BarnOwl Info Sharing Insight: Influencing Business Strategy – Alignment Between Performance Management and Risk Management with Deon van der Westhuizen

August 12, 2022

BarnOwl Info Sharing session: 28 July 2022

Influencing Business Strategy – Alignment Between Performance Management and Risk Management

Presented by: Deon van der Westhuizen


Thank you very much Deon for your most informative presentation at our info-sharing event held on 28 July 2022. Thank you too, to all those who attended the session.
I’m sure Deon’s opening statement with reference to some of his engagements resonated with many of us in the audience: “Senior management understand that risk management is important, but they just don’t buy into it. There’s no commitment from the top, and the end result is a once a year risk assessment; which if you follow people like Tim Leech, he will tell you that if you do that type of risk assessment or a once a year risk assessment you can stop it today. It has absolutely no value.”
In this write-up I have chosen not to try to summarise Deon’s presentation, as I would not do it justice. Instead, I have related Deon’s presentation to the COSO 2017 framework and picked out a few valuable nuggets. I have also included some practical tips on how to go about implementing some of the important topics highlighted by Deon, such as a portfolio of risk, risk appetite, combined assurance and data analytics. You can view the full recording of the session as well as download Deon’s slides in the presentation and links section below.

Key points covered in Deon’s presentation include:

Why do we need risk management?

Risk management informs strategy and redefines strategy; it is not simply a list of what can go wrong. Risk management addresses not only uncertainty but also opportunity.

Once strategy is set, enterprise risk management provides an effective way for management to fulfil its role, knowing that the organization is attuned to risks that can impact strategy and is managing them well.

All organizations need to set strategy and periodically adjust it, always staying aware of both ever-changing opportunities for creating value and the challenges that will occur in pursuit of that value. To do that, they need the best possible framework for optimizing strategy and performance.

Risk Management helps organisations identify factors that represent not just risk, but change, and how that change could impact performance and necessitate a shift in strategy.

By considering all possibilities—both positive and negative aspects of risk— management can identify new opportunities and unique challenges associated with current opportunities.

Entity-wide risk approach – A risk can often originate in one part of the entity but impact a different part. Risk cannot be managed effectively in silos. An integrated, interwoven approach informs a portfolio view of the amount of risk the entity has assumed.

Enterprise risk management allows entities to improve their ability to identify risks and establish appropriate responses, reducing surprises and related costs or losses, while profiting from advantageous developments.

Enterprise risk management allows organizations to anticipate the risks that would affect performance and enable them to put in place the actions needed to minimize disruption and maximize opportunity.

An entity’s medium- and long-term viability depends on its ability to anticipate and respond to change, not only to survive but also to evolve and thrive. This is, in part, enabled by effective enterprise risk management. It becomes increasingly important as the pace of change accelerates and business complexity increases.

These benefits highlight the fact that risk should not be viewed solely as a potential constraint or challenge to setting and carrying out a strategy. Rather, the change that underlies risk and the organizational responses to risk give rise to strategic opportunities and key differentiating capabilities.

Enterprise risk management, as it has typically been practiced, has helped many organizations identify, assess, and manage risks to the strategy. But the most significant causes of value destruction are embedded in the possibility of the strategy not supporting the entity’s mission and vision, and the implications from the strategy.

COSO 2017 enabling risk management

COSO 2017 explains the role of risk management in influencing business strategy and decision-making. Embedding risk management to the point where both key performance indicators and key risk indicators feed the strategic and operational planning processes, the design of organisational capacity and the alignment of capital investment requires a structured approach.

The five components in the updated Framework are supported by a set of principles. Adhering to these principles can provide management and the board with a reasonable expectation that the organization understands and strives to manage the risks associated with its strategy and business objectives:


  1. Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviours, and understanding of risk in the entity.
  2. Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
  3. Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
  4. Review and Revision: By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
  5. Information, Communication, and Reporting: Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.


Practical implementation

Deon covered many important aspects of risk management, such as a portfolio of risk, risk appetite, combined assurance and data analytics. Implementing risk management in a practical way can be challenging. The following are a few tips for practical implementation:

Portfolio of Risk
An effective way to develop a portfolio of risk is to identify risks at the various levels of your organisation and link them downwards and upwards. You can start at the top with your level 1 risks (e.g. strategic risks) which are linked to your strategic objectives (associated with vision and mission). Level 2 risks (e.g. business risks) are linked upwards to level 1 risks and downwards to level 3 risks (e.g. operational / process based risks). I was very happy to see a slide on process and sub-process risks which inform the rating of the higher level business risk. An example of a level 2 business risk may be ‘Poor cash flow management’ and the process / operational level 3 risks linked to this risk could be from various processes such as debtors, creditors, payroll, capital expenditure etc.

When rating the residual risk you review the linked controls (first control adequacy, i.e. whether the control is designed to address the assertions it is meant to cover, and only if it is adequate, control effectiveness, i.e. how well the control is actually operating), the linked key risk indicators, the linked loss events and near misses and, as mentioned above, any linked child or sibling risks from other areas of the organisation that affect this risk.

By managing level 3 risks effectively, you are able to make an informed decision on how to rate the residual risk at level 2 and in turn level 1.
In terms of a portfolio of risk, depending on your audience (exco / board, business, operational) you present the relevant portfolio (level) of risk, knowing that your residual risk ratings are accurate because they are informed by the underlying risk data. A portfolio approach to risk management means that low-level, inconsequential risks do not filter up into a board pack, which would dilute the value of risk management.

Risk appetite
There are upside risks that you would like to take to maximise opportunities and there are downside risks that you would ideally like to avoid or minimise.
For example, if your opportunity / objective is to ‘Expand into Africa to grow your business’, your risk appetite for risks that enhance this opportunity is higher than for risks that will adversely affect it. Your risk appetite for risks relating to ‘Marketing in Africa’ will therefore be far higher than your risk appetite for risks relating to ‘Regulatory compliance in Africa’.

What this means is that risk management is not just about what can go wrong and avoiding risks; it is about taking calculated risk for reward, and managing and monitoring your risk on an ongoing basis to make sure you do not exceed your risk tolerance (the point beyond which, for example, the business cannot survive). As Deon mentions, risk management provides you with insights and an early warning system in line with your risk appetite, enabling you to adapt and refine your strategy.

In a system such as BarnOwl you are able to define qualitative and quantitative risk appetite statements per level of your organisation as well as per category of risk, enabling you to have a higher appetite for upside risk and a lower appetite for downside risk.
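The three-level portfolio roll-up described under ‘Portfolio of Risk’ and the per-level, per-direction appetite statements described above, as an added Python example. This is illustrative code written for this write-up, not BarnOwl’s or COSO’s method: the 5-point scale, the ‘worst linked child’ roll-up rule, the one-point adjustments for a breached KRI or a loss event, the appetite and tolerance values and the sample register are all assumptions chosen to show the mechanics.

```python
"""Illustrative three-level risk register: residual ratings at process level
(level 3) roll up to business (level 2) and strategic (level 1) risks, and each
rating is checked against an appetite statement set per level and per
direction (upside / downside). Added example; the rating scheme and the
sample data are assumptions, not BarnOwl's or COSO's method."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Risk:
    risk_id: str
    name: str
    level: int                          # 1 strategic, 2 business, 3 operational / process
    parent: Optional[str]               # link upwards; None for a level 1 risk
    direction: str = "downside"         # "upside" (opportunity) or "downside" (threat)
    inherent: int = 0                   # 1..5 rating before controls; rated at level 3 only
    control_effectiveness: float = 0.0  # 0..1 share of inherent exposure the controls remove
    kri_breached: bool = False          # a linked key risk indicator is outside tolerance
    loss_events: int = 0                # linked loss events / near misses this period


def residual(risk: Risk, register: Dict[str, Risk]) -> int:
    """Residual rating on the 1..5 scale.

    Level 3: inherent rating reduced by control effectiveness, then pushed back
    up by one point each for a breached KRI and for any loss events, since both
    are evidence that the control is not working in practice (assumed rule).
    Levels 1 and 2: the worst residual among the linked child risks, so the
    rating is informed by underlying data rather than by opinion (assumed rule)."""
    children = [r for r in register.values() if r.parent == risk.risk_id]
    if not children:
        score = risk.inherent * (1.0 - risk.control_effectiveness)
        score += 1 if risk.kri_breached else 0
        score += 1 if risk.loss_events > 0 else 0
        return max(1, min(5, round(score)))
    return max(residual(child, register) for child in children)


# Appetite statements (assumed values): the highest residual rating the
# organisation is willing to carry, per level and per direction. Upside risks
# get a higher appetite than downside risks, as the write-up describes.
APPETITE = {
    (1, "downside"): 3, (1, "upside"): 4,
    (2, "downside"): 3, (2, "upside"): 4,
    (3, "downside"): 2, (3, "upside"): 4,
}
TOLERANCE = 5  # above appetite is a management decision; at tolerance it is unacceptable


def appetite_status(risk: Risk, register: Dict[str, Risk]) -> str:
    score = residual(risk, register)
    if score >= TOLERANCE:
        return "exceeds tolerance"
    if score > APPETITE[(risk.level, risk.direction)]:
        return "outside appetite"
    return "within appetite"


def portfolio(register: Dict[str, Risk], level: int) -> List[Tuple[str, str, int, str]]:
    """Portfolio view for one audience: only the risks at that level, each with
    its rolled-up residual and appetite status, worst first. Process-level
    detail never reaches the board pack, but it does drive the board's ratings."""
    rows = [(r.risk_id, r.name, residual(r, register), appetite_status(r, register))
            for r in register.values() if r.level == level]
    return sorted(rows, key=lambda row: -row[2])


def build_register() -> Dict[str, Risk]:
    """Constructed sample register built around the examples in the write-up."""
    risks = [
        Risk("S1", "Financial sustainability", 1, None),
        Risk("B1", "Poor cash flow management", 2, "S1"),
        Risk("P1", "Debtors: overdue receivables not followed up", 3, "B1",
             inherent=4, control_effectiveness=0.5, kri_breached=True),
        Risk("P2", "Creditors: duplicate supplier payments", 3, "B1",
             inherent=3, control_effectiveness=0.6),
        Risk("P3", "Payroll: ghost employees", 3, "B1",
             inherent=4, control_effectiveness=0.75, loss_events=1),
        Risk("P4", "Capital expenditure: projects approved outside budget", 3, "B1",
             inherent=3, control_effectiveness=0.3),
        Risk("S2", "Expand into Africa to grow the business", 1, None, direction="upside"),
        Risk("B2", "Marketing in Africa", 2, "S2", direction="upside"),
        Risk("P5", "Campaign spend not converting to sales", 3, "B2",
             direction="upside", inherent=4, control_effectiveness=0.2),
        Risk("B3", "Regulatory compliance in Africa", 2, "S2"),
        Risk("P6", "Trading in a new jurisdiction without the required licence", 3, "B3",
             inherent=5, control_effectiveness=0.2, kri_breached=True),
    ]
    return {r.risk_id: r for r in risks}


if __name__ == "__main__":
    register = build_register()
    for level, audience in ((1, "board"), (2, "exco"), (3, "operations")):
        print(f"--- level {level} portfolio ({audience}) ---")
        for risk_id, name, score, status in portfolio(register, level):
            print(f"{risk_id:3} {score}  {status:18} {name}")
```

Run stand-alone, the script prints one portfolio per audience. In the sample data the licensing risk (P6) rates 5 at process level once its breached KRI is counted, which rolls up through ‘Regulatory compliance in Africa’ to the strategic opportunity ‘Expand into Africa’, so the board view shows that opportunity exceeding tolerance even though the board never sees the process-level line itself. The cash-flow risk, by contrast, sits within appetite at level 2 although one of its debtors sub-risks is outside the tighter level 3 appetite.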

Combined Assurance
Whether you speak about lines of defence or levels of assurance, combined assurance is a coordinated approach that ensures that all assurance activities provided by management, internal assurance providers and external assurance providers adequately address significant risks facing the company and provide assurance that suitable controls exist to mitigate these risks. A combined assurance approach results in gaps or instances of over-assurance being identified and addressed accordingly.
A constant focus is required on those risks that matter to the organisation and to management and the governance and oversight bodies as they monitor the organisation and make decisions.

Advanced data analytics
Data analytics supports continuous monitoring, which enables management to determine more quickly and accurately where to focus attention and resources in order to improve processes and manage the risks that threaten business objectives, and to take proactive, preventative action in time.

A system such as BarnOwl GRC, integrated with Arbutus data analytics provides a strategic early warning system driving preventative and predictive capability with real-time insights facilitating effective business decision making and business improvement.

The evolution of risk management

Advanced analytics and data visualization tools will evolve and be very helpful in understanding risk and its impact—both positive and negative.

Leveraging artificial intelligence and automation will give rise to real-time risk-based decision making.

As enterprise risk management practices evolve, it will become important that activities spanning risk, compliance, control, and even governance be efficiently coordinated to provide maximum benefit to the organization. Combined assurance supports this evolution.

In summary

Enterprise risk management enhances strategy selection. Choosing a strategy calls for structured decision-making that analyses risk and aligns resources with the mission and vision of the organization.

There is no doubt that organizations will continue to face a future full of volatility, complexity, and ambiguity. Regardless of the type and size of an entity, strategies need to stay true to their mission. And all entities need to exhibit traits that drive an effective response to change, including agile decision-making, the ability to respond in a cohesive manner, and the adaptive capacity to pivot and reposition while maintaining high levels of trust among stakeholders.

By knowing the risks that will have the greatest impact on the entity, organisations can use enterprise risk management to help put in place capabilities that allow them to act early. This will open up new opportunities.

Mature risk management is forward-looking and predictive, supporting business resilience and sustainability. Risk management, when performed effectively, enables an organisation to continually scan and evaluate an ever-changing landscape to make sure that new and existing opportunities are exploited and that risks are identified, prioritised and managed on an ongoing basis.

To view the upcoming Risk Management Masterclass with NSA please click here.

Presentation and video links

Please see attached presentation here, and the info sharing recording here


Related links

Deloitte – The evolving role of the CRO to Power Business Performance
Arbutus BarnOwl integration part #1 and Arbutus BarnOwl integration part #2

Contact us

Cheryl Keller | BarnOwl:
Deon van der Westhuizen |

Thank you

Once again, thank you Deon for your time and for your informative presentation and thank you to all those who attended our info sharing session. We look forward to seeing you at our next info sharing session. Please keep a look out for our upcoming events at:
Kind regards
Jonathan Crisp
Director – BarnOwl GRC and Audit software

About BarnOwl:

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by close to 200 organisations in Africa, Australasia and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.
Please see for more information.

About Deon van der Westhuizen

Deon is a CA (SA) and a CIA with more than 30 years’ experience specialising in governance, risk management, strategy development and combined assurance. He designed the risk management framework, the internal audit framework and the combined assurance framework for the South African Government, and updated them again during 2017. He recently reviewed the effectiveness of the ERM Framework for the Botswana Government via a Commonwealth Program and designed the ERM Framework for companies in the fuel and oil industry.

Deon is an international speaker on issues of governance and risk, an extra-ordinary lecturer at the University of Stellenbosch, a fellow of the IIA Inc, a fellow of Hugenote Kollege and the director of Next Step Academy, an educational institution under the Gravaton group.

Deon’s current focus includes the role of artificial intelligence, big data and automation, as well as cybersecurity, disaster recovery and business continuity within the risk space.