Standard Integrated Risk Management 4 32 - Eskom


Standard

Title: Integrated Risk Management Standard
Document Identifier: 32-391
Alternative Reference Number: N/A
Area of Applicability: Eskom Holdings SOC Limited
Functional Area: Enterprise Risk & Resilience
Revision: 4
Total Pages: 32
Next Review Date: March 2020
Disclosure Classification: Public
(Document template: EDC TN published 18.07.2017, Rev 6)

Integrated Risk Management Standard | Unique Identifier: 32-391 | Revision: 4 | Page: 2 of 32

Content

1. Introduction ... 4
2. Supporting Clauses ... 5
2.1 Scope ... 5
2.1.1 Purpose ... 5
2.1.2 Applicability ... 5
2.2 Normative/Informative References ... 5
2.2.1 Normative ... 5
2.2.2 Informative ... 6
2.3 Definitions ... 7
2.4 Abbreviations ... 9
2.5 Roles and Responsibilities ... 10
2.6 Process for Monitoring ... 10
2.7 Related/Supporting Documents ... 10
3. Standard ... 11
3.1 Integrated Risk Management Preamble ... 11
3.2 Institutionalising (Incorporating) Integrated Risk Management in the organisation ... 12
3.2.1 Foundational Principles ... 12
3.2.2 Building blocks ... 13
3.3 Integrated Risk Management Process ... 15
3.3.1 Communicate and Consult ... 16
3.3.2 Establish the context ... 16
3.3.3 Identify the risk ... 17
3.3.4 Analyse the risk ... 17
3.3.5 Evaluate the risk ... 22
3.3.6 Treat the risk ... 23
3.3.7 Monitor and Review ... 24
3.4 Integrated Risk Management Standard Requirements ... 25
3.4.1 Requirement 1: Risks of Divisional Business and Operational Plans ... 25
3.4.2 Requirement 2: Divisional risk reviews ... 25
3.4.3 Requirement 3: Risks of significant decisions and/or changes ... 25
3.4.4 Requirement 4: Assurance of Critical Controls ... 25
3.4.5 Requirement 5: Learning from Successes and Failures ... 25
3.4.6 Requirement 6: Risk Management Planning ... 26
3.4.7 Requirement 7: Recording Risk Management ... 26
3.4.8 Requirement 8: Monitoring and Reporting Risk Management ... 26
3.4.9 Requirement 9: Integrated Risk Management and Projects ... 26
3.4.10 Requirement 10: Business Continuity Management ... 26
3.4.11 Requirement 11: Disaster Management ... 27
4. Acceptance ... 28
5. Revisions ... 29
6. Development Team ... 29
7. Acknowledgements ... 29
Appendix 1 - Quantitative Risk Analysis (QRA) ... 30
Appendix 2 - Disaster Risk Assessment ... 32

CONTROLLED DISCLOSURE
When downloaded from the document management system, this document is uncontrolled and the responsibility rests with the user to ensure it is in line with the authorised version on the system. No part of this document may be reproduced without the expressed consent of the copyright holder, Eskom Holdings SOC Limited, Reg No 2002/015527/06. Hard copy printed on: 18 July 2017

1. Introduction

The effective management of risk and resilience is essential for Eskom as a company, particularly given the role it plays in the South African economy. It is therefore an important element of the Eskom Corporate Plan.

This standard includes 12 approved building blocks for Risk & Resilience (see Figure 1 below), focussing specifically on the 8 common Risk & Resilience management components to ensure that risk management will be consistently applied. The four remaining building blocks deal specifically with Resilience and are covered within their own documentation.

[Figure 1: 12 Building Blocks for Risk & Resilience. 4 building blocks for Resilience; 8 common building blocks for Risk & Resilience, including Governance & Reporting, Policies & Standards, Standardised Risk & Resilience Methodologies, Approved Enterprise Risk Appetite, Maturity Evaluation, and Effective Risk Control and Feedback.]

These building blocks support the following:
• Effective shaping, safeguarding and specialised servicing of risk and resilience across the organisation through a centre-led governance and operating model.
• An integrated approach to managing risk and resilience.
• Compliance to applicable legislation.

