need not only view risk as negative (threat) but also positive (an opportunity). Should the uncertainty be negative (threat), proper mitigations/controls need to be defined and, vice versa, if the uncertainty is positive (opportunity), this has to be leveraged to increase value. A further important layer of the definition is the outright statement indicating the unwanted outcome that could impact service delivery and performance objective. This is a crucial link between risk and the strategic objectives (to be achieved through performance) of public service institutions.

The main criticism that could be levelled against the definition provided in the framework is that it does not incorporate a perspective that would seek to emphasise to those charged with governance that risks could emanate both internally as well as externally. This could weaken the process as those identifying risks could only focus on certain risk factors, likely to be internal factors, ignoring external shocks.
It has been indicated earlier that the awareness that risks can emanate internally or externally is vital to the identification of all possible occurrences impacting the objectives, including monitoring developments (internally and externally) that could have an implication on the organisational objectives.

In terms of its applicability, the Public Sector Risk Management Framework (National Treasury, 2010) approach is principle based rather than prescriptive. This means that institutions in the public sector can develop their own systems of risk management; however, these systems should be premised on the principles advanced by the framework. The framework places a substantial emphasis on the accounting officer/authority of the institution concerned to be a pillar of risk management activities in the organisations they are responsible for.

The Public Sector Risk Management Framework (National Treasury, 2010) appears to be based on the ISO 31000, the Australian and New Zealand (ANZ) standards, as the risk management process adopted follows the following approach: 1) risk identification, 2) risk assessment, 3) risk response, 4) communication and reporting, and lastly, 5) risk monitoring.

Chapter 13 of the framework introduces the risk management committees. The difference between the risk committees as proposed by the framework and the ones proposed in the King III Report on Corporate Governance (IoD, 2009) is that the risk management committees in King III are a sub-committee of the board, whereas in the Public Sector Risk Management Framework (National Treasury, 2010), these committees are appointed by the accounting officer/authority so that they could assist with an oversight of risk (these committees report to the accounting officer/authority). In the absence of a risk committee, the framework proposes that the audit committee performs the risk committee functions. It was noted that the framework requires that the chairperson of the risk committee should be an independent person (not an employee of the department). This requirement also applies to the chairperson of the audit committee in the public sector (National Treasury, 2001 & RSA, 1999).

4 Research Method Followed

This paper critically explored risk management practices in national government departments based on the developed, harmonised requirements of the Public Sector Risk Management Framework (National Treasury, 2010), which is a framework applicable to the public sector organisations, and the King III Report on Corporate Governance risk requirements (IoD, 2009), applying to all entities regardless of manner or form. Due to the fact that the data that check compliance with the required framework were coded directly from the annual report, a method that supports the coding of information was applied. This method is called the content analysis method.

Several researchers are in agreement that content analysis is a method that cuts between qualitative and quantitative traditions and therefore it is widely used for rigorous exploration of many important but yet difficult issues to study (Gephart, 1993; Carley, 1993; Morris, 1994; Kelle, 1995). Researchers such as Erdener and Dunn (1990), Jauch, Osborn and Martin (1980), Mangena (2004), Barac and Moloi (2009), Barac, Marx and Moloi (2011), Moloi (2014, 2015a+b+c) have all supported the use of content analysis method in extracting information by a way of coding and they all agree that content analysis has been growing in the course of the past decades and has now become an accepted research methodology in the social and business studies. For Holsti (1969) and Weber (1990) there are validity and reliability concerns on the manner in which content analysis method is used.
To analyse how NGDs performed in reporting the required risk management information in their annual reports, the coding principles were formulated and these principles were utilised in coding and analysing relevant information from the NGDs' annual reports. Once the determination was made in line with the formulated coding principles, the information was then entered into the code-book for analysing the NGDs' performance. Formulated coding principles for themes reported in the audit committee reports were based on the following guideline:

Annual reports coding principles followed

- Contained (C): If the annual report of the NGD under review contains the coded category of information, the item is marked as Contained (C) in the designed code-book.
- Not Contained (NC): On the contrary, if the annual report analysed does not contain the coded category of information, the item will be marked Not Contained (NC) in the designed code-book.

