Info Sharing Session: BarnOwl and Deloitte

29 July, 2021
9:00 am - 10:00 am




BarnOwl Info Sharing session: 29 July 2021

The evolving role of the CRO to Power Business Performance

Presented by: Mark Victor, Partner – Deloitte Risk Advisory Africa,
Christopher Palm, Chief Risk Advisor – Institute of Risk Management South Africa (IRMSA)
Facilitated by: Jonathan Crisp, Director – BarnOwl


The pandemic has heightened the importance of proactive risk management in the first line, and executives have challenged the current mandate and functioning of risk functions to proactively drive risk management processes and activities that ensure risk powers business performance, beyond compliance.

This is evident through increased risk uncertainty, the need for organisations to revisit their operating models and ways of work, the increased impact of emerging external risks and the increased demand for risk intelligence to help support decision making.

Risk functions need to reimagine their approach and how they can adopt more agile risk management techniques, by leveraging digital risk solutions and insights and playing a more strategic risk advisory role to business.

Thank you very much Mark and Chris for presenting at our info-sharing event held on 29th July 2021. We had a great turnout. Thank you to all those who attended.


Risk powers performance: from compliance to competitive advantage

In the past, risk management was often an exercise in fear and avoidance, with organisations focused primarily on completing necessary, compliance driven activities. But that’s changing. Many leaders are now viewing risks in terms of their potential to power performance and value.

In Mark’s experience, over the past 24 months, there is a greater focus on the agenda of risk in the Exco. There is an increased determination in understanding the impact of risk, not just from an inside-out view but from an outside-in view and understanding the landscape.

Risk needs to power performance and be at the heart of strategy. There is a direct intersect between strategy and risk, and yet we still see a disconnect in that risk is either not part of the strategic conversation, or is a separate conversation, or worse still, ad hoc. The strategic conversation is not about a traditional risk process; it is about understanding the current macro-economic and external environments, where our business is going, where the industry is going, having a long-term view of the industry, having an understanding of the geographic and geopolitical context and how this speaks to the global markets, and translating this into a synthesized view of the risks and opportunities linked to the business drivers.

Strategic Risk Transformation

For risk transformation to occur, a comprehensive framework needs to be applied to align the risk strategy to how the organisation is managed. Managing risk is about steps to enhance value while meeting core business needs.

The conversation around risk and strategic risk at an exco level needs to be fundamentally different: it must be about outcomes and performance, and how this translates into what we are doing from a risk perspective, what we are measuring, and the impact on strategic objectives, business drivers, value, etc. As Mark mentions, “Whilst this is not a new concept, strategic risk conversations are still too operational. We need to talk to the CEO about strategy; is it right, what needs to change, what are the drivers, implications, taking it further. Do we, as a risk function, have enough of an understanding of the strategy, is the CRO involved in the conversations, do we have an outside-in view?” In addition, we see the increased importance of scenario modelling capability, which in theory is part of the risk management capability but is often done as part of strategy setting in isolation from risk management.

Another consideration is whether we have the right level of maturity for our current and future strategy and what capability and operating model do we need? What needs to be in place to run at an optimal level without being over controlled or over engineered, but still run efficiently. Look at the risks and opportunities and connect them back to capability.

The culture of the organisation is a critical element, however, in Mark’s experience, accountability and ownership is not embedded well enough and the risk function needs to help people understand the risks that they are running and for the business to take responsibility. We still find that the risk function does the work for the business instead of promoting accountability and playing the advisory role.

Chris mentioned the need for us risk professionals to challenge the quality of our conversation at board. We walk away too quickly from understanding our stakeholders, which is the first big job we need to do and to get the conversation with the board to the right level of granularity so that we make sense, and that we link and impact the performance of the organisation.

Evolving risk operating models

‘Thick’ or ‘thin’ risk functions can be considered in two dimensions; firstly, the allocation of responsibilities to the 1st or 2nd line of defense and secondly the allocation of responsibilities between 2nd line group and business level risk functions.

