ENTERPRISE RISK MANAGEMENT POLICY - Mof.gov.jm


GOVERNMENT OF JAMAICA

ENTERPRISE RISK MANAGEMENT POLICY

Version 1.0
November 2019

Government of Jamaica – Enterprise Risk Management Policy 2019


Introduction

Public sector organisations operate in a dynamic environment of increasing volatility, complexity and ambiguity. In dealing with uncertainty, organisations need to become adaptive to change and leaders must think strategically about how to manage risks to optimize outcomes. For the Government of Jamaica (GoJ) to continually improve its approach to delivering services to its citizens, it is important that Ministries, Departments, Agencies (MDAs) and public bodies (PBs) foster flexibility, seek opportunities and focus on results. Integral to this approach is effective risk management, which is recognised as a core element of effective public administration and a critical component of sound corporate governance.

To establish the Government's framework for effective risk management, the Cabinet by way of Decision #23/18 approved an enterprise-wide approach to risk management. This Enterprise Risk Management (ERM) Policy (the "Policy") sets the structure and tone for ERM within public entities. The Policy also establishes the authority, responsibilities and accountabilities for the Head of Entity, Board, executive management and other staff.

This Policy is designed to assist government entities in meeting the requirements of the Financial Administration and Audit Act and Financial Management Regulations (2011) ("Regulations") section 144, which provides for an effective risk management process to guide the identification and treatment of risks in government departments.[1] The Regulations also require that Accounting Officers shall be responsible for formulating a strategy for risk management in the public sector and for ensuring there is an effective risk governance and risk management process that monitors and manages the material risks to which these entities may be exposed.

With respect to PBs, the Policy supports the Corporate Governance Framework for Public Bodies (2012). Principle 14 indicates inter alia that:
i. Each board should put in place a formal ERM framework developed by the Ministry of Finance, to manage risk across all functional areas and business units of the Public Body;
ii. The framework should be designed to identify, assess, prioritize, monitor and manage risks to the Public Body.

The need for risk management appears to be reasonably understood by Boards of Directors and senior management and has been implemented in a number of public bodies. However, there is the need for a more structured and formalised government-wide risk management strategy or risk management approach. The Policy, as developed, can be tailored and applied to all Government entities. The Policy addresses additional requirements and provides details of key concepts and structures for consideration.

[1] The current Regulations will be revised to include details of a more comprehensive ERM process.

Contents

Introduction ..... 3
Glossary ..... 7
1. Purpose and Objectives ..... 12
1.1. Purpose ..... 12
1.2. Objectives ..... 13
2. Enterprise-wide Risk Governance Framework ..... 13
2.1. Defining risk, risk management and enterprise risk management ..... 14
2.2. Mission, Vision, Core Values and ERM Principles ..... 15
2.2.1. Mission, Vision and Core Values ..... 15
2.2.2. ERM Principles ..... 15
2.3. Risk Appetite ..... 15
2.4. Management Objectives ..... 16
3. Managing risk within the Government of Jamaica ..... 17
3.1. Why manage risk? ..... 17
3.2. Defining enterprise risk and risk management ..... 18
3.3. Main principles ..... 18
3.4. Risk management cycle ..... 19
3.5. Risk Management Process ..... 20
3.5.1. Establishing the context ..... 20
3.5.2. Identifying risks ..... 21
3.5.3. Analysing risks ..... 24
3.5.4. Assessing risks ..... 25
3.5.5. Treating risks ..... 26
3.5.6. Reviewing and reporting ..... 28
4. Enterprise-wide Risk Governance Structure ..... 28
4.1. The Head of Entity or Board of Directors ..... 29
4.2. Governance Committees ..... 30
4.2.1. Risk Management Committee ..... 30
4.2.2. Audit Committee ..... 31
4.3. Senior Management ..... 32
4.4. General Staff ..... 33
4.5. Middle Management / Head of Units (First Line of Defence) ..... 33
4.6. Risk Management Function (Second Line of Defence) ..... 34
4.7. Assurance Function: Internal Audit (Third Line of Defence) ..... 35
4.8. External Auditors and Regulators ..... 35
5. Policy Maintenance and Review ..... 36
Appendix 1 - ERM Governance Structure ..... 37
Appendix 2 - Three Lines of Defence Model ..... 41
Appendix 3 - Bow Tie ..... 43
Appendix 4 - Risk identification form ..... 45
Appendix 5 - Risk typology ..... 46
Appendix 6 - Impact and likelihood scoring ..... 47
Appendix 7 - Risk map ..... 49
Appendix 8 - Sample risk register ..... 50
Appendix 9 - Risk appetite measures ..... 51