5 Research Findings and Interpretation

Table 1: Public sector risk management requirements vs King III risk requirements

Governance of risk

Public Sector Risk Management Framework:
- The Accounting Officer/Authority is the ultimate Chief Risk Officer of the Institution and is accountable for the institutions overall governance of risk
- The Accounting Officer/Authority is responsible for ensuring that the institutional environment supports the effective functioning of risk management
- The Accounting Officer/Authority must ensure that the institution has and maintains an effective process to identify the risks inherent to the institutional objectives
- The Accounting Officer/Authority must ensure that the institution manages risks effectively, economically and efficiently
- The institution must operate within the terms of risk management policy approved by the Accounting Officer/Authority
- Risk management policy should be communicated to all incumbent officials and arrangements should be made for communicating the policy to new recruits

King III Report on Corporate Governance - Risk:
- The board has to ensure that the policy and plan for system and process of risk management is in place
- The board should comment on the integrated reporting on the effectiveness of the system and process of risk governance
- The board has to express their responsibility of the risk governance on the charter
- Risk governance incorporated in the boards on-going training
- The board is to ensure that documented, approved risk management policy and plan are widely distributed across the company
- The board is to ensure that the implementation of risk management plan is reviewed at least once, annually
- The board should continually monitor the implementation of risk management plan

Determination of tolerance and appetite levels

Public Sector Risk Management Framework:
- The Risk Committee considers, reviews and recommends approval by the Accounting Officer, the risk appetite of an institution
- The Risk Committee considers, reviews and recommends approval by the Accounting Officer, the risk tolerance of an institution

King III Report on Corporate Governance - Risk:
- Determination of the levels of risk tolerance as well as the appetite levels annually
- Risks taken are within the tolerance and appetite levels

Relevant committee to assist the Accounting Officer / Relevant committee to assist the board

Public Sector Risk Management Framework:
- Oversight of risk could be performed by the audit committee in the absence of the risk committee
- Membership to consist of both management and external members
- The Chairperson of the Risk Management Committee should be an independent external person
- The Committee considers, reviews and recommends approval by the Accounting Officer, the risk management policy, strategy and implementation plan

King III Report on Corporate Governance - Risk:
- Committee consider risk management policy and plan and monitor the risk management process
- Membership consists of executive, non-executive and senior management. Committee has access to independent experts
- Committee have a minimum of three (3) members who meet at least twice per annum
- Performance of risk committee evaluated by the board once a year

Delegation of responsibilities to management

Public Sector Risk Management Framework:
- The Accounting Officer/Authority should delegate roles and responsibilities in a manner that ensures coordination and synergy of risk management activities
- The Chief Risk Officer (CRO) should possess necessary skills, competencies and attitudes to execute the risk management functions
- Management is responsible for executing their responsibilities outlined in the risk management strategy and for integrating risk management into the operational routines
- Internal processes to be established to sensitise all employees of the relevance of risk management to the achievement of their goals

King III Report on Corporate Governance - Risk:
- Management has risk management systems and processes to execute the board risk strategy
- Management ensures that risk is integrated on day to day activities of the company
- CRO is experienced on strategic matters and has access to the board or its committee and executive management

Risk identification and assessment

Public Sector Risk Management Framework:
- A process that is systematic, ensures risks are documented, and that there is formal risk assessment at least once annually
- Divergent risks are raised
- Risk should be prioritized
- The Risk Committee considers, reviews and recommends approval by the Accounting Officer, the risk identification and assessment methodologies
- The Risk Committee evaluates the effectiveness of risk management policy and strategy (including the plan)

King III Report on Corporate Governance - Risk:
- A process that is systematic, ensures risks are documented, and that there is formal risk assessment at least once annually
- Risks are prioritized and ranked
- Divergence risks are raised
- Top down approach in risk assessments
- Board regular receives and reviews risk register

