Info Sharing Session: Integrated BCM and Risk Explained

30 July, 2020
9:00 am - 10:00 am



BarnOwl Info Sharing session: 30 July 2020

Presented by Steve Simmonds, Director, SynergyGRC and Jonathan Crisp, Director, BarnOwl

Thank you very much Steve for presenting at our info-sharing event on the 30th July 2020. Thank you also to all those who attended.


Whilst BCM is a subset of the greater enterprise risk management discipline, the link between BCM and risk management is often not very well understood. This presentation focusses on BCM and on how risk management integrates with BCM, provides objective value, and gives the ability to recover from setbacks, adapt well to change and keep going in the face of adversity.

In a nutshell, risk management together with BCM enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation. Risk management is about preserving and enhancing value creation whilst minimising the risks that lead to value erosion.

The definitions of risk management, BCM and business resilience planning are as follows:

  • According to ISO 31000, risk is the “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected. Risk management refers to a “coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives.”
  • The COSO “Risk Management-Integrated Framework” defines RM as a “… process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
  • ISO 22301 provides a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve a business continuity management system (BCMS). It helps organisations protect against, prepare for, respond to, and recover when disruptive incidents arise.
  • Business Resilience Planning: Business resilience planning is a governance and risk management responsibility that boards address to enable them to survive and thrive in an increasingly hostile environment.

Threats (Risks) and Impacts (Consequences)


If we look at the highest WEF (World Economic Forum) findings as seen on the slide above, we can surmise that some things in life are unavoidable; we certainly cannot control all the threats to our business that lead to many of these unforeseen situations.

[Slide: current threats]

If we look at the slide above, the threats identified by the WEF (on the left-hand side) will impact the business and cause disruptions in various ways, shapes and forms (on the right-hand side). Let’s take a look at some of these impacts:

  • Supply chain interruption — any disruption to suppliers, service providers, utilities or infrastructure that impedes the flow of goods or services in or out of the business.
  • Compromised worker H&S – absenteeism, stress, excessive pressure, uncertainty.
  • Loss of staff and staff morale – indecisive leadership, loss of key personnel, negative economic growth, remote working.
  • Data loss/corruption – disruptions affecting access to IT services (IT disaster recovery) or the protection of critical data (cybersecurity).
  • Restricted Access to Facilities – disruptions of a business entity (like offices, call centres, retail locations, manufacturing plants or warehouses) as well as critical assets like specialised equipment.

However, by doing our due diligence and developing strategies to mitigate these threats and the impact they have on our businesses, we will be well prepared to maintain business functions, overcome these unavoidable situations and, as a business, be resilient when we are faced with new unavoidable situations! But what is business resilience?

Business Continuity Management (BCM)

BCM can be described as a process of identifying and responding to fast-approaching, high-impact interruption risks that can overwhelm inherent operational resiliency.

Operational resiliency focuses on preserving the people, processes and procedures that help businesses survive unexpected threats. 

A resilient business can return to its previous state of operation following a threat to the business that might otherwise disrupt it or shut it down. Such an organization achieves its state of resilience using several techniques such as business continuity management (BCM) that includes disaster recovery (DR) as an important sub-set.

Business Impact Assessment (BIA) and Risk Assessment (RA) explained



Business Impact Assessment: Focuses on

  • The potential impacts of a disruption to critical business sub-processes / activities because of a disaster, accident, or emergency
  • Names of organizations and/or sub-processes / activities the critical sub-process / activity depends on for normal operations
  • Quantitative Impacts – Financial amount associated with the critical sub-process / activity, e.g., annual revenue generated by the process
  • Qualitative Impacts – Non-financial impact to the company, e.g., loss of reputation, loss of customers

Threat and Risk Assessment: Focuses on

  • Identifying potential threats – Power Outage (Regional Blackout), IT System crash etc.
  • Information types affected – Accounting records – invoices, bills, accounts, Supplier contracts etc.
  • Risk decisions – inherent and residual and preventive actions (Proposed controls)
  • Concurring where BCPs (Business Continuity Plans) are required

Business continuity management and risk management complement one another, and both are necessary in today’s high-risk business environment.