Eskom is committed to the effective management of risk, which is central to Eskom's governance and management processes, and essential for achieving the organisation's mandate and objectives. Eskom's mandate is to provide electricity in an efficient and sustainable manner, including its generation, transmission, distribution and sales. Eskom is a critical and strategic contributor to the South African government's goal of ensuring security of electricity supply in the country as well as economic growth and prosperity.

It is therefore imperative that there will be one standard for the management of all types of risks that will be consistently applied across all of Eskom, including its subsidiaries and projects. The objective of managing risk is to ensure that Eskom is able to formulate and execute its strategy effectively and to operate its business efficiently. It is therefore important that risks that impact Eskom's objectives are identified, effectively managed and continuously monitored.

2. Supporting Clauses

2.1 Scope

This standard supports Eskom's Enterprise Risk and Resilience Policy and describes a structured approach to risk management, using consistent approaches to the assessment and treatment of all types of risk, at all levels and for all activities in the company, and describes a common methodology.

2.1.1 Purpose

This standard, when complied with at all levels and for all activities in the company, will ensure a standard approach to Integrated Risk Management throughout and at all levels of the organisation.

2.1.2 Applicability

This standard shall apply throughout Eskom Holdings SOC Ltd, its divisions, subsidiaries, integrated operations, and entities wherein Eskom has a controlling interest.

2.2 Normative/Informative References

Parties using this document shall apply the most recent edition of the documents listed in the following paragraphs.

2.2.1 Normative

[1] 32-86 – Enterprise Risk & Resilience Policy.
[2] ISO 31000: 2009 - Risk Management - Principles and guidelines on implementation
[3] ISO 31004: 2013 - Risk Management – Guidance for the implementation of ISO 31000
[4] ISO/IEC Guide 73 - Vocabulary for Risk Management
[5] ISO 31010: 2009 - Risk management – Risk assessment techniques
[6] King III - King Code of Governance for South Africa 2009
[7] Eskom Risk Appetite and Tolerance Statement and Profile
[8] Disaster Management Act (Act No. 57 of 2002) as amended

2.2.2 Informative

[9] ISO 9001: 2015 - Quality Management Systems
[10] 240-79747329 – Business Continuity Standard
[11] 240-86786675 – Disaster Management Standard
[12] 240-105203484 – Incident Command System Standard
[13] 32-973 – Simulation Exercise Standard

2.3 Definitions

Assurance: A process that provides confidence that objectives will be achieved with a tolerable level of residual risk.
Business Risk: [text missing]
Cause: Something that gives rise to or creates a risk or an event.
Communication and consultation: Continual or iterative process that an organization conducts to provide, share and/or obtain information and to engage in dialogue with stakeholders regarding the management of risk.
Consequence: Outcome of an event affecting objectives.
Control: Measure that is modifying risk.
Control owner: The person nominated as accountable for the assurance of the control to ensure that both the design and the operation of the control are effective. Control owners' names are recorded in risk registers.
Control self assessment: The planned, periodic review by managers of work processes, procedures and systems to ensure that the risk controls are still effective and appropriate. The review should focus on opportunities for improvement with existing work processes, procedures and systems and with the risk controls.
Control tasks: Process of developing, selecting and implementing measures to enhance controls.
Cost benefit analysis: An objective assessment comparing all the costs of treating a risk against all the benefits from the residual risk.
Disaster: A progressive or sudden, widespread or localised, natural or human-caused occurrence which (a) causes or threatens to cause (i) death, injury or disease; (ii) damage to property, infrastructure or the environment; or (iii) significant disruption of the life of a community; and (b) is of a magnitude that exceeds the ability of those affected by the disaster to cope with its effects using only their own resources.
Emerging risk: Emerging risks are those risks an organization has not yet recognized or those which are known to exist, but are not well understood.
Exposure: Extent to which an organization is subjected to an event.
External context: External environment in which the organization seeks to achieve its objectives.
Key element structure: [text missing]