Risk response and monitoring

Public Sector Risk Management Framework:
- Risk response leads to identification and exploitation of opportunities to improve the performance of the institution
- Management to develop response strategies for all material risks
- Management is responsible for designing, implementing and monitoring the effective functioning of system of internal control
- Response strategies to be documented and responsibilities and timelines attached thereto should be communicated to all relevant risk owners

King III Report on Corporate Governance - Risk:
- Noting of risk responses to the risk register
- Risk response leads to identification and exploitation of opportunities to improve the performance of the company
- Responsibility for monitoring risks is defined in the risk management plan

Assurance and disclosures

Public Sector Risk Management Framework:
- The Risk Committee review the material findings and recommendations by assurance providers on the system of risk management and monitor the implementation of such recommendations

King III Report on Corporate Governance - Risk:
- Management assurance that risk management is integrated in the company's daily activities
- Internal audit's written assessment on the effectiveness of the system of internal controls and risk management

Usually NGDs in South Africa would focus on the implementation of the Public Sector Risk Management Framework as guided by the National Treasury department. Since the publication of King III Report on Corporate Governance, which is supposed to be applied by all organisations regardless of manner or form, a harmonization of the King III risk requirements and the Public Sector Risk Management Framework had to be made to identify if consistencies exist, as NGDs are expected to buy into the spirit of the King III Report by applying its contents in their processes.
A harmonised table (Table 1) has been prepared to demonstrate the requirements of both the Public Sector Risk Management Framework (National Treasury, 2010) and the King III Report on Corporate Governance (IoD, 2009). It is clear in Table 1 that there are no glaring inconsistencies between the King III risk requirements and the Public Sector Risk Management Framework.

The results projected in Table 2 and Table 3 below present the aggregated research findings obtained based on the content analysis performed on the annual reports of National Government Departments (NGDs).

Table 2 shows coded risk management categories relating to the governance of risk, determination of tolerance and appetite levels, establishment of relevant committee to assist the Accounting Officer/Authority and the delegation of responsibilities to management of an institution concerned. Using the annual report as a proxy of risk management practices in the NGDs, it is clear in Table 2 that, in general, there are poor risk management practices in the NGDs, as the majority of the observed categories were not disclosed in the NGDs' annual reports.

It is observed in Table 2 that eight (8) NGDs disclosed the fact that the Accounting Officer was the ultimate Chief Risk Officer and therefore ultimately responsible for the overall governance of risk in the NGD they oversee. A further eight (8) NGDs disclosed that the Accounting Officer ensures that the institution has and maintains an effective process to identify risks inherent to the institutional objectives. Further, eight (8) NGDs disclosed the fact that the Accounting Officer was responsible for ensuring that the institution manages its risks effectively, economically and efficiently. Seven (7) NGDs disclosed the information that the Accounting Officer was responsible for ensuring that the institutional environment supports the effective functioning of risk management.
In addition to this, ten (10) NGDs indicated that their NGDs operated within the terms of risk management policies approved by the Accounting Officers. The inability to explicitly state this in an organization could cloud the message of setting the tone from the top and the risk process may not receive the prominence it deserves and may not feature in the strategic nerve centre of decision making process.

Table 2: Governance of risk, tolerance & appetite, relevant committee and delegation of responsibilities

