RFP REFERENCE:  CCC/RFP/11/07/2022

1. BACKGROUND

The COMESA Competition Commission (CCC) is established under Article 6 of the COMESA Competition Regulations (“the Regulations”). The Regulations were promulgated by the COMESA Council of Ministers (“the Council”) in 2004 under Article 55 of the COMESA Treaty (“the Treaty”).

Pursuant to Article 2 of the Regulations, the Commission is mandated to promote and encourage competition within the Common Market by, inter alia, preventing restrictive business practices that deter the efficient operation of markets thereby facilitating the regional integration agenda. The ultimate goal of the Regulations is to enhance the welfare of consumers in the Common Market by protecting them against anti-competitive conduct by market actors. The Commission’s core focus areas under the Regulations include investigation of anti-competitive business practices and conduct; mergers and acquisitions; and consumer rights violations. In order to implement its mandate under the Regulations, the Commission regularly engages and cooperates with the Member States through sensitization, advocacy programmes, capacity building, technical assistance and provision of advisory opinions.

The Board of Commissioners of COMESA Competition Commission approved a Risk Policy in April 2019 to ensure effort is made by the Commission to manage risk appropriately, to maximise potential opportunities and minimise the adverse effects of risk. The Commission is mindful that it has grown in recent years and that there is need to review it risk management framework by reviewing the provisions of the current risk policy and implementing them thereafter.

2. OBJECTIVES OF THE ASSIGNMENT

The first objective of the assignment is to develop a Risk Management Framework that incorporates the requirements of the provisions of the Risk Policy such as risk register, detailed risk assessment guidelines and risk mitigation measures. The second objective is to review the internal processes of CCC and evaluate the adequacy and effectiveness of internal controls. The assignment will focus on the following specific areas:

a) Develop CCC’s risk management framework (this involves the review of the Risk Policy and development of the terms of reference for the Risk and Audit Committee of the Board).

b) Review internal processes and evaluate the adequacy and effectiveness of CCC’s internal controls
The Consultant should develop a risk management framework that will provide a foundation for designing, implementing, monitoring, reviewing and continually improving risk management processes of the Commission. The consultant will also review internal processes and the adequacy and effectiveness of internal controls in relation to the changes that the Commission has undergone (from inception in 2013 to date) in order to increase organisational performance through improved processes and efficient use resources.

The Consultant’s report and its recommendations will be presented to the CCC Risk and Audit Committee through the Director and Chief Executive Officer for their consideration and adoption.

3. SCOPE OF WORK AND TASKS
The consultant will adopt the Comprehensive Assessment Model (CAM) in carrying this assignment. CAM is an innovative methodology that provides for integrated assurance. This assurance is based on the evaluation of internal controls and the risk management processes, considering all pertinent business and governance objectives, through a unified and unique assessment approach. CAM brings together a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal controls, and governance processes.

The consultant will carry out the following specific tasks:

3.1 Develop a risk management framework for CCC

3.1.1 Review the Risk Policy for CCC and propose updates and amendments to align it with internal and external developments

3.1.2 Develop detailed risk assessment guidelines that enhances uniformity in risk identification, evaluation, and prioritization. This will be followed by coordinated and economical application of resources to mitigate and monitor the probability or impact of the risks.

3.1.3 Identify the risks (both corporate/strategic and operational] that can affect CCC. This will involve determining risks that could potentially prevent CCC from achieving its objectives and documenting their characteristics.

3.1.4 Perform an in-depth analysis of the risks identified in 3.1.3 in order to determine their severity. The Consultant is expected to adopt both the qualitative (subjective tools and techniques, based on the experience and professional judgement of the Consultant, used to decide which risks to focus on) and quantitative (objective tools and techniques that use numerical analyses to assess the impact of a risk) techniques in determining the severity of the risks.

