The Essential Risk Management Guide

An introduction to the fundamentals of Risk Management & Risk Management software, best practices, and resources, all in one place.

Table of Contents:

Chapter 1: What is Risk Management?

What do the standards and governance codes say about risk management?

Now, more than ever, under these trying economic conditions, an organisation needs to operate as a lean machine, and key to this is robust risk management embedded throughout the organisation. Divisional objectives, including lower-level objectives, must support and be in sync with the overall objectives of the organisation. The risks associated with each of these objectives need to be identified, managed and monitored on an ongoing basis. Every effort should be made to minimise the risks that you wish to reduce or avoid, whilst still being able to take appropriate risks for reward (opportunity risk), provided that those risks are within the risk appetite and tolerance levels of the organisation.

Rogue behaviour is unacceptable in today’s business environment and can destroy an organisation overnight. Gerry Grimstone had a message for senior executives. “You can’t easily blame a board member for not knowing something,” Grimstone said. “But you can blame a board member for creating a culture where he or she doesn’t know something.” Grimstone also discussed the “tone from the top”: the need for an organisational culture in which assumptions are challenged and ethical risk management practices are acclaimed, not neglected.

It’s quite simple! A lack of disclosure combined with an ineffective risk management information and reporting system amounts to negligence. Boards are explicitly given a choice: either have effective risk management in practice, or disclose the ineffectiveness of their risk management to the public. If they do neither, it is treated as fraud or negligence, because not knowing about a risk is no longer a defence.

At every level of our organisation, we as board members, exco members, managers and employees need to ask ourselves: Do we know what our objectives are? Are we managing the significant risks that threaten our objectives and do we recognize the opportunities and act on them within our risk appetite? Do we want to be part of the solution or are we apathetic and part of the problem?

In summary, effective risk management enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation.


Chapter 2: The need for Risk Management

As a result of organisational failures in the past, stakeholders do not want to be caught unawares by risk events. Stakeholders require assurance that management has taken the necessary steps to protect their interests. Corporate governance thus places the accountability for risk management in the hands of the Accounting Authority / Officer and the Board. Stakeholders expect internal control and other risk mitigation mechanisms to be based on a thorough assessment of institutional wide risks.

Some of the benefits derived from the risk management activities include:


Chapter 3: What do the standards say?

According to ISO 31000, risk is the “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected. Risk management refers to a “coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives.”

The COSO “Enterprise Risk Management – Integrated Framework”, published in 2004, defines risk management as a “…process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Legislation such as the PFMA (Public Finance Management Act) and the MFMA (Municipal Finance Management Act), together with corporate governance codes such as King IV, expect an institution to implement a risk management plan. The King IV code on corporate governance (copyright Institute of Directors Southern Africa) applies to all entities, regardless of their nature, size or form of incorporation. The Code is implemented on an “apply and explain” basis. The following principles relating to risk governance are embodied in the Code:

Recommended Practices

  1. The governing body should assume responsibility for the governance of risk by setting the direction for how risk should be approached and addressed in the organisation. Risk governance should encompass both:
    • a. the opportunities and associated risks to be considered when developing strategy; and
    • b. the potential positive and negative effects of the same risks on the achievement of organisational objectives.
  2. The governing body should treat risk as integral to the way it makes decisions and executes its duties.
  3. The governing body should approve policy that articulates and gives effect to its set direction on risk.
  4. The governing body should evaluate and agree the nature and extent of the risks that the organisation should be willing to take in pursuit of its strategic objectives. It should approve in particular:
    • a. the organisation’s risk appetite, namely its propensity to take appropriate levels of risk; and
    • b. the organisation’s risk tolerance, namely the limit of the potential loss that the organisation has the capacity to tolerate.
  5. The governing body should delegate to management the responsibility to implement and execute effective risk management.
  6. The governing body should exercise ongoing oversight of risk management and, in particular, oversee that it results in the following:
    • a. An assessment of risks and opportunities emanating from the triple context in which the organisation operates and the capitals that the organisation uses and affects
    • b. An assessment of the potential upside, or opportunity, presented by risks with potentially negative effects on achieving organisational objectives
    • c. An assessment of the organisation’s dependence on resources and relationships as represented by the various forms of capital
    • d. The design and implementation of appropriate risk responses
    • e. The establishment and implementation of business continuity arrangements that allow the organisation to operate under conditions of volatility, and to withstand and recover from acute shocks.
    • f. The integration and embedding of risk management in the business activities and culture of the organisation
  7. The governing body should consider the need to receive periodic independent assurance on the effectiveness of risk management.
  8. The nature and extent of the risks and opportunities the organisation is willing to take should be disclosed without compromising sensitive information.
  9. In addition, the following should be disclosed in relation to risk:
    • a. An overview of the arrangements for governing and managing risk
    • b. Key areas of focus during the reporting period, including objectives, the key risks that the organisation faces, as well as undue, unexpected or unusual risks and risks taken outside of the risk tolerance levels
    • c. Actions taken to monitor the effectiveness of risk management and how the outcomes were addressed
    • d. Planned areas of future focus


Chapter 4: What is Risk Assessment?

What do the standards say about risk assessment?


So risk assessment is defined slightly differently by the two standards, with ISO 31000 covering a broader range of activities and COSO being more focused. The overall risk management process is nevertheless similar: identify risks, rate and assess them, respond to them (treatment), and monitor and review them on an ongoing basis, supported by reporting and communication throughout.

Performing a risk assessment

Taking the more focused view of risk assessment: once risks have been identified at the various levels of the organisation (associated with the achievement of objectives), it is important to prioritise them. Prioritising risks involves rating the impact (severity) and likelihood of each risk. Risks are rated qualitatively against risk appetite and tolerance thresholds which, ideally, should be specific to individual areas or business units. The following is a typical example of a qualitative risk appetite and tolerance model which can be used as a guideline when rating the impact of a risk:


Where possible, risks should also be rated quantitatively. Quantitative risk appetite thresholds should be defined per area or business unit and per category of risk, so that higher impact thresholds can be set for risks that you wish to take (opportunity-related risks) and lower impact thresholds for risks that you wish to avoid. For example, thresholds should be set at every level of the business (business unit) by type of risk (opportunity-related risks versus negative risks to be avoided):


Steps to effective risk assessment:

Step 1: Understand the definition of risk appetite and tolerance and how it relates to your organisation.

Step 2: (a) Define risk appetite models that take materiality into account at group, divisional and business unit level, and formulate and rate risks against your qualitative risk appetite model or statement; (b) set up your quantitative risk appetite thresholds at the key levels (business units) of your organisation.

Step 3: Report qualitatively as well as quantitatively on your risks, taking into account the significance (importance) of objectives at the different levels (business units) of your organisation.
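As an added example, not part of the original guide and not BarnOwl’s code, the following Python script applies the three steps above to a constructed risk register. Each risk is rated qualitatively on a 5x5 impact/likelihood grid and banded for a heat map, then checked quantitatively against appetite and tolerance thresholds defined per business unit and per category, with higher thresholds for opportunity risks than for risks to be avoided. The rating scales, the threshold values, the business units and the four risk entries are all assumptions chosen for illustration.

```python
"""Prioritise a risk register qualitatively (heat-map band) and quantitatively
(per-unit, per-category appetite and tolerance thresholds). Added example;
all scales, thresholds and risks below are hypothetical."""
from dataclasses import dataclass

# Hypothetical 5-point scales; the guide's own rating table is not reproduced here.
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass(frozen=True)
class Risk:
    ref: str
    unit: str          # business unit that owns the risk
    category: str      # "avoid" (risk to be minimised) or "opportunity" (risk taken for reward)
    impact: str        # key into IMPACT
    likelihood: str    # key into LIKELIHOOD
    exposure: float    # quantitative impact estimate, in currency units


@dataclass(frozen=True)
class Threshold:
    appetite: float    # loss the unit is willing to take; above this is "outside appetite"
    tolerance: float   # loss the unit has the capacity to absorb; above this is "outside tolerance"


# Hypothetical quantitative appetite model keyed by (unit, category). Opportunity
# risks carry higher thresholds than risks to be avoided, as the guide recommends.
APPETITE_MODEL = {
    ("Group", "avoid"): Threshold(5_000_000, 10_000_000),
    ("Group", "opportunity"): Threshold(20_000_000, 40_000_000),
    ("Retail", "avoid"): Threshold(500_000, 1_000_000),
    ("Retail", "opportunity"): Threshold(2_000_000, 4_000_000),
}


def qualitative_score(risk):
    """Impact x likelihood on the 5x5 grid, banded for a heat map (bands are hypothetical)."""
    score = IMPACT[risk.impact] * LIKELIHOOD[risk.likelihood]
    if score >= 15:
        band = "high"
    elif score >= 8:
        band = "medium"
    else:
        band = "low"
    return score, band


def quantitative_status(risk, model=APPETITE_MODEL):
    """Compare exposure with the owning unit's thresholds; units without their own
    thresholds fall back to the Group thresholds for the same category."""
    threshold = model.get((risk.unit, risk.category)) or model[("Group", risk.category)]
    if risk.exposure > threshold.tolerance:
        return "outside tolerance"
    if risk.exposure > threshold.appetite:
        return "outside appetite"
    return "within appetite"


STATUS_RANK = {"outside tolerance": 0, "outside appetite": 1, "within appetite": 2}


def prioritise(risks, model=APPETITE_MODEL):
    """Tolerance breaches first, then appetite breaches, then by score and exposure."""
    def key(risk):
        score, _ = qualitative_score(risk)
        return (STATUS_RANK[quantitative_status(risk, model)], -score, -risk.exposure)
    return sorted(risks, key=key)


# Constructed sample register (not real data).
REGISTER = [
    Risk("R1", "Retail", "avoid", "major", "possible", 750_000),
    Risk("R2", "Retail", "opportunity", "major", "possible", 750_000),
    Risk("R3", "Group", "avoid", "moderate", "unlikely", 12_000_000),
    Risk("R4", "Treasury", "avoid", "minor", "rare", 100_000),  # no unit thresholds: Group fallback
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        score, band = qualitative_score(r)
        print(f"{r.ref} {r.unit:<9} {r.category:<12} {score:>2} {band:<6} {quantitative_status(r)}")
```

Running the script lists R3 first (its exposure exceeds the Group tolerance), then R1 (a Retail risk to be avoided that exceeds Retail appetite). R2, an opportunity risk of identical size and rating in the same unit, stays within appetite, which is the asymmetry between opportunity and avoid thresholds that the text calls for. Treasury has no thresholds of its own and silently inherits the Group thresholds; a real risk appetite statement should make such fallbacks explicit rather than leave them to the tool.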

You can find further information on risk appetite and tolerance at:

Chapter 5: Why the need for Risk Management Software?

Risk management software facilitates the embedding of risk management within an organisation as set out in the ISO31000 and COSO standards. It is not possible to embed risk management without specialised risk management software. Sadly, many organisations still pay lip service to risk management and think that risk management is about listing and monitoring their top 20 risks in an Excel document, which they discuss with the board and / or exco from time to time. Somehow, however, many of these organisations still manage to come up with a ‘nice’ glossy annual report with a chapter on how well they are performing risk management in line with the standards to appease their shareholders and prospective investors.

In order to claim that your organisation is serious about risk management, the following are a few points worth noting:

In Summary:

It is impossible to perform effective risk management without risk management software. Having said this, as with any system it is a case of garbage in, garbage out, so commitment to the risk management process remains fundamental to effective risk management.


Chapter 6: What Risk Management software will do for my organisation

An organisation cannot manage risk effectively without the use of specialised risk software which drives accountability and ownership for risk in a coordinated manner across the organisation. Therefore, if your organisation is serious about risk management you need specialised risk management software which will:

Why can’t we just use Excel?

And now imagine if you combine the best of both worlds:

A well-designed software solution combines the best of both worlds, allowing users to work flexibly but also in a structured and consistent way that supports data quality, accuracy and completeness, enabling consolidated reporting of one version of the truth. One of the key benefits of a system is the ability to provide intelligent reporting at the click of a button, informing the business on as close to a real-time basis as possible. Pulling disparate information together from many Excel documents is time consuming, prone to error and a waste of the time of expensive resources.

In the design of any system there are conflicting trade-offs between flexibility, complexity, ease of use, structured versus unstructured data, reportability and so on. Choose a system that balances flexibility against complexity: easy to use and fit for purpose, rather than impossible to configure and maintain.


Chapter 7: Steps to the successful implementation of risk management software

Software implementation:

  1. Ensure you have an existing risk management policy, risk framework and methodology
  2. Identify the risk champions and risk owners at the various levels of your organisation. Limit the number of users to start with
  3. Sanitise and import your existing Excel-based risk registers into the system
  4. Confirm the kinds of risk management reports you would like out of the system: heat maps, trend analysis etc.
  5. Get buy-in from the top and educate your users as to the value of RM and the reason for a system

Now you are ready to use the software:

  1. Inform users that whilst the system is non-intrusive there will be automated follow-up of action plans and automated risk & control self-assessments
  2. Embed and expand the usage of the system over time
  3. Add value to the organisation with insightful reporting
  4. Demonstrate the effective mitigation of risks and monitoring of controls
  5. Follow up on remedial action plans


Chapter 8: Considerations and key questions when buying risk management software



Chapter 9: Key feature comparison checklist

Important Features | BarnOwl | Software B | Software C
Is the system a fully integrated GRC software solution offering additional modules such as compliance, incident management and audit? | | |
Full system functionality supporting the COSO and ISO 31000 standards, including functionality to maintain objectives, risks, controls (including multi-rating of controls per assurance provider), contributing factors, KRIs, incident management, action plans, voting, risk & control self-assessments, surveys and questionnaires | | |
Simple and flexible take-on / import functionality | | |
Flexible and parameter-driven to ensure configuration for your risk methodology (ratings etc.) | | |
Ability to maintain a central library of common objectives, risks, controls, KRIs etc. | | |
User-defined fields available anywhere in the system and ability to report on user-defined fields | | |
Linking of objectives to risks and risks to other risks, KRIs etc., enabling dynamic re-assessment and automated notifications to risk owners of a changing risk environment | | |
Highly flexible and customisable report generation without any programmer intervention | | |
Combined assurance reporting | | |
Graphical slice-and-dice reporting: e.g. risk heat map, heat map movement, trends, risk ranking, causal analysis, etc. | | |
Automated risk & control self-assessments without any licensing or cost implications | | |
Online questionnaires and surveys without any licensing or cost implications | | |
Online action plans with email notifications to all auditees without any licensing or cost implications | | |
Offline and online synchronisation enabling workshops to be conducted offline | | |
Ease of use, including a ‘Lite’ offering allowing easy adoption and buy-in for the system by business users | | |
User / group security restricting unit and risk owner access | | |
Ability and willingness of the vendor to respond to software enhancement requests | | |
Online help, FAQs, up-to-date system documentation | | |
End-user support process, support portal | | |
Regular and seamless software upgrades | | |
Regular user groups, refresher training etc. | | |
Client references and track record of the vendor | | |


About BarnOwl Risk Management:

The BarnOwl risk management module facilitates a structured and systematic approach to risk management by providing an effective way of prioritising and managing risk and opportunity across the organisation in pursuit of business objectives and strategy. BarnOwl provides a unified view of risk and gives management and staff at every level the ability to identify, assess, manage, monitor and report on risks. BarnOwl provides an early warning system, drives ownership of risk mitigation, and delivers risk intelligence reporting that assists with business growth and sustainability. The BarnOwl risk management module supports and embeds best-practice frameworks such as COSO, ISO 31000 and the National Treasury Framework.

© 2022 IDI Technology (Pty) Ltd