Embedding BCM within the Organisation’s Culture

In the model below, the Board will focus on corporate strategy development and understanding the business model, as many companies do today. However, prior to any risk assessment activities, the Board will identify and document critical processes and assets which underpin its ability to create value for its shareholders. The criticality of these processes and assets will obviously vary from organisation to organisation.

In the next step, the question is asked: “What would the impact on the business be if these processes failed or an asset was not available?”

From this stage an “Impact Policy” can be developed. This will be a clear statement from the Board on the processes and assets that drive shareholder value within the business and the need to make all reasonable efforts to minimise anything that would impair their performance.

The Risk Assessment phase is now focused on any risk that has an impact on the above, arguably devoid of any arbitrary view on probability.

The next stages are to be conducted at the specialist operational level of the organisation and will look at determining the Business Continuity Strategy and developing and implementing the BCM response.

The final stage does require direction and investment of time and resources from the Board and effectively supports the whole framework and concerns the need to embed good practice throughout the organisation.

[Slide: embed BCM]

Integrated Risk Management and Business Continuity Management

In summary, once we have identified the most significant goals, objectives, processes, assets and resources that make up our business and what the impact would be if they were compromised, we perform risk assessments to identify the risks that threaten our objectives and what risks (opportunities) to take to achieve our objectives (within our risk appetite and tolerance). Based on our risk response strategy (treat, terminate, tolerate, transfer), we put controls in place to mitigate the risks where possible:


[Slide: business objectives]



In summary

Strategy and risk management are inseparable. Risk and assurance management is a critical management tool which enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation. Risk management, business continuity and sustainability are more important now than ever.

Presentation and Video links:

Please see attached presentation here and video link here 

You can find more information about SynergyGRC at www.synergygrc.com or https://linkedin.com/company/synergygrc/

and Steve Simmonds at www.linkedin.com/in/stephen-simmonds-ambci-311618

Useful and associated links:




https://barnowl.co.za/knowledge-centre/ and https://barnowl.co.za/videos/ 


Thank you:

Once again thank you Steve for your time and for your informative presentation and thank you to all those who attended our info sharing session. We look forward to seeing you at our next info sharing session. Please keep a look out for our upcoming events at: https://barnowl.co.za/events/ and feel free to join our next event at https://barnowl.co.za/event/1-july-2020-the-protection-of-personal-information-act-popia-is-here-what-now/ on the 27th August 2020 from 9am to 10am.

Kind regards

Jonathan Crisp

Director – BarnOwl GRC and Audit software


About Steve Simmonds, Director, SynergyGRC

Steve has over 20 years’ experience as a Governance, Risk and Compliance (GRC) Consultant, Management Systems Auditor and subject matter expert in the implementation of management systems and technology frameworks. He has had exposure to the Government & NGO, State Owned Enterprises, Information Technology Software (Systems, Applications), Manufacturing, Mining and Extraction, and Transportation & Storage industry sectors. Steve has managed numerous small, medium and large-scale local and international management systems, including information technology and information management infrastructure projects incorporating the disciplines of: Governance and Compliance, Information Security, Enterprise Risk, Business Continuity, Quality Management, Health Safety and Environment, Food Safety, Occupational Hygiene and Occupational Health.

About Jonathan Crisp, Director, BarnOwl

Jonathan Crisp has a BSc Honours in Computer Science, as well as a Risk-Based Internal Auditing certification. He has over 30 years’ experience in the IT industry and is one of the founding directors of IDI Technology Solutions.

IDI are the owners and software developers of the BarnOwl GRC and Audit software solution which is the preferred GRC solution in the public sector, endorsed by the Office of the Accountant General (OAG) of South Africa.

Jonathan is an active member of the Risk Intelligence Committee at IRMSA (Institute of Risk Management SA) and is a member of the IIA (Institute of Internal Audit SA).

About BarnOwl:

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 200 organisations in Africa, Australasia and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.

Please see www.barnowl.co.za  for more information.