| Code | Category observed (n = 34) | Incorporated (I): n | Incorporated (I): NGD % | Not incorporated (NI): n | Not incorporated (NI): NGD % |
|---|---|---|---|---|---|
| A | Incorporation of statements relating to the governance of risks within the organisation observed | | | | |
| A1 | Oversight body has approved the policy and plan for the system and process of risk management | 10 | 29 | 24 | 71 |
| A2 | Oversight body has commented in the integrated (annual) report with regards to the effectiveness of the system and process of risk governance | 8 | 24 | 26 | 76 |
| A3 | Oversight body has expressed its responsibility of risk governance on the charter | 8 | 24 | 26 | 76 |
| A4 | Risk governance is part of an ongoing oversight body's training | 0 | 0 | 34 | 100 |
| A5 | Approved risk management policy and plan widely distributed across the organisation | 0 | 0 | 34 | 100 |
| A6 | Risk management plan is approved by the oversight body annually | 0 | 0 | 34 | 100 |
| A7 | Oversight body continually monitor the implementation of risk management plan | 7 | 21 | 27 | 79 |
| B | Incorporation of statements relating to the levels and the extent of risk appetite and tolerance within the organization | | | | |
| B1 | The organisation determines the levels of risk appetite and tolerance levels annually | 1 | 3 | 33 | 97 |
| B2 | Risks taken within the previous year and reported on are within the defined tolerance and appetite levels | 1 | 3 | 33 | 97 |
| C | Incorporation of statements relating to the relevant committee of the oversight body | | | | |
| C1 | The relevant committee considers risk management policy and plan and it monitors the risk management process | 5 | 15 | 29 | 85 |
| C2 | Membership of the committee consist of executive (as invitees) and non-executive members | 14 | 41 | 20 | 59 |
| C3 | The relevant committee has access to independent experts | 0 | 0 | 34 | 100 |
| C4 | The relevant committee has a minimum of three members who meet at least twice per annum | 34 | 100 | 0 | 0 |
| C5 | Performance of relevant committee is evaluated by the oversight body annually | 0 | 0 | 34 | 100 |
| D | Incorporation of statements relating to the delegation of responsibilities to management by the oversight body | | | | |
| D1 | Management has risk management systems and processes to execute the oversight body's risk strategy | 9 | 26 | 25 | 74 |
| D2 | Management has ensured that risk is integrated on the day to day activities of the organisation | 19 | 56 | 15 | 44 |
| D3 | The Chief Risk Officer is experienced on strategic as well as risk related matters | 11 | 32 | 23 | 68 |
| D4 | The Chief Risk Officer has access to the oversight body or its committee and executive management | 11 | 32 | 23 | 68 |

n: number of integrated/annual reports observed in a sector
oversight body: Executive/accounting authority (Minister/Director-General)
NGD: National Government Department

There was no NGD disclosing whether the risk management policy was communicated to all incumbent officials and that arrangements were made to ensure that the policy was made available to all new recruits. Poor disclosure of information relating to the NGDs' appetite and tolerance levels was observed. In this regard, of the thirty four (34) evaluated NGDs' annual reports, only one (1) NGD indicated that its risk committee considers, reviews and recommends approvals of the NGD's risk tolerance and appetite levels to the Accounting Officer.
Further, of the thirty four (34) evaluated NGD annual reports, five (5) NGDs indicated that the risk committee considers, reviews and recommends the approval of the risk management policy, strategy and the implementation plans. The non-disclosure of this information raises doubts as to whether the appetite and tolerance levels have been determined. It further raises doubts about the value added by the risk committees.

The limited disclosure of information relating to the risk committees, specifically whether the chairperson of the committee was independent and not an employee of the NGD concerned, further raises doubt about the objectivity and independence of these committees (thirteen (13) of thirty four (34) observed NGDs disclosed this information). It is reiterated here that the King III Report on Corporate Governance and the Public Sector Risk Management Framework call for the chairperson of the risk committee to be independent.

Further limited disclosures were observed on information relating to the competencies of the Chief Risk Officers (eleven (11) of thirty four (34) observed NGDs disclosed this information), the establishment of mechanisms to inform all employees of the importance of risk management in the attainment of their individual organisational objectives (nine (9) of thirty four (34) observed NGDs disclosed this information) and the delegation of roles and responsibilities by the Accounting Officer to ensure the coordination and synergy of risk management activities (no NGD disclosed this).

There was, however, one category in which the observed NGDs had improved disclosure: the integration of risk management strategy into the NGDs' operational routines.
In this regard, nineteen (19) of the thirty four (34) observed NGDs had indicated that there was an integration of risk management strategy into their operational routines.

As indicated in the introduction, risk is concerned with the uncertainty on the objectives. It is worrying that NGDs have poor risk management practices, particularly because they are enablers of government's overarching strategy. Failure to identify, assess, control / mitigate / leverage and manage uncertainties could result in the inability to deliver the government's strategic imperatives, leading to a negative impact on the delivery of services or even failure to see the opportunity to leverage and deliver more.