Mark spoke about various lines of defense and the role of the risk function. The risk function is not a validation role and not a directing role. We need to move beyond risk champions with a deeper view and greater level of maturity so that risk takes on the advisory and challenging role. We need an operating model, which supports an agile approach driving accountability, performance and structure and enabling the business to make calls and decisions. Chris mentioned, ‘less hard work on the risk registers and more smart work on intelligence’. We need to be relevant, deliver timeous insight including scenario building and alternative futures, to inform business decision making in complex environments.

Digital risk solutions – the next generation of GRC

Designing and deploying focused digital tools enables the organisation to be better equipped to Anticipate, Advise and Assure, with a more proactive and predictive response to risk.

Mark mentioned that one of the biggest challenges is that business acumen is lacking in risk functions; the risk function needs to understand the business at a real level of detail, understand the stakeholders and business drivers, and have a holistic view of things including an external lens. The risk function requires a digital focus, needs to leverage digital assets (social media), and should stop focusing all its effort on gathering information and rather focus on interpreting the data.

The fundamentals have not changed but the depth of detail needs to change from a superficial level to a detailed level. We need to deliver leading intelligence and foresight, understand the ops models, business value chain, culture, brand, and reputation and drive predictive capability to help business make informed decisions.

The risk function needs to move beyond compliance and inform business decision-making, driving insights right up front rather than after the fact. The risk function must provide insight which helps inform a decision, and rather than focusing on why we should not do something, we should focus on what we should be doing and what controls and balances need to be in place. A proactive view of emerging risks is critical, exemplified by Donald Rumsfeld’s statement regarding known knowns, known unknowns, and unknown unknowns.

External risk sensing and internal risk monitoring

Leveraging external and internal risk data to provide more continuous Risk Intelligence and enable proactive risk management and decision making.

Digital tools and solutions are required to be able to focus on specific parts of the business and understand dynamically and continuously what risk exposures are doing and how they affect the value chain. Digital tools provide continuous dynamic insights, pattern recognition and real-time insights, e.g., lost customers, incorrect products, inventory holding / losses, pricing etc. It is important to understand the risk and level of risk exposure and to link and monitor key risk indicators and key performance indicators on a real-time basis.

From an external context, digital tools for monitoring social media, security ops centres, external sensing capabilities are no longer a ‘nice to have’. This also cannot be manual, as the business requires rapid and up to date insight. Risk sensing is a critical capability.

Building a more capable and resilient organisation

We need to challenge the extent to which the current organisational capabilities support the strategy, taking into consideration the current levels of maturity of core business components and required maturity levels to deliver sustainable performance.

Do we have the right level of maturity for our current and future strategy and what capability and operating model do we need, taking into account, governance & organisation, systems & data, people & performance and process?

In summary

In summary, risk powers performance. There is an evolving move to properly measure and monitor the full risk universe (internal and external) informed by real-time indicators, understand the connectedness of risks, synthesize this, and understand the impact on strategic objectives and how we grow and protect our business.

Presentation and video links

Please see attached Deloitte presentation here and the info sharing recording here

Contact us


Mark Victor mvictor@deloitte.co.za
Christopher Palm christopherp@irmsa.org.za
Jonathan Crisp jonathan@barnowl.co.za
Cheryl Keller cheryl@barnowl.co.za

Thank you

Once again thank you Mark and Christopher for your time and for your informative presentation and thank you to all those who attended our info sharing session. We look forward to seeing you at our next info sharing session. Please keep a look out for our upcoming events at: https://barnowl.co.za/events/

Kind regards
Jonathan Crisp
Director – BarnOwl GRC and Audit software

About BarnOwl:

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by close to 200 organisations in Africa, Australasia and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.

Please see www.barnowl.co.za for more information.


About Mark Victor, Partner – Deloitte Risk Advisory Africa

Johannesburg, South Africa

Mark is a Partner within Risk Advisory at Deloitte and leads the Enterprise Risk Management Market offering for the Africa firm. Mark has a service line focus on Governance, Strategic Risk and Sustainability. Mark has deep practical experience providing assurance and advisory solutions to clients across the Financial Services, TMT and ERI industries, with a focus on business transformation solutions to Governance and Risk and Internal Audit functions.

