Professional Documents
Culture Documents
to ERM 2.0
A Guide for the Public Sector
in Singapore
Contents
01 02
Foreword Introduction
04 07
ERM Maturity in Common Top Risks in the
the Public Sector Public Sector today
09 22
ERM 2.0 in the Public Building Your
Sector – Key Building Practical ERM
Blocks Roadmap
25
Conclusion
Foreword
Many Public Sector organisations in We also provide perspectives on the
Singapore today have done very well in latest ERM initiatives and activities that
implementing and sustaining an organisations have started to embark
Enterprise Risk Management (ERM) on both globally and in Singapore.
framework over the years.
It should be noted that there is no ‘one
ERM is not a static exercise but a size fits all’ ERM programme. ERM is
continuous journey to improve an best tailored to the context of your
organisation's ability to anticipate and organisation, taking into account factors
manage its risks. such as size, nature of operations,
resources available, among others.
This publication shares trends and the
evolution of risks and risk management We hope that this publication provides
practices, as well as key insights, into readers insights on charting a
how Public Sector organisations can sustainable ERM journey where
continuously improve and mature their continuous reinforcement and
ERM practices. improvement remain central
cornerstones of the programme.
Our inputs tap on KPMG’s extensive
experience through the years partnering
the Public Sector in Singapore to
provide practical guidance and
considerations to unlock further value
from ERM as a programme.
“We need to look beyond ERM as an “How do we minimise the ‘blind spots’
academic exercise…” we are facing?”
Figure 1 summarises the typical ERM areas where Public Sector organisations do well. It also covers
components which may not yet be in common practice:
Linked to performance
management Common practice across Public Sector
Observed in some Public Sector organisations
Not yet a common practice in the Public Sector
Figure 1: ERM Maturity in the Public Sector based on KPMG’s ‘7 Pillars of ERM’
There has been a rapidly increasing focus from Some of the common weaknesses identified included
Boards and Senior Management on cyber security no monitoring of privileged users’ activities in IT
and data confidentiality risks and issues, especially in systems, and lapses in managing user accounts and
light of recent incidents in Singapore. Other common access rights.
top risks identified and discussed include downtime
of critical IT systems, as organisations leverage more Annually, KPMG performs an in-depth Root-Cause
and more on technology, as well as talent attraction Analysis on the key findings and issues raised.
and retention risk which has been a continued Results from the analysis were compared with the
concern for many Public Sector organisations. past AGO reports since its genesis (Year 1990) to
detect key trends and solutions to prevent the
This is also in line with recent Auditor-General’s recurrence of similar issues from arising. From the
Office (AGO) reports, where weaknesses in analysis, repeated root causes had been observed.
information technology controls had been a Root causes include: (i) lack of monitoring; (ii)
significant focus area in previous audits – most compliance with controls not prioritised at various
recently in Financial Year 2016/2017 and 2017/2018. supervisory levels; and (iii) insufficient robust
AGO acknowledged that the lack of attention is of procedures. As such, it is crucial for each organisation
concern in view of the public sector’s high to start reviewing the adequacy and effectiveness of
dependency on IT systems and data for Government its existing framework and how to improve and
operations, and the fast-evolving IT security threats. mature it.
TOWARDS
ERM
ERM
2.0
Foundations
Sustained
Innovation
Risk
Political
Budgeting R9 Risk
Risk
R1 • Have we identified and documented
R11 Funding risk causes comprehensively and
Risk
R4 appropriately?
• Are there potential ‘snow-balling’
Supply effects between risks?
R3 Chain Risk • Do our initial likelihood and impact
R3 ratings reflect the reality of risk
R8 Outsourcing exposures?
Media Risk • How much reaction time do we have
Social
Publicity
R1 R5 R2
Media should one of our key risks materialise?
Risk Risk
Procurement • How can we optimise resource
R1: Inadequate
Risk allocation for risk management through
infrastructure to meet
public expectations R1 understanding of risk interconnectivity?
R6 Industry • Are the key controls adequately
Macro- established to mitigate these
Development
economic
Risk
Risk systemically significant risks?