Glossary

Accept: Response to risk taken when the risk is within the organisation's risk appetite. Also known as tolerate or retain.

Assurance: Evidence of certainty (or not) of existence and suitability of controls.

Avoid: Potential response to a risk that is outside the organisation's risk appetite, especially where it is impossible to do anything to manage it and/or the activity that leads to it is optional. Also known as terminate or eliminate.

Bow Tie: A diagrammatic way of showing the hierarchy of causes and consequences of a risk (see Annex 2 for an example).

Business Continuity Plan (BCP): Plan to ensure continuity of business operations in the event of a serious incident that impacts the organization.

Business Risk: Business risk, also referred to as operational risk, is related to activities carried out within an entity, arising from structure, systems, people, products or processes.

Cause: The underlying circumstances that make it possible for a risk to occur. Why a risk might occur. Ask yourself "why?" five times.

Commodity Risk: This risk refers to the uncertainties of future market values and of the size of the future income, caused by the fluctuation in the prices of commodities. These commodities may be grains, metals, gas, electricity etc. Commodity risks include price risk, quantity risk, cost risk, and political risk.

Compliance Risk: The risk of legal or regulatory sanctions, material financial loss, or loss to reputation a company may suffer as a result of its failure to comply with all applicable laws, regulations, rules, related internal policies and procedures, code of conduct and standards of good practices applicable to its activities.

Consequence: The effects of a risk occurring – so what?

Corporate Governance: A set of relationships between a company's management, its board, its shareholders and other stakeholders which provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance. It helps define the way authority and responsibility is allocated and how corporate decisions are made.

Country Risk: This risk refers to the risk of investing in a country, dependent on changes in the business environment that may adversely affect operating profits or the value of assets in a specific country. For example, financial factors such as currency controls, devaluation or regulatory changes, or stability factors such as mass riots, civil war and other potential events contribute to companies' operational risks. Country risk includes political risk, exchange rate risk, economic risk, sovereign risk and transfer risk, which is the risk of capital being locked up or frozen by government action.

Credit Risk: The risk that a borrower or counterparty, for any reason, will default on any type of debt by failing to honour its financial or contractual obligations. The risk is primarily that of the lender and includes lost principal and interest, disruption to cash flows, and increased collection costs.

Disaster Recovery Plan (DRP): Plan for use in the event of a serious loss, such as IT failure, fire or earthquake, to assist the recovery of the organisation and support crisis management. A DRP is the initial stage of a BCP.

Financial Risk: Financial risk is an umbrella term for multiple types of risk. Financial risks create the possibility of losses arising from credit risks related to customers, suppliers and partners, financing and liquidity risks, and market risks related to fluctuations in equity prices, interest rates, exchange rates and commodity prices.

Foreign Exchange Risk: This risk is also known as currency risk or exchange risk and is a financial risk caused by an exposure to unanticipated changes in the exchange rate between two currencies.

Fraud Risk: The risk to earnings and capital due to criminal activity against the company (e.g., forgery, fraud, embezzlement, theft etc.).

Impact: The measurement used to assess the severity of the consequence of a risk occurring.

Inherent Risk: The level of risk before any control activities are applied, also known as gross, underlying or unmitigated risk. Auditors assess risks for inclusion in risk-based plans on an inherent basis.