3.1.5 Develop appropriate responses to CCC’s risks and clearly advising management on the best option of managing the risks out of the four categories of risk treatment [avoidance (eliminate, withdraw from or not become involved), reduction (optimize – mitigate), sharing (transfer – outsource or insure), retention (accept and budget)]

3.2 Perform an evaluation of the existing internal controls

The Consultant will perform the evaluation with guidance from the Comprehensive Assessment Model and these will be done in three major categories as follows:

3.2.1 Evaluate the design of the internal controls

The evaluation of the adequacy of the design of the internal control system must consider the relevance of addressed control objectives and the attributes of the controls designed to achieve them. The Consultant must evaluate the internal control system of CCC against:

a) Relevance: the level to which the control activity addresses the pertinent control objective under analysis
b) Timeliness: how long it takes for controls to respond to negative events.
c) Strength: the strength of a control is determined by a series of factors that influence the probability of control effectiveness should related risks arise

• Discretion: the level to which the control is discretional or subjective, that is, if it is based on strict standards versus human judgment
• Segregation: the level of control segregation that goes beyond the well-known concept of separation of roles and duties between process activities
• Independence: the independence element measures the capability of the control owner to manage resources (technical, human, informational, economic) so that the control is most effective, acquiring or integrating resources as needed
• Integrative control factor (integration): the degree and manner in which the control reinforces other control processes for the same objective
• Automation: the degree to which control process are activated by automated systems (information systems, mechanical devices) that reduce errors derived from human behavior
• Adaptability: how adaptable the control is to fluctuating volumes of activity (i.e. if the control is susceptible to the volatility of the controlled activities, it is less effective)
• Traceability: how traceable the control is, which allows it to be verified subsequently in all respects

d) Coverage: the level in which all significant risks are addressed.

3.2.2 Evaluate the performance of the internal controls

After determining the adequacy of the internal controls, the Consultant will evaluate the performance of the controls by performing the following:

• The availability of financial, technological, or human resources needed to perform the controls is satisfactory
• Compliance to the controls as designed, assuming the controls are considered adequate. This includes compliance with laid down procedures and the governance mechanisms in place.
• The results of activities in place to monitor and measure possible residual risks; this ascertains the degree to which control objectives are not reached (i.e. related either to risk management policies or inadequate controls)

3.2.3 Evaluation of the controls’ cost-effectiveness

Evaluation of the controls’ cost-effectiveness will be performed after the assessment of the design and performance. The main objective is to determine the reasonableness of the overall balance between effectiveness of controls and the cost of controls. The consultant will perform the following assessments:

• Losses, damages, or penalties, and/or lost income arising from risk events
• Cost of the resolution of risk events, which varies in relation to the actions needed to limit the impact of negative events that occur. These include internal costs to restore a situation (for example, reprocessing or reperformance costs and advertisement costs to recover from reputational damage).

4. EXPECTED OUTPUTS

4.1 An updated risk policy for CCC

4.2 Detailed risk assessment guidelines that give clear guidance on risk identification, measurement (development of assessment criteria), recording, risk evaluation (ranking based on probability and impact), responses and continuous monitoring (specifying review intervals)

4.3 Risk register which will be used as a risk management tool to fulfil regulatory compliance with the Risk Policy. The risk register will be a repository for all risks identified and includes additional information about each risk, e.g., nature of the risk, reference and owner, mitigation measures). Specifically, the following items have to be included in the risk register:

a) Two distinct sections for corporate/strategic risks (risks that affect the achievement of the Commission’s mandate) and operational risks (risks that are related to the day-to-day delivery of divisional operations).

b) Each section in a) above should have the following subsections: governance, financial, political, legal, regulatory, information and technology and human resources

c) Each risk should have the following details: identification number, brief description, category (internal or external), probability, impact, rating, required action and responsible person

4.4 Evaluation report on the internal controls of CCC. The report should contain, recommendations on the design of the internal controls, functioning and performance of the internal controls and the cost-benefit analysis of the controls.

5. GEOGRAPHICAL SCOPE

The consultant will be expected to carry out the assignment in Lilongwe; Malawi at the COMESA Competition Commission offices in Kang’ombe Building. This consultancy entails the review of the Commission’s internal controls among other things which may not be properly undertaken virtually. The consultant is therefore expected to undertake this exercise largely physically.

6. METHODOLOGY

The consultant will perform the assignment by conducting interviews with CCC staff and reviewing documentation at the CCC offices. A DRAFT report shall be shared with CCC Director and Chief Executive Officer for review and comments before being finalized.

7. PERIOD OF EXECUTION

The period of execution of the contract starts from the date of the signing of the contract and is estimated to take 60 calendar days from the date of contract signing by the last party.

The table below shows the expected activities and the timeline for the assignment.