R5
Partnership &
Outreach Risk
GETTING STARTED
Public Sector organisations may start by taking reference from their current top risks identified to explore
risk interconnectivity. Through various methods such as surveys and engaging with stakeholders on an
individual or focus group basis, collect input on potential connections between risks.
Once input has been collected, it is important that key stakeholders have the opportunity to moderate and
calibrate outcomes to agree on an organisation-wide view of interconnectivity.
People Process
Strategic • Strong risk understanding • Regular and robust
Enterprise
Decision and appreciation ERM and risk reporting Risk
Making • Support from the ‘Top’ processes Management
• Established risk governance • Defined risk appetite
structure and tolerance for key
• Broken down departmental risk areas
‘silos’ • Strong risk monitoring
mechanisms
• Senior risk officer (e.g. CRO)
actively involved in strategic • Driven and supported by
discussions data where appropriate
Risks identified and assessed can be used to ‘challenge’ and consider alternate scenarios for strategic
planning and decision-making
Figure 5: How risk management and strategic decision-making can work in practice, and key enablers to
consider for people and process
Getting Started
Public Sector organisations may start considering enhancing the linkage between risk management and
strategy by involving the ERM function in platforms for strategy discussions and decision-making, where
appropriate.
Where strategic information may be deemed highly sensitive, a member of Senior Management should
take on the role of actively providing risk perspectives in such strategic discussion platforms.
From the longer term perspective, organisations should also think about evaluating both risk management
and strategic decision-making processes to identify key touch points for integration, as well as consider the
need for a senior Risk Officer resource to facilitate risk discussions at strategic levels.
1
Ability to obtain overview of
risks at the enterprise level
and the respective entity level
7
Integration with
other organisational
processes
2 Ability to obtain a
summary of risk
management activities
(i.e. controls, action plans,
(i.e. HR systems,
procurement system) key risk indicators)
for monitoring
6 3
Integration
with
assurance
ERM Input / updates
directly by
processes and Automation domain experts
activities (e.g. controls performed
(i.e. control directly by front line), thus
self-assessment, providing clearer
internal audit, understanding of roles and
external audit) responsibilities across the
organisation
Figure 6: Key features and benefits that a tech-enabled ERM programme can bring to organisations
Technology is a key enabler to build a connected and Technology can also enable organisations to prepare
integrated ERM framework. ERM processes can be and report risks in an interactive dashboard format.
enhanced, for example, with more timely and Risks are updated almost real-time and supported by
accurate reporting of information from operations and data and indicators monitored on an ongoing basis.
improved consistency of risk management practices This not only allows Boards and Senior Management
among others. In other words, technology allows to focus on the most critical risk areas, but also
organisations to deploy ‘sensors’ within operational allows for enhanced decision-making based on most
processes and functions, perform analysis on data updated risk information. Figures 7 and 8 provide
and information collected, in order to improve illustrations on how interactive risk dashboards may
timeliness of risk escalation and management. look.
GETTING STARTED
Public Sector organisations are strongly encouraged to perform a review and benchmarking exercise of
their existing ERM programme against latest ERM standards and good practices. This could involve ERM
processes, tools and templates, reporting protocols, risk culture, among others.
Once stakeholders are satisfied with the robustness and effectiveness of the ERM programme in place,
short and long term objectives for ERM technology enablement should be set out with cost-benefit
analysis done before sourcing for potentially suitable systems and tools.
5.4 Breaking through the barriers awareness has been largely established in most
of Risk Culture Public Sector organisations today, especially at Board
and Senior Management levels. At operational levels,
It is critical to start building risk awareness,
risk awareness and understanding may manifest
understanding and culture among stakeholders from
more on specific topics, such as health and safety,
the onset of ERM framework development. Good risk
data confidentiality risks, among others.