Legal Risk: Legal risk is defined as the risk of financial or reputational loss arising from: civil litigation or criminal or regulatory action; disputes for or against the organization; failure to correctly document, enforce or adhere to contractual arrangements; inadequate management of non-contractual rights; or failure to meet non-contractual obligations. These actions could significantly negatively impact an organisation's business, operations or financial condition.

Likelihood: Evaluation or judgement regarding the chances of a risk materializing.

Liquidity Risk: The risk to earnings or capital arising from situations in which a given security or asset cannot be traded quickly enough in the market to prevent a loss (or make the required profit) because parties in the market do not want to trade for that asset. Liquidity risk includes the inability to manage unplanned decreases or changes in funding sources.

Market Risk: The risk of financial losses arising from changes to the market values of an asset portfolio or liabilities. Market risk includes equity risk, interest rate risk, currency risk, and commodity risk.

Mitigate: Taking actions to make a risk less severe should it occur.

Near Miss: A risk that almost, but not quite, materialises. This could be because of good controls or because of good luck.

Operational Risk: Operational risks are those that are likely to arise from inadequate or failed internal processes, people and systems or from external events and will have an effect on organisational operations at a non-strategic level.

Opportunities: The flip side of risk; taking advantage of circumstances to result in benefits.

Owner: A risk owner takes responsibility for managing a risk although s/he may not be directly responsible for the risk actions.

Political Risk: This risk refers to the complications investors, businesses and governments may face as a result of what are commonly referred to as political decisions. That is, any political change that alters the expected outcome and value of a given economic action by changing the probability of achieving business objectives. Political risk faced by firms can be defined as the risk of a strategic, financial, or personnel loss for a firm because of such nonmarket factors as macroeconomic and social policies (e.g., fiscal, monetary, trade, investment, industrial, income, labour, and developmental), or events related to political instability (e.g., terrorism, riots, coups, civil war, and insurrection).

Preventive Control: Type of control that is designed to eliminate the possibility of an undesirable risk materializing.

Project Risk: Project risks are those that could cause doubt about the ability to deliver a project to time, budget and quality.

Reduce/Treat/Control: Response to a risk that can be (further) reduced by the introduction of cost-effective controls. Also known as control or mitigate.

Remediation Controls: Planned actions to take after a risk has materialised to manage the after-effects. This could consist of a business continuity or disaster recovery plan (see above).

Reputational Risk: Reputational risk can be defined as the risk arising from negative perception on the part of customers, counterparties, shareholders, investors, debt-holders, market analysts, other relevant parties or regulators that can adversely affect an organisation's ability to maintain existing, or establish new, business relationships and continued access to sources of funding (e.g., through the interbank or securitisation markets). Reputational risk is multidimensional and reflects the perception of other market participants.

Residual Risk: Existing level of risk taking into account the controls already in place. Also known as current risk.

Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.[1]

Risk Appetite: Risk appetite is the aggregate level and types of risk that an organisation is willing to accept or take to meet its strategic objectives, deliver its business plan or take advantage of an opportunity. The level of risk appetite depends on the nature and type of activities under consideration. It is decided in advance and is intended to ensure that the organisation operates within its risk capacity.

Risk Appetite Statement (RAS): The written articulation of the aggregate level and types of risk that an organization will accept, or avoid, in order to achieve its business objectives. It includes quantitative measures expressed relative to fiscal targets, and other relevant measures as appropriate. It should also include qualitative statements to address reputation and conduct risks as well as money laundering and unethical practices.

Risk Capacity: The maximum amount of risk an organization is able to assume given its capital base, risk management and control capabilities as well as its regulatory constraints.

Risk Context: The environment within which risks are being managed, both internal and external to the organization.

Risk Culture: An organisation's norms, attitudes and behaviours related to risk awareness, risk-taking and risk management, and controls that shape decisions on risks. Risk culture influences the decisions of management and employees during day-to-day activities and has an impact on the risks they assume.

Risk Exposure: Level of risk to which the organisation is exposed, that is the combination of the likelihood of a risk occurring and its impact.

