The Essential Risk Management Guide

An introduction to the fundamentals of Risk Management & Risk Management software, best practices, and resources, all in one place.

Table of Contents:

Chapter 1: What is Risk Management

What do the standards and governance codes say about risk management?

Now, more than ever, under these trying economic conditions, an organisation needs to operate as a lean, mean machine, and key to this is robust risk management embedded throughout the organisation. Divisional objectives, including lower-level objectives, must support and be in sync with the overall objectives of the organisation. The risks associated with each of these objectives need to be identified, managed and monitored on an ongoing basis. Every effort should be made to minimise the risks that you wish to reduce or avoid, whilst being able to take appropriate risks for reward (opportunity risk), provided that those risks are within the risk appetite and tolerance levels of the organisation.

Rogue behaviour is unacceptable in today’s business environment and can destroy an organisation overnight. Gerry Grimstone had a message for senior executives. “You can’t easily blame a board member for not knowing something,” Grimstone said. “But you can blame a board member for creating a culture where he or she doesn’t know something.” Grimstone also discussed the “tone from the top”: the need for an organisational culture where assumptions are challenged and ethical risk management practices are acclaimed, not neglected.

It’s quite simple! Lack of disclosure and an ineffective risk management information and reporting system equals negligence. Boards are explicitly given a choice between either having effective risk management in practice or disclosing their ineffectiveness in risk management to the public. If they do neither, it is considered fraud or negligence, as not knowing about a risk is no longer a defense.

At every level of our organisation, we as board members, exco members, managers and employees need to ask ourselves: Do we know what our objectives are? Are we managing the significant risks that threaten our objectives and do we recognize the opportunities and act on them within our risk appetite? Do we want to be part of the solution or are we apathetic and part of the problem?

In summary, effective risk management enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation.

Further Reading:

Chapter 2: The need for Risk Management

As a result of organisational failures in the past, stakeholders do not want to be caught unawares by risk events. Stakeholders require assurance that management has taken the necessary steps to protect their interests. Corporate governance thus places the accountability for risk management in the hands of the Accounting Authority / Officer and the Board. Stakeholders expect internal control and other risk mitigation mechanisms to be based on a thorough assessment of institutional wide risks.

Some of the benefits derived from the risk management activities include:

Further Reading:

Chapter 3: What do the standards say?

According to ISO 31000, risk is the “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected. Risk management refers to a “coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives.”

The COSO “Risk Management-Integrated Framework” published in 2004 defines RM as a “…process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Legislation such as PFMA and the MFMA together with corporate governance codes such as King IV expect an institution to implement a risk management plan. The King IV code on corporate governance (copyright Institute of Directors Southern Africa) applies to all entities, regardless of their nature, size or form of incorporation. The Code is implemented on an “apply and explain” basis. The following principles relating to risk governance are embodied in the Code:

Recommended Practices

  1. The governing body should assume responsibility for the governance of risk by setting the direction for how risk should be approached and addressed in the organisation. Risk governance should encompass both:
    • a. the opportunities and associated risks to be considered when developing strategy; and
    • b. the potential positive and negative effects of the same risks on the achievement of organisational objectives.
  2. The governing body should treat risk as integral to the way it makes decisions and executes its duties.
  3. The governing body should approve policy that articulates and gives effect to its set direction on risk.
  4. The governing body should evaluate and agree the nature and extent of the risks that the organisation should be willing to take in pursuit of its strategic objectives. It should approve in particular:
    • a. the organisation’s risk appetite, namely its propensity to take appropriate levels of risk; and
    • b. the limit of the potential loss that the organisation has the capacity to tolerate.
  5. The governing body should delegate to management the responsibility to implement and execute effective risk management.
  6. The governing body should exercise ongoing oversight of risk management and, in particular, oversee that it results in the following:
    • a. An assessment of risks and opportunities emanating from the triple context in which the organisation operates and the capitals that the organisation uses and affects
    • b. An assessment of the potential upside, or opportunity, presented by risks with potentially negative effects on achieving organisational objectives
    • c. An assessment of the organisation’s dependence on resources and relationships as represented by the various forms of capital
    • d. The design and implementation of appropriate risk responses
    • e. The establishment and implementation of business continuity arrangements that allow the organisation to operate under conditions of volatility, and to withstand and recover from acute shocks.
    • f. The integration and embedding of risk management in the business activities and culture of the organisation
  7. The governing body should consider the need to receive periodic independent assurance on the effectiveness of risk management.
  8. The nature and extent of the risks and opportunities the organisation is willing to take should be disclosed without compromising sensitive information.
  9. In addition, the following should be disclosed in relation to risk:
    • a. An overview of the arrangements for governing and managing risk
    • b. Key areas of focus during the reporting period, including objectives, the key risks that the organisation faces, as well as undue, unexpected or unusual risks and risks taken outside of the risk tolerance levels
    • c. Actions taken to monitor the effectiveness of risk management and how the outcomes were addressed
    • d. Planned areas of future focus

Further Reading:

Chapter 4: What is Risk Assessment?

What do the standards say about risk assessment?


So risk assessment is defined slightly differently by the standards, with ISO 31000 covering a broader range of activities and COSO being more focused; however, the overall risk management process is similar in terms of identifying risks, rating / assessing risks, responding to risks (treatment), ongoing monitoring and review, and reporting and communication.

Performing a risk assessment

Taking the more focused view of risk assessment: once risks have been identified at the various levels of the organisation (associated with the achievement of objectives), it is important to prioritise these risks. Prioritising risks involves rating the impact (severity) and likelihood of each risk. Risks are rated qualitatively against risk appetite and tolerance thresholds, which ideally should be specific to individual areas / business units. The following is a typical example of a qualitative risk appetite and tolerance model which can be used as a guideline when rating the impact of a risk:


Where possible, risks should also be rated quantitatively. Quantitative risk appetite thresholds should be defined per area / business unit and per category of risk, so that it is possible to set higher impact thresholds for risks that you wish to take (opportunity-related risks) and lower impact thresholds for risks that you wish to avoid. For example, thresholds should be set at every level of the business (business unit) by type of risk (i.e. risks associated with opportunity versus negative risks to be avoided):


Steps to effective risk assessment:

Step 1: Understand the definition of risk appetite and tolerance and how it relates to your organisation.

Step 2: (a) Formulate and rate risks based on your qualitative risk appetite model / statement, defining risk appetite model(s) that take into account materiality at group, divisional and business unit level; (b) set up your quantitative risk appetite thresholds at the key levels (business units) of your organisation.

Step 3: Report qualitatively as well as quantitatively on your risks, taking into account the significance (importance) of objectives at the different levels (business units) of your organisation.
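The three steps above, carried through as an added example (not code from the page or from BarnOwl): a small risk register is rated qualitatively on an impact × likelihood scale, compared against quantitative appetite thresholds that differ per business unit and per risk type (opportunity versus avoid), and then reported in priority order weighted by the significance of the threatened objective. The 5×5 scales, the threshold amounts, the business units and the sample risks are all constructed for the example; the page's own appetite tables are not reproduced here.

```python
"""Risk register prioritisation: qualitative rating, quantitative appetite
thresholds per business unit and risk type, and significance-weighted reporting.
Constructed example; scales, thresholds and sample risks are assumptions."""
from dataclasses import dataclass
from typing import Literal

# Assumed 5x5 qualitative model (the page's own table is not reproduced).
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


def qualitative_rating(impact: str, likelihood: str) -> tuple[int, str]:
    """Step 2(a): rate a risk as the product of impact and likelihood and band it."""
    score = IMPACT[impact] * LIKELIHOOD[likelihood]
    if score >= 15:
        band = "high"      # outside qualitative tolerance
    elif score >= 8:
        band = "medium"
    else:
        band = "low"
    return score, band


@dataclass(frozen=True)
class Threshold:
    avoid: float        # maximum loss tolerated for risks the unit wants to avoid
    opportunity: float  # higher limit for risks the unit takes for reward


# Step 2(b): constructed quantitative thresholds per business unit, per risk type.
THRESHOLDS = {
    "Group": Threshold(avoid=5_000_000, opportunity=20_000_000),
    "Retail": Threshold(avoid=500_000, opportunity=2_000_000),
    "IT": Threshold(avoid=250_000, opportunity=1_000_000),
}


@dataclass(frozen=True)
class Risk:
    name: str
    unit: str
    risk_type: Literal["avoid", "opportunity"]
    impact: str
    likelihood: str
    exposure: float          # quantified potential loss in the unit's currency
    objective_weight: float  # significance of the threatened objective, 0..1


def assess(risk: Risk) -> dict:
    """Combine the qualitative band with the unit- and type-specific threshold."""
    score, band = qualitative_rating(risk.impact, risk.likelihood)
    limit = getattr(THRESHOLDS[risk.unit], risk.risk_type)
    return {
        "name": risk.name,
        "unit": risk.unit,
        "score": score,
        "band": band,
        "exposure": risk.exposure,
        "threshold": limit,
        "within_appetite": risk.exposure <= limit,
        # Step 3: weight the qualitative score by objective significance.
        "priority": score * risk.objective_weight,
    }


def prioritise(risks: list[Risk]) -> list[dict]:
    """Breaches of appetite come first, then descending weighted priority."""
    return sorted((assess(r) for r in risks),
                  key=lambda a: (a["within_appetite"], -a["priority"]))


# Constructed sample register.
SAMPLE_RISKS = [
    Risk("Ransomware outage", "IT", "avoid", "major", "possible", 400_000, 0.9),
    Risk("New market entry", "Retail", "opportunity", "moderate", "likely", 1_500_000, 0.6),
    Risk("Supplier concentration", "Group", "avoid", "catastrophic", "unlikely", 6_000_000, 1.0),
    Risk("Minor compliance gap", "Retail", "avoid", "minor", "possible", 50_000, 0.4),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_RISKS):
        flag = "OK" if a["within_appetite"] else "BREACH"
        print(f'{flag:6} {a["unit"]:7} {a["name"]:24} score={a["score"]:2} '
              f'{a["band"]:6} exposure={a["exposure"]:>10,.0f} limit={a["threshold"]:>10,.0f}')
```

Because the threshold is looked up by both business unit and risk type, the same exposure can be a breach for an IT "avoid" risk and comfortably within appetite for a Retail "opportunity" risk, which is the point the page makes about setting thresholds per unit and per category.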

You can find further information on risk appetite and tolerance at:

In summary, effective risk management enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation.

Chapter 5: Why the need for Risk Management Software?

Risk management software facilitates the embedding of risk management within an organisation as set out in the ISO 31000 and COSO standards. It is not possible to embed risk management without specialised risk management software. Sadly, many organisations still pay lip service to risk management and think that it is about listing and monitoring their top 20 risks in an Excel document, which they discuss with the board and / or exco from time to time. Somehow, however, many of these organisations still manage to produce a ‘nice’ glossy annual report with a chapter on how well they are performing risk management in line with the standards, to appease their shareholders and prospective investors.

In order to claim that your organisation is serious about risk management, the following are a few points worth noting:

In Summary:

In summary, it is impossible to perform effective risk management without risk management software. Having said this, however, as with any system it is a case of garbage-in, garbage-out, so commitment to the risk management process is fundamental to effective risk management.

Effective risk management enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation.

Further Reading:

Chapter 6: What Risk Management software will do for my organisation

An organisation cannot manage risk effectively without the use of specialised risk software which drives accountability and ownership for risk in a coordinated manner across the organisation. Therefore, if your organisation is serious about risk management you need specialised risk management software which will:

Why can’t we just use Excel?

And now imagine if you combine the best of both worlds:

A well-designed software solution combines the best of both worlds, allowing users to work in a flexible way but also in a structured and consistent way which facilitates data quality, accuracy and completeness, enabling consolidated reporting of one version of the truth. One of the key benefits of a system is the ability to provide intelligent reporting at the click of a button, informing the business on as close to a real-time basis as possible. Pulling Excel documents together with disparate information is time consuming, prone to error and, frankly, a waste of the time of expensive resources.

In the design of any system there are many conflicting trade-offs between flexibility, complexity, ease of use, structured versus unstructured data, reportability, etc. Choose a system which balances flexibility against complexity, ensuring ease of use and fitness for purpose rather than being impossible to configure and maintain.

Further Reading:

Chapter 7: Steps to the successful implementation of risk management software

Software implementation:

  1. Ensure you have an existing risk management policy, risk framework and methodology
  2. Identify the risk champions and risk owners at the various levels of your organisation. Limit the number of users to start with
  3. Sanitise and import your existing Excel-based risk registers into the system
  4. Confirm the kinds of risk management reports you would like out of the system: heat maps, trend analysis etc.
  5. Get buy-in from the top and educate your users as to the value of RM and the reason for a system

Now you are ready to use the software:

  1. Inform users that whilst the system is non-intrusive there will be automated follow-up of action plans and automated risk & control self-assessments
  2. Embed and expand the usage of the system over time
  3. Add value to the organisation with insightful reporting
  4. Demonstrate the effective mitigation of risks and monitoring of controls
  5. Follow up on remedial action plans

Further Reading:

Chapter 8: Considerations and key questions when buying risk management software


Further Reading:

Chapter 9: Key feature comparison checklist

Important features (to be scored for BarnOwl, Software B and Software C):
Is the system a fully integrated GRC software solution offering additional modules such as compliance, incident management and audit
Full system functionality supporting the COSO, ISO31000 standards including functionality to maintain objectives, risks, controls (including multi-rating of controls per assurance provider), contributing factors, KRIs, incident management, action plans, voting, risk & control self-assessments, surveys, questionnaires
Simple and flexible take-on / import functionality
Flexible and parameter-driven to ensure configuration for your risk methodology (ratings etc.)
Ability to maintain a central library of common objectives, risks, controls, KRIs etc.
User-defined fields available anywhere in the system and ability to report on user-defined fields
Linking of objectives to risks and risks to other risks, KRIs etc. enabling dynamic re-assessment and automated notifications to ‘risk owners’ of a changing risk environment
Highly flexible and customisable report generation without any programmer intervention
Combined assurance reporting
Graphical slice and dice reporting: e.g. risk heat map, heat map movement, trends, risk ranking, causal analysis, etc.
Automated risk & control self-assessments without any licensing or cost implications
Online questionnaires and surveys without any licensing or cost implications
Online action plans with email notifications to all auditees without any licensing or cost implications
Offline and online synchronisation enabling workshops to be conducted offline
Ease of use including a ‘Lite’ offering allowing easy adoption and buy-in for the system by the business users.
User / Group security restricting unit and risk owner access
Ability and willingness of the vendor to respond to software enhancement requests
Online help, FAQs, up-to-date system documentation
End user support process, support portal
Regular and seamless software upgrades
Regular user groups, refresher training etc.
Client references and track record of the vendor

Further Reading:

About BarnOwl Risk Management:

The BarnOwl risk management module facilitates a structured and systematic approach to risk management by providing an effective way of prioritising and managing risk and opportunity across the organisation in pursuit of business objectives and strategy. BarnOwl provides a unified view of risk and gives management and staff at every level the ability to identify, assess, manage, monitor and report on risks. BarnOwl provides an early warning system, drives ownership for risk mitigation, and delivers risk intelligence reporting assisting with business growth and sustainability. The BarnOwl risk management module supports and embeds best practices frameworks such as COSO, ISO31000 and The National Treasury Framework.

To learn more about BarnOwl’s Risk Management Software, please click here.



GRCReady is the official provider of risk management content for the BarnOwl GRC software solution. GRCReady provides extensive risk libraries and risk maturity checklists/surveys which are integrated with BarnOwl.

GRCReady, based in Australia, offers a comprehensive and holistic library of products and associated services including templates, policies, procedures, guidelines, checklists etc. to help owners and directors of SMEs, startups and corporates to satisfy their corporate governance, risk management and regulatory compliance needs.

By integrating GRCReady's rich content libraries into BarnOwl's GRC software, we are able to offer our clients a state of the art, turnkey GRC solution.

GRCReady provides, arguably, the most comprehensive risk and governance maturity assessment framework, with detailed steps and artefacts. BarnOwl's survey and action plan portal provides a simple and effective way to monitor and report on your current state of risk maturity and to suggest and drive remedial action plans to take you to your desired state of risk and governance maturity.

Integrating GRCReady's risk libraries with the BarnOwl GRC software means that you don't have to start from scratch. In addition, ongoing updates and insights keep you informed and up-to-date on best practices.


Season Rhythm is BarnOwl's preferred partner in Botswana, assisting with BarnOwl implementations, support services and client relationship management.

Season Rhythm is an established and distinguished player in the ICT sector in Botswana, specialising in a range of cutting-edge solutions. Season Rhythm leverages BarnOwl to provide tailored GRC&A services to businesses in Botswana facilitating:

  • Governance: Enabling organisations to establish and uphold effective governance structures, ensuring transparency and accountability in decision making processes.
  • Risk Management: Equipping businesses with tools to identify, assess and mitigate risks, safeguarding against potential threats and ensuring continuity in a business environment.
  • Compliance: Ensuring adherence to regulatory frameworks and industry standards, protecting businesses from non-compliance penalties and fostering trust among stakeholders.
  • Audit: Streamlining the audit process with comprehensive tools for planning, execution and reporting, driving efficiency and accuracy in internal audit and compliance assessments.


BarnOwl works closely with NSA in the field of GRC and assurance.

NSA is an education and risk & assurance advisory services provider, consisting of a team of professional consultants and facilitators who have been hand-picked on experience and expertise. NSA services include:

  • Strategic intervention: 30 expert consultants facilitating strategic planning, combined assurance, effective governance and risk management assignments.
  • Continuous professional development: CPD training for internal auditors, external auditors, accountants, risk managers, government officials, and psychologists.
  • Online learning: accredited training for the local government sector, including the Municipal Financial Management Program and Supply Chain Management.
  • Online skills development: skills in demand for 2030, including cybersecurity, Protection of Personal Information, Artificial Intelligence, Robotics and programming.

BarnOwl and NSA work closely with our clients to align and enable best practice GRC and assurance frameworks and methodologies within BarnOwl. NSA regularly presents online information sharing sessions together with BarnOwl.


Nico Technologies is BarnOwl's preferred partner in Malawi assisting with BarnOwl implementations, support services and client relationship management.

Nico Technologies Limited is an established IT products and services provider in Malawi, specialising in managed IT services, IT infrastructure services, IT project management, digital solutions, digital transformation and IT advisory.

Nico Technologies uses BarnOwl extensively within their own organisation to automate and manage their own risk and compliance functions.


Morgan Solus is BarnOwl's preferred business continuity specialist consulting firm with its 'BCM toolkit' software. BarnOwl GRC together with the BCM toolkit, provides a comprehensive risk management and BCM software solution.

Morgan Solus is a specialist consultancy firm focusing on risk, resilience and continuity. Morgan Solus's core services are centred on resilience, crisis management, business continuity (BCM), IT services continuity and disaster recovery (DRP) and training.

The BCM toolkit ensures a consistent approach to implementing BCM and IT disaster recovery and cuts implementation timelines by 60% whilst driving up successful outcomes.

BarnOwl's extensive GRC and assurance functionality, coupled with Morgan Solus's BCM toolkit, provides the ultimate risk management and BCM software solution.


Arbutus Analytics is BarnOwl's preferred data analytics software. BarnOwl GRC integrated with Arbutus Analytics provides the ultimate in continuous risk monitoring.

Arbutus Analyzer is a powerful data access and analysis solution specifically developed for auditors, business analysts, and fraud investigators. Its robust performance and user-friendly features offer you the ability to access and analyse data quickly and simply.

BarnOwl GRC, integrated with the real-time metrics from Arbutus, provides a strategic early warning system driving preventative and predictive capability, facilitating effective business decision making and business improvement, with a local sub-Saharan African distributor.


Barnowl works closely with Pax Resilience in the field of GRC and sustainability.

Pax Resilience offers solutions in risk, resilience and cyber security. Pax Resilience strives to create peace of mind by assisting you to build the resilience in your organisation that is so essential to survive and thrive in the volatile, uncertain, complex and ambiguous world we live in.

Pax Resilience regularly presents online information sharing sessions together with Barnowl.


Paige Law is the official provider of compliance content for the BarnOwl GRC software solution. Paige Law provides an extensive library of South African acts, including provisions (CRMPs) and checklists, which are integrated with BarnOwl.

Paige Law specialises in compliance, Commercial Law, Legal process consultancy, managed legal services and POPIA/ GDPR.


Registered Address

75 Malibongwe Drive
Linden Ext
South Africa

Postal Address

PO BOX 3009


+27 (0) 11 540 9100