Clear RM Risk roles & RM framework Staff have the right Belief that RM adds
expectations from responsibilities supports RM skills value to their day to
Board & Senior are clearly defined achievement of & knowledge day job & there is
Management strategic objectives room for
improvement
Clear communication Appropriate risk
Policies, framework channels between Staff have the right training and
and processes in departments to discuss level of risk related communication Overcoming obstacles
place to support RM risk & control issues; information to make for developing &
Staff follow policies & decisions improving risk
procedures Ability to react management
Openness in and escalate
communicating risk Risk is factored in appropriately when
issues Robust RM & internal decision making faced with risks
control system across
organisation
Reward for risk taking Ability to
within the risk appetite challenge RM
Risk awareness is generally strong in the Public Some organisations have also started considering
Sector. But many organisations still find it challenging fresh approaches to garner further interest in ERM,
to further mature risk culture from strong awareness for instance:
to true appreciation of the value proposition of ERM • ‘Risk Awareness Day / Carnivals’ with interactive
and ultimately drive the right risk behaviours. For booths and activities to encourage mass
many Public Sector organisations, risk management participation. This approach is most useful to
is only selectively integrated with some aspects of communicate basic risk messages to large
operations, such as project and grant management, numbers of stakeholders
among others.
• Lunch-talks or breakfast sessions with invited
external experts to share risk management ‘hot
In sustaining their ERM programmes, most Public
topics’
Sector organisations have periodic initiatives to
continuously build risk culture within key stakeholder • Online Risk Management newsletters to share
groups. Most common approaches include face-to- latest trends, case studies and infographics on a
face ERM training and workshops, e-Learning periodic basis
programmes and topical communication emails. • Customised highly interactive risk ‘master classes’
for small groups of participants (e.g. Risk
Managers)
Figure 10: Some tools and approaches used by organisations to assess risk culture
Another aspect of risk culture that organisations have • Recency effect – Placing greater emphasis on the
started to consider is the threat of bias and mental most recent information we have received, which
traps in risk discussions. Stakeholder engagement may not always be the most critical, to make
and discussions form a significant part of the decisions.
approach to risk identification, assessment and • Anchoring bias – An illogical tendency to “attach”
monitoring processes for many Public Sector ourselves to information we first see or hear
organisations. during a discussion
• Uncertainty effect – An over-aversion to
As stakeholders become increasingly focused on in-
uncertainty which may sometimes lead to a risky
depth risk discussions, it may sometimes be difficult
prospect is valued less than its worst possible
to constantly maintain a high degree of objectivity.
outcome. This may result in the over-emphasis or
Participants tend to fall into one or more of the
overreaction to risk events
following mental traps during risk discussions:
• Status quo bias – A preference for things to
remain the same by not making changes even
though the status quo may not be the best course
of action
GETTING STARTED
For Public Sector organisations that currently have ongoing initiatives to build risk awareness and culture,
they could consider periodic risk culture assessments through various means to identify and address any
‘blind spots’.
Organisations are also encouraged to continuously keep a look out for innovative ways to build sustained
interest in ERM and communicate risk messages, in addition to traditional means such as ERM seminars
and training.
“I use risk
“I know “I know how
management to
my risks” to manage risks”
create value”
Start of
ERM Journey
1 2 3 Mature
ERM
Establish ERM Framework, Incorporate advanced ERM ‘add- Link ERM with strategic planning
A including risk strategy, E ons’ (E.g. risk interconnectivity, H and decision-making
governance, etc. horizon scanning etc.)
Stage 1 typically involves setting the foundations of ‘add-ons’ to augment the ERM programme in place.
an ERM programme, including risk identification Stage 3 focuses largely on the move towards a
processes, as well as establishing the overall ERM technology-enabled and data-driven ERM model.
framework including objectives, governance and
responsibilities. Organisations at this stage typically have sustained
ERM for a period of time, with a strong risk culture
Once the ERM framework and process has been permeating across the organisation from operations
established and sustained for a period of time, to the Board. Due to the acknowledged importance of
organisations may start to move into Stage 2, where ERM to the organisation at this stage, stakeholders
the focus shifts to extracting further value from ERM tend to be more comfortable investing resources to
through integration with other risk management and ensure that ERM efforts provide maximum value to
assurance activities, as well as exploring other ERM stakeholders in line with objectives.
Tea Wei Li
Partner
Risk Consulting
T: +65 6411 8114
E: wtea@kpmg.com.sg
kpmg.com.sg
The information contained herein is of a general nature and is not intended to address the circumstances of any particular
individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such
information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon
such information without appropriate professional advice after a thorough examination of the particular situation.
© 2019 KPMG Services Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of
the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a
Swiss entity. All rights reserved. Printed in Singapore.