Internal context: Internal environment in which the organization seeks to achieve its objectives.
Level of risk: Magnitude of a risk expressed in terms of the combination of consequences and their likelihood.
Likelihood: Chance of something happening.
Monitoring: Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected.
Potential exposure: The total plausible maximum impact on Eskom arising from a risk without regard to controls.
Review: Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives.
Risk: The effect of uncertainty on objectives.
Risk analysis: Process to comprehend the nature of risk and to determine the level of risk.
Risk appetite: Amount and type of risk that the organization is prepared to take in order to achieve its objectives.
Risk assessment: Overall process of risk identification, risk analysis and risk evaluation.
Risk control effectiveness (RCE): A relative assessment of the actual level of control that is currently present and effective compared with that which is reasonably achievable for a particular risk.
Risk criteria: Terms of reference against which the significance of a risk is evaluated.
Risk evaluation: Process of comparing the results of the risk analysis against risk criteria to determine whether the level of risk is acceptable or tolerable.
Risk identification: Process of finding, recognizing and describing risks.
Risk management: Coordinated activities to direct and control an organization with regard to risk.
Risk management framework: Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organization.
Risk management information system: The database operated by Eskom that holds all risk management information including all risk registers, risk treatment plans and risk management plans.

Risk management policy: Overall intentions and direction of an organization related to risk management.
Risk management process: Systematic application of management policies, procedures and practices to the tasks of communicating, consultation, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Risk matrix: Tool for ranking and displaying risks by defining ranges for consequence and likelihood.
Risk owner: Person with the accountability and authority for managing the risk and any associated risk treatments.
Risk register: Record of information about identified risks.
Risk reporting: Form of communication intended to address particular internal or external stakeholders to provide information regarding the current state of risk and its management.
Risk tolerance: Risk tolerance is the organization's readiness to bear the risk after risk treatment, in order to achieve its objectives.
Risk treatment: Process of developing, selecting and implementing measures to modify risk.
Risk treatment plan: Documents the risk treatment actions to be taken. Includes details of separate tasks, task owners and completion dates.
Situation awareness: Situation awareness (SA) involves being aware of what is happening in the vicinity, in order to understand how information, events, and one's own actions will impact goals and objectives, both immediately and in the near future. It is critical to decision-makers in complex, dynamic areas.
Task owner: The person nominated as accountable for the completion of a risk treatment [text missing]

2.4 Abbreviations

Abbreviation: Explanation
[abbreviation missing]: Divisional Executive
ER&R: Enterprise Risk and Resilience
EXCO: Executive Committee
GE: Group Executive
GM: General Manager
IRM: Integrated Risk Management

Manco: Management Committee
RM: Risk Management

2.5 Roles and Responsibilities

This standard is issued under the authority of the Group Executive – Transmission and Sustainability & Risk. The roles and responsibilities are fully defined in the Enterprise Risk and Resilience Policy (32-86) for the oversight and management of risk and include the following role players:
• Eskom Board of Directors
• Group Chief Executive
• Group Executive assigned accountability for risk (Chief Risk Officer)
• Group/Divisional Executives
• Risk process experts (champions)

2.6 Process for Monitoring

The implementation of this standard will be monitored as part of a divisional self-assessment process and peer reviews as well as other assurance providers.

2.7 Related/Supporting Documents

Not applicable

3. Standard

3.1 Integrated Risk Management Preamble

• Eskom promotes an organisational culture which values effective management of risk and resilience through capabilities and measures embedded within its operations, decision-making processes, and the development and implementation of strategy.
• Eskom's governance of risk and resilience is aligned with the principles as set out by the King Code on Corporate Governance, including the allocation of dedicated time at the Board Audit & Risk Committee to assist it in carrying out its responsibilities in relation to executing its oversight of risk and resilience management in the company.
• Eskom is committed to embedding risk management at all levels of the organization in order to identify the risks and manage them in a consistent and proactive way, prior to events occurring that might prevent us from achieving our objectives.
• Eskom will adopt a structured approach to risk management, using consistent approaches to the assessment, treatment, monitoring and reporting of all types of risk, at all levels and for all activities across the business.
• There will be one standard for the management of all types of risks that will be consistently applied across Eskom including its subsidiaries and projects.
• The Board Audit and Risk Committee will set Eskom's risk appetite and risk tolerance levels.
• Risk Management is primarily the responsibility of line management, regarded as the first line of defence.
• The Eskom Executive Committee (Exco), through its Risk & Sustainability Sub-committee, will monitor and review the organisation's risk management plan, risk management system and risk performance and report this to the Board on a quarterly basis.
• The Audit and Risk Committee is responsible for providing oversight over the functioning of Combined Assurance activities as the third line of defence. Assurance is provided through independent reviews on adequacy of risk, control and governance mechanisms, including compliance of Eskom-wide risk management practices and processes.
• One Integrated Risk Management System (CURA) is used for all business risk information.
• Integrated Risk Management is included in performance contracts of all Group and Divisional Executives.
• Eskom drives continued enhancement of its risk and resilience management practices, through an annually updated Eskom Holdings Risk & Resilience Management Plan which is prepared by management and approved by the Eskom Board.