Mark has been responsible for developing a number of business lines within Deloitte including Regulatory implementation, Business Risk and Financial Services Internal Audit. Mark qualified as a Chartered Accountant in 1995, and has spent time at Deloitte in Vancouver and Boston, working on a variety of publicly listed and multi-national clients. In addition to serving numerous large listed clients, Mark leads the Risk Advisory TMT sector and is the client leader for one of Deloitte Africa’s Tier 1 clients in the Consumer industry.

About Christopher Palm, Chief Risk Advisor, Institute of Risk Management South Africa (IRMSA)

Christopher’s passion is to collaborate with risk professionals and other key role players both locally and globally to transform risk management into a key component of excellent decision-making.

Christopher believes that a solid enterprise risk management capability within an entity, supported by a risk-mature leadership, will lead to decisions that will effectively respond to both threats and opportunities facing the business world today and well into the future.

Christopher spent 27 years with a South African Power Utility, of which the last 18 were at senior executive level – from Group Audit Manager and Head of Forensics to Head of Enterprise Risk where he established the Utility’s integrated risk management capability in 2008. His most valuable experience throughout his time was the gaining of world-class risk and resilience knowledge, experience and exposure and how it is challenged in practice.

Christopher’s educational background includes a Bachelor Degree – majoring in Accounting, Management Accounting, Commercial Law, Business Economics and Economics. He also obtained an Honours Degree in Business Economics and Management Accounting. He complemented the above by completing the Executive Leadership Development Programme at Wits Business School.

As the founding Chairman of the IRMSA Risk Intelligence Committee, one highlight was the pioneering of the IRMSA Risk Intelligence Report for South Africa, first published in 2015 and now in its seventh edition.

Currently Christopher focusses on working with risk practitioners, C-Suites and Boards to enhance risk maturity and address the more complex elements of risk management such as integrating strategy, risk and resilience and developing applied risk appetite frameworks. Also, the use of big data resulting in risk intelligence through predictive capabilities, systems thinking and scenario development and analysis.

About Jonathan Crisp, Director, BarnOwl GRC Software Solutions

Jonathan Crisp has a BSc Honours in Computer Science, as well as a Risk-Based Internal Auditing certification. Jonathan has over 30 years’ experience in the IT industry and is one of the founding directors of IDI Technology Solutions, who are the owners and software developers of the BarnOwl GRC and Audit software solution.

Jonathan is an active member of the Risk Intelligence Committee at IRMSA (Institute of Risk Management SA) and is a member of the IIA (Institute of Internal Audit SA).

You can find more information about BarnOwl at www.barnowl.co.za or contact Jonathan at jonathan@barnowl.co.za



GRCReady is the official provider of risk management content for the BarnOwl GRC software solution. GRCReady provides extensive risk libraries and risk maturity checklists/surveys which are integrated with BarnOwl.

GRCReady, based in Australia, offers a comprehensive and holistic library of products and associated services including templates, policies, procedures, guidelines, checklists etc. to help owners and directors of SMEs, startups and corporates to satisfy their corporate governance, risk management and regulatory compliance needs.

By integrating GRCReady's rich content libraries into BarnOwl's GRC software, we are able to offer our clients a state of the art, turnkey GRC solution.

GRCReady provides, arguably, the most comprehensive risk and governance maturity assessment framework with detailed steps and artefacts. BarnOwl's survey and action plan portal provides a simple and effective way to monitor and report on your current state of risk maturity and suggest and drive remedial action plans to take you to your desired state of risk and governance maturity.

Integrating GRCReady's risk libraries with the BarnOwl GRC software means that you don't have to start from scratch. In addition, ongoing updates and insights keep you informed and up-to-date on best practices.



Season Rhythm is BarnOwl's preferred partner in Botswana assisting with BarnOwl implementations, support services and client relationship management.