Risk Governance: Risk governance refers to the institutions, rules, conventions, processes and mechanisms by which decisions about risks are taken and implemented. It can be both normative and positive, because it analyses and formulates risk management strategies to avoid and/or reduce the human and economic costs caused by disasters. Risk governance goes beyond traditional risk analysis to include the involvement and participation of various stakeholders as well as considerations of the broader legal, political, economic and social contexts in which a risk is evaluated and managed.

Risk Governance Framework: As part of the overall corporate governance framework, the framework through which the board and management establish and make decisions about the organisation's strategy and risk approach; articulate and monitor adherence to risk appetite and risk limits vis-à-vis the organisation's strategy; and identify, measure, manage and control risks.

Risk Limits: Specific quantitative measures or limits based on, for example, forward-looking assumptions that allocate the organisation's aggregate risk to business lines, legal entities as relevant, specific risk categories, concentrations and, as appropriate, other measures.

Risk Management: A process to identify, assess, manage and control potential events or situations to provide reasonable assurance regarding the achievement of the organisation's objectives.[2]

Risk Map: Presentation of risk information on a grid or graph, also referred to as a heat map. It is often used to summarise the risk status of an organisation in a single diagram and is useful for reporting to senior management (see Annex 4).

Risk Profile: The totality of risks faced by an organisation, considered as a whole.

Risk Register: Record of risks, the controls currently in place, the risk score, additional controls that are required and responsibility for risks and control activities (see Annex 5). Separate risk registers are maintained for different aspects of organisational activities: strategic, operational, project, etc.

Risk Scoring: Risk assessment process that analyses the likelihood and impact of a risk.

Risk Tolerance: Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.

Risk Universe: The full range of risks which could impact, either positively or negatively, on the ability of the organisation to achieve its long-term objectives.

Spotting Control: A control that will identify that a risk is about to occur and highlight this so that pre-emptive action can be taken.

Sovereign Risk: The risk arising from the chance of a government failing to make debt repayments or not honouring a loan agreement. These practices can be resorted to by a government in times of economic or political uncertainty or to portray an assertive position misusing its independence. A government can resort to such practices by altering any of its laws, thereby causing adverse losses to investors.

Strategic Risk: Strategic risks are long-term and/or opportunity driven and are concerned with where the organisation wants to go, how it plans to get there and how it can ensure survival. These risks are very directly linked to the over-arching plans of the organization.

Target Risk Score: The level of risk that is anticipated once all planned actions have been implemented.

Transfer: Response to a risk that is outside the organisation's risk appetite that can be shared with or transferred to others, by means of insurance, contract, joint venture, partnership or similar arrangements.

[1] Institute of Internal Auditors: International Practices Framework
[2] Ibid

1. Purpose and Objectives

1.1. Purpose

This Policy is a formal acknowledgement of the commitment of the GoJ to effective risk management. It aims to ensure that public entities use a consistent approach to effectively manage risk and balance exposure against opportunities, with the goal of enhancing capabilities to create, preserve, and realize value for their stakeholders.

The GoJ considers ERM to be integral to its operations as it helps to improve decision making in governance, strategy, objective setting and the day-to-day operations of its entities. It also helps to enhance performance by more closely linking strategy and business objectives to both risk and opportunity. As such, ERM principles shall be integrated into all aspects of the GoJ's operations - both at the strategic and operational level - to include governance, strategy, performance management, and internal control.

This Policy applies to all public officers and requires all employees to understand the nature of risks and accept responsibility for managing risks in their area of authority. The GoJ has adopted the international standard for risk management, ISO 31000, as its ERM framework.