3.2 Institutionalising (Incorporating) Integrated Risk Management in the organisation

3.2.1 Foundational Principles

• Inculcating a risk culture at all levels of the organisation
A risk intelligent organisation will require a significant shift in culture. A clear set of risk traits has been identified that will clearly communicate the expectation of leadership and staff in relation to risk. These traits are:
- Think holistically about risk and uncertainty
- Take the right risks for reward (managing threats and capitalising on opportunities)
- Speak a common risk language
- Effectively use forward-thinking risk concepts and tools to make better decisions
- Create lasting value and ensure sustainability
- Continuously learn

• Effective change management and communication
Communication and change management are intended to address particular internal or external stakeholders to provide information regarding the current state of risk and its management, and to solicit understanding and support for the step changes that are required to get Eskom to a risk intelligent state. The implementation of changes must be supported by setting up communication processes and channels, organisational support structures and the means for ongoing monitoring and performance review.

• Implementing risk into foundations of business strategy and planning
Organizations must develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk into the organization's overall governance, strategy and planning, management, reporting processes, policies, values and culture. Eskom's risk management process should be aligned with the organization's culture, processes, structures and strategy. Integration with Eskom's strategy must be established as:
o risk management assists the organisation to achieve its objectives;
o objectives and criteria of a particular project, process or activity should be considered in the light of objectives of the organization as a whole; and

o some organisations fail to recognize opportunities to achieve their strategic, project or business objectives, and this affects ongoing organizational commitment, credibility, trust and value.

• Integrated risk management systems
In accordance with best practice and in order to safeguard risk at a corporate level, a single risk management system based on ISO 31000 has been implemented. All other working systems utilised should be inputs to the Eskom single risk management system (e.g. project specific tools for analysis).

• Integration with audit, compliance, governance, and combined assurance initiatives
Cooperation with internal audit, compliance, governance and other related management governance processes is essential to enable a comprehensive compliance and assurance framework delivering combined assurance. Eskom internal audit has the role of providing assurance that the risk standards are being complied with and will also monitor and annually evaluate the effectiveness of Risk Management.

3.2.2 Building blocks

• Governance and Reporting
Assurance of good corporate governance will be achieved through the regular measurement, reporting and communication of risk and resilience management performance. The Risk and Sustainability Manco will monitor and review the organisation's risk management system and performance and report this to Exco on a regular basis. A quarterly report will be submitted by Enterprise Risk and Resilience to the Board Audit and Risk Committee, a subcommittee of the Eskom Board. Resolutions requested from governing bodies across the business shall be accompanied by a formal risk assessment in accordance with the Eskom risk methodology. The associated resource requirements shall form part of the approval requested.

• Policies and standards
The Enterprise Risk and Resilience policy defines Eskom's integrated risk management principles formulated to promote the creation of a consistent and value-adding process that assists the organisation to achieve its objectives.

The Integrated Risk Management Standard supports Eskom's Enterprise Risk Management Policy and describes how Eskom will adopt a structured approach to risk management, using consistent approaches to the assessment and treatment of all types of risk initiatives, at all levels and for all activities in the company.

• Standardised Risk & Resilience methodology
Eskom will adopt a structured and consistent approach to risk & resilience management at all levels and for all activities in the organisation.

• Enterprise Risk & Resilience Management plans
Eskom, its Divisions and Functions will prepare and maintain suitable risk management plans. Risk management plans will be reviewed annually as