Table 3 shows coded risk management categories relating to risk identification, risk assessment, risk response, risk monitoring as well as assurance and risk disclosure. There was a better performance in the categories coded in Table 3 than in those coded in Table 2. In this regard, thirty one (31) NGDs indicated that the risk management process was viewed as a systematic process which ensures that risks are documented and that there was a formal risk assessment at least once per year. With regard to the identification and documentation of divergent risks, it was observed that twenty six (26) NGDs disclosed that they had done this. Another improved disclosure was observed on information relating to the development of response strategies for all material risks by management, where twenty one (21) NGDs disclosed that they had done this exercise.

Table 3: Risk identification, assessment, risk response, risk monitoring, assurance and risk disclosure

| Code | Category observed | Incorporated (I): n NGD | Incorporated (I): % | Not incorporated (NI): n NGD | Not incorporated (NI): % |
|---|---|---|---|---|---|
| E | Incorporation of statements relating to the risk approach | | | | |
| E1 | To identify risks, the organisation follows a system that is systematic and this system ensures that risks are documented | 31 | 91 | 3 | 9 |
| E2 | Top down approach to risk assessment is followed | 0 | 0 | 34 | 100 |
| E3 | Risk assessments are conducted at least once annually | 31 | 91 | 1 | 3 |
| E4 | Risks are ranked for prioritization | 15 | 44 | 19 | 56 |
| E5 | Divergent risks have been raised | 26 | 76 | 8 | 24 |
| E6 | The oversight body receives regular risk reports, it reviews and deliberates on these reports | 4 | 12 | 30 | 88 |
| F | Incorporation of statements relating to risk response and management responsibility of risk monitoring | | | | |
| F1 | Risk reports submitted to and reviewed by management contain risk responses | 21 | 62 | 13 | 38 |
| F2 | Risk responses contain opportunities that have been exploited to improve performance of the organization | 2 | 6 | 32 | 94 |
| G | Incorporation of statements relating to the role of relevant parties in the combined assurance | | | | |
| G1 | The organisation has an approved combined assurance framework | 0 | 0 | 34 | 100 |
| G2 | Management (through Enterprise Risk Management division) as a first line of defence in the combined assurance has provided assurance that risk management is integrated in the organisation's daily activities and that controls are in place | 0 | 0 | 34 | 100 |
| G3 | Internal audit as the second tier of defence has provided a written assessment on the effectiveness of risk management and the entire system of internal controls | 0 | 0 | 34 | 100 |
| G4 | Other external assurance providers as the third tier of defence have provided a written assessment on the effectiveness of risk management and the entire system of internal controls | 0 | 0 | 34 | 100 |

n: number of integrated/annual reports observed in a sector (n = 34 for every category); oversight body: Executive/accounting authority (Minister/Director-General); NGD: National Government Department

With regard to the information relating to the documentation of response strategies as well as communication of timelines to all risk owners, it was observed that nineteen (19) NGDs disclosed this information. The final improved disclosure was observed on information relating to the responsibility of designing, implementing and monitoring the effectiveness of the system of internal controls, where seventeen (17) NGDs disclosed this information.

There was, however, some weak disclosure of information observed, particularly in categories relating to the prioritisation of risks, as only fifteen (15) NGDs disclosed this information. In addition to this, of the thirty four (34) NGDs observed, only three (3) NGDs recorded the information relating to the evaluation of effectiveness of risk management policy and strategy (including the plans) in their annual reports. Four (4) NGDs disclosed the category relating to the review and recommendation of approval by the Accounting Officer of the risk identification and assessment methodologies. The non-disclosure of this information casts doubt as to whether the right tone is set from the top.

Two (2) NGDs indicated that they had identified risk responses leading to the exploitation of opportunities to improve the performance of the institution. Risk has to be seen in the context of both threat and opportunity. Looking at risk from only the threat perspective could result in an oversight of possible opportunities that may be leveraged to derive more value.
With regard to the consideration and reviewing of all material findings and recommendations by assurance providers on the system of risk management and monitoring the implementation of such recommendations, it was noted that no NGD disclosed this category.