Season Rhythm is an established and distinguished player in the ICT sector in Botswana, specialising in a range of cutting-edge solutions. Season Rhythm leverages BarnOwl to provide tailored GRC&A services to businesses in Botswana facilitating:

  • Governance: Enabling organisations to establish and uphold effective governance structures, ensuring transparency and accountability in decision making processes.
  • Risk Management: Equipping businesses with tools to identify, assess and mitigate risks, safeguarding against potential threats and ensuring continuity in a business environment.
  • Compliance: Ensuring adherence to regulatory frameworks and industry standards, protecting businesses from non-compliance penalties and fostering trust among stakeholders.
  • Audit: Streamlining the audit process with comprehensive tools for planning, execution and reporting, driving efficiency and accuracy in internal audit and compliance assessments.
  • www.sr.co.bw/ict


BarnOwl works closely with NSA in the field of GRC and assurance.

NSA is an education and risk & assurance advisory services provider, consisting of a team of professional consultants and facilitators who have been hand-picked on experience and expertise. NSA services include:

  • Strategic intervention: 30 expert consultants facilitating strategic planning, combined assurance, effective governance and risk management assignments.
  • Continuous professional development: CPD training for internal auditors, external auditors, accountants, risk managers, government officials, and psychologists.
  • Online learning: accredited training for the local government sector, including the Municipal Financial Management Program and Supply Chain Management.
  • Online skills development: skills in demand for 2030, including cybersecurity, Protection of Personal Information, Artificial Intelligence, Robotics and programming.

BarnOwl and NSA work closely with our clients to align and enable best practice GRC and assurance framework & methodologies within BarnOwl. NSA regularly presents online information sharing sessions together with BarnOwl.



Nico Technologies is BarnOwl's preferred partner in Malawi assisting with BarnOwl implementations, support services and client relationship management.

Nico Technologies Limited is an established IT products and services provider in Malawi, specialising in managed IT services, IT infrastructure services, IT project management, digital solutions, digital transformation and IT advisory.

Nico Technologies uses BarnOwl extensively within their own organisation to automate and manage their own risk and compliance functions.



Morgan Solus is BarnOwl's preferred business continuity specialist consulting firm with its 'BCM toolkit' software. BarnOwl GRC together with the BCM toolkit, provides a comprehensive risk management and BCM software solution.

Morgan Solus is a specialist consultancy firm focusing on risk, resilience and continuity. Morgan Solus's core services are centred on resilience, crisis management, business continuity (BCM), IT services continuity and disaster recovery (DRP) and training.

The BCM toolkit ensures a consistent approach to implementing BCM and IT disaster recovery and cuts down implementation timelines by 60% whilst driving up successful outcomes.

BarnOwl's extensive GRC and assurance functionality coupled with Morgan Solus's BCM toolkit provides the ultimate risk management and BCM software solution.



Arbutus Analytics is BarnOwl's preferred data analytics software. BarnOwl GRC integrated with Arbutus Analytics provides the ultimate in continuous risk monitoring.

Arbutus Analyzer is a powerful data access and analysis solution specifically developed for auditors, business analysts, and fraud investigators. Its robust performance and user-friendly features offer you the ability to access and analyse data quickly and simply.

BarnOwl GRC, integrated with the real-time metrics from Arbutus, provides a strategic early warning system driving preventative and predictive capability, facilitating effective business decision making and business improvement.

www.arbutussoftware.com with local sub-Saharan African distributor www.betasoftware.co.za


BarnOwl works closely with Pax Resilience in the field of GRC and sustainability.

Pax Resilience offers solutions in risk, resilience and cyber security. Pax Resilience strives to create peace of mind by assisting you to build the resilience in your organisation so essential to survive and thrive in the volatile, uncertain, complex and ambiguous world we live in.

Pax Resilience regularly presents online information sharing sessions together with BarnOwl.



Paige Law is the official provider of compliance content for the BarnOwl GRC software solution. Paige Law provides an extensive library of South African acts including provisions [CRMPs] and checklists which are integrated with BarnOwl.

Paige Law specialises in compliance, Commercial Law, Legal process consultancy, managed legal services and POPIA/ GDPR.

