Navigating a minefield of local government: Top 5 risks for municipalities

It is no secret that South African municipalities are faced with many challenges. From service delivery protests to financial instability, the minefield of risks and concerns seems endless.

In 2024 South Africa will celebrate 30 years of democracy. However, if one considers the bleak picture painted by the Auditor-General’s (AG) report regarding the state of municipal finances as well as the state of the infrastructure in many municipal areas, the question remains as to how effective local government is in meeting its mandate.

In the aftermath of a global pandemic and in light of these unique challenges, it follows that a more proactive risk management process might be required to achieve a better municipal landscape. This article aims to summarise the top five risks currently faced by municipalities. As providers of oversight and assurance, we as government auditors (internal or external) should be aware of these risks, as they will have an impact on the future of our clients.

1. Standard Transfer Specification

The Standard Transfer Specification Token Identifier Prepaid Electricity Meter Reset, with its looming deadline of 24 November 2024, carries a severe risk of loss of revenue, as the meters that have not been reset, by this date, will no longer function. This can also have a legal implication, as municipalities will fail to provide a basic service (electricity).

The concern here is the slow progress that municipalities have made to date. SALGA (2023) reported that 65% of meters have not been reset yet, which is just less than 3 million meters!

Municipalities that have not started with the reset process can no longer delay. A decision will have to be made as to whether officials will go door-to-door or whether the reset process will be outsourced.

2. Administrative Adjudication of Road Traffic Offences Controversy

The controversial Administrative Adjudication of Road Traffic Offences (Aarto) Act is a step closer to becoming a reality after the Constitutional Court confirmed its constitutionality in July this year.

Its current implementation date is 1 July 2024. This brings yet another risk of loss of revenue for municipalities. Aarto will centralise traffic fine collection, where all fines will be processed by the Road Traffic Infringement Agency. This can result in a loss of municipal revenue, as not all the revenue collected will be paid back to municipalities.

Municipal revenue collection has already been impacted, as prepaid electricity sales have decreased significantly over the last year because of consumers going off the grid to curtail loadshedding. Another big risk for municipalities is readiness to administer the new process. Aarto will completely change the way fines are imposed, enforced and collected. This will require new processes, increased coordination with the National Government and additional training.

3. Local Government Audit Outcomes

In her Report on Local Government Audit Outcomes, the AG slammed municipalities for their failure to implement infrastructure projects. This is a big concern for most municipalities, as it directly impacts service delivery (such as water supply and roads). A review of most municipal financial statements will show large amounts of underexpenditure on municipal grants received from national and provincial governments.

This is a clear indicator of a reactive approach to project management and maintenance. Simply put, municipalities are failing their communities. The root causes seem to relate to poor project management and inadequate supply chain management processes. To correct this, municipalities will need to ensure that a proper risk appetite is set and that adequate standard operating procedures are implemented for infrastructure project management. Supply chain processes should also be closely monitored as part of the project management process.

4. Municipal Business Continuity Planning

The violent protests of 2021, as well as other recent incidents such as the vandalism of the municipal offices in Swellendam, have shown the need for municipal business continuity planning (BCP). A common mistake made by municipalities is to limit their BCPs to information technology and data protection only. A well-developed BCP should include strategies to address damages to offices and infrastructure as well as disruptive events.

Other common errors include ignoring plans for alternative working areas and omitting the BCP from the budget. The question each accounting officer should ask is: if our offices are destroyed tomorrow, how will we continue to serve our communities? Having a BCP is not good enough. It should also be comprehensive, based on a thorough risk assessment and adequately tested.

5. The Protection of Personal Information Act (POPIA) and Cybersecurity risks

Lastly, municipalities can no longer ignore the threats associated with cybersecurity. Gone are the days when cyber risks were just an addition to business risks. The cyber risk landscape and the business risk landscape are the same thing. The Protection of Personal Information Act (POPIA) is no longer a new thing and the time has come for municipalities to take this act seriously. It is also imperative that municipal workers understand that this is not merely an “IT risk”, but a risk that must be owned by all staff.

A common example is where hackers, through the “Darkweb” use phishing and spoofing techniques

to send an email from a legitimate employee’s email address to Human Resources, to “inform” them of a change of banking details. The email looks very legit and even contains a bank confirmation letter with the “new” banking details. Unaware HR officials can easily fall for this trick. Municipalities will therefore need to embark on an awareness project to ensure that all staff is adequately trained. Cybersecurity policies should be implemented to ensure that staff identity, municipal finances, citizen identity and citizen finances are adequately protected against malicious attacks and exploitation.

As independent assurance providers, we should advise and warn our clients as much as possible to enable them to do proper risk management. No municipality can afford to lose any more revenue, not meet its mandate, or suffer unnecessary losses due to inadequate continuity planning or a lack of awareness. With resources becoming increasingly limited and municipalities having to operate in continuously changing environments, the minefield of risks is becoming more treacherous. The price of a reactive approach is too high, and municipalities will need to implement improved and agile risk management processes to navigate the road ahead. 