6 Conclusion and Recommendations

The main aim of the study was to evaluate the risk management practices in South Africa's NGDs using the information disclosed in their annual reports as a proxy of their risk management practices. The content analysis method was used to extract the risk related information in the NGDs' annual reports.

The results obtained indicate that in general, there were poor risk management practices in the NGDs, as the majority of the observed categories were not disclosed in the NGDs' annual reports. Since risk deals with the uncertainties on the objectives, it is concerning that NGDs have poor risk management practices, particularly because they are enablers (implementers) of government's overarching strategy. The implication of poor risk management practices is that NGDs may not necessarily identify threats that could hinder the attainment of government objectives. At the same time, they may also fail to leverage opportunities that may arise.

As enablers of government strategy, it is recommended that NGDs view risk management as a process enabling them to properly identify, analyse, mitigate, manage and monitor all activities that could hinder the achievement of government objectives.

Tankiso Moloi, PhD, is Professor in the Department of Accountancy at the University of Johannesburg. He has written and reviewed several articles on corporate governance and risk management in South Africa.

References

AIRMIC, Alarm and IRM. (2010). A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000. Retrieved 11. 5. 2015, from https://www.theirm.org/media/886062/ISO3100_doc.pdf
Barac, K., & Moloi, T. (2010). Assessment of corporate governance reporting in the annual report of South African listed companies. Southern African Journal of Accountability and Auditing Research, 10(1), 19-31.
Barac, K., Marx, B., & Moloi, T. (2011). Corporate Governance Practices at South African Higher Education Institutions: An annual Report Disclosure Analysis. Journal of Economic and Financial Sciences, 4(2), 317-332.
Braig, S., Gebre, B., & Sellgren, A. (2011). Strengthening risk management in the US public sector. McKinsey & Company.
Carley, K. (1993). Coding Choices for Textual Analysis: A Comparison of Content Analysis and Map Analysis. Sociological Methodology, 23(1), 75-126. DOI: 10.2307/271007
Coetzee, G. P., & Lubbe, D. (2013). The risk maturity of South African private and public sector organisations. Southern African Journal of Accountability and Auditing Research, 14(1), 45-56.
Cooper, T. (2010). Strategic risk management in the municipal and public Sector: An exploration of critical success factors and barriers to strategic risk management within the province of Newfoundland and Labrador (PhD). Memorial University.
Erdener, C., & Dunn, C. (1990). Content analysis. In A. S. Huff (Ed.), Mapping strategic thought (pp. 291-300). Chichester, NY: John Wiley and Sons.
Ene, N. C., & Dobrea, C. R. (2006). Adapting risk management principles to the Public Sector Reforms. Administratie si Management Public, 6(1), 126-130.
Gephart, R. P. (1993). The Textual Approach: Risk and Blame in Disaster Sensemaking. Academy of Management Journal, 36(1), 1465-1514. DOI: 10.2307/256819
Government of Ontario in Canada. (2000). Risk Management Framework for the Government of Ontario. Ontario: Office of the Controller.
Holsti, O. R. (1969). Content Analysis for the Social Sciences and Humanities. Reading, MA: Addison-Wesley.
IoD - Institute of Directors. (2009). King III Report on Corporate Governance. Johannesburg: IoD.
Jauch, L., Osborn, R., & Martin, T. (1980). Structured content analysis of cases: A complementary method for organizational research. Academy of Management Review, 5(1), 517-525.
Kelle, U. (1995). Computer-Aided Qualitative Data Analysis: Theory, Methods and Practice. London, UK: Sage Publications.
Kliem, L. R., & Ludin, I. (1997). Reducing Project Risk. England: Gower.
Knight, K. W. (1999). Australian and New Zealand risk management standards. Strathfield: Standard Association of Australia.
Mangena, M. (2004). Exploring the extent and determinant of accounting information disclosure in interim reports: an empirical study of UK listed companies (PhD Thesis). University of Bedfordshire.
Moloi, T. (2014). Disclosure of risk management practices in the top South Africa's mining companies: An annual/integrated report disclosure analysis. African Journal of Business Management, 8(17), 681-688. DOI: 10.5897/AJBM2014.7517
Moloi, T. (2015a). Assessing corporate governance disclosures in the South Africa's national government departments: the state and corporate governance. Southern African Journal of Accountability and Auditing Research, 17(1), 1-10.
Moloi, T. (2015b). Critical examinations of risks disclosed by South African mining companies' pre and post the Marikana event. Problems and Perspectives in Management, 13(4), 168-176.
Moloi, T. (2015c). Disclosure of risk management practices in the top 20 South Africa's listed companies: An annual/integrated report disclosure analysis. Corporate Ownership and Control, Special Conference Issue, Spring, 928-935.
Morris, R. (1994). Computerized content analysis in management research: A demonstration of advantages and limitations. Journal of Management, 20(1), 903-931. DOI: 10.1016/0149-2063(94)90035-3
National Treasury. (2001). Treasury Regulations. Pretoria: South Africa.
National Treasury. (2010). The Public Sector Risk Management Framework. Pretoria: South Africa.
Republic of South Africa. (1999). The Public Finance Management Act No.1, 1999. Retrieved 4. 2. 2015, from http://www.treasury.gov.za/legislation/PFMA/act.pdf
Republic of South Africa. (2003). The Municipal Finance Management Act No.1, 2003. Retrieved 12. 5. 2015, from http://mfma.treasury.gov.za/Pages/Default.aspx
Siswana, B. (2007). Leadership and governance in the South African public service: An overview of the public finance management system (PhD Thesis). University of Pretoria: Pretoria.
The Presidency. (2015). The strategic agenda of government: A summary. Retrieved 11. 5. 2015, from http://www.thepresidency.gov.za/docs/strategy/2010-11-12-13/strategic agenda.pdf
Weber, R. (1990). Basic Content Analysis (2nd ed.). Thousand Oaks, CA: Sage Publications. DOI: 10.4135/9781412983488
Williams, C. A., Smith, M. L., & Young, P. C. (1995). Risk Management and Insurance (7th ed.). New York: McGraw-Hill.

