In his book titled ‘Enterprise Risk Management’, published by Wiley Finance in 2003, James Lam states that, “The only alternative to risk management is crisis management-and crisis management is much more expensive, time consuming and embarrassing.” Further underpinning the import of risk management, Deloitte, in a study paper of 2005, observed that, “Value-creating organizations focus on long-term risks and develop far-reaching strategies to address them-usually by including brand, reputation, goodwill, and unique organization’s capabilities knowledge, skills, assets and processes. Such assets serve as a value cushion. These organizations are also successful in communicating to key stakeholders about their long-term approach to risk.”
Public sector institutions are bound by their statutory mandates to provide services or products in the interest of the public good. However, no organisation has the luxury of functioning in a risk-free environment, and public institutions are especially vulnerable to risks associated with fulfilling their mandates.
It is an established fact that the public sector environment is fraught with unique challenges such as inadequate capacity, excessive bureaucracy and silo mentality, limited resources, competing priorities and infrastructure backlogs, to mention a few. Such dynamics have been seen to increase the risk profile of the public sector as a whole and place an extra duty of care on public sector managers to contain risks within acceptable limits.
Having stated the criticality of the risk management initiative to public sector entities, what exactly is risk management? Risk management has been identified as a valuable management tool which increases an entity’s prospects of success through minimising negative outcomes and optimising opportunities. Local and international trends confirm that risk management is a strategic imperative rather than an option within high performing organisations.
High performing organisations set clear and realistic objectives, develop appropriate strategies aligned to the objectives, understand the intrinsic risks associated therewith and direct resources towards managing such risks on the basis of cost-benefit principles. These entities have implemented and maintained effective, efficient and transparent systems of risk management and internal control.
In the formal definition by COSO (a consortium of professional associations in the US), risk management is “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Risk management is therefore an application of management policies, procedures and practices to the task of identifying, analysing, assessing, treating and monitoring the various risks that might prevent an organization from achieving its objectives or enhance the probability of their achievement.
Legal Framework
The Kenya government realized the importance of risk management to its entities and consequently issued a directive through Treasury Circular No. 3/2009 of 23rd February, 2009, which provided a policy framework for developing and implementing customized risk management strategies in public institutions. This Circular required all heads of public institutions to develop and implement a risk management framework as a fundamental step to establishing a proactive, accountable and innovative public service.
In 2012, the Public Finance Management Act was enacted, followed by its accompanying regulations of 2015. Regulation 165 (1) requires accounting officers to ensure that government entities develop:
(a) risk management strategies, which include fraud prevention mechanisms; and
(b) a system of risk management and internal control that builds robust business operations.
In addition to this, the Mwongozo Code of Governance for State Corporations requires, among others, the following on risk management:
(a) The development of a policy on risk management which should take into account sustainability, ethics and compliance risks.
(b) Review of the implementation of the risk management framework on a quarterly basis.
(c) Establishment of a risk management function within the entity.
Internal Auditor General and Steps Taken to Support the Risk Management Initiative in the Public Sector
The Internal Auditor General Department (IAGD) is one of the departments within the National Treasury, with an express mandate of providing internal oversight over the effectiveness of governance processes and structures, risk management processes and controls (GRC) in ministries, departments and agencies. The department is also charged with the responsibility of offering advisory services in these key areas.
In the area of advisory services, the PFM Act further requires the department to support public sector entities to establish and implement risk strategies to support their operations. In this endeavour, the department has developed its department-wide Institutional Risk Management Policy Framework (DIRMPF) based on global standards and best practices. The department considers this framework an effective benchmark tool for other public sector entities venturing into this area. The department has also supported a pool of risk management subject matter experts who have the requisite knowledge and skills and are highly motivated to assist entities to improve their risk management processes. This team has so far conducted numerous trainings for MDAs on risk management and in a number of instances has supported entities to design, develop and implement risk management. Another key step taken by the department is the development of risk management tools and templates to aid these entities in this initiative.
Challenges to the Development and Implementation of Risk Management
In support of the risk management initiative, the following challenges have been noted:
1. Some external risks that can adversely affect service delivery are beyond the control of management.
2. Public sector entities not having a dedicated officer to drive this important discipline and put in place a comprehensive risk management strategy.
3. The attitude that risk management is an issue for the private sector and not the public sector.
4. Failure to embed risk management in entity strategic plans.
5. Exclusion of IRM within the existing entity structure to assist in monitoring the implementation of the process, e.g., risk manager, risk committee.
6. Risk management viewed as a compliance activity and not as a critical strategy in the achievement of strategic objectives.
7. Lack of adequate resources to develop and implement the IRM.
8. Measurement of risk is oftentimes subjective rather than objective.
9. Cultural and change management issues: ignoring issues of behavior, attitude and integrity while putting more emphasis on policy and quantification.