The ISO 31000 Risk Management Framework is anchored on eight principles, which are:
1) The ERM strategy should be customized and proportionate to the type of organization.
2) Appropriate and timely involvement of stakeholders is necessary.
3) A structured and comprehensive approach is required.
4) Risk management is an integral part of all organizational activities.
5) Risk management anticipates, detects, acknowledges and responds to changes.
6) Risk management explicitly considers any limitations of available information.
7) Human and cultural factors influence all aspects of risk management.
8) Risk management is continually improved through learning and experience.[3]

[3] Source: Institute of Risk Management (2018), "A Risk Practitioners Guide to ISO 31000"

1.2. Objectives

The objectives of ERM in the GoJ are to:
- Enhance management's ability to select a strategy that aligns anticipated value creation with the entity's risk appetite and its capabilities for consistently managing risks;
- Embed ERM practices within the strategy-setting and operational processes of public entities so that risks are consistently managed in accordance with the GoJ's values, in a pragmatic and cost-effective way;
- Proactively anticipate changes to the operating environment (rather than reactively manage the outcomes) that may impact achievement of the entity's strategic objectives, and implement an effective risk mitigation strategy; and
- Enhance management decision-making so that it can be determined whether decisions create, preserve, realize or erode value for the entity.

2. Enterprise-wide Risk Governance Framework

The GoJ has developed a comprehensive enterprise-wide framework for risk governance (the 'Framework'), which, together with culture, forms the foundation for the effective operation of ERM. Culture reflects the organization's ethics: the values, beliefs, attitudes and understanding of risk. It supports the achievement of the organization's mission and vision, and the GoJ embraces a risk-awareness culture, which emphasizes the importance of managing risk and encourages a transparent and timely flow of risk information.

The Framework sets out the GoJ's enterprise-wide approach to managing risks across public entities. It comprises the following key interrelated components, which are presented in Figure 1 and discussed in the following sections:
- Defining risk, risk management and enterprise risk management – Section 2.1
- Mission, vision, core values and guiding ERM principles – Section 2.2
- Risk appetite – Section 2.3
- Management objectives – Section 2.4
- Managing Risk in the GoJ – Section 3
- Enterprise-wide Risk governance structure – Section 4

Figure 1. GoJ Enterprise-wide Risk Governance Framework
[Figure: components shown are Mission, Vision, Core Values; ERM Principles; Risk Appetite; Management Objectives; Enterprise-wide Risk Governance Structure; Risk Management Process]

2.1. Defining risk, risk management and enterprise risk management

Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.[4]

Risk management: A process to identify, assess, manage and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.[5]

Enterprise Risk Management: The culture, capabilities and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.[6]

[4] Institute of Internal Auditors: International Practices Framework
[5] Ibid
[6] Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2016). Enterprise risk management. Aligning risk with strategy and performance (Public Exposure Draft)

2.2. Mission, Vision, Core Values and ERM Principles

2.2.1. Mission, Vision and Core Values

The mission and vision of the GoJ should provide a high level indication of its risk 'appetite' in terms of the acceptable type and amount of risk the government will pursue to achieve its objectives. They help to establish boundaries and focus on how decisions may affect strategy. The GoJ's strategy is aligned with its mission, vision, and core values to realize its objectives.

The Head of Entity or Board and senior management have overall responsibility for the organization, including the approval and oversight of management's implementation of the GoJ's ERM strategy and governance framework. The Head of Entity or Board and senior management should set the 'tone at the top' and oversee management's role in fostering and maintaining a robust risk-awareness culture.

2.2.2. ERM Principles

The Framework is established on the following overarching ERM principles, which should guide decision-making throughout the organization. Individually, each principle is equally important, and taken as a whole, they form GoJ's risk management philosophy. They sit alongside the operational principles described in the ERM User Guide:
- GoJ will establish a strong and supportive tone that is communicated from the top of the organization in support of an ethical risk-awareness culture;
- Management will define and establish the organization's risk appetite in the context of creating, preserving and realizing value for its stakeholders;
- Management will ensure effective ERM practices are embedded at the strategic and operational levels of the organization; and
- MDAs and public bodies will prioritize risks in order to inform decision-making and optimize allocation of resources.

2.3. Risk Appetite

An effective risk governance framework includes a strong risk culture, a well-developed risk appetite[7] articulated through a Risk Appetite Statement (RAS), and defined roles and resp