SUMMARY

1.01 Original scientific article

Key Mechanisms of Risk Management in South Africa's National Government Departments: The Public Sector Risk Management Framework and the King III Benchmark

National government departments (and their agencies) implement (enable) the overarching government strategy in South Africa. It is therefore essential that they use appropriate processes that help to change any activity that could hinder the attainment of government objectives, while also enabling them to leverage any opportunities that arise. This paper evaluates risk management practices in South Africa's national government departments, using the information disclosed in their annual reports as a proxy for their risk management measures. We analysed the information in each department's annual report to check whether it contained the intended risk management practices, which were compiled using the Public Sector Risk Management Framework and the King III Report on Corporate Governance.

Departments in South Africa normally implement the Public Sector Risk Management Framework in accordance with National Treasury guidelines. Following the publication of the King III Report on Corporate Governance, which all organisations must observe regardless of type or form, the risk requirements of the King III Report and of the Public Sector Risk Management Framework had to be harmonised in order to find any inconsistencies, since departments are expected to observe the King III Report and apply its content in their processes. The harmonisation process showed that there are no obvious inconsistencies between the requirements of the King III Report and those of the Public Sector Risk Management Framework.

The results obtained indicate that risk management practices in the departments are poor, as the majority of the observed categories were not disclosed in the departments' annual reports. Since risk relates to uncertainty about objectives, the poor risk management practices in the departments are concerning, particularly because it is the departments that enable (implement) the overarching government strategy. The consequence of poor risk management practices is that departments may not notice threats to the attainment of government objectives. In addition, they may not leverage all the opportunities that arise. As implementers of government strategy, departments should understand and adopt risk management as a process that enables them to properly identify, analyse, mitigate, manage and monitor all activities that could hinder the attainment of government objectives.